From bb63e731f3497c4afe94973647410507a3551929 Mon Sep 17 00:00:00 2001 From: Kris Watson Date: Mon, 30 Jul 2018 21:02:11 -0700 Subject: [PATCH] Changed keys to EC. Added gpg verification check on easy-rsa installer. --- openvpn-install.sh | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 403e0fd..02634c6 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -22,6 +22,11 @@ You need to enable TUN before running this script" exit fi +if ! [ -x "$(command -v gpg)" ]; then + echo 'Missing program gpg.' + exit +fi + if [[ -e /etc/debian_version ]]; then OS=debian GROUPNAME=nogroup @@ -224,15 +229,30 @@ else yum install epel-release -y yum install openvpn iptables openssl ca-certificates -y fi + # Import easy-rsa key + gpg --keyserver keyserver.ubuntu.com --recv 9D7367F3 # Get easy-rsa EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz' + EASYRSAURLSIG='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz.sig' wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" + wget -O ~/easyrsa.tgz.sig "$EASYRSAURLSIG" 2>/dev/null || curl -Lo ~/easyrsa.tgz.sig "$EASYRSAURLSIG" + gpg --verify ~/easyrsa.tgz.sig ~/easyrsa.tgz + if [ $? -eq 1 ] + then + echo "Invalid signature on easy-rsa file." + exit + fi tar xzf ~/easyrsa.tgz -C ~/ mv ~/EasyRSA-3.0.4/ /etc/openvpn/ mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/easyrsa.tgz cd /etc/openvpn/easy-rsa/ + # Setup vars to use EC. + echo 'set_var EASYRSA_ALGO ec +set_var EASYRSA_CURVE secp384r1 +set_var EASYRSA_DIGEST "sha512" +' > /etc/openvpn/easy-rsa/vars # Create the PKI, set up the CA, the DH params and the server + client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass @@ -295,7 +315,7 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf ;; esac echo "keepalive 10 120 -cipher AES-256-CBC +cipher AES-256-GCM comp-lzo user nobody group $GROUPNAME @@ -384,7 +404,7 @@ persist-key persist-tun remote-cert-tls server auth SHA512 -cipher AES-256-CBC +cipher AES-256-GCM comp-lzo setenv opt block-outside-dns key-direction 1