diff --git a/alipay b/alipay
new file mode 100644
index 0000000..191f47f
--- /dev/null
+++ b/alipay
@@ -0,0 +1,37 @@
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
diff --git a/api b/api
new file mode 100644
index 0000000..546f623
--- /dev/null
+++ b/api
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+clear
+# ====== CONFIG (edit here once) ======
+DOMAIN="domain.com"
+API_KEY="YOUR_API_KEY"
+SECRET_API_KEY="YOUR_SECRET_API_KEY"
+TTL="600"
+TYPE="A"
+
+API_BASE="https://api.porkbun.com/api/json/v3/dns"
+
+echo "====== Porkbun DNS Manager ======"
+echo "Domain: $DOMAIN"
+echo ""
+
+echo "Choose an action:"
+echo "1) Update subdomain IP"
+echo "2) Create new subdomain"
+echo ""
+
+read -p "Enter choice (1 or 2): " ACTION
+
+case $ACTION in
+
+# Update existing record
+1)
+    read -p "Enter subdomain to update: " SUBDOMAIN
+    read -p "Enter new IP address: " IP
+
+    echo ""
+    echo "Updating ${SUBDOMAIN}.${DOMAIN} -> ${IP}"
+    read -p "Proceed? (y/n): " CONFIRM
+    [[ "$CONFIRM" != "y" ]] && echo "Cancelled." && exit 1
+
+    RESPONSE=$(curl -s -X POST \
+    "$API_BASE/editByNameType/${DOMAIN}/${TYPE}/${SUBDOMAIN}" \
+    -H "Content-Type: application/json" \
+    -d "{
+        \"secretapikey\": \"${SECRET_API_KEY}\",
+        \"apikey\": \"${API_KEY}\",
+        \"content\": \"${IP}\",
+        \"ttl\": \"${TTL}\"
+    }")
+
+    echo ""
+    echo "API Response:"
+    echo "$RESPONSE"
+    ;;
+
+# Create new subdomain
+2)
+    read -p "Enter new subdomain name: " SUBDOMAIN
+    read -p "Enter IP address: " IP
+
+    echo ""
+    echo "Creating ${SUBDOMAIN}.${DOMAIN} -> ${IP}"
+
+    RESPONSE=$(curl -s -X POST \
+    "$API_BASE/create/${DOMAIN}" \
+    -H "Content-Type: application/json" \
+    -d "{
+        \"secretapikey\": \"${SECRET_API_KEY}\",
+        \"apikey\": \"${API_KEY}\",
+        \"name\": \"${SUBDOMAIN}\",
+        \"type\": \"${TYPE}\",
+        \"content\": \"${IP}\",
+        \"ttl\": \"${TTL}\"
+    }")
+
+    echo ""
+    echo "API Response:"
+    echo "$RESPONSE"
+    ;;
+
+*)
+    echo "Invalid choice."
+    exit 1
+    ;;
+esac
diff --git a/arch/arch_config.sh b/arch/arch_config.sh
new file mode 100644
index 0000000..d529a91
--- /dev/null
+++ b/arch/arch_config.sh
@@ -0,0 +1,154 @@
+#/bin/bash
+clear
+#************************************************************************************Print old information
+if [[ -f "/root/info" ]]; then
+    name1=$(awk 'NR==1 {print $1}' /root/info)
+    disk1=$(awk 'NR==2 {print $1}' /root/info)
+    boot1=$(awk 'NR==3 {print $1}' /root/info)
+    encrypt1=$(awk 'NR==4 {print $1}' /root/info)
+    euuid=$(sed -n '5p' /root/info)
+    efistub=$(awk 'NR==6 {print $1}' /root/info)
+    minisys=$(awk 'NR==7 {print $1}' /root/info)
+    root1=$(sed -n '8p' /root/info)
+
+    echo '--------------System Information--------------'
+    if [[ -d "/sys/firmware/efi" ]]; then
+        echo 'UEFI      = ON'
+    else
+        echo 'UEFI      = OFF'
+    fi
+    if [[ $efistub = 1 ]]; then
+        echo 'EFIstub   = ON'
+    else
+        echo 'EFIstub   = OFF'
+    fi
+    if [[ $minisys = 1 ]]; then
+        echo 'Minisys   = ON'
+    else
+        echo 'Minisys   = OFF'
+    fi
+    if [[ $encrypt1 = 1 ]]; then
+        echo 'Encrypt   = ON'
+        echo "Enc UUID  = $(sed -n '5p' /root/info)"
+    else
+        echo 'Encrypt   = OFF'
+    fi
+    echo -e "HOOKs     = \e[33m$(sed -n '55p' /etc/mkinitcpio.conf | awk -F= '{print $2}')\e[0m"
+    echo -e "SSH file  = \e[33m$(sed -n '33p' /etc/ssh/sshd_config)\e[0m"
+    echo -e "Localtime = \e[33m$(date +%H:%M\ \ \ %Y/%m/%d)\e[0m"
+    echo -e "Sudoers   = \e[33m$(sed -n '125p' /etc/sudoers)\e[0m"
+    echo -e "Shell     = \e[33m$(echo $SHELL)\e[0m"
+    if [[ -f "/etc/default/grub" ]]; then
+        echo -e "GRUB time = \e[33m$(sed -n '4p' /etc/default/grub)\e[0m"
+        echo -e "GRUB UUID = \e[33m$(sed -n '7p' /etc/default/grub)\e[0m"
+    fi
+    if [[ -f "/etc/vconsole.conf" ]]; then
+        echo -e "Font size = \e[33m$(cat /etc/vconsole.conf)\e[0m"
+    fi
+    echo '----------------------------------------------'
+else
+    echo 'No info file'
+    exit 1
+fi
+read -p 'Continue: (YES/NO) ' ask_continue
+if [[ $ask_continue != YES ]]; then
+    echo -e "\e[31mAborted ...\e[0m"
+    exit 1
+fi
+#************************************************************************************Change information
+if [[ -f "/root/info" ]]; then
+    if [[ $efistub = 1 ]]; then #----------------------------------------------------------EFI Stub
+        if [[ $encrypt1 = 1 ]]; then #-------------------------------EFI Stub Encrypt
+            efibootmgr --create --disk $disk1 --part $boot1 --label "Arch Linux LTS" --loader \vmlinuz-linux-lts --unicode "rd.luks.name=${euuid}=system root=/dev/mapper/OS-ROOT rw rd.luks.options=password-echo=no initrd=\initramfs-linux-lts.img"
+            sed -i '55d' /etc/mkinitcpio.conf
+            sed -i '55i HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block sd-encrypt lvm2 filesystems fsck)' /etc/mkinitcpio.conf
+        else #-------------------------------------------------------EFI Stub
+            efibootmgr --create --disk $disk1 --part $boot1 --label "Arch Linux LTS" --loader \vmlinuz-linux-lts --unicode "root=${root1} rw initrd=\initramfs-linux-lts.img"
+        fi
+    else #---------------------------------------------------------------------------------GRUB
+        sed -i '4d' /etc/default/grub
+        sed -i '4i GRUB_TIMEOUT=0' /etc/default/grub
+        if [[ $encrypt1 = 1 ]]; then #-------------------------------GEUB Encrypt
+            sed -i '7d' /etc/default/grub
+            sed -i "7i GRUB_CMDLINE_LINUX=cryptdevice=UUID=${euuid}:SYSTEM root=/dev/mapper/os-root" /etc/default/grub
+            sed -i '55d' /etc/mkinitcpio.conf
+            sed -i '55i HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)' /etc/mkinitcpio.conf
+        fi
+        if [ -d "/sys/firmware/efi" ]; then #------------------------UEFI
+            echo -e "\e[32mUEFI\e[0m"
+            grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=Unix
+            echo -e "\e[32mgrub installed\e[0m"
+            grub-mkconfig -o /boot/grub/grub.cfg
+            echo -e "\e[32mgrub.cfg installed\e[0m"
+        else #-------------------------------------------------------BIOS
+            echo -e "\e[32mBIOS\e[0m"
+            grub-install --target=i386-pc /dev/vda
+            echo -e "\e[32mgrub installed\e[0m"
+            grub-mkconfig -o /boot/grub/grub.cfg
+            echo -e "\e[32mgrub.cfg installed\e[0m"
+        fi
+    fi
+    if [[ $minisys != 1 ]]; then
+        systemctl enable docker >/dev/null 2>&1
+        systemctl enable fail2ban >/dev/null 2>&1
+        systemctl enable nginx >/dev/null 2>&1
+        mkdir /etc/nginx/conf.d
+        sed -i '22a \ \ \ \ include /etc/nginx/conf.d/*.conf;' /etc/nginx/nginx.conf
+    fi
+else
+    echo 'No info file'
+fi
+
+#------------------------------------------------------------------------------Common Services
+#Change SSH
+sed -i '33d' /etc/ssh/sshd_config
+sed -i '33i PermitRootLogin yes' /etc/ssh/sshd_config
+#Change issue
+echo Welcome back > /etc/issue
+#Change hostname
+echo $name1 > /etc/hostname
+#Change time
+ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
+#Change font
+echo 'FONT=ter-v28b' > /etc/vconsole.conf
+#Change sudoers file
+sed -i '125d' /etc/sudoers
+sed -i '125i %wheel ALL=(ALL:ALL) ALL' /etc/sudoers
+#enable ssh networkmanager
+systemctl enable sshd >/dev/null 2>&1
+systemctl enable NetworkManager >/dev/null 2>&1
+#Add my key
+bash <(curl -sL sh.lihanzhang.cn/pub)
+chsh -s /bin/zsh
+ln -s /bin/vim /bin/vi
+#Create my folder
+mkdir /file
+mkdir /www/log -p
+mkdir /frp
+#arch environment
+#Add user
+useradd -m olivia -G wheel
+mkdir -p ~/.local/bin
+curl https://sh.lihanzhang.cn/arch/profile -so ~/.local/bin/.bashrc
+curl https://sh.lihanzhang.cn/arch/zshrc -so ~/.zshrc
+curl https://sh.lihanzhang.cn/arch/vimrc -so ~/.vimrc
+curl https://sh.lihanzhang.cn/arch/fail2ban.conf -so /etc/fail2ban/jail.conf
+mkinitcpio -p linux-lts
+#************************************************************************************Print Changed information
+echo '--------------System Information--------------'
+echo -e "HOOKs     = \e[33m$(sed -n '55p' /etc/mkinitcpio.conf | awk -F= '{print $2}')\e[0m"
+echo -e "SSH file  = \e[33m$(sed -n '33p' /etc/ssh/sshd_config)\e[0m"
+echo -e "Issue     = \e[33m$(cat /etc/issue)\e[0m"
+echo -e "Hostname  = \e[33m$(cat /etc/hostname)\e[0m"
+echo -e "Localtime = \e[33m$(date +%H:%M\ \ \ %Y/%m/%d)\e[0m"
+echo -e "Sudoers   = \e[33m$(sed -n '125p' /etc/sudoers)\e[0m"
+echo -e "Shell     = \e[33m$(echo $SHELL)\e[0m"
+echo -e "Font size = \e[33m$(cat /etc/vconsole.conf)\e[0m"
+if [[ -f "/etc/default/grub" ]]; then
+    echo -e "GRUB time = \e[33m$(sed -n '4p' /etc/default/grub)\e[0m"
+    echo -e "GRUB UUID = \e[33m$(sed -n '7p' /etc/default/grub)\e[0m"
+fi
+echo '----------------------------------------------'
+rm -rf /root/info
+rm -rf /arch_config.sh
+echo -e "\e[32m------Please change password------\e[0m"
diff --git a/arch/fail2ban.conf b/arch/fail2ban.conf
new file mode 100644
index 0000000..6f1e79b
--- /dev/null
+++ b/arch/fail2ban.conf
@@ -0,0 +1,10 @@
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+backend = systemd
+logpath = journal
+maxretry = 3
+bantime = 1d
+findtime = 10m
+action = iptables[name=SSH, port=ssh, protocol=tcp]
diff --git a/arch/profile b/arch/profile
new file mode 100644
index 0000000..b46b08e
--- /dev/null
+++ b/arch/profile
@@ -0,0 +1,56 @@
+#!/bin/bash
+code() {
+    if [ $# -eq 0 ]; then
+        echo "Usage: code [-d] <script name>"
+        echo " -d Download and execute the script with bash"
+        return 1
+    fi  
+
+    local execute=false
+    
+    if [ "$1" = "-d" ]; then
+        execute=true
+        shift
+    fi
+    
+    local script_name="$1"
+    local base_url="https://sh.lihanzhang.cn"
+    
+    if curl -sfO "${base_url}/${script_name}" 2>/dev/null; then
+        if [ -f "${script_name}" ]; then
+            if [ "$execute" = true ]; then
+                bash "${script_name}"
+            fi
+        fi
+    fi
+}
+transfer() {
+    if [ -z "$1" ]; then
+        echo "Usage: transfer <file>"
+        return 1
+    fi
+    url=$(curl -sT "$1" https://u.lihanzhang.cn)
+
+    if command -v qrencode >/dev/null 2>&1; then
+        qrencode -t ANSIUTF8 "$url"
+    fi
+
+    echo -e "\e[32m$url\e[0m"
+}
+enc() {
+    if [ "$1" = "-d" ]; then
+        shift
+        if [ $# -ne 2 ]; then
+            echo "Usage: enc -d <input_file> <output_file>"
+            return 1
+        fi
+        openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2"
+    else
+        if [ $# -ne 2 ]; then
+            echo "Usage: enc <input_file> <output_file>"
+            return 1
+        fi
+        openssl enc -aes-256-cbc -pbkdf2 -in "$1" -out "$2"
+    fi
+}
+#curl -L sh.lihanzhang.cn/profile -o /root/.local/bin/.bashrc
diff --git a/arch/vimrc b/arch/vimrc
new file mode 100644
index 0000000..8839382
--- /dev/null
+++ b/arch/vimrc
@@ -0,0 +1,3 @@
+if has('mouse')
+    set mouse-=a
+endif
diff --git a/arch/zshrc b/arch/zshrc
new file mode 100644
index 0000000..6be59cf
--- /dev/null
+++ b/arch/zshrc
@@ -0,0 +1,22 @@
+PS1='[%n@%m %1~]%# '
+alias t="clear;exit"
+alias cc="clear"
+alias duf="duf --only local"
+alias ls="ls --color=auto"
+source ~/.local/bin/.bashrc
+
+source /usr/share/zsh/plugins/zsh-autosuggestions/zsh-autosuggestions.zsh
+source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh
+autoload -Uz compinit
+compinit
+
+HISTFILE=~/.zsh_history
+HISTSIZE=10000
+SAVEHIST=10000
+
+setopt APPEND_HISTORY
+setopt SHARE_HISTORY
+bindkey '^[[1;5D' backward-word
+bindkey '^[[1;5C' forward-word
+cd /file
+clear
diff --git a/arch_cloud b/arch_cloud
new file mode 100644
index 0000000..6821a06
--- /dev/null
+++ b/arch_cloud
@@ -0,0 +1,23 @@
+#Change UUID
+set timeout=600
+menuentry "Arch Linux Live (UUID Method)" {
+    insmod part_msdos
+    insmod iso9660
+    insmod search_fs_uuid
+    search --no-floppy --fs-uuid --set=root UUID
+    linux /arch/boot/x86_64/vmlinuz-linux \
+        archisobasedir=arch \
+        archisolabel=ARCH_202604
+    initrd /arch/boot/x86_64/initramfs-linux.img
+}
+#-------------------------------------------------------------------------------------------------------------------------------------------
+parted /dev/vda
+resizepart 2 48GB
+print
+quit
+#-------------------------------------------------------------------------------------------------------------------------------------------
+#Create a partition, sized 1M
+#And 
+parted /dev/vda
+set 1 bios_grub on
+quit
diff --git a/archboot b/archboot
new file mode 100644
index 0000000..87b7ef6
--- /dev/null
+++ b/archboot
@@ -0,0 +1,54 @@
+#/bin/bash
+clear
+echo '|--------------|'
+echo '|Boot generator|'
+echo '|--------------|'
+iso_date=$(date "+%Y.%m.")
+
+read -p "Do you want to use the archlinux-${iso_date}01-x86_64.iso?(YES/NO) :" archlinux
+if [ "$archlinux" = "NO" ]; then
+    echo -e "\e[31mAttention\e[0m"
+    read -p "Enter the date like '2026.04.': " iso_date
+fi
+echo ''
+echo '-----------------------------------------------------------------------------------------------------------'
+blkid
+echo '-----------------------------------------------------------------------------------------------------------'
+echo ''
+read -p "Which partition is the ISO located? 1 or 2(line) :" p_iso
+echo ''
+uuid=$(blkid | sed -n "${p_iso}p"| grep -Eo '\<UUID=.{9}-.{4}-.{4}-.{4}-.{12}' | grep -Eo '.{8}-.{4}-.{4}-.{4}-.{12}')
+echo -e "\e[32mUUID=${uuid}\e[0m"
+echo -e "\e[32mRelease=archlinux-${iso_date}01-x86_64.iso\e[0m"
+echo ''
+
+cat << EOF > grub_arch
+menuentry "Arch ISO" {
+
+    set isofile="/archlinux-${iso_date}01-x86_64.iso"
+
+    insmod part_gpt
+    insmod ext2
+    insmod loopback
+    insmod iso9660
+
+    search --no-floppy --fs-uuid --set=root $uuid
+
+    loopback loop \$isofile
+
+    linux (loop)/arch/boot/x86_64/vmlinuz-linux \\
+        img_dev=/dev/disk/by-uuid/$uuid \\
+        img_loop=\$isofile
+
+    initrd (loop)/arch/boot/x86_64/initramfs-linux.img
+}
+EOF
+
+read -p "Do you want to copy it to /boot/grub/grub.cfg and backup the old grub.cof?(YES/NO) :" grub_file
+if [ "$grub_file" = "YES" ]; then
+    cp grub_arch /boot/grub/
+    mv /boot/grub/grub.cfg /boot/grub/grub.cfg.back
+    mv /boot/grub/grub_arch /boot/grub/grub.cfg
+    sed -n '1p' /boot/grub/grub.cfg
+fi
+
diff --git a/bash b/bash
new file mode 100644
index 0000000..2c13c1e
--- /dev/null
+++ b/bash
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+#Change the environment file
+echo 'alias cc="clear"
+alias t="clear;exit"
+cd /file
+source /root/.local/bin/.bashrc
+clear' >> ~/.bashrc
+
+#Create .local/bin
+mkdir -p /root/.local/bin
+curl https://sh.lihanzhang.cn/arch/profile -o /root/.local/bin/.bashrc
+chmod +x /root/.local/bin/.bashrc
+
+#Create directories
+if [ ! -d "/root/.ssh" ]; then
+    mkdir /root/.ssh
+fi
+mkdir /www/log -p
+mkdir /file
+
+chmod 000 /etc/update-motd.d/* -R
+
+#Add public sshkey
+bash <(curl -sL sh.lihanzhang.cn/pub)
+echo -e "\e[32msource ~/.bashrc\e[0m"
diff --git a/certbot b/certbot
new file mode 100755
index 0000000..8ca373b
--- /dev/null
+++ b/certbot
@@ -0,0 +1,8 @@
+#/bin/bash
+clear
+systemctl stop nginx
+
+read -p 'Enter your doamin :' domain
+certbot certonly --standalone -d $domain
+
+systemctl restart nginx
diff --git a/climail b/climail
new file mode 100644
index 0000000..9c302b4
--- /dev/null
+++ b/climail
@@ -0,0 +1,13 @@
+Installing ssmtp mailutils
+
+#ssmtp.conf
+mailhub=mail.abc.com:587
+AuthUser=hello@abc.com
+AuthPass=passwd
+UseSTARTTLS=YES
+
+#revaliases
+root:hello@domain.com:mail.doamin.com:587
+
+#sending
+echo "This is the email body" | mail -s "Subject" me@lihanzhang.cn
diff --git a/crypto/bitcoin b/crypto/bitcoin
new file mode 100644
index 0000000..af257aa
--- /dev/null
+++ b/crypto/bitcoin
@@ -0,0 +1 @@
+bc1py36m8vcwznxpajrrsj6w9cndp4xff7ggxgsf9q2rfdjkuh7wamasw39ulz
diff --git a/crypto/doge b/crypto/doge
new file mode 100644
index 0000000..0d407a9
--- /dev/null
+++ b/crypto/doge
@@ -0,0 +1 @@
+D87bzhaHwfhsuDc3MCM3FJymLqmgjR2Tby
diff --git a/crypto/list b/crypto/list
new file mode 100644
index 0000000..6ac5f19
--- /dev/null
+++ b/crypto/list
@@ -0,0 +1,7 @@
+total 20K
+-rw-r--r-- 1 root root  63 Dec 31 18:43 bitcoin
+-rw-r--r-- 1 root root  35 Dec 31 18:44 doge
+-rw-r--r-- 1 root root   0 Dec 31 18:45 list
+-rw-r--r-- 1 root root 291 Dec 31 18:45 lsit
+-rw-r--r-- 1 root root  43 Dec 31 18:44 usdt_eth
+-rw-r--r-- 1 root root  35 Dec 31 18:44 usdt_trx
diff --git a/crypto/usdt_eth b/crypto/usdt_eth
new file mode 100644
index 0000000..2169369
--- /dev/null
+++ b/crypto/usdt_eth
@@ -0,0 +1 @@
+0xFF5EEbf6A6E0C90415066A18a0bb60125A4bd987
diff --git a/crypto/usdt_trx b/crypto/usdt_trx
new file mode 100644
index 0000000..16df443
--- /dev/null
+++ b/crypto/usdt_trx
@@ -0,0 +1 @@
+TFC1sKEs1UC7VfKuxQHMQA8KtBLeG6jqLg
diff --git a/exam b/exam
new file mode 100644
index 0000000..f48c0ab
--- /dev/null
+++ b/exam
@@ -0,0 +1,2 @@
+#docker run -d -p 1991:1991 registry.cn-hangzhou.aliyuncs.com/surveyking/surveyking:latest
+docker run --name exam -d -p 1991:1991 surveyking/surveyking
diff --git a/frp.conf b/frp.conf
new file mode 100644
index 0000000..38e6ea4
--- /dev/null
+++ b/frp.conf
@@ -0,0 +1,16 @@
+#Server
+bindPort = 7000
+
+#Client
+serverAddr = "lihanzhang.cn"
+serverPort = 7000
+
+[[proxies]]
+name = "test-tcp"
+type = "tcp"
+localIP = "192.168.0.1"
+localPort = 22
+remotePort = 6000
+
+#Authentication
+auth.token = ""
diff --git a/frp.sh b/frp.sh
new file mode 100755
index 0000000..b5e72f7
--- /dev/null
+++ b/frp.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+clear
+m_s="https://file.lihanzhang.cn/frp/"
+echo -e "\e[32mWelcome to use Penetration tools\e[0m"
+echo '1.linux amd64'
+echo '2.linux arm'
+echo '3.linux arm64'
+echo ''
+
+read -p 'Chose your version(1, 2, 3): ' version
+read -p 'Client or Server?(c, s): ' version2
+read -p 'Whether to enable Authentication(y/n): ' auth
+if [[ "$auth" = y ]]; then
+    read -sp "Enter token: " token
+    echo ''
+fi
+echo ''
+echo -e "\e[32mDownloading......\e[0m"
+
+if [ ! -d /frp ]; then
+    mkdir /frp
+fi
+if [ "$version2" == s ]; then
+    if [ "$version" == 1 ]; then
+        curl "${m_s}linux_amd64_s.tar.gz" -o /frp/frps.tar.gz
+    fi
+    if [ "$version" == 2 ]; then
+        curl "${m_s}linux_arm_s.tar.gz" -o /frp/frps.tar.gz
+    fi
+    if [ "$version" == 3 ]; then
+        curl "${m_s}linux_arm64_s.tar.gz" -o /frp/frps.tar.gz
+    fi
+    echo 'bindPort = 7000' >/frp/frps.toml
+    if [[ "$auth" = y ]]; then
+        sed -i "1a auth.token = \"${token}\"" /frp/frps.toml
+    fi
+    echo ''
+    echo -e "\e[32mDecompressing......\e[0m"
+    tar -xzvf /frp/frps.tar.gz -C /frp
+    rm -rf /frp/frps.tar.gz
+fi
+
+if [ "$version2" == c ]; then
+    if [ "$version" == 1 ]; then
+        curl "${m_s}linux_amd64_c.tar.gz" -o /frp/frpc.tar.gz
+    fi
+    if [ "$version" == 2 ]; then
+        curl "${m_s}linux_arm_c.tar.gz" -o /frp/frpc.tar.gz
+    fi
+    if [ "$version" == 3 ]; then
+        curl "${m_s}linux_arm64_c.tar.gz" -o /frp/frpc.tar.gz
+    fi
+    echo ''
+    echo -e "\e[32mDecompressing......\e[0m"
+    tar -xzvf /frp/frpc.tar.gz -C /frp
+    rm -rf /frp/frpc.tar.gz
+fi
+
+if [ "$version2" == c ]; then
+    echo ''
+    echo -e "\e[32mConfiguring......\e[0m"
+    read -p 'IP or Domain: ' domain
+    read -p 'Local   port: ' local_port
+    read -p 'Remote  port: ' remote_port
+    echo "serveraddr = \"${domain}\"" >/frp/frpc.toml
+    sed -i "1a serverport = 7000" /frp/frpc.toml
+    sed -i "2a [[proxies]]" /frp/frpc.toml
+    sed -i "3a name = \"proxies\"" /frp/frpc.toml
+    sed -i "4a type = \"tcp\"" /frp/frpc.toml
+    sed -i "5a localip = \"127.0.0.1\"" /frp/frpc.toml
+    sed -i "6a localport = ${local_port}" /frp/frpc.toml
+    sed -i "7a remoteport = ${remote_port}" /frp/frpc.toml
+    if [[ "$auth" = y ]]; then
+        sed -i "2a auth.token = \"${token}\"" /frp/frpc.toml
+    fi
+fi
+echo ''
diff --git a/hello b/hello
new file mode 100644
index 0000000..7a69421
--- /dev/null
+++ b/hello
@@ -0,0 +1 @@
+echo -e "\e[32mhello world\e[0m"
diff --git a/iarch b/iarch
new file mode 100755
index 0000000..129268a
--- /dev/null
+++ b/iarch
@@ -0,0 +1,189 @@
+#!/bin/bash
+clear
+# ------------------ Display Device ------------------
+echo -e "\e[32m$(lsblk)\e[0m"
+
+# ------------------ User Input ------------------
+read -rp "Install Disk    (e.g. /dev/sda): " my_disk
+read -p "Enable Encryption?     (YES/NO): " encrypt_disk
+read -p "Specify ROOT size?     (YES/NO): " root_size
+read -p "BOOT size in MB      (e.g. 500): " fs_boot
+read -p "SWAP size in GB        (e.g. 2): " fs_swap
+read -p "Enable EFIstub?        (YES/NO): " efi1
+read -p "Essential packages?    (YES/NO): " packages
+read -p "Use my mirrorlist?     (YES/NO): " my_source
+read -p "Hostname             (e.g. bob): " name1
+
+# ------------------ Specify ROOT Size ------------------
+if [[ $root_size == YES ]];then
+    read -p "ROOT size in GB      (e.g. 20) : " fs_root
+fi
+
+#List size of partitions
+echo -e "\e[32mThe         boot         size  = ${fs_boot}MB\e[0m"
+echo -e "\e[32mThe         swap         size  = ${fs_swap}GB\e[0m"
+if [[ $root_size == YES ]];then
+    echo -e "\e[32mThe         root         size  = ${fs_root}GB\e[0m"
+else
+    echo -e "\e[32mThe         root         size  = remaining space\e[0m"
+fi
+
+#Confirmation
+read -rp "Are you sure?(YES/NO) " confirmation
+if [[ $confirmation != YES ]];then
+    echo -e "\e[31mAborted...\e[0m"
+    exit 1
+fi
+
+# ------------------ Create boot partition ------------------
+echo -e "\e[32mCreating boot partition...\e[0m"
+printf "n\np\n\n\n+${fs_boot}M\nw\n" | fdisk "$my_disk" >/dev/null 2>&1
+sleep 3
+
+# ------------------ Create partitions ------------------
+#Whether Encrypt
+if [[ $encrypt_disk == YES ]];then
+    #Specify ROOT Size
+    if [[ $root_size == YES ]];then
+        total=$((fs_swap + fs_root))
+        printf "n\np\n\n\n+${total}G\nw\n" | fdisk "$my_disk" >/dev/null 2>&1
+        sleep 3            #Encryption Specified root
+    else
+        printf "n\np\n\n\n\nw\n" | fdisk "$my_disk" >/dev/null 2>&1
+        sleep 3                      #Encryption
+    fi
+    #Define encryption partition
+    echo -e "\e[32m$(lsblk)\e[0m"
+    read -rp "Encrypt Partition: " encryption_path
+    read -rp "Boot    Partition: " boot_path
+    #Encrypt partition
+    echo -e "\e[32mEncrypting $encryption_path\e[0m"
+    cryptsetup luksFormat "$encryption_path" --type luks2 --pbkdf argon2id -s 512 -h sha512 --iter-time 10000 -c aes-xts-plain64
+    #Open encryption partition
+    echo -e "\e[32mOpening $encryption_path\e[0m"
+    cryptsetup luksOpen "$encryption_path" crypt_device
+    #Create logical volume and volume group
+    pvcreate /dev/mapper/crypt_device
+    vgcreate OS /dev/mapper/crypt_device
+    lvcreate -L "${fs_swap}G" OS -n SWAP
+    lvcreate -l 100%FREE OS -n ROOT
+    echo -e "\e[32mWait 9 seconds......\e[0m"
+    #Format partitions
+    mkfs.fat -F32 "$boot_path"
+    sleep 3
+    mkfs.ext4 -q /dev/mapper/OS-ROOT
+    sleep 3
+    mkswap /dev/mapper/OS-SWAP
+    sleep 3
+    #Mount partitions
+    mount /dev/mapper/OS-ROOT /mnt
+    mkdir -p /mnt/boot
+    mount "$boot_path" /mnt/boot
+    swapon /dev/mapper/OS-SWAP
+else
+    #Specify ROOT Size
+    if [[ $root_size == YES ]];then
+        printf "n\np\n\n\n+${fs_swap}G\nw\n" | fdisk "$my_disk" >/dev/null 2>&1          #swap
+        printf "n\np\n\n\n+${fs_root}G\nw\n" | fdisk "$my_disk" >/dev/null 2>&1          #root
+        sleep 3
+    else
+        printf "n\np\n\n\n+${fs_swap}G\nw\n" | fdisk "$my_disk" >/dev/null 2>&1          #swap
+        printf "n\np\n\n\n\nw\n" | fdisk "$my_disk" >/dev/null 2>&1                      #root
+        sleep 3
+    fi
+    #Define partitions of boot swap root
+    echo -e "\e[32m$(lsblk)\e[0m"
+    read -rp "Boot                  Partition: " boot_path
+    read -rp "Swap                  Partition: " swap_path
+    read -rp "Root                  Partition: " root_path
+    echo -e "\e[32mWait 9 seconds......\e[0m"
+    #Format partitions
+    mkfs.fat -F32 "$boot_path"
+    sleep 3
+    mkfs.ext4 -q "$root_path"
+    sleep 3
+    mkswap "$swap_path"
+    sleep 3
+   #Mount partitions
+    mount "$root_path" /mnt
+    mkdir -p /mnt/boot
+    mount "$boot_path" /mnt/boot
+    swapon "$swap_path"
+fi
+
+#List partitioins infomation
+echo -e "\e[33mFormat and mount successful\e[0m"
+echo -e "\e[32m$(lsblk)\e[0m"
+
+#Change my source
+if [[ $my_source == YES ]];then
+    curl https://sh.lihanzhang.cn/mirrorlist -so /etc/pacman.d/mirrorlist
+fi
+
+#Install software packages
+
+echo -e "\e[32mBegin to install packges......\e[0m"
+
+sleep 1
+#GRUB
+if [[ $efi1 = YES ]]; then
+    p1=''
+else
+    p1='grub'
+fi
+#lvm2
+if [[ $encrypt_disk = YES ]]; then
+    p2='lvm2'
+else
+    p2=''
+fi
+#Install packages
+if [[ $packages = YES ]]; then
+    pacstrap -K /mnt base linux-lts linux-firmware efibootmgr networkmanager openssh vim sudo zsh zsh-autosuggestions zsh-syntax-highlighting zsh-completions terminus-font ${p1} ${p2}
+else
+    pacstrap -K /mnt base linux-lts linux-firmware efibootmgr networkmanager openssh vim sudo zsh zsh-autosuggestions zsh-syntax-highlighting zsh-completions \
+    terminus-font reflector certbot unzip zip nmap screen wget go git base-devel hexedit duf docker docker-compose docker-buildx netcat nginx \
+    fail2ban hyfetch qrencode ${p1} ${p2}
+fi
+genfstab -U /mnt >> /mnt/etc/fstab
+
+#Download system configuration
+curl https://sh.lihanzhang.cn/arch/arch_config.sh -o /mnt/arch_config.sh
+chmod +x /mnt/arch_config.sh
+#--------------------------------------Create info
+part_n=$(echo $boot_path | awk '{print substr($0,length($0),1)}')
+echo "$name1 Hostname" > /root/info
+echo "$my_disk The Disk. The next is Boot partition" >> /root/info
+echo "$part_n Boot number" >> /root/info
+#--------------------------------------
+if [[ $encrypt_disk == YES ]]; then
+    euuid2=$(blkid | grep $encryption_path | awk -F\" '{print $2}' )
+    echo '1 Enable encrypt' >> /root/info
+    echo "$euuid2" >> /root/info
+else
+    echo '0 Disable encrypt' >> /root/info
+    echo '0 Disable e-uuid' >> /root/info
+fi
+#--------------------------------------
+if [[ $efi1 == YES ]]; then
+    echo '1 Enable EFI stub' >> /root/info
+else
+    echo '0 Disable EFI stub' >> /root/info
+fi
+#--------------------------------------
+if [[ $packages == YES ]]; then
+    echo '1 Enable Mini install' >> /root/info
+else
+    echo '0 Disable Mini install' >> /root/info
+fi
+#--------------------------------------
+if [[ $encrypt_disk == YES ]]; then
+    echo '0 No Root path' >> /root/info
+else
+    echo "$root_path" >> /root/info
+fi
+cp /root/info /mnt/root/info
+#Complete
+echo -e "\e[32mAll software packages installed\e[0m"
+echo -e "\e[32mExrcute arch-chroot /mnt\e[0m"
+echo -e "\e[32mExecute /arch_config.sh\e[0m"
diff --git a/index.html b/index.html
new file mode 100644
index 0000000..6a9dfdb
--- /dev/null
+++ b/index.html
@@ -0,0 +1,9 @@
+<!--Successfully-->
+<title>Reached</title>
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+<hr><center>nginx</center>
+</body>
+</html>
diff --git a/info b/info
new file mode 100755
index 0000000..20cd9b8
--- /dev/null
+++ b/info
@@ -0,0 +1,319 @@
+#!/bin/bash
+trap _exit INT QUIT TERM
+
+_red() {
+    printf '\033[0;31;31m%b\033[0m' "$1"
+}
+
+_green() {
+    printf '\033[0;31;32m%b\033[0m' "$1"
+}
+
+_yellow() {
+    printf '\033[0;31;33m%b\033[0m' "$1"
+}
+
+_blue() {
+    printf '\033[0;31;36m%b\033[0m' "$1"
+}
+
+_exists() {
+    local cmd="$1"
+    if eval type type >/dev/null 2>&1; then
+        eval type "$cmd" >/dev/null 2>&1
+    elif command >/dev/null 2>&1; then
+        command -v "$cmd" >/dev/null 2>&1
+    else
+        which "$cmd" >/dev/null 2>&1
+    fi
+    local rt=$?
