From 9eba8d40ce3b4b4f5d7577edde67e6c694009a43 Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Mon, 23 Jul 2018 23:07:23 -0400 Subject: [PATCH 1/7] Fixed a stunnel-related bug; Updated README stunnel may fail to launch in CentOS with 'setuid' and 'setgid', so I removed those from the config files. Users are now asked to run stunnel with sudo. --- README.md | 142 +++++++++++++++++++++++++++++++++++++++++---- openvpn-install.sh | 6 +- 2 files changed, 131 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 49f8fde..293b8e6 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,139 @@ -## OpenVPN install -OpenVPN installer for Debian, Ubuntu and CentOS. +# OpenVPN Installer -This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. +## To Developers and Users -### To Developers and Users -Only Trust Signed Commits. +**WARNING: Only Trust Signed Commits.** -### Installation -Run the script and follow the assistant: +## Table of Contents -`wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh && bash openvpn-install.sh` +- [Description](#description) +- [Installation](#installation) +- [Configure clients](#configure-clients) + - [Windows](#windows) + - [MacOS](#macos) + - [Linux](#linux) + - [Android](#android) + - [iOS](#ios) +- [Troubleshooting](#troubleshooting) +- [FAQ](#faq) +- [Donations](#donations) -Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. +## Description -### Where to get VPS -You can get a VPS from as little as $2.5/month at [Vultr](https://www.vultr.com/?ref=7088313) or $5/month at [DigitalOcean](https://m.do.co/c/c51ec51bb352). +OpenVPN installer for Debian, Ubuntu and CentOS, with support for OpenVPN over SSL. -### Donations +This script lets you set up your own OpenVPN server in minutes, even if you no experience OpenVPN before. It's designed to be as simple, unobtrusive, and universal as possible. + +## Installation + +If you run into any issues during installation, please refer to [Troubleshooting](#Troubleshooting). 
+### Install on CentOS/Debian/Ubuntu + +- Run this in a terminal on your server, and follow the on-screen instructions: + ```bash + # Download the script + wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh + + # Run the install script + sudo bash openvpn-install.sh + + # Start stunnel (only if you're using OpenVPN over SSL) + sudo stunnel + ``` +- Once it finishes, your OpenVPN server is up and running! You should [configure client devices](#configure-clients) next. + +## Configure clients + +### Before continuing... + +- Download `stunnel.conf` and the `.ovpn` file from your server. +- If your username is `root`, they're located at `/root`. +- Otherwise, they're located at `/home/`. + +### OS-specific setup processes + +#### Windows + +- Configure `stunnel`. Skip to the next section if you're NOT using OpenVPN over SSL + - Download and install [stunnel](https://www.stunnel.org/downloads.html) + - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu + - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` + - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. + - Right click on the `stunnel` icon again, and select `Reload Configuration` +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` + +#### MacOS + +- Supported. Instructions coming soon. + +#### Linux + +- Install `stunnel` and `openvpn` on your device. 
+ + ```bash + # Debian/Ubuntu + sudo apt install -y stunnel openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y stunnel openvpn + + # Fedora + sudo dnf install -y stunnel openvpn + ``` + +- If you're using OpenVPN over SSL, configure and start `stunnel` + + ```bash + # Run this in the directory that contains 'stunnel.conf' + sudo cp stunnel.conf /etc/stunnel/ + # Start stunnel + sudo stunnel + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +#### Android + +- Supported. Instructions coming soon. + +#### iOS + +- OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. +- If you installed OpenVPN without SSL, download [OpenVPN Connect from App Store](https://itunes.apple.com/app/openvpn-connect/id590379981) +- Follow the on-screen instruction to add the OpenVPN profile. + +## Troubleshooting + +- `wget: command not found`: This means that `wget` isn't install it on your server. Just install it and try again. To install `wget`: + + ```bash + # Run this on Debian/Ubuntu + sudo apt -y install wget + + # Run this on CentOS + sudo yum -y install wget + ``` + +- `The TUN device is not available. You need to enable TUN before running this script`: Follow [this guide](https://help.skysilk.com/support/solutions/articles/9000136471-how-to-enable-tun-tap-on-linux-vps-with-skysilk). + +## FAQ + +### Where to find a VPS + +You can get a VPS for as little as $2.50/month (IPv6 only) or $5/month (with IPv4) at [Vultr](https://www.vultr.com/?ref=7088313) or $5/month (with IPv4) at [DigitalOcean](https://m.do.co/c/c51ec51bb352). + +## Donations If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! diff --git a/openvpn-install.sh b/openvpn-install.sh index 88d26e2..0ac54d3 100644 --- a/openvpn-install.sh 
+++ b/openvpn-install.sh @@ -278,8 +278,6 @@ else pid = /var/run/stunnel4.pid debug = 7 output = /var/log/stunnel4/stunnel.log -setuid = root -setgid = root socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [openvpn] @@ -450,9 +448,7 @@ connect = $IP:$PORT TIMEOUTclose = 1000 session=300 stack=65536 -sslVersion=TLSv1.2 -setuid=root -setgid=root" > /etc/stunnel/stunnel-client.conf +sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf fi # Generates the custom client.ovpn From f6c1cd551982e5f2c218819405b65455434f1909 Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 17:07:28 -0400 Subject: [PATCH 2/7] Updated README --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 293b8e6..5f7c412 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ This script lets you set up your own OpenVPN server in minutes, even if you no e ## Installation -If you run into any issues during installation, please refer to [Troubleshooting](#Troubleshooting). +If you run into any issues during installation, please refer to [Troubleshooting](#troubleshooting). ### Install on CentOS/Debian/Ubuntu - Run this in a terminal on your server, and follow the on-screen instructions: 
@@ -106,13 +106,15 @@ If you run into any issues during installation, please refer to [Troubleshooting #### Android -- Supported. Instructions coming soon. +- OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. +- If you installed OpenVPN without SSL, download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) +- Import your OVPN file inside the app. #### iOS - OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. -- If you installed OpenVPN without SSL, download [OpenVPN Connect from App Store](https://itunes.apple.com/app/openvpn-connect/id590379981) -- Follow the on-screen instruction to add the OpenVPN profile. +- If you installed OpenVPN without SSL, download [OpenVPN Connect](https://itunes.apple.com/app/openvpn-connect/id590379981) +- Follow the on-screen instruction to import the OpenVPN profile. ## Troubleshooting From 3126e9f439857afd94c4bc4c46447bbc751506d4 Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 23:21:46 -0400 Subject: [PATCH 3/7] separated documentation files --- Documentation/client-ovpn.md | 101 ++++++++++++++++++++++++ Documentation/client-ssl.md | 149 +++++++++++++++++++++++++++++++++++ README.md | 113 ++++++++++---------------- 3 files changed, 292 insertions(+), 71 deletions(-) create mode 100644 Documentation/client-ovpn.md create mode 100644 Documentation/client-ssl.md diff --git a/Documentation/client-ovpn.md b/Documentation/client-ovpn.md new file mode 100644 index 0000000..f0e7d4a --- /dev/null +++ b/Documentation/client-ovpn.md 
@@ -0,0 +1,101 @@ +# Client Setup: OpenVPN + +## Table of Contents + +- [Windows](#windows) +- [MacOS](#macos) +- [Linux](#linux) +- [Android](#android) +- [iOS](#ios) +- [Troubleshooting](#troubleshooting) + +## Windows + +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` +- To disconnect + - Locate the OpenVPN icon in the Task Bar, right click, and select `Disconnect` + - Locate the `stunnel` icon in the Task Bar, right click, and select `Exit` + +## MacOS + +- Configure OpenVPN + - Download and install [Tunnelblick](https://tunnelblick.net/) + - Locate your OVPN file in `Finder`, and double-click to open it. + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select the server you want to connect to. +- To disconnect + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select `Disconnect All`. + - To stop `stunnel`, run this in `Terminal`: `sudo killall stunnel` + +## Linux + +- Install `openvpn` on your device. + + ```bash + # Debian/Ubuntu + sudo apt install -y openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y openvpn + + # Fedora + sudo dnf install -y openvpn + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +- To disconnect + + ```bash + # Stop OpenVPN + sudo killall openvpn + ``` + + ​ + +## Android + +- Download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) from Google Play Store +- Transfer your OVPN file to your device. +- Click on the `import` icon (between `+` and `Menu` icon), and select your OVPN file. 
+- Click on the check mark to confirm import. +- Click on a profile name to connect. + - If you see a `connection request` popup, select `Connect` or `OK`. +- To disconnect: Select the `VPN connection` notification in your notification center, and click `Disconnect` in the popup. + +## iOS + +- Download [OpenVPN Connect](https://itunes.apple.com/app/openvpn-connect/id590379981) from App Store +- Send the OVPN file as an attachment to yourself via email, and open it in your email app on the iOS device. + - If you see a popup with a list of different apps, select `OpenVPN Connect`. +- Click on the switch next to `Connection`, make sure it's at the `ON` position. +- To disconnect: click on the switch next to `Connection`, make sure it's at the `OFF` position. + +## Troubleshooting + +- If you're unable to connect to your server with OpenVPN... + + - Also check if OpenVPN is running on your server. + + ```bash + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. + + ​ \ No newline at end of file diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md new file mode 100644 index 0000000..2e7884d --- /dev/null +++ b/Documentation/client-ssl.md 
@@ -0,0 +1,149 @@ +# Client Setup: OpenVPN over SSL + +## Table of Contents + +- [Windows](#windows) +- [MacOS](#macos) +- [Linux](#linux) +- [Android](#android) +- [iOS](#ios) +- [Troubleshooting](#troubleshooting) + +## Windows + +- Configure `stunnel` + - Download and install [stunnel](https://www.stunnel.org/downloads.html) + - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu + - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` + - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. + - Right click on the `stunnel` icon again, and select `Reload Configuration` +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` +- To disconnect + - Locate the OpenVPN icon in the Task Bar, right click, and select `Disconnect` + - Locate the `stunnel` icon in the Task Bar, right click, and select `Exit` + +## MacOS + +- Configure `stunnel` + + - Install [Homebrew](https://brew.sh/) + + - Install `stunnel` via Homebrew by running this in `Terminal`: + + ```bash + brew install stunnel + ``` + + - Configure and start `stunnel` + + ```bash + # In order to run these, you need to log in to your Mac with an administrator account. + # When prompted for password, enter the password of the current user, + + # Run this in the directory that contains 'stunnel.conf' + sudo cp stunnel.conf /usr/local/etc/stunnel/stunnel.conf + # Start stunnel + sudo stunnel + ``` + +- Configure OpenVPN + + - Download and install [Tunnelblick](https://tunnelblick.net/) + - Locate your OVPN file in `Finder`, and double-click to open it. + - Locate the `Tunnelblick` icon on the top-right corner. 
Click on it, and select the server you want to connect to. + +- To disconnect + + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select `Disconnect All`. + - To stop `stunnel`, run this in `Terminal`: `sudo killall stunnel` + +## Linux + +- Install `stunnel` and `openvpn` on your device. + + ```bash + # Debian/Ubuntu + sudo apt install -y stunnel openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y stunnel openvpn + + # Fedora + sudo dnf install -y stunnel openvpn + ``` + +- Configure and start `stunnel` + + ```bash + # Run this in the directory that contains 'stunnel.conf' + sudo cp stunnel.conf /etc/stunnel/ + # Start stunnel + sudo stunnel + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +- To disconnect + + ```bash + # Stop OpenVPN + sudo killall openvpn + + # Stop stunnel + sudo killall stunnel + ``` + + ​ + +## Android + +- OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) + +## iOS + +- OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) + +## Troubleshooting + +- If you're unable to connect to your server with OpenVPN... + + - Please check if `stunnel` is running on your device. + + - On Windows, check if the `stunnel` icon is present in the Task Bar (bottom right). + - Run this to check on MacOS or Linux (both client and server) + + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + ``` + + - Also check if both `stunnel` and OpenVPN are running on your server. 
+ + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. + + ​ \ No newline at end of file diff --git a/README.md b/README.md index 5f7c412..5bbf31c 100644 --- a/README.md +++ b/README.md @@ -8,12 +8,7 @@ - [Description](#description) - [Installation](#installation) -- [Configure clients](#configure-clients) - - [Windows](#windows) - - [MacOS](#macos) - - [Linux](#linux) - - [Android](#android) - - [iOS](#ios) +- [Client setup](#client-setup) - [Troubleshooting](#troubleshooting) - [FAQ](#faq) - [Donations](#donations) @@ -29,7 +24,14 @@ This script lets you set up your own OpenVPN server in minutes, even if you no e If you run into any issues during installation, please refer to [Troubleshooting](#troubleshooting). ### Install on CentOS/Debian/Ubuntu +- **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.** + + - CentOS 6 or older + - Debian 8 (Jessie) or older + - Ubuntu 16.10 or older + - Run this in a terminal on your server, and follow the on-screen instructions: + ```bash # Download the script wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh 
@@ -37,12 +39,15 @@ If you run into any issues during installation, please refer to [Troubleshooting # Run the install script sudo bash openvpn-install.sh + # Note: If you're running Ubuntu 16.10 or older + # Start stunnel (only if you're using OpenVPN over SSL) sudo stunnel ``` -- Once it finishes, your OpenVPN server is up and running! You should [configure client devices](#configure-clients) next. -## Configure clients +- Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next. + +## Client setup ### Before continuing... 
@@ -52,69 +57,8 @@ If you run into any issues during installation, please refer to [Troubleshooting ### OS-specific setup processes -#### Windows - -- Configure `stunnel`. Skip to the next section if you're NOT using OpenVPN over SSL - - Download and install [stunnel](https://www.stunnel.org/downloads.html) - - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu - - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` - - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. - - Right click on the `stunnel` icon again, and select `Reload Configuration` -- Configure OpenVPN - - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) - - Start `OpenVPN GUI` from the Start Menu - - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` - - Select your OVPN file - - Right click on the OpenVPN icon again, and select `Connect` - -#### MacOS - -- Supported. Instructions coming soon. - -#### Linux - -- Install `stunnel` and `openvpn` on your device. - - ```bash - # Debian/Ubuntu - sudo apt install -y stunnel openvpn - - # CentOS/RHEL - sudo yum install -y epel-release - sudo yum install -y stunnel openvpn - - # Fedora - sudo dnf install -y stunnel openvpn - ``` - -- If you're using OpenVPN over SSL, configure and start `stunnel` - - ```bash - # Run this in the directory that contains 'stunnel.conf' - sudo cp stunnel.conf /etc/stunnel/ - # Start stunnel - sudo stunnel - ``` - -- Connect to OpenVPN - - ```bash - # Run this in the directory that contains your OVPN file - # Replace 'client' with your OVPN filename - openvpn --config client.ovpn - ``` - -#### Android - -- OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. 
-- If you installed OpenVPN without SSL, download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) -- Import your OVPN file inside the app. - -#### iOS - -- OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. -- If you installed OpenVPN without SSL, download [OpenVPN Connect](https://itunes.apple.com/app/openvpn-connect/id590379981) -- Follow the on-screen instruction to import the OpenVPN profile. +- [OpenVPN (without SSL)](Documentation/client-ovpn.md) +- [OpenVPN over SSL](Documentation/client-ssl.md) ## Troubleshooting @@ -130,6 +74,33 @@ If you run into any issues during installation, please refer to [Troubleshooting - `The TUN device is not available. You need to enable TUN before running this script`: Follow [this guide](https://help.skysilk.com/support/solutions/articles/9000136471-how-to-enable-tun-tap-on-linux-vps-with-skysilk). +- If you're unable to connect to your server with OpenVPN... + + - Please check if `stunnel` is running on your device. (if you're using OpenVPN over SSL) + + - On Windows, check if the `stunnel` icon is present in the Task Bar (bottom right). + - Run this to check on MacOS or Linux (both client and server) + + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + ``` + + - Also check if both `stunnel` (if applicable) and OpenVPN are running on your server. + + ```bash + # You should see stunnel in the output (if you're using OpenVPN over SSL) + ps -A | grep stunnel + + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. + ## FAQ ### Where to find a VPS From e52970decc365f5331efdc9ba6f0904971fe9269 Mon Sep 17 00:00:00 2001 
From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 23:25:48 -0400 Subject: [PATCH 4/7] fixed formatting in documentation --- Documentation/client-ovpn.md | 7 +------ Documentation/client-ssl.md | 5 ----- README.md | 2 +- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/Documentation/client-ovpn.md b/Documentation/client-ovpn.md index f0e7d4a..ab95519 100644 --- a/Documentation/client-ovpn.md +++ b/Documentation/client-ovpn.md @@ -62,8 +62,6 @@ sudo killall openvpn ``` - ​ - ## Android - Download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) from Google Play Store @@ -86,16 +84,13 @@ - If you're unable to connect to your server with OpenVPN... - - Also check if OpenVPN is running on your server. + - Check if OpenVPN is running on your server. ```bash # You should see openvpn in the output ps -A | grep openvpn ``` - - If you still can't connect, try removing and reinstalling OpenVPN on your server. - Run the install script and select `Uninstall` - Run the install script again and make sure you enter the correct information. - - ​ \ No newline at end of file diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md index 2e7884d..ac50db9 100644 --- a/Documentation/client-ssl.md +++ b/Documentation/client-ssl.md @@ -105,8 +105,6 @@ sudo killall stunnel ``` - ​ - ## Android - OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. @@ -141,9 +139,6 @@ ps -A | grep openvpn ``` - - If you still can't connect, try removing and reinstalling OpenVPN on your server. - Run the install script and select `Uninstall` - Run the install script again and make sure you enter the correct information. - - ​ \ No newline at end of file diff --git a/README.md b/README.md index 5bbf31c..43cfab9 100644 --- a/README.md +++ b/README.md 
@@ -22,6 +22,7 @@ This script lets you set up your own OpenVPN server in minutes, even if you no e ## Installation If you run into any issues during installation, please refer to [Troubleshooting](#troubleshooting). + ### Install on CentOS/Debian/Ubuntu - **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.** @@ -96,7 +97,6 @@ If you run into any issues during installation, please refer to [Troubleshooting ps -A | grep openvpn ``` - - If you still can't connect, try removing and reinstalling OpenVPN on your server. - Run the install script and select `Uninstall` - Run the install script again and make sure you enter the correct information. From 54d7f66d96a3ba3f5b45635c27cd96d827c2c62e Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 23:27:25 -0400 Subject: [PATCH 5/7] fixed links in ssl docs --- Documentation/client-ssl.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md index ac50db9..35932d9 100644 --- a/Documentation/client-ssl.md +++ b/Documentation/client-ssl.md @@ -108,12 +108,12 @@ ## Android - OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. -- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](client-ovpn.md) ## iOS - OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. -- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](client-ovpn.md) ## Troubleshooting From dc2ff7fb755f6bb08778497521baa494230f60fe Mon Sep 17 00:00:00 2001 
From: Birkhoff Date: Wed, 25 Jul 2018 17:17:17 -0400 Subject: [PATCH 6/7] Install easy-rsa instead of downloading tarball from GitHub --- openvpn-install.sh | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0ac54d3..b217a38 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -147,9 +147,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then - apt remove --purge openvpn stunnel4 -y + apt remove --purge openvpn stunnel4 easy-rsa -y else - yum remove openvpn stunnel4 -y + yum remove openvpn stunnel4 easy-rsa -y fi rm -rf /etc/openvpn /etc/stunnel rm -f /etc/sysctl.d/30-openvpn-forward.conf 
@@ -238,28 +238,21 @@ else if [[ "$OS" = 'debian' ]]; then apt update apt dist-upgrade -y - apt install openvpn iptables openssl ca-certificates stunnel4 -y + apt install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y else # Else, the distro is CentOS yum install epel-release -y - yum install openvpn iptables openssl ca-certificates stunnel4 -y + yum install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y fi - # Get easy-rsa - EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz' - wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" - tar xzf ~/easyrsa.tgz -C ~/ - mv ~/EasyRSA-3.0.4/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ - chown -R root:root /etc/openvpn/easy-rsa/ - rm -f ~/easyrsa.tgz + mkdir /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/ # Create the PKI, set up the CA, the DH params and the server + client certificates - ./easyrsa init-pki - ./easyrsa --batch build-ca nopass - ./easyrsa gen-dh - ./easyrsa build-server-full server nopass - ./easyrsa build-client-full $CLIENT nopass - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + easyrsa init-pki + easyrsa --batch build-ca nopass + easyrsa gen-dh + easyrsa build-server-full server nopass + easyrsa build-client-full $CLIENT nopass + EASYRSA_CRL_DAYS=3650 easyrsa gen-crl # Move the stuff we need csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt From 7bfa2bb2beb2a4b91baccd9b2cf3cfad16e5cb54 Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Wed, 25 Jul 2018 17:35:27 -0400 Subject: [PATCH 7/7] Verify SSL certificate --- openvpn-install.sh | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index b217a38..1c23aec 100644 --- a/openvpn-install.sh 
+++ b/openvpn-install.sh @@ -67,13 +67,15 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "Please, use one word only, no special characters." read -p "Client name: " -e CLIENT cd /etc/openvpn/easy-rsa/ - ./easyrsa build-client-full $CLIENT nopass - # Generates the custom client.ovpn - cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + easyrsa build-client-full $CLIENT nopass newclient "$CLIENT" echo echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" - echo "and ~/stunnel.conf. Install stunnel4 on client before you continue." + if [ -f /etc/stunnel/stunnel-client.conf ]; then + cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/server.crt $HOME/stunnel.crt + echo "~/stunnel.crt and ~/stunnel.conf." + fi exit ;; 2) @@ -98,8 +100,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then cd /etc/openvpn/easy-rsa/ - ./easyrsa --batch revoke $CLIENT - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + easyrsa --batch revoke $CLIENT + EASYRSA_CRL_DAYS=3650 easyrsa gen-crl rm -f pki/reqs/$CLIENT.req rm -f pki/private/$CLIENT.key rm -f pki/issued/$CLIENT.crt @@ -438,11 +440,14 @@ debug = 7 [openvpn] accept = 127.0.0.1:1194 connect = $IP:$PORT +verify = 2 +CAfile = stunnel.crt TIMEOUTclose = 1000 session=300 stack=65536 sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/server.crt $HOME/stunnel.crt fi # Generates the custom client.ovpn newclient "$CLIENT" @@ -451,7 +456,7 @@ sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf echo echo "Your client configuration is available at: ~/$CLIENT.ovpn" if [[ $SSL=1 ]]; then - echo "and ~/stunnel.conf. Install stunnel4 on client before you continue." + echo "~/stunnel.crt and ~/stunnel.conf." fi echo "If you want to add more clients, you simply need to run this script again!" fi
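Review bot: In patch 1/7's README hunk (`@@ -1,21 +1,139 @@`), two added sentences have grammar errors and one link anchor is miscased. "even if you no experience OpenVPN before" should read "even if you have no experience with OpenVPN", and under Troubleshooting "`wget` isn't install it on your server" should read "`wget` isn't installed on your server". The link `[Troubleshooting](#Troubleshooting)` will not resolve on GitHub because generated heading anchors are lowercase; use `#troubleshooting` as the table of contents already does. The line "Otherwise, they're located at `/home/`" appears to have lost the username placeholder after the slash; if it was written as `<username>`, it needs escaping so markdown does not swallow it.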
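Review bot: In patch 1/7's `openvpn-install.sh` hunk at `@@ -278,8 +278,6 @@`, removing `setuid = root` / `setgid = root` does not change the privilege level at all, because those lines were already asking stunnel to keep running as root; after this change stunnel still runs as root for the lifetime of the tunnel, and the README now tells users to launch it with `sudo`. The least-privilege fix is to point `setuid`/`setgid` at an unprivileged account that exists on each distro (Debian's `stunnel4` package creates `stunnel4`; on CentOS `nobody` is a safe fallback if the package creates no service user) so stunnel drops root after binding, and to make sure `pid` and `output` point at directories that account can write. Note also that the surviving context lines `pid = /var/run/stunnel4.pid` and `output = /var/log/stunnel4/stunnel.log` use the Debian package's paths; on CentOS neither directory is guaranteed to exist, which is a more likely reason for the launch failure described in the commit message than the `setuid` lines themselves.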
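Review bot: In patch 3/7's new `Documentation/client-ovpn.md` (hunk `@@ -0,0 +1,101 @@`), the non-SSL client guide still carries stunnel steps that were copied from the SSL guide: under Windows, "Locate the `stunnel` icon in the Task Bar, right click, and select `Exit`", and under MacOS, "To stop `stunnel`, run this in `Terminal`: `sudo killall stunnel`". Neither applies to a client that never installed stunnel and will confuse readers; drop both lines from this file. The file also contains stray zero-width space characters (the lines that show only `​` in the hunk) and lacks a trailing newline; both should be cleaned up in this commit rather than in the follow-up.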
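Review bot: In patch 3/7's README hunk at `@@ -37,12 +39,15 @@`, the added comment `# Note: If you're running Ubuntu 16.10 or older` is followed by nothing: the sentence was never finished, so readers of the install block see a warning with no content. Either complete it (the preceding hunk at `@@ -29,7 +24,14 @@` already tells users on CentOS 6, Debian 8 and Ubuntu 16.10 or older to pick `AES-256-CBC`, so this may be a duplicate of that advice) or remove it. That cipher note would also be more useful if it said what fails otherwise, so users on those releases understand it is a compatibility constraint of their OpenVPN package rather than a security recommendation.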
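Review bot: In patch 6/7's hunk at `@@ -238,28 +238,21 @@`, the calls `easyrsa init-pki`, `easyrsa --batch build-ca nopass` and the rest assume the distro package puts an `easyrsa` executable on `PATH`, but Debian's `easy-rsa` package installs the script as `/usr/share/easy-rsa/easyrsa` and expects you to copy it into a working directory with `make-cadir`; the removed code worked because it ran `./easyrsa` inside the extracted tarball. Invoke the script by its packaged path (or symlink it into `/etc/openvpn/easy-rsa/`) and verify on each supported release that the packaged version is 3.x, since these subcommands do not exist in easy-rsa 2.x and the tarball previously pinned `v3.0.4`. Two smaller points in the same hunk: `yum install ... stunnel4 easy-rsa -y` names the Debian package, while the CentOS package is `stunnel`, so yum will report it as unavailable; and `mkdir /etc/openvpn/easy-rsa/` without `-p` will fail if the directory survived a previous run.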
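Review bot: In patch 7/7's hunk at `@@ -67,13 +67,15 @@`, the user-facing message is now split in a way that reads oddly: after "Client $CLIENT added, configuration is available at: ~/$CLIENT.ovpn" the SSL branch prints "~/stunnel.crt and ~/stunnel.conf." with no connecting "and", and the earlier reminder to install stunnel on the client before continuing was dropped. Consider `echo "and ~/stunnel.crt, ~/stunnel.conf (copy both to the client next to each other)."` so the user learns that the certificate must travel with the configuration file. Also worth a sentence in the README: `stunnel.crt` is a public certificate, but the `.ovpn` file contains the client's private key, so the download step should use an authenticated channel such as `scp`.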
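Review bot: In patch 7/7's hunk at `@@ -438,11 +440,14 @@`, `verify = 2` together with `CAfile = stunnel.crt` is the right idea (the client now authenticates the stunnel endpoint instead of accepting any certificate), but two details will cause it to fail in practice. First, `stunnel.crt` is a relative path, and stunnel resolves it against its working directory, which differs between the documented setups (Linux users copy `stunnel.conf` into `/etc/stunnel/` and run `sudo stunnel`; Windows users paste the config into the GUI), so either write an absolute path or document that `stunnel.crt` must sit beside the config and be referenced accordingly. Second, `/etc/openvpn/server.crt` is a leaf certificate issued by the easy-rsa CA, not the CA itself; level 2 performs chain verification, which needs the issuer. Either ship the CA certificate (`pki/ca.crt` from the `build-ca` step) as `stunnel.crt` and keep `verify = 2`, or keep the leaf and use `verify = 3` (peer certificate must match a locally installed one), which is the stunnel mode intended for pinning a single server certificate.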
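Review bot: In patch 7/7's hunk at `@@ -451,7 +456,7 @@`, the context line `if [[ $SSL=1 ]]; then` is always true: without spaces around `=`, bash sees a single word (`1=1` or `=1`), and `[[ word ]]` succeeds for any non-empty string. Since this hunk touches the body of that branch, it is a good place to fix the test to `if [[ "$SSL" = 1 ]]; then`; otherwise users who declined SSL are told to use `~/stunnel.crt` and `~/stunnel.conf`, files that were never written.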