Fabio/openvpn-install
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: Fabio:master
Branches Tags
Fabio:master
Fabio:dependabot/github_actions/actions/checkout-3.5.2
Fabio:dependabot/github_actions/github/super-linter-5.0.0
Fabio:dependabot/github_actions/appleboy/ssh-action-0.1.10
Fabio:bash-good-pratices
..
compare: Fabio:bash-good-pratices
Branches Tags
Fabio:master
Fabio:dependabot/github_actions/actions/checkout-3.5.2
Fabio:dependabot/github_actions/github/super-linter-5.0.0
Fabio:dependabot/github_actions/appleboy/ssh-action-0.1.10
Fabio:bash-good-pratices

1 commit
master ... bash-good-

Author SHA1 Message Date
Stanislas Lange
c487eec4b0 Bash good practices 2020-04-16 14:03:08 +02:00
15 changed files with 581 additions and 963 deletions
Show stats Expand all files Collapse all files

3
.editorconfig
View file

@ -1,3 +0,0 @@
[*.sh]
indent_style = tab
indent_size = 4

5
.github/FUNDING.yml vendored
View file

@ -1,2 +1,3 @@
ko_fi: stanislas patreon: angristan
custom: https://coindrop.to/stanislas liberapay: angristan
ko_fi: angristan

13
.github/ISSUE_TEMPLATE.md vendored Normal file
View file

@ -0,0 +1,13 @@
<!---
Before opening an issue, please make sure:
- You installed OpenVPN with the latest version of the script
- You read the FAQ
- Your issue is about the script, NOT OpenVPN itself
- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
FYI, you can execute the script with `bash -x openvpn-install.sh` to enable debug mode.
You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
--->

6
.github/dependabot.yml vendored
View file

@ -1,6 +0,0 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"

10
.github/issue_template.md vendored
View file

@ -1,10 +0,0 @@
<!---
❗️ Please read ❗️
➡️ If you need help with OpenVPN itself, please use the community forums (https://forums.openvpn.net/) or Stack Overflow (https://stackoverflow.com/questions/tagged/openvpn)
➡️ For the script, prefer opening a discussion thread for help: https://github.com/angristan/openvpn-install/discussions
💡 It helps keep the issue tracker clean and focused on bugs and feature requests.
🙏 Please include as much information as possible, and make sure you're running the latest version of the script.
✍️ Please state the Linux distribution you're using and its version, as well as the OpenVPN version.
✋ For feature requests, remember that this script is meant to be simple and easy to use. If you want to add a lot of options, it's better to fork the project.
--->

1
.github/linters/.markdown-lint.yml vendored
View file

@ -1 +0,0 @@
{ "MD013": null, "MD045": null, "MD040": null, "MD036": null }

7
.github/pull_request_template.md vendored
View file

@ -1,7 +0,0 @@
<!---
❗️ Please read ❗️
➡️ Please make sure you've followed the guidelines: https://github.com/angristan/openvpn-install#contributing
✅ Please make sure your changes are tested and working
🗣️ Please avoid large PRs, and discuss changes in a GitHub issue first
✋ If the changes are too big and not in line with the project, they will probably be rejected. Remember that this script is meant to be simple and easy to use.
--->

14
.github/workflows/lint.yml vendored
View file

@ -1,14 +0,0 @@
on: [push, pull_request, workflow_dispatch]
name: Lint
jobs:
super-linter:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Lint Code Base
uses: github/super-linter@v4.1.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

11
.github/workflows/push.yml vendored Normal file
View file

@ -0,0 +1,11 @@
on: [push, pull_request]
name: ShellCheck
jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shellcheck
uses: ludeeus/action-shellcheck@0.0.1
with:
args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009

97
.github/workflows/test.yml vendored
View file

@ -1,97 +0,0 @@
on:
push:
branches:
- master
- ci
workflow_dispatch:
name: Test
jobs:
install:
runs-on: ubuntu-latest
if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan'
strategy:
matrix:
os-image:
- debian-11-x64
- debian-12-x64
- ubuntu-22-04-x64
- ubuntu-24-04-x64
- fedora-39-x64
- fedora-40-x64
# - centos-stream-9-x64 # yum oomkill
steps:
- uses: actions/checkout@v4
- name: Setup doctl
uses: digitalocean/action-doctl@v2
with:
token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
- name: Create server
run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait
- name: Get server ID
run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id')
id: server_id
- name: Move server to dedicated project
run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
- name: Wait for server to boot
run: sleep 90
- name: Get server IP
run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[] | select(.type == "'public'").ip_address')
id: server_ip
- name: Get server OS
run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1)
id: server_os
- name: Setup remote server (Debian/Ubuntu)
if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
uses: appleboy/ssh-action@v0.1.6
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && apt-get update && apt-get -o DPkg::Lock::Timeout=120 install -y git
- name: Setup remote server (Fedora)
if: steps.server_os.outputs.value == 'fedora'
uses: appleboy/ssh-action@v0.1.6
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && dnf install -y git
- name: Setup remote server (CentOS)
if: steps.server_os.outputs.value == 'centos'
uses: appleboy/ssh-action@v0.1.6
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && yum install -y git
- name: Download repo and checkout current commit
uses: appleboy/ssh-action@v0.1.6
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.sha }}
- name: Run openvpn-install.sh in headless mode
uses: appleboy/ssh-action@v0.1.6
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1'
- name: Delete server
run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}
if: always()

