Installing OpenVPN with "oneclick" script

There are a lots of settings which can be changed because of this kind of scripts. But how well centmin fights against bad changes?
So I decided to use Angristan's OpenVPN installer. There's also Nyr's similar installer. I don't know which is better...

Everything worked almost like a charm. Only few 'not founds':

Code:

Complete! ./openvpn-install.sh: line 421:
/etc/systemd/system/iptables .service: No such file
or directory ./openvpn-install.sh: line 422:
systemctl: command not found ./openvpn-install.sh:
line 423: systemctl: command not found
./openvpn-install.sh: line 425: systemctl: command
not found ./openvpn-install.sh: line 426: systemctl:
command not found --2018-01-11 07:11:00--
https://github.com/OpenVPN/easy-rsa
/releases/download/v3.0.3/EasyRSA-3.0.3.tgz

Code:

WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
                        systemctl daemon-reload
                        systemctl enable iptables.service
                        # Disable firewalld to allow iptables to start upon reboot
                        systemctl disable firewalld
                        systemctl mask firewalld
                fi

Of course OpenVPN worked before csf -r like I expected. Anyway I luckily make it work:
nano /etc/csf/csf.conf
allow udp 1191 in and out

nano /etc/csf/csfpre.sh
If the file does not exist, you can create it. If it already exists, you should append to it.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -j SNAT --to-source SER.VER.IPH.ERE
(with KVM and similar you can propably use iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE instead of the nat line.)
After booting it still worked.
But because I'm not a coder or anything like it I don't know how secure is my OpenVZ VPS now? I looked thru OpenVPN install script and didn't find anything else "bad" settings like above. There can still be some incompatible code which I didn't notice. Can someone say if my VPS is unsecure or not?

---

This is not a tutorial!

Please fill in any relevant information that applies to you:

• CentOS Version: CentOS 6 64bit
  
• Centmin Mod Version Installed: 123.09beta01 (minimal)
  
• Nginx Version Installed:1.13.8
• PHP Version Installed: stopped
• MariaDB MySQL Version Installed: stopped
• When was last time updated Centmin Mod code base ? : few moments ago
  
• Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
  
  
  Code:

  NSD_DISABLED=y               # when set to =y, NSD disabled by default with chkconfig off
  NGINX_RTMP=n                 # Nginx RTMP Module support https://github.com/arut/nginx-rtmp-module
  NGINX_FLV=n                  # http://nginx.org/en/docs/http/ngx_http_flv_module.html
  NGINX_MP4=n                  # Nginx MP4 Module http://nginx.org/en/docs/http/ngx_http_mp4_module.html
  NGINX_AUTHREQ=n              # http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
  NGINX_SECURELINK=n           # http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
  NGINX_FANCYINDEX=n           # http://wiki.nginx.org/NgxFancyIndex
  NGINX_VHOSTSTATS=n           # https://github.com/vozlt/nginx-module-vts
  NGINX_PAGESPEED=n            # Install ngx_pagespeed
  NGINX_PASSENGER='n'          # Install Phusion Passenger requires installing addons/passenger.sh before hand
  NGINX_WEBDAV=n               # Nginx WebDAV and nginx-dav-ext-module
  NGINX_UPSTREAMCHECK='n'      # nginx upstream check https://github.com/yaoweibin/nginx_upstream_check_module
  NGINX_OPENRESTY='n'          # Agentzh's openresty Nginx modules
  LUAJIT_GITINSTALL='n'        # opt to install luajit 2.1 from dev branch http://repo.or.cz/w/luajit-2.0.git/shortlog/refs/heads/v2.1
  ORESTY_LUANGINX='n'          # enable or disable or ORESTY_LUA* nginx modules below
  NGINX_STUBSTATUS=y           # http://nginx.org/en/docs/http/ngx_http_stub_status_module.html required for nginx statistics
  NGINX_SUB=n                  # http://nginx.org/en/docs/http/ngx_http_sub_module.html
  NGINX_ADDITION=n             # http://nginx.org/en/docs/http/ngx_http_addition_module.html
  NGINX_IMAGEFILTER=n          # http://nginx.org/en/docs/http/ngx_http_image_filter_module.html
  NGINX_CACHEPURGE=y           # https://github.com/FRiCKLE/ngx_cache_purge/
  NGINX_ACCESSKEY=n            #
  NGINX_HTTPCONCAT=n           # https://github.com/alibaba/nginx-http-concat
  NGINX_THREADS=y              # https://www.nginx.com/blog/thread-pools-boost-performance-9x/
  ORESTY_HEADERSMORE=y         # openresty headers more https://github.com/openresty/headers-more-nginx-module
  LOWMEM_INSTALL='y'
  

• betainstaller-minimal.sh

 

It must be my bad english. I didn't mean OpenVPN as a securing thing to my VPS. I'm worried about automatic script which I used to install OpenVPN. Can the script do bad changes to my VPS settings and make my VPS unsecure? Can it mess Centmin mod?

Hmm... Script should be CentOS 6 (i386, amd64) compatible. According to readme.md at github.
Yes the VPN connection is working. IP is VPS's IP and DNS is the set up IP. No leaking. OpenVPN Android connects nicely. Netflix have different movies and betting site won't let me in because "wrong country"...

I forgot to mention TUN/TAP is enabled... I'm quite sure that OpenVPN started upon reboot. Have to check it later.

Hopefully forum posts like these (stupid newbie questions ) courages more people to join here. Setting VPS up should be fast and easy like it is with centmin mod. Personal tuning can be done later.

 

Is there a short cut to install and setup csf/iptables again? Or should I delete vps and do everything again?
Maybe I edit openvpn install script and do manually firewall settings next time...

 

Forgot to mention IPv6 settings.

Code:

1. Enable IPv6 forwarding in /etc/sysctl.conf adding/editingnet.ipv6.conf.all.forwarding=1

2. Run sysctl -p to load changes.

3. Edit server.conf adding:

server-ipv6 2001:1234:5678:9::/64 # your subnet
push "route-ipv6 2000::/3" # tell client to route IPv6 traffic via the VPN. 

Copied & pasted from ipv6 support? · Issue #242 · Nyr/openvpn-install · GitHub

 

As far as I know, I need a rooted phone to disable ipv6. I'm not going to root it. (yet)
While using mobile data, it will leak ipv6 if ovpn is not configured for ipv6.

Of course better ideas are allways welcome. This is the easiest method (for me).