diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..b4d9ec4
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,3 @@
+[*.sh]
+indent_style = tab
+indent_size = 4
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
index 7d1aa44..42b3ecb 100644
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -1,3 +1,5 @@
-patreon: angristan
-liberapay: angristan
-ko_fi: angristan
+patreon: stanislas
+liberapay: stanislas
+ko_fi: stanislas
+github: angristan
+custom: https://coindrop.to/stanislas
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
deleted file mode 100644
index 617414b..0000000
--- a/.github/ISSUE_TEMPLATE.md
+++ /dev/null
@@ -1,13 +0,0 @@
-
diff --git a/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
new file mode 100644
index 0000000..93b6be9
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md
@@ -0,0 +1,35 @@
+---
+name: Bug report / Support request
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**⚠️ Unless you are sure you find a bug with the script, please open a [discussion](https://github.com/angristan/openvpn-install/discussions) instead of an issue!**
+
+**Checklist**
+
+- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
+- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
+- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
+- [ ] I searched the [discussion](https://github.com/angristan/openvpn-install/discussions)
+- [ ] My issue is about the script, and not OpenVPN itself
+
+
+
+Pease include as much details as possible in your issue:
+
+- Description of the issue
+- How to reproduce the issue
+- What did you expected should happen
+- Logs
+- Server/Client versions (OS, OpenVPN, etc)
+- Any context or information that could help
+
+---
+
+
diff --git a/.github/ISSUE_TEMPLATE/feature-request.md b/.github/ISSUE_TEMPLATE/feature-request.md
new file mode 100644
index 0000000..e5dd037
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/feature-request.md
@@ -0,0 +1,31 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Checklist**
+
+- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
+- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
+- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
+- [ ] My issue is about the script, and not OpenVPN itself
+
+
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8ac6b8c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "monthly"
diff --git a/.github/linters/.markdown-lint.yml b/.github/linters/.markdown-lint.yml
new file mode 100644
index 0000000..68d1fdf
--- /dev/null
+++ b/.github/linters/.markdown-lint.yml
@@ -0,0 +1 @@
+{ 'MD013': null, 'MD045': null, 'MD040': null, 'MD036': null }
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..fa26b23
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,14 @@
+on: [push, pull_request]
+
+name: Lint
+
+jobs:
+ super-linter:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2.3.4
+ - name: Lint Code Base
+ uses: github/super-linter@v4.1.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
deleted file mode 100644
index f1a5ccb..0000000
--- a/.github/workflows/push.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-on: push
-name: ShellCheck
-jobs:
- shellcheck:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@master
- - name: shellcheck
- uses: ludeeus/action-shellcheck@0.0.1
- with:
- args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..ce068a1
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,97 @@
+on:
+ push:
+ branches:
+ - master
+
+name: Test
+jobs:
+ install:
+ runs-on: ubuntu-latest
+ if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan'
+ strategy:
+ matrix:
+ os-image:
+ - debian-9-x64
+ - debian-10-x64
+ - ubuntu-16-04-x64
+ - ubuntu-18-04-x64
+ - ubuntu-20-04-x64
+ - fedora-32-x64
+ - fedora-33-x64
+ - centos-7-x64
+ - centos-8-x64
+ steps:
+ - uses: actions/checkout@v2.3.4
+
+ - name: Setup doctl
+ uses: digitalocean/action-doctl@v2
+ with:
+ token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
+
+ - name: Create server
+ run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait
+
+ - name: Get server ID
+ run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id')
+ id: server_id
+
+ - name: Move server to dedicated project
+ run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
+
+ - name: Wait for server to boot
+ run: sleep 90
+
+ - name: Get server IP
+ run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[] | select(.type == "'public'").ip_address')
+ id: server_ip
+
+ - name: Get server OS
+ run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1)
+ id: server_os
+
+ - name: Setup remote server (Debian/Ubuntu)
+ if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
+ uses: appleboy/ssh-action@v0.1.4
+ with:
+ host: ${{ steps.server_ip.outputs.value }}
+ username: root
+ key: ${{ secrets.SSH_KEY }}
+ script: set -x && apt-get update && apt-get install -y git
+
+ - name: Setup remote server (Fedora)
+ if: steps.server_os.outputs.value == 'fedora'
+ uses: appleboy/ssh-action@v0.1.4
+ with:
+ host: ${{ steps.server_ip.outputs.value }}
+ username: root
+ key: ${{ secrets.SSH_KEY }}
+ script: set -x && dnf install -y git
+
+ - name: Setup remote server (CentOS)
+ if: steps.server_os.outputs.value == 'centos'
+ uses: appleboy/ssh-action@v0.1.4
+ with:
+ host: ${{ steps.server_ip.outputs.value }}
+ username: root
+ key: ${{ secrets.SSH_KEY }}
+ script: set -x && yum install -y git
+
+ - name: Download repo and checkout current commit
+ uses: appleboy/ssh-action@v0.1.4
+ with:
+ host: ${{ steps.server_ip.outputs.value }}
+ username: root
+ key: ${{ secrets.SSH_KEY }}
+ script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
+
+ - name: Run openvpn-install.sh in headless mode
+ uses: appleboy/ssh-action@v0.1.4
+ with:
+ host: ${{ steps.server_ip.outputs.value }}
+ username: root
+ key: ${{ secrets.SSH_KEY }}
+ script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1'
+
+ - name: Delete server
+ run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}
+ if: always()
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 73ab2cf..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-.vagrant/
-*.log
diff --git a/FAQ.md b/FAQ.md
new file mode 100644
index 0000000..825a9ba
--- /dev/null
+++ b/FAQ.md
@@ -0,0 +1,153 @@
+# FAQ
+
+**Q:** The script has been updated since I installed OpenVPN. How do I update?
+
+**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
+
+You can, of course, it's even recommended, update the `openvpn` package with your package manager.
+
+---
+
+**Q:** How do I check for DNS leaks?
+
+**A:** Go to [browserleaks.com](https://browserleaks.com/dns) or [ipleak.net](https://ipleak.net/) (both perform IPv4 and IPv6 check) with your browser. Your IP should not show up (test without and without the VPN). The DNS servers should be the ones you selected during the setup, not your IP address nor your ISP's DNS servers' addresses.
+
+---
+
+**Q:** How do I fix DNS leaks?
+
+**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
+On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
+
+Debian 9, 10 and Ubuntu 16.04, 18.04
+
+```
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+```
+
+Centos 6, 7
+
+```
+script-security 2
+up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
+```
+
+Centos 8, Fedora 30, 31
+
+```
+script-security 2
+up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
+```
+
+Arch Linux
+
+```
+script-security 2
+up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
+down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
+```
+
+---
+
+**Q:** Can I use an OpenVPN 2.3 client?
+
+**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options:
+
+- No compression or LZ0
+- RSA certificate
+- DH Key
+- AES CBC
+- tls-auth
+
+If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
+
+---
+
+**Q:** IPv6 is not working on my Hetzner VM
+
+**A:** This an issue on their side. See
+
+---
+
+**Q:** DNS is not working on my Linux client
+
+**A:** See "How do I fix DNS leaks?" question
+
+---
+
+**Q:** What syctl and iptables changes are made by the script?
+
+**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service`
+
+Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
+
+---
+
+**Q:** How can I access other clients connected to the same OpenVPN server?
+
+**A:** Add `client-to-client` to your `server.conf`
+
+---
+
+**Q:** My router can't connect
+
+**A:**
+
+- `Options error: No closing quotation (") in config.ovpn:46` :
+
+ type `yes` when asked to customize encryption settings and choose `tls-auth`
+
+- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
+
+ see question "Can I use an OpenVPN 2.3 client?"