2
.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
.vagrant/
*.log

138
FAQ.md
View file

@ -10,46 +10,7 @@ You can, of course, it's even recommended, update the `openvpn` package with you
**Q:** How do I check for DNS leaks? **Q:** How do I check for DNS leaks?
**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). The DNS servers should be the ones you selected during the setup, not your IP address nor your ISP's DNS servers' addresses. **A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
---
**Q:** How do I fix DNS leaks?
**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
Debian 9, 10 and Ubuntu 16.04, 18.04
```
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```
Centos 6, 7
```
script-security 2
up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
```
Centos 8, Fedora 30, 31
```
script-security 2
up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
```
Arch Linux
```
script-security 2
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
```
--- ---
@ -69,107 +30,18 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s
**Q:** IPv6 is not working on my Hetzner VM **Q:** IPv6 is not working on my Hetzner VM
**A:** This an issue on their side. See <https://angristan.xyz/fix-ipv6-hetzner-cloud/> **A:** This an issue on their side. See https://angristan.xyz/fix-ipv6-hetzner-cloud/
--- ---
**Q:** DNS is not working on my Linux client **Q:** DNS is not working on my Linux client
**A:** See "How do I fix DNS leaks?" question **A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script
--- ---
**Q:** What syctl and iptables changes are made by the script? **Q:** How to setup openVPN in a LXC container? (f.e. Proxmox)
**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service` **A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox)
Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
--- ---
**Q:** How can I access other clients connected to the same OpenVPN server?
**A:** Add `client-to-client` to your `server.conf`
---
**Q:** My router can't connect
**A:**
- `Options error: No closing quotation (") in config.ovpn:46` :
type `yes` when asked to customize encryption settings and choose `tls-auth`
- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
see question "Can I use an OpenVPN 2.3 client?"
---
**Q:** How can I access computers the OpenVPN server's remote LAN?
**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
---
**Q:** How can I add multiple users in one go?
**A:** Here is a sample bash script to achieve this:
```sh
userlist=(user1 user2 user3)
for i in ${userlist[@]};do
MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh
done
```
From a list in a text file:
```sh
while read USER
do MENU_OPTION="1" CLIENT="$USER" PASS="1" ./openvpn-install.sh
done < users.txt
```
---
**Q:** How do I change the default `.ovpn` file created for future clients?
**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt`
---
**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet?
**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding
```sh
route-nopull
route 10.0.0.0 255.0.0.0
```
So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet.
---
**Q:** I have enabled IPv6 and my VPN client gets an IPv6 address. Why do I reach the websites or other dual-stacked destionations via IPv4 only?
**A:** This is because inside the tunnel you don't get a publicly routable IPv6 address, instead you get an ULA (Unlique Local Lan) address. Operating systems don't prefer this all the time. You can fix this in your operating system policies as it's unrelated to the VPN itself:
Windows (commands needs to run cmd.exe as Administrator):
```
netsh interface ipv6 add prefixpolicy fd00::/8 3 1
```
Linux:
edit `/etc/gai.conf` and uncomment the following line and also change its value to `1`:
```
label fc00::/7 1
```
This will not work properly unless you add you your VPN server `server.conf` one or two lines to push at least 1 (one) IPv6 DNS server. Most providers have IPv6 servers as well, add two more lines of `push "dhcp-option DNS <IPv6>"`

155
README.md
View file

@ -1,78 +1,11 @@
# openvpn-install Fabio
## Usage
First, get the script and make it executable:
```bash
curl -O https://forgit.patachina.it/Fabio/openvpn-install/raw/branch/master/openvpn-install.sh
chmod +x openvpn-install.sh
```
Then run it:
```sh
./openvpn-install.sh
```
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
When OpenVPN is installed, you can run the script again, and you will get the choice to:
Add a client
Remove a client
Uninstall OpenVPN
In your home directory, you will have .ovpn files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
if you change the port this installer change only the server if you use different port in your router port forwarder you have to change .opvn file and modify the port 1194 using the new
## Example:
in the OpenVPN use for example port 51194 and public router IP git.patachina.duckdns.org and local IP 192.168.1.4 you have to change also .ovpn file changing 1194 to 51194. In your router open a channel port forwarder with "external port 51194 and local 192.168.1.4 with port 51194"
Otherwise if you don't change .ovpn you have to set router open a channel port forwarder with "external port 1194 and local 192.168.1.4 with port 51194"
## How run
```bash
./openvpn-install.sh
Welcome to OpenVPN-install!
The git repository is available at: https://github.com/angristan/openvpn-install
It seems like OpenVPN is already installed.
What would you like to do?
1) Add a new user
2) Revoke an existing user
3) Remove OpenVPN
4) Exit
Select an option [1-4]:
```
# openvpn-install # openvpn-install
![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg)
[![Say Thanks!](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg)](https://saythanks.io/to/angristan)
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Arch Linux, Oracle Linux, Rocky Linux and AlmaLinux.
This script will let you setup your own secure VPN server in just a few seconds. This script will let you setup your own secure VPN server in just a few seconds.
You can also check out [wireguard-install](https://github.com/angristan/wireguard-install), a simple installer for a simpler, safer, faster and more modern VPN protocol. You can also check out [wireguard-install](https://github.com/angristan/wireguard-install), a simple installer for a simpler, safer, faster and more modern VPN protocol.
## What is this?
This script is meant to be run on your own server, whether it's a VPS or a dedicated server, or even a computer at home.
Once set up, you will be able to generate client configuration files for every device you want to connect.
Each client will be able to route its internet traffic through the server, fully encrypted.
```mermaid
graph LR
A[Phone] --> VPN
B[Laptop] --> VPN
C[Computer] --> VPN
VPN[OpenVPN Server]
VPN -->|Encrypted Traffic| I[Internet]
```
## Usage ## Usage
First, get the script and make it executable : First, get the script and make it executable :
