##openvpn-install
OpenVPN road warrior installer for Debian, Ubuntu and CentOS.
This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It isn't bulletproof but has been designed to be as unobtrusive and universal as possible.
This version differs from Angristan's version in that it DOES write logs (for debugging and verifying), and is intended for personal use, only allowing up to 3 simultaneous clients. In the "fast" variant (below) it also allows a weaker TLS cipher, in order to support older iOS and Android clients, although any client that supports it will use a more secure cipher using GCM.
##Fork
This fork includes :
- No comp-lzo: compression is a vector for oracle attacks, e.g. CRIME or BREACH
- Better encryption (see below)
- Avoid DNS leak
- UFW support
- TLS 1.2 only
- Strong ciphers, DH keys and certificates. (see variants)
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
- Run server in unprivileged mode, reducing risks to the system
- TLS-auth to help thwart DoS attacks and provide a 2nd line of defense to the TLS channel.
- FDN's DNS Servers
- Nearest OpenNIC DNS Servers
- Up-to-date OpenVPN (2.3.11) thanks to EPEL and swupdate.openvpn.net
- Support for either SNAT or MASQUERADE for forwarding
- Every feature of the original script (I check periodically to sync the latest commits from source)
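One way to check a generated server config against the list above. This is an added example, not part of the original README or the installer; the mapping of list items to OpenVPN directives and the two sample configs are assumptions.

```shell
# Added example, not part of openvpn-install: audit a server config against the
# hardening list above. The directives are standard OpenVPN options; mapping each
# list item to a directive is an assumption about what the installer writes.

# has/arg: is a directive present (comments ignored), and what is its first argument?
has() { awk -v d="$1" '$1 == d { f = 1; exit } END { exit !f }' "$2"; }
arg() { awk -v d="$1" '$1 == d { print $2; exit }' "$2"; }

# Prints one FAIL line per deviation; exit status is the number of failures.
audit_openvpn_conf() (
    conf="$1"; fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # "comp-lzo no" leaves compression off; any other form turns it on.
    if has comp-lzo "$conf" && [ "$(arg comp-lzo "$conf")" != "no" ]; then
        fail "comp-lzo enabled (compression oracle, cf. CRIME/BREACH)"
    fi
    [ "$(arg tls-version-min "$conf")" = "1.2" ] || fail "tls-version-min is not 1.2"
    case "$(arg cipher "$conf")" in
        AES-*) ;;
        *) fail "cipher missing or not AES (OpenVPN 2.3 default is BF-CBC)" ;;
    esac
    case "$(arg auth "$conf")" in
        SHA256|SHA384|SHA512) ;;
        *) fail "auth missing or not SHA-2 (default is SHA1)" ;;
    esac
    has tls-auth "$conf" || fail "tls-auth not configured"
    v="$(arg user "$conf")"
    { [ -n "$v" ] && [ "$v" != "root" ]; } || fail "server does not drop privileges (user)"
    v="$(arg max-clients "$conf")"
    { [ -n "$v" ] && [ "$v" -le 3 ] 2>/dev/null; } || fail "max-clients missing or above 3"
    exit "$fails"
)

# Constructed sample configs, for demonstration only.
sample_hardened() { printf '%s\n' 'port 1194' 'proto udp' 'user nobody' 'group nogroup' \
    'tls-version-min 1.2' 'cipher AES-256-CBC' 'auth SHA512' 'tls-auth tls-auth.key 0' \
    'max-clients 3' ';comp-lzo'; }
sample_default() { printf '%s\n' 'port 1194' 'proto udp' 'comp-lzo' 'max-clients 100'; }

# Usage: audit_openvpn_conf <path-to-server.conf>
```

The hardened sample passes with no output, while the default-style sample reports seven failures.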
When you launch the script you will be asked to choose a mode. Both will work the same way, but "slow" has stronger encryption settings, so it may slow down your connection and take more time to install.
If you're just using your VPN at home, you may choose "fast". But if you're often using public Wi-Fi or traveling a lot, you should probably use "slow".
In any case, "fast" is still significantly more secure than default OpenVPN settings.
"Slow" variant features :
- 4096 bits RSA private key
- 4096 bits Diffie-Hellman key
- 256 bits AES-GCM
- SHA-384 RSA certificate
"Fast" variant features :
- 2048 bits RSA private key
- 2048 bits Diffie-Hellman key
- 128 bits AES-GCM
- SHA-256 RSA certificate
The script is made to work on these OS :
- Debian 7
- Debian 8
- Ubuntu 12.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 15.10
- Ubuntu 16.04 LTS
- CentOS 6
- CentOS 7
##Installation
Run the script and follow the assistant:
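```
# --no-check-certificate skips TLS certificate validation on any HTTPS redirect
wget --no-check-certificate http://bit.ly/openvpn-install -O openvpn-install.sh
# "source" is a shell builtin and cannot be run through sudo; run the script with bash
sudo bash ./openvpn-install.sh
```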
Once it ends, you can run the second line again to add more users, remove some of them or even completely uninstall OpenVPN.
You can get a cheap VPS for 2€/month at PulseHeberg.
Based on the work of Nyr, Angristan, and others.