1
0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-11-23 21:46:08 +03:00

Miscellaneous improvements

- Fix #694: added sanitization during the public IP address configuration and
switch to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT,
checkip service is unreachable and user doesn't provide input when asked for
the public IP address or hostname.
- Other small improvements not worth describing in detail.
This commit is contained in:
Nyr 2020-04-21 02:28:29 +02:00
parent c6159aefb8
commit cec053def4
2 changed files with 14 additions and 8 deletions

View File

@ -62,15 +62,15 @@ new_client () {
cat /etc/openvpn/server/easy-rsa/pki/ca.crt cat /etc/openvpn/server/easy-rsa/pki/ca.crt
echo "</ca>" echo "</ca>"
echo "<cert>" echo "<cert>"
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$1".crt sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
echo "</cert>" echo "</cert>"
echo "<key>" echo "<key>"
cat /etc/openvpn/server/easy-rsa/pki/private/"$1".key cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key
echo "</key>" echo "</key>"
echo "<tls-crypt>" echo "<tls-crypt>"
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
echo "</tls-crypt>" echo "</tls-crypt>"
} > ~/"$1".ovpn } > ~/"$client".ovpn
} }
if [[ ! -e /etc/openvpn/server/server.conf ]]; then if [[ ! -e /etc/openvpn/server/server.conf ]]; then
@ -99,8 +99,14 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo echo
echo "This server is behind NAT. What is the public IPv4 address or hostname?" echo "This server is behind NAT. What is the public IPv4 address or hostname?"
get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/") # Get public IP and sanitize with grep
get_public_ip=$(grep -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 5 -t 1 -4qO- "https://checkip.amazonaws.com/" || curl -m 5 -4Ls "https://checkip.amazonaws.com/")")
read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
# If the checkip service is unavailable and user didn't provide input, ask again
until [[ -n "$get_public_ip" || -n $public_ip ]]; do
echo "Invalid input."
read -p "Public IPv4 address / hostname: " public_ip
done
[[ -z "$public_ip" ]] && public_ip="$get_public_ip" [[ -z "$public_ip" ]] && public_ip="$get_public_ip"
fi fi
# If system has a single IPv6, it is selected automatically # If system has a single IPv6, it is selected automatically
@ -142,7 +148,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
echo "What port do you want OpenVPN listening to?" echo "What port do you want OpenVPN listening to?"
read -p "Port [1194]: " port read -p "Port [1194]: " port
until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do
echo "$port: invalid selection." echo "$port: invalid port."
read -p "Port [1194]: " port read -p "Port [1194]: " port
done done
[[ -z "$port" ]] && port="1194" [[ -z "$port" ]] && port="1194"
@ -368,7 +374,7 @@ verb 3" > /etc/openvpn/server/client-common.txt
# Enable and start the OpenVPN service # Enable and start the OpenVPN service
systemctl enable --now openvpn-server@server.service systemctl enable --now openvpn-server@server.service
# Generates the custom client.ovpn # Generates the custom client.ovpn
new_client "$client" new_client
echo echo
echo "Finished!" echo "Finished!"
echo echo
@ -402,7 +408,7 @@ else
cd /etc/openvpn/server/easy-rsa/ cd /etc/openvpn/server/easy-rsa/
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
# Generates the custom client.ovpn # Generates the custom client.ovpn
new_client "$client" new_client
echo echo
echo "Client $client added, configuration is available at:" ~/"$client.ovpn" echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
exit exit