Merge branch 'angristan:master' into master

.editorconfig

@@ -0,0 +1,3 @@
+[*.sh]
+indent_style = tab
+indent_size = 4

.github/FUNDING.yml

@@ -1,3 +1,2 @@
-patreon: angristan
-liberapay: angristan
-ko_fi: angristan
+ko_fi: stanislas
+custom: https://coindrop.to/stanislas

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"

.github/issue_template.md

@@ -0,0 +1,10 @@
+<!---
+❗️ Please read ❗️
+➡️ If you need help with OpenVPN itself, please use the community forums (https://forums.openvpn.net/) or Stack Overflow (https://stackoverflow.com/questions/tagged/openvpn)
+➡️ For the script, prefer opening a discussion thread for help: https://github.com/angristan/openvpn-install/discussions
+💡 It helps keep the issue tracker clean and focused on bugs and feature requests.
+
+🙏 Please include as much information as possible, and make sure you're running the latest version of the script.
+✍️ Please state the Linux distribution you're using and its version, as well as the OpenVPN version.
+✋ For feature requests, remember that this script is meant to be simple and easy to use. If you want to add a lot of options, it's better to fork the project.
+--->

.github/linters/.markdown-lint.yml

@@ -0,0 +1 @@
+{ "MD013": null, "MD045": null, "MD040": null, "MD036": null }

.github/pull_request_template.md

@@ -0,0 +1,7 @@
+<!---
+❗️ Please read ❗️
+➡️ Please make sure you've followed the guidelines: https://github.com/angristan/openvpn-install#contributing
+✅ Please make sure your changes are tested and working
+🗣️ Please avoid large PRs, and discuss changes in a GitHub issue first
+✋ If the changes are too big and not in line with the project, they will probably be rejected. Remember that this script is meant to be simple and easy to use.
+--->

.github/workflows/lint.yml

@@ -0,0 +1,14 @@
+on: [push, pull_request, workflow_dispatch]
+
+name: Lint
+
+jobs:
+  super-linter:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+      - name: Lint Code Base
+        uses: github/super-linter@v4.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -0,0 +1,99 @@
+on:
+  push:
+    branches:
+      - master
+      - ci
+  workflow_dispatch:
+
+name: Test
+jobs:
+  install:
+    runs-on: ubuntu-latest
+    if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan'
+    strategy:
+      matrix:
+        os-image:
+          - debian-10-x64
+          - debian-11-x64
+          - debian-12-x64
+          - ubuntu-20-04-x64
+          - ubuntu-22-04-x64
+          - ubuntu-24-04-x64
+          - fedora-39-x64
+          - centos-7-x64
+          # - centos-stream-9-x64 # yum oomkill
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup doctl
+        uses: digitalocean/action-doctl@v2
+        with:
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+
+      - name: Create server
+        run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait
+
+      - name: Get server ID
+        run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id')
+        id: server_id
+
+      - name: Move server to dedicated project
+        run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
+
+      - name: Wait for server to boot
+        run: sleep 90
+
+      - name: Get server IP
+        run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[] | select(.type == "'public'").ip_address')
+        id: server_ip
+
+      - name: Get server OS
+        run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1)
+        id: server_os
+
+      - name: Setup remote server (Debian/Ubuntu)
+        if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && apt-get update && apt-get -o DPkg::Lock::Timeout=120 install -y git
+
+      - name: Setup remote server (Fedora)
+        if: steps.server_os.outputs.value == 'fedora'
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && dnf install -y git
+
+      - name: Setup remote server (CentOS)
+        if: steps.server_os.outputs.value == 'centos'
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && yum install -y git
+
+      - name: Download repo and checkout current commit
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.sha }}
+
+      - name: Run openvpn-install.sh in headless mode
+        uses: appleboy/ssh-action@v0.1.6
+        with:
+          host: ${{ steps.server_ip.outputs.value }}
+          username: root
+          key: ${{ secrets.SSH_KEY }}
+          script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1'
+
+      - name: Delete server
+        run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}
+        if: always()

