From 01003c88f8059f18f33361d8c190484c4c7b08e9 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Sun, 10 Apr 2016 18:26:49 +0200
Subject: [PATCH 01/10] fix dns option 3 with single quotes
---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 14f3698..364f33c 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -315,8 +315,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
 echo -e "nameserver $ns1
 nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
- echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
- echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS $ns1"' >> /etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS $ns2"' >> /etc/openvpn/server.conf
 ;;
 4) #OpenDNS
 echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
From d844154a4555dc4e20b46ac33bf34bbece0c5414 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Sun, 10 Apr 2016 18:36:15 +0200
Subject: [PATCH 02/10] run openvpn unprivileged
---
 openvpn-install.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 364f33c..89ffa7a 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -275,6 +275,8 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 ./easyrsa gen-crl
 # Move the stuff we need
 cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+ # Make cert revocation list readable for non-root
+ chmod 644 /etc/openvpn/crl.pem
 # Generate server.conf
 echo "port $PORT
 proto udp
@@ -283,6 +285,8 @@ ca ca.crt
 cert server.crt
 key server.key
 dh dh.pem
+user nobody
+group nogroup
 topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
From b3fb14bcb484fe3e641104b3915c7d54578a6ee2 Mon Sep 17 00:00:00 2001
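Review bot: In the PATCH 01 hunk (`@@ -315,8 +315,8 @@`), the single-quoted strings stop the shell from expanding `$ns1` and `$ns2`, so the literal text `$ns1` is written to server.conf instead of the resolver address. The inner double quotes need to be escaped inside a double-quoted string instead: `echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf`, and likewise for `$ns2`. The OpenNIC case arm starts above the hunk.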
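Review bot: In the PATCH 02 hunk at `@@ -275,6 +275,8 @@`, the `chmod 644` covers only the copy of crl.pem made during installation. OpenVPN re-reads the `crl-verify` file on each connection, after privileges have been dropped, so any later step that regenerates and re-copies the CRL (the client-revocation path is not visible here) needs the same `chmod 644 /etc/openvpn/crl.pem`, or the refreshed list may be unreadable to the running daemon. A comment next to the chmod would record that: `# crl-verify reads this file after privileges are dropped; re-apply after every gen-crl`.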
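Review bot: In the `@@ -283,6 +285,8 @@` hunk, `user nobody` puts the VPN daemon under an identity that other services on the host commonly share, and processes with the same UID can signal one another, so the isolation gained is weaker than it looks. A dedicated system account created by the installer keeps the daemon separate, written into the config as `user openvpn` and `group openvpn`. The surrounding `echo` that builds server.conf starts and ends outside the hunk.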
From: jtbr
Date: Sun, 10 Apr 2016 18:53:29 +0200
Subject: [PATCH 03/10] enable tls-auth and perfect forwarding secrecy
---
 openvpn-install.sh | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 89ffa7a..661ebf5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -56,6 +56,10 @@ newclient () {
 echo "" >> ~/$1.ovpn
 cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
 echo "" >> ~/$1.ovpn
+ echo "key-direction 1" >> ~/$1.ovpn
+ echo "" >> ~/$1.ovpn
+ cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn
+ echo "" >> ~/$1.ovpn
 }
@@ -273,6 +277,8 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 ./easyrsa build-server-full server nopass
 ./easyrsa build-client-full $CLIENT nopass
 ./easyrsa gen-crl
+ # generate tls-auth key
+ openvpn --genkey --secret /etc/openvpn/tls-auth.key
 # Move the stuff we need
 cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 # Make cert revocation list readable for non-root
@@ -334,7 +340,9 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 echo "keepalive 10 120
 persist-key
 persist-tun
-crl-verify crl.pem" >> /etc/openvpn/server.conf
+crl-verify crl.pem
+tls-server
+tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 # Enable net.ipv4.ip_forward for the system
 if [[ "$OS" = 'debian' ]]; then
 sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -425,7 +433,8 @@ persist-tun
 remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
-tls-version-min 1.2" > /etc/openvpn/client-common.txt
+tls-version-min 1.2
+tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
From a65523eb1c289d5434212b987a530dc152924663 Mon Sep 17 00:00:00 2001
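Review bot: In the `@@ -56,6 +56,10 @@` hunk, newclient now appends the tls-auth static key, which the server and every client share, to `~/$1.ovpn` next to the client's private key, and nothing in the visible lines restricts who can read that file. Unless a restrictive umask is set outside this hunk, end the function with `chmod 600 ~/"$1.ovpn"` (or create the file under `umask 077`). Quoting the expansion as `~/"$1.ovpn"` would also keep an unusual client name from being word-split. The body of newclient starts above the hunk.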
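Review bot: The `tls-server` line added at `@@ -334,7 +340,9 @@` and the `tls-client` line at `@@ -425,7 +433,8 @@` only select the TLS role; they do not provide the forward secrecy named in the commit title. Forward secrecy comes from the ephemeral Diffie-Hellman suites selected by `tls-cipher`, and the `server 10.8.0.0 255.255.255.0` helper directive already implies `tls-server`. Consider dropping the two lines, or explain them in a comment above each `echo`, and note there that the `0` in `tls-auth tls-auth.key 0` must pair with the `key-direction 1` written into the client profile.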
From: jtbr
Date: Sun, 10 Apr 2016 19:45:33 +0200
Subject: [PATCH 04/10] this time actually fix the quoting issue for ip option 3
---
 openvpn-install.sh | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 661ebf5..1e3a87d 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -323,10 +323,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 3) #OpenNIC
 #Getting the nearest OpenNIC servers using the geoip API
 read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
- echo -e "nameserver $ns1
- nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
- echo 'push "dhcp-option DNS $ns1"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS $ns2"' >> /etc/openvpn/server.conf
+ echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
+ echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
 ;;
 4) #OpenDNS
 echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
From f376ce912f3aec0d0537228e38d9cad40bb8d824 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Tue, 12 Apr 2016 09:38:14 +0000
Subject: [PATCH 05/10] Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme.
---
 README.md | 9 ++++++---
 openvpn-install.sh | 5 +++--
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index f049bb1..6205db2 100644
--- a/README.md
+++ b/README.md
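Review bot: The two new `echo` lines in `@@ -323,10 +323,8 @@` interpolate `$ns1` and `$ns2` straight from an HTTP response into server.conf, with no check that the lookup succeeded or returned addresses. If curl fails the variables are empty and the file gets `push "dhcp-option DNS "`; anything else the endpoint returns is pushed to every client as its resolver. Validate before writing, for example `[[ $ns1 =~ ^[0-9]+(\.[0-9]+){3}$ && $ns2 =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { echo "OpenNIC lookup failed" >&2; exit 1; }`, and add `-f` to the curl call so an HTTP error page is not parsed as data. The case statement starts and ends outside the hunk.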
@@ -10,6 +10,9 @@ This fork includes :
 - Better encryption (see below)
 - TLS 1.2 only
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
+- Run server in unprivileged mode, reducing risks to the system
+- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
+- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -30,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
-### Fast (lower encryption)
+### Fast (lower encryption, supports openvpn connect [ios/android] clients)
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-GCM
-- SHA-256 RSA certificate
+- 128 bits AES-CBC
+- SHA-128 RSA certificate
 ## Compatibility
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1e3a87d..d4f2b30 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -302,7 +302,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
+ # iOS OpenVPN connect doesn't support GCM or SHA256, use next best
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
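Review bot: In `@@ -302,7 +302,8 @@`, replacing the only `tls-cipher` entry with `TLS-DHE-RSA-WITH-AES-128-CBC-SHA` moves every client of the fast variant to CBC with a SHA-1 MAC, not just the iOS clients the new comment mentions; the client-side hunk at `@@ -436,7 +437,7 @@` does the same. `tls-cipher` accepts a colon-separated list, so both suites can be allowed and capable peers can still negotiate GCM: `echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf`. The retained comment about falling back to fast for an unknown variant does not match the visible `if`/`elif`, which writes no `tls-cipher` line in that case unless an `else` follows outside the hunk.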
@@ -436,7 +437,7 @@ tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 # Or if the user selected a non-existant variant, we fallback to fast
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
From 2fe0fa2062428cdcdb29f59588af7b165fc3694d Mon Sep 17 00:00:00 2001
From: jtbr
Date: Tue, 12 Apr 2016 10:05:28 +0000
Subject: [PATCH 06/10] Allow forwarding using either SNAT or MASQUERADE (as required by some setups)
---
 README.md | 1 +
 openvpn-install.sh | 23 +++++++++++++++++------
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 6205db2..02695af 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ This fork includes :
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
+- Support for either SNAT or MASQUERADE for forwarding
 - Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
 ## Variants
diff --git a/openvpn-install.sh b/openvpn-install.sh
index d4f2b30..c390bfb 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -145,7 +145,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
 sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
 fi
- sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
+ sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL
 if hash sestatus 2>/dev/null; then
 if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 if [[ "$PORT" != '1194' ]]; then
@@ -204,6 +204,14 @@ else
 echo " 5) Google"
 read -p "DNS [1-6]: " -e -i 2 DNS
 echo ""
+ echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT"
+ echo "Which forwarding method do you want to use [if unsure, leave as default]?"
+ echo " 1) SNAT (default)"
+ echo " 2) MASQUERADE"
+ while [[ $FORWARD_TYPE != "1" && $FORWARD_TYPE != "2" ]]; do
+ read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
+ done
+ echo ""
 echo "Finally, tell me your name for the client cert"
 echo "Please, use one word only, no special characters"
 read -p "Client name: " -e -i client CLIENT
@@ -301,8 +309,7 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
- # Or if the user selected a non-existant variant, we fallback to fast
- # iOS OpenVPN connect doesn't support GCM or SHA256, use next best
+ # iOS OpenVPN connect doesn't support GCM or SHA256; use next best
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
@@ -356,8 +363,13 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 # Avoid an unneeded reboot
 echo 1 > /proc/sys/net/ipv4/ip_forward
 # Set NAT for the VPN subnet
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
- sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
+ if [[ "$FORWARD_TYPE" = '1' ]]; then
+ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
+ sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
+ else
+ iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+ sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
+ fi
 if pgrep firewalld; then
 # We don't use --add-service=openvpn because that would only work with
 # the default port. Using both permanent and not permanent rules to
@@ -436,7 +448,6 @@ tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
- # Or if the user selected a non-existant variant, we fallback to fast
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
From 804c7aa9ed91433a83749c64ad2ec47f22fc968f Mon Sep 17 00:00:00 2001
From: jtbr
Date: Tue, 12 Apr 2016 10:16:58 +0000
Subject: [PATCH 07/10] my personal preferences, and limit 3 simultaneous clients
---
 openvpn-install.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index c390bfb..8971360 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
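Review bot: The MASQUERADE branch in `@@ -356,8 +363,13 @@` hard-codes `-o eth0`, so on a host whose uplink has another name the rule never matches and VPN client traffic is forwarded without NAT. Derive the interface from the default route and use it in both the live rule and the rc.local line, e.g. `NIC=$(ip -4 route show default | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')` followed by `-o "$NIC" -j MASQUERADE`. `$IP` and `$RCLOCAL` in the SNAT branch should be quoted as well.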
@@ -348,7 +348,10 @@ persist-key
 persist-tun
 crl-verify crl.pem
 tls-server
-tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
+tls-auth tls-auth.key 0
+status openvpn-status.log
+max-clients 3
+verb 3" >> /etc/openvpn/server.conf
 # Enable net.ipv4.ip_forward for the system
 if [[ "$OS" = 'debian' ]]; then
 sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -445,7 +448,8 @@ remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2
-tls-client" > /etc/openvpn/client-common.txt
+tls-client
+verb 3" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
From d87e87036f276234a26bfd49c81caa7648bba349 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Wed, 20 Apr 2016 22:55:25 +0000
Subject: [PATCH 08/10] Revert "my personal preferences, and limit 3 simultaneous clients"
This reverts commit 804c7aa9ed91433a83749c64ad2ec47f22fc968f.
---
 openvpn-install.sh | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 8971360..c390bfb 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -348,10 +348,7 @@ persist-key
 persist-tun
 crl-verify crl.pem
 tls-server
-tls-auth tls-auth.key 0
-status openvpn-status.log
-max-clients 3
-verb 3" >> /etc/openvpn/server.conf
+tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 # Enable net.ipv4.ip_forward for the system
 if [[ "$OS" = 'debian' ]]; then
 sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -448,8 +445,7 @@ remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2
-tls-client
-verb 3" > /etc/openvpn/client-common.txt
+tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
From 4baf845e36960c06d5e0aa511813c7b559c1f2dc Mon Sep 17 00:00:00 2001
From: jtbr
Date: Fri, 29 Apr 2016 20:00:09 +0000
Subject: [PATCH 09/10] Undo TLS-CIPHER changes in f376ce91 in deference to harvester57's pull request
---
 README.md | 7 +++----
 openvpn-install.sh | 5 ++---
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 02695af..26521cc 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,6 @@ This fork includes :
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
 - Run server in unprivileged mode, reducing risks to the system
 - TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
-- [Perfect forward secrecy](http://en.wikipedia.org/wiki/Forward_secrecy)
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.10) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
@@ -34,12 +33,12 @@ Features :
 - 256 bits AES-GCM
 - SHA-384 RSA certificate
-### Fast (lower encryption, supports openvpn connect [ios/android] clients)
+### Fast (lower encryption)
 Features :
 - 2048 bits RSA private key
 - 2048 bits Diffie-Hellman key
-- 128 bits AES-CBC
-- SHA-128 RSA certificate
+- 128 bits AES-GCM
+- SHA-256 RSA certificate
 ## Compatibility
diff --git a/openvpn-install.sh b/openvpn-install.sh
index c390bfb..1222024 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -309,8 +309,7 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
- # iOS OpenVPN connect doesn't support GCM or SHA256; use next best
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/server.conf
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
@@ -448,7 +447,7 @@ tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
 # If the user selected the fast, less hardened version
- echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-CBC-SHA" >> /etc/openvpn/client-common.txt
+ echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
 elif [[ "$VARIANT" = '2' ]]; then
 # If the user selected the relatively slow, ultra hardened version
 echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
From 5824365ebc9bd59072991a809066d9949fc09e0d Mon Sep 17 00:00:00 2001
From: jtbr
Date: Sat, 7 May 2016 22:58:18 +0200
Subject: [PATCH 10/10] support either nogroup or nobody for permissionless group
---
 openvpn-install.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1222024..7761112 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -253,6 +253,12 @@ else
 yum install epel-release -y
 yum install openvpn iptables openssl wget ca-certificates curl -y
 fi
+ # find out if the machine uses nogroup or nobody for the permissionless group
+ if grep -qs "^nogroup:" /etc/group; then
+ NOGROUP=nogroup
+ else
+ NOGROUP=nobody
+ fi
 # An old version of easy-rsa was available by default in some openvpn packages
 if [[ -d /etc/openvpn/easy-rsa/ ]]; then
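Review bot: The `else` branch in `@@ -253,6 +253,12 @@` assumes a `nobody` group exists whenever `nogroup` is absent from /etc/group, without checking. If neither exists the installer still finishes normally, and the server presumably fails only later, when it resolves the `group $NOGROUP` line written by the `@@ -300,7 +306,7 @@` hunk. Prefer `getent group nogroup >/dev/null`, which also sees group sources other than the local file, test for `nobody` the same way, and abort with a message on stderr if both are missing.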
@@ -300,7 +306,7 @@ cert server.crt
 key server.key
 dh dh.pem
 user nobody
-group nogroup
+group $NOGROUP
 topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt