Merge branch 'master' into patch-7

Henry N 2020-04-07 21:43:36 +02:00 committed by GitHub
commit ac6d93b31e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 88 additions and 39 deletions

View File

@ -7,7 +7,7 @@ Before opening an issue, please make sure:
- Your issue is about the script, NOT OpenVPN itself - Your issue is about the script, NOT OpenVPN itself
- ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed - ⚠ PLEASE Post your OpenVPN version and OS for both the server and the client if needed
FYI, you can excute the script with `bash -x openvpn-install.sh` to enable debug mode. FYI, you can execute the script with `bash -x openvpn-install.sh` to enable debug mode.
You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/ You can format your comments with Markdown: https://guides.github.com/features/mastering-markdown/
---> --->

47
FAQ.md Normal file
View File

@ -0,0 +1,47 @@
# FAQ
**Q:** The script has been updated since I installed OpenVPN. How do I update?
**A:** You can't. Managing updates and new features from the script would require way too much work. Your only solution is to uninstall OpenVPN and reinstall with the updated script.
You can, of course, it's even recommended, update the `openvpn` package with your package manager.
---
**Q:** How do I check for DNS leaks?
**A:** Go to [dnsleaktest.com](https://dnsleaktest.com/) or [ipleak.net](https://ipleak.net/) with your browser. Only your server's IP should show up.
---
**Q:** Can I use an OpenVPN 2.3 client?
**A:** Yes. I really recommend using an up-to-date client, but if you really need it, choose the following options:
- No compression or LZ0
- RSA certificate
- DH Key
- AES CBC
- tls-auth
If your client is <2.3.3, remove `tls-version-min 1.2` from your `/etc/openvpn/server.conf` and `.ovpn` files.
---
**Q:** IPv6 is not working on my Hetzner VM
**A:** This an issue on their side. See https://angristan.xyz/fix-ipv6-hetzner-cloud/
---
**Q:** DNS is not working on my Linux client
**A:** Make sure the `resolvconf` package is installed. If it does not solve the issue, look at https://wiki.archlinux.org/index.php/OpenVPN#Update_systemd-resolved_script
---
**Q:** How to setup openVPN in a LXC container? (f.e. Proxmox)
**A:** See https://github.com/Nyr/openvpn-install/wiki/How-to-setup-openVPN-in-a-LXC-container-(f.e.-Proxmox)
---
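Review bot: In the "OpenVPN 2.3 client" answer, `LZ0` (with a zero) should read `LZO`, the name OpenVPN and the script's own compression option actually use; and the final line tells users to delete `tls-version-min 1.2` from both `server.conf` and the `.ovpn` files, which removes the minimum TLS version the server's control channel will accept from every client, not only the old one. Suggest keeping the instruction but stating that consequence next to it and tying it back to the "use an up-to-date client" recommendation at the top of the answer. Smaller fixes in the same file: "This an issue on their side" is missing "is", and "How to setup openVPN" should be "How to set up OpenVPN" in the question text (the wiki URL stays as it is).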

View File

@ -33,7 +33,9 @@ When OpenVPN is installed, you can run the script again, and you will get the ch
In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client. In your home directory, you will have `.ovpn` files. These are the client configuration files. Download them from your server and connect using your favorite OpenVPN client.
If you have any question, head to the [FAQ](#faq) first. If you have any question, head to the [FAQ](#faq) first. Please read everything before opening an issue.
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you. My time is not available for free just for you, you're not special.
### Headless install ### Headless install
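Review bot: The sentence moved up into this section still carries the typo "do net send me" from the old FAQ text; since it is being relocated anyway, change "net" to "not" here and drop the old copy in the FAQ hunk. Also, "head to the [FAQ](#faq) first" links only to the README's own heading, while the new text sends readers to FAQ.md for the longer list; linking both in this sentence would keep "read everything" actionable.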
@ -134,9 +136,7 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
## FAQ ## FAQ
**LOOK AT THE [WIKI](https://github.com/angristan/openvpn-install/wiki/FAQ) FOR MORE INFORMATION. PLEASE READ BOTH BEFORE OPENING AN ISSUE.** More Q&A in [FAQ.md](FAQ.md).
**PLEASE do net send me emails or private messages asking for help.** The only place to get help is the issues. Other people may be able to help and in the future, other users may also run into the same issue as you.
**Q:** Which provider do you recommend? **Q:** Which provider do you recommend?
@ -172,6 +172,8 @@ Since 2016, the two scripts have diverged and are not alike anymore, especially
--- ---
More Q&A in [FAQ.md](FAQ.md).
## One-stop solutions for public cloud ## One-stop solutions for public cloud
Solutions that provision a ready to use OpenVPN server based on this script in one go are available for: Solutions that provision a ready to use OpenVPN server based on this script in one go are available for:
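Review bot: "More Q&A in [FAQ.md](FAQ.md)." is now added twice in this file, once directly under the `## FAQ` heading in the previous hunk and again here just before "One-stop solutions for public cloud". Keep a single copy, preferably the one under the heading, so the pointer does not bracket both ends of the FAQ section.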

View File

@ -31,7 +31,7 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
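Review bot: Inside `[[ ... ]]`, `=` and `==` are the same string-equality operator in bash, so this hunk and the other `==` replacements throughout the script change style only, not behaviour. Consistency is fine, but it makes this merge noisier to review than the functional changes it also carries (the Unbound restart move, the DNS case comments); if the motivation is a linter or a style rule, stating that in the commit message would help future readers.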
@ -46,7 +46,7 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
@ -54,10 +54,10 @@ function checkOS () {
elif [[ -e /etc/system-release ]]; then elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091 # shellcheck disable=SC1091
source /etc/os-release source /etc/os-release
if [[ "$ID" = "fedora" ]]; then if [[ "$ID" == "fedora" ]]; then
OS="fedora" OS="fedora"
fi fi
if [[ "$ID" = "centos" ]]; then if [[ "$ID" == "centos" ]]; then
OS="centos" OS="centos"
if [[ ! $VERSION_ID =~ (7|8) ]]; then if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported." echo "⚠️ Your version of CentOS is not supported."
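Review bot: `[[ ! $VERSION_ID =~ (7|8) ]]` is an unanchored regex, so any `VERSION_ID` that merely contains a 7 or an 8 passes the supported-version check; anchoring it as `^(7|8)$` makes it accept only the two versions the error message claims to support. The surrounding context also tests for `/etc/system-release` but then sources `/etc/os-release`; both files exist on the distributions handled here, but the mismatch deserves a comment so nobody "fixes" one side without the other.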
@ -67,7 +67,7 @@ function checkOS () {
exit 1 exit 1
fi fi
fi fi
if [[ "$ID" = "amzn" ]]; then if [[ "$ID" == "amzn" ]]; then
OS="amzn" OS="amzn"
if [[ ! $VERSION_ID == "2" ]]; then if [[ ! $VERSION_ID == "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported." echo "⚠️ Your version of Amazon Linux is not supported."
@ -269,7 +269,7 @@ function installQuestions () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
done done
if [[ $CONTINUE = "n" ]];then if [[ $CONTINUE == "n" ]];then
# Break the loop and cleanup # Break the loop and cleanup
unset DNS unset DNS
unset CONTINUE unset CONTINUE
@ -566,7 +566,7 @@ function installOpenVPN () {
# Get the "public" interface from the default route # Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
fi fi
@ -578,7 +578,7 @@ function installOpenVPN () {
until [[ $CONTINUE =~ (y|n) ]]; do until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE read -rp "Continue? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" == "n" ]]; then
exit 1 exit 1
fi fi
fi fi
@ -587,27 +587,27 @@ function installOpenVPN () {
apt-get update apt-get update
apt-get -y install ca-certificates gnupg apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
if [[ "$VERSION_ID" = "8" ]]; then if [[ "$VERSION_ID" == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
if [[ "$VERSION_ID" = "16.04" ]]; then if [[ "$VERSION_ID" == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
apt-get install -y openvpn iptables openssl wget ca-certificates curl apt-get install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" == 'centos' ]]; then
yum install -y epel-release yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
elif [[ "$OS" = 'amzn' ]]; then elif [[ "$OS" == 'amzn' ]]; then
amazon-linux-extras install -y epel amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl dnf install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
# Install required dependencies and upgrade the system # Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi fi
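Review bot: `wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -`, run in both the Debian 8 and Ubuntu 16.04 branches, installs the OpenVPN repository key into apt's global keyring, where it is trusted for every configured source rather than just `build.openvpn.net`; `apt-key` is also deprecated. Writing the dearmored key to its own file under `/etc/apt/trusted.gpg.d/` avoids `apt-key`, and where the installed apt supports it, a `[signed-by=...]` option on the `deb` line scopes the key to this repository alone. The `deb http://build.openvpn.net/...` line also fetches metadata over plain HTTP; release signatures still protect integrity, but HTTPS, if the mirror offers it, removes that exposure. Minor: the two branches differ only in the codename and could be one block with a variable.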
@ -687,9 +687,9 @@ function installOpenVPN () {
# Generate server.conf # Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf echo "port $PORT" > /etc/openvpn/server.conf
if [[ "$IPV6_SUPPORT" = 'n' ]]; then if [[ "$IPV6_SUPPORT" == 'n' ]]; then
echo "proto $PROTOCOL" >> /etc/openvpn/server.conf echo "proto $PROTOCOL" >> /etc/openvpn/server.conf
elif [[ "$IPV6_SUPPORT" = 'y' ]]; then elif [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf
fi fi
@ -705,7 +705,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
# DNS resolvers # DNS resolvers
case $DNS in case $DNS in
1) 1) # Current system resolvers
# Locate the proper resolv.conf # Locate the proper resolv.conf
# Needed for systems running systemd-resolved # Needed for systems running systemd-resolved
if grep -q "127.0.0.53" "/etc/resolv.conf"; then if grep -q "127.0.0.53" "/etc/resolv.conf"; then
@ -718,7 +718,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done done
;; ;;
2) 2) # Self-hosted DNS resolver (Unbound)
echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf
;; ;;
3) # Cloudflare 3) # Cloudflare
@ -771,7 +771,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
# IPv6 network settings if needed # IPv6 network settings if needed
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112 echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6 tun-ipv6
push tun-ipv6 push tun-ipv6
@ -817,7 +817,7 @@ verb 3" >> /etc/openvpn/server.conf
# Enable routing # Enable routing
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.d/20-openvpn.conf
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
fi fi
# Apply sysctl rules # Apply sysctl rules
@ -833,7 +833,7 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
# Finally, restart and enable OpenVPN # Finally, restart and enable OpenVPN
if [[ "$OS" = 'arch' || "$OS" = 'fedora' || "$OS" = 'centos' ]]; then if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then
# Don't modify package-provided service # Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@ -883,7 +883,7 @@ iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
@ -898,7 +898,7 @@ iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" = 'y' ]]; then if [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
@ -935,10 +935,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'udp' ]]; then if [[ "$PROTOCOL" == 'udp' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt echo "proto udp" >> /etc/openvpn/client-template.txt
echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" = 'tcp' ]]; then elif [[ "$PROTOCOL" == 'tcp' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt echo "proto tcp-client" >> /etc/openvpn/client-template.txt
fi fi
echo "remote $IP $PORT echo "remote $IP $PORT
@ -1052,7 +1052,7 @@ function newClient () {
function revokeClient () { function revokeClient () {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then if [[ "$NUMBEROFCLIENTS" == '0' ]]; then
echo "" echo ""
echo "You have no existing clients!" echo "You have no existing clients!"
exit 1 exit 1
@ -1061,7 +1061,7 @@ function revokeClient () {
echo "" echo ""
echo "Select the existing client certificate you want to revoke" echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then if [[ "$NUMBEROFCLIENTS" == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER read -rp "Select one client [1]: " CLIENTNUMBER
else else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
@ -1090,7 +1090,6 @@ function removeUnbound () {
# Remove OpenVPN-related config # Remove OpenVPN-related config
sed -i '/include: \/etc\/unbound\/unbound\.conf\.d\/openvpn\.conf/d' /etc/unbound/unbound.conf sed -i '/include: \/etc\/unbound\/unbound\.conf\.d\/openvpn\.conf/d' /etc/unbound/unbound.conf
rm /etc/unbound/unbound.conf.d/openvpn.conf rm /etc/unbound/unbound.conf.d/openvpn.conf
systemctl restart unbound
until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
echo "" echo ""
@ -1098,17 +1097,17 @@ function removeUnbound () {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done done
if [[ "$REMOVE_UNBOUND" = 'y' ]]; then if [[ "$REMOVE_UNBOUND" == 'y' ]]; then
# Stop Unbound # Stop Unbound
systemctl stop unbound systemctl stop unbound
if [[ "$OS" =~ (debian|ubuntu) ]]; then if [[ "$OS" =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y unbound apt-get autoremove --purge -y unbound
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
pacman --noconfirm -R unbound pacman --noconfirm -R unbound
elif [[ "$OS" =~ (centos|amzn) ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y unbound yum remove -y unbound
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf remove -y unbound dnf remove -y unbound
fi fi
@ -1117,6 +1116,7 @@ function removeUnbound () {
echo "" echo ""
echo "Unbound removed!" echo "Unbound removed!"
else else
systemctl restart unbound
echo "" echo ""
echo "Unbound wasn't removed." echo "Unbound wasn't removed."
fi fi
@ -1126,7 +1126,7 @@ function removeOpenVPN () {
echo "" echo ""
# shellcheck disable=SC2034 # shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [[ "$REMOVE" == 'y' ]]; then
# Get OpenVPN port from the configuration # Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
@ -1170,11 +1170,11 @@ function removeOpenVPN () {
rm /etc/apt/sources.list.d/openvpn.list rm /etc/apt/sources.list.d/openvpn.list
apt-get update apt-get update
fi fi
elif [[ "$OS" = 'arch' ]]; then elif [[ "$OS" == 'arch' ]]; then
pacman --noconfirm -R openvpn pacman --noconfirm -R openvpn
elif [[ "$OS" =~ (centos|amzn) ]]; then elif [[ "$OS" =~ (centos|amzn) ]]; then
yum remove -y openvpn yum remove -y openvpn
elif [[ "$OS" = 'fedora' ]]; then elif [[ "$OS" == 'fedora' ]]; then
dnf remove -y openvpn dnf remove -y openvpn
fi fi