From 56b755f93796dbeadef5aecb76ef16a4b1ae7f5e Mon Sep 17 00:00:00 2001 From: Angristan Date: Mon, 6 Feb 2017 12:05:01 +0100 Subject: [PATCH 01/16] Update AES data channel ciphers --- openvpn-install.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index cee3e36..9478855 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -221,9 +221,9 @@ else echo "and are still viable to date, unlike some default OpenVPN options" echo '' echo "Choose which cipher you want to use for the data channel:" - echo " 1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)" - echo " 2) AES-192-CBC" - echo " 3) AES-256-CBC" + echo " 1) AES-128-GCM (fastest and sufficiently secure for everyone, recommended)" + echo " 2) AES-192-GCM" + echo " 3) AES-256-GCM" echo "Alternatives to AES, use them only if you know what you're doing." echo "They are relatively slower but as secure as AES." echo " 4) CAMELLIA-128-CBC" @@ -235,13 +235,13 @@ else done case $CIPHER in 1) - CIPHER="cipher AES-128-CBC" + CIPHER="cipher AES-128-GCM" ;; 2) - CIPHER="cipher AES-192-CBC" + CIPHER="cipher AES-192-GCM" ;; 3) - CIPHER="cipher AES-256-CBC" + CIPHER="cipher AES-256-GCM" ;; 4) CIPHER="cipher CAMELLIA-128-CBC" From fa6cf4e5696507a50f28922f496c36f2cca09c31 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 17:54:08 +0100 Subject: [PATCH 02/16] Update tls-cipher to use ECDHE and ECDSA --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9478855..dfe9954 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -466,7 +466,7 @@ auth SHA256 $CIPHER tls-server tls-version-min 1.2 -tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 status openvpn.log verb 3" >> /etc/openvpn/server.conf 
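Review bot: The menu now defaults to an AEAD cipher (AES-128-GCM, option 1), but nothing in the hunk tells the user that the GCM data-channel ciphers need OpenVPN 2.4 or newer on the server and on every client, so a client still on 2.3 cannot negotiate the config this choice produces. Once a GCM cipher is selected, the `auth SHA256` line written elsewhere in the config no longer covers the data channel (with AEAD ciphers OpenVPN uses it only for the control-channel HMAC), which is worth saying next to the menu so nobody expects it to harden the tunnel. Suggested extra menu line: `echo "Note: the AES-GCM ciphers require OpenVPN 2.4 or newer on the server and on all clients"`. The same requirement applies to the `case` arms in the next hunk, which map the choices to the `cipher` directive.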
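Review bot: Restricting `tls-cipher` to `TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256` while the PKI is still built from `set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE` (RSA certificates; the move to EC keys only arrives in a later patch of this series) leaves no suite the server can use with its own certificate, so every TLS handshake fails at this point in the history. Either land the ECDSA PKI change first or keep an RSA suite alongside, e.g. `tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256`, so server and clients always share one usable suite. The client-template hunk on the next line makes the same change and has the same problem. Note also that a single-suite pin has no fallback: any client build lacking exactly this suite cannot connect, which is acceptable only if that is the intended policy.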
@@ -583,7 +583,7 @@ auth SHA256 $CIPHER tls-client tls-version-min 1.2 -tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 +tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 setenv opt block-outside-dns verb 3" >> /etc/openvpn/client-template.txt From 56fad22cad64dbb176b26a8ac83546958a880b4a Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 18:30:40 +0100 Subject: [PATCH 03/16] Disable DH and enable ECDH cf. https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage#lbAK --- openvpn-install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index dfe9954..199b355 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -403,7 +403,6 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service # Create the PKI, set up the CA, the DH params and the server + client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass - openssl dhparam $DH_KEY_SIZE -out dh.pem ./easyrsa build-server-full server nopass ./easyrsa build-client-full $CLIENT nopass ./easyrsa gen-crl @@ -461,7 +460,7 @@ ca ca.crt cert server.crt key server.key tls-auth tls-auth.key 0 -dh dh.pem +dh none auth SHA256 $CIPHER tls-server From 23daeca80a20ef2e237445351d57b83bfbc45c89 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 18:34:33 +0100 Subject: [PATCH 04/16] Use secp256k1 curve for ECDH cf. https://github.com/Angristan/OpenVPN-install/pull/33#issuecomment-280399196 --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 199b355..0041a08 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -461,6 +461,7 @@ cert server.crt key server.key tls-auth tls-auth.key 0 dh none +ecdh-curve auth SHA256 $CIPHER tls-server From da947d8ae3395b63d3ac77aaa9e0a59bfe3b2b48 Mon Sep 17 00:00:00 2001 
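Review bot: The comment just above the removed `openssl dhparam` call, `# Create the PKI, set up the CA, the DH params and the server + client certificates`, is now wrong since no DH parameters are generated any more; shorten it to `# Create the PKI, set up the CA and the server + client certificates`. The `$DH_KEY_SIZE` prompt that fed this call and the `cp ... dh.pem ...` line further down the script are not touched by this commit, so until they go the user is asked for a value that is unused and the copy refers to a file that no longer exists.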
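Review bot: The added `ecdh-curve` directive has no curve name, and OpenVPN requires one, so the generated server.conf is rejected at startup as an option with a missing parameter; the commit message says secp256k1 was intended, i.e. `ecdh-curve secp256k1`. Whatever curve is chosen, prefer one that mainstream client TLS libraries enable by default, because a curve the client does not offer stops the handshake rather than falling back to another.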
From: Angristan Date: Thu, 16 Feb 2017 19:07:17 +0100 Subject: [PATCH 05/16] Update repo for Debian and Ubuntu --- openvpn-install.sh | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0041a08..49a0c98 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -27,11 +27,12 @@ if [[ -e /etc/debian_version ]]; then SYSCTL='/etc/sysctl.conf' if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]]; then echo "Your version of Debian/Ubuntu is not supported." - echo "I can't install a recent version of OpenVPN on your system." + echo "I can't install OpenVPN 2.4 on your system." echo "" echo "However, if you're using Debian unstable/testing, or Ubuntu beta," - echo "then you can continue, a recent version of OpenVPN is available on these." - echo "Keep in mind they are not supported, though." + echo "then you can continue, this version of OpenVPN is available on these." + echo "Keep in mind these releases are not supported, though." + while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do read -p "Continue ? [y/n]: " -e CONTINUE done 
@@ -309,30 +310,35 @@ else # We add the OpenVPN repo to get the latest version. # Debian 7 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then - echo "deb http://swupdate.openvpn.net/apt wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 wheezy main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Debian 8 if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then - echo "deb http://swupdate.openvpn.net/apt jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 jessie main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt update fi # Ubuntu 12.04 if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then - echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 precise main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi # Ubuntu 14.04 if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then - echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list + echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 trusty main" > /etc/apt/sources.list.d/openvpn.list wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - apt-get update fi - # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository. 
- # The we install OpenVPN + # Ubuntu 16.04 + if [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then + echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 xenial main" > /etc/apt/sources.list.d/openvpn.list + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - + apt-get update + fi + # Then we install OpenVPN apt-get install openvpn iptables openssl wget ca-certificates curl -y elif [[ "$OS" = 'centos' ]]; then yum install epel-release -y From 64433208d6fdca721a57e88c124775057f6a86fe Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 19:10:53 +0100 Subject: [PATCH 06/16] Remove DH key size input, remove cipher input And use AES-128-GCM as the data channel's cipher --- openvpn-install.sh | 67 +++------------------------------------------- 1 file changed, 3 insertions(+), 64 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 49a0c98..0334b5c 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -201,7 +201,7 @@ else read -p "Port: " -e -i 1194 PORT echo "" echo "What protocol do you want for OpenVPN?" - echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" + echo "Unless UDP is blocked, you should not use TCP (slower)" while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL done 
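Review bot: Ubuntu 16.10 is accepted by the version check (the `VERSION_ID="16.10"` test in the earlier hunk) but gets no repository block here, so it falls through to `apt-get install openvpn` from the distribution's own package; if that package is older than 2.4 (likely for 16.10, worth confirming) the 2.4-only directives the script now writes will be refused at startup. Either add an entry for it or drop 16.10 from the accepted list. Separately, each block writes the `deb` line before `wget -O - … | apt-key add -` runs and never checks the result, so a failed download leaves the repository configured without its key, and `apt-key add` trusts that key for every repository on the system; check the import and, where the apt version supports it, scope the key with `signed-by=` instead of the global keyring. The five near-identical blocks could also collapse into one codename lookup, which makes the next release easy to add:
```shell
# One repo block for every supported release: map VERSION_ID to the apt codename.
case "$VERSION_ID" in
  'VERSION_ID="7"')     codename=wheezy ;;
  'VERSION_ID="8"')     codename=jessie ;;
  'VERSION_ID="12.04"') codename=precise ;;
  'VERSION_ID="14.04"') codename=trusty ;;
  'VERSION_ID="16.04"') codename=xenial ;;
  *)                    codename= ;;
esac
if [[ -n "$codename" ]]; then
  # Import the key first and stop if that fails, so a repo is never added without its key.
  if ! wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -; then
    echo "Could not import the OpenVPN repository signing key"
    exit 1
  fi
  echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 $codename main" > /etc/apt/sources.list.d/openvpn.list
  apt-get update
fi
# … unchanged: apt-get install openvpn iptables openssl wget ca-certificates curl -y …
```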
@@ -216,67 +216,6 @@ else read -p "DNS [1-5]: " -e -i 2 DNS done echo "" - echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " - echo "the encryption in OpenVPN and the choices I made in this script." - echo "Please note that all the choices proposed are secure (to a different degree)" - echo "and are still viable to date, unlike some default OpenVPN options" - echo '' - echo "Choose which cipher you want to use for the data channel:" - echo " 1) AES-128-GCM (fastest and sufficiently secure for everyone, recommended)" - echo " 2) AES-192-GCM" - echo " 3) AES-256-GCM" - echo "Alternatives to AES, use them only if you know what you're doing." - echo "They are relatively slower but as secure as AES." - echo " 4) CAMELLIA-128-CBC" - echo " 5) CAMELLIA-192-CBC" - echo " 6) CAMELLIA-256-CBC" - echo " 7) SEED-CBC" - while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do - read -p "Cipher [1-7]: " -e -i 1 CIPHER - done - case $CIPHER in - 1) - CIPHER="cipher AES-128-GCM" - ;; - 2) - CIPHER="cipher AES-192-GCM" - ;; - 3) - CIPHER="cipher AES-256-GCM" - ;; - 4) - CIPHER="cipher CAMELLIA-128-CBC" - ;; - 5) - CIPHER="cipher CAMELLIA-192-CBC" - ;; - 6) - CIPHER="cipher CAMELLIA-256-CBC" - ;; - 5) - CIPHER="cipher SEED-CBC" - ;; - esac - echo "" - echo "Choose what size of Diffie-Hellman key you want to use:" - echo " 1) 2048 bits (fastest)" - echo " 2) 3072 bits (recommended, best compromise)" - echo " 3) 4096 bits (most secure)" - while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE - done - case $DH_KEY_SIZE in - 1) - DH_KEY_SIZE="2048" - ;; - 2) - DH_KEY_SIZE="3072" - ;; - 3) - DH_KEY_SIZE="4096" - ;; - esac - echo "" echo "Choose what size of RSA key you want to use:" echo " 1) 2048 bits (fastest)" echo " 2) 3072 bits (recommended, best compromise)" 
@@ -469,7 +408,7 @@ tls-auth tls-auth.key 0 dh none ecdh-curve auth SHA256 -$CIPHER +cipher cipher AES-128-GCM tls-server tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 @@ -586,7 +525,7 @@ persist-key persist-tun remote-cert-tls server auth SHA256 -$CIPHER +cipher AES-128-GCM tls-client tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 From 935896dbc7da51755e69fe8da86d7acca7ee51b0 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 19:33:07 +0100 Subject: [PATCH 07/16] Remove cp for dh --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0334b5c..5671368 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -354,7 +354,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service # generate tls-auth key openvpn --genkey --secret /etc/openvpn/tls-auth.key # Move all the generated files - cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn + cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn # Make cert revocation list readable for non-root chmod 644 /etc/openvpn/crl.pem From 547f689f0049cce8561ec308262be5ca480ae876 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 19:35:50 +0100 Subject: [PATCH 08/16] Use secp256k1 curve for ECDH (fix) I forgot the curve in https://github.com/Angristan/OpenVPN-install/pull/33/commits/23daeca80a20ef2e237445351d57b83bfbc45c89 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 5671368..1142376 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -406,7 +406,7 @@ cert server.crt key server.key tls-auth tls-auth.key 0 dh none -ecdh-curve +ecdh-curve secp256k1 auth SHA256 cipher cipher AES-128-GCM tls-server 
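Review bot: The new server line `cipher cipher AES-128-GCM` repeats the directive name, so OpenVPN sees an extra parameter and rejects the config at startup; it should read `cipher AES-128-GCM`, as the client-template hunk below already has it. With the prompt removed the data channel is now fixed to one AEAD cipher, so a one-line comment above the server.conf echo such as `# AES-GCM is an AEAD cipher: it needs OpenVPN 2.4+ on clients and makes 'auth' apply only to the control channel` would record why this value was chosen.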
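Review bot: `ecdh-curve secp256k1` selects the Koblitz curve best known from Bitcoin rather than one of the curves TLS clients commonly ship enabled; a client whose TLS library does not offer secp256k1 in its supported-groups list has no fallback and the handshake fails. A later patch in this series moves the certificates to secp384r1, so `ecdh-curve secp384r1` (or `prime256v1`) keeps the ephemeral and certificate curves consistent and stays on curves that are widely implemented. Whether a given client build lacks secp256k1 depends on its OpenSSL or mbedTLS configuration, so treat this as a compatibility risk to verify rather than a certain failure.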
From ed779b9b5253fb8aeb8d408e15ea44d87fad8a28 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 19:36:24 +0100 Subject: [PATCH 09/16] Fix cipher --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1142376..55033a7 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -408,7 +408,7 @@ tls-auth tls-auth.key 0 dh none ecdh-curve secp256k1 auth SHA256 -cipher cipher AES-128-GCM +cipher AES-128-GCM tls-server tls-version-min 1.2 tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 From afa0162c4c1513ac9f8d69b418e4e39f737ef321 Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 20:27:57 +0100 Subject: [PATCH 10/16] Use ECDSA cert instead of RSA --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 55033a7..fa75069 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -344,7 +344,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service chown -R root:root /etc/openvpn/easy-rsa/ rm -rf ~/EasyRSA-3.0.1.tgz cd /etc/openvpn/easy-rsa/ - echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars + echo "set_var EASYRSA_ALGO ec +set_var EASYRSA_CURVE secp384r1" > vars # Create the PKI, set up the CA, the DH params and the server + client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass From 5fe4bf62d63d7dba98ed5fd6df033de5b272123c Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 22:32:09 +0100 Subject: [PATCH 11/16] Replace tls-auth with tls-crypt --- openvpn-install.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index fa75069..88d6445 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
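Review bot: With `set_var EASYRSA_ALGO ec` the `$RSA_KEY_SIZE` chosen earlier no longer reaches easy-rsa, yet the prompt that asks for it (`Choose what size of RSA key you want to use:` and the `read -p "DH key size [1-3]:"` that follows it) is left in place by this commit, so the user is asked for a value that is silently ignored; remove the prompt together with this change. The comment two lines below, `# Create the PKI, set up the CA, the DH params and the server + client certificates`, still mentions DH params that are no longer generated. The curve here (secp384r1) also differs from the `ecdh-curve secp256k1` written into server.conf; aligning both on secp384r1 avoids depending on two different curves being available on every client.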
@@ -58,6 +58,7 @@ fi newclient () { # Generates the custom client.ovpn + # We put everything in the client file cp /etc/openvpn/client-template.txt ~/$1.ovpn echo "" >> ~/$1.ovpn cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn @@ -68,10 +69,9 @@ newclient () { echo "" >> ~/$1.ovpn cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn echo "" >> ~/$1.ovpn - echo "key-direction 1" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/tls-auth.key >> ~/$1.ovpn - echo "" >> ~/$1.ovpn + echo "" >> ~/$1.ovpn + cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn + echo "" >> ~/$1.ovpn } # Try to get our IP from the system and fallback to the Internet. @@ -352,8 +352,8 @@ set_var EASYRSA_CURVE secp384r1" > vars ./easyrsa build-server-full server nopass ./easyrsa build-client-full $CLIENT nopass ./easyrsa gen-crl - # generate tls-auth key - openvpn --genkey --secret /etc/openvpn/tls-auth.key + # Generate tls-crypt key + openvpn --genkey --secret /etc/openvpn/tls-crypt.key # Move all the generated files cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn # Make cert revocation list readable for non-root @@ -405,7 +405,7 @@ echo "crl-verify crl.pem ca ca.crt cert server.crt key server.key -tls-auth tls-auth.key 0 +tls-crypt tls-crypt.key 0 dh none ecdh-curve secp256k1 auth SHA256 From 624774736d6728dfd79d4fd8e522a8b3e8227cfb Mon Sep 17 00:00:00 2001 From: Angristan Date: Thu, 16 Feb 2017 22:33:12 +0100 Subject: [PATCH 12/16] Remove RSA key size input --- openvpn-install.sh | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 88d6445..9abf3b0 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
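Review bot: `tls-crypt tls-crypt.key 0` carries the key-direction argument over from `tls-auth`, but tls-crypt has no direction (the same key is used symmetrically on both sides), so the trailing `0` is at best ignored and misleads readers; write `tls-crypt tls-crypt.key`. The client hunk earlier on this line correctly drops `key-direction 1`, so the server side should follow. Since `cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn` embeds the same key in every client profile, one leaked .ovpn exposes the wrapper key for all clients, exactly as with tls-auth; a comment next to `openvpn --genkey --secret /etc/openvpn/tls-crypt.key` noting that rotating it means reissuing every profile would help operators.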
@@ -216,25 +216,6 @@ else read -p "DNS [1-5]: " -e -i 2 DNS done echo "" - echo "Choose what size of RSA key you want to use:" - echo " 1) 2048 bits (fastest)" - echo " 2) 3072 bits (recommended, best compromise)" - echo " 3) 4096 bits (most secure)" - while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do - read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE - done - case $RSA_KEY_SIZE in - 1) - RSA_KEY_SIZE="2048" - ;; - 2) - RSA_KEY_SIZE="3072" - ;; - 3) - RSA_KEY_SIZE="4096" - ;; - esac - echo "" echo "Finally, tell me a name for the client certificate and configuration" while [[ $CLIENT = "" ]]; do echo "Please, use one word only, no special characters" From f5ec9f3a17e4fbe6017845668fad2f543f83ee06 Mon Sep 17 00:00:00 2001 From: Angristan Date: Fri, 17 Feb 2017 22:54:29 +0100 Subject: [PATCH 13/16] Remove Arch Linux support Revert PR#2 :https://github.com/Angristan/OpenVPN-install/pull/2/files#diff-cda9722285f1718b319bb88e134e9efe Too much work to do with OpenVPN 2.4 for a distro that is not much used on servers. --- openvpn-install.sh | 54 ++++++---------------------------------------- 1 file changed, 7 insertions(+), 47 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9abf3b0..4919f6a 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -24,7 +24,6 @@ if [[ -e /etc/debian_version ]]; then # Getting the version number, to verify that a recent version of OpenVPN is available VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") RCLOCAL='/etc/rc.local' - SYSCTL='/etc/sysctl.conf' if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]]; then echo "Your version of Debian/Ubuntu is not supported." echo "I can't install OpenVPN 2.4 on your system." 
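Review bot: Dropping `SYSCTL='/etc/sysctl.conf'` here (and in the CentOS branch in the next hunk) leaves at least one consumer unconverted: the `if [[ ! -e $SYSCTL ]]; then touch $SYSCTL` block, which the `@@ -403,9 +363,9 @@` hunk of this commit does not touch. With the variable unset that test is always true and `touch` runs with no operand, so every run prints a usage error from `touch` before the sysctl edit. Convert that block in the same commit (`if [[ ! -e /etc/sysctl.conf ]]; then touch /etc/sysctl.conf`) or keep the variable until every use is gone.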
@@ -44,15 +43,10 @@ if [[ -e /etc/debian_version ]]; then elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then OS=centos RCLOCAL='/etc/rc.d/rc.local' - SYSCTL='/etc/sysctl.conf' # Needed for CentOS 7 chmod +x /etc/rc.d/rc.local -elif [[ -e /etc/arch-release ]]; then - OS=arch - RCLOCAL='/etc/rc.local' - SYSCTL='/etc/sysctl.d/openvpn.conf' else - echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" + echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system" exit 4 fi @@ -166,8 +160,6 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi if [[ "$OS" = 'debian' ]]; then apt-get remove --purge -y openvpn openvpn-blacklist - elif [[ "$OS" = 'arch' ]]; then - pacman -R openvpn --noconfirm else yum remove openvpn -y fi 
@@ -260,43 +252,11 @@ else fi # Then we install OpenVPN apt-get install openvpn iptables openssl wget ca-certificates curl -y - elif [[ "$OS" = 'centos' ]]; then + else + # Else, the distro is CentOS yum install epel-release -y yum install openvpn iptables openssl wget ca-certificates curl -y - else - # Else, the distro is ArchLinux - echo "" - echo "" - echo "As you're using ArchLinux, I need to update the packages on your system to install those I need." - echo "Not doing that could cause problems between dependencies, or missing files in repositories." - echo "" - echo "Continuing will update your installed packages and install needed ones." - while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do - read -p "Continue ? [y/n]: " -e -i y CONTINUE - done - if [[ "$CONTINUE" = "n" ]]; then - echo "Ok, bye !" - exit 4 - fi - - if [[ "$OS" = 'arch' ]]; then - # Install rc.local - echo "[Unit] -Description=/etc/rc.local compatibility - -[Service] -Type=oneshot -ExecStart=/etc/rc.local -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service - chmod +x /etc/rc.local - systemctl enable rc-local.service - if ! grep '#!' $RCLOCAL; then - echo "#!/bin/bash" > $RCLOCAL - fi - fi + fi # Install dependencies pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm @@ -403,9 +363,9 @@ verb 3" >> /etc/openvpn/server.conf fi # Enable net.ipv4.ip_forward for the system - sed -i '/\/c\net.ipv4.ip_forward=1' $SYSCTL - if ! grep -q "\" $SYSCTL; then - echo 'net.ipv4.ip_forward=1' >> $SYSCTL + sed -i '/\/c\net.ipv4.ip_forward=1' /etc/sysctl.conf + if ! grep -q "\" /etc/sysctl.conf; then + echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf fi # Avoid an unneeded reboot echo 1 > /proc/sys/net/ipv4/ip_forward From 135729d0ab1858923d15f26b5d4a0efe418af843 Mon Sep 17 00:00:00 2001 
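Review bot: The added `fi` after the CentOS `yum` lines closes the package-install `if`, but the `# Install dependencies` / `pacman -Syu …` lines that follow it are left as unconditional code, and the `fi` that used to close the removed Arch `if` block after them (visible in the next patch's deletions) is now unmatched, so bash reports a syntax error at that stray `fi` on every distribution until the leftover is removed. Delete the pacman block and its `fi` in this commit rather than leaving them for a follow-up. The enclosing `else` branch starts outside this hunk.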
From: Kcchouette Date: Thu, 23 Feb 2017 22:47:40 +0100 Subject: [PATCH 14/16] Remove the archlinux part that @Angristan had forgotten --- openvpn-install.sh | 8 -------- 1 file changed, 8 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4919f6a..6f54509 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -258,14 +258,6 @@ else yum install openvpn iptables openssl wget ca-certificates curl -y fi - # Install dependencies - pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm - if [[ "$OS" = 'arch' ]]; then - touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist - systemctl enable iptables - systemctl start iptables - fi - fi # Find out if the machine uses nogroup or nobody for the permissionless group if grep -qs "^nogroup:" /etc/group; then NOGROUP=nogroup From 2a6422057e066a7dff1c2a4f250ecf52242008f4 Mon Sep 17 00:00:00 2001 From: Kcchouette Date: Fri, 24 Feb 2017 10:33:52 +0100 Subject: [PATCH 15/16] Remove the last $SYSCTL var This var was indeed removed with the commit https://github.com/Angristan/OpenVPN-install/pull/33/commits/f5ec9f3a17e4fbe6017845668fad2f543f83ee06 --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 6f54509..8e6d04f 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -350,8 +350,8 @@ status openvpn.log verb 3" >> /etc/openvpn/server.conf # Create the sysctl configuration file if needed (mainly for Arch Linux) - if [[ ! -e $SYSCTL ]]; then - touch $SYSCTL + if [[ ! -e /etc/sysctl.conf ]]; then + touch /etc/sysctl.conf fi # Enable net.ipv4.ip_forward for the system From b205980053910f6ec1da324865efc78e1b9a290a Mon Sep 17 00:00:00 2001 
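Review bot: The comment `# Create the sysctl configuration file if needed (mainly for Arch Linux)` above the changed lines is stale now that Arch support has been removed; `# Create /etc/sysctl.conf if it does not exist` says what the code does. Hard-coding the path here is consistent with the `sed` and `grep` lines that follow, which lost the variable in an earlier patch of this series.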
From: Angristan Date: Thu, 2 Mar 2017 23:42:23 +0100 Subject: [PATCH 16/16] Use best encryption available Does not affect speed significantly, if at all. --- openvpn-install.sh | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 8e6d04f..19f1213 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -277,8 +277,9 @@ else chown -R root:root /etc/openvpn/easy-rsa/ rm -rf ~/EasyRSA-3.0.1.tgz cd /etc/openvpn/easy-rsa/ - echo "set_var EASYRSA_ALGO ec -set_var EASYRSA_CURVE secp384r1" > vars + echo 'set_var EASYRSA_ALGO ec +set_var EASYRSA_CURVE sect571r1 +set_var EASYRSA_DIGEST "sha512"' > vars # Create the PKI, set up the CA, the DH params and the server + client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass @@ -340,12 +341,12 @@ cert server.crt key server.key tls-crypt tls-crypt.key 0 dh none -ecdh-curve secp256k1 -auth SHA256 -cipher AES-128-GCM +ecdh-curve sect571r1 +auth SHA512 +cipher AES-256-GCM tls-server tls-version-min 1.2 -tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 +tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 status openvpn.log verb 3" >> /etc/openvpn/server.conf @@ -458,11 +459,11 @@ nobind persist-key persist-tun remote-cert-tls server -auth SHA256 -cipher AES-128-GCM +auth SHA512 +cipher AES-256-GCM tls-client tls-version-min 1.2 -tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 +tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 setenv opt block-outside-dns verb 3" >> /etc/openvpn/client-template.txt
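Review bot: `set_var EASYRSA_CURVE sect571r1` (and `ecdh-curve sect571r1` in the server.conf hunk below) moves both the certificates and the ephemeral ECDH to a binary-field curve, which many TLS stacks are built without or no longer advertise, so clients whose OpenSSL or mbedTLS lacks sect571r1 cannot complete the handshake, and there is no fallback because certificate and `ecdh-curve` are both pinned to it. The prime-field curves (secp384r1 as before, or prime256v1) are the interoperable choice and are more than adequate for this suite, so I'd keep `set_var EASYRSA_CURVE secp384r1` and `ecdh-curve secp384r1` unless every client is known to support sect571r1. The commit message's claim that speed is unaffected is also worth measuring: 571-bit binary-curve operations are noticeably slower than P-256/P-384 in common implementations.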
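Review bot: `auth SHA512` next to `cipher AES-256-GCM` is effectively a no-op: with an AEAD data-channel cipher OpenVPN ignores `--auth` for the data channel, and tls-crypt (unlike tls-auth) does not take its HMAC from `--auth` either, as far as I recall the 2.4 implementation, so the "best encryption" description overstates what this line changes. A comment in the echoed config, e.g. `# auth does not apply to the AES-GCM data channel; kept in sync with the client template`, would stop the next reader from expecting it to harden the tunnel. The client hunk below must keep the identical value so the two configs stay in step.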