From 0188c442a287fd86b49e2c574362abf5a990d345 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Thu, 23 Apr 2020 18:49:20 +0200 Subject: [PATCH 01/28] FAQ: Remove obsolete entry Fix #634 --- FAQ.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/FAQ.md b/FAQ.md index 18601a0..4c31f2f 100644 --- a/FAQ.md +++ b/FAQ.md @@ -75,16 +75,8 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s --- -**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox) - -**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox) - ---- - **Q:** What syctl and iptables changes are made by the script? **A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service` Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` - ---- From 72c99f3e8f78d35469c9383d5b6ed445782d3c02 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Fri, 24 Apr 2020 16:00:59 +0000 Subject: [PATCH 02/28] Add FAQ for router clients (#629) --- FAQ.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/FAQ.md b/FAQ.md index 4c31f2f..80db057 100644 --- a/FAQ.md +++ b/FAQ.md @@ -80,3 +80,16 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s **A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service` Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` + +--- + +**Q:** My router can't connect + +**A:** +- `Options error: No closing quotation (") in config.ovpn:46` : + + type `yes` when asked to customize encryption settings and choose `tls-auth` + +- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` : + + see question "Can I use an OpenVPN 2.3 client?" From ecd2b45c9f1f5cc79c76a527d6306757997ea915 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sun, 26 Apr 2020 15:50:57 +0200 Subject: [PATCH 03/28] Delete issue template (blank still available) --- .github/ISSUE_TEMPLATE/somehting-else.md | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/somehting-else.md diff --git a/.github/ISSUE_TEMPLATE/somehting-else.md b/.github/ISSUE_TEMPLATE/somehting-else.md deleted file mode 100644 index 08564b1..0000000 --- a/.github/ISSUE_TEMPLATE/somehting-else.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -name: Something else -about: Not a bug nor a feature request? -title: '' -labels: '' -assignees: '' - ---- - -**Checklist** - -- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md) -- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md) -- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+) -- [ ] My issue is about the script, and not OpenVPN itself - - From 0481e10bcef6a52f415891e3c329cc88da1c7bb2 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 08:39:33 +0000 Subject: [PATCH 04/28] Add FAQ for client-to-client (#631) --- FAQ.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/FAQ.md b/FAQ.md index 80db057..0fa5340 100644 --- a/FAQ.md +++ b/FAQ.md @@ -83,6 +83,12 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` --- +**Q:** How can I access other clients connected to the same OpenVPN server? + +**A:** Add `client-to-client` to your `server.conf` + +--- + **Q:** My router can't connect **A:** From 957712e73d070da52eb6bb923cb016d8df455742 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 13:11:11 +0200 Subject: [PATCH 05/28] docs(readme): update compatibility matrix --- README.md | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index b7cbd01..05eb8ab 100644 --- a/README.md +++ b/README.md @@ -107,20 +107,17 @@ export PASS="1" The script supports these OS and architectures: -| | i386 | amd64 | armhf | arm64 | -| -------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| Centos 8 | ❌ | ✅ | ❔ | ❔ | -| CentOS 7 | ❔ | ✅ | ❌ | ✅ | -| Debian 8 | ✅ | ✅ | ❌ | ❌ | -| Debian 9 | ❌ | ✅ | ✅ | ✅ | -| Debian 10 | ❔ | ✅ | ✅ | ❔ | -| Fedora 27 | ❔ | ✅ | ❔ | ❔ | -| Fedora 28 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ | -| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ | +| | i386 | amd64 | armhf | arm64 | +| --------------- | ---- | ----- | ----- | ----- | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ✅ | +| CentOS 7 | ❔ | ✅ | ❌ | ✅ | +| CentOS 8 | ❌ | ✅ | ❔ | ❔ | +| Debian 8 | ✅ | ✅ | ❌ | ❌ | +| Debian >= 9 | ❌ | ✅ | ✅ | ✅ | +| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ | To be noted: From 3b0c2ace9048421468d60ac8f8f17fb319e58822 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 13:35:32 +0200 Subject: [PATCH 06/28] fix(checkOS): update Ubuntu/Debian compatibility check --- openvpn-install.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4d97cd4..9187ec6 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -22,11 +22,10 @@ function checkOS () { source /etc/os-release if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then - if [[ ! $VERSION_ID =~ (8|9|10) ]]; then + if [[ "$VERSION_ID" -lt 8 ]]; then echo "⚠️ Your version of Debian is not supported." echo "" - echo "However, if you're using Debian >= 9 or unstable/testing then you can continue." - echo "Keep in mind they are not supported, though." + echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk." echo "" until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE @@ -37,11 +36,11 @@ function checkOS () { fi elif [[ "$ID" == "ubuntu" ]];then OS="ubuntu" - if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then + MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1) + if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then echo "⚠️ Your version of Ubuntu is not supported." echo "" - echo "However, if you're using Ubuntu > 17 or beta, then you can continue." - echo "Keep in mind they are not supported, though." + echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk." echo "" until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE From fe0b995bdf68b628ff38aa7529c64d6788881b93 Mon Sep 17 00:00:00 2001 From: John E <44390932+jmeubank@users.noreply.github.com> Date: Mon, 27 Apr 2020 04:56:34 -0700 Subject: [PATCH 07/28] feat(headless): make script idempotent This set of changes adjusts the script so that you can run it multiple times with the same input and not have any unexpected changes. This makes it appropriate for "enforcing state", as required by automated provisioners like Puppet, Salt, Chef, or Ansible. - Unbound, OpenVPN, easy-rsa, and other dependencies are only installed from upstream if they are not already present. This prevents multiple runs of the script from causing unexpected version upgrades. - The easy-rsa system is put in a folder called "easy-rsa-auto" so it can't conflict with the "easy-rsa" folder from some older OpenVPN packages - The easy-rsa CA is only initialized once - SERVER_CN and SERVER_NAME are randomly generated once and saved for future reference - File append ('>>') is only done strictly after a file is created with '>' (e.g. /etc/sysctl.d/20-openvpn.conf) - Clients are only added to easy-rsa once - If AUTO_INSTALL == y, then the script operates in install mode and doesn't enter manageMenu --- README.md | 2 + openvpn-install.sh | 224 +++++++++++++++++++++++++-------------------- 2 files changed, 129 insertions(+), 97 deletions(-) diff --git a/README.md b/README.md index 05eb8ab..bd82d07 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,8 @@ Other variables can be set depending on your choice (encryption, compression). Y Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA. +The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run. + ### Headless User Addition It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script. diff --git a/openvpn-install.sh b/openvpn-install.sh index 9187ec6..5a78e73 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -97,6 +97,7 @@ function initialCheck () { } function installUnbound () { + # If Unbound isn't installed, install it if [[ ! -e /etc/unbound/unbound.conf ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then @@ -136,7 +137,9 @@ prefetch: yes' >> /etc/unbound/unbound.conf # Get root servers list curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache - mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old + if [[ ! -f /etc/unbound/unbound.conf.old ]]; then + mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old + fi echo 'server: use-syslog: yes @@ -595,9 +598,13 @@ function installOpenVPN () { PASS=${PASS:-1} CONTINUE=${CONTINUE:-y} - # Behind NAT, we'll default to the publicly reachable IPv4. - PUBLIC_IPV4=$(curl ifconfig.co) - ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4} + # Behind NAT, we'll default to the publicly reachable IPv4/IPv6. + if [[ $IPV6_SUPPORT == "y" ]]; then + PUBLIC_IP=$(curl https://ifconfig.co) + else + PUBLIC_IP=$(curl -4 https://ifconfig.co) + fi + ENDPOINT=${ENDPOINT:-$PUBLIC_IP} fi # Run setup questions first, and set other variales if auto-install @@ -622,33 +629,42 @@ function installOpenVPN () { fi fi - if [[ "$OS" =~ (debian|ubuntu) ]]; then - apt-get update - apt-get -y install ca-certificates gnupg - # We add the OpenVPN repo to get the latest version. - if [[ "$VERSION_ID" == "8" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + # If OpenVPN isn't installed yet, install it. This script is more-or-less + # idempotent on multiple runs, but will only install OpenVPN from upstream + # the first time. + if [[ ! -e /etc/openvpn/server.conf ]]; then + if [[ "$OS" =~ (debian|ubuntu) ]]; then apt-get update + apt-get -y install ca-certificates gnupg + # We add the OpenVPN repo to get the latest version. + if [[ "$VERSION_ID" = "8" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + apt-get update + fi + if [[ "$VERSION_ID" = "16.04" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + apt-get update + fi + # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. + apt-get install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'centos' ]]; then + yum install -y epel-release + yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' + elif [[ "$OS" = 'amzn' ]]; then + amazon-linux-extras install -y epel + yum install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'fedora' ]]; then + dnf install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'arch' ]]; then + # Install required dependencies and upgrade the system + pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi - if [[ "$VERSION_ID" == "16.04" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - - apt-get update + # An old version of easy-rsa was available by default in some openvpn packages + if [[ -d /etc/openvpn/easy-rsa/ ]]; then + rm -rf /etc/openvpn/easy-rsa/ fi - # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. - apt-get install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" == 'centos' ]]; then - yum install -y epel-release - yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' - elif [[ "$OS" == 'amzn' ]]; then - amazon-linux-extras install -y epel - yum install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" == 'fedora' ]]; then - dnf install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" == 'arch' ]]; then - # Install required dependencies and upgrade the system - pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi # Find out if the machine uses nogroup or nobody for the permissionless group @@ -658,63 +674,70 @@ function installOpenVPN () { NOGROUP=nobody fi - # An old version of easy-rsa was available by default in some openvpn packages - if [[ -d /etc/openvpn/easy-rsa/ ]]; then - rm -rf /etc/openvpn/easy-rsa/ + # Install the latest version of easy-rsa from source, if not already + # installed. + if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then + local version="3.0.6" + wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz + tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/ + mkdir -p /etc/openvpn/easy-rsa + mv ~/EasyRSA-v${version}/* /etc/openvpn/easy-rsa/ + chown -R root:root /etc/openvpn/easy-rsa/ + rm -f ~/EasyRSA-unix-v${version}.tgz + + cd /etc/openvpn/easy-rsa/ || return + case $CERT_TYPE in + 1) + echo "set_var EASYRSA_ALGO ec" > vars + echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars + ;; + 2) + echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars + ;; + esac + + # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name + SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + echo "$SERVER_CN" > SERVER_CN_GENERATED + SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + echo "$SERVER_NAME" > SERVER_NAME_GENERATED + + echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars + + # Create the PKI, set up the CA, the DH params and the server certificate + ./easyrsa init-pki + + # Workaround to remove unharmful error until easy-rsa 3.0.7 + # https://github.com/OpenVPN/easy-rsa/issues/261 + sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf + + ./easyrsa --batch build-ca nopass + + if [[ $DH_TYPE == "2" ]]; then + # ECDH keys are generated on-the-fly so we don't need to generate them beforehand + openssl dhparam -out dh.pem $DH_KEY_SIZE + fi + + ./easyrsa build-server-full "$SERVER_NAME" nopass + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + + case $TLS_SIG in + 1) + # Generate tls-crypt key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key + ;; + 2) + # Generate tls-auth key + openvpn --genkey --secret /etc/openvpn/tls-auth.key + ;; + esac + else + # If easy-rsa is already installed, grab the generated SERVER_NAME + # for client configs + cd /etc/openvpn/easy-rsa/ || return + SERVER_NAME=$(cat SERVER_NAME_GENERATED) fi - # Install the latest version of easy-rsa from source - local version="3.0.6" - wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz - tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/ - mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa - chown -R root:root /etc/openvpn/easy-rsa/ - rm -f ~/EasyRSA-unix-v${version}.tgz - - cd /etc/openvpn/easy-rsa/ || return - case $CERT_TYPE in - 1) - echo "set_var EASYRSA_ALGO ec" > vars - echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars - ;; - 2) - echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars - ;; - esac - - # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name - SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars - - # Create the PKI, set up the CA, the DH params and the server certificate - ./easyrsa init-pki - - # Workaround to remove unharmful error until easy-rsa 3.0.7 - # https://github.com/OpenVPN/easy-rsa/issues/261 - sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf - - ./easyrsa --batch build-ca nopass - - if [[ $DH_TYPE == "2" ]]; then - # ECDH keys are generated on-the-fly so we don't need to generate them beforehand - openssl dhparam -out dh.pem $DH_KEY_SIZE - fi - - ./easyrsa build-server-full "$SERVER_NAME" nopass - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - - case $TLS_SIG in - 1) - # Generate tls-crypt key - openvpn --genkey --secret /etc/openvpn/tls-crypt.key - ;; - 2) - # Generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key - ;; - esac - # Move all the generated files cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn if [[ $DH_TYPE == "2" ]]; then @@ -858,8 +881,8 @@ verb 3" >> /etc/openvpn/server.conf mkdir -p /var/log/openvpn # Enable routing - echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/20-openvpn.conf + if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf fi # Apply sysctl rules @@ -1028,16 +1051,23 @@ function newClient () { read -rp "Select an option [1-2]: " -e -i 1 PASS done - cd /etc/openvpn/easy-rsa/ || return - case $PASS in - 1) - ./easyrsa build-client-full "$CLIENT" nopass - ;; - 2) - echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa build-client-full "$CLIENT" - ;; - esac + CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$") + if [[ "$CLIENTEXISTS" = '1' ]]; then + echo "" + echo "The specified client CN was found in easy-rsa." + else + cd /etc/openvpn/easy-rsa/ || return + case $PASS in + 1) + ./easyrsa build-client-full "$CLIENT" nopass + ;; + 2) + echo "⚠️ You will be asked for the client password below ⚠️" + ./easyrsa build-client-full "$CLIENT" + ;; + esac + echo "Client $CLIENT added." + fi # Home directory of the user, where the client configuration (.ovpn) will be written if [ -e "/home/$CLIENT" ]; then # if $1 is a user name @@ -1086,7 +1116,7 @@ function newClient () { } >> "$homeDir/$CLIENT.ovpn" echo "" - echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn." + echo "The configuration file has been written to $homeDir/$CLIENT.ovpn." echo "Download the .ovpn file and import it in your OpenVPN client." exit 0 @@ -1276,7 +1306,7 @@ function manageMenu () { initialCheck # Check if OpenVPN is already installed -if [[ -e /etc/openvpn/server.conf ]]; then +if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then manageMenu else installOpenVPN From 159ab9af6e5f3764a61cfefea951dd84dbe93ba4 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 12:12:23 +0000 Subject: [PATCH 08/28] refactor(revoke client): remove uneeded cleanup (#607) The deletion of issued files is handled by easy-rsa. See function move_revoked() https://github.com/OpenVPN/easy-rsa/blob/f0129cfe6222820a85db2d394ab73d3c7759c5be/easyrsa3/easyrsa#L1050 --- openvpn-install.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 5a78e73..3071a65 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1143,10 +1143,6 @@ function revokeClient () { cd /etc/openvpn/easy-rsa/ || return ./easyrsa --batch revoke "$CLIENT" EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - # Cleanup - rm -f "pki/reqs/$CLIENT.req" - rm -f "pki/private/$CLIENT.key" - rm -f "pki/issued/$CLIENT.crt" rm -f /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem From 62a4ff3b41d562c1d5c82dd48ff34aa36780b160 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 12:19:25 +0000 Subject: [PATCH 09/28] fix(client conf): ignore block-outside-dns if not supported (#628) --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3071a65..d79620f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1020,6 +1020,7 @@ cipher $CIPHER tls-client tls-version-min 1.2 tls-cipher $CC_CIPHER +ignore-unknown-option block-outside-dns setenv opt block-outside-dns # Prevent Windows 10 DNS leak verb 3" >> /etc/openvpn/client-template.txt From a3e6652d6d63de55c6016b37af9ef20f3d8390cd Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 12:20:04 +0000 Subject: [PATCH 10/28] docs(faq): update DNS not working question (#632) --- FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/FAQ.md b/FAQ.md index 0fa5340..537a165 100644 --- a/FAQ.md +++ b/FAQ.md @@ -71,7 +71,7 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s **Q:** DNS is not working on my Linux client -**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script +**A:** See "How do I fix DNS leaks?" question --- From 8d5bb43aed6a631f77def65a60a61984a16e2252 Mon Sep 17 00:00:00 2001 From: Sidd Date: Mon, 27 Apr 2020 07:22:35 -0500 Subject: [PATCH 11/28] feat(curves): add secp256k1 option (#315) --- README.md | 4 ++-- openvpn-install.sh | 28 ++++++++++++++++++---------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index bd82d07..8e55490 100644 --- a/README.md +++ b/README.md @@ -211,7 +211,7 @@ OpenVPN 2.4 added support for ECDSA. Elliptic curve cryptography is faster, ligh This script provides: -- ECDSA: `prime256v1`/`secp384r1`/`secp521r1` curves +- ECDSA: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves - RSA: `2048`/`3072`/`4096` bits keys It defaults to ECDSA with `prime256v1`. @@ -276,7 +276,7 @@ Also, generating a classic DH keys can take a long, looong time. ECDH keys are e The script provides the following options: -- ECDH: `prime256v1`/`secp384r1`/`secp521r1` curves +- ECDH: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves - DH: `2048`/`3072`/`4096` bits keys It defaults to `prime256v1`. diff --git a/openvpn-install.sh b/openvpn-install.sh index d79620f..ff19a04 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -416,19 +416,23 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the certificate's key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do - read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE + echo " 2) secp256k1" + echo " 3) secp384r1" + echo " 4) secp521r1" + until [[ $CERT_CURVE_CHOICE =~ ^[1-4]$ ]]; do + read -rp"Curve [1-4]: " -e -i 1 CERT_CURVE_CHOICE done case $CERT_CURVE_CHOICE in 1) CERT_CURVE="prime256v1" ;; 2) - CERT_CURVE="secp384r1" + CERT_CURVE="secp256k1" ;; 3) + CERT_CURVE="secp384r1" + ;; + 4) CERT_CURVE="secp521r1" ;; esac @@ -501,19 +505,23 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the ECDH key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do - read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE + echo " 2) secp256k1" + echo " 3) secp384r1" + echo " 4) secp521r1" + until [[ $DH_CURVE_CHOICE =~ ^[1-4]$ ]]; do + read -rp"Curve [1-4]: " -e -i 1 DH_CURVE_CHOICE done case $DH_CURVE_CHOICE in 1) DH_CURVE="prime256v1" ;; 2) - DH_CURVE="secp384r1" + DH_CURVE="secp256k1" ;; 3) + DH_CURVE="secp384r1" + ;; + 4) DH_CURVE="secp521r1" ;; esac From e3139cd8778d62b29b95d61d0cba78c15ba8b1ba Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 14:36:44 +0200 Subject: [PATCH 12/28] Revert "feat(curves): add secp256k1 option (#315)" This reverts commit 8d5bb43aed6a631f77def65a60a61984a16e2252. Tested with Viscosity, doesn't work --- README.md | 4 ++-- openvpn-install.sh | 28 ++++++++++------------------ 2 files changed, 12 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 8e55490..bd82d07 100644 --- a/README.md +++ b/README.md @@ -211,7 +211,7 @@ OpenVPN 2.4 added support for ECDSA. Elliptic curve cryptography is faster, ligh This script provides: -- ECDSA: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves +- ECDSA: `prime256v1`/`secp384r1`/`secp521r1` curves - RSA: `2048`/`3072`/`4096` bits keys It defaults to ECDSA with `prime256v1`. @@ -276,7 +276,7 @@ Also, generating a classic DH keys can take a long, looong time. ECDH keys are e The script provides the following options: -- ECDH: `prime256v1`/`secp256k1`/`secp384r1`/`secp521r1` curves +- ECDH: `prime256v1`/`secp384r1`/`secp521r1` curves - DH: `2048`/`3072`/`4096` bits keys It defaults to `prime256v1`. diff --git a/openvpn-install.sh b/openvpn-install.sh index ff19a04..d79620f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -416,23 +416,19 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the certificate's key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp256k1" - echo " 3) secp384r1" - echo " 4) secp521r1" - until [[ $CERT_CURVE_CHOICE =~ ^[1-4]$ ]]; do - read -rp"Curve [1-4]: " -e -i 1 CERT_CURVE_CHOICE + echo " 2) secp384r1" + echo " 3) secp521r1" + until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do + read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE done case $CERT_CURVE_CHOICE in 1) CERT_CURVE="prime256v1" ;; 2) - CERT_CURVE="secp256k1" - ;; - 3) CERT_CURVE="secp384r1" ;; - 4) + 3) CERT_CURVE="secp521r1" ;; esac @@ -505,23 +501,19 @@ function installQuestions () { echo "" echo "Choose which curve you want to use for the ECDH key:" echo " 1) prime256v1 (recommended)" - echo " 2) secp256k1" - echo " 3) secp384r1" - echo " 4) secp521r1" - until [[ $DH_CURVE_CHOICE =~ ^[1-4]$ ]]; do - read -rp"Curve [1-4]: " -e -i 1 DH_CURVE_CHOICE + echo " 2) secp384r1" + echo " 3) secp521r1" + while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do + read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE done case $DH_CURVE_CHOICE in 1) DH_CURVE="prime256v1" ;; 2) - DH_CURVE="secp256k1" - ;; - 3) DH_CURVE="secp384r1" ;; - 4) + 3) DH_CURVE="secp521r1" ;; esac From 6cc0022dff3025a6d5b1fe0dde6e9a967926fab7 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 27 Apr 2020 14:59:19 +0200 Subject: [PATCH 13/28] style(script): format with shfmt (#638) shfmt -w -s --- openvpn-install.sh | 760 ++++++++++++++++++++++----------------------- 1 file changed, 380 insertions(+), 380 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d79620f..7c2cffc 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -3,26 +3,26 @@ # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux # https://github.com/angristan/openvpn-install -function isRoot () { +function isRoot() { if [ "$EUID" -ne 0 ]; then return 1 fi } -function tunAvailable () { +function tunAvailable() { if [ ! -e /dev/net/tun ]; then return 1 fi } -function checkOS () { +function checkOS() { if [[ -e /etc/debian_version ]]; then OS="debian" # shellcheck disable=SC1091 source /etc/os-release - if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then - if [[ "$VERSION_ID" -lt 8 ]]; then + if [[ $ID == "debian" || $ID == "raspbian" ]]; then + if [[ $VERSION_ID -lt 8 ]]; then echo "⚠️ Your version of Debian is not supported." echo "" echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk." @@ -30,11 +30,11 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" == "n" ]]; then + if [[ $CONTINUE == "n" ]]; then exit 1 fi fi - elif [[ "$ID" == "ubuntu" ]];then + elif [[ $ID == "ubuntu" ]]; then OS="ubuntu" MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1) if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then @@ -45,7 +45,7 @@ function checkOS () { until [[ $CONTINUE =~ (y|n) ]]; do read -rp "Continue? [y/n]: " -e CONTINUE done - if [[ "$CONTINUE" == "n" ]]; then + if [[ $CONTINUE == "n" ]]; then exit 1 fi fi @@ -53,10 +53,10 @@ function checkOS () { elif [[ -e /etc/system-release ]]; then # shellcheck disable=SC1091 source /etc/os-release - if [[ "$ID" == "fedora" ]]; then + if [[ $ID == "fedora" ]]; then OS="fedora" fi - if [[ "$ID" == "centos" ]]; then + if [[ $ID == "centos" ]]; then OS="centos" if [[ ! $VERSION_ID =~ (7|8) ]]; then echo "⚠️ Your version of CentOS is not supported." @@ -66,9 +66,9 @@ function checkOS () { exit 1 fi fi - if [[ "$ID" == "amzn" ]]; then + if [[ $ID == "amzn" ]]; then OS="amzn" - if [[ ! $VERSION_ID == "2" ]]; then + if [[ $VERSION_ID != "2" ]]; then echo "⚠️ Your version of Amazon Linux is not supported." echo "" echo "The script only support Amazon Linux 2." @@ -84,7 +84,7 @@ function checkOS () { fi } -function initialCheck () { +function initialCheck() { if ! isRoot; then echo "Sorry, you need to run this as root" exit 1 @@ -96,11 +96,11 @@ function initialCheck () { checkOS } -function installUnbound () { +function installUnbound() { # If Unbound isn't installed, install it if [[ ! -e /etc/unbound/unbound.conf ]]; then - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get install -y unbound # Configuration @@ -109,9 +109,9 @@ access-control: 10.8.0.1/24 allow hide-identity: yes hide-version: yes use-caps-for-id: yes -prefetch: yes' >> /etc/unbound/unbound.conf +prefetch: yes' >>/etc/unbound/unbound.conf - elif [[ "$OS" =~ (centos|amzn) ]]; then + elif [[ $OS =~ (centos|amzn) ]]; then yum install -y unbound # Configuration @@ -121,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" == "fedora" ]]; then + elif [[ $OS == "fedora" ]]; then dnf install -y unbound # Configuration @@ -131,7 +131,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf - elif [[ "$OS" == "arch" ]]; then + elif [[ $OS == "arch" ]]; then pacman -Syu --noconfirm unbound # Get root servers list @@ -157,10 +157,10 @@ prefetch: yes' >> /etc/unbound/unbound.conf hide-identity: yes hide-version: yes qname-minimisation: yes - prefetch: yes' > /etc/unbound/unbound.conf + prefetch: yes' >/etc/unbound/unbound.conf fi - if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then + if [[ ! $OS =~ (fedora|centos|amzn) ]]; then # DNS Rebinding fix echo "private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 @@ -169,10 +169,10 @@ private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 private-address: 127.0.0.0/8 -private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf +private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf fi else # Unbound is already installed - echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf + echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf # Add Unbound 'server' for the OpenVPN subnet echo 'server: @@ -189,14 +189,14 @@ private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 private-address: 127.0.0.0/8 -private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf +private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf fi - systemctl enable unbound - systemctl restart unbound + systemctl enable unbound + systemctl restart unbound } -function installQuestions () { +function installQuestions() { echo "Welcome to