
update version #1

Open
wants to merge 68 commits into master

Conversation

ishto7 (Owner) commented Aug 4, 2021

No description provided.

Nyr and others added 30 commits September 6, 2019 02:44
This commit contains lots of changes which are not very significant on their own but
provide important usability improvements and future proofing.

It also includes changes which required OpenVPN v2.4+ and were pending until
that version became widely available.

- General cleanup
- Improved IP address and NAT configuration
- Added input validation and sanitization
- Fix #603
- Remove "sndbuf" and "recvbuf" parameters
- Add server-side "explicit-exit-notify"
- Switch from "setenv opt" to "ignore-unknown-option"
- Switch from "tls-auth" to "tls-crypt"
- Other minor bugfixes and optimizations
LowEndSpirit no longer requires that.
LowEndSpirit fixed the issue on their end, so this is no longer needed.

Additionally, the check causes unneeded trouble for users whose system doesn't
have the iptables package installed.
Clients will be provided with IPv6 connectivity if the server has it.

Other very small and unimportant improvements are also included in this commit.
- Verisign removed (performance is subpar compared to competitors)
- NTT is back (fast and reliable)
- AdGuard added (for ad blocking)
- Fix #694: added sanitization during the public IP address configuration and
switch to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT,
checkip service is unreachable and user doesn't provide input when asked for
the public IP address or hostname.
- Other small improvements not worth describing in detail.
- Use a checkip service which works fine over HTTP to avoid issues in systems
where ca-certificates is not available
- Increase timeout to 10 seconds, because the new service is a bit slower from
some locations
- Improve grep sanitization
- Made OS detection more flexible and fine-grained
- Fedora is now officially supported
- Always use firewalld for CentOS and Fedora
- Cleaner check to find out if firewalld is active
New logic makes way more sense:
- If either firewalld or iptables are present, use whatever we have
- If not, install firewalld in CentOS/Fedora and iptables in Debian/Ubuntu
The new systemd service at `/usr/lib/systemd/system/openvpn-server@.service` that comes with openvpn 2.4 includes the status option in `ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf`

Using this default allows to have multiple servers with their own status files and all in the same log directory. Example `/run/openvpn-server/status-server.log` `/run/openvpn-server/status-server2.log`
nf_tables is not available in old OpenVZ kernels, so we need to use
iptables-legacy instead.

This issue only affects Debian 10 as it is the only distribution using iptables
with a nf_tables backend by default.

This is supposedly resolved in the newest kernels: https://bit.ly/3fgNZCh

Additionally, a bugfix for the ip6tables path is also included.
This test is more reliable and flexible.
No need to write the tarball to disk.
While it looks hackish, I don't think there's a better way (in Bash) to open
the /dev/net/tun character device.

Checking for presence of /dev/net/tun like we were doing is not good enough.
Fix for the mistaken stderr redirection, sorry about that. Also, run in a
subshell so we don't need to manually close the file descriptor.
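The two commit messages above describe the TUN check: test that the character device can actually be opened read/write, not merely that its path exists, with the open done on a spare file descriptor inside a subshell so the descriptor is closed when the subshell exits, and with stderr silenced for the whole check. The following is an added example written for this page, not the script's own code; the device path is a parameter (defaulting to `/dev/net/tun`) so the same function can be exercised against other paths, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's own code): verify that a TUN device node
# is usable by opening it, instead of only testing that the path exists.
# $1 is the device path; it defaults to /dev/net/tun (assumption: Linux naming).
tun_is_usable() {
    dev="${1:-/dev/net/tun}"
    # The subshell opens the device read/write on fd 7. When the subshell
    # exits the descriptor is closed automatically, so no `exec 7>&-` is
    # needed in the caller. The braces put both the existence test and the
    # open under one stderr redirect, so a failed open prints nothing.
    { [ -e "$dev" ] && (exec 7<>"$dev"); } 2>/dev/null
}

# Presence-only check, kept here to show what the commit replaced.
tun_path_exists() {
    [ -e "${1:-/dev/net/tun}" ]
}

# Human-readable summary for interactive use (hypothetical helper).
tun_status() {
    if tun_is_usable "$1"; then
        echo "tun usable"
    elif tun_path_exists "$1"; then
        # Node is there but cannot be opened: typical of a container whose
        # host did not pass the device through, or of missing privileges.
        echo "tun present but not openable"
    else
        echo "tun missing"
    fi
}

# Usage: tun_status            # checks /dev/net/tun
#        tun_status /some/path # checks another node
```

The difference between the second and third branch of `tun_status` is exactly the gap the commit closes: a container can expose a `/dev/net/tun` node that the kernel refuses to open, and a presence-only test reports success there.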
Variables which can be empty shouldn't be quoted in this situation.
egrep IP regex optimizations
tpwo and others added 30 commits March 11, 2021 22:49
`30-openvpn-forward.conf` renamed to `99-openvpn-forward.conf`.
Increase priority of openvpn-forward.conf
An unrelated fix to avoid one harmless warning during removal is also included.
git.io will stop functioning by the end of this workweek:
https://github.blog/changelog/2022-04-25-git-io-deprecation/
Some systems have other DNS servers along with 127.0.0.53 in /etc/resolv.conf
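The commit message above concerns hosts where `/etc/resolv.conf` lists the systemd-resolved stub `127.0.0.53` next to real resolvers. The stub is only reachable on the host itself, so it must be excluded before resolver addresses are handed to VPN clients, while the other entries remain usable. The following is an added example for this page, not the script's code: it parses a resolv.conf-style file (the file path is a parameter; the sample content is constructed here) and reports whether the stub is present, since on such systems the upstream list lives in `/run/systemd/resolve/resolv.conf`. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's own code): extract IPv4 resolvers from a
# resolv.conf-style file, skipping comments and the systemd-resolved stub.
# $1 is the path to the file to parse.
upstream_resolvers() {
    file="$1"
    grep -v '^[#;]' "$file" \
      | grep '^nameserver' \
      | grep -v '127\.0\.0\.53' \
      | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'
    # Note: IPv6 nameserver lines are dropped by the IPv4-only pattern.
}

# True when the stub resolver is configured; callers should then read the
# upstream list from /run/systemd/resolve/resolv.conf instead (assumption:
# standard systemd-resolved layout).
uses_resolved_stub() {
    grep -q '^nameserver[[:space:]]*127\.0\.0\.53' "$1"
}

# Constructed sample resolv.conf for this example.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# This is /etc/resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
nameserver 192.0.2.10
; a comment line using the other comment character
nameserver 2001:db8::1
options edns0 trust-ad
search example.net
EOF

# Usage when run directly:
#   upstream_resolvers "$sample"   # prints 192.0.2.10
#   uses_resolved_stub "$sample" && echo "stub present"
```

Filtering on the full address with escaped dots matters: an unescaped `127.0.0.53` would also match unrelated strings such as `127a0b0c53`, and a bare `grep -v 127` would silently drop any resolver whose address merely contains those digits.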
This is mainly to work around a bug in Viscosity for macOS:
https://www.sparklabs.com/forum/viewtopic.php?t=3152
--no-install-recommends is now required for Debian:
OpenVPN/easy-rsa#725
--cipher has been deprecated since v2.4 and was kept for compatibility purposes.
The following versions are no longer supported:
- Debian 10
- Ubuntu 18.04
- Ubuntu 20.04
- CentOS/Alma/Rocky 7
- CentOS/Alma/Rocky 8
- Fedora 31
4 participants