+
+---
+
+**Q:** How can I access computers the OpenVPN server's remote LAN?
+
+**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
+
+---
+
+**Q:** How can I add multiple users in one go?
+
+**A:** Here is a sample bash script to achieve this:
+
+```sh
+userlist=(user1 user2 user3)
+
+for i in ${userlist[@]};do
+ MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh
+done
+```
+
+From a list in a text file:
+
+```sh
+while read USER
+ do MENU_OPTION="1" CLIENT="$USER" PASS="1" ./openvpn-install.sh
+done < users.txt
+```
+
+---
+
+**Q:** How do I change the default `.ovpn` file created for future clients?
+
+**A:** You can edit the template out of which `.ovpn` files are created by editing `/etc/openvpn/client-template.txt`
+
+---
+
+**Q:** For my clients - I want to set my internal network to pass through the VPN and the rest to go through my internet?
+
+**A:** You would need to edit the `.ovpn` file. You can edit the template out of which those files are created by editing `/etc/openvpn/client-template.txt` file and adding
+
+```sh
+route-nopull
+route 10.0.0.0 255.0.0.0
+```
+
+So for example - here it would route all traffic of `10.0.0.0/8` to the vpn. And the rest through the internet.
diff --git a/README.md b/README.md
index 4357c6f..f13a6a2 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,10 @@
# openvpn-install
-OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
+
+
+
+
+OpenVPN installer for Debian, Ubuntu, Fedora, CentOS, Oracle Linux and Arch Linux.
This script will let you setup your own secure VPN server in just a few seconds.
@@ -8,14 +12,14 @@ You can also check out [wireguard-install](https://github.com/angristan/wireguar
## Usage
-First, get the script and make it executable :
+First, get the script and make it executable:
```bash
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
```
-Then run it :
+Then run it:
```sh
./openvpn-install.sh
@@ -25,7 +29,7 @@ You need to run the script as root and have the TUN module enabled.
The first time you run it, you'll have to follow the assistant and answer a few questions to setup your VPN server.
-When OpenVPN is installed, you can run the script again, and you will get the choice to :
+When OpenVPN is installed, you can run the script again, and you will get the choice to:
- Add a client
- Remove a client
@@ -33,13 +37,16 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
-If you have any question, head to the [FAQ](#faq) first.
+If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
+
+**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
### Headless install
It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
Example usage:
+
```bash
AUTO_INSTALL=y ./openvpn-install.sh
@@ -71,11 +78,14 @@ Other variables can be set depending on your choice (encryption, compression). Y
Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
+The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
+
### Headless User Addition
It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.
The following Bash script adds a new user `foo` to an existing OpenVPN configuration
+
```bash
#!/bin/bash
export MENU_OPTION="1"
@@ -106,20 +116,17 @@ export PASS="1"
The script supports these OS and architectures:
-| | i386 | amd64 | armhf | arm64 |
-| -------------- | ---- | ----- | ----- | ----- |
-| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
-| Arch Linux | ❔ | ✅ | ❔ | ✅ |
-| Centos 8 | ❌ | ✅ | ❔ | ❔ |
-| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
-| Debian 8 | ✅ | ✅ | ❌ | ❌ |
-| Debian 9 | ❌ | ✅ | ✅ | ✅ |
-| Debian 10 | ❔ | ✅ | ✅ | ❔ |
-| Fedora 27 | ❔ | ✅ | ❔ | ❔ |
-| Fedora 28 | ❔ | ✅ | ❔ | ❔ |
-| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
-| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ |
-| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ |
+| | i386 | amd64 | armhf | arm64 |
+| --------------- | ---- | ----- | ----- | ----- |
+| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
+| Arch Linux | ❔ | ✅ | ❔ | ✅ |
+| CentOS 7 | ✅ | ✅ | ✅ | ✅ |
+| CentOS 8 | ❌ | ✅ | ❌ | ✅ |
+| Debian >= 9 | ✅ | ✅ | ✅ | ✅ |
+| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
+| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
+| Ubuntu >= 18.04 | ✅ | ✅ | ✅ | ✅ |
+| Oracle Linux 8 | ❌ | ✅ | ❌ | ❔ |
To be noted:
@@ -135,17 +142,16 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
## FAQ
-**LOOK AT THE [WIKI](https://github.com/angristan/openvpn-install/wiki/FAQ) FOR MORE INFORMATION. PLEASE READ BOTH BEFORE OPENING AN ISSUE.**
-
-**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you.
+More Q&A in [FAQ.md](FAQ.md).
**Q:** Which provider do you recommend?
**A:** I recommend these:
-- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
+- [Vultr](https://www.vultr.com/?ref=8537055-6G): Worldwide locations, IPv6 support, starting at \$3.50/month
+- [Hetzner](https://hetzner.cloud/?ref=ywtlvZsjgeDq): Germany, IPv6, 20 TB of traffic, starting at €3/month
+- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
-- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
---
@@ -173,12 +179,19 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
---
-## One-stop solutions for public cloud
+More Q&A in [FAQ.md](FAQ.md).
+
+## One-stop solutions for public cloud
Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
- - AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
+- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
+## Contributing
+
+### Code formatting
+
+We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
## Security and Encryption
@@ -188,12 +201,13 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
-Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
+Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.7/easyrsa3/vars.example) file.
+
### Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
-However, it is discouraged to use compression since it since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
+However, it is discouraged to use compression since the [VORACLE attack](https://protonvpn.com/blog/voracle-attack/) makes use of it.
### TLS version
@@ -224,17 +238,16 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old
> The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode.
>
-> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
-
->Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
+> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See for details.
+> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See for a much better and more elaborate explanation.
>
> OpenVPN's default cipher, BF-CBC, is affected by this attack.
-Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
+Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia]() are not vulnerable to date but are slower than AES and relatively less trusted.
> Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
-AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source : [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).
+AES-256 is 40% slower than AES-128, and there isn't any real reason to use a 256 bits key over a 128 bits key with AES. (Source: [1](http://security.stackexchange.com/questions/14068/why-most-people-use-256-bit-encryption-instead-of-128-bit),[2](http://security.stackexchange.com/questions/6141/amount-of-simple-operations-that-is-safely-out-of-reach-for-all-humanity/6149#6149)). Moreover, AES-256 is more vulnerable to [Timing attacks](https://en.wikipedia.org/wiki/Timing_attack).
AES-GCM is an [AEAD cipher](https://en.wikipedia.org/wiki/Authenticated_encryption) which means it simultaneously provides confidentiality, integrity, and authenticity assurances on the data.
@@ -249,7 +262,7 @@ The script supports the following ciphers:
And defaults to `AES-128-GCM`.
-OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
+OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
### Control channel
@@ -310,6 +323,7 @@ About `tls-crypt`:
> Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
>
> Encrypting (and authenticating) control channel packets:
+>
> - provides more privacy by hiding the certificate used for the TLS connection,
> - makes it harder to identify OpenVPN traffic as such,
> - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
@@ -322,9 +336,7 @@ The script supports both and uses `tls-crypt` by default.
## Say thanks
-*Sadly saythanks.io doesn't exist anymore... Thanks for the dozens of messages! It's really meaninful to me.*
-
-*Still want to help? Check the "sponsor" button at the top of the page!*
+You can [say thanks](https://saythanks.io/to/angristan%40pm.me) if you want!
