1
1
mirror of https://github.com/namibia/openvpn-install.git synced 2025-01-24 04:48:25 +00:00
openvpn-install/openvpn-install.sh

1259 lines
37 KiB
Bash
Raw Normal View History

2013-05-14 14:04:19 +02:00
#!/bin/bash
2019-08-19 23:25:48 +02:00
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
2018-09-20 17:16:04 +02:00
# https://github.com/angristan/openvpn-install
2013-05-14 14:04:19 +02:00
2018-09-20 00:05:02 +02:00
function isRoot () {
if [ "$EUID" -ne 0 ]; then
return 1
fi
}
2013-05-14 14:04:19 +02:00
2018-09-20 00:05:02 +02:00
function tunAvailable () {
if [ ! -e /dev/net/tun ]; then
return 1
fi
}
2018-09-20 00:05:02 +02:00
function checkOS () {
if [[ -e /etc/debian_version ]]; then
OS="debian"
2019-11-11 15:37:09 +09:00
# shellcheck disable=SC1091
source /etc/os-release
2018-09-23 22:22:59 +02:00
2019-08-20 21:01:35 +02:00
if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
2019-06-30 23:06:33 +02:00
if [[ ! $VERSION_ID =~ (8|9|10) ]]; then
2018-09-23 22:22:59 +02:00
echo "⚠️ Your version of Debian is not supported."
echo ""
echo "However, if you're using Debian >= 9 or unstable/testing then you can continue."
echo "Keep in mind they are not supported, though."
echo ""
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
exit 1
fi
fi
elif [[ "$ID" == "ubuntu" ]];then
OS="ubuntu"
2019-04-22 21:59:04 +02:00
if [[ ! $VERSION_ID =~ (16.04|18.04|19.04) ]]; then
2018-09-23 22:22:59 +02:00
echo "⚠️ Your version of Ubuntu is not supported."
echo ""
echo "However, if you're using Ubuntu > 17 or beta, then you can continue."
echo "Keep in mind they are not supported, though."
echo ""
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
exit 1
fi
2018-09-20 00:05:02 +02:00
fi
fi
2019-08-19 23:25:48 +02:00
elif [[ -e /etc/system-release ]]; then
2019-11-11 15:37:09 +09:00
# shellcheck disable=SC1091
2019-08-19 23:25:48 +02:00
source /etc/os-release
if [[ "$ID" = "centos" ]]; then
OS="centos"
2019-11-11 01:18:34 -05:00
if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported."
echo ""
echo "The script only support CentOS 7."
echo ""
exit 1
fi
fi
if [[ "$ID" = "amzn" ]]; then
2019-08-19 23:25:48 +02:00
OS="amzn"
if [[ ! $VERSION_ID == "2" ]]; then
2019-08-19 23:25:48 +02:00
echo "⚠️ Your version of Amazon Linux is not supported."
echo ""
echo "The script only support Amazon Linux 2."
echo ""
exit 1
fi
fi
2018-09-20 00:05:02 +02:00
elif [[ -e /etc/fedora-release ]]; then
OS=fedora
2018-09-23 16:27:36 +02:00
elif [[ -e /etc/arch-release ]]; then
OS=arch
2018-09-20 00:05:02 +02:00
else
2019-08-19 23:25:48 +02:00
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2 or Arch Linux system"
2018-09-20 00:05:02 +02:00
exit 1
2018-09-16 01:26:30 +02:00
fi
2018-09-20 00:05:02 +02:00
}
2013-05-14 14:04:19 +02:00
2018-09-20 00:05:02 +02:00
function initialCheck () {
if ! isRoot; then
echo "Sorry, you need to run this as root"
exit 1
fi
2018-09-20 00:05:02 +02:00
if ! tunAvailable; then
echo "TUN is not available"
exit 1
fi
checkOS
2014-10-23 00:19:08 +02:00
}
2018-09-20 00:05:02 +02:00
function installUnbound () {
2018-09-16 00:53:33 +02:00
if [[ ! -e /etc/unbound/unbound.conf ]]; then
2018-09-23 22:22:59 +02:00
if [[ "$OS" =~ (debian|ubuntu) ]]; then
2018-09-16 00:53:33 +02:00
apt-get install -y unbound
2018-09-20 00:05:02 +02:00
# Configuration
2018-09-16 00:53:33 +02:00
echo 'interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf
2019-08-19 23:25:48 +02:00
elif [[ "$OS" =~ (centos|amzn) ]]; then
