From 4fa0544c723d6a8e08254737f477b59220ef6d55 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 12:35:18 +0200 Subject: [PATCH 01/21] Initial commit for OpenVPN 2.4 support - Add support for AES-GCM ciphers for the data channel - Add support for tls-crypt - Add support for ECDSA certificates - Add support for ECDHE - Add choice for HMAC auth algorithm - Add choice for certificate hash algorithm - Add choice for the control channel's cipher All these options have an OpenVPN 2.3-compatible choice (example : RSA cert and DH key) --- openvpn-install.sh | 322 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 246 insertions(+), 76 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3b49d31..8f7c97d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.conf' - if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then + if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install a recent version of OpenVPN on your system." echo "" 
@@ -75,10 +75,17 @@ newclient () { echo "" >> $homeDir/$1.ovpn cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn echo "" >> $homeDir/$1.ovpn - echo "key-direction 1" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn + #We verify if we used tls-crypt or tls-auth during the installation + TLS_SIG=$(cat /etc/openvpn/TLS_SIG) + if [[ $TLS_SIG == "1" ]]; then + cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn + echo "" >> ~/$1.ovpn + elif [[ $TLS_SIG == "2" ]]; then + echo "key-direction 1" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + fi } # Try to get our IP from the system and fallback to the Internet. @@ -212,8 +219,10 @@ else echo "" echo "What protocol do you want for OpenVPN?" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" - while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do - read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL + echo " 1) UDP (recommended)" + echo " 2) TCP" + while [[ $PROTOCOL != "1" && $PROTOCOL != "2" ]]; do + read -p "Protocol [1-2]: " -e -i 1 PROTOCOL done echo "" echo "What DNS do you want to use with the VPN?" 
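Review bot: In the new tls-crypt branch the key is appended to `~/$1.ovpn`, while every other line of the profile goes to `$homeDir/$1.ovpn`, so whenever `homeDir` is not the invoking user's home (the usual sudo case) the tls-crypt key lands in a different file and the generated profile has no key at all. Use `$homeDir/$1.ovpn` in the `cat` and `echo` lines of that branch; the `echo "" >> ~/$1.ovpn` added by PATCH 02 has the same mismatch. `TLS_SIG=$(cat /etc/openvpn/TLS_SIG)` also has no fallback: on a server set up by an earlier version of this script the marker file does not exist, `TLS_SIG` is empty, neither branch runs and the profile is silently written without a tls-auth/tls-crypt key, so a default for the missing file (or an explicit error) would be safer. newclient's body starts before this hunk.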
@@ -229,83 +238,215 @@ else echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " echo "the encryption in OpenVPN and the choices I made in this script." - echo "Please note that all the choices proposed are secure (to a different degree)" - echo "and are still viable to date, unlike some default OpenVPN options" + echo "Please note that all the choices proposed are secure enough considering today's strandards," + echo "unlike some default OpenVPN options" echo '' echo "Choose which cipher you want to use for the data channel:" - echo " 1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)" - echo " 2) AES-192-CBC" - echo " 3) AES-256-CBC" - echo "Alternatives to AES, use them only if you know what you're doing." - echo "They are relatively slower but as secure as AES." - echo " 4) CAMELLIA-128-CBC" - echo " 5) CAMELLIA-192-CBC" - echo " 6) CAMELLIA-256-CBC" - echo " 7) SEED-CBC" - while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do + echo "" + echo " 1) AES-128-GCM (recommended)" + echo " 2) AES-192-GCM" + echo " 3) AES-256-GCM" + echo "Only use AES-CBC for OpenVPN 2.3 compatibilty" + echo " 4) AES-128-CBC" + echo " 5) AES-192-CBC" + echo " 6) AES-256-CBC" + while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do read -p "Cipher [1-7]: " -e -i 1 CIPHER done case $CIPHER in 1) - CIPHER="cipher AES-128-CBC" + CIPHER="cipher AES-128-GCM" ;; 2) - CIPHER="cipher AES-192-CBC" + CIPHER="cipher AES-192-GCM" ;; 3) - CIPHER="cipher AES-256-CBC" + CIPHER="cipher AES-256-GCM" ;; 4) - CIPHER="cipher CAMELLIA-128-CBC" + CIPHER="cipher AES-128-CBC" ;; 5) - CIPHER="cipher CAMELLIA-192-CBC" + CIPHER="cipher AES-192-CBC" ;; 6) - CIPHER="cipher CAMELLIA-256-CBC" - ;; - 7) - CIPHER="cipher SEED-CBC" + CIPHER="cipher AES-256-CBC" ;; esac echo "" - echo "Choose what size of 
Diffie-Hellman key you want to use:" - echo " 1) 2048 bits (fastest)" - echo " 2) 3072 bits (recommended, best compromise)" - echo " 3) 4096 bits (most secure)" - while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE + echo "Choose what kind of Diffie-Hellman key you want to use." + echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure." + echo "Use DH for OpenVPN 2.3 compatibilty" + echo " 1) ECDH (recommended)" + echo " 2) DH" + while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do + read -p "DH key size [1-2]: " -e -i 1 DH_TYPE done - case $DH_KEY_SIZE in + case $DH_TYPE in 1) - DH_KEY_SIZE="2048" + echo "Choose which curve you want to use" + echo " 1) secp256r1" + echo " 2) secp384r1 (recommended)" + echo " 3) secp521r1" + while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do + read -p "ECDH [1-3]: " -e -i 2 DH_CURVE + done + case $DH_CURVE in + 1) + DH_CURVE="secp256r1" + ;; + 2) + DH_CURVE="secp384r1" + ;; + 3) + DH_CURVE"secp521r1" + ;; + esac ;; 2) - DH_KEY_SIZE="3072" - ;; - 3) - DH_KEY_SIZE="4096" + echo "Choose which DH key size do you want to use" + echo " 1) 2048 bits" + echo " 2) 3072 bits (recommended)" + echo " 3) 4096 bits" + while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do + read -p "DH key size [1-3]: " -e -i 2 DH_SIZE + done + case $DH_SIZE in + 1) + DH_SIZE="2048" + ;; + 2) + DH_SIZE="3072" + ;; + 3) + DH_SIZE"4096" + ;; + esac ;; esac echo "" - echo "Choose what size of RSA key you want to use:" - echo " 1) 2048 bits (fastest)" - echo " 2) 3072 bits (recommended, best compromise)" - echo " 3) 4096 bits (most secure)" - while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE + echo "Choose what kind Certificate key you want to use." + echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure." 
+ echo "Use RSA for OpenVPN 2.3 compatibilty" + echo " 1) ECDSA (recommended)" + echo " 2) RSA" + while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do + read -p "Certificate key [1-2]: " -e -i 1 CERT_TYPE done - case $RSA_KEY_SIZE in + case $CERT_TYPE in 1) - RSA_KEY_SIZE="2048" + echo "Choose which curve you want to use:" + echo " 1) secp256r1" + echo " 2) secp384r1 (recommended)" + echo " 3) secp521r1" + while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do + read -p "ECDH [1-3]: " -e -i 2 CERT_CURVE + done + case $CERT_CURVE in + 1) + CERT_CURVE="secp256r1" + ;; + 2) + CERT_CURVE="secp384r1" + ;; + 3) + CERT_CURVE"secp521r1" + ;; + esac ;; 2) - RSA_KEY_SIZE="3072" - ;; - 3) - RSA_KEY_SIZE="4096" + echo "Choose which RSA key size do you want to use:" + echo " 1) 2048 bits" + echo " 2) 3072 bits (recommended)" + echo " 3) 4096 bits" + while [[ $RSA_SIZE != "1" && $RSA_SIZE != "2" && $RSA_SIZE != "3" ]]; do + read -p "DH key size [1-3]: " -e -i 2 RSA_SIZE + done + case $RSA_SIZE in + 1) + RSA_SIZE="2048" + ;; + 2) + RSA_SIZE="3072" + ;; + 3) + RSA_SIZE"4096" + ;; + esac ;; esac + echo "Choose which hash algorithm you want to use for the certificate:" + echo " 1) SHA-256" + echo " 2) SHA-384 (recommended)" + echo " 3) SHA-512" + while [[ $CERT_HASH != "1" && $CERT_HASH != "2" ]]; do + read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH + done + case $CERT_HASH in + 1) + CERT_HASH="sha256" + ;; + 2) + CERT_HASH="sha384" + ;; + 3) + CERT_HASH="sha512" + ;; + esac + echo "Which cipher to use for the control channel ?" 
+ if [[ "$CERT_TYPE" = '1' ]]; then + echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)" + echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256" + while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do + read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC + done + case $CC_ENC in + 1) + CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" + ;; + 2) + CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" + ;; + esac + elif [[ "$CERT_TYPE" = '2' ]]; then + echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)" + echo " 2) ECDHE-RSA-AES-128-GCM-SHA256" + while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do + read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC + done + case $CC_ENC in + 1) + CC_ENC="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" + ;; + 2) + CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" + ;; + esac + fi + echo "Choose which HMAC authentication algorithm you want to use" + echo " 1) SHA-256" + echo " 2) SHA-384 (recommended)" + echo " 3) SHA-512" + while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" ]]; do + read -p "HMAC authentication algorithmHMAC_AUTH [1-3]: " -e -i 2 HMAC_AUTH + done + case $HMAC_AUTH in + 1) + HMAC_AUTH="sha256" + ;; + 2) + HMAC_AUTH="sha384" + ;; + 3) + HMAC_AUTH="sha512" + ;; + esac + echo "tls crypt or tls auth" + echo " 1) tls-crypt (recommended)" + echo " 2) tls-auth (use only for openvpn 2.3 compat)" + while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do + read -p "tls sig [1-2]: " -e -i 1 TLS_SIG + done echo "" echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do @@ -392,6 +533,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service systemctl start iptables fi fi + + #To remember if we use tls-crypt or tls-auth when generating a new client conf + echo $TLS_SIG > /etc/openvpn/TLS_SIG + # Find out if the machine uses nogroup or nobody for the permissionless group if grep -qs "^nogroup:" /etc/group; then NOGROUP=nogroup 
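Review bot: The RSA key-size prompt inside the `CERT_TYPE` case still reads `DH key size [1-3]`, so the user is asked for a DH size while `RSA_SIZE` is being set; `read -p "RSA key size [1-3]: " -e -i 2 RSA_SIZE` matches the menu printed just above it. The `DH_TYPE` prompt is labelled `DH key size [1-2]` although it selects ECDH versus DH, not a size. The three-curve menu and its `case` are written out twice, once for `DH_CURVE` and once for `CERT_CURVE`, with identical options; a small helper that takes the variable name would keep the two lists from drifting apart. The enclosing `else` branch starts before this hunk and continues after it.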
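Review bot: `echo $TLS_SIG > /etc/openvpn/TLS_SIG` persists the raw menu number, so the meaning of the marker file depends on the menu order never changing; writing the directive name itself (`tls-crypt` or `tls-auth`) would make the marker self-describing for `newclient`, which reads it back. Quote the expansion as well, `echo "$TLS_SIG" > /etc/openvpn/TLS_SIG`, to match how the rest of the script should treat menu-derived values. The enclosing installation branch continues outside the hunk.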
@@ -411,27 +556,43 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service chown -R root:root /etc/openvpn/easy-rsa/ rm -rf ~/EasyRSA-3.0.3.tgz cd /etc/openvpn/easy-rsa/ - echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars + if [[ $CERT_TYPE == "1" ]]; then + echo "set_var EASYRSA_ALGO ec +set_var EASYRSA_CURVE $CERT_CURVE" > vars + elif [[ $CERT_TYPE == "2" ]]; then + echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars + fi + echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars # Create the PKI, set up the CA, the DH params and the server + client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass - openssl dhparam -out dh.pem $DH_KEY_SIZE + if [[ $DH_TYPE == "2" ]]; then + openssl dhparam -out dh.pem $DH_SIZE + fi ./easyrsa build-server-full server nopass ./easyrsa build-client-full $CLIENT nopass ./easyrsa gen-crl - # generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key + if [[ $TLS_SIG == "1" ]]; then + # Generate tls-crypt key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key + elif [[ $TLS_SIG == "2" ]]; then + # Generate tls-auth key + openvpn --genkey --secret /etc/openvpn/tls-auth.key + fi # Move all the generated files - cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn + cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn + if [[ $DH_TYPE == "2" ]]; then + cp dh.pem /etc/openvpn + fi # Make cert revocation list readable for non-root chmod 644 /etc/openvpn/crl.pem # Generate server.conf echo "local $IP" > /etc/openvpn/server.conf echo "port $PORT" >> /etc/openvpn/server.conf - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then echo "proto udp" >> /etc/openvpn/server.conf - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then echo "proto tcp" >> /etc/openvpn/server.conf fi echo "dev tun 
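Review bot: The `vars` writing mixes two quoting styles: `echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars` is hard to read and leaves `$CERT_HASH` unquoted, while `echo "set_var EASYRSA_DIGEST \"$CERT_HASH\"" >> vars` produces the same file and is clearer. `$DH_SIZE` and `$CERT_CURVE` in the new lines should be double-quoted too, even though the menus constrain their values. The tls-crypt key generated here is the one `newclient` copies into every client profile, so a short comment such as `# shared by all client profiles; revoking a client does not rotate it` next to the `openvpn --genkey` call would make that property explicit to the next maintainer. The enclosing branch starts before this hunk.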
@@ -476,14 +637,23 @@ echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo "crl-verify crl.pem ca ca.crt cert server.crt -key server.key -tls-auth tls-auth.key 0 -dh dh.pem -auth SHA256 +key server.key" >> /etc/openvpn/server.conf +if [[ $TLS_SIG == "1" ]]; then + echo "tls-auth tls-crypt.key 0" >> /etc/openvpn/server.conf +elif [[ $TLS_SIG == "2" ]]; then + echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf +fi +if [[ $DH_TYPE == "1" ]]; then + echo "dh none +ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf +elif [[ $DH_TYPE == "2" ]]; then + echo "dh dh.pem" >> /etc/openvpn/server.conf +fi +echo "auth $HMAC_AUTH $CIPHER tls-server tls-version-min 1.2 -tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +tls-cipher $CC_ENC status openvpn.log verb 3" >> /etc/openvpn/server.conf @@ -512,10 +682,10 @@ verb 3" >> /etc/openvpn/server.conf # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to # avoid a firewalld reload. - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then firewall-cmd --zone=public --add-port=$PORT/udp firewall-cmd --permanent --zone=public --add-port=$PORT/udp - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then firewall-cmd --zone=public --add-port=$PORT/tcp firewall-cmd --permanent --zone=public --add-port=$PORT/tcp fi 
@@ -526,16 +696,16 @@ verb 3" >> /etc/openvpn/server.conf # If iptables has at least one REJECT rule, we asume this is needed. # Not the best approach but I can't think of other and this shouldn't # cause problems. - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then iptables -I INPUT -p udp --dport $PORT -j ACCEPT - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then iptables -I INPUT -p tcp --dport $PORT -j ACCEPT fi iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL fi sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL @@ -549,9 +719,9 @@ verb 3" >> /etc/openvpn/server.conf if ! hash semanage 2>/dev/null; then yum install policycoreutils-python -y fi - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then semanage port -a -t openvpn_port_t -p udp $PORT - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then semanage port -a -t openvpn_port_t -p tcp $PORT fi fi @@ -609,9 +779,9 @@ verb 3" >> /etc/openvpn/server.conf fi # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then echo "proto udp" >> /etc/openvpn/client-template.txt - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then echo "proto tcp-client" >> /etc/openvpn/client-template.txt fi echo "remote $IP $PORT 
@@ -621,11 +791,11 @@ nobind persist-key persist-tun remote-cert-tls server -auth SHA256 +auth $HMAC_AUTH $CIPHER tls-client tls-version-min 1.2 -tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +tls-cipher $CC_ENC setenv opt block-outside-dns verb 3" >> /etc/openvpn/client-template.txt From 7d56181699a4d4e67835b5b2265e462b98191a7c Mon Sep 17 00:00:00 2001 From: hybtoy Date: Thu, 14 Sep 2017 16:37:57 +0500 Subject: [PATCH 02/21] Update openvpn-install.sh --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 8f7c97d..95c01dc 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -78,6 +78,7 @@ newclient () { #We verify if we used tls-crypt or tls-auth during the installation TLS_SIG=$(cat /etc/openvpn/TLS_SIG) if [[ $TLS_SIG == "1" ]]; then + echo "" >> ~/$1.ovpn cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn echo "" >> ~/$1.ovpn elif [[ $TLS_SIG == "2" ]]; then From d5b5129f086f16de44e8d58f261672f2452289b1 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:09:47 +0200 Subject: [PATCH 03/21] Fix HMAC auth alg menu --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 95c01dc..ead6cad 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -428,8 +428,8 @@ else echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" - while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" ]]; do - read -p "HMAC authentication algorithmHMAC_AUTH [1-3]: " -e -i 2 HMAC_AUTH + while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" ]]; do + read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH done case $HMAC_AUTH in 1) From 7322a711ec2cc86bbb8e88a0f9e469534eae53e8 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:11:16 +0200 Subject: [PATCH 04/21] Fix cert hash alg menu --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/openvpn-install.sh b/openvpn-install.sh index ead6cad..ad386ac 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -380,7 +380,7 @@ else echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" - while [[ $CERT_HASH != "1" && $CERT_HASH != "2" ]]; do + while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3"]]; do read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH done case $CERT_HASH in From 2171003bda786cf43aa220eb3f6a456b57f6a78f Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:12:25 +0200 Subject: [PATCH 05/21] Fix variables --- openvpn-install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index ad386ac..d311edc 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -300,7 +300,7 @@ else DH_CURVE="secp384r1" ;; 3) - DH_CURVE"secp521r1" + DH_CURVE="secp521r1" ;; esac ;; @@ -320,7 +320,7 @@ else DH_SIZE="3072" ;; 3) - DH_SIZE"4096" + DH_SIZE="4096" ;; esac ;; @@ -351,7 +351,7 @@ else CERT_CURVE="secp384r1" ;; 3) - CERT_CURVE"secp521r1" + CERT_CURVE="secp521r1" ;; esac ;; @@ -371,7 +371,7 @@ else RSA_SIZE="3072" ;; 3) - RSA_SIZE"4096" + RSA_SIZE="4096" ;; esac ;; From 8c61a1afbac09fb0e34921f93879660953c4bf54 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:19:12 +0200 Subject: [PATCH 06/21] Fix while condition --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d311edc..f6e14d7 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -380,7 +380,7 @@ else echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" - while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3"]]; do + while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH done case $CERT_HASH in From d5e8a69426574facb6ecd6dadee8aba1e66a4620 Mon Sep 17 00:00:00 2001 
From: Angristan Date: Sat, 16 Sep 2017 20:59:31 +0200 Subject: [PATCH 07/21] Fix tls-crypt --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index f6e14d7..924685d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -640,7 +640,7 @@ ca ca.crt cert server.crt key server.key" >> /etc/openvpn/server.conf if [[ $TLS_SIG == "1" ]]; then - echo "tls-auth tls-crypt.key 0" >> /etc/openvpn/server.conf + echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf elif [[ $TLS_SIG == "2" ]]; then echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf fi From 4ec6e24e8153b76ec44ded55644efe41ce30f495 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 11:11:08 +0200 Subject: [PATCH 08/21] More precision concerning the use of "auth" From the OpenVPN wiki: >Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. >If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. Tl;DR: if we're using an AEAD cipher (AES GCM), `auth alg` won't have inpact on the impact channel, but only on the control channel if tls-auth/tls-crypt is enabled. --- openvpn-install.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 924685d..0d92834 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
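Review bot: `tls-crypt tls-crypt.key 0` keeps the trailing `0` from the tls-auth form, but tls-crypt keys are bidirectional and the directive takes only the key file: `echo "tls-crypt tls-crypt.key" >> /etc/openvpn/server.conf`. OpenVPN 2.4 may accept the extra argument silently, but a reader will take the `0` for a key direction that does not exist for tls-crypt. The `if` block that this line belongs to starts before the hunk.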
@@ -424,7 +424,13 @@ else ;; esac fi - echo "Choose which HMAC authentication algorithm you want to use" + if [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" ]]; then + echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:" + fi + if [[ $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; then + echo "Choose which message digest algorithm you want to use for the data channel packets" + echo "and the tls-auth/tls-crypt control channel packets:" + fi echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" From 57d5b6329f3dfe03a6a76addd291455812b50ef7 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 11:16:24 +0200 Subject: [PATCH 09/21] Fix case Doesn't have any impact, but that's how it should be. --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0d92834..a17058a 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -439,13 +439,13 @@ else done case $HMAC_AUTH in 1) - HMAC_AUTH="sha256" + HMAC_AUTH="SHA256" ;; 2) - HMAC_AUTH="sha384" + HMAC_AUTH="SHA384" ;; 3) - HMAC_AUTH="sha512" + HMAC_AUTH="SHA512" ;; esac echo "tls crypt or tls auth" From ff10bd83e67ac6aa8158417b395191e781d1a45c Mon Sep 17 00:00:00 2001 
From: Angristan Date: Sun, 17 Sep 2017 12:19:59 +0200 Subject: [PATCH 10/21] Disable cipher negotiation for 2.4 clients This seems like a little change but it was not easy to find. I want this script to support only OpenVPN 2.4 servers, but also 2.4 and 2.3 clients. The thing is, the OpenVPN 2.3 client doesn't care at all what cipher the server wants to use. The cipher parameter in the client config is the king here. But with OpenVPN 2.4, you can specify whatever cipher you want, the clients and the server will negotiate the best cipher possible, which is AES-256-GCM right now. The use of --ncp-ciphers cipher_list is useless because a 2.3 client will still use its cipher and a 2.4 client will still use AES-256-GCM. I won't detail all my experiments here, but in the end, ncp-disable disables the cipher negotiation for 2.4 clients. But it will only work if the cipher in the server config and the client config are the same, and as they are in the script, it's ok. This is not the best solution because that means if you want to support a 2.3 client, you'll be forced to use one and only one AES-CBC cipher, even with your 2.4 clients, even though you could use a different cipher for each client. But as we're still using AES and OpenVPN 2.4 getting more and more deployed, this is not a too big issue in the end. Also adding menus to choose what kind of client you want etc would make the script pretty complicated, so this is a good compromise here. TL;DR: ncp-disable forces an OpenVPN 2.4 client to use the specified cipher in the server and the client config. See here for more details regarding the data channel cipher negotiation in OpenVPN 2.4 : https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAJ --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index a17058a..9e479b5 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh
@@ -658,6 +658,7 @@ elif [[ $DH_TYPE == "2" ]]; then fi echo "auth $HMAC_AUTH $CIPHER +ncp-disable tls-server tls-version-min 1.2 tls-cipher $CC_ENC From 75969182043a65dda4d2f1d452db9fa64e8c9480 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 15:36:11 +0200 Subject: [PATCH 11/21] Update openvpn-install.sh Fix https://github.com/Angristan/OpenVPN-install/commit/4ec6e24e8153b76ec44ded55644efe41ce30f495 --- openvpn-install.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9e479b5..3702ab4 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -424,10 +424,9 @@ else ;; esac fi - if [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" ]]; then + if [[ $CIPHER = "1" && $CIPHER = "2" && $CIPHER = "3" ]]; then echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:" - fi - if [[ $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; then + elif [[ $CIPHER = "4" && $CIPHER = "5" && $CIPHER = "6" ]]; then echo "Choose which message digest algorithm you want to use for the data channel packets" echo "and the tls-auth/tls-crypt control channel packets:" fi From 9f7663303fb8412ff16cb72ca296ea67bfe3dee1 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 15:46:47 +0200 Subject: [PATCH 12/21] Fix if --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3702ab4..3e881db 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
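Review bot: `ncp-disable` is added to the generated server.conf without any explanation, and the rationale in the commit message (pin 2.4 clients to the single configured cipher so that 2.3 and 2.4 clients share one data-channel cipher) will not be visible to whoever later edits the generated file. A `#` line inside the quoted `echo` string is emitted into server.conf, where OpenVPN treats it as a comment, so `# ncp-disable: keep 2.4 clients on the cipher above (2.3 clients cannot negotiate)` placed just before the directive would carry it. Note that disabling negotiation also forgoes the automatic upgrade to AES-256-GCM when a CBC cipher is picked, so the data-channel menu choice becomes the security-relevant one. The quoted string this line sits in starts before the hunk.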
@@ -424,9 +424,9 @@ else ;; esac fi - if [[ $CIPHER = "1" && $CIPHER = "2" && $CIPHER = "3" ]]; then + if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:" - elif [[ $CIPHER = "4" && $CIPHER = "5" && $CIPHER = "6" ]]; then + elif [[ $CIPHER = "cipher AES-256-CBC" ]] || [[ $CIPHER = "cipher AES-192-CBC" ]] || [[ $CIPHER = "cipher AES-128-CBC" ]]; then echo "Choose which message digest algorithm you want to use for the data channel packets" echo "and the tls-auth/tls-crypt control channel packets:" fi From a6e2481f50b4b13b97f992b80a3d7c34893e0f80 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 17:34:13 +0200 Subject: [PATCH 13/21] Add 2.4 repo for Ubuntu 16.04 + some cleanup --- openvpn-install.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3e881db..a25d83f 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
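Review bot: The two conditions spell out all six cipher strings; since `CIPHER` has already been rewritten to `cipher AES-xxx-GCM` or `cipher AES-xxx-CBC` by the `case` above, `if [[ $CIPHER == *-GCM ]]; then … else … fi` covers the same cases in one line each and will not silently print nothing if a seventh cipher is added later. The GCM-branch message says the digest applies to "tls-auth/tls-crypt control channel packets"; as far as I recall, tls-crypt in 2.4 uses a fixed HMAC-SHA256 and only tls-auth honours `--auth`, so `for the tls-auth control channel packets (tls-crypt uses its own fixed digest)` would be more accurate — worth confirming against the 2.4 manual before changing the text. The enclosing `else` branch is outside this hunk.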
@@ -471,27 +471,30 @@ else echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update - fi # Debian 8 - if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then + elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt update - fi # Ubuntu 12.04 - if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then + elif [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update - fi # Ubuntu 14.04 - if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then + elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update + # Ubuntu 16.04 + elif [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + apt-get update fi - # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository. + # Ubuntu >= 17.04 and Debian > 9 have OpenVPN 2.4 without the need of a third party repository. # The we install OpenVPN + apt-get update apt-get install openvpn iptables openssl wget ca-certificates curl -y elif [[ "$OS" = 'centos' ]]; then yum install epel-release -y From f4b6742f3630977c8f4fe6b3e079c19cec13ee5b Mon Sep 17 00:00:00 2001 
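Review bot: The new Ubuntu 16.04 block repeats `wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -`, importing a repository signing key straight from the network into apt's trust store with nothing checked beyond the TLS connection; now that five branches do this, fetching the key once into a temporary file and comparing its fingerprint (`gpg --with-fingerprint`) against a value pinned in the script before `apt-key add` would turn an unverified import into a verifiable one, and a comment should record which fingerprint is expected. The updated comment says `Debian > 9`, but Debian 9 is not matched by any `elif` and so is routed to the distro package; `Debian >= 9` describes the code. The `if` chain these `elif`s belong to begins before the hunk.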
From: Angristan Date: Sun, 17 Sep 2017 17:40:32 +0200 Subject: [PATCH 14/21] Make some space --- openvpn-install.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a25d83f..a350471 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -243,7 +243,6 @@ else echo "unlike some default OpenVPN options" echo '' echo "Choose which cipher you want to use for the data channel:" - echo "" echo " 1) AES-128-GCM (recommended)" echo " 2) AES-192-GCM" echo " 3) AES-256-GCM" @@ -285,6 +284,7 @@ else done case $DH_TYPE in 1) + echo "" echo "Choose which curve you want to use" echo " 1) secp256r1" echo " 2) secp384r1 (recommended)" @@ -305,7 +305,8 @@ else esac ;; 2) - echo "Choose which DH key size do you want to use" + echo"" + echo "Choose which DH key size do you want to use" echo " 1) 2048 bits" echo " 2) 3072 bits (recommended)" echo " 3) 4096 bits" @@ -336,6 +337,7 @@ else done case $CERT_TYPE in 1) + echo "" echo "Choose which curve you want to use:" echo " 1) secp256r1" echo " 2) secp384r1 (recommended)" @@ -356,7 +358,8 @@ else esac ;; 2) - echo "Choose which RSA key size do you want to use:" + echo "" + echo "Choose which RSA key size do you want to use:" echo " 1) 2048 bits" echo " 2) 3072 bits (recommended)" echo " 3) 4096 bits" @@ -376,6 +379,7 @@ else esac ;; esac + echo "" echo "Choose which hash algorithm you want to use for the certificate:" echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" @@ -394,6 +398,7 @@ else CERT_HASH="sha512" ;; esac + echo "" echo "Which cipher to use for the control channel ?" if [[ "$CERT_TYPE" = '1' ]]; then echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)" 
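Review bot: `echo""` (no space) in the `DH_SIZE` branch at `@@ -305`, and again before the digest prompt at `@@ -424` on the next line, parses as a bare `echo` and happens to print the intended blank line, but it reads like a typo next to the surrounding `echo ""` calls. Write `echo ""` in both places so the spacing lines look like the rest of the menu code.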
@@ -424,6 +429,7 @@ else ;; esac fi + echo"" if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:" elif [[ $CIPHER = "cipher AES-256-CBC" ]] || [[ $CIPHER = "cipher AES-192-CBC" ]] || [[ $CIPHER = "cipher AES-128-CBC" ]]; then @@ -447,6 +453,7 @@ else HMAC_AUTH="SHA512" ;; esac + echo "" echo "tls crypt or tls auth" echo " 1) tls-crypt (recommended)" echo " 2) tls-auth (use only for openvpn 2.3 compat)" From f6eecf3dcbefb86a1cb5930718e2f03132617ec0 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 18:09:52 +0200 Subject: [PATCH 15/21] Cleanup and rewrites --- openvpn-install.sh | 154 +++++++++++++++++++++++---------------------- 1 file changed, 79 insertions(+), 75 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a350471..a01acf4 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -238,10 +238,12 @@ else done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " - echo "the encryption in OpenVPN and the choices I made in this script." - echo "Please note that all the choices proposed are secure enough considering today's strandards," - echo "unlike some default OpenVPN options" - echo '' + echo "the encryption in OpenVPN and the choices proposed in this script." + echo "Please note that all the choices proposed are secure enough considering today's strandards, unlike some default OpenVPN options" + echo "You can just type "enter" if you don't know what to choose." + echo "Note that if you want to use an OpenVPN 2.3 client, You'll have to choose OpenVPN 2.3-compatible options." + echo "All OpenVPN 2.3-compatible choices are specified for each following option." + echo "" echo "Choose which cipher you want to use for the data channel:" echo " 1) AES-128-GCM (recommended)" echo " 2) AES-192-GCM" 
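Review bot: `echo "You can just type "enter" if you don't know what to choose."` closes the string before `enter` and reopens it after, so the shell strips the quotes and the line prints `type enter if`; escape them, `echo "You can just type \"enter\" if you don't know what to choose."`. The rewritten line above it still carries the `strandards` typo from the earlier message, and `You'll` mid-sentence on the next line should be lower case. The `else` branch enclosing this menu starts before the hunk.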
@@ -251,7 +253,7 @@ else
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do
- read -p "Cipher [1-7]: " -e -i 1 CIPHER
+ read -p "Data channel cipher [1-6]: " -e -i 1 CIPHER
done
case $CIPHER in
1)
@@ -274,76 +276,23 @@ else
;;
esac
echo ""
- echo "Choose what kind of Diffie-Hellman key you want to use."
- echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
- echo "Use DH for OpenVPN 2.3 compatibilty"
- echo " 1) ECDH (recommended)"
- echo " 2) DH"
- while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
- read -p "DH key size [1-2]: " -e -i 1 DH_TYPE
- done
- case $DH_TYPE in
- 1)
- echo ""
- echo "Choose which curve you want to use"
- echo " 1) secp256r1"
- echo " 2) secp384r1 (recommended)"
- echo " 3) secp521r1"
- while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
- read -p "ECDH [1-3]: " -e -i 2 DH_CURVE
- done
- case $DH_CURVE in
- 1)
- DH_CURVE="secp256r1"
- ;;
- 2)
- DH_CURVE="secp384r1"
- ;;
- 3)
- DH_CURVE="secp521r1"
- ;;
- esac
- ;;
- 2)
- echo""
- echo "Choose which DH key size do you want to use"
- echo " 1) 2048 bits"
- echo " 2) 3072 bits (recommended)"
- echo " 3) 4096 bits"
- while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
- read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
- done
- case $DH_SIZE in
- 1)
- DH_SIZE="2048"
- ;;
- 2)
- DH_SIZE="3072"
- ;;
- 3)
- DH_SIZE="4096"
- ;;
- esac
- ;;
- esac
- echo ""
- echo "Choose what kind Certificate key you want to use."
- echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
+ echo "Choose what kind of certificate you want to use:"
+ echo "Elleptic Curves keys (EC) are recommended, they're faster, lighter and more secure."
echo "Use RSA for OpenVPN 2.3 compatibilty"
echo " 1) ECDSA (recommended)"
echo " 2) RSA"
while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do
- read -p "Certificate key [1-2]: " -e -i 1 CERT_TYPE
+ read -p "Certificate type [1-2]: " -e -i 1 CERT_TYPE
done
case $CERT_TYPE in
1)
echo ""
- echo "Choose which curve you want to use:"
+ echo "Choose which curve you want to use for the EC key:"
echo " 1) secp256r1"
echo " 2) secp384r1 (recommended)"
echo " 3) secp521r1"
while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do
- read -p "ECDH [1-3]: " -e -i 2 CERT_CURVE
+ read -p "Curve [1-3]: " -e -i 2 CERT_CURVE
done
case $CERT_CURVE in
1)
@@ -359,7 +308,7 @@ else
;;
2)
echo ""
- echo "Choose which RSA key size do you want to use:"
+ echo "Choose which RSA key size you want to use:"
echo " 1) 2048 bits"
echo " 2) 3072 bits (recommended)"
echo " 3) 4096 bits"
@@ -385,7 +334,7 @@ else
echo " 2) SHA-384 (recommended)"
echo " 3) SHA-512"
while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do
- read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH
+ read -p "Hash algorithm [1-3]: " -e -i 2 CERT_HASH
done
case $CERT_HASH in
1)
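Review bot: The rewritten explanation in the `@@ -274` hunk, `Elleptic Curves keys (EC) are recommended`, misspells Elliptic and reads awkwardly; users see this text, so `echo "Elliptic Curve (EC) keys are recommended, they're faster, lighter and more secure."` is worth the fix. The kept `Use RSA for OpenVPN 2.3 compatibilty` line has the same problem, and both spellings reappear in the Diffie-Hellman block that the `@@ -399` hunk moves. The enclosing `else` block starts outside the hunk.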
@@ -399,12 +348,65 @@ else
;;
esac
echo ""
- echo "Which cipher to use for the control channel ?"
+ echo "Choose what kind of Diffie-Hellman key you want to use."
+ echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
+ echo "Use DH for OpenVPN 2.3 compatibilty"
+ echo " 1) ECDH (recommended)"
+ echo " 2) DH"
+ while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
+ read -p "DH key type [1-2]: " -e -i 1 DH_TYPE
+ done
+ case $DH_TYPE in
+ 1)
+ echo ""
+ echo "Choose which curve you want to use for the ECDH key"
+ echo " 1) secp256r1"
+ echo " 2) secp384r1 (recommended)"
+ echo " 3) secp521r1"
+ while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
+ read -p "Curve [1-3]: " -e -i 2 DH_CURVE
+ done
+ case $DH_CURVE in
+ 1)
+ DH_CURVE="secp256r1"
+ ;;
+ 2)
+ DH_CURVE="secp384r1"
+ ;;
+ 3)
+ DH_CURVE="secp521r1"
+ ;;
+ esac
+ ;;
+ 2)
+ echo""
+ echo "Choose which DH key size you want to use"
+ echo " 1) 2048 bits"
+ echo " 2) 3072 bits (recommended)"
+ echo " 3) 4096 bits"
+ while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
+ read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
+ done
+ case $DH_SIZE in
+ 1)
+ DH_SIZE="2048"
+ ;;
+ 2)
+ DH_SIZE="3072"
+ ;;
+ 3)
+ DH_SIZE="4096"
+ ;;
+ esac
+ ;;
+ esac
+ echo ""
+ echo "Choose which cipher you want to use for the control channel:"
if [[ "$CERT_TYPE" = '1' ]]; then
echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
- read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC
+ read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
@@ -418,7 +420,7 @@ else
echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
- read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC
+ read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
@@ -429,6 +431,15 @@ else
;;
esac
fi
+ echo ""
+ echo "Do you want to use tls-crypt or tls-auth?"
+ echo "They both encrypt and authenticate all control channel packets with a key."
+ echo "tls-crypt is more advanced and secure than tls-auth, but it's an OpenVPN 2.4 feature."
+ echo " 1) tls-crypt (recommended)"
+ echo " 2) tls-auth (use only for OpenVPN 2.3 client compatibility)"
+ while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
+ read -p "Crontrol channel additional security layer [1-2]: " -e -i 1 TLS_SIG
+ done
echo""
if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then
echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
@@ -454,13 +465,6 @@ else
;;
esac
echo ""
- echo "tls crypt or tls auth"
- echo " 1) tls-crypt (recommended)"
- echo " 2) tls-auth (use only for openvpn 2.3 compat)"
- while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
- read -p "tls sig [1-2]: " -e -i 1 TLS_SIG
- done
- echo ""
echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do
echo "Please, use one word only, no special characters"
From d0b1fbbe51fc31f960e3a3de71bb507c090139a3 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Sun, 17 Sep 2017 19:53:38 +0200
Subject: [PATCH 16/21] Drop Debian 7 and Ubuntu 12.04 support
Debian is oldstable and has a bug with iptables. Ubuntu 12.04 is unsupported.
---
openvpn-install.sh | 12 +----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index a01acf4..a524849 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
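Review bot: The explanation added in the `@@ -429` hunk, `They both encrypt and authenticate all control channel packets with a key.`, is inaccurate: tls-auth only adds an HMAC over control channel packets and does not encrypt them, while tls-crypt both encrypts and authenticates them; that difference is exactly why one is recommended over the other, so the line should say it, e.g. `echo "tls-auth authenticates all control channel packets with a pre-shared key; tls-crypt encrypts them as well."`. The prompt on the `read -p` line also misspells Control as `Crontrol`. The enclosing `else` block starts outside the hunk.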
@@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local'
SYSCTL='/etc/sysctl.conf'
- if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
+ if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system."
echo ""
@@ -477,21 +477,11 @@ else
if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates -y
# We add the OpenVPN repo to get the latest version.
- # Debian 7
- if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt-get update
# Debian 8
elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
- # Ubuntu 12.04
- elif [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt-get update
# Ubuntu 14.04
elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
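Review bot: Deleting the Debian 7 arm in the `@@ -477` hunk removes the `if` that opened the distribution chain, so the first surviving arm, `elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then`, now follows a comment with no open `if` and bash rejects the whole script at parse time. It should become `if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then` (the next commit in this series makes exactly that repair, so the two would be better squashed). The surrounding `if [[ "$OS" = 'debian' ]]` block continues outside the hunk.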
From d057de2309f3874f0caebb4fb3bf4c0d40a61a09 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Sun, 17 Sep 2017 19:55:44 +0200
Subject: [PATCH 17/21] Fix previous commit
---
openvpn-install.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index a524849..21872de 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -478,7 +478,7 @@ else
apt-get install ca-certificates -y
# We add the OpenVPN repo to get the latest version.
# Debian 8
- elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
+ if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
From 484b601f0270509b4c66cf1dbd9a7408ddbe3547 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Sun, 17 Sep 2017 20:23:11 +0200
Subject: [PATCH 18/21] Compatibility update
Dropped Debian 7 and Ubuntu 12.04 according to https://github.com/Angristan/OpenVPN-install/commit/d0b1fbbe51fc31f960e3a3de71bb507c090139a3 Discovered an issue with Arch Linux : https://github.com/Angristan/OpenVPN-install/issues/99
---
README.md | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 44d4f97..ac329cf 100644
--- a/README.md
+++ b/README.md
@@ -50,18 +50,22 @@ On the client-side, it's less problematic, but if you want to use an OpenVPN ser
## Compatibility
-The script is made to work on these OS and architectures :
-- **Debian 7** (i386, amd64)
-- **Debian 8** (i386, amd64)
-- **Debian 9** (i386, amd64, armhf, arm64)
-- **Ubuntu 12.04 LTS** (i386, amd64)
-- **Ubuntu 14.04 LTS** (i386, amd64)
-- **Ubuntu 16.04 LTS** (i386, amd64)
-- **Ubuntu 16.10** (i386, amd64, armhf, arm64)
-- **Ubuntu 17.04** (i386, amd64, armhf, arm64)
-- **CentOS 6** (i386, amd64)
-- **CentOS 7** (i386, amd64, arm64)
-- **Arch Linux** (i686, amd64)
+| | i386 | amd64 | armhf | arm64 |
+|:------------:|:----:|:-----:|:-----:|:-----:|
+| Debian 8 | ✔️ | ✔️ | ❌ | ❌ |
+| Debian 9 | ✔️ | ✔️ | ✔️ | ✔️ |
+| Ubuntu 14.04 | ✔️ | ✔️ | ❌ | ❌ |
+| Ubuntu 16.04 | ✔️ | ✔️ | ❌ | ❌ |
+| Ubuntu 17.04 | ✔️ | ✔️ | ✔️ | ✔️ |
+| CentOS 6 | ✔️ | ✔️ | ❔ | ❔ |
+| CentOS 7 | ✔️ | ✔️ | ✔️ | ❔ |
+| Arch Linux | ✔️ | ✔️ | ❔ | ❌[(❔)](https://github.com/Angristan/OpenVPN-install/issues/99) |
+
+- ✔️ = tested and compatible
+
+- ❔ = untested
+
+- ❌ = tested and not compatible
(It should also work on Debian unstable/testing and Ubuntu beta).
From 948b6511b71fbcf37e4730fe90911424c1b42322 Mon Sep 17 00:00:00 2001
From: hybtoy
Date: Mon, 25 Sep 2017 10:40:38 +0500
Subject: [PATCH 19/21] "local" option removal
Remove "local" option from server.conf.
---
openvpn-install.sh | 1 -
1 file changed, 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 21872de..21d10b1 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -598,7 +598,6 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
- echo "local $IP" > /etc/openvpn/server.conf
echo "port $PORT" >> /etc/openvpn/server.conf
if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
From 07de8b9feb3645f8d2ee828205e8389790b3df02 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Mon, 25 Sep 2017 17:10:06 +0200
Subject: [PATCH 20/21] Update openvpn-install.sh
---
openvpn-install.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 21d10b1..4bd0e58 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -598,7 +598,7 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
- echo "port $PORT" >> /etc/openvpn/server.conf
+ echo "port $PORT" > /etc/openvpn/server.conf
if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = '2' ]]; then
From f4e4e9659535670396debb53e1b16aac5288583b Mon Sep 17 00:00:00 2001
From: hybtoy
Date: Tue, 26 Sep 2017 15:04:34 +0500
Subject: [PATCH 21/21] Update openvpn-install.sh
Add: 1. TLS Cipher - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 2. HMAC Auth - SHA224
---
openvpn-install.sh | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4bd0e58..ba8c7af 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -419,8 +419,9 @@ else
elif [[ "$CERT_TYPE" = '2' ]]; then
echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
- while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
- read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
+ echo " 3) DHE-RSA-AES-128-GCM-SHA256"
+ while [[ $CC_ENC != "1" && $CC_ENC != "2" && $CC_ENC != "3" ]]; do
+ read -p "Control channel cipher [1-3]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
@@ -429,6 +430,9 @@ else
2)
CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
;;
+ 3)
+ CC_ENC="TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"
+ ;;
esac
fi
echo ""
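Review bot: With this line now truncating server.conf and the `local $IP` directive dropped by the preceding commit, nothing in the generated file pins the listener to one address, so OpenVPN will bind on every interface of the host; a comment recording that this is deliberate would save the next reader a search, e.g. `# No "local" directive: the server listens on all addresses; add "local <ip>" above "port" to restrict it.` The switch from `>>` to `>` itself is correct, since without `local` the old `>>` appended to any server.conf left behind by a previous run. The `# Generate server.conf` section continues outside the hunk.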
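Review bot: Option 3 in the `@@ -419` hunk, `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256`, is a finite-field DHE suite, but the Diffie-Hellman menu earlier in the script lets the user pick ECDH (`DH_TYPE=1`), and as far as this diff shows that path produces no DH parameters for a DHE handshake to use; either gate option 3 on `DH_TYPE=2` or say so on the menu line, `echo " 3) DHE-RSA-AES-128-GCM-SHA256 (requires the DH key type, not ECDH)"`. It is also the only 128-bit suite without a 256-bit counterpart, unlike options 1 and 2, which looks unintended. The `if [[ "$CERT_TYPE" ... ]]` chain these lines sit in starts outside the hunk.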
@@ -447,20 +451,24 @@ else
echo "Choose which message digest algorithm you want to use for the data channel packets"
echo "and the tls-auth/tls-crypt control channel packets:"
fi
- echo " 1) SHA-256"
- echo " 2) SHA-384 (recommended)"
- echo " 3) SHA-512"
- while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" ]]; do
+ echo " 1) SHA-224"
+ echo " 2) SHA-256"
+ echo " 3) SHA-384 (recommended)"
+ echo " 4) SHA-512"
+ while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" && $HMAC_AUTH != "4" ]]; do
read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH
done
case $HMAC_AUTH in
1)
- HMAC_AUTH="SHA256"
+ HMAC_AUTH="SHA224"
;;
2)
- HMAC_AUTH="SHA384"
+ HMAC_AUTH="SHA256"
;;
3)
+ HMAC_AUTH="SHA384"
+ ;;
+ 4)
HMAC_AUTH="SHA512"
;;
esac
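Review bot: The prompt and its default were not updated for the fourth option: `read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH` still advertises `[1-3]` and pre-fills `2`, which after this renumbering maps to SHA256 while the menu marks SHA-384 (now option 3) as recommended, so a user who just presses Enter silently gets a weaker digest than advertised; change it to `read -p "HMAC authentication algorithm [1-4]: " -e -i 3 HMAC_AUTH`. Inserting SHA-224 at position 1 also shifts every existing numeric answer by one, and no other menu in this script offers a digest below SHA-256, so a short comment on why it is added would help. The enclosing `else` block starts outside the hunk.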