mirror of
https://github.com/angristan/openvpn-install.git
synced 2024-11-22 08:49:03 +01:00
Merge pull request #3 from jtbr/master
changes to harden server and fix opennic DNS
This commit is contained in:
commit
5f6159ce9f
@ -10,9 +10,12 @@ This fork includes :
|
|||||||
- Better encryption (see below)
|
- Better encryption (see below)
|
||||||
- TLS 1.2 only
|
- TLS 1.2 only
|
||||||
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
|
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
|
||||||
|
- Run server in unprivileged mode, reducing risks to the system
|
||||||
|
- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
|
||||||
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
|
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
|
||||||
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
|
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
|
||||||
- Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
|
- Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
|
||||||
|
- Support for either SNAT or MASQUERADE for forwarding
|
||||||
- Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
|
- Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
|
||||||
|
|
||||||
## Variants
|
## Variants
|
||||||
|
@ -56,6 +56,10 @@ newclient () {
|
|||||||
echo "<key>" >> ~/$1.ovpn
|
echo "<key>" >> ~/$1.ovpn
|
||||||
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
|
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
|
||||||
echo "</key>" >> ~/$1.ovpn
|
echo "</key>" >> ~/$1.ovpn
|
||||||
|
echo "key-direction 1" >> ~/$1.ovpn
|
||||||
|
echo "<tls-auth>" >> ~/$1.ovpn
|
||||||
|
cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn
|
||||||
|
echo "</tls-auth>" >> ~/$1.ovpn
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -141,7 +145,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
|
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
|
||||||
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
|
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
|
||||||
fi
|
fi
|
||||||
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
|
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL
|
||||||
if hash sestatus 2>/dev/null; then
|
if hash sestatus 2>/dev/null; then
|
||||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||||
if [[ "$PORT" != '1194' ]]; then
|
if [[ "$PORT" != '1194' ]]; then
|
||||||
@ -200,6 +204,14 @@ else
|
|||||||
echo " 5) Google"
|
echo " 5) Google"
|
||||||
read -p "DNS [1-6]: " -e -i 2 DNS
|
read -p "DNS [1-6]: " -e -i 2 DNS
|
||||||
echo ""
|
echo ""
|
||||||
|
echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT"
|
||||||
|
echo "Which forwarding method do you want to use [if unsure, leave as default]?"
|
||||||
|
echo " 1) SNAT (default)"
|
||||||
|
echo " 2) MASQUERADE"
|
||||||
|
while [[ $FORWARD_TYPE != "1" && $FORWARD_TYPE != "2" ]]; do
|
||||||
|
read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
|
||||||
|
done
|
||||||
|
echo ""
|
||||||
echo "Finally, tell me your name for the client cert"
|
echo "Finally, tell me your name for the client cert"
|
||||||
echo "Please, use one word only, no special characters"
|
echo "Please, use one word only, no special characters"
|
||||||
read -p "Client name: " -e -i client CLIENT
|
read -p "Client name: " -e -i client CLIENT
|
||||||
@ -241,6 +253,12 @@ else
|
|||||||
yum install epel-release -y
|
yum install epel-release -y
|
||||||
yum install openvpn iptables openssl wget ca-certificates curl -y
|
yum install openvpn iptables openssl wget ca-certificates curl -y
|
||||||
fi
|
fi
|
||||||
|
# find out if the machine uses nogroup or nobody for the permissionless group
|
||||||
|
if grep -qs "^nogroup:" /etc/group; then
|
||||||
|
NOGROUP=nogroup
|
||||||
|
else
|
||||||
|
NOGROUP=nobody
|
||||||
|
fi
|
||||||
|
|
||||||
# An old version of easy-rsa was available by default in some openvpn packages
|
# An old version of easy-rsa was available by default in some openvpn packages
|
||||||
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
|
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
|
||||||
@ -273,8 +291,12 @@ set_var EASYRSA_DIGEST "sha384"" > vars
|
|||||||
./easyrsa build-server-full server nopass
|
./easyrsa build-server-full server nopass
|
||||||
./easyrsa build-client-full $CLIENT nopass
|
./easyrsa build-client-full $CLIENT nopass
|
||||||
./easyrsa gen-crl
|
./easyrsa gen-crl
|
||||||
|
# generate tls-auth key
|
||||||
|
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
||||||
# Move the stuff we need
|
# Move the stuff we need
|
||||||
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
||||||
|
# Make cert revocation list readable for non-root
|
||||||
|
chmod 644 /etc/openvpn/crl.pem
|
||||||
# Generate server.conf
|
# Generate server.conf
|
||||||
echo "port $PORT
|
echo "port $PORT
|
||||||
proto udp
|
proto udp
|
||||||
@ -283,6 +305,8 @@ ca ca.crt
|
|||||||
cert server.crt
|
cert server.crt
|
||||||
key server.key
|
key server.key
|
||||||
dh dh.pem
|
dh dh.pem
|
||||||
|
user nobody
|
||||||
|
group $NOGROUP
|
||||||
topology subnet
|
topology subnet
|
||||||
server 10.8.0.0 255.255.255.0
|
server 10.8.0.0 255.255.255.0
|
||||||
ifconfig-pool-persist ipp.txt
|