2018-09-16 00:53:33 +02:00
yum install -y unbound
# Configuration
sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" = "fedora" ]]; then
dnf install -y unbound
# Configuration
sed -i 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' /etc/unbound/unbound.conf
sed -i 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' /etc/unbound/unbound.conf
sed -i 's|# hide-identity: no|hide-identity: yes|' /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
2018-09-23 16:27:36 +02:00
elif [[ "$OS" = "arch" ]]; then
pacman -Syu --noconfirm unbound
# Get root servers list
curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
2019-06-30 23:06:33 +02:00
2018-09-23 16:27:36 +02:00
echo 'server:
use-syslog: yes
do-daemonize: no
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
root-hints: root.hints
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
port: 53
num-threads: 2
use-caps-for-id: yes
harden-glue: yes
hide-identity: yes
hide-version: yes
qname-minimisation: yes
prefetch: yes' > /etc/unbound/unbound.conf
2018-09-16 00:53:33 +02:00
fi
2019-08-19 23:25:48 +02:00
if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
2018-09-16 00:53:33 +02:00
# DNS Rebinding fix
echo "private-address: 10.0.0.0/8
2018-09-20 00:05:02 +02:00
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
2018-09-16 00:53:33 +02:00
fi
2018-09-20 00:05:02 +02:00
else # Unbound is already installed
2018-09-16 00:53:33 +02:00
echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
2018-09-20 00:05:02 +02:00
# Add Unbound 'server' for the OpenVPN subnet
2018-09-16 00:53:33 +02:00
echo 'server:
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
fi
systemctl enable unbound
2018-09-20 00:05:02 +02:00
systemctl restart unbound
2018-09-16 00:53:33 +02:00
}
function installQuestions () {
2018-09-20 00:05:02 +02:00
echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo ""
2018-07-15 15:25:59 +06:00
2018-09-20 00:05:02 +02:00
echo "I need to ask you a few questions before starting the setup."
echo "You can leave the default options and just press enter if you are ok with them."
echo ""
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
2018-09-21 21:53:39 +02:00
echo "Unless your server is behind NAT, it should be your public IPv4 address."
2018-07-15 15:25:59 +06:00
2018-09-20 00:05:02 +02:00
# Detect public IPv4 address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
APPROVE_IP=${APPROVE_IP:-n}
if [[ $APPROVE_IP =~ n ]]; then
read -rp "IP address: " -e -i "$IP" IP
fi
2018-09-16 17:55:50 +02:00
# If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
2018-09-21 21:53:39 +02:00
echo "We need it for the clients to connect to the server."
until [[ "$ENDPOINT" != "" ]]; do
read -rp "Public IPv4 address or hostname: " -e ENDPOINT
2018-09-21 21:53:39 +02:00
done
2018-09-16 17:55:50 +02:00
fi
2018-09-20 00:05:02 +02:00
2018-09-16 17:55:50 +02:00
echo ""
echo "Checking for IPv6 connectivity..."
echo ""
2018-10-01 21:00:26 +02:00
# "ping6" and "ping -6" availability varies depending on the distribution
if type ping6 > /dev/null 2>&1; then
PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1"
else
PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1"
fi
if eval "$PING6"; then
2018-09-16 17:55:50 +02:00
echo "Your host appears to have IPv6 connectivity."
2018-09-20 00:05:02 +02:00
SUGGESTION="y"
2018-09-16 17:55:50 +02:00
else
echo "Your host does not appear to have IPv6 connectivity."