the OpenVPN installer!" echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "" @@ -218,7 +218,7 @@ function installQuestions () { echo "" echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "We need it for the clients to connect to the server." - until [[ "$ENDPOINT" != "" ]]; do + until [[ $ENDPOINT != "" ]]; do read -rp "Public IPv4 address or hostname: " -e ENDPOINT done fi @@ -227,7 +227,7 @@ function installQuestions () { echo "Checking for IPv6 connectivity..." echo "" # "ping6" and "ping -6" availability varies depending on the distribution - if type ping6 > /dev/null 2>&1; then + if type ping6 >/dev/null 2>&1; then PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1" else PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1" @@ -249,22 +249,22 @@ function installQuestions () { echo " 1) Default: 1194" echo " 2) Custom" echo " 3) Random [49152-65535]" - until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do + until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE done case $PORT_CHOICE in - 1) - PORT="1194" + 1) + PORT="1194" ;; - 2) - until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do - read -rp "Custom port [1-65535]: " -e -i 1194 PORT - done + 2) + until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do + read -rp "Custom port [1-65535]: " -e -i 1194 PORT + done ;; - 3) - # Generate random number within private ports range - PORT=$(shuf -i49152-65535 -n1) - echo "Random Port: $PORT" + 3) + # Generate random number within private ports range + PORT=$(shuf -i49152-65535 -n1) + echo "Random Port: $PORT" ;; esac echo "" @@ -272,15 +272,15 @@ function installQuestions () { echo "UDP is faster. Unless it is not available, you shouldn't use TCP." echo " 1) UDP" echo " 2) TCP" - until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do + until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE done case $PROTOCOL_CHOICE in - 1) - PROTOCOL="udp" + 1) + PROTOCOL="udp" ;; - 2) - PROTOCOL="tcp" + 2) + PROTOCOL="tcp" ;; esac echo "" @@ -298,42 +298,42 @@ function installQuestions () { echo " 11) AdGuard DNS (Anycast: worldwide)" echo " 12) NextDNS (Anycast: worldwide)" echo " 13) Custom" - until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do + until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do read -rp "DNS [1-12]: " -e -i 3 DNS - if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then - echo "" - echo "Unbound is already installed." - echo "You can allow the script to configure it in order to use it from your OpenVPN clients" - echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet." - echo "No changes are made to the current configuration." - echo "" + if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then + echo "" + echo "Unbound is already installed." + echo "You can allow the script to configure it in order to use it from your OpenVPN clients" + echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet." + echo "No changes are made to the current configuration." + echo "" - until [[ $CONTINUE =~ (y|n) ]]; do - read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE - done - if [[ $CONTINUE == "n" ]];then - # Break the loop and cleanup - unset DNS - unset CONTINUE - fi - elif [[ $DNS == "13" ]]; then - until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do - read -rp "Primary DNS: " -e DNS1 - done - until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do - read -rp "Secondary DNS (optional): " -e DNS2 - if [[ "$DNS2" == "" ]]; then - break - fi - done + until [[ $CONTINUE =~ (y|n) ]]; do + read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE + done + if [[ $CONTINUE == "n" ]]; then + # Break the loop and cleanup + unset DNS + unset CONTINUE fi + elif [[ $DNS == "13" ]]; then + until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Primary DNS: " -e DNS1 + done + until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Secondary DNS (optional): " -e DNS2 + if [[ $DNS2 == "" ]]; then + break + fi + done + fi done echo "" echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it." until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED done - if [[ $COMPRESSION_ENABLED == "y" ]];then + if [[ $COMPRESSION_ENABLED == "y" ]]; then echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)" echo " 1) LZ4-v2" echo " 2) LZ4" @@ -342,13 +342,13 @@ function installQuestions () { read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE done case $COMPRESSION_CHOICE in - 1) + 1) COMPRESSION_ALG="lz4-v2" ;; - 2) + 2) COMPRESSION_ALG="lz4" ;; - 3) + 3) COMPRESSION_ALG="lzo" ;; esac @@ -362,7 +362,7 @@ function installQuestions () { until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC done - if [[ $CUSTOMIZE_ENC == "n" ]];then + if [[ $CUSTOMIZE_ENC == "n" ]]; then # Use default, sane and fast parameters CIPHER="AES-128-GCM" CERT_TYPE="1" # ECDSA @@ -381,27 +381,27 @@ function installQuestions () { echo " 4) AES-128-CBC" echo " 5) AES-192-CBC" echo " 6) AES-256-CBC" - until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do + until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE done case $CIPHER_CHOICE in - 1) - CIPHER="AES-128-GCM" + 1) + CIPHER="AES-128-GCM" ;; - 2) - CIPHER="AES-192-GCM" + 2) + CIPHER="AES-192-GCM" ;; - 3) - CIPHER="AES-256-GCM" + 3) + CIPHER="AES-256-GCM" ;; - 4) - CIPHER="AES-128-CBC" + 4) + CIPHER="AES-128-CBC" ;; - 5) - CIPHER="AES-192-CBC" + 5) + CIPHER="AES-192-CBC" ;; - 6) - CIPHER="AES-256-CBC" + 6) + CIPHER="AES-256-CBC" ;; esac echo "" @@ -412,81 +412,81 @@ function installQuestions () { read -rp"Certificate key type [1-2]: " -e -i 1 CERT_TYPE done case $CERT_TYPE in + 1) + echo "" + echo "Choose which curve you want to use for the certificate's key:" + echo " 1) prime256v1 (recommended)" + echo " 2) secp384r1" + echo " 3) secp521r1" + until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do + read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE + done + case $CERT_CURVE_CHOICE in 1) - echo "" - echo "Choose which curve you want to use for the certificate's key:" - echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do - read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE - done - case $CERT_CURVE_CHOICE in - 1) - CERT_CURVE="prime256v1" - ;; - 2) - CERT_CURVE="secp384r1" - ;; - 3) - CERT_CURVE="secp521r1" - ;; - esac - ;; + CERT_CURVE="prime256v1" + ;; 2) - echo "" - echo "Choose which size you want to use for the certificate's RSA key:" - echo " 1) 2048 bits (recommended)" - echo " 2) 3072 bits" - echo " 3) 4096 bits" - until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do - read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE - done - case $RSA_KEY_SIZE_CHOICE in - 1) - RSA_KEY_SIZE="2048" - ;; - 2) - RSA_KEY_SIZE="3072" - ;; - 3) - RSA_KEY_SIZE="4096" - ;; - esac + CERT_CURVE="secp384r1" + ;; + 3) + CERT_CURVE="secp521r1" + ;; + esac + ;; + 2) + echo "" + echo "Choose which size you want to use for the certificate's RSA key:" + echo " 1) 2048 bits (recommended)" + echo " 2) 3072 bits" + echo " 3) 4096 bits" + until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do + read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE + done + case $RSA_KEY_SIZE_CHOICE in + 1) + RSA_KEY_SIZE="2048" + ;; + 2) + RSA_KEY_SIZE="3072" + ;; + 3) + RSA_KEY_SIZE="4096" + ;; + esac ;; esac echo "" echo "Choose which cipher you want to use for the control channel:" case $CERT_TYPE in + 1) + echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)" + echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384" + until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do + read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE + done + case $CC_CIPHER_CHOICE in 1) - echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)" - echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384" - until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do - read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE - done - case $CC_CIPHER_CHOICE in - 1) - CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" - ;; - 2) - CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" - ;; - esac - ;; + CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" + ;; 2) - echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)" - echo " 2) ECDHE-RSA-AES-256-GCM-SHA384" - until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do - read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE - done - case $CC_CIPHER_CHOICE in - 1) - CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" - ;; - 2) - CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" - ;; - esac + CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" + ;; + esac + ;; + 2) + echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)" + echo " 2) ECDHE-RSA-AES-256-GCM-SHA384" + until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do + read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE + done + case $CC_CIPHER_CHOICE in + 1) + CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" + ;; + 2) + CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" + ;; + esac ;; esac echo "" @@ -497,54 +497,54 @@ function installQuestions () { read -rp"DH key type [1-2]: " -e -i 1 DH_TYPE done case $DH_TYPE in + 1) + echo "" + echo "Choose which curve you want to use for the ECDH key:" + echo " 1) prime256v1 (recommended)" + echo " 2) secp384r1" + echo " 3) secp521r1" + while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do + read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE + done + case $DH_CURVE_CHOICE in 1) - echo "" - echo "Choose which curve you want to use for the ECDH key:" - echo " 1) prime256v1 (recommended)" - echo " 2) secp384r1" - echo " 3) secp521r1" - while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do - read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE - done - case $DH_CURVE_CHOICE in - 1) - DH_CURVE="prime256v1" - ;; - 2) - DH_CURVE="secp384r1" - ;; - 3) - DH_CURVE="secp521r1" - ;; - esac - ;; + DH_CURVE="prime256v1" + ;; 2) - echo "" - echo "Choose what size of Diffie-Hellman key you want to use:" - echo " 1) 2048 bits (recommended)" - echo " 2) 3072 bits" - echo " 3) 4096 bits" - until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do - read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE - done - case $DH_KEY_SIZE_CHOICE in - 1) - DH_KEY_SIZE="2048" - ;; - 2) - DH_KEY_SIZE="3072" - ;; - 3) - DH_KEY_SIZE="4096" - ;; - esac + DH_CURVE="secp384r1" + ;; + 3) + DH_CURVE="secp521r1" + ;; + esac + ;; + 2) + echo "" + echo "Choose what size of Diffie-Hellman key you want to use:" + echo " 1) 2048 bits (recommended)" + echo " 2) 3072 bits" + echo " 3) 4096 bits" + until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do + read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE + done + case $DH_KEY_SIZE_CHOICE in + 1) + DH_KEY_SIZE="2048" + ;; + 2) + DH_KEY_SIZE="3072" + ;; + 3) + DH_KEY_SIZE="4096" + ;; + esac ;; esac echo "" # The "auth" options behaves differently with AEAD ciphers - if [[ "$CIPHER" =~ CBC$ ]]; then + if [[ $CIPHER =~ CBC$ ]]; then echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel." - elif [[ "$CIPHER" =~ GCM$ ]]; then + elif [[ $CIPHER =~ GCM$ ]]; then echo "The digest algorithm authenticates tls-auth packets from the control channel." fi echo "Which digest algorithm do you want to use for HMAC?" @@ -555,14 +555,14 @@ function installQuestions () { read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE done case $HMAC_ALG_CHOICE in - 1) - HMAC_ALG="SHA256" + 1) + HMAC_ALG="SHA256" ;; - 2) - HMAC_ALG="SHA384" + 2) + HMAC_ALG="SHA384" ;; - 3) - HMAC_ALG="SHA512" + 3) + HMAC_ALG="SHA512" ;; esac echo "" @@ -571,7 +571,7 @@ function installQuestions () { echo " 1) tls-crypt (recommended)" echo " 2) tls-auth" until [[ $TLS_SIG =~ [1-2] ]]; do - read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG + read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG done fi echo "" @@ -583,7 +583,7 @@ function installQuestions () { fi } -function installOpenVPN () { +function installOpenVPN() { if [[ $AUTO_INSTALL == "y" ]]; then # Set default choices so that no questions will be asked. APPROVE_INSTALL=${APPROVE_INSTALL:-y} @@ -612,52 +612,52 @@ function installOpenVPN () { # Get the "public" interface from the default route NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) - if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') fi # $NIC can not be empty for script rm-openvpn-rules.sh - if [[ -z "$NIC" ]]; then - echo - echo "Can not detect public interface." - echo "This needs for setup MASQUERADE." - until [[ $CONTINUE =~ (y|n) ]]; do - read -rp "Continue? [y/n]: " -e CONTINUE - done - if [[ "$CONTINUE" == "n" ]]; then - exit 1 - fi - fi + if [[ -z $NIC ]]; then + echo + echo "Can not detect public interface." + echo "This needs for setup MASQUERADE." + until [[ $CONTINUE =~ (y|n) ]]; do + read -rp "Continue? [y/n]: " -e CONTINUE + done + if [[ $CONTINUE == "n" ]]; then + exit 1 + fi + fi # If OpenVPN isn't installed yet, install it. This script is more-or-less # idempotent on multiple runs, but will only install OpenVPN from upstream # the first time. if [[ ! -e /etc/openvpn/server.conf ]]; then - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get update apt-get -y install ca-certificates gnupg # We add the OpenVPN repo to get the latest version. - if [[ "$VERSION_ID" = "8" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list + if [[ $VERSION_ID == "8" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi - if [[ "$VERSION_ID" = "16.04" ]]; then - echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list + if [[ $VERSION_ID == "16.04" ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. apt-get install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'centos' ]]; then + elif [[ $OS == 'centos' ]]; then yum install -y epel-release yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' - elif [[ "$OS" = 'amzn' ]]; then + elif [[ $OS == 'amzn' ]]; then amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'fedora' ]]; then + elif [[ $OS == 'fedora' ]]; then dnf install -y openvpn iptables openssl wget ca-certificates curl - elif [[ "$OS" = 'arch' ]]; then + elif [[ $OS == 'arch' ]]; then # Install required dependencies and upgrade the system pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl fi @@ -687,22 +687,22 @@ function installOpenVPN () { cd /etc/openvpn/easy-rsa/ || return case $CERT_TYPE in - 1) - echo "set_var EASYRSA_ALGO ec" > vars - echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars + 1) + echo "set_var EASYRSA_ALGO ec" >vars + echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars ;; - 2) - echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars + 2) + echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars ;; esac # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - echo "$SERVER_CN" > SERVER_CN_GENERATED + echo "$SERVER_CN" >SERVER_CN_GENERATED SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - echo "$SERVER_NAME" > SERVER_NAME_GENERATED + echo "$SERVER_NAME" >SERVER_NAME_GENERATED - echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars + echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki @@ -722,13 +722,13 @@ function installOpenVPN () { EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl case $TLS_SIG in - 1) - # Generate tls-crypt key - openvpn --genkey --secret /etc/openvpn/tls-crypt.key + 1) + # Generate tls-crypt key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key ;; - 2) - # Generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key + 2) + # Generate tls-auth key + openvpn --genkey --secret /etc/openvpn/tls-auth.key ;; esac else @@ -748,11 +748,11 @@ function installOpenVPN () { chmod 644 /etc/openvpn/crl.pem # Generate server.conf - echo "port $PORT" > /etc/openvpn/server.conf - if [[ "$IPV6_SUPPORT" == 'n' ]]; then - echo "proto $PROTOCOL" >> /etc/openvpn/server.conf - elif [[ "$IPV6_SUPPORT" == 'y' ]]; then - echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf + echo "port $PORT" >/etc/openvpn/server.conf + if [[ $IPV6_SUPPORT == 'n' ]]; then + echo "proto $PROTOCOL" >>/etc/openvpn/server.conf + elif [[ $IPV6_SUPPORT == 'y' ]]; then + echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf fi echo "dev tun @@ -763,101 +763,101 @@ persist-tun keepalive 10 120 topology subnet server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf +ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf # DNS resolvers case $DNS in - 1) # Current system resolvers - # Locate the proper resolv.conf - # Needed for systems running systemd-resolved - if grep -q "127.0.0.53" "/etc/resolv.conf"; then - RESOLVCONF='/run/systemd/resolve/resolv.conf' - else - RESOLVCONF='/etc/resolv.conf' - fi - # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do - echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf - done + 1) # Current system resolvers + # Locate the proper resolv.conf + # Needed for systems running systemd-resolved + if grep -q "127.0.0.53" "/etc/resolv.conf"; then + RESOLVCONF='/run/systemd/resolve/resolv.conf' + else + RESOLVCONF='/etc/resolv.conf' + fi + # Obtain the resolvers from resolv.conf and use them for OpenVPN + grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do + echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf + done ;; - 2) # Self-hosted DNS resolver (Unbound) - echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf + 2) # Self-hosted DNS resolver (Unbound) + echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf ;; - 3) # Cloudflare - echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf + 3) # Cloudflare + echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf ;; - 4) # Quad9 - echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf + 4) # Quad9 + echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf ;; - 5) # Quad9 uncensored - echo 'push "dhcp-option DNS 9.9.9.10"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 149.112.112.10"' >> /etc/openvpn/server.conf + 5) # Quad9 uncensored + echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf ;; - 6) # FDN - echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf + 6) # FDN + echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf ;; - 7) # DNS.WATCH - echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf + 7) # DNS.WATCH + echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf ;; - 8) # OpenDNS - echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf + 8) # OpenDNS + echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf ;; - 9) # Google - echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf + 9) # Google + echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf ;; - 10) # Yandex Basic - echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf + 10) # Yandex Basic + echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf ;; - 11) # AdGuard DNS - echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf + 11) # AdGuard DNS + echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf ;; - 12) # NextDNS - echo 'push "dhcp-option DNS 45.90.28.167"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 45.90.30.167"' >> /etc/openvpn/server.conf + 12) # NextDNS + echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf + echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf ;; - 13) # Custom DNS - echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf - if [[ "$DNS2" != "" ]]; then - echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf + 13) # Custom DNS + echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf + if [[ $DNS2 != "" ]]; then + echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf fi ;; esac - echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf + echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf # IPv6 network settings if needed - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ $IPV6_SUPPORT == 'y' ]]; then echo 'server-ipv6 fd42:42:42:42::/112 tun-ipv6 push tun-ipv6 push "route-ipv6 2000::/3" -push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf +push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf fi - if [[ $COMPRESSION_ENABLED == "y" ]]; then - echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf + if [[ $COMPRESSION_ENABLED == "y" ]]; then + echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf fi if [[ $DH_TYPE == "1" ]]; then - echo "dh none" >> /etc/openvpn/server.conf - echo "ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf + echo "dh none" >>/etc/openvpn/server.conf + echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf elif [[ $DH_TYPE == "2" ]]; then - echo "dh dh.pem" >> /etc/openvpn/server.conf + echo "dh dh.pem" >>/etc/openvpn/server.conf fi case $TLS_SIG in - 1) - echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf + 1) + echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf ;; - 2) - echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf + 2) + echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf ;; esac @@ -873,7 +873,7 @@ tls-version-min 1.2 tls-cipher $CC_CIPHER client-config-dir /etc/openvpn/ccd status /var/log/openvpn/status.log -verb 3" >> /etc/openvpn/server.conf +verb 3" >>/etc/openvpn/server.conf # Create client-config-dir dir mkdir -p /etc/openvpn/ccd @@ -881,9 +881,9 @@ verb 3" >> /etc/openvpn/server.conf mkdir -p /var/log/openvpn # Enable routing - echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/20-openvpn.conf - if [[ "$IPV6_SUPPORT" = 'y' ]]; then - echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf + echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf + if [[ $IPV6_SUPPORT == 'y' ]]; then + echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf fi # Apply sysctl rules sysctl --system @@ -891,14 +891,14 @@ verb 3" >> /etc/openvpn/server.conf # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then + if [[ $PORT != '1194' ]]; then semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT" fi fi fi # Finally, restart and enable OpenVPN - if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then + if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then # Don't modify package-provided service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service @@ -907,14 +907,14 @@ verb 3" >> /etc/openvpn/server.conf # Another workaround to keep using /etc/openvpn/ sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service # On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service - if [[ "$OS" == "fedora" ]];then + if [[ $OS == "fedora" ]]; then sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service fi systemctl daemon-reload systemctl enable openvpn-server@server systemctl restart openvpn-server@server - elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then + elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then # On Ubuntu 16.04, we use the package from the OpenVPN repo # This package uses a sysvinit service systemctl enable openvpn @@ -933,7 +933,7 @@ verb 3" >> /etc/openvpn/server.conf systemctl restart openvpn@server fi - if [[ $DNS == 2 ]];then + if [[ $DNS == 2 ]]; then installUnbound fi @@ -946,13 +946,13 @@ iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -I INPUT 1 -i tun0 -j ACCEPT iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT -iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh +iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ $IPV6_SUPPORT == 'y' ]]; then echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT -ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh +ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh fi # Script to remove rules @@ -961,13 +961,13 @@ iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -D INPUT -i tun0 -j ACCEPT iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT -iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh +iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh - if [[ "$IPV6_SUPPORT" == 'y' ]]; then + if [[ $IPV6_SUPPORT == 'y' ]]; then echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT -ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh +ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh fi chmod +x /etc/iptables/add-openvpn-rules.sh @@ -986,7 +986,7 @@ ExecStop=/etc/iptables/rm-openvpn-rules.sh RemainAfterExit=yes [Install] -WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service +WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service # Enable service and apply rules systemctl daemon-reload @@ -994,17 +994,17 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service systemctl start iptables-openvpn # If the server is behind a NAT, use the correct IP address for the clients to connect to - if [[ "$ENDPOINT" != "" ]]; then + if [[ $ENDPOINT != "" ]]; then IP=$ENDPOINT fi # client-template.txt is created so we have a template to add further users later - echo "client" > /etc/openvpn/client-template.txt - if [[ "$PROTOCOL" == 'udp' ]]; then - echo "proto udp" >> /etc/openvpn/client-template.txt - echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt - elif [[ "$PROTOCOL" == 'tcp' ]]; then - echo "proto tcp-client" >> /etc/openvpn/client-template.txt + echo "client" >/etc/openvpn/client-template.txt + if [[ $PROTOCOL == 'udp' ]]; then + echo "proto udp" >>/etc/openvpn/client-template.txt + echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt + elif [[ $PROTOCOL == 'tcp' ]]; then + echo "proto tcp-client" >>/etc/openvpn/client-template.txt fi echo "remote $IP $PORT dev tun @@ -1022,23 +1022,23 @@ tls-version-min 1.2 tls-cipher $CC_CIPHER ignore-unknown-option block-outside-dns setenv opt block-outside-dns # Prevent Windows 10 DNS leak -verb 3" >> /etc/openvpn/client-template.txt +verb 3" >>/etc/openvpn/client-template.txt -if [[ $COMPRESSION_ENABLED == "y" ]]; then - echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt -fi + if [[ $COMPRESSION_ENABLED == "y" ]]; then + echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt + fi # Generate the custom client.ovpn newClient echo "If you want to add more clients, you simply need to run this script another time!" } -function newClient () { +function newClient() { echo "" echo "Tell me a name for the client." echo "Use one word only, no special characters." - until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do + until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do read -rp "Client name: " -e CLIENT done @@ -1048,30 +1048,30 @@ function newClient () { echo " 1) Add a passwordless client" echo " 2) Use a password for the client" - until [[ "$PASS" =~ ^[1-2]$ ]]; do + until [[ $PASS =~ ^[1-2]$ ]]; do read -rp "Select an option [1-2]: " -e -i 1 PASS done CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$") - if [[ "$CLIENTEXISTS" = '1' ]]; then + if [[ $CLIENTEXISTS == '1' ]]; then echo "" echo "The specified client CN was found in easy-rsa." else cd /etc/openvpn/easy-rsa/ || return case $PASS in - 1) - ./easyrsa build-client-full "$CLIENT" nopass + 1) + ./easyrsa build-client-full "$CLIENT" nopass ;; - 2) + 2) echo "⚠️ You will be asked for the client password below ⚠️" - ./easyrsa build-client-full "$CLIENT" + ./easyrsa build-client-full "$CLIENT" ;; esac echo "Client $CLIENT added." fi # Home directory of the user, where the client configuration (.ovpn) will be written - if [ -e "/home/$CLIENT" ]; then # if $1 is a user name + if [ -e "/home/$CLIENT" ]; then # if $1 is a user name homeDir="/home/$CLIENT" elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" @@ -1102,19 +1102,19 @@ function newClient () { echo "" case $TLS_SIG in - 1) - echo "" - cat /etc/openvpn/tls-crypt.key - echo "" + 1) + echo "" + cat /etc/openvpn/tls-crypt.key + echo "" ;; - 2) - echo "key-direction 1" - echo "" - cat /etc/openvpn/tls-auth.key - echo "" + 2) + echo "key-direction 1" + echo "" + cat /etc/openvpn/tls-auth.key + echo "" ;; esac - } >> "$homeDir/$CLIENT.ovpn" + } >>"$homeDir/$CLIENT.ovpn" echo "" echo "The configuration file has been written to $homeDir/$CLIENT.ovpn." @@ -1123,9 +1123,9 @@ function newClient () { exit 0 } -function revokeClient () { +function revokeClient() { NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") - if [[ "$NUMBEROFCLIENTS" == '0' ]]; then + if [[ $NUMBEROFCLIENTS == '0' ]]; then echo "" echo "You have no existing clients!" exit 1 @@ -1134,7 +1134,7 @@ function