From a34d13adbb2374cae3a7dbd8c552f6165188ee31 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Wed, 5 Jun 2019 01:13:03 +0200 Subject: [PATCH 01/22] Update LICENSE --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index 1727729..af58bae 100644 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,7 @@ MIT License Copyright (c) 2013 Nyr -Copyright (c) 2016 Angristan (Stanislas Lange) +Copyright (c) 2016 Stanislas Lange (angristan) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in From 5844a8440f05bc751873a7c5ccde7660c7653fd2 Mon Sep 17 00:00:00 2001 From: angristan Date: Sun, 30 Jun 2019 23:06:33 +0200 Subject: [PATCH 02/22] Add support for Debian 10 Fix #439 --- README.md | 7 ++++--- Vagrantfile | 1 + openvpn-install.sh | 20 ++++++++++---------- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 9fa3f59..b2c07ef 100644 --- a/README.md +++ b/README.md @@ -100,6 +100,7 @@ The script supports these OS and architectures: | CentOS 7 | ❔ | ✅ | ❌ | ✅ | | Debian 8 | ✅ | ✅ | ❌ | ❌ | | Debian 9 | ❌ | ✅ | ✅ | ✅ | +| Debian 10 | ❔ | ✅ | ❔ | ❔ | | Fedora 27 | ❔ | ✅ | ❔ | ❔ | | Fedora 28 | ❔ | ✅ | ❔ | ❔ | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | @@ -264,7 +265,7 @@ It defaults to `prime256v1`. From the OpenVPN wiki, about `--auth`: > Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. -> +> > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks). @@ -282,13 +283,13 @@ It defaults to `SHA256`. From the OpenVPN wiki, about `tls-auth`: > Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. -> +> > In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response. About `tls-crypt`: > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) -> +> > Encrypting (and authenticating) control channel packets: > - provides more privacy by hiding the certificate used for the TLS connection, > - makes it harder to identify OpenVPN traffic as such, diff --git a/Vagrantfile b/Vagrantfile index b2a7847..4dd0973 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false # else, run `vagrant up ` machines = [ + { hostname: 'debian-10', box: 'debian/stretch64' }, { hostname: 'debian-9', box: 'debian/stretch64' }, { hostname: 'debian-8', box: 'debian/jessie64' }, { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' }, diff --git a/openvpn-install.sh b/openvpn-install.sh index 99e7bca..08daa7c 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -21,7 +21,7 @@ function checkOS () { source /etc/os-release if [[ "$ID" == "debian" ]]; then - if [[ ! $VERSION_ID =~ (8|9) ]]; then + if [[ ! $VERSION_ID =~ (8|9|10) ]]; then echo "⚠️ Your version of Debian is not supported." echo "" echo "However, if you're using Debian >= 9 or unstable/testing then you can continue." @@ -128,7 +128,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old - + echo 'server: use-syslog: yes do-daemonize: no @@ -650,10 +650,10 @@ function installOpenVPN () { # ECDH keys are generated on-the-fly so we don't need to generate them beforehand openssl dhparam -out dh.pem $DH_KEY_SIZE fi - + ./easyrsa build-server-full "$SERVER_NAME" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - + case $TLS_SIG in 1) # Generate tls-crypt key @@ -664,13 +664,13 @@ function installOpenVPN () { openvpn --genkey --secret /etc/openvpn/tls-auth.key ;; esac - + # Move all the generated files cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn if [[ $DH_TYPE == "2" ]]; then cp dh.pem /etc/openvpn fi - + # Make cert revocation list readable for non-root chmod 644 /etc/openvpn/crl.pem @@ -781,7 +781,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf echo "crl-verify crl.pem ca ca.crt cert $SERVER_NAME.crt -key $SERVER_NAME.key +key $SERVER_NAME.key auth $HMAC_ALG cipher $CIPHER ncp-ciphers $CIPHER @@ -815,7 +815,7 @@ verb 3" >> /etc/openvpn/server.conf if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then # Don't modify package-provided service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service - + # Workaround to fix OpenVPN service on OpenVZ sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service # Another workaround to keep using /etc/openvpn/ @@ -836,12 +836,12 @@ verb 3" >> /etc/openvpn/server.conf else # Don't modify package-provided service cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service - + # Workaround to fix OpenVPN service on OpenVZ sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service # Another workaround to keep using /etc/openvpn/ sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service - + systemctl daemon-reload systemctl restart openvpn@server systemctl enable openvpn@server From b7bbc57284d79090782ae8737dcddbc56fd16fe0 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 1 Jul 2019 15:02:17 +0200 Subject: [PATCH 03/22] Create FUNDING.yml --- .github/FUNDING.yml | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 0000000..ce62efd --- /dev/null +++ b/.github/FUNDING.yml @@ -0,0 +1 @@ +patreon: angristan From 980a483ebce3b494a81419e713467bdb96664c09 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 1 Jul 2019 15:05:44 +0200 Subject: [PATCH 04/22] Update FUNDING.yml --- .github/FUNDING.