From abc0676b4c5f62d366d77267c9fb2171c97b2da3 Mon Sep 17 00:00:00 2001
From: jduo
Date: Thu, 10 Sep 2020 05:31:48 -0300
Subject: [PATCH] Sync with upstream. Add new environment variables usage

---
 openvpn-install.sh | 67 +++++++++++++++++++++++++++++-----------------
 1 file changed, 42 insertions(+), 25 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 685f607..6b2f42c 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -102,19 +102,19 @@ function installUnbound() {
 			apt-get install -y unbound
 
 			# Configuration
-			echo 'interface: 10.8.0.1
-access-control: 10.8.0.1/24 allow
+			echo "interface: $VPN_NETWORK.1
+access-control: $VPN_NETWORK.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
-prefetch: yes' >>/etc/unbound/unbound.conf
+prefetch: yes" >>/etc/unbound/unbound.conf
 
 		elif [[ $OS =~ (centos|amzn) ]]; then
 			yum install -y unbound
 
 			# Configuration
-			sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
-			sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
+			sed -i "s|# interface: 0.0.0.0$|interface: $VPN_NETWORK.1|" /etc/unbound/unbound.conf
+			sed -i "s|# access-control: 127.0.0.0/8 allow|access-control: $VPN_NETWORK.1/24 allow|" /etc/unbound/unbound.conf
 			sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
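Review bot: The new `echo "interface: $VPN_NETWORK.1 …"` and the two `sed -i "…$VPN_NETWORK.1…"` lines assume `$VPN_NETWORK` is already set, but installUnbound adds no default or guard of its own; if any install path reaches it without going through the prompt in installQuestions (the commit message says values can come from the environment), an empty value writes `interface: .1` and `access-control: .1/24 allow` into unbound.conf. A guard at the top of the function, `: "${VPN_NETWORK:?VPN_NETWORK must be set, e.g. 10.8.0}"`, turns that into a loud failure; the same applies to the corresponding lines in hunks @@ -123 and @@ -180. Because the value is also interpolated into `sed` replacement text and later into iptables rules, the three-octet format check in installQuestions is what keeps that safe, so a non-interactive path that takes the value from the environment should apply the same check rather than trust it. installUnbound starts before and continues past this hunk.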
@@ -123,8 +123,8 @@ prefetch: yes' >>/etc/unbound/unbound.conf
 			dnf install -y unbound
 
 			# Configuration
-			sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
-			sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
+			sed -i "s|# interface: 0.0.0.0$|interface: $VPN_NETWORK.1|" /etc/unbound/unbound.conf
+			sed -i "s|# access-control: 127.0.0.0/8 allow|access-control: $VPN_NETWORK.1/24 allow|" /etc/unbound/unbound.conf
 			sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
 			sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
@@ -139,15 +139,15 @@ prefetch: yes' >>/etc/unbound/unbound.conf
 				mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
 			fi
 
-			echo 'server:
+			echo "server:
 	use-syslog: yes
 	do-daemonize: no
 	username: "unbound"
 	directory: "/etc/unbound"
 	trust-anchor-file: trusted-key.key
 	root-hints: root.hints
-	interface: 10.8.0.1
-	access-control: 10.8.0.1/24 allow
+	interface: $VPN_NETWORK.1
+	access-control: $VPN_NETWORK.1/24 allow
 	port: 53
 	num-threads: 2
 	use-caps-for-id: yes
@@ -155,7 +155,7 @@ prefetch: yes' >>/etc/unbound/unbound.conf
 	hide-identity: yes
 	hide-version: yes
 	qname-minimisation: yes
-	prefetch: yes' >/etc/unbound/unbound.conf
+	prefetch: yes" >/etc/unbound/unbound.conf
 		fi
 
 		# IPv6 DNS for all OS
@@ -180,9 +180,9 @@ private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf
 		echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf
 
 		# Add Unbound 'server' for the OpenVPN subnet
-		echo 'server:
-interface: 10.8.0.1
-access-control: 10.8.0.1/24 allow
+		echo "server:
+interface: $VPN_NETWORK.1
+access-control: $VPN_NETWORK.1/24 allow
 hide-identity: yes
 hide-version: yes
 use-caps-for-id: yes
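Review bot: Switching the Arch `echo 'server: …'` block in hunk @@ -139 to double quotes collides with the `username: "unbound"` and `directory: "/etc/unbound"` context lines: inside a double-quoted string those inner quotes end and restart the shell string, so the file receives `username: unbound` and `directory: /etc/unbound` with the quotes stripped, and the block only holds together through the shell's quote concatenation. Unbound may still accept the unquoted values, but that is an accident rather than a contract. Either escape them, `username: \"unbound\"` and `directory: \"/etc/unbound\"`, or write the block as a `cat <<EOF … EOF >/etc/unbound/unbound.conf` here-document so `$VPN_NETWORK` expands without fighting the embedded quotes. The closing line of this string is in hunk @@ -155.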
@@ -195,7 +195,7 @@ private-address: 169.254.0.0/16
 private-address: fd00::/8
 private-address: fe80::/10
 private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
+private-address: ::ffff:0:0/96" >/etc/unbound/openvpn.conf
 		if [[ $IPV6_SUPPORT == 'y' ]]; then
 			echo 'interface: fd42:42:42:42::1
 access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
@@ -214,9 +214,16 @@ function installQuestions() {
 	echo "I need to ask you a few questions before starting the setup."
 	echo "You can leave the default options and just press enter if you are ok with them."
 	echo ""
+
+	echo "Please provide the VPN network prefix. If you are going to use 10.8.0.0/24, then type prefix 10.8.0"
+	until [[ $VPN_NETWORK =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){2}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+		echo "Format bust be like XXX.XXX.XXX"
+		VPN_NETWORK=${VPN_NETWORK:-10.8.0}
+		read -rp "VPN_NETWORK: " -e -i "$VPN_NETWORK" VPN_NETWORK
+	done
+
 	echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
 	echo "Unless your server is behind NAT, it should be your public IPv4 address."
-
 	# Detect public IPv4 address and pre-fill for the user
 	IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
 	if [[ -z $IP ]]; then
@@ -312,8 +319,9 @@ function installQuestions() {
 	echo "   11) AdGuard DNS (Anycast: worldwide)"
 	echo "   12) NextDNS (Anycast: worldwide)"
 	echo "   13) Custom"
-	until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
-		read -rp "DNS [1-12]: " -e -i 11 DNS
+	echo "   14) None"
+	until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 14 ]; do
+		read -rp "DNS [1-14]: " -e -i 11 DNS
 		if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
 			echo ""
 			echo "Unbound is already installed."
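Review bot: The validation loop added to installQuestions in hunk @@ -214 prints `Format bust be like XXX.XXX.XXX` on its first pass, before the user has typed anything, because an unset `$VPN_NETWORK` already fails the `until` test; the message is also misspelt. Print it only after a rejected entry, e.g. `[[ -n $VPN_NETWORK ]] && echo "Format must be like XXX.XXX.XXX"`, and keep the default assignment as it is. The regex checks only the dotted-triple shape, so prefixes such as `127.0.0` or `0.0.0`, or one that overlaps the server's own LAN, are accepted and then written into server.conf, unbound.conf and the iptables scripts; a follow-up check that the prefix lies in a private range (10/8, 172.16/12 or 192.168/16) would catch the common mistakes before anything is installed. installQuestions continues past this hunk.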
@@ -763,7 +771,7 @@ persist-key
 persist-tun
 keepalive 10 120
 topology subnet
-server 10.8.0.0 255.255.255.0
+server $VPN_NETWORK.0 255.255.255.0
 ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
 
 	# DNS resolvers
@@ -785,7 +793,7 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
 		done
 		;;
 	2) # Self-hosted DNS resolver (Unbound)
-		echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
+		echo 'push "dhcp-option DNS $VPN_NETWORK.1"' >>/etc/openvpn/server.conf
 		if [[ $IPV6_SUPPORT == 'y' ]]; then
 			echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf
 		fi
@@ -836,8 +844,13 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
 			echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
 		fi
 		;;
+	14) # No DNS
+		echo "No DNS push config"
+		;;
 	esac
-	echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
+	if (($DNS != 14)); then
+		echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
+	fi
 
 	# IPv6 network settings if needed
 	if [[ $IPV6_SUPPORT == 'y' ]]; then
@@ -949,7 +962,7 @@ verb 3" >>/etc/openvpn/server.conf
 
 	# Script to add rules
 	echo "#!/bin/sh
-iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
+iptables -t nat -I POSTROUTING 1 -s $VPN_NETWORK.0/24 -o $NIC -j MASQUERADE
 iptables -I INPUT 1 -i tun0 -j ACCEPT
 iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
 iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
@@ -965,7 +978,7 @@ ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptabl
 
 	# Script to remove rules
 	echo "#!/bin/sh
-iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
+iptables -t nat -D POSTROUTING -s $VPN_NETWORK.0/24 -o $NIC -j MASQUERADE
 iptables -D INPUT -i tun0 -j ACCEPT
 iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
 iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
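Review bot: The single quotes on the new line in hunk @@ -785, `echo 'push "dhcp-option DNS $VPN_NETWORK.1"'`, stop `$VPN_NETWORK` from expanding, so clients are pushed the literal string `$VPN_NETWORK.1` as their resolver and the self-hosted Unbound option silently stops working after this change. The custom-DNS branch a few lines further down already shows the working form, so this line should read `echo "push \"dhcp-option DNS $VPN_NETWORK.1\"" >>/etc/openvpn/server.conf`. The enclosing `case "$DNS"` statement starts before and ends after this hunk.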
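Review bot: In hunk @@ -836, choosing `14) None` now also drops `push "redirect-gateway def1 bypass-dhcp"`, so a user who only wanted "no DNS push" silently gets a split tunnel instead of routing all client traffic through the VPN; these are two separate decisions, and the option label added in hunk @@ -312 says nothing about the second one. Either state it in the label, `echo "   14) None (no DNS push, and no redirect-gateway: split tunnel)"`, or ask a separate yes/no question and keep the redirect-gateway push independent of the DNS choice. On style, `if (($DNS != 14)); then` is better written `if (( DNS != 14 )); then`: the `$` is not needed inside arithmetic, and with it an empty `DNS` would be a syntax error rather than evaluate to 0. The case statement starts before this hunk.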
@@ -1032,10 +1045,14 @@ tls-cipher $CC_CIPHER
 ignore-unknown-option block-outside-dns
 setenv opt block-outside-dns # Prevent Windows 10 DNS leak
 verb 3" >>/etc/openvpn/client-template.txt
-
 	if [[ $COMPRESSION_ENABLED == "y" ]]; then
 		echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
 	fi
+	if [[ "$CLIENT_TEMPLATE_APPEND" != "" ]]; then
+		echo "appending costum config CLIENT_TEMPLATE_APPEND to /etc/openvpn/client-template.txt ..."
+		echo "" >> /etc/openvpn/client-template.txt
+		echo "$CLIENT_TEMPLATE_APPEND" >> /etc/openvpn/client-template.txt
+	fi
 
 	# Generate the custom client.ovpn
 	newClient
@@ -1280,7 +1297,7 @@ function removeOpenVPN() {
 function manageMenu() {
 	echo "Welcome to OpenVPN-install!"
-	echo "The git repository is available at: https://github.com/angristan/openvpn-install"
+	echo "The git repository is available at: https://github.com/joaduo/openvpn-install"
 	echo ""
 	echo "It looks like OpenVPN is already installed."
 	echo ""
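Review bot: In hunk @@ -1032, `$CLIENT_TEMPLATE_APPEND` is read from the environment and appended verbatim to client-template.txt, which newClient then copies into every generated .ovpn, so any OpenVPN directive in that variable becomes client configuration with no review step and no record of what was added. The variable is new and undocumented in this hunk; the top-of-file usage comment should list it alongside the other environment variables, and the log line should show the appended text rather than just the variable name, e.g. `printf 'appending custom client config:\n%s\n' "$CLIENT_TEMPLATE_APPEND"` (this also fixes the `costum` typo). For the write itself prefer `printf '%s\n' "$CLIENT_TEMPLATE_APPEND" >>/etc/openvpn/client-template.txt`, since `echo` will misread a value that begins with `-n` or `-e`, and `[[ -n "$CLIENT_TEMPLATE_APPEND" ]]` is the idiomatic form of the test; the `>>` spacing should also match the surrounding lines. The enclosing function starts before this hunk.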