## Credits & Licence
diff --git a/Vagrantfile b/Vagrantfile
deleted file mode 100644
index 4dd0973..0000000
--- a/Vagrantfile
+++ /dev/null
@@ -1,35 +0,0 @@
-# This Vagrantfile is used to test the script
-
-# To run the script on all machines, export VAGRANT_AUTOSTART=true
-autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
-# else, run `vagrant up `
-
-machines = [
- { hostname: 'debian-10', box: 'debian/stretch64' },
- { hostname: 'debian-9', box: 'debian/stretch64' },
- { hostname: 'debian-8', box: 'debian/jessie64' },
- { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
- { hostname: 'ubuntu-1804', box: 'ubuntu/xenial64' },
- { hostname: 'centos-7', box: 'centos/7' },
- { hostname: 'fedora-29', box: 'fedora/29-cloud-base' },
- { hostname: 'fedora-28', box: 'fedora/28-cloud-base' },
- { hostname: 'archlinux', box: 'archlinux/archlinux' }
-]
-
-Vagrant.configure('2') do |config|
- machines.each do |machine|
- config.vm.provider 'virtualbox' do |v|
- v.memory = 1024
- v.cpus = 2
- end
- config.vm.define machine[:hostname], autostart: autostart_machines do |machineconfig|
- machineconfig.vm.hostname = machine[:hostname]
- machineconfig.vm.box = machine[:box]
-
- machineconfig.vm.provision 'shell', inline: <<-SHELL
- AUTO_INSTALL=y /vagrant/openvpn-install.sh
- ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1
- SHELL
- end
- end
-end
diff --git a/openvpn-install.sh b/openvpn-install.sh
index c78a3e1..3b31e43 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -1,75 +1,82 @@
#!/bin/bash
+# shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
-# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
+# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Oracle Linux 8 and Arch Linux
# https://github.com/angristan/openvpn-install
-function isRoot () {
+function isRoot() {
if [ "$EUID" -ne 0 ]; then
return 1
fi
}
-function tunAvailable () {
+function tunAvailable() {
if [ ! -e /dev/net/tun ]; then
return 1
fi
}
-function checkOS () {
+function checkOS() {
if [[ -e /etc/debian_version ]]; then
OS="debian"
- # shellcheck disable=SC1091
source /etc/os-release
- if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
- if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
+ if [[ $ID == "debian" || $ID == "raspbian" ]]; then
+ if [[ $VERSION_ID -lt 9 ]]; then
echo "⚠️ Your version of Debian is not supported."
echo ""
- echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
- echo "Keep in mind they are not supported, though."
+ echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk."
echo ""
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
- if [[ "$CONTINUE" = "n" ]]; then
+ if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
- elif [[ "$ID" == "ubuntu" ]];then
+ elif [[ $ID == "ubuntu" ]]; then
OS="ubuntu"
- if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then
+ MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
+ if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
echo "⚠️ Your version of Ubuntu is not supported."
echo ""
- echo "However, if you're using Ubuntu > 17 or beta, then you can continue."
- echo "Keep in mind they are not supported, though."
+ echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk."
echo ""
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
- if [[ "$CONTINUE" = "n" ]]; then
+ if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
fi
elif [[ -e /etc/system-release ]]; then
- # shellcheck disable=SC1091
source /etc/os-release
- if [[ "$ID" = "fedora" ]]; then
+ if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then
OS="fedora"
fi
- if [[ "$ID" = "centos" ]]; then
+ if [[ $ID == "centos" ]]; then
OS="centos"
if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported."
echo ""
- echo "The script only support CentOS 7."
+ echo "The script only support CentOS 7 and CentOS 8."
echo ""
exit 1
fi
fi
- if [[ "$ID" = "amzn" ]]; then
+ if [[ $ID == "ol" ]]; then
+ OS="oracle"
+ if [[ ! $VERSION_ID =~ (8) ]]; then
+ echo "Your version of Oracle Linux is not supported."
+ echo ""
+ echo "The script only support Oracle Linux 8."
+ exit 1
+ fi
+ fi
+ if [[ $ID == "amzn" ]]; then
OS="amzn"
- if [[ ! $VERSION_ID == "2" ]]; then
+ if [[ $VERSION_ID != "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported."
echo ""
echo "The script only support Amazon Linux 2."
@@ -80,12 +87,12 @@ function checkOS () {
elif [[ -e /etc/arch-release ]]; then
OS=arch
else
- echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
+ echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2, Oracle Linux 8 or Arch Linux system"
exit 1
fi
}
-function initialCheck () {
+function initialCheck() {
if ! isRoot; then
echo "Sorry, you need to run this as root"
exit 1
@@ -97,53 +104,56 @@ function initialCheck () {
checkOS
}
-function installUnbound () {
+function installUnbound() {
+ # If Unbound isn't installed, install it
if [[ ! -e /etc/unbound/unbound.conf ]]; then
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get install -y unbound
# Configuration
- echo "interface: ${IP_RANGE: : -1}1
+ echo 'interface: ${IP_RANGE: : -1}1
access-control: ${IP_RANGE: : -1}1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
-prefetch: yes" >> /etc/unbound/unbound.conf
+prefetch: yes' >>/etc/unbound/unbound.conf
- elif [[ "$OS" =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn|oracle) ]]; then
yum install -y unbound
# Configuration
- sed -i "s|# interface: 0.0.0.0$|interface: ${IP_RANGE: : -1}1|" /etc/unbound/unbound.conf
- sed -i "s|# access-control: 127.0.0.0/8 allow|access-control: ${IP_RANGE: : -1}1/24 allow|" /etc/unbound/unbound.conf
+ sed -i 's|# interface: 0.0.0.0$|interface: ${IP_RANGE: : -1}1|' /etc/unbound/unbound.conf
+ sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: ${IP_RANGE: : -1}1/24 allow|' /etc/unbound/unbound.conf
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
- elif [[ "$OS" = "fedora" ]]; then
+ elif [[ $OS == "fedora" ]]; then
dnf install -y unbound
# Configuration
- sed -i "s|# interface: 0.0.0.0$|interface: ${IP_RANGE: : -1}1|" /etc/unbound/unbound.conf
- sed -i "s|# access-control: 127.0.0.0/8 allow|access-control: ${IP_RANGE: : -1}1/24 allow|" /etc/unbound/unbound.conf
+ sed -i 's|# interface: 0.0.0.0$|interface: ${IP_RANGE: : -1}1|' /etc/unbound/unbound.conf
+ sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: ${IP_RANGE: : -1}1/24 allow|' /etc/unbound/unbound.conf
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
- elif [[ "$OS" = "arch" ]]; then
+ elif [[ $OS == "arch" ]]; then
pacman -Syu --noconfirm unbound
# Get root servers list
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
- mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
+ if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
+ mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
+ fi
- echo "server:
+ echo 'server:
use-syslog: yes
do-daemonize: no
- username: \"unbound\"
- directory: \"/etc/unbound\"
+ username: "unbound"
+ directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
root-hints: root.hints
interface: ${IP_RANGE: : -1}1
@@ -155,25 +165,32 @@ prefetch: yes" >> /etc/unbound/unbound.conf
hide-identity: yes
hide-version: yes
qname-minimisation: yes
- prefetch: yes" > /etc/unbound/unbound.conf
+ prefetch: yes' >/etc/unbound/unbound.conf
fi
- if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
+ # IPv6 DNS for all OS
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo 'interface: fd42:42:42:42::1
+access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf
+ fi
+
+ if [[ ! $OS =~ (fedora|centos|amzn|oracle) ]]; then
# DNS Rebinding fix
echo "private-address: 10.0.0.0/8
+private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
+private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf
fi
else # Unbound is already installed
- echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
+ echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf
# Add Unbound 'server' for the OpenVPN subnet
- echo "server:
+ echo 'server:
interface: ${IP_RANGE: : -1}1
access-control: ${IP_RANGE: : -1}1/24 allow
hide-identity: yes
@@ -181,20 +198,25 @@ hide-version: yes
use-caps-for-id: yes
prefetch: yes
private-address: 10.0.0.0/8
+private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96" > /etc/unbound/openvpn.conf
+private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo 'interface: fd42:42:42:42::1
+access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
+ fi
fi
- systemctl enable unbound
- systemctl restart unbound
+ systemctl enable unbound
+ systemctl restart unbound
}
-function installQuestions () {
+function installQuestions() {
echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo ""
@@ -206,7 +228,12 @@ function installQuestions () {
echo "Unless your server is behind NAT, it should be your public IPv4 address."
