Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2024-12-04 22:45:32 +01:00
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into patch-7

Browse Source
This commit is contained in:
Henry N 2020-05-20 00:20:45 +02:00 committed by GitHub
commit 15fb5075ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 817 additions and 534 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.github/ISSUE_TEMPLATE.md vendored
View File

@ -1,13 +0,0 @@
<!---
Before opening an issue, please make sure:
- You installed OpenVPN with the latest version of the script
- You read the FAQ
- Your issue is about the script, NOT OpenVPN itself
- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
FYI, you can execute the script with `bash -x openvpn-install.sh` to enable debug mode.
You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
--->

49
.github/ISSUE_TEMPLATE/bug-report-or-suport-request.md vendored Normal file
View File

@ -0,0 +1,49 @@
---
name: Bug report / Support request
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
**Checklist**
- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
- [ ] My issue is about the script, and not OpenVPN itself
<!---
If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
--->
**Describe the issue**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. ...
**Expected behavior**
A clear and concise description of what you expected to happen.
**Logs**
If applicable, add logs or screenshots to help explain your problem.
If you can reproduce the issue, please run the script in debug mode and post the output: `bash -x openvpn-install.sh`
**Server if applicable):**
- OS: [e.g. Debian 10]
- Hosting provider (if applicable): [e.g. Vultr, AWS]
**Client (if applicable):**
- Device: [e.g. iPhone6]
- OS: [e.g. iOS8.1]
- Client: [e.g. OpenVPN Connect]
**Additional context**
Add any other context about the problem here.

31
.github/ISSUE_TEMPLATE/feature-request.md vendored Normal file
View File

@ -0,0 +1,31 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''
---
**Checklist**
- [ ] I read the [README](https://github.com/angristan/openvpn-install/blob/master/README.md)
- [ ] I read the [FAQ](https://github.com/angristan/openvpn-install/blob/master/FAQ.md)
- [ ] I searched the [issues](https://github.com/angristan/openvpn-install/issues?q=is%3Aissue+)
- [ ] My issue is about the script, and not OpenVPN itself
<!---
If you need help with OpenVPN itself, please us the [community forums](https://forums.openvpn.net/) or [Stack Overflow](https://stackoverflow.com/questions/tagged/openvpn)
--->
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.

26
.github/workflows/lint.yml vendored Normal file
View File

@ -0,0 +1,26 @@
on:
push:
branches:
- master
pull_request:
branches:
- master
name: Lint
jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shellcheck
uses: ludeeus/action-shellcheck@0.0.1
env:
SHELLCHECK_OPTS: -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
shfmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shfmt
uses: bltavares/actions/shfmt@master
env:
SHFMT_ARGS: -d

11
.github/workflows/push.yml vendored
View File

@ -1,11 +0,0 @@
on: [push, pull_request]
name: ShellCheck
jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: shellcheck
uses: ludeeus/action-shellcheck@0.0.1
with:
args: openvpn-install.sh -e SC1091,SC2164,SC2034,SC1072,SC1073,SC1009

