From 19320c8d9213b2ebfb9b5a53bc2cc546df7f1f86 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Fri, 1 May 2020 22:51:51 +0000
Subject: [PATCH 01/10] Remove workaround to keep using /etc/openvpn/
---
openvpn-install.sh | 4 ----
1 file changed, 4 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 5f49ada..d3d3b1a 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -923,8 +923,6 @@ verb 3" >>/etc/openvpn/server.conf
# Workaround to fix OpenVPN service on OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
- # Another workaround to keep using /etc/openvpn/
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
if [[ $OS == "fedora" ]]; then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
@@ -944,8 +942,6 @@ verb 3" >>/etc/openvpn/server.conf
# Workaround to fix OpenVPN service on OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
- # Another workaround to keep using /etc/openvpn/
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
systemctl daemon-reload
systemctl enable openvpn@server
From 32b1c4fcb53590b45faa1ad4ccd2f1cd00379d9f Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Fri, 1 May 2020 23:14:25 +0000
Subject: [PATCH 02/10] Update paths to /etc/openvpn/server
---
openvpn-install.sh | 158 ++++++++++++++++++++++-----------------------
1 file changed, 79 insertions(+), 79 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index d3d3b1a..af52d87 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -648,7 +648,7 @@ function installOpenVPN() {
# If OpenVPN isn't installed yet, install it. This script is more-or-less
# idempotent on multiple runs, but will only install OpenVPN from upstream
# the first time.
- if [[ ! -e /etc/openvpn/server.conf ]]; then
+ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update
apt-get -y install ca-certificates gnupg
@@ -691,14 +691,14 @@ function installOpenVPN() {
fi
# Install the latest version of easy-rsa from source, if not already installed.
- if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
+ if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
local version="3.0.7"
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
- mkdir /etc/openvpn/easy-rsa
- tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
+ mkdir /etc/openvpn/server/easy-rsa
+ tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa
rm -f ~/easy-rsa.tgz
- cd /etc/openvpn/easy-rsa/ || return
+ cd /etc/openvpn/server/easy-rsa/ || return
case $CERT_TYPE in
1)
echo "set_var EASYRSA_ALGO ec" >vars
@@ -737,35 +737,35 @@ function installOpenVPN() {
case $TLS_SIG in
1)
# Generate tls-crypt key
- openvpn --genkey --secret /etc/openvpn/tls-crypt.key
+ openvpn --genkey --secret /etc/openvpn/server/tls-crypt.key
;;
2)
# Generate tls-auth key
- openvpn --genkey --secret /etc/openvpn/tls-auth.key
+ openvpn --genkey --secret /etc/openvpn/server/tls-auth.key
;;
esac
else
# If easy-rsa is already installed, grab the generated SERVER_NAME
# for client configs
- cd /etc/openvpn/easy-rsa/ || return
+ cd /etc/openvpn/server/easy-rsa/ || return
SERVER_NAME=$(cat SERVER_NAME_GENERATED)
fi
# Move all the generated files
- cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+ cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server
if [[ $DH_TYPE == "2" ]]; then
- cp dh.pem /etc/openvpn
+ cp dh.pem /etc/openvpn/server
fi
# Make cert revocation list readable for non-root
- chmod 644 /etc/openvpn/crl.pem
+ chmod 644 /etc/openvpn/server/crl.pem
# Generate server.conf
- echo "port $PORT" >/etc/openvpn/server.conf
+ echo "port $PORT" >/etc/openvpn/server/server.conf
if [[ $IPV6_SUPPORT == 'n' ]]; then
- echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
+ echo "proto $PROTOCOL" >>/etc/openvpn/server/server.conf
elif [[ $IPV6_SUPPORT == 'y' ]]; then
- echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
+ echo "proto ${PROTOCOL}6" >>/etc/openvpn/server/server.conf
fi
echo "dev tun
@@ -776,7 +776,7 @@ persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
-ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
+ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server/server.conf
# DNS resolvers
case $DNS in
@@ -792,64 +792,64 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
- echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
+ echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server/server.conf
fi
done
;;
2) # Self-hosted DNS resolver (Unbound)
- echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server/server.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
- echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server/server.conf
fi
;;
