From 0ce2775a3a3fe6e9ed746b19000f812e6ca1f2d2 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 21 Mar 2019 14:33:37 +0100 Subject: [PATCH 01/42] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index abd0664..7990dc9 100644 --- a/README.md +++ b/README.md @@ -11,8 +11,8 @@ Run the script and follow the assistant: Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. ### I want to run my own VPN but don't have a server for that -You can get a little VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=1). +You can get a VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=1). ### Donations -If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [cryptocurrency](https://pastebin.com/raw/M2JJpQpC). Thanks! \ No newline at end of file +If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [cryptocurrency](https://pastebin.com/raw/M2JJpQpC). Thanks! From d4efae3b1081867ffce420267f8c20a7c7336047 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 24 Apr 2019 16:52:47 +0200 Subject: [PATCH 02/42] Revert "Update to easy-rsa v3.0.6" This reverts commit 43ccc5fd1c1e17d86e5bf31892e299e7be3db6a9. --- openvpn-install.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 45ebe1b..0c78e50 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -102,6 +102,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then cd /etc/openvpn/easy-rsa/ ./easyrsa --batch revoke $CLIENT EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + rm -f pki/reqs/$CLIENT.req + rm -f pki/private/$CLIENT.key + rm -f pki/issued/$CLIENT.crt rm -f /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem # CRL is read with each client connection, when OpenVPN is dropped to nobody @@ -222,11 +225,11 @@ else yum install openvpn iptables openssl ca-certificates -y fi # Get easy-rsa - EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz' + EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz' wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" tar xzf ~/easyrsa.tgz -C ~/ - mv ~/EasyRSA-v3.0.6/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-v3.0.6/ /etc/openvpn/easy-rsa/ + mv ~/EasyRSA-3.0.5/ /etc/openvpn/ + mv /etc/openvpn/EasyRSA-3.0.5/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/easyrsa.tgz cd /etc/openvpn/easy-rsa/ From 510f9e1bf8b9a681d224299ee7c82953752555ef Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 24 May 2019 14:47:02 +0200 Subject: [PATCH 03/42] Remove support for old init systems It was broken since b3953963bac3ef048ffd09d7dcb9992eea383acb anyway. --- openvpn-install.sh | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0c78e50..9a500d8 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -358,21 +358,9 @@ exit 0' > $RCLOCAL semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT fi # And finally, restart OpenVPN - if [[ "$OS" = 'debian' ]]; then - # Little hack to check for systemd - if pgrep systemd-journal; then - systemctl restart openvpn@server.service - else - /etc/init.d/openvpn restart - fi - else - if pgrep systemd-journal; then - systemctl restart openvpn@server.service - systemctl enable openvpn@server.service - else - service openvpn restart - chkconfig openvpn on - fi + systemctl restart openvpn@server.service + if [[ "$OS" = 'centos' ]]; then + systemctl enable openvpn@server.service fi # If the server is behind a NAT, use the correct IP address if [[ "$PUBLICIP" != "" ]]; then From a6048d509fff11c28cbabc36633f76c1ac5ce988 Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 7 Jun 2019 16:17:14 +0200 Subject: [PATCH 04/42] Switch to systemd for iptables configuration See #464. --- openvpn-install.sh | 52 +++++++++++++++++----------------------------- 1 file changed, 19 insertions(+), 33 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9a500d8..c39d959 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -25,11 +25,9 @@ fi if [[ -e /etc/debian_version ]]; then OS=debian GROUPNAME=nogroup - RCLOCAL='/etc/rc.local' elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then OS=centos GROUPNAME=nobody - RCLOCAL='/etc/rc.d/rc.local' else echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS" exit @@ -133,17 +131,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP else - IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14) - iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP - sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL - if iptables -L -n | grep -qE '^ACCEPT'; then - iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT - iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT - iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL - sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL - sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL - fi + systemctl disable --now openvpn-iptables.service + rm -f /etc/systemd/system/openvpn-iptables.service fi if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT @@ -328,26 +317,23 @@ crl-verify crl.pem" >> /etc/openvpn/server.conf firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP else - # Needed to use rc.local with some systemd distros - if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then - echo '#!/bin/sh -e -exit 0' > $RCLOCAL - fi - chmod +x $RCLOCAL - # Set NAT for the VPN subnet - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP - sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL - if iptables -L -n | grep -qE '^(REJECT|DROP)'; then - # If iptables has at least one REJECT rule, we asume this is needed. - # Not the best approach but I can't think of other and this shouldn't - # cause problems. - iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT - iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT - iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT - sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL - sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL - sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL - fi + # Create a service to set up persistent iptables rules + echo "[Unit] +Before=network.target +[Service] +Type=oneshot +ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP +ExecStart=/sbin/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT +ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT +ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP +ExecStop=/sbin/iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT +ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT +ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +RemainAfterExit=yes +[Install] +WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service + systemctl enable --now openvpn-iptables.service fi # If SELinux is enabled and a custom port was selected, we need this if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then From 22f1fca4c159521c2b11d643291c7e5801b832f7 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 12 Jun 2019 14:17:51 +0200 Subject: [PATCH 05/42] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7990dc9..cad322c 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,7 @@ Run the script and follow the assistant: Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. ### I want to run my own VPN but don't have a server for that -You can get a VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=1). +You can get a VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=18). ### Donations From a46a23d84a4b007dc8f6e964219331f876a21602 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 12 Jun 2019 21:28:55 +0200 Subject: [PATCH 06/42] Migrate to the new systemd service OpenVPN 2.4 packages provide a new systemd service unit which uses a different directory structure. This commit drops support for Ubuntu 16.04 which has v2.3 packages. --- openvpn-install.sh | 92 ++++++++++++++++++++++++---------------------- 1 file changed, 48 insertions(+), 44 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c39d959..6a15842 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -5,6 +5,12 @@ # Copyright (c) 2013 Nyr. Released under the MIT License. +if grep -qs "Ubuntu 16.04" "/etc/os-release"; then + echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install +Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604' + exit +fi + # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then echo "This script needs to be run with bash, not sh" @@ -35,22 +41,22 @@ fi newclient () { # Generates the custom client.ovpn - cp /etc/openvpn/client-common.txt ~/$1.ovpn + cp /etc/openvpn/server/client-common.txt ~/$1.ovpn echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn + cat /etc/openvpn/server/easy-rsa/pki/ca.crt >> ~/$1.ovpn echo "" >> ~/$1.ovpn echo "" >> ~/$1.ovpn - sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn + sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn echo "" >> ~/$1.ovpn echo "" >> ~/$1.ovpn - cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn + cat /etc/openvpn/server/easy-rsa/pki/private/$1.key >> ~/$1.ovpn echo "" >> ~/$1.ovpn echo "" >> ~/$1.ovpn - sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/ta.key >> ~/$1.ovpn + sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key >> ~/$1.ovpn echo "" >> ~/$1.ovpn } -if [[ -e /etc/openvpn/server.conf ]]; then +if [[ -e /etc/openvpn/server/server.conf ]]; then while : do clear @@ -68,7 +74,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "Tell me a name for the client certificate." echo "Please, use one word only, no special characters." read -p "Client name: " -e CLIENT - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/server/easy-rsa/ EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass # Generates the custom client.ovpn newclient "$CLIENT" @@ -79,7 +85,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then 2) # This option could be documented a bit better and maybe even be simplified # ...but what can I say, I want some sleep too - NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") + NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V") if [[ "$NUMBEROFCLIENTS" = '0' ]]; then echo echo "You have no existing clients!" @@ -87,26 +93,26 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi echo echo "Select the existing client certificate you want to revoke:" - tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' + tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' if [[ "$NUMBEROFCLIENTS" = '1' ]]; then read -p "Select one client [1]: " CLIENTNUMBER else read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER fi - CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) + CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) echo read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/server/easy-rsa/ ./easyrsa --batch revoke $CLIENT EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl rm -f pki/reqs/$CLIENT.req rm -f pki/private/$CLIENT.key rm -f pki/issued/$CLIENT.crt - rm -f /etc/openvpn/crl.pem - cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem + rm -f /etc/openvpn/server/crl.pem + cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem # CRL is read with each client connection, when OpenVPN is dropped to nobody - chown nobody:$GROUPNAME /etc/openvpn/crl.pem + chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem echo echo "Certificate for client $CLIENT revoked!" else @@ -119,8 +125,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then - PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) - PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) + PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) + PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) if pgrep firewalld; then IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10) # Using both permanent and not permanent rules to avoid a firewalld reload. @@ -137,13 +143,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi + systemctl disable --now openvpn-server@server.service + rm -rf /etc/openvpn/server + rm -f /etc/sysctl.d/30-openvpn-forward.conf if [[ "$OS" = 'debian' ]]; then apt-get remove --purge -y openvpn else yum remove openvpn -y fi - rm -rf /etc/openvpn - rm -f /etc/sysctl.d/30-openvpn-forward.conf echo echo "OpenVPN removed!" else @@ -217,11 +224,11 @@ else EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz' wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" tar xzf ~/easyrsa.tgz -C ~/ - mv ~/EasyRSA-3.0.5/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-3.0.5/ /etc/openvpn/easy-rsa/ - chown -R root:root /etc/openvpn/easy-rsa/ + mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/ + mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/ + chown -R root:root /etc/openvpn/server/easy-rsa/ rm -f ~/easyrsa.tgz - cd /etc/openvpn/easy-rsa/ + cd /etc/openvpn/server/easy-rsa/ # Create the PKI, set up the CA and the server and client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass @@ -229,11 +236,11 @@ else EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # Move the stuff we need - cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn + cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server # CRL is read with each client connection, when OpenVPN is dropped to nobody - chown nobody:$GROUPNAME /etc/openvpn/crl.pem + chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem # Generate key for tls-auth - openvpn --genkey --secret /etc/openvpn/ta.key + openvpn --genkey --secret /etc/openvpn/server/ta.key # Create the DH parameters file using the predefined ffdhe2048 group echo '-----BEGIN DH PARAMETERS----- MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz @@ -242,7 +249,7 @@ MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ------END DH PARAMETERS-----' > /etc/openvpn/dh.pem +-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem # Generate server.conf echo "port $PORT proto $PROTOCOL @@ -257,8 +264,8 @@ auth SHA512 tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf - echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf +ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf + echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf # DNS case $DNS in 1) @@ -271,24 +278,24 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf fi # Obtain the