revokeClient () { echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - if [[ "$NUMBEROFCLIENTS" == '1' ]]; then + if [[ $NUMBEROFCLIENTS == '1' ]]; then read -rp "Select one client [1]: " CLIENTNUMBER else read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER @@ -1155,7 +1155,7 @@ function revokeClient () { echo "Certificate for client $CLIENT revoked." } -function removeUnbound () { +function removeUnbound() { # Remove OpenVPN-related config sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf rm /etc/unbound/openvpn.conf @@ -1166,17 +1166,17 @@ function removeUnbound () { read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND done - if [[ "$REMOVE_UNBOUND" == 'y' ]]; then + if [[ $REMOVE_UNBOUND == 'y' ]]; then # Stop Unbound systemctl stop unbound - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get autoremove --purge -y unbound - elif [[ "$OS" == 'arch' ]]; then + elif [[ $OS == 'arch' ]]; then pacman --noconfirm -R unbound - elif [[ "$OS" =~ (centos|amzn) ]]; then + elif [[ $OS =~ (centos|amzn) ]]; then yum remove -y unbound - elif [[ "$OS" == 'fedora' ]]; then + elif [[ $OS == 'fedora' ]]; then dnf remove -y unbound fi @@ -1191,21 +1191,21 @@ function removeUnbound () { fi } -function removeOpenVPN () { +function removeOpenVPN() { echo "" # shellcheck disable=SC2034 read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE - if [[ "$REMOVE" == 'y' ]]; then + if [[ $REMOVE == 'y' ]]; then # Get OpenVPN port from the configuration PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) # Stop OpenVPN - if [[ "$OS" =~ (fedora|arch|centos) ]]; then + if [[ $OS =~ (fedora|arch|centos) ]]; then systemctl disable openvpn-server@server systemctl stop openvpn-server@server # Remove customised service rm /etc/systemd/system/openvpn-server@.service - elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then + elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then systemctl disable openvpn systemctl stop openvpn else @@ -1227,23 +1227,23 @@ function removeOpenVPN () { # SELinux if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then + if [[ $PORT != '1194' ]]; then semanage port -d -t openvpn_port_t -p udp "$PORT" fi fi fi - if [[ "$OS" =~ (debian|ubuntu) ]]; then + if [[ $OS =~ (debian|ubuntu) ]]; then apt-get autoremove --purge -y openvpn - if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then + if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then rm /etc/apt/sources.list.d/openvpn.list apt-get update fi - elif [[ "$OS" == 'arch' ]]; then + elif [[ $OS == 'arch' ]]; then pacman --noconfirm -R openvpn - elif [[ "$OS" =~ (centos|amzn) ]]; then + elif [[ $OS =~ (centos|amzn) ]]; then yum remove -y openvpn - elif [[ "$OS" == 'fedora' ]]; then + elif [[ $OS == 'fedora' ]]; then dnf remove -y openvpn fi @@ -1267,7 +1267,7 @@ function removeOpenVPN () { fi } -function manageMenu () { +function manageMenu() { clear echo "Welcome to OpenVPN-install!" echo "The git repository is available at: https://github.com/angristan/openvpn-install" @@ -1279,22 +1279,22 @@ function manageMenu () { echo " 2) Revoke existing user" echo " 3) Remove OpenVPN" echo " 4) Exit" - until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do + until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do read -rp "Select an option [1-4]: " MENU_OPTION done case $MENU_OPTION in - 1) - newClient + 1) + newClient ;; - 2) - revokeClient + 2) + revokeClient ;; - 3) - removeOpenVPN + 3) + removeOpenVPN ;; - 4) - exit 0 + 4) + exit 0 ;; esac } From 0f871f26d8093a88b91666063733de1d905d79b7 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 27 Apr 2020 15:01:15 +0200 Subject: [PATCH 14/28] ci(lint): add shfmt job (#639) --- .github/workflows/push.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index c6a36b9..2be7614 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -1,5 +1,5 @@ on: [push, pull_request] -name: ShellCheck +name: Lint jobs: shellcheck: runs-on: ubuntu-latest @@ -9,3 +9,11 @@ jobs: uses: ludeeus/action-shellcheck@0.0.1 with: args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 + shfmt: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: shfmt + uses: bltavares/actions/shfmt@master + env: + SHFMT_ARGS: -d From b4cbb54320cf778ffb48c8d0aa54d3c265455645 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 27 Apr 2020 15:21:32 +0200 Subject: [PATCH 15/28] ci(workflow): don't run jobs twice on PRs (#640) --- .github/workflows/push.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index 2be7614..fba20c3 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -1,4 +1,11 @@ -on: [push, pull_request] +on: + push: + branches: + - master + pull_request: + branches: + - master + name: Lint jobs: shellcheck: From 08aeed2c5b28757ca834bfb066d08fd99e41e3c1 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 15:26:20 +0200 Subject: [PATCH 16/28] docs(readme): add notes about bash formatting --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index bd82d07..a786a5f 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,10 @@ Solutions that provision a ready to use OpenVPN server based on this script in o - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) +## Contributing / Code formatting + +We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). + ## Security and Encryption From af3bf12bb659bc37219db0499491fd9fd464c7bb Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 15:31:36 +0200 Subject: [PATCH 17/28] style(readme): format markdown --- README.md | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index a786a5f..d49925b 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,7 @@ If you have any question, head to the [FAQ](#faq) first. Please read everything It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner. Example usage: + ```bash AUTO_INSTALL=y ./openvpn-install.sh @@ -79,6 +80,7 @@ The headless install is more-or-less idempotent, in that it has been made safe t It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script. The following Bash script adds a new user `foo` to an existing OpenVPN configuration + ```bash #!/bin/bash export MENU_OPTION="1" @@ -111,15 +113,15 @@ The script supports these OS and architectures: | | i386 | amd64 | armhf | arm64 | | --------------- | ---- | ----- | ----- | ----- | -| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | -| Arch Linux | ❔ | ✅ | ❔ | ✅ | -| CentOS 7 | ❔ | ✅ | ❌ | ✅ | -| CentOS 8 | ❌ | ✅ | ❔ | ❔ | -| Debian 8 | ✅ | ✅ | ❌ | ❌ | -| Debian >= 9 | ❌ | ✅ | ✅ | ✅ | -| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ✅ | +| CentOS 7 | ❔ | ✅ | ❌ | ✅ | +| CentOS 8 | ❌ | ✅ | ❔ | ❔ | +| Debian 8 | ✅ | ✅ | ❌ | ❌ | +| Debian >= 9 | ❌ | ✅ | ✅ | ✅ | +| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ | To be noted: @@ -141,9 +143,9 @@ More Q&A in [FAQ.md](FAQ.md). **A:** I recommend these: -- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month +- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month -- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month +- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month --- @@ -173,17 +175,16 @@ More Q&A in [FAQ.md](FAQ.md). More Q&A in [FAQ.md](FAQ.md). -## One-stop solutions for public cloud +## One-stop solutions for public cloud Solutions that provision a ready to use OpenVPN server based on this script in one go are available for: - - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) +- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) ## Contributing / Code formatting We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml). - ## Security and Encryption OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that. @@ -193,6 +194,7 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete. Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. + ### Compression By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. @@ -230,11 +232,11 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old > > Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details. ->Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See ​https://sweet32.info/ for a much better and more elaborate explanation. +> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation. > > OpenVPN's default cipher, BF-CBC, is affected by this attack. -Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted. +Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia]() are not vulnerable to date but are slower than AES and relatively less trusted. > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM. @@ -253,7 +255,7 @@ The script supports the following ciphers: And defaults to `AES-128-GCM`. -OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above. +OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above. ### Control channel @@ -314,6 +316,7 @@ About `tls-crypt`: > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) > > Encrypting (and authenticating) control channel packets: +> > - provides more privacy by hiding the certificate used for the TLS connection, > - makes it harder to identify OpenVPN traffic as such, > - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy). From c2d7729c2033c55de354a82299e9b9afce325f6a Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 15:32:05 +0200 Subject: [PATCH 18/28] style(faq): format markdown --- FAQ.