97
.github/workflows/test.yml vendored Normal file
View File

@ -0,0 +1,97 @@
on:
push:
branches:
- master
name: Test
jobs:
install:
runs-on: ubuntu-latest
if: github.repository == 'angristan/openvpn-install' && github.actor == 'angristan'
strategy:
matrix:
os-image:
- debian-9-x64
- debian-10-x64
- ubuntu-18-04-x64
- ubuntu-16-04-x64
- ubuntu-20-04-x64
- fedora-30-x64
- fedora-31-x64
- centos-7-x64
- centos-8-x64
steps:
- uses: actions/checkout@master
- name: Setup doctl
uses: digitalocean/action-doctl@v2
with:
token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
- name: Create server
run: doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }} --size s-1vcpu-1gb --image ${{ matrix.os-image }} --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4 --wait
- name: Get server ID
run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").id')
id: server_id
- name: Move server to dedicated project
run: doctl projects resources assign ${{ secrets.DIGITALOCEAN_PROJECT_ID }} --resource=do:droplet:${{ steps.server_id.outputs.value }}
- name: Wait for server to boot
run: sleep 90
- name: Get server IP
run: echo ::set-output name=value::$(doctl compute droplet list -o json | jq -r '.[] | select(.name == "'openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}'").networks.v4 | .[0].ip_address')
id: server_ip
- name: Get server OS
run: echo ::set-output name=value::$(echo ${{ matrix.os-image }} | cut -d '-' -f1)
id: server_os
- name: Setup remote server (Debian/Ubuntu)
if: steps.server_os.outputs.value == 'debian' || steps.server_os.outputs.value == 'ubuntu'
uses: appleboy/ssh-action@master
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && apt-get update && apt-get install -y git
- name: Setup remote server (Fedora)
if: steps.server_os.outputs.value == 'fedora'
uses: appleboy/ssh-action@master
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && dnf install -y git
- name: Setup remote server (CentOS)
if: steps.server_os.outputs.value == 'centos'
uses: appleboy/ssh-action@master
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && yum install -y git
- name: Download repo and checkout current commit
uses: appleboy/ssh-action@master
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: set -x && git clone https://github.com/angristan/openvpn-install.git && cd openvpn-install && git checkout ${{ github.event.pull_request.head.sha }}
- name: Run openvpn-install.sh in headless mode
uses: appleboy/ssh-action@master
with:
host: ${{ steps.server_ip.outputs.value }}
username: root
key: ${{ secrets.SSH_KEY }}
script: 'set -x && AUTO_INSTALL=y bash -x ~/openvpn-install/openvpn-install.sh && ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1'
- name: Delete server
run: doctl compute droplet delete -f openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-${{ matrix.os-image }}
if: always()

2
.gitignore vendored
View File

@ -1,2 +0,0 @@
.vagrant/
*.log

85
FAQ.md
View File

@ -14,6 +14,45 @@ You can, of course, it's even recommended, update the `openvpn` package with you
---
**Q:** How do I fix DNS leaks?
**A:** On Windows 10 DNS leaks are blocked by default with the `block-outside-dns` option.
On Linux you need to add these lines to your `.ovpn` file based on your Distribution.
Debian 9, 10 and Ubuntu 16.04, 18.04
```
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
```
Centos 6, 7
```
script-security 2
up /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.up
down /usr/share/doc/openvpn-2.4.8/contrib/pull-resolv-conf/client.down
```
Centos 8, Fedora 30, 31
```
script-security 2
up /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up
down /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down
```
Arch Linux
```
script-security 2
up /usr/share/openvpn/contrib/pull-resolv-conf/client.up
down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
```
---
**Q:** Can I use an OpenVPN 2.3 client?
**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options:
@ -36,12 +75,52 @@ If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/s
**Q:** DNS is not working on my Linux client
**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script
**A:** See "How do I fix DNS leaks?" question
---
**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox)
**Q:** What syctl and iptables changes are made by the script?
**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox)
**A:** Iptables rules are saved at `/etc/iptables/add-openvpn-rules.sh` and `/etc/iptables/rm-openvpn-rules.sh`. They are managed by the service `/etc/systemd/system/iptables-openvpn.service`
Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
---
**Q:** How can I access other clients connected to the same OpenVPN server?
**A:** Add `client-to-client` to your `server.conf`
---
**Q:** My router can't connect
**A:**
- `Options error: No closing quotation (") in config.ovpn:46` :
type `yes` when asked to customize encryption settings and choose `tls-auth`
- `Options error: Unrecognized option or missing parameter(s) in config.ovpn:36: tls-version-min (2.3.2)` :
see question "Can I use an OpenVPN 2.3 client?"
---
**Q:** How can I access computers the OpenVPN server's remote LAN?
**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
---
**Q:** How can I add multiple users in one go?
**A:** Here is a sample bash script to achieve this:
```sh
userlist=(user1 user2 user3)
for i in ${userlist[@]};do
MENU_OPTION=1 CLIENT=$i PASS=1 ./openvpn-install.sh
done
```

