# Validation and Parsing

The script validates every user-supplied value before any configuration is applied, so a rejected value never reaches the generated OpenVPN config.
## Input Validators

| Function | Validates | Rules |
|---|---|---|
| validate_port() | Port number | Integer 1–65535 |
| validate_mtu() | MTU size | Integer 576–65535 |
| validate_subnet_ipv4() | IPv4 VPN subnet | Dotted quad ending in .0; must lie in an RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) |
| validate_subnet_ipv6() | IPv6 VPN subnet | Must be a ULA prefix inside fd00::/8 with a prefix length of at least /48 |
| validate_client_name() | Client name | Alphanumerics, underscore, hyphen and dot only; at most 64 characters; no leading or trailing dot |
| validate_positive_int() | Numeric values | Must be a positive integer |
| is_valid_client_name() | Client name | Same rules as validate_client_name(), but returns a boolean instead of exiting fatally |
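The following is an added example, not code from the script itself: POSIX sh validators that apply the rules in the table above, written in the boolean style of is_valid_client_name() (return 0 when valid, 1 otherwise) so the caller decides whether to abort. The function names, the leading-zero rule for octets and the constructed demo inputs are this example's own assumptions; the IPv6 validator is not reproduced.

```shell
#!/bin/sh
# Added example (not the script's own code): POSIX sh validators applying the
# rules from the table above. Names are illustrative; each returns 0 when the
# value is acceptable and 1 otherwise.

# Unsigned integer: one or more digits and nothing else (no sign, no spaces).
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Port number: integer 1-65535.
is_valid_port() {
    is_uint "$1" || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# MTU: integer 576-65535.
is_valid_mtu() {
    is_uint "$1" || return 1
    [ "$1" -ge 576 ] && [ "$1" -le 65535 ]
}

# Client name: [A-Za-z0-9._-] only, 1-64 characters, no leading or trailing
# dot. The character set keeps the name safe to embed in file paths and
# command arguments; the dot rule also rejects "." and "..".
is_valid_client_name() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 64 ] || return 1
    case "$name" in
        .*|*.) return 1 ;;              # leading or trailing dot
        *[!A-Za-z0-9._-]*) return 1 ;;  # any character outside the allowed set
    esac
    return 0
}

# IPv4 VPN subnet: four decimal octets, last one 0, inside an RFC 1918 block.
is_valid_subnet_ipv4() {
    subnet=$1
    # Only digits and dots may appear at all.
    case "$subnet" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    # Split on dots; a fifth field or a missing fourth means the wrong shape.
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$subnet
EOF
    [ -z "$extra" ] || return 1
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        is_uint "$octet" || return 1
        [ "$octet" -le 255 ] || return 1
        # Assumption added here: reject leading zeros, because "010" is octal
        # to inet_aton() and decimal to other parsers, so it must never be
        # written into a config.
        case "$octet" in 0?*) return 1 ;; esac
    done
    [ "$o4" -eq 0 ] || return 1
    # RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    [ "$o1" -eq 10 ] && return 0
    [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0
    [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ] && return 0
    return 1
}

# Demo on constructed inputs.
check() {
    if "$1" "$2"; then printf '%-22s %-16s accepted\n' "$1" "$2"
    else printf '%-22s %-16s rejected\n' "$1" "$2"; fi
}
check is_valid_port 1194
check is_valid_port 70000
check is_valid_client_name laptop-01.home
check is_valid_client_name .hidden
check is_valid_subnet_ipv4 10.8.0.0
check is_valid_subnet_ipv4 8.8.8.0
```

The subnet check deliberately rejects the whole value on any character outside `[0-9.]` before splitting it, which is what keeps the `read`-based split from ever seeing shell-significant input.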
## Option Parsers

These functions check that a value is one of the allowed values (listed in full under Supported Options) and only then store it:

| Function | Purpose | Valid Values |
|---|---|---|
| parse_dns_provider() | DNS provider | system, unbound, cloudflare, quad9, google, ... (the 13 entries of DNS_PROVIDERS) |
| parse_cipher() | Data cipher | AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305, ... (the 7 entries of CIPHERS) |
| parse_curve() | ECDSA curve | prime256v1, secp384r1, secp521r1 (CERT_CURVES) |
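As an added example (not the script's own code), here is the membership test an option parser should perform, next to the substring shortcut it must not use. The lists mirror the arrays under Supported Options but are kept as space-separated strings so the example runs in plain sh; the function names and the stored variables (CIPHER, CURVE) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the script's own code): exact-match option parsing.
# Lists mirror CIPHERS and CERT_CURVES from Supported Options.
CIPHERS="AES-128-GCM AES-192-GCM AES-256-GCM AES-128-CBC AES-192-CBC AES-256-CBC CHACHA20-POLY1305"
CERT_CURVES="prime256v1 secp384r1 secp521r1"

# in_set VALUE CANDIDATE...: exact, case-sensitive string equality only.
in_set() {
    needle=$1; shift
    for candidate in "$@"; do
        [ "$candidate" = "$needle" ] && return 0
    done
    return 1
}

# Validate, then store. Assigning only after the check means a rejected value
# never ends up in the variable the config generator reads, even if a caller
# forgets to look at the return status.
parse_cipher() {
    if ! in_set "$1" $CIPHERS; then
        printf 'error: invalid cipher "%s" (allowed: %s)\n' "$1" "$CIPHERS" >&2
        return 1
    fi
    CIPHER=$1
}

parse_curve() {
    if ! in_set "$1" $CERT_CURVES; then
        printf 'error: invalid curve "%s" (allowed: %s)\n' "$1" "$CERT_CURVES" >&2
        return 1
    fi
    CURVE=$1
}

# The tempting shortcut, shown only as the anti-pattern: a regex search over
# the list. It accepts "AES" (a prefix), "" (the empty pattern matches every
# line) and "." (a wildcard), so a typo or a crafted value passes silently.
naive_parse_cipher() {
    printf '%s\n' "$CIPHERS" | grep -q -- "$1" && CIPHER=$1
}

# Demo on constructed inputs.
for v in AES-256-GCM AES aes-256-gcm; do
    if parse_cipher "$v" 2>/dev/null; then echo "exact: accepted $v"; else echo "exact: rejected $v"; fi
    if naive_parse_cipher "$v"; then echo "naive: accepted $v"; else echo "naive: rejected $v"; fi
done
```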
## Configuration Validation

validate_configuration() runs a comprehensive check of the entire configuration before installation, so that cross-option conflicts are caught before anything is written. It validates:

- Protocol (udp/tcp)
- DNS provider
- Certificate type (ecdsa/rsa)
- TLS signature mode (crypt-v2/crypt/auth)
- Authentication mode (pki/fingerprint)
- Port range
- IPv4/IPv6 stack settings (at least one must be enabled)
- Cipher compatibility
- Curve or RSA key size (whichever applies to the chosen certificate type)
- TLS version
- HMAC algorithm
- MTU range
- Custom DNS addresses
- Subnet formats
- Fingerprint authentication mode requires OpenVPN 2.6 or newer
## Version Comparison

| Function | Purpose |
|---|---|
| version_ge() | Return true when the first version is greater than or equal to the second (uses sort -V) |
| get_openvpn_version() | Extract the version string from the output of openvpn --version |
| openvpnVersionAtLeast() | Check whether the installed OpenVPN is at least the given version |
| kernelVersionAtLeast() | Check whether the running kernel is at least the given version |
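The following added example (not the script's own code) ties the two preceding sections together: a version_ge()-style comparison on top of sort -V, extraction of the version from captured openvpn --version text, and the kind of cross-field checks validate_configuration() is described as performing (both IP stacks disabled, key parameter not matching the certificate type, fingerprint mode on an OpenVPN older than 2.6). Function names, the validate_config() argument layout and the two sample banners are this example's assumptions; the banners are constructed to match the shape of the first line openvpn --version prints and are not real captures.

```shell
#!/bin/sh
# Added example (not the script's own code). Needs a sort that understands
# -V (GNU coreutils; BSD/macOS sort does not have it).

# version_ge A B: true when A >= B. `sort -V` puts the lower version first,
# so A >= B exactly when B is the first line of the sorted pair.
# Caveat: compare like with like. sort -V orders 2.6 before 2.6.0, so
# version_ge 2.6 2.6.0 is false; pass the minimum with no more components
# than the installed version reports, or normalize both first.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Constructed samples (not real captures) shaped like `openvpn --version`.
SAMPLE_NEW='OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10'
SAMPLE_OLD='OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 16 2023'

# Pull the dotted version out of captured banner text. Anchored to line 1 and
# to the "OpenVPN " prefix so a version number in a later "library versions"
# line can never be mistaken for the daemon's own.
version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^OpenVPN \([0-9][0-9.]*\).*/\1/p'
}

# openvpn_at_least MIN [BANNER]: compare the installed (or supplied) version
# against MIN. Without BANNER it runs the binary; a missing binary or an
# unparsable banner fails closed instead of counting as "new enough".
openvpn_at_least() {
    banner=${2:-$(openvpn --version 2>/dev/null)}
    ver=$(version_from_output "$banner")
    [ -n "$ver" ] && version_ge "$ver" "$1"
}

# validate_config AUTH_MODE CERT_TYPE KEY_PARAM IPV4 IPV6 BANNER
# Reports every problem found (not just the first) and fails if there was any.
validate_config() {
    auth_mode=$1 cert_type=$2 key_param=$3 ipv4=$4 ipv6=$5 banner_text=$6
    errors=0
    if [ "$ipv4" != yes ] && [ "$ipv6" != yes ]; then
        printf 'error: at least one of IPv4/IPv6 must be enabled\n' >&2
        errors=$((errors + 1))
    fi
    case "$cert_type" in
        ecdsa) case "$key_param" in
                   prime256v1|secp384r1|secp521r1) ;;
                   *) printf 'error: unknown curve "%s"\n' "$key_param" >&2; errors=$((errors + 1)) ;;
               esac ;;
        rsa)   case "$key_param" in
                   2048|3072|4096) ;;
                   *) printf 'error: unsupported RSA key size "%s"\n' "$key_param" >&2; errors=$((errors + 1)) ;;
               esac ;;
        *)     printf 'error: unknown certificate type "%s"\n' "$cert_type" >&2; errors=$((errors + 1)) ;;
    esac
    if [ "$auth_mode" = fingerprint ] && ! openvpn_at_least 2.6 "$banner_text"; then
        printf 'error: fingerprint authentication needs OpenVPN 2.6 or newer\n' >&2
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Demo: the same fingerprint/ECDSA configuration against both sample banners.
for b in "$SAMPLE_NEW" "$SAMPLE_OLD"; do
    printf 'OpenVPN %s: ' "$(version_from_output "$b")"
    if validate_config fingerprint ecdsa secp384r1 yes no "$b"; then echo ok; else echo invalid; fi
done
```

Note that sort -V also gets 2.10.1 > 2.9.9 right, which a plain string comparison would not; that is the reason to use it rather than `[ "$a" \> "$b" ]`.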
## Supported Options

All valid values are defined as bash arrays at the top of the script; the parsers and validate_configuration() check against these lists:

```bash
PROTOCOLS=("udp" "tcp")
DNS_PROVIDERS=("system" "unbound" "cloudflare" "quad9" "quad9-uncensored"
               "fdn" "dnswatch" "opendns" "google" "yandex" "adguard"
               "nextdns" "custom")
CIPHERS=("AES-128-GCM" "AES-192-GCM" "AES-256-GCM"
         "AES-128-CBC" "AES-192-CBC" "AES-256-CBC"
         "CHACHA20-POLY1305")
CERT_TYPES=("ecdsa" "rsa")
CERT_CURVES=("prime256v1" "secp384r1" "secp521r1")
RSA_KEY_SIZES=("2048" "3072" "4096")
TLS_VERSIONS=("1.2" "1.3")
TLS_SIG_MODES=("crypt-v2" "crypt" "auth")
AUTH_MODES=("pki" "fingerprint")
HMAC_ALGS=("SHA256" "SHA384" "SHA512")
```

The three AES-CBC entries are non-AEAD modes retained for older clients; prefer one of the AEAD ciphers (the GCM modes or CHACHA20-POLY1305) unless a client cannot negotiate one.