3) # Cloudflare
- echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server/server.conf
;;
4) # Quad9
- echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server/server.conf
;;
5) # Quad9 uncensored
- echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server/server.conf
;;
6) # FDN
- echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server/server.conf
;;
7) # DNS.WATCH
- echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server/server.conf
;;
8) # OpenDNS
- echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server/server.conf
;;
9) # Google
- echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server/server.conf
;;
10) # Yandex Basic
- echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server/server.conf
;;
11) # AdGuard DNS
- echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server/server.conf
;;
12) # NextDNS
- echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server/server.conf
+ echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server/server.conf
;;
13) # Custom DNS
- echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
+ echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server/server.conf
if [[ $DNS2 != "" ]]; then
- echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
+ echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server/server.conf
fi
;;
esac
- echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
+ echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server/server.conf
# IPv6 network settings if needed
if [[ $IPV6_SUPPORT == 'y' ]]; then
@@ -857,26 +857,26 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
-push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
+push "redirect-gateway ipv6"' >>/etc/openvpn/server/server.conf
fi
if [[ $COMPRESSION_ENABLED == "y" ]]; then
- echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf
+ echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/server.conf
fi
if [[ $DH_TYPE == "1" ]]; then
- echo "dh none" >>/etc/openvpn/server.conf
- echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf
+ echo "dh none" >>/etc/openvpn/server/server.conf
+ echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server/server.conf
elif [[ $DH_TYPE == "2" ]]; then
- echo "dh dh.pem" >>/etc/openvpn/server.conf
+ echo "dh dh.pem" >>/etc/openvpn/server/server.conf
fi
case $TLS_SIG in
1)
- echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf
+ echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server/server.conf
;;
2)
- echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
+ echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server/server.conf
;;
esac
@@ -890,12 +890,12 @@ ncp-ciphers $CIPHER
tls-server
tls-version-min 1.2
tls-cipher $CC_CIPHER
-client-config-dir /etc/openvpn/ccd
+client-config-dir /etc/openvpn/server/ccd
status /var/log/openvpn/status.log
-verb 3" >>/etc/openvpn/server.conf
+verb 3" >>/etc/openvpn/server/server.conf
# Create client-config-dir dir
- mkdir -p /etc/openvpn/ccd
+ mkdir -p /etc/openvpn/server/ccd
# Create log dir
mkdir -p /var/log/openvpn
@@ -1016,12 +1016,12 @@ WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
fi
# client-template.txt is created so we have a template to add further users later
- echo "client" >/etc/openvpn/client-template.txt
+ echo "client" >/etc/openvpn/server/client-template.txt
if [[ $PROTOCOL == 'udp' ]]; then
- echo "proto udp" >>/etc/openvpn/client-template.txt
- echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
+ echo "proto udp" >>/etc/openvpn/server/client-template.txt
+ echo "explicit-exit-notify" >>/etc/openvpn/server/client-template.txt
elif [[ $PROTOCOL == 'tcp' ]]; then
- echo "proto tcp-client" >>/etc/openvpn/client-template.txt
+ echo "proto tcp-client" >>/etc/openvpn/server/client-template.txt
fi
echo "remote $IP $PORT
dev tun
@@ -1039,10 +1039,10 @@ tls-version-min 1.2
tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
-verb 3" >>/etc/openvpn/client-template.txt
+verb 3" >>/etc/openvpn/server/client-template.txt
if [[ $COMPRESSION_ENABLED == "y" ]]; then
- echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
+ echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/client-template.txt
fi
# Generate the custom client.ovpn
@@ -1069,13 +1069,13 @@ function newClient() {
read -rp "Select an option [1-2]: " -e -i 1 PASS
done
- CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
+ CLIENTEXISTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
if [[ $CLIENTEXISTS == '1' ]]; then
echo ""
echo "The specified client CN was already found in easy-rsa, please choose another name."