+    return ${rt}
+}
+
+_exit() {
+    _red "\nThe script has been terminated. Cleaning up files...\n"
+    # clean up
+    rm -fr speedtest.tgz speedtest-cli benchtest_*
+    exit 1
+}
+
+get_opsy() {
+    [ -f /etc/redhat-release ] && awk '{print $0}' /etc/redhat-release && return
+    [ -f /etc/os-release ] && awk -F'[= "]' '/PRETTY_NAME/{print $3,$4,$5}' /etc/os-release && return
+    [ -f /etc/lsb-release ] && awk -F'[="]+' '/DESCRIPTION/{print $2}' /etc/lsb-release && return
+}
+
+next() {
+    printf "%-70s\n" "-" | sed 's/\s/-/g'
+}
+
+
+calc_size() {
+    local raw=$1
+    local total_size=0
+    local num=1
+    local unit="KB"
+    if ! [[ ${raw} =~ ^[0-9]+$ ]]; then
+        echo ""
+        return
+    fi
+    if [ "${raw}" -ge 1073741824 ]; then
+        num=1073741824
+        unit="TB"
+    elif [ "${raw}" -ge 1048576 ]; then
+        num=1048576
+        unit="GB"
+    elif [ "${raw}" -ge 1024 ]; then
+        num=1024
+        unit="MB"
+    elif [ "${raw}" -eq 0 ]; then
+        echo "${total_size}"
+        return
+    fi
+    total_size=$(awk 'BEGIN{printf "%.1f", '"$raw"' / '$num'}')
+    echo "${total_size} ${unit}"
+}
+
+# since calc_size converts kilobyte to MB, GB and TB
+# to_kibyte converts zfs size from bytes to kilobyte
+to_kibyte() {
+    local raw=$1
+    awk 'BEGIN{printf "%.0f", '"$raw"' / 1024}'
+}
+
+calc_sum() {
+    local arr=("$@")
+    local s
+    s=0
+    for i in "${arr[@]}"; do
+        s=$((s + i))
+    done
+    echo ${s}
+}
+
+check_virt() {
+    _exists "dmesg" && virtualx="$(dmesg 2>/dev/null)"
+    if _exists "dmidecode"; then
+        sys_manu="$(dmidecode -s system-manufacturer 2>/dev/null)"
+        sys_product="$(dmidecode -s system-product-name 2>/dev/null)"
+        sys_ver="$(dmidecode -s system-version 2>/dev/null)"
+    else
+        sys_manu=""
+        sys_product=""
+        sys_ver=""
+    fi
+    if grep -qa docker /proc/1/cgroup; then
+        virt="Docker"
+    elif grep -qa lxc /proc/1/cgroup; then
+        virt="LXC"
+    elif grep -qa container=lxc /proc/1/environ; then
+        virt="LXC"
+    elif [[ -f /proc/user_beancounters ]]; then
+        virt="OpenVZ"
+    elif [[ "${virtualx}" == *kvm-clock* ]]; then
+        virt="KVM"
+    elif [[ "${sys_product}" == *KVM* ]]; then
+        virt="KVM"
+    elif [[ "${sys_manu}" == *QEMU* ]]; then
+        virt="KVM"
+    elif [[ "${cname}" == *KVM* ]]; then
+        virt="KVM"
+    elif [[ "${cname}" == *QEMU* ]]; then
+        virt="KVM"
+    elif [[ "${virtualx}" == *"VMware Virtual Platform"* ]]; then
+        virt="VMware"
+    elif [[ "${sys_product}" == *"VMware Virtual Platform"* ]]; then
+        virt="VMware"
+    elif [[ "${virtualx}" == *"Parallels Software International"* ]]; then
+        virt="Parallels"
+    elif [[ "${virtualx}" == *VirtualBox* ]]; then
+        virt="VirtualBox"
+    elif [[ -e /proc/xen ]]; then
+        if grep -q "control_d" "/proc/xen/capabilities" 2>/dev/null; then
+            virt="Xen-Dom0"
+        else
+            virt="Xen-DomU"
+        fi
+    elif [ -f "/sys/hypervisor/type" ] && grep -q "xen" "/sys/hypervisor/type"; then
+        virt="Xen"
+    elif [[ "${sys_manu}" == *"Microsoft Corporation"* ]]; then
+        if [[ "${sys_product}" == *"Virtual Machine"* ]]; then
+            if [[ "${sys_ver}" == *"7.0"* || "${sys_ver}" == *"Hyper-V" ]]; then
+                virt="Hyper-V"
+            else
+                virt="Microsoft Virtual Machine"
+            fi
+        fi
+    else
+        virt="Dedicated"
+    fi
+}
+
+ipv4_info() {
+    local org city country region
+    org="$(wget -q -T10 -O- http://ipinfo.io/org)"
+    city="$(wget -q -T10 -O- http://ipinfo.io/city)"
+    country="$(wget -q -T10 -O- http://ipinfo.io/country)"
+    region="$(wget -q -T10 -O- http://ipinfo.io/region)"
+    if [[ -n "${org}" ]]; then
+        echo " Organization       : $(_blue "${org}")"
+    fi
+    if [[ -n "${city}" && -n "${country}" ]]; then
+        echo " Location           : $(_blue "${city} / ${country}")"
+    fi
+    if [[ -n "${region}" ]]; then
+        echo " $(_red Region)             : $(_red "${region}")"
+    fi
+    if [[ -z "${org}" ]]; then
+        echo " Region             : $(_red "No ISP detected")"
+    fi
+}
+
+print_intro() {
+    echo -e "\e[32m------------------------- System information -------------------------\e[0m"
+    echo " Version            : $(_blue v2025-13-31)"
+    echo " Usage              : $(_blue "bash <(curl -L sh.lihanzhang.cn/info)")"
+}
+
+# Get System information
+get_system_info() {
+    cname=$(awk -F: '/model name/ {name=$2} END {print name}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//')
+    cores=$(awk -F: '/^processor/ {core++} END {print core}' /proc/cpuinfo)
+    freq=$(awk -F'[ :]' '/cpu MHz/ {print $4;exit}' /proc/cpuinfo)
+    ccache=$(awk -F: '/cache size/ {cache=$2} END {print cache}' /proc/cpuinfo | sed 's/^[ \t]*//;s/[ \t]*$//')
+    cpu_aes=$(grep -i 'aes' /proc/cpuinfo)
+    cpu_virt=$(grep -Ei 'vmx|svm' /proc/cpuinfo)
+    tram=$(
+        LANG=C
+        free | awk '/Mem/ {print $2}'
+    )
+    tram=$(calc_size "$tram")
+    uram=$(
+        LANG=C
+        free | awk '/Mem/ {print $3}'
+    )
+    uram=$(calc_size "$uram")
+    swap=$(
+        LANG=C
+        free | awk '/Swap/ {print $2}'
+    )
+    swap=$(calc_size "$swap")
+    uswap=$(
+        LANG=C
+        free | awk '/Swap/ {print $3}'
+    )
+    uswap=$(calc_size "$uswap")
+    up=$(awk '{a=$1/86400;b=($1%86400)/3600;c=($1%3600)/60} {printf("%d days, %d hour %d min\n",a,b,c)}' /proc/uptime)
+    if _exists "w"; then
+        load=$(
+            LANG=C
+            w | head -1 | awk -F'load average:' '{print $2}' | sed 's/^[ \t]*//;s/[ \t]*$//'
+        )
+    elif _exists "uptime"; then
+        load=$(
+            LANG=C
+            uptime | head -1 | awk -F'load average:' '{print $2}' | sed 's/^[ \t]*//;s/[ \t]*$//'
+        )
+    fi
+    opsy=$(get_opsy)
+    arch=$(uname -m)
+    if _exists "getconf"; then
+        lbit=$(getconf LONG_BIT)
+    else
+        echo "${arch}" | grep -q "64" && lbit="64" || lbit="32"
+    fi
+    kern=$(uname -r)
+    in_kernel_no_swap_total_size=$(
+        LANG=C
+        df -t simfs -t ext2 -t ext3 -t ext4 -t btrfs -t xfs -t vfat -t ntfs --total 2>/dev/null | grep total | awk '{ print $2 }'
+    )
+    swap_total_size=$(free -k | grep Swap | awk '{print $2}')
+    zfs_total_size=$(to_kibyte "$(calc_sum "$(zpool list -o size -Hp 2> /dev/null)")")
+    disk_total_size=$(calc_size $((swap_total_size + in_kernel_no_swap_total_size + zfs_total_size)))
+    in_kernel_no_swap_used_size=$(
+        LANG=C
+        df -t simfs -t ext2 -t ext3 -t ext4 -t btrfs -t xfs -t vfat -t ntfs --total 2>/dev/null | grep total | awk '{ print $3 }'
+    )
+    swap_used_size=$(free -k | grep Swap | awk '{print $3}')
+    zfs_used_size=$(to_kibyte "$(calc_sum "$(zpool list -o allocated -Hp 2> /dev/null)")")
+    disk_used_size=$(calc_size $((swap_used_size + in_kernel_no_swap_used_size + zfs_used_size)))
+    tcpctrl=$(sysctl net.ipv4.tcp_congestion_control | awk -F ' ' '{print $3}')
+}
+# Print System information
+print_system_info() {
+    if [ -n "$cname" ]; then
+        echo " CPU Model          : $(_blue "$cname")"
+    else
+        echo " CPU Model          : $(_blue "CPU model not detected")"
+    fi
+    if [ -n "$freq" ]; then
+        echo " CPU Cores          : $(_blue "$cores @ $freq MHz")"
+    else
+        echo " CPU Cores          : $(_blue "$cores")"
+    fi
+    if [ -n "$ccache" ]; then
+        echo " CPU Cache          : $(_blue "$ccache")"
+    fi
+    if [ -n "$cpu_aes" ]; then
+        echo " AES-NI             : $(_green "\xe2\x9c\x93 Enabled")"
+    else
+        echo " AES-NI             : $(_red "\xe2\x9c\x97 Disabled")"
+    fi
+    if [ -n "$cpu_virt" ]; then
+        echo " VM-x/AMD-V         : $(_green "\xe2\x9c\x93 Enabled")"
+    else
+        echo " VM-x/AMD-V         : $(_red "\xe2\x9c\x97 Disabled")"
+    fi
+    echo " Total Disk         : $(_yellow "$disk_total_size") $(_blue "($disk_used_size Used)")"
+    echo " Total Mem          : $(_yellow "$tram") $(_blue "($uram Used)")"
+    if [ "$swap" != "0" ]; then
+        echo " Total Swap         : $(_blue "$swap ($uswap Used)")"
+    fi
+    echo " System uptime      : $(_blue "$up")"
+    echo " Load average       : $(_blue "$load")"
+    echo " $(_red  OS)                 : $(_red "$opsy")"
+    echo " Arch               : $(_blue "$arch ($lbit Bit)")"
+    echo " Kernel             : $(_blue "$kern")"
+    echo " TCP CC             : $(_blue "$tcpctrl")"
+    echo " Virtualization     : $(_blue "$virt")"
+    echo " IPv4/IPv6          : $online"
+}
+
+print_end_time() {
+    end_time=$(date +%s)
+    time=$((end_time - start_time))
+    if [ ${time} -gt 60 ]; then
+        min=$((time / 60))
+        sec=$((time % 60))
+        echo " Finished in        : ${min} min ${sec} sec"
+    else
+        echo " Finished in        : ${time} sec"
+    fi
+    date_time=$(date '+%Y-%m-%d %H:%M:%S %Z')
+    echo " Timestamp          : $date_time"
+}
+
+! _exists "wget" && _red "Error: wget command not found.\n" && exit 1
+! _exists "free" && _red "Error: free command not found.\n" && exit 1
+# check for curl/wget
+_exists "curl" && local_curl=true
+# test if the host has IPv4/IPv6 connectivity
+[[ -n ${local_curl} ]] && ip_check_cmd="curl -s -m 4" || ip_check_cmd="wget -qO- -T 4"
+ipv4_check=$( (ping -4 -c 1 -W 4 ipv4.google.com >/dev/null 2>&1 && echo true) || ${ip_check_cmd} -4 icanhazip.com 2> /dev/null)
+ipv6_check=$( (ping -6 -c 1 -W 4 ipv6.google.com >/dev/null 2>&1 && echo true) || ${ip_check_cmd} -6 icanhazip.com 2> /dev/null)
+if [[ -z "$ipv4_check" && -z "$ipv6_check" ]]; then
+    _yellow "Warning: Both IPv4 and IPv6 connectivity were not detected.\n"
+fi
+[[ -z "$ipv4_check" ]] && online="$(_red "\xe2\x9c\x97 Offline")" || online="$(_green "\xe2\x9c\x93 Online")"
+[[ -z "$ipv6_check" ]] && online+=" / $(_red "\xe2\x9c\x97 Offline")" || online+=" / $(_green "\xe2\x9c\x93 Online")"
+start_time=$(date +%s)
+get_system_info
+check_virt
+clear
+print_intro
+next
+print_system_info
+ipv4_info
+next
+print_end_time
+next
diff --git a/irc b/irc
new file mode 100644
index 0000000..d0495e0
--- /dev/null
+++ b/irc
@@ -0,0 +1,26 @@
+#!/bin/bash
+clear
+docker stop inspircd
+docker rm inspircd
+echo -e "\e[33mStoped\e[0m"
+echo -e "\e[33mDeleted\e[0m"
+echo
+
+docker run --name inspircd -p 6697:6697 \
+-e "INSP_TLS_CN=irc.lihanzhang.cn" \
+-e "INSP_SERVICES_IPADDR=irc.lihanzhang.cn" \
+-e "INSP_NET_SUFFIX=.irc.lihanzhang.cn" \
+-e "INSP_NET_NAME=Lihanzhang" \
+-e "INSP_CONNECT_PASSWORD=" \
+-d 3c0b38beedd6
+echo -e "\e[33mWaiting ......\e[0m"
+echo 
+sleep 3
+
+#key.pem must be owned by 10000
+docker cp key.pem inspircd:/inspircd/conf
+docker cp cert.pem inspircd:/inspircd/conf
+docker restart inspircd
+
+echo -e "\e[32mInspircd restarted\e[0m"
+echo -e "\e[32mTSL has been used\e[0m"
diff --git a/list b/list
new file mode 100644
index 0000000..a232331
--- /dev/null
+++ b/list
@@ -0,0 +1,44 @@
+total 408K
+-rw-r--r-- 1 root root 5.2K Jan  4 12:45 alipay
+-rw-r--r-- 1 root root 1.7K Apr 15 13:06 api
+drwxr-xr-x 2 root root 4.0K May 22 10:23 arch
+-rw-r--r-- 1 root root  750 Apr 15 14:19 arch_cloud
+-rw-r--r-- 1 root root 1.6K Apr 25 18:22 archboot
+-rw-r--r-- 1 root root  535 Apr 26 12:46 bash
+-rwxr-xr-x 1 root root  142 Apr 27 19:05 certbot
+-rw-r--r-- 1 root root  252 Jan  4 12:45 climail
+drwxr-xr-x 2 root root 4.0K Jan  4 12:45 crypto
+-rw-r--r-- 1 root root  152 Jan  4 12:45 exam
+-rw-r--r-- 1 root root  214 Jan  4 12:45 frp.conf
+-rwxr-xr-x 1 root root 2.3K Jan 14 11:50 frp.sh
+-rw-r--r-- 1 root root   33 Jan  4 12:45 hello
+-rwxr-xr-x 1 root root 6.4K May  2 20:12 iarch
+-rw-r--r-- 1 root root  159 Apr 22 16:35 index.html
+-rwxr-xr-x 1 root root  11K Apr 26 13:03 info
+-rw-r--r-- 1 root root  638 Jan  4 12:45 irc
+-rw-r--r-- 1 root root    0 May 22 10:28 list
+drwxr-xr-x 2 root root 4.0K Apr 27 19:03 mailserver
+-rw-r--r-- 1 root root 1.1K May 12 17:37 mirrorlist
+-rwxr-xr-x 1 root root  23K Mar 15 19:48 mtproxy.sh
+drwxr-xr-x 2 root root 4.0K Apr 27 19:02 nginx
+-rw-r--r-- 1 root root  630 May 17 15:59 note
+-rw-r--r-- 1 root root 1.8K Apr 30 23:04 os
+-rw-r--r-- 1 root root 2.9K Apr 25 16:01 php-login.tar.gz
+-rw-r--r-- 1 root root 1.9K Apr 25 16:10 phplogin
+-rw-r--r-- 1 root root 1.1K Jan 10 15:12 pub
+-rw-r--r-- 1 root root 1.8K Apr 26 12:54 qq
+-rwxr-xr-x 1 root root 3.2K May 20 10:40 self_cert
+-rwxr-xr-x 1 root root 1.4K Jan 12 18:28 self_ssl
+-rw-r--r-- 1 root root  16K Apr 28 17:25 ssh-luks.tar.gz
+-rw-r--r-- 1 root root   47 Jan  4 12:45 su
+-rw-r--r-- 1 root root  261 Mar  7 20:46 systemd
+drwxr-xr-x 2 root root 4.0K Jan  4 12:45 telegram_bot
+-rw-r--r-- 1 root root  641 Jan  4 12:45 torweb
+-rw-r--r-- 1 root root  102 Apr 15 14:18 transfer
+-rwxr-xr-x 1 root root  23K Jan  4 12:45 vpn.sh
+-rwxr-xr-x 1 root root 145K Apr 19 18:32 vpn_diy.sh
+-rw-r--r-- 1 root root 5.2K Jan  4 12:45 wechat
+-rw-r--r-- 1 root root 5.2K Jan  4 12:45 wepay
+-rw-r--r-- 1 root root  392 Jan  4 12:45 wifi
+-rwxr-xr-x 1 root root  21K May 21 17:23 wireguard.sh
+-rwxr-xr-x 1 root root  516 Jan  4 12:45 wordpress
diff --git a/mailserver/compose.yaml b/mailserver/compose.yaml
new file mode 100644
index 0000000..e887aa7
--- /dev/null
+++ b/mailserver/compose.yaml
@@ -0,0 +1,33 @@
+services:
+  mailserver:
+    image: af51b15dd3fc
+    container_name: mailserver
+    # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
+    hostname: domain
+    env_file: mailserver.env
+    # More information about the mail-server ports:
+    # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
+    ports:
+      - "25:25"    # SMTP  (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
+      - "143:143"  # IMAP4 (explicit TLS => STARTTLS)
+      - "465:465"  # ESMTP (implicit TLS)
+      - "587:587"  # ESMTP (explicit TLS => STARTTLS)
+      - "993:993"  # IMAP4 (implicit TLS)
+    volumes:
+      - ./docker-data/dms/mail-data/:/var/mail/
+      - ./docker-data/dms/mail-state/:/var/mail-state/
+      - ./docker-data/dms/mail-logs/:/var/log/mail/
+      - ./docker-data/dms/config/:/tmp/docker-mailserver/
+      - /etc/localtime:/etc/localtime:ro
+        #- /etc/letsencrypt/:/etc/letsencrypt
+      - /etc/letsencrypt/live/domain/fullchain.pem:/etc/cert/fullchain.pem
+      - /etc/letsencrypt/live/domain/privkey.pem:/etc/cert/privkey.pem
+    restart: always
+    stop_grace_period: 1m
+    # Uncomment if using `ENABLE_FAIL2BAN=1`:
+    cap_add:
+      - NET_ADMIN
+    healthcheck:
+      test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
+      timeout: 3s
+      retries: 0
diff --git a/mailserver/list b/mailserver/list
new file mode 100644
index 0000000..29432e6
--- /dev/null
+++ b/mailserver/list
@@ -0,0 +1,4 @@
+total 28K
+-rw-r--r-- 1 root root 1.5K Apr 14 18:47 compose.yaml
+-rw-r--r-- 1 root root    0 Apr 14 18:47 list
+-rw-r--r-- 1 root root  24K Apr 14 18:47 mailserver.env
diff --git a/mailserver/mailserver.env b/mailserver/mailserver.env
new file mode 100644
index 0000000..5d65210
--- /dev/null
+++ b/mailserver/mailserver.env
@@ -0,0 +1,660 @@
+# -----------------------------------------------
+# --- Mailserver Environment Variables ----------
+# -----------------------------------------------
+
+# DOCUMENTATION FOR THESE VARIABLES IS FOUND UNDER
+# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/
+
+# -----------------------------------------------
+# --- General Section ---------------------------
+# -----------------------------------------------
+
+# **empty** => Internally uses the `hostname --fqdn` command to get the canonical hostname assigned to the DMS container.
+# => Specify an FQDN (fully-qualified domain name) to serve mail for. The hostname is required for DMS to function correctly
+#
+# **WARNING**: Setting OVERRIDE_HOSTNAME can have difficult to predict side effects:
+# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/#override_hostname
+OVERRIDE_HOSTNAME=
+
+# Set the log level for DMS.
+# This is mostly relevant for container startup scripts and change detection event feedback.
+#
+# Valid values (in order of increasing verbosity) are: `error`, `warn`, `info`, `debug` and `trace`.
+# The default log level is `info`.
+LOG_LEVEL=info
+
+# critical => Only show critical messages
+# error => Only show erroneous output
+# **warn** => Show warnings
+# info => Normal informational output
+# debug => Also show debug messages
+SUPERVISOR_LOGLEVEL=
+
+# Support for deployment where these defaults are not compatible (eg: some NAS appliances):
+# /var/mail vmail User ID (default: 5000)
+DMS_VMAIL_UID=
+# /var/mail vmail Group ID (default: 5000)
+DMS_VMAIL_GID=
+
+# **empty** => use FILE
+# LDAP => use LDAP authentication
+# OIDC => use OIDC authentication (not yet implemented)
+# FILE => use local files (this is used as the default)
+ACCOUNT_PROVISIONER=
+
+# empty => postmaster@domain.com
+# => Specify the postmaster address
+POSTMASTER_ADDRESS=
+
+# Check for updates on container start and then once a day
+# If an update is available, a mail is sent to POSTMASTER_ADDRESS
+# 0 => Update check disabled
+# 1 => Update check enabled
+ENABLE_UPDATE_CHECK=0
+
+# Customize the update check interval.
+# Number + Suffix. Suffix must be 's' for seconds, 'm' for minutes, 'h' for hours or 'd' for days.
+UPDATE_CHECK_INTERVAL=1d
+
+# Set different options for mynetworks option (can be overwrite in postfix-main.cf)
+# **WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or
+# `connected-networks` option, can create an open relay
+# https://github.com/docker-mailserver/docker-mailserver/issues/1405#issuecomment-590106498
+# The same can happen for rootless podman. To prevent this, set the value to "none" or configure slirp4netns
+# https://github.com/docker-mailserver/docker-mailserver/issues/2377
+#
+# none => Explicitly force authentication
+# container => Container IP address only
+# host => Add docker container network (ipv4 only)
+# network => Add all docker container networks (ipv4 only)
+# connected-networks => Add all connected docker networks (ipv4 only)
+PERMIT_DOCKER=none
+
+# Set the timezone. If this variable is unset, the container runtime will try to detect the time using
+# `/etc/localtime`, which you can alternatively mount into the container. The value of this variable
+# must follow the pattern `AREA/ZONE`, i.e. of you want to use Germany's time zone, use `Europe/Berlin`.
+# You can lookup all available timezones here: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
+TZ=
+
+# In case you network interface differs from 'eth0', e.g. when you are using HostNetworking in Kubernetes,
+# you can set NETWORK_INTERFACE to whatever interface you want. This interface will then be used.
+#  - **empty** => eth0
+NETWORK_INTERFACE=
+
+# empty => modern
+# modern => Limits the cipher suite to secure ciphers only.
+# intermediate => Relaxes security by adding additional ciphers for broader compatibility.
+# NOTE: The minimum TLS version supported is 1.2, if you need to lower that follow this workaround advice:
+# https://github.com/docker-mailserver/docker-mailserver/pull/2945#issuecomment-1949907964
+TLS_LEVEL=
+
+# Configures the handling of creating mails with forged sender addresses.
+#
+# **0** => (not recommended) Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address (see also https://en.wikipedia.org/wiki/Email_spoofing).
+# 1 => Mail spoofing denied. Each user may only send with their own or their alias addresses. Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
+SPOOF_PROTECTION=
+
+# Enables the Sender Rewriting Scheme. SRS is needed if your mail server acts as forwarder. See [postsrsd](https://github.com/roehling/postsrsd/blob/main/README.rst) for further explanation.
+#  - **0** => Disabled
+#  - 1 => Enabled
+ENABLE_SRS=0
+
+# Enables the OpenDKIM service.
+# **1** => Enabled
+#   0   => Disabled
+ENABLE_OPENDKIM=1
+
+# Enables the OpenDMARC service.
+# **1** => Enabled
+#   0   => Disabled
+ENABLE_OPENDMARC=1
+
+
+# Enabled `policyd-spf` in Postfix's configuration. You will likely want to set this
+# to `0` in case you're using Rspamd (`ENABLE_RSPAMD=1`).
+#
+# - 0     => Disabled
+# - **1** => Enabled
+ENABLE_POLICYD_SPF=1
+
+# Enables POP3 service
+# - **0** => Disabled
+# - 1     => Enabled
+ENABLE_POP3=
+
+# Enables IMAP service
+# - 0     => Disabled
+# - **1** => Enabled
+ENABLE_IMAP=1
+
+# Enables ClamAV, and anti-virus scanner.
+#   1   => Enabled
+# **0** => Disabled
+ENABLE_CLAMAV=0
+
+# Add the value of this ENV as a prefix to the mail subject when spam is detected.
+# NOTE: This subject prefix may be redundant (by default spam is delivered to a junk folder).
+#       It provides value when your junk mail is stored alongside legitimate mail instead of a separate location (like with `SPAMASSASSIN_SPAM_TO_INBOX=1` or `MOVE_SPAM_TO_JUNK=0` or a POP3 only setup, without IMAP).
+# NOTE: When not using Docker Compose, other CRI may not support quote-wrapping the value here to preserve any trailing white-space.
+SPAM_SUBJECT=
+
+# Enables Rspamd
+# **0** => Disabled
+#   1   => Enabled
+ENABLE_RSPAMD=0
+
+# When `ENABLE_RSPAMD=1`, an internal Redis instance is enabled implicitly.
+# This setting provides an opt-out to allow using an external instance instead.
+# 0 => Disabled
+# 1 => Enabled
+ENABLE_RSPAMD_REDIS=
+
+# When enabled,
+#
+# 1. the "[autolearning][rspamd-autolearn]" feature is turned on;
+# 2. the Bayes classifier will be trained when moving mails from or to the Junk folder (with the help of Sieve scripts).
+#
+# **0** => disabled
+# 1     => enabled
+RSPAMD_LEARN=0
+
+# This settings controls whether checks should be performed on emails coming
+# from authenticated users (i.e. most likely outgoing emails). The default value
+# is `0` in order to align better with SpamAssassin. We recommend reading
+# through https://rspamd.com/doc/tutorials/scanning_outbound.html though to
+# decide for yourself whether you need and want this feature.
+#
+# Note that DKIM signing of e-mails will still happen.
+RSPAMD_CHECK_AUTHENTICATED=0
+
+# Controls whether the Rspamd Greylisting module is enabled.
+# This module can further assist in avoiding spam emails by greylisting
+# e-mails with a certain spam score.
+#
+# **0** => disabled
+# 1     => enabled
+RSPAMD_GREYLISTING=0
+
+# Can be used to enable or disable the Hfilter group module.
+#
+# - 0     => Disabled
+# - **1** => Enabled
+RSPAMD_HFILTER=1
+
+# Can be used to control the score when the HFILTER_HOSTNAME_UNKNOWN symbol applies. A higher score is more punishing. Setting it to 15 is equivalent to rejecting the email when the check fails.
+#
+# Default: 6
+RSPAMD_HFILTER_HOSTNAME_UNKNOWN_SCORE=6
+
+# Can be used to enable or disable the (still experimental) neural module.
+#
+# - **0** => Disabled
+# - 1     => Enabled
+RSPAMD_NEURAL=0
+
+# Amavis content filter (used for ClamAV & SpamAssassin)
+# 0 => Disabled
+# 1 => Enabled
+ENABLE_AMAVIS=1
+
+# -1/-2/-3 => Only show errors
+# **0**    => Show warnings
+# 1/2      => Show default informational output
+# 3/4/5    => log debug information (very verbose)
+AMAVIS_LOGLEVEL=0
+
+# This enables DNS block lists in Postscreen.
+# Note: Emails will be rejected, if they don't pass the block list checks!
+# **0** => DNS block lists are disabled
+# 1     => DNS block lists are enabled
+ENABLE_DNSBL=0
+
+# If you enable Fail2Ban, don't forget to add the following lines to your `compose.yaml`:
+#    cap_add:
+#      - NET_ADMIN
+# Otherwise, `nftables` won't be able to ban IPs.
+ENABLE_FAIL2BAN=1
+
+# Fail2Ban blocktype
+# drop   => drop packet (send NO reply)
+# reject => reject packet (send ICMP unreachable)
+FAIL2BAN_BLOCKTYPE=drop
+
+# 1 => Enables Managesieve on port 4190
+# empty => disables Managesieve
+ENABLE_MANAGESIEVE=
+
+# **enforce** => Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
+# drop => Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
+# ignore => Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
+POSTSCREEN_ACTION=enforce
+
+# empty => all daemons start
+# 1 => only launch postfix smtp
+SMTP_ONLY=
+
+# Please read [the SSL page in the documentation](https://docker-mailserver.github.io/docker-mailserver/latest/config/security/ssl) for more information.
+#
+# empty => SSL disabled
+# letsencrypt => Enables Let's Encrypt certificates
+# custom => Enables custom certificates
+# manual => Let's you manually specify locations of your SSL certificates for non-standard cases
+# self-signed => Enables self-signed certificates
+SSL_TYPE=manual
+
+# These are only supported with `SSL_TYPE=manual`.
+# Provide the path to your cert and key files that you've mounted access to within the container.
+SSL_CERT_PATH=/etc/cert/fullchain.pem
+SSL_KEY_PATH=/etc/cert/privkey.pem
+# Optional: A 2nd certificate can be supported as fallback (dual cert support), eg ECDSA with an RSA fallback.
+# Useful for additional compatibility with older MTA and MUA (eg pre-2015).
+SSL_ALT_CERT_PATH=
+SSL_ALT_KEY_PATH=
+
+# Set how many days a virusmail will stay on the server before being deleted
+# empty => 7 days
+VIRUSMAILS_DELETE_DELAY=
+
+# Configure Postfix `virtual_transport` to deliver mail to a different LMTP client (default is a dovecot socket).
+# Provide any valid URI. Examples:
+#
+# empty => `lmtp:unix:/var/run/dovecot/lmtp` (default, configured in Postfix main.cf)
+# `lmtp:unix:private/dovecot-lmtp` (use socket)
+# `lmtps:inet:<host>:<port>` (secure lmtp with starttls)
+# `lmtp:<kopano-host>:2003` (use kopano as mailstore)
+POSTFIX_DAGENT=
+
+# Set the mailbox size limit for all users. If set to zero, the size will be unlimited (default). Size is in bytes.
+#
+# empty => 0
+POSTFIX_MAILBOX_SIZE_LIMIT=
+
+# See https://docker-mailserver.github.io/docker-mailserver/latest/config/account-management/overview/#quotas
+# 0 => Dovecot quota is disabled
+# 1 => Dovecot quota is enabled
+ENABLE_QUOTAS=1
+
+# Set the message size limit for all users. If set to zero, the size will be unlimited (not recommended!). Size is in bytes.
+#
+# empty => 10240000 (~10 MB)
+POSTFIX_MESSAGE_SIZE_LIMIT=
+
+# Mails larger than this limit won't be scanned.
+# ClamAV must be enabled (ENABLE_CLAMAV=1) for this.
+#
+# empty => 25M (25 MB)
+CLAMAV_MESSAGE_SIZE_LIMIT=
+
+# Enables regular pflogsumm mail reports.
+# This is a new option. The old REPORT options are still supported for backwards compatibility. If this is not set and reports are enabled with the old options, logrotate will be used.
+#
+# not set => No report
+# daily_cron => Daily report for the previous day
+# logrotate => Full report based on the mail log when it is rotated
+PFLOGSUMM_TRIGGER=
+
+# Recipient address for pflogsumm reports.
+#
+# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
+# => Specify the recipient address(es)
+PFLOGSUMM_RECIPIENT=
+
+# Sender address (`FROM`) for pflogsumm reports if pflogsumm reports are enabled.
+#
+# not set => Use REPORT_SENDER
+# => Specify the sender address
+PFLOGSUMM_SENDER=
+
+# Interval for logwatch report.
+#
+# none => No report is generated
+# daily => Send a daily report
+# weekly => Send a report every week
+LOGWATCH_INTERVAL=
+
+# Recipient address for logwatch reports if they are enabled.
+#
+# not set => Use REPORT_RECIPIENT or POSTMASTER_ADDRESS
+# => Specify the recipient address(es)
+LOGWATCH_RECIPIENT=
+
+# Sender address (`FROM`) for logwatch reports if logwatch reports are enabled.
+#
+# not set => Use REPORT_SENDER
+# => Specify the sender address
+LOGWATCH_SENDER=
+
+# Defines who receives reports if they are enabled.
+# **empty** => ${POSTMASTER_ADDRESS}
+# => Specify the recipient address
+REPORT_RECIPIENT=
+
+# Defines who sends reports if they are enabled.
+# **empty** => mailserver-report@${DOMAINNAME}
+# => Specify the sender address
+REPORT_SENDER=
+
+# Changes the interval in which log files are rotated
+# **weekly** => Rotate log files weekly
+# daily => Rotate log files daily
+# monthly => Rotate log files monthly
+#
+# Note: This Variable actually controls logrotate inside the container
+# and rotates the log files depending on this setting. The main log output is
+# still available in its entirety via `docker logs mail` (Or your
+# respective container name). If you want to control logrotation for
+# the Docker-generated logfile see:
+# https://docs.docker.com/config/containers/logging/configure/
+#
+# Note: This variable can also determine the interval for Postfix's log summary reports, see [`PFLOGSUMM_TRIGGER`](#pflogsumm_trigger).
+LOGROTATE_INTERVAL=weekly
+
+# Defines how many log files are kept by logrorate
+LOGROTATE_COUNT=4
+
+
+# If enabled, employs `reject_unknown_client_hostname` to sender restrictions in Postfix's configuration.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
+
+# Choose TCP/IP protocols for postfix to use
+# **all** => All possible protocols.
+# ipv4 => Use only IPv4 traffic. Most likely you want this behind Docker.
+# ipv6 => Use only IPv6 traffic.
+#
+# Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
+POSTFIX_INET_PROTOCOLS=all
+
+# Enables MTA-STS support for outbound mail.
+# More details: https://docker-mailserver.github.io/docker-mailserver/v13.3/config/best-practices/mta-sts/
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=0
+
+# Choose TCP/IP protocols for dovecot to use
+# **all** => Listen on all interfaces
+# ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
+# ipv6 => Listen only on IPv6 interfaces.
+#
+# Note: More information at https://dovecot.org/doc/dovecot-example.conf
+DOVECOT_INET_PROTOCOLS=all
+
+# -----------------------------------------------
+# --- SpamAssassin Section ----------------------
+# -----------------------------------------------
+
+ENABLE_SPAMASSASSIN=0
+
+# KAM is a 3rd party SpamAssassin ruleset, provided by the McGrail Foundation.
+# If SpamAssassin is enabled, KAM can be used in addition to the default ruleset.
+# - **0** => KAM disabled
+# - 1 => KAM enabled
+#
+# Note: only has an effect if `ENABLE_SPAMASSASSIN=1`
+ENABLE_SPAMASSASSIN_KAM=0
+
+# deliver spam messages to the inbox (tagged using SPAM_SUBJECT)
+SPAMASSASSIN_SPAM_TO_INBOX=1
+
+# spam messages will be moved in the Junk folder (SPAMASSASSIN_SPAM_TO_INBOX=1 required)
+MOVE_SPAM_TO_JUNK=1
+
+# spam messages will be marked as read
+MARK_SPAM_AS_READ=0
+
+# add 'spam info' headers at, or above this level
+SA_TAG=2.0
+
+# add 'spam detected' headers at, or above this level
+SA_TAG2=6.31
+
+# triggers spam evasive actions
+SA_KILL=10.0
+
+# -----------------------------------------------
+# --- Fetchmail Section -------------------------
+# -----------------------------------------------
+
+ENABLE_FETCHMAIL=0
+
+# The interval to fetch mail in seconds
+FETCHMAIL_POLL=300
+# Use multiple fetchmail instances (1 per poll entry in fetchmail.cf)
+# Supports multiple IMAP IDLE connections when a server is used across multiple poll entries
+# https://otremba.net/wiki/Fetchmail_(Debian)#Immediate_Download_via_IMAP_IDLE
+FETCHMAIL_PARALLEL=0
+
+# Enable or disable `getmail`.
+#
+# - **0** => Disabled
+# - 1 => Enabled
+ENABLE_GETMAIL=0
+
+# The number of minutes for the interval. Min: 1; Default: 5.
+GETMAIL_POLL=5
+
+# -----------------------------------------------
+# --- OAUTH2 Section ----------------------------
+# -----------------------------------------------
+
+# empty => OAUTH2 authentication is disabled
+# 1 => OAUTH2 authentication is enabled
+ENABLE_OAUTH2=
+
+# Specify the user info endpoint URL of the oauth2 provider
+# Example: https://oauth2.example.com/userinfo/
+OAUTH2_INTROSPECTION_URL=
+
+# -----------------------------------------------
+# --- LDAP Section ------------------------------
+# -----------------------------------------------
+
+# A second container for the ldap service is necessary (i.e. https://hub.docker.com/r/bitnami/openldap/)
+
+# empty => no
+# yes => LDAP over TLS enabled for Postfix
+LDAP_START_TLS=
+
+# empty => mail.example.com
+# Specify the `<dns-name>` / `<ip-address>` where the LDAP server is reachable via a URI like: `ldaps://mail.example.com`.
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
+LDAP_SERVER_HOST=
+
+# empty => ou=people,dc=domain,dc=com
+# => e.g. LDAP_SEARCH_BASE=dc=mydomain,dc=local
+LDAP_SEARCH_BASE=
+
+# empty => cn=admin,dc=domain,dc=com
+# => take a look at examples of SASL_LDAP_BIND_DN
+LDAP_BIND_DN=
+
+# empty** => admin
+# => Specify the password to bind against ldap
+LDAP_BIND_PW=
+
+# e.g. `"(&(mail=%s)(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for users
+LDAP_QUERY_FILTER_USER=
+
+# e.g. `"(&(mailGroupMember=%s)(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for groups
+LDAP_QUERY_FILTER_GROUP=
+
+# e.g. `"(&(mailAlias=%s)(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for aliases
+LDAP_QUERY_FILTER_ALIAS=
+
+# e.g. `"(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))"`
+# => Specify how ldap should be asked for domains
+LDAP_QUERY_FILTER_DOMAIN=
+
+# -----------------------------------------------
+# --- Dovecot Section ---------------------------
+# -----------------------------------------------
+
+# empty => no
+# yes => LDAP over TLS enabled for Dovecot
+DOVECOT_TLS=
+
+# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
+DOVECOT_USER_FILTER=
+
+# e.g. `"(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))"`
+DOVECOT_PASS_FILTER=
+
+# Define the mailbox format to be used
+# default is maildir, supported values are: sdbox, mdbox, maildir
+DOVECOT_MAILBOX_FORMAT=maildir
+
+# empty => no
+# yes => Allow bind authentication for LDAP
+# https://doc.dovecot.org/2.4.0/core/config/auth/databases/ldap.html#authentication-bind
+DOVECOT_AUTH_BIND=
+
+# -----------------------------------------------
+# --- Postgrey Section --------------------------
+# -----------------------------------------------
+
+ENABLE_POSTGREY=0
+# greylist for N seconds
+POSTGREY_DELAY=300
+# delete entries older than N days since the last time that they have been seen
+POSTGREY_MAX_AGE=35
+# response when a mail is greylisted
+POSTGREY_TEXT="Delayed by Postgrey"
+# whitelist host after N successful deliveries (N=0 to disable whitelisting)
+POSTGREY_AUTO_WHITELIST_CLIENTS=5
+
+# -----------------------------------------------
+# --- SASL Section ------------------------------
+# -----------------------------------------------
+
+ENABLE_SASLAUTHD=0
+
+# empty => ldap
+# `ldap` => authenticate against ldap server
+# `rimap` => authenticate against imap server
+SASLAUTHD_MECHANISMS=
+
+# empty => None
+# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server  ==> xxx.xxx.xxx.xxx
+SASLAUTHD_MECH_OPTIONS=
+
+# empty => Use value of LDAP_SERVER_HOST
+# Note: You must include the desired URI scheme (`ldap://`, `ldaps://`, `ldapi://`).
+SASLAUTHD_LDAP_SERVER=
+
+# empty => Use value of LDAP_BIND_DN
+# specify an object with privileges to search the directory tree
+# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
+# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
+SASLAUTHD_LDAP_BIND_DN=
+
+# empty => Use value of LDAP_BIND_PW
+SASLAUTHD_LDAP_PASSWORD=
+
+# empty => Use value of LDAP_SEARCH_BASE
+# specify the search base
+SASLAUTHD_LDAP_SEARCH_BASE=
+
+# empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
+# e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
+# e.g. for openldap: `(&(uid=%U)(objectClass=person))`
+SASLAUTHD_LDAP_FILTER=
+
+# empty => no
+# yes => LDAP over TLS enabled for SASL
+# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
+SASLAUTHD_LDAP_START_TLS=
+
+# empty => no
+# yes => Require and verify server certificate
+# If yes you must/could specify SASLAUTHD_LDAP_TLS_CACERT_FILE or SASLAUTHD_LDAP_TLS_CACERT_DIR.
+SASLAUTHD_LDAP_TLS_CHECK_PEER=
+
+# File containing CA (Certificate Authority) certificate(s).
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_tls_cacert_file` option
+SASLAUTHD_LDAP_TLS_CACERT_FILE=
+
+# Path to directory with CA (Certificate Authority) certificates.
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_tls_cacert_dir` option
+SASLAUTHD_LDAP_TLS_CACERT_DIR=
+
+# Specify what password attribute to use for password verification.
+# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default.
+# Any value => Fills the `ldap_password_attr` option
+SASLAUTHD_LDAP_PASSWORD_ATTR=
+
+# empty => `bind` will be used as a default value
+# `fastbind` => The fastbind method is used
+# `custom` => The custom method uses userPassword attribute to verify the password
+SASLAUTHD_LDAP_AUTH_METHOD=
+
+# Specify the authentication mechanism for SASL bind
+# empty => Nothing is added to the configuration
+# Any value => Fills the `ldap_mech` option
+SASLAUTHD_LDAP_MECH=
+
+# -----------------------------------------------
+# --- SRS Section -------------------------------
+# -----------------------------------------------
+
+# envelope_sender => Rewrite only envelope sender address (default)
+# header_sender => Rewrite only header sender (not recommended)
+# envelope_sender,header_sender => Rewrite both senders
+# An email has an "envelope" sender (indicating the sending server) and a
+# "header" sender (indicating who sent it). More strict SPF policies may require
+# you to replace both instead of just the envelope sender.
+SRS_SENDER_CLASSES=envelope_sender
+
+# empty => Envelope sender will be rewritten for all domains
+# provide comma separated list of domains to exclude from rewriting
+SRS_EXCLUDE_DOMAINS=
+
+# empty => generated when the image is built
+# provide a secret to use in base64
+# you may specify multiple keys, comma separated. the first one is used for
+# signing and the remaining will be used for verification. this is how you
+# rotate and expire keys
+SRS_SECRET=
+
+# -----------------------------------------------
+# --- Default Relay Host Section ----------------
+# -----------------------------------------------
+
+# Setup relaying all mail through a default relay host
+#
+# Set a default host to relay all mail through (optionally include a port)
+# Example: [mail.example.com]:587
+DEFAULT_RELAY_HOST=
+
+# -----------------------------------------------
+# --- Multi-Domain Relay Section ----------------
+# -----------------------------------------------
+
+# Setup relaying for multiple domains based on the domain name of the sender
+# optionally uses usernames and passwords in postfix-sasl-password.cf and relay host mappings in postfix-relaymap.cf
+#
+# Set a default host to relay mail through
+# Example: mail.example.com
+RELAY_HOST=
+
+# empty => 25
+# default port to relay mail
+RELAY_PORT=25
+
+# -----------------------------------------------
+# --- Relay Host Credentials Section ------------
+# -----------------------------------------------
+
+# Configure a relay user and password to use with RELAY_HOST / DEFAULT_RELAY_HOST
+
+# empty => no default
+RELAY_USER=
+
+# empty => no default
+RELAY_PASSWORD=
diff --git a/mirrorlist b/mirrorlist
new file mode 100644
index 0000000..913dce9
--- /dev/null
+++ b/mirrorlist
@@ -0,0 +1,20 @@
+################################################################################
+################# Arch Linux mirrorlist generated by Reflector #################
+################################################################################
+
+# With:       reflector --sort rate -c CN -f 10 --verbose --save mirrorlist
+# When:       2026-05-12 09:37:18 UTC
+# From:       https://archlinux.org/mirrors/status/json/
+# Retrieved:  2026-05-12 09:36:28 UTC
+# Last Check: 2026-05-12 09:15:29 UTC
+
+Server = http://mirrors.bfsu.edu.cn/archlinux/$repo/os/$arch
+Server = https://mirrors.bfsu.edu.cn/archlinux/$repo/os/$arch
+Server = https://mirrors.jlu.edu.cn/archlinux/$repo/os/$arch
+Server = https://mirrors.qlu.edu.cn/archlinux/$repo/os/$arch
+Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
+Server = http://mirrors.nju.edu.cn/archlinux/$repo/os/$arch
+Server = http://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch
+Server = https://mirrors.nju.edu.cn/archlinux/$repo/os/$arch
+Server = http://mirror.nyist.edu.cn/archlinux/$repo/os/$arch
+Server = http://mirrors.jlu.edu.cn/archlinux/$repo/os/$arch
diff --git a/mtproxy.sh b/mtproxy.sh
new file mode 100755
index 0000000..1d12b0b
--- /dev/null
+++ b/mtproxy.sh
@@ -0,0 +1,765 @@
+#!/bin/bash
+WORKDIR=$(dirname $(readlink -f $0))
+cd $WORKDIR
+SYSTEM_ARCH=$(uname -m)
+SYSTEM_PYTHON=$(which python3 || which python)
+
+IS_DOCKER=$( [ -f /.dockerenv ] && echo "true" || echo "false" )
+
+PID_FILE=$WORKDIR/pid/pid_mtproxy
+CONFIG_PATH=$WORKDIR/config
+
+URL_MTG="https://github.com/ellermister/mtproxy/releases/download/v0.04/$(uname -m)-mtg"
+URL_MTPROTO="https://github.com/ellermister/mtproxy/releases/download/v0.04/mtproto-proxy"
+URL_PY_MTPROTOPROXY="https://github.com/alexbers/mtprotoproxy/archive/refs/heads/master.zip"
+BINARY_MTG_PATH=$WORKDIR/bin/mtg
+BINARY_MTPROTO_PROXY_PATH=$WORKDIR/bin/mtproto-proxy
+BINARY_PY_MTPROTOPROXY_PATH=$WORKDIR/bin/mtprotoproxy.py
+
+PUBLIC_IP=""
+
+
+check_sys() {
+    local checkType=$1
+    local value=$2
+
+    local release=''
+    local systemPackage=''
+
+    if [[ -f /etc/redhat-release ]]; then
+        release="centos"
+        systemPackage="yum"
+    elif grep -Eqi "debian|raspbian" /etc/issue; then
+        release="debian"
+        systemPackage="apt"
+    elif grep -Eqi "ubuntu" /etc/issue; then
+        release="ubuntu"
+        systemPackage="apt"
+    elif grep -Eqi "centos|red hat|redhat" /etc/issue; then
+        release="centos"
+        systemPackage="yum"
+    elif grep -Eqi "debian|raspbian" /proc/version; then
+        release="debian"
+        systemPackage="apt"
+    elif grep -Eqi "ubuntu" /proc/version; then
+        release="ubuntu"
+        systemPackage="apt"
+    elif grep -Eqi "centos|red hat|redhat" /proc/version; then
+        release="centos"
+        systemPackage="yum"
+    fi
+
+    if [[ "${checkType}" == "sysRelease" ]]; then
+        if [ "${value}" == "${release}" ]; then
+            return 0
+        else
+            return 1
+        fi
+    elif [[ "${checkType}" == "packageManager" ]]; then
+        if [ "${value}" == "${systemPackage}" ]; then
+            return 0
+        else
+            return 1
+        fi
+    fi
+}
+
+function abs() {
+    echo ${1#-};
+}
+
+function get_ip_public() {
+    local public_ip=""
+
+    # 尝试 Cloudflare trace API
+    if [ -z "$public_ip" ]; then
+        public_ip=$(curl -4 -s --connect-timeout 5 --max-time 10 https://1.1.1.1/cdn-cgi/trace -A Mozilla 2>/dev/null | grep "^ip=" | cut -d'=' -f2)
+    fi
+    
+    # 尝试 ip.sb API获取公网IP
+    if [ -z "$public_ip" ]; then
+        public_ip=$(curl -s --connect-timeout 5 --max-time 10 https://api.ip.sb/ip -A Mozilla --ipv4 2>/dev/null)
+    fi
+    
+    # 尝试 ipinfo.io API
+    if [ -z "$public_ip" ]; then
+        public_ip=$(curl -s --connect-timeout 5 --max-time 10 https://ipinfo.io/ip -A Mozilla --ipv4 2>/dev/null)
+    fi
+    
+    # 如果所有API都失败，退出
+    if [ -z "$public_ip" ]; then
+        print_error_exit "Failed to get public IP address. Please check your network connection."
+    fi
+    echo "$public_ip"
+}
+
+function get_ip_private() {
+    echo $(ip a | grep inet | grep -v 127.0.0.1 | grep -v inet6 | awk '{print $2}' | cut -d "/" -f1 | awk 'NR==1 {print $1}')
+}
+
+function get_local_ip(){
+  ip a | grep inet | grep 127.0.0.1 > /dev/null 2>&1
+  if [[ $? -eq 1 ]];then
+    echo $(get_ip_private)
+  else
+    echo "127.0.0.1"
+  fi
+}
+
+function get_nat_ip_param() {
+    nat_ip=$(get_ip_private)
+    nat_info=""
+    if [[ $nat_ip != $PUBLIC_IP ]]; then
+        nat_info="--nat-info ${nat_ip}:${PUBLIC_IP}"
+    fi
+    echo $nat_info
+}
+
+function get_cpu_core() {
+    echo $(cat /proc/cpuinfo | grep "processor" | wc -l)
+}
+
+function get_architecture() {
+    local architecture=""
+    case $(uname -m) in
+    i386) architecture="386" ;;
+    i686) architecture="386" ;;
+    x86_64) architecture="amd64" ;;
+    arm | aarch64 | aarch) dpkg --print-architecture | grep -q "arm64" && architecture="arm64" || architecture="armv6l" ;;
+    *) echo "Unsupported system architecture "$(uname -m) && exit 1 ;;
+    esac
+    echo $architecture
+}
+
+function build_mtproto() {
+    cd $WORKDIR
+
+    local platform=$(uname -m)
+    if [[ -z "$1" ]]; then
+        print_error_exit "缺少参数"
+    fi
+
+    do_install_build_dep
+
+    rm -rf build
+    mkdir build && cd build
+
+    if [[ "1" == "$1" ]]; then
+         if [ -d 'MTProxy' ]; then
+            rm -rf 'MTProxy'
+        fi
+
+        git clone https://github.com/ellermister/MTProxyC --depth=1 MTProxy
+        cd MTProxy && make && cd objs/bin &&  chmod +x mtproto-proxy
+
+        if [ ! -f "./mtproto-proxy" ]; then
+            print_error_exit "mtproto-proxy 编译失败"
+        fi
+
+        cp -f mtproto-proxy $WORKDIR
+        
+
+        # clean
+        rm -rf 'MTProxy'
+
+    elif [[ "2" == "$1" ]]; then
+        # golang
+        local arch=$(get_architecture)
+
+        #  https://go.dev/dl/go1.18.4.linux-amd64.tar.gz
+        local golang_url="https://go.dev/dl/go1.18.4.linux-$arch.tar.gz"
+        wget $golang_url -O golang.tar.gz
+        rm -rf go && tar -C . -xzf golang.tar.gz
+        export PATH=$PATH:$(pwd)/go/bin
+
+        go version
+        if [[ $? != 0 ]]; then
+            local uname_m=$(uname -m)
+            local architecture_origin=$(dpkg --print-architecture)
+            print_error_exit "golang download failed, please check!!! arch: $arch, platform: $platform,  uname: $uname_m, architecture_origin: $architecture_origin download url: $golang_url"
+        fi
+
+        rm -rf build-mtg
+        git clone https://github.com/9seconds/mtg.git -b v1 build-mtg
+        cd build-mtg && git reset --hard 9d67414db633dded5f11d549eb80617dc6abb2c3  && make static
+
+        if [[ ! -f "./mtg" ]]; then
+            print_error_exit "Build fail for mtg, please check!!! $arch"
+        fi
+
+        cp -f mtg $WORKDIR && chmod +x $WORKDIR/mtg
+    fi
+
+    # clean
+    cd $WORKDIR
+    rm -rf build
+
+}
+
+function get_mtg_provider() {
+    source $CONFIG_PATH
+
+    local arch=$(get_architecture)
+    if [[ "$arch" != "amd64" && $provider -eq 1 ]]; then
+        provider=2
+    fi
+
+    if [ $provider -eq 1 ]; then
+        echo "official-MTProxy"
+    elif [ $provider -eq 2 ]; then
+        echo "mtg"
+    elif [ $provider -eq 3 ]; then
+        echo "python-mtprotoproxy"
+    else
+        print_error_exit "Invalid configuration, please reinstall"
+    fi
+}
+
+function is_installed() {
+    if [ ! -f "$CONFIG_PATH" ]; then
+        return 1
+    fi
+    return 0
+}
+
+
+function kill_process_by_port() {
+    pids=$(get_pids_by_port $1)
+    if [ -n "$pids" ]; then
+        kill -9 $pids
+    fi
+}
+
+function get_pids_by_port() {
+    echo $(netstat -tulpn 2>/dev/null | grep ":$1 " | awk '{print $7}' | sed 's|/.*||')
+}
+
+function is_port_open() {
+    pids=$(get_pids_by_port $1)
+
+    if [ -n "$pids" ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+
+function is_running_mtp() {
+    if [ -f $PID_FILE ]; then
+
+        if is_pid_exists $(cat $PID_FILE); then
+            return 0
+        fi
+    fi
+    return 1
+}
+
+function is_pid_exists() {
+    # check_ps_not_install_to_install
+    local exists=$(ps aux | awk '{print $2}' | grep -w $1)
+    if [[ ! $exists ]]; then
+        return 1
+    else
+        return 0
+    fi
+}
+
+do_install_proxy() {
+    local mtg_provider=$1
+
+    if [ ! -d "$WORKDIR/bin" ]; then
+        mkdir -p $WORKDIR/bin
+    fi
+
+    if [[ "$mtg_provider" == "mtg" ]]; then
+        wget $URL_MTG -O $BINARY_MTG_PATH -q
+        chmod +x $BINARY_MTG_PATH
+        $BINARY_MTG_PATH
+        exit_code=$?
