mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-23 21:46:08 +03:00
Fixed firewall and SELinux for TCP
- Firewall/SELinux configuration wasn't updated to work with TCP (fixes #250) - Uncluttered protocol selection a bit
This commit is contained in:
parent
0e4bba792b
commit
6939dffb09
@ -131,23 +131,24 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
|
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
|
||||||
if [[ "$REMOVE" = 'y' ]]; then
|
if [[ "$REMOVE" = 'y' ]]; then
|
||||||
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
||||||
|
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
||||||
if pgrep firewalld; then
|
if pgrep firewalld; then
|
||||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||||
firewall-cmd --zone=public --remove-port=$PORT/udp
|
firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
|
||||||
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
|
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
|
||||||
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
|
firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
|
||||||
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
|
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
|
||||||
fi
|
fi
|
||||||
if iptables -L -n | grep -qE 'REJECT|DROP'; then
|
if iptables -L -n | grep -qE 'REJECT|DROP'; then
|
||||||
sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
|
sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
|
||||||
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
|
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
|
||||||
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
|
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
|
||||||
fi
|
fi
|
||||||
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
|
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
|
||||||
if hash sestatus 2>/dev/null; then
|
if hash sestatus 2>/dev/null; then
|
||||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||||
if [[ "$PORT" != '1194' ]]; then
|
if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
|
||||||
semanage port -d -t openvpn_port_t -p udp $PORT
|
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -185,6 +186,14 @@ else
|
|||||||
echo " 1) UDP (recommended)"
|
echo " 1) UDP (recommended)"
|
||||||
echo " 2) TCP"
|
echo " 2) TCP"
|
||||||
read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
|
read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
|
||||||
|
case $PROTOCOL in
|
||||||
|
1)
|
||||||
|
PROTOCOL=udp
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
PROTOCOL=tcp
|
||||||
|
;;
|
||||||
|
esac
|
||||||
echo ""
|
echo ""
|
||||||
echo "What port do you want OpenVPN listening to?"
|
echo "What port do you want OpenVPN listening to?"
|
||||||
read -p "Port: " -e -i 1194 PORT
|
read -p "Port: " -e -i 1194 PORT
|
||||||
@ -204,7 +213,7 @@ else
|
|||||||
echo ""
|
echo ""
|
||||||
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
|
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
|
||||||
read -n1 -r -p "Press any key to continue..."
|
read -n1 -r -p "Press any key to continue..."
|
||||||
if [[ "$OS" = 'debian' ]]; then
|
if [[ "$OS" = 'debian' ]]; then
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get install openvpn iptables openssl ca-certificates -y
|
apt-get install openvpn iptables openssl ca-certificates -y
|
||||||
else
|
else
|
||||||
@ -238,16 +247,9 @@ else
|
|||||||
# Generate key for tls-auth
|
# Generate key for tls-auth
|
||||||
openvpn --genkey --secret /etc/openvpn/ta.key
|
openvpn --genkey --secret /etc/openvpn/ta.key
|
||||||
# Generate server.conf
|
# Generate server.conf
|
||||||
echo "port $PORT" > /etc/openvpn/server.conf
|
echo "port $PORT
|
||||||
case $PROTOCOL in
|
proto $PROTOCOL
|
||||||
1)
|
dev tun
|
||||||
echo "proto udp" >> /etc/openvpn/server.conf
|
|
||||||
;;
|
|
||||||
2)
