From 5844a8440f05bc751873a7c5ccde7660c7653fd2 Mon Sep 17 00:00:00 2001
From: angristan
Date: Sun, 30 Jun 2019 23:06:33 +0200
Subject: [PATCH] Add support for Debian 10

Fix #439
---
 README.md | 7 ++++---
 Vagrantfile | 1 +
 openvpn-install.sh | 20 ++++++++++----------
 3 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 9fa3f59..b2c07ef 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,7 @@ The script supports these OS and architectures:
 | CentOS 7 | ❔ | ✅ | ❌ | ✅ |
 | Debian 8 | ✅ | ✅ | ❌ | ❌ |
 | Debian 9 | ❌ | ✅ | ✅ | ✅ |
+| Debian 10 | ❔ | ✅ | ❔ | ❔ |
 | Fedora 27 | ❔ | ✅ | ❔ | ❔ |
 | Fedora 28 | ❔ | ✅ | ❔ | ❔ |
 | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
@@ -264,7 +265,7 @@ It defaults to `prime256v1`.
 From the OpenVPN wiki, about `--auth`:
 
 > Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
-> 
+>
 > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
 
 SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
@@ -282,13 +283,13 @@ It defaults to `SHA256`.
 From the OpenVPN wiki, about `tls-auth`:
 
 > Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
-> 
+>
 > In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
 
 About `tls-crypt`:
 
 > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
-> 
+>
 > Encrypting (and authenticating) control channel packets:
 > - provides more privacy by hiding the certificate used for the TLS connection,
 > - makes it harder to identify OpenVPN traffic as such,
diff --git a/Vagrantfile b/Vagrantfile
index b2a7847..4dd0973 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
 # else, run `vagrant up `
 
 machines = [
+ { hostname: 'debian-10', box: 'debian/stretch64' },
 { hostname: 'debian-9', box: 'debian/stretch64' },
 { hostname: 'debian-8', box: 'debian/jessie64' },
 { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 99e7bca..08daa7c 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -21,7 +21,7 @@ function checkOS () {
 source /etc/os-release
 if [[ "$ID" == "debian" ]]; then
- if [[ ! $VERSION_ID =~ (8|9) ]]; then
+ if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
 echo "⚠️ Your version of Debian is not supported."
 echo ""
 echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
@@ -128,7 +128,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
 
 curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
 mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
-
+
 echo 'server:
 use-syslog: yes
 do-daemonize: no
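Review bot: In the Vagrantfile hunk the new `debian-10` machine boots `debian/stretch64`, which is a Debian 9 image, so it exercises exactly the same OS as the `debian-9` entry below it and gives no coverage of the Debian 10 detection this commit adds to checkOS. A green run of this machine would be mistaken for a Debian 10 test. Point it at a Buster image, `{ hostname: 'debian-10', box: 'debian/buster64' },`, or leave the entry out until such a box is available for the project.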
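Review bot: The widened version test in the checkOS hunk is still an unanchored regex, so `(8|9|10)` accepts any VERSION_ID that merely contains one of those digit strings (a hypothetical `18` or `100` would pass as supported) rather than exactly the three releases the README now lists. Anchoring the pattern makes the check say what it means: `if [[ ! "$VERSION_ID" =~ ^(8|9|10)$ ]]; then`. An empty VERSION_ID, which I believe can happen on testing/unstable where /etc/os-release omits it, still falls into the "not supported" branch whose message already tells the user they may continue. The rest of checkOS, including the branch that consumes this decision, lies outside the hunk.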
@@ -650,10 +650,10 @@ function installOpenVPN () {
 # ECDH keys are generated on-the-fly so we don't need to generate them beforehand
 openssl dhparam -out dh.pem $DH_KEY_SIZE
 fi
-
+
 ./easyrsa build-server-full "$SERVER_NAME" nopass
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
-
+
 case $TLS_SIG in
 1)
 # Generate tls-crypt key
@@ -664,13 +664,13 @@ function installOpenVPN () {
 openvpn --genkey --secret /etc/openvpn/tls-auth.key
 ;;
 esac
-
+
 # Move all the generated files
 cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 if [[ $DH_TYPE == "2" ]]; then
 cp dh.pem /etc/openvpn
 fi
-
+
 # Make cert revocation list readable for non-root
 chmod 644 /etc/openvpn/crl.pem
 
@@ -781,7 +781,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
 echo "crl-verify crl.pem
 ca ca.crt
 cert $SERVER_NAME.crt
-key $SERVER_NAME.key 
+key $SERVER_NAME.key
 auth $HMAC_ALG
 cipher $CIPHER
 ncp-ciphers $CIPHER
@@ -815,7 +815,7 @@ verb 3" >> /etc/openvpn/server.conf
 if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
 # Don't modify package-provided service
 cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
-
+
 # Workaround to fix OpenVPN service on OpenVZ
 sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
 # Another workaround to keep using /etc/openvpn/
@@ -836,12 +836,12 @@ verb 3" >> /etc/openvpn/server.conf
 else
 # Don't modify package-provided service
 cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
-
+
 # Workaround to fix OpenVPN service on OpenVZ
 sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
 # Another workaround to keep using /etc/openvpn/
 sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
-
+
 systemctl daemon-reload
 systemctl restart openvpn@server
 systemctl enable openvpn@server