Initial commit for OpenVPN 2.4 support

- Add support for AES-GCM ciphers for the data channel
- Add support for tls-crypt
- Add support for ECDSA certificates
- Add support for ECDHE
- Add choice for HMAC auth algorithm
- Add choice for certificate hash algorithm
- Add choice for the control channel's cipher

All these options have an OpenVPN 2.3-compatible choice (for example: an RSA certificate and a DH key)
This commit is contained in:
Angristan 2017-09-14 12:35:18 +02:00 committed by GitHub
parent 37d42e25fe
commit 4fa0544c72


@ -25,7 +25,7 @@ if [[ -e /etc/debian_version ]]; then
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local' RCLOCAL='/etc/rc.local'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported." echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system." echo "I can't install a recent version of OpenVPN on your system."
echo "" echo ""
@ -75,10 +75,17 @@ newclient () {
echo "<key>" >> $homeDir/$1.ovpn echo "<key>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
echo "</key>" >> $homeDir/$1.ovpn echo "</key>" >> $homeDir/$1.ovpn
echo "key-direction 1" >> $homeDir/$1.ovpn #We verify if we used tls-crypt or tls-auth during the installation
echo "<tls-auth>" >> $homeDir/$1.ovpn TLS_SIG=$(cat /etc/openvpn/TLS_SIG)
cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn if [[ $TLS_SIG == "1" ]]; then
echo "</tls-auth>" >> $homeDir/$1.ovpn cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn
echo "</tls-crypt>" >> ~/$1.ovpn
elif [[ $TLS_SIG == "2" ]]; then
echo "key-direction 1" >> $homeDir/$1.ovpn
echo "<tls-auth>" >> $homeDir/$1.ovpn
cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
echo "</tls-auth>" >> $homeDir/$1.ovpn
fi
} }
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
@ -212,8 +219,10 @@ else
echo "" echo ""
echo "What protocol do you want for OpenVPN?" echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do echo " 1) UDP (recommended)"
read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL echo " 2) TCP"
while [[ $PROTOCOL != "1" && $PROTOCOL != "2" ]]; do
read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
done done
echo "" echo ""
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
@ -229,83 +238,215 @@ else
echo "" echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
echo "the encryption in OpenVPN and the choices I made in this script." echo "the encryption in OpenVPN and the choices I made in this script."
echo "Please note that all the choices proposed are secure (to a different degree)" echo "Please note that all the choices proposed are secure enough considering today's strandards,"
echo "and are still viable to date, unlike some default OpenVPN options" echo "unlike some default OpenVPN options"
echo '' echo ''
echo "Choose which cipher you want to use for the data channel:" echo "Choose which cipher you want to use for the data channel:"
echo " 1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)" echo ""
echo " 2) AES-192-CBC" echo " 1) AES-128-GCM (recommended)"
echo " 3) AES-256-CBC" echo " 2) AES-192-GCM"
echo "Alternatives to AES, use them only if you know what you're doing." echo " 3) AES-256-GCM"
echo "They are relatively slower but as secure as AES." echo "Only use AES-CBC for OpenVPN 2.3 compatibilty"
echo " 4) CAMELLIA-128-CBC" echo " 4) AES-128-CBC"
echo " 5) CAMELLIA-192-CBC" echo " 5) AES-192-CBC"
echo " 6) CAMELLIA-256-CBC" echo " 6) AES-256-CBC"
echo " 7) SEED-CBC" while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
read -p "Cipher [1-7]: " -e -i 1 CIPHER read -p "Cipher [1-7]: " -e -i 1 CIPHER
done done
case $CIPHER in case $CIPHER in
1) 1)
CIPHER="cipher AES-128-CBC" CIPHER="cipher AES-128-GCM"
;; ;;
2) 2)
CIPHER="cipher AES-192-CBC" CIPHER="cipher AES-192-GCM"
;; ;;
3) 3)
CIPHER="cipher AES-256-CBC" CIPHER="cipher AES-256-GCM"
;; ;;
4) 4)
CIPHER="cipher CAMELLIA-128-CBC" CIPHER="cipher AES-128-CBC"
;; ;;
5) 5)
CIPHER="cipher CAMELLIA-192-CBC" CIPHER="cipher AES-192-CBC"
;; ;;
6) 6)
CIPHER="cipher CAMELLIA-256-CBC" CIPHER="cipher AES-256-CBC"
;;
7)
CIPHER="cipher SEED-CBC"
;; ;;
esac esac
echo "" echo ""
echo "Choose what size of Diffie-Hellman key you want to use:" echo "Choose what kind of Diffie-Hellman key you want to use."
echo " 1) 2048 bits (fastest)" echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
echo " 2) 3072 bits (recommended, best compromise)" echo "Use DH for OpenVPN 2.3 compatibilty"
echo " 3) 4096 bits (most secure)" echo " 1) ECDH (recommended)"
while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do echo " 2) DH"
read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
read -p "DH key size [1-2]: " -e -i 1 DH_TYPE
done done
case $DH_KEY_SIZE in case $DH_TYPE in
1) 1)
DH_KEY_SIZE="2048" echo "Choose which curve you want to use"
echo " 1) secp256r1"
echo " 2) secp384r1 (recommended)"
echo " 3) secp521r1"
while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
read -p "ECDH [1-3]: " -e -i 2 DH_CURVE
done
case $DH_CURVE in
1)
DH_CURVE="secp256r1"
;;
2)
DH_CURVE="secp384r1"
;;
3)
DH_CURVE"secp521r1"
;;
esac
;; ;;
2) 2)
DH_KEY_SIZE="3072" echo "Choose which DH key size do you want to use"
;; echo " 1) 2048 bits"
3) echo " 2) 3072 bits (recommended)"
DH_KEY_SIZE="4096" echo " 3) 4096 bits"
while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
done
case $DH_SIZE in
1)
DH_SIZE="2048"
;;
2)
DH_SIZE="3072"
;;
3)
DH_SIZE"4096"
;;
esac
;; ;;
esac esac
echo "" echo ""
echo "Choose what size of RSA key you want to use:" echo "Choose what kind Certificate key you want to use."
echo " 1) 2048 bits (fastest)" echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
echo " 2) 3072 bits (recommended, best compromise)" echo "Use RSA for OpenVPN 2.3 compatibilty"
echo " 3) 4096 bits (most secure)" echo " 1) ECDSA (recommended)"
while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do echo " 2) RSA"
read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do
read -p "Certificate key [1-2]: " -e -i 1 CERT_TYPE
done done
case $RSA_KEY_SIZE in case $CERT_TYPE in
1) 1)
RSA_KEY_SIZE="2048" echo "Choose which curve you want to use:"
echo " 1) secp256r1"
echo " 2) secp384r1 (recommended)"
echo " 3) secp521r1"
while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do
read -p "ECDH [1-3]: " -e -i 2 CERT_CURVE
done
case $CERT_CURVE in
1)
CERT_CURVE="secp256r1"
;;
2)
CERT_CURVE="secp384r1"
;;
3)
CERT_CURVE"secp521r1"
;;
esac
;; ;;
2) 2)
RSA_KEY_SIZE="3072" echo "Choose which RSA key size do you want to use:"
;; echo " 1) 2048 bits"
3) echo " 2) 3072 bits (recommended)"
RSA_KEY_SIZE="4096" echo " 3) 4096 bits"
while [[ $RSA_SIZE != "1" && $RSA_SIZE != "2" && $RSA_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 RSA_SIZE
done
case $RSA_SIZE in
1)
RSA_SIZE="2048"
;;
2)
RSA_SIZE="3072"
;;
3)
RSA_SIZE"4096"
;;
esac
;; ;;
esac esac
echo "Choose which hash algorithm you want to use for the certificate:"
echo " 1) SHA-256"
echo " 2) SHA-384 (recommended)"
echo " 3) SHA-512"
while [[ $CERT_HASH != "1" && $CERT_HASH != "2" ]]; do
read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH
done
case $CERT_HASH in
1)
CERT_HASH="sha256"
;;
2)
CERT_HASH="sha384"
;;
3)
CERT_HASH="sha512"
;;
esac
echo "Which cipher to use for the control channel ?"
if [[ "$CERT_TYPE" = '1' ]]; then
echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
;;
2)
CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
;;
esac
elif [[ "$CERT_TYPE" = '2' ]]; then
echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
CC_ENC="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
;;
2)
CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
;;
esac
fi
echo "Choose which HMAC authentication algorithm you want to use"
echo " 1) SHA-256"
echo " 2) SHA-384 (recommended)"
echo " 3) SHA-512"
while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" ]]; do
read -p "HMAC authentication algorithmHMAC_AUTH [1-3]: " -e -i 2 HMAC_AUTH
done
case $HMAC_AUTH in
1)
HMAC_AUTH="sha256"
;;
2)
HMAC_AUTH="sha384"
;;
3)
HMAC_AUTH="sha512"
;;
esac
echo "tls crypt or tls auth"
echo " 1) tls-crypt (recommended)"
echo " 2) tls-auth (use only for openvpn 2.3 compat)"
while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
read -p "tls sig [1-2]: " -e -i 1 TLS_SIG
done
echo "" echo ""
echo "Finally, tell me a name for the client certificate and configuration" echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do while [[ $CLIENT = "" ]]; do
@ -392,6 +533,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
systemctl start iptables systemctl start iptables
fi fi
fi fi
#To remember if we use tls-crypt or tls-auth when generating a new client conf
echo $TLS_SIG > /etc/openvpn/TLS_SIG
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup NOGROUP=nogroup
@ -411,27 +556,43 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
chown -R root:root /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.3.tgz rm -rf ~/EasyRSA-3.0.3.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars if [[ $CERT_TYPE == "1" ]]; then
echo "set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE $CERT_CURVE" > vars
elif [[ $CERT_TYPE == "2" ]]; then
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
fi
echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates # Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
openssl dhparam -out dh.pem $DH_KEY_SIZE if [[ $DH_TYPE == "2" ]]; then
openssl dhparam -out dh.pem $DH_SIZE
fi
./easyrsa build-server-full server nopass ./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
./easyrsa gen-crl ./easyrsa gen-crl
# generate tls-auth key if [[ $TLS_SIG == "1" ]]; then
openvpn --genkey --secret /etc/openvpn/tls-auth.key # Generate tls-crypt key
openvpn --genkey --secret /etc/openvpn/tls-crypt.key
elif [[ $TLS_SIG == "2" ]]; then
# Generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
fi
# Move all the generated files # Move all the generated files
cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
if [[ $DH_TYPE == "2" ]]; then
cp dh.pem /etc/openvpn
fi
# Make cert revocation list readable for non-root # Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
# Generate server.conf # Generate server.conf
echo "local $IP" > /etc/openvpn/server.conf echo "local $IP" > /etc/openvpn/server.conf
echo "port $PORT" >> /etc/openvpn/server.conf echo "port $PORT" >> /etc/openvpn/server.conf
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = '2' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf echo "proto tcp" >> /etc/openvpn/server.conf
fi fi
echo "dev tun echo "dev tun
@ -476,14 +637,23 @@ echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem echo "crl-verify crl.pem
ca ca.crt ca ca.crt
cert server.crt cert server.crt
key server.key key server.key" >> /etc/openvpn/server.conf
tls-auth tls-auth.key 0 if [[ $TLS_SIG == "1" ]]; then
dh dh.pem echo "tls-auth tls-crypt.key 0" >> /etc/openvpn/server.conf
auth SHA256 elif [[ $TLS_SIG == "2" ]]; then
echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
fi
if [[ $DH_TYPE == "1" ]]; then
echo "dh none
ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf
elif [[ $DH_TYPE == "2" ]]; then
echo "dh dh.pem" >> /etc/openvpn/server.conf
fi
echo "auth $HMAC_AUTH
$CIPHER $CIPHER
tls-server tls-server
tls-version-min 1.2 tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 tls-cipher $CC_ENC
status openvpn.log status openvpn.log
verb 3" >> /etc/openvpn/server.conf verb 3" >> /etc/openvpn/server.conf
@ -512,10 +682,10 @@ verb 3" >> /etc/openvpn/server.conf
# We don't use --add-service=openvpn because that would only work with # We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to # the default port. Using both permanent and not permanent rules to
# avoid a firewalld reload. # avoid a firewalld reload.
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = '1' ]]; then
firewall-cmd --zone=public --add-port=$PORT/udp firewall-cmd --zone=public --add-port=$PORT/udp
firewall-cmd --permanent --zone=public --add-port=$PORT/udp firewall-cmd --permanent --zone=public --add-port=$PORT/udp
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = '2' ]]; then
firewall-cmd --zone=public --add-port=$PORT/tcp firewall-cmd --zone=public --add-port=$PORT/tcp
firewall-cmd --permanent --zone=public --add-port=$PORT/tcp firewall-cmd --permanent --zone=public --add-port=$PORT/tcp
fi fi
@ -526,16 +696,16 @@ verb 3" >> /etc/openvpn/server.conf
# If iptables has at least one REJECT rule, we asume this is needed. # If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't # Not the best approach but I can't think of other and this shouldn't
# cause problems. # cause problems.
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = '1' ]]; then
iptables -I INPUT -p udp --dport $PORT -j ACCEPT iptables -I INPUT -p udp --dport $PORT -j ACCEPT
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = '2' ]]; then
iptables -I INPUT -p tcp --dport $PORT -j ACCEPT iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
fi fi
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = '1' ]]; then
sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = '2' ]]; then
sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL
fi fi
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
@ -549,9 +719,9 @@ verb 3" >> /etc/openvpn/server.conf
if ! hash semanage 2>/dev/null; then if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y yum install policycoreutils-python -y
fi fi
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = '1' ]]; then
semanage port -a -t openvpn_port_t -p udp $PORT semanage port -a -t openvpn_port_t -p udp $PORT
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = '2' ]]; then
semanage port -a -t openvpn_port_t -p tcp $PORT semanage port -a -t openvpn_port_t -p tcp $PORT
fi fi
fi fi
@ -609,9 +779,9 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt echo "proto udp" >> /etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = '2' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt echo "proto tcp-client" >> /etc/openvpn/client-template.txt
fi fi
echo "remote $IP $PORT echo "remote $IP $PORT
@ -621,11 +791,11 @@ nobind
persist-key persist-key
persist-tun persist-tun
remote-cert-tls server remote-cert-tls server
auth SHA256 auth $HMAC_AUTH
$CIPHER $CIPHER
tls-client tls-client
tls-version-min 1.2 tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 tls-cipher $CC_ENC
setenv opt block-outside-dns setenv opt block-outside-dns
verb 3" >> /etc/openvpn/client-template.txt verb 3" >> /etc/openvpn/client-template.txt
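Review bot: With the recommended tls-crypt choice the server.conf hunk still writes `tls-auth tls-crypt.key 0`, while newclient hands the client an inline `<tls-crypt>` block — the two ends disagree on how the control channel is wrapped, the handshake cannot succeed, and tls-crypt is never actually in effect; that line should be `echo "tls-crypt tls-crypt.key" >> /etc/openvpn/server.conf` (tls-crypt takes no key-direction). In the newclient hunk the same branch never emits the opening `<tls-crypt>` tag and appends to `~/$1.ovpn` instead of `$homeDir/$1.ovpn`, so the generated profile is malformed and, depending on who runs the script, lands in a different file from the `<key>` block written just above it. Separately, the third arm of each of the four curve/key-size menus is written `DH_CURVE"secp521r1"`, `DH_SIZE"4096"`, `CERT_CURVE"secp521r1"`, `RSA_SIZE"4096"` with the `=` missing, so bash tries to run that as a command and the variable keeps the literal `3` that then reaches `ecdh-curve`, `openssl dhparam` and the easy-rsa `vars`; the CERT_HASH and HMAC_AUTH validation loops also only accept `1`/`2`, so SHA-512 cannot be selected at all. The prompts still read `Cipher [1-7]`, `ECDH [1-3]` for the certificate curve and `HMAC authentication algorithmHMAC_AUTH`, which is cosmetic but worth fixing in the same pass.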