mirror of
https://github.com/angristan/openvpn-install.git
synced 2024-11-22 08:49:03 +01:00
Merge pull request #3 from jtbr/master
changes to harden server and fix opennic DNS
This commit is contained in:
commit
5f6159ce9f
@ -10,9 +10,12 @@ This fork includes :
|
||||
- Better encryption (see below)
|
||||
- TLS 1.2 only
|
||||
- AES-256-CBC and SHA-512 for HMAC (instead of BF-128-CBC and SHA1)
|
||||
- Run server in unprivileged mode, reducing risks to the system
|
||||
- TLS-auth to help [thwart DoS attacks](https://openvpn.net/index.php/open-source/documentation/howto.html#security) and provide a 2nd line of defense to the TLS channel.
|
||||
- [FDN's DNS Servers](http://www.fdn.fr/actions/dns/)
|
||||
- Nearest [OpenNIC DNS Servers](https://www.opennicproject.org/)
|
||||
- Up-to-date OpenVPN (2.3.11) thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos)
|
||||
- Support for either SNAT or MASQUERADE for forwarding
|
||||
- Every feature of the [original script](https://github.com/Nyr/openvpn-install) (I check periodically to sync the latest commits from source)
|
||||
|
||||
## Variants
|
||||
|
@ -56,6 +56,10 @@ newclient () {
|
||||
echo "<key>" >> ~/$1.ovpn
|
||||
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
|
||||
echo "</key>" >> ~/$1.ovpn
|
||||
echo "key-direction 1" >> ~/$1.ovpn
|
||||
echo "<tls-auth>" >> ~/$1.ovpn
|
||||
cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn
|
||||
echo "</tls-auth>" >> ~/$1.ovpn
|
||||
}
|
||||
|
||||
|
||||
@ -141,7 +145,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
|
||||
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
|
||||
fi
|
||||
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
|
||||
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 /d' $RCLOCAL
|
||||
if hash sestatus 2>/dev/null; then
|
||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||
if [[ "$PORT" != '1194' ]]; then
|
||||
@ -200,6 +204,14 @@ else
|
||||
echo " 5) Google"
|
||||
read -p "DNS [1-6]: " -e -i 2 DNS
|
||||
echo ""
|
||||
echo "Some setups (e.g. Amazon Web Services), require use of MASQUERADE rather than SNAT"
|
||||
echo "Which forwarding method do you want to use [if unsure, leave as default]?"
|
||||
echo " 1) SNAT (default)"
|
||||
echo " 2) MASQUERADE"
|
||||
while [[ $FORWARD_TYPE != "1" && $FORWARD_TYPE != "2" ]]; do
|
||||
read -p "Forwarding type: " -e -i 1 FORWARD_TYPE
|
||||
done
|
||||
echo ""
|
||||
echo "Finally, tell me your name for the client cert"
|
||||
echo "Please, use one word only, no special characters"
|
||||
read -p "Client name: " -e -i client CLIENT
|
||||
@ -241,6 +253,12 @@ else
|
||||
yum install epel-release -y
|
||||
yum install openvpn iptables openssl wget ca-certificates curl -y
|
||||
fi
|
||||
# find out if the machine uses nogroup or nobody for the permissionless group
|
||||
if grep -qs "^nogroup:" /etc/group; then
|
||||
NOGROUP=nogroup
|
||||
else
|
||||
NOGROUP=nobody
|
||||
fi
|
||||
|
||||
# An old version of easy-rsa was available by default in some openvpn packages
|
||||
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
|
||||
@ -273,8 +291,12 @@ set_var EASYRSA_DIGEST "sha384"" > vars
|
||||
./easyrsa build-server-full server nopass
|
||||
./easyrsa build-client-full $CLIENT nopass
|
||||
./easyrsa gen-crl
|
||||
# generate tls-auth key
|
||||
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
||||
# Move the stuff we need
|
||||
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
||||
# Make cert revocation list readable for non-root
|
||||
chmod 644 /etc/openvpn/crl.pem
|
||||
# Generate server.conf
|
||||
echo "port $PORT
|
||||
proto udp
|
||||
@ -283,6 +305,8 @@ ca ca.crt
|
||||
cert server.crt
|
||||
key server.key
|
||||
dh dh.pem
|
||||
user nobody
|
||||
group $NOGROUP
|
