From 1be7733c0b13bd3b5a257ca47a960c7b1ae8d727 Mon Sep 17 00:00:00 2001 From: DrXala Date: Sun, 16 Jul 2017 12:55:09 +0200 Subject: [PATCH 1/8] Install iptables systemd service for Debian, Ubuntu and Centos. Fix iptables install for ArchLinux. --- openvpn-install.sh | 67 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 66 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3bcd725..0211023 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -23,6 +23,7 @@ if [[ -e /etc/debian_version ]]; then OS="debian" # Getting the version number, to verify that a recent version of OpenVPN is available VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") + IPTABLES='/etc/iptables/iptables.rules' RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.conf' if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then @@ -42,12 +43,14 @@ if [[ -e /etc/debian_version ]]; then fi elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then OS=centos + IPTABLES='/etc/iptables/iptables.rules' RCLOCAL='/etc/rc.d/rc.local' SYSCTL='/etc/sysctl.conf' # Needed for CentOS 7 chmod +x /etc/rc.d/rc.local elif [[ -e /etc/arch-release ]]; then OS=arch + IPTABLES='/etc/iptables/iptables.rules' RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.d/openvpn.conf' else 
@@ -338,9 +341,71 @@ else # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository. # The we install OpenVPN apt-get install openvpn iptables openssl wget ca-certificates curl -y + # Install iptables service + if [[ ! -e /etc/systemd/system/iptables.service ]]; then + mkdir /etc/iptables + iptables-save > /etc/iptables/iptables.rules + echo "#!/bin/sh +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -P INPUT ACCEPT +iptables -P FORWARD ACCEPT +iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh + chmod +x /etc/iptables/flush-iptables.sh + echo "[Unit] +Description=Packet Filtering Framework +DefaultDependencies=no +After=systemd-sysctl.service +Before=sysinit.target +[Service] +Type=oneshot +ExecStart=/sbin/iptables-restore < /etc/iptables/iptables.rules +ExecReload=/sbin/iptables-restore < /etc/iptables/iptables.rules +ExecStop=/etc/iptables/flush-iptables.sh +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target" > /etc/systemd/system/iptables.service + systemctl daemon-reload + systemctl enable iptables.service + fi elif [[ "$OS" = 'centos' ]]; then yum install epel-release -y yum install openvpn iptables openssl wget ca-certificates curl -y + # Install iptables service + if [[ ! 
-e /etc/systemd/system/iptables.service ]]; then + mkdir /etc/iptables + iptables-save > /etc/iptables/iptables.rules + echo "#!/bin/sh +iptables -F +iptables -X +iptables -t nat -F +iptables -t nat -X +iptables -t mangle -F +iptables -t mangle -X +iptables -P INPUT ACCEPT +iptables -P FORWARD ACCEPT +iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh + chmod +x /etc/iptables/flush-iptables.sh + echo "[Unit] +Description=Packet Filtering Framework +DefaultDependencies=no +After=systemd-sysctl.service +Before=sysinit.target +[Service] +Type=oneshot +ExecStart=/sbin/iptables-restore < /etc/iptables/iptables.rules +ExecReload=/sbin/iptables-restore < /etc/iptables/iptables.rules +ExecStop=/etc/iptables/flush-iptables.sh +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target" > /etc/systemd/system/iptables.service + systemctl daemon-reload + systemctl enable iptables.service + fi else # Else, the distro is ArchLinux echo "" @@ -379,7 +444,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service # Install dependencies pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm if [[ "$OS" = 'arch' ]]; then - touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist + iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist systemctl enable iptables systemctl start iptables fi From d3d7d18ab157c21b001a23c13d8fc66318cf6c6d Mon Sep 17 00:00:00 2001 From: DrXala Date: Sun, 16 Jul 2017 14:11:29 +0200 Subject: [PATCH 2/8] Removing the use of rc.local file --- openvpn-install.sh | 55 ++++++++++++---------------------------------- 1 file changed, 14 insertions(+), 41 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0211023..6e5f308 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
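Review bot: `ExecStop=/etc/iptables/flush-iptables.sh` flushes every chain and sets the INPUT, FORWARD and OUTPUT policies to ACCEPT, so any `systemctl stop iptables` (or a failed restart) leaves the host with no filtering at all rather than with its pre-install ruleset; either drop the three `-P ... ACCEPT` lines from the flush script or document the behaviour in the unit with `# stopping this unit opens the firewall completely; prefer restart`. The guard `[[ ! -e /etc/systemd/system/iptables.service ]]` does not see a vendor unit of the same name under `/usr/lib/systemd/system` (CentOS 7's iptables-services package ships one), so where that is installed the new file silently shadows it; `systemctl list-unit-files iptables.service` before writing would catch it. `mkdir /etc/iptables` fails noisily when the directory already exists (Debian's iptables-persistent uses the same path); use `mkdir -p /etc/iptables`. The Debian and CentOS branches are byte-identical and hard-code the path that `$IPTABLES` was introduced for in the first hunk; a single helper using `"$IPTABLES"` would remove the duplication.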
@@ -24,7 +24,6 @@ if [[ -e /etc/debian_version ]]; then # Getting the version number, to verify that a recent version of OpenVPN is available VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") IPTABLES='/etc/iptables/iptables.rules' - RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.conf' if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." @@ -44,14 +43,10 @@ if [[ -e /etc/debian_version ]]; then elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then OS=centos IPTABLES='/etc/iptables/iptables.rules' - RCLOCAL='/etc/rc.d/rc.local' SYSCTL='/etc/sysctl.conf' - # Needed for CentOS 7 - chmod +x /etc/rc.d/rc.local elif [[ -e /etc/arch-release ]]; then OS=arch IPTABLES='/etc/iptables/iptables.rules' - RCLOCAL='/etc/rc.local' SYSCTL='/etc/sysctl.d/openvpn.conf' else echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" 
@@ -157,11 +152,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 fi if iptables -L -n | grep -qE 'REJECT|DROP'; then - sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL - sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL - sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL + if [[ "$PROTOCOL" = 'udp' ]]; then + iptables -D INPUT -p udp --dport $PORT -j ACCEPT + else + iptables -D INPUT -p tcp --dport $PORT -j ACCEPT + fi + iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT + iptables-save > $IPTABLES fi - sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL + iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE + iptables-save > $IPTABLES if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then if [[ "$PORT" != '1194' ]]; then @@ -423,28 +423,11 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service fi if [[ "$OS" = 'arch' ]]; then - # Install rc.local - echo "[Unit] -Description=/etc/rc.local compatibility - -[Service] -Type=oneshot -ExecStart=/etc/rc.local -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service - chmod +x /etc/rc.local - systemctl enable rc-local.service - if ! grep '#!' $RCLOCAL; then - echo "#!/bin/bash" > $RCLOCAL - fi - fi - # Install dependencies pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm if [[ "$OS" = 'arch' ]]; then iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist + systemctl daemon-reload systemctl enable iptables systemctl start iptables fi 
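Review bot: The uninstall path now deletes the INPUT and `FORWARD -s 10.8.0.0/24` rules but no longer removes the `FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` rule that the install path inserts (its rc.local deletion is dropped here and nothing replaces it), and the following `iptables-save > $IPTABLES` then persists that leftover rule. Add `iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` next to the other `-D` calls. `$IPTABLES`, `$PORT` and `$NIC` are unquoted in the new lines; `"$IPTABLES"`, `"$PORT"`, `"$NIC"` is the safer form. This branch compares `$PROTOCOL` against lowercase `'udp'` while the install path later in this patch tests `'UDP'`; if both read the same source one of them never matches, so it is worth confirming where each value comes from.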
@@ -555,15 +538,10 @@ verb 3" >> /etc/openvpn/server.conf fi # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward - # Needed to use rc.local with some systemd distros - if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then - echo '#!/bin/sh -e - exit 0' > $RCLOCAL - fi - chmod +x $RCLOCAL # Set NAT for the VPN subnet iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE - sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL + # Save persitent iptables rules + iptables-save > $IPTABLES if pgrep firewalld; then # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to @@ -589,13 +567,8 @@ verb 3" >> /etc/openvpn/server.conf fi iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - if [[ "$PROTOCOL" = 'UDP' ]]; then - sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL - elif [[ "$PROTOCOL" = 'TCP' ]]; then - sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL - fi - sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL - sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL + # save persitant OpenVPN rules + iptables-save > $IPTABLES fi # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then From 23222fd59faf75dfbe45ca75dc88c218e569fbac Mon Sep 17 00:00:00 2001 From: DrXala Date: Sun, 16 Jul 2017 15:39:14 +0200 Subject: [PATCH 3/8] Fix syntax error... --- openvpn-install.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 6e5f308..99740d8 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
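Review bot: `iptables-save > $IPTABLES` snapshots the entire live ruleset, not only the OpenVPN rules, so whatever firewalld (see the `pgrep firewalld` branch in context) or any other tool has loaded at that moment becomes the boot-time policy restored by iptables.service, and later changes made through those tools are lost at the next reboot; a comment such as `# Persist the whole current ruleset; rules owned by other tools are frozen here too` would make that trade-off explicit. The same applies to the second save in the `@@ -589` hunk below. Both new comments misspell "persistent" (`persitent`, `persitant`), and `$IPTABLES` should be quoted in both places.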
@@ -423,14 +423,13 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service fi if [[ "$OS" = 'arch' ]]; then - # Install dependencies - pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm - if [[ "$OS" = 'arch' ]]; then - iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist + # Install dependencies + pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm + iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist systemctl daemon-reload - systemctl enable iptables - systemctl start iptables - fi + systemctl enable iptables + systemctl start iptables + fi fi # Find out if the machine uses nogroup or nobody for the permissionless group if grep -qs "^nogroup:" /etc/group; then @@ -567,7 +566,7 @@ verb 3" >> /etc/openvpn/server.conf fi iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - # save persitant OpenVPN rules + # Save persitent OpenVPN rules iptables-save > $IPTABLES fi # If SELinux is enabled and a custom port was selected, we need this From 8f28593112f03205392b6be4d6f208e0684d7db9 Mon Sep 17 00:00:00 2001 From: DrXala Date: Sun, 16 Jul 2017 16:01:05 +0200 Subject: [PATCH 4/8] Fix iptables.service --- openvpn-install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 99740d8..24a5c70 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -363,8 +363,8 @@ After=systemd-sysctl.service Before=sysinit.target [Service] Type=oneshot -ExecStart=/sbin/iptables-restore < /etc/iptables/iptables.rules -ExecReload=/sbin/iptables-restore < /etc/iptables/iptables.rules +ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules +ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules ExecStop=/etc/iptables/flush-iptables.sh RemainAfterExit=yes [Install] 
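Review bot: The corrected `ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules` is only ever written when `/etc/systemd/system/iptables.service` does not exist yet (the `if [[ ! -e ... ]]` guard around this block, outside the hunk), so hosts provisioned with the previous revision keep the unit containing the `<` redirection, which systemd does not interpret, and boot without a restored ruleset. Either write the unit unconditionally, or add a marker line to the unit that the guard can check before skipping. The CentOS copy gets the same fix in the `@@ -397` hunk below and has the same problem. The enclosing `echo "[Unit] ..." >` statement starts and ends outside this hunk.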
@@ -397,8 +397,8 @@ After=systemd-sysctl.service Before=sysinit.target [Service] Type=oneshot -ExecStart=/sbin/iptables-restore < /etc/iptables/iptables.rules -ExecReload=/sbin/iptables-restore < /etc/iptables/iptables.rules +ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules +ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules ExecStop=/etc/iptables/flush-iptables.sh RemainAfterExit=yes [Install] From b5c624eb76f50c1edeb0e230d8e7fec042f95f5b Mon Sep 17 00:00:00 2001 From: DrXala Date: Thu, 20 Jul 2017 17:12:40 +0200 Subject: [PATCH 5/8] Adjust indents + change iptables.service --- openvpn-install.sh | 106 ++++++++++++++++++++++----------------------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 24a5c70..3580e5d 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -23,7 +23,7 @@ if [[ -e /etc/debian_version ]]; then OS="debian" # Getting the version number, to verify that a recent version of OpenVPN is available VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") - IPTABLES='/etc/iptables/iptables.rules' + IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then echo "Your version of Debian/Ubuntu is not supported." 
@@ -42,11 +42,11 @@ if [[ -e /etc/debian_version ]]; then fi elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then OS=centos - IPTABLES='/etc/iptables/iptables.rules' + IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.conf' elif [[ -e /etc/arch-release ]]; then OS=arch - IPTABLES='/etc/iptables/iptables.rules' + IPTABLES='/etc/iptables/iptables.rules' SYSCTL='/etc/sysctl.d/openvpn.conf' else echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" @@ -152,16 +152,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 fi if iptables -L -n | grep -qE 'REJECT|DROP'; then - if [[ "$PROTOCOL" = 'udp' ]]; then - iptables -D INPUT -p udp --dport $PORT -j ACCEPT - else - iptables -D INPUT -p tcp --dport $PORT -j ACCEPT - fi - iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT - iptables-save > $IPTABLES + if [[ "$PROTOCOL" = 'udp' ]]; then + iptables -D INPUT -p udp --dport $PORT -j ACCEPT + else + iptables -D INPUT -p tcp --dport $PORT -j ACCEPT + fi + iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT + iptables-save > $IPTABLES fi - iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE - iptables-save > $IPTABLES + iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE + iptables-save > $IPTABLES if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then if [[ "$PORT" != '1194' ]]; then 
@@ -341,11 +341,11 @@ else # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository. # The we install OpenVPN apt-get install openvpn iptables openssl wget ca-certificates curl -y - # Install iptables service - if [[ ! -e /etc/systemd/system/iptables.service ]]; then - mkdir /etc/iptables - iptables-save > /etc/iptables/iptables.rules - echo "#!/bin/sh + # Install iptables service + if [[ ! -e /etc/systemd/system/iptables.service ]]; then + mkdir /etc/iptables + iptables-save > /etc/iptables/iptables.rules + echo "#!/bin/sh iptables -F iptables -X iptables -t nat -F @@ -355,12 +355,12 @@ iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh - chmod +x /etc/iptables/flush-iptables.sh - echo "[Unit] + chmod +x /etc/iptables/flush-iptables.sh + echo "[Unit] Description=Packet Filtering Framework DefaultDependencies=no -After=systemd-sysctl.service -Before=sysinit.target +Before=network-pre.target +Wants=network-pre.target [Service] Type=oneshot ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules @@ -369,17 +369,17 @@ ExecStop=/etc/iptables/flush-iptables.sh RemainAfterExit=yes [Install] WantedBy=multi-user.target" > /etc/systemd/system/iptables.service - systemctl daemon-reload - systemctl enable iptables.service - fi + systemctl daemon-reload + systemctl enable iptables.service + fi elif [[ "$OS" = 'centos' ]]; then yum install epel-release -y yum install openvpn iptables openssl wget ca-certificates curl -y - # Install iptables service - if [[ ! -e /etc/systemd/system/iptables.service ]]; then - mkdir /etc/iptables - iptables-save > /etc/iptables/iptables.rules - echo "#!/bin/sh + # Install iptables service + if [[ ! -e /etc/systemd/system/iptables.service ]]; then + mkdir /etc/iptables + iptables-save > /etc/iptables/iptables.rules + echo "#!/bin/sh iptables -F iptables -X iptables -t nat -F 
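Review bot: The unit keeps `DefaultDependencies=no` and now orders itself with `Before=network-pre.target` / `Wants=network-pre.target`, but it still has no ordering against shutdown, so `ExecStop` (the flush script that sets every policy to ACCEPT) can run at an arbitrary point during shutdown while network services are still up; the usual companion lines for a `DefaultDependencies=no` unit are `Conflicts=shutdown.target` and `Before=shutdown.target`. The identical unit text is written a second time for CentOS in the `@@ -389` hunk on the next line and needs the same lines. The enclosing `echo "[Unit] ..."` statement starts and ends outside this hunk.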
@@ -389,12 +389,12 @@ iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh - chmod +x /etc/iptables/flush-iptables.sh - echo "[Unit] + chmod +x /etc/iptables/flush-iptables.sh + echo "[Unit] Description=Packet Filtering Framework DefaultDependencies=no -After=systemd-sysctl.service -Before=sysinit.target +Before=network-pre.target +Wants=network-pre.target [Service] Type=oneshot ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules @@ -403,9 +403,9 @@ ExecStop=/etc/iptables/flush-iptables.sh RemainAfterExit=yes [Install] WantedBy=multi-user.target" > /etc/systemd/system/iptables.service - systemctl daemon-reload - systemctl enable iptables.service - fi + systemctl daemon-reload + systemctl enable iptables.service + fi else # Else, the distro is ArchLinux echo "" @@ -423,19 +423,19 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service fi if [[ "$OS" = 'arch' ]]; then - # Install dependencies - pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm - iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist - systemctl daemon-reload - systemctl enable iptables - systemctl start iptables - fi + # Install dependencies + pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm + iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist + systemctl daemon-reload + systemctl enable iptables + systemctl start iptables + fi fi # Find out if the machine uses nogroup or nobody for the permissionless group if grep -qs "^nogroup:" /etc/group; then - NOGROUP=nogroup + NOGROUP=nogroup else - NOGROUP=nobody + NOGROUP=nobody fi # An old version of easy-rsa was available by default in some openvpn packages 
@@ -539,8 +539,8 @@ verb 3" >> /etc/openvpn/server.conf echo 1 > /proc/sys/net/ipv4/ip_forward # Set NAT for the VPN subnet iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE - # Save persitent iptables rules - iptables-save > $IPTABLES + # Save persitent iptables rules + iptables-save > $IPTABLES if pgrep firewalld; then # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to @@ -566,8 +566,8 @@ verb 3" >> /etc/openvpn/server.conf fi iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - # Save persitent OpenVPN rules - iptables-save > $IPTABLES + # Save persitent OpenVPN rules + iptables-save > $IPTABLES fi # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then @@ -627,10 +627,10 @@ verb 3" >> /etc/openvpn/server.conf echo "" echo "Looks like your server is behind a NAT!" echo "" - echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router)," - echo "then I need to know the address that can be used to access it from outside." - echo "If that's not the case, just ignore this and leave the next field blank" - read -p "External IP or domain name: " -e USEREXTERNALIP + echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router)," + echo "then I need to know the address that can be used to access it from outside." + echo "If that's not the case, just ignore this and leave the next field blank" + read -p "External IP or domain name: " -e USEREXTERNALIP if [[ "$USEREXTERNALIP" != "" ]]; then IP=$USEREXTERNALIP fi From ed17fc074d9c6d2a0441593b416d96e734152def Mon Sep 17 00:00:00 2001 
From: Angristan Date: Sun, 12 Nov 2017 18:07:07 +0100 Subject: [PATCH 6/8] Resolve conflicts Merge changes from master to resolve conflicts --- openvpn-install.sh | 86 +++++++++++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 36 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3580e5d..4b6f398 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -54,21 +54,29 @@ else fi newclient () { + # Where to write the custom client.ovpn? + if [ -e /home/$1 ]; then # if $1 is a user name + homeDir="/home/$1" + elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER + homeDir="/home/${SUDO_USER}" + else # if not SUDO_USER, use /root + homeDir="/root" + fi # Generates the custom client.ovpn - cp /etc/openvpn/client-template.txt ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "key-direction 1" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn - echo "" >> ~/$1.ovpn + cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + echo "key-direction 1" >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn + cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn + echo "" >> $homeDir/$1.ovpn } # Try to get our IP from the system and fallback to the Internet. 
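Review bot: `$homeDir/$1.ovpn` carries the client's private key and the shared `tls-auth.key`, yet the new code neither restricts the file mode nor changes ownership when it writes into `/home/$1` or `/home/${SUDO_USER}`; `cp` creates the file with the template's mode filtered by root's umask, so unless `client-template.txt` is already 0600 the key material is likely world-readable inside another user's home. Add `chmod 600 "$homeDir/$1.ovpn"` after the last append and, when the target is a user's home, `chown` it to that user. `[ -e /home/$1 ]` and `[ ${SUDO_USER} ]` are unquoted; `[[ -d "/home/$1" ]]` and `[[ -n "${SUDO_USER}" ]]` avoid word-splitting and a bare-string test. `homeDir` is a global set inside the function and read by callers later in this patch (`@@ -106` and `@@ -662` hunks), so a comment such as `# homeDir is intentionally global: callers print the resulting path` would make that dependency visible.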
@@ -106,7 +114,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then # Generates the custom client.ovpn newclient "$CLIENT" echo "" - echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn" + echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn" exit ;; 2) @@ -127,7 +135,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) cd /etc/openvpn/easy-rsa/ ./easyrsa --batch revoke $CLIENT - ./easyrsa gen-crl + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl rm -rf pki/reqs/$CLIENT.req rm -rf pki/private/$CLIENT.key rm -rf pki/issued/$CLIENT.crt @@ -218,8 +226,9 @@ else echo " 4) OpenDNS (Anycast: worldwide)" echo " 5) Google (Anycast: worldwide)" echo " 6) Yandex Basic (Russia)" - while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" ]]; do - read -p "DNS [1-6]: " -e -i 1 DNS + echo " 7) AdGuard DNS (Russia)" + while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" ]]; do + read -p "DNS [1-7]: " -e -i 1 DNS done echo "" echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " @@ -288,7 +297,7 @@ else echo " 2) 3072 bits (recommended, best compromise)" echo " 3) 4096 bits (most secure)" while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE + read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE done case $RSA_KEY_SIZE in 1) 
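Review bot: `EASYRSA_CRL_DAYS=3650` in the revoke hunk (`@@ -127`) is a bare magic value that appears again on the initial `gen-crl` later in this patch (`@@ -457` hunk), and neither says why it overrides easy-rsa's default; the reason matters because `crl-verify` makes the server refuse every client once the CRL expires. A comment such as `# CRL lifetime: with crl-verify an expired CRL locks out all clients` on both lines, or a single `CRL_DAYS` variable used in both places, would keep them in step. In the same hunk `$CLIENT` is unquoted in `./easyrsa --batch revoke $CLIENT` and the three `rm -rf` lines; quote it.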
@@ -316,25 +325,25 @@ else # We add the OpenVPN repo to get the latest version. # Debian 7 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then - echo "deb http://swupdate.openvpn.net/apt wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Debian 8 if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then - echo "deb http://swupdate.openvpn.net/apt jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt update fi # Ubuntu 12.04 if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then - echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu 14.04 if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then - echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi 
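Review bot: `wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -` runs without checking that the download succeeded, and since the script does not use `set -e` an empty or error body is fed to `apt-key add -` and the following `apt-get update` fails on an unsigned repository while installation continues; download to a temp file first and check it, e.g. `wget -O "$tmpkey" <url> || { echo "Failed to fetch OpenVPN repo key" >&2; exit 1; }` before `apt-key add "$tmpkey"`. The key is also placed in the global apt trust store, where it can sign any repository; on apt versions that support `signed-by=`, a dedicated keyring referenced from the new `openvpn.list` entries limits that trust to this repository. The repository URL is plain http, which is acceptable only because apt verifies the signatures; a one-line comment saying so would pre-empt the question.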
@@ -443,12 +452,12 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service rm -rf /etc/openvpn/easy-rsa/ fi # Get easy-rsa - wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz - tar xzf ~/EasyRSA-3.0.1.tgz -C ~/ - mv ~/EasyRSA-3.0.1/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-3.0.1/ /etc/openvpn/easy-rsa/ + wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz + tar xzf ~/EasyRSA-3.0.3.tgz -C ~/ + mv ~/EasyRSA-3.0.3/ /etc/openvpn/ + mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ - rm -rf ~/EasyRSA-3.0.1.tgz + rm -rf ~/EasyRSA-3.0.3.tgz cd /etc/openvpn/easy-rsa/ echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars # Create the PKI, set up the CA, the DH params and the server + client certificates @@ -457,14 +466,14 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service openssl dhparam -out dh.pem $DH_KEY_SIZE ./easyrsa build-server-full server nopass ./easyrsa build-client-full $CLIENT nopass - ./easyrsa gen-crl + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # generate tls-auth key openvpn --genkey --secret /etc/openvpn/tls-auth.key # Move all the generated files cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn # Make cert revocation list readable for non-root chmod 644 /etc/openvpn/crl.pem - + # Generate server.conf echo "port $PORT" > /etc/openvpn/server.conf if [[ "$PROTOCOL" = 'UDP' ]]; then 
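Review bot: The EasyRSA tarball fetched by `wget -O ~/EasyRSA-3.0.3.tgz ...` is unpacked and moved into `/etc/openvpn/easy-rsa/` and then used to build the CA, with no check that wget succeeded and no integrity check on the archive, so a truncated or substituted download becomes the PKI toolchain. At minimum test wget's status, `wget -O "$HOME/EasyRSA-3.0.3.tgz" <url> || { echo "EasyRSA download failed" >&2; exit 1; }`, and compare the archive against a pinned digest, `echo "<EXPECTED_SHA256>  $HOME/EasyRSA-3.0.3.tgz" | sha256sum -c -` (digest taken from the release page, not invented here). `~` is used where the rest of this patch moved to `$homeDir`; `$HOME` or a `mktemp -d` work directory would be the conventional choice for the scratch files.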
@@ -509,6 +518,10 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf ;; + 7) #AdGuard DNS + echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf + ;; esac echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo "crl-verify crl.pem @@ -567,7 +580,7 @@ verb 3" >> /etc/openvpn/server.conf iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # Save persitent OpenVPN rules - iptables-save > $IPTABLES + iptables-save > $IPTABLES fi # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then @@ -627,10 +640,10 @@ verb 3" >> /etc/openvpn/server.conf echo "" echo "Looks like your server is behind a NAT!" echo "" - echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router)," - echo "then I need to know the address that can be used to access it from outside." - echo "If that's not the case, just ignore this and leave the next field blank" - read -p "External IP or domain name: " -e USEREXTERNALIP + echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router)," + echo "then I need to know the address that can be used to access it from outside." + echo "If that's not the case, just ignore this and leave the next field blank" + read -p "External IP or domain name: " -e USEREXTERNALIP if [[ "$USEREXTERNALIP" != "" ]]; then IP=$USEREXTERNALIP fi @@ -650,6 +663,7 @@ persist-key persist-tun remote-cert-tls server auth SHA256 +auth-nocache $CIPHER tls-client tls-version-min 1.2 
@@ -662,7 +676,7 @@ verb 3" >> /etc/openvpn/client-template.txt echo "" echo "Finished!" echo "" - echo "Your client config is available at ~/$CLIENT.ovpn" + echo "Your client config is available at $homeDir/$CLIENT.ovpn" echo "If you want to add more clients, you simply need to run this script another time!" fi exit 0; From dcec3f12a469bb63668fcf1c051ca9811d9db94c Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 12 Nov 2017 18:30:05 +0100 Subject: [PATCH 7/8] Disable firewalld to allow iptables to start upon reboot --- openvpn-install.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4b6f398..e3b8f8e 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -414,6 +414,8 @@ RemainAfterExit=yes WantedBy=multi-user.target" > /etc/systemd/system/iptables.service systemctl daemon-reload systemctl enable iptables.service + # Disable firewalld to allow iptables to start upon reboot + systemctl disable firewalld fi else # Else, the distro is ArchLinux From aca3b4a019c3545331e2f8e39af65ac730501d6a Mon Sep 17 00:00:00 2001 From: Angristan Date: Sun, 12 Nov 2017 19:54:44 +0100 Subject: [PATCH 8/8] Fix the network interface variable Fix for https://github.com/Angristan/OpenVPN-install/pull/83#issuecomment-343758329 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index e3b8f8e..2f0dfa4 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -87,7 +87,7 @@ if [[ "$IP" = "" ]]; then IP=$(wget -qO- ipv4.icanhazip.com) fi # Get Internet network interface with default route -NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)') +NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) if [[ -e /etc/openvpn/server.conf ]]; then while :
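Review bot: `systemctl disable firewalld` (patch 7, `@@ -414`) only prevents firewalld from starting at the next boot; the running instance stays active for this session, so the `pgrep firewalld` branch later in the script still programs firewalld while the iptables snapshot saved afterwards, which includes firewalld's generated chains, becomes the policy after reboot — two different firewalls before and after the first restart. It also runs unconditionally and prints an error where firewalld is not installed. Guard it, `if systemctl is-enabled firewalld &>/dev/null; then systemctl disable firewalld; fi`, and decide explicitly whether to stop it as well or to keep firewall-cmd as the single firewall on CentOS instead of a separate iptables unit. The enclosing `if` block starts outside the hunk.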
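Review bot: `head -1` fixes the multiple-default-route case (patch 8, `@@ -87`), but `NIC` is still empty when there is no default route or when `grep -P` is unavailable, and the value is used unquoted later in `iptables -t nat -A POSTROUTING -o $NIC ...` (patch 2), where an empty expansion presumably makes `-s` be taken as the interface name and the MASQUERADE rule is never installed. Add a check right after the assignment, `[[ -n "$NIC" ]] || { echo "Could not determine the default network interface" >&2; exit 1; }`. `ip -4 route show default` would also replace the `grep default` filter, which matches any line containing that word.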