From 974b80dbc1bb03e18f0b7f9deabeb3c664befb4e Mon Sep 17 00:00:00 2001
From: angristan
Date: Mon, 17 Sep 2018 18:05:51 +0200
Subject: [PATCH 1/4] Remove unused variables
---
 openvpn-install.sh | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index dca1d3f..f4e7acf 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -20,7 +20,6 @@ if [[ -e /etc/debian_version ]]; then
 OS="debian"
 # Getting the version number, to verify that a recent version of OpenVPN is available
 VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
- IPTABLES='/etc/iptables/iptables.rules'
 if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
 echo "Your version of Debian/Ubuntu is not supported."
 echo "I can't install a recent version of OpenVPN on your system."
@@ -38,7 +37,6 @@ if [[ -e /etc/debian_version ]]; then
 fi
 elif [[ -e /etc/fedora-release ]]; then
 OS=fedora
- IPTABLES='/etc/iptables/iptables.rules'
 elif [[ -e /etc/centos-release ]]; then
 if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then
 echo "Your version of CentOS is not supported."
@@ -54,7 +52,6 @@ elif [[ -e /etc/centos-release ]]; then
 fi
 fi
 OS=centos
- IPTABLES='/etc/iptables/iptables.rules'
 else
 echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora or CentOS system"
 exit 4
From d3974220ef1cdac141bfcaa67c8c4e31581a892a Mon Sep 17 00:00:00 2001
From: angristan
Date: Tue, 18 Sep 2018 12:37:07 +0200
Subject: [PATCH 2/4] Fix public interface in iptables rules
---
 openvpn-install.sh | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index f4e7acf..f4c8ac1 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -545,42 +545,42 @@ else
 # Script to add rules
 echo "#!/bin/sh
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
 iptables -A INPUT -i tun0 -j ACCEPT
-iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
-iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
+iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
+iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
 if [[ "$PROTOCOL" = 'UDP' ]]; then
- echo "iptables -A INPUT -i eth0 -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ echo "iptables -A INPUT -i $NIC -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
 elif [[ "$PROTOCOL" = 'TCP' ]]; then
- echo "iptables -A INPUT -i eth0 -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ echo "iptables -A INPUT -i $NIC -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
 fi
 if [[ "$IPV6" = 'y' ]]; then
- echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o eth0 -j MASQUERADE
+ echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -A INPUT -i tun0 -j ACCEPT
-ip6tables -A FORWARD -i eth0 -o tun0 -j ACCEPT
-ip6tables -A FORWARD -i tun0 -o eth0 -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
+ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
 fi
 # Script to remove rules
 echo "#!/bin/sh
-iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
 iptables -D INPUT -i tun0 -j ACCEPT
-iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
-iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
+iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
+iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
 if [[ "$PROTOCOL" = 'UDP' ]]; then
- echo "iptables -D INPUT -i eth0 -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+ echo "iptables -D INPUT -i $NIC -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
 elif [[ "$PROTOCOL" = 'TCP' ]]; then
- echo "iptables -D INPUT -i eth0 -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+ echo "iptables -D INPUT -i $NIC -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
 fi
 if [[ "$IPV6" = 'y' ]]; then
- echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o eth0 -j MASQUERADE
+ echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -D INPUT -i tun0 -j ACCEPT
-ip6tables -D FORWARD -i eth0 -o tun0 -j ACCEPT
-ip6tables -D FORWARD -i tun0 -o eth0 -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
+ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
 fi
 chmod +x /etc/iptables/add-openvpn-rules.sh
From 1cd80a5cc743651e12e295c3d6d44f834f310dbf Mon Sep 17 00:00:00 2001
From: angristan
Date: Tue, 18 Sep 2018 14:26:00 +0200
Subject: [PATCH 3/4] Add Hetzner/IPv6 to FAQ
---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index c4a3f32..ffa1fb6 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,12 @@ You can, of course, it's even recommended, update the `openvpn` package with you
 ---
+**Q:** IPv6 is not working on my Hetzner VM
+
+**A:** This an issue on their side. See [issue #295](https://github.com/angristan/openvpn-install/issues/295).
+
+---
+
 ## Encryption
 The main reason why I made this fork is to improve the encryption. Indeed, OpenVPN's default parameters are weak (and that's what [Nyr's script](https://github.com/Nyr/openvpn-install) uses).
From 136a46874e6575fe6da373cc2b4591b94bcf79ad Mon Sep 17 00:00:00 2001
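Review bot: `$NIC` is expanded into both generated rule scripts without a non-empty check; if the interface detection (outside this hunk) produced nothing, the written line reads `iptables -A INPUT -i -p udp --dport $PORT -j ACCEPT`, which iptables rejects or mis-parses, so the host ends up with partial or no NAT while the installer continues as if every rule applied. A guard before the first `echo`, e.g. `: "${NIC:?could not detect the public network interface}"`, fails early with a clear message. Because the value is baked into a `#!/bin/sh` script that is presumably executed as root by a unit defined elsewhere, it is also worth restricting it to an interface-name shape, `[[ "$NIC" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1`, so a stray shell metacharacter in the detected name can never reach that script; `$PORT` predates this change but has the same property.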
From: Stanislas
Date: Tue, 18 Sep 2018 14:55:00 +0200
Subject: [PATCH 4/4] Rework and cleanup systemd service handling (#294)
* Don't hardcode server.conf in systemd service
* Rework and cleanup service handling
---
 openvpn-install.sh | 46 ++++++++++++++++------------------------------
 1 file changed, 16 insertions(+), 30 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index f4c8ac1..a2ca315 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -781,37 +781,23 @@ verb 3" >> /etc/openvpn/server.conf
 fi
 fi
- # And finally, restart OpenVPN
- if [[ "$OS" = 'debian' ]]; then
- # Little hack to check for systemd
- if pgrep systemd-journal; then
- #Workaround to fix OpenVPN service on OpenVZ
- sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn\@.service
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn\@.service
- sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn\@.service
- systemctl daemon-reload
- systemctl restart openvpn
- systemctl enable openvpn
- else
- /etc/init.d/openvpn restart
- fi
+ # Finally, restart and enable OpenVPN
+ if [[ "$OS" = 'fedora' ]]; then
+ # Workaround to fix OpenVPN service on OpenVZ
+ sed -i 's|LimitNPROC|#LimitNPROC|' /usr/lib/systemd/system/openvpn-server@.service
+ # Another workaround to keep using /etc/openvpn/
+ sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
+ systemctl daemon-reload
+ systemctl restart openvpn-server@server
+ systemctl enable openvpn-server@server
 else
- if pgrep systemd-journal; then
- if [[ "$OS" = 'fedora' ]]; then
- # Workaround to avoid rewriting the entire script for Fedora
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
- sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
- systemctl daemon-reload
- systemctl restart openvpn-server@openvpn.service
- systemctl enable openvpn-server@openvpn.service
- else
- systemctl restart openvpn@server.service
- systemctl enable openvpn@server.service
- fi
- else
- service openvpn restart
- chkconfig openvpn on
- fi
+ # Workaround to fix OpenVPN service on OpenVZ
+ sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn\@.service
+ # Another workaround to keep using /etc/openvpn/
+ sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn\@.service
+ systemctl daemon-reload
+ systemctl restart openvpn@server
+ systemctl enable openvpn@server
 fi
 # If the server is behind a NAT, use the correct IP address
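Review bot: Both branches now rewrite the vendor unit in place with `sed -i` under /lib/systemd/system and /usr/lib/systemd/system, which the next package upgrade overwrites, silently reverting the LimitNPROC and /etc/openvpn/server workarounds; a drop-in survives upgrades and is easier to audit, e.g. `mkdir -p /etc/systemd/system/openvpn@.service.d` followed by `printf '[Service]\nLimitNPROC=infinity\n' > /etc/systemd/system/openvpn@.service.d/override.conf`, with whichever directive the second sed currently rewrites (presumably a WorkingDirectory or ExecStart path) added alongside, and openvpn-server@.service.d for the Fedora branch. Note that the Fedora branch now comments out LimitNPROC on every host rather than only on OpenVZ, which drops a process limit the packaged unit sets; gating it on an OpenVZ indicator such as `[[ -e /proc/user_beancounters ]]` keeps that limit elsewhere. The exit status of `systemctl restart` is also unchecked in both branches, so a server.conf that OpenVPN refuses to load still lets the installer continue past this point and finish as if the service were up; `systemctl restart openvpn@server || exit 1` (and the same for openvpn-server@server) would surface it.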