From 095ebee8c3bc3a02adbd22d57f341c91ee3b180a Mon Sep 17 00:00:00 2001 From: Philipp Menge Date: Sat, 28 Nov 2015 18:39:55 +0100 Subject: [PATCH 1/4] added support for tls key --- openvpn-install.sh | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2398498..1c48b6d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -50,6 +50,9 @@ newclient () { echo "" >> ~/$1.ovpn cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn echo "" >> ~/$1.ovpn + echo "" >> ~/$1.ovpn + cat /etc/openvpn/easy-rsa/ta.key >> ~/$1.ovpn + echo "" } @@ -75,7 +78,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo " 4) Exit" read -p "Select an option [1-4]: " option case $option in - 1) + 1) echo "" echo "Tell me a name for the client cert" echo "Please, use one word only, no special characters" @@ -123,7 +126,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "Certificate for client $CLIENT revoked" exit ;; - 3) + 3) echo "" read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE if [[ "$REMOVE" = 'y' ]]; then @@ -216,8 +219,9 @@ else ./easyrsa build-server-full server nopass ./easyrsa build-client-full $CLIENT nopass ./easyrsa gen-crl + openvpn --genkey --secret ta.key # Move the stuff we need - cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn + cp ta.key pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn # Generate server.conf echo "port $PORT proto udp 
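Review bot: newclient now reads /etc/openvpn/easy-rsa/ta.key unconditionally, so on a server installed by an earlier version of this script (where no ta.key was ever generated) the `cat` fails and the .ovpn is written with an empty tls-auth block; guard it, e.g. `[[ -e /etc/openvpn/easy-rsa/ta.key ]] || { echo "ta.key missing" >&2; exit 1; }` at the top of the function. The generated ~/$1.ovpn now also carries a secret shared by every client, not just this client's private key, and the `>>` redirections create it under the caller's default umask, so set `umask 077` before the first write or `chmod 600 ~/$1.ovpn` after the last one. The tag names inside the surrounding echo strings appear to have been stripped in this rendering, so I cannot confirm the key is wrapped in tls-auth tags. newclient's body begins before this hunk.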
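Review bot: `openvpn --genkey --secret ta.key` is not checked, and the `cp` into /etc/openvpn sets no explicit mode, so the server's copy ends up with whatever mode --genkey produced masked by the umask, or the pre-existing file's mode on a reinstall; because every client also holds this secret, write it deliberately, `openvpn --genkey --secret ta.key || exit 1` followed by `install -m 600 ta.key /etc/openvpn/ta.key`. The key now lives in two places, the easy-rsa directory read by newclient and /etc/openvpn read by the server, and a comment stating which copy is authoritative would save the next maintainer from regenerating one and not the other. The echo that begins server.conf continues past the end of this hunk.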
@@ -230,11 +234,12 @@ key server.key dh dh.pem topology subnet server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf +ifconfig-pool-persist ipp.txt +tls-auth ta.key 0" > /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf # DNS case $DNS in - 1) + 1) # Obtain the resolvers from resolv.conf and use them for OpenVPN grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf @@ -244,18 +249,18 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf ;; - 3) + 3) echo 'push "dhcp-option DNS 4.2.2.2"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 4.2.2.4"' >> /etc/openvpn/server.conf ;; - 4) + 4) echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf ;; - 5) + 5) echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf ;; - 6) + 6) echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf ;; From a0217f2a9f311b26e102a9161b978e4508686479 Mon Sep 17 00:00:00 2001 From: Philipp Menge Date: Sat, 28 Nov 2015 18:50:02 +0100 Subject: [PATCH 2/4] drop privileges --- openvpn-install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1c48b6d..c064005 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -52,7 +52,7 @@ newclient () { echo "" >> ~/$1.ovpn echo "" >> ~/$1.ovpn cat /etc/openvpn/easy-rsa/ta.key >> ~/$1.ovpn - echo "" + echo "" >> ~/$1.ovpn } 
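Review bot: `tls-auth ta.key 0` requires every client to use direction 1, but nothing in the script records that pairing, so a comment above this echo would help: `# tls-auth direction 0 here; client configs must carry key-direction 1 with the inline tls-auth block`. The same comment should state that ta.key is a single secret shared by all clients and is not rotated when a client certificate is revoked, so it only gates the TLS handshake and is not an authorization control. Like the other relative paths in this config, `ta.key` presumably resolves against /etc/openvpn as the daemon's working directory; an absolute path would remove that dependency. The echo building server.conf starts before this hunk.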
@@ -224,6 +224,8 @@ else cp ta.key pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn # Generate server.conf echo "port $PORT +user nobody +group nobody proto udp dev tun sndbuf 0 From f7175ad586c78beb4823a86f0995a1c611be0588 Mon Sep 17 00:00:00 2001 From: Philipp Menge Date: Sat, 28 Nov 2015 19:03:02 +0100 Subject: [PATCH 3/4] fixed missing reference to tls auth in client config --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c064005..0bcc419 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -353,7 +353,8 @@ persist-key persist-tun remote-cert-tls server comp-lzo -verb 3" > /etc/openvpn/client-common.txt +verb 3 +key-direction 1" > /etc/openvpn/client-common.txt # Generates the custom client.ovpn newclient "$CLIENT" echo "" From 4fc5994600fc85a5f812118450082564b29410ed Mon Sep 17 00:00:00 2001 From: Philipp Menge Date: Sat, 28 Nov 2015 19:11:29 +0100 Subject: [PATCH 4/4] reverted dropping privileges --- openvpn-install.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0bcc419..65a3db5 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -224,8 +224,6 @@ else cp ta.key pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn # Generate server.conf echo "port $PORT -user nobody -group nobody proto udp dev tun sndbuf 0
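Review bot: `group nobody` does not exist on Debian and Ubuntu, where the unprivileged group is `nogroup`, so OpenVPN would refuse to start there; the script's distro handling is outside this hunk, so I cannot tell whether it already branches on that. Choose the group per distribution, e.g. `group nogroup` on Debian-family and `group nobody` on RHEL-family, rather than dropping the privilege reduction altogether as PATCH 4/4 does, which leaves the daemon running as root. Since privileges are dropped after startup, `persist-key` and `persist-tun` must also be in server.conf so the daemon can survive SIGUSR1 restarts without re-reading ta.key/server.key or re-opening the tun device; they are visible in client-common.txt but not in the server config shown here. The echo building server.conf continues past this hunk.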
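Review bot: `key-direction 1` is correct for the inline block newclient appends, but the pairing with `tls-auth ta.key 0` on the server is spread across two separate echo strings with nothing tying them together; add a comment above this echo, `# key-direction 1 pairs with "tls-auth ta.key 0" in server.conf; needed for the inline tls-auth block newclient appends`. Note that the directive is harmless only as long as newclient actually embeds the key; on an install that predates ta.key generation the .ovpn will contain this line with an empty block, which is worth catching in newclient rather than here. The echo building client-common.txt starts before this hunk.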