@ -100,14 +33,15 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client. In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
If you have any question, head to the [FAQ](#faq) first. And if you need help, you can open a [discussion](https://github.com/angristan/openvpn-install/discussions). Please search existing issues and dicussions first. If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
### Headless install ### Headless install
It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner. It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
Example usage: Example usage:
```bash ```bash
AUTO_INSTALL=y ./openvpn-install.sh AUTO_INSTALL=y ./openvpn-install.sh
@ -138,14 +72,11 @@ Other variables can be set depending on your choice (encryption, compression). Y
Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA. Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
### Headless User Addition ### Headless User Addition
It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script. It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.
The following Bash script adds a new user `foo` to an existing OpenVPN configuration The following Bash script adds a new user `foo` to an existing OpenVPN configuration
```bash ```bash
#!/bin/bash #!/bin/bash
export MENU_OPTION="1" export MENU_OPTION="1"
@ -174,28 +105,28 @@ export PASS="1"
## Compatibility ## Compatibility
The script supports these Linux distributions: The script supports these OS and architectures:
| | Support | | | i386 | amd64 | armhf | arm64 |
| ------------------ | ------- | | -------------- | ---- | ----- | ----- | ----- |
| AlmaLinux 8 | ✅ | | Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
| Amazon Linux 2 | ✅ | | Arch Linux | ❔ | ✅ | ❔ | ✅ |
| Arch Linux | ✅ | | Centos 8 | ❌ | ✅ | ❔ | ❔ |
| CentOS 7 | ✅ | | CentOS 7 | ❔ | ✅ | ❌ | ✅ |
| CentOS Stream >= 8 | ✅ 🤖 | | Debian 8 | ✅ | ✅ | ❌ | ❌ |
| Debian >= 10 | ✅ 🤖 | | Debian 9 | ❌ | ✅ | ✅ | ✅ |
| Fedora >= 35 | ✅ 🤖 | | Debian 10 | ❔ | ✅ | ✅ | ❔ |
| Oracle Linux 8 | ✅ | | Fedora 27 | ❔ | ✅ | ❔ | ❔ |
| Rocky Linux 8 | ✅ | | Fedora 28 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu >= 18.04 | ✅ 🤖 | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ |
| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ |
To be noted: To be noted:
- The script is regularly tested against the distributions marked with a 🤖 only. - It should work on Debian 8+ and Ubuntu 16.04+. But versions not in the table above are not officially supported.
- It's only tested on `amd64` architecture.
- It should work on older versions such as Debian 8+, Ubuntu 16.04+ and previous Fedora releases. But versions not in the table above are not officially supported.
- It should also support versions between the LTS versions, but these are not tested.
- The script requires `systemd`. - The script requires `systemd`.
- The script is regularly tested against `amd64` only.
## Fork ## Fork
@ -211,9 +142,9 @@ More Q&A in [FAQ.md](FAQ.md).
**A:** I recommend these: **A:** I recommend these:
- [Vultr](https://www.vultr.com/?ref=8948982-8H): Worldwide locations, IPv6 support, starting at \$5/month - [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, Finland and USA. IPv6, 20 TB of traffic, starting at 4.5€/month - [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
- [Digital Ocean](https://m.do.co/c/ed0ba143fe53): Worldwide locations, IPv6 support, starting at \$4/month - [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
--- ---
@ -223,7 +154,7 @@ More Q&A in [FAQ.md](FAQ.md).
- Windows: [The official OpenVPN community client](https://openvpn.net/index.php/download/community-downloads.html). - Windows: [The official OpenVPN community client](https://openvpn.net/index.php/download/community-downloads.html).
- Linux: The `openvpn` package from your distribution. There is an [official APT repository](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Debian/Ubuntu based distributions. - Linux: The `openvpn` package from your distribution. There is an [official APT repository](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Debian/Ubuntu based distributions.
- macOS: [Tunnelblick](https://tunnelblick.net/), [Viscosity](https://www.sparklabs.com/viscosity/), [OpenVPN for Mac](https://openvpn.net/client-connect-vpn-for-mac-os/). - macOS: [Tunnelblick](https://tunnelblick.net/), [Viscosity](https://www.sparklabs.com/viscosity/).
- Android: [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn). - Android: [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn).
- iOS: [The official OpenVPN Connect client](https://itunes.apple.com/us/app/openvpn-connect/id590379981). - iOS: [The official OpenVPN Connect client](https://itunes.apple.com/us/app/openvpn-connect/id590379981).
@ -248,36 +179,22 @@ More Q&A in [FAQ.md](FAQ.md).
Solutions that provision a ready to use OpenVPN server based on this script in one go are available for: Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install) - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
- Terraform AWS module [`openvpn-ephemeral`](https://registry.terraform.io/modules/paulmarsicloud/openvpn-ephemeral/aws/latest)
## Contributing
## Discuss changes
Please open an issue before submitting a PR if you want to discuss a change, especially if it's a big one.
### Code formatting
We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
## Security and Encryption ## Security and Encryption
> **Warning**
> This has not been updated for OpenVPN 2.5 and later.
OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that. OpenVPN's default settings are pretty weak regarding encryption. This script aims to improve that.
OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt. OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA, ECDH, AES GCM, NCP and tls-crypt.
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete. If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file. Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
### Compression ### Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient. By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it. However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
### TLS version ### TLS version
@ -308,12 +225,13 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old
> The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. > The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
> >
> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See <https://community.openvpn.net/openvpn/wiki/SWEET32> for details. > Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See <https://sweet32.info/> for a much better and more elaborate explanation.
>Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
> >
> OpenVPN's default cipher, BF-CBC, is affected by this attack. > OpenVPN's default cipher, BF-CBC, is affected by this attack.