exit
else
- cd /etc/openvpn/easy-rsa/ || return
+ cd /etc/openvpn/server/easy-rsa/ || return
case $PASS in
1)
./easyrsa build-client-full "$CLIENT" nopass
@@ -1098,37 +1098,37 @@ function newClient() {
fi
# Determine if we use tls-auth or tls-crypt
- if grep -qs "^tls-crypt" /etc/openvpn/server.conf; then
+ if grep -qs "^tls-crypt" /etc/openvpn/server/server.conf; then
TLS_SIG="1"
- elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then
+ elif grep -qs "^tls-auth" /etc/openvpn/server/server.conf; then
TLS_SIG="2"
fi
# Generates the custom client.ovpn
- cp /etc/openvpn/client-template.txt "$homeDir/$CLIENT.ovpn"
+ cp /etc/openvpn/server/client-template.txt "$homeDir/$CLIENT.ovpn"
{
echo ""
- cat "/etc/openvpn/easy-rsa/pki/ca.crt"
+ cat "/etc/openvpn/server/easy-rsa/pki/ca.crt"
echo ""
echo ""
- awk '/BEGIN/,/END/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
+ awk '/BEGIN/,/END/' "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT.crt"
echo ""
echo ""
- cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT.key"
+ cat "/etc/openvpn/server/easy-rsa/pki/private/$CLIENT.key"
echo ""
case $TLS_SIG in
1)
echo ""
- cat /etc/openvpn/tls-crypt.key
+ cat /etc/openvpn/server/tls-crypt.key
echo ""
;;
2)
echo "key-direction 1"
echo ""
- cat /etc/openvpn/tls-auth.key
+ cat /etc/openvpn/server/tls-auth.key
echo ""
;;
esac
@@ -1142,7 +1142,7 @@ function newClient() {
}
function revokeClient() {
- NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
+ NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
if [[ $NUMBEROFCLIENTS == '0' ]]; then
echo ""
echo "You have no existing clients!"
@@ -1151,7 +1151,7 @@ function revokeClient() {
echo ""
echo "Select the existing client certificate you want to revoke"
- tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
+ tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
if [[ $CLIENTNUMBER == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER
@@ -1159,16 +1159,16 @@ function revokeClient() {
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
done
- CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
- cd /etc/openvpn/easy-rsa/ || return
+ CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
+ cd /etc/openvpn/server/easy-rsa/ || return
./easyrsa --batch revoke "$CLIENT"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- rm -f /etc/openvpn/crl.pem
- cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
- chmod 644 /etc/openvpn/crl.pem
+ rm -f /etc/openvpn/server/crl.pem
+ cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
+ chmod 644 /etc/openvpn/server/crl.pem
find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
rm -f "/root/$CLIENT.ovpn"
- sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt
+ sed -i "/^$CLIENT,.*/d" /etc/openvpn/server/ipp.txt
echo ""
echo "Certificate for client $CLIENT revoked."
