From 6939dffb0918e0dd8ac51c7f6f2b5b2579597f7d Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 20 Jan 2017 15:12:54 +0100 Subject: [PATCH] Fixed firewall and SELinux for TCP - Firewall/SELinux configuration wasn't updated to work with TCP (fixes #250) - Uncluttered protocol selection a bit --- openvpn-install.sh | 63 +++++++++++++++++++++------------------------- 1 file changed, 29 insertions(+), 34 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 941fffc..89a4102 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -131,23 +131,24 @@ if [[ -e /etc/openvpn/server.conf ]]; then read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE if [[ "$REMOVE" = 'y' ]]; then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) + PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) if pgrep firewalld; then # Using both permanent and not permanent rules to avoid a firewalld reload. - firewall-cmd --zone=public --remove-port=$PORT/udp + firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --permanent --zone=public --remove-port=$PORT/udp + firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 fi if iptables -L -n | grep -qE 'REJECT|DROP'; then - sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL + sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL fi sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then - semanage port -d -t openvpn_port_t -p udp $PORT + if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then + semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi fi fi @@ -185,6 +186,14 @@ else echo " 1) UDP (recommended)" echo " 2) TCP" read -p "Protocol [1-2]: " -e -i 1 PROTOCOL + case $PROTOCOL in + 1) + PROTOCOL=udp + ;; + 2) + PROTOCOL=tcp + ;; + esac echo "" echo "What port do you want OpenVPN listening to?" read -p "Port: " -e -i 1194 PORT @@ -204,7 +213,7 @@ else echo "" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" read -n1 -r -p "Press any key to continue..." - if [[ "$OS" = 'debian' ]]; then + if [[ "$OS" = 'debian' ]]; then apt-get update apt-get install openvpn iptables openssl ca-certificates -y else @@ -238,16 +247,9 @@ else # Generate key for tls-auth openvpn --genkey --secret /etc/openvpn/ta.key # Generate server.conf - echo "port $PORT" > /etc/openvpn/server.conf - case $PROTOCOL in - 1) - echo "proto udp" >> /etc/openvpn/server.conf - ;; - 2) - echo "proto tcp" >> /etc/openvpn/server.conf - ;; - esac - echo "dev tun + echo "port $PORT +proto $PROTOCOL +dev tun sndbuf 0 rcvbuf 0 ca ca.crt @@ -257,7 +259,7 @@ dh dh.pem tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf +ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf # DNS case $DNS in @@ -311,31 +313,31 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf # We don't use --add-service=openvpn because that would only work with # the default port. Using both permanent and not permanent rules to # avoid a firewalld reload. - firewall-cmd --zone=public --add-port=$PORT/udp + firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --add-source=10.8.0.0/24 - firewall-cmd --permanent --zone=public --add-port=$PORT/udp + firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 fi if iptables -L -n | grep -qE 'REJECT|DROP'; then # If iptables has at least one REJECT rule, we asume this is needed. # Not the best approach but I can't think of other and this shouldn't # cause problems. - iptables -I INPUT -p udp --dport $PORT -j ACCEPT + iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL + sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL fi # If SELinux is enabled and a custom port was selected, we need this if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then - if [[ "$PORT" != '1194' ]]; then + if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then # semanage isn't available in CentOS 6 by default if ! hash semanage 2>/dev/null; then yum install policycoreutils-python -y fi - semanage port -a -t openvpn_port_t -p udp $PORT + semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT fi fi fi @@ -371,16 +373,9 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf fi # client-common.txt is created so we have a template to add further users later echo "client -dev tun" > /etc/openvpn/client-common.txt - case $PROTOCOL in - 1) - echo "proto udp" >> /etc/openvpn/client-common.txt - ;; - 2) - echo "proto tcp" >> /etc/openvpn/client-common.txt - ;; - esac - echo "sndbuf 0 +dev tun +proto $PROTOCOL +sndbuf 0 rcvbuf 0 remote $IP $PORT resolv-retry infinite @@ -392,7 +387,7 @@ cipher AES-256-CBC comp-lzo setenv opt block-outside-dns key-direction 1 -verb 3" >> /etc/openvpn/client-common.txt +verb 3" > /etc/openvpn/client-common.txt # Generates the custom client.ovpn newclient "$CLIENT" echo ""