+        if [ $exit_code -ne 0 ]; then
+            print_error_exit "Install mtg failed"
+        fi
+        print_info "Installed for mtg"
+    elif [[ "$mtg_provider" == "official-MTProxy" ]]; then
+        wget $URL_MTPROTO -O $BINARY_MTPROTO_PROXY_PATH -q
+        chmod +x $BINARY_MTPROTO_PROXY_PATH
+        $BINARY_MTPROTO_PROXY_PATH
+        exit_code=$?
+        if [ $exit_code -ne 0 ] && [ $exit_code -ne 2 ]; then
+            print_error_exit "Install mtproto-proxy failed"
+        fi
+        print_info "Installed for mtproto-proxy"
+    
+    elif [[ "$mtg_provider" == "python-mtprotoproxy" ]]; then
+        wget $URL_PY_MTPROTOPROXY -O mtprotoproxy-master.zip
+        unzip mtprotoproxy-master.zip
+        cp -rf mtprotoproxy-master/*.py mtprotoproxy-master/pyaes $WORKDIR/bin/
+        rm -rf mtprotoproxy-master mtprotoproxy-master.zip
+        print_info "Installed for mtprotoproxy"
+    fi
+}
+
+do_install() {
+    cd $WORKDIR
+
+    mtg_provider=$(get_mtg_provider)
+
+    do_install_proxy $mtg_provider
+
+    if [ ! -d "./pid" ]; then
+        mkdir "./pid"
+    fi
+}
+
+print_line() {
+    echo -e "========================================="
+}
+
+print_error_exit() {
+    print_line
+    echo -e "[\033[95mERROR\033[0m] $1"
+    print_line
+    exit 1
+}
+
+print_warning() {
+    echo -e "[\033[33mWARNING\033[0m] $1"
+}
+
+print_info() {
+    echo -e "[\033[32mINFO\033[0m] $1"
+}
+
+print_subject() {
+    echo -e "\n\033[32m> $1\033[0m"
+}
+
+
+do_kill_process() {
+    cd $WORKDIR
+    if [ ! -f "$CONFIG_PATH" ]; then
+        print_error_exit "配置文件不存在,请重新安装"
+    fi
+    source $CONFIG_PATH
+
+    if is_port_open $port; then
+        print_info "Detected port $port is occupied, preparing to kill process!"
+        kill_process_by_port $port
+    fi
+    
+    if is_port_open $statport; then
+        print_info "Detected port $statport is occupied, preparing to kill process!"
+        kill_process_by_port $statport
+    fi
+}
+
+do_check_system_datetime_and_update() {
+    dateFromLocal=$(date +%s)
+    dateFromServer=$(date -d "$(curl -v --silent ip.sb 2>&1 | grep Date | sed -e 's/< Date: //')" +%s)
+    offset=$(abs $(( "$dateFromServer" - "$dateFromLocal")))
+    tolerance=60
+    if [ "$offset" -gt "$tolerance" ];then
+        print_info "Detected system time is not synchronized with world time, preparing to update"
+        ntpdate -u time.google.com
+        if [ $? -ne 0 ]; then
+            if [[ "$IS_DOCKER" == "true" ]]; then
+                print_warning "Update system time failed, please manually update the system time"
+            else
+                print_error_exit "Update system time failed, please manually update the system time"
+            fi
+        fi
+    fi
+}
+
+do_install_basic_dep() {
+    print_info "Checking and installing basic dependencies..."
+    if check_sys packageManager yum; then
+        yum update && yum install -y iproute curl wget procps-ng.x86_64 net-tools ntp
+    elif check_sys packageManager apt; then
+        apt update
+        # 先安装必需的包
+        apt install -y iproute2 curl wget procps net-tools unzip || true
+        # 尝试安装时间同步工具（可选，允许失败）
+        apt install -y ntpsec-ntpdate 2>/dev/null || apt install -y ntpdate 2>/dev/null || true
+    fi
+
+    return 0
+}
+
+do_install_build_dep() {
+    print_info "Checking and installing build dependencies..."
+    if check_sys packageManager yum; then
+        yum install -y git  openssl-devel zlib-devel
+        yum groupinstall -y "Development Tools"
+    elif check_sys packageManager apt; then
+        apt install -y git curl  build-essential libssl-dev zlib1g-dev
+    fi
+    return 0
+}
+
+do_config_mtp() {
+    cd $WORKDIR
+
+    while true; do
+        default_provider=1
+        print_subject "请输入要安装的程序版本"
+        echo ""
+        
+        if [ "$SYSTEM_ARCH" == "x86_64" ]; then
+            echo -e "  \033[36m1.\033[0m MTProxy (TelegramMessenger)"
+            echo -e "     └─ Telegram官方版本,只支持 x86_64, 存在很多问题"
+        else
+            echo -e "  \033[90m1.\033[0mMTProxy (TelegramMessenger) \033[33m[不支持当前架构]\033[0m"
+            echo -e "     └─ Telegram官方版本,只支持 x86_64, 存在很多问题"
+        fi
+        
+        echo -e "  \033[36m2.\033[0m mtg (9seconds)"
+        echo -e "     └─ Golang 版本, 兼容性强, 推荐使用"
+        
+        echo -e "  \033[36m3.\033[0m mtprotoproxy (alexbers)"
+        echo -e "     └─ Python 版本, 兼容性强"
+        echo ""
+
+        [ "$SYSTEM_ARCH" != "x86_64" ] && default_provider=2
+
+        read -p "(默认版本: ${default_provider}):" input_provider
+        [ -z "${input_provider}" ] && input_provider=${default_provider}
+        expr ${input_provider} + 1 &>/dev/null
+        if [ $? -eq 0 ]; then
+            [ "$SYSTEM_ARCH" != "x86_64" ] && [ ${input_provider} -eq 1 ] && print_warning "你的系统不支持该版本, 请重新输入" && continue
+            if [ ${input_provider} -ge 1 ] && [ ${input_provider} -le 3 ] && [ ${input_provider:0:1} != 0 ]; then
+                echo
+                echo "---------------------------"
+                echo "provider = ${input_provider}"
+                echo "---------------------------"
+                echo
+                break
+            fi
+        fi
+        print_warning "请重新输入程序版本 [1-3]"
+    done
+
+    while true; do
+        default_port=443
+        print_subject "请输入一个客户端连接端口 [1-65535]"
+        read -p "(默认端口: ${default_port}):" input_port
+        [ -z "${input_port}" ] && input_port=${default_port}
+        expr ${input_port} + 1 &>/dev/null
+        if [ $? -eq 0 ]; then
+            if [ ${input_port} -ge 1 ] && [ ${input_port} -le 65535 ] && [ ${input_port:0:1} != 0 ]; then
+                echo
+                echo "---------------------------"
+                echo "port = ${input_port}"
+                echo "---------------------------"
+                echo
+                break
+            fi
+        fi
+        print_warning "请重新输入一个客户端连接端口 [1-65535]"
+    done
+
+    # 管理端口
+    while true; do
+        default_manage=8888
+        print_subject "请输入一个管理端口 [1-65535]"
+        echo -e "管理端口仅用于查看一些统计数据, 只监听本地网卡不会对外暴露"
+        read -p "(默认端口: ${default_manage}):" input_manage_port
+        [ -z "${input_manage_port}" ] && input_manage_port=${default_manage}
+        expr ${input_manage_port} + 1 &>/dev/null
+        if [ $? -eq 0 ] && [ $input_manage_port -ne $input_port ]; then
+            if [ ${input_manage_port} -ge 1 ] && [ ${input_manage_port} -le 65535 ] && [ ${input_manage_port:0:1} != 0 ]; then
+                echo
+                echo "---------------------------"
+                echo "manage port = ${input_manage_port}"
+                echo "---------------------------"
+                echo
+                break
+            fi
+        fi
+        print_warning "请重新输入一个管理端口 [1-65535]"
+    done
+
+    # domain
+    while true; do
+        default_domain="azure.microsoft.com"
+        print_subject "请输入一个需要伪装的域名："
+        read -p "(默认域名: ${default_domain}):" input_domain
+        [ -z "${input_domain}" ] && input_domain=${default_domain}
+        http_code=$(curl -I -m 10 -o /dev/null -s -w %{http_code} $input_domain)
+        if [ $http_code -eq "200" ] || [ $http_code -eq "302" ] || [ $http_code -eq "301" ]; then
+            echo
+            echo "---------------------------"
+            echo "伪装域名 = ${input_domain}"
+            echo "---------------------------"
+            echo
+            break
+        fi
+        print_warning "域名无法访问,请重新输入或更换域名!"
+    done
+
+    # config info
+    secret=$(gen_rand_hex 32)
+
+    # proxy tag
+    while true; do
+        default_tag=""
+        print_subject "请输入你需要推广的TAG："
+        echo -e "若没有,请联系 @MTProxybot 进一步创建你的TAG, 可能需要信息如下："
+        echo -e "IP: ${PUBLIC_IP}"
+        echo -e "PORT: ${input_port}"
+        echo -e "SECRET(可以随便填): ${secret}"
+        read -p "(留空则跳过):" input_tag
+        [ -z "${input_tag}" ] && input_tag=${default_tag}
+        if [ -z "$input_tag" ] || [[ "$input_tag" =~ ^[A-Za-z0-9]{32}$ ]]; then
+            echo
+            echo "---------------------------"
+            echo "PROXY TAG = ${input_tag}"
+            echo "---------------------------"
+            echo
+            break
+        fi
+        print_warning "TAG格式不正确!"
+    done
+
+    cat >$CONFIG_PATH <<EOF
+#!/bin/bash
+secret="${secret}"
+port=${input_port}
+statport=${input_manage_port}
+domain="${input_domain}"
+adtag="${input_tag}"
+provider=${input_provider}
+EOF
+    print_info "配置已经生成完毕!"
+}
+
+function str_to_hex() {
+    string=$1
+    hex=$(printf "%s" "$string" | od -An -tx1 | tr -d ' \n')
+    echo $hex
+}
+
+function gen_rand_hex() {
+    local result=$(dd if=/dev/urandom bs=1 count=500 status=none | od -An -tx1 | tr -d ' \n')
+    echo "${result:0:$1}"
+}
+
+info_mtp() {
+    if [[ "$1" == "ingore" ]] || is_running_mtp; then
+        source $CONFIG_PATH
+
+        domain_hex=$(str_to_hex $domain)
+
+        client_secret="ee${secret}${domain_hex}"
+        echo -e "TMProxy+TLS代理: \033[32m运行中\033[0m"
+        echo -e "服务器IP：\033[31m$PUBLIC_IP\033[0m"
+        echo -e "服务器端口：\033[31m$port\033[0m"
+        echo -e "MTProxy Secret:  \033[31m$client_secret\033[0m"
+        echo -e "TG一键链接: https://t.me/proxy?server=${PUBLIC_IP}&port=${port}&secret=${client_secret}"
+        echo -e "TG一键链接: tg://proxy?server=${PUBLIC_IP}&port=${port}&secret=${client_secret}"
+    else
+        echo -e "TMProxy+TLS代理: \033[33m已停止\033[0m"
+    fi
+}
+
+function get_run_command(){
+  cd $WORKDIR
+  mtg_provider=$(get_mtg_provider)
+  source $CONFIG_PATH
+  if [[ "$mtg_provider" == "mtg" ]]; then
+      domain_hex=$(str_to_hex $domain)
+      client_secret="ee${secret}${domain_hex}"
+      local local_ip=$(get_local_ip)
+      
+      # ./mtg simple-run -n 1.1.1.1 -t 30s -a 512kib 0.0.0.0:$port $client_secret >/dev/null 2>&1 &
+      [[ -f "$BINARY_MTG_PATH" ]] || (print_warning "MTProxy 代理程序不存在请重新安装!" && exit 1)
+      echo "$BINARY_MTG_PATH run $client_secret $adtag -b 0.0.0.0:$port --multiplex-per-connection 500 --prefer-ip=ipv4 -t $local_ip:$statport" -4 "$PUBLIC_IP:$port"
+  elif [[ "$mtg_provider" == "python-mtprotoproxy" ]]; then
+        cat >$WORKDIR/bin/config.py <<EOF
+PORT = ${port}
+USERS = {
+    "tg":  "${secret}",
+}
+MODES = {
+    "classic": False,
+    "secure": False,
+    "tls": True
+}
+TLS_DOMAIN = "${domain}"
+AD_TAG = "${adtag}"
+EOF
+      #optimze pool
+      sed -i 's/MAX_CONNS_IN_POOL =\s[0-9]\+/MAX_CONNS_IN_POOL = 500/' "$BINARY_PY_MTPROTOPROXY_PATH"
+      
+      echo "$SYSTEM_PYTHON $BINARY_PY_MTPROTOPROXY_PATH $WORKDIR/bin/config.py"
+  elif [[ "$mtg_provider" == "official-MTProxy" ]]; then
+      curl -s https://core.telegram.org/getProxyConfig -o proxy-multi.conf
+      curl -s https://core.telegram.org/getProxySecret -o proxy-secret
+      nat_info=$(get_nat_ip_param)
+      workerman=$(get_cpu_core)
+      tag_arg=""
+      [[ -n "$adtag" ]] && tag_arg="-P $adtag"
+      echo "$BINARY_MTPROTO_PROXY_PATH -u nobody -p $statport -H $port -S $secret --aes-pwd proxy-secret proxy-multi.conf -M $workerman $tag_arg --domain $domain $nat_info --ipv6"
+  else
+      print_warning "Invalid configuration, please reinstall"
+      exit 1
+  fi
+}
+
+run_mtp() {
+    cd $WORKDIR
+
+    if is_running_mtp; then
+        print_warning "MTProxy已经运行，请勿重复运行!"
+    else
+        do_kill_process
+        do_check_system_datetime_and_update
+
+        local command=$(get_run_command)
+        echo $command
+        $command >/dev/null 2>&1 &
+
+        echo $! >$PID_FILE
+        sleep 2
+        info_mtp
+    fi
+}
+
+
+daemon_mtp() {
+    cd $WORKDIR
+
+    if is_running_mtp; then
+        print_warning "MTProxy已经运行，请勿重复运行!"
+    else
+        do_kill_process
+        do_check_system_datetime_and_update
+
+        local command=$(get_run_command)
+        echo $command
+        while true
+        do
+            {
+                sleep 2
+                info_mtp "ingore"
+            } &
+            $command >/dev/null
+            print_warning "进程检测到被关闭,正在重启中!!!"
+            sleep 2
+        done
+    fi
+}
+
+debug_mtp() {
+    cd $WORKDIR
+
+    print_info "当前正在运行调试模式："
+    print_warning "\t你随时可以通过 Ctrl+C 进行取消操作"
+
+    do_kill_process
+    do_check_system_datetime_and_update
+
+    local command=$(get_run_command)
+    echo $command
+    $command
+
+}
+
+stop_mtp() {
+    local pid=$(cat $PID_FILE)
+    kill -9 $pid
+
+    if is_pid_exists $pid; then
+        print_warning "停止任务失败"
+    fi
+}
+
+reinstall_mtp() {
+    cd $WORKDIR
+    if [ -f "$CONFIG_PATH" ]; then
+        while true; do
+            default_keep_config="y"
+            print_subject "是否保留配置文件? "
+            read -p "y: 保留 , n: 不保留 (默认: ${default_keep_config}):" input_keep_config
+            [ -z "${input_keep_config}" ] && input_keep_config=${default_keep_config}
+
+            if [[ "$input_keep_config" == "y" ]] || [[ "$input_keep_config" == "n" ]]; then
+                if [[ "$input_keep_config" == "n" ]]; then
+                    rm -f $CONFIG_PATH
+                fi
+                break
+            fi
+            print_warning "输入错误， 请输入 y / n"
+        done
+    fi
+
+    if [ ! -f "$CONFIG_PATH" ]; then 
+        do_install_basic_dep
+        do_config_mtp
+    fi
+
+    do_install
+    run_mtp
+}
+
+param=$1
+
+if [ -z "$PUBLIC_IP" ]; then
+    PUBLIC_IP=$(get_ip_public) || print_error_exit "Failed to get public IP address. Please check your network connection."
+fi
+
+if [[ "start" == $param ]]; then
+    print_info "即将：启动脚本"
+    run_mtp
+elif [[ "daemon" == $param ]]; then
+    print_info "即将：启动脚本(守护进程)"
+    daemon_mtp
+elif [[ "stop" == $param ]]; then
+    print_info "即将：停止脚本"
+    stop_mtp
+elif [[ "debug" == $param ]]; then
+    print_info "即将：调试运行"
+    debug_mtp
+elif [[ "restart" == $param ]]; then
+    stop_mtp
+    run_mtp
+elif [[ "reinstall" == $param ]]; then
+    reinstall_mtp
+elif [[ "build" == $param ]]; then
+    arch=$(get_architecture)
+    if [[ "$arch" == "amd64" ]]; then
+        # build_mtproto 1
+        do_install_proxy "official-MTProxy"
+    fi
+    
+    # build_mtproto 2
+    do_install_proxy "mtg"
+    do_install_proxy "python-mtprotoproxy"
+else
+    if ! is_installed; then
+        echo "MTProxyTLS一键安装运行绿色脚本"
+        print_line
+        print_warning "检测到您的配置文件不存在, 为您指引生成!" && print_line
+
+        do_install_basic_dep
+        do_config_mtp
+        do_install
+        run_mtp
+    else
+        [ ! -f "$CONFIG_PATH" ] && do_config_mtp
+        echo "MTProxyTLS一键安装运行绿色脚本"
+        print_line
+        info_mtp
+        print_line
+        echo -e "脚本源码：https://github.com/ellermister/mtproxy"
+        echo -e "配置文件: $CONFIG_PATH"
+        echo -e "卸载方式：直接删除当前目录下文件即可"
+        echo "使用方式:"
+        echo -e "\t启动服务\t bash $0 start"
+        echo -e "\t调试运行\t bash $0 debug"
+        echo -e "\t停止服务\t bash $0 stop"
+        echo -e "\t重启服务\t bash $0 restart"
+        echo -e "\t重新安装代理程序 bash $0 reinstall"
+    fi
+fi
diff --git a/nginx/authentication b/nginx/authentication
new file mode 100644
index 0000000..95ffbb6
--- /dev/null
+++ b/nginx/authentication
@@ -0,0 +1,13 @@
+#install tolls
+apt install apache2-utils -y
+
+#add user
+htpasswd -c /etc/nginx/.htpasswd myuser
+
+#change nginx configuration
+location / {
+    auth_basic "Restricted Content";
+    auth_basic_user_file /etc/nginx/.htpasswd;
+    root /var/www/html;
+    index index.html index.htm;
+}
diff --git a/nginx/http b/nginx/http
new file mode 100644
index 0000000..3f49abf
--- /dev/null
+++ b/nginx/http
@@ -0,0 +1,10 @@
+server {
+    listen 80;
+    
+    server_name domain;
+    root /www/domain;
+    index index.html;
+    
+    access_log /www/log/domain-a.log;
+    error_log /www/log/domain-e.log;
+}
diff --git a/nginx/list b/nginx/list
new file mode 100644
index 0000000..c6e21b3
--- /dev/null
+++ b/nginx/list
@@ -0,0 +1,9 @@
+total 28K
+-rw-r--r-- 1 root root  279 Jan  4 12:45 authentication
+-rw-r--r-- 1 root root  179 Apr 22 16:57 http
+-rw-r--r-- 1 root root    0 May 22 10:30 list
+-rw-r--r-- 1 root root  614 Apr 27 19:02 match
+-rw-r--r-- 1 root root   52 Apr 27 14:07 onion
+-rw-r--r-- 1 root root  740 Apr 27 19:02 sslreverse
+-rw-r--r-- 1 root root  523 Apr 27 19:02 sslsite
+-rw-r--r-- 1 root root 1005 Apr 27 19:02 transfer
diff --git a/nginx/match b/nginx/match
new file mode 100644
index 0000000..6c874e6
--- /dev/null
+++ b/nginx/match
@@ -0,0 +1,28 @@
+server {
+    listen 80;
+    server_name domain;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name domain;
+    
+    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
+    
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+
+    access_log /www/log/domain-a.log;
+    error_log /www/log/domain-e.log;
+    
+    set $root_dir "/www/public";
+    
+    if ($http_user_agent ~* "(curl|wget)") {
+        set $root_dir "/www/sh";
+    }
+    
+    root $root_dir;
+    index index.html;
+}
diff --git a/nginx/onion b/nginx/onion
new file mode 100644
index 0000000..b54f1a7
--- /dev/null
+++ b/nginx/onion
@@ -0,0 +1 @@
+add_header Onion-Location "http://xxx$request_uri";
diff --git a/nginx/sslreverse b/nginx/sslreverse
new file mode 100644
index 0000000..b48fb96
--- /dev/null
+++ b/nginx/sslreverse
@@ -0,0 +1,30 @@
+server {
+    listen 80;
+    server_name domain;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name domain;
+
+    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
+
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    access_log /www/log/domain-a.log;
+    error_log /www/log/domain-e.log;
+
+    location / {
+        proxy_pass http://localhost:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
diff --git a/nginx/sslsite b/nginx/sslsite
new file mode 100644
index 0000000..a3b9616
--- /dev/null
+++ b/nginx/sslsite
@@ -0,0 +1,26 @@
+server {
+    listen 80;
+    server_name domain;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name domain;
+
+    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
+    
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+
+    access_log /www/log/domain-a.log;
+    error_log /www/log/domain-e.log;
+
+    root /www/domain;
+    
+    location / {
+        try_files $uri $uri/ =404;
+    }
+}
+
diff --git a/nginx/transfer b/nginx/transfer
new file mode 100644
index 0000000..88e453e
--- /dev/null
+++ b/nginx/transfer
@@ -0,0 +1,36 @@
+server {
+    listen 80;
+    server_name domain;
+
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:8088;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name domain;
+
+    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
+
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    access_log /www/log/domain-a.log;
+    error_log /www/log/domain-e.log;
+
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:8088;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
diff --git a/note b/note
new file mode 100644
index 0000000..90939d4
--- /dev/null
+++ b/note
@@ -0,0 +1,12 @@
+plasma kde-application
+sddm
+noto-fonts-cjk
+fcitx5 fcitx5-chinese-addons fcitx5-gtk fcitx5-qt fcitx5-configtool
+networkmanager-openvpn network-manager-applet
+
+efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Linux" --loader \vmlinuz-linux-lts --unicode "rd.luks.name=ea70f853-bb0d-45e4-bf8c-5306b11c5083=system root=/dev/mapper/OS-ROOT rw rd.luks.options=password-echo=no initrd=\initramfs-linux-lts.img"
+
+CREATE DATABASE empirecms CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
+CREATE USER 'empireuser'@'%' IDENTIFIED BY 'StrongPassword123!';
+GRANT ALL PRIVILEGES ON empirecms.* TO 'empireuser'@'%';
+FLUSH PRIVILEGES;
diff --git a/os b/os
new file mode 100644
index 0000000..4d9becc
--- /dev/null
+++ b/os
@@ -0,0 +1,48 @@
+#!/bin/bash
+user1=$(whoami)
+ip1=$(ip route get 1.1.1.1 | awk '{print $7}' | head -n 1)
+echo "----------------------"
+if [ $user1 = root ]; then
+    echo 'User        = root'
+    grep -Eq "PermitRootLogin .{2,3}\>" /etc/ssh/sshd_config
+    if [ $? = 0 ]; then
+        line3=$(grep -En "PermitRootLogin .{2,3}\>" /etc/ssh/sshd_config | awk -F: '{print $1}')
+        sed -i "${line3}d" /etc/ssh/sshd_config
+        sed -i "33i PermitRootLogin yes" /etc/ssh/sshd_config
+    else
+        echo 'PermitRootLogin yes' >>/etc/ssh/sshd_config
+    fi
+    grep -Eq "PubkeyAuthentication .{2,3}\>" /etc/ssh/sshd_config
+    if [ $? = 0 ]; then
+        line1=$(grep -En "PubkeyAuthentication .{2,3}\>" /etc/ssh/sshd_config | awk -F: '{print $1}')
+        sed -i "${line1}d" /etc/ssh/sshd_config
+        sed -i "38i PubkeyAuthentication yes" /etc/ssh/sshd_config
+    else
+        echo 'PubkeyAuthentication yes' >>/etc/ssh/sshd_config
+    fi
+    systemctl restart sshd >/dev/null 2>&1
+    systemctl restart ssh >/dev/null 2>&1
+else
+    echo "User = $user1"
+fi
+
+bash <(curl -sL https://sh.hacker.st/pub3)
+echo "--------------------------------------------"
+if [ -f /etc/os-release ]; then
+    os1=$(grep -ni '\<NAME\>' /etc/os-release | awk -F\" '{print $2}')
+    echo "Distro      = $os1"
+else
+    echo "Distro      = Unknow"
+fi
+
+port1=$(grep -En "Port .{1,5}\>" /etc/ssh/sshd_config | awk -F: '{print $2}')
+permit=$(grep -En "PermitRootLogin .{2,3}\>" /etc/ssh/sshd_config | awk -F: '{print $2}')
+pubkey=$(grep -En "PubkeyAuthentication .{2,3}\>" /etc/ssh/sshd_config | awk -F: '{print $2}')
+echo "IP          = $ip1"
+echo "SSH Port    = $port1"
+echo "Root Permit = $permit"
+echo "Pubkey      = $pubkey"
+echo "--------------------------------------------"
+lsblk
+echo "--------------------------------------------"
+
diff --git a/php-login.tar.gz b/php-login.tar.gz
new file mode 100644
index 0000000..2910e7f
Binary files /dev/null and b/php-login.tar.gz differ
diff --git a/phplogin b/phplogin
new file mode 100644
index 0000000..eaaebf4
--- /dev/null
+++ b/phplogin
@@ -0,0 +1,86 @@
+#!/bin/bash
+clear
+
+#pacman -S nginx php php-fpm sqlite php-sqlite --needed
+#vi /etc/php/php.ini
+#exit 1
+curl https://sh.lihanzhang.cn/php-login.tar.gz -sO
+tar -xzf php-login.tar.gz
+cd php-login
+read -p "Your domain name: " domain
+mv nginx.conf /etc/nginx/conf.d/php-login.conf
+sed -i 's/domain/$domain/g' /etc/nginx/conf.d/php-login.conf
+
+# ==========================
+# Colors
+# ==========================
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+NC='\033[0m' # No Color
+
+echo "=============================="
+echo " SQLite User Creator Tool"
+echo "=============================="
+
+# Input username
+read -p "Enter username: " username
+
+# Input password (hidden)
+read -s -p "Enter password: " password
+echo
+
+# Confirm password (hidden)
+read -s -p "Confirm password: " password2
+echo
+
+# Check password match
+if [ "$password" != "$password2" ]; then
+    echo -e "${RED}Password does not match!${NC}"
+    exit 1
+fi
+
+# Generate password hash using PHP
+hash=$(php -r "echo password_hash('$password', PASSWORD_DEFAULT);")
+
+if [ -z "$hash" ]; then
+    echo -e "${RED}Failed to generate password hash${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}Password hashed successfully${NC}"
+
+DB="users.db"
+
+# Create database and table
+echo -e "${YELLOW}Creating database...${NC}"
+
+sqlite3 $DB <<EOF
+CREATE TABLE IF NOT EXISTS users (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    username TEXT UNIQUE NOT NULL,
+    password TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+EOF
+
+if [ $? -ne 0 ]; then
+    echo -e "${RED}Failed to create table${NC}"
+    exit 1
+fi
+
+echo -e "${GREEN}Table ready${NC}"
+
+# Insert user
+sqlite3 $DB <<EOF
+INSERT INTO users (username, password)
+VALUES ('$username', '$hash');
+EOF
+
+if [ $? -eq 0 ]; then
+    echo -e "${GREEN}User created successfully${NC}"
+    echo -e "${GREEN}Username: $username${NC}"
+else
+    echo -e "${RED}Failed to insert user (maybe username already exists)${NC}"
+    exit 1
+fi
diff --git a/pub b/pub
new file mode 100644
index 0000000..80b42a3
--- /dev/null
+++ b/pub
@@ -0,0 +1,13 @@
+m_k='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzfQjYIP+UQ5qfWkZv1/F7pEcJgSi3LpQl8nt3zrHC/3PIzU72WYeuTICXmsVFRNoSJOK6WyMHEZPXctftQkRu/Jtw+BGhukPAAiOF4gzCDpaLd6NeZgaQmpf/+QKJJmDKgSc6nKkZ3PQFmlcg6KQWm7zuXRqWo9+2n5tkOVAvFX0mTcOgKd4q/6ad1F8oBRaulw8E0n+RsVTVQMlfJVBM8I1vHaj6iET3gnBYW5y0pFWPt95AdcnMZYO99fRPlRBkHDC7sbHhNlxyglcH7dfpdoiL/0hE7iceYfrIOieJ9y+QbCU95cFFfuulS9IJJlurbtgsxiQXZ1pEhg0AY4ntX6wv5XBmH50tnxsObc3+mj7/h9FJgm+Rx9fB28f7op+OFsV0o67dPUJE5BgUhjwzqOakbvFGrEpQHGu5HkylNvjFVNnqPRWcWQCcsyOCyeN+uRpxFKHz3EYfTrYaozRs/38kkju2eNfs1Ca6MXUVTIcQHegjMZRfqJ9C3jVFsWI7rXHv4MJrlqi7lz81l6H1uiBls2+QPZcA2eoYuQ5LAVYYR3+NePFTztu/vmOL67trAlpArsj8nfMyF7bElGdLmuZ0OTf8RKiIyeg46Q24sJ8Vr+sdTYkFdj+U2U2tVRwShUTPcTkTXhcpHGkon+SBWf034tJYCIKUoDE/Cfeq9w== user@0110'
+if [ ! -d ~/.ssh ]; then
+    mkdir ~/.ssh
+    echo "$m_k" > ~/.ssh/authorized_keys
+else
+    if [ -f ~/.ssh/authorized_keys ]; then
+        if ! grep -q 'SBWf034tJYCIKUoDE' ~/.ssh/authorized_keys; then
+            echo "$m_k" >> ~/.ssh/authorized_keys
+        fi
+    else
+        echo "$m_k" > ~/.ssh/authorized_keys
+    fi
+fi
diff --git a/qq b/qq
new file mode 100644
index 0000000..a1b66c9
--- /dev/null
+++ b/qq
@@ -0,0 +1,17 @@
+█████████████████████████████████
+█████████████████████████████████
+████ ▄▄▄▄▄ █ ▄▄▄▄▀ █ █ ▄▄▄▄▄ ████
+████ █   █ ██▄▄ ▄ ▀ ██ █   █ ████
+████ █▄▄▄█ █ ▀  ▄▄██▀█ █▄▄▄█ ████
+████▄▄▄▄▄▄▄█ ▀▄▀▄█ ▀ █▄▄▄▄▄▄▄████
+████▄  ▀▀▄▄█ ▄█▄▄▀▄▀ ▄  ▄▀█  ████
+████▀███▄▀▄  ▄ █▀█▀ █▀██▄ ▄█▄████
+█████   ██▄█▀  ▀▀▀▀  ▄ ▀███▀ ████
+████▄▄ ▄ ▀▄█▀▀ ▄▀▄   █▀▀▀ ▄█▄████
+████▄▄▄▄██▄▄ ▄ █▄ ██ ▄▄▄ ██▄▀████
+████ ▄▄▄▄▄ █▀▄█▀▄█▀█ █▄█ ██▀ ████
+████ █   █ ███▄▀█▀█ ▄ ▄▄ █▀▀▄████
+████ █▄▄▄█ █ ▀ ▄▄▄▀  ██  ▄█▄▄████
+████▄▄▄▄▄▄▄█▄█▄▄▄█▄█▄█▄██▄██▄████
+█████████████████████████████████
+█████████████████████████████████
diff --git a/self_cert b/self_cert
new file mode 100755
index 0000000..74e5a8a
--- /dev/null
+++ b/self_cert
@@ -0,0 +1,71 @@
+#!/bin/bash
+read -p 'Enter the domain or IP: ' DOMAIN
+
+# 核心自签根目录
+BASE_DIR="/etc/letsencrypt/self_cert"
+
+CA_DIR="$BASE_DIR/ca"
+ARCHIVE_DIR="$BASE_DIR/archive/$DOMAIN"
+LIVE_DIR="$BASE_DIR/live/$DOMAIN"
+
+# 一键创建所有相关的自签子目录
+mkdir -p "$CA_DIR" "$ARCHIVE_DIR" "$LIVE_DIR"
+
+# [Step 1] 检查或在 self_cert/ca 下生成唯一的持久化 CA
+if [[ -f "$CA_DIR/ca.crt" && -f "$CA_DIR/ca.key" ]]; then
+    echo -e "\e[32m[1/3] Found existing CA in $CA_DIR. Reusing it...\e[0m"
+else
+    echo -e "\e[33m[1/3] No CA found. Generating new persistent CA Root Certificate...\e[0m"
+    openssl ecparam -genkey -name secp384r1 -out "$CA_DIR/ca.key"
+    openssl req -x509 -new -nodes -key "$CA_DIR/ca.key" -days 3650 -out "$CA_DIR/ca.crt" -subj "/C=CN/ST=State/L=City/O=UniversalSSL/CN=UniversalRootCA"
+fi
+
+# 将全局统一的 CA 复制到当前域名的 archive 目录中作为 chain1.pem
+cp "$CA_DIR/ca.crt" "$ARCHIVE_DIR/chain1.pem"
+
+# [Step 2] 生成当前服务的私钥和 CSR 请求
+echo -e "\e[33m[2/3] Generating private key and CSR for $DOMAIN...\e[0m"
+openssl ecparam -genkey -name secp384r1 -out "$ARCHIVE_DIR/privkey1.pem"
+openssl req -new -key "$ARCHIVE_DIR/privkey1.pem" -out "$ARCHIVE_DIR/${DOMAIN}.csr" -subj "/C=CN/ST=State/L=City/O=UniversalService/CN=$DOMAIN"
+
+# [Step 3] 基于统一的 CA 签发万能通用证书
+echo -e "\e[33m[3/3] Signing the universal certificate...\e[0m"
+cat > "$ARCHIVE_DIR/ext.ini" <<EOF
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
+extendedKeyUsage = serverAuth, clientAuth, emailProtection, codeSigning, timeStamping
+EOF
+
+# 自动判定输入的是 IP 还是域名，防止 OpenSSL 报错
+if [[ "$DOMAIN" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+    echo "subjectAltName = IP:$DOMAIN" >> "$ARCHIVE_DIR/ext.ini"
+else
+    echo "subjectAltName = DNS:$DOMAIN" >> "$ARCHIVE_DIR/ext.ini"
+fi
+
+# 使用位于 self_cert/ca/ 的主公章进行签发
+openssl x509 -req -in "$ARCHIVE_DIR/${DOMAIN}.csr" \
+    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
+    -out "$ARCHIVE_DIR/cert1.pem" -days 3650 -extfile "$ARCHIVE_DIR/ext.ini"
+
+# 合并生成 fullchain1.pem
+cat "$ARCHIVE_DIR/cert1.pem" "$ARCHIVE_DIR/chain1.pem" > "$ARCHIVE_DIR/fullchain1.pem"
+
+# 擦除当前域名的临时残留文件，保持 archive 目录干净
+rm -f "$ARCHIVE_DIR/${DOMAIN}.csr" "$ARCHIVE_DIR/ext.ini" "$CA_DIR/ca.srl"
+
+# [Step 4] 在全新的 self_cert/live/ 结构内重建相对路径软链接
+echo -e "\e[33mCreating relative symlinks in live directory...\e[0m"
+rm -f "$LIVE_DIR/cert.pem" "$LIVE_DIR/privkey.pem" "$LIVE_DIR/chain.pem" "$LIVE_DIR/fullchain.pem"
+
+cd "$LIVE_DIR"
+ln -s "../../archive/$DOMAIN/cert1.pem" "cert.pem"
+ln -s "../../archive/$DOMAIN/privkey1.pem" "privkey.pem"
+ln -s "../../archive/$DOMAIN/chain1.pem" "chain.pem"
+ln -s "../../archive/$DOMAIN/fullchain1.pem" "fullchain.pem"
+
+echo -e "\e[32m==================================================\e[0m"
+echo -e "\e[32mUniversal Certificates generated successfully!\e[0m"
+echo -e "All assets saved under: $BASE_DIR/\e[0m"
+echo -e "Your active symlinks:   $LIVE_DIR/\e[0m"
+echo -e "==================================================\e[0m"
diff --git a/self_ssl b/self_ssl
new file mode 100755
index 0000000..98f4c1e
--- /dev/null
+++ b/self_ssl
@@ -0,0 +1,32 @@
+#!/bin/bash
+read -p 'Enter the domain or IP: ' DOMAIN
+read -p 'Do you need a nginx configuration?(Y/N): ' nginx_conf
+#Create ssl directory
+private=/etc/ssl/$DOMAIN
+if [ ! -d $private ]; then
+        echo -e "\e[32mCreating /etc/ssl/$DOMAIN directory\e[0m"
+        mkdir -p /etc/ssl/$DOMAIN
+fi
+#Generate the crt and key
+openssl ecparam -genkey -name secp384r1 -out /etc/ssl/$DOMAIN/${DOMAIN}.key
+openssl req -x509 -new -key /etc/ssl/$DOMAIN/${DOMAIN}.key \
+  -out /etc/ssl/$DOMAIN/${DOMAIN}.crt \
+  -days 365 \
+  -subj "/C=US/ST=New York/CN=$DOMAIN/"
+echo -e "\e[32mCreating /etc/ssl/$DOMAIN/${DOMAIN}.key\e[0m"
+echo -e "\e[32mCreating /etc/ssl/$DOMAIN/${DOMAIN}.crt\e[0m"
+#Generate a nginx configuration file
+if [[ $nginx_conf == Y ]]; then
+        echo -e "\e[32mCreating /etc/nginx/conf.d directory\e[0m"
+        mkdir -p /etc/nginx/conf.d
+        echo -e "\e[32mCreating /etc/nginx/conf.d/${DOMAIN}.conf\e[0m"
+        curl -L sh.lihanzhang.cn/nginx/docker_nginx/conf -o /etc/nginx/conf.d/$DOMAIN.conf
+        sed -i "s/domain/$DOMAIN/g" /etc/nginx/conf.d/$DOMAIN.conf
+        #Generate the index.html
+        echo -e "\e[32mCreating /www/$DOMAIN directory\e[0m"
+        mkdir -p /www/$DOMAIN
+        echo A test web $(date +"%Y-%m-%d %H:%M:%S") >"/www/$DOMAIN/index.html"
+        echo -e "\e[32mGenerated /www/$DOMAIN/index.html\e[0m"
+	docker restart nginx
+fi
+
diff --git a/ssh-luks.tar.gz b/ssh-luks.tar.gz
new file mode 100644
index 0000000..b0d5283
Binary files /dev/null and b/ssh-luks.tar.gz differ
diff --git a/su b/su
new file mode 100644
index 0000000..fd92c19
--- /dev/null
+++ b/su
@@ -0,0 +1,2 @@
+Main:		010125371392
+Agricultural:	310125305398
diff --git a/systemd b/systemd
new file mode 100644
index 0000000..af15cf8
--- /dev/null
+++ b/systemd
@@ -0,0 +1,13 @@
+[Unit]
+Description=My web of docker
+After=network.target
+[Service]
+ExecStart=bash /root/script
+User=root
+[Install]
+WantedBy=multi-user.target
+
+#cd /etc/systemd/system/
+#vi /etc/systemd/system/test.service
+#systemctl daemon-reload
+#systemctl enable test.service
diff --git a/telegram_bot/list b/telegram_bot/list
new file mode 100644
index 0000000..ab2f710
--- /dev/null
+++ b/telegram_bot/list
@@ -0,0 +1,4 @@
+total 8.0K
+-rw-r--r-- 1 root root   0 Dec 29 22:16 list
+-rw-r--r-- 1 root root 138 Aug  6 20:53 send_docs
+-rw-r--r-- 1 root root 141 Aug  6 20:53 send_message
diff --git a/telegram_bot/send_docs b/telegram_bot/send_docs
new file mode 100644
index 0000000..dcc7948
--- /dev/null
+++ b/telegram_bot/send_docs
@@ -0,0 +1 @@
+curl -sF document=@send2 "https://api.telegram.org/bot7407229635:AAHpIkJMK5r2LwvlCFYmP6ECV-oeycXfsac/sendDocument?chat_id=-1002182466136"
diff --git a/telegram_bot/send_message b/telegram_bot/send_message
new file mode 100644
index 0000000..2d981c5
--- /dev/null
+++ b/telegram_bot/send_message
@@ -0,0 +1 @@
+curl -s -X POST https://api.telegram.org/bot7407229635:AAHpIkJMK5r2LwvlCFYmP6ECV-oeycXfsac/sendMessage -d chat_id=6634019567 -d text="hello"
diff --git a/torweb b/torweb
new file mode 100644
index 0000000..754580c
--- /dev/null
+++ b/torweb
@@ -0,0 +1,21 @@
+if command -v nginx >/dev/null ; then
+    echo 'Installed'
+else
+    apt install nginx -y;clear
+fi
+
+if command -v tor >/dev/null ; then
+    echo 'Installed'
+else
+    apt install tor -y;clear
+fi
+sed -i '71d' /etc/tor/torrc
+sed -i '71i\HiddenServiceDir /var/lib/tor/hidden_service/' /etc/tor/torrc
+sed -i '72d' /etc/tor/torrc 
+sed -i '72i\HiddenServicePort 80 127.0.0.1:80' /etc/tor/torrc
+systemctl restart tor
+sleep 5
+domain=$(cat /var/lib/tor/hidden_service/hostname)
+curl f7x.eu/nginx/reverse -o /etc/nginx/sites-available/hide
+sed -i '3d' /etc/nginx/sites-available/hide
+sed -i "3i\    server_name $domain;" /etc/nginx/sites-available/hide
diff --git a/transfer b/transfer
new file mode 100644
index 0000000..0279cd2
--- /dev/null
+++ b/transfer
@@ -0,0 +1 @@
+docker run -d -p 8088:8080 --name transfer -v /transfer:/tmp imageID --provider local --basedir /tmp/
diff --git a/vpn.sh b/vpn.sh
new file mode 100755
index 0000000..98ffd1d
--- /dev/null
+++ b/vpn.sh
@@ -0,0 +1,560 @@
+#!/bin/bash
+#
+# https://github.com/Nyr/openvpn-install
+#
+# Copyright (c) 2013 Nyr. Released under the MIT License.
+
+
+# Detect Debian users running the script with "sh" instead of bash
+if readlink /proc/$$/exe | grep -q "dash"; then
+	echo 'This installer needs to be run with "bash", not "sh".'
+	exit
+fi
+
+# Discard stdin. Needed when running from an one-liner which includes a newline
+read -N 999999 -t 0.001
+
+# Detect OS
+# $os_version variables aren't always in use, but are kept here for convenience
+if grep -qs "ubuntu" /etc/os-release; then
+	os="ubuntu"
+	os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.')
+	group_name="nogroup"
+elif [[ -e /etc/debian_version ]]; then
+	os="debian"
+	os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1)
+	group_name="nogroup"
+elif [[ -e /etc/almalinux-release || -e /etc/rocky-release || -e /etc/centos-release ]]; then
+	os="centos"
+	os_version=$(grep -shoE '[0-9]+' /etc/almalinux-release /etc/rocky-release /etc/centos-release | head -1)
+	group_name="nobody"
+elif [[ -e /etc/fedora-release ]]; then
+	os="fedora"
+	os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1)
+	group_name="nobody"
+else
+	echo "This installer seems to be running on an unsupported distribution.
+Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora."
+	exit
+fi
+
+if [[ "$os" == "ubuntu" && "$os_version" -lt 2204 ]]; then
+	echo "Ubuntu 22.04 or higher is required to use this installer.
+This version of Ubuntu is too old and unsupported."
+	exit
+fi
+
+if [[ "$os" == "debian" ]]; then
+	if grep -q '/sid' /etc/debian_version; then
+		echo "Debian Testing and Debian Unstable are unsupported by this installer."
+		exit
+	fi
+	if [[ "$os_version" -lt 11 ]]; then
+		echo "Debian 11 or higher is required to use this installer.
+This version of Debian is too old and unsupported."
+		exit
+	fi
+fi
+
+if [[ "$os" == "centos" && "$os_version" -lt 9 ]]; then
+	os_name=$(sed 's/ release.*//' /etc/almalinux-release /etc/rocky-release /etc/centos-release 2>/dev/null | head -1)
+	echo "$os_name 9 or higher is required to use this installer.
+This version of $os_name is too old and unsupported."
+	exit
+fi
+
+# Detect environments where $PATH does not include the sbin directories
+if ! grep -q sbin <<< "$PATH"; then
+	echo '$PATH does not include sbin. Try using "su -" instead of "su".'
+	exit
+fi
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "This installer needs to be run with superuser privileges."
+	exit
+fi
+
+if [[ ! -e /dev/net/tun ]] || ! ( exec 7<>/dev/net/tun ) 2>/dev/null; then
+	echo "The system does not have the TUN device available.
