From 501f8a9b36d66659866d773d6eb7a6abf7e66579 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Mon, 12 Feb 2018 16:07:37 +0100
Subject: [PATCH 01/22] Use a different client name for new users Just in case the user keeps the default "client" username when installing, reusing "client" will fail. A tiny commit for lazy users.
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4e9f91d..6371602 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -112,7 +112,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 echo ""
 echo "Tell me a name for the client cert"
 echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i client CLIENT
+ read -p "Client name: " -e -i newclient CLIENT
 cd /etc/openvpn/easy-rsa/
 ./easyrsa build-client-full $CLIENT nopass
 # Generates the custom client.ovpn
From febdc04340a3b020afe15e833fab1ea12106522a Mon Sep 17 00:00:00 2001
From: Angristan
Date: Tue, 13 Feb 2018 22:38:48 +0100
Subject: [PATCH 02/22] Support Ubuntu 17.10 Fixes #161
---
 README.md | 1 +
 openvpn-install.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 102b95d..6180428 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,7 @@ The script is made to work on these OS and architectures :
 - **Ubuntu 16.04 LTS** (i386, amd64)
 - **Ubuntu 16.10** (i386, amd64, armhf, arm64)
 - **Ubuntu 17.04** (i386, amd64, armhf, arm64)
+- **Ubuntu 17.10** (i386, amd64, armhf, arm64)
 - **Fedora 25** (amd64)
 - **Fedora 26** (amd64)
 - **Fedora 27** (amd64)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 6371602..7eb5e86 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
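Review bot: Changing the pre-filled name only postpones the collision the commit message describes: the second run that keeps `newclient` fails in `./easyrsa build-client-full` the same way, because nothing checks whether a cert of that name already exists, and `$CLIENT` is read without `-r` and expanded unquoted on that line even though the prompt asks for "one word only". I would loop the prompt until the name is both safe and unused: `until [[ "$CLIENT" =~ ^[a-zA-Z0-9_-]+$ ]] && [[ ! -e /etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt ]]; do read -rp "Client name: " -e -i newclient CLIENT; done`, and then pass `"$CLIENT"` quoted to easyrsa. The `1)` case arm this sits in starts and ends outside the hunk.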
@@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
 VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
 IPTABLES='/etc/iptables/iptables.rules'
 SYSCTL='/etc/sysctl.conf'
- if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
+ if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
 echo "Your version of Debian/Ubuntu is not supported."
 echo "I can't install a recent version of OpenVPN on your system."
 echo ""
From f252614a365ccb8b4a08339af3f77443aa69c0b3 Mon Sep 17 00:00:00 2001
From: Kcchouette
Date: Wed, 14 Feb 2018 14:48:36 +0100
Subject: [PATCH 03/22] Remove unsupported version of ubuntu (#163) * Remove unsupported version of ubuntu Remove 12.04 as the support finished on April 28, 2017 Remove 16.10 as the support finished 2017-07-20 Remove 17.04 as the support finished 2018-01-13
---
 README.md | 3 ---
 openvpn-install.sh | 8 +-------
 2 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 6180428..47b0699 100644
--- a/README.md
+++ b/README.md
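Review bot: The allow-list on the `+` line is now an eight-term chain of `[[ "$VERSION_ID" != '...' ]]` tests that has to be retyped every time a release is added or dropped (this series does so three more times), which is exactly where a missed quote or a stale version slips in. A `case` on the same value reads as a list, keeps one pattern per line and needs no `&&` bookkeeping; the existing "not supported" messages move into the `*)` arm. The `fi` closing this block, and the "continue anyway" prompt inside it, are outside the hunk.
```shell
	case "$VERSION_ID" in
		'VERSION_ID="7"'|'VERSION_ID="8"'|'VERSION_ID="9"'|'VERSION_ID="12.04"'|'VERSION_ID="14.04"'|'VERSION_ID="16.04"'|'VERSION_ID="16.10"'|'VERSION_ID="17.04"'|'VERSION_ID="17.10"')
			;;
		*)
			echo "Your version of Debian/Ubuntu is not supported."
			echo "I can't install a recent version of OpenVPN on your system."
			# … unchanged: the rest of the "Continue ? [y/n]" prompt …
			;;
	esac
```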
@@ -59,11 +59,8 @@ The script is made to work on these OS and architectures :
 - **Debian 7** (i386, amd64)
 - **Debian 8** (i386, amd64)
 - **Debian 9** (i386, amd64, armhf, arm64)
-- **Ubuntu 12.04 LTS** (i386, amd64)
 - **Ubuntu 14.04 LTS** (i386, amd64)
 - **Ubuntu 16.04 LTS** (i386, amd64)
-- **Ubuntu 16.10** (i386, amd64, armhf, arm64)
-- **Ubuntu 17.04** (i386, amd64, armhf, arm64)
 - **Ubuntu 17.10** (i386, amd64, armhf, arm64)
 - **Fedora 25** (amd64)
 - **Fedora 26** (amd64)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7eb5e86..d2c56ba 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
 VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
 IPTABLES='/etc/iptables/iptables.rules'
 SYSCTL='/etc/sysctl.conf'
- if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
+ if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
 echo "Your version of Debian/Ubuntu is not supported."
 echo "I can't install a recent version of OpenVPN on your system."
 echo ""
@@ -340,12 +340,6 @@ else
 wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
 apt update
 fi
- # Ubuntu 12.04
- if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt-get update
- fi
 # Ubuntu 14.04
 if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
 echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
From 687eb9019da57cee4c69b9903c9a2129563353c9 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Thu, 22 Feb 2018 21:47:35 +0100
Subject: [PATCH 04/22] Fix Fedora detection Fixes #168
---
 openvpn-install.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index d2c56ba..4f178ef 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -40,7 +40,11 @@ if [[ -e /etc/debian_version ]]; then
 exit 4
 fi
 fi
-elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release && ! -e /etc/fedora-release ]]; then
+elif [[ -e /etc/fedora-release ]]; then
+ OS=fedora
+ IPTABLES='/etc/iptables/iptables.rules'
+ SYSCTL='/etc/sysctl.d/openvpn.conf'
+elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release ]]; then
 OS=centos
 IPTABLES='/etc/iptables/iptables.rules'
 SYSCTL='/etc/sysctl.conf'
@@ -48,10 +52,6 @@ elif [[ -e /etc/arch-release ]]; then
 OS=arch
 IPTABLES='/etc/iptables/iptables.rules'
 SYSCTL='/etc/sysctl.d/openvpn.conf'
-elif [[ -e /etc/fedora-release ]]; then
- OS=fedora
- IPTABLES='/etc/iptables/iptables.rules'
- SYSCTL='/etc/sysctl.d/openvpn.conf'
 else
 echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
 exit 4
From 42f6553dcc2f6ca67cecaef9516ac621d10980e3 Mon Sep 17 00:00:00 2001
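Review bot: The fallback message on the context line `echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"` still omits Fedora even though this commit makes Fedora a first-class branch, so a user on an unlisted distro is told the wrong set of supported systems; change it to `echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or ArchLinux system"`. The removed expression mixed `||` and `&&` inside `[[ ]]`, so `! -e /etc/fedora-release` only guarded the last alternative, which the reorder fixes; a one-line comment on the new `elif [[ -e /etc/fedora-release ]]` such as `# Must come before the CentOS/RHEL test: Fedora presumably also ships /etc/redhat-release` would keep a future reorder from reintroducing the bug. The `if`/`elif` chain begins outside the hunk.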
From: Angristan
Date: Sun, 25 Feb 2018 17:37:03 +0100
Subject: [PATCH 05/22] Add GPG dependency
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4f178ef..54aacdf 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -326,7 +326,7 @@ else
 read -n1 -r -p "Press any key to continue..."
 if [[ "$OS" = 'debian' ]]; then
- apt-get install ca-certificates -y
+ apt-get install ca-certificates gpg -y
 # We add the OpenVPN repo to get the latest version.
 # Debian 7
 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
From 41860dd960c8665f6337bf874d2a47e1ba24c170 Mon Sep 17 00:00:00 2001
From: Luclu7
Date: Sun, 25 Mar 2018 18:21:20 +0200
Subject: [PATCH 06/22] typo (#183)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 47b0699..4a6cdb7 100644
--- a/README.md
+++ b/README.md
@@ -147,7 +147,7 @@ It also supports SHA1 and MD5, which are unsafe, and all the SHA2 family. I didn
 ### Data channel's cipher
-By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old (1993) an weak alogorithm. What's *funny* is that even the official OpenVPN documentation admits it.
+By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old (1993) and weak alogorithm. What's *funny* is that even the official OpenVPN documentation admits it.
 >The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
From 56881521426aef75c7940fc9e4b20e5a6dab6f81 Mon Sep 17 00:00:00 2001
From: phjanderson
Date: Sun, 1 Apr 2018 19:01:08 +0200
Subject: [PATCH 07/22] Added support for Ubuntu 16.04 on armhf to readme (#191)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
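Review bot: `apt-get install ca-certificates gpg -y` is never checked, and the repository-key import that follows in this branch (the `wget -O - … | apt-key add -` lines visible in the earlier hunk of this series) depends on it; if the install fails the script carries on, the key import fails without stopping the run and the user only finds out when the OpenVPN package cannot be verified. `wget` itself is not in the dependency list either, so a minimal image without it fails at the same point. Suggest `apt-get install -y ca-certificates gpg wget || exit 1`. The enclosing `if [[ "$OS" = 'debian' ]]` block ends outside the hunk.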
diff --git a/README.md b/README.md
index 4a6cdb7..3d35ed8 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ The script is made to work on these OS and architectures :
 - **Debian 8** (i386, amd64)
 - **Debian 9** (i386, amd64, armhf, arm64)
 - **Ubuntu 14.04 LTS** (i386, amd64)
-- **Ubuntu 16.04 LTS** (i386, amd64)
+- **Ubuntu 16.04 LTS** (i386, amd64, armhf)
 - **Ubuntu 17.10** (i386, amd64, armhf, arm64)
 - **Fedora 25** (amd64)
 - **Fedora 26** (amd64)
From d7e706ac241a90bbaa25fb6e41b73e1c9e737fc1 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Sun, 1 Apr 2018 23:12:05 +0200
Subject: [PATCH 08/22] Add Cloudflare resolvers Fixes #193
---
 README.md | 1 +
 openvpn-install.sh | 33 +++++++++++++++++++--------------
 2 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 3d35ed8..fbc7869 100644
--- a/README.md
+++ b/README.md
@@ -96,6 +96,7 @@ The script will ask you which DNS resolvers you want to use when connected to th
 Here are the possibilities :
 - Current system resolvers, those that are in `/etc/resolv.conf`
+- [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers)
 - [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France)
 - [DNS.WATCH DNS Servers](https://dns.watch/index), recommended if you're in western europe (Germany)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 54aacdf..46568ca 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -225,13 +225,14 @@ else
 echo ""
 echo "What DNS do you want to use with the VPN?"
 echo " 1) Current system resolvers (from /etc/resolv.conf)"
- echo " 2) Quad9 (Anycast: worldwide)"
- echo " 3) FDN (France)"
- echo " 4) DNS.WATCH (Germany)"
- echo " 5) OpenDNS (Anycast: worldwide)"
- echo " 6) Google (Anycast: worldwide)"
- echo " 7) Yandex Basic (Russia)"
- echo " 8) AdGuard DNS (Russia)"
+ echo " 2) Cloudflare (Anycast: worldwide)"
+ echo " 3) Quad9 (Anycast: worldwide)"
+ echo " 4) FDN (France)"
+ echo " 5) DNS.WATCH (Germany)"
+ echo " 6) OpenDNS (Anycast: worldwide)"
+ echo " 7) Google (Anycast: worldwide)"
+ echo " 8) Yandex Basic (Russia)"
+ echo " 9) AdGuard DNS (Russia)"
 while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do
 read -p "DNS [1-8]: " -e -i 1 DNS
 done
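Review bot: The menu now lists nine resolvers, but the validation loop on the context line directly below the added entries still reads `while [[ $DNS != "1" && … && $DNS != "8" ]]` and prompts with `read -p "DNS [1-8]: "`, so the new ninth entry (AdGuard) is rejected and can never be selected. Add `&& $DNS != "9"` to the condition and change the prompt to `"DNS [1-9]: "`. A range test such as `until [[ "$DNS" =~ ^[1-9]$ ]]; do` would stop this loop from needing an edit every time an entry is added.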
@@ -506,30 +507,34 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
 done
 ;;
- 2) #Quad9
+ 2) # Cloudflare
+ echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
+ ;;
+ 3) # Quad9
 echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
 ;;
- 3) #FDN
+ 4) # FDN
 echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
 echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
 ;;
- 4) #DNS.WATCH
+ 5) # DNS.WATCH
 echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
 echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
 ;;
- 5) #OpenDNS
+ 6) # OpenDNS
 echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
 echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
 ;;
- 6) #Google
+ 7) # Google
 echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
 echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
 ;;
- 7) #Yandex Basic
+ 8) # Yandex Basic
 echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
 echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
 ;;
- 8) #AdGuard DNS
+ 9) # AdGuard DNS
 echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
 echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
 ;;
From 853683b0b389903878c2d7e26d5ecf07bdba24d8 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Tue, 3 Apr 2018 22:52:42 +0200
Subject: [PATCH 09/22] Add saythanks.io Thanks to @cezar97 (#188)
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index fbc7869..71ead65 100644
--- a/README.md
+++ b/README.md
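Review bot: The new `2) # Cloudflare` arm pushes 1.0.0.1 before 1.1.1.1, whereas every other arm in this `case` lists the provider's primary before its secondary; clients will presumably query pushed resolvers in the order received, so the advertised primary 1.1.1.1 should be the first `echo 'push "dhcp-option DNS …"'` line and 1.0.0.1 the second. Renumbering the arms by hand is also how the off-by-one in the validation loop earlier in this commit crept in; a short comment above the `case` such as `# Keep these numbers in sync with the DNS menu and its range check above` would help. The `case $DNS in` opening this block is outside the hunk.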
@@ -254,6 +254,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
 TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
+## Say thanks
+
+You can [say thanks](https://saythanks.io/to/Angristan) if you want!
+
 ## Credits & Licence
 Thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and of course Nyr's orginal work.
From 61d89e3ba20af7b4530dde08ebb4a73a6c84f1fe Mon Sep 17 00:00:00 2001
From: cezar97
Date: Tue, 10 Apr 2018 11:06:19 +0200
Subject: [PATCH 10/22] Remove .ovpn on cert revoke or OpenVPN uninstall (#178)
---
 openvpn-install.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 46568ca..1b6af00 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -146,6 +146,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 rm -rf /etc/openvpn/crl.pem
 cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 chmod 644 /etc/openvpn/crl.pem
+ rm -rf $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
+ rm -rf /root/$CLIENT.ovpn 2>/dev/null
 echo ""
 echo "Certificate for client $CLIENT revoked"
 echo "Exiting..."
@@ -188,6 +190,12 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 else
 yum remove openvpn -y
 fi
+ OVPNS=$(ls /etc/openvpn/easy-rsa/pki/issued | awk -F "." {'print $1'})
+ for i in $OVPNS
+ do
+ rm $(find /home -maxdepth 2 | grep $i.ovpn) 2>/dev/null
+ rm /root/$i.ovpn 2>/dev/null
+ done
 rm -rf /etc/openvpn
 rm -rf /usr/share/doc/openvpn*
 echo ""
From 71bb6e8371e0c9b03ace8c88e7e4834808239a11 Mon Sep 17 00:00:00 2001
From: Timofey Vasenin
Date: Mon, 7 May 2018 23:50:01 +0700
Subject: [PATCH 11/22] Remove unneeded -r argument from some rm commands Backport the relevant part of: https://github.com/Nyr/openvpn-install/commit/d7173537692df686afa26e74c456aede8bc569f3
---
 openvpn-install.sh | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
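Review bot: `rm -rf $(find /home -maxdepth 2 | grep $CLIENT.ovpn)` deletes, as root, every path under /home whose name merely contains the pattern: the `grep` is unanchored and the `.` matches any character, so revoking client `a` also matches `/home/bob/data.ovpn`; the unquoted `$(...)` word-splits any path containing whitespace into separate arguments; and `-rf` will recurse into a directory should one match. Let `find` do exact matching instead: `find /home -maxdepth 2 -type f -name "$CLIENT.ovpn" -delete` and `rm -f -- "/root/$CLIENT.ovpn"`, and drop the `2>/dev/null` so a failure is visible. The `2)` case arm this belongs to starts and ends outside the hunk.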
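Review bot: `OVPNS=$(ls /etc/openvpn/easy-rsa/pki/issued | awk -F "." {'print $1'})` parses `ls` output and truncates at the first dot, so a client whose name contains a dot never matches its own `.ovpn`, and the `rm $(find /home -maxdepth 2 | grep $i.ovpn)` inside the loop has the same unanchored-substring and word-splitting behaviour as a plain `grep`, removing user files that merely contain the client name. Iterating the issued certs with a glob and letting `find` match the exact name removes both problems; the `[[ -e "$f" ]]` guard covers the no-certs case where the unexpanded glob would otherwise turn into `*`. The `if [[ "$REMOVE" = 'y' ]]` block this sits in starts and ends outside the hunk.
```shell
	for f in /etc/openvpn/easy-rsa/pki/issued/*.crt; do
		[[ -e "$f" ]] || continue
		i=$(basename "$f" .crt)
		find /home -maxdepth 2 -type f -name "$i.ovpn" -delete
		rm -f -- "/root/$i.ovpn"
	done
```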
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1b6af00..d0c3215 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -140,14 +140,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 cd /etc/openvpn/easy-rsa/
 ./easyrsa --batch revoke $CLIENT
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- rm -rf pki/reqs/$CLIENT.req
- rm -rf pki/private/$CLIENT.key
- rm -rf pki/issued/$CLIENT.crt
- rm -rf /etc/openvpn/crl.pem
+ rm -f pki/reqs/$CLIENT.req
+ rm -f pki/private/$CLIENT.key
+ rm -f pki/issued/$CLIENT.crt
+ rm -f /etc/openvpn/crl.pem
 cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
 chmod 644 /etc/openvpn/crl.pem
- rm -rf $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
- rm -rf /root/$CLIENT.ovpn 2>/dev/null
+ rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
+ rm -f /root/$CLIENT.ovpn 2>/dev/null
 echo ""
 echo "Certificate for client $CLIENT revoked"
 echo "Exiting..."
@@ -470,7 +470,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 mv ~/EasyRSA-3.0.4/ /etc/openvpn/
 mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
 chown -R root:root /etc/openvpn/easy-rsa/
- rm -rf ~/EasyRSA-3.0.4.tgz
+ rm -f ~/EasyRSA-3.0.4.tgz
 cd /etc/openvpn/easy-rsa/
 # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
 SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
From 2f6821d778779bb38dbb52915752980a7c46cedc Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Tue, 8 May 2018 20:53:57 +0200
Subject: [PATCH 12/22] Add support for Ubuntu 18.04
---
 README.md | 1 +
 openvpn-install.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 71ead65..7ffa7b3 100644
--- a/README.md
+++ b/README.md
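Review bot: The new `rm -f /etc/openvpn/crl.pem` followed by an unchecked `cp` and a separate `chmod 644` leaves a window in which the server has no CRL, and if the copy fails the old CRL is already gone while the script reports "Certificate for client $CLIENT revoked" anyway; what the running server does with a missing `crl-verify` file is not visible here, but neither outcome is what the operator expects. Replacing the three lines with `install -m 644 /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem || exit 1` installs the new CRL with the intended mode in one checked step. Note that `./easyrsa --batch revoke $CLIENT` and `EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl` above are likewise unchecked, so a failed revocation still falls through to the cleanup.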
@@ -62,6 +62,7 @@ The script is made to work on these OS and architectures :
 - **Ubuntu 14.04 LTS** (i386, amd64)
 - **Ubuntu 16.04 LTS** (i386, amd64, armhf)
 - **Ubuntu 17.10** (i386, amd64, armhf, arm64)
+- **Ubuntu 18.04 LTS** (i386, amd64, armhf, arm64)
 - **Fedora 25** (amd64)
 - **Fedora 26** (amd64)
 - **Fedora 27** (amd64)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index d0c3215..645da2e 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
 VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
 IPTABLES='/etc/iptables/iptables.rules'
 SYSCTL='/etc/sysctl.conf'
- if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
+ if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
 echo "Your version of Debian/Ubuntu is not supported."
 echo "I can't install a recent version of OpenVPN on your system."
 echo ""
From b3fba4fddcd5797cf64237fe66451ef679ca6426 Mon Sep 17 00:00:00 2001
From: Timofey Vasenin
Date: Wed, 9 May 2018 02:01:32 +0700
Subject: [PATCH 13/22] [backport] Fix system resolvers option for environments running systemd-resolved (#214)
---
 openvpn-install.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 645da2e..c960034 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -510,8 +510,15 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 # DNS resolvers
 case $DNS in
 1)
+ # Locate the proper resolv.conf
+ # Needed for systems running systemd-resolved
+ if grep -q "127.0.0.53" "/etc/resolv.conf"; then
+ RESOLVCONF='/run/systemd/resolve/resolv.conf'
+ else
+ RESOLVCONF='/etc/resolv.conf'
+ fi
 # Obtain the resolvers from resolv.conf and use them for OpenVPN
- grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
+ grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
 echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
 done
 ;;
From d2a3b3bec673cdb010860e5075e17bf7fb4f1c40 Mon Sep 17 00:00:00 2001
From: Timofey Vasenin
Date: Wed, 9 May 2018 02:23:36 +0700
Subject: [PATCH 14/22] Backport improvements of external IP handling (#213) * [backport] Remove IP address detection fallback It was never used, the one-liner is enough. * [backport] Improve NAT detection Cleaner and better: - Not relying in an external service - Avoids a false positive when the server has multiple public IPv4 addresses and the user selects one which is not the default gateway
---
 openvpn-install.sh | 31 +++++++++++--------------------
 1 file changed, 11 insertions(+), 20 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index c960034..93ca3c5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
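Review bot: The new branch switches to `/run/systemd/resolve/resolv.conf` whenever `/etc/resolv.conf` mentions 127.0.0.53 but never checks that the file exists; when it does not (stub address configured some other way, or resolved not running) the `grep -v '#' $RESOLVCONF` pipeline errors out and pushes no `dhcp-option DNS` at all, so clients silently get no resolver. The dots in `"127.0.0.53"` are also unescaped regex metacharacters. Suggest `if grep -q '^nameserver 127\.0\.0\.53' /etc/resolv.conf && [[ -r /run/systemd/resolve/resolv.conf ]]; then`, and, because the extracted addresses are pushed verbatim to remote VPN clients, filtering loopback entries with `| grep -vE '^127\.'` before `while read line` so a local-only resolver is never handed out. The enclosing `case $DNS in` closes outside the hunk.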
@@ -83,13 +83,6 @@ newclient () {
 echo "" >> $homeDir/$1.ovpn
 }
-# Try to get our IP from the system and fallback to the Internet.
-# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
-# and to avoid getting an IPv6.
-IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
-if [[ "$IP" = "" ]]; then
- IP=$(wget -qO- ipv4.icanhazip.com)
-fi
 # Get Internet network interface with default route
 NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
@@ -220,10 +213,18 @@ else
 echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
 echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
 echo "Otherwise, it should be your public IPv4 address."
+ # Autodetect IP address and pre-fill for the user
+ IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
 read -p "IP address: " -e -i $IP IP
 echo ""
 echo "What port do you want for OpenVPN?"
 read -p "Port: " -e -i 1194 PORT
+ # If $IP is a private IP address, the server must be behind NAT
+ if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
+ echo ""
+ echo "This server is behind NAT. What is the public IPv4 address or hostname?"
+ read -p "Public IP address / hostname: " -e PUBLICIP
+ fi
 echo ""
 echo "What protocol do you want for OpenVPN?"
 echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
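Review bot: With the Internet fallback gone, the context line `read -p "IP address: " -e -i $IP IP` now runs with an empty `$IP` whenever autodetection finds no non-loopback IPv4, and because the expansion is unquoted `-i` then consumes `IP` as its argument, `read` has no variable name left, the answer lands in `REPLY` and `IP` stays empty for the rest of the install; quote it: `read -p "IP address: " -e -i "$IP" IP`. The NAT heuristic on the new `if echo "$IP" | grep -qE '^(10\.|…|192\.168)'` line covers only RFC 1918 space, so a host behind carrier-grade NAT (100.64.0.0/10) is never asked for its public address — either extend the pattern with `100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.` or say so in the comment. `PUBLICIP` is accepted without any validation and is used later as the address clients connect to.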
@@ -661,19 +662,9 @@ verb 3" >> /etc/openvpn/server.conf
 chkconfig openvpn on
 fi
 fi
- # Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
- EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
- if [[ "$IP" != "$EXTERNALIP" ]]; then
- echo ""
- echo "Looks like your server is behind a NAT!"
- echo ""
- echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
- echo "then I need to know the address that can be used to access it from outside."
- echo "If that's not the case, just ignore this and leave the next field blank"
- read -p "External IP or domain name: " -e USEREXTERNALIP
- if [[ "$USEREXTERNALIP" != "" ]]; then
- IP=$USEREXTERNALIP
- fi
+ # If the server is behind a NAT, use the correct IP address
+ if [[ "$PUBLICIP" != "" ]]; then
+ IP=$PUBLICIP
 fi
 # client-template.txt is created so we have a template to add further users later
 echo "client" > /etc/openvpn/client-template.txt
From 6cecc16f0db54b4a81383f5e0a80b67ee244c113 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Thu, 10 May 2018 00:29:05 +0200
Subject: [PATCH 15/22] Fixes #217 "Package 'gpg' has no installation candidate"
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 93ca3c5..cc05a99 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -336,7 +336,7 @@ else
 read -n1 -r -p "Press any key to continue..."
 if [[ "$OS" = 'debian' ]]; then
- apt-get install ca-certificates gpg -y
+ apt-get install ca-certificates gnupg -y
 # We add the OpenVPN repo to get the latest version.
 # Debian 7
 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
From b8f0b44c55861a2805b48f080ac24200648afa35 Mon Sep 17 00:00:00 2001
From: Jebtrix
Date: Tue, 29 May 2018 04:18:24 -0400
Subject: [PATCH 16/22] [FIX] Unable to select AdGuard DNS choice (#228)
---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index cc05a99..e74d854 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -242,8 +242,8 @@ else
 echo " 7) Google (Anycast: worldwide)"
 echo " 8) Yandex Basic (Russia)"
 echo " 9) AdGuard DNS (Russia)"
- while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do
- read -p "DNS [1-8]: " -e -i 1 DNS
+ while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do
+ read -p "DNS [1-9]: " -e -i 1 DNS
 done
 echo ""
 echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
From c42b028538b38a4aa8973565e05903fdde0b9a91 Mon Sep 17 00:00:00 2001
From: cezar97
Date: Fri, 6 Jul 2018 01:25:57 +0300
Subject: [PATCH 17/22] Add "Check for DNS leaks" paragraph in README (#242)
---
 README.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 7ffa7b3..21b1a3f 100644
--- a/README.md
+++ b/README.md
@@ -255,6 +255,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used.
 TLS-Auth is not enabled by default by OpenVPN, but it is in this script.
+## Check for DNS leaks
+
+Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
+
 ## Say thanks
 You can [say thanks](https://saythanks.io/to/Angristan) if you want!
From 63ac18075d07a1c944e9b4e08ba6e01b99c9cf2e Mon Sep 17 00:00:00 2001
From: cezar97
Date: Fri, 6 Jul 2018 23:11:22 +0300
Subject: [PATCH 18/22] Add quad9 secondary DNS (#248) See https://www.quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security.
---
 openvpn-install.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index e74d854..44647c5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -529,6 +529,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 ;;
 3) # Quad9
 echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
 ;;
 4) # FDN
 echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
From 5501de73c8742bef58aa62685ca4c898cae2e616 Mon Sep 17 00:00:00 2001
From: Sayem Chowdhury
Date: Sun, 15 Jul 2018 15:25:59 +0600
Subject: [PATCH 19/22] Improved code (#243)
---
 openvpn-install.sh | 130 +++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 78 insertions(+), 52 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 44647c5..046b319 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -4,16 +4,19 @@
 # https://github.com/Angristan/OpenVPN-install
+# Verify root
 if [[ "$EUID" -ne 0 ]]; then
 echo "Sorry, you need to run this as root"
 exit 1
 fi
+# Verify tun
 if [[ ! -e /dev/net/tun ]]; then
 echo "TUN is not available"
 exit 2
 fi
+# Check if CentOS 5
 if grep -qs "CentOS release 5" "/etc/redhat-release"; then
 echo "CentOS 5 is too old and not supported"
 exit 3
@@ -22,7 +25,7 @@ fi
 if [[ -e /etc/debian_version ]]; then
 OS="debian"
 # Getting the version number, to verify that a recent version of OpenVPN is available
- VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
+ VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
 IPTABLES='/etc/iptables/iptables.rules'
 SYSCTL='/etc/sysctl.conf'
 if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
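Review bot: `VERSION_ID=$(grep "VERSION_ID" /etc/os-release)` keeps the whole matching line, quotes included, and the unanchored pattern would also pick up any other key containing that substring, which is why the comparison on the context line below has to spell out literals like `'VERSION_ID="7"'` and breaks on a release that writes the value unquoted. Anchoring and extracting the value, `VERSION_ID=$(grep '^VERSION_ID=' /etc/os-release | cut -d= -f2 | tr -d '"')`, lets the check below compare plain `7`, `8`, `18.04` and so on. A `# VERSION_ID is absent on Debian testing/sid, so those fall into the "not supported" prompt` comment on this line would also explain the empty-value path. The `if [[ -e /etc/debian_version ]]` block continues past the hunk.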
@@ -33,7 +36,7 @@ if [[ -e /etc/debian_version ]]; then
 echo "then you can continue, a recent version of OpenVPN is available on these."
 echo "Keep in mind they are not supported, though."
 while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
- read -p "Continue ? [y/n]: " -e CONTINUE
+ read -rp "Continue ? [y/n]: " -e CONTINUE
 done
 if [[ "$CONTINUE" = "n" ]]; then
 echo "Ok, bye !"
@@ -59,28 +62,33 @@ fi
 newclient () {
 # Where to write the custom client.ovpn?
- if [ -e /home/$1 ]; then # if $1 is a user name
+ if [ -e "/home/$1" ]; then # if $1 is a user name
 homeDir="/home/$1"
- elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER
+ elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
 homeDir="/home/${SUDO_USER}"
 else # if not SUDO_USER, use /root
 homeDir="/root"
 fi
 # Generates the custom client.ovpn
- cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "key-direction 1" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
+ cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn"
+ {
+ echo ""
+ cat "/etc/openvpn/easy-rsa/pki/ca.crt"
+ echo ""
+
+ echo ""
+ cat "/etc/openvpn/easy-rsa/pki/issued/$1.crt"
+ echo ""
+
+ echo ""
+ cat "/etc/openvpn/easy-rsa/pki/private/$1.key"
+ echo ""
+ echo "key-direction 1"
+
+ echo ""
+ cat "/etc/openvpn/tls-auth.key"
+ echo ""
+ } >> "$homeDir/$1.ovpn"
 }
 # Get Internet network interface with default route
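Review bot: The rewritten `newclient` writes the client's private key (`pki/private/$1.key`) and the server-wide `tls-auth.key` into `$homeDir/$1.ovpn`, yet the file is created by `cp` under root's umask and left owned by root, so on the usual 022 umask it is world-readable inside another user's home and that user cannot even remove it. After the `} >> "$homeDir/$1.ovpn"` line add `chmod 600 "$homeDir/$1.ovpn"` and, when `$homeDir` is a user's home, `chown --reference="$homeDir" "$homeDir/$1.ovpn"`. The `[ -e "/home/$1" ]` test also means a client named after an existing account drops the profile into that account's home, which deserves at least a comment since `$1` is not validated anywhere visible.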
@@ -94,22 +102,27 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 echo ""
 echo "Looks like OpenVPN is already installed"
 echo ""
+ echo "What do you want to do?"
 echo " 1) Add a cert for a new user"
 echo " 2) Revoke existing user cert"
 echo " 3) Remove OpenVPN"
 echo " 4) Exit"
- read -p "Select an option [1-4]: " option
+ read -rp "Select an option [1-4]: " option
+
 case $option in
 1)
 echo ""
 echo "Tell me a name for the client cert"
 echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i newclient CLIENT
- cd /etc/openvpn/easy-rsa/
+ read -rp "Client name: " -e -i newclient CLIENT
+
+ cd /etc/openvpn/easy-rsa/ || return
 ./easyrsa build-client-full $CLIENT nopass
+
 # Generates the custom client.ovpn
 newclient "$CLIENT"
+
 echo ""
 echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
 exit
@@ -121,16 +134,18 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 echo "You have no existing clients!"
 exit 5
 fi
+
 echo ""
 echo "Select the existing client certificate you want to revoke"
 tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
 if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
- read -p "Select one client [1]: " CLIENTNUMBER
+ read -rp "Select one client [1]: " CLIENTNUMBER
 else
- read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
+ read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
 fi
+
 CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
- cd /etc/openvpn/easy-rsa/
+ cd /etc/openvpn/easy-rsa/ || return
 ./easyrsa --batch revoke $CLIENT
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 rm -f pki/reqs/$CLIENT.req
@@ -141,6 +156,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 chmod 644 /etc/openvpn/crl.pem
 rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
 rm -f /root/$CLIENT.ovpn 2>/dev/null
+
 echo ""
 echo "Certificate for client $CLIENT revoked"
 echo "Exiting..."
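Review bot: `cd /etc/openvpn/easy-rsa/ || return` is at script top level, not inside a function, so in bash a failed `cd` prints "can only `return' from a function or sourced script" and execution simply continues: `./easyrsa build-client-full $CLIENT nopass` then runs in whatever the current directory happened to be. Use `cd /etc/openvpn/easy-rsa/ || exit 1` here and on the matching line in the revoke arm. `$CLIENT` is still expanded unquoted on the easyrsa line even though the prompt asks for one word; `./easyrsa build-client-full "$CLIENT" nopass` keeps a name with spaces from turning into extra arguments, and the name is never validated against the "no special characters" rule the prompt states. The `case $option in` closes outside the hunk.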
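Review bot: `CLIENTNUMBER` is used unvalidated in `sed -n "$CLIENTNUMBER"p`: an empty or non-numeric answer makes `sed` fail, `CLIENT` comes out empty and `./easyrsa --batch revoke $CLIENT` on the next line is invoked with no name, while a number above `$NUMBEROFCLIENTS` selects nothing and the script still reports a revocation. The later hunks of this same commit add `until` loops for DNS, cipher and key sizes; the same treatment fits here, replacing the `if`/`else` pair of reads with `until [[ "$CLIENTNUMBER" =~ ^[0-9]+$ ]] && (( CLIENTNUMBER >= 1 && CLIENTNUMBER <= NUMBEROFCLIENTS )); do read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER; done`. `NUMBEROFCLIENTS` is assigned above the hunk, and `$CLIENT` should be quoted when passed to easyrsa.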
@@ -148,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 ;;
 3)
 echo ""
- read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
+ read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 if [[ "$REMOVE" = 'y' ]]; then
 PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
 if pgrep firewalld; then
@@ -206,6 +222,7 @@ else
 clear
 echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
 echo ""
+
 # OpenVPN setup and first user creation
 echo "I need to ask you a few questions before starting the setup"
 echo "You can leave the default options and just press enter if you are ok with them"
@@ -213,23 +230,25 @@ else echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)" echo "Otherwise, it should be your public IPv4 address." + # Autodetect IP address and pre-fill for the user IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) - read -p "IP address: " -e -i $IP IP + read -rp "IP address: " -e -i $IP IP echo "" echo "What port do you want for OpenVPN?" - read -p "Port: " -e -i 1194 PORT + read -rp "Port: " -e -i 1194 PORT + # If $IP is a private IP address, the server must be behind NAT if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then echo "" echo "This server is behind NAT. What is the public IPv4 address or hostname?" - read -p "Public IP address / hostname: " -e PUBLICIP + read -rp "Public IP address / hostname: " -e PUBLICIP fi echo "" echo "What protocol do you want for OpenVPN?" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" - while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do - read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL + until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do + read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL done echo "" echo "What DNS do you want to use with the VPN?" 
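Review bot: `read -rp "IP address: " -e -i $IP IP` leaves `$IP` unquoted in the `-i` default, so when the autodetect pipeline above finds no address the command degrades to `read -rp "IP address: " -e -i IP`: the literal `IP` becomes the default text, the answer is stored in `REPLY`, and `$IP` stays empty for the rest of the setup. Quote it, `read -rp "IP address: " -e -i "$IP" IP`, and consider looping while `$IP` is empty, as the protocol prompt below already does with `until`. `PUBLICIP` is likewise accepted as free text with no check although it later replaces `IP` in the client configuration; rejecting an empty answer there is the minimum.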
@@ -242,8 +261,8 @@ else echo " 7) Google (Anycast: worldwide)" echo " 8) Yandex Basic (Russia)" echo " 9) AdGuard DNS (Russia)" - while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do - read -p "DNS [1-9]: " -e -i 1 DNS + until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do + read -rp "DNS [1-9]: " -e -i 1 DNS done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " @@ -261,8 +280,8 @@ else echo " 5) CAMELLIA-192-CBC" echo " 6) CAMELLIA-256-CBC" echo " 7) SEED-CBC" - while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do - read -p "Cipher [1-7]: " -e -i 1 CIPHER + until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do + read -rp "Cipher [1-7]: " -e -i 1 CIPHER done case $CIPHER in 1) @@ -292,8 +311,8 @@ else echo " 1) 2048 bits (fastest)" echo " 2) 3072 bits (recommended, best compromise)" echo " 3) 4096 bits (most secure)" - while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE + until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do + read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE done case $DH_KEY_SIZE in 1) @@ -311,8 +330,8 @@ else echo " 1) 2048 bits (fastest)" echo " 2) 3072 bits (recommended, best compromise)" echo " 3) 4096 bits (most secure)" - while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do - read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE + until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do + read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE done case $RSA_KEY_SIZE in 1) 
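Review bot: The new validation `[[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]` accepts `01`, `007` and similar: they pass the range test but match none of the literal-digit `case … in 1)` arms below (visible for `CIPHER`, and presumably the same for `DNS`), so the loop is escaped with no option applied. A single pattern test covers both conditions and avoids the deprecated `[ -a ]` form: `until [[ "$DNS" =~ ^[1-9]$ ]]; do`. The same construction is repeated in the CIPHER (`^[1-7]$`), DH_KEY_SIZE and RSA_KEY_SIZE (`^[1-3]$`) hunks of this commit and should be changed alike.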
@@ -329,7 +348,9 @@ else echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" - read -p "Client name: " -e -i client CLIENT + read -rp "Client name: " -e -i client CLIENT + # Remove special characters + CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r') done echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" @@ -437,8 +458,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service echo "Not doing that could cause problems between dependencies, or missing files in repositories." echo "" echo "Continuing will update your installed packages and install needed ones." - while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do - read -p "Continue ? [y/n]: " -e -i y CONTINUE + until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do + read -rp "Continue ? [y/n]: " -e -i y CONTINUE done if [[ "$CONTINUE" = "n" ]]; then echo "Ok, bye !" @@ -472,10 +493,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/EasyRSA-3.0.4.tgz - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/easy-rsa/ || return # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name - SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" + SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars # Create the PKI, set up the CA, the DH params and the server + client certificates 
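Review bot: `CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r')` expands `$CLIENT` unquoted, so an answer such as `*` is glob-expanded against the current directory before `tr` ever sees it and the client is silently named after whatever files are there (an answer of `-n` is likewise eaten by `echo`). Use `CLIENT=$(printf '%s' "$CLIENT" | tr -dc '[:alnum:]')`; with no newline in the input the `\n\r` part of the set is unnecessary. Because the filter can change what the user typed, print the final `$CLIENT` before continuing, and apply the same filter in the add-user arm earlier in the script, which this commit leaves unsanitized.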
@@ -494,11 +515,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service # Generate server.conf echo "port $PORT" > /etc/openvpn/server.conf - if [[ "$PROTOCOL" = 'UDP' ]]; then - echo "proto udp" >> /etc/openvpn/server.conf - elif [[ "$PROTOCOL" = 'TCP' ]]; then - echo "proto tcp" >> /etc/openvpn/server.conf - fi + echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf echo "dev tun user nobody group $NOGROUP @@ -519,7 +536,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf RESOLVCONF='/etc/resolv.conf' fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do + grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; @@ -556,7 +573,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; esac -echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf +echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf echo "crl-verify crl.pem ca ca.crt cert $SERVER_NAME.crt @@ -581,12 +598,16 @@ verb 3" >> /etc/openvpn/server.conf if ! grep -q "\" $SYSCTL; then echo 'net.ipv4.ip_forward=1' >> $SYSCTL fi + # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward + # Set NAT for the VPN subnet iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE + # Save persitent iptables rules iptables-save > $IPTABLES + if pgrep firewalld; then # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to 
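Review bot: The `while read -r line` loop pushes every IPv4 address found in `$RESOLVCONF` to clients, loopback ones included; on a host that runs a local stub resolver (a `nameserver 127.0.0.x` entry, which systemd-resolved and dnsmasq commonly install) clients are handed a DNS server they cannot reach through the tunnel and name resolution silently fails. Skip those entries with `[[ "$line" == 127.* ]] && continue` ahead of the `echo "push …"` and warn when nothing was pushed at all. Note also that `grep -v '#'` discards an entire `nameserver` line if it merely carries a trailing comment; `grep '^nameserver'` is the more precise filter. The `case` this arm belongs to starts before the hunk.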
@@ -601,6 +622,7 @@ verb 3" >> /etc/openvpn/server.conf firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 fi + if iptables -L -n | grep -qE 'REJECT|DROP'; then # If iptables has at least one REJECT rule, we asume this is needed. # Not the best approach but I can't think of other and this shouldn't @@ -613,8 +635,9 @@ verb 3" >> /etc/openvpn/server.conf iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # Save persitent OpenVPN rules - iptables-save > $IPTABLES + iptables-save > $IPTABLES fi + # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then @@ -631,6 +654,7 @@ verb 3" >> /etc/openvpn/server.conf fi fi fi + # And finally, restart OpenVPN if [[ "$OS" = 'debian' ]]; then # Little hack to check for systemd @@ -663,10 +687,12 @@ verb 3" >> /etc/openvpn/server.conf chkconfig openvpn on fi fi + # If the server is behind a NAT, use the correct IP address if [[ "$PUBLICIP" != "" ]]; then IP=$PUBLICIP fi + # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt if [[ "$PROTOCOL" = 'UDP' ]]; then From 1c7e06ed07b13237a0665d960a1e0592ba2a4105 Mon Sep 17 00:00:00 2001 From: Sam Mingo Date: Sat, 11 Aug 2018 16:33:07 -0400 Subject: [PATCH 20/22] Update README.md (#268) Fixed typos + phrasing --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 21b1a3f..0a2a5cf 100644 --- a/README.md +++ b/README.md 
@@ -40,11 +40,11 @@ When OpenVPN is installed, you can run the script again, and you will get the ch This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install). -I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are unsecure. See [#encryption](#encryption). +I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption). Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork. -The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibilty](#compatibility). +The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility). 
On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client. @@ -186,7 +186,7 @@ The [SWEET32 vulnerability page](https://community.openvpn.net/openvpn/wiki/SWEE Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted. -As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an exemple about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477). +As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an example about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477). Currently AES is only available in its CBC mode, which is weaker than GCM. 
@@ -214,7 +214,7 @@ Thus, the best data channel cipher currently available in OpenVPN is `AES-128-CB ### Control channel's cipher -According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is unsecure. +According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is insecure. > The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3: - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 
@@ -230,7 +230,7 @@ Thus, I have chosen `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` as the control channel OpenVPN uses a 2048 bits DH key [by default](https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example#L97). -2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommened today, but 3072 bits is still good. +2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommended today, but 3072 bits is still good. In OpenVPN 2.4, we will be able to use ECDH key. It uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure. From df172b962d40483d9d950bf988e9fef62ea62ad5 Mon Sep 17 00:00:00 2001 From: Jebtrix Date: Sat, 18 Aug 2018 09:57:24 -0400 Subject: [PATCH 21/22] Add option to generate random port in private port range (#229) --- openvpn-install.sh | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 046b319..df5b77d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -236,7 +236,27 @@ else read -rp "IP address: " -e -i $IP IP echo "" echo "What port do you want for OpenVPN?" - read -rp "Port: " -e -i 1194 PORT + echo " 1) Default: 1194" + echo " 2) Custom" + echo " 3) Random [49152-65535]" + until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do + read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE + done + case $PORT_CHOICE in + 1) + PORT="1194" + ;; + 2) + until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do + read -p "Custom port [1-65535]: " -e -i 1194 PORT + done + ;; + 3) + # Generate random number within private ports range + PORT=$(shuf -i49152-65535 -n1) + echo "Random Port: $PORT" + ;; + esac # If $IP is a private IP address, the server must be behind NAT if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then From a0267c994dbe42e543f9e085dedc35587e89cafd Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 18 Aug 2018 16:08:32 +0200 Subject: [PATCH 22/22] Fix License copyright holders --- LICENSE | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index 5b44955..1727729 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,7 @@ -The MIT License (MIT) +MIT License -Copyright (c) 2016 Nyr, Angristan +Copyright (c) 2013 Nyr +Copyright (c) 2016 Angristan (Stanislas Lange) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in
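Review bot: Both new prompts use `read -p` without `-r`, while the rest of this file was converted to `read -rp` earlier in this series (see `read -rp "IP address: "` two lines above); change them to `read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE` and `read -rp "Custom port [1-65535]: " -e -i 1194 PORT`. The custom-port check `[ "$PORT" -ge 1 -a "$PORT" -le 65535 ]` uses the deprecated `-a`; `(( PORT >= 1 && PORT <= 65535 ))` says the same thing. Neither the custom nor the random choice verifies that the port is free, so a `shuf` draw that collides with a listening service is only noticed when OpenVPN fails to start; something like `ss -ltun | grep -q ":$PORT "` with a re-draw on a hit would catch that at prompt time.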