FAQ.md

@@ -0,0 +1,175 @@
+# FAQ
+
+**Q:** The script has been updated since I installed OpenVPN. How do I update?
+
+**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
+
+You can, of course, it's even recommended, update the `openvpn` package with your package manager.
+
+---
+
+**Q:** How do I check for DNS leaks?
+
+**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). The DNS servers should be the ones you selected during the setup, not your IP address nor your ISP's DNS servers' addresses.
+
+---
+
+**Q:** How do I fix DNS leaks?
+
+**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
+On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
+
+Debian 9, 10 and Ubuntu 16.04, 18.04
+
+```
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+```
+
+Centos 6, 7
+
+```
+script-security 2
+up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
+```
+
+Centos 8, Fedora 30, 31
+
+```
+script-security 2
+up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
+```
+
+Arch Linux
+
+```
+script-security 2
+up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
+```
+
+---
+
+**Q:** Can I use an OpenVPN 2.3 client?
+
+**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options:
+
+- No compression or LZ0
+- RSA certificate
+- DH Key
+- AES CBC
+- tls-auth
+
+If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
+
+---
+
+**Q:** IPv6 is not working on my Hetzner VM
+
+**A:** This an issue on their side. See <https://angristan.xyz/fix-ipv6-hetzner-cloud/>
+
+---
+
+**Q:** DNS is not working on my Linux client
+
+**A:** See "How do I fix DNS leaks?" question
+
+---
+
+**Q:** What syctl and iptables changes are made by the script?
+
+**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service`
+
+Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
+
+---
+
+**Q:** How can I access other clients connected to the same OpenVPN server?
+
+**A:** Add `client-to-client` to your `server.conf`
+
+---
+
+**Q:** My router can't connect
+
+**A:**
+
+- `Options error: No closing quotation (") in config.ovpn:46` :
+
+  type `yes` when asked to customize encryption settings and choose `tls-auth`
+
+- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
+
+  see question "Can I use an OpenVPN 2.3 client?"
+
+---
+
+**Q:** How can I access computers the OpenVPN server's remote LAN?
+
+**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
+
+---
+
+**Q:** How can I add multiple users in one go?
+
+**A:** Here is a sample bash script to achieve this:
+
+```sh
+userlist=(user1 user2 user3)
+
+for i in ${userlist[@]};do
+   MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh
+done
+```
+
+From a list in a text file:
+
+```sh
+while read USER
+    do MENU_OPTION="1" CLIENT="$USER" PASS="1" ./openvpn-install.sh
+done < users.txt
+```
+
+---
+
+**Q:** How do I change the default `.ovpn` file created for future clients?
+
+**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt`
+
+---
+
+**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet?
+
+**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding
+
+```sh
+route-nopull
+route 10.0.0.0 255.0.0.0
+```
+
+So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet.
+
+---
+
+**Q:** I have enabled IPv6 and my VPN client gets an IPv6 address. Why do I reach the websites or other dual-stacked destionations via IPv4 only?
+
+**A:** This is because inside the tunnel you don't get a publicly routable IPv6 address, instead you get an ULA (Unlique Local Lan) address. Operating systems don't prefer this all the time. You can fix this in your operating system policies as it's unrelated to the VPN itself:
+
+Windows (commands needs to run cmd.exe as Administrator):
+
+```
+netsh interface ipv6 add prefixpolicy fd00::/8 3 1
+```
+
+Linux:
+
+edit `/etc/gai.conf` and uncomment the following line and also change its value to `1`:
+
+```
+label fc00::/7      1
+```
+
+This will not work properly unless you add you your VPN server `server.conf` one or two lines to push at least 1 (one) IPv6 DNS server. Most providers have IPv6 servers as well, add two more lines of `push "dhcp-option DNS <IPv6>"`