Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Rebase

Browse source
This commit is contained in:
Swamy Goundar 2020-05-01 23:01:18 -07:00
parent 05e998b314
commit 8eecbf2df6
2 changed files with 1845 additions and 512 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1342
local copy.sh Normal file
View file

File diff suppressed because it is too large Load diff

339
openvpn-install.sh
View file

@ -1,8 +1,7 @@
#!/bin/bash #!/bin/bash
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
# Original Script from https://github.com/angristan/openvpn-install # https://github.com/angristan/openvpn-install
# Additional features imported from https://www.pivpn.io/
function isRoot() { function isRoot() {
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
@ -22,32 +21,31 @@ function checkOS () {
# shellcheck disable=SC1091 # shellcheck disable=SC1091
source /etc/os-release source /etc/os-release
if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then if [[ $ID == "debian" || $ID == "raspbian" ]]; then
if [[ ! $VERSION_ID =~ (8|9|10) ]]; then if [[ $VERSION_ID -lt 8 ]]; then
echo "⚠️ Your version of Debian is not supported." echo "⚠️ Your version of Debian is not supported."
echo "" echo ""
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue." echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
echo "Keep in mind they are not supported, though."
echo "" echo ""
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" == "n" ]]; then if [[ $CONTINUE == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
elif [[ "$ID" == "ubuntu" ]];then elif [[ $ID == "ubuntu" ]]; then
OS="ubuntu" OS="ubuntu"
if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
echo "⚠️ Your version of Ubuntu is not supported." echo "⚠️ Your version of Ubuntu is not supported."
echo "" echo ""
echo "However, if you're using Ubuntu > 17 or beta, then you can continue." echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk."
echo "Keep in mind they are not supported, though."
echo "" echo ""
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" == "n" ]]; then if [[ $CONTINUE == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
@ -55,10 +53,10 @@ function checkOS () {
elif [[ -e /etc/system-release ]]; then elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091 # shellcheck disable=SC1091
source /etc/os-release source /etc/os-release
if [[ "$ID" == "fedora" ]]; then if [[ $ID == "fedora" ]]; then
OS="fedora" OS="fedora"
fi fi
if [[ "$ID" == "centos" ]]; then if [[ $ID == "centos" ]]; then
OS="centos" OS="centos"
if [[ ! $VERSION_ID =~ (7|8) ]]; then if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported." echo "⚠️ Your version of CentOS is not supported."
@ -68,9 +66,9 @@ function checkOS () {
exit 1 exit 1
fi fi
fi fi
if [[ "$ID" == "amzn" ]]; then if [[ $ID == "amzn" ]]; then
OS="amzn" OS="amzn"
if [[ ! $VERSION_ID == "2" ]]; then if [[ $VERSION_ID != "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported." echo "⚠️ Your version of Amazon Linux is not supported."
echo "" echo ""
echo "The script only support Amazon Linux 2." echo "The script only support Amazon Linux 2."