@@ -1216,8 +1216,8 @@ function removeOpenVPN() {
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration
- PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
- PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
+ PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+ PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
# Stop OpenVPN
if [[ $OS =~ (fedora|arch|centos) ]]; then
@@ -1270,7 +1270,7 @@ function removeOpenVPN() {
# Cleanup
find /home/ -maxdepth 2 -name "*.ovpn" -delete
find /root/ -maxdepth 1 -name "*.ovpn" -delete
- rm -rf /etc/openvpn
+ rm -rf /etc/openvpn/server
rm -rf /usr/share/doc/openvpn*
rm -f /etc/sysctl.d/20-openvpn.conf
rm -rf /var/log/openvpn
@@ -1322,7 +1322,7 @@ function manageMenu() {
initialCheck
# Check if OpenVPN is already installed
-if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
+if [[ -e /etc/openvpn/server/server.conf && $AUTO_INSTALL != "y" ]]; then
manageMenu
else
installOpenVPN
From 1564232fbd7f6159147544f3111d3ecaaac5eab5 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Sat, 2 May 2020 00:12:46 +0000
Subject: [PATCH 03/10] Remove obsolete Ubuntu case
Ubuntu uses systemd
---
openvpn-install.sh | 5 -----
1 file changed, 5 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index af52d87..56e202c 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -931,11 +931,6 @@ verb 3" >>/etc/openvpn/server/server.conf
systemctl daemon-reload
systemctl enable openvpn-server@server
systemctl restart openvpn-server@server
- elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
- # On Ubuntu 16.04, we use the package from the OpenVPN repo
- # This package uses a sysvinit service
- systemctl enable openvpn
- systemctl start openvpn
else
# Don't modify package-provided service
cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
From f6a1c7e5983f3fecaf4bf67ae06f9c5a6159f1f9 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Sat, 2 May 2020 00:20:50 +0000
Subject: [PATCH 04/10] Add workaround to keep using /etc/openvpn/server
---
openvpn-install.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 56e202c..a3286c5 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -937,6 +937,9 @@ verb 3" >>/etc/openvpn/server/server.conf
# Workaround to fix OpenVPN service on OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
+ # Another workaround to keep using /etc/openvpn/server
+ sed -i 's|/etc/openvpn|/etc/openvpn/server|' /etc/systemd/system/openvpn\@.service
+ sed -i 's|/etc/openvpn/%i.conf|/etc/openvpn/server/%i.conf|' /etc/systemd/system/openvpn\@.service
systemctl daemon-reload
systemctl enable openvpn@server
From 2f9812308cdde6e2dd9a82b252ec61d604861816 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Sat, 2 May 2020 00:24:33 +0000
Subject: [PATCH 05/10] Create /etc/openvpn/server directory
---
openvpn-install.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index a3286c5..2609738 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -677,6 +677,7 @@ function installOpenVPN() {
# Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi
+ mkdir -p /etc/openvpn/server
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
From a9c60875d1683bd133d6db26ac6b81bc6fa57352 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Sat, 2 May 2020 01:42:34 +0000
Subject: [PATCH 06/10] Drop openvpn 2.3 paths
See https://github.com/angristan/openvpn-install/pull/653#issuecomment-622649463
---
openvpn-install.sh | 57 +++++++++++++---------------------------------
1 file changed, 16 insertions(+), 41 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 2609738..742b1cb 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -917,36 +917,21 @@ verb 3" >>/etc/openvpn/server/server.conf
fi
fi
- # Finally, restart and enable OpenVPN
- if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
- # Don't modify package-provided service
- cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
+ # Don't modify package-provided service
+ cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
- # Workaround to fix OpenVPN service on OpenVZ
- sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
- # On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
- if [[ $OS == "fedora" ]]; then
- sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
- fi
-
- systemctl daemon-reload
- systemctl enable openvpn-server@server
- systemctl restart openvpn-server@server
- else
- # Don't modify package-provided service
- cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
-
- # Workaround to fix OpenVPN service on OpenVZ
- sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
- # Another workaround to keep using /etc/openvpn/server
- sed -i 's|/etc/openvpn|/etc/openvpn/server|' /etc/systemd/system/openvpn\@.service