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml index ce62efd..7d1aa44 100644 --- a/.github/FUNDING.yml +++ b/.github/FUNDING.yml @@ -1 +1,3 @@ patreon: angristan +liberapay: angristan +ko_fi: angristan From dea1d6db2b6611b88d7b4e94f014621fb2ad4cec Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 5 Jul 2019 17:49:31 +0200 Subject: [PATCH 05/22] Add support for lz4-v2 (#444) Close #366 --- README.md | 4 ++-- openvpn-install.sh | 16 ++++++++++------ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index b2c07ef..2913b47 100644 --- a/README.md +++ b/README.md @@ -83,7 +83,7 @@ Password-protected clients are not supported by the headless installation method - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations) - Choice between TCP and UDP - NATed IPv6 support -- Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise. +- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise. - Unprivileged mode: run as `nobody`/`nogroup` - Block DNS leaks on Windows 10 - Randomised server certificate name @@ -170,7 +170,7 @@ If you want more information about an option mentioned below, head to the [OpenV Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. ### Compression -By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorithms, the latter being more efficient. +By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. diff --git a/openvpn-install.sh b/openvpn-install.sh index 08daa7c..0685a72 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -310,17 +310,21 @@ function installQuestions () { read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED done if [[ $COMPRESSION_ENABLED == "y" ]];then - echo "Choose which compression algorithm you want to use:" - echo " 1) LZ4 (more efficient)" - echo " 2) LZ0" - until [[ $COMPRESSION_CHOICE =~ ^[1-2]$ ]]; do - read -rp"Compression algorithm [1-2]: " -e -i 1 COMPRESSION_CHOICE + echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)" + echo " 1) LZ4-v2" + echo " 2) LZ4" + echo " 3) LZ0" + until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do + read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE done case $COMPRESSION_CHOICE in 1) - COMPRESSION_ALG="lz4" + COMPRESSION_ALG="lz4-v2" ;; 2) + COMPRESSION_ALG="lz4" + ;; + 3) COMPRESSION_ALG="lzo" ;; esac From 4255046bd6989fadb94a7055efdaf6be6d6f9cbe Mon Sep 17 00:00:00 2001 From: David Barda Date: Mon, 15 Jul 2019 20:21:18 +0300 Subject: [PATCH 06/22] Update README: HMAC-SHA1 is not broken (#448) Remove irrelevant data from readme, as HMAC strength does not depend on the collisions of the hash function --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 2913b47..c4453c8 100644 --- a/README.md +++ b/README.md @@ -268,8 +268,6 @@ From the OpenVPN wiki, about `--auth`: > > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. -SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks). - The script provides the following choices: - `SHA256` From a57f5e69baf8355d2a926180d8176ae52f019f1a Mon Sep 17 00:00:00 2001 From: Stanislas Date: Wed, 17 Jul 2019 18:14:24 +0200 Subject: [PATCH 07/22] Debian 10 + armhf = OK (#450) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c4453c8..112318f 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ The script supports these OS and architectures: | CentOS 7 | ❔ | ✅ | ❌ | ✅ | | Debian 8 | ✅ | ✅ | ❌ | ❌ | | Debian 9 | ❌ | ✅ | ✅ | ✅ | -| Debian 10 | ❔ | ✅ | ❔ | ❔ | +| Debian 10 | ❔ | ✅ | ✅ | ❔ | | Fedora 27 | ❔ | ✅ | ❔ | ❔ | | Fedora 28 | ❔ | ✅ | ❔ | ❔ | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | From b095c2349619bab4a6433aec21aaeb59c71387b9 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sun, 28 Jul 2019 23:31:34 +0200 Subject: [PATCH 08/22] Update README.md My username is lowercase now --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 112318f..615e8fb 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar First, get the