mirror of
https://github.com/angristan/openvpn-install.git
synced 2025-03-13 14:13:14 +01:00
Merge 00f77871d4e08eb3d167d10abfb02b760801a65f into 2950fd445752fd0515cdbf37b28ab8a494bc8299
This commit is contained in:
randomshell
GitHub
commit
90c4157dbf
4
FAQ.md
4
FAQ.md
@ -63,7 +63,7 @@ down /usr/share/openvpn/contrib/pull-resolv-conf/client.down
|
|||||||
- AES CBC
|
- AES CBC
|
||||||
- tls-auth
|
- tls-auth
|
||||||
|
|
||||||
If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
|
If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server/server.conf` and `.ovpn` files.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -109,7 +109,7 @@ Sysctl options are at `/etc/sysctl.d/20-openvpn.conf`
|
|||||||
|
|
||||||
**Q:** How can I access computers the OpenVPN server's remote LAN?
|
**Q:** How can I access computers the OpenVPN server's remote LAN?
|
||||||
|
|
||||||
**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
|
**A:** Add a route with the subnet of the remote network to `/etc/openvpn/server/server.conf` and restart openvpn. Example: `push "route 192.168.1.0 255.255.255.0"` if the server's LAN is `192.168.1.0/24`
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
|||||||
@ -646,7 +646,7 @@ function installOpenVPN() {
|
|||||||
# If OpenVPN isn't installed yet, install it. This script is more-or-less
|
# If OpenVPN isn't installed yet, install it. This script is more-or-less
|
||||||
# idempotent on multiple runs, but will only install OpenVPN from upstream
|
# idempotent on multiple runs, but will only install OpenVPN from upstream
|
||||||
# the first time.
|
# the first time.
|
||||||
if [[ ! -e /etc/openvpn/server.conf ]]; then
|
if [[ ! -e /etc/openvpn/server/server.conf ]]; then
|
||||||
if [[ $OS =~ (debian|ubuntu) ]]; then
|
if [[ $OS =~ (debian|ubuntu) ]]; then
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get -y install ca-certificates gnupg
|
apt-get -y install ca-certificates gnupg
|
||||||
@ -670,6 +670,7 @@ function installOpenVPN() {
|
|||||||
# Install required dependencies and upgrade the system
|
# Install required dependencies and upgrade the system
|
||||||
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
|
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
|
||||||
fi
|
fi
|
||||||
|
mkdir -p /etc/openvpn/server /etc/openvpn/client
|
||||||
# An old version of easy-rsa was available by default in some openvpn packages
|
# An old version of easy-rsa was available by default in some openvpn packages
|
||||||
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
|
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
|
||||||
rm -rf /etc/openvpn/easy-rsa/
|
rm -rf /etc/openvpn/easy-rsa/
|
||||||
@ -684,14 +685,14 @@ function installOpenVPN() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Install the latest version of easy-rsa from source, if not already installed.
