Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' into patch-1

Browse source
This commit is contained in:
cezar97 2018-08-18 16:14:15 +00:00 committed by GitHub
commit 8ae059727f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 138 additions and 87 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
LICENSE
View file

@ -1,6 +1,7 @@
The MIT License (MIT)
MIT License
Copyright (c) 2016 Nyr, Angristan
Copyright (c) 2013 Nyr
Copyright (c) 2016 Angristan (Stanislas Lange)
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in

15
README.md
View file

@ -40,11 +40,11 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install).
I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are unsecure. See [#encryption](#encryption).
I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption).
Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork.
The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibilty](#compatibility).
The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility).
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client.
@ -62,6 +62,7 @@ The script is made to work on these OS and architectures :
- **Ubuntu 14.04 LTS** (i386, amd64)
- **Ubuntu 16.04 LTS** (i386, amd64, armhf)
- **Ubuntu 17.10** (i386, amd64, armhf, arm64)
- **Ubuntu 18.04 LTS** (i386, amd64, armhf, arm64)
- **Fedora 25** (amd64)
- **Fedora 26** (amd64)
- **Fedora 27** (amd64)
@ -185,7 +186,7 @@ The [SWEET32 vulnerability page](https://community.openvpn.net/openvpn/wiki/SWEE
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an exemple about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477).
As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an example about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477).
Currently AES is only available in its CBC mode, which is weaker than GCM.
@ -213,7 +214,7 @@ Thus, the best data channel cipher currently available in OpenVPN is `AES-128-CB
### Control channel's cipher
According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is unsecure.
According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is insecure.
> The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3:
- TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
@ -229,7 +230,7 @@ Thus, I have chosen `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` as the control channel
OpenVPN uses a 2048 bits DH key [by default](https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example#L97).
2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommened today, but 3072 bits is still good.
2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommended today, but 3072 bits is still good.
In OpenVPN 2.4, we will be able to use ECDH key. It uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure.
@ -254,6 +255,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
## Check for DNS leaks
Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
## Say thanks
You can [say thanks](https://saythanks.io/to/Angristan) if you want!