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](<https://en.wikipedia.org/wiki/Camellia_(cipher)>) are not vulnerable to date but are slower than AES and relatively less trusted. Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
> Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM. > Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
@ -332,7 +250,7 @@ The script supports the following ciphers:
And defaults to `AES-128-GCM`. And defaults to `AES-128-GCM`.
OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above. OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
### Control channel ### Control channel
@ -393,7 +311,6 @@ About `tls-crypt`:
> Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
> >
> Encrypting (and authenticating) control channel packets: > Encrypting (and authenticating) control channel packets:
>
> - provides more privacy by hiding the certificate used for the TLS connection, > - provides more privacy by hiding the certificate used for the TLS connection,
> - makes it harder to identify OpenVPN traffic as such, > - makes it harder to identify OpenVPN traffic as such,
> - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy). > - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
@ -406,14 +323,12 @@ The script supports both and uses `tls-crypt` by default.
## Say thanks ## Say thanks
You can [say thanks](https://saythanks.io/to/angristan) if you want! *Sadly saythanks.io doesn't exist anymore... Thanks for the dozens of messages! It's really meaninful to me.*
*Still want to help? Check the "sponsor" button at the top of the page!*
## Credits & Licence ## Credits & Licence
Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's original work. Many thanks to the [contributors](https://github.com/Angristan/OpenVPN-install/graphs/contributors) and Nyr's original work.
This project is under the [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE) This project is under the [MIT Licence](https://raw.githubusercontent.com/Angristan/openvpn-install/master/LICENSE)
## Star History
[![Star History Chart](https://api.star-history.com/svg?repos=angristan/openvpn-install&type=Date)](https://star-history.com/#angristan/openvpn-install&Date)

35
Vagrantfile vendored Normal file
View file

@ -0,0 +1,35 @@
# This Vagrantfile is used to test the script
# To run the script on all machines, export VAGRANT_AUTOSTART=true
autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
# else, run `vagrant up <hostname>`
machines = [
{ hostname: 'debian-10', box: 'debian/stretch64' },
{ hostname: 'debian-9', box: 'debian/stretch64' },
{ hostname: 'debian-8', box: 'debian/jessie64' },
{ hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
{ hostname: 'ubuntu-1804', box: 'ubuntu/xenial64' },
{ hostname: 'centos-7', box: 'centos/7' },
{ hostname: 'fedora-29', box: 'fedora/29-cloud-base' },
{ hostname: 'fedora-28', box: 'fedora/28-cloud-base' },
{ hostname: 'archlinux', box: 'archlinux/archlinux' }
]
Vagrant.configure('2') do |config|
machines.each do |machine|
config.vm.provider 'virtualbox' do |v|
v.memory = 1024
v.cpus = 2
end
config.vm.define machine[:hostname], autostart: autostart_machines do |machineconfig|
machineconfig.vm.hostname = machine[:hostname]
machineconfig.vm.box = machine[:box]
machineconfig.vm.provision 'shell', inline: <<-SHELL
AUTO_INSTALL=y /vagrant/openvpn-install.sh
ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1
SHELL
end
end
end

389
openvpn-install.sh
View file

@ -1,7 +1,7 @@
#!/bin/bash #!/usr/bin/env bash
# shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 set -euo pipefail
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Oracle Linux 8, Arch Linux, Rocky Linux and AlmaLinux. # Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
# https://github.com/angristan/openvpn-install # https://github.com/angristan/openvpn-install
function isRoot () { function isRoot () {
@ -19,64 +19,58 @@ function tunAvailable() {
function checkOS () { function checkOS () {
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
# shellcheck disable=SC1091
source /etc/os-release source /etc/os-release
if [[ $ID == "debian" || $ID == "raspbian" ]]; then if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
if [[ $VERSION_ID -lt 9 ]]; then if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
echo "⚠️ Your version of Debian is not supported." echo "⚠️ Your version of Debian is not supported."
echo "" echo ""
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk." echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
echo "Keep in mind they are not supported, though."
echo "" echo ""
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ $CONTINUE == "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
elif [[ $ID == "ubuntu" ]]; then elif [[ "$ID" == "ubuntu" ]];then
OS="ubuntu" OS="ubuntu"
MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1) if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then
if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
echo "⚠️ Your version of Ubuntu is not supported." echo "⚠️ Your version of Ubuntu is not supported."
echo "" echo ""
echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk." echo "However, if you're using Ubuntu > 17 or beta, then you can continue."
echo "Keep in mind they are not supported, though."
echo "" echo ""
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ $CONTINUE == "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
fi fi
elif [[ -e /etc/system-release ]]; then elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091
source /etc/os-release source /etc/os-release
if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then if [[ "$ID" == "fedora" ]]; then
OS="fedora" OS="fedora"
fi fi
if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then if [[ "$ID" == "centos" ]]; then
OS="centos" OS="centos"
if [[ ${VERSION_ID%.*} -lt 7 ]]; then if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported." echo "⚠️ Your version of CentOS is not supported."
echo "" echo ""
echo "The script only support CentOS 7 and CentOS 8." echo "The script only support CentOS 7."
echo "" echo ""
exit 1 exit 1
fi fi
fi fi
if [[ $ID == "ol" ]]; then if [[ "$ID" == "amzn" ]]; then
OS="oracle"
if [[ ! $VERSION_ID =~ (8) ]]; then
echo "Your version of Oracle Linux is not supported."
echo ""
echo "The script only support Oracle Linux 8."
exit 1
fi
fi
if [[ $ID == "amzn" ]]; then
OS="amzn" OS="amzn"
if [[ $VERSION_ID != "2" ]]; then if [[ ! $VERSION_ID == "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported." echo "⚠️ Your version of Amazon Linux is not supported."
echo "" echo ""
echo "The script only support Amazon Linux 2." echo "The script only support Amazon Linux 2."
@ -87,7 +81,7 @@ function checkOS() {
elif [[ -e /etc/arch-release ]]; then elif [[ -e /etc/arch-release ]]; then
OS=arch OS=arch
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2, Oracle Linux 8 or Arch Linux system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
exit 1 exit 1
fi fi
} }
@ -105,10 +99,9 @@ function initialCheck() {
} }
