Merge remote-tracking branch 'angristan/master'

This commit is contained in:
Dominic Dumrauf (MacBook Pro 2017) 2019-09-09 08:46:26 +01:00
commit d6fbec4675
8 changed files with 125 additions and 78 deletions

3
.github/FUNDING.yml vendored Normal file

@ -0,0 +1,3 @@
patreon: angristan
liberapay: angristan
ko_fi: angristan


@ -2,10 +2,12 @@
Before opening an issue, please make sure: Before opening an issue, please make sure:
- You installed OpenVPN with the lastest version of the script - You installed OpenVPN with the latest version of the script
- You read the FAQ - You read the FAQ
- Your issue is about the script, NOT OpenVPN itself - Your issue is about the script, NOT OpenVPN itself
- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode.
You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/ You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
---> --->
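Review bot: the context line `FYI, you can excute the script with \`bash -x openvpn-install.sh\`` still misspells `execute`; since this hunk is already correcting `lastest` to `latest` in the same template, fix that one in the same pass.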

11
.github/workflows/push.yml vendored Normal file

@ -0,0 +1,11 @@
on: push
name: ShellCheck
jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shellcheck
uses: actions/bin/shellcheck@master
with:
args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
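Review bot: both steps are pinned to a moving branch (`actions/checkout@master` and `actions/bin/shellcheck@master`), so the workflow runs whatever those repositories' default branch contains at run time and can change without any commit here; pin each to a release tag or, better, a full commit SHA (`uses: actions/checkout@<commit-sha>`, placeholder). Note also that `actions/bin/shellcheck` is a third-party wrapper, whereas the removed `.travis.yml` invoked `shellcheck` directly, and that the carried-over exclusions SC1072, SC1073 and SC1009 are shellcheck's parse-error codes, so confirm that excluding them is intended rather than left over.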


@ -1,4 +0,0 @@
language: shell
script:
- shellcheck -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 openvpn-install.sh


@ -1,7 +1,7 @@
MIT License MIT License
Copyright (c) 2013 Nyr Copyright (c) 2013 Nyr
Copyright (c) 2016 Angristan (Stanislas Lange) Copyright (c) 2016 Stanislas Lange (angristan)
Permission is hereby granted, free of charge, to any person obtaining a copy of Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in this software and associated documentation files (the "Software"), to deal in


@ -1,7 +1,5 @@
# openvpn-install # openvpn-install
[![Travis CI](https://travis-ci.com/angristan/openvpn-install.svg?branch=master)](https://travis-ci.com/angristan/openvpn-install)
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux. OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
This script will let you setup your own secure VPN server in just a few seconds. This script will let you setup your own secure VPN server in just a few seconds.
@ -13,7 +11,7 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar
First, get the script and make it executable : First, get the script and make it executable :
```bash ```bash
curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh chmod +x openvpn-install.sh
``` ```
@ -97,7 +95,7 @@ export PASS="1"
- Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations) - Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
- Choice between TCP and UDP - Choice between TCP and UDP
- NATed IPv6 support - NATed IPv6 support
- Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise. - Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
- Unprivileged mode: run as `nobody`/`nogroup` - Unprivileged mode: run as `nobody`/`nogroup`
- Block DNS leaks on Windows 10 - Block DNS leaks on Windows 10
- Randomised server certificate name - Randomised server certificate name
@ -109,11 +107,13 @@ export PASS="1"
The script supports these OS and architectures: The script supports these OS and architectures:
| | i386 | amd64 | armhf | arm64 | | | i386 | amd64 | armhf | arm64 |
| ------------ | ---- | ----- | ----- | ----- | | -------------- | ---- | ----- | ----- | ----- |
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
| Arch Linux | ❔ | ✅ | ❔ | ❔ | | Arch Linux | ❔ | ✅ | ❔ | ❔ |
| CentOS 7 | ❔ | ✅ | ❌ | ✅ | | CentOS 7 | ❔ | ✅ | ❌ | ✅ |
| Debian 8 | ✅ | ✅ | ❌ | ❌ | | Debian 8 | ✅ | ✅ | ❌ | ❌ |
| Debian 9 | ❌ | ✅ | ✅ | ✅ | | Debian 9 | ❌ | ✅ | ✅ | ✅ |
| Debian 10 | ❔ | ✅ | ✅ | ❔ |
| Fedora 27 | ❔ | ✅ | ❔ | ❔ | | Fedora 27 | ❔ | ✅ | ❔ | ❔ |
| Fedora 28 | ❔ | ✅ | ❔ | ❔ | | Fedora 28 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
@ -183,7 +183,7 @@ If you want more information about an option mentioned below, head to the [OpenV
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file. Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
### Compression ### Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorithms, the latter being more efficient. By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
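Review bot: two context lines in this hunk carry typos that could be fixed while the paragraph is being touched: `Defaults parameters` should read `Default parameters`, and `it is discouraged to use compression since it since the [VORACLE attack]` duplicates `since it`; suggest `However, using compression is discouraged, since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.`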
@ -281,8 +281,6 @@ From the OpenVPN wiki, about `--auth`:
> >
> If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
The script provides the following choices: The script provides the following choices:
- `SHA256` - `SHA256`
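Review bot: deleting the line `SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks)` removes the only stated reason the script offers no SHA1 choice, while the list that follows still begins at `SHA256`; if the motivation is that the published collision attacks on SHA-1 do not break HMAC-SHA1 as used by `--auth`, say that in a sentence instead, otherwise the reader is left with an unexplained restriction.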

1
Vagrantfile vendored

@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
# else, run `vagrant up <hostname>` # else, run `vagrant up <hostname>`
machines = [ machines = [
{ hostname: 'debian-10', box: 'debian/stretch64' },
{ hostname: 'debian-9', box: 'debian/stretch64' }, { hostname: 'debian-9', box: 'debian/stretch64' },
{ hostname: 'debian-8', box: 'debian/jessie64' }, { hostname: 'debian-8', box: 'debian/jessie64' },
{ hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' }, { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
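Review bot: the new entry `{ hostname: 'debian-10', box: 'debian/stretch64' }` boots a Debian 9 (stretch) box under a Debian 10 hostname, so it never exercises the `VERSION_ID =~ (8|9|10)` path this commit adds; the Debian 10 box is `debian/buster64`. The same mismatch already exists on the `ubuntu-1604` line, which uses `ubuntu/bionic64` (18.04), and is worth fixing in the same change.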


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
# https://github.com/angristan/openvpn-install # https://github.com/angristan/openvpn-install
function isRoot () { function isRoot () {
@ -20,8 +20,8 @@ function checkOS () {
OS="debian" OS="debian"
source /etc/os-release source /etc/os-release
if [[ "$ID" == "debian" ]]; then if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
if [[ ! $VERSION_ID =~ (8|9) ]]; then if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
echo "⚠️ Your version of Debian is not supported." echo "⚠️ Your version of Debian is not supported."
echo "" echo ""
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue." echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
@ -50,27 +50,34 @@ function checkOS () {
fi fi
fi fi
fi fi
elif [[ -e /etc/fedora-release ]]; then elif [[ -e /etc/system-release ]]; then
OS=fedora source /etc/os-release
elif [[ -e /etc/centos-release ]]; then if [[ "$ID" = "centos" ]]; then
if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then OS="centos"
echo "Your version of CentOS is not supported." if [[ ! $VERSION_ID == "7" ]]; then
echo "⚠️ Your version of CentOS is not supported."
echo ""
echo "The script only support CentOS 7." echo "The script only support CentOS 7."
echo "" echo ""
unset CONTINUE
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue anyway? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye!"
exit 1 exit 1
fi fi
fi fi
OS=centos if [[ "$ID" = "amzn" ]]; then
OS="amzn"
if [[ ! $VERSION_ID == "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported."
echo ""
echo "The script only support Amazon Linux 2."
echo ""
exit 1
fi
fi
elif [[ -e /etc/fedora-release ]]; then
OS=fedora
elif [[ -e /etc/arch-release ]]; then elif [[ -e /etc/arch-release ]]; then
OS=arch OS=arch
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
exit 1 exit 1
fi fi
} }
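Review bot: the new `elif [[ -e /etc/system-release ]]` branch is tested before `elif [[ -e /etc/fedora-release ]]`, and Fedora also ships `/etc/system-release`, so on Fedora this branch is taken, `$ID` is `fedora`, neither the `centos` nor the `amzn` test matches, and the function returns without ever reaching `OS=fedora`; either move the Fedora test ahead of this branch or add an `else` inside it that prints the unsupported message and exits. Two smaller points: the second `if [[ "$ID" = "amzn" ]]` can be an `elif`, and the CentOS and Amazon Linux paths now `exit 1` on a version mismatch while the Debian path above offers `Continue anyway? [y/n]`; the three should behave the same.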
@ -101,7 +108,7 @@ hide-version: yes
use-caps-for-id: yes use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf prefetch: yes' >> /etc/unbound/unbound.conf
elif [[ "$OS" = "centos" ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum install -y unbound yum install -y unbound
# Configuration # Configuration
@ -148,7 +155,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
prefetch: yes' > /etc/unbound/unbound.conf prefetch: yes' > /etc/unbound/unbound.conf
fi fi
if [[ ! "$OS" =~ (fedora|centos) ]];then if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
# DNS Rebinding fix # DNS Rebinding fix
echo "private-address: 10.0.0.0/8 echo "private-address: 10.0.0.0/8
private-address: 172.16.0.0/12 private-address: 172.16.0.0/12
@ -284,8 +291,9 @@ function installQuestions () {
echo " 9) Google (Anycast: worldwide)" echo " 9) Google (Anycast: worldwide)"
echo " 10) Yandex Basic (Russia)" echo " 10) Yandex Basic (Russia)"
echo " 11) AdGuard DNS (Russia)" echo " 11) AdGuard DNS (Russia)"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 11 ]; do echo " 12) Custom"
read -rp "DNS [1-10]: " -e -i 3 DNS until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo "" echo ""
echo "Unbound is already installed." echo "Unbound is already installed."
@ -302,6 +310,16 @@ function installQuestions () {
unset DNS unset DNS
unset CONTINUE unset CONTINUE
fi fi
elif [[ $DNS == "12" ]]; then
until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Primary DNS: " -e DNS1
done
until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Secondary DNS (optional): " -e DNS2
if [[ "$DNS2" == "" ]]; then
break
fi
done
fi fi
done done
echo "" echo ""
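Review bot: the validation loops for `DNS1` and `DNS2` accept only dotted IPv4 literals, so an IPv6 resolver cannot be entered even though the script has an `IPV6_SUPPORT` option; either accept IPv6 literals as well or state in the prompt that only IPv4 is accepted. There is also no way to leave the `Primary DNS:` loop without typing a valid address, and the long IPv4 regex is duplicated verbatim; put it in a variable (or a small `isIPv4` helper) so the two loops cannot drift apart.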
@ -310,17 +328,21 @@ function installQuestions () {
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done done
if [[ $COMPRESSION_ENABLED == "y" ]];then if [[ $COMPRESSION_ENABLED == "y" ]];then
echo "Choose which compression algorithm you want to use:" echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
echo " 1) LZ4 (more efficient)" echo " 1) LZ4-v2"
echo " 2) LZ0" echo " 2) LZ4"
until [[ $COMPRESSION_CHOICE =~ ^[1-2]$ ]]; do echo " 3) LZ0"
read -rp"Compression algorithm [1-2]: " -e -i 1 COMPRESSION_CHOICE until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do
read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
done done
case $COMPRESSION_CHOICE in case $COMPRESSION_CHOICE in
1) 1)
COMPRESSION_ALG="lz4" COMPRESSION_ALG="lz4-v2"
;; ;;
2) 2)
COMPRESSION_ALG="lz4"
;;
3)
COMPRESSION_ALG="lzo" COMPRESSION_ALG="lzo"
;; ;;
esac esac
@ -600,6 +622,9 @@ function installOpenVPN () {
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" = 'centos' ]]; then
yum install -y epel-release yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'amzn' ]]; then
amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" = 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl dnf install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" = 'arch' ]]; then
@ -642,6 +667,11 @@ function installOpenVPN () {
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Workaround to remove unharmful error until easy-rsa 3.0.7
# https://github.com/OpenVPN/easy-rsa/issues/261
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
# Create the PKI, set up the CA, the DH params and the server certificate # Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
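Review bot: the new `sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf` runs before `./easyrsa init-pki`, which is the step that creates the `pki/` directory; check that the file exists at that point in the 3.0.6 layout, because if it does not, `sed` prints `No such file or directory` and the script carries on with the original config and the very error this workaround is meant to silence. Move the `sed` after `init-pki` (and before `build-ca`), or guard it with `[[ -f pki/openssl-easyrsa.cnf ]]`, and spell out in the comment which error message from easy-rsa issue 261 is being suppressed so the workaround can be removed once 3.0.7 is in use.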
@ -746,6 +776,12 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;; ;;
12) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
if [[ "$DNS2" != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
fi
;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
@ -799,7 +835,7 @@ verb 3" >> /etc/openvpn/server.conf
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" = 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
fi fi
# Avoid an unneeded reboot # Apply sysctl rules
sysctl --system sysctl --system
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
@ -856,17 +892,17 @@ verb 3" >> /etc/openvpn/server.conf
# Script to add rules # Script to add rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" = 'y' ]]; then
echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -A INPUT -i tun0 -j ACCEPT ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
fi fi
# Script to remove rules # Script to remove rules
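Review bot: switching every rule from `-A` to `-I <chain> 1` places these ACCEPT and MASQUERADE rules ahead of whatever already exists in INPUT, FORWARD and nat/POSTROUTING, so any DROP or REJECT rules the administrator (or a firewall front end) has in place are bypassed for tun0 and for `$PORT` traffic; that is presumably the intent (rules appended after a default-deny rule never matched), but say so in the `# Script to add rules` comment and in the README. Also confirm that the companion removal script that follows deletes with `-D` and identical rule specs, which is position-independent, and that re-running the add script does not insert duplicates, since `-I ... 1` on every invocation stacks copies at the top of the chain.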
@ -1086,7 +1122,7 @@ function removeUnbound () {
apt-get autoremove --purge -y unbound apt-get autoremove --purge -y unbound
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" = 'arch' ]]; then
pacman --noconfirm -R unbound pacman --noconfirm -R unbound
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y unbound yum remove -y unbound
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" = 'fedora' ]]; then
dnf remove -y unbound dnf remove -y unbound
@ -1151,7 +1187,7 @@ function removeOpenVPN () {
fi fi
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" = 'arch' ]]; then
pacman --noconfirm -R openvpn pacman --noconfirm -R openvpn
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y openvpn yum remove -y openvpn
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" = 'fedora' ]]; then
dnf remove -y openvpn dnf remove -y openvpn