From b652a205565a8c6275ee0208190853acd3cf25c0 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sat, 7 Jul 2018 11:51:19 -0400 Subject: [PATCH 01/33] Update openvpn-install.sh --- openvpn-install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 403e0fd..df39897 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -295,7 +295,7 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf ;; esac echo "keepalive 10 120 -cipher AES-256-CBC +cipher AES-256-GCM comp-lzo user nobody group $GROUPNAME @@ -384,7 +384,7 @@ persist-key persist-tun remote-cert-tls server auth SHA512 -cipher AES-256-CBC +cipher AES-256-GCM comp-lzo setenv opt block-outside-dns key-direction 1 From c09dcefff1f001c0afcf6dd9624df30e43492ae3 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sat, 7 Jul 2018 11:57:15 -0400 Subject: [PATCH 02/33] Renegotiate key every hour --- openvpn-install.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index df39897..e60738d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -388,6 +388,7 @@ cipher AES-256-GCM comp-lzo setenv opt block-outside-dns key-direction 1 +reneg-sec 3600 verb 3" > /etc/openvpn/client-common.txt # Generates the custom client.ovpn newclient "$CLIENT" From e498844acfee48f2b00c30d88c3b7d21c3e1ab49 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sat, 7 Jul 2018 15:32:27 -0400 Subject: [PATCH 03/33] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index abd0664..85f9704 100644 --- a/README.md +++ b/README.md 
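Review bot: `reneg-sec 3600`, added to client-common.txt in the `@@ -388,6 +388,7 @@` hunk, is already OpenVPN's default renegotiation interval, and the effective interval is the smaller of the two peers' values, so a client-only line changes nothing on its own. If the intent is to make the period enforceable, write the same directive into /etc/openvpn/server.conf as well, next to `keepalive 10 120` in the server block touched by the `@@ -295,7 +295,7 @@` hunk of the first patch, e.g. `reneg-sec 3600`. The `echo` that builds client-common.txt begins outside this hunk.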
@@ -6,13 +6,13 @@ This script will let you setup your own VPN server in no more than a minute, eve ### Installation Run the script and follow the assistant: -`wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh` +`wget https://bit.ly/Openvpn -O openvpn-install.sh && bash openvpn-install.sh` Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. ### I want to run my own VPN but don't have a server for that -You can get a little VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=1). +You can get a VPS from as little as $2.5/month at [Vultr](https://www.vultr.com/?ref=7088313) or $5/month at [DigitalOcean](https://m.do.co/c/c51ec51bb352). ### Donations -If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [cryptocurrency](https://pastebin.com/raw/M2JJpQpC). Thanks! \ No newline at end of file +If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or [Bitcoin](bitcoin:12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! From 89d8cbd89ca9838d1556a1e32a9d86996562468d Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sat, 7 Jul 2018 15:35:19 -0400 Subject: [PATCH 04/33] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 85f9704..10c4e16 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ ## openvpn-install -OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS. +OpenVPN installer for Debian, Ubuntu and CentOS. This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. 
@@ -15,4 +15,4 @@ You can get a VPS from as little as $2.5/month at [Vultr](https://www.vultr.com/ ### Donations -If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or [Bitcoin](bitcoin:12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! +If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! From 885dc564856ea420cb98cf4113b579a1aa24fa43 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sat, 7 Jul 2018 21:54:08 -0400 Subject: [PATCH 05/33] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 10c4e16..ff95088 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ Run the script and follow the assistant: Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. -### I want to run my own VPN but don't have a server for that +### Where to get VPS You can get a VPS from as little as $2.5/month at [Vultr](https://www.vultr.com/?ref=7088313) or $5/month at [DigitalOcean](https://m.do.co/c/c51ec51bb352). ### Donations From 0c37e416925a99ec7743dd81058095c03e5ebb73 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sun, 8 Jul 2018 16:05:16 -0400 Subject: [PATCH 06/33] Customizable Key Renegotiation Period --- openvpn-install.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index e60738d..87e7768 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,6 +1,6 @@ #!/bin/bash # -# https://github.com/Nyr/openvpn-install +# https://github.com/birkhoffcheng/openvpn-install # # Copyright (c) 2013 Nyr. Released under the MIT License. 
@@ -213,6 +213,7 @@ else echo "Finally, tell me your name for the client certificate." echo "Please, use one word only, no special characters." read -p "Client name: " -e -i client CLIENT + read -p "For how long should each session key be used? (seconds) " -e -i 3600 RENEGKEY echo echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." read -n1 -r -p "Press any key to continue..." @@ -388,7 +389,7 @@ cipher AES-256-GCM comp-lzo setenv opt block-outside-dns key-direction 1 -reneg-sec 3600 +reneg-sec $RENEGKEY verb 3" > /etc/openvpn/client-common.txt # Generates the custom client.ovpn newclient "$CLIENT" From b5072b3e5946d6b2c74695ebfcd1b0f52065937d Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sun, 8 Jul 2018 16:22:47 -0400 Subject: [PATCH 07/33] Customizable cipher mode --- openvpn-install.sh | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 87e7768..89fc202 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -168,7 +168,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then done else clear - echo 'Welcome to this OpenVPN "road warrior" installer!' + echo 'Welcome to this OpenVPN installer!' echo # OpenVPN setup and first user creation echo "I need to ask you a few questions before starting the setup." @@ -202,6 +202,19 @@ else echo "What port do you want OpenVPN listening to?" read -p "Port: " -e -i 1194 PORT echo + echo "Which cipher mode do you want to use?" + echo " 1) AES-256-GCM (provides authenticated encryption)" + echo " 2) AES-256-CBC (compatible with versions of OpenVPN older than 2.4)" + read -p "Cipher Mode [1-2]" -e -i 1 CIPHERCHOICE + case $CIPHERCHOICE in + 1) + CIPHER=AES-256-GCM + ;; + 2) + CIPHER=AES-256-CBC + ;; + esac + echo echo "Which DNS do you want to use with the VPN?" echo " 1) Current system resolvers" echo " 2) 1.1.1.1" 
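Review bot: `RENEGKEY`, read in the `@@ -213,6 +213,7 @@` hunk, is written verbatim into client-common.txt as `reneg-sec $RENEGKEY` in the `@@ -388,7 +389,7 @@` hunk with no check that it is a number, so a stray character or an empty answer produces a client profile OpenVPN rejects. Validate before use, e.g. `[[ "$RENEGKEY" =~ ^[0-9]+$ ]] || RENEGKEY=3600`, and state the unit and default in the prompt text. The interactive setup block this sits in starts before the hunk.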
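Review bot: The `case $CIPHERCHOICE` added in the `@@ -202,6 +202,19 @@` hunk has no default arm, so any answer other than 1 or 2 leaves `CIPHER` empty and the `cipher $CIPHER` lines in the `@@ -296,7 +309,7 @@` and `@@ -385,7 +398,7 @@` hunks of the same patch emit a bare `cipher` directive that OpenVPN will not start with. Add `*) CIPHER=AES-256-GCM ;;` as a fallback, or loop until a valid choice is entered as a user would expect from a menu. The surrounding prompt sequence starts before this hunk.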
@@ -296,7 +309,7 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf ;; esac echo "keepalive 10 120 -cipher AES-256-GCM +cipher $CIPHER comp-lzo user nobody group $GROUPNAME @@ -385,7 +398,7 @@ persist-key persist-tun remote-cert-tls server auth SHA512 -cipher AES-256-GCM +cipher $CIPHER comp-lzo setenv opt block-outside-dns key-direction 1 From 4382d750b4f4a0223272a8f1fafd1e778a9ad530 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sun, 8 Jul 2018 16:24:38 -0400 Subject: [PATCH 08/33] Update openvpn-install.sh --- openvpn-install.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 89fc202..bb60c69 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -1,9 +1,5 @@ #!/bin/bash -# # https://github.com/birkhoffcheng/openvpn-install -# -# Copyright (c) 2013 Nyr. Released under the MIT License. - # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then @@ -168,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then done else clear - echo 'Welcome to this OpenVPN installer!' + echo 'Welcome to OpenVPN installer!' echo # OpenVPN setup and first user creation echo "I need to ask you a few questions before starting the setup." From 13480ce96083836473531f47bfe9d3660285324b Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sun, 8 Jul 2018 16:25:20 -0400 Subject: [PATCH 09/33] Update LICENSE.txt --- LICENSE.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.txt b/LICENSE.txt index 8389d29..9dece9a 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2013 Nyr +Copyright (c) 2018 Birkhoff Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in 
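Review bot: The header rewrite in the `@@ -1,9 +1,5 @@` hunk deletes `# Copyright (c) 2013 Nyr. Released under the MIT License.` together with the upstream URL, while the repository keeps the MIT license whose terms require the original copyright notice to be retained in copies; the LICENSE.txt hunk later on this line additionally replaces the holder with `Copyright (c) 2018 Birkhoff`. Keep the Nyr notice in the script header (a line for the derived work can sit beneath it) and keep the original holder in LICENSE.txt. A later patch in this series restores LICENSE.txt but not the script header.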
From f6c14566310b1861f61c23a61dc06d842fa34325 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sun, 8 Jul 2018 19:37:17 -0400 Subject: [PATCH 10/33] Use original URL --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ff95088..b15cbc0 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ This script will let you setup your own VPN server in no more than a minute, eve ### Installation Run the script and follow the assistant: -`wget https://bit.ly/Openvpn -O openvpn-install.sh && bash openvpn-install.sh` +`wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh -O openvpn-install.sh && bash openvpn-install.sh` Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. From fc709b79f641ae9f38dce5f9ebdc68a2ca9fb0ab Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sun, 8 Jul 2018 19:38:29 -0400 Subject: [PATCH 11/33] Remove -O --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b15cbc0..cec1a73 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ This script will let you setup your own VPN server in no more than a minute, eve ### Installation Run the script and follow the assistant: -`wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh -O openvpn-install.sh && bash openvpn-install.sh` +`wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh && bash openvpn-install.sh` Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. From 5082770598a199d01b3f0f41822ca91511366840 Mon Sep 17 00:00:00 2001 
From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Mon, 9 Jul 2018 18:53:34 -0400 Subject: [PATCH 12/33] Update LICENSE.txt --- LICENSE.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE.txt b/LICENSE.txt index 9dece9a..8389d29 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,6 +1,6 @@ The MIT License (MIT) -Copyright (c) 2018 Birkhoff +Copyright (c) 2013 Nyr Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in From 4ce8bbc91b69e37317cf58039b85e5bcbcde1711 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Mon, 9 Jul 2018 18:53:55 -0400 Subject: [PATCH 13/33] Rename LICENSE.txt to LICENSE --- LICENSE.txt => LICENSE | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename LICENSE.txt => LICENSE (100%) diff --git a/LICENSE.txt b/LICENSE similarity index 100% rename from LICENSE.txt rename to LICENSE From bb6f9ecd78787469544f3ef881958c78ff859f49 Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Wed, 11 Jul 2018 01:18:45 -0400 Subject: [PATCH 14/33] Buggy Stunnel --- openvpn-install.sh | 81 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 63 insertions(+), 18 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index bb60c69..4c04f4e 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -61,7 +61,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo " 4) Exit" read -p "Select an option [1-4]: " option case $option in - 1) + 1) echo echo "Tell me a name for the client certificate." echo "Please, use one word only, no special characters." @@ -72,6 +72,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then newclient "$CLIENT" echo echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" + echo "and ~/client.ssl. Install stunnel4 on client before you continue." exit ;; 2) 
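Review bot: The add-client path now prints `and ~/client.ssl. Install stunnel4 on client before you continue.` unconditionally in the `@@ -72,6 +72,7 @@` hunk, but nothing in that path writes a client.ssl (only the fresh-install path in the `@@ -399,12 +431,25 @@` hunk does), and `SSL` is only set during the initial setup, so a later run has no record of whether SSL mode was chosen. Persist the choice, for example by testing `[[ -e /etc/stunnel/stunnel.conf ]]`, and print the stunnel instructions (and copy the client config) only in that case. The `case $option` this sits in starts before the hunk.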
@@ -113,7 +114,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then fi exit ;; - 3) + 3) echo read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then @@ -185,23 +186,29 @@ else echo "Which protocol do you want for OpenVPN connections?" echo " 1) UDP (recommended)" echo " 2) TCP" - read -p "Protocol [1-2]: " -e -i 1 PROTOCOL - case $PROTOCOL in - 1) + echo " 3) TCP with OpenVPN over SSL" + read -p "Protocol [1-3]: " -e -i 1 PROTOCOLCHOICE + case $PROTOCOLCHOICE in + 1) PROTOCOL=udp + SSL=0 ;; - 2) + 2) PROTOCOL=tcp + SSL=0 ;; + 3) + PROTOCOL=tcp + SSL=1 esac echo echo "What port do you want OpenVPN listening to?" - read -p "Port: " -e -i 1194 PORT + read -p "Port: " -e -i 443 PORT echo echo "Which cipher mode do you want to use?" echo " 1) AES-256-GCM (provides authenticated encryption)" echo " 2) AES-256-CBC (compatible with versions of OpenVPN older than 2.4)" - read -p "Cipher Mode [1-2]" -e -i 1 CIPHERCHOICE + read -p "Cipher Mode [1-2]: " -e -i 1 CIPHERCHOICE case $CIPHERCHOICE in 1) CIPHER=AES-256-GCM @@ -228,11 +235,11 @@ else read -n1 -r -p "Press any key to continue..." if [[ "$OS" = 'debian' ]]; then apt-get update - apt-get install openvpn iptables openssl ca-certificates -y + apt-get install openvpn iptables openssl ca-certificates stunnel4 -y else # Else, the distro is CentOS yum install epel-release -y - yum install openvpn iptables openssl ca-certificates -y + yum install openvpn iptables openssl ca-certificates stunnel4 -y fi # Get easy-rsa EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz' 
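Review bot: The CentOS branch of the `@@ -228,11 +235,11 @@` hunk runs `yum install openvpn iptables openssl ca-certificates stunnel4 -y`, but the EPEL package is named `stunnel`, `stunnel4` being the Debian/Ubuntu name, so as far as I can tell the SSL mode cannot work on CentOS even though the menu offers it there. Use `stunnel` on the yum line, and the same applies to `yum remove openvpn stunnel4 -y` in the `@@ -146,9 +146,9 @@` hunk of a later patch. A check such as `command -v stunnel >/dev/null || command -v stunnel4 >/dev/null` after the install would catch this class of failure before the configuration is written.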
@@ -257,8 +264,29 @@ else # Generate key for tls-auth openvpn --genkey --secret /etc/openvpn/ta.key # Generate server.conf - echo "port $PORT -proto $PROTOCOL + if [[ $SSL==1 ]]; then + echo "port 1194" > /etc/openvpn/server.conf + echo "sslVersion = all +options = NO_SSLv2 +chroot = /var/lib/stunnel4/ +pid = /stunnel4.pid +debug = 0 +output = /dev/null +setuid = root +setgid = root +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 +compression = zlib + +[openvpn] +accept = 0.0.0.0:$PORT +connect = 127.0.0.1:1194 +cert=/etc/openvpn/server.crt +key=/etc/openvpn/server.key" > /etc/stunnel/stunnel.conf + else + echo "port $PORT" > /etc/openvpn/server.conf + fi + echo "proto $PROTOCOL dev tun sndbuf 0 rcvbuf 0 @@ -270,7 +298,7 @@ auth SHA512 tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 -ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf +ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf # DNS case $DNS in @@ -386,9 +414,13 @@ exit 0' > $RCLOCAL dev tun proto $PROTOCOL sndbuf 0 -rcvbuf 0 -remote $IP $PORT -resolv-retry infinite +rcvbuf 0" > /etc/openvpn/client-common.txt + if [[ $SSL=1 ]]; then + echo "remote 127.0.0.1 1194" >> /etc/openvpn/client-common.txt + else + echo "remote $IP $PORT" >> /etc/openvpn/client-common.txt + fi + echo "resolv-retry infinite nobind persist-key persist-tun 
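Review bot: `if [[ $SSL==1 ]]; then` in the `@@ -257,8 +264,29 @@` hunk is a non-empty-string test, not a comparison: without spaces around `==` the expression is the single word `0==1` or `1==1`, which is always true, so every install takes the stunnel branch regardless of the protocol chosen. The same mistake appears as `[[ $SSL=1 ]]` in the `@@ -386,9 +414,13 @@` hunk below and once more in the `@@ -399,12 +431,25 @@` hunk on the next page line, and is carried unchanged through the later patches in this series. Write `if [[ "$SSL" == 1 ]]; then` in each place. Separately, the generated stunnel.conf runs the daemon as `setuid = root` / `setgid = root`, which forgoes the privilege drop the unprivileged service account the package provides is there for.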
@@ -399,12 +431,25 @@ comp-lzo setenv opt block-outside-dns key-direction 1 reneg-sec $RENEGKEY -verb 3" > /etc/openvpn/client-common.txt +verb 3" >> /etc/openvpn/client-common.txt + echo "client = yes +debug = 6 + +[openvpn] +accept = 127.0.0.1:1194 +connect = $IP:$PORT +TIMEOUTclose = 0 +verify = 3 +CAfile = stunnel.crt" > /etc/openvpn/client.ssl + cp /etc/openvpn/client.ssl $HOME/ # Generates the custom client.ovpn newclient "$CLIENT" echo echo "Finished!" echo - echo "Your client configuration is available at:" ~/"$CLIENT.ovpn" + echo "Your client configuration is available at: ~/$CLIENT.ovpn" + if [[ $SSL=1 ]]; then + echo "and ~/client.ssl. Install stunnel4 on client before you continue." + fi echo "If you want to add more clients, you simply need to run this script again!" fi From 86a155b4bb68e000beb2239b5b5fd07e4b52c43d Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Wed, 11 Jul 2018 14:14:03 -0400 Subject: [PATCH 15/33] Server works, but client doesn't --- openvpn-install.sh | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 4c04f4e..ba82cee 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -146,7 +146,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then - apt-get remove --purge -y openvpn + apt remove --purge -y openvpn else yum remove openvpn -y fi @@ -186,7 +186,7 @@ else echo "Which protocol do you want for OpenVPN connections?" echo " 1) UDP (recommended)" echo " 2) TCP" - echo " 3) TCP with OpenVPN over SSL" + echo " 3) OpenVPN over SSL" read -p "Protocol [1-3]: " -e -i 1 PROTOCOLCHOICE case $PROTOCOLCHOICE in 1) @@ -200,6 +200,7 @@ else 3) PROTOCOL=tcp SSL=1 + ;; esac echo echo "What port do you want OpenVPN listening to?" 
@@ -234,8 +235,9 @@ else echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." read -n1 -r -p "Press any key to continue..." if [[ "$OS" = 'debian' ]]; then - apt-get update - apt-get install openvpn iptables openssl ca-certificates stunnel4 -y + apt update + apt dist-upgrade -y + apt install openvpn iptables openssl ca-certificates stunnel4 -y else # Else, the distro is CentOS yum install epel-release -y @@ -265,23 +267,21 @@ else openvpn --genkey --secret /etc/openvpn/ta.key # Generate server.conf if [[ $SSL==1 ]]; then - echo "port 1194" > /etc/openvpn/server.conf + echo "local 127.0.0.1" > /etc/openvpn/server.conf + echo "port 1194" >> /etc/openvpn/server.conf + csplit -f /etc/stunnel/cert. /etc/openvpn/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' + rm /etc/stunnel/cert.00 + mv /etc/stunnel/cert.01 /etc/stunnel/server.crt + cp /etc/openvpn/server.key /etc/stunnel/ echo "sslVersion = all -options = NO_SSLv2 -chroot = /var/lib/stunnel4/ -pid = /stunnel4.pid -debug = 0 -output = /dev/null -setuid = root -setgid = root -socket = l:TCP_NODELAY=1 -socket = r:TCP_NODELAY=1 -compression = zlib - +;chroot = /var/lib/stunnel4/ +pid = /var/run/stunnel4.pid +debug = 3 +output = /var/log/stunnel4/stunnel.log [openvpn] -accept = 0.0.0.0:$PORT +accept = 0.0.0.0:443 connect = 127.0.0.1:1194 -cert=/etc/openvpn/server.crt +cert=/etc/stunnel/server.crt key=/etc/openvpn/server.key" > /etc/stunnel/stunnel.conf else echo "port $PORT" > /etc/openvpn/server.conf @@ -440,8 +440,9 @@ accept = 127.0.0.1:1194 connect = $IP:$PORT TIMEOUTclose = 0 verify = 3 -CAfile = stunnel.crt" > /etc/openvpn/client.ssl +CAfile = ssl.crt" > /etc/openvpn/client.ssl cp /etc/openvpn/client.ssl $HOME/ + cp /etc/openvpn/server.crt $HOME/ssl.crt # Generates the custom client.ovpn newclient "$CLIENT" echo 
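Review bot: `apt dist-upgrade -y`, inserted in the `@@ -234,8 +235,9 @@` hunk, upgrades (and may remove) every package on the host as a side effect of installing OpenVPN, which is well outside what an installer should do without asking. Drop the line, or gate it behind an explicit prompt. Switching from `apt-get` to `apt` here and in the `@@ -146,7 +146,7 @@` removal hunk on the previous page line is also a step backwards for a script: `apt` itself warns that its command-line interface is not stable, while `apt-get` is the documented scripting front end.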
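Review bot: The server stunnel.conf rewritten in the `@@ -265,23 +267,21 @@` hunk keeps `sslVersion = all` but drops the `options = NO_SSLv2` line, so the protocol set is now whatever the linked OpenSSL still enables; pin it instead, e.g. `sslVersion = TLSv1.2`, which is also what the client side is given in a later patch. `cp /etc/openvpn/server.key /etc/stunnel/` creates a second copy of the server private key whose mode is governed by the current umask rather than by the original file; if a copy is kept, follow it with `chmod 600 /etc/stunnel/server.key`. The `if [[ $SSL==1 ]]` guard above these lines is the always-true test noted on the earlier patch.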
@@ -449,7 +450,7 @@ CAfile = stunnel.crt" > /etc/openvpn/client.ssl echo echo "Your client configuration is available at: ~/$CLIENT.ovpn" if [[ $SSL=1 ]]; then - echo "and ~/client.ssl. Install stunnel4 on client before you continue." + echo "~/ssl.crt and ~/client.ssl. Install stunnel4 on client before you continue." fi echo "If you want to add more clients, you simply need to run this script again!" fi From b233ddbfc95a18dcd76b3b0e53c5afbb4dc019b1 Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Wed, 11 Jul 2018 14:28:52 -0400 Subject: [PATCH 16/33] Some slight modifications, client still does not work. --- openvpn-install.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index ba82cee..c26e9ce 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -146,9 +146,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then - apt remove --purge -y openvpn + apt remove --purge openvpn stunnel4 -y else - yum remove openvpn -y + yum remove openvpn stunnel4 -y fi rm -rf /etc/openvpn rm -f /etc/sysctl.d/30-openvpn-forward.conf @@ -269,9 +269,10 @@ else if [[ $SSL==1 ]]; then echo "local 127.0.0.1" > /etc/openvpn/server.conf echo "port 1194" >> /etc/openvpn/server.conf - csplit -f /etc/stunnel/cert. /etc/openvpn/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' - rm /etc/stunnel/cert.00 - mv /etc/stunnel/cert.01 /etc/stunnel/server.crt + csplit -f /etc/openvpn/cert. /etc/openvpn/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' + rm /etc/openvpn/cert.00 /etc/openvpn/server.crt + mv /etc/openvpn/cert.01 /etc/openvpn/server.crt + cp /etc/openvpn/server.crt /etc/stunnel/ cp /etc/openvpn/server.key /etc/stunnel/ echo "sslVersion = all ;chroot = /var/lib/stunnel4/ 
@@ -282,7 +283,7 @@ output = /var/log/stunnel4/stunnel.log accept = 0.0.0.0:443 connect = 127.0.0.1:1194 cert=/etc/stunnel/server.crt -key=/etc/openvpn/server.key" > /etc/stunnel/stunnel.conf +key=/etc/stunnel/server.key" > /etc/stunnel/stunnel.conf else echo "port $PORT" > /etc/openvpn/server.conf fi @@ -434,15 +435,14 @@ reneg-sec $RENEGKEY verb 3" >> /etc/openvpn/client-common.txt echo "client = yes debug = 6 - [openvpn] accept = 127.0.0.1:1194 connect = $IP:$PORT TIMEOUTclose = 0 verify = 3 -CAfile = ssl.crt" > /etc/openvpn/client.ssl - cp /etc/openvpn/client.ssl $HOME/ - cp /etc/openvpn/server.crt $HOME/ssl.crt +CAfile = ssl.crt" > /etc/stunnel/stunnel-client.conf + cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/server.crt $HOME/stunnel.crt # Generates the custom client.ovpn newclient "$CLIENT" echo @@ -450,7 +450,7 @@ CAfile = ssl.crt" > /etc/openvpn/client.ssl echo echo "Your client configuration is available at: ~/$CLIENT.ovpn" if [[ $SSL=1 ]]; then - echo "~/ssl.crt and ~/client.ssl. Install stunnel4 on client before you continue." + echo "~/stunnel.crt and ~/stunnel.conf. Install stunnel4 on client before you continue." fi echo "If you want to add more clients, you simply need to run this script again!" fi From ead883b476f51010a8602df83fdbec6a2f601720 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Wed, 11 Jul 2018 14:48:08 -0400 Subject: [PATCH 17/33] Update filename --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index c26e9ce..d1c1497 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -440,7 +440,7 @@ accept = 127.0.0.1:1194 connect = $IP:$PORT TIMEOUTclose = 0 verify = 3 -CAfile = ssl.crt" > /etc/stunnel/stunnel-client.conf +CAfile = stunnel.crt" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf cp /etc/openvpn/server.crt $HOME/stunnel.crt # Generates the custom client.ovpn From 06497c24afdf2a6bb52e41cd8efd33989ca1478c Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Wed, 11 Jul 2018 17:22:51 -0400 Subject: [PATCH 18/33] Bingo! --- openvpn-install.sh | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d1c1497..baaf1f7 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -69,6 +69,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then cd /etc/openvpn/easy-rsa/ ./easyrsa build-client-full $CLIENT nopass # Generates the custom client.ovpn + cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/server.crt $HOME/stunnel.crt newclient "$CLIENT" echo echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" @@ -260,6 +262,9 @@ else ./easyrsa build-client-full $CLIENT nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # Move the stuff we need + csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' + rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt + mv /etc/openvpn/easy-rsa/pki/issued/cert.01 /etc/openvpn/easy-rsa/pki/issued/server.crt cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn # CRL is read with each client connection, when OpenVPN is dropped to nobody chown nobody:$GROUPNAME /etc/openvpn/crl.pem 
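Review bot: `cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf` in the `@@ -69,6 +69,8 @@` hunk runs on every add-client invocation, but the file only exists when the server was set up in SSL mode, so the non-SSL case prints a cp error and the message that follows still advertises a file that was never produced. Guard it on the file's presence, `[[ -e /etc/stunnel/stunnel-client.conf ]] && cp /etc/stunnel/stunnel-client.conf "$HOME/stunnel.conf"`, and make the trailing echo conditional on the same test. `$HOME` should be quoted in both cp lines.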
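Review bot: In the `@@ -260,6 +262,9 @@` hunk the easy-rsa output certificate is deleted (`rm ... server.crt`) before `mv` puts the csplit-extracted PEM in its place, so a csplit failure (no `-----BEGIN CERTIFICATE-----` match, or a wrong path) leaves the install without a server certificate at all. Chain the steps so the original is only replaced after the extraction succeeded, e.g. `csplit ... && mv /etc/openvpn/easy-rsa/pki/issued/cert.01 /etc/openvpn/easy-rsa/pki/issued/server.crt && rm -f /etc/openvpn/easy-rsa/pki/issued/cert.00`; `mv` onto server.crt already replaces it, so the separate `rm` of the certificate is unnecessary. The split is also unconditional, although only the stunnel branch appears to need the bare PEM.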
@@ -269,21 +274,20 @@ else if [[ $SSL==1 ]]; then echo "local 127.0.0.1" > /etc/openvpn/server.conf echo "port 1194" >> /etc/openvpn/server.conf - csplit -f /etc/openvpn/cert. /etc/openvpn/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' - rm /etc/openvpn/cert.00 /etc/openvpn/server.crt - mv /etc/openvpn/cert.01 /etc/openvpn/server.crt - cp /etc/openvpn/server.crt /etc/stunnel/ - cp /etc/openvpn/server.key /etc/stunnel/ echo "sslVersion = all ;chroot = /var/lib/stunnel4/ pid = /var/run/stunnel4.pid -debug = 3 +debug = 7 output = /var/log/stunnel4/stunnel.log +setuid = root +setgid = root +socket = l:TCP_NODELAY=1 +socket = r:TCP_NODELAY=1 [openvpn] -accept = 0.0.0.0:443 +accept = 0.0.0.0:$PORT connect = 127.0.0.1:1194 -cert=/etc/stunnel/server.crt -key=/etc/stunnel/server.key" > /etc/stunnel/stunnel.conf +cert=/etc/openvpn/server.crt +key=/etc/openvpn/server.key" > /etc/stunnel/stunnel.conf else echo "port $PORT" > /etc/openvpn/server.conf fi @@ -433,16 +437,22 @@ setenv opt block-outside-dns key-direction 1 reneg-sec $RENEGKEY verb 3" >> /etc/openvpn/client-common.txt - echo "client = yes -debug = 6 + if [[ $SSL=1 ]]; then + echo "client = yes +debug = 7 [openvpn] accept = 127.0.0.1:1194 connect = $IP:$PORT -TIMEOUTclose = 0 -verify = 3 +TIMEOUTclose = 1000 +session=300 +stack=65536 +sslVersion=TLSv1.2 +setuid=root +setgid=root CAfile = stunnel.crt" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf cp /etc/openvpn/server.crt $HOME/stunnel.crt + fi # Generates the custom client.ovpn newclient "$CLIENT" echo From 233c460466195aad004a123bc7187857ee9b8816 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Wed, 11 Jul 2018 17:24:55 -0400 Subject: [PATCH 19/33] Remove stunnel --- openvpn-install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index baaf1f7..9286762 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
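Review bot: The server stunnel.conf in the `@@ -269,21 +274,20 @@` hunk now sets `debug = 7`, the most verbose level, permanently logging to /var/log/stunnel4/stunnel.log, with the `chroot` line still commented out and the daemon still running as `setuid = root` / `setgid = root`. Lower `debug` back to the default once the client works, re-enable `chroot`, and drop the two root lines once the certificate and key paths are readable by the service account. The final commit in this series reports that these setuid/setgid lines also prevent stunnel from starting on CentOS.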
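Review bot: The client stunnel config in the `@@ -433,16 +437,22 @@` hunk drops `verify = 3`, so the `CAfile = stunnel.crt` that remains is never consulted and the TLS wrapper accepts whatever certificate the far end presents; a later patch in this series (`@@ -448,10 +447,8 @@`) removes `CAfile` too. The inner OpenVPN session still authenticates the server through `remote-cert-tls server` and the `tls-auth` key, so tunnel traffic stays protected, but the outer TLS layer then provides no authentication of its own and can be terminated by anyone on the path. The old `verify = 3` with only the leaf certificate presumably failed because chain verification needs the issuing CA; ship `pki/ca.crt` to the client as stunnel.crt and use `verify = 2` with `CAfile = stunnel.crt` instead. Running the client side as `setuid=root` / `setgid=root` is likewise unnecessary.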
@@ -152,7 +152,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then else yum remove openvpn stunnel4 -y fi - rm -rf /etc/openvpn + rm -rf /etc/openvpn /etc/stunnel rm -f /etc/sysctl.d/30-openvpn-forward.conf echo echo "OpenVPN removed!" From c5ad0c95e5b63555adcc4b8d2981f76705566aac Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Wed, 11 Jul 2018 17:34:03 -0400 Subject: [PATCH 20/33] Update openvpn-install.sh --- openvpn-install.sh | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 9286762..8a70d8d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -70,11 +70,10 @@ if [[ -e /etc/openvpn/server.conf ]]; then ./easyrsa build-client-full $CLIENT nopass # Generates the custom client.ovpn cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf - cp /etc/openvpn/server.crt $HOME/stunnel.crt newclient "$CLIENT" echo echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" - echo "and ~/client.ssl. Install stunnel4 on client before you continue." + echo "and ~/stunnel.conf. Install stunnel4 on client before you continue." exit ;; 2) @@ -448,10 +447,8 @@ session=300 stack=65536 sslVersion=TLSv1.2 setuid=root -setgid=root -CAfile = stunnel.crt" > /etc/stunnel/stunnel-client.conf +setgid=root" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf - cp /etc/openvpn/server.crt $HOME/stunnel.crt fi # Generates the custom client.ovpn newclient "$CLIENT" @@ -460,7 +457,7 @@ CAfile = stunnel.crt" > /etc/stunnel/stunnel-client.conf echo echo "Your client configuration is available at: ~/$CLIENT.ovpn" if [[ $SSL=1 ]]; then - echo "~/stunnel.crt and ~/stunnel.conf. Install stunnel4 on client before you continue." + echo "and ~/stunnel.conf. Install stunnel4 on client before you continue." fi echo "If you want to add more clients, you simply need to run this script again!" fi 
From fd6ba7bd36f72fd3df7f99000833dac6cf7cedcc Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Wed, 11 Jul 2018 19:14:18 -0400 Subject: [PATCH 21/33] Start stunnel on startup --- openvpn-install.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/openvpn-install.sh b/openvpn-install.sh index 8a70d8d..88d26e2 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -287,6 +287,11 @@ accept = 0.0.0.0:$PORT connect = 127.0.0.1:1194 cert=/etc/openvpn/server.crt key=/etc/openvpn/server.key" > /etc/stunnel/stunnel.conf + echo 'ENABLED=1 +FILES="/etc/stunnel/*.conf" +OPTIONS="" +PPP_RESTART=0 +RLIMITS=""' > /etc/default/stunnel4 else echo "port $PORT" > /etc/openvpn/server.conf fi From 987556aa665d8550c2539f96c003dd51223b1565 Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sat, 14 Jul 2018 16:54:34 -0400 Subject: [PATCH 22/33] Update README.md --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index cec1a73..49f8fde 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,11 @@ -## openvpn-install +## OpenVPN install OpenVPN installer for Debian, Ubuntu and CentOS. This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. +### To Developers and Users +Only Trust Signed Commits. + ### Installation Run the script and follow the assistant: From 9eba8d40ce3b4b4f5d7577edde67e6c694009a43 Mon Sep 17 00:00:00 2001 
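Review bot: `FILES="/etc/stunnel/*.conf"` in the `@@ -287,6 +287,11 @@` hunk also matches /etc/stunnel/stunnel-client.conf, which the script writes beside the server config, so on boot the service would as far as I can tell start a second, client-mode instance that tries to `accept = 127.0.0.1:1194`, the very address OpenVPN is told to bind with `local 127.0.0.1` / `port 1194`. Name the server file explicitly, `FILES="/etc/stunnel/stunnel.conf"`, or write the client config somewhere the glob does not reach. /etc/default/stunnel4 is a Debian/Ubuntu mechanism and is written without checking the distribution; nothing visible enables the service on the CentOS path.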
From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Mon, 23 Jul 2018 23:07:23 -0400 Subject: [PATCH 23/33] Fixed a stunnel-related bug; Updated README stunnel may fail to launch in CentOS with 'setuid' and 'setgid', so I removed those from the config files. Users are now asked to run stunnel with sudo. --- README.md | 142 +++++++++++++++++++++++++++++++++++++++++---- openvpn-install.sh | 6 +- 2 files changed, 131 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 49f8fde..293b8e6 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,139 @@ -## OpenVPN install -OpenVPN installer for Debian, Ubuntu and CentOS. +# OpenVPN Installer -This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. +## To Developers and Users -### To Developers and Users -Only Trust Signed Commits. +**WARNING: Only Trust Signed Commits.** -### Installation -Run the script and follow the assistant: +## Table of Contents -`wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh && bash openvpn-install.sh` +- [Description](#description) +- [Installation](#installation) +- [Configure clients](#configure-clients) + - [Windows](#windows) + - [MacOS](#macos) + - [Linux](#linux) + - [Android](#android) + - [iOS](#ios) +- [Troubleshooting](#troubleshooting) +- [FAQ](#faq) +- [Donations](#donations) -Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. +## Description -### Where to get VPS -You can get a VPS from as little as $2.5/month at [Vultr](https://www.vultr.com/?ref=7088313) or $5/month at [DigitalOcean](https://m.do.co/c/c51ec51bb352). +OpenVPN installer for Debian, Ubuntu and CentOS, with support for OpenVPN over SSL. -### Donations +This script lets you set up your own OpenVPN server in minutes, even if you no experience OpenVPN before. It's designed to be as simple, unobtrusive, and universal as possible. + +## Installation + +If you run into any issues during installation, please refer to [Troubleshooting](#Troubleshooting). 
+### Install on CentOS/Debian/Ubuntu + +- Run this in a terminal on your server, and follow the on-screen instructions: + ```bash + # Download the script + wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh + + # Run the install script + sudo bash openvpn-install.sh + + # Start stunnel (only if you're using OpenVPN over SSL) + sudo stunnel + ``` +- Once it finishes, your OpenVPN server is up and running! You should [configure client devices](#configure-clients) next. + +## Configure clients + +### Before continuing... + +- Download `stunnel.conf` and the `.ovpn` file from your server. +- If your username is `root`, they're located at `/root`. +- Otherwise, they're located at `/home/`. + +### OS-specific setup processes + +#### Windows + +- Configure `stunnel`. Skip to the next section if you're NOT using OpenVPN over SSL + - Download and install [stunnel](https://www.stunnel.org/downloads.html) + - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu + - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` + - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. + - Right click on the `stunnel` icon again, and select `Reload Configuration` +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` + +#### MacOS + +- Supported. Instructions coming soon. + +#### Linux + +- Install `stunnel` and `openvpn` on your device. 
+ + ```bash + # Debian/Ubuntu + sudo apt install -y stunnel openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y stunnel openvpn + + # Fedora + sudo dnf install -y stunnel openvpn + ``` + +- If you're using OpenVPN over SSL, configure and start `stunnel` + + ```bash + # Run this in the directory that contains 'stunnel.conf' + sudo cp stunnel.conf /etc/stunnel/ + # Start stunnel + sudo stunnel + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +#### Android + +- Supported. Instructions coming soon. + +#### iOS + +- OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. +- If you installed OpenVPN without SSL, download [OpenVPN Connect from App Store](https://itunes.apple.com/app/openvpn-connect/id590379981) +- Follow the on-screen instruction to add the OpenVPN profile. + +## Troubleshooting + +- `wget: command not found`: This means that `wget` isn't install it on your server. Just install it and try again. To install `wget`: + + ```bash + # Run this on Debian/Ubuntu + sudo apt -y install wget + + # Run this on CentOS + sudo yum -y install wget + ``` + +- `The TUN device is not available. You need to enable TUN before running this script`: Follow [this guide](https://help.skysilk.com/support/solutions/articles/9000136471-how-to-enable-tun-tap-on-linux-vps-with-skysilk). + +## FAQ + +### Where to find a VPS + +You can get a VPS for as little as $2.50/month (IPv6 only) or $5/month (with IPv4) at [Vultr](https://www.vultr.com/?ref=7088313) or $5/month (with IPv4) at [DigitalOcean](https://m.do.co/c/c51ec51bb352). + +## Donations If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! diff --git a/openvpn-install.sh b/openvpn-install.sh index 88d26e2..0ac54d3 100644 --- a/openvpn-install.sh 
+++ b/openvpn-install.sh @@ -278,8 +278,6 @@ else pid = /var/run/stunnel4.pid debug = 7 output = /var/log/stunnel4/stunnel.log -setuid = root -setgid = root socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [openvpn] @@ -450,9 +448,7 @@ connect = $IP:$PORT TIMEOUTclose = 1000 session=300 stack=65536 -sslVersion=TLSv1.2 -setuid=root -setgid=root" > /etc/stunnel/stunnel-client.conf +sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf fi # Generates the custom client.ovpn From f6c1cd551982e5f2c218819405b65455434f1909 Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 17:07:28 -0400 Subject: [PATCH 24/33] Updated README --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 293b8e6..5f7c412 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ This script lets you set up your own OpenVPN server in minutes, even if you no e ## Installation -If you run into any issues during installation, please refer to [Troubleshooting](#Troubleshooting). +If you run into any issues during installation, please refer to [Troubleshooting](#troubleshooting). ### Install on CentOS/Debian/Ubuntu - Run this in a terminal on your server, and follow the on-screen instructions: 
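Review bot: Removing `setuid`/`setgid` in both the server config (hunk at -278) and the client config (hunk at -450) leaves stunnel running as root for its whole lifetime on both ends, which is more exposure than a TLS forwarder needs; since the removed values were `root`, the CentOS launch failure in the commit message was presumably caused by something else (for example non-writable `pid`/`output` locations) rather than by the privilege drop itself. A safer fix is to keep the drop with an unprivileged account — Debian's stunnel4 package ships a `stunnel4` user, e.g. `setuid = stunnel4` and `setgid = stunnel4` — and make the pid and log paths writable by that account, adjusting the account name per distribution. Both hunks sit inside string literals whose surrounding `if`/`echo` blocks start outside the hunk.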
@@ -106,13 +106,15 @@ If you run into any issues during installation, please refer to [Troubleshooting #### Android -- Supported. Instructions coming soon. +- OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. +- If you installed OpenVPN without SSL, download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) +- Import your OVPN file inside the app. #### iOS - OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. -- If you installed OpenVPN without SSL, download [OpenVPN Connect from App Store](https://itunes.apple.com/app/openvpn-connect/id590379981) -- Follow the on-screen instruction to add the OpenVPN profile. +- If you installed OpenVPN without SSL, download [OpenVPN Connect](https://itunes.apple.com/app/openvpn-connect/id590379981) +- Follow the on-screen instruction to import the OpenVPN profile. ## Troubleshooting From 3126e9f439857afd94c4bc4c46447bbc751506d4 Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 23:21:46 -0400 Subject: [PATCH 25/33] separated documentation files --- Documentation/client-ovpn.md | 101 ++++++++++++++++++++++++ Documentation/client-ssl.md | 149 +++++++++++++++++++++++++++++++++++ README.md | 113 ++++++++++---------------- 3 files changed, 292 insertions(+), 71 deletions(-) create mode 100644 Documentation/client-ovpn.md create mode 100644 Documentation/client-ssl.md diff --git a/Documentation/client-ovpn.md b/Documentation/client-ovpn.md new file mode 100644 index 0000000..f0e7d4a --- /dev/null +++ b/Documentation/client-ovpn.md 
@@ -0,0 +1,101 @@ +# Client Setup: OpenVPN + +## Table of Contents + +- [Windows](#windows) +- [MacOS](#macos) +- [Linux](#linux) +- [Android](#android) +- [iOS](#ios) +- [Troubleshooting](#troubleshooting) + +## Windows + +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` +- To disconnect + - Locate the OpenVPN icon in the Task Bar, right click, and select `Disconnect` + - Locate the `stunnel` icon in the Task Bar, right click, and select `Exit` + +## MacOS + +- Configure OpenVPN + - Download and install [Tunnelblick](https://tunnelblick.net/) + - Locate your OVPN file in `Finder`, and double-click to open it. + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select the server you want to connect to. +- To disconnect + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select `Disconnect All`. + - To stop `stunnel`, run this in `Terminal`: `sudo killall stunnel` + +## Linux + +- Install `openvpn` on your device. + + ```bash + # Debian/Ubuntu + sudo apt install -y openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y openvpn + + # Fedora + sudo dnf install -y openvpn + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +- To disconnect + + ```bash + # Stop OpenVPN + sudo killall openvpn + ``` + + ​ + +## Android + +- Download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) from Google Play Store +- Transfer your OVPN file to your device. +- Click on the `import` icon (between `+` and `Menu` icon), and select your OVPN file. 
+- Click on the check mark to confirm import. +- Click on a profile name to connect. + - If you see a `connection request` popup, select `Connect` or `OK`. +- To disconnect: Select the `VPN connection` notification in your notification center, and click `Disconnect` in the popup. + +## iOS + +- Download [OpenVPN Connect](https://itunes.apple.com/app/openvpn-connect/id590379981) from App Store +- Send the OVPN file as an attachment to yourself via email, and open it in your email app on the iOS device. + - If you see a popup with a list of different apps, select `OpenVPN Connect`. +- Click on the switch next to `Connection`, make sure it's at the `ON` position. +- To disconnect: click on the switch next to `Connection`, make sure it's at the `OFF` position. + +## Troubleshooting + +- If you're unable to connect to your server with OpenVPN... + + - Also check if OpenVPN is running on your server. + + ```bash + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. + + ​ \ No newline at end of file diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md new file mode 100644 index 0000000..2e7884d --- /dev/null +++ b/Documentation/client-ssl.md 
@@ -0,0 +1,149 @@ +# Client Setup: OpenVPN over SSL + +## Table of Contents + +- [Windows](#windows) +- [MacOS](#macos) +- [Linux](#linux) +- [Android](#android) +- [iOS](#ios) +- [Troubleshooting](#troubleshooting) + +## Windows + +- Configure `stunnel` + - Download and install [stunnel](https://www.stunnel.org/downloads.html) + - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu + - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` + - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. + - Right click on the `stunnel` icon again, and select `Reload Configuration` +- Configure OpenVPN + - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) + - Start `OpenVPN GUI` from the Start Menu + - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` + - Select your OVPN file + - Right click on the OpenVPN icon again, and select `Connect` +- To disconnect + - Locate the OpenVPN icon in the Task Bar, right click, and select `Disconnect` + - Locate the `stunnel` icon in the Task Bar, right click, and select `Exit` + +## MacOS + +- Configure `stunnel` + + - Install [Homebrew](https://brew.sh/) + + - Install `stunnel` via Homebrew by running this in `Terminal`: + + ```bash + brew install stunnel + ``` + + - Configure and start `stunnel` + + ```bash + # In order to run these, you need to log in to your Mac with an administrator account. + # When prompted for password, enter the password of the current user, + + # Run this in the directory that contains 'stunnel.conf' + sudo cp stunnel.conf /usr/local/etc/stunnel/stunnel.conf + # Start stunnel + sudo stunnel + ``` + +- Configure OpenVPN + + - Download and install [Tunnelblick](https://tunnelblick.net/) + - Locate your OVPN file in `Finder`, and double-click to open it. + - Locate the `Tunnelblick` icon on the top-right corner. 
Click on it, and select the server you want to connect to. + +- To disconnect + + - Locate the `Tunnelblick` icon on the top-right corner. Click on it, and select `Disconnect All`. + - To stop `stunnel`, run this in `Terminal`: `sudo killall stunnel` + +## Linux + +- Install `stunnel` and `openvpn` on your device. + + ```bash + # Debian/Ubuntu + sudo apt install -y stunnel openvpn + + # CentOS/RHEL + sudo yum install -y epel-release + sudo yum install -y stunnel openvpn + + # Fedora + sudo dnf install -y stunnel openvpn + ``` + +- Configure and start `stunnel` + + ```bash + # Run this in the directory that contains 'stunnel.conf' + sudo cp stunnel.conf /etc/stunnel/ + # Start stunnel + sudo stunnel + ``` + +- Connect to OpenVPN + + ```bash + # Run this in the directory that contains your OVPN file + # Replace 'client' with your OVPN filename + openvpn --config client.ovpn + ``` + +- To disconnect + + ```bash + # Stop OpenVPN + sudo killall openvpn + + # Stop stunnel + sudo killall stunnel + ``` + + ​ + +## Android + +- OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) + +## iOS + +- OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) + +## Troubleshooting + +- If you're unable to connect to your server with OpenVPN... + + - Please check if `stunnel` is running on your device. + + - On Windows, check if the `stunnel` icon is present in the Task Bar (bottom right). + - Run this to check on MacOS or Linux (both client and server) + + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + ``` + + - Also check if both `stunnel` and OpenVPN are running on your server. 
+ + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. + + ​ \ No newline at end of file diff --git a/README.md b/README.md index 5f7c412..5bbf31c 100644 --- a/README.md +++ b/README.md @@ -8,12 +8,7 @@ - [Description](#description) - [Installation](#installation) -- [Configure clients](#configure-clients) - - [Windows](#windows) - - [MacOS](#macos) - - [Linux](#linux) - - [Android](#android) - - [iOS](#ios) +- [Client setup](#client-setup) - [Troubleshooting](#troubleshooting) - [FAQ](#faq) - [Donations](#donations) @@ -29,7 +24,14 @@ This script lets you set up your own OpenVPN server in minutes, even if you no e If you run into any issues during installation, please refer to [Troubleshooting](#troubleshooting). ### Install on CentOS/Debian/Ubuntu +- **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.** + + - CentOS 6 or older + - Debian 8 (Jessie) or older + - Ubuntu 16.10 or older + - Run this in a terminal on your server, and follow the on-screen instructions: + ```bash # Download the script wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh 
@@ -37,12 +39,15 @@ If you run into any issues during installation, please refer to [Troubleshooting # Run the install script sudo bash openvpn-install.sh + # Note: If you're running Ubuntu 16.10 or older + # Start stunnel (only if you're using OpenVPN over SSL) sudo stunnel ``` -- Once it finishes, your OpenVPN server is up and running! You should [configure client devices](#configure-clients) next. -## Configure clients +- Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next. + +## Client setup ### Before continuing... 
@@ -52,69 +57,8 @@ If you run into any issues during installation, please refer to [Troubleshooting ### OS-specific setup processes -#### Windows - -- Configure `stunnel`. Skip to the next section if you're NOT using OpenVPN over SSL - - Download and install [stunnel](https://www.stunnel.org/downloads.html) - - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu - - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` - - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. - - Right click on the `stunnel` icon again, and select `Reload Configuration` -- Configure OpenVPN - - Download and install [OpenVPN](https://openvpn.net/index.php/open-source/downloads.html) - - Start `OpenVPN GUI` from the Start Menu - - Locate the OpenVPN icon in the Task Bar, right click, and select `Import file...` - - Select your OVPN file - - Right click on the OpenVPN icon again, and select `Connect` - -#### MacOS - -- Supported. Instructions coming soon. - -#### Linux - -- Install `stunnel` and `openvpn` on your device. - - ```bash - # Debian/Ubuntu - sudo apt install -y stunnel openvpn - - # CentOS/RHEL - sudo yum install -y epel-release - sudo yum install -y stunnel openvpn - - # Fedora - sudo dnf install -y stunnel openvpn - ``` - -- If you're using OpenVPN over SSL, configure and start `stunnel` - - ```bash - # Run this in the directory that contains 'stunnel.conf' - sudo cp stunnel.conf /etc/stunnel/ - # Start stunnel - sudo stunnel - ``` - -- Connect to OpenVPN - - ```bash - # Run this in the directory that contains your OVPN file - # Replace 'client' with your OVPN filename - openvpn --config client.ovpn - ``` - -#### Android - -- OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. 
-- If you installed OpenVPN without SSL, download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) -- Import your OVPN file inside the app. - -#### iOS - -- OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. -- If you installed OpenVPN without SSL, download [OpenVPN Connect](https://itunes.apple.com/app/openvpn-connect/id590379981) -- Follow the on-screen instruction to import the OpenVPN profile. +- [OpenVPN (without SSL)](Documentation/client-ovpn.md) +- [OpenVPN over SSL](Documentation/client-ssl.md) ## Troubleshooting @@ -130,6 +74,33 @@ If you run into any issues during installation, please refer to [Troubleshooting - `The TUN device is not available. You need to enable TUN before running this script`: Follow [this guide](https://help.skysilk.com/support/solutions/articles/9000136471-how-to-enable-tun-tap-on-linux-vps-with-skysilk). +- If you're unable to connect to your server with OpenVPN... + + - Please check if `stunnel` is running on your device. (if you're using OpenVPN over SSL) + + - On Windows, check if the `stunnel` icon is present in the Task Bar (bottom right). + - Run this to check on MacOS or Linux (both client and server) + + ```bash + # You should see stunnel in the output + ps -A | grep stunnel + ``` + + - Also check if both `stunnel` (if applicable) and OpenVPN are running on your server. + + ```bash + # You should see stunnel in the output (if you're using OpenVPN over SSL) + ps -A | grep stunnel + + # You should see openvpn in the output + ps -A | grep openvpn + ``` + + + - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - Run the install script and select `Uninstall` + - Run the install script again and make sure you enter the correct information. + ## FAQ ### Where to find a VPS From e52970decc365f5331efdc9ba6f0904971fe9269 Mon Sep 17 00:00:00 2001 
From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 23:25:48 -0400 Subject: [PATCH 26/33] fixed formatting in documentation --- Documentation/client-ovpn.md | 7 +------ Documentation/client-ssl.md | 5 ----- README.md | 2 +- 3 files changed, 2 insertions(+), 12 deletions(-) diff --git a/Documentation/client-ovpn.md b/Documentation/client-ovpn.md index f0e7d4a..ab95519 100644 --- a/Documentation/client-ovpn.md +++ b/Documentation/client-ovpn.md @@ -62,8 +62,6 @@ sudo killall openvpn ``` - ​ - ## Android - Download [OpenVPN for Android](https://play.google.com/store/apps/details?id=de.blinkt.openvpn) from Google Play Store @@ -86,16 +84,13 @@ - If you're unable to connect to your server with OpenVPN... - - Also check if OpenVPN is running on your server. + - Check if OpenVPN is running on your server. ```bash # You should see openvpn in the output ps -A | grep openvpn ``` - - If you still can't connect, try removing and reinstalling OpenVPN on your server. - Run the install script and select `Uninstall` - Run the install script again and make sure you enter the correct information. - - ​ \ No newline at end of file diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md index 2e7884d..ac50db9 100644 --- a/Documentation/client-ssl.md +++ b/Documentation/client-ssl.md @@ -105,8 +105,6 @@ sudo killall stunnel ``` - ​ - ## Android - OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. @@ -141,9 +139,6 @@ ps -A | grep openvpn ``` - - If you still can't connect, try removing and reinstalling OpenVPN on your server. - Run the install script and select `Uninstall` - Run the install script again and make sure you enter the correct information. - - ​ \ No newline at end of file diff --git a/README.md b/README.md index 5bbf31c..43cfab9 100644 --- a/README.md +++ b/README.md 
@@ -22,6 +22,7 @@ This script lets you set up your own OpenVPN server in minutes, even if you no e ## Installation If you run into any issues during installation, please refer to [Troubleshooting](#troubleshooting). + ### Install on CentOS/Debian/Ubuntu - **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.** @@ -96,7 +97,6 @@ If you run into any issues during installation, please refer to [Troubleshooting ps -A | grep openvpn ``` - - If you still can't connect, try removing and reinstalling OpenVPN on your server. - Run the install script and select `Uninstall` - Run the install script again and make sure you enter the correct information. From 54d7f66d96a3ba3f5b45635c27cd96d827c2c62e Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Tue, 24 Jul 2018 23:27:25 -0400 Subject: [PATCH 27/33] fixed links in ssl docs --- Documentation/client-ssl.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md index ac50db9..35932d9 100644 --- a/Documentation/client-ssl.md +++ b/Documentation/client-ssl.md @@ -108,12 +108,12 @@ ## Android - OpenVPN is supported on Android, but OpenVPN over SSL support isn't very good. -- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](client-ovpn.md) ## iOS - OpenVPN is supported on iOS, but OpenVPN over SSL is not supported. -- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](Documentation/client-ovpn.md) +- If you installed OpenVPN without SSL, see [Client Setup: OpenVPN](client-ovpn.md) ## Troubleshooting From dc2ff7fb755f6bb08778497521baa494230f60fe Mon Sep 17 00:00:00 2001 
From: Birkhoff Date: Wed, 25 Jul 2018 17:17:17 -0400 Subject: [PATCH 28/33] Install easy-rsa instead of downloading tarball from GitHub --- openvpn-install.sh | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 0ac54d3..b217a38 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -147,9 +147,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then - apt remove --purge openvpn stunnel4 -y + apt remove --purge openvpn stunnel4 easy-rsa -y else - yum remove openvpn stunnel4 -y + yum remove openvpn stunnel4 easy-rsa -y fi rm -rf /etc/openvpn /etc/stunnel rm -f /etc/sysctl.d/30-openvpn-forward.conf 
@@ -238,28 +238,21 @@ else if [[ "$OS" = 'debian' ]]; then apt update apt dist-upgrade -y - apt install openvpn iptables openssl ca-certificates stunnel4 -y + apt install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y else # Else, the distro is CentOS yum install epel-release -y - yum install openvpn iptables openssl ca-certificates stunnel4 -y + yum install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y fi - # Get easy-rsa - EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz' - wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" - tar xzf ~/easyrsa.tgz -C ~/ - mv ~/EasyRSA-3.0.4/ /etc/openvpn/ - mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ - chown -R root:root /etc/openvpn/easy-rsa/ - rm -f ~/easyrsa.tgz + mkdir /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/ # Create the PKI, set up the CA, the DH params and the server + client certificates - ./easyrsa init-pki - ./easyrsa --batch build-ca nopass - ./easyrsa gen-dh - ./easyrsa build-server-full server nopass - ./easyrsa build-client-full $CLIENT nopass - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + easyrsa init-pki + easyrsa --batch build-ca nopass + easyrsa gen-dh + easyrsa build-server-full server nopass + easyrsa build-client-full $CLIENT nopass + EASYRSA_CRL_DAYS=3650 easyrsa gen-crl # Move the stuff we need csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt From 7bfa2bb2beb2a4b91baccd9b2cf3cfad16e5cb54 Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Wed, 25 Jul 2018 17:35:27 -0400 Subject: [PATCH 29/33] Verify SSL certificate --- openvpn-install.sh | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index b217a38..1c23aec 100644 --- a/openvpn-install.sh 
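Review bot: `easyrsa` is now invoked as a bare command, but the distro easy-rsa packages (Debian's, and EPEL's on CentOS) install the script under /usr/share/easy-rsa without adding it to PATH on at least some releases, so every call here is likely to fail with "command not found" — consistent with PATCH 30 in this series going back to a GitHub download. Resolving it once makes the failure explicit instead of leaving an empty PKI: `command -v easyrsa >/dev/null || { echo "easyrsa not found in PATH" >&2; exit 1; }` before `init-pki`. Separately, `mkdir /etc/openvpn/easy-rsa/` has no `-p` and the following `cd` is unchecked, so on failure the `easyrsa` and `csplit` steps run in whatever directory the script happened to be in; `mkdir -p /etc/openvpn/easy-rsa/` and `cd /etc/openvpn/easy-rsa/ || exit 1` close that. The enclosing `else` branch starts outside the hunk.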
+++ b/openvpn-install.sh @@ -67,13 +67,15 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "Please, use one word only, no special characters." read -p "Client name: " -e CLIENT cd /etc/openvpn/easy-rsa/ - ./easyrsa build-client-full $CLIENT nopass - # Generates the custom client.ovpn - cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + easyrsa build-client-full $CLIENT nopass newclient "$CLIENT" echo echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" - echo "and ~/stunnel.conf. Install stunnel4 on client before you continue." + if [ -f /etc/stunnel/stunnel-client.conf ]; then + cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/server.crt $HOME/stunnel.crt + echo "~/stunnel.crt and ~/stunnel.conf." + fi exit ;; 2) @@ -98,8 +100,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then cd /etc/openvpn/easy-rsa/ - ./easyrsa --batch revoke $CLIENT - EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl + easyrsa --batch revoke $CLIENT + EASYRSA_CRL_DAYS=3650 easyrsa gen-crl rm -f pki/reqs/$CLIENT.req rm -f pki/private/$CLIENT.key rm -f pki/issued/$CLIENT.crt @@ -438,11 +440,14 @@ debug = 7 [openvpn] accept = 127.0.0.1:1194 connect = $IP:$PORT +verify = 2 +CAfile = stunnel.crt TIMEOUTclose = 1000 session=300 stack=65536 sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf + cp /etc/openvpn/server.crt $HOME/stunnel.crt fi # Generates the custom client.ovpn newclient "$CLIENT" @@ -451,7 +456,7 @@ sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf echo echo "Your client configuration is available at: ~/$CLIENT.ovpn" if [[ $SSL=1 ]]; then - echo "and ~/stunnel.conf. Install stunnel4 on client before you continue." + echo "~/stunnel.crt and ~/stunnel.conf." fi echo "If you want to add more clients, you simply need to run this script again!" fi 
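Review bot: `CAfile = stunnel.crt` in the hunk at -438 is a relative path, resolved against stunnel's working directory (or chroot) when it starts, so `verify = 2` will either fail or point at the wrong file depending on where the client launches it; an absolute path such as `CAfile = /etc/stunnel/stunnel.crt` (the location PATCH 30's documentation later assumes) is safer. The file copied to `$HOME/stunnel.crt` is the server's leaf certificate (/etc/openvpn/server.crt), not the issuing CA, and OpenSSL chain verification against a non-self-signed leaf used as trust anchor is likely to fail without partial-chain support — PATCH 30's subject ("validate CA on client side") suggests this was revisited. Note also that `verify = 2` checks the chain only, not the peer's name, so any certificate issued by the same CA would be accepted unless a `checkHost` entry is added.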
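Review bot: The success message changed in the hunk at -451 is still gated by `if [[ $SSL=1 ]]; then`, which is a single non-empty string test and therefore always true, so `~/stunnel.crt and ~/stunnel.conf.` is printed even for installs without SSL and points users at files that were never written. The comparison needs spaces: `if [[ "$SSL" = 1 ]]; then`. The same pattern is worth checking wherever `$SSL` is tested elsewhere in the script, since a copy-pasted version would silently select the SSL branch every time.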
From 6e4454d92a639aae0b8355acaab8d75444279402 Mon Sep 17 00:00:00 2001 From: Chris Xiao <30990835+chrisx8@users.noreply.github.com> Date: Thu, 26 Jul 2018 20:57:37 -0400 Subject: [PATCH 30/33] get easy-rsa from github, validate CA on client side --- Documentation/client-ssl.md | 21 ++++++++++++++++----- README.md | 35 +++++++++++++++++------------------ openvpn-install.sh | 33 ++++++++++++++++++++------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/Documentation/client-ssl.md b/Documentation/client-ssl.md index 35932d9..79b2f78 100644 --- a/Documentation/client-ssl.md +++ b/Documentation/client-ssl.md @@ -12,7 +12,12 @@ ## Windows - Configure `stunnel` - - Download and install [stunnel](https://www.stunnel.org/downloads.html) + - Download and install [stunnel](https://www.stunnel.org/downloads.html) + - Copy `stunnel.conf` and `stunnel.crt` to the `config` folder in `stunnel`'s install directory. + - On 64-bit Windows systems, `stunnel`'s install directory is `C:\Program Files (x86)\stunnel`, unless you + changed it during installation. + - On 32-bit Windows systems, `stunnel`'s install directory is `C:\Program Files\stunnel`, unless you + changed it during installation. - Start `stunnel` by launching `stunnel GUI start ` from the Start Menu - Locate the `stunnel` icon in the Task Bar, right click, and select `Edit Configuration` - Copy everything in `stunnel.conf` and paste into the `stunnel` configuration file. Save and close it after editing. 
@@ -38,15 +43,21 @@ ```bash brew install stunnel ``` + - Open `stunnel.conf` with a text editor (e.g. `TextEdit`), locate this line: + `CAfile = /etc/stunnel/stunnel.crt` + + Replace the entire line with: + + `CAfile = /usr/local/etc/stunnel/stunnel.crt` - Configure and start `stunnel` ```bash # In order to run these, you need to log in to your Mac with an administrator account. # When prompted for password, enter the password of the current user, - # Run this in the directory that contains 'stunnel.conf' - sudo cp stunnel.conf /usr/local/etc/stunnel/stunnel.conf + # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt' + sudo cp stunnel.conf stunnel.crt /usr/local/etc/stunnel/ # Start stunnel sudo stunnel ``` @@ -81,8 +92,8 @@ - Configure and start `stunnel` ```bash - # Run this in the directory that contains 'stunnel.conf' - sudo cp stunnel.conf /etc/stunnel/ + # Run this in the directory that contains 'stunnel.conf' and 'stunnel.crt' + sudo cp stunnel.conf stunnel.crt /etc/stunnel/ # Start stunnel sudo stunnel ``` diff --git a/README.md b/README.md index 43cfab9..3b736d0 100644 --- a/README.md +++ b/README.md 
@@ -27,24 +27,22 @@ If you run into any issues during installation, please refer to [Troubleshooting - **Please note: if your server is running the following OS versions, please select `AES-256-CBC` when you're asked to select a cipher mode.** - - CentOS 6 or older - - Debian 8 (Jessie) or older - - Ubuntu 16.10 or older + - CentOS 6 or older + - Debian 8 (Jessie) or older + - Ubuntu 16.10 or older - Run this in a terminal on your server, and follow the on-screen instructions: - ```bash - # Download the script - wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh + ```bash + # Download the script + wget https://raw.githubusercontent.com/birkhoffcheng/openvpn-install/master/openvpn-install.sh - # Run the install script - sudo bash openvpn-install.sh + # Run the install script + sudo bash openvpn-install.sh - # Note: If you're running Ubuntu 16.10 or older - - # Start stunnel (only if you're using OpenVPN over SSL) - sudo stunnel - ``` + # Start stunnel (only if you're using OpenVPN over SSL) + sudo stunnel + ``` - Once it finishes, your OpenVPN server is up and running! You should [set up client devices](#client-setup) next. @@ -52,9 +50,10 @@ If you run into any issues during installation, please refer to [Troubleshooting ### Before continuing... -- Download `stunnel.conf` and the `.ovpn` file from your server. -- If your username is `root`, they're located at `/root`. -- Otherwise, they're located at `/home/`. +- Download the `.ovpn` file from your server. +- If you're using OpenVPN with SSL, also download `stunnel.crt` and `stunnel.conf` from your server. +- If your username is `root`, they're located at `/root`. +- Otherwise, they're located at `/home/`. ### OS-specific setup processes 
@@ -97,7 +96,7 @@ If you run into any issues during installation, please refer to [Troubleshooting ps -A | grep openvpn ``` - - If you still can't connect, try removing and reinstalling OpenVPN on your server. + - If you still can't connect, try removing and reinstalling OpenVPN on your server. - Run the install script and select `Uninstall` - Run the install script again and make sure you enter the correct information. @@ -109,4 +108,4 @@ You can get a VPS for as little as $2.50/month (IPv6 only) or $5/month (with IPv ## Donations -If you want to show your appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! +If you want to show some appreciation, you can donate via [PayPal](https://paypal.me/birkhoffcheng) or Bitcoin (12R4euPg17EfJyYNfdTxjiQ2SctW1b4CRz). Thanks! diff --git a/openvpn-install.sh b/openvpn-install.sh index 1c23aec..044237d 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -149,9 +149,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then - apt remove --purge openvpn stunnel4 easy-rsa -y + apt remove --purge openvpn stunnel4 -y else - yum remove openvpn stunnel4 easy-rsa -y + yum remove openvpn stunnel4 -y fi rm -rf /etc/openvpn /etc/stunnel rm -f /etc/sysctl.d/30-openvpn-forward.conf 
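Review bot: After this commit the CentOS uninstall path runs `yum remove openvpn stunnel4 -y`, but the install path in the following hunk (`@@ -240,21 +240,28 @@`) now installs the package under the name `stunnel`, so on CentOS the stunnel package is never removed and yum only reports that it has no match for `stunnel4`; the same line survives unchanged in the last commit's hunk (`@@ -149,7 +149,8 @@`). Use `yum remove openvpn stunnel -y` here. `curl` is also added to both install lists in the next hunk but is not removed on uninstall; if that is deliberate because it is a general-purpose tool, a one-line comment saying so would save the next reader the question. The enclosing `if [[ -e /etc/openvpn/server.conf ]]` block begins outside the hunk.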
@@ -240,21 +240,28 @@ else if [[ "$OS" = 'debian' ]]; then apt update apt dist-upgrade -y - apt install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y + apt install curl openvpn iptables openssl ca-certificates stunnel4 -y else # Else, the distro is CentOS yum install epel-release -y - yum install openvpn iptables openssl ca-certificates stunnel4 easy-rsa -y + yum install curl openvpn iptables openssl ca-certificates stunnel -y fi - mkdir /etc/openvpn/easy-rsa/ + # Get easy-rsa + EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz' + wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" + tar xzf ~/easyrsa.tgz -C ~/ + mv ~/EasyRSA-3.0.4/ /etc/openvpn/ + mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ + chown -R root:root /etc/openvpn/easy-rsa/ + rm -f ~/easyrsa.tgz cd /etc/openvpn/easy-rsa/ # Create the PKI, set up the CA, the DH params and the server + client certificates - easyrsa init-pki - easyrsa --batch build-ca nopass - easyrsa gen-dh - easyrsa build-server-full server nopass - easyrsa build-client-full $CLIENT nopass - EASYRSA_CRL_DAYS=3650 easyrsa gen-crl + ./easyrsa init-pki + ./easyrsa --batch build-ca nopass + ./easyrsa gen-dh + ./easyrsa build-server-full server nopass + ./easyrsa build-client-full $CLIENT nopass + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # Move the stuff we need csplit -f /etc/openvpn/easy-rsa/pki/issued/cert. /etc/openvpn/easy-rsa/pki/issued/server.crt '/-----BEGIN CERTIFICATE-----/' '{*}' rm /etc/openvpn/easy-rsa/pki/issued/cert.00 /etc/openvpn/easy-rsa/pki/issued/server.crt 
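Review bot: The EasyRSA archive fetched by `wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"` is extracted and then used to create the CA and every server and client certificate without any integrity check, and a failed or truncated download is not detected either, since `tar`, the `mv` chain and the `./easyrsa` calls run regardless of whether the file arrived. The release version is already pinned in `EASYRSAURL`, so pin its digest next to it and abort before extraction: `echo "EXPECTED_SHA256_PLACEHOLDER  $HOME/easyrsa.tgz" | sha256sum -c - || { echo "easy-rsa download failed verification" >&2; exit 1; }`, where the placeholder is the published SHA-256 of the 3.0.4 release archive. The two consecutive `mv` lines can be collapsed into `mv ~/EasyRSA-3.0.4 /etc/openvpn/easy-rsa`. The enclosing `else` branch begins outside the hunk.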
@@ -441,13 +448,13 @@ debug = 7 accept = 127.0.0.1:1194 connect = $IP:$PORT verify = 2 -CAfile = stunnel.crt +CAfile = /etc/stunnel/stunnel.crt TIMEOUTclose = 1000 session=300 stack=65536 sslVersion=TLSv1.2" > /etc/stunnel/stunnel-client.conf cp /etc/stunnel/stunnel-client.conf $HOME/stunnel.conf - cp /etc/openvpn/server.crt $HOME/stunnel.crt + cp /etc/openvpn/ca.crt $HOME/stunnel.crt fi # Generates the custom client.ovpn newclient "$CLIENT" From 055e841bd758bce8a828d692165150cde349a226 Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Tue, 31 Jul 2018 00:09:06 -0400 Subject: [PATCH 31/33] Order issues --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 044237d..d92e9e4 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -230,10 +230,11 @@ else echo " 5) Verisign" read -p "DNS [1-5]: " -e -i 1 DNS echo + read -p "For how long should each session key be used? (seconds) " -e -i 3600 RENEGKEY + echo echo "Finally, tell me your name for the client certificate." echo "Please, use one word only, no special characters." read -p "Client name: " -e -i client CLIENT - read -p "For how long should each session key be used? (seconds) " -e -i 3600 RENEGKEY echo echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now." read -n1 -r -p "Press any key to continue..." From e37fa065eaaf69137d9a6d46a55e922968a0d00b Mon Sep 17 00:00:00 2001 From: Birkhoff Date: Tue, 31 Jul 2018 00:22:30 -0400 Subject: [PATCH 32/33] Fixed easyrsa execution bug --- openvpn-install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index d92e9e4..86bb7eb 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
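Review bot: With `verify = 2` and `CAfile = /etc/stunnel/stunnel.crt` now pointing at the OpenVPN CA (`cp /etc/openvpn/ca.crt $HOME/stunnel.crt`), the client's stunnel checks only that the server certificate chains to that CA; the same CA issues every client certificate, and stunnel is given neither the CRL that `gen-crl` produces nor the expected server identity, so any CA-issued certificate, including a revoked client one, passes this check. Consider pinning the peer identity in the generated client config, e.g. `checkIP = $IP` (or `checkHost` when a hostname is used; both need stunnel 5.x built against OpenSSL 1.0.2 or newer, which should be confirmed for the supported distros), and/or pointing `CRLfile` at the generated CRL so revocations also apply to the TLS wrapper. A short comment above the heredoc stating what `verify = 2` does and does not guarantee would help whoever next touches this block. The heredoc's opening `echo "` line is outside the hunk.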
@@ -67,7 +67,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then echo "Please, use one word only, no special characters." read -p "Client name: " -e CLIENT cd /etc/openvpn/easy-rsa/ - easyrsa build-client-full $CLIENT nopass + ./easyrsa build-client-full $CLIENT nopass newclient "$CLIENT" echo echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn" @@ -100,8 +100,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then cd /etc/openvpn/easy-rsa/ - easyrsa --batch revoke $CLIENT - EASYRSA_CRL_DAYS=3650 easyrsa gen-crl + ./easyrsa --batch revoke $CLIENT + EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl rm -f pki/reqs/$CLIENT.req rm -f pki/private/$CLIENT.key rm -f pki/issued/$CLIENT.crt From 7d6e9bf1e189110b73274d4d0c54b8a408b5c76f Mon Sep 17 00:00:00 2001 From: Birkhoff <23278129+birkhoffcheng@users.noreply.github.com> Date: Sat, 18 Aug 2018 16:04:36 -0700 Subject: [PATCH 33/33] Autoremove after purging --- openvpn-install.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 86bb7eb..5935a29 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -149,7 +149,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then - apt remove --purge openvpn stunnel4 -y + apt purge openvpn stunnel4 -y + apt autoremove --purge -y else yum remove openvpn stunnel4 -y fi
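Review bot: `./easyrsa build-client-full $CLIENT nopass` expands the interactively read `CLIENT` unquoted, and the same value flows into `./easyrsa --batch revoke $CLIENT` and the `rm -f pki/.../$CLIENT.*` context lines of the second hunk (`@@ -100,8 +100,8 @@`); the prompt asks for "one word only, no special characters" but nothing enforces it, so a name containing spaces or glob characters is split or expanded before it reaches easyrsa and rm. Quote it, `./easyrsa build-client-full "$CLIENT" nopass`, and reject anything outside a safe alphabet right after the `read`: `[[ "$CLIENT" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "Invalid client name" >&2; exit 1; }`. Now that the binary is invoked relative to the working directory, `cd /etc/openvpn/easy-rsa/` should also fail loudly (`cd /etc/openvpn/easy-rsa/ || exit 1`) instead of letting `./easyrsa` run from wherever the script was started. The enclosing `if` blocks begin outside both hunks.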