From 148cbf93a9c2dcb75887ec008cd2b2ea36e05138 Mon Sep 17 00:00:00 2001
From: Henry N
Date: Wed, 1 Apr 2020 00:57:56 +0200
Subject: [PATCH 01/11] one unbound config for all OS
Fix for #602 Create new config as /etc/unbound/unbound.conf.d/openvpn.conf, include this into /etc/unbound/unbound.conf. On uninstall simple remove the include, if if was injected by openvpn-install.
---
 openvpn-install.sh | 70 +++++++++++++--------------------------------
 1 file changed, 19 insertions(+), 51 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index edb703e..0faebea 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -103,34 +103,12 @@ function installUnbound () {
 if [[ "$OS" =~ (debian|ubuntu) ]]; then
 apt-get install -y unbound
 
- # Configuration
- echo 'interface: 10.8.0.1
-access-control: 10.8.0.1/24 allow
-hide-identity: yes
-hide-version: yes
-use-caps-for-id: yes
-prefetch: yes' >> /etc/unbound/unbound.conf
-
 elif [[ "$OS" =~ (centos|amzn) ]]; then
 yum install -y unbound
 
- # Configuration
- sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
- sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
- sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
- sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
- sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
-
 elif [[ "$OS" = "fedora" ]]; then
 dnf install -y unbound
 
- # Configuration
- sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
- sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
- sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
- sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
- sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
-
 elif [[ "$OS" = "arch" ]]; then
 pacman -Syu --noconfirm unbound
 
@@ -146,48 +124,38 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 directory: "/etc/unbound"
 trust-anchor-file: trusted-key.key
 root-hints: root.hints
- interface: 10.8.0.1
- access-control: 10.8.0.1/24 allow
 port: 53
 num-threads: 2
- use-caps-for-id: yes
 harden-glue: yes
- hide-identity: yes
- hide-version: yes
- qname-minimisation: yes
- prefetch: yes' > /etc/unbound/unbound.conf
+ qname-minimisation: yes' >/etc/unbound/unbound.conf
 fi
+ fi
 
- if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
- # DNS Rebinding fix
- echo "private-address: 10.0.0.0/8
-private-address: 172.16.0.0/12
-private-address: 192.168.0.0/16
-private-address: 169.254.0.0/16
-private-address: fd00::/8
-private-address: fe80::/10
-private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
- fi
- else # Unbound is already installed
- echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
-
- # Add Unbound 'server' for the OpenVPN subnet
- echo 'server:
+ # Add Unbound 'server' for the OpenVPN subnet
+ mkdir -p /etc/unbound/unbound.conf.d
+ echo 'server:
 interface: 10.8.0.1
 access-control: 10.8.0.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
-prefetch: yes
-private-address: 10.0.0.0/8
+prefetch: yes' >/etc/unbound/unbound.conf.d/openvpn.conf
+
+ if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
+ # DNS Rebinding fix
+ echo 'private-address: 10.0.0.0/8
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
 private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
+private-address: ::ffff:0:0/96' >>/etc/unbound/unbound.conf.d/openvpn.conf
+ fi
+
+ # Add as include, if no wildcard include exist
+ if ! grep -q '/etc/unbound/unbound.conf.d/' /etc/unbound/unbound.conf; then
+ echo 'include: /etc/unbound/unbound.conf.d/openvpn.conf' >>/etc/unbound/unbound.conf
 fi
 
 systemctl enable unbound
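Review bot: The include guard `if ! grep -q '/etc/unbound/unbound.conf.d/' /etc/unbound/unbound.conf; then` matches any line that mentions the directory, including a commented-out include that a package or an administrator left behind, and on such a host the `include:` line is never appended, openvpn.conf is silently ignored and clients pointed at 10.8.0.1 get no resolver while the script reports success. Restricting the check to an active directive, `if ! grep -qE '^[[:space:]]*include:[[:space:]]*"?/etc/unbound/unbound\.conf\.d/' /etc/unbound/unbound.conf; then`, keeps the intended wildcard-include case and adds the line in every other one. Running `unbound-checkconf` before `systemctl enable unbound` would also turn a malformed or unreferenced config into a visible error instead of a running resolver that does not serve the VPN subnet. The enclosing function continues past both ends of this hunk.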
@@ -1128,8 +1096,8 @@ function revokeClient () {
 function removeUnbound () {
 
 # Remove OpenVPN-related config
- sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
- rm /etc/unbound/openvpn.conf
+ sed -i '/include .*\/openvpn.conf/d' /etc/unbound/unbound.conf
+ rm /etc/unbound/unbound.conf.d/openvpn.conf
 systemctl restart unbound
 
 until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
@@ -1227,7 +1195,7 @@ function removeOpenVPN () {
 rm -rf /var/log/openvpn
 
 # Unbound
- if [[ -e /etc/unbound/openvpn.conf ]]; then
+ if [[ -e /etc/unbound/unbound.conf.d/openvpn.conf ]]; then
 removeUnbound
 fi
 echo ""
From d31dad466a72812699c8df778a01402cee98f7e8 Mon Sep 17 00:00:00 2001
From: Henry N
Date: Wed, 1 Apr 2020 23:25:27 +0200
Subject: [PATCH 02/11] harden-glue: and qname-minimisation for all OS
harden-glue: yes and qname-minimisation: yes for all OS, not only for Arch.
---
 openvpn-install.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 0faebea..32ecba0 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -125,9 +125,7 @@ function installUnbound () {
 trust-anchor-file: trusted-key.key
 root-hints: root.hints
 port: 53
- num-threads: 2
- harden-glue: yes
- qname-minimisation: yes' >/etc/unbound/unbound.conf
+ num-threads: 2' >/etc/unbound/unbound.conf
 fi
 fi
 
@@ -139,6 +137,8 @@ access-control: 10.8.0.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
+harden-glue: yes
+qname-minimisation: yes
 prefetch: yes' >/etc/unbound/unbound.conf.d/openvpn.conf
 
 if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
From d744222674eb2b5f384efd0a10c720300e87b32d Mon Sep 17 00:00:00 2001
From: Henry N
Date: Wed, 1 Apr 2020 23:35:36 +0200
Subject: [PATCH 03/11] DNS Rebinding fix for all OS
---
 openvpn-install.sh | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 32ecba0..7c1e728 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -141,9 +141,8 @@ harden-glue: yes
 qname-minimisation: yes
 prefetch: yes' >/etc/unbound/unbound.conf.d/openvpn.conf
 
- if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
- # DNS Rebinding fix
- echo 'private-address: 10.0.0.0/8
+ # DNS Rebinding fix
+ echo 'private-address: 10.0.0.0/8
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
@@ -151,7 +150,6 @@ private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
 private-address: ::ffff:0:0/96' >>/etc/unbound/unbound.conf.d/openvpn.conf
- fi
 
 # Add as include, if no wildcard include exist
 if ! grep -q '/etc/unbound/unbound.conf.d/' /etc/unbound/unbound.conf; then
From 6e21a540815df40829f7ea26d87ec6c1ed390e23 Mon Sep 17 00:00:00 2001
From: Henry N
Date: Wed, 1 Apr 2020 23:53:36 +0200
Subject: [PATCH 04/11] Full path to remove include openvpn.conf
Full path to remove include of /etc/unbound/unbound.conf.d/openvpn.conf, and missing ":" after the "include".
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7c1e728..751a2a5 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -1094,7 +1094,7 @@ function revokeClient () {
 function removeUnbound () {
 
 # Remove OpenVPN-related config
- sed -i '/include .*\/openvpn.conf/d' /etc/unbound/unbound.conf
+ sed -i '/include: \/etc\/unbound\/unbound\.conf\.d\/openvpn\.conf/d' /etc/unbound/unbound.conf
 rm /etc/unbound/unbound.conf.d/openvpn.conf
 systemctl restart unbound
 
From e5f169ad3b94ddbb12cec24b5fa46135bd89eb9b Mon Sep 17 00:00:00 2001
From: Henry N
Date: Wed, 1 Apr 2020 23:58:37 +0200
Subject: [PATCH 05/11] Remove intermediate echo
---
 openvpn-install.sh | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 751a2a5..33f18b7 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
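Review bot: The new delete pattern in removeUnbound is still unanchored, so `sed -i '/include: \/etc\/unbound\/unbound\.conf\.d\/openvpn\.conf/d'` also strips a copy of that line an administrator deliberately commented out; anchoring it, `sed -i '/^[[:space:]]*include: \/etc\/unbound\/unbound\.conf\.d\/openvpn\.conf/d' /etc/unbound/unbound.conf`, limits the edit to the active directive the installer appended. Note that the installer only appends that include line when unbound.conf did not already reference the directory, so on hosts with a packaged wildcard include the sed is a no-op and the `rm` on the next line does all the work, which is fine but worth a comment above the sed. removeUnbound continues past the end of this hunk.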
@@ -139,17 +139,16 @@ hide-version: yes
 use-caps-for-id: yes
 harden-glue: yes
 qname-minimisation: yes
-prefetch: yes' >/etc/unbound/unbound.conf.d/openvpn.conf
-
- # DNS Rebinding fix
- echo 'private-address: 10.0.0.0/8
+prefetch: yes
+# DNS Rebinding fix
+private-address: 10.0.0.0/8
 private-address: 172.16.0.0/12
 private-address: 192.168.0.0/16
 private-address: 169.254.0.0/16
 private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96' >>/etc/unbound/unbound.conf.d/openvpn.conf
+private-address: ::ffff:0:0/96' >/etc/unbound/unbound.conf.d/openvpn.conf
 
 # Add as include, if no wildcard include exist
 if ! grep -q '/etc/unbound/unbound.conf.d/' /etc/unbound/unbound.conf; then
From f15c88c0aafebeed059730d530871acf40e637f2 Mon Sep 17 00:00:00 2001
From: Henry N
Date: Thu, 2 Apr 2020 21:03:46 +0200
Subject: [PATCH 06/11] Text unbound.conf.d/openvpn.conf
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 33f18b7..92feff3 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -267,7 +267,7 @@ function installQuestions () {
 echo ""
 echo "Unbound is already installed."
 echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
- echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
+ echo "We will simply add a second server to /etc/unbound/unbound.conf.d/openvpn.conf for the OpenVPN subnet."
 echo "No changes are made to the current configuration."
 echo ""
 
From 3cc3715b0e6fa984f7c6bc44e39b78238d0170d1 Mon Sep 17 00:00:00 2001
From: Henry N
Date: Sat, 4 Apr 2020 21:20:02 +0200
Subject: [PATCH 07/11] arch: username unbound default
"username: unbound" is default. Found in arch linu xdefauls unbound.conf and https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/#username
---
 openvpn-install.sh | 1 -
 1 file changed, 1 deletion(-)
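Review bot: The line after the changed one in the installQuestions hunk, `echo "No changes are made to the current configuration."`, is no longer accurate: the installer appends an `include:` line to /etc/unbound/unbound.conf whenever that file does not already reference unbound.conf.d, and the options written to openvpn.conf (hide-identity, hide-version, harden-glue, qname-minimisation, the private-address list) are daemon-wide `server:` settings, so they also change how unbound answers on its existing interfaces. Something like `echo "Resolver-wide options in that file (hide-identity, qname-minimisation, private-address) also apply to existing listeners, and an include: line is added to /etc/unbound/unbound.conf if that directory is not already included."` tells the user what is actually touched before they consent. installQuestions continues outside the hunk.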
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 92feff3..7e968ce 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -120,7 +120,6 @@ function installUnbound () {
 echo 'server:
 use-syslog: yes
 do-daemonize: no
- username: "unbound"
 directory: "/etc/unbound"
 trust-anchor-file: trusted-key.key
 root-hints: root.hints
From 96e2420ad09b107a9ed3380a86d5d0b77458914d Mon Sep 17 00:00:00 2001
From: Henry N
Date: Sat, 4 Apr 2020 21:55:40 +0200
Subject: [PATCH 08/11] arch-Linux: Remove defaults
use-syslog is default, directory /etc/unbound is default, port 53 is default
---
 openvpn-install.sh | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7e968ce..e1b073a 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -118,12 +118,9 @@ function installUnbound () {
 mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
 
 echo 'server:
- use-syslog: yes
 do-daemonize: no
- directory: "/etc/unbound"
 trust-anchor-file: trusted-key.key
 root-hints: root.hints
- port: 53
 num-threads: 2' >/etc/unbound/unbound.conf
 fi
 fi
From d670973f0b55d7014b64cc3c0a6b19182a2475a9 Mon Sep 17 00:00:00 2001
From: Henry N
Date: Sat, 4 Apr 2020 22:14:40 +0200
Subject: [PATCH 09/11] Arch: do-daemonize no is default
Arch Linux starts "/usr/bin/unbound -d -p". "-d" do not fork into the background. So the "daemonize: no" is default. (For Systemd on Arch Linux)
---
 openvpn-install.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index e1b073a..6730717 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -118,7 +118,6 @@ function installUnbound () {
 mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
 
 echo 'server:
- do-daemonize: no
 trust-anchor-file: trusted-key.key
 root-hints: root.hints
 num-threads: 2' >/etc/unbound/unbound.conf
From fdd576eea5ff79e60d30fd70fbf80d29f320ba56 Mon Sep 17 00:00:00 2001
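Review bot: Dropping `username: "unbound"` from the generated Arch unbound.conf (the removed line in the first hunk on this line) makes the privilege drop depend on the installed package's compile-time default rather than on anything the script writes, and a build without that default would leave the resolver running as root with no error from the script. Since the following patches on this line remove `directory:`, `port:` and `do-daemonize:` on the same reasoning, a one-line comment in the heredoc recording the assumption, `# username, directory, port and do-daemonize rely on the Arch package defaults; see unbound.conf(5)`, keeps it visible to the next maintainer, and a check that the service runs as the expected user after `systemctl restart unbound` would catch a mismatch. The heredoc and its enclosing `if` continue outside these hunks.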
From: Henry N
Date: Tue, 7 Apr 2020 20:21:32 +0200
Subject: [PATCH 10/11] openvpn.conf: TAB/ident
All entries after "server:" with a TAP/ident
---
 openvpn-install.sh | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 6730717..d13df06 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -127,23 +127,23 @@ function installUnbound () {
 # Add Unbound 'server' for the OpenVPN subnet
 mkdir -p /etc/unbound/unbound.conf.d
 echo 'server:
-interface: 10.8.0.1
-access-control: 10.8.0.1/24 allow
-hide-identity: yes
-hide-version: yes
-use-caps-for-id: yes
-harden-glue: yes
-qname-minimisation: yes
-prefetch: yes
-# DNS Rebinding fix
-private-address: 10.0.0.0/8
-private-address: 172.16.0.0/12
-private-address: 192.168.0.0/16
-private-address: 169.254.0.0/16
-private-address: fd00::/8
-private-address: fe80::/10
-private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96' >/etc/unbound/unbound.conf.d/openvpn.conf
+ interface: 10.8.0.1
+ access-control: 10.8.0.1/24 allow
+ hide-identity: yes
+ hide-version: yes
+ use-caps-for-id: yes
+ harden-glue: yes
+ qname-minimisation: yes
+ prefetch: yes
+ # DNS Rebinding fix
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: fd00::/8
+ private-address: fe80::/10
+ private-address: 127.0.0.0/8
+ private-address: ::ffff:0:0/96' >/etc/unbound/unbound.conf.d/openvpn.conf
 
 # Add as include, if no wildcard include exist
 if ! grep -q '/etc/unbound/unbound.conf.d/' /etc/unbound/unbound.conf; then
From 7742636a29275721a52761fc156e11235238906a Mon Sep 17 00:00:00 2001
From: Henry N
Date: Tue, 7 Apr 2020 21:48:08 +0200
Subject: [PATCH 11/11] Merge changes from #591
---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1820dd4..61c4a6d 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -106,10 +106,10 @@ function installUnbound () {
 elif [[ "$OS" =~ (centos|amzn) ]]; then
 yum install -y unbound
 
- elif [[ "$OS" = "fedora" ]]; then
+ elif [[ "$OS" == "fedora" ]]; then
 dnf install -y unbound
 
- elif [[ "$OS" = "arch" ]]; then
+ elif [[ "$OS" == "arch" ]]; then
 pacman -Syu --noconfirm unbound
 
 # Get root servers list