Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2024-12-04 22:45:32 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1 from hybtoy/openvpn-2.4-update

Browse Source 
Openvpn 2.4 update
This commit is contained in:
hybtoy 2017-09-28 16:36:49 +05:00 committed by GitHub
commit ac1afd1c64
2 changed files with 467 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
README.md
View File

@ -1,4 +1,4 @@
## openvpn-install
## OpenVPN-install
Secure OpenVPN installer for Debian, Ubuntu, CentOS and Arch Linux.
This script will let you setup your own secure VPN server in just a few minutes.
@ -12,6 +12,8 @@ Here is a preview of the installer :
**You have to enable the TUN module otherwise OpenVPN won't work.** Ask your host if you don't know how to do it. If the TUN module is not enabled, the script will warn you and exit.
You can get a cheap VPS to run this script for $2.50/month worldwide at [Vultr](https://goo.gl/Xyd1Sc) or 3€/month for unlimited bandwidth in France at [PulseHeberg](https://goo.gl/oBhgaj).
First, get the script and make it executable :
```
@ -48,23 +50,27 @@ On the client-side, it's less problematic, but if you want to use an OpenVPN ser
## Compatibility
The script is made to work on these OS :
- Debian 7
- Debian 8
- Ubuntu 12.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 16.10
- CentOS 6
- CentOS 7
- Arch Linux
| | i386 | amd64 | armhf | arm64 |
|:------------:|:----:|:-----:|:-----:|:-----:|
| Debian 8 | ✔️ | ✔️ | ❌ | ❌ |
| Debian 9 | ✔️ | ✔️ | ✔️ | ✔️ |
| Ubuntu 14.04 | ✔️ | ✔️ | ❌ | ❌ |
| Ubuntu 16.04 | ✔️ | ✔️ | ❌ | ❌ |
| Ubuntu 17.04 | ✔️ | ✔️ | ✔️ | ✔️ |
| CentOS 6 | ✔️ | ✔️ | ❔ | ❔ |
| CentOS 7 | ✔️ | ✔️ | ✔️ | ❔ |
| Arch Linux | ✔️ | ✔️ | ❔ | ❌[(❔)](https://github.com/Angristan/OpenVPN-install/issues/99) |
- ✔️ = tested and compatible
- ❔ = untested
- ❌ = tested and not compatible
(It should also work on Debian unstable/testing and Ubuntu beta).
If your're using an Ubuntu version that is not supported by the script, be aware that it's not supported by Ubuntu either, thus it's insecure.
You can get a cheap VPS to run this script for 3€/month at [PulseHeberg](https://goo.gl/oBhgaj).
## Features
This fork includes the following features :
@ -79,7 +85,7 @@ This fork includes the following features :
- Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
- Other improvements !
##DNS
## DNS
The script will ask you which DNS resolvers you want to use when connected to the VPN.
@ -90,6 +96,7 @@ Here are the possibilities :
- [DNS.WATCH DNS Servers](https://dns.watch/index), recommended if you're in western europe (Germany)
- [OpenDNS](https://en.wikipedia.org/wiki/OpenDNS), not recommened but fast wordlwide (Anycast servers)
- [Google Public DNS](https://en.wikipedia.org/wiki/Google_Public_DNS), not recommended, but fast worldwide (Anycast servers)
- [Yandex Basic DNS](https://dns.yandex.com/), not recommended, but fast in Russia
- Soon : local resolver :D
Any other fast, trustable and neutral servers proposition is welcome.
@ -177,7 +184,7 @@ To quote the [OpenVPN documentation](https://community.openvpn.net/openvpn/wiki/
>Of the currently supported ciphers, OpenVPN currently recommends using AES-256-CBC or AES-128-CBC. OpenVPN 2.4 and newer will also support GCM. For 2.4+, we recommend using AES-256-GCM or AES-128-GCM.
Of course I will update the script to add AES-GCM mode (as weel as ECDH and ECDSA) as soon as OpenVPN 2.4 is released.
Of course I will update the script to add AES-GCM mode (as well as ECDH and ECDSA) as soon as OpenVPN 2.4 is released.