ifconfig-pool-persist ipp.txt
|
||||||
@ -291,7 +315,6 @@ auth SHA512
|
|||||||
tls-version-min 1.2" > /etc/openvpn/server.conf
|
tls-version-min 1.2" > /etc/openvpn/server.conf
|
||||||
if [[ "$VARIANT" = '1' ]]; then
|
if [[ "$VARIANT" = '1' ]]; then
|
||||||
# If the user selected the fast, less hardened version
|
# If the user selected the fast, less hardened version
|
||||||
# Or if the user selected a non-existant variant, we fallback to fast
|
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
|
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
|
||||||
elif [[ "$VARIANT" = '2' ]]; then
|
elif [[ "$VARIANT" = '2' ]]; then
|
||||||
# If the user selected the relatively slow, ultra hardened version
|
# If the user selected the relatively slow, ultra hardened version
|
||||||
@ -313,10 +336,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
|
|||||||
3) #OpenNIC
|
3) #OpenNIC
|
||||||
#Getting the nearest OpenNIC servers using the geoip API
|
#Getting the nearest OpenNIC servers using the geoip API
|
||||||
read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
|
read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
|
||||||
echo -e "nameserver $ns1
|
echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
|
||||||
nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
|
echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
|
||||||
echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
|
|
||||||
echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
|
|
||||||
;;
|
;;
|
||||||
4) #OpenDNS
|
4) #OpenDNS
|
||||||
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
|
||||||
@ -330,7 +351,9 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
|
|||||||
echo "keepalive 10 120
|
echo "keepalive 10 120
|
||||||
persist-key
|
persist-key
|
||||||
persist-tun
|
persist-tun
|
||||||
crl-verify crl.pem" >> /etc/openvpn/server.conf
|
crl-verify crl.pem
|
||||||
|
tls-server
|
||||||
|
tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
|
||||||
# Enable net.ipv4.ip_forward for the system
|
# Enable net.ipv4.ip_forward for the system
|
||||||
if [[ "$OS" = 'debian' ]]; then
|
if [[ "$OS" = 'debian' ]]; then
|
||||||
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
|
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
|
||||||
@ -345,8 +368,13 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
|||||||
# Avoid an unneeded reboot
|
# Avoid an unneeded reboot
|
||||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||||
# Set NAT for the VPN subnet
|
# Set NAT for the VPN subnet
|
||||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
if [[ "$FORWARD_TYPE" = '1' ]]; then
|
||||||
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
||||||
|
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
|
||||||
|
else
|
||||||
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
|
||||||
|
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
|
||||||
|
fi
|
||||||
if pgrep firewalld; then
|
if pgrep firewalld; then
|
||||||
# We don't use --add-service=openvpn because that would only work with
|
# We don't use --add-service=openvpn because that would only work with
|
||||||
# the default port. Using both permanent and not permanent rules to
|
# the default port. Using both permanent and not permanent rules to
|
||||||
@ -402,9 +430,10 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
|||||||
echo ""
|
echo ""
|
||||||
echo "Looks like your server is behind a NAT!"
|
echo "Looks like your server is behind a NAT!"
|
||||||
echo ""
|
echo ""
|
||||||
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway), I need to know the external IP"
|
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
|
||||||
echo "If that's not the case, just ignore this and leave the next field blank"
|
echo "then I need to know the address that can be used to access it from outside."
|
||||||
read -p "External IP: " -e USEREXTERNALIP
|
echo "If that's not the case, just ignore this and leave the next field blank"
|
||||||
|
read -p "External IP or domain name: " -e USEREXTERNALIP
|
||||||
if [[ "$USEREXTERNALIP" != "" ]]; then
|
if [[ "$USEREXTERNALIP" != "" ]]; then
|
||||||
IP=$USEREXTERNALIP
|
IP=$USEREXTERNALIP
|
||||||
fi
|
fi
|
||||||
@ -421,10 +450,10 @@ persist-tun
|
|||||||
remote-cert-tls server
|
remote-cert-tls server
|
||||||
cipher AES-256-CBC
|
cipher AES-256-CBC
|
||||||
auth SHA512
|
auth SHA512
|
||||||
tls-version-min 1.2" > /etc/openvpn/client-common.txt
|
tls-version-min 1.2
|
||||||
|
tls-client" > /etc/openvpn/client-common.txt
|
||||||
if [[ "$VARIANT" = '1' ]]; then
|
if [[ "$VARIANT" = '1' ]]; then
|
||||||
# If the user selected the fast, less hardened version
|
# If the user selected the fast, less hardened version
|
||||||
# Or if the user selected a non-existant variant, we fallback to fast
|
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
|
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
|
||||||
elif [[ "$VARIANT" = '2' ]]; then
|
elif [[ "$VARIANT" = '2' ]]; then
|
||||||
# If the user selected the relatively slow, ultra hardened version
|
# If the user selected the relatively slow, ultra hardened version
|
||||||
|
Loading…
Reference in New Issue
Block a user