Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Just unify the code format

Browse source
This commit is contained in:
xiagw 2018-10-16 21:22:01 +08:00
parent 7cabdf79c6
commit 5cd7cfebc0
1 changed files with 338 additions and 337 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

235
openvpn-install.sh
View file

@ -3,21 +3,22 @@
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux
# https://github.com/angristan/openvpn-install # https://github.com/angristan/openvpn-install
function isRoot () { function isRoot() {
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
return 1 return 1
fi fi
} }
function tunAvailable () { function tunAvailable() {
if [ ! -e /dev/net/tun ]; then if [ ! -e /dev/net/tun ]; then
return 1 return 1
fi fi
} }
function checkOS () { function checkOS() {
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
# shellcheck disable=1091
source /etc/os-release source /etc/os-release
if [[ "$ID" == "debian" ]]; then if [[ "$ID" == "debian" ]]; then
@ -30,11 +31,11 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
elif [[ "$ID" == "ubuntu" ]];then elif [[ "$ID" == "ubuntu" ]]; then
OS="ubuntu" OS="ubuntu"
if [[ ! $VERSION_ID =~ (16.04|18.04) ]]; then if [[ ! $VERSION_ID =~ (16.04|18.04) ]]; then
echo "⚠️ Your version of Ubuntu is not supported." echo "⚠️ Your version of Ubuntu is not supported."
@ -45,7 +46,7 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
@ -61,7 +62,7 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue anyway? [y/n]: " -e CONTINUE read -rp "Continue anyway? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
echo "Ok, bye!" echo "Ok, bye!"
exit 1 exit 1
fi fi
@ -75,7 +76,7 @@ function checkOS () {
fi fi
} }
function initialCheck () { function initialCheck() {
if ! isRoot; then if ! isRoot; then
echo "Sorry, you need to run this as root" echo "Sorry, you need to run this as root"
exit 1 exit 1
@ -87,7 +88,7 @@ function initialCheck () {
checkOS checkOS
} }
function installUnbound () { function installUnbound() {
if [[ ! -e /etc/unbound/unbound.conf ]]; then if [[ ! -e /etc/unbound/unbound.conf ]]; then
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
@ -99,9 +100,9 @@ access-control: 10.8.0.1/24 allow
hide-identity: yes hide-identity: yes
hide-version: yes hide-version: yes
use-caps-for-id: yes use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf prefetch: yes' >>/etc/unbound/unbound.conf
elif [[ "$OS" = "centos" ]]; then elif [[ "$OS" == "centos" ]]; then
yum install -y unbound yum install -y unbound
# Configuration # Configuration
@ -111,7 +112,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" = "fedora" ]]; then elif [[ "$OS" == "fedora" ]]; then
dnf install -y unbound dnf install -y unbound
# Configuration # Configuration
@ -121,7 +122,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" = "arch" ]]; then elif [[ "$OS" == "arch" ]]; then
pacman -Syu --noconfirm unbound pacman -Syu --noconfirm unbound
# Get root servers list # Get root servers list
@ -145,10 +146,10 @@ prefetch: yes' >> /etc/unbound/unbound.conf
hide-identity: yes hide-identity: yes
hide-version: yes hide-version: yes
qname-minimisation: yes qname-minimisation: yes
prefetch: yes' > /etc/unbound/unbound.conf prefetch: yes' >/etc/unbound/unbound.conf
fi fi
if [[ ! "$OS" =~ (fedora|centos) ]];then if [[ ! "$OS" =~ (fedora|centos) ]]; then
# DNS Rebinding fix # DNS Rebinding fix
echo "private-address: 10.0.0.0/8 echo "private-address: 10.0.0.0/8
private-address: 172.16.0.0/12 private-address: 172.16.0.0/12
@ -157,10 +158,10 @@ private-address: 169.254.0.0/16
private-address: fd00::/8 private-address: fd00::/8
private-address: fe80::/10 private-address: fe80::/10
private-address: 127.0.0.0/8 private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf
fi fi
else # Unbound is already installed else # Unbound is already installed
echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf
# Add Unbound 'server' for the OpenVPN subnet # Add Unbound 'server' for the OpenVPN subnet
echo 'server: echo 'server:
@ -177,14 +178,14 @@ private-address: 169.254.0.0/16
private-address: fd00::/8 private-address: fd00::/8
private-address: fe80::/10 private-address: fe80::/10
private-address: 127.0.0.0/8 private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
fi fi
systemctl enable unbound systemctl enable unbound
systemctl restart unbound systemctl restart unbound
} }
function installQuestions () { function installQuestions() {
echo "Welcome to the OpenVPN installer!" echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo "" echo ""
@ -212,7 +213,7 @@ function installQuestions () {
echo "Checking for IPv6 connectivity..." echo "Checking for IPv6 connectivity..."