For now, these cipher are available in the setup :

540
openvpn-install.sh
View File

@ -24,14 +24,14 @@ if [[ -e /etc/debian_version ]]; then
# Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]]; then
SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install OpenVPN 2.4 on your system."
echo "I can't install a recent version of OpenVPN on your system."
echo ""
echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
echo "then you can continue, this version of OpenVPN is available on these."
echo "Keep in mind these releases are not supported, though."
echo "then you can continue, a recent version of OpenVPN is available on these."
echo "Keep in mind they are not supported, though."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e CONTINUE
done
@ -43,29 +43,50 @@ if [[ -e /etc/debian_version ]]; then
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos
RCLOCAL='/etc/rc.d/rc.local'
SYSCTL='/etc/sysctl.conf'
# Needed for CentOS 7
chmod +x /etc/rc.d/rc.local
elif [[ -e /etc/arch-release ]]; then
OS=arch
RCLOCAL='/etc/rc.local'
SYSCTL='/etc/sysctl.d/openvpn.conf'
else
echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system"
echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
exit 4
fi
newclient () {
# Where to write the custom client.ovpn?
if [ -e /home/$1 ]; then # if $1 is a user name
homeDir="/home/$1"
elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root
homeDir="/root"
fi
# Generates the custom client.ovpn
# We put everything in the client file
cp /etc/openvpn/client-template.txt ~/$1.ovpn
echo "<ca>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
echo "</ca>" >> ~/$1.ovpn
echo "<cert>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
echo "</cert>" >> ~/$1.ovpn
echo "<key>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
echo "</key>" >> ~/$1.ovpn
echo "<tls-crypt>" >> ~/$1.ovpn
cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn
echo "</tls-crypt>" >> ~/$1.ovpn
cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
echo "<ca>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
echo "</ca>" >> $homeDir/$1.ovpn
echo "<cert>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
echo "</cert>" >> $homeDir/$1.ovpn
echo "<key>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
echo "</key>" >> $homeDir/$1.ovpn
#We verify if we used tls-crypt or tls-auth during the installation
TLS_SIG=$(cat /etc/openvpn/TLS_SIG)
if [[ $TLS_SIG == "1" ]]; then
echo "<tls-crypt>" >> ~/$1.ovpn
cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn
echo "</tls-crypt>" >> ~/$1.ovpn
elif [[ $TLS_SIG == "2" ]]; then
echo "key-direction 1" >> $homeDir/$1.ovpn
echo "<tls-auth>" >> $homeDir/$1.ovpn
cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
echo "</tls-auth>" >> $homeDir/$1.ovpn
fi
}
# Try to get our IP from the system and fallback to the Internet.
@ -75,6 +96,8 @@ IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,
if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com)
fi
# Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
if [[ -e /etc/openvpn/server.conf ]]; then
while :
@ -101,7 +124,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
# Generates the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
exit
;;
2)
@ -128,6 +151,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
rm -rf pki/issued/$CLIENT.crt
rm -rf /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
echo ""
echo "Certificate for client $CLIENT revoked"
echo "Exiting..."
@ -159,7 +183,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
fi
fi
if [[ "$OS" = 'debian' ]]; then
apt-get remove --purge -y openvpn openvpn-blacklist
apt-get autoremove --purge -y openvpn
elif [[ "$OS" = 'arch' ]]; then
pacman -R openvpn --noconfirm
else
yum remove openvpn -y
fi
@ -193,21 +219,260 @@ else
read -p "Port: " -e -i 1194 PORT
echo ""
echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (slower)"
while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
echo " 1) UDP (recommended)"
echo " 2) TCP"
while [[ $PROTOCOL != "1" && $PROTOCOL != "2" ]]; do
read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
done
echo ""
echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers (/etc/resolv.conf)"
echo " 1) Current system resolvers (in /etc/resolv.conf)"
echo " 2) FDN (France)"
echo " 3) DNS.WATCH (Germany)"
echo " 4) OpenDNS (Anycast: worldwide)"
echo " 5) Google (Anycast: worldwide)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" ]]; do
read -p "DNS [1-5]: " -e -i 2 DNS
echo " 6) Yandex Basic (Russia)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" ]]; do
read -p "DNS [1-6]: " -e -i 1 DNS
done
echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
echo "the encryption in OpenVPN and the choices proposed in this script."
echo "Please note that all the choices proposed are secure enough considering today's strandards, unlike some default OpenVPN options"
echo "You can just type "enter" if you don't know what to choose."
echo "Note that if you want to use an OpenVPN 2.3 client, You'll have to choose OpenVPN 2.3-compatible options."
echo "All OpenVPN 2.3-compatible choices are specified for each following option."