script and make it executable : ```bash -curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh +curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh chmod +x openvpn-install.sh ``` From 4fe6541a8d55b31e47613364203c70d1bafd5158 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 16 Aug 2019 18:28:12 +0200 Subject: [PATCH 09/22] Add GitHub actions workflow for shellcheck (#458) * Remove Travis * Add GitHub actions workflow for shellcheck --- .github/wrokflows/push.yml | 11 +++++++++++ .travis.yml | 4 ---- 2 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 .github/wrokflows/push.yml delete mode 100644 .travis.yml diff --git a/.github/wrokflows/push.yml b/.github/wrokflows/push.yml new file mode 100644 index 0000000..ebf6ae3 --- /dev/null +++ b/.github/wrokflows/push.yml @@ -0,0 +1,11 @@ +on: push +name: ShellCheck +jobs: + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: shellcheck + uses: actions/bin/shellcheck@master + with: + args: wireguard-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 2b6c9e9..0000000 --- a/.travis.yml +++ /dev/null @@ -1,4 +0,0 @@ -language: shell - -script: - - shellcheck -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 openvpn-install.sh From 85c3f77d012951a63eb5489ba828c3e8767cb8d2 Mon Sep 17 00:00:00 2001 From: angristan Date: Fri, 16 Aug 2019 18:30:25 +0200 Subject: [PATCH 10/22] Fix workflows path --- .github/{wrokflows => workflows}/push.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{wrokflows => workflows}/push.yml (100%) diff --git a/.github/wrokflows/push.yml b/.github/workflows/push.yml similarity index 100% rename from .github/wrokflows/push.yml rename to .github/workflows/push.yml From d904476647c2bd59b933331705e18d5190392a9c Mon Sep 17 00:00:00 2001 From: angristan Date: Fri, 16 Aug 2019 18:31:46 +0200 Subject: [PATCH 11/22] Fix github action --- .github/workflows/push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml index ebf6ae3..5fa44e3 100644 --- a/.github/workflows/push.yml +++ b/.github/workflows/push.yml @@ -8,4 +8,4 @@ jobs: - name: shellcheck uses: actions/bin/shellcheck@master with: - args: wireguard-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 + args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 From 2aab3792ca5ee44523a85996341fc109d4a925fd Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 16 Aug 2019 18:33:16 +0200 Subject: [PATCH 12/22] Remove Travis Badge from README Since we use Actions now. --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 615e8fb..91eb2fd 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,5 @@ # openvpn-install -[![Travis CI](https://travis-ci.com/angristan/openvpn-install.svg?branch=master)](https://travis-ci.com/angristan/openvpn-install) - OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux. This script will let you setup your own secure VPN server in just a few seconds. From 30735c91d81d952395c0d33b22df0e3fec2d0860 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Mon, 19 Aug 2019 23:25:48 +0200 Subject: [PATCH 13/22] Add Amazon Linux 2 support (#459) --- README.md | 25 +++++++++++++------------ openvpn-install.sh | 31 +++++++++++++++++++++++-------- 2 files changed, 36 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 91eb2fd..780412b 100644 --- a/README.md +++ b/README.md @@ -92,18 +92,19 @@ Password-protected clients are not supported by the headless installation method The script supports these OS and architectures: -| | i386 | amd64 | armhf | arm64 | -| ------------ | ---- | ----- | ----- | ----- | -| Arch Linux | ❔ | ✅ | ❔ | ❔ | -| CentOS 7 | ❔ | ✅ | ❌ | ✅ | -| Debian 8 | ✅ | ✅ | ❌ | ❌ | -| Debian 9 | ❌ | ✅ | ✅ | ✅ | -| Debian 10 | ❔ | ✅ | ✅ | ❔ | -| Fedora 27 | ❔ | ✅ | ❔ | ❔ | -| Fedora 28 | ❔ | ✅ | ❔ | ❔ | -| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | -| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ | -| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ | +| | i386 | amd64 | armhf | arm64 | +| -------------- | ---- | ----- | ----- | ----- | +| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ | +| Arch Linux | ❔ | ✅ | ❔ | ❔ | +| CentOS 7 | ❔ | ✅ | ❌ | ✅ | +| Debian 8 | ✅ | ✅ | ❌ | ❌ | +| Debian 9 | ❌ | ✅ | ✅ | ✅ | +| Debian 10 | ❔ | ✅ | ✅ | ❔ | +| Fedora 27 | ❔ | ✅ | ❔ | ❔ | +| Fedora 28 | ❔ | ✅ | ❔ | ❔ | +| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | +| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ | +| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ | To be noted: diff --git a/openvpn-install.sh