55
README.md
View File

@ -1,5 +1,7 @@
# openvpn-install
![Test](https://github.com/angristan/openvpn-install/workflows/Test/badge.svg) ![Lint](https://github.com/angristan/openvpn-install/workflows/Lint/badge.svg)
OpenVPN installer for Debian, Ubuntu, Fedora, CentOS and Arch Linux.
This script will let you setup your own secure VPN server in just a few seconds.
@ -35,13 +37,14 @@ In your home directory, you will have `.ovpn` files. These are the client config
If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
**PLEASE do not send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
### Headless install
It's also possible to run the script headless, e.g. without waiting for user input, in an automated manner.
Example usage:
```bash
AUTO_INSTALL=y ./openvpn-install.sh
@ -72,11 +75,14 @@ Other variables can be set depending on your choice (encryption, compression). Y
Password-protected clients are not supported by the headless installation method since user input is expected by Easy-RSA.
The headless install is more-or-less idempotent, in that it has been made safe to run multiple times with the same parameters, e.g. by a state provisioner like Ansible/Terraform/Salt/Chef/Puppet. It will only install and regenerate the Easy-RSA PKI if it doesn't already exist, and it will only install OpenVPN and other upstream dependencies if OpenVPN isn't already installed. It will recreate all local config and re-generate the client file on each headless run.
### Headless User Addition
It's also possible to automate the addition of a new user. Here, the key is to provide the (string) value of the `MENU_OPTION` variable along with the remaining mandatory variables before invoking the script.
The following Bash script adds a new user `foo` to an existing OpenVPN configuration
```bash
#!/bin/bash
export MENU_OPTION="1"
@ -108,19 +114,16 @@ export PASS="1"
The script supports these OS and architectures:
| | i386 | amd64 | armhf | arm64 |
| -------------- | ---- | ----- | ----- | ----- |
| --------------- | ---- | ----- | ----- | ----- |
| Amazon Linux 2 | ❔ | ✅ | ❔ | ❔ |
| Arch Linux | ❔ | ✅ | ❔ | ✅ |
| Centos 8 | ❌ | ✅ | ❔ | ❔ |
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
| CentOS 8 | ❌ | ✅ | ❔ | ❔ |
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
| Debian 9 | ❌ | ✅ | ✅ | ✅ |
| Debian 10 | ❔ | ✅ | ✅ | ❔ |
| Fedora 27 | ❔ | ✅ | ❔ | ❔ |
| Fedora 28 | ❔ | ✅ | ❔ | ❔ |
| Debian >= 9 | ❌ | ✅ | ✅ | ✅ |
| Fedora >= 27 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
| Ubuntu 18.04 | ❌ | ✅ | ✅ | ✅ |
| Ubuntu 19.04 | ❌ | ✅ | ✅ | ✅ |
| Ubuntu >= 18.04 | ❌ | ✅ | ✅ | ✅ |
To be noted:
@ -142,9 +145,9 @@ More Q&A in [FAQ.md](FAQ.md).
**A:** I recommend these:
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at $3.50/month
- [Vultr](https://goo.gl/Xyd1Sc): Worldwide locations, IPv6 support, starting at \$3.50/month
- [PulseHeberg](https://goo.gl/76yqW5): France, unlimited bandwidth, starting at €3/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at $5/month
- [Digital Ocean](https://goo.gl/qXrNLK): Worldwide locations, IPv6 support, starting at \$5/month
---
@ -180,6 +183,24 @@ Solutions that provision a ready to use OpenVPN server based on this script in o
- AWS using Terraform at [`openvpn-terraform-install`](https://github.com/dumrauf/openvpn-terraform-install)
## Contributing
### Contributors hall-of-fame
Thanks ❤️
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/0)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/1)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/2)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/3)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/4)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/5)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/6)](https://github.com/angristan/openvpn-install/graphs/contributors)
[![](https://sourcerer.io/fame/angristan/angristan/openvpn-install/images/7)](https://github.com/angristan/openvpn-install/graphs/contributors)
### Code formatting
We use [shellcheck](https://github.com/koalaman/shellcheck) and [shfmt](https://github.com/mvdan/sh) to enforce bash styling guidelines and good practices. They are executed for each commit / PR with GitHub Actions, so you can check the configuration [here](https://github.com/angristan/openvpn-install/blob/master/.github/workflows/push.yml).
## Security and Encryption
@ -190,6 +211,7 @@ OpenVPN 2.4 was a great update regarding encryption. It added support for ECDSA,
If you want more information about an option mentioned below, head to the [OpenVPN manual](https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage). It is very complete.
Most of OpenVPN's encryption-related stuff is managed by [Easy-RSA](https://github.com/OpenVPN/easy-rsa). Defaults parameters are in the [vars.example](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/easyrsa3/vars.example) file.
### Compression
By default, OpenVPN doesn't enable compression. This script provides support for LZ0 and LZ4 (v1/v2) algorithms, the latter being more efficient.
@ -227,11 +249,11 @@ By default, OpenVPN uses `BF-CBC` as the data channel cipher. Blowfish is an old
>
> Using BF-CBC is no longer recommended, because of its 64-bit block size. This small block size allows attacks based on collisions, as demonstrated by SWEET32. See https://community.openvpn.net/openvpn/wiki/SWEET32 for details.
>Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
> Security researchers at INRIA published an attack on 64-bit block ciphers, such as 3DES and Blowfish. They show that they are able to recover plaintext when the same data is sent often enough, and show how they can use cross-site scripting vulnerabilities to send data of interest often enough. This works over HTTPS, but also works for HTTP-over-OpenVPN. See https://sweet32.info/ for a much better and more elaborate explanation.
>
> OpenVPN's default cipher, BF-CBC, is affected by this attack.
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](https://en.wikipedia.org/wiki/Camellia_(cipher)) are not vulnerable to date but are slower than AES and relatively less trusted.
Indeed, AES is today's standard. It's the fastest and more secure cipher available today. [SEED](https://en.wikipedia.org/wiki/SEED) and [Camellia](<https://en.wikipedia.org/wiki/Camellia_(cipher)>) are not vulnerable to date but are slower than AES and relatively less trusted.
> Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
@ -250,7 +272,7 @@ The script supports the following ciphers:
And defaults to `AES-128-GCM`.
OpenVPN 2.4 added a feature called "NCP": *Negotiable Crypto Parameters*. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
OpenVPN 2.4 added a feature called "NCP": _Negotiable Crypto Parameters_. It means you can provide a cipher suite like with HTTPS. It is set to `AES-256-GCM:AES-128-GCM` by default and overrides the `--cipher` parameter when used with an OpenVPN 2.4 client. For the sake of simplicity, the script set both the `--cipher` and `--ncp-cipher` to the cipher chosen above.
### Control channel
@ -311,6 +333,7 @@ About `tls-crypt`:
> Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
>
> Encrypting (and authenticating) control channel packets:
>
> - provides more privacy by hiding the certificate used for the TLS connection,
> - makes it harder to identify OpenVPN traffic as such,
> - provides "poor-man's" post-quantum security, against attackers who will never know the pre-shared key (i.e. no forward secrecy).
@ -323,9 +346,7 @@ The script supports both and uses `tls-crypt` by default.
## Say thanks
*Sadly saythanks.io doesn't exist anymore... Thanks for the dozens of messages! It's really meaninful to me.*
*Still want to help? Check the "sponsor" button at the top of the page!*
You can [say thanks](https://saythanks.io/to/angristan%40pm.me) if you want!
## Credits & Licence