# Detect public IPv4 address and pre-fill for the user
- IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+ IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+
+ if [[ -z $IP ]]; then
+ # Detect public IPv6 address
+ IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
+ fi
APPROVE_IP=${APPROVE_IP:-n}
if [[ $APPROVE_IP =~ n ]]; then
read -rp "IP address: " -e -i "$IP" IP
@@ -216,8 +243,10 @@ function installQuestions () {
echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
echo "We need it for the clients to connect to the server."
- until [[ "$ENDPOINT" != "" ]]; do
- read -rp "Public IPv4 address or hostname: " -e ENDPOINT
+
+ PUBLICIP=$(curl -s https://api.ipify.org)
+ until [[ $ENDPOINT != "" ]]; do
+ read -rp "Public IPv4 address or hostname: " -e -i "$PUBLICIP" ENDPOINT
done
fi
@@ -225,7 +254,7 @@ function installQuestions () {
echo "Checking for IPv6 connectivity..."
echo ""
# "ping6" and "ping -6" availability varies depending on the distribution
- if type ping6 > /dev/null 2>&1; then
+ if type ping6 >/dev/null 2>&1; then
PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1"
else
PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1"
@@ -250,13 +279,13 @@ function installQuestions () {
read -rp "IP choice [1-2]: " -e -i 1 IP_CHOICE
done
case $IP_CHOICE in
- 1)
- IP_RANGE="10.8.0.0"
+ 1)
+ IP_RANGE="10.8.0.0"
;;
- 2)
- until [[ "$IP_RANGE" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}0$ ]]; do
- read -rp "Custom IP [x.x.x.0]: " -e -i 10.8.0.0 IP_RANGE
- done
+ 2)
+ until [[ "$IP_RANGE" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}0$ ]]; do
+ read -rp "Custom IP [x.x.x.0]: " -e -i 10.8.0.0 IP_RANGE
+ done
;;
esac
echo ""
@@ -264,22 +293,22 @@ function installQuestions () {
echo " 1) Default: 1194"
echo " 2) Custom"
echo " 3) Random [49152-65535]"
- until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
+ until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done
case $PORT_CHOICE in
- 1)
- PORT="1194"
+ 1)
+ PORT="1194"
;;
- 2)
- until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
- read -rp "Custom port [1-65535]: " -e -i 1194 PORT
- done
+ 2)
+ until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
+ read -rp "Custom port [1-65535]: " -e -i 1194 PORT
+ done
;;
- 3)
- # Generate random number within private ports range
- PORT=$(shuf -i49152-65535 -n1)
- echo "Random Port: $PORT"
+ 3)
+ # Generate random number within private ports range
+ PORT=$(shuf -i49152-65535 -n1)
+ echo "Random Port: $PORT"
;;
esac
echo ""
@@ -287,15 +316,15 @@ function installQuestions () {
echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
echo " 1) UDP"
echo " 2) TCP"
- until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
+ until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
done
case $PROTOCOL_CHOICE in
- 1)
- PROTOCOL="udp"
+ 1)
+ PROTOCOL="udp"
;;
- 2)
- PROTOCOL="tcp"
+ 2)
+ PROTOCOL="tcp"
;;
esac
echo ""
@@ -310,44 +339,45 @@ function installQuestions () {
echo " 8) OpenDNS (Anycast: worldwide)"
echo " 9) Google (Anycast: worldwide)"
echo " 10) Yandex Basic (Russia)"
- echo " 11) AdGuard DNS (Russia)"
- echo " 12) Custom"
- until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do
- read -rp "DNS [1-12]: " -e -i 3 DNS
- if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
- echo ""
- echo "Unbound is already installed."
- echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
- echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
- echo "No changes are made to the current configuration."
- echo ""
+ echo " 11) AdGuard DNS (Anycast: worldwide)"
+ echo " 12) NextDNS (Anycast: worldwide)"
+ echo " 13) Custom"
+ until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
+ read -rp "DNS [1-12]: " -e -i 11 DNS
+ if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
+ echo ""
+ echo "Unbound is already installed."
+ echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
+ echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
+ echo "No changes are made to the current configuration."
+ echo ""
- until [[ $CONTINUE =~ (y|n) ]]; do
- read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
- done
- if [[ $CONTINUE = "n" ]];then
- # Break the loop and cleanup
- unset DNS
- unset CONTINUE
- fi
- elif [[ $DNS == "12" ]]; then
- until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
- read -rp "Primary DNS: " -e DNS1
- done
- until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
- read -rp "Secondary DNS (optional): " -e DNS2
- if [[ "$DNS2" == "" ]]; then
- break
- fi
- done
+ until [[ $CONTINUE =~ (y|n) ]]; do
+ read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
+ done
+ if [[ $CONTINUE == "n" ]]; then
+ # Break the loop and cleanup
+ unset DNS
+ unset CONTINUE
fi
+ elif [[ $DNS == "13" ]]; then
+ until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+ read -rp "Primary DNS: " -e DNS1
+ done
+ until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+ read -rp "Secondary DNS (optional): " -e DNS2
+ if [[ $DNS2 == "" ]]; then
+ break
+ fi
+ done
+ fi
done
echo ""
echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done
- if [[ $COMPRESSION_ENABLED == "y" ]];then
+ if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
echo " 1) LZ4-v2"
echo " 2) LZ4"
@@ -356,13 +386,13 @@ function installQuestions () {
read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
done
case $COMPRESSION_CHOICE in
- 1)
+ 1)
COMPRESSION_ALG="lz4-v2"
;;
- 2)
+ 2)
COMPRESSION_ALG="lz4"
;;
- 3)
+ 3)
COMPRESSION_ALG="lzo"
;;
esac
@@ -376,7 +406,7 @@ function installQuestions () {
until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do
read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC
done
- if [[ $CUSTOMIZE_ENC == "n" ]];then
+ if [[ $CUSTOMIZE_ENC == "n" ]]; then
# Use default, sane and fast parameters
CIPHER="AES-128-GCM"
CERT_TYPE="1" # ECDSA
@@ -395,27 +425,27 @@ function installQuestions () {
echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
- until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
+ until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
done
case $CIPHER_CHOICE in
- 1)
- CIPHER="AES-128-GCM"
+ 1)
+ CIPHER="AES-128-GCM"
;;
- 2)
- CIPHER="AES-192-GCM"
+ 2)
+ CIPHER="AES-192-GCM"
;;
- 3)
- CIPHER="AES-256-GCM"
+ 3)
+ CIPHER="AES-256-GCM"
;;
- 4)
- CIPHER="AES-128-CBC"
+ 4)
+ CIPHER="AES-128-CBC"
;;
- 5)
- CIPHER="AES-192-CBC"
+ 5)
+ CIPHER="AES-192-CBC"
;;
- 6)
- CIPHER="AES-256-CBC"
+ 6)
+ CIPHER="AES-256-CBC"
;;
esac
echo ""
@@ -426,81 +456,81 @@ function installQuestions () {
read -rp"Certificate key type [1-2]: " -e -i 1 CERT_TYPE
done
case $CERT_TYPE in
+ 1)
+ echo ""
+ echo "Choose which curve you want to use for the certificate's key:"
