From c42b028538b38a4aa8973565e05903fdde0b9a91 Mon Sep 17 00:00:00 2001 From: cezar97 Date: Fri, 6 Jul 2018 01:25:57 +0300 Subject: [PATCH 01/22] Add "Check for DNS leaks" paragraph in README (#242) --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 7ffa7b3..21b1a3f 100644 --- a/README.md +++ b/README.md @@ -255,6 +255,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used. TLS-Auth is not enabled by default by OpenVPN, but it is in this script. +## Check for DNS leaks + +Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up. + ## Say thanks You can [say thanks](https://saythanks.io/to/Angristan) if you want! From 63ac18075d07a1c944e9b4e08ba6e01b99c9cf2e Mon Sep 17 00:00:00 2001 From: cezar97 Date: Fri, 6 Jul 2018 23:11:22 +0300 Subject: [PATCH 02/22] Add quad9 secondary DNS (#248) See https://www.quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security. --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index e74d854..44647c5 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -529,6 +529,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf ;; 3) # Quad9 echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf ;; 4) # FDN echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf From 5501de73c8742bef58aa62685ca4c898cae2e616 Mon Sep 17 00:00:00 2001 From: Sayem Chowdhury Date: Sun, 15 Jul 2018 15:25:59 +0600 Subject: [PATCH 03/22] Improved code (#243) --- openvpn-install.sh | 130 +++++++++++++++++++++++++++------------------ 1 file changed, 78 insertions(+), 52 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 44647c5..046b319 100644 --- a/openvpn-install.sh 
+++ b/openvpn-install.sh @@ -4,16 +4,19 @@ # https://github.com/Angristan/OpenVPN-install +# Verify root if [[ "$EUID" -ne 0 ]]; then echo "Sorry, you need to run this as root" exit 1 fi +# Verify tun if [[ ! -e /dev/net/tun ]]; then echo "TUN is not available" exit 2 fi +# Check if CentOS 5 if grep -qs "CentOS release 5" "/etc/redhat-release"; then echo "CentOS 5 is too old and not supported" exit 3 @@ -22,7 +25,7 @@ fi if [[ -e /etc/debian_version ]]; then OS="debian" # Getting the version number, to verify that a recent version of OpenVPN is available - VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") + VERSION_ID=$(grep "VERSION_ID" /etc/os-release) IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then @@ -33,7 +36,7 @@ if [[ -e /etc/debian_version ]]; then echo "then you can continue, a recent version of OpenVPN is available on these." echo "Keep in mind they are not supported, though." while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do - read -p "Continue ? [y/n]: " -e CONTINUE + read -rp "Continue ? [y/n]: " -e CONTINUE done if [[ "$CONTINUE" = "n" ]]; then echo "Ok, bye !" 
@@ -59,28 +62,33 @@ fi newclient () { # Where to write the custom client.ovpn? - if [ -e /home/$1 ]; then # if $1 is a user name + if [ -e "/home/$1" ]; then # if $1 is a user name homeDir="/home/$1" - elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER + elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" else # if not SUDO_USER, use /root homeDir="/root" fi # Generates the custom client.ovpn - cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - echo "key-direction 1" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn + cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn" + { + echo "" + cat "/etc/openvpn/easy-rsa/pki/ca.crt" + echo "" + + echo "" + cat "/etc/openvpn/easy-rsa/pki/issued/$1.crt" + echo "" + + echo "" + cat "/etc/openvpn/easy-rsa/pki/private/$1.key" + echo "" + echo "key-direction 1" + + echo "" + cat "/etc/openvpn/tls-auth.key" + echo "" + } >> "$homeDir/$1.ovpn" } # Get Internet network interface with default route 
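Review bot: The profile assembled here embeds `pki/private/$1.key` and `tls-auth.key`, yet `cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn"` creates it with whatever mode the template and root's umask produce — presumably 0644, which makes the client's private key readable by every local account when the file lands under /home. Tighten it right after the `}` that closes the redirection group: `chmod 600 "$homeDir/$1.ovpn"`, and when the file was written into a SUDO_USER's home, hand it over with `chown "${SUDO_USER}:" "$homeDir/$1.ovpn"` so that user can read and later delete it (GNU chown accepts the `user:` form; confirm on the supported distros). Without the chown the user-owned directory holds a root-owned file the user cannot remove without sudo.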
@@ -94,22 +102,27 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "" echo "Looks like OpenVPN is already installed" echo "" + echo "What do you want to do?" echo " 1) Add a cert for a new user" echo " 2) Revoke existing user cert" echo " 3) Remove OpenVPN" echo " 4) Exit" - read -p "Select an option [1-4]: " option + read -rp "Select an option [1-4]: " option + case $option in 1) echo "" echo "Tell me a name for the client cert" echo "Please, use one word only, no special characters" - read -p "Client name: " -e -i newclient CLIENT - cd /etc/openvpn/easy-rsa/ + read -rp "Client name: " -e -i newclient CLIENT + + cd /etc/openvpn/easy-rsa/ || return ./easyrsa build-client-full $CLIENT nopass + # Generates the custom client.ovpn newclient "$CLIENT" + echo "" echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn" exit @@ -121,16 +134,18 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "You have no existing clients!" exit 5 fi + echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' if [[ "$NUMBEROFCLIENTS" = '1' ]]; then - read -p "Select one client [1]: " CLIENTNUMBER + read -rp "Select one client [1]: " CLIENTNUMBER else - read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER + read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER fi + CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/easy-rsa/ || return ./easyrsa --batch revoke $CLIENT EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl rm -f pki/reqs/$CLIENT.req @@ -141,6 +156,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then chmod 644 /etc/openvpn/crl.pem rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null rm -f /root/$CLIENT.ovpn 2>/dev/null + echo "" echo "Certificate for client $CLIENT revoked" echo "Exiting..." 
@@ -148,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then ;; 3) echo "" - read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE + read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE if [[ "$REMOVE" = 'y' ]]; then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) if pgrep firewalld; then @@ -206,6 +222,7 @@ else clear echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)" echo "" + # OpenVPN setup and first user creation echo "I need to ask you a few questions before starting the setup" echo "You can leave the default options and just press enter if you are ok with them" 
@@ -213,23 +230,25 @@ else echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)" echo "Otherwise, it should be your public IPv4 address." + # Autodetect IP address and pre-fill for the user IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) - read -p "IP address: " -e -i $IP IP + read -rp "IP address: " -e -i $IP IP echo "" echo "What port do you want for OpenVPN?" - read -p "Port: " -e -i 1194 PORT + read -rp "Port: " -e -i 1194 PORT + # If $IP is a private IP address, the server must be behind NAT if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then echo "" echo "This server is behind NAT. What is the public IPv4 address or hostname?" - read -p "Public IP address / hostname: " -e PUBLICIP + read -rp "Public IP address / hostname: " -e PUBLICIP fi echo "" echo "What protocol do you want for OpenVPN?" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" - while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do - read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL + until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do + read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL done echo "" echo "What DNS do you want to use with the VPN?" 
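Review bot: `read -rp "IP address: " -e -i $IP IP` leaves `$IP` unquoted; if the `ip addr` pipeline above finds no address, `$IP` expands to nothing, `-i` takes the literal `IP` as its default text, and `read` is left without a variable name, so the answer goes to `REPLY` and `IP` stays empty. Quote it: `read -rp "IP address: " -e -i "$IP" IP`. The other prompts in this hunk use literal defaults and are not affected.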
@@ -242,8 +261,8 @@ else echo " 7) Google (Anycast: worldwide)" echo " 8) Yandex Basic (Russia)" echo " 9) AdGuard DNS (Russia)" - while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do - read -p "DNS [1-9]: " -e -i 1 DNS + until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do + read -rp "DNS [1-9]: " -e -i 1 DNS done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " @@ -261,8 +280,8 @@ else echo " 5) CAMELLIA-192-CBC" echo " 6) CAMELLIA-256-CBC" echo " 7) SEED-CBC" - while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do - read -p "Cipher [1-7]: " -e -i 1 CIPHER + until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do + read -rp "Cipher [1-7]: " -e -i 1 CIPHER done case $CIPHER in 1) @@ -292,8 +311,8 @@ else echo " 1) 2048 bits (fastest)" echo " 2) 3072 bits (recommended, best compromise)" echo " 3) 4096 bits (most secure)" - while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE + until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do + read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE done case $DH_KEY_SIZE in 1) @@ -311,8 +330,8 @@ else echo " 1) 2048 bits (fastest)" echo " 2) 3072 bits (recommended, best compromise)" echo " 3) 4096 bits (most secure)" - while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do - read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE + until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do + read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE done case $RSA_KEY_SIZE in 1) 
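Review bot: The new loop condition `[[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]` mixes `[[` with the deprecated `-a` operator of `[`, which ShellCheck flags (SC2166); a single pattern `until [[ "$DNS" =~ ^[1-9]$ ]]; do` expresses the same range. The same shape is repeated for CIPHER (`^[1-7]$`), DH_KEY_SIZE and RSA_KEY_SIZE (`^[1-3]$`) in the three following hunks of this patch.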
@@ -329,7 +348,9 @@ else echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" - read -p "Client name: " -e -i client CLIENT + read -rp "Client name: " -e -i client CLIENT + # Remove special characters + CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r') done echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" @@ -437,8 +458,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service echo "Not doing that could cause problems between dependencies, or missing files in repositories." echo "" echo "Continuing will update your installed packages and install needed ones." - while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do - read -p "Continue ? [y/n]: " -e -i y CONTINUE + until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do + read -rp "Continue ? [y/n]: " -e -i y CONTINUE done if [[ "$CONTINUE" = "n" ]]; then echo "Ok, bye !" @@ -472,10 +493,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/EasyRSA-3.0.4.tgz - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/easy-rsa/ || return # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name - SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" + SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars # Create the PKI, set up the CA, the DH params and the server + client certificates 
@@ -494,11 +515,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service # Generate server.conf echo "port $PORT" > /etc/openvpn/server.conf - if [[ "$PROTOCOL" = 'UDP' ]]; then - echo "proto udp" >> /etc/openvpn/server.conf - elif [[ "$PROTOCOL" = 'TCP' ]]; then - echo "proto tcp" >> /etc/openvpn/server.conf - fi + echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf echo "dev tun user nobody group $NOGROUP @@ -519,7 +536,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf RESOLVCONF='/etc/resolv.conf' fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do + grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; @@ -556,7 +573,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; esac -echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf +echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf echo "crl-verify crl.pem ca ca.crt cert $SERVER_NAME.crt @@ -581,12 +598,16 @@ verb 3" >> /etc/openvpn/server.conf if ! grep -q "\" $SYSCTL; then echo 'net.ipv4.ip_forward=1' >> $SYSCTL fi + # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward + # Set NAT for the VPN subnet iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE + # Save persitent iptables rules iptables-save > $IPTABLES + if pgrep firewalld; then # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to 
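Review bot: `echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')"` forks two processes to lowercase a word the script already constrains to `UDP` or `TCP`; since the file relies on bash (`[[ … ]]`, `read -e`), `echo "proto ${PROTOCOL,,}" >> /etc/openvpn/server.conf` does it in-shell (bash 4+). The inner `$PROTOCOL` is also unquoted, which is harmless here only because the earlier `until` loop guarantees a single word.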
@@ -601,6 +622,7 @@ verb 3" >> /etc/openvpn/server.conf firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 fi + if iptables -L -n | grep -qE 'REJECT|DROP'; then # If iptables has at least one REJECT rule, we asume this is needed. # Not the best approach but I can't think of other and this shouldn't @@ -613,8 +635,9 @@ verb 3" >> /etc/openvpn/server.conf iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # Save persitent OpenVPN rules - iptables-save > $IPTABLES + iptables-save > $IPTABLES fi + # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then @@ -631,6 +654,7 @@ verb 3" >> /etc/openvpn/server.conf fi fi fi + # And finally, restart OpenVPN if [[ "$OS" = 'debian' ]]; then # Little hack to check for systemd @@ -663,10 +687,12 @@ verb 3" >> /etc/openvpn/server.conf chkconfig openvpn on fi fi + # If the server is behind a NAT, use the correct IP address if [[ "$PUBLICIP" != "" ]]; then IP=$PUBLICIP fi + # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt if [[ "$PROTOCOL" = 'UDP' ]]; then From 1c7e06ed07b13237a0665d960a1e0592ba2a4105 Mon Sep 17 00:00:00 2001 From: Sam Mingo Date: Sat, 11 Aug 2018 16:33:07 -0400 Subject: [PATCH 04/22] Update README.md (#268) Fixed typos + phrasing --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 21b1a3f..0a2a5cf 100644 --- a/README.md +++ b/README.md 
@@ -40,11 +40,11 @@ When OpenVPN is installed, you can run the script again, and you will get the ch This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install). -I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are unsecure. See [#encryption](#encryption). +I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption). Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork. -The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibilty](#compatibility). +The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility). 
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client. @@ -186,7 +186,7 @@ The [SWEET32 vulnerability page](https://community.openvpn.net/openvpn/wiki/SWEE Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted. -As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an exemple about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477). +As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an example about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477). Currently AES is only available in its CBC mode, which is weaker than GCM. 
@@ -214,7 +214,7 @@ Thus, the best data channel cipher currently available in OpenVPN is `AES-128-CB ### Control channel's cipher -According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is unsecure. +According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is insecure. > The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3: - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 
@@ -230,7 +230,7 @@ Thus, I have chosen `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` as the control channel OpenVPN uses a 2048 bits DH key [by default](https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example#L97). -2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommened today, but 3072 bits is still good. +2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommended today, but 3072 bits is still good. In OpenVPN 2.4, we will be able to use ECDH key. It uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure. From df172b962d40483d9d950bf988e9fef62ea62ad5 Mon Sep 17 00:00:00 2001 From: Jebtrix Date: Sat, 18 Aug 2018 09:57:24 -0400 Subject: [PATCH 05/22] Add option to generate random port in private port range (#229) --- openvpn-install.sh | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 046b319..df5b77d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -236,7 +236,27 @@ else read -rp "IP address: " -e -i $IP IP echo "" echo "What port do you want for OpenVPN?" - read -rp "Port: " -e -i 1194 PORT + echo " 1) Default: 1194" + echo " 2) Custom" + echo " 3) Random [49152-65535]" + until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do + read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE + done + case $PORT_CHOICE in + 1) + PORT="1194" + ;; + 2) + until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do + read -p "Custom port [1-65535]: " -e -i 1194 PORT + done + ;; + 3) + # Generate random number within private ports range + PORT=$(shuf -i49152-65535 -n1) + echo "Random Port: $PORT" + ;; + esac # If $IP is a private IP address, the server must be behind NAT if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then From a0267c994dbe42e543f9e085dedc35587e89cafd Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 18 Aug 2018 16:08:32 +0200 Subject: [PATCH 06/22] Fix License copyright holders --- LICENSE | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index 5b44955..1727729 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,7 @@ -The MIT License (MIT) +MIT License -Copyright (c) 2016 Nyr, Angristan +Copyright (c) 2013 Nyr +Copyright (c) 2016 Angristan (Stanislas Lange) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in From 9ef0bbc47d1890c1e9795e8d4242888e35c423ac Mon Sep 17 00:00:00 2001 From: Angristan <11699655+Angristan@users.noreply.github.com> Date: Sat, 18 Aug 2018 19:40:07 +0200 Subject: [PATCH 07/22] Add password option for clients (#160) --- README.md | 1 + openvpn-install.sh | 38 +++++++++++++++++++++++++++++++++++--- 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0a2a5cf..20fbac4 100644 --- a/README.md +++ b/README.md 
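Review bot: Both new prompts use `read -p` without `-r`, while the rest of this file was just converted to `read -rp`; write `read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE` and `read -rp "Custom port [1-65535]: " -e -i 1194 PORT` so the file stays consistent and ShellCheck (SC2162) stays quiet. The custom-port condition reuses the `[ … -a … ]` form; `[[ "$PORT" =~ ^[0-9]+$ ]] && (( PORT >= 1 && PORT <= 65535 ))` avoids the deprecated operator. Neither the random nor the custom path checks that the chosen port is free, so a collision with an existing listener only surfaces when OpenVPN fails to start much later; a lookup with `ss -lntu` before accepting the value would report it at prompt time, at the cost of an iproute2 dependency to confirm on the supported distros.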
@@ -88,6 +88,7 @@ This fork includes the following features : - [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2) - Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories. - Randomized certificate name +- The ability to create passwordless clients and clients protected with a password - Other improvements ! ## DNS diff --git a/openvpn-install.sh b/openvpn-install.sh index df5b77d..2c0c173 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -113,12 +113,28 @@ if [[ -e /etc/openvpn/server.conf ]]; then case $option in 1) echo "" + echo "Do you want to protect the configuration file with a password?" + echo "(e.g. encrypt the private key with a password)" + echo " 1) Add a passwordless client" + echo " 2) Use a password for the client" + until [[ "$pass" =~ ^[1-2]$ ]]; do + read -rp "Select an option [1-2]: " -e -i 1 pass + done + echo "" echo "Tell me a name for the client cert" echo "Please, use one word only, no special characters" - read -rp "Client name: " -e -i newclient CLIENT + read -rp "Client name: " -e -i newclient CLIENT cd /etc/openvpn/easy-rsa/ || return - ./easyrsa build-client-full $CLIENT nopass + case $pass in + 1) + ./easyrsa build-client-full $CLIENT nopass + ;; + 2) + echo "⚠️ You will be asked for the client password below ⚠️" + ./easyrsa build-client-full $CLIENT + ;; + esac # Generates the custom client.ovpn newclient "$CLIENT" 
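Review bot: The new selector variable `pass` is the only lower-case state variable in this script (`CLIENT`, `PORT`, `DNS`, `CIPHER` are upper-case) and is reused under that name in the `@@ -365` and `@@ -524` hunks of this patch; `PASS` would match the file's convention. In both new `./easyrsa build-client-full $CLIENT` lines the name is unquoted while in this branch it still comes straight from `read -rp "Client name: " -e -i newclient CLIENT` with no validation, so a name containing whitespace is split into several easyrsa arguments; quote it as `"$CLIENT"` (the installer-side copy in `@@ -524` has the same shape). `case $pass in` also has no `*)` arm, so if the variable ever fails to match, no client certificate is built and the following `newclient "$CLIENT"` call still assembles a profile, with `cat` complaining about the missing cert and key files.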
@@ -365,6 +381,14 @@ else ;; esac echo "" + echo "Do you want to protect the configuration file with a password?" + echo "(e.g. encrypt the private key with a password)" + echo " 1) Add a passwordless client" + echo " 2) Use a password for the client" + until [[ "$pass" =~ ^[1-2]$ ]]; do + read -rp "Select an option [1-2]: " -e -i 1 pass + done + echo "" echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" @@ -524,7 +548,15 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service ./easyrsa --batch build-ca nopass openssl dhparam -out dh.pem $DH_KEY_SIZE ./easyrsa build-server-full $SERVER_NAME nopass - ./easyrsa build-client-full $CLIENT nopass + case $pass in + 1) + ./easyrsa build-client-full $CLIENT nopass + ;; + 2) + echo "⚠️ You will be asked for the client password below ⚠️" + ./easyrsa build-client-full $CLIENT + ;; + esac EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # generate tls-auth key openvpn --genkey --secret /etc/openvpn/tls-auth.key From 47c86874dc00ff9d2c638cac2e00ee7333445bf9 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 18 Aug 2018 19:55:36 +0200 Subject: [PATCH 08/22] Update check on the client's name input --- openvpn-install.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2c0c173..658f5a3 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -122,9 +122,11 @@ if [[ -e /etc/openvpn/server.conf ]]; then done echo "" echo "Tell me a name for the client cert" - echo "Please, use one word only, no special characters" + echo "Use one word only, no special characters" + until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do + read -rp "Client name: " -e CLIENT + done - read -rp "Client name: " -e -i newclient CLIENT cd /etc/openvpn/easy-rsa/ || return case $pass in 1) 
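Review bot: The new `until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]` loop constrains the characters (usefully ruling out a leading `-` that could be read as an easyrsa option) but not the name's uniqueness: an existing client name passes, reaches `./easyrsa build-client-full`, which presumably refuses to overwrite `pki/reqs/$CLIENT.req`, and `newclient "$CLIENT"` is still run in the lines below the hunk. Extend the condition, e.g. `until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ && ! -e /etc/openvpn/easy-rsa/pki/reqs/$CLIENT.req ]]; do`, and print why the name was rejected before re-prompting. The installer-side loop in the next hunk starts from a fresh PKI, so it does not need the existence check.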
@@ -390,11 +392,9 @@ else done echo "" echo "Finally, tell me a name for the client certificate and configuration" - while [[ $CLIENT = "" ]]; do - echo "Please, use one word only, no special characters" - read -rp "Client name: " -e -i client CLIENT - # Remove special characters - CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r') + echo "Use one word only, no special characters" + until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do + read -rp "Client name: " -e CLIENT done echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" From 1b18e7f2a7c2104836c00572ee514a9751fe3cec Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 18 Aug 2018 21:47:10 +0200 Subject: [PATCH 09/22] Re-add a default suggestion for the client name But only during the setup, not for additional clients --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 658f5a3..4db321d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -394,7 +394,7 @@ else echo "Finally, tell me a name for the client certificate and configuration" echo "Use one word only, no special characters" until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do - read -rp "Client name: " -e CLIENT + read -rp "Client name: " -e -i client CLIENT done echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" From d8d0bbb5dad57efd0b962d46bdaa7d0ed6319c85 Mon Sep 17 00:00:00 2001 From: Angristan Date: Wed, 22 Aug 2018 22:11:36 +0200 Subject: [PATCH 10/22] Add access logs (log-append) And move log files to /var/log/openvpn. Makes more sense and access logs can be very useful. --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4db321d..7eefd3d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -637,7 +637,8 @@ $CIPHER tls-server tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 -status openvpn.log +status /var/log/openvpn/status.log +log-append /var/log/openvpn/server.log verb 3" >> /etc/openvpn/server.conf # Create the sysctl configuration file if needed (mainly for Arch Linux) From 64f62cf8749ac074017c186a64b1d44e67cf51f4 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 23 Aug 2018 00:40:36 +0200 Subject: [PATCH 11/22] Remove log-append for now and create log dir See https://github.com/Angristan/OpenVPN-install/issues/275 --- openvpn-install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 7eefd3d..2de24c8 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -638,9 +638,11 @@ tls-server tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 status /var/log/openvpn/status.log -log-append /var/log/openvpn/server.log verb 3" >> /etc/openvpn/server.conf +# Create log dir +mkdir -p /var/log/openvpn + # Create the sysctl configuration file if needed (mainly for Arch Linux) if [[ ! -e $SYSCTL ]]; then touch $SYSCTL From c923ad1ea290ea656922b6a95f87ac85ce94c5bd Mon Sep 17 00:00:00 2001 From: Angristan Date: Fri, 24 Aug 2018 23:47:08 +0200 Subject: [PATCH 12/22] Remove link to the old script --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 20fbac4..1480e5f 100644 --- a/README.md +++ b/README.md @@ -268,6 +268,4 @@ You can [say thanks](https://saythanks.io/to/Angristan) if you want! Thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and of course Nyr's orginal work. -[Old repo](https://github.com/Angristan/OpenVPN-install-fork-old) - [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE) From ea40b45b52dfbd2dde753c5437bb8cec06012538 Mon Sep 17 00:00:00 2001 
From: angristan Date: Sun, 2 Sep 2018 22:32:58 +0200 Subject: [PATCH 13/22] Fix /dev/urandom usage on unprivileged LXC containers Fixes https://github.com/angristan/openvpn-install/issues/280 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2de24c8..121a782 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -539,8 +539,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service rm -f ~/EasyRSA-3.0.4.tgz cd /etc/openvpn/easy-rsa/ || return # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name - SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" - SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" + SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars # Create the PKI, set up the CA, the DH params and the server + client certificates From 2997a7e8b6beede80c9386844fc3e5b19d34d8ce Mon Sep 17 00:00:00 2001 From: angristan Date: Wed, 5 Sep 2018 20:20:46 +0200 Subject: [PATCH 14/22] Remove "|| return" --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 121a782..a176779 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -127,7 +127,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then read -rp "Client name: " -e CLIENT done - cd /etc/openvpn/easy-rsa/ || return + cd /etc/openvpn/easy-rsa/ case $pass in 1) ./easyrsa build-client-full $CLIENT nopass 
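Review bot: `head /dev/urandom` is a line-oriented read of a binary stream: it stops after the tenth newline byte, so the amount of data fed to `tr -dc 'a-zA-Z0-9'` varies from run to run and is only probabilistically enough for the 16 characters `fold -w 16 | head -n 1` expects. A byte count makes the bound explicit and still avoids the open-ended `tr < /dev/urandom` read this commit works around: `SERVER_CN="cn_$(head -c 256 /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 16)"`, and the same for `SERVER_NAME`.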
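Review bot: Dropping `|| return` leaves `cd /etc/openvpn/easy-rsa/` unguarded, so if the directory is absent the following `./easyrsa build-client-full $CLIENT nopass` runs from the caller's cwd. `return` was indeed the wrong guard (outside a function it is an error and does not stop the script), but the replacement should be `cd /etc/openvpn/easy-rsa/ || exit 1` rather than nothing, here and in the `@@ -163` and `@@ -537` hunks of this patch.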
@@ -163,7 +163,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) - cd /etc/openvpn/easy-rsa/ || return + cd /etc/openvpn/easy-rsa/ ./easyrsa --batch revoke $CLIENT EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl rm -f pki/reqs/$CLIENT.req @@ -537,7 +537,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/EasyRSA-3.0.4.tgz - cd /etc/openvpn/easy-rsa/ || return + cd /etc/openvpn/easy-rsa/ # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" From 4bf4257cf3e1583b5b38b112f8484d137e345543 Mon Sep 17 00:00:00 2001 From: angristan Date: Wed, 5 Sep 2018 20:26:33 +0200 Subject: [PATCH 15/22] Merge two mv commands --- openvpn-install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a176779..df14a6f 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -533,8 +533,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service # Get easy-rsa wget -O ~/EasyRSA-3.0.4.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz tar xzf ~/EasyRSA-3.0.4.tgz -C ~/ - mv ~/EasyRSA-3.0.4/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ + mv ~/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/EasyRSA-3.0.4.tgz cd /etc/openvpn/easy-rsa/ From 30edb7b76979fae6e20f82d87b1d8dc056bdf3bf Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 7 Sep 2018 13:28:40 +0200 Subject: [PATCH 16/22] Update Vultr price --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
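Review bot: The EasyRSA tarball fetched two lines above the merged `mv` is extracted and installed without any integrity check, so the tooling that will generate the CA and every client certificate rests entirely on the TLS connection to github.com and on the release asset being what you expect. Pin the expected digest and verify before `tar xzf`: `echo "<sha256 of EasyRSA-3.0.4.tgz>  $HOME/EasyRSA-3.0.4.tgz" | sha256sum -c - || exit 1`, with the digest taken from the upstream release, and make the download itself a stop on failure with `wget ... || exit 1`. Separately, `mv ~/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/` nests the directory if `/etc/openvpn/easy-rsa/` already exists, after which the following `cd /etc/openvpn/easy-rsa/` succeeds but finds no `easyrsa` there; a check that the target does not exist before the `mv` avoids that silent misplacement. The enclosing installer `else` branch begins before this hunk.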
diff --git a/README.md b/README.md index 1480e5f..eccb708 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Here is a preview of the installer : **You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit. -You can get a cheap VPS to run this script for $2.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5). +You can get a cheap VPS to run this script for $3.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5). First, get the script and make it executable : From f057e0aa5f0cb9d9eacade8224c0a6d53af09ebe Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Sun, 16 Sep 2018 00:53:33 +0200 Subject: [PATCH 17/22] Add self-hosted DNS resolver (Unbound) --- README.md | 2 +- openvpn-install.sh | 192 ++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 175 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index eccb708..785fb39 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,7 @@ The script will ask you which DNS resolvers you want to use when connected to th Here are the possibilities : - Current system resolvers, those that are in `/etc/resolv.conf` +- Self-hosted resolver thanks to Unbound - [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers) - [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers) - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France) 
@@ -106,7 +107,6 @@ Here are the possibilities : - [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers) - [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia - [AdGuard DNS](https://github.com/AdguardTeam/AdguardDNS), located in Russia, blocks ads and trackers -- Soon : local resolver :D Any other fast, trustable and neutral servers proposition is welcome. diff --git a/openvpn-install.sh b/openvpn-install.sh index df14a6f..2ccd307 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -91,6 +91,109 @@ newclient () { } >> "$homeDir/$1.ovpn" } +function installLocalDNS () { + if [[ ! -e /etc/unbound/unbound.conf ]]; then + + if [[ "$OS" = "debian" ]]; then + apt-get install -y unbound + + echo 'interface: 10.8.0.1 +access-control: 10.8.0.1/24 allow +hide-identity: yes +hide-version: yes +use-caps-for-id: yes +prefetch: yes' >> /etc/unbound/unbound.conf + + elif [[ "$OS" = "centos" ]]; then + yum install -y unbound + + # Configuration + sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf + sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf + sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf + sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf + sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf + + elif [[ "$OS" = "fedora" ]]; then + dnf install -y unbound + + # Configuration + sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf + sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf + sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf + sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf + sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf + + elif [[ "$OS" = "arch" ]]; then + # Install Unbound + pacman -Syu unbound expat + + #Permissions for the DNSSEC keys + chown root:unbound /etc/unbound + chmod 775 /etc/unbound + + # Get root servers list + wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints + + # Configuration + mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old + echo 'server: +root-hints: root.hints +auto-trust-anchor-file: trusted-key.key +interface: 10.8.0.1 +access-control: 10.8.0.1/24 allow +port: 53 +do-daemonize: yes +num-threads: 2 +use-caps-for-id: yes +harden-glue: yes 
+hide-identity: yes +hide-version: yes +qname-minimisation: yes +prefetch: yes' > /etc/unbound/unbound.conf + fi + + if [[ ! "$OS" =~ (fedora|centos) ]];then + # DNS Rebinding fix + echo "private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 + private-address: 192.168.0.0/16 + private-address: 169.254.0.0/16 + private-address: fd00::/8 + private-address: fe80::/10 + private-address: 127.0.0.0/8 + private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf + fi + else + # Unbound is already installed + echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf + + # Add OpenVPN integration + echo 'server: +interface: 10.8.0.1 +access-control: 10.8.0.1/24 allow +hide-identity: yes +hide-version: yes +use-caps-for-id: yes +prefetch: yes +private-address: 10.0.0.0/8 +private-address: 172.16.0.0/12 +private-address: 192.168.0.0/16 +private-address: 169.254.0.0/16 +private-address: fd00::/8 +private-address: fe80::/10 +private-address: 127.0.0.0/8 +private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf + fi + + if pgrep systemd-journal; then + systemctl enable unbound + systemctl start unbound + else + service unbound restart + fi +} + # Get Internet network interface with default route NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) 
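Review bot: In the "Unbound is already installed" path the function ends with `systemctl enable unbound` / `systemctl start unbound`, and `start` is a no-op on a service that is already running, so the freshly written `/etc/unbound/openvpn.conf` is not loaded until something else restarts the resolver; use `systemctl restart unbound` there, as the non-systemd branch already does with `service unbound restart`. Since this path edits a resolver that is already serving the host, run `unbound-checkconf || exit 1` before the restart so a syntax error does not take an existing DNS service down. Two more items in the same function: the Arch branch's `chmod 775 /etc/unbound` makes the whole configuration directory group-writable by `unbound`, which is more than the trust-anchor file needs (point `auto-trust-anchor-file` at a file in a directory the daemon already owns instead); and the Debian branch appends `interface:`/`access-control:` and the `private-address:` lines to `unbound.conf` without a `server:` header, which I believe Unbound's parser rejects unless the file's last clause happens to be `server:` — worth confirming against a stock Debian unbound.conf.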
@@ -225,6 +328,37 @@ if [[ -e /etc/openvpn/server.conf ]]; then done rm -rf /etc/openvpn rm -rf /usr/share/doc/openvpn* + + if [[ -e /etc/unbound/openvpn.conf ]]; then + + # Remove OpenVPN-related config + sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf + rm /etc/unbound/openvpn.conf + service unbound restart + + until [[ $REMOVE_UNBOUND == "y" || $REMOVE_UNBOUND == "n" ]]; do + echo "" + echo "If you were already using Unbound before installing OpenVPN, I removed the configuration related to OpenVPN." + echo "You can keep using Unbound as before." + read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND + done + + if [[ "$REMOVE_UNBOUND" = 'y' ]]; then + if [[ "$OS" = 'debian' ]]; then + apt-get autoremove --purge -y unbound + elif [[ "$OS" = 'arch' ]]; then + pacman -R unbound --noconfirm + else + yum remove unbound -y + fi + + echo "" + echo "Unbound removed!" + else + echo "" + echo "Unbound not removed!" + fi + fi echo "" echo "OpenVPN removed!" else 
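Review bot: The uninstall path only recognises the `openvpn.conf` include that is written when Unbound pre-existed; when the script installed Unbound itself (option 2 on a clean host), the `interface: 10.8.0.1`, `access-control` and `private-address` lines were appended straight to `/etc/unbound/unbound.conf`, so after `rm -rf /etc/openvpn` nothing removes them and the user is never offered package removal. Unbound is then left enabled with a listener bound to an address that disappears with tun0, which is likely to fail at its next restart. Either write the script's own settings to `/etc/unbound/openvpn.conf` with an `include:` line in both install branches, so this single cleanup path covers both, or add the same removal prompt for the appended-lines case. The `sed` that blanks the include line also leaves an empty line behind; `sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf` deletes it cleanly.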
@@ -291,16 +425,33 @@ else echo "" echo "What DNS do you want to use with the VPN?" echo " 1) Current system resolvers (from /etc/resolv.conf)" - echo " 2) Cloudflare (Anycast: worldwide)" - echo " 3) Quad9 (Anycast: worldwide)" - echo " 4) FDN (France)" - echo " 5) DNS.WATCH (Germany)" - echo " 6) OpenDNS (Anycast: worldwide)" - echo " 7) Google (Anycast: worldwide)" - echo " 8) Yandex Basic (Russia)" - echo " 9) AdGuard DNS (Russia)" - until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do - read -rp "DNS [1-9]: " -e -i 1 DNS + echo " 2) Self-hosted DNS Resolver (Unbound)" + echo " 3) Cloudflare (Anycast: worldwide)" + echo " 4) Quad9 (Anycast: worldwide)" + echo " 5) FDN (France)" + echo " 6) DNS.WATCH (Germany)" + echo " 7) OpenDNS (Anycast: worldwide)" + echo " 8) Google (Anycast: worldwide)" + echo " 9) Yandex Basic (Russia)" + echo " 10) AdGuard DNS (Russia)" + until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 10 ]; do + read -rp "DNS [1-10]: " -e -i 1 DNS + if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then + echo "" + echo "Unbound is already installed." + echo "You can allow the script to configure it in order to use it from your OpenVPN clients" + echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet." + echo "No changes are made to the current configuration." + echo "" + + while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do + read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE + done + if [[ $CONTINUE = "n" ]];then + DNS="" + CONTINUE="" + fi + fi done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " 
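Review bot: The Unbound confirmation reuses `CONTINUE`, which the earlier unsupported-OS prompt may already have set to `y`; in that case `while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]` is false on entry, the question is never shown, and the script goes on to modify an existing resolver configuration without the user ever agreeing. Add `unset CONTINUE` immediately before that `while`, or give this prompt its own variable such as `MODIFY_UNBOUND`. The `until` guard `[ "$DNS" -ge 1 -a "$DNS" -le 10 ]` also keeps the deprecated `-a` operator; `[[ "$DNS" -ge 1 && "$DNS" -le 10 ]]` is the bash form the rest of the script already uses.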
@@ -591,35 +742,40 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; - 2) # Cloudflare + 2) + # Install Unbound + installLocalDNS + echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf + ;; + 3) # Cloudflare echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf ;; - 3) # Quad9 + 4) # Quad9 echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf ;; - 4) # FDN + 5) # FDN echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf ;; - 5) # DNS.WATCH + 6) # DNS.WATCH echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf ;; - 6) # OpenDNS + 7) # OpenDNS echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf ;; - 7) # Google + 8) # Google echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf ;; - 8) # Yandex Basic + 9) # Yandex Basic echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf ;; - 9) # AdGuard DNS + 10) # AdGuard DNS echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; From 62380c512b2185f5459816d0d3b26eade5078b61 Mon Sep 17 00:00:00 2001 From: angristan Date: Sun, 16 Sep 2018 01:26:30 +0200 Subject: [PATCH 18/22] Drop CentOS 6 support --- README.md | 1 - openvpn-install.sh | 25 ++++++++++++++++--------- 2 files changed, 16 insertions(+), 10 deletions(-) 
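Review bot: Option 2 pushes `dhcp-option DNS 10.8.0.1`, the same literal that installLocalDNS binds and whitelists, so the resolver only works if the server really hands out 10.8.0.0/24 and the host firewall accepts UDP and TCP 53 on the tunnel interface — neither is visible in this hunk, so please confirm the iptables rules written earlier in the installer include that. Hoisting the address into one variable (`VPN_DNS_IP=10.8.0.1`) used by the `push` line and by the Unbound `interface:`/`access-control:` lines would keep the two from drifting if the subnet is ever made configurable. For Windows clients it is also worth pushing `block-outside-dns` next to the DNS option, since otherwise name resolution may bypass the tunnel and the leak test the README recommends will still show the ISP resolver.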
diff --git a/README.md b/README.md index 785fb39..10fc377 100644 --- a/README.md +++ b/README.md @@ -66,7 +66,6 @@ The script is made to work on these OS and architectures : - **Fedora 25** (amd64) - **Fedora 26** (amd64) - **Fedora 27** (amd64) -- **CentOS 6** (i386, amd64) - **CentOS 7** (i386, amd64, arm64) - **Arch Linux** (i686, amd64, arm64) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2ccd307..fe614bf 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -16,12 +16,6 @@ if [[ ! -e /dev/net/tun ]]; then exit 2 fi -# Check if CentOS 5 -if grep -qs "CentOS release 5" "/etc/redhat-release"; then - echo "CentOS 5 is too old and not supported" - exit 3 -fi - if [[ -e /etc/debian_version ]]; then OS="debian" # Getting the version number, to verify that a recent version of OpenVPN is available @@ -36,10 +30,10 @@ if [[ -e /etc/debian_version ]]; then echo "then you can continue, a recent version of OpenVPN is available on these." echo "Keep in mind they are not supported, though." while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do - read -rp "Continue ? [y/n]: " -e CONTINUE + read -rp "Continue? [y/n]: " -e CONTINUE done if [[ "$CONTINUE" = "n" ]]; then - echo "Ok, bye !" + echo "Ok, bye!" exit 4 fi fi @@ -47,7 +41,20 @@ elif [[ -e /etc/fedora-release ]]; then OS=fedora IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.d/openvpn.conf' -elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release ]]; then +elif [[ -e /etc/centos-release ]]; then + if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then + echo "Your version of CentOS is not supported." + echo "The script only support CentOS 7." + echo "" + unset CONTINUE + while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do + read -rp "Continue anyway? [y/n]: " -e CONTINUE + done + if [[ "$CONTINUE" = "n" ]]; then + echo "Ok, bye!" + exit 5 + fi + fi OS=centos IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' 
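Review bot: Replacing `-e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release` with a test on `/etc/centos-release` alone means hosts that carry only `redhat-release` or `system-release` (RHEL 7, for one) and previously took the CentOS path now fall through to the final unsupported-system exit, which the commit message ("Drop CentOS 6 support") does not mention; if that narrowing is intended, the README's supported-OS list should say so, otherwise keep the redhat-release test and apply the version grep to whichever file is present. The new prompt allows "Continue anyway" on any CentOS other than 7, which re-admits CentOS 6 and, with the CentOS 5 check deleted earlier in this patch, CentOS 5 as well, so the version guard is advisory only — fine if deliberate, but worth a comment saying so. The message text `The script only support CentOS 7.` should read `The script only supports CentOS 7.` in a follow-up.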
From 320944177593087201baf9176077a054f56fe2bb Mon Sep 17 00:00:00 2001 From: angristan Date: Sun, 16 Sep 2018 01:26:37 +0200 Subject: [PATCH 19/22] Better bash --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index fe614bf..dd5a273 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -455,8 +455,8 @@ else read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE done if [[ $CONTINUE = "n" ]];then - DNS="" - CONTINUE="" + unset DNS + unset CONTINUE fi fi done From 8a5de575b7b177f51b2c37d3f473a77ab4f8d29a Mon Sep 17 00:00:00 2001 From: angristan Date: Sun, 16 Sep 2018 01:29:04 +0200 Subject: [PATCH 20/22] Drop Debian 7 support Debian 7 is EOL and I can't test it on cloud providers anymore --- README.md | 1 - openvpn-install.sh | 8 +------- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/README.md b/README.md index 10fc377..323d897 100644 --- a/README.md +++ b/README.md @@ -56,7 +56,6 @@ On the client-side, it's less problematic, but if you want to use an OpenVPN ser The script is made to work on these OS and architectures : -- **Debian 7** (i386, amd64) - **Debian 8** (i386, amd64) - **Debian 9** (i386, amd64, armhf, arm64) - **Ubuntu 14.04 LTS** (i386, amd64) diff --git a/openvpn-install.sh b/openvpn-install.sh index dd5a273..9605b83 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -22,7 +22,7 @@ if [[ -e /etc/debian_version ]]; then VERSION_ID=$(grep "VERSION_ID" /etc/os-release) IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' - if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then + if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install a recent version of OpenVPN on your system." echo "" @@ -561,12 +561,6 @@ else if [[ "$OS" = 'debian' ]]; then apt-get install ca-certificates gnupg -y # We add the OpenVPN repo to get the latest version. - # Debian 7 - if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - - apt-get update - fi # Debian 8 if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list From f6c9a63e384a5f66d419796e50ce1fe487c3b04d Mon Sep 17 00:00:00 2001 From: angristan Date: Sun, 16 Sep 2018 01:34:01 +0200 Subject: [PATCH 21/22] Drop support for Arch Linux Arch Linux isn't very used and is not available on cloud providers. I cannot test it easily so it is a burden to maintain for me --- README.md | 1 - openvpn-install.sh | 70 ++++------------------------------------------ 2 files changed, 5 insertions(+), 66 deletions(-) 
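Review bot: The updated allow-list still accepts `VERSION_ID="17.10"`, but Ubuntu 17.10 reached end of life in July 2018, before this commit, so a host matching it no longer receives security updates for the OpenVPN and OpenSSL packages the installer depends on; by the same reasoning that drops Debian 7 here, 17.10 should go too, or at least be routed through the "continue at your own risk" prompt. The comparison chain would also be easier to keep current as a single pattern, e.g. `if [[ ! "$VERSION_ID" =~ ^VERSION_ID=\"(8|9|14\.04|16\.04|18\.04)\"$ ]]; then`, which removes five repeated `&&` clauses. The `if` body continues outside the hunk.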
diff --git a/README.md b/README.md index 323d897..e089b09 100644 --- a/README.md +++ b/README.md @@ -66,7 +66,6 @@ The script is made to work on these OS and architectures : - **Fedora 26** (amd64) - **Fedora 27** (amd64) - **CentOS 7** (i386, amd64, arm64) -- **Arch Linux** (i686, amd64, arm64) (It should also work on Debian unstable/testing and Ubuntu beta). diff --git a/openvpn-install.sh b/openvpn-install.sh index 9605b83..aeb20ea 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux +# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Fedora # https://github.com/Angristan/OpenVPN-install @@ -58,12 +58,8 @@ elif [[ -e /etc/centos-release ]]; then OS=centos IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' -elif [[ -e /etc/arch-release ]]; then - OS=arch - IPTABLES='/etc/iptables/iptables.rules' - SYSCTL='/etc/sysctl.d/openvpn.conf' else - echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" + echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora or CentOS system" exit 4 fi 
@@ -130,34 +126,6 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - - elif [[ "$OS" = "arch" ]]; then - # Install Unbound - pacman -Syu unbound expat - - #Permissions for the DNSSEC keys - chown root:unbound /etc/unbound - chmod 775 /etc/unbound - - # Get root servers list - wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints - - # Configuration - mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old - echo 'server: -root-hints: root.hints -auto-trust-anchor-file: trusted-key.key -interface: 10.8.0.1 -access-control: 10.8.0.1/24 allow -port: 53 -do-daemonize: yes -num-threads: 2 -use-caps-for-id: yes -harden-glue: yes -hide-identity: yes -hide-version: yes -qname-minimisation: yes -prefetch: yes' > /etc/unbound/unbound.conf fi if [[ ! "$OS" =~ (fedora|centos) ]];then @@ -322,8 +290,6 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi if [[ "$OS" = 'debian' ]]; then apt-get autoremove --purge -y openvpn - elif [[ "$OS" = 'arch' ]]; then - pacman -R openvpn --noconfirm else yum remove openvpn -y fi @@ -353,8 +319,6 @@ if [[ -e /etc/openvpn/server.conf ]]; then if [[ "$REMOVE_UNBOUND" = 'y' ]]; then if [[ "$OS" = 'debian' ]]; then apt-get autoremove --purge -y unbound - elif [[ "$OS" = 'arch' ]]; then - pacman -R unbound --noconfirm else yum remove unbound -y fi 
@@ -646,30 +610,6 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service systemctl disable firewalld systemctl mask firewalld fi - else - # Else, the distro is ArchLinux - echo "" - echo "" - echo "As you're using ArchLinux, I need to update the packages on your system to install those I need." - echo "Not doing that could cause problems between dependencies, or missing files in repositories." - echo "" - echo "Continuing will update your installed packages and install needed ones." - until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do - read -rp "Continue ? [y/n]: " -e -i y CONTINUE - done - if [[ "$CONTINUE" = "n" ]]; then - echo "Ok, bye !" - exit 4 - fi - - if [[ "$OS" = 'arch' ]]; then - # Install dependencies - pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm - iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist - systemctl daemon-reload - systemctl enable iptables - systemctl start iptables - fi fi # Find out if the machine uses nogroup or nobody for the permissionless group if grep -qs "^nogroup:" /etc/group; then @@ -799,7 +739,7 @@ verb 3" >> /etc/openvpn/server.conf # Create log dir mkdir -p /var/log/openvpn - # Create the sysctl configuration file if needed (mainly for Arch Linux) + # Create the sysctl configuration file if needed if [[ ! -e $SYSCTL ]]; then touch $SYSCTL fi @@ -882,8 +822,8 @@ mkdir -p /var/log/openvpn fi else if pgrep systemd-journal; then - if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then - #Workaround to avoid rewriting the entire script for Arch & Fedora + if [[ "$OS" = 'fedora' ]]; then + # Workaround to avoid rewriting the entire script for Fedora sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service systemctl daemon-reload From 019da89be993b99fb99a7811e913b97d0840f319 Mon Sep 17 00:00:00 2001 
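Review bot: The branch kept for Fedora still edits `/usr/lib/systemd/system/openvpn-server@.service` in place with `sed -i`; that file is owned by the openvpn package and is restored on every package update, silently undoing the `/etc/openvpn` and `server.conf` rewrites and leaving the unit pointing at a config the script never wrote. Put the override under `/etc/systemd/system/` instead — either copy the unit there before applying the two `sed` edits, or write a drop-in `/etc/systemd/system/openvpn-server@.service.d/override.conf` that clears and resets whichever directives the `sed` lines rewrite. The `if pgrep systemd-journal` and its enclosing `else` begin before the hunk, and the `systemctl` calls that follow `daemon-reload` continue after it.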
From: angristan Date: Sun, 16 Sep 2018 01:49:39 +0200 Subject: [PATCH 22/22] Update Fedora compatibility Remove EOL --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index e089b09..6edd1c2 100644 --- a/README.md +++ b/README.md @@ -62,9 +62,8 @@ The script is made to work on these OS and architectures : - **Ubuntu 16.04 LTS** (i386, amd64, armhf) - **Ubuntu 17.10** (i386, amd64, armhf, arm64) - **Ubuntu 18.04 LTS** (i386, amd64, armhf, arm64) -- **Fedora 25** (amd64) -- **Fedora 26** (amd64) - **Fedora 27** (amd64) +- **Fedora 28** (amd64) - **CentOS 7** (i386, amd64, arm64) (It should also work on Debian unstable/testing and Ubuntu beta).