function installUnbound () { function installUnbound () {
# If Unbound isn't installed, install it
if [[ ! -e /etc/unbound/unbound.conf ]]; then if [[ ! -e /etc/unbound/unbound.conf ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
apt-get install -y unbound apt-get install -y unbound
# Configuration # Configuration
@ -119,7 +112,7 @@ hide-version: yes
use-caps-for-id: yes use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf prefetch: yes' >> /etc/unbound/unbound.conf
elif [[ $OS =~ (centos|amzn|oracle) ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum install -y unbound yum install -y unbound
# Configuration # Configuration
@ -129,7 +122,7 @@ prefetch: yes' >>/etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ $OS == "fedora" ]]; then elif [[ "$OS" == "fedora" ]]; then
dnf install -y unbound dnf install -y unbound
# Configuration # Configuration
@ -139,15 +132,13 @@ prefetch: yes' >>/etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ $OS == "arch" ]]; then elif [[ "$OS" == "arch" ]]; then
pacman -Syu --noconfirm unbound pacman -Syu --noconfirm unbound
# Get root servers list # Get root servers list
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
fi
echo 'server: echo 'server:
use-syslog: yes use-syslog: yes
@ -168,16 +159,9 @@ prefetch: yes' >>/etc/unbound/unbound.conf
prefetch: yes' > /etc/unbound/unbound.conf prefetch: yes' > /etc/unbound/unbound.conf
fi fi
# IPv6 DNS for all OS if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'interface: fd42:42:42:42::1
access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf
fi
if [[ ! $OS =~ (fedora|centos|amzn|oracle) ]]; then
# DNS Rebinding fix # DNS Rebinding fix
echo "private-address: 10.0.0.0/8 echo "private-address: 10.0.0.0/8
private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12 private-address: 172.16.0.0/12
private-address: 192.168.0.0/16 private-address: 192.168.0.0/16
private-address: 169.254.0.0/16 private-address: 169.254.0.0/16
@ -198,7 +182,6 @@ hide-version: yes
use-caps-for-id: yes use-caps-for-id: yes
prefetch: yes prefetch: yes
private-address: 10.0.0.0/8 private-address: 10.0.0.0/8
private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12 private-address: 172.16.0.0/12
private-address: 192.168.0.0/16 private-address: 192.168.0.0/16
private-address: 169.254.0.0/16 private-address: 169.254.0.0/16
@ -206,55 +189,12 @@ private-address: fd00::/8
private-address: fe80::/10 private-address: fe80::/10
private-address: 127.0.0.0/8 private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'interface: fd42:42:42:42::1
access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
fi
fi fi
systemctl enable unbound systemctl enable unbound
systemctl restart unbound systemctl restart unbound
} }
function resolvePublicIP() {
# IP version flags, we'll use as default the IPv4
CURL_IP_VERSION_FLAG="-4"
DIG_IP_VERSION_FLAG="-4"
# Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
if [[ $IPV6_SUPPORT == "y" ]]; then
CURL_IP_VERSION_FLAG=""
DIG_IP_VERSION_FLAG="-6"
fi
# If there is no public ip yet, we'll try to solve it using: https://api.seeip.org
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.seeip.org 2>/dev/null)
fi
# If there is no public ip yet, we'll try to solve it using: https://ifconfig.me
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://ifconfig.me 2>/dev/null)
fi
# If there is no public ip yet, we'll try to solve it using: https://api.ipify.org
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(curl -f -m 5 -sS --retry 2 --retry-connrefused "$CURL_IP_VERSION_FLAG" https://api.ipify.org 2>/dev/null)
fi
# If there is no public ip yet, we'll try to solve it using: ns1.google.com
if [[ -z $PUBLIC_IP ]]; then
PUBLIC_IP=$(dig $DIG_IP_VERSION_FLAG TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
fi
if [[ -z $PUBLIC_IP ]]; then
echo >&2 echo "Couldn't solve the public IP"
exit 1
fi
echo "$PUBLIC_IP"
}
function installQuestions () { function installQuestions () {
echo "Welcome to the OpenVPN installer!" echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "The git repository is available at: https://github.com/angristan/openvpn-install"
@ -267,12 +207,7 @@ function installQuestions() {
echo "Unless your server is behind NAT, it should be your public IPv4 address." echo "Unless your server is behind NAT, it should be your public IPv4 address."
# Detect public IPv4 address and pre-fill for the user # Detect public IPv4 address and pre-fill for the user
IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1) IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ -z $IP ]]; then
# Detect public IPv6 address
IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
fi
APPROVE_IP=${APPROVE_IP:-n} APPROVE_IP=${APPROVE_IP:-n}
if [[ $APPROVE_IP =~ n ]]; then if [[ $APPROVE_IP =~ n ]]; then
read -rp "IP address: " -e -i "$IP" IP read -rp "IP address: " -e -i "$IP" IP
@ -282,13 +217,8 @@ function installQuestions() {
echo "" echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
echo "We need it for the clients to connect to the server." echo "We need it for the clients to connect to the server."
until [[ "$ENDPOINT" != "" ]]; do
if [[ -z $ENDPOINT ]]; then read -rp "Public IPv4 address or hostname: " -e ENDPOINT
DEFAULT_ENDPOINT=$(resolvePublicIP)
fi
until [[ $ENDPOINT != "" ]]; do
read -rp "Public IPv4 address or hostname: " -e -i "$DEFAULT_ENDPOINT" ENDPOINT
done done
fi fi
@ -318,7 +248,7 @@ function installQuestions() {
echo " 1) Default: 1194" echo " 1) Default: 1194"
echo " 2) Custom" echo " 2) Custom"
echo " 3) Random [49152-65535]" echo " 3) Random [49152-65535]"
until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done done
case $PORT_CHOICE in case $PORT_CHOICE in
@ -326,7 +256,7 @@ function installQuestions() {
PORT="1194" PORT="1194"
;; ;;
2) 2)
until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
read -rp "Custom port [1-65535]: " -e -i 1194 PORT read -rp "Custom port [1-65535]: " -e -i 1194 PORT
done done
;; ;;
@ -341,7 +271,7 @@ function installQuestions() {
echo "UDP is faster. Unless it is not available, you shouldn't use TCP." echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
echo " 1) UDP" echo " 1) UDP"
echo " 2) TCP" echo " 2) TCP"
until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
done done
case $PROTOCOL_CHOICE in case $PROTOCOL_CHOICE in
@ -367,8 +297,8 @@ function installQuestions() {
echo " 11) AdGuard DNS (Anycast: worldwide)" echo " 11) AdGuard DNS (Anycast: worldwide)"
echo " 12) NextDNS (Anycast: worldwide)" echo " 12) NextDNS (Anycast: worldwide)"
echo " 13) Custom" echo " 13) Custom"
until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
read -rp "DNS [1-12]: " -e -i 11 DNS read -rp "DNS [1-12]: " -e -i 3 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo "" echo ""
echo "Unbound is already installed." echo "Unbound is already installed."
@ -386,19 +316,19 @@ function installQuestions() {
unset CONTINUE unset CONTINUE
fi fi
elif [[ $DNS == "13" ]]; then elif [[ $DNS == "13" ]]; then