|
# Install the latest version of easy-rsa from source, if not already installed.
|
||||||
if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
|
if [[ ! -d /etc/openvpn/server/easy-rsa/ ]]; then
|
||||||
local version="3.0.7"
|
local version="3.0.7"
|
||||||
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
|
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
|
||||||
mkdir -p /etc/openvpn/easy-rsa
|
mkdir -p /etc/openvpn/server/easy-rsa
|
||||||
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
|
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/server/easy-rsa
|
||||||
rm -f ~/easy-rsa.tgz
|
rm -f ~/easy-rsa.tgz
|
||||||
|
|
||||||
cd /etc/openvpn/easy-rsa/ || return
|
cd /etc/openvpn/server/easy-rsa/ || return
|
||||||
case $CERT_TYPE in
|
case $CERT_TYPE in
|
||||||
1)
|
1)
|
||||||
echo "set_var EASYRSA_ALGO ec" >vars
|
echo "set_var EASYRSA_ALGO ec" >vars
|
||||||
@ -725,35 +726,35 @@ function installOpenVPN() {
|
|||||||
case $TLS_SIG in
|
case $TLS_SIG in
|
||||||
1)
|
1)
|
||||||
# Generate tls-crypt key
|
# Generate tls-crypt key
|
||||||
openvpn --genkey --secret /etc/openvpn/tls-crypt.key
|
openvpn --genkey --secret /etc/openvpn/server/tls-crypt.key
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
# Generate tls-auth key
|
# Generate tls-auth key
|
||||||
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
openvpn --genkey --secret /etc/openvpn/server/tls-auth.key
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
else
|
else
|
||||||
# If easy-rsa is already installed, grab the generated SERVER_NAME
|
# If easy-rsa is already installed, grab the generated SERVER_NAME
|
||||||
# for client configs
|
# for client configs
|
||||||
cd /etc/openvpn/easy-rsa/ || return
|
cd /etc/openvpn/server/easy-rsa/ || return
|
||||||
SERVER_NAME=$(cat SERVER_NAME_GENERATED)
|
SERVER_NAME=$(cat SERVER_NAME_GENERATED)
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Move all the generated files
|
# Move all the generated files
|
||||||
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server
|
||||||
if [[ $DH_TYPE == "2" ]]; then
|
if [[ $DH_TYPE == "2" ]]; then
|
||||||
cp dh.pem /etc/openvpn
|
cp dh.pem /etc/openvpn/server
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Make cert revocation list readable for non-root
|
# Make cert revocation list readable for non-root
|
||||||
chmod 644 /etc/openvpn/crl.pem
|
chmod 644 /etc/openvpn/server/crl.pem
|
||||||
|
|
||||||
# Generate server.conf
|
# Generate server.conf
|
||||||
echo "port $PORT" >/etc/openvpn/server.conf
|
echo "port $PORT" >/etc/openvpn/server/server.conf
|
||||||
if [[ $IPV6_SUPPORT == 'n' ]]; then
|
if [[ $IPV6_SUPPORT == 'n' ]]; then
|
||||||
echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
|
echo "proto $PROTOCOL" >>/etc/openvpn/server/server.conf
|
||||||
elif [[ $IPV6_SUPPORT == 'y' ]]; then
|
elif [[ $IPV6_SUPPORT == 'y' ]]; then
|
||||||
echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
|
echo "proto ${PROTOCOL}6" >>/etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "dev tun
|
echo "dev tun
|
||||||
@ -764,7 +765,7 @@ persist-tun
|
|||||||
keepalive 10 120
|
keepalive 10 120
|
||||||
topology subnet
|
topology subnet
|
||||||
server 10.8.0.0 255.255.255.0
|
server 10.8.0.0 255.255.255.0
|
||||||
ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
|
ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server/server.conf
|
||||||
|
|
||||||
# DNS resolvers
|
# DNS resolvers
|
||||||
case $DNS in
|
case $DNS in
|
||||||
@ -780,64 +781,64 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
|
|||||||
sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
|
sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
|
||||||
# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
|
# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
|
||||||
if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
|
if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
|
||||||
echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
|
echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
;;
|
;;
|
||||||
2) # Self-hosted DNS resolver (Unbound)
|
2) # Self-hosted DNS resolver (Unbound)
|
||||||
echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server/server.conf
|
||||||
if [[ $IPV6_SUPPORT == 'y' ]]; then
|
if [[ $IPV6_SUPPORT == 'y' ]]; then
|
||||||
echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
3) # Cloudflare
|
3) # Cloudflare
|
||||||
echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
4) # Quad9
|
4) # Quad9
|
||||||
echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
5) # Quad9 uncensored
|
5) # Quad9 uncensored
|
||||||
echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
6) # FDN
|
6) # FDN
|
||||||
echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
7) # DNS.WATCH
|
7) # DNS.WATCH
|
||||||
echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
8) # OpenDNS
|
8) # OpenDNS
|
||||||
echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
9) # Google
|
9) # Google
|
||||||
echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
10) # Yandex Basic
|
10) # Yandex Basic
|
||||||
echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
11) # AdGuard DNS
|
11) # AdGuard DNS
|
||||||
echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
12) # NextDNS
|
12) # NextDNS
|
||||||
echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
13) # Custom DNS
|
13) # Custom DNS
|
||||||
echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
|
echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server/server.conf
|
||||||
if [[ $DNS2 != "" ]]; then
|
if [[ $DNS2 != "" ]]; then
|
||||||
echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
|
echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
|
echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server/server.conf
|
||||||
|
|
||||||
# IPv6 network settings if needed
|
# IPv6 network settings if needed
|
||||||
if [[ $IPV6_SUPPORT == 'y' ]]; then
|
if [[ $IPV6_SUPPORT == 'y' ]]; then
|
||||||
@ -845,26 +846,26 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
|
|||||||
tun-ipv6
|
tun-ipv6
|
||||||
push tun-ipv6
|
push tun-ipv6
|
||||||
push "route-ipv6 2000::/3"
|
push "route-ipv6 2000::/3"
|
||||||
push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
|
push "redirect-gateway ipv6"' >>/etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $COMPRESSION_ENABLED == "y" ]]; then
|
if [[ $COMPRESSION_ENABLED == "y" ]]; then
|
||||||
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf
|
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [[ $DH_TYPE == "1" ]]; then
|
if [[ $DH_TYPE == "1" ]]; then
|
||||||
echo "dh none" >>/etc/openvpn/server.conf
|
echo "dh none" >>/etc/openvpn/server/server.conf
|
||||||
echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf
|
echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server/server.conf
|
||||||
elif [[ $DH_TYPE == "2" ]]; then
|
elif [[ $DH_TYPE == "2" ]]; then
|
||||||
echo "dh dh.pem" >>/etc/openvpn/server.conf
|
echo "dh dh.pem" >>/etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
case $TLS_SIG in
|
case $TLS_SIG in
|
||||||
1)
|
1)
|
||||||
echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf
|
echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
|
echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
@ -878,14 +879,11 @@ ncp-ciphers $CIPHER
|
|||||||
tls-server
|
tls-server
|
||||||
tls-version-min 1.2
|
tls-version-min 1.2
|
||||||
tls-cipher $CC_CIPHER
|
tls-cipher $CC_CIPHER
|
||||||
client-config-dir /etc/openvpn/ccd
|
client-config-dir /etc/openvpn/server/ccd
|
||||||
status /var/log/openvpn/status.log
|
verb 3" >>/etc/openvpn/server/server.conf
|
||||||
verb 3" >>/etc/openvpn/server.conf
|
|
||||||
|
|
||||||
# Create client-config-dir dir
|
# Create client-config-dir dir
|
||||||
mkdir -p /etc/openvpn/ccd
|
mkdir -p /etc/openvpn/server/ccd
|
||||||
# Create log dir
|
|
||||||
mkdir -p /var/log/openvpn
|
|
||||||
|
|
||||||
# Enable routing
|
# Enable routing
|
||||||
echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
|
echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
|
||||||
@ -904,42 +902,21 @@ verb 3" >>/etc/openvpn/server.conf
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Finally, restart and enable OpenVPN
|
# Don't modify package-provided service
|
||||||
if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
|
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
|
||||||
# Don't modify package-provided service
|
|
||||||
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
|
|
||||||
|
|
||||||
# Workaround to fix OpenVPN service on OpenVZ
|
# Workaround to fix OpenVPN service on OpenVZ
|
