From 56881521426aef75c7940fc9e4b20e5a6dab6f81 Mon Sep 17 00:00:00 2001 From: phjanderson Date: Sun, 1 Apr 2018 19:01:08 +0200 Subject: [PATCH 01/26] Added support for Ubuntu 16.04 on armhf to readme (#191) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4a6cdb7..3d35ed8 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ The script is made to work on these OS and architectures : - **Debian 8** (i386, amd64) - **Debian 9** (i386, amd64, armhf, arm64) - **Ubuntu 14.04 LTS** (i386, amd64) -- **Ubuntu 16.04 LTS** (i386, amd64) +- **Ubuntu 16.04 LTS** (i386, amd64, armhf) - **Ubuntu 17.10** (i386, amd64, armhf, arm64) - **Fedora 25** (amd64) - **Fedora 26** (amd64) From d7e706ac241a90bbaa25fb6e41b73e1c9e737fc1 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 1 Apr 2018 23:12:05 +0200 Subject: [PATCH 02/26] Add Cloudflare resolvers Fixes #193 --- README.md | 1 + openvpn-install.sh | 33 +++++++++++++++++++-------------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 3d35ed8..fbc7869 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,7 @@ The script will ask you which DNS resolvers you want to use when connected to th Here are the possibilities : - Current system resolvers, those that are in `/etc/resolv.conf` +- [Cloudflare](https://1.1.1.1/), recommended, fastest resolvers available (Anycast servers) - [Quad9](https://www.quad9.net), recommended, security and privacy oriented, fast worldwide (Anycast servers) - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/), recommended if you're in western europe (France) - [DNS.WATCH DNS Servers](https://dns.watch/index), recommended if you're in western europe (Germany) diff --git a/openvpn-install.sh b/openvpn-install.sh index 54aacdf..46568ca 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -225,13 +225,14 @@ else echo "" echo "What DNS do you want to use with the VPN?" echo " 1) Current system resolvers (from /etc/resolv.conf)" - echo " 2) Quad9 (Anycast: worldwide)" - echo " 3) FDN (France)" - echo " 4) DNS.WATCH (Germany)" - echo " 5) OpenDNS (Anycast: worldwide)" - echo " 6) Google (Anycast: worldwide)" - echo " 7) Yandex Basic (Russia)" - echo " 8) AdGuard DNS (Russia)" + echo " 2) Cloudflare (Anycast: worldwide)" + echo " 3) Quad9 (Anycast: worldwide)" + echo " 4) FDN (France)" + echo " 5) DNS.WATCH (Germany)" + echo " 6) OpenDNS (Anycast: worldwide)" + echo " 7) Google (Anycast: worldwide)" + echo " 8) Yandex Basic (Russia)" + echo " 9) AdGuard DNS (Russia)" while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do read -p "DNS [1-8]: " -e -i 1 DNS done @@ -506,30 +507,34 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; - 2) #Quad9 + 2) # Cloudflare + echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf + ;; + 3) # Quad9 echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf ;; - 3) #FDN + 4) # FDN echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf ;; - 4) #DNS.WATCH + 5) # DNS.WATCH echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf ;; - 5) #OpenDNS + 6) # OpenDNS echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf ;; - 6) #Google + 7) # Google echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf ;; - 7) #Yandex Basic + 8) # Yandex Basic echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf ;; - 8) #AdGuard DNS + 9) # AdGuard DNS echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; From 853683b0b389903878c2d7e26d5ecf07bdba24d8 Mon Sep 17 00:00:00 2001 From: Angristan Date: Tue, 3 Apr 2018 22:52:42 +0200 Subject: [PATCH 03/26] Add saythanks.io Thanks to @cezar97 (#188) --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index fbc7869..71ead65 100644 --- a/README.md +++ b/README.md @@ -254,6 +254,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used. TLS-Auth is not enabled by default by OpenVPN, but it is in this script. +## Say thanks + +You can [say thanks](https://saythanks.io/to/Angristan) if you want! + ## Credits & Licence Thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and of course Nyr's orginal work. From 61d89e3ba20af7b4530dde08ebb4a73a6c84f1fe Mon Sep 17 00:00:00 2001 From: cezar97 Date: Tue, 10 Apr 2018 11:06:19 +0200 Subject: [PATCH 04/26] Remove .ovpn on cert revoke or OpenVPN uninstall (#178) --- openvpn-install.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 46568ca..1b6af00 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -146,6 +146,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then rm -rf /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem + rm -rf $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null + rm -rf /root/$CLIENT.ovpn 2>/dev/null echo "" echo "Certificate for client $CLIENT revoked" echo "Exiting..." @@ -188,6 +190,12 @@ if [[ -e /etc/openvpn/server.conf ]]; then else yum remove openvpn -y fi + OVPNS=$(ls /etc/openvpn/easy-rsa/pki/issued | awk -F "." {'print $1'}) + for i in $OVPNS + do + rm $(find /home -maxdepth 2 | grep $i.ovpn) 2>/dev/null + rm /root/$i.ovpn 2>/dev/null + done rm -rf /etc/openvpn rm -rf /usr/share/doc/openvpn* echo "" From 71bb6e8371e0c9b03ace8c88e7e4834808239a11 Mon Sep 17 00:00:00 2001 From: Timofey Vasenin Date: Mon, 7 May 2018 23:50:01 +0700 Subject: [PATCH 05/26] Remove unneeded -r argument from some rm commands Backport the relevant part of: https://github.com/Nyr/openvpn-install/commit/d7173537692df686afa26e74c456aede8bc569f3 --- openvpn-install.