parent
a34d13adbb
commit
5844a8440f
@ -100,6 +100,7 @@ The script supports these OS and architectures:
|
|||||||
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
|
| CentOS 7 | ❔ | ✅ | ❌ | ✅ |
|
||||||
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
|
| Debian 8 | ✅ | ✅ | ❌ | ❌ |
|
||||||
| Debian 9 | ❌ | ✅ | ✅ | ✅ |
|
| Debian 9 | ❌ | ✅ | ✅ | ✅ |
|
||||||
|
| Debian 10 | ❔ | ✅ | ❔ | ❔ |
|
||||||
| Fedora 27 | ❔ | ✅ | ❔ | ❔ |
|
| Fedora 27 | ❔ | ✅ | ❔ | ❔ |
|
||||||
| Fedora 28 | ❔ | ✅ | ❔ | ❔ |
|
| Fedora 28 | ❔ | ✅ | ❔ | ❔ |
|
||||||
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
|
| Ubuntu 16.04 | ✅ | ✅ | ❌ | ❌ |
|
||||||
@ -264,7 +265,7 @@ It defaults to `prime256v1`.
|
|||||||
From the OpenVPN wiki, about `--auth`:
|
From the OpenVPN wiki, about `--auth`:
|
||||||
|
|
||||||
> Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
|
> Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg. (The default is SHA1 ). HMAC is a commonly used message authentication algorithm (MAC) that uses a data string, a secure hash algorithm, and a key, to produce a digital signature.
|
||||||
>
|
>
|
||||||
> If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
|
> If an AEAD cipher mode (e.g. GCM) is chosen, the specified --auth algorithm is ignored for the data channel, and the authentication method of the AEAD cipher is used instead. Note that alg still specifies the digest used for tls-auth.
|
||||||
|
|
||||||
SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
|
SHA1 [isn't safe anymore](https://en.wikipedia.org/wiki/SHA-1#Attacks).
|
||||||
@ -282,13 +283,13 @@ It defaults to `SHA256`.
|
|||||||
From the OpenVPN wiki, about `tls-auth`:
|
From the OpenVPN wiki, about `tls-auth`:
|
||||||
|
|
||||||
> Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
|
> Add an additional layer of HMAC authentication on top of the TLS control channel to mitigate DoS attacks and attacks on the TLS stack.
|
||||||
>
|
>
|
||||||
> In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
|
> In a nutshell, --tls-auth enables a kind of "HMAC firewall" on OpenVPN's TCP/UDP port, where TLS control channel packets bearing an incorrect HMAC signature can be dropped immediately without response.
|
||||||
|
|
||||||
About `tls-crypt`:
|
About `tls-crypt`:
|
||||||
|
|
||||||
> Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
|
> Encrypt and authenticate all control channel packets with the key from keyfile. (See --tls-auth for more background.)
|
||||||
>
|
>
|
||||||
> Encrypting (and authenticating) control channel packets:
|
> Encrypting (and authenticating) control channel packets:
|
||||||
> - provides more privacy by hiding the certificate used for the TLS connection,
|
> - provides more privacy by hiding the certificate used for the TLS connection,
|
||||||
> - makes it harder to identify OpenVPN traffic as such,
|
> - makes it harder to identify OpenVPN traffic as such,
|
||||||
|
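--- a/Vagrantfile
+++ b/Vagrantfile
@@ -5,6 +5,7 @@ autostart_machines = ENV['VAGRANT_AUTOSTART'] == 'true' || false
 # else, run `vagrant up <hostname>`
 
 machines = [
+{ hostname: 'debian-10', box: 'debian/stretch64' },
 { hostname: 'debian-9', box: 'debian/stretch64' },
 { hostname: 'debian-8', box: 'debian/jessie64' },
 { hostname: 'ubuntu-1604', box: 'ubuntu/bionic64' },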
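Review bot: The new debian-10 entry keeps the `debian/stretch64` box, and stretch is Debian 9, so this machine still boots Debian 9 and the Debian 10 branch this commit enables in checkOS is never exercised by the Vagrant setup. The Debian 10 box is buster, so the added line should read `{ hostname: 'debian-10', box: 'debian/buster64' },`. Without that change the test matrix reports Debian 10 coverage it does not actually have.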
@ -21,7 +21,7 @@ function checkOS () {
|
|||||||
source /etc/os-release
|
source /etc/os-release
|
||||||
|
|
||||||
if [[ "$ID" == "debian" ]]; then
|
if [[ "$ID" == "debian" ]]; then
|
||||||
if [[ ! $VERSION_ID =~ (8|9) ]]; then
|
if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
|
||||||
echo "⚠️ Your version of Debian is not supported."
|
echo "⚠️ Your version of Debian is not supported."
|
||||||
echo ""
|
echo ""
|
||||||
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
|
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
|
||||||
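Review bot: The regex on the changed line, `(8|9|10)`, is unanchored, so `=~` accepts any VERSION_ID that merely contains one of those digit strings (a future 18 or 100 would pass as 8 or 10), which makes the supported-version gate looser than the list it is meant to express. Anchoring it keeps the new Debian 10 case and rejects everything else: `if [[ ! $VERSION_ID =~ ^(8|9|10)$ ]]; then`. checkOS begins before this hunk and continues after it.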
@ -128,7 +128,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
|
|||||||
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
|
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
|
||||||
|
|
||||||
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
|
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
|
||||||
|
|
||||||
echo 'server:
|
echo 'server:
|
||||||
use-syslog: yes
|
use-syslog: yes
|
||||||
do-daemonize: no
|
do-daemonize: no
|
||||||
@ -650,10 +650,10 @@ function installOpenVPN () {
|
|||||||
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
|
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
|
||||||
openssl dhparam -out dh.pem $DH_KEY_SIZE
|
openssl dhparam -out dh.pem $DH_KEY_SIZE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
./easyrsa build-server-full "$SERVER_NAME" nopass
|
./easyrsa build-server-full "$SERVER_NAME" nopass
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
|
|
||||||
case $TLS_SIG in
|
case $TLS_SIG in
|
||||||
1)
|
1)
|
||||||
# Generate tls-crypt key
|
# Generate tls-crypt key
|
||||||
@ -664,13 +664,13 @@ function installOpenVPN () {
|
|||||||
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
# Move all the generated files
|
# Move all the generated files
|
||||||
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
||||||
if [[ $DH_TYPE == "2" ]]; then
|
if [[ $DH_TYPE == "2" ]]; then
|
||||||
cp dh.pem /etc/openvpn
|
cp dh.pem /etc/openvpn
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Make cert revocation list readable for non-root
|
# Make cert revocation list readable for non-root
|
||||||
chmod 644 /etc/openvpn/crl.pem
|
chmod 644 /etc/openvpn/crl.pem
|
||||||
|
|
||||||
@ -781,7 +781,7 @@ push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
|
|||||||
echo "crl-verify crl.pem
|
echo "crl-verify crl.pem
|
||||||
ca ca.crt
|
ca ca.crt
|
||||||
cert $SERVER_NAME.crt
|
cert $SERVER_NAME.crt
|
||||||
key $SERVER_NAME.key
|
key $SERVER_NAME.key
|
||||||
auth $HMAC_ALG
|
auth $HMAC_ALG
|
||||||
cipher $CIPHER
|
cipher $CIPHER
|
||||||
ncp-ciphers $CIPHER
|
ncp-ciphers $CIPHER
|
||||||
@ -815,7 +815,7 @@ verb 3" >> /etc/openvpn/server.conf
|
|||||||
if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
|
if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
|
||||||
# Don't modify package-provided service
|
# Don't modify package-provided service
|
||||||
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
|
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
|
||||||
|
|
||||||
# Workaround to fix OpenVPN service on OpenVZ
|
# Workaround to fix OpenVPN service on OpenVZ
|
||||||
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
|
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
|
||||||
# Another workaround to keep using /etc/openvpn/
|
# Another workaround to keep using /etc/openvpn/
|
||||||
@ -836,12 +836,12 @@ verb 3" >> /etc/openvpn/server.conf
|
|||||||
else
|
else
|
||||||
# Don't modify package-provided service
|
# Don't modify package-provided service
|
||||||
cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
|
cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
|
||||||
|
|
||||||
# Workaround to fix OpenVPN service on OpenVZ
|
# Workaround to fix OpenVPN service on OpenVZ
|
||||||
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
|
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
|
||||||
# Another workaround to keep using /etc/openvpn/
|
# Another workaround to keep using /etc/openvpn/
|
||||||
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
|
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
|
||||||
|
|
||||||
systemctl daemon-reload
|
systemctl daemon-reload
|
||||||
systemctl restart openvpn@server
|
systemctl restart openvpn@server
|
||||||
systemctl enable openvpn@server
|
systemctl enable openvpn@server
|
||||||
|