2018-09-20 00:05:02 +02:00
SUGGESTION="n"
2018-09-16 17:55:50 +02:00
fi
echo ""
2018-09-20 00:05:02 +02:00
# Ask the user if they want to enable IPv6 regardless its availability.
2018-09-22 15:23:01 +02:00
until [[ $IPV6_SUPPORT =~ (y|n) ]]; do
2018-09-20 00:05:02 +02:00
read -rp "Do you want to enable IPv6 support (NAT)? [y/n]: " -e -i $SUGGESTION IPV6_SUPPORT
2018-09-16 17:55:50 +02:00
done
echo ""
2018-09-20 00:05:02 +02:00
echo "What port do you want OpenVPN to listen to?"
echo " 1) Default: 1194"
echo " 2) Custom"
echo " 3) Random [49152-65535]"
until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done
case $PORT_CHOICE in
1)
PORT="1194"
;;
2)
until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
read -rp "Custom port [1-65535]: " -e -i 1194 PORT
done
;;
3)
# Generate random number within private ports range
PORT=$(shuf -i49152-65535 -n1)
echo "Random Port: $PORT"
;;
esac
echo ""
2018-09-20 00:05:02 +02:00
echo "What protocol do you want OpenVPN to use?"
2018-09-28 14:36:00 +00:00
echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
2018-09-20 00:05:02 +02:00
echo " 1) UDP"
echo " 2) TCP"
2018-09-22 15:23:01 +02:00
until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
2018-09-20 00:05:02 +02:00
read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
done
2018-09-20 00:05:02 +02:00
case $PROTOCOL_CHOICE in
1)
PROTOCOL="udp"
;;
2)
PROTOCOL="tcp"
;;
esac
echo ""
2018-09-20 00:05:02 +02:00
echo "What DNS resolvers do you want to use with the VPN?"
2017-11-29 11:17:06 +01:00
echo " 1) Current system resolvers (from /etc/resolv.conf)"
2018-09-16 00:53:33 +02:00
echo " 2) Self-hosted DNS Resolver (Unbound)"
echo " 3) Cloudflare (Anycast: worldwide)"
echo " 4) Quad9 (Anycast: worldwide)"
2018-09-24 11:42:29 +02:00
echo " 5) Quad9 uncensored (Anycast: worldwide)"
echo " 6) FDN (France)"
echo " 7) DNS.WATCH (Germany)"
echo " 8) OpenDNS (Anycast: worldwide)"
echo " 9) Google (Anycast: worldwide)"
echo " 10) Yandex Basic (Russia)"
echo " 11) AdGuard DNS (Russia)"
echo " 12) Custom"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 12 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS
2018-09-16 00:53:33 +02:00
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo ""
echo "Unbound is already installed."
echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
echo "No changes are made to the current configuration."
echo ""
2018-09-22 15:23:01 +02:00
until [[ $CONTINUE =~ (y|n) ]]; do
2018-09-16 00:53:33 +02:00
read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
done
if [[ $CONTINUE = "n" ]];then
2018-09-20 00:05:02 +02:00
# Break the loop and cleanup
2018-09-16 01:26:37 +02:00
unset DNS
unset CONTINUE
2018-09-16 00:53:33 +02:00
fi
elif [[ $DNS == "12" ]]; then
until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Primary DNS: " -e DNS1
done
until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Secondary DNS (optional): " -e DNS2
if [[ "$DNS2" == "" ]]; then
break
fi
done
2018-09-16 00:53:33 +02:00
fi
done
echo ""
echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
2018-09-22 16:42:48 +02:00
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done
if [[ $COMPRESSION_ENABLED == "y" ]];then
echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
echo " 1) LZ4-v2"
echo " 2) LZ4"
echo " 3) LZ0"
until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do
read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
done
case $COMPRESSION_CHOICE in
1)
COMPRESSION_ALG="lz4-v2"
;;
2)
COMPRESSION_ALG="lz4"
;;
3)
COMPRESSION_ALG="lzo"
;;
esac
fi
echo ""
echo "Do you want to customize encryption settings?"
echo "Unless you know what you're doing, you should stick with the default parameters provided by the script."
echo "Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)"
2018-09-24 11:45:12 +02:00
echo "See https://github.com/angristan/openvpn-install#security-and-encryption to learn more."