echo ""
echo "Choose which cipher you want to use for the data channel:"
echo " 1) AES-128-GCM (recommended)"
echo " 2) AES-192-GCM"
echo " 3) AES-256-GCM"
echo "Only use AES-CBC for OpenVPN 2.3 compatibilty"
echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do
read -p "Data channel cipher [1-6]: " -e -i 1 CIPHER
done
case $CIPHER in
1)
CIPHER="cipher AES-128-GCM"
;;
2)
CIPHER="cipher AES-192-GCM"
;;
3)
CIPHER="cipher AES-256-GCM"
;;
4)
CIPHER="cipher AES-128-CBC"
;;
5)
CIPHER="cipher AES-192-CBC"
;;
6)
CIPHER="cipher AES-256-CBC"
;;
esac
echo ""
echo "Choose what kind of certificate you want to use:"
echo "Elleptic Curves keys (EC) are recommended, they're faster, lighter and more secure."
echo "Use RSA for OpenVPN 2.3 compatibilty"
echo " 1) ECDSA (recommended)"
echo " 2) RSA"
while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do
read -p "Certificate type [1-2]: " -e -i 1 CERT_TYPE
done
case $CERT_TYPE in
1)
echo ""
echo "Choose which curve you want to use for the EC key:"
echo " 1) secp256r1"
echo " 2) secp384r1 (recommended)"
echo " 3) secp521r1"
while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do
read -p "Curve [1-3]: " -e -i 2 CERT_CURVE
done
case $CERT_CURVE in
1)
CERT_CURVE="secp256r1"
;;
2)
CERT_CURVE="secp384r1"
;;
3)
CERT_CURVE="secp521r1"
;;
esac
;;
2)
echo ""
echo "Choose which RSA key size you want to use:"
echo " 1) 2048 bits"
echo " 2) 3072 bits (recommended)"
echo " 3) 4096 bits"
while [[ $RSA_SIZE != "1" && $RSA_SIZE != "2" && $RSA_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 RSA_SIZE
done
case $RSA_SIZE in
1)
RSA_SIZE="2048"
;;
2)
RSA_SIZE="3072"
;;
3)
RSA_SIZE="4096"
;;
esac
;;
esac
echo ""
echo "Choose which hash algorithm you want to use for the certificate:"
echo " 1) SHA-256"
echo " 2) SHA-384 (recommended)"
echo " 3) SHA-512"
while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do
read -p "Hash algorithm [1-3]: " -e -i 2 CERT_HASH
done
case $CERT_HASH in
1)
CERT_HASH="sha256"
;;
2)
CERT_HASH="sha384"
;;
3)
CERT_HASH="sha512"
;;
esac
echo ""
echo "Choose what kind of Diffie-Hellman key you want to use."
echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
echo "Use DH for OpenVPN 2.3 compatibilty"
echo " 1) ECDH (recommended)"
echo " 2) DH"
while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
read -p "DH key type [1-2]: " -e -i 1 DH_TYPE
done
case $DH_TYPE in
1)
echo ""
echo "Choose which curve you want to use for the ECDH key"
echo " 1) secp256r1"
echo " 2) secp384r1 (recommended)"
echo " 3) secp521r1"
while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
read -p "Curve [1-3]: " -e -i 2 DH_CURVE
done
case $DH_CURVE in
1)
DH_CURVE="secp256r1"
;;
2)
DH_CURVE="secp384r1"
;;
3)
DH_CURVE="secp521r1"
;;
esac
;;
2)
echo""
echo "Choose which DH key size you want to use"
echo " 1) 2048 bits"
echo " 2) 3072 bits (recommended)"
echo " 3) 4096 bits"
while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
done
case $DH_SIZE in
1)
DH_SIZE="2048"
;;
2)
DH_SIZE="3072"
;;
3)
DH_SIZE="4096"
;;
esac
;;
esac
echo ""
echo "Choose which cipher you want to use for the control channel:"
if [[ "$CERT_TYPE" = '1' ]]; then
echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
;;
2)
CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
;;
esac
elif [[ "$CERT_TYPE" = '2' ]]; then
echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
echo " 3) DHE-RSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" && $CC_ENC != "3" ]]; do
read -p "Control channel cipher [1-3]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
CC_ENC="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
;;
2)
CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
;;
3)
CC_ENC="TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"
;;
esac
fi
echo ""
echo "Do you want to use tls-crypt or tls-auth?"
echo "They both encrypt and authenticate all control channel packets with a key."
echo "tls-crypt is more advanced and secure than tls-auth, but it's an OpenVPN 2.4 feature."