||||||
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
|
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service
|
||||||
# Another workaround to keep using /etc/openvpn/
|
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
|
||||||
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
|
if [[ $OS == "fedora" ]]; then
|
||||||
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
|
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
|
||||||
if [[ $OS == "fedora" ]]; then
|
|
||||||
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
|
|
||||||
fi
|
|
||||||
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl enable openvpn-server@server
|
|
||||||
systemctl restart openvpn-server@server
|
|
||||||
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
|
|
||||||
# On Ubuntu 16.04, we use the package from the OpenVPN repo
|
|
||||||
# This package uses a sysvinit service
|
|
||||||
systemctl enable openvpn
|
|
||||||
systemctl start openvpn
|
|
||||||
else
|
|
||||||
# Don't modify package-provided service
|
|
||||||
cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
|
|
||||||
|
|
||||||
# Workaround to fix OpenVPN service on OpenVZ
|
|
||||||
sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service
|
|
||||||
# Another workaround to keep using /etc/openvpn/
|
|
||||||
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
|
|
||||||
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl enable openvpn@server
|
|
||||||
systemctl restart openvpn@server
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Finally, restart and enable OpenVPN
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl enable openvpn-server@server
|
||||||
|
systemctl restart openvpn-server@server
|
||||||
|
|
||||||
if [[ $DNS == 2 ]]; then
|
if [[ $DNS == 2 ]]; then
|
||||||
installUnbound
|
installUnbound
|
||||||
fi
|
fi
|
||||||
@ -1008,12 +985,12 @@ WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# client-template.txt is created so we have a template to add further users later
|
# client-template.txt is created so we have a template to add further users later
|
||||||
echo "client" >/etc/openvpn/client-template.txt
|
echo "client" >/etc/openvpn/server/client-template.txt
|
||||||
if [[ $PROTOCOL == 'udp' ]]; then
|
if [[ $PROTOCOL == 'udp' ]]; then
|
||||||
echo "proto udp" >>/etc/openvpn/client-template.txt
|
echo "proto udp" >>/etc/openvpn/server/client-template.txt
|
||||||
echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
|
echo "explicit-exit-notify" >>/etc/openvpn/server/client-template.txt
|
||||||
elif [[ $PROTOCOL == 'tcp' ]]; then
|
elif [[ $PROTOCOL == 'tcp' ]]; then
|
||||||
echo "proto tcp-client" >>/etc/openvpn/client-template.txt
|
echo "proto tcp-client" >>/etc/openvpn/server/client-template.txt
|
||||||
fi
|
fi
|
||||||
echo "remote $IP $PORT
|
echo "remote $IP $PORT
|
||||||
dev tun
|
dev tun
|
||||||
@ -1031,10 +1008,10 @@ tls-version-min 1.2
|
|||||||
tls-cipher $CC_CIPHER
|
tls-cipher $CC_CIPHER
|
||||||
ignore-unknown-option block-outside-dns
|
ignore-unknown-option block-outside-dns
|
||||||
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
|
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
|
||||||
verb 3" >>/etc/openvpn/client-template.txt
|
verb 3" >>/etc/openvpn/server/client-template.txt
|
||||||
|
|
||||||
if [[ $COMPRESSION_ENABLED == "y" ]]; then
|
if [[ $COMPRESSION_ENABLED == "y" ]]; then
|
||||||
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
|
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server/client-template.txt
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate the custom client.ovpn
|
# Generate the custom client.ovpn
|
||||||
@ -1061,13 +1038,13 @@ function newClient() {
|
|||||||
read -rp "Select an option [1-2]: " -e -i 1 PASS
|
read -rp "Select an option [1-2]: " -e -i 1 PASS
|
||||||
done
|
done
|
||||||
|
|
||||||
CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
|
CLIENTEXISTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
|
||||||
if [[ $CLIENTEXISTS == '1' ]]; then
|
if [[ $CLIENTEXISTS == '1' ]]; then
|
||||||
echo ""
|
echo ""
|
||||||
echo "The specified client CN was already found in easy-rsa, please choose another name."
|
echo "The specified client CN was already found in easy-rsa, please choose another name."