@ -99,9 +97,10 @@ function initialCheck () {
} }
function installUnbound() { function installUnbound() {
# If Unbound isn't installed, install it
if [[ ! -e /etc/unbound/unbound.conf ]]; then if [[ ! -e /etc/unbound/unbound.conf ]]; then
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get install -y unbound apt-get install -y unbound
# Configuration # Configuration
@ -112,7 +111,7 @@ hide-version: yes
use-caps-for-id: yes use-caps-for-id: yes
prefetch: yes' >>/etc/unbound/unbound.conf prefetch: yes' >>/etc/unbound/unbound.conf
elif [[ "$OS" =~ (centos|amzn) ]]; then elif [[ $OS =~ (centos|amzn) ]]; then
yum install -y unbound yum install -y unbound
# Configuration # Configuration
@ -122,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" == "fedora" ]]; then elif [[ $OS == "fedora" ]]; then
dnf install -y unbound dnf install -y unbound
# Configuration # Configuration
@ -132,13 +131,15 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" == "arch" ]]; then elif [[ $OS == "arch" ]]; then
pacman -Syu --noconfirm unbound pacman -Syu --noconfirm unbound
# Get root servers list # Get root servers list
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
fi
echo 'server: echo 'server:
use-syslog: yes use-syslog: yes
@ -159,9 +160,16 @@ prefetch: yes' >> /etc/unbound/unbound.conf
prefetch: yes' >/etc/unbound/unbound.conf prefetch: yes' >/etc/unbound/unbound.conf
fi fi
if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then # IPv6 DNS for all OS
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'interface: fd42:42:42:42::1
access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf
fi
if [[ ! $OS =~ (fedora|centos|amzn) ]]; then
# DNS Rebinding fix # DNS Rebinding fix
echo "private-address: 10.0.0.0/8 echo "private-address: 10.0.0.0/8
private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12 private-address: 172.16.0.0/12
private-address: 192.168.0.0/16 private-address: 192.168.0.0/16
private-address: 169.254.0.0/16 private-address: 169.254.0.0/16
@ -182,6 +190,7 @@ hide-version: yes
use-caps-for-id: yes use-caps-for-id: yes
prefetch: yes prefetch: yes
private-address: 10.0.0.0/8 private-address: 10.0.0.0/8
private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12 private-address: 172.16.0.0/12
private-address: 192.168.0.0/16 private-address: 192.168.0.0/16
private-address: 169.254.0.0/16 private-address: 169.254.0.0/16
@ -189,6 +198,10 @@ private-address: fd00::/8
private-address: fe80::/10 private-address: fe80::/10
private-address: 127.0.0.0/8 private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'interface: fd42:42:42:42::1
access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
fi
fi fi
systemctl enable unbound systemctl enable unbound
@ -197,7 +210,7 @@ private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
function installQuestions() { function installQuestions() {
echo "Welcome to the OpenVPN installer!" echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/psgoundar/openvpn-install" echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo "" echo ""
echo "I need to ask you a few questions before starting the setup." echo "I need to ask you a few questions before starting the setup."
@ -207,17 +220,21 @@ function installQuestions () {
echo "Unless your server is behind NAT, it should be your public IPv4 address." echo "Unless your server is behind NAT, it should be your public IPv4 address."
# Detect public IPv4 address and pre-fill for the user # Detect public IPv4 address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
if [[ -z $IP ]]; then
# Detect public IPv6 address
IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
fi
APPROVE_IP=${APPROVE_IP:-n} APPROVE_IP=${APPROVE_IP:-n}
if [[ $APPROVE_IP =~ n ]]; then if [[ $APPROVE_IP =~ n ]]; then
read -rp "IP address: " -e -i "$IP" IP read -rp "IP address: " -e -i "$IP" IP
fi fi
# If $IP is a private IP address, the server must be behind NAT # If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo "" echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
echo "We need it for the clients to connect to the server." echo "We need it for the clients to connect to the server."
