From 891af62a92b8d8796a6ef5c5a16de70a94e5ed0e Mon Sep 17 00:00:00 2001
From: zabullet
Date: Tue, 29 Dec 2015 17:21:49 +0200
Subject: [PATCH] Added support for configuring OVPN for tcp
- Added protocol selection for udp or tcp.
- Selection is added to the client and server config.
- Firewall is correctly modified for protocol selection
---
 openvpn-install.sh | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 9fa1186..65c731c 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -131,15 +131,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 if [[ "$REMOVE" = 'y' ]]; then
 PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
+ PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
 if pgrep firewalld; then
 # Using both permanent and not permanent rules to avoid a firewalld reload.
- firewall-cmd --zone=public --remove-port=$PORT/udp
+ firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
 firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
- firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
+ firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
 firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
 fi
 if iptables -L | grep -qE 'REJECT|DROP'; then
- sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
+ sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
 sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
 sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
 fi
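Review bot: The added `PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)` is fed straight into `--remove-port=$PORT/$PROTOCOL` and the `sed` delete pattern without any check; if the grep matches nothing, or server.conf was hand-edited to a value such as `tcp-server` that firewall-cmd will presumably not accept as a port protocol, the remove calls fail, the script carries on silently, and the VPN port is left open after the "uninstall". Validate the value before using it, e.g. `case "$PROTOCOL" in udp|tcp) ;; *) echo "Unrecognized proto '$PROTOCOL' in server.conf, remove the firewall rules manually" >&2 ;; esac`, and since none of the firewall-cmd exit statuses are checked, a `|| echo "warning: could not remove port rule" >&2` on the remove calls would make the failure visible. The enclosing `if [[ "$REMOVE" = 'y' ]]` block continues past the end of this hunk.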
@@ -177,6 +178,19 @@ else
 echo "What port do you want for OpenVPN?"
 read -p "Port: " -e -i 1194 PORT
 echo ""
+ echo "What protocol do you want for OpenVPN?"
+ echo " 1) udp"
+ echo " 2) tcp"
+ read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
+ case $PROTOCOL in
+ 1)
+ PROTOCOL="udp"
+ ;;
+ 2)
+ PROTOCOL="tcp"
+ ;;
+ esac
+ echo ""
 echo "What DNS do you want to use with the VPN?"
 echo " 1) Current system resolvers"
 echo " 2) OpenDNS"
@@ -223,7 +237,7 @@ else
 cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn
 # Generate server.conf
 echo "port $PORT
-proto udp
+proto $PROTOCOL
 dev tun
 sndbuf 0
 rcvbuf 0
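Review bot: The new `case $PROTOCOL in` has no `*)` arm, so anything other than `1` or `2` at the prompt (a typo, or the pre-filled default erased) leaves `PROTOCOL` holding the raw keyboard input, which the later hunks then write verbatim into `proto $PROTOCOL` in server.conf and pass to firewall-cmd and iptables. Add a default arm that aborts or loops until a valid choice is entered, e.g. `*) echo "Invalid protocol selection: $PROTOCOL" >&2; exit 1 ;;`, and quote the selector (`case "$PROTOCOL" in`) so an empty answer is still matched by that arm. `read -r -p "Protocol [1-2]: " -e -i 1 PROTOCOL` would also stop a stray backslash from being interpreted. The `else` branch this hunk sits in begins and ends outside the hunk.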
@@ -290,19 +304,19 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
 # We don't use --add-service=openvpn because that would only work with
 # the default port. Using both permanent and not permanent rules to
 # avoid a firewalld reload.
- firewall-cmd --zone=public --add-port=$PORT/udp
+ firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
 firewall-cmd --zone=trusted --add-source=10.8.0.0/24
- firewall-cmd --permanent --zone=public --add-port=$PORT/udp
+ firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
 fi
 if iptables -L | grep -qE 'REJECT|DROP'; then
 # If iptables has at least one REJECT rule, we asume this is needed.
 # Not the best approach but I can't think of other and this shouldn't
 # cause problems.
- iptables -I INPUT -p udp --dport $PORT -j ACCEPT
+ iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
 iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
 iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
+ sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
 sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
 sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
 fi
@@ -339,7 +353,7 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
 # client-common.txt is created so we have a template to add further users later
 echo "client
 dev tun
-proto udp
+proto $PROTOCOL
 sndbuf 0
 rcvbuf 0
 remote $IP $PORT
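Review bot: `firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL` and `iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT` both assume `PROTOCOL` is exactly `udp` or `tcp`, and no exit status in this block is checked, so with a bad or empty value the rule is never added, the error scrolls past, and the install carries on with the listening port still closed; the persisted `sed -i "1 a\iptables ... -p $PROTOCOL ..."` line would likewise bake the bad value into rc.local. A guard ahead of the firewall section, `[[ "$PROTOCOL" == udp || "$PROTOCOL" == tcp ]] || { echo "Unsupported protocol: $PROTOCOL" >&2; exit 1; }`, makes the assumption explicit and fails before any rule is touched. Quoting the expansions (`--add-port="$PORT/$PROTOCOL"`, `-p "$PROTOCOL" --dport "$PORT"`) would also follow the shell convention of quoting every expansion. The `if pgrep firewalld` block this hunk edits opens before its first visible line.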