From 58059bc9a358d405936bc71e0fa8d85e7a84931a Mon Sep 17 00:00:00 2001 From: "Moshchev, Alex" Date: Tue, 29 Oct 2024 10:20:00 +0300 Subject: [PATCH] Add support for tls-scrypt-v2 --- openvpn-install.sh | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c580529..b9932d7 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -601,11 +601,13 @@ function installQuestions() { ;; esac echo "" - echo "You can add an additional layer of security to the control channel with tls-auth and tls-crypt" + echo "You can add an additional layer of security to the control channel with tls-auth, tls-crypt or tls-crypt-v2" echo "tls-auth authenticates the packets, while tls-crypt authenticate and encrypt them." + echo "The tls-crypt-v2 is like tls-crypt but uses private keys which makes it the most secure." echo " 1) tls-crypt (recommended)" echo " 2) tls-auth" - until [[ $TLS_SIG =~ [1-2] ]]; do + echo " 3) tls-crypt-v2" + until [[ $TLS_SIG =~ [1-3] ]]; do read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG done fi @@ -758,6 +760,11 @@ function installOpenVPN() { # Generate tls-auth key openvpn --genkey --secret /etc/openvpn/tls-auth.key ;; + 3) + # Generate tls-crypt-v2 key + openvpn --genkey tls-crypt-v2-server /etc/openvpn/tls-crypt-v2.key + mkdir -p /etc/openvpn/keys-v2 + ;; esac else # If easy-rsa is already installed, grab the generated SERVER_NAME @@ -893,6 +900,9 @@ push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf 2) echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf ;; + 3) + echo "tls-crypt-v2 tls-crypt-v2.key" >>/etc/openvpn/server.conf + ;; esac echo "crl-verify crl.pem @@ -1121,7 +1131,9 @@ function newClient() { fi # Determine if we use tls-auth or tls-crypt - if grep -qs "^tls-crypt" /etc/openvpn/server.conf; then + if grep -qs "^tls-crypt-v2" /etc/openvpn/server.conf; then + TLS_SIG="3" + elif grep -qs "^tls-crypt" /etc/openvpn/server.conf; then TLS_SIG="1" elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then TLS_SIG="2" @@ -1154,6 +1166,12 @@ function newClient() { cat /etc/openvpn/tls-auth.key echo "" ;; + 3) + openvpn --tls-crypt-v2 /etc/openvpn/tls-crypt-v2.key --genkey tls-crypt-v2-client "/etc/openvpn/keys-v2/$CLIENT.key" + echo "" + cat "/etc/openvpn/keys-v2/$CLIENT.key" + echo "" + ;; esac } >>"$homeDir/$CLIENT.ovpn"