until [[ "$ENDPOINT" != "" ]]; do until [[ $ENDPOINT != "" ]]; do
read -rp "Public IPv4 address or hostname: " -e ENDPOINT read -rp "Public IPv4 address or hostname: " -e ENDPOINT
done done
fi fi
@ -248,7 +265,7 @@ function installQuestions () {
echo " 1) Default: 1194" echo " 1) Default: 1194"
echo " 2) Custom" echo " 2) Custom"
echo " 3) Random [49152-65535]" echo " 3) Random [49152-65535]"
until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done done
case $PORT_CHOICE in case $PORT_CHOICE in
@ -256,7 +273,7 @@ function installQuestions () {
PORT="1194" PORT="1194"
;; ;;
2) 2)
until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
read -rp "Custom port [1-65535]: " -e -i 1194 PORT read -rp "Custom port [1-65535]: " -e -i 1194 PORT
done done
;; ;;
@ -271,7 +288,7 @@ function installQuestions () {
echo "UDP is faster. Unless it is not available, you shouldn't use TCP." echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
echo " 1) UDP" echo " 1) UDP"
echo " 2) TCP" echo " 2) TCP"
until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
done done
case $PROTOCOL_CHOICE in case $PROTOCOL_CHOICE in
@ -297,7 +314,7 @@ function installQuestions () {
echo " 11) AdGuard DNS (Anycast: worldwide)" echo " 11) AdGuard DNS (Anycast: worldwide)"
echo " 12) NextDNS (Anycast: worldwide)" echo " 12) NextDNS (Anycast: worldwide)"
echo " 13) Custom" echo " 13) Custom"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS read -rp "DNS [1-12]: " -e -i 3 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo "" echo ""
@ -316,12 +333,12 @@ function installQuestions () {
unset CONTINUE unset CONTINUE
fi fi
elif [[ $DNS == "13" ]]; then elif [[ $DNS == "13" ]]; then
until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Primary DNS: " -e DNS1 read -rp "Primary DNS: " -e DNS1
done done
until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Secondary DNS (optional): " -e DNS2 read -rp "Secondary DNS (optional): " -e DNS2
if [[ "$DNS2" == "" ]]; then if [[ $DNS2 == "" ]]; then
break break
fi fi
done done
@ -380,7 +397,7 @@ function installQuestions () {
echo " 4) AES-128-CBC" echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC" echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC" echo " 6) AES-256-CBC"
until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
done done
case $CIPHER_CHOICE in case $CIPHER_CHOICE in
@ -438,7 +455,7 @@ function installQuestions () {
echo " 1) 2048 bits (recommended)" echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits" echo " 2) 3072 bits"
echo " 3) 4096 bits" echo " 3) 4096 bits"
until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
done done
case $RSA_KEY_SIZE_CHOICE in case $RSA_KEY_SIZE_CHOICE in
@ -523,7 +540,7 @@ function installQuestions () {
echo " 1) 2048 bits (recommended)" echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits" echo " 2) 3072 bits"
echo " 3) 4096 bits" echo " 3) 4096 bits"
until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
done done
case $DH_KEY_SIZE_CHOICE in case $DH_KEY_SIZE_CHOICE in
@ -541,9 +558,9 @@ function installQuestions () {
esac esac
echo "" echo ""
# The "auth" options behaves differently with AEAD ciphers # The "auth" options behaves differently with AEAD ciphers
if [[ "$CIPHER" =~ CBC$ ]]; then if [[ $CIPHER =~ CBC$ ]]; then
echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel." echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
elif [[ "$CIPHER" =~ GCM$ ]]; then elif [[ $CIPHER =~ GCM$ ]]; then
echo "The digest algorithm authenticates tls-auth packets from the control channel." echo "The digest algorithm authenticates tls-auth packets from the control channel."
fi fi
echo "Which digest algorithm do you want to use for HMAC?" echo "Which digest algorithm do you want to use for HMAC?"
@ -597,9 +614,13 @@ function installOpenVPN () {
PASS=${PASS:-1} PASS=${PASS:-1}
CONTINUE=${CONTINUE:-y} CONTINUE=${CONTINUE:-y}
# Behind NAT, we'll default to the publicly reachable IPv4. # Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
PUBLIC_IPV4=$(curl ifconfig.co) if [[ $IPV6_SUPPORT == "y" ]]; then
ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4} PUBLIC_IP=$(curl https://ifconfig.co)
else
PUBLIC_IP=$(curl -4 https://ifconfig.co)
fi
ENDPOINT=${ENDPOINT:-$PUBLIC_IP}
fi fi
# Run setup questions first, and set other variales if auto-install # Run setup questions first, and set other variales if auto-install
@ -607,51 +628,60 @@ function installOpenVPN () {
# Get the "public" interface from the default route # Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
fi fi
# $NIC can not be empty for script rm-openvpn-rules.sh # $NIC can not be empty for script rm-openvpn-rules.sh
if [[ -z "$NIC" ]]; then if [[ -z $NIC ]]; then
echo echo
echo "Can not detect public interface." echo "Can not detect public interface."
echo "This needs for setup MASQUERADE." echo "This needs for setup MASQUERADE."