+ echo " 1) prime256v1 (recommended)"
+ echo " 2) secp384r1"
+ echo " 3) secp521r1"
+ until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do
+ read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE
+ done
+ case $CERT_CURVE_CHOICE in
1)
- echo ""
- echo "Choose which curve you want to use for the certificate's key:"
- echo " 1) prime256v1 (recommended)"
- echo " 2) secp384r1"
- echo " 3) secp521r1"
- until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do
- read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE
- done
- case $CERT_CURVE_CHOICE in
- 1)
- CERT_CURVE="prime256v1"
- ;;
- 2)
- CERT_CURVE="secp384r1"
- ;;
- 3)
- CERT_CURVE="secp521r1"
- ;;
- esac
- ;;
+ CERT_CURVE="prime256v1"
+ ;;
2)
- echo ""
- echo "Choose which size you want to use for the certificate's RSA key:"
- echo " 1) 2048 bits (recommended)"
- echo " 2) 3072 bits"
- echo " 3) 4096 bits"
- until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
- read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
- done
- case $RSA_KEY_SIZE_CHOICE in
- 1)
- RSA_KEY_SIZE="2048"
- ;;
- 2)
- RSA_KEY_SIZE="3072"
- ;;
- 3)
- RSA_KEY_SIZE="4096"
- ;;
- esac
+ CERT_CURVE="secp384r1"
+ ;;
+ 3)
+ CERT_CURVE="secp521r1"
+ ;;
+ esac
+ ;;
+ 2)
+ echo ""
+ echo "Choose which size you want to use for the certificate's RSA key:"
+ echo " 1) 2048 bits (recommended)"
+ echo " 2) 3072 bits"
+ echo " 3) 4096 bits"
+ until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
+ read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
+ done
+ case $RSA_KEY_SIZE_CHOICE in
+ 1)
+ RSA_KEY_SIZE="2048"
+ ;;
+ 2)
+ RSA_KEY_SIZE="3072"
+ ;;
+ 3)
+ RSA_KEY_SIZE="4096"
+ ;;
+ esac
;;
esac
echo ""
echo "Choose which cipher you want to use for the control channel:"
case $CERT_TYPE in
+ 1)
+ echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)"
+ echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384"
+ until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
+ read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
+ done
+ case $CC_CIPHER_CHOICE in
1)
- echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)"
- echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384"
- until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
- read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
- done
- case $CC_CIPHER_CHOICE in
- 1)
- CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
- ;;
- 2)
- CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
- ;;
- esac
- ;;
+ CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
+ ;;
2)
- echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)"
- echo " 2) ECDHE-RSA-AES-256-GCM-SHA384"
- until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
- read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
- done
- case $CC_CIPHER_CHOICE in
- 1)
- CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
- ;;
- 2)
- CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
- ;;
- esac
+ CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
+ ;;
+ esac
+ ;;
+ 2)
+ echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)"
+ echo " 2) ECDHE-RSA-AES-256-GCM-SHA384"
+ until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
+ read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
+ done
+ case $CC_CIPHER_CHOICE in
+ 1)
+ CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
+ ;;
+ 2)
+ CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
+ ;;
+ esac
;;
esac
echo ""
@@ -511,54 +541,54 @@ function installQuestions () {
read -rp"DH key type [1-2]: " -e -i 1 DH_TYPE
done
case $DH_TYPE in
+ 1)
+ echo ""
+ echo "Choose which curve you want to use for the ECDH key:"
+ echo " 1) prime256v1 (recommended)"
+ echo " 2) secp384r1"
+ echo " 3) secp521r1"
+ while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do
+ read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE
+ done
+ case $DH_CURVE_CHOICE in
1)
- echo ""
- echo "Choose which curve you want to use for the ECDH key:"
- echo " 1) prime256v1 (recommended)"
- echo " 2) secp384r1"
- echo " 3) secp521r1"
- while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do
- read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE
- done
- case $DH_CURVE_CHOICE in
- 1)
- DH_CURVE="prime256v1"
- ;;
- 2)
- DH_CURVE="secp384r1"
- ;;
- 3)
- DH_CURVE="secp521r1"
- ;;
- esac
- ;;
+ DH_CURVE="prime256v1"
+ ;;
2)
- echo ""
- echo "Choose what size of Diffie-Hellman key you want to use:"
- echo " 1) 2048 bits (recommended)"
- echo " 2) 3072 bits"
- echo " 3) 4096 bits"
- until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
- read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
- done
- case $DH_KEY_SIZE_CHOICE in
- 1)
- DH_KEY_SIZE="2048"
- ;;
- 2)
- DH_KEY_SIZE="3072"
- ;;
- 3)
- DH_KEY_SIZE="4096"
- ;;
- esac
+ DH_CURVE="secp384r1"
+ ;;
+ 3)
+ DH_CURVE="secp521r1"
+ ;;
+ esac
+ ;;
+ 2)
+ echo ""
+ echo "Choose what size of Diffie-Hellman key you want to use:"
+ echo " 1) 2048 bits (recommended)"
+ echo " 2) 3072 bits"
+ echo " 3) 4096 bits"
+ until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
+ read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
+ done
+ case $DH_KEY_SIZE_CHOICE in
+ 1)
+ DH_KEY_SIZE="2048"
+ ;;
+ 2)
+ DH_KEY_SIZE="3072"
+ ;;
+ 3)
+ DH_KEY_SIZE="4096"
+ ;;
+ esac
;;
esac
echo ""
# The "auth" options behaves differently with AEAD ciphers
- if [[ "$CIPHER" =~ CBC$ ]]; then
+ if [[ $CIPHER =~ CBC$ ]]; then
echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
- elif [[ "$CIPHER" =~ GCM$ ]]; then
+ elif [[ $CIPHER =~ GCM$ ]]; then
echo "The digest algorithm authenticates tls-auth packets from the control channel."
fi
echo "Which digest algorithm do you want to use for HMAC?"
@@ -569,14 +599,14 @@ function installQuestions () {
read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE
done
case $HMAC_ALG_CHOICE in
- 1)
- HMAC_ALG="SHA256"
+ 1)
+ HMAC_ALG="SHA256"
;;
- 2)
- HMAC_ALG="SHA384"
+ 2)
+ HMAC_ALG="SHA384"
;;
- 3)
- HMAC_ALG="SHA512"
+ 3)
+ HMAC_ALG="SHA512"
;;
esac
echo ""
@@ -585,7 +615,7 @@ function installQuestions () {
echo " 1) tls-crypt (recommended)"
echo " 2) tls-auth"
until [[ $TLS_SIG =~ [1-2] ]]; do
- read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG
+ read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG
done
fi
echo ""
@@ -597,7 +627,7 @@ function installQuestions () {
fi
}
-function installOpenVPN () {
+function installOpenVPN() {
if [[ $AUTO_INSTALL == "y" ]]; then
# Set default choices so that no questions will be asked.
APPROVE_INSTALL=${APPROVE_INSTALL:-y}
@@ -613,9 +643,13 @@ function installOpenVPN () {
PASS=${PASS:-1}
CONTINUE=${CONTINUE:-y}
- # Behind NAT, we'll default to the publicly reachable IPv4.