resolvers from resolv.conf and use them for OpenVPN grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do - echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf + echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf done ;; 2) - echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf ;; 3) - echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf ;; 4) - echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf ;; 5) - echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf - echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf + echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf ;; esac echo "keepalive 10 120 @@ -299,7 +306,7 @@ persist-key persist-tun status openvpn-status.log verb 3 -crl-verify crl.pem" >> /etc/openvpn/server.conf +crl-verify crl.pem" >> /etc/openvpn/server/server.conf # Enable net.ipv4.ip_forward for the system echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf # Enable without waiting for a reboot or service restart @@ -343,11 +350,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service fi semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT fi - # And finally, restart OpenVPN - systemctl restart openvpn@server.service - if [[ "$OS" = 'centos' ]]; then - systemctl enable openvpn@server.service - fi + # And finally, enable and start the OpenVPN service + systemctl enable --now openvpn-server@server.service # If the server is behind a NAT, use the correct IP address if [[ "$PUBLICIP" != "" ]]; then IP=$PUBLICIP @@ -368,7 +372,7 @@ auth SHA512 cipher AES-256-CBC setenv opt block-outside-dns key-direction 1 -verb 3" > /etc/openvpn/client-common.txt +verb 3" > /etc/openvpn/server/client-common.txt # Generates the custom client.ovpn newclient "$CLIENT" echo From 43ef4f920d50c0bc16bf8e087ddcacf5f97c0d65 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 13 Jun 2019 03:15:18 +0200 Subject: [PATCH 07/42] Fedora support The installer now works with Fedora and is probably ready for CentOS 8 too. --- openvpn-install.sh | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 6a15842..136e7d9 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -130,9 +130,9 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then if pgrep firewalld; then IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10) # Using both permanent and not permanent rules to avoid a firewalld reload. - firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL + firewall-cmd --remove-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL + firewall-cmd --permanent --remove-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP @@ -316,9 +316,9 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # reload. # We don't use --add-service=openvpn because that would only work with # the default port and protocol. - firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL + firewall-cmd --add-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --add-source=10.8.0.0/24 - firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL + firewall-cmd --permanent --add-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 # Set NAT for the VPN subnet firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP @@ -346,7 +346,11 @@ WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then # Install semanage if not already present if ! hash semanage 2>/dev/null; then - yum install policycoreutils-python -y + if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then + yum install policycoreutils-python -y + else + yum install policycoreutils-python-utils -y + fi fi semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT fi From 1c79a9603b0eb54cea2248ee0005453655ae5fca Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 6 Sep 2019 02:44:17 +0200 Subject: [PATCH 08/42] Fix LimitNPROC in containers See #206 for context. --- openvpn-install.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 136e7d9..3850328 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -145,6 +145,7 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then fi systemctl disable --now openvpn-server@server.service rm -rf /etc/openvpn/server + rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf rm -f /etc/sysctl.d/30-openvpn-forward.conf if [[ "$OS" = 'debian' ]]; then apt-get remove --purge -y openvpn @@ -212,6 +213,12 @@ else echo echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." read -n1 -r -p "Press any key to continue..." + # If running inside a container, disable LimitNPROC to prevent conflicts + if systemd-detect-virt -cq; then + mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null + echo '[Service] +LimitNPROC=infinity' > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf + fi if [[ "$OS" = 'debian' ]]; then apt-get update apt-get install openvpn iptables openssl ca-certificates -y From 68e48d21b6859c26b04b4713e326d1cd2d40d214 Mon Sep 17 00:00:00 2001 From: Nyr Date: Sat, 21 Sep 2019 14:39:58 +0200 Subject: [PATCH 09/42] Check for unsupported distributions --- openvpn-install.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 3850328..646ff87 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -5,6 +5,21 @@ # Copyright (c) 2013 Nyr. Released under the MIT License. +if grep -qs "14.04" "/etc/os-release"; then + echo "Ubuntu 14.04 is too old and not supported" + exit +fi + +if grep -qs "jessie" "/etc/os-release"; then + echo "Debian 8 is too old and not supported" + exit +fi + +if grep -qs "CentOS release 6" "/etc/redhat-release"; then + echo "CentOS 6 is too old and not supported" + exit +fi + if grep -qs "Ubuntu 16.04" "/etc/os-release"; then echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604' From 6a29a6babdb6e2d813c6c585800debc1558ead2d Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 26 Sep 2019 19:13:33 +0200 Subject: [PATCH 10/42] Miscellaneous improvements This commit contains lots changes which are not very significant on its own but provide important usability improvements and future proofing. It also includes changes which required OpenVPN v2.4+ and were pending until that version became widely available. - General cleanup - Improved IP address and NAT configuration - Added input validation and sanitization - Fix #603 - Remove "sndbuf" and "recvbuf" parameters - Add server-side "explicit-exit-notify" - Switch from "setenv opt" to "ignore-unknown-option" - Switch from "tls-auth" to "tls-crypt" - Other minor bugfixes and optimizations --- openvpn-install.sh | 291 ++++++++++++++++++++++++++------------------- 1 file changed, 168 insertions(+), 123 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 646ff87..1216b50 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -5,22 +5,22 @@ # Copyright (c) 2013 Nyr. Released under the MIT License. -if grep -qs "14.04" "/etc/os-release"; then +if grep -qs "14.04" /etc/os-release; then echo "Ubuntu 14.04 is too old and not supported" exit fi -if grep -qs "jessie" "/etc/os-release"; then +if grep -qs "jessie" /etc/os-release; then echo "Debian 8 is too old and not supported" exit fi -if grep -qs "CentOS release 6" "/etc/redhat-release"; then +if grep -qs "CentOS release 6" /etc/redhat-release; then echo "CentOS 6 is too old and not supported" exit fi -if grep -qs "Ubuntu 16.04" "/etc/os-release"; then +if grep -qs "Ubuntu 16.04" /etc/os-release; then echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604' exit @@ -44,31 +44,33 @@ You need to enable TUN before running this script" fi if [[ -e /etc/debian_version ]]; then - OS=debian - GROUPNAME=nogroup + os="debian" + group_name="nogroup" elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then - OS=centos - GROUPNAME=nobody + os="centos" + group_name="nobody" else echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS" exit fi -newclient () { +new_client () { # Generates the custom client.ovpn - cp /etc/openvpn/server/client-common.txt ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/server/easy-rsa/pki/ca.crt >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - cat /etc/openvpn/server/easy-rsa/pki/private/$1.key >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - echo "" >> ~/$1.ovpn - sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key >> ~/$1.ovpn - echo "" >> ~/$1.ovpn + { + cat /etc/openvpn/server/client-common.txt + echo "" + cat /etc/openvpn/server/easy-rsa/pki/ca.crt + echo "" + echo "" + sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$1".crt + echo "" + echo "" + cat /etc/openvpn/server/easy-rsa/pki/private/"$1".key + echo "" + echo "" + sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key + echo "" + } > ~/"$1".ovpn } if [[ -e /etc/openvpn/server/server.conf ]]; then @@ -82,26 +84,35 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then echo " 2) Revoke an existing user" echo " 3) Remove OpenVPN" echo " 4) Exit" - read -p "Select an option [1-4]: " option - case $option in + read -p "Select an option: " option + until [[ "$option" =~ ^[1-4]$ ]]; do + echo "$option: invalid selection." + read -p "Select an option: " option + done + case "$option" in 1) echo echo "Tell me a name for the client certificate." - echo "Please, use one word only, no special characters." - read -p "Client name: " -e CLIENT + read -p "Client name: " unsanitized_client + client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") + while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do + echo "$client: invalid client name." + read -p "Client name: " unsanitized_client + client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") + done cd /etc/openvpn/server/easy-rsa/ - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass + EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass # Generates the custom client.ovpn - newclient "$CLIENT" + new_client "$client" echo - echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" + echo "Client $client added, configuration is available at:" ~/"$client.ovpn" exit ;; 2) # This option could be documented a bit better and maybe even be simplified # ...but what can I say, I want some sleep too - NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V") - if [[ "$NUMBEROFCLIENTS" = '0' ]]; then + number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V") + if [[ "$number_of_clients" = 0 ]]; then echo echo "You have no existing clients!" exit @@ -109,60 +120,68 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then echo echo "Select the existing client certificate you want to revoke:" tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - if [[ "$NUMBEROFCLIENTS" = '1' ]]; then - read -p "Select one client [1]: " CLIENTNUMBER - else - read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER - fi - CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) + read -p "Select one client: " client_number + until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do + echo "$client_number: invalid selection." + read -p "Select one client: " client_number + done + client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p) echo - read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE - if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then + read -p "Do you really want to revoke access for client $client? [y/N]: " revoke + until [[ "$revoke" =~ ^[yYnN]*$ ]]; do + echo "$revoke: invalid selection." + read -p "Do you really want to revoke access for client $client? [y/N]: " revoke + done + if [[ "$revoke" =~ ^[yY]$ ]]; then cd /etc/openvpn/server/easy-rsa/ - ./easyrsa --batch revoke $CLIENT + ./easyrsa --batch revoke "$client" EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - rm -f pki/reqs/$CLIENT.req - rm -f pki/private/$CLIENT.key - rm -f pki/issued/$CLIENT.crt + rm -f pki/reqs/"$client".req + rm -f pki/private/"$client".key + rm -f pki/issued/"$client".crt rm -f /etc/openvpn/server/crl.pem cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem # CRL is read with each client connection, when OpenVPN is dropped to nobody - chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem + chown nobody:"$group_name" /etc/openvpn/server/crl.pem echo - echo "Certificate for client $CLIENT revoked!" + echo "Certificate for client $client revoked!" else echo - echo "Certificate revocation for client $CLIENT aborted!" + echo "Certificate revocation for client $client aborted!" fi exit ;; 3) echo - read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE - if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then - PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) - PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) + read -p "Do you really want to remove OpenVPN? [y/N]: " remove + until [[ "$remove" =~ ^[yYnN]*$ ]]; do + echo "$remove: invalid selection." + read -p "Do you really want to remove OpenVPN? [y/N]: " remove + done + if [[ "$remove" =~ ^[yY]$ ]]; then + port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) + protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) if pgrep firewalld; then - IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10) + ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10) # Using both permanent and not permanent rules to avoid a firewalld reload. - firewall-cmd --remove-port=$PORT/$PROTOCOL + firewall-cmd --remove-port="$port"/"$protocol" firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --permanent --remove-port=$PORT/$PROTOCOL + firewall-cmd --permanent --remove-port="$port"/"$protocol" firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP - firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP + firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" + firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" else systemctl disable --now openvpn-iptables.service rm -f /etc/systemd/system/openvpn-iptables.service fi - if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then - semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT + if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then + semanage port -d -t openvpn_port_t -p "$protocol" "$port" fi systemctl disable --now openvpn-server@server.service rm -rf /etc/openvpn/server rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf rm -f /etc/sysctl.d/30-openvpn-forward.conf - if [[ "$OS" = 'debian' ]]; then + if [[ "$os" = "debian" ]]; then apt-get remove --purge -y openvpn else yum remove openvpn -y @@ -180,39 +199,59 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then done else clear - echo 'Welcome to this OpenVPN "road warrior" installer!' + echo "Welcome to this OpenVPN "road warrior" installer!" echo - # OpenVPN setup and first user creation - echo "I need to ask you a few questions before starting the setup." - echo "You can leave the default options and just press enter if you are ok with them." - echo - echo "First, provide the IPv4 address of the network interface you want OpenVPN" - echo "listening to." - # Autodetect IP address and pre-fill for the user - IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) - read -p "IP address: " -e -i $IP IP + echo "I need to ask you a few questions before starting setup." + echo "You can use the default options and just press enter if you are ok with them." + # If system has a single IPv4, it is selected automatically. Else, ask the user + if [[ $(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then + ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + else + number_of_ips=$(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + echo + echo "What IPv4 address should the OpenVPN server bind to?" + ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') ' + read -p "IPv4 address [1]: " ip_number + until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ips" ]]; do + echo "$ip_number: invalid selection." + read -p "IPv4 address [1]: " ip_number + done + [[ -z "$ip_number" ]] && ip_number="1" + ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p) + fi # If $IP is a private IP address, the server must be behind NAT - if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then + if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then echo echo "This server is behind NAT. What is the public IPv4 address or hostname?" - read -p "Public IP address / hostname: " -e PUBLICIP + get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/") + read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip + [ -z "$public_ip" ] && public_ip="$get_public_ip" fi echo echo "Which protocol do you want for OpenVPN connections?" echo " 1) UDP (recommended)" echo " 2) TCP" - read -p "Protocol [1-2]: " -e -i 1 PROTOCOL - case $PROTOCOL in - 1) - PROTOCOL=udp + read -p "Protocol [1]: " protocol + until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do + echo "$protocol: invalid selection." + read -p "Protocol [1]: " protocol + done + case "$protocol" in + 1|"") + protocol=udp ;; 2) - PROTOCOL=tcp + protocol=tcp ;; esac echo echo "What port do you want OpenVPN listening to?" - read -p "Port: " -e -i 1194 PORT + read -p "Port [1194]: " port + until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do + echo "$port: invalid selection." + read -p "Port [1194]: " port + done + [[ -z "$port" ]] && port="1194" echo echo "Which DNS do you want to use with the VPN?" echo " 1) Current system resolvers" @@ -220,21 +259,27 @@ else echo " 3) Google" echo " 4) OpenDNS" echo " 5) Verisign" - read -p "DNS [1-5]: " -e -i 1 DNS + read -p "DNS [1]: " dns + until [[ -z "$dns" || "$dns" =~ ^[1-5]$ ]]; do + echo "$dns: invalid selection." + read -p "DNS [1]: " dns + done echo - echo "Finally, tell me your name for the client certificate." - echo "Please, use one word only, no special characters." - read -p "Client name: " -e -i client CLIENT + echo "Finally, tell me a name for the client certificate." + read -p "Client name [client]: " unsanitized_client + # Allow a limited set of characters to avoid conflicts + client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") + [[ -z "$client" ]] && client="client" echo echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." read -n1 -r -p "Press any key to continue..." # If running inside a container, disable LimitNPROC to prevent conflicts if systemd-detect-virt -cq; then mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null - echo '[Service] -LimitNPROC=infinity' > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf + echo "[Service] +LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf fi - if [[ "$OS" = 'debian' ]]; then + if [[ "$os" = "debian" ]]; then apt-get update apt-get install openvpn iptables openssl ca-certificates -y else @@ -243,8 +288,8 @@ LimitNPROC=infinity' > /etc/systemd/system/openvpn-server@server.service.d/disab yum install openvpn iptables openssl ca-certificates -y fi # Get easy-rsa - EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz' - wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" + easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz' + wget -O ~/easyrsa.tgz "$easy_rsa_url" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$easy_rsa_url" tar xzf ~/easyrsa.tgz -C ~/ mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/ mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/ @@ -255,14 +300,14 @@ LimitNPROC=infinity' > /etc/systemd/system/openvpn-server@server.service.d/disab ./easyrsa init-pki ./easyrsa --batch build-ca nopass EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass + EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # Move the stuff we need cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server # CRL is read with each client connection, when OpenVPN is dropped to nobody - chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem - # Generate key for tls-auth - openvpn --genkey --secret /etc/openvpn/server/ta.key + chown nobody:"$group_name" /etc/openvpn/server/crl.pem + # Generate key for tls-crypt + openvpn --genkey --secret /etc/openvpn/server/tc.key # Create the DH parameters file using the predefined ffdhe2048 group echo '-----BEGIN DH PARAMETERS----- MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz @@ -273,33 +318,32 @@ YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== -----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem # Generate server.conf - echo "port $PORT -proto $PROTOCOL + echo "local $ip +port $port +proto $protocol dev tun -sndbuf 0 -rcvbuf 0 ca ca.crt cert server.crt key server.key dh dh.pem auth SHA512 -tls-auth ta.key 0 +tls-crypt tc.key topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf # DNS - case $DNS in - 1) + case "$dns" in + 1|"") # Locate the proper resolv.conf # Needed for systems running systemd-resolved if grep -q "127.0.0.53" "/etc/resolv.conf"; then - RESOLVCONF='/run/systemd/resolve/resolv.conf' + resolv_conf="/run/systemd/resolve/resolv.conf" else - RESOLVCONF='/etc/resolv.conf' + resolv_conf="/etc/resolv.conf" fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do + grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf done ;; @@ -323,12 +367,15 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf echo "keepalive 10 120 cipher AES-256-CBC user nobody -group $GROUPNAME +group $group_name persist-key persist-tun status openvpn-status.log verb 3 crl-verify crl.pem" >> /etc/openvpn/server/server.conf + if [[ "$protocol" = "udp" ]]; then + echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf + fi # Enable net.ipv4.ip_forward for the system echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf # Enable without waiting for a reboot or service restart @@ -338,25 +385,25 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # reload. # We don't use --add-service=openvpn because that would only work with # the default port and protocol. - firewall-cmd --add-port=$PORT/$PROTOCOL + firewall-cmd --add-port="$port"/"$protocol" firewall-cmd --zone=trusted --add-source=10.8.0.0/24 - firewall-cmd --permanent --add-port=$PORT/$PROTOCOL + firewall-cmd --permanent --add-port="$port"/"$protocol" firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 # Set NAT for the VPN subnet - firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP - firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP + firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" + firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" else # Create a service to set up persistent iptables rules echo "[Unit] Before=network.target [Service] Type=oneshot -ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP -ExecStart=/sbin/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT +ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip +ExecStart=/sbin/iptables -I INPUT -p $protocol --dport $port -j ACCEPT ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP -ExecStop=/sbin/iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT +ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip +ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT RemainAfterExit=yes @@ -365,7 +412,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service systemctl enable --now openvpn-iptables.service fi # If SELinux is enabled and a custom port was selected, we need this - if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then + if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then # Install semanage if not already present if ! hash semanage 2>/dev/null; then if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then @@ -374,21 +421,17 @@ WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service yum install policycoreutils-python-utils -y fi fi - semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT + semanage port -a -t openvpn_port_t -p "$protocol" "$port" fi - # And finally, enable and start the OpenVPN service - systemctl enable --now openvpn-server@server.service # If the server is behind a NAT, use the correct IP address - if [[ "$PUBLICIP" != "" ]]; then - IP=$PUBLICIP + if [[ "$public_ip" != "" ]]; then + ip="$public_ip" fi # client-common.txt is created so we have a template to add further users later echo "client dev tun -proto $PROTOCOL -sndbuf 0 -rcvbuf 0 -remote $IP $PORT +proto $protocol +remote $ip $port resolv-retry infinite nobind persist-key @@ -396,14 +439,16 @@ persist-tun remote-cert-tls server auth SHA512 cipher AES-256-CBC -setenv opt block-outside-dns -key-direction 1 +ignore-unknown-option block-outside-dns +block-outside-dns verb 3" > /etc/openvpn/server/client-common.txt + # Enable and start the OpenVPN service + systemctl enable --now openvpn-server@server.service # Generates the custom client.ovpn - newclient "$CLIENT" + new_client "$client" echo echo "Finished!" echo - echo "Your client configuration is available at:" ~/"$CLIENT.ovpn" - echo "If you want to add more clients, you simply need to run this script again!" + echo "Your client configuration is available at:" ~/"$client.ovpn" + echo "If you want to add more clients, just run this script again!" fi From 71f5fcc023ad533c89b88e43381bba2d6bb9d281 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 16 Oct 2019 22:09:25 +0200 Subject: [PATCH 11/42] Resolves #664 --- openvpn-install.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1216b50..6adaf40 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -43,6 +43,13 @@ You need to enable TUN before running this script" exit fi +if ! iptables -t nat -nL &>/dev/null; then + echo "Unable to initialize the iptables/netfilter NAT table, setup can't continue. +If you are a LowEndSpirit customer, see here: https://git.io/nfLES +If you are getting this message on any other provider, ask them for support." + exit +fi + if [[ -e /etc/debian_version ]]; then os="debian" group_name="nogroup" From 92d90dac29596487306df0e1cca48f85b74221d3 Mon Sep 17 00:00:00 2001 From: Nyr Date: Mon, 23 Dec 2019 20:19:57 +0100 Subject: [PATCH 12/42] Update error message LowEndSpirit no longer requires that. --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 6adaf40..39a9f42 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -45,8 +45,8 @@ fi if ! iptables -t nat -nL &>/dev/null; then echo "Unable to initialize the iptables/netfilter NAT table, setup can't continue. -If you are a LowEndSpirit customer, see here: https://git.io/nfLES -If you are getting this message on any other provider, ask them for support." +Make sure that your system has iptables/netfilter available. +If using OpenVZ, ask your provider to enable full netfilter support." exit fi From 6c4a21b5b9f5350981e8b0ad26fab18d9d204de4 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 18 Mar 2020 19:38:35 +0100 Subject: [PATCH 13/42] Fix #727 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 39a9f42..d57c918 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -292,7 +292,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab else # Else, the distro is CentOS yum install epel-release -y - yum install openvpn iptables openssl ca-certificates -y + yum install openvpn iptables openssl ca-certificates tar -y fi # Get easy-rsa easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz' From 9ea14fcbfc3e8d4254bb19f6dab6c2dffdd04d69 Mon Sep 17 00:00:00 2001 From: Nyr Date: Tue, 31 Mar 2020 02:35:50 +0200 Subject: [PATCH 14/42] Update to easy-rsa v3.0.7 --- openvpn-install.