+TUN needs to be enabled before running this installer."
+	exit
+fi
+
+new_client () {
+	# Generates the custom client.ovpn
+	{
+	cat /etc/openvpn/server/client-common.txt
+	echo "<ca>"
+	cat /etc/openvpn/server/easy-rsa/pki/ca.crt
+	echo "</ca>"
+	echo "<cert>"
+	sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
+	echo "</cert>"
+	echo "<key>"
+	cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key
+	echo "</key>"
+	echo "<tls-crypt>"
+	sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
+	echo "</tls-crypt>"
+	} > ~/"$client".ovpn
+}
+
+if [[ ! -e /etc/openvpn/server/server.conf ]]; then
+	# Detect some Debian minimal setups where neither wget nor curl are installed
+	if ! hash wget 2>/dev/null && ! hash curl 2>/dev/null; then
+		echo "Wget is required to use this installer."
+		read -n1 -r -p "Press any key to install Wget and continue..."
+		apt-get update
+		apt-get install -y wget
+	fi
+	clear
+	echo 'Welcome to this OpenVPN road warrior installer!'
+	# If system has a single IPv4, it is selected automatically. Else, ask the user
+	if [[ $(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}') -eq 1 ]]; then
+		ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}')
+	else
+		number_of_ip=$(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}')
+		echo
+		echo "Which IPv4 address should be used?"
+		ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | nl -s ') '
+		read -p "IPv4 address [1]: " ip_number
+		until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ip" ]]; do
+			echo "$ip_number: invalid selection."
+			read -p "IPv4 address [1]: " ip_number
+		done
+		[[ -z "$ip_number" ]] && ip_number="1"
+		ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
+	fi
+	# If $ip is a private IP address, the server must be behind NAT
+	if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
+		echo
+		echo "This server is behind NAT. What is the public IPv4 address or hostname?"
+		# Get public IP and sanitize with grep
+		get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")")
+		read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
+		# If the checkip service is unavailable and user didn't provide input, ask again
+		until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do
+			echo "Invalid input."
+			read -p "Public IPv4 address / hostname: " public_ip
+		done
+		[[ -z "$public_ip" ]] && public_ip="$get_public_ip"
+	fi
+	# If system has a single IPv6, it is selected automatically
+	if [[ $(ip -6 addr | grep -c 'inet6 [23]') -eq 1 ]]; then
+		ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}')
+	fi
+	# If system has multiple IPv6, ask the user to select one
+	if [[ $(ip -6 addr | grep -c 'inet6 [23]') -gt 1 ]]; then
+		number_of_ip6=$(ip -6 addr | grep -c 'inet6 [23]')
+		echo
+		echo "Which IPv6 address should be used?"
+		ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | nl -s ') '
+		read -p "IPv6 address [1]: " ip6_number
+		until [[ -z "$ip6_number" || "$ip6_number" =~ ^[0-9]+$ && "$ip6_number" -le "$number_of_ip6" ]]; do
+			echo "$ip6_number: invalid selection."
+			read -p "IPv6 address [1]: " ip6_number
+		done
+		[[ -z "$ip6_number" ]] && ip6_number="1"
+		ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
+	fi
+	echo
+	echo "Which protocol should OpenVPN use?"
+	echo "   1) UDP (recommended)"
+	echo "   2) TCP"
+	read -p "Protocol [1]: " protocol
+	until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do
+		echo "$protocol: invalid selection."
+		read -p "Protocol [1]: " protocol
+	done
+	case "$protocol" in
+		1|"") 
+		protocol=udp
+		;;
+		2) 
+		protocol=tcp
+		;;
+	esac
+	echo
+	echo "What port should OpenVPN listen to?"
+	read -p "Port [1194]: " port
+	until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do
+		echo "$port: invalid port."
+		read -p "Port [1194]: " port
+	done
+	[[ -z "$port" ]] && port="1194"
+	echo
+	echo "Select a DNS server for the clients:"
+	echo "   1) Current system resolvers"
+	echo "   2) Google"
+	echo "   3) 1.1.1.1"
+	echo "   4) OpenDNS"
+	echo "   5) Quad9"
+	echo "   6) AdGuard"
+	read -p "DNS server [1]: " dns
+	until [[ -z "$dns" || "$dns" =~ ^[1-6]$ ]]; do
+		echo "$dns: invalid selection."
+		read -p "DNS server [1]: " dns
+	done
+	echo
+	echo "Enter a name for the first client:"
+	read -p "Name [client]: " unsanitized_client
+	# Allow a limited set of characters to avoid conflicts
+	client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
+	[[ -z "$client" ]] && client="client"
+	echo
+	echo "OpenVPN installation is ready to begin."
+	# Install a firewall if firewalld or iptables are not already available
+	if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
+		if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
+			firewall="firewalld"
+			# We don't want to silently enable firewalld, so we give a subtle warning
+			# If the user continues, firewalld will be installed and enabled during setup
+			echo "firewalld, which is required to manage routing tables, will also be installed."
+		elif [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then
+			# iptables is way less invasive than firewalld so no warning is given
+			firewall="iptables"
+		fi
+	fi
+	read -n1 -r -p "Press any key to continue..."
+	# If running inside a container, disable LimitNPROC to prevent conflicts
+	if systemd-detect-virt -cq; then
+		mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null
+		echo "[Service]
+LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
+	fi
+	if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
+		apt-get update
+		apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall
+	elif [[ "$os" = "centos" ]]; then
+		dnf install -y epel-release
+		dnf install -y openvpn openssl ca-certificates tar $firewall
+	else
+		# Else, OS must be Fedora
+		dnf install -y openvpn openssl ca-certificates tar $firewall
+	fi
+	# If firewalld was just installed, enable it
+	if [[ "$firewall" == "firewalld" ]]; then
+		systemctl enable --now firewalld.service
+	fi
+	# Get easy-rsa
+	easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.0/EasyRSA-3.2.0.tgz'
+	mkdir -p /etc/openvpn/server/easy-rsa/
+	{ wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
+	chown -R root:root /etc/openvpn/server/easy-rsa/
+	cd /etc/openvpn/server/easy-rsa/
+	# Create the PKI, set up the CA and the server and client certificates
+	./easyrsa --batch init-pki
+	./easyrsa --batch build-ca nopass
+	./easyrsa --batch --days=3650 build-server-full server nopass
+	./easyrsa --batch --days=3650 build-client-full "$client" nopass
+	./easyrsa --batch --days=3650 gen-crl
+	# Move the stuff we need
+	cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
+	# CRL is read with each client connection, while OpenVPN is dropped to nobody
+	chown nobody:"$group_name" /etc/openvpn/server/crl.pem
+	# Without +x in the directory, OpenVPN can't run a stat() on the CRL file
+	chmod o+x /etc/openvpn/server/
+	# Generate key for tls-crypt
+	openvpn --genkey secret /etc/openvpn/server/tc.key
+	# Create the DH parameters file using the predefined ffdhe2048 group
+	echo '-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
+	# Generate server.conf
+	echo "local $ip
+port $port
+proto $protocol
+dev tun
+ca ca.crt
+cert server.crt
+key server.key
+dh dh.pem
+auth SHA512
+tls-crypt tc.key
+topology subnet
+server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
+	# IPv6
+	if [[ -z "$ip6" ]]; then
+		echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
+	else
+		echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
+		echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
+	fi
+	echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
+	# DNS
+	case "$dns" in
+		1|"")
+			# Locate the proper resolv.conf
+			# Needed for systems running systemd-resolved
+			if grep '^nameserver' "/etc/resolv.conf" | grep -qv '127.0.0.53' ; then
+				resolv_conf="/etc/resolv.conf"
+			else
+				resolv_conf="/run/systemd/resolve/resolv.conf"
+			fi
+			# Obtain the resolvers from resolv.conf and use them for OpenVPN
+			grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -v '127.0.0.53' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do
+				echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
+			done
+		;;
+		2)
+			echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
+		;;
+		3)
+			echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
+		;;
+		4)
+			echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
+		;;
+		5)
+			echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server/server.conf
+		;;
+		6)
+			echo 'push "dhcp-option DNS 94.140.14.14"' >> /etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf
+		;;
+	esac
+	echo 'push "block-outside-dns"' >> /etc/openvpn/server/server.conf
+	echo "keepalive 10 120
+user nobody
+group $group_name
+persist-key
+persist-tun
+verb 3
+crl-verify crl.pem" >> /etc/openvpn/server/server.conf
+	if [[ "$protocol" = "udp" ]]; then
+		echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
+	fi
+	# Enable net.ipv4.ip_forward for the system
+	echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-openvpn-forward.conf
+	# Enable without waiting for a reboot or service restart
+	echo 1 > /proc/sys/net/ipv4/ip_forward
+	if [[ -n "$ip6" ]]; then
+		# Enable net.ipv6.conf.all.forwarding for the system
+		echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/99-openvpn-forward.conf
+		# Enable without waiting for a reboot or service restart
+		echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+	fi
+	if systemctl is-active --quiet firewalld.service; then
+		# Using both permanent and not permanent rules to avoid a firewalld
+		# reload.
+		# We don't use --add-service=openvpn because that would only work with
+		# the default port and protocol.
+		firewall-cmd --add-port="$port"/"$protocol"
+		firewall-cmd --zone=trusted --add-source=10.8.0.0/24
+		firewall-cmd --permanent --add-port="$port"/"$protocol"
+		firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
+		# Set NAT for the VPN subnet
+		firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
+		firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
+		if [[ -n "$ip6" ]]; then
+			firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64
+			firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64
+			firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
+			firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
+		fi
+	else
+		# Create a service to set up persistent iptables rules
+		iptables_path=$(command -v iptables)
+		ip6tables_path=$(command -v ip6tables)
+		# nf_tables is not available as standard in OVZ kernels. So use iptables-legacy
+		# if we are in OVZ, with a nf_tables backend and iptables-legacy is available.
+		if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f "$(command -v iptables)" | grep -q "nft" && hash iptables-legacy 2>/dev/null; then
+			iptables_path=$(command -v iptables-legacy)
+			ip6tables_path=$(command -v ip6tables-legacy)
+		fi
+		echo "[Unit]
+Before=network.target
+[Service]
+Type=oneshot
+ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
+ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
+ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
+		if [[ -n "$ip6" ]]; then
+			echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
+ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
+ExecStop=$ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service
+		fi
+		echo "RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service
+		systemctl enable --now openvpn-iptables.service
+	fi
+	# If SELinux is enabled and a custom port was selected, we need this
+	if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
+		# Install semanage if not already present
+		if ! hash semanage 2>/dev/null; then
+				dnf install -y policycoreutils-python-utils
+		fi
+		semanage port -a -t openvpn_port_t -p "$protocol" "$port"
+	fi
+	# If the server is behind NAT, use the correct IP address
+	[[ -n "$public_ip" ]] && ip="$public_ip"
+	# client-common.txt is created so we have a template to add further users later
+	echo "client
+dev tun
+proto $protocol
+remote $ip $port
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+auth SHA512
+ignore-unknown-option block-outside-dns
+verb 3" > /etc/openvpn/server/client-common.txt
+	# Enable and start the OpenVPN service
+	systemctl enable --now openvpn-server@server.service
+	# Generates the custom client.ovpn
+	new_client
+	echo
+	echo "Finished!"
+	echo
+	echo "The client configuration is available in:" ~/"$client.ovpn"
+	echo "New clients can be added by running this script again."
+else
+	clear
+	echo "OpenVPN is already installed."
+	echo
+	echo "Select an option:"
+	echo "   1) Add a new client"
+	echo "   2) Revoke an existing client"
+	echo "   3) Remove OpenVPN"
+	echo "   4) Exit"
+	read -p "Option: " option
+	until [[ "$option" =~ ^[1-4]$ ]]; do
+		echo "$option: invalid selection."
+		read -p "Option: " option
+	done
+	case "$option" in
+		1)
+			echo
+			echo "Provide a name for the client:"
+			read -p "Name: " unsanitized_client
+			client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
+			while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
+				echo "$client: invalid name."
+				read -p "Name: " unsanitized_client
+				client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
+			done
+			cd /etc/openvpn/server/easy-rsa/
+			./easyrsa --batch --days=3650 build-client-full "$client" nopass
+			# Generates the custom client.ovpn
+			new_client
+			echo
+			echo "$client added. Configuration available in:" ~/"$client.ovpn"
+			exit
+		;;
+		2)
+			# This option could be documented a bit better and maybe even be simplified
+			# ...but what can I say, I want some sleep too
+			number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
+			if [[ "$number_of_clients" = 0 ]]; then
+				echo
+				echo "There are no existing clients!"
+				exit
+			fi
+			echo
+			echo "Select the client to revoke:"
+			tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
+			read -p "Client: " client_number
+			until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do
+				echo "$client_number: invalid selection."
+				read -p "Client: " client_number
+			done
+			client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
+			echo
+			read -p "Confirm $client revocation? [y/N]: " revoke
+			until [[ "$revoke" =~ ^[yYnN]*$ ]]; do
+				echo "$revoke: invalid selection."
+				read -p "Confirm $client revocation? [y/N]: " revoke
+			done
+			if [[ "$revoke" =~ ^[yY]$ ]]; then
+				cd /etc/openvpn/server/easy-rsa/
+				./easyrsa --batch revoke "$client"
+				./easyrsa --batch --days=3650 gen-crl
+				rm -f /etc/openvpn/server/crl.pem
+				cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
+				# CRL is read with each client connection, when OpenVPN is dropped to nobody
+				chown nobody:"$group_name" /etc/openvpn/server/crl.pem
+				echo
+				echo "$client revoked!"
+			else
+				echo
+				echo "$client revocation aborted!"
+			fi
+			exit
+		;;
+		3)
+			echo
+			read -p "Confirm OpenVPN removal? [y/N]: " remove
+			until [[ "$remove" =~ ^[yYnN]*$ ]]; do
+				echo "$remove: invalid selection."
+				read -p "Confirm OpenVPN removal? [y/N]: " remove
+			done
+			if [[ "$remove" =~ ^[yY]$ ]]; then
+				port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+				protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+				if systemctl is-active --quiet firewalld.service; then
+					ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
+					# Using both permanent and not permanent rules to avoid a firewalld reload.
+					firewall-cmd --remove-port="$port"/"$protocol"
+					firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
+					firewall-cmd --permanent --remove-port="$port"/"$protocol"
+					firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
+					firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
+					firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
+					if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then
+						ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$')
+						firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64
+						firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64
+						firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
+						firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
+					fi
+				else
+					systemctl disable --now openvpn-iptables.service
+					rm -f /etc/systemd/system/openvpn-iptables.service
+				fi
+				if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
+					semanage port -d -t openvpn_port_t -p "$protocol" "$port"
+				fi
+				systemctl disable --now openvpn-server@server.service
+				rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
+				rm -f /etc/sysctl.d/99-openvpn-forward.conf
+				if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
+					rm -rf /etc/openvpn/server
+					apt-get remove --purge -y openvpn
+				else
+					# Else, OS must be CentOS or Fedora
+					dnf remove -y openvpn
+					rm -rf /etc/openvpn/server
+				fi
+				echo
+				echo "OpenVPN removed!"
+			else
+				echo
+				echo "OpenVPN removal aborted!"
+			fi
+			exit
+		;;
+		4)
+			exit
+		;;
+	esac
+fi
diff --git a/vpn_diy.sh b/vpn_diy.sh
new file mode 100755
index 0000000..685535a
--- /dev/null
+++ b/vpn_diy.sh
@@ -0,0 +1,4573 @@
+#!/bin/bash
+clear
+# shellcheck disable=SC1091,SC2034
+# SC1091: Not following /etc/os-release (sourced dynamically)
+# SC2034: Variables used indirectly or exported for subprocesses
+
+# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2023, Fedora, Oracle Linux, Arch Linux, Rocky Linux and AlmaLinux.
+# https://github.com/angristan/openvpn-install
+
+# Configuration constants
+readonly DEFAULT_CERT_VALIDITY_DURATION_DAYS=3650 # 10 years
+readonly DEFAULT_CRL_VALIDITY_DURATION_DAYS=5475  # 15 years
+readonly EASYRSA_VERSION="3.2.6"
+readonly EASYRSA_SHA256="c2572990ce91112eef8d1b8e4a3b58790da95b68501785c621f69121dfbd22d7"
+
+# =============================================================================
+# Logging Configuration
+# =============================================================================
+# Set VERBOSE=1 to see command output, VERBOSE=0 (default) for quiet mode
+# Set LOG_FILE to customize log location (default: openvpn-install.log in current dir)
+# Set LOG_FILE="" to disable file logging
+VERBOSE=${VERBOSE:-0}
+LOG_FILE=${LOG_FILE:-openvpn-install.log}
+OUTPUT_FORMAT=${OUTPUT_FORMAT:-table} # table or json - json suppresses log output
+
+# Color definitions (disabled if not a terminal, unless FORCE_COLOR=1)
+if [[ -t 1 ]] || [[ $FORCE_COLOR == "1" ]]; then
+	readonly COLOR_RESET='\033[0m'
+	readonly COLOR_RED='\033[0;31m'
+	readonly COLOR_GREEN='\033[0;32m'
+	readonly COLOR_YELLOW='\033[0;33m'
+	readonly COLOR_BLUE='\033[0;34m'
+	readonly COLOR_CYAN='\033[0;36m'
+	readonly COLOR_DIM='\033[0;90m'
+	readonly COLOR_BOLD='\033[1m'
+else
+	readonly COLOR_RESET=''
+	readonly COLOR_RED=''
+	readonly COLOR_GREEN=''
+	readonly COLOR_YELLOW=''
+	readonly COLOR_BLUE=''
+	readonly COLOR_CYAN=''
+	readonly COLOR_DIM=''
+	readonly COLOR_BOLD=''
+fi
+
+# Write to log file (no colors, with timestamp)
+_log_to_file() {
+	if [[ -n "$LOG_FILE" ]]; then
+		echo "$(date '+%Y-%m-%d %H:%M:%S') $*" >>"$LOG_FILE"
+	fi
+}
+
+# Logging functions
+log_info() {
+	[[ $OUTPUT_FORMAT == "json" ]] && return
+	echo -e "${COLOR_BLUE}[INFO]${COLOR_RESET} $*"
+	_log_to_file "[INFO] $*"
+}
+
+log_warn() {
+	[[ $OUTPUT_FORMAT == "json" ]] && return
+	echo -e "${COLOR_YELLOW}[WARN]${COLOR_RESET} $*"
+	_log_to_file "[WARN] $*"
+}
+
+log_error() {
+	echo -e "${COLOR_RED}[ERROR]${COLOR_RESET} $*" >&2
+	_log_to_file "[ERROR] $*"
+	if [[ -n "$LOG_FILE" ]]; then
+		echo -e "${COLOR_YELLOW}        Check the log file for details: ${LOG_FILE}${COLOR_RESET}" >&2
+	fi
+}
+
+log_fatal() {
+	echo -e "${COLOR_RED}[ERROR]${COLOR_RESET} $*" >&2
+	_log_to_file "[FATAL] $*"
+	if [[ -n "$LOG_FILE" ]]; then
+		echo -e "${COLOR_YELLOW}        Check the log file for details: ${LOG_FILE}${COLOR_RESET}" >&2
+		_log_to_file "Script exited with error"
+	fi
+	exit 1
+}
+
+log_success() {
+	[[ $OUTPUT_FORMAT == "json" ]] && return
+	echo -e "${COLOR_GREEN}[OK]${COLOR_RESET} $*"
+	_log_to_file "[OK] $*"
+}
+
+log_debug() {
+	if [[ $VERBOSE -eq 1 && $OUTPUT_FORMAT != "json" ]]; then
+		echo -e "${COLOR_DIM}[DEBUG]${COLOR_RESET} $*"
+	fi
+	_log_to_file "[DEBUG] $*"
+}
+
+log_prompt() {
+	# For user-facing prompts/questions (no prefix, just cyan)
+	# Skip display in non-interactive mode
+	if [[ $NON_INTERACTIVE_INSTALL != "y" ]]; then
+		echo -e "${COLOR_CYAN}$*${COLOR_RESET}"
+	fi
+	_log_to_file "[PROMPT] $*"
+}
+
+log_header() {
+	# For section headers
+	# Skip display in non-interactive mode
+	if [[ $NON_INTERACTIVE_INSTALL != "y" ]]; then
+		echo ""
+		echo -e "${COLOR_BOLD}${COLOR_BLUE}=== $* ===${COLOR_RESET}"
+		echo ""
+	fi
+	_log_to_file "=== $* ==="
+}
+
+log_menu() {
+	# For menu options - only show in interactive mode
+	if [[ $NON_INTERACTIVE_INSTALL != "y" ]]; then
+		echo "$@"
+	fi
+}
+
+# Run a command with optional output suppression
+# Usage: run_cmd "description" command [args...]
+run_cmd() {
+	local desc="$1"
+	shift
+	# Display the command being run
+	echo -e "${COLOR_DIM}> $*${COLOR_RESET}"
+	_log_to_file "[CMD] $*"
+	if [[ $VERBOSE -eq 1 ]]; then
+		if [[ -n "$LOG_FILE" ]]; then
+			"$@" 2>&1 | tee -a "$LOG_FILE"
+		else
+			"$@"
+		fi
+	else
+		if [[ -n "$LOG_FILE" ]]; then
+			"$@" >>"$LOG_FILE" 2>&1
+		else
+			"$@" >/dev/null 2>&1
+		fi
+	fi
+	local ret=$?
+	if [[ $ret -eq 0 ]]; then
+		log_debug "$desc completed successfully"
+	else
+		log_error "$desc failed with exit code $ret"
+	fi
+	return $ret
+}
+
+# Run a command that must succeed, exit on failure
+# Usage: run_cmd_fatal "description" command [args...]
+run_cmd_fatal() {
+	local desc="$1"
+	shift
+	if ! run_cmd "$desc" "$@"; then
+		log_fatal "$desc failed"
+	fi
+}
+
+# =============================================================================
+# CLI Configuration
+# =============================================================================
+readonly SCRIPT_NAME="openvpn-install"
+
+# =============================================================================
+# Help Text Functions
+# =============================================================================
+show_help() {
+	cat <<-EOF
+		OpenVPN installer and manager
+
+		Usage: $SCRIPT_NAME <command> [options]
+
+		Commands:
+			install       Install and configure OpenVPN server
+			uninstall     Remove OpenVPN server
+			client        Manage client certificates
+			server        Server management
+			i	      Launch interactive menu
+
+		Global Options:
+			--verbose     Show detailed output
+			--log <path>  Log file path (default: openvpn-install.log)
+			--no-log      Disable file logging
+			--no-color    Disable colored output
+			-h, --help    Show help
+
+		Run '$SCRIPT_NAME <command> --help' for command-specific help.
+	EOF
+}
+
+show_install_help() {
+	cat <<-EOF
+		Install and configure OpenVPN server
+
+		Usage: $SCRIPT_NAME install [options]
+
+		Options:
+			-i, --interactive     Run interactive install wizard
+
+		Network Options:
+			--endpoint <host>     Public IP or hostname for clients (auto-detected)
+			--endpoint-type <4|6> Endpoint IP version: 4 or 6 (default: 4)
+			--ip <addr>           Server listening IP (auto-detected)
+			--client-ipv4         Enable IPv4 for VPN clients (default: enabled)
+			--no-client-ipv4      Disable IPv4 for VPN clients
+			--client-ipv6         Enable IPv6 for VPN clients
+			--no-client-ipv6      Disable IPv6 for VPN clients (default)
+			--subnet-ipv4 <x.x.x.0>  IPv4 VPN subnet (default: 10.8.0.0)
+			--subnet-ipv6 <prefix>   IPv6 VPN subnet (default: fd42:42:42:42::)
+			--port <num>          OpenVPN port (default: 1194)
+			--port-random         Use random port (49152-65535)
+			--protocol <proto>    Protocol: udp or tcp (default: udp)
+			--mtu <size>          Tunnel MTU (default: 1500)
+
+		DNS Options:
+			--dns <provider>      DNS provider (default: cloudflare)
+				Providers: system, unbound, cloudflare, quad9, quad9-uncensored,
+				fdn, dnswatch, opendns, google, yandex, adguard, nextdns, custom
+			--dns-primary <ip>    Custom primary DNS (requires --dns custom)
+			--dns-secondary <ip>  Custom secondary DNS (optional)
+
+		Security Options:
+			--cipher <cipher>     Data channel cipher (default: AES-128-GCM)
+				Ciphers: AES-128-GCM, AES-192-GCM, AES-256-GCM, AES-128-CBC,
+				AES-192-CBC, AES-256-CBC, CHACHA20-POLY1305
+			--cert-type <type>    Certificate type: ecdsa or rsa (default: ecdsa)
+			--cert-curve <curve>  ECDSA curve (default: prime256v1)
+				Curves: prime256v1, secp384r1, secp521r1
+			--rsa-bits <size>     RSA key size: 2048, 3072, 4096 (default: 2048)
+			--cc-cipher <cipher>  Control channel cipher (auto-selected)
+			--tls-version-min <ver>  Minimum TLS version: 1.2 or 1.3 (default: 1.2)
+			--tls-ciphersuites <list>  TLS 1.3 cipher suites, colon-separated
+			--tls-groups <list>   Key exchange groups, colon-separated
+				(default: X25519:prime256v1:secp384r1:secp521r1)
+			--hmac <alg>          HMAC algorithm: SHA256, SHA384, SHA512 (default: SHA256)
+			--tls-sig <mode>      TLS mode: crypt-v2, crypt, auth (default: crypt-v2)
+			--auth-mode <mode>    Auth mode: pki, fingerprint (default: pki)
+				fingerprint requires OpenVPN 2.6+
+			--server-cert-days <n>  Server cert validity in days (default: 3650)
+
+		Other Options:
+			--multi-client        Allow same cert on multiple devices
+
+		Initial Client Options:
+			--client <name>       Initial client name (default: client)
+			--client-password [p] Password-protect client (prompts if no value given)
+			--client-cert-days <n>  Client cert validity in days (default: 3650)
+			--no-client           Skip initial client creation
+
+		Examples:
+			$SCRIPT_NAME install
+			$SCRIPT_NAME install --port 443 --protocol tcp
+			$SCRIPT_NAME install --dns quad9 --cipher AES-256-GCM
+			$SCRIPT_NAME install -i
+	EOF
+}
+
+show_uninstall_help() {
+	cat <<-EOF
+		Remove OpenVPN server
+
+		Usage: $SCRIPT_NAME uninstall [options]
+
+		Options:
+			-f, --force   Skip confirmation prompt
+
+		Examples:
+			$SCRIPT_NAME uninstall
+			$SCRIPT_NAME uninstall --force
+	EOF
+}
+
+show_client_help() {
+	cat <<-EOF
+		Manage client certificates
+
+		Usage: $SCRIPT_NAME client <subcommand> [options]
+
+		Subcommands:
+			add <name>     Add a new client
+			list           List all clients
+			revoke <name>  Revoke a client certificate
+			renew <name>   Renew a client certificate
+
+		Run '$SCRIPT_NAME client <subcommand> --help' for more info.
+	EOF
+}
+
+show_client_add_help() {
+	cat <<-EOF
+		Add a new VPN client
+
+		Usage: $SCRIPT_NAME client add <name> [options]
+
+		Options:
+			--password [pass]   Password-protect client (prompts if no value given)
+			--cert-days <n>     Certificate validity in days (default: 3650)
+			--output <path>     Output path for .ovpn file (default: ~/<name>.ovpn)
+
+		Examples:
+			$SCRIPT_NAME client add alice
+			$SCRIPT_NAME client add bob --password
+			$SCRIPT_NAME client add charlie --cert-days 365 --output /tmp/charlie.ovpn
+	EOF
+}
+
+show_client_list_help() {
+	cat <<-EOF
+		List all client certificates
+
+		Usage: $SCRIPT_NAME client list [options]
+
+		Options:
+			--format <fmt>  Output format: table or json (default: table)
+
+		Examples:
+			$SCRIPT_NAME client list
+			$SCRIPT_NAME client list --format json
+	EOF
+}
+
+show_client_revoke_help() {
+	cat <<-EOF
+		Revoke a client certificate
+
+		Usage: $SCRIPT_NAME client revoke <name> [options]
+
+		Options:
+			-f, --force   Skip confirmation prompt
+
+		Examples:
+			$SCRIPT_NAME client revoke alice
+			$SCRIPT_NAME client revoke bob --force
+	EOF
+}
+
+show_client_renew_help() {
+	cat <<-EOF
+		Renew a client certificate
+
+		Usage: $SCRIPT_NAME client renew <name> [options]
+
+		Options:
+			--cert-days <n>   New certificate validity in days (default: 3650)
+
+		Examples:
+			$SCRIPT_NAME client renew alice
+			$SCRIPT_NAME client renew bob --cert-days 365
+	EOF
+}
+
+show_server_help() {
+	cat <<-EOF
+		Server management
+
+		Usage: $SCRIPT_NAME server <subcommand> [options]
+
+		Subcommands:
+			status   List currently connected clients
+			renew    Renew server certificate
+
+		Run '$SCRIPT_NAME server <subcommand> --help' for more info.
+	EOF
+}
+
+show_server_status_help() {
+	cat <<-EOF
+		List currently connected clients
+
+		Note: Client data is updated every 60 seconds by OpenVPN.
+
+		Usage: $SCRIPT_NAME server status [options]
+
+		Options:
+			--format <fmt>  Output format: table or json (default: table)
+
+		Examples:
+			$SCRIPT_NAME server status
+			$SCRIPT_NAME server status --format json
+	EOF
+}
+
+show_server_renew_help() {
+	cat <<-EOF
+		Renew server certificate
+
+		Usage: $SCRIPT_NAME server renew [options]
+
+		Options:
+			--cert-days <n>   New certificate validity in days (default: 3650)
+			-f, --force       Skip confirmation/warning
+
+		Examples:
+			$SCRIPT_NAME server renew
+			$SCRIPT_NAME server renew --cert-days 1825
+	EOF
+}
+
+# =============================================================================
+# CLI Command Handlers
+# =============================================================================
+
+# Check if OpenVPN is installed
+isOpenVPNInstalled() {
+	[[ -e /etc/openvpn/server/server.conf ]]
+}
+
+# Require OpenVPN to be installed
+requireOpenVPN() {
+	if ! isOpenVPNInstalled; then
+		log_fatal "OpenVPN is not installed. Run '$SCRIPT_NAME install' first."
+	fi
+}
+
+# Require OpenVPN to NOT be installed
+requireNoOpenVPN() {
+	if isOpenVPNInstalled; then
+		log_fatal "OpenVPN is already installed. Use '$SCRIPT_NAME client' to manage clients or '$SCRIPT_NAME uninstall' to remove."
+	fi
+}
+
+# Parse DNS provider string to DNS number
+parse_dns_provider() {
+	case "$1" in
+	system | unbound | cloudflare | quad9 | quad9-uncensored | fdn | dnswatch | opendns | google | yandex | adguard | nextdns | custom)
+		DNS="$1"
+		;;
+	*) log_fatal "Invalid DNS provider: $1. See '$SCRIPT_NAME install --help' for valid providers." ;;
+	esac
+}
+
+# Parse cipher string
+parse_cipher() {
+	case "$1" in
+	AES-128-GCM | AES-192-GCM | AES-256-GCM | AES-128-CBC | AES-192-CBC | AES-256-CBC | CHACHA20-POLY1305)
+		CIPHER="$1"
+		;;
+	*) log_fatal "Invalid cipher: $1. See '$SCRIPT_NAME install --help' for valid ciphers." ;;
+	esac
+}
+
+# Parse curve string
+parse_curve() {
+	case "$1" in
+	prime256v1 | secp384r1 | secp521r1) echo "$1" ;;
+	*) log_fatal "Invalid curve: $1. Valid curves: prime256v1, secp384r1, secp521r1" ;;
+	esac
+}
+
+# =============================================================================
+# Configuration Constants
+# =============================================================================
+# Protocol options
+readonly PROTOCOLS=("udp" "tcp")
+
+# DNS providers (use string names)
+readonly DNS_PROVIDERS=("system" "unbound" "cloudflare" "quad9" "quad9-uncensored" "fdn" "dnswatch" "opendns" "google" "yandex" "adguard" "nextdns" "custom")
+
+# Cipher options
+readonly CIPHERS=("AES-128-GCM" "AES-192-GCM" "AES-256-GCM" "AES-128-CBC" "AES-192-CBC" "AES-256-CBC" "CHACHA20-POLY1305")
+
+# Certificate types (use strings)
+readonly CERT_TYPES=("ecdsa" "rsa")
+
+# ECDSA curves
+readonly CERT_CURVES=("prime256v1" "secp384r1" "secp521r1")
+
+# RSA key sizes
+readonly RSA_KEY_SIZES=("2048" "3072" "4096")
+
+# TLS versions
+readonly TLS_VERSIONS=("1.2" "1.3")
+
+# TLS signature modes (use strings)
+readonly TLS_SIG_MODES=("crypt-v2" "crypt" "auth")
+
+# Authentication modes: pki (CA-based) or fingerprint (peer-fingerprint, OpenVPN 2.6+)
+readonly AUTH_MODES=("pki" "fingerprint")
+
+# HMAC algorithms
+readonly HMAC_ALGS=("SHA256" "SHA384" "SHA512")
+
+# TLS 1.3 cipher suite options
+readonly TLS13_OPTIONS=("all" "aes-256-only" "aes-128-only" "chacha20-only")
+
+# TLS groups options
+readonly TLS_GROUPS_OPTIONS=("all" "x25519-only" "nist-only")
+
+# =============================================================================
+# Set Installation Defaults
+# =============================================================================
+# Centralized function to set all defaults - called before configuration
+set_installation_defaults() {
+	# Network
+	ENDPOINT_TYPE="${ENDPOINT_TYPE:-4}"
+	CLIENT_IPV4="${CLIENT_IPV4:-y}"
+	CLIENT_IPV6="${CLIENT_IPV6:-n}"
+	VPN_SUBNET_IPV4="${VPN_SUBNET_IPV4:-10.8.0.0}"
+	VPN_SUBNET_IPV6="${VPN_SUBNET_IPV6:-fd42:42:42:42::}"
+	PORT="${PORT:-1194}"
+	PROTOCOL="${PROTOCOL:-udp}"
+
+	# DNS (use string name)
+	DNS="${DNS:-cloudflare}"
+
+	# Multi-client
+	MULTI_CLIENT="${MULTI_CLIENT:-n}"
+
+	# Encryption
+	CIPHER="${CIPHER:-AES-128-GCM}"
+	CERT_TYPE="${CERT_TYPE:-ecdsa}"
+	CERT_CURVE="${CERT_CURVE:-prime256v1}"
+	RSA_KEY_SIZE="${RSA_KEY_SIZE:-2048}"
+	TLS_VERSION_MIN="${TLS_VERSION_MIN:-1.2}"
+	TLS13_CIPHERSUITES="${TLS13_CIPHERSUITES:-TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256}"
+	TLS_GROUPS="${TLS_GROUPS:-X25519:prime256v1:secp384r1:secp521r1}"
+	HMAC_ALG="${HMAC_ALG:-SHA256}"
+	TLS_SIG="${TLS_SIG:-crypt-v2}"
+	AUTH_MODE="${AUTH_MODE:-pki}"
+
+	# Derive CC_CIPHER from CERT_TYPE if not set
+	if [[ -z $CC_CIPHER ]]; then
+		if [[ $CERT_TYPE == "ecdsa" ]]; then
+			CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
+		else
+			CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
+		fi
+	fi
+
+	# Client
+	CLIENT="${CLIENT:-client}"
+	PASS="${PASS:-1}"
+	CLIENT_CERT_DURATION_DAYS="${CLIENT_CERT_DURATION_DAYS:-$DEFAULT_CERT_VALIDITY_DURATION_DAYS}"
+	SERVER_CERT_DURATION_DAYS="${SERVER_CERT_DURATION_DAYS:-$DEFAULT_CERT_VALIDITY_DURATION_DAYS}"
+
+	# Note: Gateway values (VPN_GATEWAY_IPV4, VPN_GATEWAY_IPV6) and IPV6_SUPPORT
+	# are computed in prepare_network_config() which is called after validation
+}
+
+# Version comparison: returns 0 if version1 >= version2
+version_ge() {
+	local ver1="$1" ver2="$2"
+	# Use sort -V for version comparison
+	[[ "$(printf '%s\n%s' "$ver1" "$ver2" | sort -V | head -n1)" == "$ver2" ]]
+}
+
+# Get installed OpenVPN version (e.g., "2.6.12")
+get_openvpn_version() {
+	openvpn --version 2>/dev/null | head -1 | awk '{print $2}'
+}
+
+# Validation functions
+validate_port() {
+	local port="$1"
+	if ! [[ "$port" =~ ^[0-9]+$ ]] || [[ "$port" -lt 1 ]] || [[ "$port" -gt 65535 ]]; then
+		log_fatal "Invalid port: $port. Must be a number between 1 and 65535."
+	fi
+}
+
+validate_subnet_ipv4() {
+	local subnet="$1"
+	# Check format: x.x.x.0 where x is 0-255
+	if ! [[ "$subnet" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.0$ ]]; then
+		log_fatal "Invalid IPv4 subnet: $subnet. Must be in format x.x.x.0 (e.g., 10.8.0.0)"
+	fi
+	local octet1="${BASH_REMATCH[1]}"
+	local octet2="${BASH_REMATCH[2]}"
+	local octet3="${BASH_REMATCH[3]}"
+	# Validate each octet is 0-255
+	if [[ "$octet1" -gt 255 ]] || [[ "$octet2" -gt 255 ]] || [[ "$octet3" -gt 255 ]]; then
+		log_fatal "Invalid IPv4 subnet: $subnet. Octets must be 0-255."
+	fi
+	# Check for RFC1918 private address ranges
+	if ! { [[ "$octet1" -eq 10 ]] ||
+		[[ "$octet1" -eq 172 && "$octet2" -ge 16 && "$octet2" -le 31 ]] ||
+		[[ "$octet1" -eq 192 && "$octet2" -eq 168 ]]; }; then
+		log_fatal "Invalid IPv4 subnet: $subnet. Must be a private network (10.x.x.0, 172.16-31.x.0, or 192.168.x.0)."
+	fi
+}
+
+validate_subnet_ipv6() {
+	local subnet="$1"
+	# Accept format: IPv6 address ending with :: (prefix only, no CIDR notation here)
+	# We expect formats like: fd42:42:42:42:: or fdxx:xxxx:xxxx:xxxx::
+	# The script will append /112 for the server directive
+
+	# IPv6 ULA validation (fd00::/8 range with at least /48 prefix)
+	# ULA format: fdxx:xxxx:xxxx:: or fdxx:xxxx:xxxx:xxxx:: where x is hex
+	if ! [[ "$subnet" =~ ^fd[0-9a-fA-F]{2}(:[0-9a-fA-F]{1,4}){2,5}::$ ]]; then
+		log_fatal "Invalid IPv6 subnet: $subnet. Must be a ULA address with at least a /48 prefix, ending with :: (e.g., fd42:42:42::)"
+	fi
+}
+
+validate_positive_int() {
+	local value="$1"
+	local name="$2"
+	if ! [[ "$value" =~ ^[0-9]+$ ]] || [[ "$value" -lt 1 ]]; then
+		log_fatal "Invalid $name: $value. Must be a positive integer."
+	fi
+}
+
+validate_mtu() {
+	local mtu="$1"
+	if ! [[ "$mtu" =~ ^[0-9]+$ ]] || [[ "$mtu" -lt 576 ]] || [[ "$mtu" -gt 65535 ]]; then
+		log_fatal "Invalid MTU: $mtu. Must be between 576 and 65535."
+	fi
+}
+
+# Maximum length for client names (OpenSSL CN limit)
+readonly MAX_CLIENT_NAME_LENGTH=64
+
+# Check if client name is valid (non-fatal, returns true/false)
+is_valid_client_name() {
+	local name="$1"
+	[[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]] && [[ ${#name} -le $MAX_CLIENT_NAME_LENGTH ]]
+}
+
+# Validate client name and exit with error if invalid
+validate_client_name() {
+	local name="$1"
+	if [[ -z "$name" ]]; then
+		log_fatal "Client name cannot be empty."
+	fi
+	if ! [[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+		log_fatal "Invalid client name: $name. Only alphanumeric characters, underscores, and hyphens are allowed."
+	fi
+	if [[ ${#name} -gt $MAX_CLIENT_NAME_LENGTH ]]; then
+		log_fatal "Client name too long: ${#name} characters. Maximum is $MAX_CLIENT_NAME_LENGTH characters (OpenSSL CN limit)."
+	fi
+}
+
+# Validate all configuration values (catches invalid env vars in non-interactive mode)
+validate_configuration() {
+	# Validate PROTOCOL
+	case "$PROTOCOL" in
+	udp | tcp) ;;
+	*) log_fatal "Invalid protocol: $PROTOCOL. Must be 'udp' or 'tcp'." ;;
+	esac
+
+	# Validate DNS
+	case "$DNS" in
+	system | unbound | cloudflare | quad9 | quad9-uncensored | fdn | dnswatch | opendns | google | yandex | adguard | nextdns | custom) ;;
+	*) log_fatal "Invalid DNS provider: $DNS. Valid providers: system, unbound, cloudflare, quad9, quad9-uncensored, fdn, dnswatch, opendns, google, yandex, adguard, nextdns, custom" ;;
+	esac
+
+	# Validate CERT_TYPE
+	case "$CERT_TYPE" in
+	ecdsa | rsa) ;;
+	*) log_fatal "Invalid cert type: $CERT_TYPE. Must be 'ecdsa' or 'rsa'." ;;
+	esac
+
+	# Validate TLS_SIG
+	case "$TLS_SIG" in
+	crypt-v2 | crypt | auth) ;;
+	*) log_fatal "Invalid TLS signature mode: $TLS_SIG. Must be 'crypt-v2', 'crypt', or 'auth'." ;;
+	esac
+
+	# Validate AUTH_MODE
+	case "$AUTH_MODE" in
+	pki | fingerprint) ;;
+	*) log_fatal "Invalid auth mode: $AUTH_MODE. Must be 'pki' or 'fingerprint'." ;;
+	esac
+
+	# Fingerprint mode requires OpenVPN 2.6+
+	if [[ $AUTH_MODE == "fingerprint" ]]; then
+		local openvpn_ver
+		openvpn_ver=$(get_openvpn_version)
+		if [[ -n "$openvpn_ver" ]] && ! version_ge "$openvpn_ver" "2.6.0"; then
+			log_fatal "Fingerprint mode requires OpenVPN 2.6.0 or later. Installed version: $openvpn_ver"
+		fi
+	fi
+
+	# Validate PORT
+	if ! [[ "$PORT" =~ ^[0-9]+$ ]] || [[ "$PORT" -lt 1 ]] || [[ "$PORT" -gt 65535 ]]; then
+		log_fatal "Invalid port: $PORT. Must be a number between 1 and 65535."
+	fi
+
+	# Validate CLIENT_IPV4/CLIENT_IPV6
+	if [[ $CLIENT_IPV4 != "y" ]] && [[ $CLIENT_IPV6 != "y" ]]; then
+		log_fatal "At least one of CLIENT_IPV4 or CLIENT_IPV6 must be 'y'"
+	fi
+
+	# Validate ENDPOINT_TYPE
+	case "$ENDPOINT_TYPE" in
+	4 | 6) ;;
+	*) log_fatal "Invalid endpoint type: $ENDPOINT_TYPE. Must be '4' or '6'." ;;
+	esac
+
+	# Validate CIPHER
+	case "$CIPHER" in
+	AES-128-GCM | AES-192-GCM | AES-256-GCM | AES-128-CBC | AES-192-CBC | AES-256-CBC | CHACHA20-POLY1305) ;;
+	*) log_fatal "Invalid cipher: $CIPHER. Valid ciphers: AES-128-GCM, AES-192-GCM, AES-256-GCM, AES-128-CBC, AES-192-CBC, AES-256-CBC, CHACHA20-POLY1305" ;;
+	esac
+
+	# Validate CERT_CURVE (only if ECDSA)
+	if [[ $CERT_TYPE == "ecdsa" ]]; then
+		case "$CERT_CURVE" in
+		prime256v1 | secp384r1 | secp521r1) ;;
+		*) log_fatal "Invalid cert curve: $CERT_CURVE. Must be 'prime256v1', 'secp384r1', or 'secp521r1'." ;;
+		esac
+	fi
+
+	# Validate RSA_KEY_SIZE (only if RSA)
+	if [[ $CERT_TYPE == "rsa" ]]; then
+		case "$RSA_KEY_SIZE" in
+		2048 | 3072 | 4096) ;;
+		*) log_fatal "Invalid RSA key size: $RSA_KEY_SIZE. Must be 2048, 3072, or 4096." ;;
+		esac
+	fi
+
+	# Validate TLS_VERSION_MIN
+	case "$TLS_VERSION_MIN" in
+	1.2 | 1.3) ;;
+	*) log_fatal "Invalid TLS version: $TLS_VERSION_MIN. Must be '1.2' or '1.3'." ;;
+	esac
+
+	# Validate HMAC_ALG
+	case "$HMAC_ALG" in
+	SHA256 | SHA384 | SHA512) ;;
+	*) log_fatal "Invalid HMAC algorithm: $HMAC_ALG. Must be SHA256, SHA384, or SHA512." ;;
+	esac
+
+	# Validate MTU if set
+	if [[ -n $MTU ]]; then
+		if ! [[ "$MTU" =~ ^[0-9]+$ ]] || [[ "$MTU" -lt 576 ]] || [[ "$MTU" -gt 65535 ]]; then
+			log_fatal "Invalid MTU: $MTU. Must be a number between 576 and 65535."
