Reflect master changes (#170)
This commit is contained in:
parent
d38a3a18e1
commit
8cd151f58e
2 changed files with 24 additions and 18 deletions
@ -89,6 +89,7 @@ This fork includes the following features :
- No comp-lzo, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)
- [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2)
- Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
- Randomized certificate name
- Other improvements !
## DNS
@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system."
echo ""
@ -40,7 +40,11 @@ if [[ -e /etc/debian_version ]]; then
exit 4
fi
fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release && ! -e /etc/fedora-release ]]; then
elif [[ -e /etc/fedora-release ]]; then
OS=fedora
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf'
elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release ]]; then
OS=centos
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf'
@ -48,10 +52,6 @@ elif [[ -e /etc/arch-release ]]; then
OS=arch
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf'
elif [[ -e /etc/fedora-release ]]; then
OS=fedora
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf'
else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
exit 4
@ -118,7 +118,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo ""
echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
read -p "Client name: " -e -i newclient CLIENT
cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn
@ -508,7 +508,7 @@ else
read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates -y
apt-get install ca-certificates gpg -y
# We add the OpenVPN repo to get the latest version.
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
@ -641,12 +641,12 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
rm -rf /etc/openvpn/easy-rsa/
fi
# Get easy-rsa
wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
mv ~/EasyRSA-3.0.3/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
wget -O ~/EasyRSA-3.0.4.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar xzf ~/EasyRSA-3.0.4.tgz -C ~/
mv ~/EasyRSA-3.0.4/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.3.tgz
rm -rf ~/EasyRSA-3.0.4.tgz
cd /etc/openvpn/easy-rsa/
if [[ $CERT_TYPE == "1" ]]; then
echo "set_var EASYRSA_ALGO ec
@ -654,14 +654,18 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
elif [[ $CERT_TYPE == "2" ]]; then
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
fi
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then
openssl dhparam -out dh.pem $DH_SIZE
fi
./easyrsa build-server-full server nopass
./easyrsa build-server-full $SERVER_NAME nopass
./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
if [[ $TLS_SIG == "1" ]]; then
@ -672,7 +676,7 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
openvpn --genkey --secret /etc/openvpn/tls-auth.key
fi
# Move all the generated files
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
cp pki/ca.crt pki/private/ca.key pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
if [[ $DH_TYPE == "2" ]]; then
cp dh.pem /etc/openvpn
fi
@ -707,8 +711,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
;;
3) #FDN
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
;;
4) #DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
@ -734,8 +738,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key" >> /etc/openvpn/server.conf
cert $SERVER_NAME.crt
key $SERVER_NAME.key" >> /etc/openvpn/server.conf
if [[ $TLS_SIG == "1" ]]; then
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
elif [[ $TLS_SIG == "2" ]]; then
@ -886,6 +890,7 @@ nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name $SERVER_NAME name
auth $HMAC_AUTH
$CIPHER
tls-client
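Review bot: In the hunk at @ -641, the EasyRSA-3.0.4.tgz archive fetched with wget is unpacked with `tar xzf` and moved into /etc/openvpn/easy-rsa/ without any integrity check, so the only thing standing between the download and the PKI tooling that will sign every certificate is the TLS connection to GitHub (the page has lost its +/- markers; I am reading the 3.0.4 lines as the new side and the 3.0.3 lines as history). Since the tarball is pinned to a fixed release, its digest can be pinned too: insert `echo "<sha256 of EasyRSA-3.0.4.tgz, placeholder>  $HOME/EasyRSA-3.0.4.tgz" | sha256sum -c - || { echo "EasyRSA checksum mismatch" >&2; exit 1; }` between the wget and the tar line, and the wget line itself should fail the script rather than let tar run on a partial file (`wget ... || exit 1`). The same pattern of unverified fetch-and-extract was already present for 3.0.3, so this is a pre-existing gap the version bump carries forward rather than one the commit introduces. The surrounding install branch begins before this hunk and the `rm -rf`/`fi` at its top belong to it.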