echo "" echo ""
# "ping6" and "ping -6" availability varies depending on the distribution # "ping6" and "ping -6" availability varies depending on the distribution
if type ping6 > /dev/null 2>&1; then if type ping6 >/dev/null 2>&1; then
PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1" PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1"
else else
PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1" PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1"
@ -294,7 +295,7 @@ function installQuestions () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
done done
if [[ $CONTINUE = "n" ]];then if [[ $CONTINUE == "n" ]]; then
# Break the loop and cleanup # Break the loop and cleanup
unset DNS unset DNS
unset CONTINUE unset CONTINUE
@ -304,9 +305,9 @@ function installQuestions () {
echo "" echo ""
echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it." echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED read -rp"Enable compression? [y/n]: " -e -in COMPRESSION_ENABLED
done done
if [[ $COMPRESSION_ENABLED == "y" ]];then if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "Choose which compression algorithm you want to use:" echo "Choose which compression algorithm you want to use:"
echo " 1) LZ4 (more efficient)" echo " 1) LZ4 (more efficient)"
echo " 2) LZ0" echo " 2) LZ0"
@ -329,9 +330,9 @@ function installQuestions () {
echo "See https://github.com/angristan/openvpn-install#security-and-encryption to learn more." echo "See https://github.com/angristan/openvpn-install#security-and-encryption to learn more."
echo "" echo ""
until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do
read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC read -rp "Customize encryption settings? [y/n]: " -e -in CUSTOMIZE_ENC
done done
if [[ $CUSTOMIZE_ENC == "n" ]];then if [[ $CUSTOMIZE_ENC == "n" ]]; then
# Use default, sane and fast parameters # Use default, sane and fast parameters
CIPHER="AES-128-GCM" CIPHER="AES-128-GCM"
CERT_TYPE="1" # ECDSA CERT_TYPE="1" # ECDSA
@ -549,7 +550,7 @@ function installQuestions () {
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
} }
function installOpenVPN () { function installOpenVPN() {
# Run setup questions first # Run setup questions first
installQuestions installQuestions
@ -560,24 +561,24 @@ function installOpenVPN () {
apt-get update apt-get update
apt-get -y install ca-certificates gnupg apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
if [[ "$VERSION_ID" = "8" ]]; then if [[ "$VERSION_ID" == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
if [[ "$VERSION_ID" = "16.04" ]]; then if [[ "$VERSION_ID" == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
apt-get install -y openvpn iptables openssl wget ca-certificates curl apt-get install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" == 'centos' ]]; then
yum install -y epel-release yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl dnf install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
echo "" echo ""
echo "WARNING: As you're using ArchLinux, I need to update the packages on your system to install those I need." echo "WARNING: As you're using ArchLinux, I need to update the packages on your system to install those I need."
echo "Not doing that could cause problems between dependencies, or missing files in repositories (Arch Linux does not support partial upgrades)." echo "Not doing that could cause problems between dependencies, or missing files in repositories (Arch Linux does not support partial upgrades)."
@ -586,9 +587,9 @@ function installOpenVPN () {
echo "" echo ""
unset CONTINUE unset CONTINUE
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e -i y CONTINUE read -rp "Continue? [y/n]: " -e -iy CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
echo "Exiting because user did not permit updating the system." echo "Exiting because user did not permit updating the system."