|
||||||
exit
|
exit
|
||||||
else
|
else
|
||||||
cd /etc/openvpn/easy-rsa/ || return
|
cd /etc/openvpn/server/easy-rsa/ || return
|
||||||
case $PASS in
|
case $PASS in
|
||||||
1)
|
1)
|
||||||
./easyrsa build-client-full "$CLIENT" nopass
|
./easyrsa build-client-full "$CLIENT" nopass
|
||||||
@ -1090,37 +1067,37 @@ function newClient() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Determine if we use tls-auth or tls-crypt
|
# Determine if we use tls-auth or tls-crypt
|
||||||
if grep -qs "^tls-crypt" /etc/openvpn/server.conf; then
|
if grep -qs "^tls-crypt" /etc/openvpn/server/server.conf; then
|
||||||
TLS_SIG="1"
|
TLS_SIG="1"
|
||||||
elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then
|
elif grep -qs "^tls-auth" /etc/openvpn/server/server.conf; then
|
||||||
TLS_SIG="2"
|
TLS_SIG="2"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
cp /etc/openvpn/client-template.txt "$homeDir/$CLIENT.ovpn"
|
cp /etc/openvpn/server/client-template.txt "$homeDir/$CLIENT.ovpn"
|
||||||
{
|
{
|
||||||
echo "<ca>"
|
echo "<ca>"
|
||||||
cat "/etc/openvpn/easy-rsa/pki/ca.crt"
|
cat "/etc/openvpn/server/easy-rsa/pki/ca.crt"
|
||||||
echo "</ca>"
|
echo "</ca>"
|
||||||
|
|
||||||
echo "<cert>"
|
echo "<cert>"
|
||||||
awk '/BEGIN/,/END/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
|
awk '/BEGIN/,/END/' "/etc/openvpn/server/easy-rsa/pki/issued/$CLIENT.crt"
|
||||||
echo "</cert>"
|
echo "</cert>"
|
||||||
|
|
||||||
echo "<key>"
|
echo "<key>"
|
||||||
cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT.key"
|
cat "/etc/openvpn/server/easy-rsa/pki/private/$CLIENT.key"
|
||||||
echo "</key>"
|
echo "</key>"
|
||||||
|
|
||||||
case $TLS_SIG in
|
case $TLS_SIG in
|
||||||
1)
|
1)
|
||||||
echo "<tls-crypt>"
|
echo "<tls-crypt>"
|
||||||
cat /etc/openvpn/tls-crypt.key
|
cat /etc/openvpn/server/tls-crypt.key
|
||||||
echo "</tls-crypt>"
|
echo "</tls-crypt>"
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
echo "key-direction 1"
|
echo "key-direction 1"
|
||||||
echo "<tls-auth>"
|
echo "<tls-auth>"
|
||||||
cat /etc/openvpn/tls-auth.key
|
cat /etc/openvpn/server/tls-auth.key
|
||||||
echo "</tls-auth>"
|
echo "</tls-auth>"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -1134,7 +1111,7 @@ function newClient() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
function revokeClient() {
|
function revokeClient() {
|
||||||
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
|
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
|
||||||
if [[ $NUMBEROFCLIENTS == '0' ]]; then
|
if [[ $NUMBEROFCLIENTS == '0' ]]; then
|
||||||
echo ""
|
echo ""
|
||||||
echo "You have no existing clients!"
|
echo "You have no existing clients!"