+		fi
+	fi
+
+	# Validate custom DNS if selected
+	if [[ $DNS == "custom" ]] && [[ -z $DNS1 ]]; then
+		log_fatal "Custom DNS selected but DNS1 (primary DNS) is not set. Use --dns-primary to specify."
+	fi
+
+	# Validate VPN subnets using the dedicated validation functions
+	# These check format, octet ranges, and RFC1918/ULA compliance
+	if [[ -n $VPN_SUBNET_IPV4 ]]; then
+		validate_subnet_ipv4 "$VPN_SUBNET_IPV4"
+	fi
+
+	if [[ $CLIENT_IPV6 == "y" ]] && [[ -n $VPN_SUBNET_IPV6 ]]; then
+		validate_subnet_ipv6 "$VPN_SUBNET_IPV6"
+	fi
+}
+
+# =============================================================================
+# Interactive Helper Functions
+# =============================================================================
+# Generic select-from-menu function for arrays
+# Usage: select_from_array "prompt" array_name "default_value" result_var
+# Note: Uses namerefs (-n) for arrays
+select_from_array() {
+	local prompt="$1"
+	local -n _options_ref="$2"
+	local default="$3"
+	local -n _result_ref="$4"
+
+	# If already set (non-interactive mode), just return
+	if [[ -n $_result_ref ]]; then
+		return
+	fi
+
+	# Find default index (1-based for display)
+	local default_idx=1
+	for i in "${!_options_ref[@]}"; do
+		if [[ "${_options_ref[$i]}" == "$default" ]]; then
+			default_idx=$((i + 1))
+			break
+		fi
+	done
+
+	# Display menu
+	local count=${#_options_ref[@]}
+	for i in "${!_options_ref[@]}"; do
+		log_menu "   $((i + 1))) ${_options_ref[$i]}"
+	done
+
+	# Read selection
+	local choice
+	until [[ $choice =~ ^[0-9]+$ ]] && ((choice >= 1 && choice <= count)); do
+		read -rp "$prompt [1-$count]: " -e -i "$default_idx" choice
+	done
+
+	_result_ref="${_options_ref[$((choice - 1))]}"
+}
+
+# Select with custom labels (for menu items that need different display text)
+# Usage: select_with_labels "prompt" labels_array values_array "default_value" result_var
+select_with_labels() {
+	local prompt="$1"
+	local -n _labels_ref="$2"
+	local -n _values_ref="$3"
+	local default="$4"
+	local -n _result_ref="$5"
+
+	# If already set (non-interactive mode), just return
+	if [[ -n $_result_ref ]]; then
+		return
+	fi
+
+	# Find default index
+	local default_idx=1
+	for i in "${!_values_ref[@]}"; do
+		if [[ "${_values_ref[$i]}" == "$default" ]]; then
+			default_idx=$((i + 1))
+			break
+		fi
+	done
+
+	# Display menu
+	local count=${#_labels_ref[@]}
+	for i in "${!_labels_ref[@]}"; do
+		log_menu "   $((i + 1))) ${_labels_ref[$i]}"
+	done
+
+	# Read selection
+	local choice
+	until [[ $choice =~ ^[0-9]+$ ]] && ((choice >= 1 && choice <= count)); do
+		read -rp "$prompt [1-$count]: " -e -i "$default_idx" choice
+	done
+
+	_result_ref="${_values_ref[$((choice - 1))]}"
+}
+
+# Prompt for yes/no with default
+# Usage: prompt_yes_no "prompt" "default" result_var
+prompt_yes_no() {
+	local prompt="$1"
+	local default="$2"
+	local -n _result_ref="$3"
+
+	# If already set, just return
+	if [[ $_result_ref =~ ^[yn]$ ]]; then
+		return
+	fi
+
+	until [[ $_result_ref =~ ^[yn]$ ]]; do
+		read -rp "$prompt [y/n]: " -e -i "$default" _result_ref
+	done
+}
+
+# Prompt for a value with validation function
+# Usage: prompt_validated "prompt" "validator_func" "default" result_var
+# The validator should return 0 for valid, non-0 for invalid
+prompt_validated() {
+	local prompt="$1"
+	local validator="$2"
+	local default="$3"
+	local -n _result_ref="$4"
+
+	# If already set and valid, return
+	if [[ -n $_result_ref ]] && $validator "$_result_ref" 2>/dev/null; then
+		return
+	fi
+
+	_result_ref=""
+	until [[ -n $_result_ref ]] && $validator "$_result_ref" 2>/dev/null; do
+		read -rp "$prompt: " -e -i "$default" _result_ref
+	done
+}
+
+# Non-fatal port validator (returns 0/1)
+is_valid_port() {
+	local port="$1"
+	[[ "$port" =~ ^[0-9]+$ ]] && ((port >= 1 && port <= 65535))
+}
+
+# Non-fatal MTU validator (returns 0/1)
+is_valid_mtu() {
+	local mtu="$1"
+	[[ "$mtu" =~ ^[0-9]+$ ]] && ((mtu >= 576 && mtu <= 65535))
+}
+
+# Handle install command
+cmd_install() {
+	local interactive=false
+	local no_client=false
+	local client_password_flag=false
+	local client_password_value=""
+
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		-i | --interactive)
+			interactive=true
+			shift
+			;;
+		--endpoint)
+			[[ -z "${2:-}" ]] && log_fatal "--endpoint requires an argument"
+			ENDPOINT="$2"
+			shift 2
+			;;
+		--ip)
+			[[ -z "${2:-}" ]] && log_fatal "--ip requires an argument"
+			IP="$2"
+			APPROVE_IP=y
+			shift 2
+			;;
+		--endpoint-type)
+			[[ -z "${2:-}" ]] && log_fatal "--endpoint-type requires an argument"
+			case "$2" in
+			4) ENDPOINT_TYPE="4" ;;
+			6) ENDPOINT_TYPE="6" ;;
+			*) log_fatal "Invalid endpoint type: $2. Use '4' or '6'." ;;
+			esac
+			shift 2
+			;;
+		--client-ipv4)
+			CLIENT_IPV4=y
+			shift
+			;;
+		--no-client-ipv4)
+			CLIENT_IPV4=n
+			shift
+			;;
+		--client-ipv6)
+			CLIENT_IPV6=y
+			shift
+			;;
+		--no-client-ipv6)
+			CLIENT_IPV6=n
+			shift
+			;;
+		--ipv6)
+			# Legacy flag: enable IPv6 for clients (backward compatibility)
+			CLIENT_IPV6=y
+			shift
+			;;
+		--subnet-ipv4)
+			[[ -z "${2:-}" ]] && log_fatal "--subnet-ipv4 requires an argument"
+			validate_subnet_ipv4 "$2"
+			VPN_SUBNET_IPV4="$2"
+			shift 2
+			;;
+		--subnet-ipv6)
+			[[ -z "${2:-}" ]] && log_fatal "--subnet-ipv6 requires an argument"
+			validate_subnet_ipv6 "$2"
+			VPN_SUBNET_IPV6="$2"
+			shift 2
+			;;
+		--subnet)
+			# Legacy flag: --subnet now maps to --subnet-ipv4
+			[[ -z "${2:-}" ]] && log_fatal "--subnet requires an argument"
+			validate_subnet_ipv4 "$2"
+			VPN_SUBNET_IPV4="$2"
+			shift 2
+			;;
+		--port)
+			[[ -z "${2:-}" ]] && log_fatal "--port requires an argument"
+			validate_port "$2"
+			PORT="$2"
+			shift 2
+			;;
+		--port-random)
+			PORT="random"
+			shift
+			;;
+		--protocol)
+			[[ -z "${2:-}" ]] && log_fatal "--protocol requires an argument"
+			case "$2" in
+			udp | tcp)
+				PROTOCOL="$2"
+				;;
+			*) log_fatal "Invalid protocol: $2. Use 'udp' or 'tcp'." ;;
+			esac
+			shift 2
+			;;
+		--mtu)
+			[[ -z "${2:-}" ]] && log_fatal "--mtu requires an argument"
+			validate_mtu "$2"
+			MTU="$2"
+			shift 2
+			;;
+		--dns)
+			[[ -z "${2:-}" ]] && log_fatal "--dns requires an argument"
+			parse_dns_provider "$2"
+			shift 2
+			;;
+		--dns-primary)
+			[[ -z "${2:-}" ]] && log_fatal "--dns-primary requires an argument"
+			DNS1="$2"
+			shift 2
+			;;
+		--dns-secondary)
+			[[ -z "${2:-}" ]] && log_fatal "--dns-secondary requires an argument"
+			DNS2="$2"
+			shift 2
+			;;
+		--multi-client)
+			MULTI_CLIENT=y
+			shift
+			;;
+		--cipher)
+			[[ -z "${2:-}" ]] && log_fatal "--cipher requires an argument"
+			parse_cipher "$2"
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--cert-type)
+			[[ -z "${2:-}" ]] && log_fatal "--cert-type requires an argument"
+			case "$2" in
+			ecdsa | rsa) CERT_TYPE="$2" ;;
+			*) log_fatal "Invalid cert-type: $2. Use 'ecdsa' or 'rsa'." ;;
+			esac
+			shift 2
+			;;
+		--cert-curve)
+			[[ -z "${2:-}" ]] && log_fatal "--cert-curve requires an argument"
+			CERT_CURVE=$(parse_curve "$2")
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--rsa-bits)
+			[[ -z "${2:-}" ]] && log_fatal "--rsa-bits requires an argument"
+			case "$2" in
+			2048 | 3072 | 4096) RSA_KEY_SIZE="$2" ;;
+			*) log_fatal "Invalid RSA key size: $2. Use 2048, 3072, or 4096." ;;
+			esac
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--cc-cipher)
+			[[ -z "${2:-}" ]] && log_fatal "--cc-cipher requires an argument"
+			CC_CIPHER="$2"
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--tls-ciphersuites)
+			[[ -z "${2:-}" ]] && log_fatal "--tls-ciphersuites requires an argument"
+			TLS13_CIPHERSUITES="$2"
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--tls-version-min)
+			[[ -z "${2:-}" ]] && log_fatal "--tls-version-min requires an argument"
+			case "$2" in
+			1.2 | 1.3) TLS_VERSION_MIN="$2" ;;
+			*) log_fatal "Invalid TLS version: $2. Use '1.2' or '1.3'." ;;
+			esac
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--tls-groups)
+			[[ -z "${2:-}" ]] && log_fatal "--tls-groups requires an argument"
+			TLS_GROUPS="$2"
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--hmac)
+			[[ -z "${2:-}" ]] && log_fatal "--hmac requires an argument"
+			case "$2" in
+			SHA256 | SHA384 | SHA512) HMAC_ALG="$2" ;;
+			*) log_fatal "Invalid HMAC algorithm: $2. Use SHA256, SHA384, or SHA512." ;;
+			esac
+			CUSTOMIZE_ENC=y
+			shift 2
+			;;
+		--tls-sig)
+			[[ -z "${2:-}" ]] && log_fatal "--tls-sig requires an argument"
+			case "$2" in
+			crypt-v2 | crypt | auth) TLS_SIG="$2" ;;
+			*) log_fatal "Invalid TLS mode: $2. Use 'crypt-v2', 'crypt', or 'auth'." ;;
+			esac
+			shift 2
+			;;
+		--auth-mode)
+			[[ -z "${2:-}" ]] && log_fatal "--auth-mode requires an argument"
+			case "$2" in
+			pki | fingerprint) AUTH_MODE="$2" ;;
+			*) log_fatal "Invalid auth mode: $2. Use 'pki' or 'fingerprint'." ;;
+			esac
+			shift 2
+			;;
+		--server-cert-days)
+			[[ -z "${2:-}" ]] && log_fatal "--server-cert-days requires an argument"
+			validate_positive_int "$2" "server-cert-days"
+			SERVER_CERT_DURATION_DAYS="$2"
+			shift 2
+			;;
+		--client)
+			[[ -z "${2:-}" ]] && log_fatal "--client requires an argument"
+			validate_client_name "$2"
+			CLIENT="$2"
+			shift 2
+			;;
+		--client-password)
+			client_password_flag=true
+			# Check if next arg is a value or another flag
+			if [[ -n "${2:-}" ]] && [[ ! "$2" =~ ^- ]]; then
+				client_password_value="$2"
+				shift
+			fi
+			shift
+			;;
+		--client-cert-days)
+			[[ -z "${2:-}" ]] && log_fatal "--client-cert-days requires an argument"
+			validate_positive_int "$2" "client-cert-days"
+			CLIENT_CERT_DURATION_DAYS="$2"
+			shift 2
+			;;
+		--no-client)
+			no_client=true
+			shift
+			;;
+		-h | --help)
+			show_install_help
+			exit 0
+			;;
+		*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME install --help' for usage."
+			;;
+		esac
+	done
+
+	# Validate custom DNS settings
+	if [[ -n "${DNS1:-}" || -n "${DNS2:-}" ]] && [[ "${DNS:-}" != "custom" ]]; then
+		log_fatal "--dns-primary and --dns-secondary require --dns custom"
+	fi
+
+	# Check if already installed
+	requireNoOpenVPN
+
+	if [[ $interactive == true ]]; then
+		# Run interactive installer
+		installQuestions
+	else
+		# Non-interactive mode - set flags and defaults
+		NON_INTERACTIVE_INSTALL=y
+		APPROVE_INSTALL=y
+		APPROVE_IP=${APPROVE_IP:-y}
+		CONTINUE=y
+
+		# Handle random port
+		if [[ $PORT == "random" ]]; then
+			PORT=$(shuf -i 49152-65535 -n1)
+			log_info "Random Port: $PORT"
+		fi
+
+		# Client setup
+		if [[ $no_client == true ]]; then
+			NEW_CLIENT=n
+		else
+			NEW_CLIENT=y
+			if [[ $client_password_flag == true ]]; then
+				PASS=2
+				if [[ -n "$client_password_value" ]]; then
+					PASSPHRASE="$client_password_value"
+				fi
+			fi
+		fi
+
+		# Set all defaults for any unset values
+		set_installation_defaults
+
+		# Validate configuration values (catches invalid env vars)
+		validate_configuration
+
+		# Detect IPs and set up network config (interactive mode does this in installQuestions)
+		detect_server_ips
+	fi
+
+	# Prepare derived network configuration (gateways, etc.)
+	prepare_network_config
+
+	installOpenVPN
+}
+
+# Handle uninstall command
+cmd_uninstall() {
+	local force=false
+
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		-f | --force)
+			force=true
+			shift
+			;;
+		-h | --help)
+			show_uninstall_help
+			exit 0
+			;;
+		*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME uninstall --help' for usage."
+			;;
+		esac
+	done
+
+	requireOpenVPN
+
+	if [[ $force == true ]]; then
+		REMOVE=y
+	fi
+
+	removeOpenVPN
+}
+
+# Handle client command
+cmd_client() {
+	local subcmd="${1:-}"
+	shift || true
+
+	case "$subcmd" in
+	"" | "-h" | "--help")
+		show_client_help
+		exit 0
+		;;
+	add)
+		cmd_client_add "$@"
+		;;
+	list)
+		cmd_client_list "$@"
+		;;
+	revoke)
+		cmd_client_revoke "$@"
+		;;
+	renew)
+		cmd_client_renew "$@"
+		;;
+	*)
+		log_fatal "Unknown client subcommand: $subcmd. See '$SCRIPT_NAME client --help' for usage."
+		;;
+	esac
+}
+
+# Handle client add command
+cmd_client_add() {
+	local client_name=""
+	local password_flag=false
+	local password_value=""
+
+	# First non-flag argument is the client name
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		--password)
+			password_flag=true
+			# Check if next arg is a value or another flag
+			if [[ -n "${2:-}" ]] && [[ ! "$2" =~ ^- ]]; then
+				password_value="$2"
+				shift
+			fi
+			shift
+			;;
+		--cert-days)
+			[[ -z "${2:-}" ]] && log_fatal "--cert-days requires an argument"
+			validate_positive_int "$2" "cert-days"
+			CLIENT_CERT_DURATION_DAYS="$2"
+			shift 2
+			;;
+		--output)
+			[[ -z "${2:-}" ]] && log_fatal "--output requires an argument"
+			CLIENT_FILEPATH="$2"
+			shift 2
+			;;
+		-h | --help)
+			show_client_add_help
+			exit 0
+			;;
+		-*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME client add --help' for usage."
+			;;
+		*)
+			if [[ -z "$client_name" ]]; then
+				client_name="$1"
+			else
+				log_fatal "Unexpected argument: $1"
+			fi
+			shift
+			;;
+		esac
+	done
+
+	[[ -z "$client_name" ]] && log_fatal "Client name is required. See '$SCRIPT_NAME client add --help' for usage."
+	validate_client_name "$client_name"
+
+	requireOpenVPN
+
+	# Set up variables for newClient function
+	CLIENT="$client_name"
+	CLIENT_CERT_DURATION_DAYS=${CLIENT_CERT_DURATION_DAYS:-$DEFAULT_CERT_VALIDITY_DURATION_DAYS}
+
+	if [[ $password_flag == true ]]; then
+		PASS=2
+		if [[ -n "$password_value" ]]; then
+			PASSPHRASE="$password_value"
+		fi
+	else
+		PASS=1
+	fi
+
+	newClient
+	exit 0
+}
+
+# Handle client list command
+cmd_client_list() {
+	local format="table"
+
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		--format)
+			[[ -z "${2:-}" ]] && log_fatal "--format requires an argument"
+			case "$2" in
+			table | json) format="$2" ;;
+			*) log_fatal "Invalid format: $2. Use 'table' or 'json'." ;;
+			esac
+			shift 2
+			;;
+		-h | --help)
+			show_client_list_help
+			exit 0
+			;;
+		*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME client list --help' for usage."
+			;;
+		esac
+	done
+
+	requireOpenVPN
+
+	OUTPUT_FORMAT="$format" listClients
+}
+
+# Handle client revoke command
+cmd_client_revoke() {
+	local client_name=""
+	local force=false
+
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		-f | --force)
+			force=true
+			shift
+			;;
+		-h | --help)
+			show_client_revoke_help
+			exit 0
+			;;
+		-*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME client revoke --help' for usage."
+			;;
+		*)
+			if [[ -z "$client_name" ]]; then
+				client_name="$1"
+			else
+				log_fatal "Unexpected argument: $1"
+			fi
+			shift
+			;;
+		esac
+	done
+
+	[[ -z "$client_name" ]] && log_fatal "Client name is required. See '$SCRIPT_NAME client revoke --help' for usage."
+
+	requireOpenVPN
+
+	CLIENT="$client_name"
+	if [[ $force == true ]]; then
+		REVOKE_CONFIRM=y
+	fi
+
+	revokeClient
+}
+
+# Handle client renew command
+cmd_client_renew() {
+	local client_name=""
+
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		--cert-days)
+			[[ -z "${2:-}" ]] && log_fatal "--cert-days requires an argument"
+			validate_positive_int "$2" "cert-days"
+			CLIENT_CERT_DURATION_DAYS="$2"
+			shift 2
+			;;
+		-h | --help)
+			show_client_renew_help
+			exit 0
+			;;
+		-*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME client renew --help' for usage."
+			;;
+		*)
+			if [[ -z "$client_name" ]]; then
+				client_name="$1"
+			else
+				log_fatal "Unexpected argument: $1"
+			fi
+			shift
+			;;
+		esac
+	done
+
+	[[ -z "$client_name" ]] && log_fatal "Client name is required. See '$SCRIPT_NAME client renew --help' for usage."
+
+	requireOpenVPN
+
+	CLIENT="$client_name"
+	CLIENT_CERT_DURATION_DAYS=${CLIENT_CERT_DURATION_DAYS:-$DEFAULT_CERT_VALIDITY_DURATION_DAYS}
+
+	renewClient
+}
+
+# Handle server command
+cmd_server() {
+	local subcmd="${1:-}"
+	shift || true
+
+	case "$subcmd" in
+	"" | "-h" | "--help")
+		show_server_help
+		exit 0
+		;;
+	status)
+		cmd_server_status "$@"
+		;;
+	renew)
+		cmd_server_renew "$@"
+		;;
+	*)
+		log_fatal "Unknown server subcommand: $subcmd. See '$SCRIPT_NAME server --help' for usage."
+		;;
+	esac
+}
+
+# Handle server status command
+cmd_server_status() {
+	local format="table"
+
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		--format)
+			[[ -z "${2:-}" ]] && log_fatal "--format requires an argument"
+			case "$2" in
+			table | json) format="$2" ;;
+			*) log_fatal "Invalid format: $2. Use 'table' or 'json'." ;;
+			esac
+			shift 2
+			;;
+		-h | --help)
+			show_server_status_help
+			exit 0
+			;;
+		*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME server status --help' for usage."
+			;;
+		esac
+	done
+
+	requireOpenVPN
+
+	OUTPUT_FORMAT="$format" listConnectedClients
+}
+
+# Handle server renew command
+cmd_server_renew() {
+	local force=false
+
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		--cert-days)
+			[[ -z "${2:-}" ]] && log_fatal "--cert-days requires an argument"
+			validate_positive_int "$2" "cert-days"
+			SERVER_CERT_DURATION_DAYS="$2"
+			shift 2
+			;;
+		-f | --force)
+			force=true
+			shift
+			;;
+		-h | --help)
+			show_server_renew_help
+			exit 0
+			;;
+		*)
+			log_fatal "Unknown option: $1. See '$SCRIPT_NAME server renew --help' for usage."
+			;;
+		esac
+	done
+
+	requireOpenVPN
+
+	SERVER_CERT_DURATION_DAYS=${SERVER_CERT_DURATION_DAYS:-$DEFAULT_CERT_VALIDITY_DURATION_DAYS}
+	if [[ $force == true ]]; then
+		CONTINUE=y
+	fi
+
+	renewServer
+}
+
+# Handle interactive command (legacy menu)
+cmd_interactive() {
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		-h | --help)
+			echo "Launch interactive menu for OpenVPN management"
+			echo ""
+			echo "Usage: $SCRIPT_NAME interactive"
+			exit 0
+			;;
+		*)
+			log_fatal "Unknown option: $1"
+			;;
+		esac
+	done
+
+	if isOpenVPNInstalled; then
+		manageMenu
+	else
+		installQuestions
+		installOpenVPN
+	fi
+}
+
+# Main argument parser
+parse_args() {
+	# Parse global options first
+	while [[ $# -gt 0 ]]; do
+		case "$1" in
+		--verbose)
+			VERBOSE=1
+			shift
+			;;
+		--log)
+			[[ -z "${2:-}" ]] && log_fatal "--log requires an argument"
+			LOG_FILE="$2"
+			shift 2
+			;;
+		--no-log)
+			LOG_FILE=""
+			shift
+			;;
+		--no-color)
+			# Colors already set at script start, but we can unset them
+			COLOR_RESET=''
+			COLOR_RED=''
+			COLOR_GREEN=''
+			COLOR_YELLOW=''
+			COLOR_BLUE=''
+			COLOR_CYAN=''
+			COLOR_DIM=''
+			COLOR_BOLD=''
+			shift
+			;;
+		-h | --help)
+			show_help
+			exit 0
+			;;
+		-*)
+			# Could be a command-specific option, let command handle it
+			break
+			;;
+		*)
+			# First non-option is the command
+			break
+			;;
+		esac
+	done
+
+	# Get the command
+	local cmd="${1:-}"
+	shift || true
+
+	# Check if user just wants help (don't require root for help)
+	# Also detect --format json early to suppress log output before initialCheck
+	local wants_help=false
+	local prev_arg=""
+	for arg in "$@"; do
+		if [[ "$arg" == "-h" || "$arg" == "--help" ]]; then
+			wants_help=true
+		fi
+		if [[ "$prev_arg" == "--format" && "$arg" == "json" ]]; then
+			OUTPUT_FORMAT="json"
+		fi
+		prev_arg="$arg"
+	done
+
+	# Dispatch to command handler
+	case "$cmd" in
+	"")
+		show_help
+		exit 0
+		;;
+	install)
+		[[ $wants_help == false ]] && initialCheck
+		cmd_install "$@"
+		;;
+	uninstall)
+		[[ $wants_help == false ]] && initialCheck
+		cmd_uninstall "$@"
+		;;
+	client)
+		[[ $wants_help == false ]] && initialCheck
+		cmd_client "$@"
+		;;
+	server)
+		[[ $wants_help == false ]] && initialCheck
+		cmd_server "$@"
+		;;
+	i)
+		[[ $wants_help == false ]] && initialCheck
+		cmd_interactive "$@"
+		;;
+	*)
+		log_fatal "Unknown command: $cmd. See '$SCRIPT_NAME --help' for usage."
+		;;
+	esac
+}
+
+# =============================================================================
+# System Check Functions
+# =============================================================================
+function isRoot() {
+	if [ "$EUID" -ne 0 ]; then
+		return 1
+	fi
+}
+
+function tunAvailable() {
+	if [ ! -e /dev/net/tun ]; then
+		return 1
+	fi
+}
+
+function checkOS() {
+	if [[ -e /etc/debian_version ]]; then
+		OS="debian"
+		source /etc/os-release
+
+		if [[ $ID == "debian" || $ID == "raspbian" ]]; then
+			if [[ $VERSION_ID -lt 11 ]]; then
+				log_warn "Your version of Debian is not supported."
+				log_info "However, if you're using Debian >= 11 or unstable/testing, you can continue at your own risk."
+				until [[ $CONTINUE =~ (y|n) ]]; do
+					read -rp "Continue? [y/n]: " -e CONTINUE
+				done
+				if [[ $CONTINUE == "n" ]]; then
+					exit 1
+				fi
+			fi
+		elif [[ $ID == "ubuntu" ]]; then
+			OS="ubuntu"
+			MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
+			if [[ $MAJOR_UBUNTU_VERSION -lt 18 ]]; then
+				log_warn "Your version of Ubuntu is not supported."
+				log_info "However, if you're using Ubuntu >= 18.04 or beta, you can continue at your own risk."
+				until [[ $CONTINUE =~ (y|n) ]]; do
+					read -rp "Continue? [y/n]: " -e CONTINUE
+				done
+				if [[ $CONTINUE == "n" ]]; then
+					exit 1
+				fi
+			fi
+		fi
+	elif [[ -e /etc/os-release ]]; then
+		source /etc/os-release
+		if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then
+			OS="fedora"
+		fi
+		if [[ $ID == "opensuse-tumbleweed" ]]; then
+			OS="opensuse"
+		fi
+		if [[ $ID == "opensuse-leap" ]]; then
+			OS="opensuse"
+			if [[ ${VERSION_ID%.*} -lt 16 ]]; then
+				log_info "The script only supports openSUSE Leap 16+."
+				log_fatal "Your version of openSUSE Leap is not supported."
+			fi
+		fi
+		if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then
+			OS="centos"
+		fi
+		if [[ $ID == "ol" ]]; then
+			OS="oracle"
+		fi
+		if [[ $OS =~ (centos|oracle) ]] && [[ ${VERSION_ID%.*} -lt 8 ]]; then
+			log_info "The script only supports CentOS Stream / Rocky Linux / AlmaLinux / Oracle Linux version 8+."
+			log_fatal "Your version is not supported."
+		fi
+		if [[ $ID == "amzn" ]]; then
+			if [[ "$PRETTY_NAME" =~ ^Amazon\ Linux\ 2023\.([0-9]+) ]] && [[ "${BASH_REMATCH[1]}" -ge 6 ]]; then
+				OS="amzn2023"
+			else
+				log_info "The script only supports Amazon Linux 2023.6+"
+				log_info "Amazon Linux 2 is EOL and no longer supported."
+				log_fatal "Your version of Amazon Linux is not supported."
+			fi
+		fi
+		if [[ $ID == "arch" ]]; then
+			OS="arch"
+		fi
+	elif [[ -e /etc/arch-release ]]; then
+		OS=arch
+	else
+		log_fatal "It looks like you aren't running this installer on a Debian, Ubuntu, Fedora, openSUSE, CentOS, Amazon Linux 2023, Oracle Linux, Arch Linux, Rocky Linux or AlmaLinux system."
+	fi
+}
+
+function checkArchPendingKernelUpgrade() {
+	if [[ $OS != "arch" ]]; then
+		return 0
+	fi
+
+	# Check if running kernel's modules are available
+	# (detects if kernel was upgraded but system not rebooted)
+	# Skip this check in containers - they share host kernel but have their own /lib/modules
+	if [[ -f /.dockerenv ]] || grep -qE '(docker|lxc|containerd)' /proc/1/cgroup 2>/dev/null; then
+		log_info "Running in container, skipping kernel modules check"
+	else
+		local running_kernel
+		running_kernel=$(uname -r)
+		if [[ ! -d "/lib/modules/${running_kernel}" ]]; then
+			log_error "Kernel modules for running kernel ($running_kernel) not found!"
+			log_info "This usually means the kernel was upgraded but the system wasn't rebooted."
+			log_fatal "Please reboot your system and run this script again."
+		fi
+	fi
+
+	log_info "Checking for pending kernel upgrades on Arch Linux..."
+
+	# Sync package database to check for updates
+	if ! pacman -Sy &>/dev/null; then
+		log_warn "Failed to sync package database, skipping kernel upgrade check"
+		return 0
+	fi
+
+	# Check for pending linux kernel upgrades
+	local pending_kernels
+	pending_kernels=$(pacman -Qu 2>/dev/null | grep -E '^linux' || true)
+
+	if [[ -n "$pending_kernels" ]]; then
+		log_warn "Linux kernel upgrade(s) pending:"
+		echo "$pending_kernels" | while read -r line; do
+			log_info "  $line"
+		done
+		echo ""
+		log_info "This script uses 'pacman -Syu' which will upgrade your kernel."
+		log_info "After a kernel upgrade, the TUN module won't be available until you reboot."
+		echo ""
+		log_info "Please upgrade your system and reboot first:"
+		log_info "  sudo pacman -Syu"
+		log_info "  sudo reboot"
+		echo ""
+		log_fatal "Aborting. Run this script again after upgrading and rebooting."
+	fi
+
+	log_success "No pending kernel upgrades"
+}
+
+function initialCheck() {
+	log_debug "Checking root privileges..."
+	if ! isRoot; then
+		log_fatal "Sorry, you need to run this script as root."
+	fi
+	log_debug "Root check passed"
+
+	log_debug "Checking TUN device availability..."
+	if ! tunAvailable; then
+		log_fatal "TUN is not available."
+	fi
+	log_debug "TUN device available at /dev/net/tun"
+
+	log_debug "Detecting operating system..."
+	checkOS
+	log_debug "Detected OS: $OS (${PRETTY_NAME:-unknown})"
+	#checkArchPendingKernelUpgrade
+}
+
+# Check if OpenVPN version is at least the specified version
+# Usage: openvpnVersionAtLeast "2.5"
+# Returns 0 if version is >= specified, 1 otherwise
+function openvpnVersionAtLeast() {
+	local required_version="$1"
+	local installed_version
+
+	if ! command -v openvpn &>/dev/null; then
+		return 1
+	fi
+
+	installed_version=$(openvpn --version 2>/dev/null | head -1 | awk '{print $2}')
+	if [[ -z "$installed_version" ]]; then
+		return 1
+	fi
+
+	# Compare versions using sort -V
+	if [[ "$(printf '%s\n' "$required_version" "$installed_version" | sort -V | head -n1)" == "$required_version" ]]; then
+		return 0
+	fi
+	return 1
+}
+
+# Check if kernel version is at least the specified version
+# Usage: kernelVersionAtLeast "6.16"
+# Returns 0 if version is >= specified, 1 otherwise
+function kernelVersionAtLeast() {
+	local required_version="$1"
+	local kernel_version
+
+	kernel_version=$(uname -r | cut -d'-' -f1)
+	if [[ -z "$kernel_version" ]]; then
+		return 1
+	fi
+
+	if [[ "$(printf '%s\n' "$required_version" "$kernel_version" | sort -V | head -n1)" == "$required_version" ]]; then
+		return 0
+	fi
+	return 1
+}
+
+# Check if Data Channel Offload (DCO) is available
+# DCO requires: OpenVPN 2.6+, kernel support (Linux 6.16+ or ovpn-dco module)
+# Returns 0 if DCO is available, 1 otherwise
+function isDCOAvailable() {
+	# DCO requires OpenVPN 2.6+
+	if ! openvpnVersionAtLeast "2.6"; then
+		return 1
+	fi
+
+	# DCO is built into Linux 6.16+, or available via ovpn-dco module
+	if kernelVersionAtLeast "6.16"; then
+		return 0
+	elif lsmod 2>/dev/null | grep -q "^ovpn_dco" || modinfo ovpn-dco &>/dev/null; then
+		return 0
+	fi
+	return 1
+}
+
+function installOpenVPNRepo() {
+	log_info "Setting up official OpenVPN repository..."
+
+	if [[ $OS =~ (debian|ubuntu) ]]; then
+		run_cmd_fatal "Update package lists" apt-get update
+		run_cmd_fatal "Installing prerequisites" apt-get install -y ca-certificates curl
+
+		# Create keyrings directory
+		run_cmd "Creating keyrings directory" mkdir -p /etc/apt/keyrings
+
+		# Download and install GPG key
+		if ! run_cmd "Downloading OpenVPN GPG key" curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg -o /etc/apt/keyrings/openvpn-repo-public.asc; then
+			log_fatal "Failed to download OpenVPN repository GPG key"
+		fi
+
+		# Add repository - using stable release
+		if [[ -z "${VERSION_CODENAME}" ]]; then
+			log_fatal "VERSION_CODENAME is not set. Unable to configure OpenVPN repository."
+		fi
+		echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/openvpn-repo-public.asc] https://build.openvpn.net/debian/openvpn/stable ${VERSION_CODENAME} main" >/etc/apt/sources.list.d/openvpn-aptrepo.list
+
+		log_info "Updating package lists with new repository..."
+		run_cmd_fatal "Update package lists" apt-get update
+
+		log_info "OpenVPN official repository configured"
+
+	elif [[ $OS =~ (centos|oracle) ]]; then
+		# For RHEL-based systems, use Fedora Copr (OpenVPN 2.6 stable)
+		# EPEL is required for pkcs11-helper dependency
+		log_info "Configuring OpenVPN Copr repository for RHEL-based system..."
+
+		# Oracle Linux uses oracle-epel-release-el* instead of epel-release
+		if [[ $OS == "oracle" ]]; then
+			EPEL_PACKAGE="oracle-epel-release-el${VERSION_ID%.*}"
+		else
+			EPEL_PACKAGE="epel-release"
+		fi
+
+		if ! command -v dnf &>/dev/null; then
+			run_cmd_fatal "Installing EPEL repository" yum install -y "$EPEL_PACKAGE"
+			run_cmd_fatal "Installing yum-plugin-copr" yum install -y yum-plugin-copr
+			run_cmd_fatal "Enabling OpenVPN Copr repo" yum copr enable -y @OpenVPN/openvpn-release-2.6
+		else
+			run_cmd_fatal "Installing EPEL repository" dnf install -y "$EPEL_PACKAGE"
+			run_cmd_fatal "Installing dnf-plugins-core" dnf install -y dnf-plugins-core
+			run_cmd_fatal "Enabling OpenVPN Copr repo" dnf copr enable -y @OpenVPN/openvpn-release-2.6
+		fi
+
+		log_info "OpenVPN Copr repository configured"
+
+	elif [[ $OS == "fedora" ]]; then
+		# Fedora already ships with recent OpenVPN 2.6.x, no Copr needed
+		log_info "Fedora already has recent OpenVPN packages, using distribution version"
+
+	else
+		log_info "No official OpenVPN repository available for this OS, using distribution packages"
+	fi
+}
+
+function installUnbound() {
+	log_info "Installing Unbound DNS resolver..."
+
+	# Install Unbound if not present
+	if [[ ! -e /etc/unbound/unbound.conf ]]; then
+		if [[ $OS =~ (debian|ubuntu) ]]; then
+			run_cmd_fatal "Installing Unbound" apt-get install -y unbound
+		elif [[ $OS =~ (centos|oracle) ]]; then
+			run_cmd_fatal "Installing Unbound" yum install -y unbound
+		elif [[ $OS =~ (fedora|amzn2023) ]]; then
+			run_cmd_fatal "Installing Unbound" dnf install -y unbound
+		elif [[ $OS == "opensuse" ]]; then
+			run_cmd_fatal "Installing Unbound" zypper install -y unbound
+		elif [[ $OS == "arch" ]]; then
+			run_cmd_fatal "Installing Unbound" pacman -Syu --noconfirm unbound
+		fi
+	fi
+
+	# Configure Unbound for OpenVPN (runs whether freshly installed or pre-existing)
+	# Create conf.d directory (works on all distros)
+	run_cmd "Creating Unbound config directory" mkdir -p /etc/unbound/unbound.conf.d
+
+	# Ensure main config includes conf.d directory
+	# Modern Debian/Ubuntu use include-toplevel, others need include directive
+	if ! grep -qE "include(-toplevel)?:\s*.*/etc/unbound/unbound.conf.d" /etc/unbound/unbound.conf 2>/dev/null; then
+		# Add include directive for conf.d if not present
+		echo 'include: "/etc/unbound/unbound.conf.d/*.conf"' >>/etc/unbound/unbound.conf
+	fi
+
+	# Generate OpenVPN-specific Unbound configuration
+	# Using consistent best-practice settings across all distros
+	{
+		echo 'server:'
+		echo '    # OpenVPN DNS resolver configuration'
+
+		# IPv4 VPN interface (only if clients get IPv4)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo "    interface: $VPN_GATEWAY_IPV4"
+			echo "    access-control: $VPN_SUBNET_IPV4/24 allow"
+		fi
+
+		# IPv6 VPN interface (only if clients get IPv6)
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo "    interface: $VPN_GATEWAY_IPV6"
+			echo "    access-control: ${VPN_SUBNET_IPV6}/112 allow"
+		fi
+
+		echo ''
+		echo '    # Security hardening'
+		echo '    hide-identity: yes'
+		echo '    hide-version: yes'
+		echo '    harden-glue: yes'
+		echo '    harden-dnssec-stripped: yes'
+		echo ''
+		echo '    # Performance optimizations'
+		echo '    prefetch: yes'
+		echo '    use-caps-for-id: yes'
+		echo '    qname-minimisation: yes'
+		echo ''
+		echo '    # Allow binding before tun interface exists'
+		echo '    ip-freebind: yes'
+		echo ''
+		echo '    # DNS rebinding protection'
+		echo '    private-address: 10.0.0.0/8'
+		echo '    private-address: 172.16.0.0/12'
+		echo '    private-address: 192.168.0.0/16'
+		echo '    private-address: 169.254.0.0/16'
+		echo '    private-address: 127.0.0.0/8'
+		echo '    private-address: fd00::/8'
+		echo '    private-address: fe80::/10'
+		echo '    private-address: ::ffff:0:0/96'
+
+		# Add VPN subnet to private addresses if IPv6 enabled
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo "    private-address: ${VPN_SUBNET_IPV6}/112"
+		fi
+
+		# Disable remote-control (requires SSL certs on openSUSE)
+		if [[ $OS == "opensuse" ]]; then
+			echo ''
+			echo 'remote-control:'
+			echo '    control-enable: no'
+		fi
+	} >/etc/unbound/unbound.conf.d/openvpn.conf
+
+	run_cmd "Enabling Unbound service" systemctl enable unbound
+	run_cmd "Starting Unbound service" systemctl restart unbound
+
+	# Validate Unbound is running
+	for i in {1..10}; do
+		if pgrep -x unbound >/dev/null; then
+			return 0
+		fi
+		sleep 1
+	done
+	log_fatal "Unbound failed to start. Check 'journalctl -u unbound' for details."
+}
+
+function resolvePublicIPv4() {
+	local public_ip=""
+
+	# Try to resolve public IPv4 using: https://api.seeip.org
+	if [[ -z $public_ip ]]; then
+		public_ip=$(curl -f -m 5 -sS --retry 2 --retry-connrefused -4 https://api.seeip.org 2>/dev/null)
+	fi
+
+	# Try to resolve using: https://ifconfig.me
+	if [[ -z $public_ip ]]; then
+		public_ip=$(curl -f -m 5 -sS --retry 2 --retry-connrefused -4 https://ifconfig.me 2>/dev/null)
+	fi
+
+	# Try to resolve using: https://api.ipify.org
+	if [[ -z $public_ip ]]; then
+		public_ip=$(curl -f -m 5 -sS --retry 2 --retry-connrefused -4 https://api.ipify.org 2>/dev/null)
+	fi
+
+	# Try to resolve using: ns1.google.com
+	if [[ -z $public_ip ]]; then
+		public_ip=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
+	fi
+
+	echo "$public_ip"
+}
+
+function resolvePublicIPv6() {
+	local public_ip=""
+
+	# Try to resolve public IPv6 using: https://api6.seeip.org
+	if [[ -z $public_ip ]]; then
+		public_ip=$(curl -f -m 5 -sS --retry 2 --retry-connrefused -6 https://api6.seeip.org 2>/dev/null)
+	fi
+
+	# Try to resolve using: https://ifconfig.me (IPv6)
+	if [[ -z $public_ip ]]; then
+		public_ip=$(curl -f -m 5 -sS --retry 2 --retry-connrefused -6 https://ifconfig.me 2>/dev/null)
+	fi
+
+	# Try to resolve using: https://api64.ipify.org (dual-stack, prefer IPv6)
+	if [[ -z $public_ip ]]; then
+		public_ip=$(curl -f -m 5 -sS --retry 2 --retry-connrefused -6 https://api64.ipify.org 2>/dev/null)
+	fi
+
+	# Try to resolve using: ns1.google.com
+	if [[ -z $public_ip ]]; then
+		public_ip=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
+	fi
+
+	echo "$public_ip"
+}
+
+# Legacy wrapper for backward compatibility
+function resolvePublicIP() {
+	if [[ $ENDPOINT_TYPE == "6" ]]; then
+		resolvePublicIPv6
+	else
+		resolvePublicIPv4
+	fi
+}
+
+# Detect server's IPv4 and IPv6 addresses
+function detect_server_ips() {
+	IP_IPV4=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+	IP_IPV6=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+
+	# Set IP based on ENDPOINT_TYPE
+	if [[ $ENDPOINT_TYPE == "6" ]]; then
+		IP="$IP_IPV6"
+	else
+		IP="$IP_IPV4"
+	fi
+}
+
+# Calculate derived network configuration values
+function prepare_network_config() {
+	# Calculate IPv4 gateway (always needed for leak prevention)
+	VPN_GATEWAY_IPV4="${VPN_SUBNET_IPV4%.*}.1"
+
+	# Calculate IPv6 gateway if IPv6 is enabled
+	if [[ $CLIENT_IPV6 == "y" ]]; then
+		VPN_GATEWAY_IPV6="${VPN_SUBNET_IPV6}1"
+	fi
+
+	# Set legacy variable for backward compatibility
+	IPV6_SUPPORT="$CLIENT_IPV6"
+}
+
+function installQuestions() {
+	log_header "OpenVPN Installer"
+	log_prompt "The git repository is available at: https://github.com/angristan/openvpn-install"
+
+	log_prompt "I need to ask you a few questions before starting the setup."
+	log_prompt "You can leave the default options and just press enter if you are okay with them."
+
+	# ==========================================================================
+	# Step 1: Detect server IP addresses
+	# ==========================================================================
+	log_menu ""
+	log_prompt "Detecting server IP addresses..."
+
+	# Detect IPv4 address
+	IP_IPV4=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+	# Detect IPv6 address
+	IP_IPV6=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+
+	if [[ -n $IP_IPV4 ]]; then
+		log_prompt "  IPv4 address detected: $IP_IPV4"
+	else
+		log_prompt "  No IPv4 address detected"
+	fi
+	if [[ -n $IP_IPV6 ]]; then
+		log_prompt "  IPv6 address detected: $IP_IPV6"
+	else
+		log_prompt "  No IPv6 address detected"
+	fi
+
+	# ==========================================================================
+	# Step 2: Endpoint type selection
+	# ==========================================================================
+	log_menu ""
+	log_prompt "What IP version should clients use to connect to this server?"
+
+	# Determine default based on available addresses
+	if [[ -n $IP_IPV4 ]]; then
+		ENDPOINT_TYPE_DEFAULT=1
+	elif [[ -n $IP_IPV6 ]]; then
+		ENDPOINT_TYPE_DEFAULT=2
+	else
+		log_fatal "No IPv4 or IPv6 address detected on this server."
+	fi
+
+	log_menu "   1) IPv4"
+	log_menu "   2) IPv6"
+	until [[ $ENDPOINT_TYPE_CHOICE =~ ^[1-2]$ ]]; do
+		read -rp "Endpoint type [1-2]: " -e -i $ENDPOINT_TYPE_DEFAULT ENDPOINT_TYPE_CHOICE
+	done
+	case $ENDPOINT_TYPE_CHOICE in
+	1)
+		ENDPOINT_TYPE="4"
+		IP="$IP_IPV4"
+		;;
+	2)
+		ENDPOINT_TYPE="6"
+		IP="$IP_IPV6"
+		;;
+	esac
+
+	# ==========================================================================
+	# Step 3: Endpoint address (handle NAT for IPv4, direct for IPv6)
+	# ==========================================================================
+	APPROVE_IP=${APPROVE_IP:-n}
+	if [[ $APPROVE_IP =~ n ]]; then
+		log_menu ""
+		if [[ $ENDPOINT_TYPE == "4" ]]; then
+			log_prompt "Server listening IPv4 address:"
+			read -rp "IPv4 address: " -e -i "$IP" IP
+		else
+			log_prompt "Server listening IPv6 address:"
+			read -rp "IPv6 address: " -e -i "$IP" IP
+		fi
+	fi
+
+	# If IPv4 and private IP, server is behind NAT
+	if [[ $ENDPOINT_TYPE == "4" ]] && echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
+		log_menu ""
+		log_prompt "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
+		log_prompt "We need it for the clients to connect to the server."