2018-09-20 00:05:02 +02:00
echo ""
until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do
read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC
done
if [[ $CUSTOMIZE_ENC == "n" ]];then
2018-09-28 14:36:00 +00:00
# Use default, sane and fast parameters
2018-09-22 22:33:25 +02:00
CIPHER="AES-128-GCM"
CERT_TYPE="1" # ECDSA
2018-09-23 17:06:15 +02:00
CERT_CURVE="prime256v1"
CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
2018-09-22 22:33:25 +02:00
DH_TYPE="1" # ECDH
2018-09-23 17:06:15 +02:00
DH_CURVE="prime256v1"
HMAC_ALG="SHA256"
TLS_SIG="1" # tls-crypt
else
echo ""
echo "Choose which cipher you want to use for the data channel:"
2018-09-22 14:20:20 +02:00
echo " 1) AES-128-GCM (recommended)"
echo " 2) AES-192-GCM"
echo " 3) AES-256-GCM"
echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
done
case $CIPHER_CHOICE in
1)
CIPHER="AES-128-GCM"
;;
2)
CIPHER="AES-192-GCM"
;;
3)
CIPHER="AES-256-GCM"
2018-09-22 14:20:20 +02:00
;;
4)
CIPHER="AES-128-CBC"
2018-09-22 14:20:20 +02:00
;;
5)
CIPHER="AES-192-CBC"
2018-09-22 14:20:20 +02:00
;;
6)
CIPHER="AES-256-CBC"
;;
esac
echo ""
2018-09-28 14:36:00 +00:00
echo "Choose what kind of certificate you want to use:"
echo " 1) ECDSA (recommended)"
echo " 2) RSA"
2018-09-22 15:23:01 +02:00
until [[ $CERT_TYPE =~ ^[1-2]$ ]]; do
2018-09-22 16:42:48 +02:00
read -rp"Certificate key type [1-2]: " -e -i 1 CERT_TYPE
done
case $CERT_TYPE in
1)
echo ""
echo "Choose which curve you want to use for the certificate's key:"
2018-09-23 17:06:15 +02:00
echo " 1) prime256v1 (recommended)"
echo " 2) secp384r1"
echo " 3) secp521r1"
2018-09-22 15:23:01 +02:00
until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do
2018-09-22 16:42:48 +02:00
read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE
done
case $CERT_CURVE_CHOICE in
1)
2018-09-23 17:06:15 +02:00
CERT_CURVE="prime256v1"
;;
2)
CERT_CURVE="secp384r1"
;;
3)
CERT_CURVE="secp521r1"
;;
esac
;;
2)
echo ""
echo "Choose which size you want to use for the certificate's RSA key:"
echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits"
echo " 3) 4096 bits"
until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
done
case $RSA_KEY_SIZE_CHOICE in
1)
RSA_KEY_SIZE="2048"
;;
2)
RSA_KEY_SIZE="3072"
;;
3)
RSA_KEY_SIZE="4096"
;;
esac
;;
esac
echo ""
echo "Choose which cipher you want to use for the control channel:"
case $CERT_TYPE in
1)
echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)"
echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384"
2018-09-22 15:23:01 +02:00
until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
2018-09-22 16:42:48 +02:00
read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
done
case $CC_CIPHER_CHOICE in
1)
CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
;;
2)
CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
;;
esac
;;
2)
echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)"
echo " 2) ECDHE-RSA-AES-256-GCM-SHA384"
2018-09-22 15:23:01 +02:00
until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
2018-09-22 16:42:48 +02:00
read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
done
case $CC_CIPHER_CHOICE in
1)
CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
;;
2)
CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
;;
esac
;;
esac
echo ""
2018-09-28 14:36:00 +00:00
echo "Choose what kind of Diffie-Hellman key you want to use:"
2018-09-22 16:41:28 +02:00
echo " 1) ECDH (recommended)"
echo " 2) DH"
until [[ $DH_TYPE =~ [1-2] ]]; do
2018-09-22 16:42:48 +02:00
read -rp"DH key type [1-2]: " -e -i 1 DH_TYPE
done
2018-09-22 16:41:28 +02:00
case $DH_TYPE in
1)
2018-09-22 16:41:28 +02:00
echo ""
2018-09-28 14:36:00 +00:00
echo "Choose which curve you want to use for the ECDH key:"
2018-09-23 17:06:15 +02:00
echo " 1) prime256v1 (recommended)"
2018-09-22 16:41:28 +02:00
echo " 2) secp384r1"
echo " 3) secp521r1"
while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do
2018-09-22 16:42:48 +02:00
read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE
2018-09-22 16:41:28 +02:00
done
case $DH_CURVE_CHOICE in
1)
2018-09-23 17:06:15 +02:00
DH_CURVE="prime256v1"
2018-09-22 16:41:28 +02:00
;;
2)
DH_CURVE="secp384r1"
;;
3)
DH_CURVE="secp521r1"
;;
esac
;;
2)
2018-09-22 16:41:28 +02:00
echo ""
echo "Choose what size of Diffie-Hellman key you want to use:"
echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits"
echo " 3) 4096 bits"
until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
done
case $DH_KEY_SIZE_CHOICE in
1)
DH_KEY_SIZE="2048"
;;
2)
DH_KEY_SIZE="3072"
;;
3)
DH_KEY_SIZE="4096"
;;
esac
;;
esac
echo ""
# The "auth" options behaves differently with AEAD ciphers
if [[ "$CIPHER" =~ CBC$ ]]; then
echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
elif [[ "$CIPHER" =~ GCM$ ]]; then
echo "The digest algorithm authenticates tls-auth packets from the control channel."
