mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-24 05:56:08 +03:00
get easy-rsa from github, validate CA on client side
parent
7bfa2bb2be
commit
6e4454d92a
@ -12,7 +12,12 @@
|
|||||||
## Windows
|
## Windows
|
||||||
|
|
||||||
- Configure `stunnel`
|
- Configure `stunnel`
|
||||||
- Download and install [stunnel](https://www.stunnel.org/downloads.html)
|
- Download and install [stunnel](https://www.stunnel.org/downloads.html)
|
||||||
|
- Copy `stunnel.conf` and `stunnel.crt` to the `config` folder in `stunnel`'s install directory.
|
||||||
|
- On 64-bit Windows systems, `stunnel`'s install directory is `C:\Program Files (x86)\stunnel`, unless you
|
||||||
|
changed it during installation.
|
||||||
|
- On 32-bit Windows systems, `stunnel`'s install directory is `C:\Program Files\stunnel`, unless you
|
||||||
|
changed it during installation.
|
||||||
- Start `stunnel` by launching `stunnel GUI start ` from the Start Menu
|
- Start `stunnel` by launching `stunnel GUI start ` from the Start Menu
|
||||||
- Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration`
|
- Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration`
|
||||||
- Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing.
|
- Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing.
|
||||||
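Review bot: the Windows steps now copy `stunnel.crt` into stunnel's `config` folder, but the client config the script generates (see the change to `CAfile = /etc/stunnel/stunnel.crt` later in this commit, replacing the relative `stunnel.crt`) points at a Unix path that cannot be loaded on Windows, so `verify = 2` has no CA to check against. Add a step mirroring the macOS section that tells Windows users to replace the `CAfile` line with the path of the copied file, e.g. `CAfile = C:\Program Files (x86)\stunnel\config\stunnel.crt` (or the 32-bit install directory given above), or have the script keep a relative `CAfile` in the copy it hands to Windows users.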
@ -38,15 +43,21 @@
|
|||||||
```bash
|
```bash
|
||||||
brew install stunnel
|
brew install stunnel
|
||||||
```
|
```
|
||||||
|
- Open `stunnel.conf` with a text editor (e.g. `TextEdit`), locate this line:
|
||||||
|
|
||||||
|
`CAfile = /etc/stunnel/stunnel.crt`
|
||||||
|
|
||||||
|
Replace the entire line with:
|
||||||
|
|
||||||
|
`CAfile = /usr/local/etc/stunnel/stunnel.crt`
|
||||||
- Configure and start `stunnel`
|
- Configure and start `stunnel`
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# In order to run these, you need to log in to your Mac with an administrator account.
|
# In order to run these, you need to log in to your Mac with an administrator account.
|
||||||
# When prompted for password, enter the password of the current user,
|
# When prompted for password, enter the password of the current user,
|
||||||
|
|
||||||
# Run this in the directory that contains 'stunnel.conf'
|
# Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt'
|
||||||
sudo cp stunnel.conf /usr/local/etc/stunnel/stunnel.conf
|
sudo cp stunnel.conf stunnel.crt /usr/local/etc/stunnel/
|
||||||
# Start stunnel
|
# Start stunnel
|
||||||
sudo stunnel
|
sudo stunnel
|
||||||
```
|
```
|
||||||
@ -81,8 +92,8 @@
|
|||||||
- Configure and start `stunnel`
|
- Configure and start `stunnel`
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Run this in the directory that contains 'stunnel.conf'
|
# Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt'
|
||||||
sudo cp stunnel.conf /etc/stunnel/
|
sudo cp stunnel.conf stunnel.crt /etc/stunnel/
|
||||||
# Start stunnel
|
# Start stunnel
|
||||||
sudo stunnel
|
sudo stunnel
|
||||||
```
|
```
|
||||||
|
35
README.md
35
README.md
@ -27,24 +27,22 @@ If you run into any issues during installation, please refer to [Troubleshooting
|
|||||||
|
|
||||||
- **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.**
|
- **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.**
|
||||||
|
|
||||||
- CentOS 6 or older
|
- CentOS 6 or older
|
||||||
- Debian 8 (Jessie) or older
|
- Debian 8 (Jessie) or older
|
||||||
- Ubuntu 16.10 or older
|
- Ubuntu 16.10 or older
|
||||||
|
|
||||||
- Run this in a terminal on your server, and follow the on-screen instructions:
|
- Run this in a terminal on your server, and follow the on-screen instructions:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Download the script
|
# Download the script
|
||||||
wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh
|
wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh
|
||||||
|
|
||||||
# Run the install script
|
# Run the install script
|
||||||
sudo bash openvpn-install.sh
|
sudo bash openvpn-install.sh
|
||||||
|
|
||||||
# Note: If you're running Ubuntu 16.10 or older
|
# Start stunnel (only if you're using OpenVPN over SSL)
|
||||||
|
sudo stunnel
|
||||||
# Start stunnel (only if you're using OpenVPN over SSL)
|
```
|
||||||
sudo stunnel
|
|
||||||
```
|
|
||||||
|
|
||||||
- Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next.
|
- Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next.
|
||||||
|
|
||||||
@ -52,9 +50,10 @@ If you run into any issues during installation, please refer to [Troubleshooting
|
|||||||
|
|
||||||
### Before continuing...
|
### Before continuing...
|
||||||
|
|
||||||
- Download `stunnel.conf` and the `.ovpn` file from your server.
|
- Download the `.ovpn` file from your server.
|
||||||
- If your username is `root`, they're located at `/root`.
|
- If you're using OpenVPN with SSL, also download `stunnel.crt` and `stunnel.conf` from your server.
|
||||||
- Otherwise, they're located at `/home/<YOUR USERNAME>`.
|
- If your username is `root`, they're located at `/root`.
|
||||||
|
- Otherwise, they're located at `/home/<YOUR USERNAME>`.
|
||||||
|
|
||||||
### OS-specific setup processes
|
### OS-specific setup processes
|
||||||
|
|
||||||
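Review bot: "download" leaves the transfer method to the reader; since `stunnel.crt` is now the CA certificate the client verifies the server against (`verify = 2` with `CAfile`), the README should name an authenticated channel such as `scp` from the server, so the trust anchor cannot be replaced in transit. It would also help to state here that `stunnel.crt` is the CA certificate rather than the server certificate it used to be, because a user of the previous version who keeps an old `stunnel.crt` in place will see chain verification fail.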
@ -97,7 +96,7 @@ If you run into any issues during installation, please refer to [Troubleshooting
|
|||||||
ps -A | grep openvpn
|
ps -A | grep openvpn
|
||||||
```
|
```
|
||||||
|
|
||||||
- If you still can't connect, try removing and reinstalling OpenVPN on your server.
|
- If you still can't connect, try removing and reinstalling OpenVPN on your server.
|
||||||
- Run the install script and select `Uninstall`
|
- Run the install script and select `Uninstall`
|
||||||
- Run the install script again and make sure you enter the correct information.
|
- Run the install script again and make sure you enter the correct information.
|
||||||
|
|
||||||
@ -109,4 +108,4 @@ You can get a VPS for as little as $2.50/month (IPv6 only) or $5/month (with IPv
|
|||||||
|
|
||||||
## Donations
|
## Donations
|
||||||
|
|
||||||
If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks!
|
If you want to show some appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks!
|
||||||
|
@ -149,9 +149,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
|
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
|
||||||
fi
|
fi
|
||||||
if [[ "$OS" = 'debian' ]]; then
|
if [[ "$OS" = 'debian' ]]; then
|
||||||
apt remove --purge openvpn stunnel4 easy-rsa -y
|
apt remove --purge openvpn stunnel4 -y
|
||||||
else
|
else
|
||||||
yum remove openvpn stunnel4 easy-rsa -y
|
yum remove openvpn stunnel4 -y
|
||||||
fi
|
fi
|
||||||
rm -rf /etc/openvpn /etc/stunnel
|
rm -rf /etc/openvpn /etc/stunnel
|
||||||
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
||||||
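Review bot: the CentOS branch still runs `yum remove openvpn stunnel4 -y`, while the install hunk in this same commit changes the CentOS package name to `stunnel` (`yum install curl openvpn iptables openssl ca-certificates stunnel -y`), so uninstall will leave stunnel installed on CentOS; change it to `yum remove openvpn stunnel -y`. Since easy-rsa is no longer a distro package, `rm -rf /etc/openvpn /etc/stunnel` is now the line that deletes the downloaded EasyRSA tree together with the PKI; a comment saying so would help the next reader.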
@ -240,21 +240,28 @@ else
|
|||||||
if [[ "$OS" = 'debian' ]]; then
|
if [[ "$OS" = 'debian' ]]; then
|
||||||
apt update
|
apt update
|
||||||
apt dist-upgrade -y
|
apt dist-upgrade -y
|
||||||
apt install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y
|
apt install curl openvpn iptables openssl ca-certificates stunnel4 -y
|
||||||
else
|
else
|
||||||
# Else, the distro is CentOS
|
# Else, the distro is CentOS
|
||||||
yum install epel-release -y
|
yum install epel-release -y
|
||||||
yum install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y
|
yum install curl openvpn iptables openssl ca-certificates stunnel -y
|
||||||
fi
|
fi
|
||||||
mkdir /etc/openvpn/easy-rsa/
|
# Get easy-rsa
|
||||||
|
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz'
|
||||||
|
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
|
||||||
|
tar xzf ~/easyrsa.tgz -C ~/
|
||||||
|
mv ~/EasyRSA-3.0.4/ /etc/openvpn/
|
||||||
|
mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
|
||||||
|
chown -R root:root /etc/openvpn/easy-rsa/
|
||||||
|
rm -f ~/easyrsa.tgz
|
||||||
cd /etc/openvpn/easy-rsa/
|
cd /etc/openvpn/easy-rsa/
|
||||||
# Create the PKI, set up the CA, the DH params and the server + client certificates
|
# Create the PKI, set up the CA, the DH params and the server + client certificates
|
||||||
easyrsa init-pki
|
./easyrsa init-pki
|
||||||
easyrsa --batch build-ca nopass
|
./easyrsa --batch build-ca nopass
|
||||||
easyrsa gen-dh
|
./easyrsa gen-dh
|
||||||
easyrsa build-server-full server nopass
|
./easyrsa build-server-full server nopass
|
||||||
easyrsa build-client-full $CLIENT nopass
|
./easyrsa build-client-full $CLIENT nopass
|
||||||
EASYRSA_CRL_DAYS=3650 easyrsa gen-crl
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
# Move the stuff we need
|
# Move the stuff we need
|
||||||
csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
|
csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
|
||||||
rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt
|
rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt
|
||||||
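Review bot: the EasyRSA tarball is fetched from GitHub and extracted without any integrity check, and whatever arrives becomes the root of trust for the whole PKI that `./easyrsa build-ca` creates a few lines later. Pin the release's SHA-256 next to `EASYRSAURL` and verify it before `tar xzf`, e.g. `echo "<sha256 of EasyRSA-3.0.4.tgz>  $HOME/easyrsa.tgz" | sha256sum -c - || exit 1`. Nothing aborts when both `wget` and `curl` fail either (no `set -e` is visible), so the script would continue into `tar` and the `mv` lines with no file; check the exit status of the download line. The two consecutive `mv` lines can also collapse into `mv ~/EasyRSA-3.0.4 /etc/openvpn/easy-rsa`.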
@ -441,13 +448,13 @@ debug = 7
|
|||||||
accept = 127.0.0.1:1194
|
accept = 127.0.0.1:1194
|
||||||
connect = $IP:$PORT
|
connect = $IP:$PORT
|
||||||
verify = 2
|
verify = 2
|
||||||
CAfile = stunnel.crt
|
CAfile = /etc/stunnel/stunnel.crt
|
||||||
TIMEOUTclose = 1000
|
TIMEOUTclose = 1000
|
||||||
session=300
|
session=300
|
||||||
stack=65536
|
stack=65536
|
||||||
sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf
|
sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf
|
||||||
cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf
|
cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf
|
||||||
cp /etc/openvpn/server.crt $HOME/stunnel.crt
|
cp /etc/openvpn/ca.crt $HOME/stunnel.crt
|
||||||
fi
|
fi
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
newclient "$CLIENT"
|
newclient "$CLIENT"
|
||||||
|
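Review bot: pointing the client's `CAfile` at `ca.crt` instead of `server.crt` is what makes `verify = 2` work (a leaf certificate cannot anchor a chain), but the client now trusts the CA rather than one specific certificate, so the only thing distinguishing the server from any other certificate this CA issues (such as the client certificates from `./easyrsa build-client-full`) is OpenSSL's certificate-purpose check on key usage. An explicit identity check such as stunnel's `checkHost = server`, matching the CN passed to `./easyrsa build-server-full server`, makes that intent explicit in the generated config. The commit message should also mention that `stunnel.crt` changes meaning from server certificate to CA certificate, since existing clients must replace their copy.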