- PUBLIC_IPV4=$(curl ifconfig.co)
- ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4}
+ # Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
+ if [[ $IPV6_SUPPORT == "y" ]]; then
+ PUBLIC_IP=$(curl https://ifconfig.co)
+ else
+ PUBLIC_IP=$(curl -4 https://ifconfig.co)
+ fi
+ ENDPOINT=${ENDPOINT:-$PUBLIC_IP}
fi
# Run setup questions first, and set other variales if auto-install
@@ -623,34 +657,57 @@ function installOpenVPN () {
# Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
+ if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
+ NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
+ fi
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
- apt-get update
- apt-get -y install ca-certificates gnupg
- # We add the OpenVPN repo to get the latest version.
- if [[ "$VERSION_ID" = "8" ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt-get update
+ # $NIC can not be empty for script rm-openvpn-rules.sh
+ if [[ -z $NIC ]]; then
+ echo
+ echo "Can not detect public interface."
+ echo "This needs for setup MASQUERADE."
+ until [[ $CONTINUE =~ (y|n) ]]; do
+ read -rp "Continue? [y/n]: " -e CONTINUE
+ done
+ if [[ $CONTINUE == "n" ]]; then
+ exit 1
fi
- if [[ "$VERSION_ID" = "16.04" ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
+ fi
+
+ # If OpenVPN isn't installed yet, install it. This script is more-or-less
+ # idempotent on multiple runs, but will only install OpenVPN from upstream
+ # the first time.
+ if [[ ! -e /etc/openvpn/server.conf ]]; then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update
+ apt-get -y install ca-certificates gnupg
+ # We add the OpenVPN repo to get the latest version.
+ if [[ $VERSION_ID == "16.04" ]]; then
+ echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
+ wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
+ apt-get update
+ fi
+ # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
+ apt-get install -y openvpn iptables openssl wget ca-certificates curl
+ elif [[ $OS == 'centos' ]]; then
+ yum install -y epel-release
+ yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
+ elif [[ $OS == 'oracle' ]]; then
+ yum install -y 'oracle-epel-release-*'
+ yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
+ elif [[ $OS == 'amzn' ]]; then
+ amazon-linux-extras install -y epel
+ yum install -y openvpn iptables openssl wget ca-certificates curl
+ elif [[ $OS == 'fedora' ]]; then
+ dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils
+ elif [[ $OS == 'arch' ]]; then
+ # Install required dependencies and upgrade the system
+ pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
+ fi
+ # An old version of easy-rsa was available by default in some openvpn packages
+ if [[ -d /etc/openvpn/easy-rsa/ ]]; then
+ rm -rf /etc/openvpn/easy-rsa/
fi
- # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
- apt-get install -y openvpn iptables openssl wget ca-certificates curl
- elif [[ "$OS" = 'centos' ]]; then
- yum install -y epel-release
- yum install -y openvpn iptables openssl wget ca-certificates curl tar
- elif [[ "$OS" = 'amzn' ]]; then
- amazon-linux-extras install -y epel
- yum install -y openvpn iptables openssl wget ca-certificates curl
- elif [[ "$OS" = 'fedora' ]]; then
- dnf install -y openvpn iptables openssl wget ca-certificates curl
- elif [[ "$OS" = 'arch' ]]; then
- # Install required dependencies and upgrade the system
- pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi
# Find out if the machine uses nogroup or nobody for the permissionless group
@@ -660,62 +717,61 @@ function installOpenVPN () {
NOGROUP=nobody
fi
- # An old version of easy-rsa was available by default in some openvpn packages
- if [[ -d /etc/openvpn/easy-rsa/ ]]; then
- rm -rf /etc/openvpn/easy-rsa/
- fi
+ # Install the latest version of easy-rsa from source, if not already installed.
+ if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
+ local version="3.0.7"
+ wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
+ mkdir -p /etc/openvpn/easy-rsa
+ tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
+ rm -f ~/easy-rsa.tgz
- # Install the latest version of easy-rsa from source
- local version="3.0.6"
- wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz
- tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/
- mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa
- chown -R root:root /etc/openvpn/easy-rsa/
- rm -f ~/EasyRSA-unix-v${version}.tgz
-
- cd /etc/openvpn/easy-rsa/ || return
- case $CERT_TYPE in
+ cd /etc/openvpn/easy-rsa/ || return
+ case $CERT_TYPE in
1)
- echo "set_var EASYRSA_ALGO ec" > vars
- echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars
- ;;
+ echo "set_var EASYRSA_ALGO ec" >vars
+ echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars
+ ;;
2)
- echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
- ;;
- esac
+ echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars
+ ;;
+ esac
- # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
- SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
- SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
- echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
+ # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
+ SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+ echo "$SERVER_CN" >SERVER_CN_GENERATED
+ SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+ echo "$SERVER_NAME" >SERVER_NAME_GENERATED
- # Create the PKI, set up the CA, the DH params and the server certificate
- ./easyrsa init-pki
+ echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
- # Workaround to remove unharmful error until easy-rsa 3.0.7
- # https://github.com/OpenVPN/easy-rsa/issues/261
- sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
+ # Create the PKI, set up the CA, the DH params and the server certificate
+ ./easyrsa init-pki
+ ./easyrsa --batch build-ca nopass
- ./easyrsa --batch build-ca nopass
+ if [[ $DH_TYPE == "2" ]]; then
+ # ECDH keys are generated on-the-fly so we don't need to generate them beforehand
+ openssl dhparam -out dh.pem $DH_KEY_SIZE
+ fi
- if [[ $DH_TYPE == "2" ]]; then
- # ECDH keys are generated on-the-fly so we don't need to generate them beforehand
- openssl dhparam -out dh.pem $DH_KEY_SIZE
- fi
+ ./easyrsa build-server-full "$SERVER_NAME" nopass
+ EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- ./easyrsa build-server-full "$SERVER_NAME" nopass
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
-
- case $TLS_SIG in
+ case $TLS_SIG in
1)
# Generate tls-crypt key
openvpn --genkey --secret /etc/openvpn/tls-crypt.key
- ;;
+ ;;
2)
# Generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
- ;;
- esac
+ ;;
+ esac
+ else
+ # If easy-rsa is already installed, grab the generated SERVER_NAME
+ # for client configs
+ cd /etc/openvpn/easy-rsa/ || return
+ SERVER_NAME=$(cat SERVER_NAME_GENERATED)
+ fi
# Move all the generated files
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
@@ -727,11 +783,11 @@ function installOpenVPN () {
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
- echo "port $PORT" > /etc/openvpn/server.conf
- if [[ "$IPV6_SUPPORT" = 'n' ]]; then
- echo "proto $PROTOCOL" >> /etc/openvpn/server.conf
- elif [[ "$IPV6_SUPPORT" = 'y' ]]; then
- echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf
+ echo "port $PORT" >/etc/openvpn/server.conf
+ if [[ $IPV6_SUPPORT == 'n' ]]; then
+ echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
+ elif [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
fi
echo "dev tun
@@ -742,97 +798,107 @@ persist-tun
keepalive 10 120
topology subnet
server ${IP_RANGE} 255.255.255.0
-ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
+ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
# DNS resolvers
case $DNS in
- 1)
- # Locate the proper resolv.conf
- # Needed for systems running systemd-resolved
- if grep -q "127.0.0.53" "/etc/resolv.conf"; then
- RESOLVCONF='/run/systemd/resolve/resolv.conf'
- else
- RESOLVCONF='/etc/resolv.conf'
+ 1) # Current system resolvers
+ # Locate the proper resolv.conf
+ # Needed for systems running systemd-resolved
+ if grep -q "127.0.0.53" "/etc/resolv.conf"; then
+ RESOLVCONF='/run/systemd/resolve/resolv.conf'
+ else
+ RESOLVCONF='/etc/resolv.conf'
+ fi
+ # Obtain the resolvers from resolv.conf and use them for OpenVPN
+ sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
+ # Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
+ if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
fi
- # Obtain the resolvers from resolv.conf and use them for OpenVPN
- grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
- echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
- done
+ done
;;
- 2)
- echo "push \"dhcp-option DNS ${IP_RANGE: : -1}1\"" >> /etc/openvpn/server.conf
+ 2) # Self-hosted DNS resolver (Unbound)
+ echo 'push "dhcp-option DNS ${IP_RANGE: : -1}1"' >>/etc/openvpn/server.conf
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
+ fi
;;
- 3) # Cloudflare
- echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
+ 3) # Cloudflare
+ echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf
;;
- 4) # Quad9
- echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
+ 4) # Quad9
+ echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf
;;
- 5) # Quad9 uncensored
- echo 'push "dhcp-option DNS 9.9.9.10"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 149.112.112.10"' >> /etc/openvpn/server.conf
+ 5) # Quad9 uncensored
+ echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf
;;
- 6) # FDN
- echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
+ 6) # FDN
+ echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf
;;
- 7) # DNS.WATCH
- echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
+ 7) # DNS.WATCH
+ echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf
;;
- 8) # OpenDNS
- echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
+ 8) # OpenDNS
+ echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf
;;
- 9) # Google
- echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
+ 9) # Google
+ echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf
;;
- 10) # Yandex Basic
- echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
+ 10) # Yandex Basic
+ echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf
;;
- 11) # AdGuard DNS
- echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
+ 11) # AdGuard DNS
+ echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/server.conf
;;
- 12) # Custom DNS
- echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
- if [[ "$DNS2" != "" ]]; then
- echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
+ 12) # NextDNS
+ echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf
+ ;;
+ 13) # Custom DNS
+ echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
+ if [[ $DNS2 != "" ]]; then
+ echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
fi
;;
esac
- echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
+ echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
# IPv6 network settings if needed
- if [[ "$IPV6_SUPPORT" = 'y' ]]; then
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
-push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
+push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
fi
- if [[ $COMPRESSION_ENABLED == "y" ]]; then
- echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf
+ if [[ $COMPRESSION_ENABLED == "y" ]]; then
+ echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf
fi
if [[ $DH_TYPE == "1" ]]; then
- echo "dh none" >> /etc/openvpn/server.conf
- echo "ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf
+ echo "dh none" >>/etc/openvpn/server.conf
+ echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf
elif [[ $DH_TYPE == "2" ]]; then
- echo "dh dh.pem" >> /etc/openvpn/server.conf
+ echo "dh dh.pem" >>/etc/openvpn/server.conf
fi
case $TLS_SIG in
- 1)
- echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
+ 1)
+ echo "tls-crypt tls-crypt.key" >>/etc/openvpn/server.conf
;;
- 2)
- echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
+ 2)
+ echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
;;
esac
@@ -846,16 +912,19 @@ ncp-ciphers $CIPHER
tls-server
tls-version-min 1.2
tls-cipher $CC_CIPHER
+client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
-verb 3" >> /etc/openvpn/server.conf
+verb 3" >>/etc/openvpn/server.conf
+ # Create client-config-dir dir
+ mkdir -p /etc/openvpn/ccd
# Create log dir
mkdir -p /var/log/openvpn
# Enable routing
- echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf
- if [[ "$IPV6_SUPPORT" = 'y' ]]; then
- echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
+ echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-openvpn.conf
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf
fi
# Apply sysctl rules
sysctl --system
@@ -863,14 +932,14 @@ verb 3" >> /etc/openvpn/server.conf
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
+ if [[ $PORT != '1194' ]]; then
semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi
fi
fi
# Finally, restart and enable OpenVPN
- if [[ "$OS" = 'arch' || "$OS" = 'fedora' || "$OS" = 'centos' ]]; then
+ if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' || $OS == 'oracle' ]]; then
# Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@@ -879,14 +948,14 @@ verb 3" >> /etc/openvpn/server.conf
# Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
- if [[ "$OS" == "fedora" ]];then
+ if [[ $OS == "fedora" ]]; then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi
systemctl daemon-reload
- systemctl restart openvpn-server@server
systemctl enable openvpn-server@server
- elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+ systemctl restart openvpn-server@server
+ elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service
systemctl enable openvpn
@@ -901,16 +970,16 @@ verb 3" >> /etc/openvpn/server.conf
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
systemctl daemon-reload
- systemctl restart openvpn@server
systemctl enable openvpn@server
+ systemctl restart openvpn@server
fi
- if [[ $DNS == 2 ]];then
+ if [[ $DNS == 2 ]]; then
installUnbound
fi
# Add iptables rules in two scripts
- mkdir /etc/iptables
+ mkdir -p /etc/iptables
# Script to add rules
echo "#!/bin/sh
@@ -918,13 +987,14 @@ iptables -t nat -I POSTROUTING 1 -s ${IP_RANGE}/24 -o ${NIC} -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
-iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
+iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh
- if [[ "$IPV6_SUPPORT" = 'y' ]]; then
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
-ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
+ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
fi
# Script to remove rules
@@ -933,13 +1003,14 @@ iptables -t nat -D POSTROUTING -s ${IP_RANGE}/24 -o ${NIC} -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
-iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
+iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh
- if [[ "$IPV6_SUPPORT" = 'y' ]]; then
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
-ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT
+ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
fi
chmod +x /etc/iptables/add-openvpn-rules.sh
@@ -958,7 +1029,7 @@ ExecStop=/etc/iptables/rm-openvpn-rules.sh
RemainAfterExit=yes
[Install]
-WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
+WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
# Enable service and apply rules
systemctl daemon-reload
@@ -966,16 +1037,17 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
systemctl start iptables-openvpn
# If the server is behind a NAT, use the correct IP address for the clients to connect to
- if [[ "$ENDPOINT" != "" ]]; then
+ if [[ $ENDPOINT != "" ]]; then
IP=$ENDPOINT
fi
# client-template.txt is created so we have a template to add further users later
- echo "client" > /etc/openvpn/client-template.txt
- if [[ "$PROTOCOL" = 'udp' ]]; then
- echo "proto udp" >> /etc/openvpn/client-template.txt
- elif [[ "$PROTOCOL" = 'tcp' ]]; then
- echo "proto tcp-client" >> /etc/openvpn/client-template.txt
+ echo "client" >/etc/openvpn/client-template.txt
+ if [[ $PROTOCOL == 'udp' ]]; then
+ echo "proto udp" >>/etc/openvpn/client-template.txt
+ echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
+ elif [[ $PROTOCOL == 'tcp' ]]; then
+ echo "proto tcp-client" >>/etc/openvpn/client-template.txt
fi
echo "remote $IP $PORT
dev tun
@@ -991,24 +1063,25 @@ cipher $CIPHER
tls-client
tls-version-min 1.2
tls-cipher $CC_CIPHER
+ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
-verb 3" >> /etc/openvpn/client-template.txt
+verb 3" >>/etc/openvpn/client-template.txt
-if [[ $COMPRESSION_ENABLED == "y" ]]; then
- echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt
-fi
+ if [[ $COMPRESSION_ENABLED == "y" ]]; then
+ echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
+ fi
# Generate the custom client.ovpn
newClient
echo "If you want to add more clients, you simply need to run this script another time!"
}
-function newClient () {
+function newClient() {
echo ""
echo "Tell me a name for the client."
- echo "Use one word only, no special characters."
