Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into openvpn-2.4-update

Browse source
This commit is contained in:
Angristan 2017-11-12 23:07:38 +01:00 committed by GitHub
commit 2144fb03cc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 103 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
README.md
View file

@ -1,4 +1,4 @@
## OpenVPN-install # OpenVPN-install
Secure OpenVPN installer for Debian, Ubuntu, CentOS and Arch Linux. Secure OpenVPN installer for Debian, Ubuntu, CentOS and Arch Linux.
This script will let you setup your own secure VPN server in just a few minutes. This script will let you setup your own secure VPN server in just a few minutes.
@ -46,7 +46,9 @@ The only drawback is that you need to use a recent version of OpenVPN, because s
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client. On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client.
**TL;DR**, this script is relatively secure, and you can just press enter in the setup. **TL;DR**, this script is relatively secure, and you can just press enter in the setup.
**[A Pull Request](https://github.com/Angristan/OpenVPN-install/pull/96) is currently being worked on to implement the latest OpenVPN 2.4 features.**
## Compatibility ## Compatibility
@ -97,6 +99,7 @@ Here are the possibilities :
- [OpenDNS](https://en.wikipedia.org/wiki/OpenDNS), not recommened but fast wordlwide (Anycast servers) - [OpenDNS](https://en.wikipedia.org/wiki/OpenDNS), not recommened but fast wordlwide (Anycast servers)
- [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers) - [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers)
- [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia - [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia
- [AdGuard DNS](https://github.com/AdguardTeam/AdguardDNS), located in Russia, blocks ads and trackers
- Soon : local resolver :D - Soon : local resolver :D
Any other fast, trustable and neutral servers proposition is welcome. Any other fast, trustable and neutral servers proposition is welcome.

147
openvpn-install.sh
View file

@ -23,7 +23,7 @@ if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
# Getting the version number, to verify that a recent version of OpenVPN is available # Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported." echo "Your version of Debian/Ubuntu is not supported."
@ -42,13 +42,11 @@ if [[ -e /etc/debian_version ]]; then
fi fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos OS=centos
RCLOCAL='/etc/rc.d/rc.local' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
# Needed for CentOS 7
chmod +x /etc/rc.d/rc.local
elif [[ -e /etc/arch-release ]]; then elif [[ -e /etc/arch-release ]]; then
OS=arch OS=arch
RCLOCAL='/etc/rc.local' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf' SYSCTL='/etc/sysctl.d/openvpn.conf'
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
@ -95,7 +93,7 @@ if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com) IP=$(wget -qO- ipv4.icanhazip.com)
fi fi
# Get Internet network interface with default route # Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)') NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
if [[ -e /etc/openvpn/server.conf ]]; then if [[ -e /etc/openvpn/server.conf ]]; then
while : while :
@ -168,11 +166,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then if iptables -L -n | grep -qE 'REJECT|DROP'; then
sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL if [[ "$PROTOCOL" = 'udp' ]]; then
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL iptables -D INPUT -p udp --dport $PORT -j ACCEPT
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL else
iptables -D INPUT -p tcp --dport $PORT -j ACCEPT
fi
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables-save > $IPTABLES
fi fi
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
iptables-save > $IPTABLES
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then if [[ "$PORT" != '1194' ]]; then
@ -238,8 +241,9 @@ else
echo " 4) OpenDNS (Anycast: worldwide)" echo " 4) OpenDNS (Anycast: worldwide)"
echo " 5) Google (Anycast: worldwide)" echo " 5) Google (Anycast: worldwide)"
echo " 6) Yandex Basic (Russia)" echo " 6) Yandex Basic (Russia)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" ]]; do echo " 7) AdGuard DNS (Russia)"
read -p "DNS [1-6]: " -e -i 1 DNS while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" ]]; do
read -p "DNS [1-7]: " -e -i 1 DNS
done done
echo "" echo ""
echo "Choose which compression algorithm you want to use:" echo "Choose which compression algorithm you want to use:"
@ -514,9 +518,73 @@ else
# The we install OpenVPN # The we install OpenVPN
apt-get update apt-get update
apt-get install openvpn iptables openssl wget ca-certificates curl -y apt-get install openvpn iptables openssl wget ca-certificates curl -y
# Install iptables service
if [[ ! -e /etc/systemd/system/iptables.service ]]; then
mkdir /etc/iptables
iptables-save > /etc/iptables/iptables.rules
echo "#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
chmod +x /etc/iptables/flush-iptables.sh
echo "[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
systemctl daemon-reload
systemctl enable iptables.service
fi
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" = 'centos' ]]; then
yum install epel-release -y yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y yum install openvpn iptables openssl wget ca-certificates curl -y
# Install iptables service
if [[ ! -e /etc/systemd/system/iptables.service ]]; then
mkdir /etc/iptables
iptables-save > /etc/iptables/iptables.rules
echo "#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
chmod +x /etc/iptables/flush-iptables.sh
echo "[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
systemctl daemon-reload
systemctl enable iptables.service
# Disable firewalld to allow iptables to start upon reboot
systemctl disable firewalld
fi
else else
# Else, the distro is ArchLinux # Else, the distro is ArchLinux
echo "" echo ""
@ -532,30 +600,12 @@ else
echo "Ok, bye !" echo "Ok, bye !"
exit 4 exit 4
fi fi
if [[ "$OS" = 'arch' ]]; then if [[ "$OS" = 'arch' ]]; then
# Install rc.local # Install dependencies
echo "[Unit] pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
Description=/etc/rc.local compatibility iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist
systemctl daemon-reload
[Service]
Type=oneshot
ExecStart=/etc/rc.local
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
chmod +x /etc/rc.local
systemctl enable rc-local.service
if ! grep '#!' $RCLOCAL; then
echo "#!/bin/bash" > $RCLOCAL
fi
fi
# Install dependencies
pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
if [[ "$OS" = 'arch' ]]; then
touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
systemctl enable iptables systemctl enable iptables
systemctl start iptables systemctl start iptables
fi fi
@ -566,9 +616,9 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup NOGROUP=nogroup
else else
NOGROUP=nobody NOGROUP=nobody
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
@ -658,6 +708,10 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
;; ;;
7) #AdGuard DNS
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem echo "crl-verify crl.pem
@ -697,15 +751,10 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
# Needed to use rc.local with some systemd distros
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
echo '#!/bin/sh -e
exit 0' > $RCLOCAL
fi
chmod +x $RCLOCAL
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL # Save persitent iptables rules
iptables-save > $IPTABLES
if pgrep firewalld; then if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with # We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to # the default port. Using both permanent and not permanent rules to
@ -797,10 +846,10 @@ verb 3" >> /etc/openvpn/server.conf
echo "" echo ""
echo "Looks like your server is behind a NAT!" echo "Looks like your server is behind a NAT!"
echo "" echo ""
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router)," echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
echo "then I need to know the address that can be used to access it from outside." echo "then I need to know the address that can be used to access it from outside."
echo "If that's not the case, just ignore this and leave the next field blank" echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP or domain name: " -e USEREXTERNALIP read -p "External IP or domain name: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP IP=$USEREXTERNALIP
fi fi
@ -835,4 +884,4 @@ verb 3" >> /etc/openvpn/client-template.txt
echo "Your client config is available at $homeDir/$CLIENT.ovpn" echo "Your client config is available at $homeDir/$CLIENT.ovpn"
echo "If you want to add more clients, you simply need to run this script another time!" echo "If you want to add more clients, you simply need to run this script another time!"
fi fi
exit 0; exit 0;