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1b6af00..d0c3215 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -140,14 +140,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then cd /etc/openvpn/easy-rsa/ ./easyrsa --batch revoke $CLIENT EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - rm -rf pki/reqs/$CLIENT.req - rm -rf pki/private/$CLIENT.key - rm -rf pki/issued/$CLIENT.crt - rm -rf /etc/openvpn/crl.pem + rm -f pki/reqs/$CLIENT.req + rm -f pki/private/$CLIENT.key + rm -f pki/issued/$CLIENT.crt + rm -f /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem - rm -rf $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null - rm -rf /root/$CLIENT.ovpn 2>/dev/null + rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null + rm -f /root/$CLIENT.ovpn 2>/dev/null echo "" echo "Certificate for client $CLIENT revoked" echo "Exiting..." @@ -470,7 +470,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service mv ~/EasyRSA-3.0.4/ /etc/openvpn/ mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ - rm -rf ~/EasyRSA-3.0.4.tgz + rm -f ~/EasyRSA-3.0.4.tgz cd /etc/openvpn/easy-rsa/ # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" From 2f6821d778779bb38dbb52915752980a7c46cedc Mon Sep 17 00:00:00 2001 From: Stanislas Date: Tue, 8 May 2018 20:53:57 +0200 Subject: [PATCH 06/26] Add support for Ubuntu 18.04 --- README.md | 1 + openvpn-install.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 71ead65..7ffa7b3 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,7 @@ The script is made to work on these OS and architectures : - **Ubuntu 14.04 LTS** (i386, amd64) - **Ubuntu 16.04 LTS** (i386, amd64, armhf) - **Ubuntu 17.10** (i386, amd64, armhf, arm64) +- **Ubuntu 18.04 LTS** (i386, amd64, armhf, arm64) - **Fedora 25** (amd64) - **Fedora 26** (amd64) - **Fedora 27** (amd64) diff --git a/openvpn-install.sh b/openvpn-install.sh index d0c3215..645da2e 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' - if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then + if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install a recent version of OpenVPN on your system." echo "" From b3fba4fddcd5797cf64237fe66451ef679ca6426 Mon Sep 17 00:00:00 2001 From: Timofey Vasenin Date: Wed, 9 May 2018 02:01:32 +0700 Subject: [PATCH 07/26] [backport] Fix system resolvers option for environments running systemd-resolved (#214) --- openvpn-install.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 645da2e..c960034 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -510,8 +510,15 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf # DNS resolvers case $DNS in 1) + # Locate the proper resolv.conf + # Needed for systems running systemd-resolved + if grep -q "127.0.0.53" "/etc/resolv.conf"; then + RESOLVCONF='/run/systemd/resolve/resolv.conf' + else + RESOLVCONF='/etc/resolv.conf' + fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do + grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; From d2a3b3bec673cdb010860e5075e17bf7fb4f1c40 Mon Sep 17 00:00:00 2001 From: Timofey Vasenin Date: Wed, 9 May 2018 02:23:36 +0700 Subject: [PATCH 08/26] Backport improvements of external IP handling (#213) * [backport] Remove IP address detection fallback It was never used, the one-liner is enough. * [backport] Improve NAT detection Cleaner and better: - Not relying in an external service - Avoids a false positive when the server has multiple public IPv4 addresses and the user selects one which is not the default gateway --- openvpn-install.sh | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c960034..93ca3c5 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -83,13 +83,6 @@ newclient () { echo "" >> $homeDir/$1.ovpn } -# Try to get our IP from the system and fallback to the Internet. -# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway) -# and to avoid getting an IPv6. -IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) -if [[ "$IP" = "" ]]; then - IP=$(wget -qO- ipv4.icanhazip.com) -fi # Get Internet network interface with default route NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) @@ -220,10 +213,18 @@ else echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)" echo "Otherwise, it should be your public IPv4 address." + # Autodetect IP address and pre-fill for the user + IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) read -p "IP address: " -e -i $IP IP echo "" echo "What port do you want for OpenVPN?" read -p "Port: " -e -i 1194 PORT + # If $IP is a private IP address, the server must be behind NAT + if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then + echo "" + echo "This server is behind NAT. What is the public IPv4 address or hostname?" + read -p "Public IP address / hostname: " -e PUBLICIP + fi echo "" echo "What protocol do you want for OpenVPN?" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" @@ -661,19 +662,9 @@ verb 3" >> /etc/openvpn/server.conf chkconfig openvpn on fi fi - # Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users - EXTERNALIP=$(wget -qO- ipv4.icanhazip.com) - if [[ "$IP" != "$EXTERNALIP" ]]; then - echo "" - echo "Looks like your server is behind a NAT!" - echo "" - echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router)," - echo "then I need to know the address that can be used to access it from outside." - echo "If that's not the case, just ignore this and leave the next field blank" - read -p "External IP or domain name: " -e USEREXTERNALIP - if [[ "$USEREXTERNALIP" != "" ]]; then - IP=$USEREXTERNALIP - fi + # If the server is behind a NAT, use the correct IP address + if [[ "$PUBLICIP" != "" ]]; then + IP=$PUBLICIP fi # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt From 6cecc16f0db54b4a81383f5e0a80b67ee244c113 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 10 May 2018 00:29:05 +0200 Subject: [PATCH 09/26] Fixes #217 "Package 'gpg' has no installation candidate" --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 93ca3c5..cc05a99 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -336,7 +336,7 @@ else read -n1 -r -p "Press any key to continue..." if [[ "$OS" = 'debian' ]]; then - apt-get install ca-certificates gpg -y + apt-get install ca-certificates gnupg -y # We add the OpenVPN repo to get the latest version. # Debian 7 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then From b8f0b44c55861a2805b48f080ac24200648afa35 Mon Sep 17 00:00:00 2001 From: Jebtrix Date: Tue, 29 May 2018 04:18:24 -0400 Subject: [PATCH 10/26] [FIX] Unable to select AdGuard DNS choice (#228) --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index cc05a99..e74d854 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -242,8 +242,8 @@ else echo " 7) Google (Anycast: worldwide)" echo " 8) Yandex Basic (Russia)" echo " 9) AdGuard DNS (Russia)" - while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do - read -p "DNS [1-8]: " -e -i 1 DNS + while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do + read -p "DNS [1-9]: " -e -i 1 DNS done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " From c42b028538b38a4aa8973565e05903fdde0b9a91 Mon Sep 17 00:00:00 2001 From: cezar97 Date: Fri, 6 Jul 2018 01:25:57 +0300 Subject: [PATCH 11/26] Add "Check for DNS leaks" paragraph in README (#242) --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 7ffa7b3..21b1a3f 100644 --- a/README.md +++ b/README.md @@ -255,6 +255,10 @@ SHA-1 is not safe anymore, so I use SHA-256 which is safe and widely used. TLS-Auth is not enabled by default by OpenVPN, but it is in this script. +## Check for DNS leaks + +Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up. + ## Say thanks You can [say thanks](https://saythanks.io/to/Angristan) if you want! From 63ac18075d07a1c944e9b4e08ba6e01b99c9cf2e Mon Sep 17 00:00:00 2001 From: cezar97 Date: Fri, 6 Jul 2018 23:11:22 +0300 Subject: [PATCH 12/26] Add quad9 secondary DNS (#248) See https://www.quad9.net/faq/#Is_there_a_service_that_Quad9_offers_that_does_not_have_the_blocklist_or_other_security. --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index e74d854..44647c5 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -529,6 +529,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf ;; 3) # Quad9 echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf ;; 4) # FDN echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf From 5501de73c8742bef58aa62685ca4c898cae2e616 Mon Sep 17 00:00:00 2001 From: Sayem Chowdhury Date: Sun, 15 Jul 2018 15:25:59 +0600 Subject: [PATCH 13/26] Improved code (#243) --- openvpn-install.sh | 130 +++++++++++++++++++++++++++------------------ 1 file changed, 78 insertions(+), 52 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 44647c5..046b319 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -4,16 +4,19 @@ # https://github.com/Angristan/OpenVPN-install +# Verify root if [[ "$EUID" -ne 0 ]]; then echo "Sorry, you need to run this as root" exit 1 fi +# Verify tun if [[ ! -e /dev/net/tun ]]; then echo "TUN is not available" exit 2 fi +# Check if CentOS 5 if grep -qs "CentOS release 5" "/etc/redhat-release"; then echo "CentOS 5 is too old and not supported" exit 3 @@ -22,7 +25,7 @@ fi if [[ -e /etc/debian_version ]]; then OS="debian" # Getting the version number, to verify that a recent version of OpenVPN is available - VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") + VERSION_ID=$(grep "VERSION_ID" /etc/os-release) IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then @@ -33,7 +36,7 @@ if [[ -e /etc/debian_version ]]; then echo "then you can continue, a recent version of OpenVPN is available on these." echo "Keep in mind they are not supported, though." while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do - read -p "Continue ? [y/n]: " -e CONTINUE + read -rp "Continue ? [y/n]: " -e CONTINUE done if [[ "$CONTINUE" = "n" ]]; then echo "Ok, bye !" @@ -59,28 +62,33 @@ fi newclient () { # Where to write the custom client.ovpn? - if [ -e /home/$1 ]; then # if $1 is a user name + if [ -e "/home/$1" ]; then # if $1 is a user name homeDir="/home/$1" - elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER + elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER homeDir="/home/${SUDO_USER}" else # if not SUDO_USER, use /root homeDir="/root" fi # Generates the custom client.ovpn - cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - echo "key-direction 1" >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn - cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn - echo "" >> $homeDir/$1.ovpn + cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn" + { + echo "" + cat "/etc/openvpn/easy-rsa/pki/ca.crt" + echo "" + + echo "" + cat "/etc/openvpn/easy-rsa/pki/issued/$1.crt" + echo "" + + echo "" + cat "/etc/openvpn/easy-rsa/pki/private/$1.key" + echo "" + echo "key-direction 1" + + echo "" + cat "/etc/openvpn/tls-auth.key" + echo "" + } >> "$homeDir/$1.ovpn" } # Get Internet network interface with default route @@ -94,22 +102,27 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "" echo "Looks like OpenVPN is already installed" echo "" + echo "What do you want to do?" echo " 1) Add a cert for a new user" echo " 2) Revoke existing user cert" echo " 3) Remove OpenVPN" echo " 4) Exit" - read -p "Select an option [1-4]: " option + read -rp "Select an option [1-4]: " option + case $option in 1) echo "" echo "Tell me a name for the client cert" echo "Please, use one word only, no special characters" - read -p "Client name: " -e -i newclient CLIENT - cd /etc/openvpn/easy-rsa/ + read -rp "Client name: " -e -i newclient CLIENT + + cd /etc/openvpn/easy-rsa/ || return ./easyrsa build-client-full $CLIENT nopass + # Generates the custom client.ovpn newclient "$CLIENT" + echo "" echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn" exit @@ -121,16 +134,18 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "You have no existing clients!" exit 5 fi + echo "" echo "Select the existing client certificate you want to revoke" tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' if [[ "$NUMBEROFCLIENTS" = '1' ]]; then - read -p "Select one client [1]: " CLIENTNUMBER + read -rp "Select one client [1]: " CLIENTNUMBER else - read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER + read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER fi + CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/easy-rsa/ || return ./easyrsa --batch revoke $CLIENT EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl rm -f pki/reqs/$CLIENT.req @@ -141,6 +156,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then chmod 644 /etc/openvpn/crl.pem rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null rm -f /root/$CLIENT.ovpn 2>/dev/null + echo "" echo "Certificate for client $CLIENT revoked" echo "Exiting..." @@ -148,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then ;; 3) echo "" - read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE + read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE if [[ "$REMOVE" = 'y' ]]; then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) if pgrep firewalld; then @@ -206,6 +222,7 @@ else clear echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)" echo "" + # OpenVPN setup and first user creation echo "I need to ask you a few questions before starting the setup" echo "You can leave the default options and just press enter if you are ok with them" @@ -213,23 +230,25 @@ else echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)" echo "Otherwise, it should be your public IPv4 address." + # Autodetect IP address and pre-fill for the user IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) - read -p "IP address: " -e -i $IP IP + read -rp "IP address: " -e -i $IP IP echo "" echo "What port do you want for OpenVPN?" - read -p "Port: " -e -i 1194 PORT + read -rp "Port: " -e -i 1194 PORT + # If $IP is a private IP address, the server must be behind NAT if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then echo "" echo "This server is behind NAT. What is the public IPv4 address or hostname?" - read -p "Public IP address / hostname: " -e PUBLICIP + read -rp "Public IP address / hostname: " -e PUBLICIP fi echo "" echo "What protocol do you want for OpenVPN?" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" - while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do - read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL + until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do + read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL done echo "" echo "What DNS do you want to use with the VPN?" @@ -242,8 +261,8 @@ else echo " 7) Google (Anycast: worldwide)" echo " 8) Yandex Basic (Russia)" echo " 9) AdGuard DNS (Russia)" - while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do - read -p "DNS [1-9]: " -e -i 1 DNS + until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do + read -rp "DNS [1-9]: " -e -i 1 DNS done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " @@ -261,8 +280,8 @@ else echo " 5) CAMELLIA-192-CBC" echo " 6) CAMELLIA-256-CBC" echo " 7) SEED-CBC" - while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do - read -p "Cipher [1-7]: " -e -i 1 CIPHER + until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do + read -rp "Cipher [1-7]: " -e -i 1 CIPHER done case $CIPHER in 1) @@ -292,8 +311,8 @@ else echo " 1) 