+ echo "The name must consist of alphanumeric character. It may also include an underscore or a dash."
- until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
+ until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
read -rp "Client name: " -e CLIENT
done
@@ -1018,27 +1091,43 @@ function newClient () {
echo " 1) Add a passwordless client"
echo " 2) Use a password for the client"
- until [[ "$PASS" =~ ^[1-2]$ ]]; do
+ until [[ $PASS =~ ^[1-2]$ ]]; do
read -rp "Select an option [1-2]: " -e -i 1 PASS
done
- cd /etc/openvpn/easy-rsa/ || return
- case $PASS in
+ CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
+ if [[ $CLIENTEXISTS == '1' ]]; then
+ echo ""
+ echo "The specified client CN was already found in easy-rsa, please choose another name."
+ exit
+ else
+ cd /etc/openvpn/easy-rsa/ || return
+ case $PASS in
1)
./easyrsa build-client-full "$CLIENT" nopass
- ;;
+ ;;
2)
- echo "⚠️ You will be asked for the client password below ⚠️"
+ echo "⚠️ You will be asked for the client password below ⚠️"
./easyrsa build-client-full "$CLIENT"
- ;;
- esac
+ ;;
+ esac
+ echo "Client $CLIENT added."
+ fi
- # Home directory of the user, where the client configuration (.ovpn) will be written
- if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
- homeDir="/home/$CLIENT"
- elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
- homeDir="/home/${SUDO_USER}"
- else # if not SUDO_USER, use /root
+ # Home directory of the user, where the client configuration will be written
+ if [ -e "/home/${CLIENT}" ]; then
+ # if $1 is a user name
+ homeDir="/home/${CLIENT}"
+ elif [ "${SUDO_USER}" ]; then
+ # if not, use SUDO_USER
+ if [ "${SUDO_USER}" == "root" ]; then
+ # If running sudo as root
+ homeDir="/root"
+ else
+ homeDir="/home/${SUDO_USER}"
+ fi
+ else
+ # if not SUDO_USER, use /root
homeDir="/root"
fi
@@ -1065,30 +1154,30 @@ function newClient () {
echo ""
case $TLS_SIG in
- 1)
- echo ""
- cat /etc/openvpn/tls-crypt.key
- echo ""
+ 1)
+ echo ""
+ cat /etc/openvpn/tls-crypt.key
+ echo ""
;;
- 2)
- echo "key-direction 1"
- echo ""
- cat /etc/openvpn/tls-auth.key
- echo ""
+ 2)
+ echo "key-direction 1"
+ echo ""
+ cat /etc/openvpn/tls-auth.key
+ echo ""
;;
esac
- } >> "$homeDir/$CLIENT.ovpn"
+ } >>"$homeDir/$CLIENT.ovpn"
echo ""
- echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn."
+ echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
echo "Download the .ovpn file and import it in your OpenVPN client."
exit 0
}
-function revokeClient () {
+function revokeClient() {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
- if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
+ if [[ $NUMBEROFCLIENTS == '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 1
@@ -1097,36 +1186,32 @@ function revokeClient () {
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
- if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
- read -rp "Select one client [1]: " CLIENTNUMBER
- else
- read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
- fi
-
+ until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
+ if [[ $CLIENTNUMBER == '1' ]]; then
+ read -rp "Select one client [1]: " CLIENTNUMBER
+ else
+ read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
+ fi
+ done
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke "$CLIENT"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- # Cleanup
- rm -f "pki/reqs/$CLIENT.req"
- rm -f "pki/private/$CLIENT.key"
- rm -f "pki/issued/$CLIENT.crt"
rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
rm -f "/root/$CLIENT.ovpn"
- sed -i "s|^$CLIENT,.*||" /etc/openvpn/ipp.txt
+ sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt
echo ""
echo "Certificate for client $CLIENT revoked."
}
-function removeUnbound () {
+function removeUnbound() {
# Remove OpenVPN-related config
- sed -i 's|include: \/etc\/unbound\/openvpn.conf||' /etc/unbound/unbound.conf
+ sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf
rm /etc/unbound/openvpn.conf
- systemctl restart unbound
until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
echo ""
@@ -1134,17 +1219,17 @@ function removeUnbound () {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done
- if [[ "$REMOVE_UNBOUND" = 'y' ]]; then
+ if [[ $REMOVE_UNBOUND == 'y' ]]; then
# Stop Unbound
systemctl stop unbound
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
- apt-get autoremove --purge -y unbound
- elif [[ "$OS" = 'arch' ]]; then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
+ apt-get remove --purge -y unbound
+ elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R unbound
- elif [[ "$OS" =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn|oracle) ]]; then
yum remove -y unbound
- elif [[ "$OS" = 'fedora' ]]; then
+ elif [[ $OS == 'fedora' ]]; then
dnf remove -y unbound
fi
@@ -1153,26 +1238,27 @@ function removeUnbound () {
echo ""
echo "Unbound removed!"
else
+ systemctl restart unbound
echo ""
echo "Unbound wasn't removed."
fi
}
-function removeOpenVPN () {
+function removeOpenVPN() {
echo ""
- # shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
- if [[ "$REMOVE" = 'y' ]]; then
+ if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
+ PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
# Stop OpenVPN
- if [[ "$OS" =~ (fedora|arch|centos) ]]; then
+ if [[ $OS =~ (fedora|arch|centos|oracle) ]]; then
systemctl disable openvpn-server@server
systemctl stop openvpn-server@server
# Remove customised service
rm /etc/systemd/system/openvpn-server@.service
- elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+ elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
systemctl disable openvpn
systemctl stop openvpn
else
@@ -1194,23 +1280,23 @@ function removeOpenVPN () {
# SELinux
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
- semanage port -d -t openvpn_port_t -p udp "$PORT"
+ if [[ $PORT != '1194' ]]; then
+ semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi
fi
fi
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
- apt-get autoremove --purge -y openvpn
- if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
+ apt-get remove --purge -y openvpn
+ if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
rm /etc/apt/sources.list.d/openvpn.list
apt-get update
fi
- elif [[ "$OS" = 'arch' ]]; then
+ elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R openvpn
- elif [[ "$OS" =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn|oracle) ]]; then
yum remove -y openvpn
- elif [[ "$OS" = 'fedora' ]]; then
+ elif [[ $OS == 'fedora' ]]; then
dnf remove -y openvpn
fi
@@ -1219,7 +1305,7 @@ function removeOpenVPN () {
find /root/ -maxdepth 1 -name "*.ovpn" -delete
rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn*
- rm -f /etc/sysctl.d/20-openvpn.conf
+ rm -f /etc/sysctl.d/99-openvpn.conf
rm -rf /var/log/openvpn
# Unbound
@@ -1234,8 +1320,7 @@ function removeOpenVPN () {
fi
}
-function manageMenu () {
- clear
+function manageMenu() {
echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo ""
@@ -1246,22 +1331,22 @@ function manageMenu () {
echo " 2) Revoke existing user"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
- until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do
+ until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
read -rp "Select an option [1-4]: " MENU_OPTION
done
case $MENU_OPTION in
- 1)
- newClient
+ 1)
+ newClient
;;
- 2)
- revokeClient
+ 2)
+ revokeClient
;;
- 3)
- removeOpenVPN
+ 3)
+ removeOpenVPN
;;
- 4)
- exit 0
+ 4)
+ exit 0
;;
esac
}
@@ -1270,7 +1355,7 @@ function manageMenu () {
initialCheck
# Check if OpenVPN is already installed
-if [[ -e /etc/openvpn/server.conf ]]; then
+if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
manageMenu
else
installOpenVPN