Compare commits


15 Commits

Author SHA1 Message Date
Stanislas Lange
e2d4990ae1
Improve README 2025-01-06 17:25:26 +01:00
Raphael Pinto
e1f19e0f24
Fix Public IP detection - Fix issue when seeip.org is unreachable #1241 (#1243)
The script does work when seeip.org is unreachable, so I changed the policy to define the public IP.

It solves issue #1241

* Timeout limit on each attempt to resolve the IP, to avoid long waits;
* Extra public IP providers as failovers;
* The script will only try to resolve an IP if the ENDPOINT is empty;

Co-authored-by: Stanislas <github@slange.me>
2024-11-07 20:55:14 +01:00
Stanislas Lange
dc114f3243
Update distribution matrix for end-to-end tests 2024-11-07 20:49:42 +01:00
Stanislas Lange
0d58ddcb8c
Update distribution matrix for end-to-end tests 2024-11-07 20:46:51 +01:00
xiahare
56660eefeb
Fix public IP detection: ip.seeip.org has been changed to api.seeip.org (#1252) 2024-11-07 20:39:28 +01:00
Stanislas Lange
2ce1ee765e
Remove centos-stream-8-x64 from test workflow
Not available on DO anymore
2024-07-12 18:22:34 +02:00
Stanislas
a189535563
Set client and server certificates validity to 10 years (#1235)
Prevent #974
2024-07-12 18:16:19 +02:00
Stanislas Lange
67701fac77
CI: wait for dpkg lock in debian/ubuntu setup step 2024-05-16 20:37:23 +02:00
Stanislas Lange
0cc002e17d
CI: wait for dpkg lock in debian/ubuntu setup step 2024-05-16 20:33:32 +02:00
Stanislas Lange
a2725d61a3
CI: update actions/checkout to v4 2024-05-16 20:13:47 +02:00
Stanislas Lange
305e9868cf
CI: update linux distributions used in end-to-end tests 2024-05-16 20:08:12 +02:00
Stanislas Lange
6a127fa2b6
Enable manual trigger of actions 2024-05-16 20:02:01 +02:00
Stanislas Lange
5a4b31bd0d
Fix typo in README 2023-11-20 21:21:56 +01:00
David Salbeï
651e36c6cb
Fix syntax error on Rocky Linux version check (#1182)
Co-authored-by: David Salbei <david@incolab.fr>
2023-11-20 21:19:13 +01:00
Stanislas
1a249c621d
ci: test workflow server images update (#1183)
* test ci

* remove ubuntu 18.04

* remove fedora 35 and add 37 38

* disable centos stream 9, add debian 12
2023-11-20 21:14:04 +01:00
4 changed files with 84 additions and 36 deletions

View File

@ -1,4 +1,4 @@
on: [push, pull_request]
on: [push, pull_request, workflow_dispatch]
name: Lint
@ -7,7 +7,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3.2.0
uses: actions/checkout@v4
- name: Lint Code Base
uses: github/super-linter@v4.1.0
env:
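Review bot: both actions in this hunk are pinned to mutable tags (`actions/checkout@v4`, `github/super-linter@v4.1.0`); for a workflow that runs on every `pull_request`, pin each third-party action to a full commit SHA and keep the tag as a trailing comment (`uses: actions/checkout@<sha> # v4`) so a moved or re-tagged release cannot silently change the code that runs. Bumping checkout to v4 while leaving super-linter at v4.1.0 is fine, but the same pinning advice applies to both lines.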

View File

@ -2,6 +2,8 @@ on:
push:
branches:
- master
- ci
workflow_dispatch:
name: Test
jobs:
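Review bot: this workflow provisions DigitalOcean droplets with `doctl` and connects to them with `secrets.SSH_KEY`, so the new `- ci` trigger means every push to a branch of that name now costs real droplet time; a comment next to `- ci` saying it is a scratch branch for exercising the pipeline would keep the next contributor from pushing there by accident. Secret exposure is unchanged by the hunk: `push` and `workflow_dispatch` only fire for people with write access to this repository, not for forks.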
@ -11,20 +13,15 @@ jobs:
strategy:
matrix:
os-image:
- debian-10-x64
- debian-11-x64
- ubuntu-18-04-x64
- ubuntu-20-04-x64
- debian-12-x64
- ubuntu-22-04-x64
- fedora-35-x64
# - fedora-36-x64
# - fedora-37-x64
# dnf is broken: https://ask.fedoraproject.org/t/dnf-operations-use-large-amount-of-ram-and-may-fail-in-low-memory-environments/26427
- centos-7-x64
- centos-stream-8-x64
- centos-stream-9-x64
- ubuntu-24-04-x64
- fedora-39-x64
- fedora-40-x64
# - centos-stream-9-x64 # yum oomkill
steps:
- uses: actions/checkout@v3.2.0
- uses: actions/checkout@v4
- name: Setup doctl
uses: digitalocean/action-doctl@v2
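Review bot: after this change no CentOS Stream image is exercised at all (`centos-stream-8-x64` removed, `centos-stream-9-x64` commented out as `# yum oomkill`), while the README hunk in this same compare still marks `CentOS Stream >= 8` as regularly tested; either restore a Stream image here or drop the robot from that README row. The removed `dnf` comment and the new `yum oomkill` comment describe the same failure, the package manager running out of memory on the smallest droplet, so a larger droplet size in the `doctl` create step would likely let both the commented-out fedora and centos-stream-9 entries back into the matrix.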
@ -59,7 +56,7 @@ jobs:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && apt-get update && apt-get install -y git
script: set -x && apt-get update && apt-get -o DPkg::Lock::Timeout=120 install -y git
- name: Setup remote server (Fedora)
if: steps.server_os.outputs.value == 'fedora'
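Review bot: `-o DPkg::Lock::Timeout=120` is only passed to `apt-get install`, but the `apt-get update` that runs first in the same `script:` line is just as likely to collide with `apt-daily`/`unattended-upgrades` on a freshly booted droplet, which is the race the commit is trying to survive; pass the option to both invocations (`apt-get -o DPkg::Lock::Timeout=120 update && apt-get -o DPkg::Lock::Timeout=120 install -y git`). The Fedora setup step directly below gets no equivalent wait, so if the same race shows up there it will need its own handling for `dnf`.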

View File

@ -10,6 +10,25 @@ This script will let you setup your own secure VPN server in just a few seconds.
You can also check out [wireguard-install](https://github.com/angristan/wireguard-install), a simple installer for a simpler, safer, faster and more modern VPN protocol.
## What is this?
This script is meant to be run on your own server, whether it's a VPS or a dedicated server, or even a computer at home.
Once set up, you will be able to generate client configuration files for every device you want to connect.
Each client will be able to route its internet traffic through the server, fully encrypted.
```mermaid
graph LR
A[Phone] --> VPN
B[Laptop] --> VPN
C[Computer] --> VPN
VPN[OpenVPN Server]
VPN -->|Encrypted Traffic| I[Internet]
```
## Usage
First, get the script and make it executable:
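Review bot: the diagram label sits on the wrong edge. `VPN -->|Encrypted Traffic| I[Internet]` marks the hop where packets leave the tunnel and go out in the clear (or with whatever TLS the application itself uses); the OpenVPN encryption is on the `A/B/C --> VPN` edges. Move the label to those edges, and qualify "fully encrypted" in the sentence above to "encrypted between the device and the server", otherwise the new section promises end-to-end protection the server cannot provide.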
@ -37,9 +56,7 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
If you have any question, head to the [FAQ](#faq) first. And if you need help, you can open a [discussion](https://github.com/angristan/openvpn-install/discussions). Please search existing issues and dicussions first.
### Headless install
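Review bot: typo in the added line, `dicussions` should be `discussions`; the link text just before it spells the word correctly. Otherwise the softer wording and the pointer to the discussions board read better than the removed paragraph.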
@ -120,7 +137,7 @@ The script supports these Linux distributions:
| AlmaLinux 8 | ✅ |
| Amazon Linux 2 | ✅ |
| Arch Linux | ✅ |
| CentOS 7 | ✅ 🤖 |
| CentOS 7 | ✅ |
| CentOS Stream >= 8 | ✅ 🤖 |
| Debian >= 10 | ✅ 🤖 |
| Fedora >= 35 | ✅ 🤖 |
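Review bot: dropping the robot from the `CentOS 7` row matches the workflow change, but CentOS 7 reached end of life on 30 June 2024 and no longer receives security updates, so the row should say so rather than remain a plain checkmark. The `CentOS Stream >= 8` row keeps its robot even though this same compare removes the last CentOS Stream image from the test matrix; that row should lose the robot too.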
@ -131,7 +148,7 @@ The script supports these Linux distributions:
To be noted:
- The script is regularly tested against the distributions marked with a 🤖 only.
- It's only test on `amd64` architecture.
- It's only tested on `amd64` architecture.
- It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported.
- It should also support versions between the LTS versions, but these are not tested.
- The script requires `systemd`.

View File

@ -57,7 +57,7 @@ function checkOS() {
fi
if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then
OS="centos"
if [[ $VERSION_ID -lt 7 ]]; then
if [[ ${VERSION_ID%.*} -lt 7 ]]; then
echo "⚠️ Your version of CentOS is not supported."
echo ""
echo "The script only support CentOS 7 and CentOS 8."
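Review bot: `${VERSION_ID%.*}` fixes the arithmetic error (`9.3` is not a valid integer operand for `-lt`), but the message that follows is now stale in two ways: this branch also handles `rocky` and `almalinux`, and the check accepts anything `>= 7`, so telling the user the script "only support CentOS 7 and CentOS 8" is wrong for Stream 9 and Rocky/Alma 9. Suggest `echo "The script only supports CentOS/Rocky/AlmaLinux 7 and later."`, which also fixes "support" to "supports".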
@ -216,6 +216,45 @@ access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
systemctl restart unbound
}
function resolvePublicIP() {
# IP version flags, we'll use as default the IPv4
CURL_IP_VERSION_FLAG="-4"
DIG_IP_VERSION_FLAG="-4"
# Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
if [[ $IPV6_SUPPORT == "y" ]]; then
CURL_IP_VERSION_FLAG=""
DIG_IP_VERSION_FLAG="-6"
fi
# If there is no public ip yet, we'll try to solve it using: https://api.seeip.org
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.seeip.org 2>/dev/null)
fi
# If there is no public ip yet, we'll try to solve it using: https://ifconfig.me
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://ifconfig.me 2>/dev/null)
fi
# If there is no public ip yet, we'll try to solve it using: https://api.ipify.org
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.ipify.org 2>/dev/null)
fi
# If there is no public ip yet, we'll try to solve it using: ns1.google.com
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(dig $DIG_IP_VERSION_FLAG TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
fi
if [[ -z $PUBLIC_IP ]]; then
echo >&2 echo "Couldn't solve the public IP"
exit 1
fi
echo "$PUBLIC_IP"
}
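Review bot: the error path is broken in two ways. `echo >&2 echo "Couldn't solve the public IP"` prints the literal word `echo` before the message; it should read `echo >&2 "Couldn't resolve the public IP"`. More importantly, `exit 1` here only terminates the `$(...)` subshell that both callers in this diff use, so the caller receives an empty string and continues as if the lookup had succeeded; callers need to test the assignment's status (`if ! ENDPOINT=$(resolvePublicIP); then exit 1; fi`). Two smaller points: `"$CURL_IP_VERSION_FLAG"` is quoted, so when `IPV6_SUPPORT=y` sets it to the empty string curl receives an empty positional argument, which it treats as a URL rather than as "no option" (use `${CURL_IP_VERSION_FLAG:+"$CURL_IP_VERSION_FLAG"}`); and in that same mode curl is left unpinned while dig is forced to `-6`, so the fallback chain can return an IPv4 address from one provider and an IPv6 address from another, which matters because the result becomes the address clients connect to.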
function installQuestions() {
echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
@ -244,9 +283,12 @@ function installQuestions() {
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
echo "We need it for the clients to connect to the server."
PUBLICIP=$(curl -s https://api.ipify.org)
if [[ -z $ENDPOINT ]]; then
DEFAULT_ENDPOINT=$(resolvePublicIP)
fi
until [[ $ENDPOINT != "" ]]; do
read -rp "Public IPv4 address or hostname: " -e -i "$PUBLICIP" ENDPOINT
read -rp "Public IPv4 address or hostname: " -e -i "$DEFAULT_ENDPOINT" ENDPOINT
done
fi
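Review bot: the prompt still says `Public IPv4 address or hostname`, but when `IPV6_SUPPORT=y` the default filled in by `resolvePublicIP` may be an IPv6 address (curl is unpinned and dig is called with `-6` in that mode); either keep the default IPv4-only for this prompt or reword it to "Public IP address or hostname" so the pre-filled value and the question agree.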
@ -625,17 +667,9 @@ function installOpenVPN() {
PASS=${PASS:-1}
CONTINUE=${CONTINUE:-y}
# Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
if [[ $IPV6_SUPPORT == "y" ]]; then
if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ip.seeip.org); then
PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
fi
else
if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ip.seeip.org); then
PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
fi
if [[ -z $ENDPOINT ]]; then
ENDPOINT=$(resolvePublicIP)
fi
ENDPOINT=${ENDPOINT:-$PUBLIC_IP}
fi
# Run setup questions first, and set other variables if auto-install
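Review bot: `ENDPOINT=${ENDPOINT:-$PUBLIC_IP}` is now dead code: nothing in this function sets `PUBLIC_IP` any more (`resolvePublicIP` prints the address and runs inside `$(...)`), so the line should go. The bigger problem is that this is the headless path and a failed lookup is silent: `exit 1` inside the function only ends the subshell, `ENDPOINT` stays empty, and the install proceeds with no remote address for the clients. Test the assignment's status here, e.g. `if ! ENDPOINT=$(resolvePublicIP); then echo >&2 "Could not detect the public IP, set ENDPOINT explicitly"; exit 1; fi`, since a headless run has no prompt to catch it.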
@ -731,14 +765,14 @@ function installOpenVPN() {
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass
EASYRSA_CA_EXPIRE=3650 ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass
if [[ $DH_TYPE == "2" ]]; then
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
openssl dhparam -out dh.pem $DH_KEY_SIZE
fi
./easyrsa --batch build-server-full "$SERVER_NAME" nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-server-full "$SERVER_NAME" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
case $TLS_SIG in
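Review bot: `EASYRSA_CA_EXPIRE=3650` matches easy-rsa 3's built-in default for the CA, so that line changes nothing; the effective change is `EASYRSA_CERT_EXPIRE=3650`, which raises the server (and, below, client) certificate lifetime from easy-rsa's 825-day default to ten years. That is a reasonable answer to the renewal complaint the commit references, but it makes revocation the only way to cut off a client whose `.ovpn` file leaks, so the README should state that a lost or decommissioned device must be handled by revoking its certificate and regenerating the CRL (`./easyrsa revoke`, then `./easyrsa gen-crl`), and `EASYRSA_CRL_DAYS` should stay in step with the certificate lifetime as it does here.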
@ -1085,11 +1119,11 @@ function newClient() {
cd /etc/openvpn/easy-rsa/ || return
case $PASS in
1)
./easyrsa --batch build-client-full "$CLIENT" nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT" nopass
;;
2)
echo "⚠️ You will be asked for the client password below ⚠️"
./easyrsa --batch build-client-full "$CLIENT"
EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT"
;;
esac
echo "Client $CLIENT added."
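Review bot: the literal `3650` now appears five times across this file (CA, server, CRL, and both client branches here); define it once near the top (e.g. `CERT_EXPIRE_DAYS=3650`) and reference it, so a deployment that wants shorter client lifetimes than server lifetimes, or a future policy change, touches one line. The two `case` branches differ only by `nopass`, which is fine, but both should use the same variable.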