exit 4 exit 4
fi fi
@ -618,21 +619,21 @@ function installOpenVPN () {
chown -R root:root /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/
rm -f ~/EasyRSA-nix-${version}.tgz rm -f ~/EasyRSA-nix-${version}.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/ || exit
case $CERT_TYPE in case $CERT_TYPE in
1) 1)
echo "set_var EASYRSA_ALGO ec" > vars echo "set_var EASYRSA_ALGO ec" >vars
echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars
;; ;;
2) 2)
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars
;; ;;
esac esac
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
# Create the PKI, set up the CA, the DH params and the server certificate # Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
@ -666,11 +667,11 @@ function installOpenVPN () {
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
# Generate server.conf # Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf echo "port $PORT" >/etc/openvpn/server.conf
if [[ "$IPV6_SUPPORT" = 'n' ]]; then if [[ "$IPV6_SUPPORT" == 'n' ]]; then
echo "proto $PROTOCOL" >> /etc/openvpn/server.conf echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
elif [[ "$IPV6_SUPPORT" = 'y' ]]; then elif [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
fi fi
echo "dev tun echo "dev tun
@ -681,7 +682,7 @@ persist-tun
keepalive 10 120 keepalive 10 120
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
# DNS resolvers # DNS resolvers
case $DNS in case $DNS in
@ -695,77 +696,77 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
done done
;; ;;
2) 2)
echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
;; ;;
3) # Cloudflare 3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf
;; ;;
4) # Quad9 4) # Quad9
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf
;; ;;
5) # Quad9 uncensored 5) # Quad9 uncensored
echo 'push "dhcp-option DNS 9.9.9.10"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.10"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf
;; ;;
6) # FDN 6) # FDN
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf
;; ;;
7) # DNS.WATCH 7) # DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf
;; ;;
8) # OpenDNS 8) # OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf
;; ;;
9) # Google 9) # Google
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf
;; ;;
10) # Yandex Basic 10) # Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf
;; ;;
11) # AdGuard DNS 11) # AdGuard DNS
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf
;; ;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp" ' >>/etc/openvpn/server.conf
# IPv6 network settings if needed # IPv6 network settings if needed
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112 echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6 tun-ipv6
push tun-ipv6 push tun-ipv6
push "route-ipv6 2000::/3" push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
fi fi
if [[ $COMPRESSION_ENABLED == "y" ]]; then if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf
fi fi
if [[ $DH_TYPE == "1" ]]; then if [[ $DH_TYPE == "1" ]]; then
echo "dh none" >> /etc/openvpn/server.conf echo "dh none" >>/etc/openvpn/server.conf
echo "ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf
elif [[ $DH_TYPE == "2" ]]; then elif [[ $DH_TYPE == "2" ]]; then
echo "dh dh.pem" >> /etc/openvpn/server.conf echo "dh dh.pem" >>/etc/openvpn/server.conf
fi fi
case $TLS_SIG in case $TLS_SIG in
1) 1)
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf
;; ;;
2) 2)
echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
;; ;;
esac esac
@ -780,15 +781,15 @@ tls-server
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
status /var/log/openvpn/status.log status /var/log/openvpn/status.log
verb 3" >> /etc/openvpn/server.conf verb 3" >>/etc/openvpn/server.conf
# Create log dir # Create log dir
mkdir -p /var/log/openvpn mkdir -p /var/log/openvpn
# Enable routing # Enable routing
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf echo 'net.ipv4.ip_forward=1' >>/etc/sysctl.d/20-openvpn.conf
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf
fi fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
sysctl --system sysctl --system
@ -803,7 +804,7 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
# Finally, restart and enable OpenVPN # Finally, restart and enable OpenVPN
if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then if [[ "$OS" == 'arch' || "$OS" == 'fedora' ]]; then
# Don't modify package-provided service # Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@ -812,7 +813,7 @@ verb 3" >> /etc/openvpn/server.conf
# Another workaround to keep using /etc/openvpn/ # Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service # On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
if [[ "$OS" == "fedora" ]];then if [[ "$OS" == "fedora" ]]; then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi fi
@ -838,7 +839,7 @@ verb 3" >> /etc/openvpn/server.conf
systemctl enable openvpn@server systemctl enable openvpn@server
fi fi
if [[ $DNS == 2 ]];then if [[ $DNS == 2 ]]; then
installUnbound installUnbound
fi fi
@ -851,13 +852,13 @@ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -A INPUT -i tun0 -j ACCEPT ip6tables -A INPUT -i tun0 -j ACCEPT
ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
fi fi
# Script to remove rules # Script to remove rules
@ -866,13 +867,13 @@ iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
fi fi
chmod +x /etc/iptables/add-openvpn-rules.sh chmod +x /etc/iptables/add-openvpn-rules.sh
@ -891,7 +892,7 @@ ExecStop=/etc/iptables/rm-openvpn-rules.sh
RemainAfterExit=yes RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
# Enable service and apply rules # Enable service and apply rules
systemctl daemon-reload systemctl daemon-reload
@ -904,11 +905,11 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
fi fi
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt echo "client" >/etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'udp' ]]; then if [[ "$PROTOCOL" == 'udp' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt echo "proto udp" >>/etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" = 'tcp' ]]; then elif [[ "$PROTOCOL" == 'tcp' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt echo "proto tcp-client" >>/etc/openvpn/client-template.txt
fi fi
echo "remote $IP $PORT echo "remote $IP $PORT
dev tun dev tun
@ -925,18 +926,18 @@ tls-client
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
setenv opt block-outside-dns # Prevent Windows 10 DNS leak setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >> /etc/openvpn/client-template.txt verb 3" >>/etc/openvpn/client-template.txt
if [[ $COMPRESSION_ENABLED == "y" ]]; then if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
fi fi
# Generate the custom client.ovpn # Generate the custom client.ovpn
newClient newClient
echo "If you want to add more clients, you simply need to run this script another time!" echo "If you want to add more clients, you simply need to run this script another time!"
