1
0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-11-24 14:06:07 +03:00

The BIG update

Deleted latest and legacy mode
Use OpenVPN 2.3.10 with custom repo
Add a check at start for Debian/Ubuntu
Fast mode with 2048 bits RSA and DH, 128 bits AES, SHA-256 certificate
Slow mode with 4096 bits RSA and DH, 256 bits AES, SHA-384 certificate
AES-256-CBC and SHA512 for HMAC auth
Add OpenNIC as a DNS option + GeoIP API
Delete NTT and Huricane Electric DNS
Other improvements
This commit is contained in:
Angristan 2016-03-19 17:41:18 +01:00
parent 25448611c2
commit 1bf105e809

View File

@ -26,8 +26,14 @@ if grep -qs "CentOS release 5" "/etc/redhat-release"; then
fi fi
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS=debian OS="debian"
#We get the version number, to verify we can get a recent version of OpenVPN
VERSION_ID=$(cat /etc/*-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local' RCLOCAL='/etc/rc.local'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="15.10"' ]]; then
echo "Your version of Debian/Ubuntu is not supported. Please look at the documentation."
exit 4
fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos OS=centos
RCLOCAL='/etc/rc.d/rc.local' RCLOCAL='/etc/rc.d/rc.local'
@ -170,10 +176,13 @@ else
echo "You can leave the default options and just press enter if you are ok with them" echo "You can leave the default options and just press enter if you are ok with them"
echo "" echo ""
echo "First, choose which variant of the script you want to use." echo "First, choose which variant of the script you want to use."
echo "Read carefully the README on GitHub before choosing. Use legacy of you're not sure." echo '"Fast" is secure, but "slow" is the best encryption you can get, at the cost of speed (not that slow though)'
echo " 1) Latest (High encryption, not compatible with all servers and clients)" echo " 1) Fast (2048 bits RSA and DH, 128 bits AES)"
echo " 2) Legacy (Work with most devices)" echo " 2) Slow (4096 bits RSA and DH, 256 bits AES)"
read -p "Variant [1-2]: " -e -i 2 VER while [[ $VARIANT != "1" && $VARIANT != "2" ]]; do
read -p "Variant [1-2]: " -e -i 1 VARIANT
done
echo "" echo ""
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (10.x.x.x)" echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (10.x.x.x)"
@ -186,10 +195,9 @@ else
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers" echo " 1) Current system resolvers"
echo " 2) FDN (recommended)" echo " 2) FDN (recommended)"
echo " 3) OpenDNS" echo " 3) OpenNIC (nearest servers)"
echo " 4) NTT" echo " 4) OpenDNS"
echo " 5) Google" echo " 5) Google"
echo " 6) Hurricane Electric"
read -p "DNS [1-6]: " -e -i 2 DNS read -p "DNS [1-6]: " -e -i 2 DNS
echo "" echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me your name for the client cert"
@ -199,13 +207,40 @@ else
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get update # We add the OpenVPN repo to get the latest version.
apt-get install openvpn iptables openssl ca-certificates -y # Debian 7
if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
echo "deb http://swupdate.openvpn.net/apt wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://swupdate.openvpn.net/apt jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
fi
# Ubuntu 12.04
if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# The repo, is not available for Ubuntu 15.10, but it has OpenVPN > 2.3.3, so we do nothing.
# The we install OpnVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y
else else
# Else, the distro is CentOS # Else, the distro is CentOS
yum install epel-release -y yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates -y yum install openvpn iptables openssl wget ca-certificates curl -y
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/ rm -rf /etc/openvpn/easy-rsa/
@ -218,8 +253,18 @@ else
chown -R root:root /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.1.tgz rm -rf ~/EasyRSA-3.0.1.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
#Use 4096 bits DH instead of 2048 bits # If the user selected the fast, less hardened version
echo "set_var EASYRSA_KEY_SIZE 4096" > vars if [[ "$VARIANT" = '1' ]]; then
echo "set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_DIGEST "sha256"" > vars
fi
# If the user selected the relatively slow, ultra hardened version
if [[ "$VARIANT" = '2' ]]; then
echo "set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_DIGEST "sha384"" > vars
fi
# Create the PKI, set up the CA, the DH params and the server + client certificates # Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
@ -241,15 +286,17 @@ key server.key
dh dh.pem dh dh.pem
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf ifconfig-pool-persist ipp.txt
if [[ "$VER" = '1' ]]; then cipher AES-256-CBC
#If we're using the latest variant auth SHA512
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 tls-version-min 1.2" > /etc/openvpn/server.conf
tls-version-min 1.2" >> /etc/openvpn/server.conf if [[ "$VARIANT" = '1' ]]; then
else # If the user selected the fast, less hardened version
# If the user slected legacy # Or if the user selected a non-existant variant, we fallback to fast
# Or if the user selected a non-existant variant, we fallback to legacy echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
echo "cipher AES-256-CBC" >> /etc/openvpn/server.conf elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
fi fi
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
# DNS # DNS
@ -260,25 +307,26 @@ tls-version-min 1.2" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done done
;; ;;
2) 2) #FDN
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
;; ;;
3) 3) #OpenNIC
#Getting the nearest OpenNIC servers using the geoip API
read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
echo -e "nameserver $ns1
nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
;;
4) #OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;; ;;
4) 5) #Google
echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf
;;
5)
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;; ;;
6)
echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf
;;
esac esac
echo "keepalive 10 120 echo "keepalive 10 120
comp-lzo comp-lzo
@ -375,15 +423,17 @@ nobind
persist-key persist-key
persist-tun persist-tun
remote-cert-tls server remote-cert-tls server
comp-lzo" > /etc/openvpn/client-common.txt comp-lzo
if [[ "$VER" = '1' ]]; then cipher AES-256-CBC
#If we're using the latest variant auth SHA512
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256 tls-version-min 1.2" > /etc/openvpn/client-common.txt
tls-version-min 1.2" >> /etc/openvpn/client-common.txt if [[ "$VARIANT" = '1' ]]; then
else # If the user selected the fast, less hardened version
# If the user slected legacy # Or if the user selected a non-existant variant, we fallback to fast
# Or if the user selected a non-existant variant, we fallback to legacy echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
echo "cipher AES-256-CBC" >> /etc/openvpn/client-common.txt elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
fi fi
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"