35
Vagrantfile vendored
View File

@ -1,35 +0,0 @@
# This Vagrantfile is used to test the script
# To run the script on all machines, export VAGRANT_AUTOSTART=true
autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
# else, run `vagrant up <hostname>`
machines = [
{ hostname: 'debian-10', box: 'debian/stretch64' },
{ hostname: 'debian-9', box: 'debian/stretch64' },
{ hostname: 'debian-8', box: 'debian/jessie64' },
{ hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
{ hostname: 'ubuntu-1804', box: 'ubuntu/xenial64' },
{ hostname: 'centos-7', box: 'centos/7' },
{ hostname: 'fedora-29', box: 'fedora/29-cloud-base' },
{ hostname: 'fedora-28', box: 'fedora/28-cloud-base' },
{ hostname: 'archlinux', box: 'archlinux/archlinux' }
]
Vagrant.configure('2') do |config|
machines.each do |machine|
config.vm.provider 'virtualbox' do |v|
v.memory = 1024
v.cpus = 2
end
config.vm.define machine[:hostname], autostart: autostart_machines do |machineconfig|
machineconfig.vm.hostname = machine[:hostname]
machineconfig.vm.box = machine[:box]
machineconfig.vm.provision 'shell', inline: <<-SHELL
AUTO_INSTALL=y /vagrant/openvpn-install.sh
ps aux | grep openvpn | grep -v grep > /dev/null 2>&1 && echo "Success: OpenVPN is running" && exit 0 || echo "Failure: OpenVPN is not running" && exit 1
SHELL
end
end
end

