Add support for Debian 10

Fix #439
This commit is contained in:
angristan 2019-06-30 23:06:33 +02:00
parent a34d13adbb
commit 5844a8440f
3 changed files with 15 additions and 13 deletions

View File

@ -100,6 +100,7 @@ The script supports these OS and architectures:
| CentOS 7 | ❔ | ✅ | ❌ | ✅ | | CentOS 7 | ❔ | ✅ | ❌ | ✅ |
| Debian 8 | ✅ | ✅ | ❌ | ❌ | | Debian 8 | ✅ | ✅ | ❌ | ❌ |
| Debian 9 | ❌ | ✅ | ✅ | ✅ | | Debian 9 | ❌ | ✅ | ✅ | ✅ |
| Debian 10 | ❔ | ✅ | ❔ | ❔ |
| Fedora 27 | ❔ | ✅ | ❔ | ❔ | | Fedora 27 | ❔ | ✅ | ❔ | ❔ |
| Fedora 28 | ❔ | ✅ | ❔ | ❔ | | Fedora 28 | ❔ | ✅ | ❔ | ❔ |
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ | | Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
@ -264,7 +265,7 @@ It defaults to `prime256v1`.
From the OpenVPN wiki, about `--auth`: From the OpenVPN wiki, about `--auth`:
> Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature. > Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
> >
> If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth. > If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks). SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
@ -282,13 +283,13 @@ It defaults to `SHA256`.
From the OpenVPN wiki, about `tls-auth`: From the OpenVPN wiki, about `tls-auth`:
> Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack. > Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
> >
> In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response. > In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
About `tls-crypt`: About `tls-crypt`:
> Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.) > Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
> >
> Encrypting (and authenticating) control channel packets: > Encrypting (and authenticating) control channel packets:
> - provides more privacy by hiding the certificate used for the TLS connection, > - provides more privacy by hiding the certificate used for the TLS connection,
> - makes it harder to identify OpenVPN traffic as such, > - makes it harder to identify OpenVPN traffic as such,

1
Vagrantfile vendored
View File

@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
# else, run `vagrant up <hostname>` # else, run `vagrant up <hostname>`
machines = [ machines = [
{ hostname: 'debian-10', box: 'debian/stretch64' },
{ hostname: 'debian-9', box: 'debian/stretch64' }, { hostname: 'debian-9', box: 'debian/stretch64' },
{ hostname: 'debian-8', box: 'debian/jessie64' }, { hostname: 'debian-8', box: 'debian/jessie64' },
{ hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' }, { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },

View File

@ -21,7 +21,7 @@ function checkOS () {
source /etc/os-release source /etc/os-release
if [[ "$ID" == "debian" ]]; then if [[ "$ID" == "debian" ]]; then
if [[ ! $VERSION_ID =~ (8|9) ]]; then if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
echo "⚠️ Your version of Debian is not supported." echo "⚠️ Your version of Debian is not supported."
echo "" echo ""
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue." echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
@ -128,7 +128,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
echo 'server: echo 'server:
use-syslog: yes use-syslog: yes
do-daemonize: no do-daemonize: no
@ -650,10 +650,10 @@ function installOpenVPN () {
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand # ECDH keys are generated on-the-fly so we don't need to generate them beforehand
openssl dhparam -out dh.pem $DH_KEY_SIZE openssl dhparam -out dh.pem $DH_KEY_SIZE
fi fi
./easyrsa build-server-full "$SERVER_NAME" nopass ./easyrsa build-server-full "$SERVER_NAME" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
case $TLS_SIG in case $TLS_SIG in
1) 1)
# Generate tls-crypt key # Generate tls-crypt key
@ -664,13 +664,13 @@ function installOpenVPN () {
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/tls-auth.key
;; ;;
esac esac
# Move all the generated files # Move all the generated files
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
if [[ $DH_TYPE == "2" ]]; then if [[ $DH_TYPE == "2" ]]; then
cp dh.pem /etc/openvpn cp dh.pem /etc/openvpn
fi fi
# Make cert revocation list readable for non-root # Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
@ -781,7 +781,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
echo "crl-verify crl.pem echo "crl-verify crl.pem
ca ca.crt ca ca.crt
cert $SERVER_NAME.crt cert $SERVER_NAME.crt
key $SERVER_NAME.key key $SERVER_NAME.key
auth $HMAC_ALG auth $HMAC_ALG
cipher $CIPHER cipher $CIPHER
ncp-ciphers $CIPHER ncp-ciphers $CIPHER
@ -815,7 +815,7 @@ verb 3" >> /etc/openvpn/server.conf
if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
# Don't modify package-provided service # Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
# Workaround to fix OpenVPN service on OpenVZ # Workaround to fix OpenVPN service on OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
# Another workaround to keep using /etc/openvpn/ # Another workaround to keep using /etc/openvpn/
@ -836,12 +836,12 @@ verb 3" >> /etc/openvpn/server.conf
else else
# Don't modify package-provided service # Don't modify package-provided service
cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
# Workaround to fix OpenVPN service on OpenVZ # Workaround to fix OpenVPN service on OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
# Another workaround to keep using /etc/openvpn/ # Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
systemctl daemon-reload systemctl daemon-reload
systemctl restart openvpn@server systemctl restart openvpn@server
systemctl enable openvpn@server systemctl enable openvpn@server