mirror of
https://github.com/angristan/openvpn-install.git
synced 2024-11-22 08:49:03 +01:00
Add ECDSA support and make tls-cipher configurable
This commit is contained in:
parent
06e7597942
commit
4d1baca0c7
@ -283,8 +283,10 @@ function installOpenVPN () {
|
|||||||
if [[ $CUSTOMIZE_ENC == "n" ]];then
|
if [[ $CUSTOMIZE_ENC == "n" ]];then
|
||||||
# Use default, sane and fast paramters
|
# Use default, sane and fast paramters
|
||||||
CIPHER="cipher AES-128-GCM"
|
CIPHER="cipher AES-128-GCM"
|
||||||
|
CERT_TYPE="1"
|
||||||
|
CERT_CURVE="secp256r1"
|
||||||
|
CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
|
||||||
DH_KEY_SIZE="2048"
|
DH_KEY_SIZE="2048"
|
||||||
RSA_KEY_SIZE="2048"
|
|
||||||
else
|
else
|
||||||
echo ""
|
echo ""
|
||||||
echo "Choose which cipher you want to use for the data channel:"
|
echo "Choose which cipher you want to use for the data channel:"
|
||||||
@ -318,6 +320,91 @@ function installOpenVPN () {
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
echo ""
|
echo ""
|
||||||
|
echo "Choose what kind of certificate you want to use."
|
||||||
|
echo " 1) ECDSA (recommended)"
|
||||||
|
echo " 2) RSA"
|
||||||
|
until [[ $CERT_TYPE =~ [1-2] ]]; do
|
||||||
|
read -p "Certificate key type [1-2]: " -e -i 1 CERT_TYPE
|
||||||
|
done
|
||||||
|
case $CERT_TYPE in
|
||||||
|
1)
|
||||||
|
echo ""
|
||||||
|
echo "Choose which curve you want to use for the certificate's key:"
|
||||||
|
echo " 1) secp256r1 (recommended)"
|
||||||
|
echo " 2) secp384r1"
|
||||||
|
echo " 3) secp521r1"
|
||||||
|
until [[ $CERT_CURVE_CHOICE =~ [1-3] ]]; do
|
||||||
|
read -p "Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE
|
||||||
|
done
|
||||||
|
case $CERT_CURVE_CHOICE in
|
||||||
|
1)
|
||||||
|
CERT_CURVE="secp256r1"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
CERT_CURVE="secp384r1"
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
CERT_CURVE="secp521r1"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
echo ""
|
||||||
|
echo "Choose which size you want to use for the certificate's RSA key:"
|
||||||
|
echo " 1) 2048 bits (recommended)"
|
||||||
|
echo " 2) 3072 bits"
|
||||||
|
echo " 3) 4096 bits"
|
||||||
|
until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
|
||||||
|
read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
|
||||||
|
done
|
||||||
|
case $RSA_KEY_SIZE_CHOICE in
|
||||||
|
1)
|
||||||
|
RSA_KEY_SIZE="2048"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
RSA_KEY_SIZE="3072"
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
RSA_KEY_SIZE="4096"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
echo ""
|
||||||
|
echo "Choose which cipher you want to use for the control channel:"
|
||||||
|
case $CERT_TYPE in
|
||||||
|
1)
|
||||||
|
echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)"
|
||||||
|
echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384"
|
||||||
|
until [[ $CC_CIPHER_CHOICE =~ [1-2] ]]; do
|
||||||
|
read -p "Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
|
||||||
|
done
|
||||||
|
case $CC_CIPHER_CHOICE in
|
||||||
|
1)
|
||||||
|
CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)"
|
||||||
|
echo " 2) ECDHE-RSA-AES-256-GCM-SHA384"
|
||||||
|
until [[ $CC_CIPHER_CHOICE =~ [1-2] ]]; do
|
||||||
|
read -p "Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
|
||||||
|
done
|
||||||
|
case $CC_CIPHER_CHOICE in
|
||||||
|
1)
|
||||||
|
CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
echo ""
|
||||||
echo "Choose what size of Diffie-Hellman key you want to use:"
|
echo "Choose what size of Diffie-Hellman key you want to use:"
|
||||||
echo " 1) 2048 bits (recommended)"
|
echo " 1) 2048 bits (recommended)"
|
||||||
echo " 2) 3072 bits"
|
echo " 2) 3072 bits"
|
||||||
@ -336,25 +423,6 @@ function installOpenVPN () {
|
|||||||
DH_KEY_SIZE="4096"
|
DH_KEY_SIZE="4096"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
echo ""
|
|
||||||
echo "Choose what size of RSA key you want to use for the certificate:"
|
|
||||||
echo " 1) 2048 bits (recommended)"
|
|
||||||
echo " 2) 3072 bits"
|
|
||||||
echo " 3) 4096 bits"
|
|
||||||
until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE_CHOICE" -ge 1 ] && [ "$RSA_KEY_SIZE_CHOICE" -le 3 ]; do
|
|
||||||
read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
|
|
||||||
done
|
|
||||||
case $RSA_KEY_SIZE_CHOICE in
|
|
||||||
1)
|
|
||||||
RSA_KEY_SIZE="2048"
|
|
||||||
;;
|
|
||||||
2)
|
|
||||||
RSA_KEY_SIZE="3072"
|
|
||||||
;;
|
|
||||||
3)
|
|
||||||
RSA_KEY_SIZE="4096"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
fi
|
fi
|
||||||
echo ""
|
echo ""
|
||||||
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now."
|
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now."
|
||||||
@ -403,10 +471,18 @@ function installOpenVPN () {
|
|||||||
rm -f ~/EasyRSA-${version}.tgz
|
rm -f ~/EasyRSA-${version}.tgz
|
||||||
|
|
||||||
cd /etc/openvpn/easy-rsa/
|
cd /etc/openvpn/easy-rsa/
|
||||||
|
case $CERT_TYPE in
|
||||||
|
1)
|
||||||
|
echo "set_var EASYRSA_ALGO ec" > vars
|
||||||
|
echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
|
||||||
|
;;
|
||||||
|
esac
|
||||||
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
|
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
|
||||||
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
|
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
|
||||||
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
|
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
|
||||||
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
|
|
||||||
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
|
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
|
||||||
# Create the PKI, set up the CA, the DH params and the server certificate
|
# Create the PKI, set up the CA, the DH params and the server certificate
|
||||||
./easyrsa init-pki
|
./easyrsa init-pki
|
||||||
@ -515,7 +591,7 @@ auth SHA256
|
|||||||
$CIPHER
|
$CIPHER
|
||||||
tls-server
|
tls-server
|
||||||
tls-version-min 1.2
|
tls-version-min 1.2
|
||||||
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
tls-cipher $CC_CIPHER
|
||||||
status /var/log/openvpn/status.log
|
status /var/log/openvpn/status.log
|
||||||
verb 3" >> /etc/openvpn/server.conf
|
verb 3" >> /etc/openvpn/server.conf
|
||||||
|
|
||||||
@ -643,7 +719,7 @@ auth-nocache
|
|||||||
$CIPHER
|
$CIPHER
|
||||||
tls-client
|
tls-client
|
||||||
tls-version-min 1.2
|
tls-version-min 1.2
|
||||||
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
tls-cipher $CC_CIPHER
|
||||||
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
|
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
|
||||||
verb 3" >> /etc/openvpn/client-template.txt
|
verb 3" >> /etc/openvpn/client-template.txt
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user