261
openvpn-install.sh
View File

@ -21,32 +21,31 @@ function checkOS () {
# shellcheck disable=SC1091
source /etc/os-release
if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
if [[ $ID == "debian" || $ID == "raspbian" ]]; then
if [[ $VERSION_ID -lt 8 ]]; then
echo "⚠️ Your version of Debian is not supported."
echo ""
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
echo "Keep in mind they are not supported, though."
echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
echo ""
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" == "n" ]]; then
if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
elif [[ "$ID" == "ubuntu" ]];then
elif [[ $ID == "ubuntu" ]]; then
OS="ubuntu"
if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then
MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
echo "⚠️ Your version of Ubuntu is not supported."
echo ""
echo "However, if you're using Ubuntu > 17 or beta, then you can continue."
echo "Keep in mind they are not supported, though."
echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk."
echo ""
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" == "n" ]]; then
if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
@ -54,10 +53,10 @@ function checkOS () {
elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091
source /etc/os-release
if [[ "$ID" == "fedora" ]]; then
if [[ $ID == "fedora" ]]; then
OS="fedora"
fi
if [[ "$ID" == "centos" ]]; then
if [[ $ID == "centos" ]]; then
OS="centos"
if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported."
@ -67,9 +66,9 @@ function checkOS () {
exit 1
fi
fi
if [[ "$ID" == "amzn" ]]; then
if [[ $ID == "amzn" ]]; then
OS="amzn"
if [[ ! $VERSION_ID == "2" ]]; then
if [[ $VERSION_ID != "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported."
echo ""
echo "The script only support Amazon Linux 2."
@ -98,24 +97,27 @@ function initialCheck () {
}
function installUnbound() {
# If Unbound isn't installed, install it
if [[ ! -e /etc/unbound/unbound.conf ]]; then
if [[ "$OS" =~ (debian|ubuntu) ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get install -y unbound
elif [[ "$OS" =~ (centos|amzn) ]]; then
elif [[ $OS =~ (centos|amzn) ]]; then
yum install -y unbound
elif [[ "$OS" == "fedora" ]]; then
elif [[ $OS == "fedora" ]]; then
dnf install -y unbound
elif [[ "$OS" == "arch" ]]; then
elif [[ $OS == "arch" ]]; then
pacman -Syu --noconfirm unbound
# Get root servers list
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
fi
echo 'server:
trust-anchor-file: trusted-key.key
@ -129,10 +131,10 @@ function installUnbound () {
echo 'server:
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
harden-glue: yes
hide-identity: yes
hide-version: yes
qname-minimisation: yes
prefetch: yes
# DNS Rebinding fix
@ -145,6 +147,12 @@ function installUnbound () {
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' >/etc/unbound/unbound.conf.d/openvpn.conf
# IPv6 DNS for all OS
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo ' interface: fd42:42:42:42::1
access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/unbound.conf.d/openvpn.conf
fi
# Add as include, if no wildcard include exist
if ! grep -q '/etc/unbound/unbound.conf.d/' /etc/unbound/unbound.conf; then
echo 'include: /etc/unbound/unbound.conf.d/openvpn.conf' >>/etc/unbound/unbound.conf
@ -166,7 +174,11 @@ function installQuestions () {
echo "Unless your server is behind NAT, it should be your public IPv4 address."
# Detect public IPv4 address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
if [[ -z $IP ]]; then
# Detect public IPv6 address
IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
fi
APPROVE_IP=${APPROVE_IP:-n}
if [[ $APPROVE_IP =~ n ]]; then
read -rp "IP address: " -e -i "$IP" IP
@ -176,7 +188,7 @@ function installQuestions () {
echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
echo "We need it for the clients to connect to the server."
until [[ "$ENDPOINT" != "" ]]; do
until [[ $ENDPOINT != "" ]]; do
read -rp "Public IPv4 address or hostname: " -e ENDPOINT
done
fi
@ -207,7 +219,7 @@ function installQuestions () {
echo " 1) Default: 1194"
echo " 2) Custom"
echo " 3) Random [49152-65535]"
until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done
case $PORT_CHOICE in
@ -215,7 +227,7 @@ function installQuestions () {
PORT="1194"
;;
2)
until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
read -rp "Custom port [1-65535]: " -e -i 1194 PORT
done
;;
@ -230,7 +242,7 @@ function installQuestions () {
echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
