Add IPv6 NAT support (#238)

This commit is contained in:
Stanislas 2018-09-16 17:55:50 +02:00 committed by GitHub
parent 019da89be9
commit bfed14544e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 70 additions and 19 deletions

View File

@ -78,6 +78,7 @@ This fork includes the following features :
- Better encryption, see below
- Better DNS resolvers, see below
- Choice between TCP and UDP (UDP is still recommended)
- IPv6 (NATed) support
- Run server in [unprivileged mode](https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh#L426), reducing risks to the system
- [Block DNS leak on Windows 10](https://community.openvpn.net/openvpn/ticket/605)
- No comp-lzo, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)

View File

@ -280,6 +280,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
iptables-save > $IPTABLES
fi
iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
if [[ "$IPV6" = 'y' ]]; then
ip6tables -t nat -D POSTROUTING -o $NIC -s fd42:42:42:42::/112 -j MASQUERADE
fi
iptables-save > $IPTABLES
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
@ -357,6 +360,25 @@ else
# Autodetect IP address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
read -rp "IP address: " -e -i $IP IP
# If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo ""
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -rp "Public IP address / hostname: " -e PUBLICIP
fi
echo ""
echo "Checking for IPv6 connectivity..."
ping6 -c4 ipv6.google.com > /dev/null 2>&1;
echo ""
if [[ $? == 0 ]]; then
echo "Your host appears to have IPv6 connectivity."
else
echo "Your host does not appear to have IPv6 connectivity."
fi
echo ""
while [[ $IPV6 != "y" && $IPV6 != "n" ]]; do
read -rp "Do you want to enable IPv6 support? [y/n]: " -e IPV6
done
echo ""
echo "What port do you want for OpenVPN?"
echo " 1) Default: 1194"
@ -380,13 +402,6 @@ else
echo "Random Port: $PORT"
;;
esac
# If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo ""
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -rp "Public IP address / hostname: " -e PUBLICIP
fi
echo ""
echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
@ -523,13 +538,14 @@ else
read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then
apt-get update
apt-get install ca-certificates gnupg -y
# We add the OpenVPN repo to get the latest version.
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
apt-get update
fi
# Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
@ -658,7 +674,19 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
# Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf
echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf
if [[ "$IPV6" = 'n' ]]; then
if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf
fi
elif [[ "$IPV6" = 'y' ]]; then
if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp6" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp6" >> /etc/openvpn/server.conf
fi
fi
echo "dev tun
user nobody
group $NOGROUP
@ -721,8 +749,17 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;;
esac
echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf
echo "crl-verify crl.pem
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
if [[ "$IPV6" = 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
fi
echo "crl-verify crl.pem
ca ca.crt
cert $SERVER_NAME.crt
key $SERVER_NAME.key
@ -744,18 +781,19 @@ mkdir -p /var/log/openvpn
touch $SYSCTL
fi
# Enable net.ipv4.ip_forward for the system
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' $SYSCTL
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL
# Enable routing
echo 'net.ipv4.ip_forward=1' >> $SYSCTL
if [[ "$IPV6" = 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >> $SYSCTL
fi
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl --system
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
if [[ "$IPV6" = 'y' ]]; then
ip6tables -t nat -A POSTROUTING -o $NIC -s fd42:42:42:42::/112 -j MASQUERADE
fi
# Save persitent iptables rules
iptables-save > $IPTABLES
@ -788,7 +826,19 @@ mkdir -p /var/log/openvpn
# Save persitent OpenVPN rules
iptables-save > $IPTABLES
fi
if [[ "$IPV6" = 'y' ]]; then
if ip6tables -L -n | grep -qE 'REJECT|DROP'; then
if [[ "$PROTOCOL" = 'UDP' ]]; then
ip6tables -I INPUT -p udp --dport $PORT -j ACCEPT
elif [[ "$PROTOCOL" = 'TCP' ]]; then
ip6tables -I INPUT -p tcp --dport $PORT -j ACCEPT
fi
ip6tables -I FORWARD -s fd42:42:42:42::/112 -j ACCEPT
ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save persitent OpenVPN rules
iptables-save > $IPTABLES
fi
fi
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then