||||
topology subnet
|
||||
server 10.8.0.0 255.255.255.0
|
||||
ifconfig-pool-persist ipp.txt
|
||||
@ -291,7 +315,6 @@ auth SHA512
|
||||
tls-version-min 1.2" > /etc/openvpn/server.conf
|
||||
if [[ "$VARIANT" = '1' ]]; then
|
||||
# If the user selected the fast, less hardened version
|
||||
# Or if the user selected a non-existant variant, we fallback to fast
|
||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
|
||||
elif [[ "$VARIANT" = '2' ]]; then
|
||||
# If the user selected the relatively slow, ultra hardened version
|
||||
@ -313,10 +336,8 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
|
||||
3) #OpenNIC
|
||||
#Getting the nearest OpenNIC servers using the geoip API
|
||||
read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
|
||||
echo -e "nameserver $ns1
|
||||
nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
|
||||
echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
|
||||
echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
|
||||
echo "push \"dhcp-option DNS $ns1\"" >> /etc/openvpn/server.conf
|
||||
echo "push \"dhcp-option DNS $ns2\"" >> /etc/openvpn/server.conf
|
||||
;;
|
||||
4) #OpenDNS
|
||||
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
|
||||
@ -330,7 +351,9 @@ tls-version-min 1.2" > /etc/openvpn/server.conf
|
||||
echo "keepalive 10 120
|
||||
persist-key
|
||||
persist-tun
|
||||
crl-verify crl.pem" >> /etc/openvpn/server.conf
|
||||
crl-verify crl.pem
|
||||
tls-server
|
||||
tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
|
||||
# Enable net.ipv4.ip_forward for the system
|
||||
if [[ "$OS" = 'debian' ]]; then
|
||||
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
|
||||
@ -345,8 +368,13 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
||||
# Avoid an unneeded reboot
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
# Set NAT for the VPN subnet
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
|
||||
if [[ "$FORWARD_TYPE" = '1' ]]; then
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
|
||||
else
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
|
||||
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
|
||||
fi
|
||||
if pgrep firewalld; then
|
||||
# We don't use --add-service=openvpn because that would only work with
|
||||
# the default port. Using both permanent and not permanent rules to
|
||||
@ -402,9 +430,10 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
||||
echo ""
|
||||
echo "Looks like your server is behind a NAT!"
|
||||
echo ""
|
||||
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway), I need to know the external IP"
|
||||
echo "If that's not the case, just ignore this and leave the next field blank"
|
||||
read -p "External IP: " -e USEREXTERNALIP
|
||||
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
|
||||
echo "then I need to know the address that can be used to access it from outside."
|
||||
echo "If that's not the case, just ignore this and leave the next field blank"
|
||||
read -p "External IP or domain name: " -e USEREXTERNALIP
|
||||
if [[ "$USEREXTERNALIP" != "" ]]; then
|
||||
IP=$USEREXTERNALIP
|
||||
fi
|
||||
@ -421,10 +450,10 @@ persist-tun
|
||||
remote-cert-tls server
|
||||
cipher AES-256-CBC
|
||||
auth SHA512
|
||||
tls-version-min 1.2" > /etc/openvpn/client-common.txt
|
||||
tls-version-min 1.2
|
||||
tls-client" > /etc/openvpn/client-common.txt
|
||||
if [[ "$VARIANT" = '1' ]]; then
|
||||
# If the user selected the fast, less hardened version
|
||||
# Or if the user selected a non-existant variant, we fallback to fast
|
||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
|
||||
elif [[ "$VARIANT" = '2' ]]; then
|
||||
# If the user selected the relatively slow, ultra hardened version
|
||||
|
Loading…
Reference in New Issue
Block a user