- sed -i 's|/etc/openvpn/%i.conf|/etc/openvpn/server/%i.conf|' /etc/systemd/system/openvpn\@.service
-
- systemctl daemon-reload
- systemctl enable openvpn@server
- systemctl restart openvpn@server
+ # Workaround to fix OpenVPN service on OpenVZ
+ sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
+ # On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
+ if [[ $OS == "fedora" ]]; then
+ sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi
+ # Finally, restart and enable OpenVPN
+ systemctl daemon-reload
+ systemctl enable openvpn-server@server
+ systemctl restart openvpn-server@server
+
if [[ $DNS == 2 ]]; then
installUnbound
fi
@@ -1219,20 +1204,10 @@ function removeOpenVPN() {
PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
# Stop OpenVPN
- if [[ $OS =~ (fedora|arch|centos) ]]; then
- systemctl disable openvpn-server@server
- systemctl stop openvpn-server@server
- # Remove customised service
- rm /etc/systemd/system/openvpn-server@.service
- elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
- systemctl disable openvpn
- systemctl stop openvpn
- else
- systemctl disable openvpn@server
- systemctl stop openvpn@server
- # Remove customised service
- rm /etc/systemd/system/openvpn\@.service
- fi
+ systemctl disable openvpn-server@server
+ systemctl stop openvpn-server@server
+ # Remove customised service
+ rm /etc/systemd/system/openvpn-server@.service
# Remove the iptables rules related to the script
systemctl stop iptables-openvpn
From fc7175a544e68301e1ce8e839b16985883920238 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Sat, 2 May 2020 02:14:10 +0000
Subject: [PATCH 07/10] Create /etc/openvpn/client
openvpn package from openvpn.net repository doesn't have `server` and `client` directories
---
openvpn-install.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 742b1cb..e0949ea 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -677,7 +677,7 @@ function installOpenVPN() {
# Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi
- mkdir -p /etc/openvpn/server
+ mkdir -p /etc/openvpn/server /etc/openvpn/client
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
From de27da36384b8e08789edcf4b2cbbc969bb8b947 Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Sat, 2 May 2020 02:17:50 +0000
Subject: [PATCH 08/10] Update file paths in FAQ.md
---
FAQ.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/FAQ.md b/FAQ.md
index b891666..72a8ecc 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -63,7 +63,7 @@ down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
- AES CBC
- tls-auth
-If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
+If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server/server.conf` and `.ovpn` files.
---
@@ -109,7 +109,7 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
**Q:** How can I access computers the OpenVPN server's remote LAN?
-**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
+**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
---
From 40ddb4c87f0d206b344f086fac0a3c0f637fcb8c Mon Sep 17 00:00:00 2001
From: randomshell <43271778+randomshell@users.noreply.github.com>
Date: Sat, 2 May 2020 20:46:33 +0000
Subject: [PATCH 09/10] Remove status option from server.conf
It is included in the new systemd service `openvpn-server@.service`:
`ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf`
The new path is `/run/openvpn-server/status-server.log`
---
openvpn-install.sh | 1 -
1 file changed, 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index e0949ea..31b9585 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -892,7 +892,6 @@ tls-server
tls-version-min 1.2
tls-cipher $CC_CIPHER
client-config-dir /etc/openvpn/server/ccd
-status /var/log/openvpn/status.log
verb 3" >>/etc/openvpn/server/server.conf
# Create client-config-dir dir
From c4947d12fb7d21f4ac7d615bcf42764f26161b4a Mon Sep 17 00:00:00 2001
From: randomshell
Date: Sun, 3 May 2020 13:07:36 +0000
Subject: [PATCH 10/10] Remove old log directory
See previous commit 40ddb4c87f0d206b344f086fac0a3c0f637fcb8c
---
openvpn-install.sh | 3 ---
1 file changed, 3 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 31b9585..014c4e7 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -896,8 +896,6 @@ verb 3" >>/etc/openvpn/server/server.conf
# Create client-config-dir dir
mkdir -p /etc/openvpn/server/ccd
- # Create log dir
- mkdir -p /var/log/openvpn
# Enable routing
echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
@@ -1246,7 +1244,6 @@ function removeOpenVPN() {
rm -rf /etc/openvpn/server
rm -rf /usr/share/doc/openvpn*
rm -f /etc/sysctl.d/20-openvpn.conf
- rm -rf /var/log/openvpn
# Unbound
if [[ -e /etc/unbound/openvpn.conf ]]; then