Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-10-31 14:07:36 +01:00
Code Issues Projects Releases Wiki Activity

Some cleanup

Browse Source
This commit is contained in:
Angristan
2016-11-20 14:22:08 +01:00
committed by GitHub
parent 98d7d7a358
commit 3f58eb781c
1 changed files with 19 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
openvpn-install.sh
View File

@@ -1,11 +1,7 @@
#!/bin/bash #!/bin/bash
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS
# This script will work on Debian, Ubuntu, CentOS and probably other distros # Secure OpenVPN server installer for Debian, Ubuntu and CentOS.
# of the same families, although no support is offered for them. It isn't # https://github.com/Angristan/OpenVPN-install
# bulletproof but it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
# universal as possible.
if [[ "$EUID" -ne 0 ]]; then if [[ "$EUID" -ne 0 ]]; then
@@ -13,13 +9,11 @@ if [[ "$EUID" -ne 0 ]]; then
exit 1 exit 1
fi fi
if [[ ! -e /dev/net/tun ]]; then if [[ ! -e /dev/net/tun ]]; then
echo "TUN is not available" echo "TUN is not available"
exit 2 exit 2
fi fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then if grep -qs "CentOS release 5" "/etc/redhat-release"; then
echo "CentOS 5 is too old and not supported" echo "CentOS 5 is too old and not supported"
exit 3 exit 3
@@ -27,11 +21,12 @@ fi
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
#We get the version number, to verify we can get a recent version of OpenVPN # Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/*-release | grep "VERSION_ID") VERSION_ID=$(cat /etc/*-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local' RCLOCAL='/etc/rc.local'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]]; then if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]]; then
echo "Your version of Debian/Ubuntu is not supported. Please look at the documentation." echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system."
exit 4 exit 4
fi fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
@@ -62,7 +57,6 @@ newclient () {
echo "</tls-auth>" >> ~/$1.ovpn echo "</tls-auth>" >> ~/$1.ovpn
} }
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway) # I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
# and to avoid getting an IPv6. # and to avoid getting an IPv6.
@@ -71,7 +65,6 @@ if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com) IP=$(wget -qO- ipv4.icanhazip.com)
fi fi
if [[ -e /etc/openvpn/server.conf ]]; then if [[ -e /etc/openvpn/server.conf ]]; then
while : while :
do do
@@ -99,8 +92,6 @@ if [[ -e /etc/openvpn/server.conf ]]; then
exit exit
;; ;;
2) 2)
# This option could be documented a bit better and maybe even be simplimplified
# ...but what can I say, I want some sleep too
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo "" echo ""
@@ -180,23 +171,23 @@ if [[ -e /etc/openvpn/server.conf ]]; then
done done
else else
clear clear
echo 'Welcome to this quick OpenVPN "road warrior" installer' echo 'Welcome to the secure OpenVPN installer'
echo "" echo ""
# OpenVPN setup and first user creation # OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup" echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them" echo "You can leave the default options and just press enter if you are ok with them"
echo "" echo ""
echo "First, choose which variant of the script you want to use." echo "First, choose which variant of the script you want to use."
echo '"Fast" is secure, but "slow" is the best encryption you can get, at the cost of speed (not that slow though)' echo '"Fast" is secure, but "slow" provides you the best encryption you can get,'
echo "at the cost of some speed (not that slow though)"
echo " 1) Fast (2048 bits RSA and DH, 128 bits AES)" echo " 1) Fast (2048 bits RSA and DH, 128 bits AES)"
echo " 2) Slow (4096 bits RSA and DH, 256 bits AES)" echo " 2) Slow (4096 bits RSA and DH, 256 bits AES)"
while [[ $VARIANT != "1" && $VARIANT != "2" ]]; do while [[ $VARIANT != "1" && $VARIANT != "2" ]]; do
read -p "Variant [1-2]: " -e -i 1 VARIANT read -p "Variant [1-2]: " -e -i 1 VARIANT
done done
echo "" echo ""
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (local/private IP" echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (local/private IP)"
echo "Otherwise, it sould be your public IPv4 address." echo "Otherwise, it sould be your public IPv4 address."
read -p "IP address: " -e -i $IP IP read -p "IP address: " -e -i $IP IP
echo "" echo ""
@@ -205,7 +196,7 @@ else
echo "" echo ""
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers" echo " 1) Current system resolvers"
echo " 2) FDN (recommended)" echo " 2) FDN"
echo " 3) OpenNIC" echo " 3) OpenNIC"
echo " 4) DNS.WATCH" echo " 4) DNS.WATCH"
echo " 5) OpenDNS" echo " 5) OpenDNS"
@@ -220,7 +211,7 @@ else
read -p "Forwarding type: " -e -i 1 FORWARD_TYPE read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
done done
echo "" echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do while [[ $CLIENT = "" ]]; do
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: " -e -i client CLIENT
@@ -255,15 +246,15 @@ else
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
# The repo, is not available for Ubuntu 15.10 and 16.04, but it has OpenVPN > 2.3.3, so we do nothing. # Ubuntu >= 16.04 have OpenVPN > 2.3.3 without the need of a third party repository.
# The we install OpnVPN # The we install OpenVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y apt-get install openvpn iptables openssl wget ca-certificates curl -y
else else
# Else, the distro is CentOS # Else, the distro is CentOS
yum install epel-release -y yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y yum install openvpn iptables openssl wget ca-certificates curl -y
fi fi
# find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup NOGROUP=nogroup
else else
@@ -301,7 +292,7 @@ set_var EASYRSA_DIGEST "sha384"" > vars
./easyrsa gen-crl ./easyrsa gen-crl
# generate tls-auth key # generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/tls-auth.key
# Move the stuff we need # Move all the generated files
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
# Make cert revocation list readable for non-root # Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
@@ -325,11 +316,11 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
# If the user selected the fast, less hardened version # If the user selected the fast, less hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
elif [[ "$VARIANT" = '2' ]]; then elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version # If the user selected the relatively slow, hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
fi fi
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
# DNS # DNS resolvers
case $DNS in case $DNS in
1) 1)
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
@@ -473,10 +464,10 @@ tls-client" > /etc/openvpn/client-common.txt
# If the user selected the fast, less hardened version # If the user selected the fast, less hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
elif [[ "$VARIANT" = '2' ]]; then elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version # If the user selected the relatively slow, hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
fi fi
# Generates the custom client.ovpn # Generate the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
echo "" echo ""
echo "Finished!" echo "Finished!"