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" == "n" ]]; then if [[ $CONTINUE == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
if [[ "$OS" =~ (debian|ubuntu) ]]; then # If OpenVPN isn't installed yet, install it. This script is more-or-less
# idempotent on multiple runs, but will only install OpenVPN from upstream
# the first time.
if [[ ! -e /etc/openvpn/server.conf ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update apt-get update
apt-get -y install ca-certificates gnupg apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
if [[ "$VERSION_ID" == "8" ]]; then if [[ $VERSION_ID == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
if [[ "$VERSION_ID" == "16.04" ]]; then if [[ $VERSION_ID == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
apt-get install -y openvpn iptables openssl wget ca-certificates curl apt-get install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" == 'centos' ]]; then elif [[ $OS == 'centos' ]]; then
yum install -y epel-release yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
elif [[ "$OS" == 'amzn' ]]; then elif [[ $OS == 'amzn' ]]; then
amazon-linux-extras install -y epel amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" == 'fedora' ]]; then elif [[ $OS == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils
elif [[ "$OS" == 'arch' ]]; then elif [[ $OS == 'arch' ]]; then
# Install required dependencies and upgrade the system # Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
fi
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
@ -660,18 +690,13 @@ function installOpenVPN () {
NOGROUP=nobody NOGROUP=nobody
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # Install the latest version of easy-rsa from source, if not already installed.
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/ local version="3.0.7"
fi wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
mkdir /etc/openvpn/easy-rsa
# Install the latest version of easy-rsa from source tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
local version="3.0.6" rm -f ~/easy-rsa.tgz
wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz
tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/
mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa
chown -R root:root /etc/openvpn/easy-rsa/
rm -f ~/EasyRSA-unix-v${version}.tgz
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
case $CERT_TYPE in case $CERT_TYPE in
@ -685,18 +710,12 @@ function installOpenVPN () {
esac esac
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
#SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
#SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "$SERVER_CN" >SERVER_CN_GENERATED
#echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_NAME" >SERVER_NAME_GENERATED
#############Modified Section
SERVER_CN="OPENVPNS1"
SERVER_NAME="OPENVPNSRV"
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
echo "set_var EASYRSA_CA_EXPIRE 14600" >> vars
echo "set_var EASYRSA_CERT_EXPIRE 12775" >> vars
#echo "set_var EASYRSA_CERT_EXPIRE 1080" >> vars
####################################
# Create the PKI, set up the CA, the DH params and the server certificate # Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki ./easyrsa init-pki
@ -714,9 +733,6 @@ function installOpenVPN () {
./easyrsa build-server-full "$SERVER_NAME" nopass ./easyrsa build-server-full "$SERVER_NAME" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
#Replace Cert Lifetime back to 1080 Days leaving only the Server Cert as 12775 Days
sed -i 's/12775/1080/' vars
case $TLS_SIG in case $TLS_SIG in
1) 1)
@ -728,6 +744,12 @@ function installOpenVPN () {
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/tls-auth.key
;; ;;
esac esac
else
# If easy-rsa is already installed, grab the generated SERVER_NAME
# for client configs
cd /etc/openvpn/easy-rsa/ || return
SERVER_NAME=$(cat SERVER_NAME_GENERATED)
fi
# Move all the generated files # Move all the generated files
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
@ -740,9 +762,9 @@ function installOpenVPN () {
# Generate server.conf # Generate server.conf
echo "port $PORT" >/etc/openvpn/server.conf echo "port $PORT" >/etc/openvpn/server.conf
if [[ "$IPV6_SUPPORT" == 'n' ]]; then if [[ $IPV6_SUPPORT == 'n' ]]; then
echo "proto $PROTOCOL" >>/etc/openvpn/server.conf echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
elif [[ "$IPV6_SUPPORT" == 'y' ]]; then elif [[ $IPV6_SUPPORT == 'y' ]]; then
echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
fi fi
@ -767,12 +789,18 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
RESOLVCONF='/etc/resolv.conf' RESOLVCONF='/etc/resolv.conf'
