added gentoo and openrc support

This commit is contained in:
r7l 2019-09-02 22:31:14 +02:00
parent bc109db04f
commit 599236e640


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Arch Linux and Gentoo Linux
# https://github.com/angristan/openvpn-install # https://github.com/angristan/openvpn-install
function isRoot () { function isRoot () {
@ -9,6 +9,12 @@ function isRoot () {
fi fi
} }
function isSystemD () {
if [ ! -e /bin/systemctl ]; then
return 1
fi
}
function tunAvailable () { function tunAvailable () {
if [ ! -e /dev/net/tun ]; then if [ ! -e /dev/net/tun ]; then
return 1 return 1
@ -16,6 +22,7 @@ function tunAvailable () {
} }
function checkOS () { function checkOS () {
OPENVPN_CONF="/etc/openvpn/server.conf"
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
source /etc/os-release source /etc/os-release
@ -76,6 +83,11 @@ function checkOS () {
OS=fedora OS=fedora
elif [[ -e /etc/arch-release ]]; then elif [[ -e /etc/arch-release ]]; then
OS=arch OS=arch
elif [[ -e /etc/gentoo-release ]]; then
OS=gentoo
if ! isSystemD; then
OPENVPN_CONF="/etc/openvpn/openvpn.conf"
fi
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
exit 1 exit 1
@ -94,6 +106,38 @@ function initialCheck () {
checkOS checkOS
} }
function initSystem () {
local OPTION=$1
local APPLICATION=$2
if isSystemD; then
if [ "$OPTION" = "reload" ]; then
systemctl daemon-reload
elif [ "$OPTION" = "enable" ]; then
systemctl enable $APPLICTION
elif [ "$OPTION" = "disable" ]; then
systemctl disable $APPLICTION
elif [ "$OPTION" = "start" ]; then
systemctl start $APPLICTION
elif [ "$OPTION" = "stop" ]; then
systemctl stop $APPLICTION
fi
else
if [ "$OPTION" = "enable" ]; then
rc-update add $APPLICATION
elif [ "$OPTION" = "disable" ]; then
rc-update del $APPLICATION
elif [ "$OPTION" = "start" ]; then
/etc/init.d/$APPLICATION start
elif [ "$OPTION" = "stop" ]; then
/etc/init.d/$APPLICATION stop
fi
fi
}
function installUnbound () { function installUnbound () {
if [[ ! -e /etc/unbound/unbound.conf ]]; then if [[ ! -e /etc/unbound/unbound.conf ]]; then
@ -153,6 +197,8 @@ prefetch: yes' >> /etc/unbound/unbound.conf
hide-version: yes hide-version: yes
qname-minimisation: yes qname-minimisation: yes
prefetch: yes' > /etc/unbound/unbound.conf prefetch: yes' > /etc/unbound/unbound.conf
elif [[ "$OS" = "gentoo" ]]; then
emerge net-dns/unbound
fi fi
if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
@ -187,8 +233,8 @@ private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
fi fi
systemctl enable unbound initSystem enable unbound
systemctl restart unbound initSystem restart unbound
} }
function installQuestions () { function installQuestions () {
@ -630,6 +676,8 @@ function installOpenVPN () {
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" = 'arch' ]]; then
# Install required dependencies and upgrade the system # Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'gentoo' ]]; then
emerge openvpn
fi fi
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
@ -705,11 +753,11 @@ function installOpenVPN () {
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
# Generate server.conf # Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf echo "port $PORT" > $OPENVPN_CONF
if [[ "$IPV6_SUPPORT" = 'n' ]]; then if [[ "$IPV6_SUPPORT" = 'n' ]]; then
echo "proto $PROTOCOL" >> /etc/openvpn/server.conf echo "proto $PROTOCOL" >> $OPENVPN_CONF
elif [[ "$IPV6_SUPPORT" = 'y' ]]; then elif [[ "$IPV6_SUPPORT" = 'y' ]]; then
echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf echo "proto ${PROTOCOL}6" >> $OPENVPN_CONF
fi fi
echo "dev tun echo "dev tun
@ -720,7 +768,7 @@ persist-tun
keepalive 10 120 keepalive 10 120
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf ifconfig-pool-persist ipp.txt" >> $OPENVPN_CONF
# DNS resolvers # DNS resolvers
case $DNS in case $DNS in
@ -734,56 +782,56 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> $OPENVPN_CONF
done done
;; ;;
2) 2)
echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 10.8.0.1"' >> $OPENVPN_CONF
;; ;;
3) # Cloudflare 3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.1.1.1"' >> $OPENVPN_CONF
;; ;;
4) # Quad9 4) # Quad9
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.9"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.112"' >> $OPENVPN_CONF
;; ;;
5) # Quad9 uncensored 5) # Quad9 uncensored
echo 'push "dhcp-option DNS 9.9.9.10"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.10"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 149.112.112.10"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.10"' >> $OPENVPN_CONF
;; ;;
6) # FDN 6) # FDN
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.40"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >> $OPENVPN_CONF
;; ;;
7) # DNS.WATCH 7) # DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.69.80"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.70.40"' >> $OPENVPN_CONF
;; ;;
8) # OpenDNS 8) # OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> $OPENVPN_CONF
;; ;;
9) # Google 9) # Google
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> $OPENVPN_CONF
;; ;;
10) # Yandex Basic 10) # Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.8"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >> $OPENVPN_CONF
;; ;;
11) # AdGuard DNS 11) # AdGuard DNS
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >> $OPENVPN_CONF
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> $OPENVPN_CONF
;; ;;
12) # Custom DNS 12) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS1\"" >> $OPENVPN_CONF
if [[ "$DNS2" != "" ]]; then if [[ "$DNS2" != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS2\"" >> $OPENVPN_CONF
fi fi
;; ;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> $OPENVPN_CONF
# IPv6 network settings if needed # IPv6 network settings if needed
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" = 'y' ]]; then
@ -791,26 +839,26 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
tun-ipv6 tun-ipv6
push tun-ipv6 push tun-ipv6
push "route-ipv6 2000::/3" push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf push "redirect-gateway ipv6"' >> $OPENVPN_CONF
fi fi
if [[ $COMPRESSION_ENABLED == "y" ]]; then if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf echo "compress $COMPRESSION_ALG" >> $OPENVPN_CONF
fi fi
if [[ $DH_TYPE == "1" ]]; then if [[ $DH_TYPE == "1" ]]; then
echo "dh none" >> /etc/openvpn/server.conf echo "dh none" >> $OPENVPN_CONF
echo "ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf echo "ecdh-curve $DH_CURVE" >> $OPENVPN_CONF
elif [[ $DH_TYPE == "2" ]]; then elif [[ $DH_TYPE == "2" ]]; then
echo "dh dh.pem" >> /etc/openvpn/server.conf echo "dh dh.pem" >> $OPENVPN_CONF
fi fi
case $TLS_SIG in case $TLS_SIG in
1) 1)
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf echo "tls-crypt tls-crypt.key 0" >> $OPENVPN_CONF
;; ;;
2) 2)
echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf echo "tls-auth tls-auth.key 0" >> $OPENVPN_CONF
;; ;;
esac esac
@ -825,7 +873,7 @@ tls-server
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
status /var/log/openvpn/status.log status /var/log/openvpn/status.log
verb 3" >> /etc/openvpn/server.conf verb 3" >> $OPENVPN_CONF
# Create log dir # Create log dir
mkdir -p /var/log/openvpn mkdir -p /var/log/openvpn
@ -861,14 +909,17 @@ verb 3" >> /etc/openvpn/server.conf
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi fi
systemctl daemon-reload initSystem reload
systemctl restart openvpn-server@server initSystem restart openvpn-server@server
systemctl enable openvpn-server@server initSystem enable openvpn-server@server
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo # On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service # This package uses a sysvinit service
systemctl enable openvpn initSystem enable openvpn
systemctl start openvpn initSystem start openvpn
elif [[ "$OS" == "gentoo" ]]; then
initSystem enable openvpn
initSystem start openvpn
else else
# Don't modify package-provided service # Don't modify package-provided service
cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
@ -878,9 +929,9 @@ verb 3" >> /etc/openvpn/server.conf
# Another workaround to keep using /etc/openvpn/ # Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
systemctl daemon-reload initSystem reload
systemctl restart openvpn@server initSystem restart openvpn@server
systemctl enable openvpn@server initSystem enable openvpn@server
fi fi
if [[ $DNS == 2 ]];then if [[ $DNS == 2 ]];then
@ -888,7 +939,9 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
# Add iptables rules in two scripts # Add iptables rules in two scripts
mkdir /etc/iptables if [ ! -e /etc/iptables ]; then
mkdir /etc/iptables
fi
# Script to add rules # Script to add rules
echo "#!/bin/sh echo "#!/bin/sh
@ -923,6 +976,8 @@ ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rule
chmod +x /etc/iptables/add-openvpn-rules.sh chmod +x /etc/iptables/add-openvpn-rules.sh
chmod +x /etc/iptables/rm-openvpn-rules.sh chmod +x /etc/iptables/rm-openvpn-rules.sh
if isSystemD; then
# Handle the rules via a systemd script # Handle the rules via a systemd script
echo "[Unit] echo "[Unit]
Description=iptables rules for OpenVPN Description=iptables rules for OpenVPN
@ -938,10 +993,37 @@ RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
else
cat > /etc/init.d/iptables-openvpn << ENDOFFILE
#!/sbin/openrc-run
INSTANCE_NAME="Iptables for OpenVPN"
description="IPTables for OpenVPN"
start() {
ebegin "Starting $INSTANCE_NAME"
/etc/iptables/add-openvpn-rules.sh
eend $?
}
stop() {
ebegin "Stopping $INSTANCE_NAME"
/etc/iptables/rm-openvpn-rules.sh
eend $?
}
ENDOFFILE
chmod +x /etc/init.d/iptables-openvpn
fi
# Enable service and apply rules # Enable service and apply rules
systemctl daemon-reload initSystem reload
systemctl enable iptables-openvpn initSystem enable iptables-openvpn
systemctl start iptables-openvpn initSystem start iptables-openvpn
# If the server is behind a NAT, use the correct IP address for the clients to connect to # If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ "$ENDPOINT" != "" ]]; then if [[ "$ENDPOINT" != "" ]]; then
@ -1021,9 +1103,9 @@ function newClient () {
fi fi
# Determine if we use tls-auth or tls-crypt # Determine if we use tls-auth or tls-crypt
if grep -qs "^tls-crypt" /etc/openvpn/server.conf; then if grep -qs "^tls-crypt" $OPENVPN_CONF; then
TLS_SIG="1" TLS_SIG="1"
elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then elif grep -qs "^tls-auth" $OPENVPN_CONF; then
TLS_SIG="2" TLS_SIG="2"
fi fi
@ -1104,7 +1186,7 @@ function removeUnbound () {
# Remove OpenVPN-related config # Remove OpenVPN-related config
sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
rm /etc/unbound/openvpn.conf rm /etc/unbound/openvpn.conf
systemctl restart unbound initSystem restart unbound
until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
echo "" echo ""
@ -1114,7 +1196,7 @@ function removeUnbound () {
if [[ "$REMOVE_UNBOUND" = 'y' ]]; then if [[ "$REMOVE_UNBOUND" = 'y' ]]; then
# Stop Unbound # Stop Unbound
systemctl stop unbound initSystem stop unbound
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y unbound apt-get autoremove --purge -y unbound
@ -1141,30 +1223,39 @@ function removeOpenVPN () {
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [[ "$REMOVE" = 'y' ]]; then
# Get OpenVPN port from the configuration # Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' $OPENVPN_CONF | cut -d " " -f 2)
# Stop OpenVPN # Stop OpenVPN
if [[ "$OS" =~ (fedora|arch) ]]; then if [[ "$OS" =~ (fedora|arch) ]]; then
systemctl disable openvpn-server@server initSystem disable openvpn-server@server
systemctl stop openvpn-server@server initSystem stop openvpn-server@server
# Remove customised service # Remove customised service
rm /etc/systemd/system/openvpn-server@.service rm /etc/systemd/system/openvpn-server@.service
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
systemctl disable openvpn initSystem disable openvpn
systemctl stop openvpn initSystem stop openvpn
elif [[ "$OS" == "gentoo" ]]; then
initSystem disable openvpn
initSystem stop openvpn
else else
systemctl disable openvpn@server initSystem disable openvpn@server
systemctl stop openvpn@server initSystem stop openvpn@server
# Remove customised service # Remove customised service
rm /etc/systemd/system/openvpn\@.service rm /etc/systemd/system/openvpn\@.service
fi fi
# Remove the iptables rules related to the script # Remove the iptables rules related to the script
systemctl stop iptables-openvpn initSystem stop iptables-openvpn
# Cleanup # Cleanup
systemctl disable iptables-openvpn initSystem disable iptables-openvpn
rm /etc/systemd/system/iptables-openvpn.service
systemctl daemon-reload if [[ -e /etc/systemd/system/iptables-openvpn.service ]]; then
rm /etc/systemd/system/iptables-openvpn.service
initSystem daemon-reload
elif [[ -e /etc/init.d/iptables-openvpn ]]; then
rm /etc/init.d/iptables-openvpn
fi
rm /etc/iptables/add-openvpn-rules.sh rm /etc/iptables/add-openvpn-rules.sh
rm /etc/iptables/rm-openvpn-rules.sh rm /etc/iptables/rm-openvpn-rules.sh
@ -1247,8 +1338,9 @@ function manageMenu () {
initialCheck initialCheck
# Check if OpenVPN is already installed # Check if OpenVPN is already installed
if [[ -e /etc/openvpn/server.conf ]]; then if [[ -e $OPENVPN_CONF ]]; then
manageMenu manageMenu
else else
installOpenVPN installOpenVPN
fi fi
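Review bot: The systemd branch of the new `initSystem` wrapper reads `$APPLICTION` (typo) on all four `systemctl enable/disable/start/stop` lines, so on every systemd host the unit name is empty and `iptables-openvpn`, `unbound` and the `openvpn@server`/`openvpn-server@server` units are never actually enabled or started; `set -u` is not in effect, so this fails silently. The wrapper also has no `restart` branch and no `daemon-reload` branch, yet the hunks call `initSystem restart unbound`, `initSystem restart openvpn-server@server`, `initSystem restart openvpn@server` and `initSystem daemon-reload`, so those calls are no-ops and the freshly written `$OPENVPN_CONF` is never loaded by a running daemon. Separately, the OpenRC script is written with an unquoted heredoc (`cat > /etc/init.d/iptables-openvpn << ENDOFFILE`), so `$INSTANCE_NAME` and `$?` are expanded by the installer at generation time: the installed service contains `eend 0` and reports success even when `add-openvpn-rules.sh` fails, hiding a firewall that was not applied; quote the delimiter (`<< 'ENDOFFILE'`). The following rewrite of `initSystem` fixes the variable name, handles `restart` and accepts both `reload` and `daemon-reload` so every existing call site in this commit reaches a real branch.
```shell
function initSystem () {
	local OPTION=$1
	local APPLICATION=$2
	if isSystemD; then
		case "$OPTION" in
			reload|daemon-reload) systemctl daemon-reload ;;
			enable|disable|start|stop|restart) systemctl "$OPTION" "$APPLICATION" ;;
		esac
	else
		# OpenRC has no daemon-reload equivalent; reload is a no-op here.
		case "$OPTION" in
			enable) rc-update add "$APPLICATION" ;;
			disable) rc-update del "$APPLICATION" ;;
			start|stop|restart) "/etc/init.d/$APPLICATION" "$OPTION" ;;
		esac
	fi
}
```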