Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'angristan/master'

Browse source
This commit is contained in:
Dominic Dumrauf (MacBook Pro 2017) 2019-09-09 08:46:26 +01:00
commit d6fbec4675
8 changed files with 125 additions and 78 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
.github/FUNDING.yml vendored Normal file
View file

@ -0,0 +1,3 @@
patreon: angristan
liberapay: angristan
ko_fi: angristan

4
.github/ISSUE_TEMPLATE.md vendored
View file

@ -2,10 +2,12 @@
Before opening an issue, please make sure:
- You installed OpenVPN with the lastest version of the script
- You installed OpenVPN with the latest version of the script
- You read the FAQ
- Your issue is about the script, NOT OpenVPN itself
- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode.
You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
--->

11
.github/workflows/push.yml vendored Normal file
View file

@ -0,0 +1,11 @@
on: push
name: ShellCheck
jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shellcheck
uses: actions/bin/shellcheck@master
with:
args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009

4
.travis.yml
View file

@ -1,4 +0,0 @@
language: shell
script:
- shellcheck -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 openvpn-install.sh

2
LICENSE
View file

@ -1,7 +1,7 @@
MIT License
Copyright (c) 2013 Nyr
Copyright (c) 2016 Angristan (Stanislas Lange)
Copyright (c) 2016 Stanislas Lange (angristan)
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in

34
README.md
View file

@ -1,7 +1,5 @@
# openvpn-install
[![Travis CI](https://travis-ci.com/angristan/openvpn-install.svg?branch=master)](https://travis-ci.com/angristan/openvpn-install)
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
This script will let you setup your own secure VPN server in just a few seconds.
@ -13,7 +11,7 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar
First, get the script and make it executable :
```bash
curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
```
@ -97,7 +95,7 @@ export PASS="1"
- Choice to use a self-hosted resolver with Unbound (supports already existing Unbound installations)
- Choice between TCP and UDP
- NATed IPv6 support
- Compression disabled by default to prevent VORACLE. LZ4 and LZ0 algorithms available otherwise.
- Compression disabled by default to prevent VORACLE. LZ4 (v1/v2) and LZ0 algorithms available otherwise.
- Unprivileged mode: run as `nobody`/`nogroup`
- Block DNS leaks on Windows 10
- Randomised server certificate name
@ -108,17 +106,19 @@ export PASS="1"
The script supports these OS and architectures:
| | i386 | amd64 | armhf | arm64 |
| ------------ | ---- | ----- | ----- | ----- |
| Arch Linux | ❔ | ✅ | ❔ | ❔ |
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
| Debian 9 | ❌ | ✅ | ✅ | ✅ |
| Fedora 27 | ❔ | ✅ | ❔ | ❔ |
| Fedora 28 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ |
| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ |
| | i386 | amd64 | armhf | arm64 |
| -------------- | ---- | ----- | ----- | ----- |
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
| Arch Linux | ❔ | ✅ | ❔ | ❔ |
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
| Debian 9 | ❌ | ✅ | ✅ | ✅ |
| Debian 10 | ❔ | ✅ | ✅ | ❔ |
| Fedora 27 | ❔ | ✅ | ❔ | ❔ |
| Fedora 28 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ |
| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ |
To be noted:
@ -183,7 +183,7 @@ If you want more information about an option mentioned below, head to the [OpenV
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
### Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 algorithms, the latter being more efficient.
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
@ -281,8 +281,6 @@ From the OpenVPN wiki, about `--auth`:
>
> If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
The script provides the following choices:
- `SHA256`

1
Vagrantfile vendored
View file

@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
# else, run `vagrant up <hostname>`
machines = [
{ hostname: 'debian-10', box: 'debian/stretch64' },
{ hostname: 'debian-9', box: 'debian/stretch64' },
{ hostname: 'debian-8', box: 'debian/jessie64' },
{ hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },

120
openvpn-install.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Fedora and Arch Linux
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
# https://github.com/angristan/openvpn-install
function isRoot () {
@ -20,8 +20,8 @@ function checkOS () {
OS="debian"
source /etc/os-release
if [[ "$ID" == "debian" ]]; then
if [[ ! $VERSION_ID =~ (8|9) ]]; then
if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
echo "⚠️ Your version of Debian is not supported."
echo ""
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
@ -50,27 +50,34 @@ function checkOS () {
fi
fi
fi
elif [[ -e /etc/fedora-release ]]; then
OS=fedora
elif [[ -e /etc/centos-release ]]; then
if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then
echo "Your version of CentOS is not supported."
echo "The script only support CentOS 7."
echo ""
unset CONTINUE
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue anyway? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye!"
elif [[ -e /etc/system-release ]]; then
source /etc/os-release
if [[ "$ID" = "centos" ]]; then
OS="centos"
if [[ ! $VERSION_ID == "7" ]]; then
echo "⚠️ Your version of CentOS is not supported."
echo ""
echo "The script only support CentOS 7."
echo ""
exit 1
fi
fi
OS=centos
if [[ "$ID" = "amzn" ]]; then
OS="amzn"
if [[ ! $VERSION_ID == "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported."
echo ""
echo "The script only support Amazon Linux 2."
echo ""
exit 1
fi
fi
elif [[ -e /etc/fedora-release ]]; then
OS=fedora
elif [[ -e /etc/arch-release ]]; then
OS=arch
else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS or Arch Linux system"
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
exit 1
fi
}
@ -101,7 +108,7 @@ hide-version: yes
use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf
elif [[ "$OS" = "centos" ]]; then
elif [[ "$OS" =~ (centos|amzn) ]]; then
yum install -y unbound
# Configuration
@ -148,7 +155,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
prefetch: yes' > /etc/unbound/unbound.conf
fi
if [[ ! "$OS" =~ (fedora|centos) ]];then
if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
# DNS Rebinding fix
echo "private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
@ -284,8 +291,9 @@ function installQuestions () {
echo " 9) Google (Anycast: worldwide)"
echo " 10) Yandex Basic (Russia)"
echo " 11) AdGuard DNS (Russia)"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 11 ]; do
read -rp "DNS [1-10]: " -e -i 3 DNS
echo " 12) Custom"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo ""
echo "Unbound is already installed."
@ -302,6 +310,16 @@ function installQuestions () {
unset DNS
unset CONTINUE
fi
elif [[ $DNS == "12" ]]; then
until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Primary DNS: " -e DNS1
done
until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Secondary DNS (optional): " -e DNS2
if [[ "$DNS2" == "" ]]; then
break
fi
done
fi
done
echo ""
@ -310,17 +328,21 @@ function installQuestions () {
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done
if [[ $COMPRESSION_ENABLED == "y" ]];then
echo "Choose which compression algorithm you want to use:"
echo " 1) LZ4 (more efficient)"
echo " 2) LZ0"
until [[ $COMPRESSION_CHOICE =~ ^[1-2]$ ]]; do
read -rp"Compression algorithm [1-2]: " -e -i 1 COMPRESSION_CHOICE
echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
echo " 1) LZ4-v2"
echo " 2) LZ4"
echo " 3) LZ0"
until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do
read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
done
case $COMPRESSION_CHOICE in
1)
COMPRESSION_ALG="lz4"
COMPRESSION_ALG="lz4-v2"
;;
2)
COMPRESSION_ALG="lz4"
;;
3)
COMPRESSION_ALG="lzo"
;;
esac
@ -600,6 +622,9 @@ function installOpenVPN () {
elif [[ "$OS" = 'centos' ]]; then
yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'amzn' ]]; then
amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'arch' ]]; then
@ -642,6 +667,11 @@ function installOpenVPN () {
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Workaround to remove unharmful error until easy-rsa 3.0.7
# https://github.com/OpenVPN/easy-rsa/issues/261
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
./easyrsa --batch build-ca nopass
@ -746,6 +776,12 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;;
12) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
if [[ "$DNS2" != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
fi
;;
esac
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
@ -799,7 +835,7 @@ verb 3" >> /etc/openvpn/server.conf
if [[ "$IPV6_SUPPORT" = 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
fi
# Avoid an unneeded reboot
# Apply sysctl rules
sysctl --system
# If SELinux is enabled and a custom port was selected, we need this
@ -856,17 +892,17 @@ verb 3" >> /etc/openvpn/server.conf
# Script to add rules
echo "#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -A INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" = 'y' ]]; then
echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -A INPUT -i tun0 -j ACCEPT
ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
fi
# Script to remove rules
@ -978,9 +1014,9 @@ function newClient () {
# Home directory of the user, where the client configuration (.ovpn) will be written
if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
homeDir="/home/$CLIENT"
elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root
else # if not SUDO_USER, use /root
homeDir="/root"
fi
@ -1086,7 +1122,7 @@ function removeUnbound () {
apt-get autoremove --purge -y unbound
elif [[ "$OS" = 'arch' ]]; then
pacman --noconfirm -R unbound
elif [[ "$OS" = 'centos' ]]; then
elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y unbound
elif [[ "$OS" = 'fedora' ]]; then
dnf remove -y unbound
@ -1151,7 +1187,7 @@ function removeOpenVPN () {
fi
elif [[ "$OS" = 'arch' ]]; then
pacman --noconfirm -R openvpn
elif [[ "$OS" = 'centos' ]]; then
elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y openvpn
elif [[ "$OS" = 'fedora' ]]; then
dnf remove -y openvpn