+
+		if [[ -z $ENDPOINT ]]; then
+			DEFAULT_ENDPOINT=$(resolvePublicIPv4)
+		fi
+
+		until [[ $ENDPOINT != "" ]]; do
+			read -rp "Public IPv4 address or hostname: " -e -i "$DEFAULT_ENDPOINT" ENDPOINT
+		done
+	elif [[ $ENDPOINT_TYPE == "6" ]]; then
+		# For IPv6, check if it's a link-local address (starts with fe80)
+		if echo "$IP" | grep -qiE '^fe80'; then
+			log_menu ""
+			log_prompt "The detected IPv6 address is link-local. What is the public IPv6 address or hostname?"
+			log_prompt "We need it for the clients to connect to the server."
+
+			if [[ -z $ENDPOINT ]]; then
+				DEFAULT_ENDPOINT=$(resolvePublicIPv6)
+			fi
+
+			until [[ $ENDPOINT != "" ]]; do
+				read -rp "Public IPv6 address or hostname: " -e -i "$DEFAULT_ENDPOINT" ENDPOINT
+			done
+		fi
+	fi
+
+	# ==========================================================================
+	# Step 4: Client IP versions
+	# ==========================================================================
+	log_menu ""
+	log_prompt "What IP versions should VPN clients use?"
+	log_prompt "This determines both their VPN addresses and internet access through the tunnel."
+
+	# Check IPv6 connectivity for suggestion
+	if type ping6 >/dev/null 2>&1; then
+		PING6="ping6 -c1 -W2 ipv6.google.com > /dev/null 2>&1"
+	else
+		PING6="ping -6 -c1 -W2 ipv6.google.com > /dev/null 2>&1"
+	fi
+	HAS_IPV6_CONNECTIVITY="n"
+	if eval "$PING6"; then
+		HAS_IPV6_CONNECTIVITY="y"
+	fi
+
+	# Default suggestion based on connectivity
+	if [[ $HAS_IPV6_CONNECTIVITY == "y" ]]; then
+		CLIENT_IP_DEFAULT=3 # Dual-stack if IPv6 available
+	else
+		CLIENT_IP_DEFAULT=1 # IPv4 only otherwise
+	fi
+
+	log_menu "   1) IPv4 only"
+	log_menu "   2) IPv6 only"
+	log_menu "   3) Dual-stack (IPv4 + IPv6)"
+	until [[ $CLIENT_IP_CHOICE =~ ^[1-3]$ ]]; do
+		read -rp "Client IP versions [1-3]: " -e -i $CLIENT_IP_DEFAULT CLIENT_IP_CHOICE
+	done
+	case $CLIENT_IP_CHOICE in
+	1)
+		CLIENT_IPV4="y"
+		CLIENT_IPV6="n"
+		;;
+	2)
+		CLIENT_IPV4="n"
+		CLIENT_IPV6="y"
+		;;
+	3)
+		CLIENT_IPV4="y"
+		CLIENT_IPV6="y"
+		;;
+	esac
+
+	# ==========================================================================
+	# Step 5: IPv4 subnet (prompt only if IPv4 enabled, but always set for leak prevention)
+	# ==========================================================================
+	if [[ $CLIENT_IPV4 == "y" ]]; then
+		log_menu ""
+		log_prompt "IPv4 VPN subnet:"
+		log_menu "   1) Default: 10.8.0.0/24"
+		log_menu "   2) Custom"
+		until [[ $SUBNET_IPV4_CHOICE =~ ^[1-2]$ ]]; do
+			read -rp "IPv4 subnet choice [1-2]: " -e -i 1 SUBNET_IPV4_CHOICE
+		done
+		case $SUBNET_IPV4_CHOICE in
+		1)
+			VPN_SUBNET_IPV4="10.8.0.0"
+			;;
+		2)
+			# Skip prompt if VPN_SUBNET_IPV4 is already set (e.g., via environment variable)
+			if [[ -z $VPN_SUBNET_IPV4 ]]; then
+				until [[ $VPN_SUBNET_IPV4 =~ ^(10\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])|172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])|192\.168\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\.0$ ]]; do
+					read -rp "Custom IPv4 subnet (e.g., 10.9.0.0): " VPN_SUBNET_IPV4
+				done
+			fi
+			;;
+		esac
+	else
+		# IPv6-only mode: still need IPv4 subnet for leak prevention (redirect-gateway def1)
+		VPN_SUBNET_IPV4="10.8.0.0"
+	fi
+
+	# ==========================================================================
+	# Step 6: IPv6 subnet (if IPv6 enabled for clients)
+	# ==========================================================================
+	if [[ $CLIENT_IPV6 == "y" ]]; then
+		log_menu ""
+		log_prompt "IPv6 VPN subnet:"
+		log_menu "   1) Default: fd42:42:42:42::/112"
+		log_menu "   2) Custom"
+		until [[ $SUBNET_IPV6_CHOICE =~ ^[1-2]$ ]]; do
+			read -rp "IPv6 subnet choice [1-2]: " -e -i 1 SUBNET_IPV6_CHOICE
+		done
+		case $SUBNET_IPV6_CHOICE in
+		1)
+			VPN_SUBNET_IPV6="fd42:42:42:42::"
+			;;
+		2)
+			# Skip prompt if VPN_SUBNET_IPV6 is already set (e.g., via environment variable)
+			if [[ -z $VPN_SUBNET_IPV6 ]]; then
+				until [[ $VPN_SUBNET_IPV6 =~ ^fd[0-9a-fA-F]{0,2}(:[0-9a-fA-F]{0,4}){0,6}::$ ]]; do
+					read -rp "Custom IPv6 subnet (e.g., fd12:3456:789a::): " VPN_SUBNET_IPV6
+				done
+			fi
+			;;
+		esac
+	fi
+
+	log_menu ""
+	log_prompt "What port do you want OpenVPN to listen to?"
+	log_menu "   1) Default: 1194"
+	log_menu "   2) Custom"
+	log_menu "   3) Random [49152-65535]"
+	until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
+		read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
+	done
+	case $PORT_CHOICE in
+	1)
+		PORT="1194"
+		;;
+	2)
+		until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
+			read -rp "Custom port [1-65535]: " -e -i 1194 PORT
+		done
+		;;
+	3)
+		# Generate random number within private ports range
+		PORT=$(shuf -i 49152-65535 -n1)
+		log_info "Random Port: $PORT"
+		;;
+	esac
+	log_menu ""
+	log_prompt "What protocol do you want OpenVPN to use?"
+	log_prompt "UDP is faster. Unless it is not available, you shouldn't use TCP."
+	log_menu "   1) UDP"
+	log_menu "   2) TCP"
+	until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
+		read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
+	done
+	case $PROTOCOL_CHOICE in
+	1)
+		PROTOCOL="udp"
+		;;
+	2)
+		PROTOCOL="tcp"
+		;;
+	esac
+	log_menu ""
+	log_prompt "What DNS resolvers do you want to use with the VPN?"
+	local dns_labels=("Current system resolvers (from /etc/resolv.conf)" "Self-hosted DNS Resolver (Unbound)" "Cloudflare (Anycast: worldwide)" "Quad9 (Anycast: worldwide)" "Quad9 uncensored (Anycast: worldwide)" "FDN (France)" "DNS.WATCH (Germany)" "OpenDNS (Anycast: worldwide)" "Google (Anycast: worldwide)" "Yandex Basic (Russia)" "AdGuard DNS (Anycast: worldwide)" "NextDNS (Anycast: worldwide)" "Custom")
+	local dns_valid=false
+	until [[ $dns_valid == true ]]; do
+		select_with_labels "DNS" dns_labels DNS_PROVIDERS "cloudflare" DNS
+		if [[ $DNS == "unbound" ]] && [[ -e /etc/unbound/unbound.conf ]]; then
+			log_menu ""
+			log_prompt "Unbound is already installed."
+			log_prompt "You can allow the script to configure it in order to use it from your OpenVPN clients"
+			log_prompt "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
+			log_prompt "No changes are made to the current configuration."
+			log_menu ""
+
+			local unbound_continue
+			until [[ $unbound_continue =~ ^[yn]$ ]]; do
+				read -rp "Apply configuration changes to Unbound? [y/n]: " -e unbound_continue
+			done
+			if [[ $unbound_continue == "n" ]]; then
+				unset DNS
+			else
+				dns_valid=true
+			fi
+		elif [[ $DNS == "custom" ]]; then
+			until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+				read -rp "Primary DNS: " -e DNS1
+			done
+			until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+				read -rp "Secondary DNS (optional): " -e DNS2
+				if [[ $DNS2 == "" ]]; then
+					break
+				fi
+			done
+			dns_valid=true
+		else
+			dns_valid=true
+		fi
+	done
+	log_menu ""
+	log_prompt "Do you want to allow a single .ovpn profile to be used on multiple devices simultaneously?"
+	log_prompt "Note: Enabling this disables persistent IP addresses for clients."
+	until [[ $MULTI_CLIENT =~ (y|n) ]]; do
+		read -rp "Allow multiple devices per client? [y/n]: " -e -i n MULTI_CLIENT
+	done
+	log_menu ""
+	log_prompt "Do you want to customize the tunnel MTU?"
+	log_menu "   MTU controls the maximum packet size. Lower values can help"
+	log_menu "   with connectivity issues on some networks (e.g., PPPoE, mobile)."
+	log_menu "   1) Default (1500) - works for most networks"
+	log_menu "   2) Custom"
+	until [[ $MTU_CHOICE =~ ^[1-2]$ ]]; do
+		read -rp "MTU choice [1-2]: " -e -i 1 MTU_CHOICE
+	done
+	if [[ $MTU_CHOICE == "2" ]]; then
+		until [[ $MTU =~ ^[0-9]+$ ]] && [[ $MTU -ge 576 ]] && [[ $MTU -le 65535 ]]; do
+			read -rp "MTU [576-65535]: " -e -i 1500 MTU
+		done
+	fi
+	log_menu ""
+	log_prompt "Choose the authentication mode:"
+	log_menu "   1) PKI (Certificate Authority) - Traditional CA-based authentication (recommended for larger setups)"
+	log_menu "   2) Peer Fingerprint - Simplified WireGuard-like authentication using certificate fingerprints"
+	log_menu "      Note: Fingerprint mode requires OpenVPN 2.6+ and is ideal for small/home setups"
+	local auth_mode_choice
+	until [[ $auth_mode_choice =~ ^[1-2]$ ]]; do
+		read -rp "Authentication mode [1-2]: " -e -i 1 auth_mode_choice
+	done
+	case $auth_mode_choice in
+	1)
+		AUTH_MODE="pki"
+		;;
+	2)
+		AUTH_MODE="fingerprint"
+		# Verify OpenVPN 2.6+ is available for fingerprint mode
+		local openvpn_ver
+		openvpn_ver=$(get_openvpn_version)
+		if [[ -n "$openvpn_ver" ]] && ! version_ge "$openvpn_ver" "2.6.0"; then
+			log_warn "OpenVPN $openvpn_ver detected. Fingerprint mode requires 2.6.0+."
+			log_warn "OpenVPN 2.6+ will be installed during setup."
+		fi
+		;;
+	esac
+	log_menu ""
+	log_prompt "Do you want to customize encryption settings?"
+	log_prompt "Unless you know what you're doing, you should stick with the default parameters provided by the script."
+	log_prompt "Note that whatever you choose, all the choices presented in the script are safe (unlike OpenVPN's defaults)."
+	log_prompt "See https://github.com/angristan/openvpn-install#security-and-encryption to learn more."
+	log_menu ""
+	until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do
+		read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC
+	done
+	if [[ $CUSTOMIZE_ENC == "n" ]]; then
+		# Use default, sane and fast parameters
+		CIPHER="AES-128-GCM"
+		CERT_TYPE="ecdsa"
+		CERT_CURVE="prime256v1"
+		CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
+		TLS13_CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"
+		TLS_VERSION_MIN="1.2"
+		TLS_GROUPS="X25519:prime256v1:secp384r1:secp521r1"
+		HMAC_ALG="SHA256"
+		TLS_SIG="crypt-v2"
+	else
+		log_menu ""
+		log_prompt "Choose which cipher you want to use for the data channel:"
+		log_menu "   1) AES-128-GCM (recommended)"
+		log_menu "   2) AES-192-GCM"
+		log_menu "   3) AES-256-GCM"
+		log_menu "   4) AES-128-CBC"
+		log_menu "   5) AES-192-CBC"
+		log_menu "   6) AES-256-CBC"
+		log_menu "   7) CHACHA20-POLY1305 (requires OpenVPN 2.5+, good for devices without AES-NI)"
+		until [[ $CIPHER_CHOICE =~ ^[1-7]$ ]]; do
+			read -rp "Cipher [1-7]: " -e -i 1 CIPHER_CHOICE
+		done
+		case $CIPHER_CHOICE in
+		1)
+			CIPHER="AES-128-GCM"
+			;;
+		2)
+			CIPHER="AES-192-GCM"
+			;;
+		3)
+			CIPHER="AES-256-GCM"
+			;;
+		4)
+			CIPHER="AES-128-CBC"
+			;;
+		5)
+			CIPHER="AES-192-CBC"
+			;;
+		6)
+			CIPHER="AES-256-CBC"
+			;;
+		7)
+			CIPHER="CHACHA20-POLY1305"
+			;;
+		esac
+		log_menu ""
+		log_prompt "Choose what kind of certificate you want to use:"
+		log_menu "   1) ECDSA (recommended)"
+		log_menu "   2) RSA"
+		local cert_type_choice
+		until [[ $cert_type_choice =~ ^[1-2]$ ]]; do
+			read -rp "Certificate key type [1-2]: " -e -i 1 cert_type_choice
+		done
+		case $cert_type_choice in
+		1)
+			CERT_TYPE="ecdsa"
+			log_menu ""
+			log_prompt "Choose which curve you want to use for the certificate's key:"
+			select_from_array "Curve" CERT_CURVES "prime256v1" CERT_CURVE
+			;;
+		2)
+			CERT_TYPE="rsa"
+			log_menu ""
+			log_prompt "Choose which size you want to use for the certificate's RSA key:"
+			select_from_array "RSA key size" RSA_KEY_SIZES "2048" RSA_KEY_SIZE
+			;;
+		esac
+		log_menu ""
+		log_prompt "Choose which cipher you want to use for the control channel:"
+		local cc_labels cc_values
+		if [[ $CERT_TYPE == "ecdsa" ]]; then
+			cc_labels=("ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)" "ECDHE-ECDSA-AES-256-GCM-SHA384" "ECDHE-ECDSA-CHACHA20-POLY1305 (OpenVPN 2.5+)")
+			cc_values=("TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256")
+		else
+			cc_labels=("ECDHE-RSA-AES-128-GCM-SHA256 (recommended)" "ECDHE-RSA-AES-256-GCM-SHA384" "ECDHE-RSA-CHACHA20-POLY1305 (OpenVPN 2.5+)")
+			cc_values=("TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256")
+		fi
+		select_with_labels "Control channel cipher" cc_labels cc_values "${cc_values[0]}" CC_CIPHER
+		log_menu ""
+		log_prompt "Choose the minimum TLS version:"
+		log_menu "   1) TLS 1.2 (recommended, compatible with all clients)"
+		log_menu "   2) TLS 1.3 (more secure, requires OpenVPN 2.5+ clients)"
+		until [[ $TLS_VERSION_MIN_CHOICE =~ ^[1-2]$ ]]; do
+			read -rp "Minimum TLS version [1-2]: " -e -i 1 TLS_VERSION_MIN_CHOICE
+		done
+		case $TLS_VERSION_MIN_CHOICE in
+		1)
+			TLS_VERSION_MIN="1.2"
+			;;
+		2)
+			TLS_VERSION_MIN="1.3"
+			;;
+		esac
+		log_menu ""
+		log_prompt "Choose TLS 1.3 cipher suites (used when TLS 1.3 is negotiated):"
+		log_menu "   1) All secure ciphers (recommended)"
+		log_menu "   2) AES-256-GCM only"
+		log_menu "   3) AES-128-GCM only"
+		log_menu "   4) ChaCha20-Poly1305 only"
+		until [[ $TLS13_CIPHER_CHOICE =~ ^[1-4]$ ]]; do
+			read -rp "TLS 1.3 cipher suite [1-4]: " -e -i 1 TLS13_CIPHER_CHOICE
+		done
+		case $TLS13_CIPHER_CHOICE in
+		1)
+			TLS13_CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"
+			;;
+		2)
+			TLS13_CIPHERSUITES="TLS_AES_256_GCM_SHA384"
+			;;
+		3)
+			TLS13_CIPHERSUITES="TLS_AES_128_GCM_SHA256"
+			;;
+		4)
+			TLS13_CIPHERSUITES="TLS_CHACHA20_POLY1305_SHA256"
+			;;
+		esac
+		log_menu ""
+		log_prompt "Choose TLS key exchange groups (for ECDH key exchange):"
+		log_menu "   1) All modern curves (recommended)"
+		log_menu "   2) X25519 only (most secure, may have compatibility issues)"
+		log_menu "   3) NIST curves only (prime256v1, secp384r1, secp521r1)"
+		until [[ $TLS_GROUPS_CHOICE =~ ^[1-3]$ ]]; do
+			read -rp "TLS groups [1-3]: " -e -i 1 TLS_GROUPS_CHOICE
+		done
+		case $TLS_GROUPS_CHOICE in
+		1)
+			TLS_GROUPS="X25519:prime256v1:secp384r1:secp521r1"
+			;;
+		2)
+			TLS_GROUPS="X25519"
+			;;
+		3)
+			TLS_GROUPS="prime256v1:secp384r1:secp521r1"
+			;;
+		esac
+		log_menu ""
+		# The "auth" options behaves differently with AEAD ciphers (GCM, ChaCha20-Poly1305)
+		if [[ $CIPHER =~ CBC$ ]]; then
+			log_prompt "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
+		elif [[ $CIPHER =~ GCM$ ]] || [[ $CIPHER == "CHACHA20-POLY1305" ]]; then
+			log_prompt "The digest algorithm authenticates tls-auth packets from the control channel."
+		fi
+		log_prompt "Which digest algorithm do you want to use for HMAC?"
+		log_menu "   1) SHA-256 (recommended)"
+		log_menu "   2) SHA-384"
+		log_menu "   3) SHA-512"
+		until [[ $HMAC_ALG_CHOICE =~ ^[1-3]$ ]]; do
+			read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE
+		done
+		case $HMAC_ALG_CHOICE in
+		1)
+			HMAC_ALG="SHA256"
+			;;
+		2)
+			HMAC_ALG="SHA384"
+			;;
+		3)
+			HMAC_ALG="SHA512"
+			;;
+		esac
+		log_menu ""
+		log_prompt "You can add an additional layer of security to the control channel."
+		local tls_sig_labels=("tls-crypt-v2 (recommended): Encrypts control channel, unique key per client" "tls-crypt: Encrypts control channel, shared key for all clients" "tls-auth: Authenticates control channel, no encryption")
+		select_with_labels "Control channel security" tls_sig_labels TLS_SIG_MODES "crypt-v2" TLS_SIG
+	fi
+	log_menu ""
+	log_prompt "Okay, that was all I needed. We are ready to setup your OpenVPN server now."
+	log_prompt "You will be able to generate a client at the end of the installation."
+	APPROVE_INSTALL=${APPROVE_INSTALL:-n}
+	if [[ $APPROVE_INSTALL =~ n ]]; then
+		read -n1 -r -p "Press any key to continue..."
+	fi
+}
+
+function installOpenVPN() {
+	if [[ $NON_INTERACTIVE_INSTALL == "y" ]]; then
+		# Resolve public IP if ENDPOINT not set
+		if [[ -z $ENDPOINT ]]; then
+			ENDPOINT=$(resolvePublicIP)
+		fi
+
+		# Log non-interactive mode and parameters
+		log_info "=== OpenVPN Non-Interactive Install ==="
+		log_info "Running in non-interactive mode with the following settings:"
+		log_info "  ENDPOINT=$ENDPOINT"
+		log_info "  ENDPOINT_TYPE=$ENDPOINT_TYPE"
+		log_info "  CLIENT_IPV4=$CLIENT_IPV4"
+		log_info "  CLIENT_IPV6=$CLIENT_IPV6"
+		log_info "  VPN_SUBNET_IPV4=$VPN_SUBNET_IPV4"
+		log_info "  VPN_SUBNET_IPV6=$VPN_SUBNET_IPV6"
+		log_info "  PORT=$PORT"
+		log_info "  PROTOCOL=$PROTOCOL"
+		log_info "  DNS=$DNS"
+		[[ -n $MTU ]] && log_info "  MTU=$MTU"
+		log_info "  MULTI_CLIENT=$MULTI_CLIENT"
+		log_info "  AUTH_MODE=$AUTH_MODE"
+		log_info "  CLIENT=$CLIENT"
+		log_info "  CLIENT_CERT_DURATION_DAYS=$CLIENT_CERT_DURATION_DAYS"
+		log_info "  SERVER_CERT_DURATION_DAYS=$SERVER_CERT_DURATION_DAYS"
+	fi
+
+	# Get the "public" interface from the default route
+	NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
+	if [[ -z $NIC ]] && [[ $CLIENT_IPV6 == 'y' ]]; then
+		NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
+	fi
+
+	# $NIC can not be empty for script rm-openvpn-rules.sh
+	if [[ -z $NIC ]]; then
+		log_warn "Could not detect public interface."
+		log_info "This needs for setup MASQUERADE."
+		until [[ $CONTINUE =~ (y|n) ]]; do
+			read -rp "Continue? [y/n]: " -e CONTINUE
+		done
+		if [[ $CONTINUE == "n" ]]; then
+			exit 1
+		fi
+	fi
+
+	# If OpenVPN isn't installed yet, install it. This script is more-or-less
+	# idempotent on multiple runs, but will only install OpenVPN from upstream
+	# the first time.
+	if [[ ! -e /etc/openvpn/server/server.conf ]]; then
+		log_header "Installing OpenVPN"
+
+		# Setup official OpenVPN repository for latest versions
+		installOpenVPNRepo
+
+		log_info "Installing OpenVPN and dependencies..."
+		# socat is used for communicating with the OpenVPN management interface (client disconnect on revoke)
+		if [[ $OS =~ (debian|ubuntu) ]]; then
+			run_cmd_fatal "Installing OpenVPN" apt-get install -y openvpn iptables openssl curl ca-certificates tar dnsutils socat
+		elif [[ $OS == 'centos' ]]; then
+			run_cmd_fatal "Installing OpenVPN" yum install -y openvpn iptables openssl ca-certificates curl tar bind-utils socat 'policycoreutils-python*'
+		elif [[ $OS == 'oracle' ]]; then
+			run_cmd_fatal "Installing OpenVPN" yum install -y openvpn iptables openssl ca-certificates curl tar bind-utils socat policycoreutils-python-utils
+		elif [[ $OS == 'amzn2023' ]]; then
+			run_cmd_fatal "Installing OpenVPN" dnf install -y openvpn iptables openssl ca-certificates curl tar bind-utils socat
+		elif [[ $OS == 'fedora' ]]; then
+			run_cmd_fatal "Installing OpenVPN" dnf install -y openvpn iptables openssl ca-certificates curl tar bind-utils socat policycoreutils-python-utils
+		elif [[ $OS == 'opensuse' ]]; then
+			run_cmd_fatal "Installing OpenVPN" zypper install -y openvpn iptables openssl ca-certificates curl tar bind-utils socat
+		elif [[ $OS == 'arch' ]]; then
+			run_cmd_fatal "Installing OpenVPN" pacman --needed --noconfirm -Syu openvpn iptables openssl ca-certificates curl tar bind socat
+		fi
+
+		# Verify ChaCha20-Poly1305 compatibility if selected
+		if [[ $CIPHER == "CHACHA20-POLY1305" ]] || [[ $CC_CIPHER =~ CHACHA20 ]]; then
+			local installed_version
+			installed_version=$(openvpn --version 2>/dev/null | head -1 | awk '{print $2}')
+			if ! openvpnVersionAtLeast "2.5"; then
+				log_fatal "ChaCha20-Poly1305 requires OpenVPN 2.5 or later. Installed version: $installed_version"
+			fi
+			log_info "OpenVPN version supports ChaCha20-Poly1305"
+		fi
+
+		# Check Data Channel Offload (DCO) availability
+		if isDCOAvailable; then
+			# Check if configuration is DCO-compatible (udp or udp6)
+			if [[ $PROTOCOL =~ ^udp ]] && [[ $CIPHER =~ (GCM|CHACHA20-POLY1305) ]]; then
+				log_info "Data Channel Offload (DCO) is available and will be used for improved performance"
+			else
+				log_info "Data Channel Offload (DCO) is available but not enabled (requires UDP, AEAD cipher)"
+			fi
+		else
+			log_info "Data Channel Offload (DCO) is not available (requires OpenVPN 2.6+ and kernel support)"
+		fi
+
+		# Create the server directory (OpenVPN 2.4+ directory structure)
+		run_cmd_fatal "Creating server directory" mkdir -p /etc/openvpn/server
+	fi
+
+	# Determine which user/group OpenVPN should run as
+	# - Fedora/RHEL/Amazon create 'openvpn' user with 'openvpn' group
+	# - Arch creates 'openvpn' user with 'network' group
+	# - Debian/Ubuntu/openSUSE don't create a dedicated user, use 'nobody'
+	#
+	# Also check if the systemd service file already handles user/group switching.
+	# If so, we shouldn't add user/group to config (would cause double privilege drop).
+	SYSTEMD_HANDLES_USER=false
+	for service_file in /usr/lib/systemd/system/openvpn-server@.service /lib/systemd/system/openvpn-server@.service; do
+		if [[ -f "$service_file" ]] && grep -q "^User=" "$service_file"; then
+			SYSTEMD_HANDLES_USER=true
+			break
+		fi
+	done
+
+	if id openvpn &>/dev/null; then
+		OPENVPN_USER=openvpn
+		# Get the openvpn user's primary group (e.g., 'openvpn' on Fedora, 'network' on Arch)
+		OPENVPN_GROUP=$(id -gn openvpn 2>/dev/null || echo openvpn)
+	else
+		OPENVPN_USER=nobody
+		if grep -qs "^nogroup:" /etc/group; then
+			OPENVPN_GROUP=nogroup
+		else
+			OPENVPN_GROUP=nobody
+		fi
+	fi
+
+	# Install the latest version of easy-rsa from source, if not already installed.
+	if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
+		run_cmd_fatal "Downloading Easy-RSA v${EASYRSA_VERSION}" curl -fL --retry 5 -o ~/easy-rsa.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/EasyRSA-${EASYRSA_VERSION}.tgz"
+		log_info "Verifying Easy-RSA checksum..."
+		CHECKSUM_OUTPUT=$(echo "${EASYRSA_SHA256}  $HOME/easy-rsa.tgz" | sha256sum -c 2>&1) || {
+			_log_to_file "[CHECKSUM] $CHECKSUM_OUTPUT"
+			run_cmd "Cleaning up failed download" rm -f ~/easy-rsa.tgz
+			log_fatal "SHA256 checksum verification failed for easy-rsa download!"
+		}
+		_log_to_file "[CHECKSUM] $CHECKSUM_OUTPUT"
+		run_cmd_fatal "Creating Easy-RSA directory" mkdir -p /etc/openvpn/server/easy-rsa
+		run_cmd_fatal "Extracting Easy-RSA" tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/server/easy-rsa
+		run_cmd "Cleaning up archive" rm -f ~/easy-rsa.tgz
+
+		cd /etc/openvpn/server/easy-rsa/ || return
+		case $CERT_TYPE in
+		ecdsa)
+			echo "set_var EASYRSA_ALGO ec" >vars
+			echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars
+			;;
+		rsa)
+			echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars
+			;;
+		esac
+
+		# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
+		# Note: 2>/dev/null suppresses "Broken pipe" errors from fold when head exits early
+		SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 2>/dev/null | head -n 1)"
+		echo "$SERVER_CN" >SERVER_CN_GENERATED
+		SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 2>/dev/null | head -n 1)"
+		echo "$SERVER_NAME" >SERVER_NAME_GENERATED
+
+		# Create the PKI, set up the CA, the DH params and the server certificate
+		log_info "Initializing PKI..."
+		run_cmd_fatal "Initializing PKI" ./easyrsa init-pki
+
+		if [[ $AUTH_MODE == "pki" ]]; then
+			# Traditional PKI mode with CA
+			export EASYRSA_CA_EXPIRE=$DEFAULT_CERT_VALIDITY_DURATION_DAYS
+			log_info "Building CA..."
+			run_cmd_fatal "Building CA" ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass
+
+			export EASYRSA_CERT_EXPIRE=${SERVER_CERT_DURATION_DAYS:-$DEFAULT_CERT_VALIDITY_DURATION_DAYS}
+			log_info "Building server certificate..."
+			run_cmd_fatal "Building server certificate" ./easyrsa --batch build-server-full "$SERVER_NAME" nopass
+			export EASYRSA_CRL_DAYS=$DEFAULT_CRL_VALIDITY_DURATION_DAYS
+			run_cmd_fatal "Generating CRL" ./easyrsa gen-crl
+		else
+			# Fingerprint mode with self-signed certificates (OpenVPN 2.6+)
+			log_info "Building self-signed server certificate for fingerprint mode..."
+			export EASYRSA_CERT_EXPIRE=${SERVER_CERT_DURATION_DAYS:-$DEFAULT_CERT_VALIDITY_DURATION_DAYS}
+			run_cmd_fatal "Building self-signed server certificate" ./easyrsa --batch self-sign-server "$SERVER_NAME" nopass
+
+			# Extract and store server fingerprint
+			SERVER_FINGERPRINT=$(openssl x509 -in "pki/issued/$SERVER_NAME.crt" -fingerprint -sha256 -noout | cut -d'=' -f2)
+			if [[ -z $SERVER_FINGERPRINT ]]; then
+				log_error "Failed to extract server certificate fingerprint"
+				exit 1
+			fi
+			mkdir -p /etc/openvpn/server
+			echo "$SERVER_FINGERPRINT" >/etc/openvpn/server/server-fingerprint
+			log_info "Server fingerprint: $SERVER_FINGERPRINT"
+		fi
+
+		log_info "Generating TLS key..."
+		case $TLS_SIG in
+		crypt-v2)
+			# Generate tls-crypt-v2 server key
+			run_cmd_fatal "Generating tls-crypt-v2 server key" openvpn --genkey tls-crypt-v2-server /etc/openvpn/server/tls-crypt-v2.key
+			;;
+		crypt)
+			# Generate tls-crypt key
+			run_cmd_fatal "Generating tls-crypt key" openvpn --genkey secret /etc/openvpn/server/tls-crypt.key
+			;;
+		auth)
+			# Generate tls-auth key
+			run_cmd_fatal "Generating tls-auth key" openvpn --genkey secret /etc/openvpn/server/tls-auth.key
+			;;
+		esac
+		# Store auth mode for later use
+		echo "$AUTH_MODE" >AUTH_MODE_GENERATED
+	else
+		# If easy-rsa is already installed, grab the generated SERVER_NAME
+		# for client configs
+		cd /etc/openvpn/server/easy-rsa/ || return
+		SERVER_NAME=$(cat SERVER_NAME_GENERATED)
+		# Read stored auth mode
+		if [[ -f AUTH_MODE_GENERATED ]]; then
+			AUTH_MODE=$(cat AUTH_MODE_GENERATED)
+		else
+			# Default to pki for existing installations
+			AUTH_MODE="pki"
+		fi
+	fi
+
+	# Move all the generated files
+	log_info "Copying certificates..."
+	if [[ $AUTH_MODE == "pki" ]]; then
+		run_cmd_fatal "Copying certificates to /etc/openvpn/server" cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server
+		# Make cert revocation list readable for non-root
+		run_cmd "Setting CRL permissions" chmod 644 /etc/openvpn/server/crl.pem
+	else
+		# Fingerprint mode: only copy server cert and key (no CA or CRL)
+		run_cmd_fatal "Copying certificates to /etc/openvpn/server" cp "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/server
+	fi
+
+	# Generate server.conf
+	log_info "Generating server configuration..."
+	echo "port $PORT" >/etc/openvpn/server/server.conf
+
+	# Protocol selection: use proto6 variants if endpoint is IPv6
+	if [[ $ENDPOINT_TYPE == "6" ]]; then
+		echo "proto ${PROTOCOL}6" >>/etc/openvpn/server/server.conf
+	else
+		echo "proto $PROTOCOL" >>/etc/openvpn/server/server.conf
+	fi
+
+	if [[ $MULTI_CLIENT == "y" ]]; then
+		echo "duplicate-cn" >>/etc/openvpn/server/server.conf
+	fi
+
+	echo "dev tun" >>/etc/openvpn/server/server.conf
+	# Only add user/group if systemd doesn't handle it (avoids double privilege drop)
+	if [[ $SYSTEMD_HANDLES_USER == "false" ]]; then
+		echo "user $OPENVPN_USER
+group $OPENVPN_GROUP" >>/etc/openvpn/server/server.conf
+	fi
+	echo "persist-key
+persist-tun
+keepalive 10 120
+topology subnet" >>/etc/openvpn/server/server.conf
+
+	# IPv4 server directive - always assign IPv4 to clients for proper routing
+	# Even for IPv6-only mode, we need IPv4 addresses so redirect-gateway def1 can block IPv4 leaks
+	echo "server $VPN_SUBNET_IPV4 255.255.255.0" >>/etc/openvpn/server/server.conf
+
+	# IPv6 server directive (only if clients get IPv6)
+	if [[ $CLIENT_IPV6 == "y" ]]; then
+		{
+			echo "server-ipv6 ${VPN_SUBNET_IPV6}/112"
+			echo "tun-ipv6"
+			echo "push tun-ipv6"
+		} >>/etc/openvpn/server/server.conf
+	fi
+
+	# ifconfig-pool-persist is incompatible with duplicate-cn
+	if [[ $MULTI_CLIENT != "y" ]]; then
+		echo "ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server/server.conf
+	fi
+
+	# DNS resolvers
+	case $DNS in
+	system)
+		# Locate the proper resolv.conf
+		# Needed for systems running systemd-resolved
+		if grep -q "127.0.0.53" "/etc/resolv.conf"; then
+			RESOLVCONF='/run/systemd/resolve/resolv.conf'
+		else
+			RESOLVCONF='/etc/resolv.conf'
+		fi
+		# Obtain the resolvers from resolv.conf and use them for OpenVPN
+		sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
+			# Copy IPv4 resolvers if client has IPv4, or IPv6 resolvers if client has IPv6
+			if [[ $line =~ ^[0-9.]*$ ]] && [[ $CLIENT_IPV4 == 'y' ]]; then
+				echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server/server.conf
+			elif [[ $line =~ : ]] && [[ $CLIENT_IPV6 == 'y' ]]; then
+				echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server/server.conf
+			fi
+		done
+		;;
+	unbound)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo "push \"dhcp-option DNS $VPN_GATEWAY_IPV4\"" >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo "push \"dhcp-option DNS $VPN_GATEWAY_IPV6\"" >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	cloudflare)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2606:4700:4700::1001"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2606:4700:4700::1111"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	quad9)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2620:fe::fe"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2620:fe::9"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	quad9-uncensored)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2620:fe::10"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2620:fe::fe:10"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	fdn)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2001:910:800::40"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2001:910:800::12"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	dnswatch)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2001:1608:10:25::1c04:b12f"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2001:1608:10:25::9249:d69b"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	opendns)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2620:119:35::35"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2620:119:53::53"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	google)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2001:4860:4860::8888"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2001:4860:4860::8844"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	yandex)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2a02:6b8::feed:0ff"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2a02:6b8:0:1::feed:0ff"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	adguard)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2a10:50c0::ad1:ff"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2a10:50c0::ad2:ff"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	nextdns)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server/server.conf
+		fi
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo 'push "dhcp-option DNS 2a07:a8c0::"' >>/etc/openvpn/server/server.conf
+			echo 'push "dhcp-option DNS 2a07:a8c1::"' >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	custom)
+		echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server/server.conf
+		if [[ $DNS2 != "" ]]; then
+			echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server/server.conf
+		fi
+		;;
+	esac
+
+	# Redirect gateway settings - always redirect both IPv4 and IPv6 to prevent leaks
+	# For IPv4: redirect-gateway def1 routes all IPv4 through VPN (or drops it if IPv4 not configured)
+	# For IPv6: route-ipv6 + redirect-gateway ipv6 routes all IPv6, or block-ipv6 drops it
+	echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server/server.conf
+	if [[ $CLIENT_IPV6 == "y" ]]; then
+		echo 'push "route-ipv6 2000::/3"' >>/etc/openvpn/server/server.conf
+		echo 'push "redirect-gateway ipv6"' >>/etc/openvpn/server/server.conf
+	else
+		# Block IPv6 on clients to prevent IPv6 leaks when VPN only handles IPv4
+		echo 'push "block-ipv6"' >>/etc/openvpn/server/server.conf
+	fi
+
+	if [[ -n $MTU ]]; then
+		echo "tun-mtu $MTU" >>/etc/openvpn/server/server.conf
+	fi
+
+	# Use ECDH key exchange (dh none) with tls-groups for curve negotiation
+	echo "dh none" >>/etc/openvpn/server/server.conf
+	echo "tls-groups $TLS_GROUPS" >>/etc/openvpn/server/server.conf
+
+	case $TLS_SIG in
+	crypt-v2)
+		echo "tls-crypt-v2 tls-crypt-v2.key" >>/etc/openvpn/server/server.conf
+		;;
+	crypt)
+		echo "tls-crypt tls-crypt.key" >>/etc/openvpn/server/server.conf
+		;;
+	auth)
+		echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server/server.conf
+		;;
+	esac
+
+	# Common server config options
+	# PKI mode adds crl-verify, ca, and remote-cert-tls
+	# Fingerprint mode: <peer-fingerprint> block is added when first client is created
+	{
+		[[ $AUTH_MODE == "pki" ]] && echo "crl-verify crl.pem
+ca ca.crt"
+		echo "cert $SERVER_NAME.crt
+key $SERVER_NAME.key
+auth $HMAC_ALG
+cipher $CIPHER
+ignore-unknown-option data-ciphers
+data-ciphers $CIPHER
+ncp-ciphers $CIPHER
+tls-server
+tls-version-min $TLS_VERSION_MIN"
+		[[ $AUTH_MODE == "pki" ]] && echo "remote-cert-tls client"
+		echo "tls-cipher $CC_CIPHER
+tls-ciphersuites $TLS13_CIPHERSUITES
+client-config-dir ccd
+status /var/log/openvpn/status.log
+management /var/run/openvpn-server/server.sock unix
+verb 3"
+	} >>/etc/openvpn/server/server.conf
+
+	# Create client-config-dir dir
+	run_cmd_fatal "Creating client config directory" mkdir -p /etc/openvpn/server/ccd
+	# Create log dir
+	run_cmd_fatal "Creating log directory" mkdir -p /var/log/openvpn
+
+	# On distros that use a dedicated OpenVPN user (not "nobody"), e.g., Fedora, RHEL, Arch,
+	# set ownership so OpenVPN can read config/certs and write to log directory
+	if [[ $OPENVPN_USER != "nobody" ]]; then
+		log_info "Setting ownership for OpenVPN user..."
+		chown -R "$OPENVPN_USER:$OPENVPN_GROUP" /etc/openvpn/server
+		chown "$OPENVPN_USER:$OPENVPN_GROUP" /var/log/openvpn
+	fi
+
+	# Enable routing
+	log_info "Enabling IP forwarding..."
+	run_cmd_fatal "Creating sysctl.d directory" mkdir -p /etc/sysctl.d
+
+	# Enable IPv4 forwarding if clients get IPv4
+	if [[ $CLIENT_IPV4 == 'y' ]]; then
+		echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-openvpn.conf
+	else
+		echo '# IPv4 forwarding not needed (no IPv4 clients)' >/etc/sysctl.d/99-openvpn.conf
+	fi
+	# Enable IPv6 forwarding if clients get IPv6
+	if [[ $CLIENT_IPV6 == 'y' ]]; then
+		echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf
+	fi
+	# Apply sysctl rules
+	run_cmd "Applying sysctl rules" sysctl --system
+
+	# If SELinux is enabled and a custom port was selected, we need this
+	if hash sestatus 2>/dev/null; then
+		if sestatus | grep "Current mode" | grep -qs "enforcing"; then
+			if [[ $PORT != '1194' ]]; then
+				# Strip "6" suffix from protocol (semanage expects "udp" or "tcp", not "udp6"/"tcp6")
+				SELINUX_PROTOCOL="${PROTOCOL%6}"
+				run_cmd "Configuring SELinux port" semanage port -a -t openvpn_port_t -p "$SELINUX_PROTOCOL" "$PORT"
+			fi
+		fi
+	fi
+
+	# Finally, restart and enable OpenVPN
+	# OpenVPN 2.4+ uses openvpn-server@.service with config in /etc/openvpn/server/
+	log_info "Configuring OpenVPN service..."
+
+	# Find the service file (location and name vary by distro)
+	# Modern distros: openvpn-server@.service in /usr/lib/systemd/system/ or /lib/systemd/system/
+	# openSUSE: openvpn@.service (old-style) that we need to adapt
+	if [[ -f /usr/lib/systemd/system/openvpn-server@.service ]]; then
+		SERVICE_SOURCE="/usr/lib/systemd/system/openvpn-server@.service"
+	elif [[ -f /lib/systemd/system/openvpn-server@.service ]]; then
+		SERVICE_SOURCE="/lib/systemd/system/openvpn-server@.service"
+	elif [[ -f /usr/lib/systemd/system/openvpn@.service ]]; then
+		# openSUSE uses old-style service, we'll create our own openvpn-server@.service
+		SERVICE_SOURCE="/usr/lib/systemd/system/openvpn@.service"
+	elif [[ -f /lib/systemd/system/openvpn@.service ]]; then
+		SERVICE_SOURCE="/lib/systemd/system/openvpn@.service"
+	else
+		log_fatal "Could not find openvpn-server@.service or openvpn@.service file"
+	fi
+
+	# Don't modify package-provided service, copy to /etc/systemd/system/
+	run_cmd_fatal "Copying OpenVPN service file" cp "$SERVICE_SOURCE" /etc/systemd/system/openvpn-server@.service
+
+	# Workaround to fix OpenVPN service on OpenVZ
+	run_cmd "Patching service file (LimitNPROC)" sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
+
+	# Ensure the service uses /etc/openvpn/server/ as working directory
+	# This is needed for openSUSE which uses old-style paths by default
+	if grep -q "cd /etc/openvpn/" /etc/systemd/system/openvpn-server@.service; then
+		run_cmd "Patching service file (paths)" sed -i 's|/etc/openvpn/|/etc/openvpn/server/|g' /etc/systemd/system/openvpn-server@.service
+	fi
+
+	# Ensure RuntimeDirectory is set for the management socket
+	# Some distros (e.g., openSUSE) don't include this in their service file
+	if ! grep -q "RuntimeDirectory=" /etc/systemd/system/openvpn-server@.service; then
+		run_cmd "Patching service file (RuntimeDirectory)" sed -i '/\[Service\]/a RuntimeDirectory=openvpn-server' /etc/systemd/system/openvpn-server@.service
+	fi
+
+	# AppArmor: Ubuntu 25.04+ ships an enforcing profile for OpenVPN
+	# (/etc/apparmor.d/openvpn) that doesn't allow the management unix socket
+	# in /run/openvpn-server/. Add a local override to permit this.
+	if [[ -f /etc/apparmor.d/openvpn ]]; then
+		log_info "Configuring AppArmor for OpenVPN..."
+		mkdir -p /etc/apparmor.d/local
+		if [[ ! -f /etc/apparmor.d/local/openvpn ]] || ! grep -q "openvpn-server" /etc/apparmor.d/local/openvpn; then
+			{
+				echo "# Allow OpenVPN management socket and status files in openvpn-server directory"
+				echo "/{,var/}run/openvpn-server/** rw,"
+			} >>/etc/apparmor.d/local/openvpn
+		fi
+		run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn
+	fi
+
+	run_cmd "Reloading systemd" systemctl daemon-reload
+	run_cmd "Enabling OpenVPN service" systemctl enable openvpn-server@server
+	# In fingerprint mode, delay service start until first client is created
+	# (OpenVPN requires at least one fingerprint or a CA to start)
+	if [[ $AUTH_MODE == "pki" ]]; then
+		run_cmd "Starting OpenVPN service" systemctl restart openvpn-server@server
+	fi
+
+	if [[ $DNS == "unbound" ]]; then
+		installUnbound
+	fi
+
+	# Configure firewall rules
+	# Use source-based rules for VPN traffic (works reliably regardless of which tun interface OpenVPN uses)
+	log_info "Configuring firewall rules..."
+
+	if systemctl is-active --quiet firewalld; then
+		# Use firewalld native commands for systems with firewalld active
+		log_info "firewalld detected, using firewall-cmd..."