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
fi
done done
;; ;;
2) # Self-hosted DNS resolver (Unbound) 2) # Self-hosted DNS resolver (Unbound)
echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
fi
;; ;;
3) # Cloudflare 3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
@ -816,7 +844,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
;; ;;
13) # Custom DNS 13) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
if [[ "$DNS2" != "" ]]; then if [[ $DNS2 != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
fi fi
;; ;;
@ -824,7 +852,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
# IPv6 network settings if needed # IPv6 network settings if needed
if [[ "$IPV6_SUPPORT" == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112 echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6 tun-ipv6
push tun-ipv6 push tun-ipv6
@ -863,7 +891,7 @@ tls-server
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
client-config-dir /etc/openvpn/ccd client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log 20 status /var/log/openvpn/status.log
verb 3" >>/etc/openvpn/server.conf verb 3" >>/etc/openvpn/server.conf
# Create client-config-dir dir # Create client-config-dir dir
@ -871,12 +899,9 @@ verb 3" >> /etc/openvpn/server.conf
# Create log dir # Create log dir
mkdir -p /var/log/openvpn mkdir -p /var/log/openvpn
#Creating log files for Openvpn
echo "status-version 3" >> /etc/openvpn/server.conf
echo "log-append /var/log/openvpn.log" >> /etc/openvpn/server.conf
# Enable routing # Enable routing
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
if [[ "$IPV6_SUPPORT" == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf
fi fi
# Apply sysctl rules # Apply sysctl rules
@ -885,14 +910,14 @@ verb 3" >> /etc/openvpn/server.conf
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then if [[ $PORT != '1194' ]]; then
semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT" semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi fi
fi fi
fi fi
# Finally, restart and enable OpenVPN # Finally, restart and enable OpenVPN
if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
# Don't modify package-provided service # Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@ -901,14 +926,14 @@ verb 3" >> /etc/openvpn/server.conf
# Another workaround to keep using /etc/openvpn/ # Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service # On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
if [[ "$OS" == "fedora" ]];then if [[ $OS == "fedora" ]]; then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi fi
systemctl daemon-reload systemctl daemon-reload
systemctl enable openvpn-server@server systemctl enable openvpn-server@server
systemctl restart openvpn-server@server systemctl restart openvpn-server@server
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo # On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service # This package uses a sysvinit service
systemctl enable openvpn systemctl enable openvpn
@ -942,11 +967,12 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
fi fi
# Script to remove rules # Script to remove rules
@ -957,11 +983,12 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT
ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
fi fi
chmod +x /etc/iptables/add-openvpn-rules.sh chmod +x /etc/iptables/add-openvpn-rules.sh
@ -988,16 +1015,16 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
systemctl start iptables-openvpn systemctl start iptables-openvpn
# If the server is behind a NAT, use the correct IP address for the clients to connect to # If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ "$ENDPOINT" != "" ]]; then if [[ $ENDPOINT != "" ]]; then
IP=$ENDPOINT IP=$ENDPOINT
fi fi
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" >/etc/openvpn/client-template.txt echo "client" >/etc/openvpn/client-template.txt
if [[ "$PROTOCOL" == 'udp' ]]; then if [[ $PROTOCOL == 'udp' ]]; then
echo "proto udp" >>/etc/openvpn/client-template.txt echo "proto udp" >>/etc/openvpn/client-template.txt
echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" == 'tcp' ]]; then elif [[ $PROTOCOL == 'tcp' ]]; then
echo "proto tcp-client" >>/etc/openvpn/client-template.txt echo "proto tcp-client" >>/etc/openvpn/client-template.txt
fi fi
echo "remote $IP $PORT echo "remote $IP $PORT
@ -1014,6 +1041,7 @@ cipher $CIPHER
tls-client tls-client
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >>/etc/openvpn/client-template.txt verb 3" >>/etc/openvpn/client-template.txt
@ -1031,7 +1059,7 @@ function newClient () {
echo "Tell me a name for the client." echo "Tell me a name for the client."