b/openvpn-install.sh index 0685a72..501ad07 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux +# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux # https://github.com/angristan/openvpn-install function isRoot () { @@ -50,6 +50,18 @@ function checkOS () { fi fi fi + elif [[ -e /etc/system-release ]]; then + source /etc/os-release + if [[ "$ID" == "amzn" ]]; then + OS="amzn" + if [[ ! $VERSION_ID =~ (2) ]]; then + echo "⚠️ Your version of Amazon Linux is not supported." + echo "" + echo "The script only support Amazon Linux 2." + echo "" + exit 1 + fi + fi elif [[ -e /etc/fedora-release ]]; then OS=fedora elif [[ -e /etc/centos-release ]]; then @@ -70,7 +82,7 @@ function checkOS () { elif [[ -e /etc/arch-release ]]; then OS=arch else - echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" + echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system" exit 1 fi } @@ -101,7 +113,7 @@ hide-version: yes use-caps-for-id: yes prefetch: yes' >> /etc/unbound/unbound.conf - elif [[ "$OS" = "centos" ]]; then + elif [[ "$OS" =~ (centos|amzn) ]]; then yum install -y unbound # Configuration @@ -148,7 +160,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf prefetch: yes' > /etc/unbound/unbound.conf fi - if [[ ! "$OS" =~ (fedora|centos) ]];then + if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then # DNS Rebinding fix echo "private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 @@ -604,6 +616,9 @@ function installOpenVPN () { elif [[ "$OS" = 'centos' ]]; then yum install -y epel-release yum install -y openvpn iptables openssl wget ca-certificates curl + elif [[ "$OS" = 'amzn' ]]; then + amazon-linux-extras install -y epel + yum install -y openvpn iptables openssl wget ca-certificates curl elif [[ "$OS" = 'fedora' ]]; then dnf install -y openvpn iptables openssl wget ca-certificates curl elif [[ "$OS" = 'arch' ]]; then @@ -982,9 +997,9 @@ function newClient () { # Home directory of the user, where the client configuration (.ovpn) will be written if [ -e "/home/$CLIENT" ]; then # if $1 is a user name homeDir="/home/$CLIENT" - elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER + elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" - else # if not SUDO_USER, use /root + else # if not SUDO_USER, use /root homeDir="/root" fi @@ -1088,7 +1103,7 @@ function removeUnbound () { apt-get autoremove --purge -y unbound elif [[ "$OS" = 'arch' ]]; then pacman --noconfirm -R unbound - elif [[ "$OS" = 'centos' ]]; then + elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y unbound elif [[ "$OS" = 'fedora' ]]; then dnf remove -y unbound @@ -1153,7 +1168,7 @@ function removeOpenVPN () { fi elif [[ "$OS" = 'arch' ]]; then pacman --noconfirm -R openvpn - elif [[ "$OS" = 'centos' ]]; then + elif [[ "$OS" =~ (centos|amzn) ]]; then yum remove -y openvpn elif [[ "$OS" = 'fedora' ]]; then dnf remove -y openvpn From 6c4104c25dc87ec8611c503c9d45241195261347 Mon Sep 17 00:00:00 2001 From: angristan Date: Mon, 19 Aug 2019 23:50:17 +0200 Subject: [PATCH 14/22] Update ISSUE_TEMPLATE.md --- .github/ISSUE_TEMPLATE.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index 40547d5..617414b 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -2,10 +2,12 @@ Before opening an issue, please make sure: -- You installed OpenVPN with the lastest version of the script +- You installed OpenVPN with the latest version of the script - You read the FAQ - Your issue is about the script, NOT OpenVPN itself - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed +FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode. + You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/ ---> From de021b67d55df0b552b8cc3920314ad844728c1b Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 20 Aug 2019 00:24:01 +0200 Subject: [PATCH 15/22] Insert iptables rules at the top (#461) Fix #346 --- openvpn-install.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 501ad07..92ecfab 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -877,30 +877,30 @@ verb 3" >> /etc/openvpn/server.conf echo "#!/bin/sh iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -A INPUT -i tun0 -j ACCEPT -iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT -iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT +iptables -A FORWARD 1 -i $NIC -o tun0 -j ACCEPT +iptables -A FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -A INPUT -i tun0 -j ACCEPT -ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT -ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh +ip6tables -A FORWARD 1 -i $NIC -o tun0 -j ACCEPT +ip6tables -A FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh fi # Script to remove rules echo "#!