2048 bits (fastest)" echo " 2) 3072 bits (recommended, best compromise)" echo " 3) 4096 bits (most secure)" - while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE + until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do + read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE done case $DH_KEY_SIZE in 1) @@ -311,8 +330,8 @@ else echo " 1) 2048 bits (fastest)" echo " 2) 3072 bits (recommended, best compromise)" echo " 3) 4096 bits (most secure)" - while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do - read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE + until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do + read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE done case $RSA_KEY_SIZE in 1) @@ -329,7 +348,9 @@ else echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" - read -p "Client name: " -e -i client CLIENT + read -rp "Client name: " -e -i client CLIENT + # Remove special characters + CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r') done echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" @@ -437,8 +458,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service echo "Not doing that could cause problems between dependencies, or missing files in repositories." echo "" echo "Continuing will update your installed packages and install needed ones." - while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do - read -p "Continue ? [y/n]: " -e -i y CONTINUE + until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do + read -rp "Continue ? [y/n]: " -e -i y CONTINUE done if [[ "$CONTINUE" = "n" ]]; then echo "Ok, bye !" @@ -472,10 +493,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/EasyRSA-3.0.4.tgz - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/easy-rsa/ || return # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name - SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" - SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" + SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars # Create the PKI, set up the CA, the DH params and the server + client certificates @@ -494,11 +515,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service # Generate server.conf echo "port $PORT" > /etc/openvpn/server.conf - if [[ "$PROTOCOL" = 'UDP' ]]; then - echo "proto udp" >> /etc/openvpn/server.conf - elif [[ "$PROTOCOL" = 'TCP' ]]; then - echo "proto tcp" >> /etc/openvpn/server.conf - fi + echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf echo "dev tun user nobody group $NOGROUP @@ -519,7 +536,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf RESOLVCONF='/etc/resolv.conf' fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do + grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf done ;; @@ -556,7 +573,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf ;; esac -echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf +echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf echo "crl-verify crl.pem ca ca.crt cert $SERVER_NAME.crt @@ -581,12 +598,16 @@ verb 3" >> /etc/openvpn/server.conf if ! grep -q "\" $SYSCTL; then echo 'net.ipv4.ip_forward=1' >> $SYSCTL fi + # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward + # Set NAT for the VPN subnet iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE + # Save persitent iptables rules iptables-save > $IPTABLES + if pgrep firewalld; then # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to @@ -601,6 +622,7 @@ verb 3" >> /etc/openvpn/server.conf firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 fi + if iptables -L -n | grep -qE 'REJECT|DROP'; then # If iptables has at least one REJECT rule, we asume this is needed. # Not the best approach but I can't think of other and this shouldn't @@ -613,8 +635,9 @@ verb 3" >> /etc/openvpn/server.conf iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # Save persitent OpenVPN rules - iptables-save > $IPTABLES + iptables-save > $IPTABLES fi + # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then @@ -631,6 +654,7 @@ verb 3" >> /etc/openvpn/server.conf fi fi fi + # And finally, restart OpenVPN if [[ "$OS" = 'debian' ]]; then # Little hack to check for systemd @@ -663,10 +687,12 @@ verb 3" >> /etc/openvpn/server.conf chkconfig openvpn on fi fi + # If the server is behind a NAT, use the correct IP address if [[ "$PUBLICIP" != "" ]]; then IP=$PUBLICIP fi + # client-template.txt is created so we have a template to add further users later echo "client" > /etc/openvpn/client-template.txt if [[ "$PROTOCOL" = 'UDP' ]]; then From 1c7e06ed07b13237a0665d960a1e0592ba2a4105 Mon Sep 17 00:00:00 2001 From: Sam Mingo Date: Sat, 11 Aug 2018 16:33:07 -0400 Subject: [PATCH 14/26] Update README.md (#268) Fixed typos + phrasing --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 21b1a3f..0a2a5cf 100644 --- a/README.md +++ b/README.md @@ -40,11 +40,11 @@ When OpenVPN is installed, you can run the script again, and you will get the ch This script is based on the great work of [Nyr and its contributors](https://github.com/Nyr/openvpn-install). -I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and espicially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are