echo "Use one word only, no special characters." echo "Use one word only, no special characters."
until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
read -rp "Client name: " -e CLIENT read -rp "Client name: " -e CLIENT
done done
@ -1041,10 +1069,16 @@ function newClient () {
echo " 1) Add a passwordless client" echo " 1) Add a passwordless client"
echo " 2) Use a password for the client" echo " 2) Use a password for the client"
until [[ "$PASS" =~ ^[1-2]$ ]]; do until [[ $PASS =~ ^[1-2]$ ]]; do
read -rp "Select an option [1-2]: " -e -i 1 PASS read -rp "Select an option [1-2]: " -e -i 1 PASS
done done
CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
if [[ $CLIENTEXISTS == '1' ]]; then
echo ""
echo "The specified client CN was already found in easy-rsa, please choose another name."
exit
else
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
case $PASS in case $PASS in
1) 1)
@ -1055,14 +1089,16 @@ function newClient () {
./easyrsa build-client-full "$CLIENT" ./easyrsa build-client-full "$CLIENT"
;; ;;
esac esac
echo "Client $CLIENT added."
fi
# Home directory of the user, where the client configuration (.ovpn) will be written # Home directory of the user, where the client configuration (.ovpn) will be written
if [ -e "/home/$CLIENT" ]; then # if $1 is a user name if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
homeDir="/opt/ovpn" homeDir="/home/$CLIENT"
elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
homeDir="/opt/ovpn" homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root else # if not SUDO_USER, use /root
homeDir="/opt/ovpn" homeDir="/root"
fi fi
# Determine if we use tls-auth or tls-crypt # Determine if we use tls-auth or tls-crypt
@ -1103,7 +1139,7 @@ function newClient () {
} >>"$homeDir/$CLIENT.ovpn" } >>"$homeDir/$CLIENT.ovpn"
echo "" echo ""
echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn." echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
echo "Download the .ovpn file and import it in your OpenVPN client." echo "Download the .ovpn file and import it in your OpenVPN client."
exit 0 exit 0
@ -1111,7 +1147,7 @@ function newClient () {
function revokeClient() { function revokeClient() {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" == '0' ]]; then if [[ $NUMBEROFCLIENTS == '0' ]]; then
echo "" echo ""
echo "You have no existing clients!" echo "You have no existing clients!"
exit 1 exit 1
@ -1120,20 +1156,17 @@ function revokeClient () {
echo "" echo ""
echo "Select the existing client certificate you want to revoke" echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" == '1' ]]; then until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
if [[ $CLIENTNUMBER == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER read -rp "Select one client [1]: " CLIENTNUMBER
else else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi fi
done
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke "$CLIENT" ./easyrsa --batch revoke "$CLIENT"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Cleanup
rm -f "pki/reqs/$CLIENT.req"
rm -f "pki/private/$CLIENT.key"
rm -f "pki/issued/$CLIENT.crt"
rm -f /etc/openvpn/crl.pem rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
@ -1156,17 +1189,17 @@ function removeUnbound () {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done done
if [[ "$REMOVE_UNBOUND" == 'y' ]]; then if [[ $REMOVE_UNBOUND == 'y' ]]; then
# Stop Unbound # Stop Unbound
systemctl stop unbound systemctl stop unbound
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y unbound apt-get autoremove --purge -y unbound
elif [[ "$OS" == 'arch' ]]; then elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R unbound pacman --noconfirm -R unbound
elif [[ "$OS" =~ (centos|amzn) ]]; then elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y unbound yum remove -y unbound
elif [[ "$OS" == 'fedora' ]]; then elif [[ $OS == 'fedora' ]]; then
dnf remove -y unbound dnf remove -y unbound
fi fi
@ -1185,17 +1218,18 @@ function removeOpenVPN () {