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/FAQ.md b/FAQ.md index 537a165..a058b4b 100644 --- a/FAQ.md +++ b/FAQ.md @@ -20,6 +20,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you On Linux you need to add these lines to your `.ovpn` file based on your Distribution. Debian 9, 10 and Ubuntu 16.04, 18.04 + ``` script-security 2 up /etc/openvpn/update-resolv-conf @@ -27,6 +28,7 @@ down /etc/openvpn/update-resolv-conf ``` Centos 6, 7 + ``` script-security 2 up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up @@ -34,6 +36,7 @@ down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down ``` Centos 8, Fedora 30, 31 + ``` script-security 2 up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up @@ -41,6 +44,7 @@ down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down ``` Arch Linux + ``` script-security 2 up /usr/share/openvpn/contrib/pull-resolv-conf/client.up @@ -92,10 +96,11 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf` **Q:** My router can't connect **A:** + - `Options error: No closing quotation (") in config.ovpn:46` : - type `yes` when asked to customize encryption settings and choose `tls-auth` + type `yes` when asked to customize encryption settings and choose `tls-auth` - `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` : - see question "Can I use an OpenVPN 2.3 client?" + see question "Can I use an OpenVPN 2.3 client?" From 87bfd046dd768175045850873e063d5c9ab96561 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 15:42:47 +0200 Subject: [PATCH 19/28] docs(readme): fix english punctuation --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d49925b..f00b73d 100644 --- a/README.md +++ b/README.md @@ -8,14 +8,14 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar ## Usage -First, get the script and make it executable : +First, get the script and make it executable: ```bash curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh chmod +x openvpn-install.sh ``` -Then run it : +Then run it: ```sh ./openvpn-install.sh @@ -25,7 +25,7 @@ You need to run the script as root and have the TUN module enabled. The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server. -When OpenVPN is installed, you can run the script again, and you will get the choice to : +When OpenVPN is installed, you can run the script again, and you will get the choice to: - Add a client - Remove a client @@ -240,7 +240,7 @@ Indeed, AES is today's standard. It's the fastest and more secure cipher availab > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM. -AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source : [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack). +AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack). AES-GCM is an [AEAD cipher](https://en.wikipedia.org/wiki/Authenticated_encryption) which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data. From 3b2c84b94d17c636a148148873d08c55bee9acbf Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Mon, 27 Apr 2020 14:03:55 +0000 Subject: [PATCH 20/28] fix(selinux): fix deletion of selinux policy (#555) --- openvpn-install.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 7c2cffc..1928158 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1198,6 +1198,7 @@ function removeOpenVPN() { if [[ $REMOVE == 'y' ]]; then # Get OpenVPN port from the configuration PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) + PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) # Stop OpenVPN if [[ $OS =~ (fedora|arch|centos) ]]; then @@ -1227,8 +1228,8 @@ function removeOpenVPN() { # SELinux if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ $PORT != '1194' ]]; then - semanage port -d -t openvpn_port_t -p udp "$PORT" + if [[ "$PORT" != '1194' ]]; then + semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT" fi fi fi From 29980e6befc6bfa95578badd5afa9e479cfaf1d1 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 16:05:51 +0200 Subject: [PATCH 21/28] style(script) format with shfmt --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1928158..cfe9c4f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1228,7 +1228,7 @@ function removeOpenVPN() { # SELinux if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then + if [[ $PORT != '1194' ]]; then semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT" fi fi From fdb35b86c6ea2927df553d8bfacfb362a479ba01 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 16:19:09 +0200 Subject: [PATCH 22/28] fix(fedora): install policycoreutils-python-utils for selinux --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index cfe9c4f..4b1479f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -656,7 +656,7 @@ function installOpenVPN() { amazon-linux-extras install -y epel yum install -y openvpn iptables openssl wget ca-certificates curl elif [[ $OS == 'fedora' ]]; then - dnf install -y openvpn iptables openssl wget ca-certificates curl + dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils elif [[ $OS == 'arch' ]]; then # Install required dependencies and upgrade the system pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl From 2a35a3db16cb45e6c1d53f3def81f3a029c14f97 Mon Sep 17 00:00:00 2001 From: Henry N Date: Mon, 27 Apr 2020 16:24:30 +0200 Subject: [PATCH 23/28] refactor(install): simplify detection of public IP4, add fallback to IPv6 (#589) --- openvpn-install.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4b1479f..0354bc3 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -208,7 +208,11 @@ function installQuestions() { echo "Unless your server is behind NAT, it should be your public IPv4 address." # Detect public IPv4 address and pre-fill for the user - IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) + IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) + if [[ -z "$IP" ]]; then + # Detect public IPv6 address + IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) + fi APPROVE_IP=${APPROVE_IP:-n} if [[ $APPROVE_IP =~ n ]]; then read -rp "IP address: " -e -i "$IP" IP From c758418c6d2ec47e3e5f9e0768e7e4dfb59f1a6a Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 16:25:20 +0200 Subject: [PATCH 24/28] style(script) format with shfmt --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0354bc3..8eaae90 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -209,7 +209,7 @@ function installQuestions() { # Detect public IPv4 address and pre-fill for the user IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) - if [[ -z "$IP" ]]; then + if [[ -z $IP ]]; then # Detect public IPv6 address IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1) fi From f411d9dec7a0879dd2166573375287130c096166 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 17:35:30 +0200 Subject: [PATCH 25/28] fix(revokeClient): fix prompt input check fix #477 #590 --- openvpn-install.sh | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 8eaae90..2f9972f 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1138,12 +1138,13 @@ function revokeClient() { echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - if [[ $NUMBEROFCLIENTS == '1' ]]; then - read -rp "Select one client [1]: " CLIENTNUMBER - else - read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER - fi - + until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do + if [[ $CLIENTNUMBER == '1' ]]; then + read -rp "Select one client [1]: " CLIENTNUMBER + else + read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER + fi + done CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) cd /etc/openvpn/easy-rsa/ || return ./easyrsa --batch revoke "$CLIENT" From 96e6ea71e9094c3b5bce52489e4f8262bb14b16c Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 17:45:58 +0200 Subject: [PATCH 26/28] fix(newClient): exit if client name already taken fix #613 --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2f9972f..27bb1c1 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1059,7 +1059,8 @@ function newClient() { CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$") if [[ $CLIENTEXISTS == '1' ]]; then echo "" - echo "The specified client CN was found in easy-rsa." + echo "The specified client CN was already found in easy-rsa, please choose another name." + exit else cd /etc/openvpn/easy-rsa/ || return case $PASS in From 182c43316ff9acd8ac46c6d548deda166893e213 Mon Sep 17 00:00:00 2001 From: Henry N Date: Mon, 27 Apr 2020 18:04:18 +0200 Subject: [PATCH 27/28] feat(install): get system IPv6 resolvers if enabled (#599) --- openvpn-install.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 27bb1c1..72122b0 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -780,8 +780,11 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf RESOLVCONF='/etc/resolv.conf' fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do - echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf + sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do + # Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter + if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then + echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf + fi done ;; 2) # Self-hosted DNS resolver (Unbound) From 369c8dadaa9e7819d2e24e8e5908efae23f632b9 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Mon, 27 Apr 2020 18:06:59 +0200 Subject: [PATCH 28/28] refactor(menu): remove clear console --- openvpn-install.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 72122b0..c76b8d3 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1278,7 +1278,6 @@ function removeOpenVPN() { } function manageMenu() { - clear echo "Welcome to OpenVPN-install!" echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo ""