Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-01-08 15:50:09 +01:00
Code Issues Projects Releases Wiki Activity

Add support for tls-scrypt-v2

Browse Source
This commit is contained in:
Moshchev, Alex 2024-10-29 10:20:00 +03:00
parent 7e5c2f358e
commit 58059bc9a3
1 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
openvpn-install.sh
View File

@ -601,11 +601,13 @@ function installQuestions() {
;; ;;
esac esac
echo "" echo ""
echo "You can add an additional layer of security to the control channel with tls-auth and tls-crypt" echo "You can add an additional layer of security to the control channel with tls-auth, tls-crypt or tls-crypt-v2"
echo "tls-auth authenticates the packets, while tls-crypt authenticate and encrypt them." echo "tls-auth authenticates the packets, while tls-crypt authenticate and encrypt them."
echo "The tls-crypt-v2 is like tls-crypt but uses private keys which makes it the most secure."
echo " 1) tls-crypt (recommended)" echo " 1) tls-crypt (recommended)"
echo " 2) tls-auth" echo " 2) tls-auth"
until [[ $TLS_SIG =~ [1-2] ]]; do echo " 3) tls-crypt-v2"
until [[ $TLS_SIG =~ [1-3] ]]; do
read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG
done done
fi fi
@ -758,6 +760,11 @@ function installOpenVPN() {
# Generate tls-auth key # Generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/tls-auth.key
;; ;;
3)
# Generate tls-crypt-v2 key
openvpn --genkey tls-crypt-v2-server /etc/openvpn/tls-crypt-v2.key
mkdir -p /etc/openvpn/keys-v2
;;
esac esac
else else
# If easy-rsa is already installed, grab the generated SERVER_NAME # If easy-rsa is already installed, grab the generated SERVER_NAME
@ -893,6 +900,9 @@ push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
2) 2)
echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
;; ;;
3)
echo "tls-crypt-v2 tls-crypt-v2.key" >>/etc/openvpn/server.conf
;;
esac esac
echo "crl-verify crl.pem echo "crl-verify crl.pem
@ -1121,7 +1131,9 @@ function newClient() {
fi fi
# Determine if we use tls-auth or tls-crypt # Determine if we use tls-auth or tls-crypt
if grep -qs "^tls-crypt" /etc/openvpn/server.conf; then if grep -qs "^tls-crypt-v2" /etc/openvpn/server.conf; then
TLS_SIG="3"
elif grep -qs "^tls-crypt" /etc/openvpn/server.conf; then
TLS_SIG="1" TLS_SIG="1"
elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then
TLS_SIG="2" TLS_SIG="2"
@ -1154,6 +1166,12 @@ function newClient() {
cat /etc/openvpn/tls-auth.key cat /etc/openvpn/tls-auth.key
echo "</tls-auth>" echo "</tls-auth>"
;; ;;
3)
openvpn --tls-crypt-v2 /etc/openvpn/tls-crypt-v2.key --genkey tls-crypt-v2-client "/etc/openvpn/keys-v2/$CLIENT.key"
echo "<tls-crypt-v2>"
cat "/etc/openvpn/keys-v2/$CLIENT.key"
echo "</tls-crypt-v2>"
;;
esac esac
} >>"$homeDir/$CLIENT.ovpn" } >>"$homeDir/$CLIENT.ovpn"