+		run_cmd "Adding OpenVPN port to firewalld" firewall-cmd --permanent --add-port="$PORT/$PROTOCOL"
+		run_cmd "Adding masquerade to firewalld" firewall-cmd --permanent --add-masquerade
+
+		# Add rich rules for VPN traffic (source-based only, as firewalld doesn't reliably
+		# support interface patterns with direct rules when using nftables backend)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			run_cmd "Adding IPv4 VPN subnet rule" firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$VPN_SUBNET_IPV4/24\" accept"
+		fi
+
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			run_cmd "Adding IPv6 VPN subnet rule" firewall-cmd --permanent --add-rich-rule="rule family=\"ipv6\" source address=\"${VPN_SUBNET_IPV6}/112\" accept"
+		fi
+
+		run_cmd "Reloading firewalld" firewall-cmd --reload
+	elif systemctl is-active --quiet nftables; then
+		# Use nftables native rules for systems with nftables active
+		log_info "nftables detected, configuring nftables rules..."
+		run_cmd_fatal "Creating nftables directory" mkdir -p /etc/nftables
+
+		# Create nftables rules file
+		{
+			echo "table inet openvpn {"
+			echo "	chain input {"
+			echo "		type filter hook input priority 0; policy accept;"
+			if [[ $CLIENT_IPV4 == 'y' ]]; then
+				echo "		iifname \"tun*\" ip saddr $VPN_SUBNET_IPV4/24 accept"
+			fi
+			if [[ $CLIENT_IPV6 == 'y' ]]; then
+				echo "		iifname \"tun*\" ip6 saddr ${VPN_SUBNET_IPV6}/112 accept"
+			fi
+			echo "		iifname \"$NIC\" $PROTOCOL dport $PORT accept"
+			echo "	}"
+			echo ""
+			echo "	chain forward {"
+			echo "		type filter hook forward priority 0; policy accept;"
+			if [[ $CLIENT_IPV4 == 'y' ]]; then
+				echo "		iifname \"tun*\" ip saddr $VPN_SUBNET_IPV4/24 accept"
+				echo "		oifname \"tun*\" ip daddr $VPN_SUBNET_IPV4/24 accept"
+			fi
+			if [[ $CLIENT_IPV6 == 'y' ]]; then
+				echo "		iifname \"tun*\" ip6 saddr ${VPN_SUBNET_IPV6}/112 accept"
+				echo "		oifname \"tun*\" ip6 daddr ${VPN_SUBNET_IPV6}/112 accept"
+			fi
+			echo "	}"
+			echo "}"
+		} >/etc/nftables/openvpn.nft
+
+		# IPv4 NAT rules (only if clients get IPv4)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo "
+table ip openvpn-nat {
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip saddr $VPN_SUBNET_IPV4/24 oifname \"$NIC\" masquerade
+	}
+}" >>/etc/nftables/openvpn.nft
+		fi
+
+		# IPv6 NAT rules (only if clients get IPv6)
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo "
+table ip6 openvpn-nat {
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip6 saddr ${VPN_SUBNET_IPV6}/112 oifname \"$NIC\" masquerade
+	}
+}" >>/etc/nftables/openvpn.nft
+		fi
+
+		# Add include to nftables.conf if not already present
+		if ! grep -q 'include.*/etc/nftables/openvpn.nft' /etc/nftables.conf; then
+			run_cmd "Adding include to nftables.conf" sh -c 'echo "include \"/etc/nftables/openvpn.nft\"" >> /etc/nftables.conf'
+		fi
+
+		# Reload nftables to apply rules
+		run_cmd "Reloading nftables" systemctl reload nftables
+	else
+		# Use iptables for systems without firewalld or nftables
+		run_cmd_fatal "Creating iptables directory" mkdir -p /etc/iptables
+
+		# Script to add rules
+		echo "#!/bin/sh" >/etc/iptables/add-openvpn-rules.sh
+
+		# IPv4 rules (only if clients get IPv4)
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo "iptables -t nat -I POSTROUTING 1 -s $VPN_SUBNET_IPV4/24 -o $NIC -j MASQUERADE
+iptables -I INPUT 1 -i tun+ -s $VPN_SUBNET_IPV4/24 -j ACCEPT
+iptables -I FORWARD 1 -i tun+ -s $VPN_SUBNET_IPV4/24 -j ACCEPT
+iptables -I FORWARD 1 -o tun+ -d $VPN_SUBNET_IPV4/24 -j ACCEPT
+iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
+		fi
+
+		# IPv6 rules (only if clients get IPv6)
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo "ip6tables -t nat -I POSTROUTING 1 -s ${VPN_SUBNET_IPV6}/112 -o $NIC -j MASQUERADE
+ip6tables -I INPUT 1 -i tun+ -s ${VPN_SUBNET_IPV6}/112 -j ACCEPT
+ip6tables -I FORWARD 1 -i tun+ -s ${VPN_SUBNET_IPV6}/112 -j ACCEPT
+ip6tables -I FORWARD 1 -o tun+ -d ${VPN_SUBNET_IPV6}/112 -j ACCEPT
+ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
+		fi
+
+		# Script to remove rules
+		echo "#!/bin/sh" >/etc/iptables/rm-openvpn-rules.sh
+
+		# IPv4 removal rules
+		if [[ $CLIENT_IPV4 == 'y' ]]; then
+			echo "iptables -t nat -D POSTROUTING -s $VPN_SUBNET_IPV4/24 -o $NIC -j MASQUERADE
+iptables -D INPUT -i tun+ -s $VPN_SUBNET_IPV4/24 -j ACCEPT
+iptables -D FORWARD -i tun+ -s $VPN_SUBNET_IPV4/24 -j ACCEPT
+iptables -D FORWARD -o tun+ -d $VPN_SUBNET_IPV4/24 -j ACCEPT
+iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
+		fi
+
+		# IPv6 removal rules
+		if [[ $CLIENT_IPV6 == 'y' ]]; then
+			echo "ip6tables -t nat -D POSTROUTING -s ${VPN_SUBNET_IPV6}/112 -o $NIC -j MASQUERADE
+ip6tables -D INPUT -i tun+ -s ${VPN_SUBNET_IPV6}/112 -j ACCEPT
+ip6tables -D FORWARD -i tun+ -s ${VPN_SUBNET_IPV6}/112 -j ACCEPT
+ip6tables -D FORWARD -o tun+ -d ${VPN_SUBNET_IPV6}/112 -j ACCEPT
+ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
+		fi
+
+		run_cmd "Making add-openvpn-rules.sh executable" chmod +x /etc/iptables/add-openvpn-rules.sh
+		run_cmd "Making rm-openvpn-rules.sh executable" chmod +x /etc/iptables/rm-openvpn-rules.sh
+
+		# Handle the rules via a systemd script
+		echo "[Unit]
+Description=iptables rules for OpenVPN
+After=firewalld.service
+Before=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/iptables/add-openvpn-rules.sh
+ExecStop=/etc/iptables/rm-openvpn-rules.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
+
+		# Enable service and apply rules
+		run_cmd "Reloading systemd" systemctl daemon-reload
+		run_cmd "Enabling iptables service" systemctl enable iptables-openvpn
+		run_cmd "Starting iptables service" systemctl start iptables-openvpn
+	fi
+
+	# If the server is behind a NAT, use the correct IP address for the clients to connect to
+	if [[ $ENDPOINT != "" ]]; then
+		IP=$ENDPOINT
+	fi
+
+	# client-template.txt is created so we have a template to add further users later
+	log_info "Creating client template..."
+	echo "client" >/etc/openvpn/server/client-template.txt
+	if [[ $PROTOCOL == 'udp' ]]; then
+		echo "proto udp" >>/etc/openvpn/server/client-template.txt
+		echo "explicit-exit-notify" >>/etc/openvpn/server/client-template.txt
+	elif [[ $PROTOCOL == 'udp6' ]]; then
+		echo "proto udp6" >>/etc/openvpn/server/client-template.txt
+		echo "explicit-exit-notify" >>/etc/openvpn/server/client-template.txt
+	elif [[ $PROTOCOL == 'tcp' ]]; then
+		echo "proto tcp-client" >>/etc/openvpn/server/client-template.txt
+	elif [[ $PROTOCOL == 'tcp6' ]]; then
+		echo "proto tcp6-client" >>/etc/openvpn/server/client-template.txt
+	fi
+	# Common client template options
+	# PKI mode adds remote-cert-tls and verify-x509-name
+	# Fingerprint mode adds peer-fingerprint when generating client config
+	{
+		echo "remote $IP $PORT
+dev tun
+resolv-retry infinite
+nobind
+persist-key
+persist-tun"
+		[[ $AUTH_MODE == "pki" ]] && echo "remote-cert-tls server
+verify-x509-name $SERVER_NAME name"
+		echo "auth $HMAC_ALG
+auth-nocache
+cipher $CIPHER
+ignore-unknown-option data-ciphers
+data-ciphers $CIPHER
+ncp-ciphers $CIPHER
+tls-client
+tls-version-min $TLS_VERSION_MIN
+tls-cipher $CC_CIPHER
+tls-ciphersuites $TLS13_CIPHERSUITES
+ignore-unknown-option block-outside-dns
+setenv opt block-outside-dns # Prevent Windows 10 DNS leak
+verb 3"
+	} >>/etc/openvpn/server/client-template.txt
+
+	if [[ -n $MTU ]]; then
+		echo "tun-mtu $MTU" >>/etc/openvpn/server/client-template.txt
+	fi
+
+	# Generate the custom client.ovpn
+	if [[ $NEW_CLIENT == "n" ]]; then
+		if [[ $AUTH_MODE == "fingerprint" ]]; then
+			log_info "No clients added. OpenVPN will not start until you add at least one client."
+		else
+			log_info "No clients added. To add clients, simply run the script again."
+		fi
+	else
+		log_info "Generating first client certificate..."
+		newClient
+		# In fingerprint mode, start service now that we have at least one fingerprint
+		if [[ $AUTH_MODE == "fingerprint" ]]; then
+			run_cmd "Starting OpenVPN service" systemctl restart openvpn-server@server
+		fi
+		log_success "If you want to add more clients, you simply need to run this script another time!"
+	fi
+}
+
+# Helper function to get the home directory for storing client configs
+function getHomeDir() {
+	local client="$1"
+	if [ -d "/home/${client}" ]; then
+		echo "/home/${client}"
+	elif [ "${SUDO_USER}" ]; then
+		if [ "${SUDO_USER}" == "root" ]; then
+			echo "/root"
+		else
+			echo "/home/${SUDO_USER}"
+		fi
+	else
+		echo "/root"
+	fi
+}
+
+# Helper function to get the owner of a client config file (if client matches a system user)
+function getClientOwner() {
+	local client="$1"
+	# Check if client name corresponds to an existing system user with a home directory
+	if id "$client" &>/dev/null && [ -d "/home/${client}" ]; then
+		echo "${client}"
+	elif [ "${SUDO_USER}" ] && [ "${SUDO_USER}" != "root" ]; then
+		echo "${SUDO_USER}"
+	fi
+}
+
+# Helper function to set proper ownership and permissions on client config file
+function setClientConfigPermissions() {
+	local filepath="$1"
+	local owner="$2"
+
+	if [[ -n "$owner" ]]; then
+		local owner_group
+		owner_group=$(id -gn "$owner")
+		chmod go-rw "$filepath"
+		chown "$owner:$owner_group" "$filepath"
+	fi
+}
+
+# Helper function to write client config file with proper path and permissions
+# Usage: writeClientConfig <client_name>
+# Uses CLIENT_FILEPATH env var if set, otherwise defaults to home directory
+# Side effects: sets GENERATED_CONFIG_PATH global variable with the final path
+function writeClientConfig() {
+	local client="$1"
+	local clientFilePath
+
+	# Determine output file path
+	if [[ -n "$CLIENT_FILEPATH" ]]; then
+		clientFilePath="$CLIENT_FILEPATH"
+		# Ensure parent directory exists for custom paths
+		local parentDir
+		parentDir=$(dirname "$clientFilePath")
+		if [[ ! -d "$parentDir" ]]; then
+			run_cmd_fatal "Creating directory $parentDir" mkdir -p "$parentDir"
+		fi
+	else
+		local homeDir
+		homeDir=$(getHomeDir "$client")
+		clientFilePath="$homeDir/$client.ovpn"
+	fi
+
+	# Generate the .ovpn config file
+	generateClientConfig "$client" "$clientFilePath"
+
+	# Set proper ownership and permissions if client matches a system user
+	local clientOwner
+	clientOwner=$(getClientOwner "$client")
+	setClientConfigPermissions "$clientFilePath" "$clientOwner"
+
+	# Export path for caller to use
+	GENERATED_CONFIG_PATH="$clientFilePath"
+}
+
+# Helper function to regenerate the CRL after certificate changes
+function regenerateCRL() {
+	export EASYRSA_CRL_DAYS=$DEFAULT_CRL_VALIDITY_DURATION_DAYS
+	run_cmd_fatal "Regenerating CRL" ./easyrsa gen-crl
+	run_cmd "Removing old CRL" rm -f /etc/openvpn/server/crl.pem
+	run_cmd_fatal "Copying new CRL" cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
+	run_cmd "Setting CRL permissions" chmod 644 /etc/openvpn/server/crl.pem
+}
+
+# Helper function to generate .ovpn client config file
+# Usage: generateClientConfig <client_name> <filepath>
+function generateClientConfig() {
+	local client="$1"
+	local filepath="$2"
+
+	# Read auth mode
+	local auth_mode="pki"
+	if [[ -f /etc/openvpn/server/easy-rsa/AUTH_MODE_GENERATED ]]; then
+		auth_mode=$(cat /etc/openvpn/server/easy-rsa/AUTH_MODE_GENERATED)
+	fi
+
+	# Determine if we use tls-crypt-v2, tls-crypt, or tls-auth
+	local tls_sig=""
+	if grep -qs "^tls-crypt-v2" /etc/openvpn/server/server.conf; then
+		tls_sig="1"
+	elif grep -qs "^tls-crypt" /etc/openvpn/server/server.conf; then
+		tls_sig="2"
+	elif grep -qs "^tls-auth" /etc/openvpn/server/server.conf; then
+		tls_sig="3"
+	fi
+
+	# Generate the custom client.ovpn
+	run_cmd "Creating client config" cp /etc/openvpn/server/client-template.txt "$filepath"
+	{
+		if [[ $auth_mode == "pki" ]]; then
+			# PKI mode: include CA certificate
+			echo "<ca>"
+			cat "/etc/openvpn/server/easy-rsa/pki/ca.crt"
+			echo "</ca>"
+		else
+			# Fingerprint mode: use server fingerprint instead of CA
+			local server_fingerprint
+			if [[ ! -f /etc/openvpn/server/server-fingerprint ]]; then
+				log_error "Server fingerprint file not found"
+				exit 1
+			fi
+			server_fingerprint=$(cat /etc/openvpn/server/server-fingerprint)
+			if [[ -z $server_fingerprint ]]; then
+				log_error "Server fingerprint is empty"
+				exit 1
+			fi
+			echo "peer-fingerprint $server_fingerprint"
+		fi
+
+		echo "<cert>"
+		awk '/BEGIN/,/END CERTIFICATE/' "/etc/openvpn/server/easy-rsa/pki/issued/$client.crt"
+		echo "</cert>"
+
+		echo "<key>"
+		cat "/etc/openvpn/server/easy-rsa/pki/private/$client.key"
+		echo "</key>"
+
+		case $tls_sig in
+		1)
+			# Generate per-client tls-crypt-v2 key in /etc/openvpn/server/
+			# Using /tmp would fail on Ubuntu 25.04+ due to AppArmor restrictions
+			tls_crypt_v2_tmpfile=$(mktemp /etc/openvpn/server/tls-crypt-v2-client.XXXXXX)
+			if [[ -z "$tls_crypt_v2_tmpfile" ]] || [[ ! -f "$tls_crypt_v2_tmpfile" ]]; then
+				log_error "Failed to create temporary file for tls-crypt-v2 client key"
+				exit 1
+			fi
+			if ! openvpn --tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2.key \
+				--genkey tls-crypt-v2-client "$tls_crypt_v2_tmpfile"; then
+				rm -f "$tls_crypt_v2_tmpfile"
+				log_error "Failed to generate tls-crypt-v2 client key"
+				exit 1
+			fi
+			echo "<tls-crypt-v2>"
+			cat "$tls_crypt_v2_tmpfile"
+			echo "</tls-crypt-v2>"
+			rm -f "$tls_crypt_v2_tmpfile"
+			;;
+		2)
+			echo "<tls-crypt>"
+			cat /etc/openvpn/server/tls-crypt.key
+			echo "</tls-crypt>"
+			;;
+		3)
+			echo "key-direction 1"
+			echo "<tls-auth>"
+			cat /etc/openvpn/server/tls-auth.key
+			echo "</tls-auth>"
+			;;
+		esac
+	} >>"$filepath"
+}
+
+# Helper function to get the current auth mode
+# Returns: "pki" or "fingerprint"
+function getAuthMode() {
+	if [[ -f /etc/openvpn/server/easy-rsa/AUTH_MODE_GENERATED ]]; then
+		cat /etc/openvpn/server/easy-rsa/AUTH_MODE_GENERATED
+	else
+		echo "pki"
+	fi
+}
+
+# Helper function to get valid client names from server.conf fingerprint block
+# In fingerprint mode, clients are tracked via comments in the <peer-fingerprint> block
+# Format in server.conf:
+#   <peer-fingerprint>
+#   # client_name
+#   SHA256:fingerprint
+#   </peer-fingerprint>
+# Returns: newline-separated list of client names
+function getClientsFromFingerprints() {
+	local server_conf="/etc/openvpn/server/server.conf"
+	if [[ ! -f "$server_conf" ]]; then
+		return
+	fi
+	# Extract client names from comments in peer-fingerprint block
+	# Comments are in format "# client_name" on lines before fingerprints
+	sed -n '/<peer-fingerprint>/,/<\/peer-fingerprint>/p' "$server_conf" | grep "^# " | sed 's/^# //'
+}
+
+# Helper function to check if a client exists in fingerprint mode
+# Arguments: client_name
+# Returns: 0 if exists, 1 if not
+function clientExistsInFingerprints() {
+	local client_name="$1"
+	getClientsFromFingerprints | grep -qx "$client_name"
+}
+
+# Helper function to get certificate expiry info
+# Arguments: cert_file_path
+# Outputs: expiry_date|days_remaining (pipe-separated)
+function getCertExpiry() {
+	local cert_file="$1"
+	local expiry_date="unknown"
+	local days_remaining="null"
+
+	if [[ -f "$cert_file" ]]; then
+		local enddate
+		enddate=$(openssl x509 -enddate -noout -in "$cert_file" 2>/dev/null | cut -d= -f2)
+		if [[ -n "$enddate" ]]; then
+			local expiry_epoch
+			expiry_epoch=$(date -d "$enddate" +%s 2>/dev/null || date -j -f "%b %d %H:%M:%S %Y %Z" "$enddate" +%s 2>/dev/null)
+			if [[ -n "$expiry_epoch" ]]; then
+				expiry_date=$(date -d "@$expiry_epoch" +%Y-%m-%d 2>/dev/null || date -r "$expiry_epoch" +%Y-%m-%d 2>/dev/null)
+				local now_epoch
+				now_epoch=$(date +%s)
+				days_remaining=$(((expiry_epoch - now_epoch) / 86400))
+			fi
+		fi
+	fi
+	echo "$expiry_date|$days_remaining"
+}
+
+# Helper function to remove certificate files for regeneration
+# Arguments: name (client or server name)
+# Must be called from easy-rsa directory
+function removeCertFiles() {
+	local name="$1"
+	rm -f "pki/issued/$name.crt" "pki/private/$name.key" "pki/reqs/$name.req"
+}
+
+# Helper function to extract SHA256 fingerprint from certificate
+# Arguments: cert_file_path
+# Outputs: fingerprint string or empty on failure
+function extractFingerprint() {
+	local cert_file="$1"
+	openssl x509 -in "$cert_file" -fingerprint -sha256 -noout 2>/dev/null | cut -d'=' -f2
+}
+
+# Helper function to list valid clients and select one
+# Arguments: show_expiry (optional, "true" to show expiry info)
+# Sets global variables:
+#   CLIENT - the selected client name
+#   CLIENTNUMBER - the selected client number (1-based index)
+#   NUMBEROFCLIENTS - total count of valid clients
+function selectClient() {
+	local show_expiry="${1:-false}"
+	local client_number
+	local auth_mode
+	local clients_list
+
+	auth_mode=$(getAuthMode)
+
+	# Get list of valid clients based on auth mode
+	if [[ $auth_mode == "fingerprint" ]]; then
+		# Fingerprint mode: get clients from server.conf peer-fingerprint block
+		clients_list=$(getClientsFromFingerprints)
+		NUMBEROFCLIENTS=$(echo "$clients_list" | grep -c . || echo 0)
+	else
+		# PKI mode: get valid clients from index.txt
+		clients_list=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt 2>/dev/null | grep "^V" | cut -d '=' -f 2)
+		NUMBEROFCLIENTS=$(echo "$clients_list" | grep -c . || echo 0)
+	fi
+
+	if [[ $NUMBEROFCLIENTS == '0' ]]; then
+		log_fatal "You have no existing clients!"
+	fi
+
+	# If CLIENT is set, validate it exists as a valid client
+	if [[ -n $CLIENT ]]; then
+		if echo "$clients_list" | grep -qx "$CLIENT"; then
+			return
+		else
+			log_fatal "Client '$CLIENT' not found or not valid"
+		fi
+	fi
+
+	# Display client list
+	if [[ $show_expiry == "true" ]]; then
+		local i=1
+		while read -r client; do
+			local client_cert="/etc/openvpn/server/easy-rsa/pki/issued/$client.crt"
+			local days
+			days=$(getDaysUntilExpiry "$client_cert")
+			local expiry
+			expiry=$(formatExpiry "$days")
+			echo "     $i) $client $expiry"
+			((i++))
+		done <<<"$clients_list"
+	else
+		echo "$clients_list" | nl -s ') '
+	fi
+
+	# Prompt for selection
+	until [[ ${CLIENTNUMBER:-$client_number} -ge 1 && ${CLIENTNUMBER:-$client_number} -le $NUMBEROFCLIENTS ]]; do
+		if [[ $NUMBEROFCLIENTS == '1' ]]; then
+			read -rp "Select one client [1]: " client_number
+		else
+			read -rp "Select one client [1-$NUMBEROFCLIENTS]: " client_number
+		fi
+	done
+	CLIENTNUMBER="${CLIENTNUMBER:-$client_number}"
+	CLIENT=$(echo "$clients_list" | sed -n "${CLIENTNUMBER}p")
+}
+
+# Escape a string for JSON output
+function json_escape() {
+	local str="$1"
+	# Escape backslashes first, then quotes, then control characters
+	str="${str//\\/\\\\}"
+	str="${str//\"/\\\"}"
+	str="${str//$'\n'/\\n}"
+	str="${str//$'\r'/\\r}"
+	str="${str//$'\t'/\\t}"
+	printf '%s' "$str"
+}
+
+function listClients() {
+	local index_file="/etc/openvpn/server/easy-rsa/pki/index.txt"
+	local cert_dir="/etc/openvpn/server/easy-rsa/pki/issued"
+	local number_of_clients
+	local format="${OUTPUT_FORMAT:-table}"
+	local auth_mode
+
+	auth_mode=$(getAuthMode)
+
+	# Collect client data based on auth mode
+	local clients_data=()
+
+	if [[ $auth_mode == "fingerprint" ]]; then
+		# Fingerprint mode: get clients from certificates in pki/issued/
+		# Valid clients have their fingerprint in server.conf, revoked ones don't
+		local valid_clients
+		valid_clients=$(getClientsFromFingerprints)
+
+		# Get all client certificates (exclude server certs)
+		local all_clients=()
+		for cert_file in "$cert_dir"/*.crt; do
+			[[ ! -f "$cert_file" ]] && continue
+			local client_name
+			client_name=$(basename "$cert_file" .crt)
+			# Skip server certificates and backup files
+			[[ "$client_name" == server_* ]] && continue
+			[[ "$client_name" == *.bak ]] && continue
+			all_clients+=("$client_name")
+		done
+
+		number_of_clients=${#all_clients[@]}
+
+		if [[ $number_of_clients == '0' ]]; then
+			if [[ $format == "json" ]]; then
+				echo '{"clients":[]}'
+			else
+				log_warn "You have no existing client certificates!"
+			fi
+			return
+		fi
+
+		for client_name in "${all_clients[@]}"; do
+			[[ -z "$client_name" ]] && continue
+			local status_text
+			# Check if client is in the valid fingerprints list
+			if echo "$valid_clients" | grep -qx "$client_name"; then
+				status_text="valid"
+			else
+				status_text="revoked"
+			fi
+			local expiry_info
+			expiry_info=$(getCertExpiry "$cert_dir/$client_name.crt")
+			clients_data+=("$client_name|$status_text|$expiry_info")
+		done
+	else
+		# PKI mode: get clients from index.txt
+		# Exclude server certificates (CN starting with server_)
+		number_of_clients=$(tail -n +2 "$index_file" 2>/dev/null | grep "^[VR]" | grep -cv "/CN=server_" || echo 0)
+
+		if [[ $number_of_clients == '0' ]]; then
+			if [[ $format == "json" ]]; then
+				echo '{"clients":[]}'
+			else
+				log_warn "You have no existing client certificates!"
+			fi
+			return
+		fi
+
+		while read -r line; do
+			local status="${line:0:1}"
+			local client_name
+			client_name=$(echo "$line" | sed 's/.*\/CN=//')
+
+			local status_text
+			if [[ "$status" == "V" ]]; then
+				status_text="valid"
+			elif [[ "$status" == "R" ]]; then
+				status_text="revoked"
+			else
+				status_text="unknown"
+			fi
+
+			local expiry_info
+			expiry_info=$(getCertExpiry "$cert_dir/$client_name.crt")
+			clients_data+=("$client_name|$status_text|$expiry_info")
+		done < <(tail -n +2 "$index_file" | grep "^[VR]" | grep -v "/CN=server_" | sort -t$'\t' -k2)
+	fi
+
+	if [[ $format == "json" ]]; then
+		# Output JSON
+		echo '{"clients":['
+		local first=true
+		for client_entry in "${clients_data[@]}"; do
+			IFS='|' read -r name status expiry days <<<"$client_entry"
+			[[ $first == true ]] && first=false || printf ','
+			# Handle null for days_remaining (no quotes for JSON null)
+			local days_json
+			if [[ "$days" == "null" || -z "$days" ]]; then
+				days_json="null"
+			else
+				days_json="$days"
+			fi
+			printf '{"name":"%s","status":"%s","expiry":"%s","days_remaining":%s}\n' \
+				"$(json_escape "$name")" "$(json_escape "$status")" "$(json_escape "$expiry")" "$days_json"
+		done
+		echo ']}'
+	else
+		# Output table
+		log_header "Client Certificates"
+		log_info "Found $number_of_clients client certificate(s)"
+		log_menu ""
+		printf "   %-25s %-10s %-12s %s\n" "Name" "Status" "Expiry" "Remaining"
+		printf "   %-25s %-10s %-12s %s\n" "----" "------" "------" "---------"
+
+		for client_entry in "${clients_data[@]}"; do
+			IFS='|' read -r name status expiry days <<<"$client_entry"
+			local relative
+			if [[ $days == "null" ]]; then
+				relative="unknown"
+			elif [[ $days -lt 0 ]]; then
+				relative="$((-days)) days ago"
+			elif [[ $days -eq 0 ]]; then
+				relative="today"
+			elif [[ $days -eq 1 ]]; then
+				relative="1 day"
+			else
+				relative="$days days"
+			fi
+			# Capitalize status for table display
+			local status_display="${status^}"
+			printf "   %-25s %-10s %-12s %s\n" "$name" "$status_display" "$expiry" "$relative"
+		done
+		log_menu ""
+	fi
+}
+
+function formatBytes() {
+	local bytes=$1
+	# Validate input is numeric
+	if ! [[ "$bytes" =~ ^[0-9]+$ ]]; then
+		echo "N/A"
+		return
+	fi
+	if [[ $bytes -ge 1073741824 ]]; then
+		awk "BEGIN {printf \"%.1fG\", $bytes/1073741824}"
+	elif [[ $bytes -ge 1048576 ]]; then
+		awk "BEGIN {printf \"%.1fM\", $bytes/1048576}"
+	elif [[ $bytes -ge 1024 ]]; then
+		awk "BEGIN {printf \"%.1fK\", $bytes/1024}"
+	else
+		echo "${bytes}B"
+	fi
+}
+
+function listConnectedClients() {
+	local status_file="/var/log/openvpn/status.log"
+	local format="${OUTPUT_FORMAT:-table}"
+
+	if [[ ! -f "$status_file" ]]; then
+		if [[ $format == "json" ]]; then
+			echo '{"error":"Status file not found","clients":[]}'
+		else
+			log_warn "Status file not found: $status_file"
+			log_info "Make sure OpenVPN is running."
+		fi
+		return
+	fi
+
+	local client_count
+	client_count=$(grep -c "^CLIENT_LIST" "$status_file" 2>/dev/null) || client_count=0
+
+	if [[ "$client_count" -eq 0 ]]; then
+		if [[ $format == "json" ]]; then
+			echo '{"clients":[]}'
+		else
+			log_header "Connected Clients"
+			log_info "No clients currently connected."
+			log_info "Note: Data refreshes every 60 seconds."
+		fi
+		return
+	fi
+
+	# Collect client data
+	local clients_data=()
+	while IFS=',' read -r _ name real_addr vpn_ip _ bytes_recv bytes_sent connected_since _; do
+		clients_data+=("$name|$real_addr|$vpn_ip|$bytes_recv|$bytes_sent|$connected_since")
+	done < <(grep "^CLIENT_LIST" "$status_file")
+
+	if [[ $format == "json" ]]; then
+		echo '{"clients":['
+		local first=true
+		for client_entry in "${clients_data[@]}"; do
+			IFS='|' read -r name real_addr vpn_ip bytes_recv bytes_sent connected_since <<<"$client_entry"
+			[[ $first == true ]] && first=false || printf ','
+			printf '{"name":"%s","real_address":"%s","vpn_ip":"%s","bytes_received":%s,"bytes_sent":%s,"connected_since":"%s"}\n' \
+				"$(json_escape "$name")" "$(json_escape "$real_addr")" "$(json_escape "$vpn_ip")" \
+				"${bytes_recv:-0}" "${bytes_sent:-0}" "$(json_escape "$connected_since")"
+		done
+		echo ']}'
+	else
+		log_header "Connected Clients"
+		log_info "Found $client_count connected client(s)"
+		log_menu ""
+		printf "   %-20s %-22s %-16s %-20s %s\n" "Name" "Real Address" "VPN IP" "Connected Since" "Transfer"
+		printf "   %-20s %-22s %-16s %-20s %s\n" "----" "------------" "------" "---------------" "--------"
+
+		for client_entry in "${clients_data[@]}"; do
+			IFS='|' read -r name real_addr vpn_ip bytes_recv bytes_sent connected_since <<<"$client_entry"
+			local recv_human sent_human
+			recv_human=$(formatBytes "$bytes_recv")
+			sent_human=$(formatBytes "$bytes_sent")
+			local transfer="↓${recv_human} ↑${sent_human}"
+			printf "   %-20s %-22s %-16s %-20s %s\n" "$name" "$real_addr" "$vpn_ip" "$connected_since" "$transfer"
+		done
+		log_menu ""
+		log_info "Note: Data refreshes every 60 seconds."
+	fi
+}
+
+function newClient() {
+	log_header "New Client Setup"
+
+	# Only prompt for client name if not already set or invalid
+	if ! is_valid_client_name "$CLIENT"; then
+		log_prompt "Tell me a name for the client."
+		log_prompt "The name must consist of alphanumeric characters, underscores, or dashes (max $MAX_CLIENT_NAME_LENGTH characters)."
+		until is_valid_client_name "$CLIENT"; do
+			read -rp "Client name: " -e CLIENT
+		done
+	fi
+
+	# Only prompt for cert duration if not already set
+	if [[ -z $CLIENT_CERT_DURATION_DAYS ]] || ! [[ $CLIENT_CERT_DURATION_DAYS =~ ^[0-9]+$ ]] || [[ $CLIENT_CERT_DURATION_DAYS -lt 1 ]]; then
+		log_menu ""
+		log_prompt "How many days should the client certificate be valid for?"
+		until [[ $CLIENT_CERT_DURATION_DAYS =~ ^[0-9]+$ ]] && [[ $CLIENT_CERT_DURATION_DAYS -ge 1 ]]; do
+			read -rp "Certificate validity (days): " -e -i $DEFAULT_CERT_VALIDITY_DURATION_DAYS CLIENT_CERT_DURATION_DAYS
+		done
+	fi
+
+	# Only prompt for password if not already set
+	if ! [[ $PASS =~ ^[1-2]$ ]]; then
+		log_menu ""
+		log_prompt "Do you want to protect the configuration file with a password?"
+		log_prompt "(e.g. encrypt the private key with a password)"
+		log_menu "   1) Add a passwordless client"
+		log_menu "   2) Use a password for the client"
+		until [[ $PASS =~ ^[1-2]$ ]]; do
+			read -rp "Select an option [1-2]: " -e -i 1 PASS
+		done
+	fi
+
+	cd /etc/openvpn/server/easy-rsa/ || return
+
+	# Read auth mode
+	if [[ -f AUTH_MODE_GENERATED ]]; then
+		AUTH_MODE=$(cat AUTH_MODE_GENERATED)
+	else
+		AUTH_MODE="pki"
+	fi
+
+	# Check if client already exists
+	local CLIENTEXISTS=0
+	if [[ $AUTH_MODE == "fingerprint" ]]; then
+		# Fingerprint mode: check server.conf peer-fingerprint block
+		if clientExistsInFingerprints "$CLIENT"; then
+			CLIENTEXISTS=1
+		fi
+	else
+		# PKI mode: check index.txt
+		if [[ -f pki/index.txt ]]; then
+			CLIENTEXISTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -E "^V" | grep -c -E "/CN=$CLIENT\$")
+		fi
+	fi
+
+	if [[ $CLIENTEXISTS != '0' ]]; then
+		log_error "The specified client CN was already found, please choose another name."
+		exit 1
+	fi
+
+	# In fingerprint mode, clean up any revoked cert files so we can reuse the name
+	if [[ $AUTH_MODE == "fingerprint" ]] && [[ -f "pki/issued/$CLIENT.crt" ]]; then
+		log_info "Removing old revoked certificate files for $CLIENT..."
+		removeCertFiles "$CLIENT"
+	fi
+
+	log_info "Generating client certificate..."
+	export EASYRSA_CERT_EXPIRE=$CLIENT_CERT_DURATION_DAYS
+
+	# Determine easyrsa command based on auth mode
+	local easyrsa_cmd cert_desc
+	if [[ $AUTH_MODE == "pki" ]]; then
+		easyrsa_cmd="build-client-full"
+		cert_desc="client certificate"
+	else
+		easyrsa_cmd="self-sign-client"
+		cert_desc="self-signed client certificate"
+	fi
+
+	case $PASS in
+	1)
+		run_cmd_fatal "Building $cert_desc" ./easyrsa --batch "$easyrsa_cmd" "$CLIENT" nopass
+		;;
+	2)
+		if [[ -z "$PASSPHRASE" ]]; then
+			log_warn "You will be asked for the client password below"
+			if ! ./easyrsa --batch "$easyrsa_cmd" "$CLIENT"; then
+				log_fatal "Building $cert_desc failed"
+			fi
+		else
+			log_info "Using provided passphrase for client certificate"
+			export EASYRSA_PASSPHRASE="$PASSPHRASE"
+			run_cmd_fatal "Building $cert_desc" ./easyrsa --batch --passin=env:EASYRSA_PASSPHRASE --passout=env:EASYRSA_PASSPHRASE "$easyrsa_cmd" "$CLIENT"
+			unset EASYRSA_PASSPHRASE
+		fi
+		;;
+	esac
+
+	# Fingerprint mode: register client fingerprint with server
+	if [[ $AUTH_MODE == "fingerprint" ]]; then
+		CLIENT_FINGERPRINT=$(openssl x509 -in "pki/issued/$CLIENT.crt" -fingerprint -sha256 -noout | cut -d'=' -f2)
+		if [[ -z $CLIENT_FINGERPRINT ]]; then
+			log_error "Failed to extract client certificate fingerprint"
+			exit 1
+		fi
+		log_info "Client fingerprint: $CLIENT_FINGERPRINT"
+
+		# Add fingerprint to server.conf's <peer-fingerprint> block
+		# Create the block if this is the first client
+		if ! grep -q '<peer-fingerprint>' /etc/openvpn/server/server.conf; then
+			echo "# Client fingerprints are listed below
+<peer-fingerprint>
+# $CLIENT
+$CLIENT_FINGERPRINT
+</peer-fingerprint>" >>/etc/openvpn/server/server.conf
+		else
+			# Insert comment and fingerprint before closing tag
+			sed -i "/<\/peer-fingerprint>/i # $CLIENT\n$CLIENT_FINGERPRINT" /etc/openvpn/server/server.conf
+		fi
+
+		# Reload OpenVPN to pick up new fingerprint
+		log_info "Reloading OpenVPN to apply new fingerprint..."
+		if systemctl is-active --quiet openvpn-server@server; then
+			systemctl reload openvpn-server@server 2>/dev/null || systemctl restart openvpn-server@server
+		fi
+	fi
+
+	log_success "Client $CLIENT added and is valid for $CLIENT_CERT_DURATION_DAYS days."
+
+	# Write the .ovpn config file with proper path and permissions
+	writeClientConfig "$CLIENT"
+
+	log_menu ""
+	log_success "The configuration file has been written to $GENERATED_CONFIG_PATH."
+	log_info "Download the .ovpn file and import it in your OpenVPN client."
+}
+
+function revokeClient() {
+	log_header "Revoke Client"
+	log_prompt "Select the existing client certificate you want to revoke"
+	selectClient
+
+	cd /etc/openvpn/server/easy-rsa/ || return
+
+	# Read auth mode
+	local auth_mode="pki"
+	if [[ -f AUTH_MODE_GENERATED ]]; then
+		auth_mode=$(cat AUTH_MODE_GENERATED)
+	fi
+
+	log_info "Revoking certificate for $CLIENT..."
+
+	if [[ $auth_mode == "pki" ]]; then
+		# PKI mode: use Easy-RSA revocation and CRL
+		run_cmd_fatal "Revoking certificate" ./easyrsa --batch revoke-issued "$CLIENT"
+		regenerateCRL
+		run_cmd "Backing up index" cp /etc/openvpn/server/easy-rsa/pki/index.txt{,.bk}
+	else
+		# Fingerprint mode: remove fingerprint from server.conf
+		# Keep cert files so revoked clients appear in client list
+		log_info "Removing client fingerprint from server configuration..."
+
+		# Remove comment line and fingerprint line below it from server.conf
+		sed -i "/^# $CLIENT\$/{N;d;}" /etc/openvpn/server/server.conf
+
+		# Reload OpenVPN to apply fingerprint removal
+		log_info "Reloading OpenVPN to apply fingerprint removal..."
+		if systemctl is-active --quiet openvpn-server@server; then
+			systemctl reload openvpn-server@server 2>/dev/null || systemctl restart openvpn-server@server
+		fi
+	fi
+
+	run_cmd "Removing client config from /home" find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
+	run_cmd "Removing client config from /root" rm -f "/root/$CLIENT.ovpn"
+	run_cmd "Removing IP assignment" sed -i "/^$CLIENT,.*/d" /etc/openvpn/server/ipp.txt
+
+	# Disconnect the client if currently connected
+	disconnectClient "$CLIENT"
+
+	log_success "Certificate for client $CLIENT revoked."
+}
+
+# Disconnect a client via the management interface
+function disconnectClient() {
+	local client_name="$1"
+	local mgmt_socket="/var/run/openvpn-server/server.sock"
+
+	if [[ ! -S "$mgmt_socket" ]]; then
+		log_warn "Management socket not found. Client may still be connected until they reconnect."
+		return 0
+	fi
+
+	log_info "Disconnecting client $client_name..."
+	if echo "kill $client_name" | socat - UNIX-CONNECT:"$mgmt_socket" >/dev/null 2>&1; then
+		log_success "Client $client_name disconnected."
+	else
+		log_warn "Could not disconnect client (they may not be connected)."
+	fi
+}
+
+function renewClient() {
+	local client_cert_duration_days
+	local auth_mode
+
+	log_header "Renew Client Certificate"
+	log_prompt "Select the existing client certificate you want to renew"
+	selectClient "true"
+
+	# Allow user to specify renewal duration (use CLIENT_CERT_DURATION_DAYS env var for headless mode)
+	if [[ -z $CLIENT_CERT_DURATION_DAYS ]] || ! [[ $CLIENT_CERT_DURATION_DAYS =~ ^[0-9]+$ ]] || [[ $CLIENT_CERT_DURATION_DAYS -lt 1 ]]; then
+		log_menu ""
+		log_prompt "How many days should the renewed certificate be valid for?"
+		until [[ $client_cert_duration_days =~ ^[0-9]+$ ]] && [[ $client_cert_duration_days -ge 1 ]]; do
+			read -rp "Certificate validity (days): " -e -i $DEFAULT_CERT_VALIDITY_DURATION_DAYS client_cert_duration_days
+		done
+	else
+		client_cert_duration_days=$CLIENT_CERT_DURATION_DAYS
+	fi
+
+	cd /etc/openvpn/server/easy-rsa/ || return
+	auth_mode=$(getAuthMode)
+	log_info "Renewing certificate for $CLIENT..."
+
+	# Backup the old certificate before renewal
+	run_cmd "Backing up old certificate" cp "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT.crt" "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT.crt.bak"
+
+	export EASYRSA_CERT_EXPIRE=$client_cert_duration_days
+
+	if [[ $auth_mode == "fingerprint" ]]; then
+		# Fingerprint mode: delete old cert, generate new self-signed, update fingerprint
+		removeCertFiles "$CLIENT"
+		run_cmd_fatal "Generating new certificate" ./easyrsa --batch self-sign-client "$CLIENT" nopass
+
+		local new_fingerprint
+		new_fingerprint=$(extractFingerprint "pki/issued/$CLIENT.crt")
+		if [[ -z "$new_fingerprint" ]]; then
+			log_fatal "Failed to extract new certificate fingerprint"
+		fi
+		log_info "New fingerprint: $new_fingerprint"
+
+		# Update fingerprint in server.conf (comment line followed by fingerprint)
+		if grep -q "^# $CLIENT\$" /etc/openvpn/server/server.conf; then
+			sed -i "/^# $CLIENT\$/{n;s/.*/$new_fingerprint/}" /etc/openvpn/server/server.conf
+		else
+			log_fatal "Client fingerprint entry not found in server.conf"
+		fi
+
+		# Reload OpenVPN to apply new fingerprint
+		if systemctl is-active --quiet openvpn-server@server; then
+			systemctl reload openvpn-server@server 2>/dev/null || systemctl restart openvpn-server@server
+		fi
+	else
+		# PKI mode: use easyrsa renew
+		run_cmd_fatal "Renewing certificate" ./easyrsa --batch renew "$CLIENT"
+
+		# Revoke the old certificate
+		run_cmd_fatal "Revoking old certificate" ./easyrsa --batch revoke-renewed "$CLIENT"
+
+		# Regenerate the CRL
+		regenerateCRL
+	fi
+
+	# Write the .ovpn config file with proper path and permissions
+	writeClientConfig "$CLIENT"
+
+	log_menu ""
+	log_success "Certificate for client $CLIENT renewed and is valid for $client_cert_duration_days days."
+	log_info "The new configuration file has been written to $GENERATED_CONFIG_PATH."
+	log_info "Download the new .ovpn file and import it in your OpenVPN client."
+}
+
+function renewServer() {
+	local server_name server_cert_duration_days auth_mode
+
+	log_header "Renew Server Certificate"
+
+	# Determine auth mode
+	auth_mode=$(getAuthMode)
+
+	# Get the server name from the config (extract basename since path may be relative)
+	server_name=$(basename "$(grep '^cert ' /etc/openvpn/server/server.conf | cut -d ' ' -f 2)" .crt)
+	if [[ -z "$server_name" ]]; then
+		log_fatal "Could not determine server certificate name from /etc/openvpn/server/server.conf"
+	fi
+
+	log_prompt "This will renew the server certificate: $server_name"
+	log_warn "The OpenVPN service will be restarted after renewal."
+	if [[ "$auth_mode" == "fingerprint" ]]; then
+		log_warn "All client configurations will be regenerated with the new server fingerprint."
+	fi
+	if [[ -z $CONTINUE ]]; then
+		read -rp "Do you want to continue? [y/n]: " -e -i n CONTINUE
+	fi
+	if [[ $CONTINUE != "y" ]]; then
+		log_info "Renewal aborted."
+		return
+	fi
+
+	# Allow user to specify renewal duration (use SERVER_CERT_DURATION_DAYS env var for headless mode)
+	if [[ -z $SERVER_CERT_DURATION_DAYS ]] || ! [[ $SERVER_CERT_DURATION_DAYS =~ ^[0-9]+$ ]] || [[ $SERVER_CERT_DURATION_DAYS -lt 1 ]]; then
+		log_menu ""
+		log_prompt "How many days should the renewed certificate be valid for?"
