The BIG update

Deleted latest and legacy mode
Use OpenVPN 2.3.10 with custom repo
Add a check at start for Debian/Ubuntu
Fast mode with 2048 bits RSA and DH, 128 bits AES, SHA-256 certificate
Slow mode with 4096 bits RSA and DH, 256 bits AES, SHA-384 certificate
AES-256-CBC and SHA512 for HMAC auth
Add OpenNIC as a DNS option + GeoIP API
Delete NTT and Hurricane Electric DNS
Other improvements
Angristan 2016-03-19 17:41:18 +01:00
parent 25448611c2
commit 1bf105e809


@ -26,8 +26,14 @@ if grep -qs "CentOS release 5" "/etc/redhat-release"; then
fi fi
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS=debian OS="debian"
#We get the version number, to verify we can get a recent version of OpenVPN
VERSION_ID=$(cat /etc/*-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local' RCLOCAL='/etc/rc.local'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="15.10"' ]]; then
echo "Your version of Debian/Ubuntu is not supported. Please look at the documentation."
exit 4
fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos OS=centos
RCLOCAL='/etc/rc.d/rc.local' RCLOCAL='/etc/rc.d/rc.local'
@ -170,10 +176,13 @@ else
echo "You can leave the default options and just press enter if you are ok with them" echo "You can leave the default options and just press enter if you are ok with them"
echo "" echo ""
echo "First, choose which variant of the script you want to use." echo "First, choose which variant of the script you want to use."
echo "Read carefully the README on GitHub before choosing. Use legacy of you're not sure." echo '"Fast" is secure, but "slow" is the best encryption you can get, at the cost of speed (not that slow though)'
echo " 1) Latest (High encryption, not compatible with all servers and clients)" echo " 1) Fast (2048 bits RSA and DH, 128 bits AES)"
echo " 2) Legacy (Work with most devices)" echo " 2) Slow (4096 bits RSA and DH, 256 bits AES)"
read -p "Variant [1-2]: " -e -i 2 VER while [[ $VARIANT != "1" && $VARIANT != "2" ]]; do
read -p "Variant [1-2]: " -e -i 1 VARIANT
done
echo "" echo ""
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (10.x.x.x)" echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (10.x.x.x)"
@ -186,10 +195,9 @@ else
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers" echo " 1) Current system resolvers"
echo " 2) FDN (recommended)" echo " 2) FDN (recommended)"
echo " 3) OpenDNS" echo " 3) OpenNIC (nearest servers)"
echo " 4) NTT" echo " 4) OpenDNS"
echo " 5) Google" echo " 5) Google"
echo " 6) Hurricane Electric"
read -p "DNS [1-6]: " -e -i 2 DNS read -p "DNS [1-6]: " -e -i 2 DNS
echo "" echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me your name for the client cert"
@ -199,13 +207,40 @@ else
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get update # We add the OpenVPN repo to get the latest version.
apt-get install openvpn iptables openssl ca-certificates -y # Debian 7
if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
echo "deb http://swupdate.openvpn.net/apt wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://swupdate.openvpn.net/apt jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
fi
# Ubuntu 12.04
if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# The repo, is not available for Ubuntu 15.10, but it has OpenVPN > 2.3.3, so we do nothing.
# The we install OpnVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y
else else
# Else, the distro is CentOS # Else, the distro is CentOS
yum install epel-release -y yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates -y yum install openvpn iptables openssl wget ca-certificates curl -y
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/ rm -rf /etc/openvpn/easy-rsa/
@ -218,8 +253,18 @@ else
chown -R root:root /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.1.tgz rm -rf ~/EasyRSA-3.0.1.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
#Use 4096 bits DH instead of 2048 bits # If the user selected the fast, less hardened version
echo "set_var EASYRSA_KEY_SIZE 4096" > vars if [[ "$VARIANT" = '1' ]]; then
echo "set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_DIGEST "sha256"" > vars
fi
# If the user selected the relatively slow, ultra hardened version
if [[ "$VARIANT" = '2' ]]; then
echo "set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_DIGEST "sha384"" > vars
fi
# Create the PKI, set up the CA, the DH params and the server + client certificates # Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
@ -241,15 +286,17 @@ key server.key
dh dh.pem dh dh.pem
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf ifconfig-pool-persist ipp.txt
if [[ "$VER" = '1' ]]; then cipher AES-256-CBC
#If we're using the latest variant auth SHA512
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 tls-version-min 1.2" > /etc/openvpn/server.conf
tls-version-min 1.2" >> /etc/openvpn/server.conf if [[ "$VARIANT" = '1' ]]; then
else # If the user selected the fast, less hardened version
# If the user slected legacy # Or if the user selected a non-existant variant, we fallback to fast
# Or if the user selected a non-existant variant, we fallback to legacy echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
echo "cipher AES-256-CBC" >> /etc/openvpn/server.conf elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
fi fi
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
# DNS # DNS
@ -260,25 +307,26 @@ tls-version-min 1.2" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done done
;; ;;
2) 2) #FDN
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
;; ;;
3) 3) #OpenNIC
#Getting the nearest OpenNIC servers using the geoip API
read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
echo -e "nameserver $ns1
nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
;;
4) #OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;; ;;
4) 5) #Google
echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf
;;
5)
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;; ;;
6)
echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf
;;
esac esac
echo "keepalive 10 120 echo "keepalive 10 120
comp-lzo comp-lzo
@ -375,15 +423,17 @@ nobind
persist-key persist-key
persist-tun persist-tun
remote-cert-tls server remote-cert-tls server
comp-lzo" > /etc/openvpn/client-common.txt comp-lzo
if [[ "$VER" = '1' ]]; then cipher AES-256-CBC
#If we're using the latest variant auth SHA512
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 tls-version-min 1.2" > /etc/openvpn/client-common.txt
tls-version-min 1.2" >> /etc/openvpn/client-common.txt if [[ "$VARIANT" = '1' ]]; then
else # If the user selected the fast, less hardened version
# If the user slected legacy # Or if the user selected a non-existant variant, we fallback to fast
# Or if the user selected a non-existant variant, we fallback to legacy echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
echo "cipher AES-256-CBC" >> /etc/openvpn/client-common.txt elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
fi fi
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
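Review bot: In the OpenNIC branch of hunk `@ -260,25 +307,26` (case arm `3)`), the output of `curl -s https://api.opennicproject.org/geoip/` is written into /etc/resolv.conf and server.conf without any validation: when the request fails or the API answers something unexpected, `-s` hides the error and `$ns1`/`$ns2` are empty, so the host resolver gets a bare `nameserver ` line and the server config a `dhcp-option DNS` push with no address — and whether the second line even reaches `ns2` through an unquoted here-string depends on the bash version, which `mapfile -t` sidesteps. The two `echo "push "dhcp-option DNS $ns1""` lines also differ from the neighbouring entries, because the inner double quotes end the shell string and the quotes around the pushed option are not written; the escaped form already used for the system-resolver case, `echo "push \"dhcp-option DNS $ns1\""`, produces the same text as the OpenDNS lines. Appending to /etc/resolv.conf is a persistent host-level side effect that none of the other DNS choices has, so I would drop it and only push values that look like IPv4 addresses, falling back to the FDN servers listed in arm `2)` otherwise. The repository hunk has the same shape of unchecked network fetch (`wget -O - … | apt-key add -`, run before the `apt-get install` line that provides `wget`) and deserves a separate look. The enclosing `case "$DNS"` starts before this hunk.
```shell
3) #OpenNIC
  #Getting the nearest OpenNIC servers using the geoip API
  mapfile -t opennic < <(curl -fs https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
  ns1=${opennic[0]:-}
  ns2=${opennic[1]:-}
  # Only push well-formed IPv4 addresses; otherwise fall back to FDN
  for ns in "$ns1" "$ns2"; do
    if [[ ! "$ns" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
      echo "Could not get valid OpenNIC servers from the geoip API, falling back to FDN."
      ns1=80.67.169.12
      ns2=80.67.169.40
      break
    fi
  done
  echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
  echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
  ;;
# … unchanged: OpenDNS and Google arms …
```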