diff --git a/Documentation/client-ovpn.md b/Documentation/client-ovpn.md new file mode 100644 index 0000000..ab95519 --- /dev/null +++ b/Documentation/client-ovpn.md 
@@ -0,0 +1,96 @@ +# Client Setup: OpenVPN + +## Table of Contents + +- [Windows](#windows) +- [MacOS](#macos) +- [Linux](#linux) +- [Android](#android) +- [iOS](#ios) +- [Troubleshooting](#troubleshooting) + +## Windows + +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` +- To disconnect + - Locate the OpenVPN icon in the Task Bar, right click, and select `Disconnect` + - Locate the `stunnel` icon in the Task Bar, right click, and select `Exit` + +## MacOS + +- Configure OpenVPN + - Download and install [Tunnelblick](https://tunnelblick.net/) + - Locate your OVPN file in `Finder`, and double-click to open it. + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select the server you want to connect to. +- To disconnect + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select `Disconnect All`. + - To stop `stunnel`, run this in `Terminal`: `sudo killall stunnel` + +## Linux + +- Install `openvpn` on your device. + + ```bash + # Debian/Ubuntu + sudo apt install -y openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y openvpn + + # Fedora + sudo dnf install -y openvpn + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +- To disconnect + + ```bash + # Stop OpenVPN + sudo killall openvpn + ``` + +## Android + +- Download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) from Google Play Store +- Transfer your OVPN file to your device. +- Click on the `import` icon (between `+` and `Menu` icon), and select your OVPN file. 
+- Click on the check mark to confirm import. +- Click on a profile name to connect. + - If you see a `connection request` popup, select `Connect` or `OK`. +- To disconnect: Select the `VPN connection` notification in your notification center, and click `Disconnect` in the popup. + +## iOS + +- Download [OpenVPN Connect](https://itunes.apple.com/app/openvpn-connect/id590379981) from App Store +- Send the OVPN file as an attachment to yourself via email, and open it in your email app on the iOS device. + - If you see a popup with a list of different apps, select `OpenVPN Connect`. +- Click on the switch next to `Connection`, make sure it's at the `ON` position. +- To disconnect: click on the switch next to `Connection`, make sure it's at the `OFF` position. + +## Troubleshooting + +- If you're unable to connect to your server with OpenVPN... + + - Check if OpenVPN is running on your server. + + ```bash + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md new file mode 100644 index 0000000..79b2f78 --- /dev/null +++ b/Documentation/client-ssl.md 
@@ -0,0 +1,155 @@ +# Client Setup: OpenVPN over SSL + +## Table of Contents + +- [Windows](#windows) +- [MacOS](#macos) +- [Linux](#linux) +- [Android](#android) +- [iOS](#ios) +- [Troubleshooting](#troubleshooting) + +## Windows + +- Configure `stunnel` + - Download and install [stunnel](https://www.stunnel.org/downloads.html) + - Copy `stunnel.conf` and `stunnel.crt` to the `config` folder in `stunnel`'s install directory. + - On 64-bit Windows systems, `stunnel`'s install directory is `C:\Program Files (x86)\stunnel`, unless you + changed it during installation. + - On 32-bit Windows systems, `stunnel`'s install directory is `C:\Program Files\stunnel`, unless you + changed it during installation. + - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu + - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` + - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. + - Right click on the `stunnel` icon again, and select `Reload Configuration` +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` +- To disconnect + - Locate the OpenVPN icon in the Task Bar, right click, and select `Disconnect` + - Locate the `stunnel` icon in the Task Bar, right click, and select `Exit` + +## MacOS + +- Configure `stunnel` + + - Install [Homebrew](https://brew.sh/) + + - Install `stunnel` via Homebrew by running this in `Terminal`: + + ```bash + brew install stunnel + ``` + - Open `stunnel.conf` with a text editor (e.g. 
`TextEdit`), locate this line: + + `CAfile = /etc/stunnel/stunnel.crt` + + Replace the entire line with: + + `CAfile = /usr/local/etc/stunnel/stunnel.crt` + - Configure and start `stunnel` + + ```bash + # In order to run these, you need to log in to your Mac with an administrator account. + # When prompted for password, enter the password of the current user, + + # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt' + sudo cp stunnel.conf stunnel.crt /usr/local/etc/stunnel/ + # Start stunnel + sudo stunnel + ``` + +- Configure OpenVPN + + - Download and install [Tunnelblick](https://tunnelblick.net/) + - Locate your OVPN file in `Finder`, and double-click to open it. + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select the server you want to connect to. + +- To disconnect + + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select `Disconnect All`. + - To stop `stunnel`, run this in `Terminal`: `sudo killall stunnel` + +## Linux + +- Install `stunnel` and `openvpn` on your device. + + ```bash + # Debian/Ubuntu + sudo apt install -y stunnel openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y stunnel openvpn + + # Fedora + sudo dnf install -y stunnel openvpn + ``` + +- Configure and start `stunnel` + + ```bash + # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt' + sudo cp stunnel.conf stunnel.crt /etc/stunnel/ + # Start stunnel + sudo stunnel + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +- To disconnect + + ```bash + # Stop OpenVPN + sudo killall openvpn + + # Stop stunnel + sudo killall stunnel + ``` + +## Android + +- OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. 
+- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](client-ovpn.md) + +## iOS + +- OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](client-ovpn.md) + +## Troubleshooting + +- If you're unable to connect to your server with OpenVPN... + + - Please check if `stunnel` is running on your device. + + - On Windows, check if the `stunnel` icon is present in the Task Bar (bottom right). + - Run this to check on MacOS or Linux (both client and server) + + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + ``` + + - Also check if both `stunnel` and OpenVPN are running on your server. + + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. diff --git a/LICENSE.txt b/LICENSE similarity index 100% rename from LICENSE.txt rename to LICENSE diff --git a/README.md b/README.md index abd0664..3b736d0 100644 --- a/README.md +++ b/README.md 
@@ -1,18 +1,111 @@ -## openvpn-install -OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS. +# OpenVPN Installer -This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. +## To Developers and Users -### Installation -Run the script and follow the assistant: +**WARNING: Only Trust Signed Commits.** -`wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh` +## Table of Contents -Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. +- [Description](#description) +- [Installation](#installation) +- [Client setup](#client-setup) +- [Troubleshooting](#troubleshooting) +- [FAQ](#faq) +- [Donations](#donations) -### I want to run my own VPN but don't have a server for that -You can get a little VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=1). +## Description -### Donations +OpenVPN installer for Debian, Ubuntu and CentOS, with support for OpenVPN over SSL. -If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [cryptocurrency](https://pastebin.com/raw/M2JJpQpC). Thanks! \ No newline at end of file +This script lets you set up your own OpenVPN server in minutes, even if you no experience OpenVPN before. It's designed to be as simple, unobtrusive, and universal as possible. + +## Installation + +If you run into any issues during installation, please refer to [Troubleshooting](#troubleshooting). 
+ +### Install on CentOS/Debian/Ubuntu + +- **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.** + + - CentOS 6 or older + - Debian 8 (Jessie) or older + - Ubuntu 16.10 or older + +- Run this in a terminal on your server, and follow the on-screen instructions: + + ```bash + # Download the script + wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh + + # Run the install script + sudo bash openvpn-install.sh + + # Start stunnel (only if you're using OpenVPN over SSL) + sudo stunnel + ``` + +- Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next. + +## Client setup + +### Before continuing... + +- Download the `.ovpn` file from your server. +- If you're using OpenVPN with SSL, also download `stunnel.crt` and `stunnel.conf` from your server. +- If your username is `root`, they're located at `/root`. +- Otherwise, they're located at `/home/`. + +### OS-specific setup processes + +- [OpenVPN (without SSL)](Documentation/client-ovpn.md) +- [OpenVPN over SSL](Documentation/client-ssl.md) + +## Troubleshooting + +- `wget: command not found`: This means that `wget` isn't install it on your server. Just install it and try again. To install `wget`: + + ```bash + # Run this on Debian/Ubuntu + sudo apt -y install wget + + # Run this on CentOS + sudo yum -y install wget + ``` + +- `The TUN device is not available. You need to enable TUN before running this script`: Follow [this guide](https://help.skysilk.com/support/solutions/articles/9000136471-how-to-enable-tun-tap-on-linux-vps-with-skysilk). + +- If you're unable to connect to your server with OpenVPN... + + - Please check if `stunnel` is running on your device. (if you're using OpenVPN over SSL) + + - On Windows, check if the `stunnel` icon is present in the Task Bar (bottom right). 
+ - Run this to check on MacOS or Linux (both client and server) + + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + ``` + + - Also check if both `stunnel` (if applicable) and OpenVPN are running on your server. + + ```bash + # You should see stunnel in the output (if you're using OpenVPN over SSL) + ps -A | grep stunnel + + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. + +## FAQ + +### Where to find a VPS + +You can get a VPS for as little as $2.50/month (IPv6 only) or $5/month (with IPv4) at [Vultr](https://www.vultr.com/?ref=7088313) or $5/month (with IPv4) at [DigitalOcean](https://m.do.co/c/c51ec51bb352). + +## Donations + +If you want to show some appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! diff --git a/openvpn-install.sh b/openvpn-install.sh index 403e0fd..5935a29 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,9 +1,5 @@ #!/bin/bash -# -# https://github.com/Nyr/openvpn-install -# -# Copyright (c) 2013 Nyr. Released under the MIT License. - +# https://github.com/birkhoffcheng/openvpn-install # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then 
@@ -65,17 +61,21 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo " 4) Exit" read -p "Select an option [1-4]: " option case $option in - 1) + 1) echo echo "Tell me a name for the client certificate." echo "Please, use one word only, no special characters." read -p "Client name: " -e CLIENT cd /etc/openvpn/easy-rsa/ ./easyrsa build-client-full $CLIENT nopass - # Generates the custom client.ovpn newclient "$CLIENT" echo echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" + if [ -f /etc/stunnel/stunnel-client.conf ]; then + cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/server.crt $HOME/stunnel.crt + echo "~/stunnel.crt and ~/stunnel.conf." + fi exit ;; 2) @@ -117,7 +117,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi exit ;; - 3) + 3) echo read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then @@ -149,11 +149,12 @@ if [[ -e /etc/openvpn/server.conf ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then - apt-get remove --purge -y openvpn + apt purge openvpn stunnel4 -y + apt autoremove --purge -y else - yum remove openvpn -y + yum remove openvpn stunnel4 -y fi - rm -rf /etc/openvpn + rm -rf /etc/openvpn /etc/stunnel rm -f /etc/sysctl.d/30-openvpn-forward.conf echo echo "OpenVPN removed!" @@ -168,7 +169,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then done else clear - echo 'Welcome to this OpenVPN "road warrior" installer!' + echo 'Welcome to OpenVPN installer!' echo # OpenVPN setup and first user creation echo "I need to ask you a few questions before starting the setup." 
@@ -189,18 +190,38 @@ else echo "Which protocol do you want for OpenVPN connections?" echo " 1) UDP (recommended)" echo " 2) TCP" - read -p "Protocol [1-2]: " -e -i 1 PROTOCOL - case $PROTOCOL in - 1) + echo " 3) OpenVPN over SSL" + read -p "Protocol [1-3]: " -e -i 1 PROTOCOLCHOICE + case $PROTOCOLCHOICE in + 1) PROTOCOL=udp + SSL=0 ;; - 2) + 2) PROTOCOL=tcp + SSL=0 + ;; + 3) + PROTOCOL=tcp + SSL=1 ;; esac echo echo "What port do you want OpenVPN listening to?" - read -p "Port: " -e -i 1194 PORT + read -p "Port: " -e -i 443 PORT + echo + echo "Which cipher mode do you want to use?" + echo " 1) AES-256-GCM (provides authenticated encryption)" + echo " 2) AES-256-CBC (compatible with versions of OpenVPN older than 2.4)" + read -p "Cipher Mode [1-2]: " -e -i 1 CIPHERCHOICE + case $CIPHERCHOICE in + 1) + CIPHER=AES-256-GCM + ;; + 2) + CIPHER=AES-256-CBC + ;; + esac echo echo "Which DNS do you want to use with the VPN?" echo " 1) Current system resolvers" @@ -210,6 +231,8 @@ else echo " 5) Verisign" read -p "DNS [1-5]: " -e -i 1 DNS echo + read -p "For how long should each session key be used? (seconds) " -e -i 3600 RENEGKEY + echo echo "Finally, tell me your name for the client certificate." echo "Please, use one word only, no special characters." read -p "Client name: " -e -i client CLIENT @@ -217,12 +240,13 @@ else echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." read -n1 -r -p "Press any key to continue..." if [[ "$OS" = 'debian' ]]; then - apt-get update - apt-get install openvpn iptables openssl ca-certificates -y + apt update + apt dist-upgrade -y + apt install curl openvpn iptables openssl ca-certificates stunnel4 -y else # Else, the distro is CentOS yum install epel-release -y - yum install openvpn iptables openssl ca-certificates -y + yum install curl openvpn iptables openssl ca-certificates stunnel -y fi # Get easy-rsa EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz' 
@@ -241,14 +265,39 @@ else ./easyrsa build-client-full $CLIENT nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # Move the stuff we need + csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' + rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt + mv /etc/openvpn/easy-rsa/pki/issued/cert.01 /etc/openvpn/easy-rsa/pki/issued/server.crt cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn # CRL is read with each client connection, when OpenVPN is dropped to nobody chown nobody:$GROUPNAME /etc/openvpn/crl.pem # Generate key for tls-auth openvpn --genkey --secret /etc/openvpn/ta.key # Generate server.conf - echo "port $PORT -proto $PROTOCOL + if [[ $SSL==1 ]]; then + echo "local 127.0.0.1" > /etc/openvpn/server.conf + echo "port 1194" >> /etc/openvpn/server.conf + echo "sslVersion = all +;chroot = /var/lib/stunnel4/ +pid = /var/run/stunnel4.pid +debug = 7 +output = /var/log/stunnel4/stunnel.log +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 +[openvpn] +accept = 0.0.0.0:$PORT +connect = 127.0.0.1:1194 +cert=/etc/openvpn/server.crt +key=/etc/openvpn/server.key" > /etc/stunnel/stunnel.conf + echo 'ENABLED=1 +FILES="/etc/stunnel/*.conf" +OPTIONS="" +PPP_RESTART=0 +RLIMITS=""' > /etc/default/stunnel4 + else + echo "port $PORT" > /etc/openvpn/server.conf + fi + echo "proto $PROTOCOL dev tun sndbuf 0 rcvbuf 0 @@ -260,7 +309,7 @@ auth SHA512 tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf +ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf # DNS case $DNS in @@ -295,7 +344,7 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf ;; esac echo "keepalive 10 120 -cipher AES-256-CBC +cipher $CIPHER comp-lzo user nobody group $GROUPNAME 
@@ -376,24 +425,47 @@ exit 0' > $RCLOCAL dev tun proto $PROTOCOL sndbuf 0 -rcvbuf 0 -remote $IP $PORT -resolv-retry infinite +rcvbuf 0" > /etc/openvpn/client-common.txt + if [[ $SSL=1 ]]; then + echo "remote 127.0.0.1 1194" >> /etc/openvpn/client-common.txt + else + echo "remote $IP $PORT" >> /etc/openvpn/client-common.txt + fi + echo "resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA512 -cipher AES-256-CBC +cipher $CIPHER comp-lzo setenv opt block-outside-dns key-direction 1 -verb 3" > /etc/openvpn/client-common.txt +reneg-sec $RENEGKEY +verb 3" >> /etc/openvpn/client-common.txt + if [[ $SSL=1 ]]; then + echo "client = yes +debug = 7 +[openvpn] +accept = 127.0.0.1:1194 +connect = $IP:$PORT +verify = 2 +CAfile = /etc/stunnel/stunnel.crt +TIMEOUTclose = 1000 +session=300 +stack=65536 +sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf + cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/ca.crt $HOME/stunnel.crt + fi # Generates the custom client.ovpn newclient "$CLIENT" echo echo "Finished!" echo - echo "Your client configuration is available at:" ~/"$CLIENT.ovpn" + echo "Your client configuration is available at: ~/$CLIENT.ovpn" + if [[ $SSL=1 ]]; then + echo "~/stunnel.crt and ~/stunnel.conf." + fi echo "If you want to add more clients, you simply need to run this script again!" fi
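Review bot: In Documentation/client-ovpn.md (hunk @@ -0,0 +1,96) the Windows "To disconnect" steps tell the user to locate the `stunnel` icon and select `Exit`, but this is the no-SSL guide and stunnel is never installed in that flow; drop that bullet, it looks copied from client-ssl.md. In the Linux section, `openvpn --config client.ovpn` is run without `sudo` while the disconnect step is `sudo killall openvpn`; creating the tun device needs root, so make it `sudo openvpn --config client.ovpn`.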
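Review bot: The same non-root problem is in Documentation/client-ssl.md (hunk @@ -0,0 +1,155), Linux section: `openvpn --config client.ovpn` should be `sudo openvpn --config client.ovpn` to match the `sudo killall openvpn` disconnect step. In the Windows steps the user is told both to copy `stunnel.conf` into the `config` folder and then to paste its contents over the file opened by `Edit Configuration`; one of the two is enough, so say which file stunnel reads and remove the other step.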
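Review bot: In README.md (hunk @@ -1,18 +1,111) the install step downloads `openvpn-install.sh` from the `master` branch and runs it with `sudo bash`, while the same file opens with "WARNING: Only Trust Signed Commits"; either point the instructions at a tagged release or tell the user to verify the commit (`git verify-commit`) before running it. Two typos: "even if you no experience OpenVPN before" should read "even if you have no experience with OpenVPN", and "`wget` isn't install it on your server" should read "isn't installed on your server". The client-setup line "Otherwise, they're located at `/home/`" reads as truncated; it should name the user's home directory.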
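Review bot: Hunk @@ -1,9 +1,5 @@ of openvpn-install.sh deletes the "Copyright (c) 2013 Nyr. Released under the MIT License." header while the rest of the script (menu, easy-rsa flow, server.conf template in the later hunks) is retained from that project. The MIT license, which this diff keeps via the `LICENSE.txt` to `LICENSE` rename, requires the copyright notice to be included in copies; restore the original notice below the new URL.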
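Review bot: In hunk @@ -65,17 +61,21 @@ the add-client path copies `/etc/openvpn/server.crt` to `$HOME/stunnel.crt`, but the initial install (hunk @@ -376,24 +425,47) copies `/etc/openvpn/ca.crt` under the same name, and the generated stunnel-client.conf uses that file as `CAfile` with `verify = 2`. Use `ca.crt` here as well so clients added later verify the server the same way the first client does. The `echo "~/stunnel.crt and ~/stunnel.conf."` also prints as a dangling fragment after the `.ovpn` path line; fold it into one sentence.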
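Review bot: In hunk @@ -149,11 +149,12 @@ the CentOS branch runs `yum remove openvpn stunnel4 -y`, but the install hunk (@@ -217,12 +240,13) installs the package as `stunnel` on CentOS (`yum install ... stunnel -y`); `stunnel4` is the Debian name, so uninstall on CentOS leaves stunnel in place. Use `stunnel` on that line.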
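Review bot: In hunk @@ -189,18 +190,38 @@ neither `case $PROTOCOLCHOICE` nor `case $CIPHERCHOICE` has a `*)` arm, so any input outside 1-3 / 1-2 leaves `PROTOCOL`, `SSL` and `CIPHER` unset and the later templates emit `proto ` and `cipher ` with no value; add a default arm that applies the documented default or re-prompts. The default port is now 443 for every choice, including UDP; that is fine, but the prompt should say so since the old default was 1194.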
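Review bot: In hunk @@ -210,6 +231,8 @@ `RENEGKEY` is taken from the user and written verbatim into the client config as `reneg-sec $RENEGKEY` (hunk @@ -376,24 +425,47) with no validation; non-numeric input yields a client config OpenVPN rejects. Check that it is a positive integer, and consider writing `reneg-sec` into server.conf too, since either side's timer triggers renegotiation and the effective interval is the lower of the two.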
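Review bot: In hunk @@ -217,12 +240,13 @@ `apt dist-upgrade -y` upgrades every package on the host, kernels included, as a side effect of installing OpenVPN; that is unexpected from an installer and can leave the server needing a reboot mid-setup. Drop it or make it an explicit opt-in prompt. `curl` is added to both install lines but is not used anywhere in the visible changes; if nothing needs it, remove it.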
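Review bot: In hunk @@ -241,14 +265,39 @@ `if [[ $SSL==1 ]]` is a string test, not a comparison: inside `[[ ]]` the word `$SSL==1` expands to `0==1` or `1==1`, which is non-empty and therefore always true, so the stunnel branch runs for every install and the `else` that writes `port $PORT` is dead. Plain UDP/TCP installs end up with `local 127.0.0.1` and `port 1194` and are unreachable from outside. Write it as `if [[ "$SSL" == 1 ]]`. In the stunnel server config, `sslVersion = all` accepts whatever the library offers while the client config pins `sslVersion=TLSv1.2`; pin the server to TLSv1.2 too, and lower `debug = 7` (full debug logging to /var/log/stunnel4/stunnel.log) for normal operation. The `csplit` / `rm cert.00` / `mv cert.01` sequence assumes easy-rsa's text preamble precedes the PEM block; `openssl x509 -in pki/issued/server.crt -out /etc/openvpn/server.crt` extracts the PEM without that assumption. `/etc/default/stunnel4` is also written on CentOS, where nothing reads it.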
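Review bot: In hunk @@ -376,24 +425,47 @@ `if [[ $SSL=1 ]]` (three occurrences) has the same always-true problem: `$SSL=1` is one non-empty word, so every client config gets `remote 127.0.0.1 1194` and a stunnel-client.conf is generated even for UDP installs where no stunnel listener exists. Use `[[ "$SSL" == 1 ]]` in all three places. In stunnel-client.conf, `verify = 2` with `CAfile = /etc/stunnel/stunnel.crt` only checks that the server certificate chains to that CA, and the same easy-rsa CA issues every client certificate, so the stunnel layer does not distinguish the server's certificate from any other certificate it issued (OpenVPN's `remote-cert-tls server` catches this one layer up). Add `checkIP = $IP` (or `checkHost` with the server name) to the client section so the outer TLS layer verifies the peer identity as well.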