diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md
index 35932d9..79b2f78 100644
--- a/Documentation/client-ssl.md
+++ b/Documentation/client-ssl.md
@@ -12,7 +12,12 @@
 ## Windows
 - Configure `stunnel`
- - Download and install [stunnel](https://www.stunnel.org/downloads.html)
+ - Download and install [stunnel](https://www.stunnel.org/downloads.html)
+ - Copy `stunnel.conf` and `stunnel.crt` to the `config` folder in `stunnel`'s install directory.
+ - On 64-bit Windows systems, `stunnel`'s install directory is `C:\Program Files (x86)\stunnel`, unless you
+ changed it during installation.
+ - On 32-bit Windows systems, `stunnel`'s install directory is `C:\Program Files\stunnel`, unless you
+ changed it during installation.
 - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu
 - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration`
 - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing.
@@ -38,15 +43,21 @@
 ```bash
 brew install stunnel
 ```
+ - Open `stunnel.conf` with a text editor (e.g. `TextEdit`), locate this line:
+ `CAfile = /etc/stunnel/stunnel.crt`
+
+ Replace the entire line with:
+
+ `CAfile = /usr/local/etc/stunnel/stunnel.crt`
 - Configure and start `stunnel`
 ```bash
 # In order to run these, you need to log in to your Mac with an administrator account.
 # When prompted for password, enter the password of the current user,
- # Run this in the directory that contains 'stunnel.conf'
- sudo cp stunnel.conf /usr/local/etc/stunnel/stunnel.conf
+ # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt'
+ sudo cp stunnel.conf stunnel.crt /usr/local/etc/stunnel/
 # Start stunnel
 sudo stunnel
 ```
@@ -81,8 +92,8 @@
 - Configure and start `stunnel`
 ```bash
- # Run this in the directory that contains 'stunnel.conf'
- sudo cp stunnel.conf /etc/stunnel/
+ # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt'
+ sudo cp stunnel.conf stunnel.crt /etc/stunnel/
 # Start stunnel
 sudo stunnel
 ```
diff --git a/README.md b/README.md
index 43cfab9..3b736d0 100644
--- a/README.md
+++ b/README.md
@@ -27,24 +27,22 @@ If you run into any issues during installation, please refer to [Troubleshooting
 - **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.**
- - CentOS 6 or older
- - Debian 8 (Jessie) or older
- - Ubuntu 16.10 or older
+ - CentOS 6 or older
+ - Debian 8 (Jessie) or older
+ - Ubuntu 16.10 or older
 - Run this in a terminal on your server, and follow the on-screen instructions:
- ```bash
- # Download the script
- wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh
+ ```bash
+ # Download the script
+ wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh
- # Run the install script
- sudo bash openvpn-install.sh
+ # Run the install script
+ sudo bash openvpn-install.sh
- # Note: If you're running Ubuntu 16.10 or older
-
- # Start stunnel (only if you're using OpenVPN over SSL)
- sudo stunnel
- ```
+ # Start stunnel (only if you're using OpenVPN over SSL)
+ sudo stunnel
+ ```
 - Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next.
@@ -52,9 +50,10 @@ If you run into any issues during installation, please refer to [Troubleshooting
 ### Before continuing...
-- Download `stunnel.conf` and the `.ovpn` file from your server.
-- If your username is `root`, they're located at `/root`.
-- Otherwise, they're located at `/home/`.
+- Download the `.ovpn` file from your server.
+- If you're using OpenVPN with SSL, also download `stunnel.crt` and `stunnel.conf` from your server.
+- If your username is `root`, they're located at `/root`.
+- Otherwise, they're located at `/home/`.
 ### OS-specific setup processes
@@ -97,7 +96,7 @@ If you run into any issues during installation, please refer to [Troubleshooting
 ps -A | grep openvpn
 ```
- - If you still can't connect, try removing and reinstalling OpenVPN on your server.
+ - If you still can't connect, try removing and reinstalling OpenVPN on your server.
 - Run the install script and select `Uninstall`
 - Run the install script again and make sure you enter the correct information.
@@ -109,4 +108,4 @@ You can get a VPS for as little as $2.50/month (IPv6 only) or $5/month (with IPv
 ## Donations
-If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks!
+If you want to show some appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks!
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 1c23aec..044237d 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -149,9 +149,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
 fi
 if [[ "$OS" = 'debian' ]]; then
- apt remove --purge openvpn stunnel4 easy-rsa -y
+ apt remove --purge openvpn stunnel4 -y
 else
- yum remove openvpn stunnel4 easy-rsa -y
+ yum remove openvpn stunnel4 -y
 fi
 rm -rf /etc/openvpn /etc/stunnel
 rm -f /etc/sysctl.d/30-openvpn-forward.conf
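Review bot: The CentOS uninstall branch still runs `yum remove openvpn stunnel4 -y`, but the install branch changed in this same commit (the `@@ -240` hunk) installs the package as `stunnel` on CentOS, so on that distro the uninstall path names a package it never installed and leaves stunnel in place; change the line to `yum remove openvpn stunnel -y`. Dropping `easy-rsa` from both package lists is consistent with the new vendored copy under `/etc/openvpn/easy-rsa/`, which the following `rm -rf /etc/openvpn /etc/stunnel` line now removes. The `if [[ -e /etc/openvpn/server.conf ]]` block this sits in starts before the hunk and its closing `fi` is not within it.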
@@ -240,21 +240,28 @@ else
 if [[ "$OS" = 'debian' ]]; then
 apt update
 apt dist-upgrade -y
- apt install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y
+ apt install curl openvpn iptables openssl ca-certificates stunnel4 -y
 else
 # Else, the distro is CentOS
 yum install epel-release -y
- yum install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y
+ yum install curl openvpn iptables openssl ca-certificates stunnel -y
 fi
- mkdir /etc/openvpn/easy-rsa/
+ # Get easy-rsa
+ EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz'
+ wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
+ tar xzf ~/easyrsa.tgz -C ~/
+ mv ~/EasyRSA-3.0.4/ /etc/openvpn/
+ mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
+ chown -R root:root /etc/openvpn/easy-rsa/
+ rm -f ~/easyrsa.tgz
 cd /etc/openvpn/easy-rsa/
 # Create the PKI, set up the CA, the DH params and the server + client certificates
- easyrsa init-pki
- easyrsa --batch build-ca nopass
- easyrsa gen-dh
- easyrsa build-server-full server nopass
- easyrsa build-client-full $CLIENT nopass
- EASYRSA_CRL_DAYS=3650 easyrsa gen-crl
+ ./easyrsa init-pki
+ ./easyrsa --batch build-ca nopass
+ ./easyrsa gen-dh
+ ./easyrsa build-server-full server nopass
+ ./easyrsa build-client-full $CLIENT nopass
+ EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 # Move the stuff we need
 csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}'
 rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt
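Review bot: The easy-rsa tarball fetched from `EASYRSAURL` is extracted and moved into `/etc/openvpn/easy-rsa/` with no integrity check, and the exit status of the `wget ... || curl` line and of `tar xzf` is never examined, so a truncated or substituted download flows straight into the `./easyrsa build-ca` step that creates the VPN's root of trust. Pin the expected SHA-256 of `EasyRSA-3.0.4.tgz` next to the URL, check it with `sha256sum -c` before extracting, and abort on any failure; `curl -f` additionally keeps an HTTP error body from being saved as the archive. A `mktemp` download path avoids writing the archive into `~/`, which when the script is run via `sudo` may not resolve to root's home (the script relies on `$HOME` elsewhere, so this is worth confirming rather than assuming). The enclosing `else` branch starts before this hunk, and the moved `./easyrsa build-client-full $CLIENT nopass` line still passes `$CLIENT` unquoted.
```shell
# Get easy-rsa (pinned release; the digest below is a PLACEHOLDER to be filled from the release's published checksum)
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz'
EASYRSASHA256='<SHA256_OF_EasyRSA-3.0.4.tgz_PLACEHOLDER>'
EASYRSATGZ=$(mktemp) || exit 1
wget -O "$EASYRSATGZ" "$EASYRSAURL" 2>/dev/null || curl -fLo "$EASYRSATGZ" "$EASYRSAURL" || { echo 'easy-rsa download failed' >&2; exit 1; }
# Refuse to install a PKI tool whose contents do not match the pinned release
echo "$EASYRSASHA256  $EASYRSATGZ" | sha256sum -c - >/dev/null || { echo 'easy-rsa checksum mismatch' >&2; exit 1; }
tar xzf "$EASYRSATGZ" -C ~/ || exit 1
rm -f "$EASYRSATGZ"
# … unchanged: mv/chown into /etc/openvpn/easy-rsa/, cd, ./easyrsa calls …
```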
@@ -441,13 +448,13 @@ debug = 7
 accept = 127.0.0.1:1194
 connect = $IP:$PORT
 verify = 2
-CAfile = stunnel.crt
+CAfile = /etc/stunnel/stunnel.crt
 TIMEOUTclose = 1000
 session=300
 stack=65536
 sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf
 cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf
- cp /etc/openvpn/server.crt $HOME/stunnel.crt
+ cp /etc/openvpn/ca.crt $HOME/stunnel.crt
 fi
 # Generates the custom client.ovpn
 newclient "$CLIENT"
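Review bot: With `CAfile` now pointing at a copy of `/etc/openvpn/ca.crt`, the unchanged `verify = 2` makes the client accept any certificate issued by that CA as the stunnel server, and the same CA issues every client certificate produced by `./easyrsa build-client-full` in the install hunk, so the generated client config no longer ties trust to the specific server certificate the way the old `server.crt` copy did (at least in intent). Consider adding a peer-identity constraint to `stunnel-client.conf`, for example `checkHost` or `checkIP` matching the server certificate's subject/SAN, or `verify = 3` together with the server certificate, and confirm the chosen option against the stunnel version shipped on the target distros. A short comment above the `echo`, such as `# The client trusts any server cert chained to ca.crt; no host/IP pinning is applied here`, would record the trade-off for the next maintainer. The `if` closed by the visible `fi` starts before this hunk, and `$HOME` on the two `cp` lines is unquoted.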