echo " 1) tls-crypt (recommended)"
echo " 2) tls-auth (use only for OpenVPN 2.3 client compatibility)"
while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
read -p "Crontrol channel additional security layer [1-2]: " -e -i 1 TLS_SIG
done
echo""
if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then
echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
elif [[ $CIPHER = "cipher AES-256-CBC" ]] || [[ $CIPHER = "cipher AES-192-CBC" ]] || [[ $CIPHER = "cipher AES-128-CBC" ]]; then
echo "Choose which message digest algorithm you want to use for the data channel packets"
echo "and the tls-auth/tls-crypt control channel packets:"
fi
echo " 1) SHA-224"
echo " 2) SHA-256"
echo " 3) SHA-384 (recommended)"
echo " 4) SHA-512"
while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" && $HMAC_AUTH != "4" ]]; do
read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH
done
case $HMAC_AUTH in
1)
HMAC_AUTH="SHA224"
;;
2)
HMAC_AUTH="SHA256"
;;
3)
HMAC_AUTH="SHA384"
;;
4)
HMAC_AUTH="SHA512"
;;
esac
echo ""
echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do
echo "Please, use one word only, no special characters"
@ -220,44 +485,76 @@ else
if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates -y
# We add the OpenVPN repo to get the latest version.
# Debian 7
if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 wheezy main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 jessie main" > /etc/apt/sources.list.d/openvpn.list
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
fi
# Ubuntu 12.04
if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 precise main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 trusty main" > /etc/apt/sources.list.d/openvpn.list
elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu 16.04
if [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 xenial main" > /etc/apt/sources.list.d/openvpn.list
elif [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Then we install OpenVPN
# Ubuntu >= 17.04 and Debian > 9 have OpenVPN 2.4 without the need of a third party repository.
# The we install OpenVPN
apt-get update
apt-get install openvpn iptables openssl wget ca-certificates curl -y
else
# Else, the distro is CentOS
elif [[ "$OS" = 'centos' ]]; then
yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y
else
# Else, the distro is ArchLinux
echo ""
echo ""
echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
echo "Not doing that could cause problems between dependencies, or missing files in repositories."
echo ""
echo "Continuing will update your installed packages and install needed ones."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e -i y CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !"
exit 4
fi
if [[ "$OS" = 'arch' ]]; then
# Install rc.local
echo "[Unit]
Description=/etc/rc.local compatibility
[Service]
Type=oneshot
ExecStart=/etc/rc.local
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
chmod +x /etc/rc.local
systemctl enable rc-local.service
if ! grep '#!' $RCLOCAL; then
echo "#!/bin/bash" > $RCLOCAL
fi
fi
# Install dependencies
pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
if [[ "$OS" = 'arch' ]]; then
touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
systemctl enable iptables
systemctl start iptables
fi
fi
#To remember if we use tls-crypt or tls-auth when generating a new client conf
echo $TLS_SIG > /etc/openvpn/TLS_SIG
# Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup
@ -270,34 +567,49 @@ else
rm -rf /etc/openvpn/easy-rsa/
fi
# Get easy-rsa
wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
tar xzf ~/EasyRSA-3.0.1.tgz -C ~/
mv ~/EasyRSA-3.0.1/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.1/ /etc/openvpn/easy-rsa/
wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
mv ~/EasyRSA-3.0.3/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.1.tgz
rm -rf ~/EasyRSA-3.0.3.tgz
cd /etc/openvpn/easy-rsa/
echo 'set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE sect571r1
set_var EASYRSA_DIGEST "sha512"' > vars
if [[ $CERT_TYPE == "1" ]]; then
echo "set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE $CERT_CURVE" > vars
elif [[ $CERT_TYPE == "2" ]]; then
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
fi
echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then
openssl dhparam -out dh.pem $DH_SIZE
fi
./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass
./easyrsa gen-crl
# Generate tls-crypt key
openvpn --genkey --secret /etc/openvpn/tls-crypt.key
if [[ $TLS_SIG == "1" ]]; then
# Generate tls-crypt key
openvpn --genkey --secret /etc/openvpn/tls-crypt.key
elif [[ $TLS_SIG == "2" ]]; then
# Generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
fi
# Move all the generated files
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
if [[ $DH_TYPE == "2" ]]; then
cp dh.pem /etc/openvpn
fi
# Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf
if [[ "$PROTOCOL" = 'UDP' ]]; then
if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
elif [[ "$PROTOCOL" = '2' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf
fi
echo "dev tun
@ -333,46 +645,65 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;;
6) #Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
;;
esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-crypt tls-crypt.key 0
dh none
ecdh-curve sect571r1
auth SHA512
cipher AES-256-GCM
key server.key" >> /etc/openvpn/server.conf
if [[ $TLS_SIG == "1" ]]; then
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
elif [[ $TLS_SIG == "2" ]]; then
echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
fi
if [[ $DH_TYPE == "1" ]]; then
echo "dh none
ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf
elif [[ $DH_TYPE == "2" ]]; then
echo "dh dh.pem" >> /etc/openvpn/server.conf
fi
echo "auth $HMAC_AUTH
$CIPHER
ncp-disable
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-cipher $CC_ENC
status openvpn.log
verb 3" >> /etc/openvpn/server.conf
# Create the sysctl configuration file if needed (mainly for Arch Linux)
if [[ ! -e /etc/sysctl.conf ]]; then
touch /etc/sysctl.conf
if [[ ! -e $SYSCTL ]]; then
touch $SYSCTL
fi
# Enable net.ipv4.ip_forward for the system
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' $SYSCTL
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL
fi
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
# Needed to use rc.local with some systemd distros
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
echo '#!/bin/sh -e
exit 0' > $RCLOCAL
fi
chmod +x $RCLOCAL
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL
if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to
# avoid a firewalld reload.
if [[ "$PROTOCOL" = 'UDP' ]]; then
if [[ "$PROTOCOL" = '1' ]]; then
firewall-cmd --zone=public --add-port=$PORT/udp
firewall-cmd --permanent --zone=public --add-port=$PORT/udp
elif [[ "$PROTOCOL" = 'TCP' ]]; then
elif [[ "$PROTOCOL" = '2' ]]; then
firewall-cmd --zone=public --add-port=$PORT/tcp
firewall-cmd --permanent --zone=public --add-port=$PORT/tcp
fi
@ -383,16 +714,16 @@ verb 3" >> /etc/openvpn/server.conf
# If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't
# cause problems.
if [[ "$PROTOCOL" = 'UDP' ]]; then
if [[ "$PROTOCOL" = '1' ]]; then
iptables -I INPUT -p udp --dport $PORT -j ACCEPT
elif [[ "$PROTOCOL" = 'TCP' ]]; then
elif [[ "$PROTOCOL" = '2' ]]; then
iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
fi
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
if [[ "$PROTOCOL" = 'UDP' ]]; then
if [[ "$PROTOCOL" = '1' ]]; then
sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
elif [[ "$PROTOCOL" = 'TCP' ]]; then
elif [[ "$PROTOCOL" = '2' ]]; then
sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL
fi
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
@ -406,9 +737,9 @@ verb 3" >> /etc/openvpn/server.conf
if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y
fi
if [[ "$PROTOCOL" = 'UDP' ]]; then
if [[ "$PROTOCOL" = '1' ]]; then
semanage port -a -t openvpn_port_t -p udp $PORT
elif [[ "$PROTOCOL" = 'TCP' ]]; then
elif [[ "$PROTOCOL" = '2' ]]; then
semanage port -a -t openvpn_port_t -p tcp $PORT
fi
fi
@ -418,14 +749,33 @@ verb 3" >> /etc/openvpn/server.conf
if [[ "$OS" = 'debian' ]]; then
# Little hack to check for systemd
if pgrep systemd-journal; then
systemctl restart openvpn@server.service
if [[ "$VERSION_ID" = 'VERSION_ID="9"' ]]; then
#Workaround to fix OpenVPN service on Debian 9 OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn-server\@.service
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn-server\@.service
sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn-server\@.service
systemctl daemon-reload
systemctl restart openvpn-server@openvpn.service
systemctl enable openvpn-server@openvpn.service
else
systemctl restart openvpn@server.service
fi
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
if [[ "$OS" = 'arch' ]]; then
#Workaround to avoid rewriting the entire script for Arch
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
systemctl daemon-reload
systemctl restart openvpn-server@openvpn.service
systemctl enable openvpn-server@openvpn.service
else
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
fi
else
service openvpn restart
chkconfig openvpn on
@ -447,9 +797,9 @@ verb 3" >> /etc/openvpn/server.conf
fi
# client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'UDP' ]]; then
if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" = 'TCP' ]]; then
elif [[ "$PROTOCOL" = '2' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt
fi
echo "remote $IP $PORT
@ -459,11 +809,11 @@ nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
auth $HMAC_AUTH
$CIPHER
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
tls-cipher $CC_ENC
setenv opt block-outside-dns
verb 3" >> /etc/openvpn/client-template.txt
@ -472,7 +822,7 @@ verb 3" >> /etc/openvpn/client-template.txt
echo ""
echo "Finished!"
echo ""
echo "Your client config is available at ~/$CLIENT.ovpn"
echo "Your client config is available at $homeDir/$CLIENT.ovpn"
echo "If you want to add more clients, you simply need to run this script another time!"
fi
exit 0;