|
|
||||||
echo "proto tcp" >> /etc/openvpn/server.conf
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
echo "dev tun
|
|
||||||
sndbuf 0
|
sndbuf 0
|
||||||
rcvbuf 0
|
rcvbuf 0
|
||||||
ca ca.crt
|
ca ca.crt
|
||||||
@ -257,7 +259,7 @@ dh dh.pem
|
|||||||
tls-auth ta.key 0
|
tls-auth ta.key 0
|
||||||
topology subnet
|
topology subnet
|
||||||
server 10.8.0.0 255.255.255.0
|
server 10.8.0.0 255.255.255.0
|
||||||
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
|
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
|
||||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
|
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
|
||||||
# DNS
|
# DNS
|
||||||
case $DNS in
|
case $DNS in
|
||||||
@ -311,31 +313,31 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
|||||||
# We don't use --add-service=openvpn because that would only work with
|
# We don't use --add-service=openvpn because that would only work with
|
||||||
# the default port. Using both permanent and not permanent rules to
|
# the default port. Using both permanent and not permanent rules to
|
||||||
# avoid a firewalld reload.
|
# avoid a firewalld reload.
|
||||||
firewall-cmd --zone=public --add-port=$PORT/udp
|
firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
|
||||||
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
|
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
|
||||||
firewall-cmd --permanent --zone=public --add-port=$PORT/udp
|
firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
|
||||||
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
|
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
|
||||||
fi
|
fi
|
||||||
if iptables -L -n | grep -qE 'REJECT|DROP'; then
|
if iptables -L -n | grep -qE 'REJECT|DROP'; then
|
||||||
# If iptables has at least one REJECT rule, we asume this is needed.
|
# If iptables has at least one REJECT rule, we asume this is needed.
|
||||||
# Not the best approach but I can't think of other and this shouldn't
|
# Not the best approach but I can't think of other and this shouldn't
|
||||||
# cause problems.
|
# cause problems.
|
||||||
iptables -I INPUT -p udp --dport $PORT -j ACCEPT
|
iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
|
||||||
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
|
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
|
||||||
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
|
sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
|
||||||
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
|
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
|
||||||
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
|
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
|
||||||
fi
|
fi
|
||||||
# If SELinux is enabled and a custom port was selected, we need this
|
# If SELinux is enabled and a custom port was selected, we need this
|
||||||
if hash sestatus 2>/dev/null; then
|
if hash sestatus 2>/dev/null; then
|
||||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||||
if [[ "$PORT" != '1194' ]]; then
|
if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
|
||||||
# semanage isn't available in CentOS 6 by default
|
# semanage isn't available in CentOS 6 by default
|
||||||
if ! hash semanage 2>/dev/null; then
|
if ! hash semanage 2>/dev/null; then
|
||||||
yum install policycoreutils-python -y
|
yum install policycoreutils-python -y
|
||||||
fi
|
fi
|
||||||
semanage port -a -t openvpn_port_t -p udp $PORT
|
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -371,16 +373,9 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf
|
|||||||
fi
|
fi
|
||||||
# client-common.txt is created so we have a template to add further users later
|
# client-common.txt is created so we have a template to add further users later
|
||||||
echo "client
|
echo "client
|
||||||
dev tun" > /etc/openvpn/client-common.txt
|
dev tun
|
||||||
case $PROTOCOL in
|
proto $PROTOCOL
|
||||||
1)
|
sndbuf 0
|
||||||
echo "proto udp" >> /etc/openvpn/client-common.txt
|
|
||||||
;;
|
|
||||||
2)
|
|
||||||
echo "proto tcp" >> /etc/openvpn/client-common.txt
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
echo "sndbuf 0
|
|
||||||
rcvbuf 0
|
rcvbuf 0
|
||||||
remote $IP $PORT
|
remote $IP $PORT
|
||||||
resolv-retry infinite
|
resolv-retry infinite
|
||||||
@ -392,7 +387,7 @@ cipher AES-256-CBC
|
|||||||
comp-lzo
|
comp-lzo
|
||||||
setenv opt block-outside-dns
|
setenv opt block-outside-dns
|
||||||
key-direction 1
|
key-direction 1
|
||||||
verb 3" >> /etc/openvpn/client-common.txt
|
verb 3" > /etc/openvpn/client-common.txt
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
newclient "$CLIENT"
|
newclient "$CLIENT"
|
||||||
echo ""
|
echo ""
|
||||||
|
Loading…
Reference in New Issue
Block a user