unsecure. See [#encryption](#encryption). +I made it because I wanted to have a more secured OpenVPN out-of-the-box. It works like the original script, but is more focused on privacy and especially better encryption. Nyr's original script uses mainly default parameters regarding encryption, and some of them are insecure. See [#encryption](#encryption). Also, Nyr and myself clearly have not the same point of view regarding this script, that's why it's a fork. -The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only availble since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibilty](#compatibility). +The only drawback is that you need to use a recent version of OpenVPN, because some parameters that requires TLS 1.2 are only available since OpenVPN 2.3.3. Therefore I restrain the compatibility of this script to a few but widely used GNU/Linux distributions, to get a recent version of OpenVPN from trusted third-party repositories, if needed. That is not a complete drawback tough, because it means that you can have the latest version with all the new features and security fixes. See [compatibility](#compatibility). On the client-side, it's less problematic, but if you want to use an OpenVPN server installed with this script with an old client (\<2.3.3), it won't work. However I don't see why you would use an outdated client. @@ -186,7 +186,7 @@ The [SWEET32 vulnerability page](https://community.openvpn.net/openvpn/wiki/SWEE Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted. -As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an exemple about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477). +As they have not any proven vulnerabilities, I decided to give the user the choice to use them, though I don't see any particular reason to this day to use it. Maybe someday if AES happens to be broken. Here is an example about [why Camellia is good, but AES is better and should be used](http://crypto.stackexchange.com/questions/476/why-does-nobody-use-or-break-the-camellia-cipher/477#477). Currently AES is only available in its CBC mode, which is weaker than GCM. @@ -214,7 +214,7 @@ Thus, the best data channel cipher currently available in OpenVPN is `AES-128-CB ### Control channel's cipher -According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is unsecure. +According to the [Hardening](https://community.openvpn.net/openvpn/wiki/Hardening#Useof--tls-cipher) page of the OpenVPN wiki, TLS 1.2 is not supported by OpenVPN <2.3.3, so it uses a TLS 1.0 cipher by default, which is insecure. > The following are TLSv1.2 DHE + RSA choices, requiring a compatible peer running at least OpenVPN 2.3.3: - TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 @@ -230,7 +230,7 @@ Thus, I have chosen `TLS-DHE-RSA-WITH-AES-128-GCM-SHA256` as the control channel OpenVPN uses a 2048 bits DH key [by default](https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example#L97). -2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommened today, but 3072 bits is still good. +2048 bits is OK, but both [NSA](https://cryptome.org/2016/01/CNSA-Suite-and-Quantum-Computing-FAQ.pdf) and [ANSSI](https://www.ssi.gouv.fr/uploads/2015/01/RGS_v-2-0_B1.pdf) recommend at least a 3072 bits for a future-proof key. Like RSA, the size of the key will have an impact on speed, I leave the choice to use a 2048, 3072 or 4096 bits key. 4096 bits is what's most used and recommended today, but 3072 bits is still good. In OpenVPN 2.4, we will be able to use ECDH key. It uses elliptic curves instead of prime numbers' factorization for a reduced key size and calculation time, thus it's faster and more secure. From df172b962d40483d9d950bf988e9fef62ea62ad5 Mon Sep 17 00:00:00 2001 From: Jebtrix Date: Sat, 18 Aug 2018 09:57:24 -0400 Subject: [PATCH 15/26] Add option to generate random port in private port range (#229) --- openvpn-install.sh | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 046b319..df5b77d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -236,7 +236,27 @@ else read -rp "IP address: " -e -i $IP IP echo "" echo "What port do you want for OpenVPN?" - read -rp "Port: " -e -i 1194 PORT + echo " 1) Default: 1194" + echo " 2) Custom" + echo " 3) Random [49152-65535]" + until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do + read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE + done + case $PORT_CHOICE in + 1) + PORT="1194" + ;; + 2) + until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do + read -p "Custom port [1-65535]: " -e -i 1194 PORT + done + ;; + 3) + # Generate random number within private ports range + PORT=$(shuf -i49152-65535 -n1) + echo "Random Port: $PORT" + ;; + esac # If $IP is a private IP address, the server must be behind NAT if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then From a0267c994dbe42e543f9e085dedc35587e89cafd Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 18 Aug 2018 16:08:32 +0200 Subject: [PATCH 16/26] Fix License copyright holders --- LICENSE | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/LICENSE b/LICENSE index 5b44955..1727729 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,7 @@ -The MIT License (MIT) +MIT License -Copyright (c) 2016 Nyr, Angristan +Copyright (c) 2013 Nyr +Copyright (c) 2016 Angristan (Stanislas Lange) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in From 9ef0bbc47d1890c1e9795e8d4242888e35c423ac Mon Sep 17 00:00:00 2001 From: Angristan <11699655+Angristan@users.noreply.github.com> Date: Sat, 18 Aug 2018 19:40:07 +0200 Subject: [PATCH 17/26] Add password option for clients (#160) --- README.md | 1 + openvpn-install.sh | 38 +++++++++++++++++++++++++++++++++++--- 2 files changed, 36 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0a2a5cf..20fbac4 100644 --- a/README.md +++ b/README.md @@ -88,6 +88,7 @@ This fork includes the following features : - [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2) - Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories. - Randomized certificate name +- The ability to create passwordless clients and clients protected with a password - Other improvements ! ## DNS diff --git a/openvpn-install.sh b/openvpn-install.sh index df5b77d..2c0c173 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -113,12 +113,28 @@ if [[ -e /etc/openvpn/server.conf ]]; then case $option in 1) echo "" + echo "Do you want to protect the configuration file with a password?" + echo "(e.g. encrypt the private key with a password)" + echo " 1) Add a passwordless client" + echo " 2) Use a password for the client" + until [[ "$pass" =~ ^[1-2]$ ]]; do + read -rp "Select an option [1-2]: " -e -i 1 pass + done + echo "" echo "Tell me a name for the client cert" echo "Please, use one word only, no special characters" - read -rp "Client name: " -e -i newclient CLIENT + read -rp "Client name: " -e -i newclient CLIENT cd /etc/openvpn/easy-rsa/ || return - ./easyrsa build-client-full $CLIENT nopass + case $pass in + 1) + ./easyrsa build-client-full $CLIENT nopass + ;; + 2) + echo "⚠️ You will be asked for the client password below ⚠️" + ./easyrsa build-client-full $CLIENT + ;; + esac # Generates the custom client.ovpn newclient "$CLIENT" @@ -365,6 +381,14 @@ else ;; esac echo "" + echo "Do you want to protect the configuration file with a password?" + echo "(e.g. encrypt the private key with a password)" + echo " 1) Add a passwordless client" + echo " 2) Use a password for the client" + until [[ "$pass" =~ ^[1-2]$ ]]; do + read -rp "Select an option [1-2]: " -e -i 1 pass + done + echo "" echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" @@ -524,7 +548,15 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service ./easyrsa --batch build-ca nopass openssl dhparam -out dh.pem $DH_KEY_SIZE ./easyrsa build-server-full $SERVER_NAME nopass - ./easyrsa build-client-full $CLIENT nopass + case $pass in + 1) + ./easyrsa build-client-full $CLIENT nopass + ;; + 2) + echo "⚠️ You will be asked for the client password below ⚠️" + ./easyrsa build-client-full $CLIENT + ;; + esac EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # generate tls-auth key openvpn --genkey --secret /etc/openvpn/tls-auth.key From 47c86874dc00ff9d2c638cac2e00ee7333445bf9 Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 18 Aug 2018 19:55:36 +0200 Subject: [PATCH 18/26] Update check on the client's name input --- openvpn-install.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2c0c173..658f5a3 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -122,9 +122,11 @@ if [[ -e /etc/openvpn/server.conf ]]; then done echo "" echo "Tell me a name for the client cert" - echo "Please, use one word only, no special characters" + echo "Use one word only, no special characters" + until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do + read -rp "Client name: " -e CLIENT + done - read -rp "Client name: " -e -i newclient CLIENT cd /etc/openvpn/easy-rsa/ || return case $pass in 1) @@ -390,11 +392,9 @@ else done echo "" echo "Finally, tell me a name for the client certificate and configuration" - while [[ $CLIENT = "" ]]; do - echo "Please, use one word only, no special characters" - read -rp "Client name: " -e -i client CLIENT - # Remove special characters - CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r') + echo "Use one word only, no special characters" + until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do + read -rp "Client name: " -e CLIENT done echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" From 1b18e7f2a7c2104836c00572ee514a9751fe3cec Mon Sep 17 00:00:00 2001 From: Angristan Date: Sat, 18 Aug 2018 21:47:10 +0200 Subject: [PATCH 19/26] Re-add a default suggestion for the client name But only during the setup, not for additional clients --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 658f5a3..4db321d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -394,7 +394,7 @@ else echo "Finally, tell me a name for the client certificate and configuration" echo "Use one word only, no special characters" until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do - read -rp "Client name: " -e CLIENT + read -rp "Client name: " -e -i client CLIENT done echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" From d8d0bbb5dad57efd0b962d46bdaa7d0ed6319c85 Mon Sep 17 00:00:00 2001 From: Angristan Date: Wed, 22 Aug 2018 22:11:36 +0200 Subject: [PATCH 20/26] Add access logs (log-append) And move log files to /var/log/openvpn. Makes more sense and access logs can be very useful. --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4db321d..7eefd3d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -637,7 +637,8 @@ $CIPHER tls-server tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 -status openvpn.log +status /var/log/openvpn/status.log +log-append /var/log/openvpn/server.log verb 3" >> /etc/openvpn/server.conf # Create the sysctl configuration file if needed (mainly for Arch Linux) From 64f62cf8749ac074017c186a64b1d44e67cf51f4 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 23 Aug 2018 00:40:36 +0200 Subject: [PATCH 21/26] Remove log-append for now and create log dir See https://github.com/Angristan/OpenVPN-install/issues/275 --- openvpn-install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 7eefd3d..2de24c8 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -638,9 +638,11 @@ tls-server tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 status /var/log/openvpn/status.log -log-append /var/log/openvpn/server.log verb 3" >> /etc/openvpn/server.conf +# Create log dir +mkdir -p /var/log/openvpn + # Create the sysctl configuration file if needed (mainly for Arch Linux) if [[ ! -e $SYSCTL ]]; then touch $SYSCTL From c923ad1ea290ea656922b6a95f87ac85ce94c5bd Mon Sep 17 00:00:00 2001 From: Angristan Date: Fri, 24 Aug 2018 23:47:08 +0200 Subject: [PATCH 22/26] Remove link to the old script --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 20fbac4..1480e5f 100644 --- a/README.md +++ b/README.md @@ -268,6 +268,4 @@ You can [say thanks](https://saythanks.io/to/Angristan) if you want! Thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and of course Nyr's orginal work. -[Old repo](https://github.com/Angristan/OpenVPN-install-fork-old) - [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE) From ea40b45b52dfbd2dde753c5437bb8cec06012538 Mon Sep 17 00:00:00 2001 From: angristan Date: Sun, 2 Sep 2018 22:32:58 +0200 Subject: [PATCH 23/26] Fix /dev/urandom usage on unprivileged LXC containers Fixes https://github.com/angristan/openvpn-install/issues/280 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2de24c8..121a782 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -539,8 +539,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service rm -f ~/EasyRSA-3.0.4.tgz cd /etc/openvpn/easy-rsa/ || return # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name - SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" - SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" + SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" + SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars # Create the PKI, set up the CA, the DH params and the server + client certificates From 2997a7e8b6beede80c9386844fc3e5b19d34d8ce Mon Sep 17 00:00:00 2001 From: angristan Date: Wed, 5 Sep 2018 20:20:46 +0200 Subject: [PATCH 24/26] Remove "|| return" --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 121a782..a176779 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -127,7 +127,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then read -rp "Client name: " -e CLIENT done - cd /etc/openvpn/easy-rsa/ || return + cd /etc/openvpn/easy-rsa/ case $pass in 1) ./easyrsa build-client-full $CLIENT nopass @@ -163,7 +163,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) - cd /etc/openvpn/easy-rsa/ || return + cd /etc/openvpn/easy-rsa/ ./easyrsa --batch revoke $CLIENT EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl rm -f pki/reqs/$CLIENT.req @@ -537,7 +537,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/EasyRSA-3.0.4.tgz - cd /etc/openvpn/easy-rsa/ || return + cd /etc/openvpn/easy-rsa/ # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" From 4bf4257cf3e1583b5b38b112f8484d137e345543 Mon Sep 17 00:00:00 2001 From: angristan Date: Wed, 5 Sep 2018 20:26:33 +0200 Subject: [PATCH 25/26] Merge two mv commands --- openvpn-install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index a176779..df14a6f 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -533,8 +533,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service # Get easy-rsa wget -O ~/EasyRSA-3.0.4.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz tar xzf ~/EasyRSA-3.0.4.tgz -C ~/ - mv ~/EasyRSA-3.0.4/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ + mv ~/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/EasyRSA-3.0.4.tgz cd /etc/openvpn/easy-rsa/ From 30edb7b76979fae6e20f82d87b1d8dc056bdf3bf Mon Sep 17 00:00:00 2001 From: Stanislas Date: Fri, 7 Sep 2018 13:28:40 +0200 Subject: [PATCH 26/26] Update Vultr price --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1480e5f..eccb708 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Here is a preview of the installer : **You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit. -You can get a cheap VPS to run this script for $2.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5). +You can get a cheap VPS to run this script for $3.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/76yqW5). First, get the script and make it executable :