From 06c66a96a7634bc179ee948655e0e8be181a2e80 Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 6 Feb 2017 14:05:58 +0100 Subject: [PATCH 01/51] Correct typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c2b068c..f48df81 100644 --- a/README.md +++ b/README.md @@ -177,7 +177,7 @@ To quote the [OpenVPN documentation](https://community.openvpn.net/openvpn/wiki/ >Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM. -Of course I will update the script to add AES-GCM mode (as weel as ECDH and ECDSA) as soon as OpenVPN 2.4 is released. +Of course I will update the script to add AES-GCM mode (as well as ECDH and ECDSA) as soon as OpenVPN 2.4 is released. For now, these cipher are available in the setup : From e8554eb35abde7c29e835440d5979bfccf46e942 Mon Sep 17 00:00:00 2001 From: Angristan Date: Wed, 1 Mar 2017 17:10:33 +0100 Subject: [PATCH 02/51] Updates links --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f48df81..c33703f 100644 --- a/README.md +++ b/README.md @@ -12,6 +12,8 @@ Here is a preview of the installer : **You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit. +You can get a cheap VPS to run this script for $2.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/oBhgaj). + First, get the script and make it executable : ``` 
@@ -63,8 +65,6 @@ The script is made to work on these OS : If your're using an Ubuntu version that is not supported by the script, be aware that it's not supported by Ubuntu either, thus it's insecure. -You can get a cheap VPS to run this script for 3€/month at [PulseHeberg](https://goo.gl/oBhgaj). - ## Features This fork includes the following features : From 504597fe96d5df38bf0c280a576ea3f044629b79 Mon Sep 17 00:00:00 2001 From: Santiago Castro Date: Sun, 16 Apr 2017 23:21:39 -0300 Subject: [PATCH 03/51] Fix broken Markdown headings --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c33703f..b08a06a 100644 --- a/README.md +++ b/README.md @@ -79,7 +79,7 @@ This fork includes the following features : - Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories. - Other improvements ! -##DNS +## DNS The script will ask you which DNS resolvers you want to use when connected to the VPN. From fa9e5235f9cbd864d67e4b7975d9888882a7f641 Mon Sep 17 00:00:00 2001 From: DrXala Date: Sun, 23 Apr 2017 12:43:33 +0200 Subject: [PATCH 04/51] Close Angristan/OpenVPN-install#46 This patch is for Angristan/OpenVPN-install#46 --- openvpn-install.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index cee3e36..848287a 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -80,6 +80,8 @@ IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1, if [[ "$IP" = "" ]]; then IP=$(wget -qO- ipv4.icanhazip.com) fi +# Get Internet network interface with default route +NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)') if [[ -e /etc/openvpn/server.conf ]]; then while : 
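Review bot: `NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')` can come back empty (no default route inside some containers) or hold several names (more than one default route), and nothing checks it before `-o $NIC` is used to build the NAT rule later in this commit, so that rule would either fail or be written into rc.local broken. Add a guard right after the assignment: `if [[ -z "$NIC" ]]; then echo "Could not find the interface holding the default route (ip -4 route); aborting." >&2; exit 1; fi`, and put `head -n1` on the pipeline so a multi-route host yields a single interface. `grep -P` also needs a GNU grep built with PCRE; a small awk loop that prints the field after `dev` and exits on the first `default` line avoids that dependency. The `if [[ -e /etc/openvpn/server.conf ]]` block that follows continues past this hunk.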
@@ -483,8 +485,8 @@ verb 3" >> /etc/openvpn/server.conf # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward # Set NAT for the VPN subnet - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP - sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL + iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE + sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL if pgrep firewalld; then # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to From 823ff21fccb3823fcb0f0fc16faf3fdaeb859f2b Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 7 May 2017 23:56:19 +0200 Subject: [PATCH 05/51] Add support for Ubuntu 17.04 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index cee3e36..3c59d67 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.conf' - if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]]; then + if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install a recent version of OpenVPN on your system." echo "" From 0bc1e6ea59986367f585f06935442d7decf82410 Mon Sep 17 00:00:00 2001 
From: Angristan Date: Sun, 7 May 2017 23:59:43 +0200 Subject: [PATCH 06/51] Add support for Ubuntu 17.04 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b08a06a..878a7aa 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,7 @@ The script is made to work on these OS : - Ubuntu 14.04 LTS - Ubuntu 16.04 LTS - Ubuntu 16.10 +- Ubuntu 17.04 - CentOS 6 - CentOS 7 - Arch Linux From 5d40c041ddc9cda843d2367e83784c388e733c27 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 18 Jun 2017 21:07:15 +0200 Subject: [PATCH 07/51] More proper remove openvpn-blacklist isn't installed with Debian 9. --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3c59d67..e8dc561 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -164,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi fi if [[ "$OS" = 'debian' ]]; then - apt-get remove --purge -y openvpn openvpn-blacklist + apt-get autoremove --purge -y openvpn elif [[ "$OS" = 'arch' ]]; then pacman -R openvpn --noconfirm else From d712e157951ff52dd3b4230c76403eda8f91755d Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 18 Jun 2017 21:12:25 +0200 Subject: [PATCH 08/51] Support OpenSSL 1.1.0 DH generation Fixes dh.pem gen on Debian 9 and Arch Linux https://github.com/Angristan/OpenVPN-install/issues/64 https://github.com/Angristan/OpenVPN-install/issues/74 https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#openssl-issues --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index e8dc561..457fab0 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
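Review bot: `apt-get autoremove --purge -y openvpn` does more than the line it replaces: besides purging openvpn it removes every package the system has marked as automatically installed and no longer needed, which on a shared host can take out unrelated software the operator relies on. Keep the two steps separate so the uninstall path stays predictable: `apt-get remove --purge -y openvpn` followed, if desired, by `apt-get autoremove -y`. The removal block this line sits in starts before this hunk.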
@@ -403,7 +403,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service # Create the PKI, set up the CA, the DH params and the server + client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass - openssl dhparam $DH_KEY_SIZE -out dh.pem + openssl dhparam -out dh.pem $DH_KEY_SIZE ./easyrsa build-server-full server nopass ./easyrsa build-client-full $CLIENT nopass ./easyrsa gen-crl From a2a3bfc605d104e363bdd1b2fde4cf94a6636fa3 Mon Sep 17 00:00:00 2001 From: Angristan Date: Fri, 23 Jun 2017 14:30:57 +0200 Subject: [PATCH 09/51] Added Yandex Basic DNS resolvers https://dns.yandex.com/ Nice for Russia. --- openvpn-install.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 457fab0..a34e84b 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -211,6 +211,7 @@ else echo " 3) DNS.WATCH (Germany)" echo " 4) OpenDNS (Anycast: worldwide)" echo " 5) Google (Anycast: worldwide)" + echo " 6) Yandex Basic (Russia)" while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" ]]; do read -p "DNS [1-5]: " -e -i 2 DNS done @@ -454,6 +455,10 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf ;; + 6) #Yandex Basic + echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf + ;; esac echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo "crl-verify crl.pem From ec41b64b15f2fd5a915b0df301007ac5f9b9462c Mon Sep 17 00:00:00 2001 From: Angristan Date: Fri, 23 Jun 2017 14:32:16 +0200 Subject: [PATCH 10/51] Added Yandex Basic DNS resolvers Nice speed for Russia --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 878a7aa..37bcc87 100644 --- a/README.md +++ b/README.md 
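Review bot: The menu now lists `6) Yandex Basic (Russia)`, but the validation loop directly below it still only accepts 1-5 and the prompt still says `DNS [1-5]`, so picking the new entry loops forever and the `6)` case added further down is unreachable. Extend the loop with `&& $DNS != "6"` and change the prompt to `read -p "DNS [1-6]: " -e -i 2 DNS`. Like the other entries, the new resolver is pushed as plain `dhcp-option DNS`, i.e. unencrypted UDP/53 to a third party that then sees every client's queries; a one-line comment next to the `77.88.8.8` / `77.88.8.1` lines stating that would help the operator choose deliberately.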
@@ -91,6 +91,7 @@ Here are the possibilities : - [DNS.WATCH DNS Servers](https://dns.watch/index), recommended if you're in western europe (Germany) - [OpenDNS](https://en.wikipedia.org/wiki/OpenDNS), not recommened but fast wordlwide (Anycast servers) - [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers) +- [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia - Soon : local resolver :D Any other fast, trustable and neutral servers proposition is welcome. From d74318562d289bf18d4deec32e5c02360fb24a2f Mon Sep 17 00:00:00 2001 From: Kenneth Zhao Date: Sun, 25 Jun 2017 09:38:52 -0700 Subject: [PATCH 11/51] adding support for debian 9 stretch --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a34e84b..8786538 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.conf' - if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then + if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install a recent version of OpenVPN on your system." echo "" 
From 8c66c8e684726ead903710501684948af97bfb9a Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 25 Jun 2017 19:58:41 +0200 Subject: [PATCH 12/51] Fix client revocation A client revocation would make crl.pem unreadable and thus blocking any other client to connect. Fixes https://github.com/Angristan/OpenVPN-install/pull/47, https://github.com/Angristan/OpenVPN-install/issues/25 and https://github.com/Angristan/OpenVPN-install/issues/49. --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index a34e84b..2f8f79a 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -133,6 +133,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then rm -rf pki/issued/$CLIENT.crt rm -rf /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem + chmod 644 /etc/openvpn/crl.pem echo "" echo "Certificate for client $CLIENT revoked" echo "Exiting..." From ac203dd5eef586fb4a1c5db2fb0ca602d91edd32 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 25 Jun 2017 22:01:05 +0200 Subject: [PATCH 13/51] Fix iptables rules on reboot for some OS Thanks a lot to Nyr for the fix : https://github.com/Nyr/openvpn-install/commit/a31aaf82f3664e5854c617752a5493011ede731f Fixes https://github.com/Angristan/OpenVPN-install/issues/6. On Ubuntu 17.04, 16.10 and Debian 9, the iptables rules were not applied because of rc.local --- openvpn-install.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index ee7e3ac..2b0e68f 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
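Review bot: The added `chmod 644 /etc/openvpn/crl.pem` is the right fix for a daemon that drops privileges, but the two lines above it still run `rm -rf pki/issued/$CLIENT.crt` and `rm -rf /etc/openvpn/crl.pem` with an unquoted, operator-supplied `$CLIENT`; a name containing spaces or a glob character is word-split before `rm -rf` sees it. Quote the expansion and stop at a single file: `rm -f -- "pki/issued/$CLIENT.crt"`. The CRL is also replaced by `rm` then `cp`, leaving a short window with no `crl.pem` at all; copying to `crl.pem.new`, `chmod 644` on that, then `mv` over the old file avoids it. The revocation block begins before this hunk.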
@@ -490,6 +490,12 @@ verb 3" >> /etc/openvpn/server.conf fi # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward + # Needed to use rc.local with some systemd distros + if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then + echo '#!/bin/sh -e + exit 0' > $RCLOCAL + fi + chmod +x $RCLOCAL # Set NAT for the VPN subnet iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL From 19fe6626f1d7d3cb2f46adf9277a127ba242f9a3 Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 26 Jun 2017 02:17:14 +0200 Subject: [PATCH 14/51] Implements OpenVPN 2.4 changes for Arch Linux (kind of) Since OpenVPN 2.4 is out on Arch, the script wasn't working completely because of this : https://www.archlinux.org/news/openvpn-240-update-requires-administrative-interaction/ There is a new path for OpenVPN server config. This is just needed on Arch for now, and you're probably not going to run an OpenVPN client on an OpenVPN server. Thus I modified the systemd script to use `/etc/openvpn/` and `server.conf` instead of the new `/etc/openvpn/server/` and `openvpn.conf`. By using the same paths as the other distros, I avoid to rewrite the entire script to change the paths... It's not 100% clean, but it works pretty well. If you have any objection please leave a comment. Also, I updated the new service name. As far as I tested, it's working fine on Arch Linux for now. Fixes #63 and #61 --- openvpn-install.sh | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2b0e68f..76c9c83 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
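Review bot: The file written when `$RCLOCAL` is missing is `'#!/bin/sh -e` followed by an indented `exit 0'`, because the second line carries the script's own indentation inside the quoted string, and the iptables rule is then spliced beneath a `-e` shebang with `sed "1 a\..."`, so any iptables failure at boot aborts rc.local silently. `printf '#!/bin/sh -e\nexit 0\n' > "$RCLOCAL"` keeps the generated file clean, and the paths in `! -e $RCLOCAL` and `chmod +x $RCLOCAL` should be quoted. The creation is limited to `$OS = 'debian'`; on the other distros this hunk assumes `$RCLOCAL` was already set up before this point, which is outside the hunk.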
@@ -558,8 +558,17 @@ verb 3" >> /etc/openvpn/server.conf fi else if pgrep systemd-journal; then - systemctl restart openvpn@server.service - systemctl enable openvpn@server.service + if [[ "$OS" = 'arch']]; then + #Workaround to avoid rewriting the entire script for Arch + sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service + sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service + systemctl daemon-reload + systemctl restart openvpn-server@openvpn.service + systemctl enable openvpn-server@openvpn.service + else + systemctl restart openvpn@server.service + systemctl enable openvpn@server.service + fi else service openvpn restart chkconfig openvpn on From 6800ef35f782e8193af399cc33dd55dd7df25d1e Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 26 Jun 2017 02:20:38 +0200 Subject: [PATCH 15/51] Typo It's late. --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 76c9c83..925d652 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -558,7 +558,7 @@ verb 3" >> /etc/openvpn/server.conf fi else if pgrep systemd-journal; then - if [[ "$OS" = 'arch']]; then + if [[ "$OS" = 'arch' ]]; then #Workaround to avoid rewriting the entire script for Arch sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service From e185698445acc8fd98b20ca0c33b47fcd39158e4 Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 26 Jun 2017 02:37:41 +0200 Subject: [PATCH 16/51] Use current system resolvers as default That makes more sense that putting French servers. What is in /etc/resolv.conf is not always good, but most of the time it's the hoster's or something nearby. Thus it makes more sense for the user to use them by default. --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
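Review bot: The two `sed -i` calls rewrite `/usr/lib/systemd/system/openvpn-server@.service` in place, a file owned by the Arch `openvpn` package; the next `pacman -Syu` restores the vendor unit and the service silently stops finding `server.conf`. Put the override in `/etc/systemd/system/openvpn-server@.service.d/override.conf` instead (an empty `ExecStart=` line to reset, then the adjusted `ExecStart=`, plus `WorkingDirectory=/etc/openvpn`), which survives upgrades and is picked up by the `systemctl daemon-reload` already in the hunk. Without a `g` flag each `sed` only changes the first match on a line, which is fine only if the vendor unit has one path per line — worth checking against the installed file. The `'arch']]` on the first added line is missing a space before `]]` and will not parse.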
diff --git a/openvpn-install.sh b/openvpn-install.sh index 925d652..1c8a13a 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -209,14 +209,14 @@ else done echo "" echo "What DNS do you want to use with the VPN?" - echo " 1) Current system resolvers (/etc/resolv.conf)" + echo " 1) Current system resolvers (in /etc/resolv.conf)" echo " 2) FDN (France)" echo " 3) DNS.WATCH (Germany)" echo " 4) OpenDNS (Anycast: worldwide)" echo " 5) Google (Anycast: worldwide)" echo " 6) Yandex Basic (Russia)" while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" ]]; do - read -p "DNS [1-5]: " -e -i 2 DNS + read -p "DNS [1-5]: " -e -i 1 DNS done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " From f4f8d0806730874c582bade84c5295cf2950dcf1 Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 26 Jun 2017 03:02:16 +0200 Subject: [PATCH 17/51] Add support for Debian 9 Stretch and architectures details I figured it would be useful to add architectures to the list, especially considering the rise of ARM servers. --- README.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 37bcc87..e361bf1 100644 --- a/README.md +++ b/README.md 
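Review bot: Defaulting to option 1 pushes whatever is in the server's `/etc/resolv.conf` to every client, and nothing in the hunk filters those addresses: on hosts running a local stub (systemd-resolved's `127.0.0.53`, dnsmasq on `127.0.0.1`) or a provider resolver that only answers from its own network, clients would be handed a resolver they cannot reach and DNS inside the tunnel breaks. The code that reads resolv.conf for option 1 lives outside this hunk; it should skip loopback and link-local entries, e.g. `grep -E '^nameserver' /etc/resolv.conf | grep -vE '127\.|::1'`, and fall back to another choice when nothing usable remains — a short comment on the menu line stating this caveat would also help. Note too that the validation loop still only accepts 1-5 while the menu offers 6.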
@@ -50,17 +50,18 @@ On the client-side, it's less problematic, but if you want to use an OpenVPN ser ## Compatibility -The script is made to work on these OS : -- Debian 7 -- Debian 8 -- Ubuntu 12.04 LTS -- Ubuntu 14.04 LTS -- Ubuntu 16.04 LTS -- Ubuntu 16.10 -- Ubuntu 17.04 -- CentOS 6 -- CentOS 7 -- Arch Linux +The script is made to work on these OS and architectures : +- **Debian 7** (i386, amd64) +- **Debian 8** (i386, amd64) +- **Debian 9** (i386, amd64, armhf, arm64) +- **Ubuntu 12.04 LTS** (i386, amd64) +- **Ubuntu 14.04 LTS** (i386, amd64) +- **Ubuntu 16.04 LTS** (i386, amd64) +- **Ubuntu 16.10** (i386, amd64, armhf, arm64) +- **Ubuntu 17.04** (i386, amd64, armhf, arm64) +- **CentOS 6** (i386, amd64) +- **CentOS 7** (i386, amd64, arm64) +- **Arch Linux** (i686, amd64) (It should also work on Debian unstable/testing and Ubuntu beta). From 2584de5d854245c91acea08074750a8240e9093e Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 26 Jun 2017 03:11:59 +0200 Subject: [PATCH 18/51] Caps are important --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e361bf1..44d4f97 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -## openvpn-install +## OpenVPN-install Secure OpenVPN installer for Debian, Ubuntu, CentOS and Arch Linux. This script will let you setup your own secure VPN server in just a few minutes. From d1f665c4582eb77027d8d7cbfaf64de303805a1d Mon Sep 17 00:00:00 2001 From: jackdwyer Date: Mon, 3 Jul 2017 14:11:16 -0400 Subject: [PATCH 19/51] fixes last case statement for SEED-CBC --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 openvpn-install.sh diff --git a/openvpn-install.sh b/openvpn-install.sh old mode 100644 new mode 100755 index da545e1..e16ba4e --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -256,7 +256,7 @@ else 6) CIPHER="cipher CAMELLIA-256-CBC" ;; - 5) + 7) CIPHER="cipher SEED-CBC" ;; esac 
From 276284458f86ea38d671817d705e7ef827f068f7 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 8 Jul 2017 13:30:58 +0200 Subject: [PATCH 20/51] Fix DNS choice --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index e16ba4e..4f845c2 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -215,8 +215,8 @@ else echo " 4) OpenDNS (Anycast: worldwide)" echo " 5) Google (Anycast: worldwide)" echo " 6) Yandex Basic (Russia)" - while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" ]]; do - read -p "DNS [1-5]: " -e -i 1 DNS + while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" ]]; do + read -p "DNS [1-6]: " -e -i 1 DNS done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " From c703d41795def39b81b4a4ec6b2bda3f144b2a0a Mon Sep 17 00:00:00 2001 From: Angristan Date: Fri, 14 Jul 2017 17:15:07 +0200 Subject: [PATCH 21/51] Fix for Debian 9 on OpenVZ --- openvpn-install.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4f845c2..3bcd725 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -552,7 +552,17 @@ verb 3" >> /etc/openvpn/server.conf if [[ "$OS" = 'debian' ]]; then # Little hack to check for systemd if pgrep systemd-journal; then - systemctl restart openvpn@server.service + if [[ "$VERSION_ID" = 'VERSION_ID="9"' ]]; then + #Workaround to fix OpenVPN service on Debian 9 OpenVZ + sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn-server\@.service + sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn-server\@.service + sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn-server\@.service + systemctl daemon-reload + systemctl restart openvpn-server@openvpn.service + systemctl enable openvpn-server@openvpn.service + else + systemctl restart openvpn@server.service + fi else /etc/init.d/openvpn restart fi From 031afd587e594f4dc7966c11c73ed0dd90bf6022 Mon Sep 17 00:00:00 2001 From: patlol Date: Sat, 22 Jul 2017 19:30:36 +0200 Subject: [PATCH 22/51] fix #8 Client files not beeing created in the right folder when using sudo --- openvpn-install.sh | 46 +++++++++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 19 deletions(-) mode change 100755 => 100644 openvpn-install.sh diff --git a/openvpn-install.sh b/openvpn-install.sh old mode 100755 new mode 100644 index 3bcd725..e9e5373 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
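Review bot: Commenting out `LimitNPROC` drops a resource limit the Debian unit sets on purpose, and all three `sed -i` edits are made to `/lib/systemd/system/openvpn-server@.service`, which the openvpn package overwrites on its next upgrade, so the OpenVZ workaround silently disappears. A drop-in keeps both the intent and the fix explicit: `mkdir -p /etc/systemd/system/openvpn-server@.service.d` and a file with `[Service]` and `LimitNPROC=` (empty value unsets it), plus `WorkingDirectory=` / `ExecStart=` overrides if the path rewrite is still wanted, leaving the vendor unit untouched. The branch also enables `openvpn-server@openvpn.service` without disabling `openvpn@server.service`; on a host where a previous run enabled the older unit both may start and contend for the port, so either `systemctl disable openvpn@server.service` or a comment explaining why that cannot happen. The enclosing `if [[ "$OS" = 'debian' ]]` block continues past this hunk.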
@@ -56,21 +56,29 @@ else fi newclient () { + # Where to write the custom client.ovpn? + if [ -e /home/$1 ]; then # if $1 is a user ID + homeDir="/home/$1" + elif [ -e /home/${SUDO_USER} ]; then # if not, use SUDO_USER + homeDir="/home/${SUDO_USER}" + else # if not, use /root + homeDir="~" + fi # Generates the custom client.ovpn - cp /etc/openvpn/client-template.txt ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "key-direction 1" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn - echo "" >> ~/$1.ovpn + cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + echo "key-direction 1" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn } # Try to get our IP from the system and fallback to the Internet. @@ -108,7 +116,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then # Generates the custom client.ovpn newclient "$CLIENT" echo "" - echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn" + echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn" exit ;; 2) @@ -356,7 +364,7 @@ else echo "Ok, bye !" exit 4 fi - + if [[ "$OS" = 'arch' ]]; then # Install rc.local echo "[Unit] 
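Review bot: The `.ovpn` that `newclient` builds embeds the client's private key and the tls-auth key, and this hunk now writes it into `/home/$1` or `/home/${SUDO_USER}` as root with root's default umask and no ownership change, so the file is typically world-readable and owned by root rather than the user it was written for. Set the mode before any secret is appended, e.g. replace the `cp` with `install -m 600 /etc/openvpn/client-template.txt "$homeDir/$1.ovpn"`, and `chown` the file to the account whose home was chosen once the keys are in. Picking the directory from `-e /home/$1` also means a client name that happens to match another login writes that user's VPN key into their home, and `$1` is never checked for `/` or `..`. Separately, `homeDir="~"` is a literal tilde inside double quotes, so the fallback path is `~/name.ovpn` relative to the current directory rather than root's home.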
@@ -375,7 +383,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service echo "#!/bin/bash" > $RCLOCAL fi fi - + # Install dependencies pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm if [[ "$OS" = 'arch' ]]; then @@ -417,7 +425,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn # Make cert revocation list readable for non-root chmod 644 /etc/openvpn/crl.pem - + # Generate server.conf echo "port $PORT" > /etc/openvpn/server.conf if [[ "$PROTOCOL" = 'UDP' ]]; then @@ -625,7 +633,7 @@ verb 3" >> /etc/openvpn/client-template.txt echo "" echo "Finished!" echo "" - echo "Your client config is available at ~/$CLIENT.ovpn" + echo "Your client config is available at $homeDir/$CLIENT.ovpn" echo "If you want to add more clients, you simply need to run this script another time!" fi exit 0; From 5787c45a032a204dd4f3b14e91355fd7263c9ec8 Mon Sep 17 00:00:00 2001 From: patlol Date: Sat, 22 Jul 2017 19:40:29 +0200 Subject: [PATCH 23/51] Update openvpn-install.sh --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index e9e5373..603d0a1 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,7 +57,7 @@ fi newclient () { # Where to write the custom client.ovpn? - if [ -e /home/$1 ]; then # if $1 is a user ID + if [ -e /home/$1 ]; then # if $1 is a user name homeDir="/home/$1" elif [ -e /home/${SUDO_USER} ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" From 3c5c87b031d49335f3ccbe941343c1451f8b7f55 Mon Sep 17 00:00:00 2001 From: patlol Date: Sat, 22 Jul 2017 20:18:46 +0200 Subject: [PATCH 24/51] Update openvpn-install.sh --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 603d0a1..3e19335 100644 
--- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -59,10 +59,10 @@ newclient () { # Where to write the custom client.ovpn? if [ -e /home/$1 ]; then # if $1 is a user name homeDir="/home/$1" - elif [ -e /home/${SUDO_USER} ]; then # if not, use SUDO_USER + elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" - else # if not, use /root - homeDir="~" + else # if not SUDO_USER, use /root + homeDir="/root" fi # Generates the custom client.ovpn cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn From 58a5282e17b7556fe0513fd897bddd1830902cd3 Mon Sep 17 00:00:00 2001 From: patlol Date: Sat, 22 Jul 2017 21:08:06 +0200 Subject: [PATCH 25/51] Update openvpn-install.sh --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3e19335..c5c0f77 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -59,7 +59,7 @@ newclient () { # Where to write the custom client.ovpn? if [ -e /home/$1 ]; then # if $1 is a user name homeDir="/home/$1" - elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER + elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" else # if not SUDO_USER, use /root homeDir="/root" From a3c005c556bc925af13f678aed8fa73515ca5f27 Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 7 Aug 2017 16:44:16 +0200 Subject: [PATCH 26/51] Update Debian and Ubuntu repository swupdate.openvpn.net hasn't been updated since OpenVPN 2.3.14 whereas build.openvpn.net supports OpenVPN 2.4.x as of today Fixes https://github.com/Angristan/OpenVPN-install/issues/86 --- openvpn-install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c5c0f77..b874a69 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
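Review bot: `[ ${SUDO_USER} ]` is unquoted, and the branch no longer verifies that `/home/${SUDO_USER}` exists, so `sudo` from an account whose home is elsewhere (a system user, or root invoking `sudo` itself) makes every following `cp`/`cat` in `newclient` fail against a missing directory. Keep the non-empty test and restore the directory check together: `elif [[ -n "$SUDO_USER" && -d "/home/$SUDO_USER" ]]; then`. Using `$HOME` for the last fallback instead of the hard-coded `/root` would also cover systems where root's home is elsewhere; the rest of `newclient` continues past this hunk.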
@@ -321,25 +321,25 @@ else # We add the OpenVPN repo to get the latest version. # Debian 7 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then - echo "deb http://swupdate.openvpn.net/apt wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Debian 8 if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then - echo "deb http://swupdate.openvpn.net/apt jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt update fi # Ubuntu 12.04 if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then - echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu 14.04 if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then - echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi From edbe4fed90841aebe7f1fecf95a9893eea19ab14 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 20 Aug 2017 22:38:55 +0200 Subject: [PATCH 27/51] Rename OpenVPN's APT list --- openvpn-install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index b874a69..429dea5 100644 --- a/openvpn-install.sh 
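Review bot: The `deb` lines now point at `http://build.openvpn.net/...` while the signing key is still piped into `apt-key add -`, which makes that key trusted for every APT source on the system rather than only this repository, and `wget`'s exit status is never checked, so a failed key download silently feeds an empty input to `apt-key`. Save the key scoped to this repository instead: `wget -qO /etc/apt/trusted.gpg.d/openvpn.gpg https://swupdate.openvpn.net/repos/repo-public.gpg || exit 1` (dearmoring with `gpg --dearmor` if the file is ASCII-armored) and, where the apt version supports it, `[signed-by=/etc/apt/trusted.gpg.d/openvpn.gpg]` on the `deb` line. Using `https://` for the `deb` lines too is cheap hardening if the host serves it. The four near-identical branches only differ in the codename, so one branch keyed on a codename variable would keep future edits consistent.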
+++ b/openvpn-install.sh @@ -321,25 +321,25 @@ else # We add the OpenVPN repo to get the latest version. # Debian 7 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Debian 8 if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt update fi # Ubuntu 12.04 if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu 14.04 if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi From ad3c223385a9aa323227633fcc5e456d1235e873 Mon Sep 17 00:00:00 2001 
From: Ola Tuvesson Date: Tue, 22 Aug 2017 00:39:43 +0100 Subject: [PATCH 28/51] Will now set "local" in server.conf to the chosen IP adderess If you want to run OpenVPN in UDP mode on an secondary IP, UDP routing will fail unless you explicitly bind OpenVPN to the chosen IP address. This change includes the "local" parameter in the config and sets it to the IP address entered at the beginning. --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 429dea5..fdb7aa3 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -427,6 +427,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service chmod 644 /etc/openvpn/crl.pem # Generate server.conf + echo "local $IP" > /etc/openvpn/server.conf echo "port $PORT" > /etc/openvpn/server.conf if [[ "$PROTOCOL" = 'UDP' ]]; then echo "proto udp" >> /etc/openvpn/server.conf From c0ed60e8cfbc8ac36ba6472af88fb1eacc667dee Mon Sep 17 00:00:00 2001 From: Angristan Date: Tue, 22 Aug 2017 11:12:42 +0200 Subject: [PATCH 29/51] Update openvpn-install.sh --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index fdb7aa3..1317865 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -428,7 +428,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service # Generate server.conf echo "local $IP" > /etc/openvpn/server.conf - echo "port $PORT" > /etc/openvpn/server.conf + echo "port $PORT" >> /etc/openvpn/server.conf if [[ "$PROTOCOL" = 'UDP' ]]; then echo "proto udp" >> /etc/openvpn/server.conf elif [[ "$PROTOCOL" = 'TCP' ]]; then From 37d42e25fea4a46de5b5308c80dc457266af01c6 Mon Sep 17 00:00:00 2001 From: Angristan Date: Wed, 23 Aug 2017 10:39:33 +0200 Subject: [PATCH 30/51] Update Easy-RSA to v3.0.3 --- openvpn-install.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1317865..3b49d31 100644 
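Review bot: The new `echo "local $IP" > /etc/openvpn/server.conf` is immediately clobbered by the existing `echo "port $PORT" > /etc/openvpn/server.conf` on the next line (both truncate with `>`), so `local` never reaches the generated config; the second line must append: `echo "port $PORT" >> /etc/openvpn/server.conf`. Binding is also only safe when `$IP` is actually configured on an interface: `$IP` falls back to `wget -qO- ipv4.icanhazip.com` when no local address is found (set before this hunk), and on a NAT'd VPS that public address is not local, so `local $IP` would make OpenVPN fail to bind. Guard it, e.g. `if ip -4 addr show | grep -qF "inet $IP/"; then echo "local $IP" >> /etc/openvpn/server.conf; fi`, or only emit `local` when the address was entered explicitly by the operator.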
--- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -404,12 +404,12 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service rm -rf /etc/openvpn/easy-rsa/ fi # Get easy-rsa - wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz - tar xzf ~/EasyRSA-3.0.1.tgz -C ~/ - mv ~/EasyRSA-3.0.1/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-3.0.1/ /etc/openvpn/easy-rsa/ + wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz + tar xzf ~/EasyRSA-3.0.3.tgz -C ~/ + mv ~/EasyRSA-3.0.3/ /etc/openvpn/ + mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ - rm -rf ~/EasyRSA-3.0.1.tgz + rm -rf ~/EasyRSA-3.0.3.tgz cd /etc/openvpn/easy-rsa/ echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars # Create the PKI, set up the CA, the DH params and the server + client certificates From 4fa0544c723d6a8e08254737f477b59220ef6d55 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 12:35:18 +0200 Subject: [PATCH 31/51] Initial commit for OpenVPN 2.4 support - Add support for AES-GCM ciphers for the data channel - Add support for tls-crypt - Add support for ECDSA certificates - Add support for ECDHE - Add choice for HMAC auth algorithm - Add choice for certificate hash algorithm - Add choice for the control channel's cipher All these options have an OpenVPN 2.3-compatible choice (example : RSA cert and DH key) --- openvpn-install.sh | 322 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 246 insertions(+), 76 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3b49d31..8f7c97d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
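Review bot: The EasyRSA tarball is fetched from GitHub and unpacked straight into `/etc/openvpn/` with no integrity check and no test that `wget` succeeded; a failed or truncated download leaves `tar`/`mv` failing and the PKI steps running with no `easyrsa` present. Pin the release's SHA-256 next to the version and verify before unpacking: `wget -O ~/EasyRSA-3.0.3.tgz ... || exit 1` followed by `echo "<sha256 from the 3.0.3 release>  ~/EasyRSA-3.0.3.tgz" | sha256sum -c - || exit 1`. The download also lands in `~`, which under `sudo` is wherever `$HOME` points; a `mktemp -d` working directory removed on exit would avoid writing into the invoking user's home. The version string appears six times in this hunk, so an `EASYRSA_VERSION=3.0.3` variable would keep the next bump to one line.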
@@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.conf' - if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then + if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install a recent version of OpenVPN on your system." echo "" @@ -75,10 +75,17 @@ newclient () { echo "" >> $homeDir/$1.ovpn cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn echo "" >> $homeDir/$1.ovpn - echo "key-direction 1" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn + #We verify if we used tls-crypt or tls-auth during the installation + TLS_SIG=$(cat /etc/openvpn/TLS_SIG) + if [[ $TLS_SIG == "1" ]]; then + cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn + echo "" >> ~/$1.ovpn + elif [[ $TLS_SIG == "2" ]]; then + echo "key-direction 1" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + fi } # Try to get our IP from the system and fallback to the Internet. 
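Review bot: In the `@@ -75` hunk the new tls-crypt branch of newclient writes to `~/$1.ovpn` while every other line of the function writes to `$homeDir/$1.ovpn`, so whenever homeDir is not the invoking user's home (the usual sudo case) the key lands in a different file and the generated client config ships without it; the PATCH 32 hunk further down this page adds another `~/$1.ovpn` line with the same problem. Use `$homeDir/$1.ovpn` on those lines. `TLS_SIG=$(cat /etc/openvpn/TLS_SIG)` is also unchecked: on a server installed before this state file existed the variable is empty, neither branch runs, and the client silently gets no control-channel key — fail instead, `TLS_SIG=$(cat /etc/openvpn/TLS_SIG) || { echo "/etc/openvpn/TLS_SIG missing, cannot tell tls-crypt from tls-auth" >&2; return 1; }`. newclient's signature is outside the hunk.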
@@ -212,8 +219,10 @@ else
 echo ""
 echo "What protocol do you want for OpenVPN?"
 echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
- while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
- read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
+ echo " 1) UDP (recommended)"
+ echo " 2) TCP"
+ while [[ $PROTOCOL != "1" && $PROTOCOL != "2" ]]; do
+ read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
 done
 echo ""
 echo "What DNS do you want to use with the VPN?" 
@@ -229,83 +238,215 @@ else echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " echo "the encryption in OpenVPN and the choices I made in this script." - echo "Please note that all the choices proposed are secure (to a different degree)" - echo "and are still viable to date, unlike some default OpenVPN options" + echo "Please note that all the choices proposed are secure enough considering today's strandards," + echo "unlike some default OpenVPN options" echo '' echo "Choose which cipher you want to use for the data channel:" - echo " 1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)" - echo " 2) AES-192-CBC" - echo " 3) AES-256-CBC" - echo "Alternatives to AES, use them only if you know what you're doing." - echo "They are relatively slower but as secure as AES." - echo " 4) CAMELLIA-128-CBC" - echo " 5) CAMELLIA-192-CBC" - echo " 6) CAMELLIA-256-CBC" - echo " 7) SEED-CBC" - while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do + echo "" + echo " 1) AES-128-GCM (recommended)" + echo " 2) AES-192-GCM" + echo " 3) AES-256-GCM" + echo "Only use AES-CBC for OpenVPN 2.3 compatibilty" + echo " 4) AES-128-CBC" + echo " 5) AES-192-CBC" + echo " 6) AES-256-CBC" + while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do read -p "Cipher [1-7]: " -e -i 1 CIPHER done case $CIPHER in 1) - CIPHER="cipher AES-128-CBC" + CIPHER="cipher AES-128-GCM" ;; 2) - CIPHER="cipher AES-192-CBC" + CIPHER="cipher AES-192-GCM" ;; 3) - CIPHER="cipher AES-256-CBC" + CIPHER="cipher AES-256-GCM" ;; 4) - CIPHER="cipher CAMELLIA-128-CBC" + CIPHER="cipher AES-128-CBC" ;; 5) - CIPHER="cipher CAMELLIA-192-CBC" + CIPHER="cipher AES-192-CBC" ;; 6) - CIPHER="cipher CAMELLIA-256-CBC" - ;; - 7) - CIPHER="cipher SEED-CBC" + CIPHER="cipher AES-256-CBC" ;; esac echo "" - echo "Choose what size of 
Diffie-Hellman key you want to use:" - echo " 1) 2048 bits (fastest)" - echo " 2) 3072 bits (recommended, best compromise)" - echo " 3) 4096 bits (most secure)" - while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE + echo "Choose what kind of Diffie-Hellman key you want to use." + echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure." + echo "Use DH for OpenVPN 2.3 compatibilty" + echo " 1) ECDH (recommended)" + echo " 2) DH" + while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do + read -p "DH key size [1-2]: " -e -i 1 DH_TYPE done - case $DH_KEY_SIZE in + case $DH_TYPE in 1) - DH_KEY_SIZE="2048" + echo "Choose which curve you want to use" + echo " 1) secp256r1" + echo " 2) secp384r1 (recommended)" + echo " 3) secp521r1" + while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do + read -p "ECDH [1-3]: " -e -i 2 DH_CURVE + done + case $DH_CURVE in + 1) + DH_CURVE="secp256r1" + ;; + 2) + DH_CURVE="secp384r1" + ;; + 3) + DH_CURVE"secp521r1" + ;; + esac ;; 2) - DH_KEY_SIZE="3072" - ;; - 3) - DH_KEY_SIZE="4096" + echo "Choose which DH key size do you want to use" + echo " 1) 2048 bits" + echo " 2) 3072 bits (recommended)" + echo " 3) 4096 bits" + while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do + read -p "DH key size [1-3]: " -e -i 2 DH_SIZE + done + case $DH_SIZE in + 1) + DH_SIZE="2048" + ;; + 2) + DH_SIZE="3072" + ;; + 3) + DH_SIZE"4096" + ;; + esac ;; esac echo "" - echo "Choose what size of RSA key you want to use:" - echo " 1) 2048 bits (fastest)" - echo " 2) 3072 bits (recommended, best compromise)" - echo " 3) 4096 bits (most secure)" - while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE + echo "Choose what kind Certificate key you want to use." + echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure." 
+ echo "Use RSA for OpenVPN 2.3 compatibilty" + echo " 1) ECDSA (recommended)" + echo " 2) RSA" + while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do + read -p "Certificate key [1-2]: " -e -i 1 CERT_TYPE done - case $RSA_KEY_SIZE in + case $CERT_TYPE in 1) - RSA_KEY_SIZE="2048" + echo "Choose which curve you want to use:" + echo " 1) secp256r1" + echo " 2) secp384r1 (recommended)" + echo " 3) secp521r1" + while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do + read -p "ECDH [1-3]: " -e -i 2 CERT_CURVE + done + case $CERT_CURVE in + 1) + CERT_CURVE="secp256r1" + ;; + 2) + CERT_CURVE="secp384r1" + ;; + 3) + CERT_CURVE"secp521r1" + ;; + esac ;; 2) - RSA_KEY_SIZE="3072" - ;; - 3) - RSA_KEY_SIZE="4096" + echo "Choose which RSA key size do you want to use:" + echo " 1) 2048 bits" + echo " 2) 3072 bits (recommended)" + echo " 3) 4096 bits" + while [[ $RSA_SIZE != "1" && $RSA_SIZE != "2" && $RSA_SIZE != "3" ]]; do + read -p "DH key size [1-3]: " -e -i 2 RSA_SIZE + done + case $RSA_SIZE in + 1) + RSA_SIZE="2048" + ;; + 2) + RSA_SIZE="3072" + ;; + 3) + RSA_SIZE"4096" + ;; + esac ;; esac + echo "Choose which hash algorithm you want to use for the certificate:" + echo " 1) SHA-256" + echo " 2) SHA-384 (recommended)" + echo " 3) SHA-512" + while [[ $CERT_HASH != "1" && $CERT_HASH != "2" ]]; do + read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH + done + case $CERT_HASH in + 1) + CERT_HASH="sha256" + ;; + 2) + CERT_HASH="sha384" + ;; + 3) + CERT_HASH="sha512" + ;; + esac + echo "Which cipher to use for the control channel ?" 
+ if [[ "$CERT_TYPE" = '1' ]]; then + echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)" + echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256" + while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do + read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC + done + case $CC_ENC in + 1) + CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" + ;; + 2) + CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" + ;; + esac + elif [[ "$CERT_TYPE" = '2' ]]; then + echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)" + echo " 2) ECDHE-RSA-AES-128-GCM-SHA256" + while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do + read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC + done + case $CC_ENC in + 1) + CC_ENC="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" + ;; + 2) + CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" + ;; + esac + fi + echo "Choose which HMAC authentication algorithm you want to use" + echo " 1) SHA-256" + echo " 2) SHA-384 (recommended)" + echo " 3) SHA-512" + while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" ]]; do + read -p "HMAC authentication algorithmHMAC_AUTH [1-3]: " -e -i 2 HMAC_AUTH + done + case $HMAC_AUTH in + 1) + HMAC_AUTH="sha256" + ;; + 2) + HMAC_AUTH="sha384" + ;; + 3) + HMAC_AUTH="sha512" + ;; + esac + echo "tls crypt or tls auth" + echo " 1) tls-crypt (recommended)" + echo " 2) tls-auth (use only for openvpn 2.3 compat)" + while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do + read -p "tls sig [1-2]: " -e -i 1 TLS_SIG + done echo "" echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do @@ -392,6 +533,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service systemctl start iptables fi fi + + #To remember if we use tls-crypt or tls-auth when generating a new client conf + echo $TLS_SIG > /etc/openvpn/TLS_SIG + # Find out if the machine uses nogroup or nobody for the permissionless group if grep -qs "^nogroup:" /etc/group; then NOGROUP=nogroup 
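Review bot: In the new RSA branch of the certificate menu the prompt reads `read -p "DH key size [1-3]: " -e -i 2 RSA_SIZE`, so the user is asked for a DH size while choosing the RSA key size; the same copy-paste shows in `"DH key size [1-2]: "` for DH_TYPE and `"ECDH [1-3]: "` for CERT_CURVE. The RSA one is not touched by any later hunk on this page; it should read `read -p "RSA key size [1-3]: " -e -i 2 RSA_SIZE`. A style point: `CIPHER` and the other selections hold the menu number inside the loop and are then overwritten with the config-file string, which is what later makes conditions on `$CIPHER` compare against the wrong form; keeping the choice in one variable and the emitted option in another avoids that. The defaults offered (AES-GCM, EC certificates, SHA-384, tls-crypt, TLS 1.2 minimum) are sound. The enclosing menu block starts outside the hunk.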
@@ -411,27 +556,43 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service chown -R root:root /etc/openvpn/easy-rsa/ rm -rf ~/EasyRSA-3.0.3.tgz cd /etc/openvpn/easy-rsa/ - echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars + if [[ $CERT_TYPE == "1" ]]; then + echo "set_var EASYRSA_ALGO ec +set_var EASYRSA_CURVE $CERT_CURVE" > vars + elif [[ $CERT_TYPE == "2" ]]; then + echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars + fi + echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars # Create the PKI, set up the CA, the DH params and the server + client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass - openssl dhparam -out dh.pem $DH_KEY_SIZE + if [[ $DH_TYPE == "2" ]]; then + openssl dhparam -out dh.pem $DH_SIZE + fi ./easyrsa build-server-full server nopass ./easyrsa build-client-full $CLIENT nopass ./easyrsa gen-crl - # generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key + if [[ $TLS_SIG == "1" ]]; then + # Generate tls-crypt key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key + elif [[ $TLS_SIG == "2" ]]; then + # Generate tls-auth key + openvpn --genkey --secret /etc/openvpn/tls-auth.key + fi # Move all the generated files - cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn + cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn + if [[ $DH_TYPE == "2" ]]; then + cp dh.pem /etc/openvpn + fi # Make cert revocation list readable for non-root chmod 644 /etc/openvpn/crl.pem # Generate server.conf echo "local $IP" > /etc/openvpn/server.conf echo "port $PORT" >> /etc/openvpn/server.conf - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then echo "proto udp" >> /etc/openvpn/server.conf - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then echo "proto tcp" >> /etc/openvpn/server.conf fi echo "dev tun 
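Review bot: The rewritten `cp` line still copies the CA private key (`pki/private/ca.key`) into /etc/openvpn next to the server's runtime files, although nothing in these hunks reads that copy — client issuance runs `./easyrsa` inside /etc/openvpn/easy-rsa/, which has the key in its own pki/ directory. Dropping it keeps the signing key out of the directory that backups, config dumps and the openvpn process itself touch: `cp pki/ca.crt pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn`. The `vars` file for the EC case embeds a literal newline inside an `echo` string; `printf 'set_var EASYRSA_ALGO ec\nset_var EASYRSA_CURVE %s\n' "$CERT_CURVE" > vars` reads more clearly. The enclosing install block starts outside the hunk.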
@@ -476,14 +637,23 @@ echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo "crl-verify crl.pem ca ca.crt cert server.crt -key server.key -tls-auth tls-auth.key 0 -dh dh.pem -auth SHA256 +key server.key" >> /etc/openvpn/server.conf +if [[ $TLS_SIG == "1" ]]; then + echo "tls-auth tls-crypt.key 0" >> /etc/openvpn/server.conf +elif [[ $TLS_SIG == "2" ]]; then + echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf +fi +if [[ $DH_TYPE == "1" ]]; then + echo "dh none +ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf +elif [[ $DH_TYPE == "2" ]]; then + echo "dh dh.pem" >> /etc/openvpn/server.conf +fi +echo "auth $HMAC_AUTH $CIPHER tls-server tls-version-min 1.2 -tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +tls-cipher $CC_ENC status openvpn.log verb 3" >> /etc/openvpn/server.conf @@ -512,10 +682,10 @@ verb 3" >> /etc/openvpn/server.conf # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to # avoid a firewalld reload. - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then firewall-cmd --zone=public --add-port=$PORT/udp firewall-cmd --permanent --zone=public --add-port=$PORT/udp - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then firewall-cmd --zone=public --add-port=$PORT/tcp firewall-cmd --permanent --zone=public --add-port=$PORT/tcp fi 
@@ -526,16 +696,16 @@ verb 3" >> /etc/openvpn/server.conf # If iptables has at least one REJECT rule, we asume this is needed. # Not the best approach but I can't think of other and this shouldn't # cause problems. - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then iptables -I INPUT -p udp --dport $PORT -j ACCEPT - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then iptables -I INPUT -p tcp --dport $PORT -j ACCEPT fi iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL fi sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL @@ -549,9 +719,9 @@ verb 3" >> /etc/openvpn/server.conf if ! hash semanage 2>/dev/null; then yum install policycoreutils-python -y fi - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then semanage port -a -t openvpn_port_t -p udp $PORT - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then semanage port -a -t openvpn_port_t -p tcp $PORT fi fi @@ -609,9 +779,9 @@ verb 3" >> /etc/openvpn/server.conf fi # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt - if [[ "$PROTOCOL" = 'UDP' ]]; then + if [[ "$PROTOCOL" = '1' ]]; then echo "proto udp" >> /etc/openvpn/client-template.txt - elif [[ "$PROTOCOL" = 'TCP' ]]; then + elif [[ "$PROTOCOL" = '2' ]]; then echo "proto tcp-client" >> /etc/openvpn/client-template.txt fi echo "remote $IP $PORT 
@@ -621,11 +791,11 @@ nobind persist-key persist-tun remote-cert-tls server -auth SHA256 +auth $HMAC_AUTH $CIPHER tls-client tls-version-min 1.2 -tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +tls-cipher $CC_ENC setenv opt block-outside-dns verb 3" >> /etc/openvpn/client-template.txt From 7d56181699a4d4e67835b5b2265e462b98191a7c Mon Sep 17 00:00:00 2001 From: hybtoy Date: Thu, 14 Sep 2017 16:37:57 +0500 Subject: [PATCH 32/51] Update openvpn-install.sh --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 8f7c97d..95c01dc 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -78,6 +78,7 @@ newclient () { #We verify if we used tls-crypt or tls-auth during the installation TLS_SIG=$(cat /etc/openvpn/TLS_SIG) if [[ $TLS_SIG == "1" ]]; then + echo "" >> ~/$1.ovpn cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn echo "" >> ~/$1.ovpn elif [[ $TLS_SIG == "2" ]]; then From d5b5129f086f16de44e8d58f261672f2452289b1 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:09:47 +0200 Subject: [PATCH 33/51] Fix HMAC auth alg menu --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 95c01dc..ead6cad 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -428,8 +428,8 @@ else echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" - while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" ]]; do - read -p "HMAC authentication algorithmHMAC_AUTH [1-3]: " -e -i 2 HMAC_AUTH + while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" ]]; do + read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH done case $HMAC_AUTH in 1) From 7322a711ec2cc86bbb8e88a0f9e469534eae53e8 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:11:16 +0200 Subject: [PATCH 34/51] Fix cert hash alg menu --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/openvpn-install.sh b/openvpn-install.sh index ead6cad..ad386ac 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -380,7 +380,7 @@ else echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" - while [[ $CERT_HASH != "1" && $CERT_HASH != "2" ]]; do + while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3"]]; do read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH done case $CERT_HASH in From 2171003bda786cf43aa220eb3f6a456b57f6a78f Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:12:25 +0200 Subject: [PATCH 35/51] Fix variables --- openvpn-install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index ad386ac..d311edc 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -300,7 +300,7 @@ else DH_CURVE="secp384r1" ;; 3) - DH_CURVE"secp521r1" + DH_CURVE="secp521r1" ;; esac ;; @@ -320,7 +320,7 @@ else DH_SIZE="3072" ;; 3) - DH_SIZE"4096" + DH_SIZE="4096" ;; esac ;; @@ -351,7 +351,7 @@ else CERT_CURVE="secp384r1" ;; 3) - CERT_CURVE"secp521r1" + CERT_CURVE="secp521r1" ;; esac ;; @@ -371,7 +371,7 @@ else RSA_SIZE="3072" ;; 3) - RSA_SIZE"4096" + RSA_SIZE="4096" ;; esac ;; From 8c61a1afbac09fb0e34921f93879660953c4bf54 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 14 Sep 2017 14:19:12 +0200 Subject: [PATCH 36/51] Fix while condition --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d311edc..f6e14d7 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -380,7 +380,7 @@ else echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" - while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3"]]; do + while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH done case $CERT_HASH in From d5e8a69426574facb6ecd6dadee8aba1e66a4620 Mon Sep 17 00:00:00 2001 
From: Angristan Date: Sat, 16 Sep 2017 20:59:31 +0200 Subject: [PATCH 37/51] Fix tls-crypt --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index f6e14d7..924685d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -640,7 +640,7 @@ ca ca.crt cert server.crt key server.key" >> /etc/openvpn/server.conf if [[ $TLS_SIG == "1" ]]; then - echo "tls-auth tls-crypt.key 0" >> /etc/openvpn/server.conf + echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf elif [[ $TLS_SIG == "2" ]]; then echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf fi From 4ec6e24e8153b76ec44ded55644efe41ce30f495 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 11:11:08 +0200 Subject: [PATCH 38/51] More precision concerning the use of "auth" From the OpenVPN wiki: >Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. >If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. Tl;DR: if we're using an AEAD cipher (AES GCM), `auth alg` won't have inpact on the impact channel, but only on the control channel if tls-auth/tls-crypt is enabled. --- openvpn-install.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 924685d..0d92834 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
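Review bot: The trailing `0` on the new `tls-crypt tls-crypt.key 0` line is a tls-auth key-direction argument; a tls-crypt key is used in both directions and the option takes only the key file, so the token is at best ignored and misleads a reader into thinking the client needs `key-direction 1`. Write `echo "tls-crypt tls-crypt.key" >> /etc/openvpn/server.conf`. Whether the client side wraps the key in a matching `<tls-crypt>` block cannot be seen here — the newclient hunk earlier on this page only appends the raw key file for this case — so that should be verified. The server.conf generation continues outside the hunk.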
@@ -424,7 +424,13 @@ else ;; esac fi - echo "Choose which HMAC authentication algorithm you want to use" + if [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" ]]; then + echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:" + fi + if [[ $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; then + echo "Choose which message digest algorithm you want to use for the data channel packets" + echo "and the tls-auth/tls-crypt control channel packets:" + fi echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" From 57d5b6329f3dfe03a6a76addd291455812b50ef7 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 11:16:24 +0200 Subject: [PATCH 39/51] Fix case Doesn't have any impact, but that's how it should be. --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0d92834..a17058a 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -439,13 +439,13 @@ else done case $HMAC_AUTH in 1) - HMAC_AUTH="sha256" + HMAC_AUTH="SHA256" ;; 2) - HMAC_AUTH="sha384" + HMAC_AUTH="SHA384" ;; 3) - HMAC_AUTH="sha512" + HMAC_AUTH="SHA512" ;; esac echo "tls crypt or tls auth" From ff10bd83e67ac6aa8158417b395191e781d1a45c Mon Sep 17 00:00:00 2001 
From: Angristan Date: Sun, 17 Sep 2017 12:19:59 +0200 Subject: [PATCH 40/51] Disable cipher negotiation for 2.4 clients This seems like a little change but it was not easy to find. I want this script to support only OpenVPN 2.4 servers, but also 2.4 and 2.3 clients. The thing is, the OpenVPN 2.3 client doesn't care at all what cipher the server wants to use. The cipher parameter in the client config is the king here. But with OpenVPN 2.4, you can specify whatever cipher you want, the clients and the server will negotiate the best cipher possible, which is AES-256-GCM right now. The use of --ncp-ciphers cipher_list is useless because a 2.3 client will still use its cipher and a 2.4 client will still use AES-256-GCM. I won't detail all my experiments here, but in the end, ncp-disable disable the cipher negotiation for 2.4 clients. But it will only work if the cipher in the server config and the client config are the same, and as they are in the script, it's ok. This is not the best solution because that means if you want to support a 2.3 client, you'll be forced to use one and only one AES-CBC cipher, even with your 2.4 clients, even though you could use a different cipher for each client. But as we're still using AES and OpenVPN 2.4 getting more and more deployed, this is not a too big issue in the end. Also adding menus to to choose what kind of client you want etc would make the script pretty complicated, so this is a good compromise here. TL;DR: ncp-disable enforces a OpenVPN 2.4 client to use the specified cipher in the server and the client config. See here for me details regarding the data channel cipher negotiation in OpenVPN 2.4 : https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAJ --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index a17058a..9e479b5 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -658,6 +658,7 @@ elif [[ $DH_TYPE == "2" ]]; then
 fi
 echo "auth $HMAC_AUTH
 $CIPHER
+ncp-disable
 tls-server
 tls-version-min 1.2
 tls-cipher $CC_ENC
From 75969182043a65dda4d2f1d452db9fa64e8c9480 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 15:36:11 +0200 Subject: [PATCH 41/51] Update openvpn-install.sh Fix https://github.com/Angristan/OpenVPN-install/commit/4ec6e24e8153b76ec44ded55644efe41ce30f495
---
 openvpn-install.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 9e479b5..3702ab4 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -424,10 +424,9 @@ else
 ;;
 esac
 fi
- if [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" ]]; then
+ if [[ $CIPHER = "1" && $CIPHER = "2" && $CIPHER = "3" ]]; then
 echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
- fi
- if [[ $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; then
+ elif [[ $CIPHER = "4" && $CIPHER = "5" && $CIPHER = "6" ]]; then
 echo "Choose which message digest algorithm you want to use for the data channel packets"
 echo "and the tls-auth/tls-crypt control channel packets:"
 fi
From 9f7663303fb8412ff16cb72ca296ea67bfe3dee1 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 15:46:47 +0200 Subject: [PATCH 42/51] Fix if
---
 openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 3702ab4..3e881db 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh 
@@ -424,9 +424,9 @@ else
 ;;
 esac
 fi
- if [[ $CIPHER = "1" && $CIPHER = "2" && $CIPHER = "3" ]]; then
+ if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then
 echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
- elif [[ $CIPHER = "4" && $CIPHER = "5" && $CIPHER = "6" ]]; then
+ elif [[ $CIPHER = "cipher AES-256-CBC" ]] || [[ $CIPHER = "cipher AES-192-CBC" ]] || [[ $CIPHER = "cipher AES-128-CBC" ]]; then
 echo "Choose which message digest algorithm you want to use for the data channel packets"
 echo "and the tls-auth/tls-crypt control channel packets:"
 fi
From a6e2481f50b4b13b97f992b80a3d7c34893e0f80 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 17:34:13 +0200 Subject: [PATCH 43/51] Add 2.4 repo for Ubuntu 16.04 + some cleanup
---
 openvpn-install.sh | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 3e881db..a25d83f 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh 
@@ -471,27 +471,30 @@ else echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update - fi # Debian 8 - if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then + elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt update - fi # Ubuntu 12.04 - if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then + elif [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update - fi # Ubuntu 14.04 - if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then + elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update + # Ubuntu 16.04 + elif [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + apt-get update fi - # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository. + # Ubuntu >= 17.04 and Debian > 9 have OpenVPN 2.4 without the need of a third party repository. # The we install OpenVPN + apt-get update apt-get install openvpn iptables openssl wget ca-certificates curl -y elif [[ "$OS" = 'centos' ]]; then yum install epel-release -y From f4b6742f3630977c8f4fe6b3e079c19cec13ee5b Mon Sep 17 00:00:00 2001 
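Review bot: The rewritten comment `# Ubuntu >= 17.04 and Debian > 9 have OpenVPN 2.4 ...` does not match the chain above it: only Debian 7 and 8 are given the third-party repository, so Debian 9 itself falls through to the distribution package and the comment should say `Debian >= 9`; `# The we install` also wants `# Then we install`. On the new xenial branch, `wget -O - ... | apt-key add -` trusts the downloaded key for every APT source on the host rather than this one repository, and a failed download feeds an empty stream to apt-key unnoticed; at minimum end the wget with `|| exit 1`, and prefer installing the key as a dedicated keyring file under /etc/apt/trusted.gpg.d/ over `apt-key add`. The same pipe already exists in the older branches, so this hunk only widens it. The enclosing install block starts outside the hunk.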
From: Angristan Date: Sun, 17 Sep 2017 17:40:32 +0200 Subject: [PATCH 44/51] Make some space --- openvpn-install.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a25d83f..a350471 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -243,7 +243,6 @@ else echo "unlike some default OpenVPN options" echo '' echo "Choose which cipher you want to use for the data channel:" - echo "" echo " 1) AES-128-GCM (recommended)" echo " 2) AES-192-GCM" echo " 3) AES-256-GCM" @@ -285,6 +284,7 @@ else done case $DH_TYPE in 1) + echo "" echo "Choose which curve you want to use" echo " 1) secp256r1" echo " 2) secp384r1 (recommended)" @@ -305,7 +305,8 @@ else esac ;; 2) - echo "Choose which DH key size do you want to use" + echo"" + echo "Choose which DH key size do you want to use" echo " 1) 2048 bits" echo " 2) 3072 bits (recommended)" echo " 3) 4096 bits" @@ -336,6 +337,7 @@ else done case $CERT_TYPE in 1) + echo "" echo "Choose which curve you want to use:" echo " 1) secp256r1" echo " 2) secp384r1 (recommended)" @@ -356,7 +358,8 @@ else esac ;; 2) - echo "Choose which RSA key size do you want to use:" + echo "" + echo "Choose which RSA key size do you want to use:" echo " 1) 2048 bits" echo " 2) 3072 bits (recommended)" echo " 3) 4096 bits" @@ -376,6 +379,7 @@ else esac ;; esac + echo "" echo "Choose which hash algorithm you want to use for the certificate:" echo " 1) SHA-256" echo " 2) SHA-384 (recommended)" @@ -394,6 +398,7 @@ else CERT_HASH="sha512" ;; esac + echo "" echo "Which cipher to use for the control channel ?" if [[ "$CERT_TYPE" = '1' ]]; then echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)" 
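Review bot: The spacing line added in the `@@ -305` hunk, and the one in the `@@ -424` hunk of this same commit on the next line of the page, use `echo""`, which only prints a blank line because the shell concatenates the empty string onto the command word and runs a bare `echo`; it reads like a typo and any later edit that puts text between the quotes will silently break it. Write `echo ""` as the other added lines in this commit do. The surrounding menu code starts and ends outside these hunks.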
@@ -424,6 +429,7 @@ else ;; esac fi + echo"" if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:" elif [[ $CIPHER = "cipher AES-256-CBC" ]] || [[ $CIPHER = "cipher AES-192-CBC" ]] || [[ $CIPHER = "cipher AES-128-CBC" ]]; then @@ -447,6 +453,7 @@ else HMAC_AUTH="SHA512" ;; esac + echo "" echo "tls crypt or tls auth" echo " 1) tls-crypt (recommended)" echo " 2) tls-auth (use only for openvpn 2.3 compat)" From f6eecf3dcbefb86a1cb5930718e2f03132617ec0 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 18:09:52 +0200 Subject: [PATCH 45/51] Cleanup and rewrites --- openvpn-install.sh | 154 +++++++++++++++++++++++---------------------- 1 file changed, 79 insertions(+), 75 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a350471..a01acf4 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -238,10 +238,12 @@ else done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " - echo "the encryption in OpenVPN and the choices I made in this script." - echo "Please note that all the choices proposed are secure enough considering today's strandards," - echo "unlike some default OpenVPN options" - echo '' + echo "the encryption in OpenVPN and the choices proposed in this script." + echo "Please note that all the choices proposed are secure enough considering today's strandards, unlike some default OpenVPN options" + echo "You can just type "enter" if you don't know what to choose." + echo "Note that if you want to use an OpenVPN 2.3 client, You'll have to choose OpenVPN 2.3-compatible options." + echo "All OpenVPN 2.3-compatible choices are specified for each following option." + echo "" echo "Choose which cipher you want to use for the data channel:" echo " 1) AES-128-GCM (recommended)" echo " 2) AES-192-GCM" 
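Review bot: In the `@@ -238` hunk, `echo "You can just type "enter" if you don't know what to choose."` does not print the word quoted: the inner `"` characters close and reopen the string, so the user sees `type enter`. Escape them, `echo "You can just type \"enter\" if you don't know what to choose."`; the apostrophe in `don't` rules out switching the line to single quotes. The rewritten line above it also still carries `strandards` for `standards`. The enclosing menu block starts outside the hunk.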
@@ -251,7 +253,7 @@ else
 echo " 5) AES-192-CBC"
 echo " 6) AES-256-CBC"
 while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do
- read -p "Cipher [1-7]: " -e -i 1 CIPHER
+ read -p "Data channel cipher [1-6]: " -e -i 1 CIPHER
 done
 case $CIPHER in
 1)
@@ -274,76 +276,23 @@ else ;; esac echo "" - echo "Choose what kind of Diffie-Hellman key you want to use." - echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure." - echo "Use DH for OpenVPN 2.3 compatibilty" - echo " 1) ECDH (recommended)" - echo " 2) DH" - while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do - read -p "DH key size [1-2]: " -e -i 1 DH_TYPE - done - case $DH_TYPE in - 1) - echo "" - echo "Choose which curve you want to use" - echo " 1) secp256r1" - echo " 2) secp384r1 (recommended)" - echo " 3) secp521r1" - while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do - read -p "ECDH [1-3]: " -e -i 2 DH_CURVE - done - case $DH_CURVE in - 1) - DH_CURVE="secp256r1" - ;; - 2) - DH_CURVE="secp384r1" - ;; - 3) - DH_CURVE="secp521r1" - ;; - esac - ;; - 2) - echo"" - echo "Choose which DH key size do you want to use" - echo " 1) 2048 bits" - echo " 2) 3072 bits (recommended)" - echo " 3) 4096 bits" - while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 DH_SIZE - done - case $DH_SIZE in - 1) - DH_SIZE="2048" - ;; - 2) - DH_SIZE="3072" - ;; - 3) - DH_SIZE="4096" - ;; - esac - ;; - esac - echo "" - echo "Choose what kind Certificate key you want to use." - echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure." + echo "Choose what kind of certificate you want to use:" + echo "Elleptic Curves keys (EC) are recommended, they're faster, lighter and more secure." 
echo "Use RSA for OpenVPN 2.3 compatibilty" echo " 1) ECDSA (recommended)" echo " 2) RSA" while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do - read -p "Certificate key [1-2]: " -e -i 1 CERT_TYPE + read -p "Certificate type [1-2]: " -e -i 1 CERT_TYPE done case $CERT_TYPE in 1) echo "" - echo "Choose which curve you want to use:" + echo "Choose which curve you want to use for the EC key:" echo " 1) secp256r1" echo " 2) secp384r1 (recommended)" echo " 3) secp521r1" while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do - read -p "ECDH [1-3]: " -e -i 2 CERT_CURVE + read -p "Curve [1-3]: " -e -i 2 CERT_CURVE done case $CERT_CURVE in 1) @@ -359,7 +308,7 @@ else ;; 2) echo "" - echo "Choose which RSA key size do you want to use:" + echo "Choose which RSA key size you want to use:" echo " 1) 2048 bits" echo " 2) 3072 bits (recommended)" echo " 3) 4096 bits" @@ -385,7 +334,7 @@ else echo " 2) SHA-384 (recommended)" echo " 3) SHA-512" while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do - read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH + read -p "Hash algorithm [1-3]: " -e -i 2 CERT_HASH done case $CERT_HASH in 1) 
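Review bot: The rewritten intro line `echo "Elleptic Curves keys (EC) are recommended, they're faster, lighter and more secure."` misspells Elliptic and mixes plural forms; suggest `echo "Elliptic Curve (EC) keys are recommended: they're faster, lighter and more secure."`. The context line below it, `Use RSA for OpenVPN 2.3 compatibilty`, has the same kind of typo, and both spellings recur in the moved DH block in the next hunk (`@@ -399,12 +348,65 @@`). The surrounding `else` branch begins and ends outside this hunk.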
@@ -399,12 +348,65 @@ else ;; esac echo "" - echo "Which cipher to use for the control channel ?" + echo "Choose what kind of Diffie-Hellman key you want to use." + echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure." + echo "Use DH for OpenVPN 2.3 compatibilty" + echo " 1) ECDH (recommended)" + echo " 2) DH" + while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do + read -p "DH key type [1-2]: " -e -i 1 DH_TYPE + done + case $DH_TYPE in + 1) + echo "" + echo "Choose which curve you want to use for the ECDH key" + echo " 1) secp256r1" + echo " 2) secp384r1 (recommended)" + echo " 3) secp521r1" + while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do + read -p "Curve [1-3]: " -e -i 2 DH_CURVE + done + case $DH_CURVE in + 1) + DH_CURVE="secp256r1" + ;; + 2) + DH_CURVE="secp384r1" + ;; + 3) + DH_CURVE="secp521r1" + ;; + esac + ;; + 2) + echo"" + echo "Choose which DH key size you want to use" + echo " 1) 2048 bits" + echo " 2) 3072 bits (recommended)" + echo " 3) 4096 bits" + while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do + read -p "DH key size [1-3]: " -e -i 2 DH_SIZE + done + case $DH_SIZE in + 1) + DH_SIZE="2048" + ;; + 2) + DH_SIZE="3072" + ;; + 3) + DH_SIZE="4096" + ;; + esac + ;; + esac + echo "" + echo "Choose which cipher you want to use for the control channel:" if [[ "$CERT_TYPE" = '1' ]]; then echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)" echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256" while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do - read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC + read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC done case $CC_ENC in 1) @@ -418,7 +420,7 @@ else echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)" echo " 2) ECDHE-RSA-AES-128-GCM-SHA256" while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do - read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC + read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC done case $CC_ENC in 1) 
@@ -429,6 +431,15 @@ else ;; esac fi + echo "" + echo "Do you want to use tls-crypt or tls-auth?" + echo "They both encrypt and authenticate all control channel packets with a key." + echo "tls-crypt is more advanced and secure than tls-auth, but it's an OpenVPN 2.4 feature." + echo " 1) tls-crypt (recommended)" + echo " 2) tls-auth (use only for OpenVPN 2.3 client compatibility)" + while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do + read -p "Crontrol channel additional security layer [1-2]: " -e -i 1 TLS_SIG + done echo"" if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:" @@ -454,13 +465,6 @@ else ;; esac echo "" - echo "tls crypt or tls auth" - echo " 1) tls-crypt (recommended)" - echo " 2) tls-auth (use only for openvpn 2.3 compat)" - while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do - read -p "tls sig [1-2]: " -e -i 1 TLS_SIG - done - echo "" echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" From d0b1fbbe51fc31f960e3a3de71bb507c090139a3 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 17 Sep 2017 19:53:38 +0200 Subject: [PATCH 46/51] Drop Debian 7 and Ubuntu 12.04 support Debian is oldstable and has a bug with iptables. Ubuntu 12.04 is unsupported. --- openvpn-install.sh | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a01acf4..a524849 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
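Review bot: The new explanation `They both encrypt and authenticate all control channel packets with a key.` is not accurate for option 2: tls-auth only adds an HMAC to control-channel packets (authentication, no encryption), whereas tls-crypt both encrypts and authenticates them. Since this text is what a user reads when deciding whether to take the weaker option, reword it, e.g. `echo "tls-auth authenticates control channel packets with a pre-shared key; tls-crypt also encrypts them."`. The prompt on the new `read` line also has a typo: `read -p "Control channel additional security layer [1-2]: " -e -i 1 TLS_SIG`. The `if`/`elif` chain that follows continues outside the hunk.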
@@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.conf' - if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then + if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install a recent version of OpenVPN on your system." echo "" @@ -477,21 +477,11 @@ else if [[ "$OS" = 'debian' ]]; then apt-get install ca-certificates -y # We add the OpenVPN repo to get the latest version. - # Debian 7 - if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - - apt-get update # Debian 8 elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt update - # Ubuntu 12.04 - elif [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - - apt-get update # Ubuntu 14.04 elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list 
From d057de2309f3874f0caebb4fb3bf4c0d40a61a09 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Sun, 17 Sep 2017 19:55:44 +0200
Subject: [PATCH 47/51] Fix previous commit
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index a524849..21872de 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -478,7 +478,7 @@ else
 apt-get install ca-certificates -y
 # We add the OpenVPN repo to get the latest version.
 # Debian 8
- elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
+ if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
 echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
 wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
 apt update
From 484b601f0270509b4c66cf1dbd9a7408ddbe3547 Mon Sep 17 00:00:00 2001
From: Angristan
Date: Sun, 17 Sep 2017 20:23:11 +0200
Subject: [PATCH 48/51] Compatibility update
Dropped Debian 7 and Ubuntu 12.04 according to https://github.com/Angristan/OpenVPN-install/commit/d0b1fbbe51fc31f960e3a3de71bb507c090139a3
Discovered an issue with Arch Linux : https://github.com/Angristan/OpenVPN-install/issues/99
---
 README.md | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 44d4f97..ac329cf 100644
--- a/README.md
+++ b/README.md
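Review bot: The `if` fix restores the syntax, but the repository key import two lines below it, `wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -`, is still unchecked: the pipeline's status is that of `apt-key`, so a failed download is not noticed and the script goes on to `apt update` and the package install regardless, and `apt-key add` trusts that key for every configured repository rather than only the one written on the line above (the `Signed-By` keyring option that scopes it is not available on the apt shipped with Debian 8, as far as I know). At minimum abort when the fetch fails: `key=$(mktemp) || exit 1`, `wget -qO "$key" https://swupdate.openvpn.net/repos/repo-public.gpg || exit 1`, `apt-key add "$key"`. The rest of the `if` chain is outside this hunk.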
@@ -50,18 +50,22 @@ On the client-side, it's less problematic, but if you want to use an OpenVPN ser ## Compatibility -The script is made to work on these OS and architectures : -- **Debian 7** (i386, amd64) -- **Debian 8** (i386, amd64) -- **Debian 9** (i386, amd64, armhf, arm64) -- **Ubuntu 12.04 LTS** (i386, amd64) -- **Ubuntu 14.04 LTS** (i386, amd64) -- **Ubuntu 16.04 LTS** (i386, amd64) -- **Ubuntu 16.10** (i386, amd64, armhf, arm64) -- **Ubuntu 17.04** (i386, amd64, armhf, arm64) -- **CentOS 6** (i386, amd64) -- **CentOS 7** (i386, amd64, arm64) -- **Arch Linux** (i686, amd64) +| | i386 | amd64 | armhf | arm64 | +|:------------:|:----:|:-----:|:-----:|:-----:| +| Debian 8 | ✔️ | ✔️ | ❌ | ❌ | +| Debian 9 | ✔️ | ✔️ | ✔️ | ✔️ | +| Ubuntu 14.04 | ✔️ | ✔️ | ❌ | ❌ | +| Ubuntu 16.04 | ✔️ | ✔️ | ❌ | ❌ | +| Ubuntu 17.04 | ✔️ | ✔️ | ✔️ | ✔️ | +| CentOS 6 | ✔️ | ✔️ | ❔ | ❔ | +| CentOS 7 | ✔️ | ✔️ | ✔️ | ❔ | +| Arch Linux | ✔️ | ✔️ | ❔ | ❌[(❔)](https://github.com/Angristan/OpenVPN-install/issues/99) | + +- ✔️ = tested and compatible + +- ❔ = untested + +- ❌ = tested and not compatible (It should also work on Debian unstable/testing and Ubuntu beta). From 948b6511b71fbcf37e4730fe90911424c1b42322 Mon Sep 17 00:00:00 2001 From: hybtoy Date: Mon, 25 Sep 2017 10:40:38 +0500 Subject: [PATCH 49/51] "local" option removal Remove "local" option from server.conf. --- openvpn-install.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 21872de..21d10b1 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -598,7 +598,6 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars chmod 644 /etc/openvpn/crl.pem # Generate server.conf - echo "local $IP" > /etc/openvpn/server.conf echo "port $PORT" >> /etc/openvpn/server.conf if [[ "$PROTOCOL" = '1' ]]; then echo "proto udp" >> /etc/openvpn/server.conf From 07de8b9feb3645f8d2ee828205e8389790b3df02 Mon Sep 17 00:00:00 2001 
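Review bot: Removing `local $IP` changes what the server binds: without `local`, OpenVPN listens on the chosen port on every address of the host rather than only the detected public IP, which matters on multi-homed machines (internal interfaces, secondary addresses) and for anything that assumes the service is reachable on a single address. If that is intended, the commit message should say so; otherwise keep the `local` line, or make it conditional on a prompt so users on a single-address VPS can still drop it. The generation of the rest of server.conf and any later use of `$IP` are outside this hunk.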
From: Angristan
Date: Mon, 25 Sep 2017 17:10:06 +0200
Subject: [PATCH 50/51] Update openvpn-install.sh
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 21d10b1..4bd0e58 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -598,7 +598,7 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
 chmod 644 /etc/openvpn/crl.pem
 # Generate server.conf
- echo "port $PORT" >> /etc/openvpn/server.conf
+ echo "port $PORT" > /etc/openvpn/server.conf
 if [[ "$PROTOCOL" = '1' ]]; then
 echo "proto udp" >> /etc/openvpn/server.conf
 elif [[ "$PROTOCOL" = '2' ]]; then
From 4785712d33b8e21be3c0a3385fd499892f036640 Mon Sep 17 00:00:00 2001
From: hybtoy
Date: Tue, 26 Sep 2017 15:49:57 +0500
Subject: [PATCH 51/51] Additional TLS-Cipher and HMAC_Auth
TLS-Cipher - TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
HMAC_Auth - SHA224
---
 openvpn-install.sh | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4bd0e58..ba8c7af 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -419,8 +419,9 @@ else
 elif [[ "$CERT_TYPE" = '2' ]]; then
 echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
 echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
- while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
- read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
+ echo " 3) DHE-RSA-AES-128-GCM-SHA256"
+ while [[ $CC_ENC != "1" && $CC_ENC != "2" && $CC_ENC != "3" ]]; do
+ read -p "Control channel cipher [1-3]: " -e -i 1 CC_ENC
 done
 case $CC_ENC in
 1)
@@ -429,6 +430,9 @@ else
 2)
 CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
 ;;
+ 3)
+ CC_ENC="TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"
+ ;;
 esac
 fi
 echo ""
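Review bot: The new option `3) DHE-RSA-AES-128-GCM-SHA256` (`@@ -419,8 +419,9 @@`) is offered regardless of the Diffie-Hellman choice made earlier, but a DHE TLS suite needs classic DH parameters; if the ECDH path (`DH_TYPE` = 1) generates the server config without a DH file, as it presumably does outside this hunk, the server cannot negotiate that suite and would be set up with a tls-cipher it can never use. Either print option 3 only when `DH_TYPE` is 2, or reject the combination after the `case` with a clear message. The option also lacks the kind of hint the other prompts give (`(recommended)`, OpenVPN 2.3 compatibility), so a user has no way to tell why they would pick it over the ECDHE entries; add one, e.g. `echo " 3) DHE-RSA-AES-128-GCM-SHA256 (requires a DH key, not ECDH)"`. The `elif` chain containing this hunk starts and ends outside it.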
@@ -447,20 +451,24 @@ else echo "Choose which message digest algorithm you want to use for the data channel packets" echo "and the tls-auth/tls-crypt control channel packets:" fi - echo " 1) SHA-256" - echo " 2) SHA-384 (recommended)" - echo " 3) SHA-512" - while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" ]]; do + echo " 1) SHA-224" + echo " 2) SHA-256" + echo " 3) SHA-384 (recommended)" + echo " 4) SHA-512" + while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" && $HMAC_AUTH != "4" ]]; do read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH done case $HMAC_AUTH in 1) - HMAC_AUTH="SHA256" + HMAC_AUTH="SHA224" ;; 2) - HMAC_AUTH="SHA384" + HMAC_AUTH="SHA256" ;; 3) + HMAC_AUTH="SHA384" + ;; + 4) HMAC_AUTH="SHA512" ;; esac
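Review bot: The unchanged `read` line no longer matches the list added above it: the prompt still says `[1-3]` although four answers are now accepted, and `-i 2` now preselects SHA-256 while the entry marked `(recommended)` has moved to 3) SHA-384, so pressing Enter silently yields a different digest than the one the menu recommends and than the default before this patch. Change it to `read -p "HMAC authentication algorithm [1-4]: " -e -i 3 HMAC_AUTH`. The `if`/`elif` that prints the heading begins outside the hunk.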