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d57c918..062590b 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -143,9 +143,6 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then cd /etc/openvpn/server/easy-rsa/ ./easyrsa --batch revoke "$client" EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - rm -f pki/reqs/"$client".req - rm -f pki/private/"$client".key - rm -f pki/issued/"$client".crt rm -f /etc/openvpn/server/crl.pem cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem # CRL is read with each client connection, when OpenVPN is dropped to nobody @@ -295,11 +292,11 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab yum install openvpn iptables openssl ca-certificates tar -y fi # Get easy-rsa - easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz' + easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz' wget -O ~/easyrsa.tgz "$easy_rsa_url" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$easy_rsa_url" tar xzf ~/easyrsa.tgz -C ~/ - mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/ - mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/ + mv ~/EasyRSA-3.0.7/ /etc/openvpn/server/ + mv /etc/openvpn/server/EasyRSA-3.0.7/ /etc/openvpn/server/easy-rsa/ chown -R root:root /etc/openvpn/server/easy-rsa/ rm -f ~/easyrsa.tgz cd /etc/openvpn/server/easy-rsa/ From 67e8427ba532eef211d08b3ae3afb98e24fa2806 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 1 Apr 2020 00:54:00 +0200 Subject: [PATCH 15/42] Remove the iptables NAT table check LowEndSpirit fixed the issue on their end, so this is longer needed. Additionally, the check causes unneeded trouble for users whose system doesn't have the iptables package installed. --- openvpn-install.sh | 7 ------- 1 file changed, 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 062590b..5134b2f 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -43,13 +43,6 @@ You need to enable TUN before running this script" exit fi -if ! iptables -t nat -nL &>/dev/null; then - echo "Unable to initialize the iptables/netfilter NAT table, setup can't continue. -Make sure that your system has iptables/netfilter available. -If using OpenVZ, ask your provider to enable full netfilter support." - exit -fi - if [[ -e /etc/debian_version ]]; then os="debian" group_name="nogroup" From 5229459f99c5204f59697f880508f05cbb6d3999 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 1 Apr 2020 01:17:17 +0200 Subject: [PATCH 16/42] IPv6 support Clients will be provided with IPv6 connectivity if the server has it. Other very small and unimportant improvements are also included in this commit. --- openvpn-install.sh | 81 +++++++++++++++++++++++++++++++++++++--------- 1 file changed, 66 insertions(+), 15 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 5134b2f..d3c3f00 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -159,7 +159,7 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) if pgrep firewalld; then - ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10) + ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$') # Using both permanent and not permanent rules to avoid a firewalld reload. firewall-cmd --remove-port="$port"/"$protocol" firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 @@ -167,6 +167,13 @@ if [[ -e /etc/openvpn/server/server.conf ]]; then firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" + if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then + ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$') + firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64 + firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64 + firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" + firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" + fi else systemctl disable --now openvpn-iptables.service rm -f /etc/systemd/system/openvpn-iptables.service @@ -201,22 +208,22 @@ else echo "I need to ask you a few questions before starting setup." echo "You can use the default options and just press enter if you are ok with them." # If system has a single IPv4, it is selected automatically. Else, ask the user - if [[ $(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then - ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + if [[ $(ip -4 addr | grep inet | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then + ip=$(ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') else - number_of_ips=$(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + number_of_ip=$(ip -4 addr | grep inet | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') echo - echo "What IPv4 address should the OpenVPN server bind to?" - ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') ' + echo "What IPv4 address should the OpenVPN server use?" + ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') ' read -p "IPv4 address [1]: " ip_number - until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ips" ]]; do + until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ip" ]]; do echo "$ip_number: invalid selection." read -p "IPv4 address [1]: " ip_number done [[ -z "$ip_number" ]] && ip_number="1" - ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p) + ip=$(ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p) fi - # If $IP is a private IP address, the server must be behind NAT + # If $ip is a private IP address, the server must be behind NAT if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then echo echo "This server is behind NAT. What is the public IPv4 address or hostname?" @@ -224,6 +231,24 @@ else read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip [ -z "$public_ip" ] && public_ip="$get_public_ip" fi + # If system has a single IPv6, it is selected automatically + if [[ $(ip -6 addr | grep -c 'inet6 [23]') -eq 1 ]]; then + ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}') + fi + # If system has multiple IPv6, ask the user to select one + if [[ $(ip -6 addr | grep -c 'inet6 [23]') -gt 1 ]]; then + number_of_ip6=$(ip -6 addr | grep -c 'inet6 [23]') + echo + echo "What IPv6 address should the OpenVPN server use?" + ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | nl -s ') ' + read -p "IPv6 address [1]: " ip6_number + until [[ -z "$ip6_number" || "$ip6_number" =~ ^[0-9]+$ && "$ip6_number" -le "$number_of_ip6" ]]; do + echo "$ip6_number: invalid selection." + read -p "IPv6 address [1]: " ip6_number + done + [[ -z "$ip6_number" ]] && ip6_number="1" + ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p) + fi echo echo "Which protocol do you want for OpenVPN connections?" echo " 1) UDP (recommended)" @@ -326,9 +351,15 @@ dh dh.pem auth SHA512 tls-crypt tc.key topology subnet -server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf - echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf +server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf + # IPv6 + if [[ -z "$ip6" ]]; then + echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf + else + echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf + echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf + fi + echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf # DNS case "$dns" in 1|"") @@ -377,6 +408,12 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf # Enable without waiting for a reboot or service restart echo 1 > /proc/sys/net/ipv4/ip_forward + if [[ -n "$ip6" ]]; then + # Enable net.ipv6.conf.all.forwarding for the system + echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/30-openvpn-forward.conf + # Enable without waiting for a reboot or service restart + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + fi if pgrep firewalld; then # Using both permanent and not permanent rules to avoid a firewalld # reload. @@ -389,6 +426,12 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # Set NAT for the VPN subnet firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" + if [[ -n "$ip6" ]]; then + firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64 + firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64 + firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" + firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" + fi else # Create a service to set up persistent iptables rules echo "[Unit] @@ -402,10 +445,18 @@ ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCE ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT -ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -RemainAfterExit=yes +ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service + if [[ -n "$ip6" ]]; then + echo "ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 +ExecStart=/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT +ExecStart=/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +ExecStop=/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 +ExecStop=/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT +ExecStop=/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service + fi + echo "RemainAfterExit=yes [Install] -WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service +WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service systemctl enable --now openvpn-iptables.service fi # If SELinux is enabled and a custom port was selected, we need this From 6f9daf49f54c7f564f00a771b2f9b5fd9ac38fb0 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 16 Apr 2020 23:33:14 +0200 Subject: [PATCH 17/42] Small style improvements --- openvpn-install.sh | 305 ++++++++++++++++++++++----------------------- 1 file changed, 151 insertions(+), 154 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d3c3f00..fde6489 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -73,137 +73,9 @@ new_client () { } > ~/"$1".ovpn } -if [[ -e /etc/openvpn/server/server.conf ]]; then - while : - do +if [[ ! -e /etc/openvpn/server/server.conf ]]; then clear - echo "Looks like OpenVPN is already installed." - echo - echo "What do you want to do?" - echo " 1) Add a new user" - echo " 2) Revoke an existing user" - echo " 3) Remove OpenVPN" - echo " 4) Exit" - read -p "Select an option: " option - until [[ "$option" =~ ^[1-4]$ ]]; do - echo "$option: invalid selection." - read -p "Select an option: " option - done - case "$option" in - 1) - echo - echo "Tell me a name for the client certificate." - read -p "Client name: " unsanitized_client - client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") - while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do - echo "$client: invalid client name." - read -p "Client name: " unsanitized_client - client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") - done - cd /etc/openvpn/server/easy-rsa/ - EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass - # Generates the custom client.ovpn - new_client "$client" - echo - echo "Client $client added, configuration is available at:" ~/"$client.ovpn" - exit - ;; - 2) - # This option could be documented a bit better and maybe even be simplified - # ...but what can I say, I want some sleep too - number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V") - if [[ "$number_of_clients" = 0 ]]; then - echo - echo "You have no existing clients!" - exit - fi - echo - echo "Select the existing client certificate you want to revoke:" - tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - read -p "Select one client: " client_number - until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do - echo "$client_number: invalid selection." - read -p "Select one client: " client_number - done - client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p) - echo - read -p "Do you really want to revoke access for client $client? [y/N]: " revoke - until [[ "$revoke" =~ ^[yYnN]*$ ]]; do - echo "$revoke: invalid selection." - read -p "Do you really want to revoke access for client $client? [y/N]: " revoke - done - if [[ "$revoke" =~ ^[yY]$ ]]; then - cd /etc/openvpn/server/easy-rsa/ - ./easyrsa --batch revoke "$client" - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl - rm -f /etc/openvpn/server/crl.pem - cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem - # CRL is read with each client connection, when OpenVPN is dropped to nobody - chown nobody:"$group_name" /etc/openvpn/server/crl.pem - echo - echo "Certificate for client $client revoked!" - else - echo - echo "Certificate revocation for client $client aborted!" - fi - exit - ;; - 3) - echo - read -p "Do you really want to remove OpenVPN? [y/N]: " remove - until [[ "$remove" =~ ^[yYnN]*$ ]]; do - echo "$remove: invalid selection." - read -p "Do you really want to remove OpenVPN? [y/N]: " remove - done - if [[ "$remove" =~ ^[yY]$ ]]; then - port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) - protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) - if pgrep firewalld; then - ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$') - # Using both permanent and not permanent rules to avoid a firewalld reload. - firewall-cmd --remove-port="$port"/"$protocol" - firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --permanent --remove-port="$port"/"$protocol" - firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" - firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" - if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then - ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$') - firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64 - firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64 - firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" - firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" - fi - else - systemctl disable --now openvpn-iptables.service - rm -f /etc/systemd/system/openvpn-iptables.service - fi - if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then - semanage port -d -t openvpn_port_t -p "$protocol" "$port" - fi - systemctl disable --now openvpn-server@server.service - rm -rf /etc/openvpn/server - rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf - rm -f /etc/sysctl.d/30-openvpn-forward.conf - if [[ "$os" = "debian" ]]; then - apt-get remove --purge -y openvpn - else - yum remove openvpn -y - fi - echo - echo "OpenVPN removed!" - else - echo - echo "Removal aborted!" - fi - exit - ;; - 4) exit;; - esac - done -else - clear - echo "Welcome to this OpenVPN "road warrior" installer!" + echo 'Welcome to this OpenVPN road warrior installer!' echo echo "I need to ask you a few questions before starting setup." echo "You can use the default options and just press enter if you are ok with them." @@ -229,7 +101,7 @@ else echo "This server is behind NAT. What is the public IPv4 address or hostname?" get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/") read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip - [ -z "$public_ip" ] && public_ip="$get_public_ip" + [[ -z "$public_ip" ]] && public_ip="$get_public_ip" fi # If system has a single IPv6, it is selected automatically if [[ $(ip -6 addr | grep -c 'inet6 [23]') -eq 1 ]]; then @@ -363,33 +235,33 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf # DNS case "$dns" in 1|"") - # Locate the proper resolv.conf - # Needed for systems running systemd-resolved - if grep -q "127.0.0.53" "/etc/resolv.conf"; then - resolv_conf="/run/systemd/resolve/resolv.conf" - else - resolv_conf="/etc/resolv.conf" - fi - # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do - echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf - done + # Locate the proper resolv.conf + # Needed for systems running systemd-resolved + if grep -q "127.0.0.53" "/etc/resolv.conf"; then + resolv_conf="/run/systemd/resolve/resolv.conf" + else + resolv_conf="/etc/resolv.conf" + fi + # Obtain the resolvers from resolv.conf and use them for OpenVPN + grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do + echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf + done ;; 2) - echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf ;; 3) - echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf ;; 4) - echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf ;; 5) - echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf ;; esac echo "keepalive 10 120 @@ -471,10 +343,8 @@ WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service fi semanage port -a -t openvpn_port_t -p "$protocol" "$port" fi - # If the server is behind a NAT, use the correct IP address - if [[ "$public_ip" != "" ]]; then - ip="$public_ip" - fi + # If the server is behind NAT, use the correct IP address + [[ ! -z "$public_ip" ]] && ip="$public_ip" # client-common.txt is created so we have a template to add further users later echo "client dev tun @@ -499,4 +369,131 @@ verb 3" > /etc/openvpn/server/client-common.txt echo echo "Your client configuration is available at:" ~/"$client.ovpn" echo "If you want to add more clients, just run this script again!" +else + clear + echo "Looks like OpenVPN is already installed." + echo + echo "What do you want to do?" + echo " 1) Add a new user" + echo " 2) Revoke an existing user" + echo " 3) Remove OpenVPN" + echo " 4) Exit" + read -p "Select an option: " option + until [[ "$option" =~ ^[1-4]$ ]]; do + echo "$option: invalid selection." + read -p "Select an option: " option + done + case "$option" in + 1) + echo + echo "Tell me a name for the client certificate." + read -p "Client name: " unsanitized_client + client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") + while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do + echo "$client: invalid client name." + read -p "Client name: " unsanitized_client + client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") + done + cd /etc/openvpn/server/easy-rsa/ + EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass + # Generates the custom client.ovpn + new_client "$client" + echo + echo "Client $client added, configuration is available at:" ~/"$client.ovpn" + exit + ;; + 2) + # This option could be documented a bit better and maybe even be simplified + # ...but what can I say, I want some sleep too + number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V") + if [[ "$number_of_clients" = 0 ]]; then + echo + echo "You have no existing clients!" + exit + fi + echo + echo "Select the existing client certificate you want to revoke:" + tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' + read -p "Select one client: " client_number + until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do + echo "$client_number: invalid selection." + read -p "Select one client: " client_number + done + client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p) + echo + read -p "Do you really want to revoke access for client $client? [y/N]: " revoke + until [[ "$revoke" =~ ^[yYnN]*$ ]]; do + echo "$revoke: invalid selection." + read -p "Do you really want to revoke access for client $client? [y/N]: " revoke + done + if [[ "$revoke" =~ ^[yY]$ ]]; then + cd /etc/openvpn/server/easy-rsa/ + ./easyrsa --batch revoke "$client" + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + rm -f /etc/openvpn/server/crl.pem + cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem + # CRL is read with each client connection, when OpenVPN is dropped to nobody + chown nobody:"$group_name" /etc/openvpn/server/crl.pem + echo + echo "Certificate for client $client revoked!" + else + echo + echo "Certificate revocation for client $client aborted!" + fi + exit + ;; + 3) + echo + read -p "Do you really want to remove OpenVPN? [y/N]: " remove + until [[ "$remove" =~ ^[yYnN]*$ ]]; do + echo "$remove: invalid selection." + read -p "Do you really want to remove OpenVPN? [y/N]: " remove + done + if [[ "$remove" =~ ^[yY]$ ]]; then + port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) + protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) + if pgrep firewalld; then + ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$') + # Using both permanent and not permanent rules to avoid a firewalld reload. + firewall-cmd --remove-port="$port"/"$protocol" + firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 + firewall-cmd --permanent --remove-port="$port"/"$protocol" + firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 + firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" + firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" + if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then + ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$') + firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64 + firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64 + firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" + firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" + fi + else + systemctl disable --now openvpn-iptables.service + rm -f /etc/systemd/system/openvpn-iptables.service + fi + if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then + semanage port -d -t openvpn_port_t -p "$protocol" "$port" + fi + systemctl disable --now openvpn-server@server.service + rm -rf /etc/openvpn/server + rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf + rm -f /etc/sysctl.d/30-openvpn-forward.conf + if [[ "$os" = "debian" ]]; then + apt-get remove --purge -y openvpn + else + yum remove openvpn -y + fi + echo + echo "OpenVPN removed!" + else + echo + echo "Removal aborted!" + fi + exit + ;; + 4) + exit + ;; + esac fi From c6159aefb8cd6b065062a419f681e84af47ba425 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 16 Apr 2020 23:42:11 +0200 Subject: [PATCH 18/42] Update DNS providers - Verisign removed (performance is subpar compared to competitors) - NTT is back (fast and reliable) - AdGuard added (for ad blocking) --- openvpn-install.sh | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index fde6489..d64b47a 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -152,9 +152,10 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then echo " 2) 1.1.1.1" echo " 3) Google" echo " 4) OpenDNS" - echo " 5) Verisign" + echo " 5) NTT" + echo " 6) AdGuard" read -p "DNS [1]: " dns - until [[ -z "$dns" || "$dns" =~ ^[1-5]$ ]]; do + until [[ -z "$dns" || "$dns" =~ ^[1-6]$ ]]; do echo "$dns: invalid selection." read -p "DNS [1]: " dns done @@ -260,8 +261,12 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf ;; 5) - echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server/server.conf + ;; + 6) + echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server/server.conf ;; esac echo "keepalive 10 120 From cec053def4aea0c8c9bc9cc4fcc4ce3def2d5695 Mon Sep 17 00:00:00 2001 From: Nyr Date: Tue, 21 Apr 2020 02:28:29 +0200 Subject: [PATCH 19/42] Miscellaneous improvements - Fix #694: added sanitization during the public IP address configuration and switch to AWS checkip since the Akamai service doesn't support HTTPS. - Add validation to cover an unlikely case where: server is behind NAT, checkip service is unreachable and user doesn't provide input when asked for the public IP address or hostname. - Other small improvements not worth describing in detail. --- README.md | 2 +- openvpn-install.sh | 20 +++++++++++++------- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index cad322c..3c08cc5 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ## openvpn-install OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS. -This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. +This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. ### Installation Run the script and follow the assistant: diff --git a/openvpn-install.sh b/openvpn-install.sh index d64b47a..f5c1c38 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -62,15 +62,15 @@ new_client () { cat /etc/openvpn/server/easy-rsa/pki/ca.crt echo "" echo "" - sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$1".crt + sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt echo "" echo "" - cat /etc/openvpn/server/easy-rsa/pki/private/"$1".key + cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key echo "" echo "" sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key echo "" - } > ~/"$1".ovpn + } > ~/"$client".ovpn } if [[ ! -e /etc/openvpn/server/server.conf ]]; then @@ -99,8 +99,14 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then echo echo "This server is behind NAT. What is the public IPv4 address or hostname?" - get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/") + # Get public IP and sanitize with grep + get_public_ip=$(grep -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 5 -t 1 -4qO- "https://checkip.amazonaws.com/" || curl -m 5 -4Ls "https://checkip.amazonaws.com/")") read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip + # If the checkip service is unavailable and user didn't provide input, ask again + until [[ -n "$get_public_ip" || -n $public_ip ]]; do + echo "Invalid input." + read -p "Public IPv4 address / hostname: " public_ip + done [[ -z "$public_ip" ]] && public_ip="$get_public_ip" fi # If system has a single IPv6, it is selected automatically @@ -142,7 +148,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then echo "What port do you want OpenVPN listening to?" read -p "Port [1194]: " port until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do - echo "$port: invalid selection." + echo "$port: invalid port." read -p "Port [1194]: " port done [[ -z "$port" ]] && port="1194" @@ -368,7 +374,7 @@ verb 3" > /etc/openvpn/server/client-common.txt # Enable and start the OpenVPN service systemctl enable --now openvpn-server@server.service # Generates the custom client.ovpn - new_client "$client" + new_client echo echo "Finished!" echo @@ -402,7 +408,7 @@ else cd /etc/openvpn/server/easy-rsa/ EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass # Generates the custom client.ovpn - new_client "$client" + new_client echo echo "Client $client added, configuration is available at:" ~/"$client.ovpn" exit From f659724a6f222bfbd03f5399426f2dbe97ec5f6b Mon Sep 17 00:00:00 2001 From: Nyr Date: Tue, 21 Apr 2020 16:45:49 +0200 Subject: [PATCH 20/42] Addresses #694 - Use a checkip service which works fine over HTTP to avoid issues in systems where ca-certificates is not available - Increase timeout to 10 seconds, because the new service is a bit slower from some locations - Improve grep sanitization --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index f5c1c38..d35419c 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -100,7 +100,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then echo echo "This server is behind NAT. What is the public IPv4 address or hostname?" # Get public IP and sanitize with grep - get_public_ip=$(grep -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 5 -t 1 -4qO- "https://checkip.amazonaws.com/" || curl -m 5 -4Ls "https://checkip.amazonaws.com/")") + get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip # If the checkip service is unavailable and user didn't provide input, ask again until [[ -n "$get_public_ip" || -n $public_ip ]]; do From 11b929ac82fc0854edaecc86d849e8b6eca1fe0d Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 24 Apr 2020 17:48:24 +0200 Subject: [PATCH 21/42] Reworked OS detection - Made OS detection more flexible and fine-grained - Fedora is now officially supported --- README.md | 2 +- openvpn-install.sh | 96 ++++++++++++++++++++++++++-------------------- 2 files changed, 55 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 3c08cc5..f48d81a 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ## openvpn-install -OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS. +OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, CentOS and Fedora. This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. diff --git a/openvpn-install.sh b/openvpn-install.sh index d35419c..2b21209 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -5,27 +5,6 @@ # Copyright (c) 2013 Nyr. Released under the MIT License. -if grep -qs "14.04" /etc/os-release; then - echo "Ubuntu 14.04 is too old and not supported" - exit -fi - -if grep -qs "jessie" /etc/os-release; then - echo "Debian 8 is too old and not supported" - exit -fi - -if grep -qs "CentOS release 6" /etc/redhat-release; then - echo "CentOS 6 is too old and not supported" - exit -fi - -if grep -qs "Ubuntu 16.04" /etc/os-release; then - echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install -Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604' - exit -fi - # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then echo "This script needs to be run with bash, not sh" @@ -37,20 +16,50 @@ if [[ "$EUID" -ne 0 ]]; then exit fi -if [[ ! -e /dev/net/tun ]]; then - echo "The TUN device is not available -You need to enable TUN before running this script" +# Detect OS +# $os_version variables aren't always in use, but are kept here for convenience +if grep -qs "ubuntu" /etc/os-release; then + os="ubuntu" + os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.') + group_name="nogroup" +elif [[ -e /etc/debian_version ]]; then + os="debian" + os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1) + group_name="nogroup" +elif [[ -e /etc/centos-release ]]; then + os="centos" + os_version=$(grep -oE '[0-9]+' /etc/centos-release | head -1) + group_name="nobody" +elif [[ -e /etc/fedora-release ]]; then + os="fedora" + os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1) + group_name="nobody" +else + echo "Looks like you aren't running this installer on Ubuntu, Debian, CentOS or Fedora" exit fi -if [[ -e /etc/debian_version ]]; then - os="debian" - group_name="nogroup" -elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then - os="centos" - group_name="nobody" -else - echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS" +if [[ "$os" == "ubuntu" && "$os_version" -lt 1804 ]]; then + echo "Ubuntu 18.04 or higher is required to use this installer +This version of Ubuntu is too old and unsupported" + exit +fi + +if [[ "$os" == "debian" && "$os_version" -lt 9 ]]; then + echo "Debian 9 or higher is required to use this installer +This version of Debian is too old and unsupported" + exit +fi + +if [[ "$os" == "centos" && "$os_version" -lt 7 ]]; then + echo "CentOS 7 or higher is required to use this installer +This version of CentOS is too old and unsupported" + exit +fi + +if [[ ! -e /dev/net/tun ]]; then + echo "The TUN device is not available +You need to enable TUN before running this script" exit fi @@ -180,13 +189,15 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then echo "[Service] LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf fi - if [[ "$os" = "debian" ]]; then + if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then apt-get update - apt-get install openvpn iptables openssl ca-certificates -y + apt-get install -y openvpn iptables openssl ca-certificates + elif [[ "$os" = "centos" ]]; then + yum install -y epel-release + yum install -y openvpn iptables openssl ca-certificates tar else - # Else, the distro is CentOS - yum install epel-release -y - yum install openvpn iptables openssl ca-certificates tar -y + # Else, OS must be Fedora + dnf install -y openvpn iptables openssl ca-certificates tar fi # Get easy-rsa easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz' @@ -346,10 +357,10 @@ WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then # Install semanage if not already present if ! hash semanage 2>/dev/null; then - if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then - yum install policycoreutils-python -y + if [[ "$os_version" -eq 7 ]]; then + yum install -y policycoreutils-python else - yum install policycoreutils-python-utils -y + yum install -y policycoreutils-python-utils fi fi semanage port -a -t openvpn_port_t -p "$protocol" "$port" @@ -490,10 +501,11 @@ else rm -rf /etc/openvpn/server rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf rm -f /etc/sysctl.d/30-openvpn-forward.conf - if [[ "$os" = "debian" ]]; then + if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then apt-get remove --purge -y openvpn else - yum remove openvpn -y + # Else, OS must be CentOS or Fedora + yum remove -y openvpn fi echo echo "OpenVPN removed!" From e0fa45b688a6d64708194791848759e46ebc5db3 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 29 Apr 2020 13:24:55 +0200 Subject: [PATCH 22/42] Fixes #642 --- openvpn-install.sh | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2b21209..86f6e1d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -328,25 +328,27 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf fi else # Create a service to set up persistent iptables rules + iptables_path=$(command -v iptables) + ip6tables_path=$(command -v ip6tables) echo "[Unit] Before=network.target [Service] Type=oneshot -ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip -ExecStart=/sbin/iptables -I INPUT -p $protocol --dport $port -j ACCEPT -ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT -ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip -ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT -ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT -ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service +ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip +ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT +ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT +ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip +ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT +ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT +ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service if [[ -n "$ip6" ]]; then echo "ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 -ExecStart=/sbin/ip6tables -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT -ExecStart=/sbin/ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -ExecStop=/sbin/ip6tables -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 -ExecStop=/sbin/ip6tables -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT -ExecStop=/sbin/ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service +ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT +ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT +ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 +ExecStop=$ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT +ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service fi echo "RemainAfterExit=yes [Install] From ef30d9863c0f858acee2e8ca6a17d60eaec608a0 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 30 Apr 2020 00:28:27 +0200 Subject: [PATCH 23/42] Improved firewall management - Always use firewalld for CentOS and Fedora - Cleaner check to find out if firewalld is active --- openvpn-install.sh | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 86f6e1d..943abeb 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -181,7 +181,15 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") [[ -z "$client" ]] && client="client" echo - echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." + echo "We are ready to set up your OpenVPN server now." + # DigitalOcean ships their CentOS and Fedora images without firewalld + # We don't want to silently enable a firewall, so we give a subtle warning + # If the user continues, firewalld will be installed and enabled during setup + if [[ "$os" == "centos" || "$os" == "fedora" ]] && ! systemctl is-active --quiet firewalld.service; then + echo + echo "firewalld, which is required to manage routing tables, will also be installed." + fi + echo read -n1 -r -p "Press any key to continue..." # If running inside a container, disable LimitNPROC to prevent conflicts if systemd-detect-virt -cq; then @@ -194,10 +202,12 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab apt-get install -y openvpn iptables openssl ca-certificates elif [[ "$os" = "centos" ]]; then yum install -y epel-release - yum install -y openvpn iptables openssl ca-certificates tar + yum install -y openvpn firewalld openssl ca-certificates tar + systemctl enable --now firewalld.service else # Else, OS must be Fedora - dnf install -y openvpn iptables openssl ca-certificates tar + dnf install -y openvpn firewalld openssl ca-certificates tar + systemctl enable --now firewalld.service fi # Get easy-rsa easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz' @@ -308,7 +318,7 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # Enable without waiting for a reboot or service restart echo 1 > /proc/sys/net/ipv6/conf/all/forwarding fi - if pgrep firewalld; then + if systemctl is-active --quiet firewalld.service; then # Using both permanent and not permanent rules to avoid a firewalld # reload. # We don't use --add-service=openvpn because that would only work with @@ -360,9 +370,11 @@ WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service # Install semanage if not already present if ! hash semanage 2>/dev/null; then if [[ "$os_version" -eq 7 ]]; then + # Centos 7 yum install -y policycoreutils-python else - yum install -y policycoreutils-python-utils + # CentOS 8 or Fedora + dnf install -y policycoreutils-python-utils fi fi semanage port -a -t openvpn_port_t -p "$protocol" "$port" @@ -476,7 +488,7 @@ else if [[ "$remove" =~ ^[yY]$ ]]; then port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) - if pgrep firewalld; then + if systemctl is-active --quiet firewalld.service; then ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$') # Using both permanent and not permanent rules to avoid a firewalld reload. firewall-cmd --remove-port="$port"/"$protocol" From 61549ffcefcc372dc0ecaca889e5b55c9552c80a Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 1 May 2020 17:52:12 +0200 Subject: [PATCH 24/42] Improved firewall installation logic New logic makes way more sense: - If either firewalld or iptables are present, use whatever we have - If not, install firewalld in CentOS/Fedora and iptables in Debian/Ubuntu --- openvpn-install.sh | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 943abeb..34f54d0 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -182,12 +182,18 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then [[ -z "$client" ]] && client="client" echo echo "We are ready to set up your OpenVPN server now." - # DigitalOcean ships their CentOS and Fedora images without firewalld - # We don't want to silently enable a firewall, so we give a subtle warning - # If the user continues, firewalld will be installed and enabled during setup - if [[ "$os" == "centos" || "$os" == "fedora" ]] && ! systemctl is-active --quiet firewalld.service; then - echo - echo "firewalld, which is required to manage routing tables, will also be installed." + # Install a firewall in the rare case where one is not already available + if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then + if [[ "$os" == "centos" || "$os" == "fedora" ]]; then + firewall="firewalld" + # We don't want to silently enable firewalld, so we give a subtle warning + # If the user continues, firewalld will be installed and enabled during setup + echo + echo "firewalld, which is required to manage routing tables, will also be installed." + elif [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then + # iptables is way less invasive than firewalld so no warning is given + firewall="iptables" + fi fi echo read -n1 -r -p "Press any key to continue..." @@ -199,14 +205,16 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab fi if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then apt-get update - apt-get install -y openvpn iptables openssl ca-certificates + apt-get install -y openvpn openssl ca-certificates $firewall elif [[ "$os" = "centos" ]]; then yum install -y epel-release - yum install -y openvpn firewalld openssl ca-certificates tar - systemctl enable --now firewalld.service + yum install -y openvpn openssl ca-certificates tar $firewall else # Else, OS must be Fedora - dnf install -y openvpn firewalld openssl ca-certificates tar + dnf install -y openvpn openssl ca-certificates tar $firewall + fi + # If firewalld was just installed, enable it + if [[ "$firewall" == "firewalld" ]]; then systemctl enable --now firewalld.service fi # Get easy-rsa From 2852150a5b7d611cb59dcfafbf900a8948a3210e Mon Sep 17 00:00:00 2001 From: Nyr Date: Tue, 5 May 2020 16:47:25 +0200 Subject: [PATCH 25/42] OpenVZ nf_tables workaround nf_tables is not available in old OpenVZ kernels, so we need to use iptables-legacy instead. This issue only affects Debian 10 as it is the only distribution using iptables with a nf_tables backend by default. This is supposedly resolved in the newest kernels: https://bit.ly/3fgNZCh Additionally, a bugfix for the ip6tables path is also included. --- openvpn-install.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 34f54d0..aa7e1c7 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -348,6 +348,12 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # Create a service to set up persistent iptables rules iptables_path=$(command -v iptables) ip6tables_path=$(command -v ip6tables) + # Old OpenVZ kernels don't have nf_tables support + # iptables-nft is the default in Debian 10, but we need to use iptables-legacy + if [[ "$os" == "debian" && "$os_version" -eq 10 && "$(systemd-detect-virt)" == "openvz" ]]; then + iptables_path=$(command -v iptables-legacy) + ip6tables_path=$(command -v ip6tables-legacy) + fi echo "[Unit] Before=network.target [Service] @@ -361,7 +367,7 @@ ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service if [[ -n "$ip6" ]]; then - echo "ExecStart=/sbin/ip6tables -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 + echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6 From 07249185dd5501bb68e196ca1e2df7bbd3f6e700 Mon Sep 17 00:00:00 2001 From: Nyr Date: Tue, 5 May 2020 18:23:21 +0200 Subject: [PATCH 26/42] Improve nf_tables test for OVZ This test is more reliable and flexible. --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index aa7e1c7..f374e79 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -348,9 +348,9 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf # Create a service to set up persistent iptables rules iptables_path=$(command -v iptables) ip6tables_path=$(command -v ip6tables) - # Old OpenVZ kernels don't have nf_tables support - # iptables-nft is the default in Debian 10, but we need to use iptables-legacy - if [[ "$os" == "debian" && "$os_version" -eq 10 && "$(systemd-detect-virt)" == "openvz" ]]; then + # nf_tables is not available as standard in OVZ kernels. So use iptables-legacy + # if we are in OVZ, with a nf_tables backend and iptables-legacy is available. + if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f $(command -v iptables) | grep -q "nft" && hash iptables-legacy 2>/dev/null; then iptables_path=$(command -v iptables-legacy) ip6tables_path=$(command -v ip6tables-legacy) fi From b392e7da8b01d702b61b7b53e81fd062097f9e7e Mon Sep 17 00:00:00 2001 From: Nyr Date: Sun, 10 May 2020 20:02:08 +0200 Subject: [PATCH 27/42] Improved easy-rsa setup No need to write the tarball to disk. --- openvpn-install.sh | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index f374e79..bab1d8d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -219,12 +219,9 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab fi # Get easy-rsa easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz' - wget -O ~/easyrsa.tgz "$easy_rsa_url" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$easy_rsa_url" - tar xzf ~/easyrsa.tgz -C ~/ - mv ~/EasyRSA-3.0.7/ /etc/openvpn/server/ - mv /etc/openvpn/server/EasyRSA-3.0.7/ /etc/openvpn/server/easy-rsa/ + mkdir -p /etc/openvpn/server/easy-rsa/ + { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1 chown -R root:root /etc/openvpn/server/easy-rsa/ - rm -f ~/easyrsa.tgz cd /etc/openvpn/server/easy-rsa/ # Create the PKI, set up the CA and the server and client certificates ./easyrsa init-pki From d30e11d019c80648b17d7f76eb81aba4ea8f742a Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 14 May 2020 19:05:05 +0200 Subject: [PATCH 28/42] Improve TUN device check While it looks hackish, I don't think there's a better way (in Bash) to open the /dev/net/tun character device. Checking for presence of /dev/net/tun like were doing is not good enough. --- openvpn-install.