Merge pull request #3 from jtbr/master

changes to harden server and fix opennic DNS
This commit is contained in:
Angristan 2016-05-11 13:02:34 +02:00
commit 5f6159ce9f
2 changed files with 46 additions and 14 deletions

View File

@ -10,9 +10,12 @@ This fork includes :
- Better encryption (see below) - Better encryption (see below)
- TLS 1.2 only - TLS 1.2 only
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1) - AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
- Run server in unprivileged mode, reducing risks to the system
- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/) - [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/) - Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
- Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) - Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
- Support for either SNAT or MASQUERADE for forwarding
- Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source) - Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
## Variants ## Variants

View File

@ -56,6 +56,10 @@ newclient () {
echo "<key>" >> ~/$1.ovpn echo "<key>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
echo "</key>" >> ~/$1.ovpn echo "</key>" >> ~/$1.ovpn
echo "key-direction 1" >> ~/$1.ovpn
echo "<tls-auth>" >> ~/$1.ovpn
cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn
echo "</tls-auth>" >> ~/$1.ovpn
} }
@ -141,7 +145,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi fi
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then if [[ "$PORT" != '1194' ]]; then
@ -200,6 +204,14 @@ else
echo " 5) Google" echo " 5) Google"
read -p "DNS [1-6]: " -e -i 2 DNS read -p "DNS [1-6]: " -e -i 2 DNS
echo "" echo ""
echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT"
echo "Which forwarding method do you want to use [if unsure, leave as default]?"
echo " 1) SNAT (default)"
echo " 2) MASQUERADE"
while [[ $FORWARD_TYPE != "1" && $FORWARD_TYPE != "2" ]]; do
read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
done
echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me your name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: " -e -i client CLIENT
@ -241,6 +253,12 @@ else
yum install epel-release -y yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y yum install openvpn iptables openssl wget ca-certificates curl -y
fi fi
# find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup
else
NOGROUP=nobody
fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
@ -273,8 +291,12 @@ set_var EASYRSA_DIGEST "sha384"" > vars
./easyrsa build-server-full server nopass ./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
./easyrsa gen-crl ./easyrsa gen-crl
# generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
# Move the stuff we need # Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
# Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf # Generate server.conf
echo "port $PORT echo "port $PORT
proto udp proto udp
@ -283,6 +305,8 @@ ca ca.crt
cert server.crt cert server.crt
key server.key key server.key
dh dh.pem dh dh.pem
user nobody
group $NOGROUP
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt ifconfig-pool-persist ipp.txt
@ -291,7 +315,6 @@ auth SHA512
tls-version-min 1.2" > /etc/openvpn/server.conf tls-version-min 1.2" > /etc/openvpn/server.conf
if [[ "$VARIANT" = '1' ]]; then if [[ "$VARIANT" = '1' ]]; then
# If the user selected the fast, less hardened version # If the user selected the fast, less hardened version
# Or if the user selected a non-existant variant, we fallback to fast
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
elif [[ "$VARIANT" = '2' ]]; then elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version # If the user selected the relatively slow, ultra hardened version
@ -313,10 +336,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
3) #OpenNIC 3) #OpenNIC
#Getting the nearest OpenNIC servers using the geoip API #Getting the nearest OpenNIC servers using the geoip API
read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}') read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
echo -e "nameserver $ns1 echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
;; ;;
4) #OpenDNS 4) #OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
@ -330,7 +351,9 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
echo "keepalive 10 120 echo "keepalive 10 120
persist-key persist-key
persist-tun persist-tun
crl-verify crl.pem" >> /etc/openvpn/server.conf crl-verify crl.pem
tls-server
tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@ -345,8 +368,13 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
# Avoid an unneeded reboot # Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
if [[ "$FORWARD_TYPE" = '1' ]]; then
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
else
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
fi
if pgrep firewalld; then if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with # We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to # the default port. Using both permanent and not permanent rules to
@ -402,9 +430,10 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
echo "" echo ""
echo "Looks like your server is behind a NAT!" echo "Looks like your server is behind a NAT!"
echo "" echo ""
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway), I need to know the external IP" echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
echo "then I need to know the address that can be used to access it from outside."
echo "If that's not the case, just ignore this and leave the next field blank" echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP: " -e USEREXTERNALIP read -p "External IP or domain name: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP IP=$USEREXTERNALIP
fi fi
@ -421,10 +450,10 @@ persist-tun
remote-cert-tls server remote-cert-tls server
cipher AES-256-CBC cipher AES-256-CBC
auth SHA512 auth SHA512
tls-version-min 1.2" > /etc/openvpn/client-common.txt tls-version-min 1.2
tls-client" > /etc/openvpn/client-common.txt
if [[ "$VARIANT" = '1' ]]; then if [[ "$VARIANT" = '1' ]]; then
# If the user selected the fast, less hardened version # If the user selected the fast, less hardened version
# Or if the user selected a non-existant variant, we fallback to fast
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
elif [[ "$VARIANT" = '2' ]]; then elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version # If the user selected the relatively slow, ultra hardened version