} }
function newClient () { function newClient() {
echo "" echo ""
echo "Tell me a name for the client." echo "Tell me a name for the client."
echo "Use one word only, no special characters." echo "Use one word only, no special characters."
@ -1010,16 +1011,16 @@ function newClient () {
echo "</tls-auth>" echo "</tls-auth>"
;; ;;
esac esac
} >> "$homeDir/$CLIENT.ovpn" } >>"$homeDir/$CLIENT.ovpn"
echo "" echo ""
echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn." echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn."
echo "Download the .ovpn file and import it in your OpenVPN client." echo "Download the .ovpn file and import it in your OpenVPN client."
} }
function revokeClient () { function revokeClient() {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then if [[ "$NUMBEROFCLIENTS" == '0' ]]; then
echo "" echo ""
echo "You have no existing clients!" echo "You have no existing clients!"
exit 1 exit 1
@ -1028,14 +1029,14 @@ function revokeClient () {
echo "" echo ""
echo "Select the existing client certificate you want to revoke" echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then if [[ "$NUMBEROFCLIENTS" == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER read -rp "Select one client [1]: " CLIENTNUMBER
else else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/ || exit
./easyrsa --batch revoke "$CLIENT" ./easyrsa --batch revoke "$CLIENT"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Cleanup # Cleanup
@ -1053,7 +1054,7 @@ function revokeClient () {
echo "Certificate for client $CLIENT revoked." echo "Certificate for client $CLIENT revoked."
} }
function removeUnbound () { function removeUnbound() {
# Remove OpenVPN-related config # Remove OpenVPN-related config
sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
rm /etc/unbound/openvpn.conf rm /etc/unbound/openvpn.conf
@ -1065,17 +1066,17 @@ function removeUnbound () {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done done
if [[ "$REMOVE_UNBOUND" = 'y' ]]; then if [[ "$REMOVE_UNBOUND" == 'y' ]]; then
# Stop Unbound # Stop Unbound
systemctl stop unbound systemctl stop unbound
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y unbound apt-get autoremove --purge -y unbound
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
pacman --noconfirm -R unbound pacman --noconfirm -R unbound
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" == 'centos' ]]; then
yum remove -y unbound yum remove -y unbound
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf remove -y unbound dnf remove -y unbound
fi fi
@ -1089,10 +1090,10 @@ function removeUnbound () {
fi fi
} }
function removeOpenVPN () { function removeOpenVPN() {
echo "" echo ""
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -in REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [[ "$REMOVE" == 'y' ]]; then
# Get OpenVPN port from the configuration # Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
@ -1132,15 +1133,15 @@ function removeOpenVPN () {
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y openvpn apt-get autoremove --purge -y openvpn
if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
rm /etc/apt/sources.list.d/openvpn.list rm /etc/apt/sources.list.d/openvpn.list
apt-get update apt-get update
fi fi
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
pacman --noconfirm -R openvpn pacman --noconfirm -R openvpn
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" == 'centos' ]]; then
yum remove -y openvpn yum remove -y openvpn
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf remove -y openvpn dnf remove -y openvpn
fi fi
@ -1163,7 +1164,7 @@ function removeOpenVPN () {
fi fi
} }
function manageMenu () { function manageMenu() {
clear clear
echo "Welcome to OpenVPN-install!" echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "The git repository is available at: https://github.com/angristan/openvpn-install"