diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..7d1aa44 --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1,3 @@ +patreon: angristan +liberapay: angristan +ko_fi: angristan diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 40547d5..617414b 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -2,10 +2,12 @@ Before opening an issue, please make sure: -- You installed OpenVPN with the lastest version of the script +- You installed OpenVPN with the latest version of the script - You read the FAQ - Your issue is about the script, NOT OpenVPN itself - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed +FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode. + You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/ ---> diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml new file mode 100644 index 0000000..5fa44e3 --- /dev/null +++ b/.github/workflows/push.yml @@ -0,0 +1,11 @@ +on: push +name: ShellCheck +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: shellcheck + uses: actions/bin/shellcheck@master + with: + args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 2b6c9e9..0000000 --- a/.travis.yml +++ /dev/null @@ -1,4 +0,0 @@ -language: shell - -script: - - shellcheck -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 openvpn-install.sh diff --git a/LICENSE b/LICENSE index 1727729..af58bae 100644 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,7 @@ MIT License Copyright (c) 2013 Nyr -Copyright (c) 2016 Angristan (Stanislas Lange) +Copyright (c) 2016 Stanislas Lange (angristan) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in diff --git a/README.md b/README.md index d2cadce..3d9d691 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,5 @@ # openvpn-install -[![Travis CI](https://travis-ci.com/angristan/openvpn-install.svg?branch=master)](https://travis-ci.com/angristan/openvpn-install) - OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux. This script will let you setup your own secure VPN server in just a few seconds. @@ -13,7 +11,7 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar First, get the script and make it executable : ```bash -curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh +curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh chmod +x openvpn-install.sh ``` @@ -97,7 +95,7 @@ export PASS="1" - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations) - Choice between TCP and UDP - NATed IPv6 support -- Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise. +- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise. - Unprivileged mode: run as `nobody`/`nogroup` - Block DNS leaks on Windows 10 - Randomised server certificate name @@ -108,17 +106,19 @@ export PASS="1" The script supports these OS and architectures: -| | i386 | amd64 | armhf | arm64 | -| ------------ | ---- | ----- | ----- | ----- | -| Arch Linux | ❔ | ✅ | ❔ | ❔ | -| CentOS 7 | ❔ | ✅ | ❌ | ✅ | -| Debian 8 | ✅ | ✅ | ❌ | ❌ | -| Debian 9 | ❌ | ✅ | ✅ | ✅ | -| Fedora 27 | ❔ | ✅ | ❔ | ❔ | -| Fedora 28 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ | -| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ | +| | i386 | amd64 | armhf | arm64 | +| -------------- | ---- | ----- | ----- | ----- | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ❔ | +| CentOS 7 | ❔ | ✅ | ❌ | ✅ | +| Debian 8 | ✅ | ✅ | ❌ | ❌ | +| Debian 9 | ❌ | ✅ | ✅ | ✅ | +| Debian 10 | ❔ | ✅ | ✅ | ❔ | +| Fedora 27 | ❔ | ✅ | ❔ | ❔ | +| Fedora 28 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ | +| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ | To be noted: @@ -183,7 +183,7 @@ If you want more information about an option mentioned below, head to the [OpenV Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. ### Compression -By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorithms, the latter being more efficient. +By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. @@ -278,11 +278,9 @@ It defaults to `prime256v1`. From the OpenVPN wiki, about `--auth`: > Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. -> +> > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. -SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks). - The script provides the following choices: - `SHA256` @@ -296,13 +294,13 @@ It defaults to `SHA256`. From the OpenVPN wiki, about `tls-auth`: > Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. -> +> > In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response. About `tls-crypt`: > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) -> +> > Encrypting (and authenticating) control channel packets: > - provides more privacy by hiding the certificate used for the TLS connection, > - makes it harder to identify OpenVPN traffic as such, diff --git a/Vagrantfile b/Vagrantfile index b2a7847..4dd0973 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false # else, run `vagrant up ` machines = [ + { hostname: 'debian-10', box: 'debian/stretch64' }, { hostname: 'debian-9', box: 'debian/stretch64' }, { hostname: 'debian-8', box: 'debian/jessie64' }, { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' }, diff --git a/openvpn-install.sh b/openvpn-install.sh index 3fa2fe9..d624db4 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux +# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux # https://github.com/angristan/openvpn-install function isRoot () { @@ -20,8 +20,8 @@ function checkOS () { OS="debian" source /etc/os-release - if [[ "$ID" == "debian" ]]; then - if [[ ! $VERSION_ID =~ (8|9) ]]; then + if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then + if [[ ! $VERSION_ID =~ (8|9|10) ]]; then echo "⚠️ Your version of Debian is not supported." echo "" echo "However, if you're using Debian >= 9 or unstable/testing then you can continue." @@ -50,27 +50,34 @@ function checkOS () { fi fi fi - elif [[ -e /etc/fedora-release ]]; then - OS=fedora - elif [[ -e /etc/centos-release ]]; then - if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then - echo "Your version of CentOS is not supported." - echo "The script only support CentOS 7." - echo "" - unset CONTINUE - until [[ $CONTINUE =~ (y|n) ]]; do - read -rp "Continue anyway? [y/n]: " -e CONTINUE - done - if [[ "$CONTINUE" = "n" ]]; then - echo "Ok, bye!" + elif [[ -e /etc/system-release ]]; then + source /etc/os-release + if [[ "$ID" = "centos" ]]; then + OS="centos" + if [[ ! $VERSION_ID == "7" ]]; then + echo "⚠️ Your version of CentOS is not supported." + echo "" + echo "The script only support CentOS 7." + echo "" exit 1 fi fi - OS=centos + if [[ "$ID" = "amzn" ]]; then + OS="amzn" + if [[ ! $VERSION_ID == "2" ]]; then + echo "⚠️ Your version of Amazon Linux is not supported." + echo "" + echo "The script only support Amazon Linux 2." + echo "" + exit 1 + fi + fi + elif [[ -e /etc/fedora-release ]]; then + OS=fedora elif [[ -e /etc/arch-release ]]; then OS=arch else - echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" + echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system" exit 1 fi } @@ -101,7 +108,7 @@ hide-version: yes use-caps-for-id: yes prefetch: yes' >> /etc/unbound/unbound.conf - elif [[ "$OS" = "centos" ]]; then + elif [[ "$OS" =~ (centos|amzn) ]]; then yum install -y unbound # Configuration @@ -128,7 +135,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old - + echo 'server: use-syslog: yes do-daemonize: no @@ -148,7 +155,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf prefetch: yes' > /etc/unbound/unbound.conf fi - if [[ ! "$OS" =~ (fedora|centos) ]];then + if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then # DNS Rebinding fix echo "private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 @@ -284,8 +291,9 @@ function installQuestions () { echo " 9) Google (Anycast: worldwide)" echo " 10) Yandex Basic (Russia)" echo " 11) AdGuard DNS (Russia)" - until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 11 ]; do - read -rp "DNS [1-10]: " -e -i 3 DNS + echo " 12) Custom" + until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do + read -rp "DNS [1-12]: " -e -i 3 DNS if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then echo "" echo "Unbound is already installed." @@ -302,6 +310,16 @@ function installQuestions () { unset DNS unset CONTINUE fi + elif [[ $DNS == "12" ]]; then + until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Primary DNS: " -e DNS1 + done + until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Secondary DNS (optional): " -e DNS2 + if [[ "$DNS2" == "" ]]; then + break + fi + done fi done echo "" @@ -310,17 +328,21 @@ function installQuestions () { read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED done if [[ $COMPRESSION_ENABLED == "y" ]];then - echo "Choose which compression algorithm you want to use:" - echo " 1) LZ4 (more efficient)" - echo " 2) LZ0" - until [[ $COMPRESSION_CHOICE =~ ^[1-2]$ ]]; do - read -rp"Compression algorithm [1-2]: " -e -i 1 COMPRESSION_CHOICE + echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)" + echo " 1) LZ4-v2" + echo " 2) LZ4" + echo " 3) LZ0" + until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do + read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE done case $COMPRESSION_CHOICE in 1) - COMPRESSION_ALG="lz4" + COMPRESSION_ALG="lz4-v2" ;; 2) + COMPRESSION_ALG="lz4" + ;; + 3) COMPRESSION_ALG="lzo" ;; esac @@ -600,6 +622,9 @@ function installOpenVPN () { elif [[ "$OS" = 'centos' ]]; then yum install -y epel-release yum install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'amzn' ]]; then + amazon-linux-extras install -y epel + yum install -y openvpn iptables openssl wget ca-certificates curl elif [[ "$OS" = 'fedora' ]]; then dnf install -y openvpn iptables openssl wget ca-certificates curl elif [[ "$OS" = 'arch' ]]; then @@ -642,6 +667,11 @@ function installOpenVPN () { SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars + + # Workaround to remove unharmful error until easy-rsa 3.0.7 + # https://github.com/OpenVPN/easy-rsa/issues/261 + sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf + # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki ./easyrsa --batch build-ca nopass @@ -650,10 +680,10 @@ function installOpenVPN () { # ECDH keys are generated on-the-fly so we don't need to generate them beforehand openssl dhparam -out dh.pem $DH_KEY_SIZE fi - + ./easyrsa build-server-full "$SERVER_NAME" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - + case $TLS_SIG in 1) # Generate tls-crypt key @@ -664,13 +694,13 @@ function installOpenVPN () { openvpn --genkey --secret /etc/openvpn/tls-auth.key ;; esac - + # Move all the generated files cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn if [[ $DH_TYPE == "2" ]]; then cp dh.pem /etc/openvpn fi - + # Make cert revocation list readable for non-root chmod 644 /etc/openvpn/crl.pem @@ -746,6 +776,12 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; + 12) # Custom DNS + echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf + if [[ "$DNS2" != "" ]]; then + echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf + fi + ;; esac echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf @@ -781,7 +817,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf echo "crl-verify crl.pem ca ca.crt cert $SERVER_NAME.crt -key $SERVER_NAME.key +key $SERVER_NAME.key auth $HMAC_ALG cipher $CIPHER ncp-ciphers $CIPHER @@ -799,7 +835,7 @@ verb 3" >> /etc/openvpn/server.conf if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf fi - # Avoid an unneeded reboot + # Apply sysctl rules sysctl --system # If SELinux is enabled and a custom port was selected, we need this @@ -815,7 +851,7 @@ verb 3" >> /etc/openvpn/server.conf if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then # Don't modify package-provided service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service - + # Workaround to fix OpenVPN service on OpenVZ sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service # Another workaround to keep using /etc/openvpn/ @@ -836,12 +872,12 @@ verb 3" >> /etc/openvpn/server.conf else # Don't modify package-provided service cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service - + # Workaround to fix OpenVPN service on OpenVZ sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service # Another workaround to keep using /etc/openvpn/ sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service - + systemctl daemon-reload systemctl restart openvpn@server systemctl enable openvpn@server @@ -856,17 +892,17 @@ verb 3" >> /etc/openvpn/server.conf # Script to add rules echo "#!/bin/sh -iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE -iptables -A INPUT -i tun0 -j ACCEPT -iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT -iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT -iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh +iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE +iptables -I INPUT 1 -i tun0 -j ACCEPT +iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT +iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT +iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh if [[ "$IPV6_SUPPORT" = 'y' ]]; then - echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE -ip6tables -A INPUT -i tun0 -j ACCEPT -ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT -ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh + echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE +ip6tables -I INPUT 1 -i tun0 -j ACCEPT +ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT +ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh fi # Script to remove rules @@ -978,9 +1014,9 @@ function newClient () { # Home directory of the user, where the client configuration (.ovpn) will be written if [ -e "/home/$CLIENT" ]; then # if $1 is a user name homeDir="/home/$CLIENT" - elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER + elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" - else # if not SUDO_USER, use /root + else # if not SUDO_USER, use /root homeDir="/root" fi @@ -1086,7 +1122,7 @@ function removeUnbound () { apt-get autoremove --purge -y unbound elif [[ "$OS" = 'arch' ]]; then pacman --noconfirm -R unbound - elif [[ "$OS" = 'centos' ]]; then + elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y unbound elif [[ "$OS" = 'fedora' ]]; then dnf remove -y unbound @@ -1151,7 +1187,7 @@ function removeOpenVPN () { fi elif [[ "$OS" = 'arch' ]]; then pacman --noconfirm -R openvpn - elif [[ "$OS" = 'centos' ]]; then + elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y openvpn elif [[ "$OS" = 'fedora' ]]; then dnf remove -y openvpn