Cleanup and rewrites

Angristan 2017-09-17 18:09:52 +02:00 committed by GitHub
parent f4b6742f36
commit f6eecf3dcb


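--- a/UNKNOWN_PATH_PLACEHOLDER
+++ b/UNKNOWN_PATH_PLACEHOLDER
@@ -238,10 +238,12 @@ else
 done
 echo ""
 echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
-echo "the encryption in OpenVPN and the choices I made in this script."
-echo "Please note that all the choices proposed are secure enough considering today's strandards,"
-echo "unlike some default OpenVPN options"
-echo ''
+echo "the encryption in OpenVPN and the choices proposed in this script."
+echo "Please note that all the choices proposed are secure enough considering today's strandards, unlike some default OpenVPN options"
+echo "You can just type "enter" if you don't know what to choose."
+echo "Note that if you want to use an OpenVPN 2.3 client, You'll have to choose OpenVPN 2.3-compatible options."
+echo "All OpenVPN 2.3-compatible choices are specified for each following option."
+echo ""
 echo "Choose which cipher you want to use for the data channel:"
 echo " 1) AES-128-GCM (recommended)"
 echo " 2) AES-192-GCM"
@@ -251,7 +253,7 @@ else
 echo " 5) AES-192-CBC"
 echo " 6) AES-256-CBC"
 while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do
-read -p "Cipher [1-7]: " -e -i 1 CIPHER
+read -p "Data channel cipher [1-6]: " -e -i 1 CIPHER
 done
 case $CIPHER in
 1)
@@ -274,76 +276,23 @@ else
 ;;
 esac
 echo ""
-echo "Choose what kind of Diffie-Hellman key you want to use."
-echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
-echo "Use DH for OpenVPN 2.3 compatibilty"
-echo " 1) ECDH (recommended)"
-echo " 2) DH"
-while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
-read -p "DH key size [1-2]: " -e -i 1 DH_TYPE
-done
-case $DH_TYPE in
-1)
-echo ""
-echo "Choose which curve you want to use"
-echo " 1) secp256r1"
-echo " 2) secp384r1 (recommended)"
-echo " 3) secp521r1"
-while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
-read -p "ECDH [1-3]: " -e -i 2 DH_CURVE
-done
-case $DH_CURVE in
-1)
-DH_CURVE="secp256r1"
-;;
-2)
-DH_CURVE="secp384r1"
-;;
-3)
-DH_CURVE="secp521r1"
-;;
-esac
-;;
-2)
-echo""
-echo "Choose which DH key size do you want to use"
-echo " 1) 2048 bits"
-echo " 2) 3072 bits (recommended)"
-echo " 3) 4096 bits"
-while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
-read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
-done
-case $DH_SIZE in
-1)
-DH_SIZE="2048"
-;;
-2)
-DH_SIZE="3072"
-;;
-3)
-DH_SIZE="4096"
-;;
-esac
-;;
-esac
-echo ""
-echo "Choose what kind Certificate key you want to use."
-echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
+echo "Choose what kind of certificate you want to use:"
+echo "Elleptic Curves keys (EC) are recommended, they're faster, lighter and more secure."
 echo "Use RSA for OpenVPN 2.3 compatibilty"
 echo " 1) ECDSA (recommended)"
 echo " 2) RSA"
 while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do
-read -p "Certificate key [1-2]: " -e -i 1 CERT_TYPE
+read -p "Certificate type [1-2]: " -e -i 1 CERT_TYPE
 done
 case $CERT_TYPE in
 1)
 echo ""
-echo "Choose which curve you want to use:"
+echo "Choose which curve you want to use for the EC key:"
 echo " 1) secp256r1"
 echo " 2) secp384r1 (recommended)"
 echo " 3) secp521r1"
 while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do
-read -p "ECDH [1-3]: " -e -i 2 CERT_CURVE
+read -p "Curve [1-3]: " -e -i 2 CERT_CURVE
 done
 case $CERT_CURVE in
 1)
@@ -359,7 +308,7 @@ else
 ;;
 2)
 echo ""
-echo "Choose which RSA key size do you want to use:"
+echo "Choose which RSA key size you want to use:"
 echo " 1) 2048 bits"
 echo " 2) 3072 bits (recommended)"
 echo " 3) 4096 bits"
@@ -385,7 +334,7 @@ else
 echo " 2) SHA-384 (recommended)"
 echo " 3) SHA-512"
 while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do
-read -p "Cert hash algo [1-3]: " -e -i 2 CERT_HASH
+read -p "Hash algorithm [1-3]: " -e -i 2 CERT_HASH
 done
 case $CERT_HASH in
 1)
@@ -399,12 +348,65 @@ else
 ;;
 esac
 echo ""
-echo "Which cipher to use for the control channel ?"
+echo "Choose what kind of Diffie-Hellman key you want to use."
+echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
+echo "Use DH for OpenVPN 2.3 compatibilty"
+echo " 1) ECDH (recommended)"
+echo " 2) DH"
+while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
+read -p "DH key type [1-2]: " -e -i 1 DH_TYPE
+done
+case $DH_TYPE in
+1)
+echo ""
+echo "Choose which curve you want to use for the ECDH key"
+echo " 1) secp256r1"
+echo " 2) secp384r1 (recommended)"
+echo " 3) secp521r1"
+while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
+read -p "Curve [1-3]: " -e -i 2 DH_CURVE
+done
+case $DH_CURVE in
+1)
+DH_CURVE="secp256r1"
+;;
+2)
+DH_CURVE="secp384r1"
+;;
+3)
+DH_CURVE="secp521r1"
+;;
+esac
+;;
+2)
+echo""
+echo "Choose which DH key size you want to use"
+echo " 1) 2048 bits"
+echo " 2) 3072 bits (recommended)"
+echo " 3) 4096 bits"
+while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
+read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
+done
+case $DH_SIZE in
+1)
+DH_SIZE="2048"
+;;
+2)
+DH_SIZE="3072"
+;;
+3)
+DH_SIZE="4096"
+;;
+esac
+;;
+esac
+echo ""
+echo "Choose which cipher you want to use for the control channel:"
 if [[ "$CERT_TYPE" = '1' ]]; then
 echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)"
 echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256"
 while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
-read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC
+read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
 done
 case $CC_ENC in
 1)
@@ -418,7 +420,7 @@ else
 echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
 echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
 while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
-read -p "Control Channel encryption [1-2]: " -e -i 1 CC_ENC
+read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
 done
 case $CC_ENC in
 1)
@@ -429,6 +431,15 @@ else
 ;;
 esac
 fi
+echo ""
+echo "Do you want to use tls-crypt or tls-auth?"
+echo "They both encrypt and authenticate all control channel packets with a key."
+echo "tls-crypt is more advanced and secure than tls-auth, but it's an OpenVPN 2.4 feature."
+echo " 1) tls-crypt (recommended)"
+echo " 2) tls-auth (use only for OpenVPN 2.3 client compatibility)"
+while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
+read -p "Crontrol channel additional security layer [1-2]: " -e -i 1 TLS_SIG
+done
 echo""
 if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then
 echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
@@ -454,13 +465,6 @@ else
 ;;
 esac
 echo ""
-echo "tls crypt or tls auth"
-echo " 1) tls-crypt (recommended)"
-echo " 2) tls-auth (use only for openvpn 2.3 compat)"
-while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
-read -p "tls sig [1-2]: " -e -i 1 TLS_SIG
-done
-echo ""
 echo "Finally, tell me a name for the client certificate and configuration"
 while [[ $CLIENT = "" ]]; do
 echo "Please, use one word only, no special characters"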
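Review bot: The new prompt text in the `@@ -429,6 +431,15 @@` hunk, `echo "They both encrypt and authenticate all control channel packets with a key."`, is wrong about tls-auth: tls-auth only adds an HMAC to control channel packets (authentication, no encryption), while tls-crypt both encrypts and authenticates them, so the line should read something like `echo "tls-auth authenticates control channel packets with a pre-shared key; tls-crypt also encrypts them."`. The `read` prompt two lines below it also misspells "Control" as "Crontrol", and the block moved into the `@@ -399,12 +348,65 @@` hunk keeps the "Elleptic"/"compatibilty" typos plus an `echo""` that only prints a blank line because the shell parses it as the bare word `echo`. In the first hunk, `echo "You can just type "enter" if you don't know what to choose."` closes the double-quoted string before `enter`, so that word is passed unquoted; it works only because the word contains no special characters, and `'enter'` inside the string is what was meant. Every `read` loop this commit adds (DH_TYPE, DH_CURVE, DH_SIZE, TLS_SIG) spins forever when stdin reaches EOF, since the variable never becomes a valid choice; appending `|| exit 1` to each `read` line makes the script stop instead. The enclosing `else` branch begins and ends outside these hunks.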