until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Primary DNS: " -e DNS1 read -rp "Primary DNS: " -e DNS1
done done
until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Secondary DNS (optional): " -e DNS2 read -rp "Secondary DNS (optional): " -e DNS2
if [[ $DNS2 == "" ]]; then if [[ "$DNS2" == "" ]]; then
break break
fi fi
done done
fi fi
done done
echo "" echo ""
echo "Do you want to use compression? It is not recommended since the VORACLE attack makes use of it." echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done done
@ -450,7 +380,7 @@ function installQuestions() {
echo " 4) AES-128-CBC" echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC" echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC" echo " 6) AES-256-CBC"
until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
done done
case $CIPHER_CHOICE in case $CIPHER_CHOICE in
@ -508,7 +438,7 @@ function installQuestions() {
echo " 1) 2048 bits (recommended)" echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits" echo " 2) 3072 bits"
echo " 3) 4096 bits" echo " 3) 4096 bits"
until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
done done
case $RSA_KEY_SIZE_CHOICE in case $RSA_KEY_SIZE_CHOICE in
@ -593,7 +523,7 @@ function installQuestions() {
echo " 1) 2048 bits (recommended)" echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits" echo " 2) 3072 bits"
echo " 3) 4096 bits" echo " 3) 4096 bits"
until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
done done
case $DH_KEY_SIZE_CHOICE in case $DH_KEY_SIZE_CHOICE in
@ -611,9 +541,9 @@ function installQuestions() {
esac esac
echo "" echo ""
# The "auth" options behaves differently with AEAD ciphers # The "auth" options behaves differently with AEAD ciphers
if [[ $CIPHER =~ CBC$ ]]; then if [[ "$CIPHER" =~ CBC$ ]]; then
echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel." echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
elif [[ $CIPHER =~ GCM$ ]]; then elif [[ "$CIPHER" =~ GCM$ ]]; then
echo "The digest algorithm authenticates tls-auth packets from the control channel." echo "The digest algorithm authenticates tls-auth packets from the control channel."
fi fi
echo "Which digest algorithm do you want to use for HMAC?" echo "Which digest algorithm do you want to use for HMAC?"
@ -667,69 +597,61 @@ function installOpenVPN() {
PASS=${PASS:-1} PASS=${PASS:-1}
CONTINUE=${CONTINUE:-y} CONTINUE=${CONTINUE:-y}
if [[ -z $ENDPOINT ]]; then # Behind NAT, we'll default to the publicly reachable IPv4.
ENDPOINT=$(resolvePublicIP) PUBLIC_IPV4=$(curl ifconfig.co)
fi ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4}
fi fi
# Run setup questions first, and set other variables if auto-install # Run setup questions first, and set other variales if auto-install
installQuestions installQuestions
# Get the "public" interface from the default route # Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
fi fi
# $NIC can not be empty for script rm-openvpn-rules.sh # $NIC can not be empty for script rm-openvpn-rules.sh
if [[ -z $NIC ]]; then if [[ -z "$NIC" ]]; then
echo echo
echo "Can not detect public interface." echo "Can not detect public interface."
echo "This needs for setup MASQUERADE." echo "This needs for setup MASQUERADE."
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ $CONTINUE == "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
# If OpenVPN isn't installed yet, install it. This script is more-or-less if [[ "$OS" =~ (debian|ubuntu) ]]; then
# idempotent on multiple runs, but will only install OpenVPN from upstream
# the first time.
if [[ ! -e /etc/openvpn/server.conf ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update apt-get update
apt-get -y install ca-certificates gnupg apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
if [[ $VERSION_ID == "16.04" ]]; then if [[ "$VERSION_ID" == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
if [[ "$VERSION_ID" == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
apt-get install -y openvpn iptables openssl wget ca-certificates curl apt-get install -y openvpn iptables openssl wget ca-certificates curl
elif [[ $OS == 'centos' ]]; then elif [[ "$OS" == 'centos' ]]; then
yum install -y epel-release yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
elif [[ $OS == 'oracle' ]]; then elif [[ "$OS" == 'amzn' ]]; then
yum install -y oracle-epel-release-el8
yum-config-manager --enable ol8_developer_EPEL
yum install -y openvpn iptables openssl wget ca-certificates curl tar policycoreutils-python-utils
elif [[ $OS == 'amzn' ]]; then
amazon-linux-extras install -y epel amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ $OS == 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils dnf install -y openvpn iptables openssl wget ca-certificates curl
elif [[ $OS == 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
# Install required dependencies and upgrade the system # Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
fi
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
@ -738,13 +660,18 @@ function installOpenVPN() {
NOGROUP=nobody NOGROUP=nobody
fi fi
# Install the latest version of easy-rsa from source, if not already installed. # An old version of easy-rsa was available by default in some openvpn packages
if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
local version="3.1.2" rm -rf /etc/openvpn/easy-rsa/
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz fi
mkdir -p /etc/openvpn/easy-rsa
tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa # Install the latest version of easy-rsa from source
rm -f ~/easy-rsa.tgz local version="3.0.6"
wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz
tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/
mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa
chown -R root:root /etc/openvpn/easy-rsa/
rm -f ~/EasyRSA-unix-v${version}.tgz
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
case $CERT_TYPE in case $CERT_TYPE in
@ -759,20 +686,24 @@ function installOpenVPN() {
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_CN" >SERVER_CN_GENERATED
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_NAME" >SERVER_NAME_GENERATED echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Create the PKI, set up the CA, the DH params and the server certificate # Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki ./easyrsa init-pki
EASYRSA_CA_EXPIRE=3650 ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass
# Workaround to remove unharmful error until easy-rsa 3.0.7
# https://github.com/OpenVPN/easy-rsa/issues/261
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then if [[ $DH_TYPE == "2" ]]; then
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand # ECDH keys are generated on-the-fly so we don't need to generate them beforehand
openssl dhparam -out dh.pem $DH_KEY_SIZE openssl dhparam -out dh.pem $DH_KEY_SIZE
fi fi
EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-server-full "$SERVER_NAME" nopass ./easyrsa build-server-full "$SERVER_NAME" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
