original-script

openvpn-install.sh

@@ -1,7 +1,5 @@
 #!/bin/bash
 
-set -ex
-
 # Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
 # https://github.com/Angristan/OpenVPN-install
 
@@ -89,7 +87,7 @@ if [[ "$IP" = "" ]]; then
 	IP=$(wget -qO- ipv4.icanhazip.com)
 fi
 # Get Internet network interface with default route
-NIC=$(ip -4 route ls | grep default -m 1 | grep -Po '(?<=dev )(\S+)' | head -1)
+NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
 
 if [[ -e /etc/openvpn/server.conf ]]; then
 	while :
@@ -196,7 +194,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 			fi
 			exit
 			;;
-            4) exit ;;
+			4) exit;;
 		esac
 	done
 else
@@ -222,15 +220,16 @@ else
 	done
 	echo ""
 	echo "What DNS do you want to use with the VPN?"
-    echo "   1) Current system resolvers (in /etc/resolv.conf)"
+	echo "   1) Current system resolvers (from /etc/resolv.conf)"
-    echo "   2) FDN (France)"
+	echo "   2) Quad9 (Anycast: worldwide)"
-    echo "   3) DNS.WATCH (Germany)"
+	echo "   3) FDN (France)"
-    echo "   4) OpenDNS (Anycast: worldwide)"
+	echo "   4) DNS.WATCH (Germany)"
-    echo "   5) Google (Anycast: worldwide)"
+	echo "   5) OpenDNS (Anycast: worldwide)"
-    echo "   6) Yandex Basic (Russia)"
+	echo "   6) Google (Anycast: worldwide)"
-    echo "   7) AdGuard DNS (Russia)"
+	echo "   7) Yandex Basic (Russia)"
-    while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" ]]; do
+	echo "   8) AdGuard DNS (Russia)"
-        read -p "DNS [1-7]: " -e -i 1 DNS
+	while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do
+		read -p "DNS [1-8]: " -e -i 1 DNS
 	done
 	echo ""
 	echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
@@ -248,9 +247,8 @@ else
 	echo "   5) CAMELLIA-192-CBC"
 	echo "   6) CAMELLIA-256-CBC"
 	echo "   7) SEED-CBC"
-    echo "   8) BF-CBC"
 	while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
-        read -p "Cipher [1-8]: " -e -i 1 CIPHER
+		read -p "Cipher [1-7]: " -e -i 1 CIPHER
 	done
 	case $CIPHER in
 		1)
@@ -274,8 +272,6 @@ else
 		7)
 		CIPHER="cipher SEED-CBC"
 		;;
-        8)  CIPHER="cipher BF-CBC"
-            ;;
 	esac
 	echo ""
 	echo "Choose what size of Diffie-Hellman key you want to use:"
@@ -368,7 +364,7 @@ iptables -t mangle -F
 iptables -t mangle -X
 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT
-            iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
+iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
 			chmod +x /etc/iptables/flush-iptables.sh
 			echo "[Unit]
 Description=Packet Filtering Framework
@@ -382,7 +378,7 @@ ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
 ExecStop=/etc/iptables/flush-iptables.sh
 RemainAfterExit=yes
 [Install]
-            WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
+WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 			systemctl daemon-reload
 			systemctl enable iptables.service
 		fi
@@ -402,7 +398,7 @@ iptables -t mangle -F
 iptables -t mangle -X
 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT
-            iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
+iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
 			chmod +x /etc/iptables/flush-iptables.sh
 			echo "[Unit]
 Description=Packet Filtering Framework
@@ -416,7 +412,7 @@ ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
 ExecStop=/etc/iptables/flush-iptables.sh
 RemainAfterExit=yes
 [Install]
-            WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
+WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 			systemctl daemon-reload
 			systemctl enable iptables.service
 			# Disable firewalld to allow iptables to start upon reboot
@@ -496,8 +492,7 @@ persist-tun
 keepalive 10 120
 topology subnet
 server 10.8.0.0 255.255.255.0
-duplicate-cn
+ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
-push \"route 10.8.0.0 255.255.255.0\"" >> /etc/openvpn/server.conf
 	# DNS resolvers
 	case $DNS in
 		1)
@@ -506,33 +501,36 @@ push \"route 10.8.0.0 255.255.255.0\"" >> /etc/openvpn/server.conf
 			echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
 		done
 		;;
-        2) #FDN
+		2) #Quad9
+		echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
+		;;
+		3) #FDN
 		echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
 		;;
-        3) #DNS.WATCH
+		4) #DNS.WATCH
 		echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
 		;;
-        4) #OpenDNS
+		5) #OpenDNS
 		echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
 		;;
-        5) #Google
+		6) #Google
 		echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
 		;;
-        6) #Yandex Basic
+		7) #Yandex Basic
 		echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
 		;;
-        7) #AdGuard DNS
+		8) #AdGuard DNS
 		echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
 		;;
 	esac
-    echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
+echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
-    echo "crl-verify crl.pem
+echo "crl-verify crl.pem
 ca ca.crt
 cert server.crt
 key server.key
@@ -540,7 +538,6 @@ tls-auth tls-auth.key 0
 dh dh.pem
 auth SHA256
 $CIPHER
-comp-lzo
 tls-server
 tls-version-min 1.2
 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
@@ -620,8 +617,6 @@ verb 3" >> /etc/openvpn/server.conf
 				systemctl restart openvpn-server@openvpn.service
 				systemctl enable openvpn-server@openvpn.service
 			else
-                sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn\@.service
-                systemctl daemon-reload
 				systemctl restart openvpn@server.service
 			fi
 		else
@@ -629,11 +624,10 @@ verb 3" >> /etc/openvpn/server.conf
 		fi
 	else
 		if pgrep systemd-journal; then
-            if [[ "$OS" = 'arch' ]] || [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then
+			if [[ "$OS" = 'arch' ]]; then
 				#Workaround to avoid rewriting the entire script for Arch
-                sed -i 's|LimitNPROC|#LimitNPROC|' /usr/lib/systemd/system/openvpn-server\@.service
+				sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
-                sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server\@.service
+				sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
-                sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server\@.service
 				systemctl daemon-reload
 				systemctl restart openvpn-server@openvpn.service
 				systemctl enable openvpn-server@openvpn.service
@@ -677,7 +671,6 @@ remote-cert-tls server
 auth SHA256
 auth-nocache
 $CIPHER
-comp-lzo
 tls-client
 tls-version-min 1.2
 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256