/bin/sh iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -D INPUT -i tun0 -j ACCEPT -iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT -iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT +iptables -D FORWARD 1 -i $NIC -o tun0 -j ACCEPT +iptables -D FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT -ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT -ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh +ip6tables -D FORWARD 1 -i $NIC -o tun0 -j ACCEPT +ip6tables -D FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh fi chmod +x /etc/iptables/add-openvpn-rules.sh From f207302334dd625ba3741cd0ce6465f79dfe79e6 Mon Sep 17 00:00:00 2001 From: Stanislas Lange Date: Tue, 20 Aug 2019 11:20:24 +0200 Subject: [PATCH 16/22] Revert "Insert iptables rules at the top (#461)" This reverts commit de021b67d55df0b552b8cc3920314ad844728c1b. --- openvpn-install.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 92ecfab..501ad07 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -877,30 +877,30 @@ verb 3" >> /etc/openvpn/server.conf echo "#!/bin/sh iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -A INPUT -i tun0 -j ACCEPT -iptables -A FORWARD 1 -i $NIC -o tun0 -j ACCEPT -iptables -A FORWARD 1 -i tun0 -o $NIC -j ACCEPT +iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT +iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -A INPUT -i tun0 -j ACCEPT -ip6tables -A FORWARD 1 -i $NIC -o tun0 -j ACCEPT -ip6tables -A FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh +ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT +ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh fi # Script to remove rules echo "#!/bin/sh iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -D INPUT -i tun0 -j ACCEPT -iptables -D FORWARD 1 -i $NIC -o tun0 -j ACCEPT -iptables -D FORWARD 1 -i tun0 -o $NIC -j ACCEPT +iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT +iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE ip6tables -D INPUT -i tun0 -j ACCEPT -ip6tables -D FORWARD 1 -i $NIC -o tun0 -j ACCEPT -ip6tables -D FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh +ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT +ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh fi chmod +x /etc/iptables/add-openvpn-rules.sh From 1acab15a2610e28d8ceab86327ffa7016aca095f Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 20 Aug 2019 11:55:43 +0200 Subject: [PATCH 17/22] Insert iptables rules at the top (#466) Fix #346 #465 --- openvpn-install.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 501ad07..6325fc0 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -875,17 +875,17 @@ verb 3" >> /etc/openvpn/server.conf # Script to add rules echo "#!/bin/sh -iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE -iptables -A INPUT -i tun0 -j ACCEPT -iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT -iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT -iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh +iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE +iptables -I INPUT 1 -i tun0 -j ACCEPT +iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT +iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT +iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh if [[ "$IPV6_SUPPORT" = 'y' ]]; then - echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE -ip6tables -A INPUT -i tun0 -j ACCEPT -ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT -ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh + echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE +ip6tables -I INPUT 1 -i tun0 -j ACCEPT +ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT +ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh fi # Script to remove rules From cee02eb803f8c353e0ddfa8bce2ecaf2fcef2601 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 20 Aug 2019 13:36:16 +0200 Subject: [PATCH 18/22] Fix CentOS detection during install (#468) Fix #463 --- openvpn-install.sh | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 6325fc0..00d0d97 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -52,9 +52,19 @@ function checkOS () { fi elif [[ -e /etc/system-release ]]; then source /etc/os-release - if [[ "$ID" == "amzn" ]]; then + if [[ "$ID" = "centos" ]]; then + OS="centos" + if [[ ! $VERSION_ID == "7" ]]; then + echo "⚠️ Your version of CentOS is not supported." + echo "" + echo "The script only support CentOS 7." + echo "" + exit 1 + fi + fi + if [[ "$ID" = "amzn" ]]; then OS="amzn" - if [[ ! $VERSION_ID =~ (2) ]]; then + if [[ ! $VERSION_ID == "2" ]]; then echo "⚠️ Your version of Amazon Linux is not supported." echo "" echo "The script only support Amazon Linux 2." @@ -64,21 +74,6 @@ function checkOS () { fi elif [[ -e /etc/fedora-release ]]; then OS=fedora - elif [[ -e /etc/centos-release ]]; then - if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then - echo "Your version of CentOS is not supported." - echo "The script only support CentOS 7." - echo "" - unset CONTINUE - until [[ $CONTINUE =~ (y|n) ]]; do - read -rp "Continue anyway? [y/n]: " -e CONTINUE - done - if [[ "$CONTINUE" = "n" ]]; then - echo "Ok, bye!" - exit 1 - fi - fi - OS=centos elif [[ -e /etc/arch-release ]]; then OS=arch else From 0e3e7f27054fe853abda1a33a07e97b0d2d38d9b Mon Sep 17 00:00:00 2001 From: angristan Date: Tue, 20 Aug 2019 17:58:51 +0200 Subject: [PATCH 19/22] Update sysctl comment --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 00d0d97..e234277 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -813,7 +813,7 @@ verb 3" >> /etc/openvpn/server.conf if [[ "$IPV6_SUPPORT" = 'y' ]]; then echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf fi - # Avoid an unneeded reboot + # Apply sysctl rules sysctl --system # If SELinux is enabled and a custom port was selected, we need this From 04141c6c9169abc87841c5002de6f543e2ee8deb Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 20 Aug 2019 21:01:35 +0200 Subject: [PATCH 20/22] Support Raspbian (#462) Fix #382 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index e234277..dfaf122 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -20,7 +20,7 @@ function checkOS () { OS="debian" source /etc/os-release - if [[ "$ID" == "debian" ]]; then + if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then if [[ ! $VERSION_ID =~ (8|9|10) ]]; then echo "⚠️ Your version of Debian is not supported." echo "" From 4080585ab58f5b59eec8a79b8896e0013fe0059b Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 20 Aug 2019 21:02:05 +0200 Subject: [PATCH 21/22] Workaround to remove unharmful easy-rsa error (#469) Until easy-rsa 3.0.7. https://github.com/OpenVPN/easy-rsa/issues/261 Fix #454 --- openvpn-install.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index dfaf122..a419bdc 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -656,6 +656,11 @@ function installOpenVPN () { SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars + + # Workaround to remove unharmful error until easy-rsa 3.0.7 + # https://github.com/OpenVPN/easy-rsa/issues/261 + sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf + # Create the PKI, set up the CA, the DH params and the server certificate ./easyrsa init-pki ./easyrsa --batch build-ca nopass From bc109db04f3d04a8902c5f34e5905142c952c1b1 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 20 Aug 2019 21:02:47 +0200 Subject: [PATCH 22/22] Add support for custom DNS input (#470) Close #258 #260 Co-authored-by: Sayem Chowdhury --- openvpn-install.sh | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a419bdc..45615cd 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -291,8 +291,9 @@ function installQuestions () { echo " 9) Google (Anycast: worldwide)" echo " 10) Yandex Basic (Russia)" echo " 11) AdGuard DNS (Russia)" - until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 11 ]; do - read -rp "DNS [1-10]: " -e -i 3 DNS + echo " 12) Custom" + until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do + read -rp "DNS [1-12]: " -e -i 3 DNS if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then echo "" echo "Unbound is already installed." @@ -309,6 +310,16 @@ function installQuestions () { unset DNS unset CONTINUE fi + elif [[ $DNS == "12" ]]; then + until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Primary DNS: " -e DNS1 + done + until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do + read -rp "Secondary DNS (optional): " -e DNS2 + if [[ "$DNS2" == "" ]]; then + break + fi + done fi done echo "" @@ -765,6 +776,12 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; + 12) # Custom DNS + echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf + if [[ "$DNS2" != "" ]]; then + echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf + fi + ;; esac echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf