Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Reflect master changes (#170)

Browse source
This commit is contained in:
cezar97 2018-03-03 21:32:00 +00:00 committed by Angristan
parent d38a3a18e1
commit 8cd151f58e
2 changed files with 24 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
README.md
View file

@ -89,6 +89,7 @@ This fork includes the following features :
- No comp-lzo, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575) - No comp-lzo, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)
- [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2) - [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2)
- Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories. - Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
- Randomized certificate name
- Other improvements ! - Other improvements !
## DNS ## DNS

41
openvpn-install.sh
View file

@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
IPTABLES='/etc/iptables/iptables.rules' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
echo "Your version of Debian/Ubuntu is not supported." echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system." echo "I can't install a recent version of OpenVPN on your system."
echo "" echo ""
@ -40,7 +40,11 @@ if [[ -e /etc/debian_version ]]; then
exit 4 exit 4
fi fi
fi fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release && ! -e /etc/fedora-release ]]; then elif [[ -e /etc/fedora-release ]]; then
OS=fedora
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf'
elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release ]]; then
OS=centos OS=centos
IPTABLES='/etc/iptables/iptables.rules' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
@ -48,10 +52,6 @@ elif [[ -e /etc/arch-release ]]; then
OS=arch OS=arch
IPTABLES='/etc/iptables/iptables.rules' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf' SYSCTL='/etc/sysctl.d/openvpn.conf'
elif [[ -e /etc/fedora-release ]]; then
OS=fedora
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf'
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
exit 4 exit 4
@ -118,7 +118,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Tell me a name for the client cert" echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: " -e -i newclient CLIENT
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn # Generates the custom client.ovpn
@ -508,7 +508,7 @@ else
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates -y apt-get install ca-certificates gpg -y
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
# Debian 8 # Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
@ -641,12 +641,12 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
rm -rf /etc/openvpn/easy-rsa/ rm -rf /etc/openvpn/easy-rsa/
fi fi
# Get easy-rsa # Get easy-rsa
wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz wget -O ~/EasyRSA-3.0.4.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar xzf ~/EasyRSA-3.0.3.tgz -C ~/ tar xzf ~/EasyRSA-3.0.4.tgz -C ~/
mv ~/EasyRSA-3.0.3/ /etc/openvpn/ mv ~/EasyRSA-3.0.4/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/ mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.3.tgz rm -rf ~/EasyRSA-3.0.4.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
if [[ $CERT_TYPE == "1" ]]; then if [[ $CERT_TYPE == "1" ]]; then
echo "set_var EASYRSA_ALGO ec echo "set_var EASYRSA_ALGO ec
@ -654,14 +654,18 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
elif [[ $CERT_TYPE == "2" ]]; then elif [[ $CERT_TYPE == "2" ]]; then
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
fi fi
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates # Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then if [[ $DH_TYPE == "2" ]]; then
openssl dhparam -out dh.pem $DH_SIZE openssl dhparam -out dh.pem $DH_SIZE
fi fi
./easyrsa build-server-full server nopass ./easyrsa build-server-full $SERVER_NAME nopass
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
if [[ $TLS_SIG == "1" ]]; then if [[ $TLS_SIG == "1" ]]; then
@ -672,7 +676,7 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/tls-auth.key
fi fi
# Move all the generated files # Move all the generated files
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
if [[ $DH_TYPE == "2" ]]; then if [[ $DH_TYPE == "2" ]]; then
cp dh.pem /etc/openvpn cp dh.pem /etc/openvpn
fi fi
@ -707,8 +711,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
;; ;;
3) #FDN 3) #FDN
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
;; ;;
4) #DNS.WATCH 4) #DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
@ -734,8 +738,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem echo "crl-verify crl.pem
ca ca.crt ca ca.crt
cert server.crt cert $SERVER_NAME.crt
key server.key" >> /etc/openvpn/server.conf key $SERVER_NAME.key" >> /etc/openvpn/server.conf
if [[ $TLS_SIG == "1" ]]; then if [[ $TLS_SIG == "1" ]]; then
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
elif [[ $TLS_SIG == "2" ]]; then elif [[ $TLS_SIG == "2" ]]; then
@ -886,6 +890,7 @@ nobind
persist-key persist-key
persist-tun persist-tun
remote-cert-tls server remote-cert-tls server
verify-x509-name $SERVER_NAME name
auth $HMAC_AUTH auth $HMAC_AUTH
$CIPHER $CIPHER
tls-client tls-client