From f2c44dea4046a83cf012df916bdf9b0e1e537400 Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 23 Sep 2022 17:07:43 +0200 Subject: [PATCH 1/3] Change "block-outside-dns" placement This is mainly to work around a bug in Viscosity for macOS: https://www.sparklabs.com/forum/viewtopic.php?t=3152 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 36a17d0..815031e 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -321,6 +321,7 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf ;; esac + echo 'push "block-outside-dns"' >> /etc/openvpn/server/server.conf echo "keepalive 10 120 cipher AES-256-CBC user nobody @@ -424,7 +425,6 @@ remote-cert-tls server auth SHA512 cipher AES-256-CBC ignore-unknown-option block-outside-dns -block-outside-dns verb 3" > /etc/openvpn/server/client-common.txt # Enable and start the OpenVPN service systemctl enable --now openvpn-server@server.service From f9433870836dfd008fca810780f639bafadaf8b0 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 13 Oct 2022 21:17:39 +0200 Subject: [PATCH 2/3] Update to easy-rsa v3.1.1 --no-install-recommends is now required for Debian: https://github.com/OpenVPN/easy-rsa/issues/725 --- openvpn-install.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 815031e..4235723 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -223,7 +223,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab fi if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then apt-get update - apt-get install -y openvpn openssl ca-certificates $firewall + apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall elif [[ "$os" = "centos" ]]; then yum install -y epel-release yum install -y openvpn openssl ca-certificates tar $firewall @@ -236,17 +236,17 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab systemctl enable --now firewalld.service fi # Get easy-rsa - easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.0/EasyRSA-3.1.0.tgz' + easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.1/EasyRSA-3.1.1.tgz' mkdir -p /etc/openvpn/server/easy-rsa/ { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1 chown -R root:root /etc/openvpn/server/easy-rsa/ cd /etc/openvpn/server/easy-rsa/ # Create the PKI, set up the CA and the server and client certificates - ./easyrsa init-pki + ./easyrsa --batch init-pki ./easyrsa --batch build-ca nopass - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + ./easyrsa --batch --days=3650 build-server-full server nopass + ./easyrsa --batch --days=3650 build-client-full "$client" nopass + ./easyrsa --batch --days=3650 gen-crl # Move the stuff we need cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server # CRL is read with each client connection, while OpenVPN is dropped to nobody @@ -461,7 +461,7 @@ else client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") done cd /etc/openvpn/server/easy-rsa/ - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass + ./easyrsa --batch --days=3650 build-client-full "$client" nopass # Generates the custom client.ovpn new_client echo @@ -495,7 +495,7 @@ else if [[ "$revoke" =~ ^[yY]$ ]]; then cd /etc/openvpn/server/easy-rsa/ ./easyrsa --batch revoke "$client" - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + ./easyrsa --batch --days=3650 gen-crl rm -f /etc/openvpn/server/crl.pem cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem # CRL is read with each client connection, when OpenVPN is dropped to nobody From d4ae10ec2530747a1f5d78a7dea9e635a124db6c Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 18 Jan 2023 18:40:18 +0100 Subject: [PATCH 3/3] Update to easy-rsa v3.1.2 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4235723..637fe3c 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -236,7 +236,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab systemctl enable --now firewalld.service fi # Get easy-rsa - easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.1/EasyRSA-3.1.1.tgz' + easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz' mkdir -p /etc/openvpn/server/easy-rsa/ { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1 chown -R root:root /etc/openvpn/server/easy-rsa/