echo " 1) UDP"
echo " 2) TCP"
until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
done
case $PROTOCOL_CHOICE in
@ -256,7 +268,7 @@ function installQuestions () {
echo " 11) AdGuard DNS (Anycast: worldwide)"
echo " 12) NextDNS (Anycast: worldwide)"
echo " 13) Custom"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo ""
@ -275,12 +287,12 @@ function installQuestions () {
unset CONTINUE
fi
elif [[ $DNS == "13" ]]; then
until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Primary DNS: " -e DNS1
done
until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Secondary DNS (optional): " -e DNS2
if [[ "$DNS2" == "" ]]; then
if [[ $DNS2 == "" ]]; then
break
fi
done
@ -339,7 +351,7 @@ function installQuestions () {
echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
done
case $CIPHER_CHOICE in
@ -397,7 +409,7 @@ function installQuestions () {
echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits"
echo " 3) 4096 bits"
until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
done
case $RSA_KEY_SIZE_CHOICE in
@ -482,7 +494,7 @@ function installQuestions () {
echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits"
echo " 3) 4096 bits"
until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
done
case $DH_KEY_SIZE_CHOICE in
@ -500,9 +512,9 @@ function installQuestions () {
esac
echo ""
# The "auth" options behaves differently with AEAD ciphers
if [[ "$CIPHER" =~ CBC$ ]]; then
if [[ $CIPHER =~ CBC$ ]]; then
echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
elif [[ "$CIPHER" =~ GCM$ ]]; then
elif [[ $CIPHER =~ GCM$ ]]; then
echo "The digest algorithm authenticates tls-auth packets from the control channel."
fi
echo "Which digest algorithm do you want to use for HMAC?"
@ -556,9 +568,13 @@ function installOpenVPN () {
PASS=${PASS:-1}
CONTINUE=${CONTINUE:-y}
# Behind NAT, we'll default to the publicly reachable IPv4.
PUBLIC_IPV4=$(curl ifconfig.co)
ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4}
# Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
if [[ $IPV6_SUPPORT == "y" ]]; then
PUBLIC_IP=$(curl https://ifconfig.co)
else
PUBLIC_IP=$(curl -4 https://ifconfig.co)
fi
ENDPOINT=${ENDPOINT:-$PUBLIC_IP}
fi
# Run setup questions first, and set other variales if auto-install
@ -566,51 +582,60 @@ function installOpenVPN () {
# Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
fi
# $NIC can not be empty for script rm-openvpn-rules.sh
if [[ -z "$NIC" ]]; then
if [[ -z $NIC ]]; then
echo
echo "Can not detect public interface."
echo "This needs for setup MASQUERADE."
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" == "n" ]]; then
if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
if [[ "$OS" =~ (debian|ubuntu) ]]; then
# If OpenVPN isn't installed yet, install it. This script is more-or-less
# idempotent on multiple runs, but will only install OpenVPN from upstream
# the first time.
if [[ ! -e /etc/openvpn/server.conf ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update
apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version.
if [[ "$VERSION_ID" == "8" ]]; then
if [[ $VERSION_ID == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
if [[ "$VERSION_ID" == "16.04" ]]; then
if [[ $VERSION_ID == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
apt-get install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" == 'centos' ]]; then
elif [[ $OS == 'centos' ]]; then
yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
elif [[ "$OS" == 'amzn' ]]; then
elif [[ $OS == 'amzn' ]]; then
amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" == 'arch' ]]; then
elif [[ $OS == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils
elif [[ $OS == 'arch' ]]; then
# Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
fi
# Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then
@ -619,18 +644,13 @@ function installOpenVPN () {
NOGROUP=nobody
fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
# Install the latest version of easy-rsa from source
local version="3.0.6"
wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz
tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/
mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa
chown -R root:root /etc/openvpn/easy-rsa/
rm -f ~/EasyRSA-unix-v${version}.tgz
# Install the latest version of easy-rsa from source, if not already installed.
if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
local version="3.0.7"
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
mkdir /etc/openvpn/easy-rsa
