Merge pull request #3 from jtbr/master

changes to harden server and fix opennic DNS

README.md

@@ -10,9 +10,12 @@ This fork includes :
 - Better encryption (see below)
 - TLS 1.2 only
 - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
+- Run server in unprivileged mode, reducing risks to the system
+- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
 - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
 - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
 - Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
+- Support for either SNAT or MASQUERADE for forwarding
 - Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
 
 ## Variants

openvpn-install.sh

@@ -56,6 +56,10 @@ newclient () {
 	echo "<key>" >> ~/$1.ovpn
 	cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
 	echo "</key>" >> ~/$1.ovpn
+	echo "key-direction 1" >> ~/$1.ovpn
+	echo "<tls-auth>" >> ~/$1.ovpn
+	cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn
+	echo "</tls-auth>" >> ~/$1.ovpn
 }
 
 
@@ -141,7 +145,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 					sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
 					sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
 				fi
-				sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
+				sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL
 				if hash sestatus 2>/dev/null; then
 					if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 						if [[ "$PORT" != '1194' ]]; then
@@ -200,6 +204,14 @@ else
 	echo "   5) Google"
 	read -p "DNS [1-6]: " -e -i 2 DNS
 	echo ""
+	echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT"
+	echo "Which forwarding method do you want to use [if unsure, leave as default]?"
+	echo "   1) SNAT (default)"
+	echo "   2) MASQUERADE"
+	while [[ $FORWARD_TYPE !=  "1" && $FORWARD_TYPE != "2" ]]; do
+		read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
+	done
+	echo ""
 	echo "Finally, tell me your name for the client cert"
 	echo "Please, use one word only, no special characters"
 	read -p "Client name: " -e -i client CLIENT
@@ -241,6 +253,12 @@ else
 		yum install epel-release -y
 		yum install openvpn iptables openssl wget ca-certificates curl -y
 	fi
+	# find out if the machine uses nogroup or nobody for the permissionless group
+	if grep -qs "^nogroup:" /etc/group; then
+	        NOGROUP=nogroup
+	else
+        	NOGROUP=nobody
+	fi
 	
 	# An old version of easy-rsa was available by default in some openvpn packages
 	if [[ -d /etc/openvpn/easy-rsa/ ]]; then
@@ -273,8 +291,12 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 	./easyrsa build-server-full server nopass
 	./easyrsa build-client-full $CLIENT nopass
 	./easyrsa gen-crl
+	# generate tls-auth key
+	openvpn --genkey --secret /etc/openvpn/tls-auth.key
 	# Move the stuff we need
 	cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+	# Make cert revocation list readable for non-root
+	chmod 644 /etc/openvpn/crl.pem
 	# Generate server.conf
 	echo "port $PORT
 proto udp
@@ -283,6 +305,8 @@ ca ca.crt
 cert server.crt
 key server.key
 dh dh.pem
+user nobody
+group $NOGROUP
 topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
@@ -291,7 +315,6 @@ auth SHA512
 tls-version-min 1.2" > /etc/openvpn/server.conf
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# Or if the user selected a non-existant variant, we fallback to fast
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version
@@ -313,10 +336,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 		3) #OpenNIC
 		#Getting the nearest OpenNIC servers using the geoip API
 		read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
-		echo -e "nameserver $ns1
+		echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
-		nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
+		echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
-		echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
-		echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
 		;;
 		4) #OpenDNS 
 		echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
@@ -330,7 +351,9 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
 	echo "keepalive 10 120
 persist-key
 persist-tun
-crl-verify crl.pem" >> /etc/openvpn/server.conf
+crl-verify crl.pem
+tls-server
+tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 	# Enable net.ipv4.ip_forward for the system
 	if [[ "$OS" = 'debian' ]]; then
 		sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@@ -345,8 +368,13 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
 	# Avoid an unneeded reboot
 	echo 1 > /proc/sys/net/ipv4/ip_forward
 	# Set NAT for the VPN subnet
+	if [[ "$FORWARD_TYPE" = '1' ]]; then
 		iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
 		sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
+	else
+		iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+		sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
+	fi
 	if pgrep firewalld; then
 		# We don't use --add-service=openvpn because that would only work with
 		# the default port. Using both permanent and not permanent rules to
@@ -402,9 +430,10 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
 		echo ""
 		echo "Looks like your server is behind a NAT!"
 		echo ""
-		echo "If your server is NATed (e.g. LowEndSpirit, Scaleway), I need to know the external IP"
+                echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
+                echo "then I need to know the address that can be used to access it from outside."
                 echo "If that's not the case, just ignore this and leave the next field blank"
-		read -p "External IP: " -e USEREXTERNALIP
+                read -p "External IP or domain name: " -e USEREXTERNALIP
 		if [[ "$USEREXTERNALIP" != "" ]]; then
 			IP=$USEREXTERNALIP
 		fi
@@ -421,10 +450,10 @@ persist-tun
 remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
-tls-version-min 1.2" > /etc/openvpn/client-common.txt
+tls-version-min 1.2
+tls-client" > /etc/openvpn/client-common.txt
 	if [[ "$VARIANT" = '1' ]]; then
 		# If the user selected the fast, less hardened version
-		# Or if the user selected a non-existant variant, we fallback to fast
 		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
 	elif [[ "$VARIANT" = '2' ]]; then
 		# If the user selected the relatively slow, ultra hardened version