|
||||||
@ -1143,7 +1120,7 @@ function revokeClient() {
|
|||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "Select the existing client certificate you want to revoke"
|
echo "Select the existing client certificate you want to revoke"
|
||||||
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||||
until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
|
until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
|
||||||
if [[ $CLIENTNUMBER == '1' ]]; then
|
if [[ $CLIENTNUMBER == '1' ]]; then
|
||||||
read -rp "Select one client [1]: " CLIENTNUMBER
|
read -rp "Select one client [1]: " CLIENTNUMBER
|
||||||
@ -1151,16 +1128,16 @@ function revokeClient() {
|
|||||||
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
|
CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
|
||||||
cd /etc/openvpn/easy-rsa/ || return
|
cd /etc/openvpn/server/easy-rsa/ || return
|
||||||
./easyrsa --batch revoke "$CLIENT"
|
./easyrsa --batch revoke "$CLIENT"
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
rm -f /etc/openvpn/crl.pem
|
rm -f /etc/openvpn/server/crl.pem
|
||||||
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
|
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
|
||||||
chmod 644 /etc/openvpn/crl.pem
|
chmod 644 /etc/openvpn/server/crl.pem
|
||||||
find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
|
find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
|
||||||
rm -f "/root/$CLIENT.ovpn"
|
rm -f "/root/$CLIENT.ovpn"
|
||||||
sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt
|
sed -i "/^$CLIENT,.*/d" /etc/openvpn/server/ipp.txt
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "Certificate for client $CLIENT revoked."
|
echo "Certificate for client $CLIENT revoked."
|
||||||
@ -1207,24 +1184,14 @@ function removeOpenVPN() {
|
|||||||
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
|
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
|
||||||
if [[ $REMOVE == 'y' ]]; then
|
if [[ $REMOVE == 'y' ]]; then
|
||||||
# Get OpenVPN port from the configuration
|
# Get OpenVPN port from the configuration
|
||||||
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
|
|
||||||
# Stop OpenVPN
|
# Stop OpenVPN
|
||||||
if [[ $OS =~ (fedora|arch|centos) ]]; then
|
systemctl disable openvpn-server@server
|
||||||
systemctl disable openvpn-server@server
|
systemctl stop openvpn-server@server
|
||||||
systemctl stop openvpn-server@server
|
# Remove customised service
|
||||||
# Remove customised service
|
rm /etc/systemd/system/openvpn-server@.service
|
||||||
rm /etc/systemd/system/openvpn-server@.service
|
|
||||||
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
|
|
||||||
systemctl disable openvpn
|
|
||||||
systemctl stop openvpn
|
|
||||||
else
|
|
||||||
systemctl disable openvpn@server
|
|
||||||
systemctl stop openvpn@server
|
|
||||||
# Remove customised service
|
|
||||||
rm /etc/systemd/system/openvpn\@.service
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Remove the iptables rules related to the script
|
# Remove the iptables rules related to the script
|
||||||
systemctl stop iptables-openvpn
|
systemctl stop iptables-openvpn
|
||||||
@ -1261,10 +1228,9 @@ function removeOpenVPN() {
|
|||||||
# Cleanup
|
# Cleanup
|
||||||
find /home/ -maxdepth 2 -name "*.ovpn" -delete
|
find /home/ -maxdepth 2 -name "*.ovpn" -delete
|
||||||
find /root/ -maxdepth 1 -name "*.ovpn" -delete
|
find /root/ -maxdepth 1 -name "*.ovpn" -delete
|
||||||
rm -rf /etc/openvpn
|
rm -rf /etc/openvpn/server
|
||||||
rm -rf /usr/share/doc/openvpn*
|
rm -rf /usr/share/doc/openvpn*
|
||||||
rm -f /etc/sysctl.d/20-openvpn.conf
|
rm -f /etc/sysctl.d/20-openvpn.conf
|
||||||
rm -rf /var/log/openvpn
|
|
||||||
|
|
||||||
# Unbound
|
# Unbound
|
||||||
if [[ -e /etc/unbound/openvpn.conf ]]; then
|
if [[ -e /etc/unbound/openvpn.conf ]]; then
|
||||||
@ -1313,7 +1279,7 @@ function manageMenu() {
|
|||||||
initialCheck
|
initialCheck
|
||||||
|
|
||||||
# Check if OpenVPN is already installed
|
# Check if OpenVPN is already installed
|
||||||
if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
|
if [[ -e /etc/openvpn/server/server.conf && $AUTO_INSTALL != "y" ]]; then
|
||||||
manageMenu
|
manageMenu
|
||||||
else
|
else
|
||||||
installOpenVPN
|
installOpenVPN
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user