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
rm -f ~/easy-rsa.tgz
cd /etc/openvpn/easy-rsa/ || return
case $CERT_TYPE in
@ -645,16 +665,14 @@ function installOpenVPN () {
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_CN" >SERVER_CN_GENERATED
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_NAME" >SERVER_NAME_GENERATED
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
# Workaround to remove unharmful error until easy-rsa 3.0.7
# https://github.com/OpenVPN/easy-rsa/issues/261
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then
@ -675,6 +693,12 @@ function installOpenVPN () {
openvpn --genkey --secret /etc/openvpn/tls-auth.key
;;
esac
else
# If easy-rsa is already installed, grab the generated SERVER_NAME
# for client configs
cd /etc/openvpn/easy-rsa/ || return
SERVER_NAME=$(cat SERVER_NAME_GENERATED)
fi
# Move all the generated files
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
@ -687,9 +711,9 @@ function installOpenVPN () {
# Generate server.conf
echo "port $PORT" >/etc/openvpn/server.conf
if [[ "$IPV6_SUPPORT" == 'n' ]]; then
if [[ $IPV6_SUPPORT == 'n' ]]; then
echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
elif [[ "$IPV6_SUPPORT" == 'y' ]]; then
elif [[ $IPV6_SUPPORT == 'y' ]]; then
echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
fi
@ -714,12 +738,18 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
RESOLVCONF='/etc/resolv.conf'
fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
fi
done
;;
2) # Self-hosted DNS resolver (Unbound)
echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
fi
;;
3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
@ -763,7 +793,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
;;
13) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
if [[ "$DNS2" != "" ]]; then
if [[ $DNS2 != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
fi
;;
@ -771,7 +801,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
# IPv6 network settings if needed
if [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
@ -809,15 +839,18 @@ ncp-ciphers $CIPHER
tls-server
tls-version-min 1.2
tls-cipher $CC_CIPHER
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3" >>/etc/openvpn/server.conf
# Create client-config-dir dir
mkdir -p /etc/openvpn/ccd
# Create log dir
mkdir -p /var/log/openvpn
# Enable routing
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf
if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf
fi
# Apply sysctl rules
@ -826,14 +859,14 @@ verb 3" >> /etc/openvpn/server.conf
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
if [[ $PORT != '1194' ]]; then
semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi
fi
fi
# Finally, restart and enable OpenVPN
if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then
if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
# Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@ -842,14 +875,14 @@ verb 3" >> /etc/openvpn/server.conf
# Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
if [[ "$OS" == "fedora" ]];then
if [[ $OS == "fedora" ]]; then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi
systemctl daemon-reload
systemctl enable openvpn-server@server
systemctl restart openvpn-server@server
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service
systemctl enable openvpn
@ -883,11 +916,12 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
fi
# Script to remove rules
@ -898,11 +932,12 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT
ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
fi
chmod +x /etc/iptables/add-openvpn-rules.sh
@ -929,16 +964,16 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
systemctl start iptables-openvpn
# If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ "$ENDPOINT" != "" ]]; then
if [[ $ENDPOINT != "" ]]; then
IP=$ENDPOINT
fi
# client-template.txt is created so we have a template to add further users later
echo "client" >/etc/openvpn/client-template.txt
if [[ "$PROTOCOL" == 'udp' ]]; then
if [[ $PROTOCOL == 'udp' ]]; then
echo "proto udp" >>/etc/openvpn/client-template.txt
echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" == 'tcp' ]]; then
elif [[ $PROTOCOL == 'tcp' ]]; then
echo "proto tcp-client" >>/etc/openvpn/client-template.txt
fi
echo "remote $IP $PORT
@ -955,6 +990,7 @@ cipher $CIPHER
tls-client
tls-version-min 1.2
tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >>/etc/openvpn/client-template.txt
@ -972,7 +1008,7 @@ function newClient () {
echo "Tell me a name for the client."
echo "Use one word only, no special characters."
until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
read -rp "Client name: " -e CLIENT
done
@ -982,10 +1018,16 @@ function newClient () {
echo " 1) Add a passwordless client"
echo " 2) Use a password for the client"
until [[ "$PASS" =~ ^[1-2]$ ]]; do
until [[ $PASS =~ ^[1-2]$ ]]; do
read -rp "Select an option [1-2]: " -e -i 1 PASS
done
CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
if [[ $CLIENTEXISTS == '1' ]]; then
echo ""
echo "The specified client CN was already found in easy-rsa, please choose another name."
exit
else
cd /etc/openvpn/easy-rsa/ || return
case $PASS in
1)
@ -996,6 +1038,8 @@ function newClient () {
./easyrsa build-client-full "$CLIENT"
;;
esac
echo "Client $CLIENT added."
fi
# Home directory of the user, where the client configuration (.ovpn) will be written
if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
@ -1044,7 +1088,7 @@ function newClient () {
} >>"$homeDir/$CLIENT.ovpn"
echo ""
echo "Client $CLIENT added, the configuration file is available at $homeDir/$CLIENT.ovpn."
echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
echo "Download the .ovpn file and import it in your OpenVPN client."
exit 0
@ -1052,7 +1096,7 @@ function newClient () {
function revokeClient() {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" == '0' ]]; then
if [[ $NUMBEROFCLIENTS == '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 1
@ -1061,20 +1105,17 @@ function revokeClient () {
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" == '1' ]]; then
until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
if [[ $CLIENTNUMBER == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER
else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
done
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke "$CLIENT"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Cleanup
rm -f "pki/reqs/$CLIENT.req"
rm -f "pki/private/$CLIENT.key"
rm -f "pki/issued/$CLIENT.crt"
rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
@ -1097,17 +1138,17 @@ function removeUnbound () {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done
if [[ "$REMOVE_UNBOUND" == 'y' ]]; then
if [[ $REMOVE_UNBOUND == 'y' ]]; then
# Stop Unbound
systemctl stop unbound
if [[ "$OS" =~ (debian|ubuntu) ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y unbound
elif [[ "$OS" == 'arch' ]]; then
elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R unbound
elif [[ "$OS" =~ (centos|amzn) ]]; then
elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y unbound
elif [[ "$OS" == 'fedora' ]]; then
elif [[ $OS == 'fedora' ]]; then
dnf remove -y unbound
fi
@ -1126,17 +1167,18 @@ function removeOpenVPN () {
echo ""
# shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" == 'y' ]]; then
if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
# Stop OpenVPN
if [[ "$OS" =~ (fedora|arch|centos) ]]; then
if [[ $OS =~ (fedora|arch|centos) ]]; then
systemctl disable openvpn-server@server
systemctl stop openvpn-server@server
# Remove customised service
rm /etc/systemd/system/openvpn-server@.service
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
systemctl disable openvpn
systemctl stop openvpn
else
@ -1158,23 +1200,23 @@ function removeOpenVPN () {
# SELinux
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp "$PORT"
if [[ $PORT != '1194' ]]; then
semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi
fi
fi
if [[ "$OS" =~ (debian|ubuntu) ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y openvpn
if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
rm /etc/apt/sources.list.d/openvpn.list
apt-get update
fi
elif [[ "$OS" == 'arch' ]]; then
elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R openvpn
elif [[ "$OS" =~ (centos|amzn) ]]; then
elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y openvpn
elif [[ "$OS" == 'fedora' ]]; then
elif [[ $OS == 'fedora' ]]; then
dnf remove -y openvpn
fi
@ -1199,7 +1241,6 @@ function removeOpenVPN () {
}
function manageMenu() {
clear
echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo ""
@ -1210,7 +1251,7 @@ function manageMenu () {
echo " 2) Revoke existing user"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do
until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
read -rp "Select an option [1-4]: " MENU_OPTION
done
@ -1234,7 +1275,7 @@ function manageMenu () {
initialCheck
# Check if OpenVPN is already installed
if [[ -e /etc/openvpn/server.conf ]]; then
if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
manageMenu
else
installOpenVPN