1
0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-11-24 05:56:08 +03:00

get easy-rsa from github, validate CA on client side

This commit is contained in:
Chris Xiao 2018-07-26 20:57:37 -04:00
parent 7bfa2bb2be
commit 6e4454d92a
No known key found for this signature in database
GPG Key ID: F6C6CFB7122581AE
3 changed files with 53 additions and 36 deletions

View File

@ -12,7 +12,12 @@
## Windows ## Windows
- Configure `stunnel` - Configure `stunnel`
- Download and install [stunnel](https://www.stunnel.org/downloads.html) - Download and install [stunnel](https://www.stunnel.org/downloads.html)
- Copy `stunnel.conf` and `stunnel.crt` to the `config` folder in `stunnel`'s install directory.
- On 64-bit Windows systems, `stunnel`'s install directory is `C:\Program Files (x86)\stunnel`, unless you
changed it during installation.
- On 32-bit Windows systems, `stunnel`'s install directory is `C:\Program Files\stunnel`, unless you
changed it during installation.
- Start `stunnel` by launching `stunnel GUI start ` from the Start Menu - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu
- Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration`
- Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing.
@ -38,15 +43,21 @@
```bash ```bash
brew install stunnel brew install stunnel
``` ```
- Open `stunnel.conf` with a text editor (e.g. `TextEdit`), locate this line:
`CAfile = /etc/stunnel/stunnel.crt`
Replace the entire line with:
`CAfile = /usr/local/etc/stunnel/stunnel.crt`
- Configure and start `stunnel` - Configure and start `stunnel`
```bash ```bash
# In order to run these, you need to log in to your Mac with an administrator account. # In order to run these, you need to log in to your Mac with an administrator account.
# When prompted for password, enter the password of the current user, # When prompted for password, enter the password of the current user,
# Run this in the directory that contains 'stunnel.conf' # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt'
sudo cp stunnel.conf /usr/local/etc/stunnel/stunnel.conf sudo cp stunnel.conf stunnel.crt /usr/local/etc/stunnel/
# Start stunnel # Start stunnel
sudo stunnel sudo stunnel
``` ```
@ -81,8 +92,8 @@
- Configure and start `stunnel` - Configure and start `stunnel`
```bash ```bash
# Run this in the directory that contains 'stunnel.conf' # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt'
sudo cp stunnel.conf /etc/stunnel/ sudo cp stunnel.conf stunnel.crt /etc/stunnel/
# Start stunnel # Start stunnel
sudo stunnel sudo stunnel
``` ```

View File

@ -27,24 +27,22 @@ If you run into any issues during installation, please refer to [Troubleshooting
- **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.** - **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.**
- CentOS 6 or older - CentOS 6 or older
- Debian 8 (Jessie) or older - Debian 8 (Jessie) or older
- Ubuntu 16.10 or older - Ubuntu 16.10 or older
- Run this in a terminal on your server, and follow the on-screen instructions: - Run this in a terminal on your server, and follow the on-screen instructions:
```bash ```bash
# Download the script # Download the script
wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh
# Run the install script # Run the install script
sudo bash openvpn-install.sh sudo bash openvpn-install.sh
# Note: If you're running Ubuntu 16.10 or older # Start stunnel (only if you're using OpenVPN over SSL)
sudo stunnel
# Start stunnel (only if you're using OpenVPN over SSL) ```
sudo stunnel
```
- Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next. - Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next.
@ -52,9 +50,10 @@ If you run into any issues during installation, please refer to [Troubleshooting
### Before continuing... ### Before continuing...
- Download `stunnel.conf` and the `.ovpn` file from your server. - Download the `.ovpn` file from your server.
- If your username is `root`, they're located at `/root`. - If you're using OpenVPN with SSL, also download `stunnel.crt` and `stunnel.conf` from your server.
- Otherwise, they're located at `/home/<YOUR USERNAME>`. - If your username is `root`, they're located at `/root`.
- Otherwise, they're located at `/home/<YOUR USERNAME>`.
### OS-specific setup processes ### OS-specific setup processes
@ -97,7 +96,7 @@ If you run into any issues during installation, please refer to [Troubleshooting
ps -A | grep openvpn ps -A | grep openvpn
``` ```
- If you still can't connect, try removing and reinstalling OpenVPN on your server. - If you still can't connect, try removing and reinstalling OpenVPN on your server.
- Run the install script and select `Uninstall` - Run the install script and select `Uninstall`
- Run the install script again and make sure you enter the correct information. - Run the install script again and make sure you enter the correct information.
@ -109,4 +108,4 @@ You can get a VPS for as little as $2.50/month (IPv6 only) or $5/month (with IPv
## Donations ## Donations
If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! If you want to show some appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks!

View File

@ -149,9 +149,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
fi fi
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt remove --purge openvpn stunnel4 easy-rsa -y apt remove --purge openvpn stunnel4 -y
else else
yum remove openvpn stunnel4 easy-rsa -y yum remove openvpn stunnel4 -y
fi fi
rm -rf /etc/openvpn /etc/stunnel rm -rf /etc/openvpn /etc/stunnel
rm -f /etc/sysctl.d/30-openvpn-forward.conf rm -f /etc/sysctl.d/30-openvpn-forward.conf
@ -240,21 +240,28 @@ else
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt update apt update
apt dist-upgrade -y apt dist-upgrade -y
apt install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y apt install curl openvpn iptables openssl ca-certificates stunnel4 -y
else else
# Else, the distro is CentOS # Else, the distro is CentOS
yum install epel-release -y yum install epel-release -y
yum install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y yum install curl openvpn iptables openssl ca-certificates stunnel -y
fi fi
mkdir /etc/openvpn/easy-rsa/ # Get easy-rsa
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz'
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
tar xzf ~/easyrsa.tgz -C ~/
mv ~/EasyRSA-3.0.4/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -f ~/easyrsa.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
# Create the PKI, set up the CA, the DH params and the server + client certificates # Create the PKI, set up the CA, the DH params and the server + client certificates
easyrsa init-pki ./easyrsa init-pki
easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
easyrsa gen-dh ./easyrsa gen-dh
easyrsa build-server-full server nopass ./easyrsa build-server-full server nopass
easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Move the stuff we need # Move the stuff we need
csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt
@ -441,13 +448,13 @@ debug = 7
accept = 127.0.0.1:1194 accept = 127.0.0.1:1194
connect = $IP:$PORT connect = $IP:$PORT
verify = 2 verify = 2
CAfile = stunnel.crt CAfile = /etc/stunnel/stunnel.crt
TIMEOUTclose = 1000 TIMEOUTclose = 1000
session=300 session=300
stack=65536 stack=65536
sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf
cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf
cp /etc/openvpn/server.crt $HOME/stunnel.crt cp /etc/openvpn/ca.crt $HOME/stunnel.crt
fi fi
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"