Thanks to @nyr for the best script. Just added a few touches as a Kali Debian user, as well as the introduction of duplicate-cn in the server.conf
This helps to add Kali support (but breaks pre-Debian 9, so be careful). Ideally, we are well past using Debian 8 or lower though, in all honesty. We could almost call it deprecated except for the backwards compatibility, so be forewarned.
The duplicate-cn in server.conf is something that should be there anyway; I don't see the average person only wishing to make a single connection without breaking the rest of their connections. If I try to add this to a second device, I can block the original from using the tunnel.
While we can create separate tunnels, this one flag is sufficient to allow the multiple connections we need from other locations. Obviously that is bad for IPsec, because anyone that gets ahold of the server.conf can have open access to your server or Linux host. That is the case anyway, so you really don't want to let your .ovpn get out of your hands. Adding multiple connections effectively broadens the ability for these leaks to become threatening.
Personally, I trust how I store this information, and handle it very carefully, where it isn't already well placed in the /root directory anyway. I transfer the .ovpn over an SFTP tunnel, and store it on an encrypted drive in case I need it later.
Absolutely wonderful to have this script!! I am able to use this server's IP address and tunnel other servers' outbound traffic while also using the same VPN at home. I don't pay for a VPN anymore, but being able to use it and also re-use it simultaneously is, well, amazing.
My server is a 64GB RAM 12 CPU, and is now my beautiful security OS (Kali, with a lot of custom firewalling, etc.) and I can traffic all my connections to my 'work' IP address when desired. This script worked well in comparison to some other examples I tried. I can install it on a VPN router and select devices to traffic to work. And my other server also can reuse it, to proxy one server connection as another, while still being able to have the VPN at home on our router.
I hope these changes were helpful.
@SatoriHoshiAiko
While it looks hackish, I don't think there's a better way (in Bash) to open
the /dev/net/tun character device.
Checking for presence of /dev/net/tun like we're doing is not good enough.
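The check the commit message refers to, as an added example that is not the project's own code: instead of testing only that `/dev/net/tun` exists, try to open it read-write in a subshell, which fails when the path is present but the kernel module or container capability is not. The device path is a parameter so the check can be exercised on other device nodes.

```bash
#!/bin/bash
# Added example (not the project's own code): test whether a TUN device node
# can actually be opened, not merely whether the path exists.

# Return 0 when $1 (default /dev/net/tun) exists and can be opened read-write.
tun_usable() {
    dev="${1:-/dev/net/tun}"
    # A missing node is the easy case the plain existence check already catches.
    [ -e "$dev" ] || return 1
    # Opening the node read-write on a spare descriptor inside a subshell fails
    # (e.g. "No such device", "Operation not permitted") when the tun module is
    # absent or the container is not allowed to use it, even though the path exists.
    ( exec 7<>"$dev" ) 2>/dev/null
}

# Stand-alone usage: report the state of the real TUN node on this host.
if tun_usable /dev/net/tun; then
    echo "/dev/net/tun can be opened; TUN is usable"
else
    echo "TUN is not usable: /dev/net/tun is missing or cannot be opened" >&2
fi
```

The subshell matters: a failed redirection on `exec` terminates the shell it runs in, so wrapping it in `( ... )` turns that into a non-zero exit status instead of killing the installer.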
nf_tables is not available in old OpenVZ kernels, so we need to use
iptables-legacy instead.
This issue only affects Debian 10 as it is the only distribution using iptables
with a nf_tables backend by default.
This is supposedly resolved in the newest kernels: https://bit.ly/3fgNZCh
Additionally, a bugfix for the ip6tables path is also included.
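A way to make the backend decision explicit, as an added example (not the project's own code): read the backend tag that `iptables -V` prints (`(nf_tables)` or `(legacy)`), and fall back to the `-legacy` binary only when the host is an OpenVZ container. The OpenVZ indicator (`/proc/vz` present, `/proc/bc` absent) and the version-string format are assumptions; both inputs are parameters so the decision can be tested with constructed values, and the same rule covers `ip6tables`.

```bash
#!/bin/bash
# Added example (not the project's own code): choose the iptables binary from
# the backend reported by `iptables -V` and the virtualization type.

# $1: output of `iptables -V`, e.g. "iptables v1.8.2 (nf_tables)"
# $2: "openvz" or "none"
# $3: base command name, "iptables" (default) or "ip6tables"
# Prints the binary name to use.
select_iptables() {
    version_line="$1"
    virt="$2"
    base="${3:-iptables}"
    case "$version_line" in
        *"(nf_tables)"*)
            # Debian 10 style: iptables front-end driving nf_tables. Old OpenVZ
            # kernels have no nf_tables, so use the legacy binary there.
            if [ "$virt" = openvz ]; then
                echo "${base}-legacy"
            else
                echo "$base"
            fi
            ;;
        *)
            # "(legacy)" or a pre-1.8 iptables that prints no backend tag.
            echo "$base"
            ;;
    esac
}

# Assumed OpenVZ indicator: a container has /proc/vz but not /proc/bc.
detect_virt() {
    if [ -d /proc/vz ] && [ ! -d /proc/bc ]; then
        echo openvz
    else
        echo none
    fi
}

# Stand-alone usage on the running host: print the binaries to use.
if command -v iptables >/dev/null 2>&1; then
    virt="$(detect_virt)"
    select_iptables "$(iptables -V 2>/dev/null)" "$virt" iptables
    select_iptables "$(ip6tables -V 2>/dev/null)" "$virt" ip6tables
else
    echo "iptables is not installed" >&2
fi
```

Whatever the choice, the firewall rules written for the server should be verified with the same binary afterwards (`iptables-legacy -S` versus `iptables -S`), since rules loaded through one backend are invisible to the other.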
The new systemd service at `/usr/lib/systemd/system/openvpn-server@.service` that comes with openvpn 2.4 includes the status option in `ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf`
Using this default allows having multiple servers with their own status files, all in the same log directory. Example: `/run/openvpn-server/status-server.log` and `/run/openvpn-server/status-server2.log`.
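Reading those status files is how an operator sees who is connected, and with `duplicate-cn` (discussed earlier on this page) several sessions can share one certificate. The following is an added example, not the project's own code: it parses a `--status-version 2` file and counts sessions per common name. The field layout (comma-separated `CLIENT_LIST` records: Common Name, Real Address, Virtual Address, ...) is the OpenVPN status-version 2 format as I know it, and the sample file is constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not the project's own code): summarise client sessions from an
# OpenVPN --status-version 2 file such as /run/openvpn-server/status-server.log.

# Print "common_name real_address virtual_address" for every client session.
list_sessions() {
    awk -F, '$1 == "CLIENT_LIST" { print $2, $3, $4 }' "$1"
}

# Count sessions per common name. With duplicate-cn a count above 1 is normal;
# a count far above the devices you issued that certificate to, or a CN nobody
# should be using, is the signal that a .ovpn has leaked.
sessions_per_cn() {
    awk -F, '$1 == "CLIENT_LIST" { n[$2]++ } END { for (cn in n) print cn, n[cn] }' "$1" | sort
}

# Constructed sample status file (not captured from a real server).
write_sample_status() {
    cat >"$1" <<'EOF'
TITLE,OpenVPN 2.4.7 x86_64-pc-linux-gnu
TIME,2020-06-01 10:00:00,1590998400
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID
CLIENT_LIST,laptop,198.51.100.10:51234,10.8.0.2,,12345,67890,2020-06-01 09:00:00,1590994800,UNDEF,0,0
CLIENT_LIST,laptop,203.0.113.7:41000,10.8.0.3,,2222,3333,2020-06-01 09:30:00,1590996600,UNDEF,1,1
CLIENT_LIST,router,192.0.2.9:1194,10.8.0.4,,99,88,2020-06-01 09:45:00,1590997500,UNDEF,2,2
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.2,laptop,198.51.100.10:51234,2020-06-01 09:59:00,1590998340
GLOBAL_STATS,Max bcast/mcast queue length,0
END
EOF
}

# Stand-alone usage on the constructed sample.
sample="$(mktemp)"
write_sample_status "$sample"
list_sessions "$sample"
sessions_per_cn "$sample"
rm -f "$sample"
```

To run it against a live server, pass the real path, e.g. `sessions_per_cn /run/openvpn-server/status-server.log`; the file is rewritten by OpenVPN on a timer, so a single read is a snapshot.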
New logic makes way more sense:
- If either firewalld or iptables are present, use whatever we have
- If not, install firewalld in CentOS/Fedora and iptables in Debian/Ubuntu
- Use a checkip service which works fine over HTTP to avoid issues in systems
where ca-certificates is not available
- Increase timeout to 10 seconds, because the new service is a bit slower from
some locations
- Improve grep sanitization
- Fix #694: added sanitization during the public IP address configuration and
switched to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT,
checkip service is unreachable and user doesn't provide input when asked for
the public IP address or hostname.
- Other small improvements not worth describing in detail.
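The sanitization and the "unreachable service, no user input" case described in this list, as an added example that is not the project's own code: the checkip reply is reduced to digits and dots and checked as a dotted quad before it is used, the user's manual answer is accepted only if it is an IP address or a plausible hostname, and the function fails cleanly when neither is usable. The hostname rule is a deliberately loose assumption, and the live fetch uses the AWS checkip endpoint (`http://checkip.amazonaws.com`) over plain HTTP so that `ca-certificates` is not needed just to learn the address.

```bash
#!/bin/bash
# Added example (not the project's own code): validate a public IP address or
# hostname before it is written into the OpenVPN configuration.

# Return 0 if $1 is a syntactically valid IPv4 address (four octets, 0-255).
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;   # anything outside digits and dots is rejected
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip                       # split on dots into the function's positional params
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1          # catches "1..2.3" and trailing dots
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Strip anything that cannot be part of an IPv4 address from a service reply
# (trailing newline, HTML from a captive portal or proxy error page, and so on).
sanitize_ip() {
    printf '%s' "$1" | tr -cd '0-9.'
}

# Loose hostname check (assumption, not a full RFC check): letters, digits,
# dots and hyphens, not starting with a dot or hyphen, at most 253 characters.
valid_hostname() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# $1: raw reply from the checkip service (empty when the service is unreachable)
# $2: what the user typed when prompted (empty when they just pressed Enter)
# Prints the value to use, or returns 1 when neither input is acceptable.
choose_public_ip() {
    candidate="$(sanitize_ip "$1")"
    if valid_ipv4 "$candidate"; then
        echo "$candidate"; return 0
    fi
    if valid_ipv4 "$2" || valid_hostname "$2"; then
        echo "$2"; return 0
    fi
    echo "no usable public IP address or hostname was provided" >&2
    return 1
}

# Stand-alone usage with a live lookup only when explicitly asked for.
if [ "${1:-}" = "--live" ]; then
    reply="$(curl -s --max-time 10 http://checkip.amazonaws.com 2>/dev/null)"
    choose_public_ip "$reply" ""
fi
```

Validation stops a malformed or injected reply from ending up in the config; it does not stop an on-path party from substituting a different, well-formed address on a plain-HTTP lookup, which is why the installer still shows the detected address and asks the user to confirm it.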
LowEndSpirit fixed the issue on their end, so this is no longer needed.
Additionally, the check causes unneeded trouble for users whose system doesn't
have the iptables package installed.
This commit contains lots of changes which are not very significant on their own but
provide important usability improvements and future proofing.
It also includes changes which required OpenVPN v2.4+ and were pending until
that version became widely available.
- General cleanup
- Improved IP address and NAT configuration
- Added input validation and sanitization
- Fix #603
- Remove "sndbuf" and "recvbuf" parameters
- Add server-side "explicit-exit-notify"
- Switch from "setenv opt" to "ignore-unknown-option"
- Switch from "tls-auth" to "tls-crypt"
- Other minor bugfixes and optimizations
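For an existing installation, the configuration changes in this list can be checked rather than guessed at. The following is an added example, not the project's own code: it audits a `server.conf` for the directives the commit removes or replaces (`tls-auth` in favour of `tls-crypt`, the socket buffer options, `setenv opt` in favour of `ignore-unknown-option`) and for a missing `explicit-exit-notify`. Directive names are OpenVPN's own (the receive buffer option is spelled `rcvbuf` in OpenVPN itself); the sample config is constructed for the demonstration.

```bash
#!/bin/bash
# Added example (not the project's own code): audit an OpenVPN server.conf for
# the settings this commit moves away from and say what to change.

# Print one finding per line; prints nothing when the config already matches.
audit_openvpn_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*tls-auth[[:space:]]' "$conf" &&
        echo "tls-auth: replace with tls-crypt so the control channel is encrypted as well as authenticated"
    grep -Eq '^[[:space:]]*(sndbuf|rcvbuf)[[:space:]]' "$conf" &&
        echo "sndbuf/rcvbuf: remove and let the kernel size the socket buffers"
    grep -Eq '^[[:space:]]*setenv[[:space:]]+opt[[:space:]]' "$conf" &&
        echo "setenv opt: replace with ignore-unknown-option (OpenVPN 2.4+)"
    grep -Eq '^[[:space:]]*explicit-exit-notify' "$conf" ||
        echo "explicit-exit-notify: add so clients learn of a server restart instead of waiting for keepalive to time out (UDP only)"
    return 0
}

# Constructed sample of a pre-change server.conf (not a real deployment).
write_sample_conf() {
    cat >"$1" <<'EOF'
port 1194
proto udp
dev tun
tls-auth ta.key 0
sndbuf 0
rcvbuf 0
setenv opt block-outside-dns
keepalive 10 120
EOF
}

# Stand-alone usage on the constructed sample.
sample="$(mktemp)"
write_sample_conf "$sample"
audit_openvpn_conf "$sample"
rm -f "$sample"
```

Run it against the real file with `audit_openvpn_conf /etc/openvpn/server/server.conf`; note that switching from `tls-auth` to `tls-crypt` changes the key file format and the client side at the same time, so every issued `.ovpn` has to be regenerated, which is also a natural moment to revoke any profile whose custody is in doubt.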