case $TLS_SIG in case $TLS_SIG in
@ -785,12 +716,6 @@ function installOpenVPN() {
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/tls-auth.key
;; ;;
esac esac
else
# If easy-rsa is already installed, grab the generated SERVER_NAME
# for client configs
cd /etc/openvpn/easy-rsa/ || return
SERVER_NAME=$(cat SERVER_NAME_GENERATED)
fi
# Move all the generated files # Move all the generated files
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
@ -803,9 +728,9 @@ function installOpenVPN() {
# Generate server.conf # Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf echo "port $PORT" > /etc/openvpn/server.conf
if [[ $IPV6_SUPPORT == 'n' ]]; then if [[ "$IPV6_SUPPORT" == 'n' ]]; then
echo "proto $PROTOCOL" >> /etc/openvpn/server.conf echo "proto $PROTOCOL" >> /etc/openvpn/server.conf
elif [[ $IPV6_SUPPORT == 'y' ]]; then elif [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf
fi fi
@ -830,18 +755,12 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
RESOLVCONF='/etc/resolv.conf' RESOLVCONF='/etc/resolv.conf'
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
fi
done done
;; ;;
2) # Self-hosted DNS resolver (Unbound) 2) # Self-hosted DNS resolver (Unbound)
echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
fi
;; ;;
3) # Cloudflare 3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
@ -876,8 +795,8 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
;; ;;
11) # AdGuard DNS 11) # AdGuard DNS
echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;; ;;
12) # NextDNS 12) # NextDNS
echo 'push "dhcp-option DNS 45.90.28.167"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 45.90.28.167"' >> /etc/openvpn/server.conf
@ -885,7 +804,7 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
;; ;;
13) # Custom DNS 13) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
if [[ $DNS2 != "" ]]; then if [[ "$DNS2" != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
fi fi
;; ;;
@ -893,7 +812,7 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
# IPv6 network settings if needed # IPv6 network settings if needed
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112 echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6 tun-ipv6
push tun-ipv6 push tun-ipv6
@ -914,7 +833,7 @@ push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
case $TLS_SIG in case $TLS_SIG in
1) 1)
echo "tls-crypt tls-crypt.key" >>/etc/openvpn/server.conf echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
;; ;;
2) 2)
echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
@ -941,9 +860,9 @@ verb 3" >>/etc/openvpn/server.conf
mkdir -p /var/log/openvpn mkdir -p /var/log/openvpn
# Enable routing # Enable routing
echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-openvpn.conf echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
fi fi
# Apply sysctl rules # Apply sysctl rules
sysctl --system sysctl --system
@ -951,14 +870,14 @@ verb 3" >>/etc/openvpn/server.conf
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ $PORT != '1194' ]]; then if [[ "$PORT" != '1194' ]]; then
semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT" semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi fi
fi fi
fi fi
# Finally, restart and enable OpenVPN # Finally, restart and enable OpenVPN
if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' || $OS == 'oracle' ]]; then if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then
# Don't modify package-provided service # Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@ -966,11 +885,15 @@ verb 3" >>/etc/openvpn/server.conf
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
# Another workaround to keep using /etc/openvpn/ # Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
if [[ "$OS" == "fedora" ]];then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi
systemctl daemon-reload systemctl daemon-reload
systemctl enable openvpn-server@server systemctl enable openvpn-server@server
systemctl restart openvpn-server@server systemctl restart openvpn-server@server
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo # On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service # This package uses a sysvinit service
systemctl enable openvpn systemctl enable openvpn
@ -1004,12 +927,11 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
fi fi
# Script to remove rules # Script to remove rules
@ -1020,12 +942,11 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
fi fi
chmod +x /etc/iptables/add-openvpn-rules.sh chmod +x /etc/iptables/add-openvpn-rules.sh
@ -1052,16 +973,16 @@ WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
systemctl start iptables-openvpn systemctl start iptables-openvpn
# If the server is behind a NAT, use the correct IP address for the clients to connect to # If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ $ENDPOINT != "" ]]; then if [[ "$ENDPOINT" != "" ]]; then
IP=$ENDPOINT IP=$ENDPOINT
fi fi
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt echo "client" > /etc/openvpn/client-template.txt
if [[ $PROTOCOL == 'udp' ]]; then if [[ "$PROTOCOL" == 'udp' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt echo "proto udp" >> /etc/openvpn/client-template.txt
echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt
elif [[ $PROTOCOL == 'tcp' ]]; then elif [[ "$PROTOCOL" == 'tcp' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt echo "proto tcp-client" >> /etc/openvpn/client-template.txt
fi fi
echo "remote $IP $PORT echo "remote $IP $PORT
@ -1078,7 +999,6 @@ cipher $CIPHER
tls-client tls-client
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >> /etc/openvpn/client-template.txt verb 3" >> /etc/openvpn/client-template.txt
@ -1094,9 +1014,9 @@ verb 3" >>/etc/openvpn/client-template.txt
function newClient () { function newClient () {
echo "" echo ""
echo "Tell me a name for the client." echo "Tell me a name for the client."
echo "The name must consist of alphanumeric character. It may also include an underscore or a dash." echo "Use one word only, no special characters."
until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
read -rp "Client name: " -e CLIENT read -rp "Client name: " -e CLIENT
done done
@ -1106,43 +1026,27 @@ function newClient() {
echo " 1) Add a passwordless client" echo " 1) Add a passwordless client"
echo " 2) Use a password for the client" echo " 2) Use a password for the client"
until [[ $PASS =~ ^[1-2]$ ]]; do until [[ "$PASS" =~ ^[1-2]$ ]]; do
read -rp "Select an option [1-2]: " -e -i 1 PASS read -rp "Select an option [1-2]: " -e -i 1 PASS
done done
CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
if [[ $CLIENTEXISTS == '1' ]]; then
echo ""
echo "The specified client CN was already found in easy-rsa, please choose another name."
exit
else
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
case $PASS in case $PASS in
1) 1)
EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT" nopass ./easyrsa build-client-full "$CLIENT" nopass
;; ;;