205
openvpn-install.sh
View file

@ -4,16 +4,19 @@
# https://github.com/Angristan/OpenVPN-install
# Verify root
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 1
fi
# Verify tun
if [[ ! -e /dev/net/tun ]]; then
echo "TUN is not available"
exit 2
fi
# Check if CentOS 5
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
echo "CentOS 5 is too old and not supported"
exit 3
@ -22,10 +25,10 @@ fi
if [[ -e /etc/debian_version ]]; then
OS="debian"
# Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system."
echo ""
@ -33,7 +36,7 @@ if [[ -e /etc/debian_version ]]; then
echo "then you can continue, a recent version of OpenVPN is available on these."
echo "Keep in mind they are not supported, though."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e CONTINUE
read -rp "Continue ? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !"
@ -59,37 +62,35 @@ fi
newclient () {
# Where to write the custom client.ovpn?
if [ -e /home/$1 ]; then # if $1 is a user name
if [ -e "/home/$1" ]; then # if $1 is a user name
homeDir="/home/$1"
elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER
elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root
homeDir="/root"
fi
# Generates the custom client.ovpn
cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
echo "<ca>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
echo "</ca>" >> $homeDir/$1.ovpn
echo "<cert>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt | awk '/BEGIN/,/END/' >> $homeDir/$1.ovpn
echo "</cert>" >> $homeDir/$1.ovpn
echo "<key>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
echo "</key>" >> $homeDir/$1.ovpn
echo "key-direction 1" >> $homeDir/$1.ovpn
echo "<tls-auth>" >> $homeDir/$1.ovpn
cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
echo "</tls-auth>" >> $homeDir/$1.ovpn
cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn"
{
echo "<ca>"
cat "/etc/openvpn/easy-rsa/pki/ca.crt"
echo "</ca>"
echo "<cert>"
cat "/etc/openvpn/easy-rsa/pki/issued/$1.crt" | awk '/BEGIN/,/END/'
echo "</cert>"
echo "<key>"
cat "/etc/openvpn/easy-rsa/pki/private/$1.key"
echo "</key>"
echo "key-direction 1"
echo "<tls-auth>"
cat "/etc/openvpn/tls-auth.key"
echo "</tls-auth>"
} >> "$homeDir/$1.ovpn"
}
# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
# and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com)
fi
# Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
@ -101,22 +102,27 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo ""
echo "Looks like OpenVPN is already installed"
echo ""
echo "What do you want to do?"
echo " 1) Add a cert for a new user"
echo " 2) Revoke existing user cert"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -p "Select an option [1-4]: " option
read -rp "Select an option [1-4]: " option
case $option in
1)
echo ""
echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i newclient CLIENT
cd /etc/openvpn/easy-rsa/
read -rp "Client name: " -e -i newclient CLIENT
cd /etc/openvpn/easy-rsa/ || return
./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
exit
@ -128,26 +134,29 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "You have no existing clients!"
exit 5
fi
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER
read -rp "Select one client [1]: " CLIENTNUMBER
else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -rf pki/reqs/$CLIENT.req
rm -rf pki/private/$CLIENT.key
rm -rf pki/issued/$CLIENT.crt
rm -rf /etc/openvpn/crl.pem
rm -f pki/reqs/$CLIENT.req
rm -f pki/private/$CLIENT.key
rm -f pki/issued/$CLIENT.crt
rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
rm -rf $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
rm -rf /root/$CLIENT.ovpn 2>/dev/null
rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
rm -f /root/$CLIENT.ovpn 2>/dev/null
echo ""
echo "Certificate for client $CLIENT revoked"
echo "Exiting..."
@ -155,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
;;
3)
echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then
@ -213,6 +222,7 @@ else
clear
echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
echo ""
# OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them"
@ -220,15 +230,45 @@ else
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
echo "Otherwise, it should be your public IPv4 address."
read -p "IP address: " -e -i $IP IP
# Autodetect IP address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
read -rp "IP address: " -e -i $IP IP
echo ""
echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT
echo " 1) Default: 1194"
echo " 2) Custom"
echo " 3) Random [49152-65535]"
until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done
case $PORT_CHOICE in
1)
PORT="1194"
;;
2)
until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do
read -p "Custom port [1-65535]: " -e -i 1194 PORT
done
;;
3)
# Generate random number within private ports range
PORT=$(shuf -i49152-65535 -n1)
echo "Random Port: $PORT"
;;
esac
# If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo ""
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -rp "Public IP address / hostname: " -e PUBLICIP
fi
echo ""
echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do
read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
done
echo ""
echo "What DNS do you want to use with the VPN?"
@ -241,8 +281,8 @@ else
echo " 7) Google (Anycast: worldwide)"
echo " 8) Yandex Basic (Russia)"
echo " 9) AdGuard DNS (Russia)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do
read -p "DNS [1-8]: " -e -i 1 DNS
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do
read -rp "DNS [1-9]: " -e -i 1 DNS
done
echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
@ -260,8 +300,8 @@ else
echo " 5) CAMELLIA-192-CBC"
echo " 6) CAMELLIA-256-CBC"
echo " 7) SEED-CBC"
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
read -p "Cipher [1-7]: " -e -i 1 CIPHER
until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do
read -rp "Cipher [1-7]: " -e -i 1 CIPHER
done
case $CIPHER in
1)
@ -291,8 +331,8 @@ else
echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)"
while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do
read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
done
case $DH_KEY_SIZE in
1)
@ -310,8 +350,8 @@ else
echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)"
while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do
read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
done
case $RSA_KEY_SIZE in
1)
@ -328,14 +368,16 @@ else
echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
read -rp "Client name: " -e -i client CLIENT
# Remove special characters
CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r')
done
echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates gpg -y
apt-get install ca-certificates gnupg -y
# We add the OpenVPN repo to get the latest version.
# Debian 7
if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
@ -436,8 +478,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
echo "Not doing that could cause problems between dependencies, or missing files in repositories."
echo ""
echo "Continuing will update your installed packages and install needed ones."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e -i y CONTINUE
until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do
read -rp "Continue ? [y/n]: " -e -i y CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !"
@ -470,11 +512,11 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
mv ~/EasyRSA-3.0.4/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.4.tgz
cd /etc/openvpn/easy-rsa/
rm -f ~/EasyRSA-3.0.4.tgz
cd /etc/openvpn/easy-rsa/ || return
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates
@ -493,11 +535,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
# Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf
if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf
fi
echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf
echo "dev tun
user nobody
group $NOGROUP
@ -510,8 +548,15 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
# DNS resolvers
case $DNS in
1)
# Locate the proper resolv.conf
# Needed for systems running systemd-resolved
if grep -q "127.0.0.53" "/etc/resolv.conf"; then
RESOLVCONF='/run/systemd/resolve/resolv.conf'
else
RESOLVCONF='/etc/resolv.conf'
fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done
;;
@ -521,6 +566,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
;;
3) # Quad9
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
;;
4) # FDN
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
@ -547,7 +593,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;;
esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf
echo "crl-verify crl.pem
ca ca.crt
cert $SERVER_NAME.crt
@ -572,12 +618,16 @@ verb 3" >> /etc/openvpn/server.conf
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL
fi
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
# Save persitent iptables rules
iptables-save > $IPTABLES
if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to
@ -592,6 +642,7 @@ verb 3" >> /etc/openvpn/server.conf
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then
# If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't
@ -604,8 +655,9 @@ verb 3" >> /etc/openvpn/server.conf
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save persitent OpenVPN rules
iptables-save > $IPTABLES
iptables-save > $IPTABLES
fi
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
@ -622,6 +674,7 @@ verb 3" >> /etc/openvpn/server.conf
fi
fi
fi
# And finally, restart OpenVPN
if [[ "$OS" = 'debian' ]]; then
# Little hack to check for systemd
@ -654,20 +707,12 @@ verb 3" >> /etc/openvpn/server.conf
chkconfig openvpn on
fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
if [[ "$IP" != "$EXTERNALIP" ]]; then
echo ""
echo "Looks like your server is behind a NAT!"
echo ""
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
echo "then I need to know the address that can be used to access it from outside."
echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP or domain name: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP
fi
# If the server is behind a NAT, use the correct IP address
if [[ "$PUBLICIP" != "" ]]; then
IP=$PUBLICIP
fi
# client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'UDP' ]]; then