echo "" echo ""
# shellcheck disable=SC2034 # shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" == 'y' ]]; then if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration # Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
# Stop OpenVPN # Stop OpenVPN
if [[ "$OS" =~ (fedora|arch|centos) ]]; then if [[ $OS =~ (fedora|arch|centos) ]]; then
systemctl disable openvpn-server@server systemctl disable openvpn-server@server
systemctl stop openvpn-server@server systemctl stop openvpn-server@server
# Remove customised service # Remove customised service
rm /etc/systemd/system/openvpn-server@.service rm /etc/systemd/system/openvpn-server@.service
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
systemctl disable openvpn systemctl disable openvpn
systemctl stop openvpn systemctl stop openvpn
else else
@ -1217,23 +1251,23 @@ function removeOpenVPN () {
# SELinux # SELinux
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then if [[ $PORT != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp "$PORT" semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi fi
fi fi
fi fi
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y openvpn apt-get autoremove --purge -y openvpn
if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
rm /etc/apt/sources.list.d/openvpn.list rm /etc/apt/sources.list.d/openvpn.list
apt-get update apt-get update
fi fi
elif [[ "$OS" == 'arch' ]]; then elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R openvpn pacman --noconfirm -R openvpn
elif [[ "$OS" =~ (centos|amzn) ]]; then elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y openvpn yum remove -y openvpn
elif [[ "$OS" == 'fedora' ]]; then elif [[ $OS == 'fedora' ]]; then
dnf remove -y openvpn dnf remove -y openvpn
fi fi
@ -1257,45 +1291,7 @@ function removeOpenVPN () {
fi fi
} }
function listcerts () {
# Original Script from PiVPN: list clients script
# Modified Script to add Certificate expiration Date -- psgoundar
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
printf "\n"
if [ ! -f "${INDEX}" ]; then
echo "The file: $INDEX was not found!"
exit 1
fi
#printf ": NOTE : The first entry should always be your valid server!\n"
#printf "\n"
printf "\e[1m::: Certificate Status List :::\e[0m\n"
printf "\e[4mStatus\e[0m :: \e[4mName\e[0m\e[0m :: \e[4mExpiration \e[0m\n"
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
EXPD=$(echo "$line" | awk '{if (length($2) == 15) print $2; else print "20"$2}' | cut -b 1-8 | date +"%b %d %Y" -f -)
if [ "${STATUS}" == "V" ]; then
printf " Valid :: $NAME :: $EXPD \n"
elif [ "${STATUS}" == "R" ]; then
printf " Revoked :: $NAME :: $EXPD \n"
else
printf " Unknown :: $NAME :: $EXPD \n"
fi
done <${INDEX} | column -t
printf "\n"
}
function manageMenu() { function manageMenu() {
clear
echo "Welcome to OpenVPN-install!" echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo "" echo ""
@ -1304,11 +1300,10 @@ function manageMenu () {
echo "What do you want to do?" echo "What do you want to do?"
echo " 1) Add a new user" echo " 1) Add a new user"
echo " 2) Revoke existing user" echo " 2) Revoke existing user"
echo " 3) List Current Issued Certificates" echo " 3) Remove OpenVPN"
echo " 4) Remove OpenVPN" echo " 4) Exit"
echo " 5) Exit" until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
until [[ "$MENU_OPTION" =~ ^[1-5]$ ]]; do read -rp "Select an option [1-4]: " MENU_OPTION
read -rp "Select an option [1-5]: " MENU_OPTION
done done
case $MENU_OPTION in case $MENU_OPTION in
@ -1319,13 +1314,9 @@ function manageMenu () {
revokeClient revokeClient
;; ;;
3) 3)
listcerts
;;
4)
removeOpenVPN removeOpenVPN
;; ;;
5) 4)
exit 0 exit 0
;; ;;
esac esac
@ -1335,7 +1326,7 @@ function manageMenu () {
initialCheck initialCheck
# Check if OpenVPN is already installed # Check if OpenVPN is already installed
if [[ -e /etc/openvpn/server.conf ]]; then if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
manageMenu manageMenu
else else
installOpenVPN installOpenVPN