2) 2)
echo "⚠️ You will be asked for the client password below ⚠️" echo "⚠️ You will be asked for the client password below ⚠️"
EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$CLIENT" ./easyrsa build-client-full "$CLIENT"
;; ;;
esac esac
echo "Client $CLIENT added."
fi
# Home directory of the user, where the client configuration will be written # Home directory of the user, where the client configuration (.ovpn) will be written
if [ -e "/home/${CLIENT}" ]; then if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
# if $1 is a user name homeDir="/home/$CLIENT"
homeDir="/home/${CLIENT}" elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
elif [ "${SUDO_USER}" ]; then
# if not, use SUDO_USER
if [ "${SUDO_USER}" == "root" ]; then
# If running sudo as root
homeDir="/root"
else
homeDir="/home/${SUDO_USER}" homeDir="/home/${SUDO_USER}"
fi else # if not SUDO_USER, use /root
else
# if not SUDO_USER, use /root
homeDir="/root" homeDir="/root"
fi fi
@ -1161,7 +1065,7 @@ function newClient() {
echo "</ca>" echo "</ca>"
echo "<cert>" echo "<cert>"
awk '/BEGIN/,/END CERTIFICATE/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt" awk '/BEGIN/,/END/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
echo "</cert>" echo "</cert>"
echo "<key>" echo "<key>"
@ -1184,7 +1088,7 @@ function newClient() {
} >> "$homeDir/$CLIENT.ovpn" } >> "$homeDir/$CLIENT.ovpn"
echo "" echo ""
echo "The configuration file has been written to $homeDir/$CLIENT.ovpn." echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn."
echo "Download the .ovpn file and import it in your OpenVPN client." echo "Download the .ovpn file and import it in your OpenVPN client."
exit 0 exit 0
@ -1192,7 +1096,7 @@ function newClient() {
function revokeClient () { function revokeClient () {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ $NUMBEROFCLIENTS == '0' ]]; then if [[ "$NUMBEROFCLIENTS" == '0' ]]; then
echo "" echo ""
echo "You have no existing clients!" echo "You have no existing clients!"
exit 1 exit 1
@ -1201,24 +1105,26 @@ function revokeClient() {
echo "" echo ""
echo "Select the existing client certificate you want to revoke" echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do if [[ "$NUMBEROFCLIENTS" == '1' ]]; then
if [[ $CLIENTNUMBER == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER read -rp "Select one client [1]: " CLIENTNUMBER
else else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi fi
done
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke "$CLIENT" ./easyrsa --batch revoke "$CLIENT"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Cleanup
rm -f "pki/reqs/$CLIENT.req"
rm -f "pki/private/$CLIENT.key"
rm -f "pki/issued/$CLIENT.crt"
rm -f /etc/openvpn/crl.pem rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
rm -f "/root/$CLIENT.ovpn" rm -f "/root/$CLIENT.ovpn"
sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt
cp /etc/openvpn/easy-rsa/pki/index.txt{,.bk}
echo "" echo ""
echo "Certificate for client $CLIENT revoked." echo "Certificate for client $CLIENT revoked."
@ -1235,17 +1141,17 @@ function removeUnbound() {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done done
if [[ $REMOVE_UNBOUND == 'y' ]]; then if [[ "$REMOVE_UNBOUND" == 'y' ]]; then
# Stop Unbound # Stop Unbound
systemctl stop unbound systemctl stop unbound
if [[ $OS =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
apt-get remove --purge -y unbound apt-get autoremove --purge -y unbound
elif [[ $OS == 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
pacman --noconfirm -R unbound pacman --noconfirm -R unbound
elif [[ $OS =~ (centos|amzn|oracle) ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y unbound yum remove -y unbound
elif [[ $OS == 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf remove -y unbound dnf remove -y unbound
fi fi
@ -1262,19 +1168,19 @@ function removeUnbound() {
function removeOpenVPN () { function removeOpenVPN () {
echo "" echo ""
# shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ $REMOVE == 'y' ]]; then if [[ "$REMOVE" == 'y' ]]; then
# Get OpenVPN port from the configuration # Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
# Stop OpenVPN # Stop OpenVPN
if [[ $OS =~ (fedora|arch|centos|oracle) ]]; then if [[ "$OS" =~ (fedora|arch|centos) ]]; then
systemctl disable openvpn-server@server systemctl disable openvpn-server@server
systemctl stop openvpn-server@server systemctl stop openvpn-server@server
# Remove customised service # Remove customised service
rm /etc/systemd/system/openvpn-server@.service rm /etc/systemd/system/openvpn-server@.service
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
systemctl disable openvpn systemctl disable openvpn
systemctl stop openvpn systemctl stop openvpn
else else
@ -1296,23 +1202,23 @@ function removeOpenVPN() {
# SELinux # SELinux
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ $PORT != '1194' ]]; then if [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT" semanage port -d -t openvpn_port_t -p udp "$PORT"
fi fi
fi fi
fi fi
if [[ $OS =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
apt-get remove --purge -y openvpn apt-get autoremove --purge -y openvpn
if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then
rm /etc/apt/sources.list.d/openvpn.list rm /etc/apt/sources.list.d/openvpn.list
apt-get update apt-get update
fi fi
elif [[ $OS == 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
pacman --noconfirm -R openvpn pacman --noconfirm -R openvpn
elif [[ $OS =~ (centos|amzn|oracle) ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y openvpn yum remove -y openvpn
elif [[ $OS == 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf remove -y openvpn dnf remove -y openvpn
fi fi
@ -1321,7 +1227,7 @@ function removeOpenVPN() {
find /root/ -maxdepth 1 -name "*.ovpn" -delete find /root/ -maxdepth 1 -name "*.ovpn" -delete
rm -rf /etc/openvpn rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn* rm -rf /usr/share/doc/openvpn*
rm -f /etc/sysctl.d/99-openvpn.conf rm -f /etc/sysctl.d/20-openvpn.conf
rm -rf /var/log/openvpn rm -rf /var/log/openvpn
# Unbound # Unbound
@ -1337,6 +1243,7 @@ function removeOpenVPN() {
} }
function manageMenu () { function manageMenu () {
clear
echo "Welcome to OpenVPN-install!" echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo "" echo ""
@ -1347,7 +1254,7 @@ function manageMenu() {
echo " 2) Revoke existing user" echo " 2) Revoke existing user"
echo " 3) Remove OpenVPN" echo " 3) Remove OpenVPN"
echo " 4) Exit" echo " 4) Exit"
until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do
read -rp "Select an option [1-4]: " MENU_OPTION read -rp "Select an option [1-4]: " MENU_OPTION
done done
@ -1371,7 +1278,7 @@ function manageMenu() {
initialCheck initialCheck
# Check if OpenVPN is already installed # Check if OpenVPN is already installed
if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then if [[ -e /etc/openvpn/server.conf ]]; then
manageMenu manageMenu
else else
installOpenVPN installOpenVPN