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index bab1d8d..c87a88d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,9 +57,11 @@ This version of CentOS is too old and unsupported" exit fi -if [[ ! -e /dev/net/tun ]]; then - echo "The TUN device is not available -You need to enable TUN before running this script" +if [[ -e /dev/net/tun ]] && exec 2>/dev/null 7<>/dev/net/tun; then + exec 7>&- +else + echo "This system does not have the TUN device available +TUN needs to be enabled before running this installer" exit fi From db0b51228b75b8350a283fa7aff872bffa8f0822 Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 15 May 2020 18:19:24 +0200 Subject: [PATCH 29/42] Fix TUN device check Fix for the mistaken stderr redirection, sorry about that. Also, run in a subshell so we don't need to manually close the file descriptor. --- openvpn-install.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c87a88d..e9808a6 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -57,9 +57,7 @@ This version of CentOS is too old and unsupported" exit fi -if [[ -e /dev/net/tun ]] && exec 2>/dev/null 7<>/dev/net/tun; then - exec 7>&- -else +if [[ ! -e /dev/net/tun ]] || ! ( exec 7<>/dev/net/tun ) 2>/dev/null; then echo "This system does not have the TUN device available TUN needs to be enabled before running this installer" exit From e14c2359c80f0418967c1ca468a95c10200dfe9b Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 20 May 2020 12:09:50 +0200 Subject: [PATCH 30/42] Small improvements --- openvpn-install.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index e9808a6..b6e1985 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -5,6 +5,9 @@ # Copyright (c) 2013 Nyr. Released under the MIT License. +# Discard stdin. Needed when running from an one-liner which includes a newline +read -N 999999999 -t 0.001 + # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then echo "This script needs to be run with bash, not sh" @@ -16,6 +19,12 @@ if [[ "$EUID" -ne 0 ]]; then exit fi +# Detect OpenVZ 6 +if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then + echo "The system is running an old kernel, which is incompatible with this installer" + exit +fi + # Detect OS # $os_version variables aren't always in use, but are kept here for convenience if grep -qs "ubuntu" /etc/os-release; then @@ -63,6 +72,13 @@ TUN needs to be enabled before running this installer" exit fi +# Detect environments where $PATH does not include the sbin directories +if ! grep -q sbin <<< $PATH; then + echo '$PATH does not include sbin +Try using "su -" instead of "su"' + exit +fi + new_client () { # Generates the custom client.ovpn { From 6f155b997dabd35b06b87785e6bc0fc5c9b863a4 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 20 May 2020 23:33:16 +0200 Subject: [PATCH 31/42] Grammar improvements --- openvpn-install.sh | 97 ++++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 51 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index b6e1985..01b5ea8 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -10,18 +10,18 @@ read -N 999999999 -t 0.001 # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then - echo "This script needs to be run with bash, not sh" + echo 'This installer needs to be run with "bash", not "sh".' exit fi if [[ "$EUID" -ne 0 ]]; then - echo "Sorry, you need to run this as root" + echo "This installer needs to be run with superuser privileges." exit fi # Detect OpenVZ 6 if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then - echo "The system is running an old kernel, which is incompatible with this installer" + echo "The system is running an old kernel, which is incompatible with this installer." exit fi @@ -44,38 +44,38 @@ elif [[ -e /etc/fedora-release ]]; then os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1) group_name="nobody" else - echo "Looks like you aren't running this installer on Ubuntu, Debian, CentOS or Fedora" + echo "This installer seems to be running on an unsupported distribution. +Supported distributions are Ubuntu, Debian, CentOS, and Fedora." exit fi if [[ "$os" == "ubuntu" && "$os_version" -lt 1804 ]]; then - echo "Ubuntu 18.04 or higher is required to use this installer -This version of Ubuntu is too old and unsupported" + echo "Ubuntu 18.04 or higher is required to use this installer. +This version of Ubuntu is too old and unsupported." exit fi if [[ "$os" == "debian" && "$os_version" -lt 9 ]]; then - echo "Debian 9 or higher is required to use this installer -This version of Debian is too old and unsupported" + echo "Debian 9 or higher is required to use this installer. +This version of Debian is too old and unsupported." exit fi if [[ "$os" == "centos" && "$os_version" -lt 7 ]]; then - echo "CentOS 7 or higher is required to use this installer -This version of CentOS is too old and unsupported" + echo "CentOS 7 or higher is required to use this installer. +This version of CentOS is too old and unsupported." exit fi if [[ ! -e /dev/net/tun ]] || ! ( exec 7<>/dev/net/tun ) 2>/dev/null; then - echo "This system does not have the TUN device available -TUN needs to be enabled before running this installer" + echo "The system does not have the TUN device available. +TUN needs to be enabled before running this installer." exit fi # Detect environments where $PATH does not include the sbin directories if ! grep -q sbin <<< $PATH; then - echo '$PATH does not include sbin -Try using "su -" instead of "su"' + echo '$PATH does not include sbin. Try using "su -" instead of "su".' exit fi @@ -101,16 +101,13 @@ new_client () { if [[ ! -e /etc/openvpn/server/server.conf ]]; then clear echo 'Welcome to this OpenVPN road warrior installer!' - echo - echo "I need to ask you a few questions before starting setup." - echo "You can use the default options and just press enter if you are ok with them." # If system has a single IPv4, it is selected automatically. Else, ask the user if [[ $(ip -4 addr | grep inet | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then ip=$(ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') else number_of_ip=$(ip -4 addr | grep inet | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') echo - echo "What IPv4 address should the OpenVPN server use?" + echo "Which IPv4 address should be used?" ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') ' read -p "IPv4 address [1]: " ip_number until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ip" ]]; do @@ -142,7 +139,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then if [[ $(ip -6 addr | grep -c 'inet6 [23]') -gt 1 ]]; then number_of_ip6=$(ip -6 addr | grep -c 'inet6 [23]') echo - echo "What IPv6 address should the OpenVPN server use?" + echo "Which IPv6 address should be used?" ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | nl -s ') ' read -p "IPv6 address [1]: " ip6_number until [[ -z "$ip6_number" || "$ip6_number" =~ ^[0-9]+$ && "$ip6_number" -le "$number_of_ip6" ]]; do @@ -153,7 +150,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p) fi echo - echo "Which protocol do you want for OpenVPN connections?" + echo "Which protocol should OpenVPN use?" echo " 1) UDP (recommended)" echo " 2) TCP" read -p "Protocol [1]: " protocol @@ -170,7 +167,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then ;; esac echo - echo "What port do you want OpenVPN listening to?" + echo "What port should OpenVPN listen to?" read -p "Port [1194]: " port until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do echo "$port: invalid port." @@ -178,40 +175,38 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then done [[ -z "$port" ]] && port="1194" echo - echo "Which DNS do you want to use with the VPN?" + echo "Select a DNS server for the clients:" echo " 1) Current system resolvers" echo " 2) 1.1.1.1" echo " 3) Google" echo " 4) OpenDNS" echo " 5) NTT" echo " 6) AdGuard" - read -p "DNS [1]: " dns + read -p "DNS server [1]: " dns until [[ -z "$dns" || "$dns" =~ ^[1-6]$ ]]; do echo "$dns: invalid selection." - read -p "DNS [1]: " dns + read -p "DNS server [1]: " dns done echo - echo "Finally, tell me a name for the client certificate." - read -p "Client name [client]: " unsanitized_client + echo "Enter a name for the first client:" + read -p "Name [client]: " unsanitized_client # Allow a limited set of characters to avoid conflicts client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") [[ -z "$client" ]] && client="client" echo - echo "We are ready to set up your OpenVPN server now." + echo "OpenVPN installation is ready to begin now." # Install a firewall in the rare case where one is not already available if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then if [[ "$os" == "centos" || "$os" == "fedora" ]]; then firewall="firewalld" # We don't want to silently enable firewalld, so we give a subtle warning # If the user continues, firewalld will be installed and enabled during setup - echo echo "firewalld, which is required to manage routing tables, will also be installed." elif [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then # iptables is way less invasive than firewalld so no warning is given firewall="iptables" fi fi - echo read -n1 -r -p "Press any key to continue..." # If running inside a container, disable LimitNPROC to prevent conflicts if systemd-detect-virt -cq; then @@ -430,31 +425,31 @@ verb 3" > /etc/openvpn/server/client-common.txt echo echo "Finished!" echo - echo "Your client configuration is available at:" ~/"$client.ovpn" - echo "If you want to add more clients, just run this script again!" + echo "The client configuration is available in:" ~/"$client.ovpn" + echo "New clients can be added by running this script again." else clear - echo "Looks like OpenVPN is already installed." + echo "OpenVPN is already installed." echo - echo "What do you want to do?" + echo "Select an option:" echo " 1) Add a new user" echo " 2) Revoke an existing user" echo " 3) Remove OpenVPN" echo " 4) Exit" - read -p "Select an option: " option + read -p "Option: " option until [[ "$option" =~ ^[1-4]$ ]]; do echo "$option: invalid selection." - read -p "Select an option: " option + read -p "Option: " option done case "$option" in 1) echo - echo "Tell me a name for the client certificate." - read -p "Client name: " unsanitized_client + echo "Provide a name for the client:" + read -p "Name: " unsanitized_client client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do - echo "$client: invalid client name." - read -p "Client name: " unsanitized_client + echo "$client: invalid name." + read -p "Name: " unsanitized_client client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") done cd /etc/openvpn/server/easy-rsa/ @@ -462,7 +457,7 @@ else # Generates the custom client.ovpn new_client echo - echo "Client $client added, configuration is available at:" ~/"$client.ovpn" + echo "$client added. Configuration available in:" ~/"$client.ovpn" exit ;; 2) @@ -471,23 +466,23 @@ else number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V") if [[ "$number_of_clients" = 0 ]]; then echo - echo "You have no existing clients!" + echo "There are no existing clients!" exit fi echo - echo "Select the existing client certificate you want to revoke:" + echo "Select the client to revoke:" tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' - read -p "Select one client: " client_number + read -p "Client: " client_number until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do echo "$client_number: invalid selection." - read -p "Select one client: " client_number + read -p "Client: " client_number done client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p) echo - read -p "Do you really want to revoke access for client $client? [y/N]: " revoke + read -p "Confirm $client revocation? [y/N]: " revoke until [[ "$revoke" =~ ^[yYnN]*$ ]]; do echo "$revoke: invalid selection." - read -p "Do you really want to revoke access for client $client? [y/N]: " revoke + read -p "Confirm $client revocation? [y/N]: " revoke done if [[ "$revoke" =~ ^[yY]$ ]]; then cd /etc/openvpn/server/easy-rsa/ @@ -498,19 +493,19 @@ else # CRL is read with each client connection, when OpenVPN is dropped to nobody chown nobody:"$group_name" /etc/openvpn/server/crl.pem echo - echo "Certificate for client $client revoked!" + echo "$client revoked!" else echo - echo "Certificate revocation for client $client aborted!" + echo "$client revocation aborted!" fi exit ;; 3) echo - read -p "Do you really want to remove OpenVPN? [y/N]: " remove + read -p "Confirm OpenVPN removal? [y/N]: " remove until [[ "$remove" =~ ^[yYnN]*$ ]]; do echo "$remove: invalid selection." - read -p "Do you really want to remove OpenVPN? [y/N]: " remove + read -p "Confirm OpenVPN removal? [y/N]: " remove done if [[ "$remove" =~ ^[yY]$ ]]; then port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2) @@ -552,7 +547,7 @@ else echo "OpenVPN removed!" else echo - echo "Removal aborted!" + echo "OpenVPN removal aborted!" fi exit ;; From f737b02a9a0db77709313837bea0e227d95ddaca Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 21 May 2020 19:19:31 +0200 Subject: [PATCH 32/42] Small style changes --- openvpn-install.sh | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 01b5ea8..e60b994 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -6,7 +6,7 @@ # Discard stdin. Needed when running from an one-liner which includes a newline -read -N 999999999 -t 0.001 +read -N 999999 -t 0.001 # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then @@ -14,11 +14,6 @@ if readlink /proc/$$/exe | grep -q "dash"; then exit fi -if [[ "$EUID" -ne 0 ]]; then - echo "This installer needs to be run with superuser privileges." - exit -fi - # Detect OpenVZ 6 if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then echo "The system is running an old kernel, which is incompatible with this installer." @@ -67,15 +62,20 @@ This version of CentOS is too old and unsupported." exit fi -if [[ ! -e /dev/net/tun ]] || ! ( exec 7<>/dev/net/tun ) 2>/dev/null; then - echo "The system does not have the TUN device available. -TUN needs to be enabled before running this installer." +# Detect environments where $PATH does not include the sbin directories +if ! grep -q sbin <<< "$PATH"; then + echo '$PATH does not include sbin. Try using "su -" instead of "su".' exit fi -# Detect environments where $PATH does not include the sbin directories -if ! grep -q sbin <<< $PATH; then - echo '$PATH does not include sbin. Try using "su -" instead of "su".' +if [[ "$EUID" -ne 0 ]]; then + echo "This installer needs to be run with superuser privileges." + exit +fi + +if [[ ! -e /dev/net/tun ]] || ! ( exec 7<>/dev/net/tun ) 2>/dev/null; then + echo "The system does not have the TUN device available. +TUN needs to be enabled before running this installer." exit fi @@ -125,8 +125,8 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip # If the checkip service is unavailable and user didn't provide input, ask again - until [[ -n "$get_public_ip" || -n $public_ip ]]; do - echo "Invalid input." + until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do + echo "Invalid input." read -p "Public IPv4 address / hostname: " public_ip done [[ -z "$public_ip" ]] && public_ip="$get_public_ip" @@ -194,7 +194,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") [[ -z "$client" ]] && client="client" echo - echo "OpenVPN installation is ready to begin now." + echo "OpenVPN installation is ready to begin." # Install a firewall in the rare case where one is not already available if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then if [[ "$os" == "centos" || "$os" == "fedora" ]]; then @@ -216,13 +216,13 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab fi if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then apt-get update - apt-get install -y openvpn openssl ca-certificates $firewall + apt-get install -y openvpn openssl ca-certificates "$firewall" elif [[ "$os" = "centos" ]]; then yum install -y epel-release - yum install -y openvpn openssl ca-certificates tar $firewall + yum install -y openvpn openssl ca-certificates tar "$firewall" else # Else, OS must be Fedora - dnf install -y openvpn openssl ca-certificates tar $firewall + dnf install -y openvpn openssl ca-certificates tar "$firewall" fi # If firewalld was just installed, enable it if [[ "$firewall" == "firewalld" ]]; then @@ -358,7 +358,7 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf ip6tables_path=$(command -v ip6tables) # nf_tables is not available as standard in OVZ kernels. So use iptables-legacy # if we are in OVZ, with a nf_tables backend and iptables-legacy is available. - if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f $(command -v iptables) | grep -q "nft" && hash iptables-legacy 2>/dev/null; then + if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f "$(command -v iptables)" | grep -q "nft" && hash iptables-legacy 2>/dev/null; then iptables_path=$(command -v iptables-legacy) ip6tables_path=$(command -v ip6tables-legacy) fi @@ -402,7 +402,7 @@ WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service semanage port -a -t openvpn_port_t -p "$protocol" "$port" fi # If the server is behind NAT, use the correct IP address - [[ ! -z "$public_ip" ]] && ip="$public_ip" + [[ -n "$public_ip" ]] && ip="$public_ip" # client-common.txt is created so we have a template to add further users later echo "client dev tun @@ -432,8 +432,8 @@ else echo "OpenVPN is already installed." echo echo "Select an option:" - echo " 1) Add a new user" - echo " 2) Revoke an existing user" + echo " 1) Add a new client" + echo " 2) Revoke an existing client" echo " 3) Remove OpenVPN" echo " 4) Exit" read -p "Option: " option From bfdd480076a29137d5e0aa38cb5102d8730308f5 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 21 May 2020 22:36:12 +0200 Subject: [PATCH 33/42] Add Quad9 DNS servers --- openvpn-install.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index e60b994..90aeb43 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -177,10 +177,10 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then echo echo "Select a DNS server for the clients:" echo " 1) Current system resolvers" - echo " 2) 1.1.1.1" - echo " 3) Google" + echo " 2) Google" + echo " 3) 1.1.1.1" echo " 4) OpenDNS" - echo " 5) NTT" + echo " 5) Quad9" echo " 6) AdGuard" read -p "DNS server [1]: " dns until [[ -z "$dns" || "$dns" =~ ^[1-6]$ ]]; do @@ -292,20 +292,20 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf done ;; 2) - echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf - ;; - 3) echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf ;; + 3) + echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf + ;; 4) echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf ;; 5) - echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server/server.conf ;; 6) echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server/server.conf From ae7e6d7ae5aa8d87af6c9e0ced0472445b020c87 Mon Sep 17 00:00:00 2001 From: Orcun <59258329+sorcun@users.noreply.github.com> Date: Sat, 23 May 2020 13:52:26 +0000 Subject: [PATCH 34/42] egrep IP regex optimizations --- openvpn-install.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 90aeb43..e73c8c4 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -102,27 +102,27 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then clear echo 'Welcome to this OpenVPN road warrior installer!' # If system has a single IPv4, it is selected automatically. Else, ask the user - if [[ $(ip -4 addr | grep inet | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then - ip=$(ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + if [[ $(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}') -eq 1 ]]; then + ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}') else - number_of_ip=$(ip -4 addr | grep inet | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') + number_of_ip=$(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}') echo echo "Which IPv4 address should be used?" - ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') ' + ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | nl -s ') ' read -p "IPv4 address [1]: " ip_number until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ip" ]]; do echo "$ip_number: invalid selection." read -p "IPv4 address [1]: " ip_number done [[ -z "$ip_number" ]] && ip_number="1" - ip=$(ip -4 addr | grep inet | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p) + ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p) fi # If $ip is a private IP address, the server must be behind NAT if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then echo echo "This server is behind NAT. What is the public IPv4 address or hostname?" # Get public IP and sanitize with grep - get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") + get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")") read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip # If the checkip service is unavailable and user didn't provide input, ask again until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do @@ -287,7 +287,7 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf resolv_conf="/etc/resolv.conf" fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do + grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf done ;; From 366d46a8ccfbb780b5d5dc1499c466b994a331e1 Mon Sep 17 00:00:00 2001 From: Nyr Date: Mon, 25 May 2020 17:23:55 +0200 Subject: [PATCH 35/42] Fix #762 Variables which can be empty, shouldn't be quoted in this situation. --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 90aeb43..2224338 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -216,13 +216,13 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab fi if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then apt-get update - apt-get install -y openvpn openssl ca-certificates "$firewall" + apt-get install -y openvpn openssl ca-certificates $firewall elif [[ "$os" = "centos" ]]; then yum install -y epel-release - yum install -y openvpn openssl ca-certificates tar "$firewall" + yum install -y openvpn openssl ca-certificates tar $firewall else # Else, OS must be Fedora - dnf install -y openvpn openssl ca-certificates tar "$firewall" + dnf install -y openvpn openssl ca-certificates tar $firewall fi # If firewalld was just installed, enable it if [[ "$firewall" == "firewalld" ]]; then From 221319aa54db9bb5e6ae45facad03b6dacbaba47 Mon Sep 17 00:00:00 2001 From: Nyr Date: Thu, 28 May 2020 21:29:53 +0200 Subject: [PATCH 36/42] Fix #764 --- openvpn-install.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9971636..b0de6d2 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -242,8 +242,10 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # Move the stuff we need cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server - # CRL is read with each client connection, when OpenVPN is dropped to nobody + # CRL is read with each client connection, while OpenVPN is dropped to nobody chown nobody:"$group_name" /etc/openvpn/server/crl.pem + # Without +x in the directory, OpenVPN can't run a stat() on the CRL file + chmod o+x /etc/openvpn/server/ # Generate key for tls-crypt openvpn --genkey --secret /etc/openvpn/server/tc.key # Create the DH parameters file using the predefined ffdhe2048 group From 13f8b2e00cb3f6e2f670ffdba5f43787cacb3727 Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 29 May 2020 14:16:29 +0200 Subject: [PATCH 37/42] resolv.conf parsing optimizations --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index b0de6d2..1a580d3 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -283,13 +283,13 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf 1|"") # Locate the proper resolv.conf # Needed for systems running systemd-resolved - if grep -q "127.0.0.53" "/etc/resolv.conf"; then + if grep -q '^nameserver 127.0.0.53' "/etc/resolv.conf"; then resolv_conf="/run/systemd/resolve/resolv.conf" else resolv_conf="/etc/resolv.conf" fi # Obtain the resolvers from resolv.conf and use them for OpenVPN - grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do + grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf done ;; From e32cb6db866177c24ee7775751e1775724bc4951 Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 17 Jul 2020 19:04:07 +0200 Subject: [PATCH 38/42] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f48d81a..ffcd052 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +**New:** [wireguard-install](https://github.com/Nyr/wireguard-install) is also available. + ## openvpn-install OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, CentOS and Fedora. From 3ba1308a5050ad03500cecffc4dfa955e3854ed3 Mon Sep 17 00:00:00 2001 From: Nyr Date: Fri, 17 Jul 2020 19:06:11 +0200 Subject: [PATCH 39/42] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ffcd052..521d4c0 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -**New:** [wireguard-install](https://github.com/Nyr/wireguard-install) is also available. +**New: [wireguard-install](https://github.com/Nyr/wireguard-install) is also available.** ## openvpn-install OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, CentOS and Fedora. From 7ddd20911b3544c55d822f898e93c8469e34ff04 Mon Sep 17 00:00:00 2001 From: Nyr Date: Sat, 18 Jul 2020 18:50:59 +0200 Subject: [PATCH 40/42] Bugfix -N is an illegal option for read in sh, so check if the user is using sh first. --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 1a580d3..2c22d78 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -5,15 +5,15 @@ # Copyright (c) 2013 Nyr. Released under the MIT License. -# Discard stdin. Needed when running from an one-liner which includes a newline -read -N 999999 -t 0.001 - # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then echo 'This installer needs to be run with "bash", not "sh".' exit fi +# Discard stdin. Needed when running from an one-liner which includes a newline +read -N 999999 -t 0.001 + # Detect OpenVZ 6 if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then echo "The system is running an old kernel, which is incompatible with this installer." From da299172df2f07aea38c0431d6f6eba42bafb4c6 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 9 Sep 2020 23:18:31 +0200 Subject: [PATCH 41/42] Update to easy-rsa v3.0.8 --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 2c22d78..379078b 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -229,7 +229,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab systemctl enable --now firewalld.service fi # Get easy-rsa - easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz' + easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz' mkdir -p /etc/openvpn/server/easy-rsa/ { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1 chown -R root:root /etc/openvpn/server/easy-rsa/ From 26e39cf4d783694dd1e770670b5d2a0c61ab9fb2 Mon Sep 17 00:00:00 2001 From: Nyr Date: Wed, 30 Sep 2020 00:06:55 +0200 Subject: [PATCH 42/42] Update AdGuard DNS IP AdGuard changed their DNS IP recently: https://adguard.com/en/blog/adguard-dns-new-addresses.html Thanks @trantuanminh1754 for noticing. --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 379078b..1f0df4e 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -310,8 +310,8 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server/server.conf ;; 6) - echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server/server.conf - echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 94.140.14.14"' >> /etc/openvpn/server/server.conf + echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf ;; esac echo "keepalive 10 120