+		until [[ $server_cert_duration_days =~ ^[0-9]+$ ]] && [[ $server_cert_duration_days -ge 1 ]]; do
+			read -rp "Certificate validity (days): " -e -i $DEFAULT_CERT_VALIDITY_DURATION_DAYS server_cert_duration_days
+		done
+	else
+		server_cert_duration_days=$SERVER_CERT_DURATION_DAYS
+	fi
+
+	cd /etc/openvpn/server/easy-rsa/ || return
+	log_info "Renewing server certificate..."
+
+	export EASYRSA_CERT_EXPIRE=$server_cert_duration_days
+
+	if [[ "$auth_mode" == "fingerprint" ]]; then
+		# Fingerprint mode: delete old cert, generate new self-signed, update fingerprint
+		run_cmd "Backing up old certificate" cp "pki/issued/$server_name.crt" "pki/issued/$server_name.crt.bak"
+		removeCertFiles "$server_name"
+		run_cmd_fatal "Generating new server certificate" ./easyrsa --batch self-sign-server "$server_name" nopass
+
+		local new_fingerprint
+		new_fingerprint=$(extractFingerprint "pki/issued/$server_name.crt")
+		if [[ -z "$new_fingerprint" ]]; then
+			log_fatal "Failed to extract new server certificate fingerprint"
+		fi
+		echo "$new_fingerprint" >/etc/openvpn/server/server-fingerprint
+		log_info "New server fingerprint: $new_fingerprint"
+
+		# Copy new cert and key, then regenerate client configs (they embed server fingerprint)
+		cp "pki/issued/$server_name.crt" "pki/private/$server_name.key" /etc/openvpn/server/
+		local client
+		for client in $(getClientsFromFingerprints); do
+			[[ -f "pki/issued/$client.crt" ]] && CLIENT="$client" writeClientConfig "$client"
+		done
+	else
+		# PKI mode: use standard easyrsa renew
+
+		# Backup the old certificate before renewal
+		run_cmd "Backing up old certificate" cp "/etc/openvpn/server/easy-rsa/pki/issued/$server_name.crt" "/etc/openvpn/server/easy-rsa/pki/issued/$server_name.crt.bak"
+
+		# Renew the certificate (keeps the same private key)
+		export EASYRSA_CERT_EXPIRE=$server_cert_duration_days
+		run_cmd_fatal "Renewing certificate" ./easyrsa --batch renew "$server_name"
+
+		# Revoke the old certificate
+		run_cmd_fatal "Revoking old certificate" ./easyrsa --batch revoke-renewed "$server_name"
+
+		# Regenerate the CRL
+		regenerateCRL
+
+		# Copy the new certificate to /etc/openvpn/server/
+		run_cmd_fatal "Copying new certificate" cp "/etc/openvpn/server/easy-rsa/pki/issued/$server_name.crt" /etc/openvpn/server/
+	fi
+
+	# Restart OpenVPN
+	log_info "Restarting OpenVPN service..."
+	run_cmd "Restarting OpenVPN" systemctl restart openvpn-server@server
+
+	log_success "Server certificate renewed successfully and is valid for $server_cert_duration_days days."
+}
+
+function getDaysUntilExpiry() {
+	local cert_file="$1"
+	if [[ -f "$cert_file" ]]; then
+		local expiry_date
+		expiry_date=$(openssl x509 -in "$cert_file" -noout -enddate | cut -d= -f2)
+		local expiry_epoch
+		expiry_epoch=$(date -d "$expiry_date" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$expiry_date" +%s 2>/dev/null)
+		if [[ -z "$expiry_epoch" ]]; then
+			echo "?"
+			return
+		fi
+		local now_epoch
+		now_epoch=$(date +%s)
+		echo $(((expiry_epoch - now_epoch) / 86400))
+	else
+		echo "?"
+	fi
+}
+
+function formatExpiry() {
+	local days="$1"
+	if [[ "$days" == "?" ]]; then
+		echo "(unknown expiry)"
+	elif [[ $days -lt 0 ]]; then
+		echo "(EXPIRED $((-days)) days ago)"
+	elif [[ $days -eq 0 ]]; then
+		echo "(expires today)"
+	elif [[ $days -eq 1 ]]; then
+		echo "(expires in 1 day)"
+	else
+		echo "(expires in $days days)"
+	fi
+}
+
+function renewMenu() {
+	local server_name server_cert server_days server_expiry renew_option
+
+	log_header "Certificate Renewal"
+
+	# Get server certificate expiry for menu display (extract basename since path may be relative)
+	server_name=$(basename "$(grep '^cert ' /etc/openvpn/server/server.conf | cut -d ' ' -f 2)" .crt)
+	if [[ -z "$server_name" ]]; then
+		server_expiry="(unknown expiry)"
+	else
+		server_cert="/etc/openvpn/server/easy-rsa/pki/issued/$server_name.crt"
+		server_days=$(getDaysUntilExpiry "$server_cert")
+		server_expiry=$(formatExpiry "$server_days")
+	fi
+
+	log_menu ""
+	log_prompt "What do you want to renew?"
+	log_menu "   1) Renew a client certificate"
+	log_menu "   2) Renew the server certificate $server_expiry"
+	log_menu "   3) Back to main menu"
+	until [[ ${RENEW_OPTION:-$renew_option} =~ ^[1-3]$ ]]; do
+		read -rp "Select an option [1-3]: " renew_option
+	done
+	renew_option="${RENEW_OPTION:-$renew_option}"
+
+	case $renew_option in
+	1)
+		renewClient
+		;;
+	2)
+		renewServer
+		;;
+	3)
+		manageMenu
+		;;
+	esac
+}
+
+function removeUnbound() {
+	run_cmd "Removing OpenVPN Unbound config" rm -f /etc/unbound/unbound.conf.d/openvpn.conf
+
+	# Clean up include directive if conf.d directory is now empty
+	if [[ -d /etc/unbound/unbound.conf.d ]] && [[ -z "$(ls -A /etc/unbound/unbound.conf.d)" ]]; then
+		run_cmd "Cleaning up Unbound include directive" \
+			sed -i '/^include: "\/etc\/unbound\/unbound\.conf\.d\/\*\.conf"$/d' /etc/unbound/unbound.conf
+	fi
+
+	until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
+		log_info "If you were already using Unbound before installing OpenVPN, I removed the configuration related to OpenVPN."
+		read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
+	done
+
+	if [[ $REMOVE_UNBOUND == 'y' ]]; then
+		log_info "Removing Unbound..."
+		run_cmd "Stopping Unbound" systemctl stop unbound
+
+		if [[ $OS =~ (debian|ubuntu) ]]; then
+			run_cmd "Removing Unbound" apt-get remove --purge -y unbound
+		elif [[ $OS == 'arch' ]]; then
+			run_cmd "Removing Unbound" pacman --noconfirm -R unbound
+		elif [[ $OS =~ (centos|oracle) ]]; then
+			run_cmd "Removing Unbound" yum remove -y unbound
+		elif [[ $OS =~ (fedora|amzn2023) ]]; then
+			run_cmd "Removing Unbound" dnf remove -y unbound
+		elif [[ $OS == 'opensuse' ]]; then
+			run_cmd "Removing Unbound" zypper remove -y unbound
+		fi
+
+		run_cmd "Removing Unbound config" rm -rf /etc/unbound/
+		log_success "Unbound removed!"
+	else
+		run_cmd "Restarting Unbound" systemctl restart unbound
+		log_info "Unbound wasn't removed."
+	fi
+}
+
+function removeOpenVPN() {
+	log_header "Remove OpenVPN"
+	if [[ -z $REMOVE ]]; then
+		read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
+	fi
+	if [[ $REMOVE == 'y' ]]; then
+		# Get OpenVPN configuration
+		PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+		PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+		# Strip "6" suffix for firewall/SELinux commands (they expect "udp"/"tcp", not "udp6"/"tcp6")
+		PROTOCOL_BASE="${PROTOCOL%6}"
+		# Extract IPv4 subnet (may be empty if IPv4 not enabled)
+		VPN_SUBNET_IPV4=$(grep '^server ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+		# Extract IPv6 subnet (may be empty if IPv6 not enabled)
+		VPN_SUBNET_IPV6=$(grep '^server-ipv6 ' /etc/openvpn/server/server.conf | cut -d " " -f 2 | sed 's|/.*||')
+
+		# Stop OpenVPN
+		log_info "Stopping OpenVPN service..."
+		run_cmd "Disabling OpenVPN service" systemctl disable openvpn-server@server
+		run_cmd "Stopping OpenVPN service" systemctl stop openvpn-server@server
+		# Remove customised service
+		run_cmd "Removing service file" rm -f /etc/systemd/system/openvpn-server@.service
+
+		# Remove firewall rules
+		log_info "Removing firewall rules..."
+		if systemctl is-active --quiet firewalld && firewall-cmd --list-ports | grep -q "$PORT/$PROTOCOL_BASE"; then
+			# firewalld was used
+			run_cmd "Removing OpenVPN port from firewalld" firewall-cmd --permanent --remove-port="$PORT/$PROTOCOL_BASE"
+			run_cmd "Removing masquerade from firewalld" firewall-cmd --permanent --remove-masquerade
+			# Remove IPv4 rich rule if configured
+			if [[ -n $VPN_SUBNET_IPV4 ]]; then
+				firewall-cmd --permanent --remove-rich-rule="rule family=\"ipv4\" source address=\"$VPN_SUBNET_IPV4/24\" accept" 2>/dev/null || true
+			fi
+			# Remove IPv6 rich rule if configured
+			if [[ -n $VPN_SUBNET_IPV6 ]]; then
+				firewall-cmd --permanent --remove-rich-rule="rule family=\"ipv6\" source address=\"${VPN_SUBNET_IPV6}/112\" accept" 2>/dev/null || true
+			fi
+			run_cmd "Reloading firewalld" firewall-cmd --reload
+		elif [[ -f /etc/nftables/openvpn.nft ]]; then
+			# nftables was used
+			# Delete tables (suppress errors in case tables don't exist)
+			nft delete table inet openvpn 2>/dev/null || true
+			nft delete table ip openvpn-nat 2>/dev/null || true
+			nft delete table ip6 openvpn-nat 2>/dev/null || true
+			run_cmd "Removing include from nftables.conf" sed -i '/include.*openvpn\.nft/d' /etc/nftables.conf
+			run_cmd "Removing nftables rules file" rm -f /etc/nftables/openvpn.nft
+		elif [[ -f /etc/systemd/system/iptables-openvpn.service ]]; then
+			# iptables was used
+			run_cmd "Stopping iptables service" systemctl stop iptables-openvpn
+			run_cmd "Disabling iptables service" systemctl disable iptables-openvpn
+			run_cmd "Removing iptables service file" rm /etc/systemd/system/iptables-openvpn.service
+			run_cmd "Reloading systemd" systemctl daemon-reload
+			run_cmd "Removing iptables add script" rm -f /etc/iptables/add-openvpn-rules.sh
+			run_cmd "Removing iptables rm script" rm -f /etc/iptables/rm-openvpn-rules.sh
+		fi
+
+		# SELinux
+		if hash sestatus 2>/dev/null; then
+			if sestatus | grep "Current mode" | grep -qs "enforcing"; then
+				if [[ $PORT != '1194' ]]; then
+					run_cmd "Removing SELinux port" semanage port -d -t openvpn_port_t -p "$PROTOCOL_BASE" "$PORT"
+				fi
+			fi
+		fi
+
+		log_info "Removing OpenVPN package..."
+		if [[ $OS =~ (debian|ubuntu) ]]; then
+			run_cmd "Removing OpenVPN" apt-get remove --purge -y openvpn
+			# Remove OpenVPN official repository and GPG key
+			if [[ -e /etc/apt/sources.list.d/openvpn-aptrepo.list ]]; then
+				run_cmd "Removing OpenVPN repo" rm /etc/apt/sources.list.d/openvpn-aptrepo.list
+			fi
+			if [[ -e /etc/apt/keyrings/openvpn-repo-public.asc ]]; then
+				run_cmd "Removing OpenVPN GPG key" rm /etc/apt/keyrings/openvpn-repo-public.asc
+			fi
+			run_cmd_fatal "Updating package lists" apt-get update
+		elif [[ $OS == 'arch' ]]; then
+			run_cmd "Removing OpenVPN" pacman --noconfirm -R openvpn
+		elif [[ $OS =~ (centos|oracle) ]]; then
+			run_cmd "Removing OpenVPN" yum remove -y openvpn
+			# Disable Copr repo if it was enabled
+			if command -v dnf &>/dev/null; then
+				run_cmd "Disabling OpenVPN Copr repo" dnf copr disable -y @OpenVPN/openvpn-release-2.6 2>/dev/null || true
+			else
+				run_cmd "Disabling OpenVPN Copr repo" yum copr disable -y @OpenVPN/openvpn-release-2.6 2>/dev/null || true
+			fi
+		elif [[ $OS == 'amzn2023' ]]; then
+			run_cmd "Removing OpenVPN" dnf remove -y openvpn
+		elif [[ $OS == 'fedora' ]]; then
+			run_cmd "Removing OpenVPN" dnf remove -y openvpn
+		elif [[ $OS == 'opensuse' ]]; then
+			run_cmd "Removing OpenVPN" zypper remove -y openvpn
+		fi
+
+		# Cleanup
+		run_cmd "Removing client configs from /home" find /home/ -maxdepth 2 -name "*.ovpn" -delete
+		run_cmd "Removing client configs from /root" find /root/ -maxdepth 1 -name "*.ovpn" -delete
+		run_cmd "Removing /etc/openvpn" rm -rf /etc/openvpn
+		run_cmd "Removing OpenVPN docs" rm -rf /usr/share/doc/openvpn*
+		run_cmd "Removing sysctl config" rm -f /etc/sysctl.d/99-openvpn.conf
+		run_cmd "Removing OpenVPN logs" rm -rf /var/log/openvpn
+
+		# AppArmor local override
+		if [[ -f /etc/apparmor.d/local/openvpn ]]; then
+			run_cmd "Removing AppArmor local override" rm -f /etc/apparmor.d/local/openvpn
+			if [[ -f /etc/apparmor.d/openvpn ]]; then
+				run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn 2>/dev/null || true
+			fi
+		fi
+
+		# Unbound
+		if [[ -e /etc/unbound/unbound.conf.d/openvpn.conf ]]; then
+			removeUnbound
+		fi
+		log_success "OpenVPN removed!"
+	else
+		log_info "Removal aborted!"
+	fi
+}
+
+function manageMenu() {
+	local menu_option
+
+	log_header "OpenVPN Management"
+	log_prompt "The git repository is available at: https://github.com/angristan/openvpn-install"
+	log_success "OpenVPN is already installed."
+	log_menu ""
+	log_prompt "What do you want to do?"
+	log_menu "   1) Add a new user"
+	log_menu "   2) List client certificates"
+	log_menu "   3) Revoke existing user"
+	log_menu "   4) Renew certificate"
+	log_menu "   5) Remove OpenVPN"
+	log_menu "   6) List connected clients"
+	log_menu "   7) Exit"
+	until [[ ${MENU_OPTION:-$menu_option} =~ ^[1-7]$ ]]; do
+		read -rp "Select an option [1-7]: " menu_option
+	done
+	menu_option="${MENU_OPTION:-$menu_option}"
+
+	case $menu_option in
+	1)
+		newClient
+		exit 0
+		;;
+	2)
+		listClients
+		;;
+	3)
+		revokeClient
+		;;
+	4)
+		renewMenu
+		;;
+	5)
+		removeOpenVPN
+		;;
+	6)
+		listConnectedClients
+		;;
+	7)
+		exit 0
+		;;
+	esac
+}
+
+# =============================================================================
+# Main Entry Point
+# =============================================================================
+parse_args "$@"
diff --git a/wechat b/wechat
new file mode 100644
index 0000000..d81190c
--- /dev/null
+++ b/wechat
@@ -0,0 +1,37 @@
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
diff --git a/wepay b/wepay
new file mode 100644
index 0000000..1a5c9a0
--- /dev/null
+++ b/wepay
@@ -0,0 +1,37 @@
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
+                                                                          
diff --git a/wifi b/wifi
new file mode 100644
index 0000000..bc32390
--- /dev/null
+++ b/wifi
@@ -0,0 +1,7 @@
+airmon-ng							#Looking for device
+airmon-ng start wlan0						#Start Listen Mode
+airodump-ng wlan0mon						#Scan surroudings wifi
+airodump-ng -c ID --bssid address -w /file/name wlan0mon	#Begin to capture packet
+aireplay-ng -0 2 -a router -c client wlan0mon			#Begin to De-authentication
+aircrack-ng -w passwd name					#Begin to attack packet
+airmon-ng stop wlan0mon						#Close Listen Mode
diff --git a/wireguard.sh b/wireguard.sh
new file mode 100755
index 0000000..243ec42
--- /dev/null
+++ b/wireguard.sh
@@ -0,0 +1,601 @@
+#!/bin/bash
+
+# Secure WireGuard server installer
+# https://github.com/angristan/wireguard-install
+
+RED='\033[0;31m'
+ORANGE='\033[0;33m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+function installPackages() {
+	if ! "$@"; then
+		echo -e "${RED}Failed to install packages.${NC}"
+		echo "Please check your internet connection and package sources."
+		exit 1
+	fi
+}
+
+function isRoot() {
+	if [ "${EUID}" -ne 0 ]; then
+		echo "You need to run this script as root"
+		exit 1
+	fi
+}
+
+function checkVirt() {
+	if command -v virt-what &>/dev/null; then
+		VIRT=$(virt-what)
+	else
+		VIRT=$(systemd-detect-virt)
+	fi
+	if [[ ${VIRT} == "openvz" ]]; then
+		echo "OpenVZ is not supported"
+		exit 1
+	fi
+	if [[ ${VIRT} == "lxc" ]]; then
+		echo "LXC is not supported (yet)."
+		echo "WireGuard can technically run in an LXC container,"
+		echo "but the kernel module has to be installed on the host,"
+		echo "the container has to be run with some specific parameters"
+		echo "and only the tools need to be installed in the container."
+		exit 1
+	fi
+}
+
+function checkOS() {
+	source /etc/os-release
+	OS="${ID}"
+	if [[ ${OS} == "debian" || ${OS} == "raspbian" ]]; then
+		if [[ ${VERSION_ID} -lt 10 ]]; then
+			echo "Your version of Debian (${VERSION_ID}) is not supported. Please use Debian 10 Buster or later"
+			exit 1
+		fi
+		OS=debian # overwrite if raspbian
+	elif [[ ${OS} == "ubuntu" ]]; then
+		RELEASE_YEAR=$(echo "${VERSION_ID}" | cut -d'.' -f1)
+		if [[ ${RELEASE_YEAR} -lt 18 ]]; then
+			echo "Your version of Ubuntu (${VERSION_ID}) is not supported. Please use Ubuntu 18.04 or later"
+			exit 1
+		fi
+	elif [[ ${OS} == "fedora" ]]; then
+		if [[ ${VERSION_ID} -lt 32 ]]; then
+			echo "Your version of Fedora (${VERSION_ID}) is not supported. Please use Fedora 32 or later"
+			exit 1
+		fi
+	elif [[ ${OS} == 'centos' ]] || [[ ${OS} == 'almalinux' ]] || [[ ${OS} == 'rocky' ]]; then
+		if [[ ${VERSION_ID} == 7* ]]; then
+			echo "Your version of CentOS (${VERSION_ID}) is not supported. Please use CentOS 8 or later"
+			exit 1
+		fi
+	elif [[ -e /etc/oracle-release ]]; then
+		source /etc/os-release
+		OS=oracle
+	elif [[ -e /etc/arch-release ]]; then
+		OS=arch
+	elif [[ -e /etc/alpine-release ]]; then
+		OS=alpine
+		if ! command -v virt-what &>/dev/null; then
+			if ! (apk update && apk add virt-what); then
+				echo -e "${RED}Failed to install virt-what. Continuing without virtualization check.${NC}"
+			fi
+		fi
+	else
+		echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, AlmaLinux, Oracle or Arch Linux system"
+		exit 1
+	fi
+}
+
+function getHomeDirForClient() {
+	local CLIENT_NAME=$1
+
+	if [ -z "${CLIENT_NAME}" ]; then
+		echo "Error: getHomeDirForClient() requires a client name as argument"
+		exit 1
+	fi
+
+	# Home directory of the user, where the client configuration will be written
+	if [ -e "/home/${CLIENT_NAME}" ]; then
+		# if $1 is a user name
+		HOME_DIR="/home/${CLIENT_NAME}"
+	elif [ "${SUDO_USER}" ]; then
+		# if not, use SUDO_USER
+		if [ "${SUDO_USER}" == "root" ]; then
+			# If running sudo as root
+			HOME_DIR="/root"
+		else
+			HOME_DIR="/home/${SUDO_USER}"
+		fi
+	else
+		# if not SUDO_USER, use /root
+		HOME_DIR="/root"
+	fi
+
+	echo "$HOME_DIR"
+}
+
+function initialCheck() {
+	isRoot
+	checkOS
+	checkVirt
+}
+
+function installQuestions() {
+	echo "Welcome to the WireGuard installer!"
+	echo "The git repository is available at: https://github.com/angristan/wireguard-install"
+	echo ""
+	echo "I need to ask you a few questions before starting the setup."
+	echo "You can keep the default options and just press enter if you are ok with them."
+	echo ""
+
+	# Detect public IPv4 or IPv6 address and pre-fill for the user
+	SERVER_PUB_IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | awk '{print $1}' | head -1)
+	if [[ -z ${SERVER_PUB_IP} ]]; then
+		# Detect public IPv6 address
+		SERVER_PUB_IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+	fi
+	read -rp "IPv4 or IPv6 public address: " -e -i "${SERVER_PUB_IP}" SERVER_PUB_IP
+
+	# Detect public interface and pre-fill for the user
+	SERVER_NIC="$(ip -4 route ls | grep default | awk '/dev/ {for (i=1; i<=NF; i++) if ($i == "dev") print $(i+1)}' | head -1)"
+	until [[ ${SERVER_PUB_NIC} =~ ^[a-zA-Z0-9_]+$ ]]; do
+		read -rp "Public interface: " -e -i "${SERVER_NIC}" SERVER_PUB_NIC
+	done
+
+	until [[ ${SERVER_WG_NIC} =~ ^[a-zA-Z0-9_]+$ && ${#SERVER_WG_NIC} -lt 16 ]]; do
+		read -rp "WireGuard interface name: " -e -i wg0 SERVER_WG_NIC
+	done
+
+	until [[ ${SERVER_WG_IPV4} =~ ^([0-9]{1,3}\.){3} ]]; do
+		read -rp "Server WireGuard IPv4: " -e -i 10.66.66.1 SERVER_WG_IPV4
+	done
+
+	until [[ ${SERVER_WG_IPV6} =~ ^([a-f0-9]{1,4}:){3,4}: ]]; do
+		read -rp "Server WireGuard IPv6: " -e -i fd42:42:42::1 SERVER_WG_IPV6
+	done
+
+	# Generate random number within private ports range
+	RANDOM_PORT=$(shuf -i49152-65535 -n1)
+	until [[ ${SERVER_PORT} =~ ^[0-9]+$ ]] && [ "${SERVER_PORT}" -ge 1 ] && [ "${SERVER_PORT}" -le 65535 ]; do
+		read -rp "Server WireGuard port [1-65535]: " -e -i "${RANDOM_PORT}" SERVER_PORT
+	done
+
+	# Cloudflare DNS by default
+	until [[ ${CLIENT_DNS_1} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+		read -rp "First DNS resolver to use for the clients: " -e -i 1.1.1.1 CLIENT_DNS_1
+	done
+	until [[ ${CLIENT_DNS_2} =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+		read -rp "Second DNS resolver to use for the clients (optional): " -e -i 1.0.0.1 CLIENT_DNS_2
+		if [[ ${CLIENT_DNS_2} == "" ]]; then
+			CLIENT_DNS_2="${CLIENT_DNS_1}"
+		fi
+	done
+
+	until [[ ${ALLOWED_IPS} =~ ^.+$ ]]; do
+		echo -e "\nWireGuard uses a parameter called AllowedIPs to determine what is routed over the VPN."
+		read -rp "Allowed IPs list for generated clients (leave default to route everything): " -e -i '0.0.0.0/0,::/0' ALLOWED_IPS
+		if [[ ${ALLOWED_IPS} == "" ]]; then
+			ALLOWED_IPS="0.0.0.0/0,::/0"
+		fi
+	done
+
+	echo ""
+	echo "Okay, that was all I needed. We are ready to setup your WireGuard server now."
+	echo "You will be able to generate a client at the end of the installation."
+	read -n1 -r -p "Press any key to continue..."
+}
+
+function installWireGuard() {
+	# Run setup questions first
+	installQuestions
+
+	# Install WireGuard tools and module
+	if [[ ${OS} == 'ubuntu' ]] || [[ ${OS} == 'debian' && ${VERSION_ID} -gt 10 ]]; then
+		apt-get update
+		installPackages apt-get install -y wireguard iptables resolvconf qrencode
+	elif [[ ${OS} == 'debian' ]]; then
+		if ! grep -rqs "^deb .* buster-backports" /etc/apt/; then
+			echo "deb http://deb.debian.org/debian buster-backports main" >/etc/apt/sources.list.d/backports.list
+			apt-get update
+		fi
+		apt-get update
+		installPackages apt-get install -y iptables resolvconf qrencode
+		installPackages apt-get install -y -t buster-backports wireguard
+	elif [[ ${OS} == 'fedora' ]]; then
+		if [[ ${VERSION_ID} -lt 32 ]]; then
+			installPackages dnf install -y dnf-plugins-core
+			dnf copr enable -y jdoss/wireguard
+			installPackages dnf install -y wireguard-dkms
+		fi
+		installPackages dnf install -y wireguard-tools iptables qrencode
+	elif [[ ${OS} == 'centos' ]] || [[ ${OS} == 'almalinux' ]] || [[ ${OS} == 'rocky' ]]; then
+		if [[ ${VERSION_ID} == 8* ]]; then
+			installPackages yum install -y epel-release elrepo-release
+			installPackages yum install -y kmod-wireguard
+			yum install -y qrencode || true # not available on release 9
+		fi
+		installPackages yum install -y wireguard-tools iptables
+	elif [[ ${OS} == 'oracle' ]]; then
+		installPackages dnf install -y oraclelinux-developer-release-el8
+		dnf config-manager --disable -y ol8_developer
+		dnf config-manager --enable -y ol8_developer_UEKR6
+		dnf config-manager --save -y --setopt=ol8_developer_UEKR6.includepkgs='wireguard-tools*'
+		installPackages dnf install -y wireguard-tools qrencode iptables
+	elif [[ ${OS} == 'arch' ]]; then
+		installPackages pacman -S --needed --noconfirm wireguard-tools qrencode
+	elif [[ ${OS} == 'alpine' ]]; then
+		apk update
+		installPackages apk add wireguard-tools iptables libqrencode-tools
+	fi
+
+	# Verify WireGuard installation
+	if ! command -v wg &>/dev/null; then
+		echo -e "${RED}WireGuard installation failed. The 'wg' command was not found.${NC}"
+		echo "Please check the installation output above for errors."
+		exit 1
+	fi
+
+	# Make sure the directory exists (this does not seem the be the case on fedora)
+	mkdir /etc/wireguard >/dev/null 2>&1
+
+	chmod 600 -R /etc/wireguard/
+
+	SERVER_PRIV_KEY=$(wg genkey)
+	SERVER_PUB_KEY=$(echo "${SERVER_PRIV_KEY}" | wg pubkey)
+
+	# Save WireGuard settings
+	echo "SERVER_PUB_IP=${SERVER_PUB_IP}
+SERVER_PUB_NIC=${SERVER_PUB_NIC}
+SERVER_WG_NIC=${SERVER_WG_NIC}
+SERVER_WG_IPV4=${SERVER_WG_IPV4}
+SERVER_WG_IPV6=${SERVER_WG_IPV6}
+SERVER_PORT=${SERVER_PORT}
+SERVER_PRIV_KEY=${SERVER_PRIV_KEY}
+SERVER_PUB_KEY=${SERVER_PUB_KEY}
+CLIENT_DNS_1=${CLIENT_DNS_1}
+CLIENT_DNS_2=${CLIENT_DNS_2}
+ALLOWED_IPS=${ALLOWED_IPS}" >/etc/wireguard/params
+
+	# Add server interface
+	echo "[Interface]
+Address = ${SERVER_WG_IPV4}/24,${SERVER_WG_IPV6}/64
+ListenPort = ${SERVER_PORT}
+PrivateKey = ${SERVER_PRIV_KEY}" >"/etc/wireguard/${SERVER_WG_NIC}.conf"
+
+	if pgrep firewalld; then
+		FIREWALLD_IPV4_ADDRESS=$(echo "${SERVER_WG_IPV4}" | cut -d"." -f1-3)".0"
+		FIREWALLD_IPV6_ADDRESS=$(echo "${SERVER_WG_IPV6}" | sed 's/:[^:]*$/:0/')
+		echo "PostUp = firewall-cmd --zone=public --add-interface=${SERVER_WG_NIC} && firewall-cmd --add-port ${SERVER_PORT}/udp && firewall-cmd --add-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --add-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'
+PostDown = firewall-cmd --zone=public --add-interface=${SERVER_WG_NIC} && firewall-cmd --remove-port ${SERVER_PORT}/udp && firewall-cmd --remove-rich-rule='rule family=ipv4 source address=${FIREWALLD_IPV4_ADDRESS}/24 masquerade' && firewall-cmd --remove-rich-rule='rule family=ipv6 source address=${FIREWALLD_IPV6_ADDRESS}/24 masquerade'" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"
+	else
+		echo "PostUp = iptables -I INPUT -p udp --dport ${SERVER_PORT} -j ACCEPT
+PostUp = iptables -I FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT
+PostUp = iptables -I FORWARD -i ${SERVER_WG_NIC} -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE
+PostUp = ip6tables -I FORWARD -i ${SERVER_WG_NIC} -j ACCEPT
+PostUp = ip6tables -t nat -A POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE
+PostDown = iptables -D INPUT -p udp --dport ${SERVER_PORT} -j ACCEPT
+PostDown = iptables -D FORWARD -i ${SERVER_PUB_NIC} -o ${SERVER_WG_NIC} -j ACCEPT
+PostDown = iptables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE
+PostDown = ip6tables -D FORWARD -i ${SERVER_WG_NIC} -j ACCEPT
+PostDown = ip6tables -t nat -D POSTROUTING -o ${SERVER_PUB_NIC} -j MASQUERADE" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"
+	fi
+
+	# Enable routing on the server
+	echo "net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1" >/etc/sysctl.d/wg.conf
+
+	if [[ ${OS} == 'fedora' ]]; then
+		chmod -v 700 /etc/wireguard
+		chmod -v 600 /etc/wireguard/*
+	fi
+
+	if [[ ${OS} == 'alpine' ]]; then
+		sysctl -p /etc/sysctl.d/wg.conf
+		rc-update add sysctl
+		ln -s /etc/init.d/wg-quick "/etc/init.d/wg-quick.${SERVER_WG_NIC}"
+		rc-service "wg-quick.${SERVER_WG_NIC}" start
+		rc-update add "wg-quick.${SERVER_WG_NIC}"
+	else
+		sysctl --system
+
+		systemctl start "wg-quick@${SERVER_WG_NIC}"
+		systemctl enable "wg-quick@${SERVER_WG_NIC}"
+	fi
+
+	newClient
+	echo -e "${GREEN}If you want to add more clients, you simply need to run this script another time!${NC}"
+
+	# Check if WireGuard is running
+	if [[ ${OS} == 'alpine' ]]; then
+		rc-service --quiet "wg-quick.${SERVER_WG_NIC}" status
+	else
+		systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}"
+	fi
+	WG_RUNNING=$?
+
+	# WireGuard might not work if we updated the kernel. Tell the user to reboot
+	if [[ ${WG_RUNNING} -ne 0 ]]; then
+		echo -e "\n${RED}WARNING: WireGuard does not seem to be running.${NC}"
+		if [[ ${OS} == 'alpine' ]]; then
+			echo -e "${ORANGE}You can check if WireGuard is running with: rc-service wg-quick.${SERVER_WG_NIC} status${NC}"
+		else
+			echo -e "${ORANGE}You can check if WireGuard is running with: systemctl status wg-quick@${SERVER_WG_NIC}${NC}"
+		fi
+		echo -e "${ORANGE}If you get something like \"Cannot find device ${SERVER_WG_NIC}\", please reboot!${NC}"
+	else # WireGuard is running
+		echo -e "\n${GREEN}WireGuard is running.${NC}"
+		if [[ ${OS} == 'alpine' ]]; then
+			echo -e "${GREEN}You can check the status of WireGuard with: rc-service wg-quick.${SERVER_WG_NIC} status\n\n${NC}"
+		else
+			echo -e "${GREEN}You can check the status of WireGuard with: systemctl status wg-quick@${SERVER_WG_NIC}\n\n${NC}"
+		fi
+		echo -e "${ORANGE}If you don't have internet connectivity from your client, try to reboot the server.${NC}"
+	fi
+}
+
+function newClient() {
+	# If SERVER_PUB_IP is IPv6, add brackets if missing
+	if [[ ${SERVER_PUB_IP} =~ .*:.* ]]; then
+		if [[ ${SERVER_PUB_IP} != *"["* ]] || [[ ${SERVER_PUB_IP} != *"]"* ]]; then
+			SERVER_PUB_IP="[${SERVER_PUB_IP}]"
+		fi
+	fi
+	ENDPOINT="${SERVER_PUB_IP}:${SERVER_PORT}"
+
+	echo ""
+	echo "Client configuration"
+	echo ""
+	echo "The client name must consist of alphanumeric character(s). It may also include underscores or dashes and can't exceed 15 chars."
+
+	until [[ ${CLIENT_NAME} =~ ^[a-zA-Z0-9_-]+$ && ${CLIENT_EXISTS} == '0' && ${#CLIENT_NAME} -lt 16 ]]; do
+		read -rp "Client name: " -e CLIENT_NAME
+		CLIENT_EXISTS=$(grep -c -E "^### Client ${CLIENT_NAME}\$" "/etc/wireguard/${SERVER_WG_NIC}.conf")
+
+		if [[ ${CLIENT_EXISTS} != 0 ]]; then
+			echo ""
+			echo -e "${ORANGE}A client with the specified name was already created, please choose another name.${NC}"
+			echo ""
+		fi
+	done
+
+	for DOT_IP in {2..254}; do
+		DOT_EXISTS=$(grep -c "${SERVER_WG_IPV4::-1}${DOT_IP}" "/etc/wireguard/${SERVER_WG_NIC}.conf")
+		if [[ ${DOT_EXISTS} == '0' ]]; then
+			break
+		fi
+	done
+
+	if [[ ${DOT_EXISTS} == '1' ]]; then
+		echo ""
+		echo "The subnet configured supports only 253 clients."
+		exit 1
+	fi
+
+	BASE_IP=$(echo "$SERVER_WG_IPV4" | awk -F '.' '{ print $1"."$2"."$3 }')
+	until [[ ${IPV4_EXISTS} == '0' ]]; do
+		read -rp "Client WireGuard IPv4: ${BASE_IP}." -e -i "${DOT_IP}" DOT_IP
+		CLIENT_WG_IPV4="${BASE_IP}.${DOT_IP}"
+		IPV4_EXISTS=$(grep -c "$CLIENT_WG_IPV4/32" "/etc/wireguard/${SERVER_WG_NIC}.conf")
+
+		if [[ ${IPV4_EXISTS} != 0 ]]; then
+			echo ""
+			echo -e "${ORANGE}A client with the specified IPv4 was already created, please choose another IPv4.${NC}"
+			echo ""
+		fi
+	done
+
+	BASE_IP=$(echo "$SERVER_WG_IPV6" | awk -F '::' '{ print $1 }')
+	until [[ ${IPV6_EXISTS} == '0' ]]; do
+		read -rp "Client WireGuard IPv6: ${BASE_IP}::" -e -i "${DOT_IP}" DOT_IP
+		CLIENT_WG_IPV6="${BASE_IP}::${DOT_IP}"
+		IPV6_EXISTS=$(grep -c "${CLIENT_WG_IPV6}/128" "/etc/wireguard/${SERVER_WG_NIC}.conf")
+
+		if [[ ${IPV6_EXISTS} != 0 ]]; then
+			echo ""
+			echo -e "${ORANGE}A client with the specified IPv6 was already created, please choose another IPv6.${NC}"
+			echo ""
+		fi
+	done
+
+	# Generate key pair for the client
+	CLIENT_PRIV_KEY=$(wg genkey)
+	CLIENT_PUB_KEY=$(echo "${CLIENT_PRIV_KEY}" | wg pubkey)
+	CLIENT_PRE_SHARED_KEY=$(wg genpsk)
+
+	HOME_DIR=$(getHomeDirForClient "${CLIENT_NAME}")
+
+	# Create client file and add the server as a peer
+	echo "[Interface]
+PrivateKey = ${CLIENT_PRIV_KEY}
+Address = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128
+DNS = ${CLIENT_DNS_1},${CLIENT_DNS_2}
+
+# Uncomment the next line to set a custom MTU
+# This might impact performance, so use it only if you know what you are doing
+# See https://github.com/nitred/nr-wg-mtu-finder to find your optimal MTU
+# MTU = 1420
+
+[Peer]
+PublicKey = ${SERVER_PUB_KEY}
+PresharedKey = ${CLIENT_PRE_SHARED_KEY}
+Endpoint = ${ENDPOINT}
+AllowedIPs = ${ALLOWED_IPS}" >"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"
+
+	# Add the client as a peer to the server
+	echo -e "\n### Client ${CLIENT_NAME}
+[Peer]
+PublicKey = ${CLIENT_PUB_KEY}
+PresharedKey = ${CLIENT_PRE_SHARED_KEY}
+AllowedIPs = ${CLIENT_WG_IPV4}/32,${CLIENT_WG_IPV6}/128" >>"/etc/wireguard/${SERVER_WG_NIC}.conf"
+
+	wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}")
+
+	# Generate QR code if qrencode is installed
+	if command -v qrencode &>/dev/null; then
+		echo -e "${GREEN}\nHere is your client config file as a QR Code:\n${NC}"
+		qrencode -t ansiutf8 -l L <"${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"
+		echo ""
+	fi
+
+	echo -e "${GREEN}Your client config file is in ${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf${NC}"
+}
+
+function listClients() {
+	NUMBER_OF_CLIENTS=$(grep -c -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf")
+	if [[ ${NUMBER_OF_CLIENTS} -eq 0 ]]; then
+		echo ""
+		echo "You have no existing clients!"
+		exit 1
+	fi
+
+	grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') '
+}
+
+function revokeClient() {
+	NUMBER_OF_CLIENTS=$(grep -c -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf")
+	if [[ ${NUMBER_OF_CLIENTS} == '0' ]]; then
+		echo ""
+		echo "You have no existing clients!"
+		exit 1
+	fi
+
+	echo ""
+	echo "Select the existing client you want to revoke"
+	grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | nl -s ') '
+	until [[ ${CLIENT_NUMBER} -ge 1 && ${CLIENT_NUMBER} -le ${NUMBER_OF_CLIENTS} ]]; do
+		if [[ ${CLIENT_NUMBER} == '1' ]]; then
+			read -rp "Select one client [1]: " CLIENT_NUMBER
+		else
+			read -rp "Select one client [1-${NUMBER_OF_CLIENTS}]: " CLIENT_NUMBER
+		fi
+	done
+
+	# match the selected number to a client name
+	CLIENT_NAME=$(grep -E "^### Client" "/etc/wireguard/${SERVER_WG_NIC}.conf" | cut -d ' ' -f 3 | sed -n "${CLIENT_NUMBER}"p)
+
+	# remove [Peer] block matching $CLIENT_NAME
+	sed -i "/^### Client ${CLIENT_NAME}\$/,/^$/d" "/etc/wireguard/${SERVER_WG_NIC}.conf"
+
+	# remove generated client file
+	HOME_DIR=$(getHomeDirForClient "${CLIENT_NAME}")
+	rm -f "${HOME_DIR}/${SERVER_WG_NIC}-client-${CLIENT_NAME}.conf"
+
+	# restart wireguard to apply changes
+	wg syncconf "${SERVER_WG_NIC}" <(wg-quick strip "${SERVER_WG_NIC}")
+}
+
+function uninstallWg() {
+	echo ""
+	echo -e "\n${RED}WARNING: This will uninstall WireGuard and remove all the configuration files!${NC}"
+	echo -e "${ORANGE}Please backup the /etc/wireguard directory if you want to keep your configuration files.\n${NC}"
+	read -rp "Do you really want to remove WireGuard? [y/n]: " -e REMOVE
+	REMOVE=${REMOVE:-n}
+	if [[ $REMOVE == 'y' ]]; then
+		checkOS
+
+		if [[ ${OS} == 'alpine' ]]; then
+			rc-service "wg-quick.${SERVER_WG_NIC}" stop
+			rc-update del "wg-quick.${SERVER_WG_NIC}"
+			unlink "/etc/init.d/wg-quick.${SERVER_WG_NIC}"
+			rc-update del sysctl
+		else
+			systemctl stop "wg-quick@${SERVER_WG_NIC}"
+			systemctl disable "wg-quick@${SERVER_WG_NIC}"
+		fi
+
+		if [[ ${OS} == 'ubuntu' ]] || [[ ${OS} == 'debian' ]]; then
+			apt-get remove -y wireguard wireguard-tools qrencode
+		elif [[ ${OS} == 'fedora' ]]; then
+			dnf remove -y --noautoremove wireguard-tools qrencode
+			if [[ ${VERSION_ID} -lt 32 ]]; then
+				dnf remove -y --noautoremove wireguard-dkms
+				dnf copr disable -y jdoss/wireguard
+			fi
+		elif [[ ${OS} == 'centos' ]] || [[ ${OS} == 'almalinux' ]] || [[ ${OS} == 'rocky' ]]; then
+			yum remove -y --noautoremove wireguard-tools
+			if [[ ${VERSION_ID} == 8* ]]; then
+				yum remove --noautoremove kmod-wireguard qrencode
+			fi
+		elif [[ ${OS} == 'oracle' ]]; then
+			yum remove --noautoremove wireguard-tools qrencode
+		elif [[ ${OS} == 'arch' ]]; then
+			pacman -Rs --noconfirm wireguard-tools qrencode
+		elif [[ ${OS} == 'alpine' ]]; then
+			(cd qrencode-4.1.1 || exit && make uninstall)
+			rm -rf qrencode-* || exit
+			apk del wireguard-tools libqrencode libqrencode-tools
+		fi
+
+		rm -rf /etc/wireguard
+		rm -f /etc/sysctl.d/wg.conf
+
+		if [[ ${OS} == 'alpine' ]]; then
+			rc-service --quiet "wg-quick.${SERVER_WG_NIC}" status &>/dev/null
+		else
+			# Reload sysctl
+			sysctl --system
+
+			# Check if WireGuard is running
+			systemctl is-active --quiet "wg-quick@${SERVER_WG_NIC}"
+		fi
+		WG_RUNNING=$?
+
+		if [[ ${WG_RUNNING} -eq 0 ]]; then
+			echo "WireGuard failed to uninstall properly."
+			exit 1
+		else
+			echo "WireGuard uninstalled successfully."
+			exit 0
+		fi
+	else
+		echo ""
+		echo "Removal aborted!"
+	fi
+}
+
+function manageMenu() {
+	echo "Welcome to WireGuard-install!"
+	echo "The git repository is available at: https://github.com/angristan/wireguard-install"
+	echo ""
+	echo "It looks like WireGuard is already installed."
+	echo ""
+	echo "What do you want to do?"
+	echo "   1) Add a new user"
+	echo "   2) List all users"
+	echo "   3) Revoke existing user"
+	echo "   4) Uninstall WireGuard"
+	echo "   5) Exit"
+	until [[ ${MENU_OPTION} =~ ^[1-5]$ ]]; do
+		read -rp "Select an option [1-5]: " MENU_OPTION
+	done
+	case "${MENU_OPTION}" in
+	1)
+		newClient
+		;;
+	2)
+		listClients
+		;;
+	3)
+		revokeClient
+		;;
+	4)
+		uninstallWg
+		;;
+	5)
+		exit 0
+		;;
+	esac
+}
+
+# Check for root, virt, OS...
+initialCheck
+
+# Check if WireGuard is already installed and load params
+if [[ -e /etc/wireguard/params ]]; then
+	source /etc/wireguard/params
+	manageMenu
+else
+	installWireGuard
+fi
diff --git a/wordpress b/wordpress
new file mode 100755
index 0000000..957a878
--- /dev/null
+++ b/wordpress
@@ -0,0 +1,14 @@
+net1=net1
+web1=666888hh!
+web2=wordpress
+web3=wordpress
+web4=666888hh!
+web5=5.7
+web6=8080
+
+docker network rm net1
+docker network create $net1
+
+docker run --name mysql --network $net1 -e MYSQL_ROOT_PASSWORD=$web1 -e MYSQL_DATABASE=$web2 -e MYSQL_USER=$web3 -e MYSQL_PASSWORD=$web4 -d mysql:$web5
+
+docker run --name wordpress --network $net1 -v /docker/wordpress:/var/www/html -e WORDPRESS_DB_HOST=mysql:3306 -e WORDPRESS_DB_USER=$web3 -e WORDPRESS_DB_PASSWORD=$web4 -e WORDPRESS_DB_NAME=$web2 -p $web6:80 -d wordpress