fi
echo "Which digest algorithm do you want to use for HMAC?"
echo " 1) SHA-256 (recommended)"
echo " 2) SHA-384"
echo " 3) SHA-512"
until [[ $HMAC_ALG_CHOICE =~ ^[1-3]$ ]]; do
read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE
done
case $HMAC_ALG_CHOICE in
1)
HMAC_ALG="SHA256"
;;
2)
HMAC_ALG="SHA384"
;;
3)
HMAC_ALG="SHA512"
;;
esac
echo ""
echo "You can add an additional layer of security to the control channel with tls-auth and tls-crypt"
echo "tls-auth authenticates the packets, while tls-crypt authenticate and encrypt them."
echo " 1) tls-crypt (recommended)"
echo " 2) tls-auth"
until [[ $TLS_SIG =~ [1-2] ]]; do
read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG
done
fi
echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now."
2018-09-28 14:36:00 +00:00
echo "You will be able to generate a client at the end of the installation."
APPROVE_INSTALL=${APPROVE_INSTALL:-n}
if [[ $APPROVE_INSTALL =~ n ]]; then
read -n1 -r -p "Press any key to continue..."
fi
}
function installOpenVPN () {
if [[ $AUTO_INSTALL == "y" ]]; then
# Set default choices so that no questions will be asked.
APPROVE_INSTALL=${APPROVE_INSTALL:-y}
APPROVE_IP=${APPROVE_IP:-y}
IPV6_SUPPORT=${IPV6_SUPPORT:-n}
PORT_CHOICE=${PORT_CHOICE:-1}
PROTOCOL_CHOICE=${PROTOCOL_CHOICE:-1}
DNS=${DNS:-1}
COMPRESSION_ENABLED=${COMPRESSION_ENABLED:-n}
CUSTOMIZE_ENC=${CUSTOMIZE_ENC:-n}
CLIENT=${CLIENT:-client}
PASS=${PASS:-1}
CONTINUE=${CONTINUE:-y}
# Behind NAT, we'll default to the publicly reachable IPv4.
PUBLIC_IPV4=$(curl ifconfig.co)
ENDPOINT=${ENDPOINT:-$PUBLIC_IPV4}
fi
2019-02-25 21:54:36 +01:00
# Run setup questions first, and set other variales if auto-install
installQuestions
2018-09-20 00:05:02 +02:00
# Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
2018-09-23 22:22:59 +02:00
if [[ "$OS" =~ (debian|ubuntu) ]]; then
2018-09-16 17:55:50 +02:00
apt-get update
2018-09-27 22:23:40 +02:00
apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version.
2018-09-22 11:40:54 +02:00
if [[ "$VERSION_ID" = "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
2018-09-16 17:55:50 +02:00
apt-get update
fi
if [[ "$VERSION_ID" = "16.04" ]]; then
2019-05-13 18:38:10 +02:00
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
2018-09-27 22:23:40 +02:00
apt-get install -y openvpn iptables openssl wget ca-certificates curl
2018-09-20 00:05:02 +02:00
elif [[ "$OS" = 'centos' ]]; then
2018-09-27 22:23:40 +02:00
yum install -y epel-release
2019-11-11 01:18:34 -05:00
yum install -y openvpn iptables openssl wget ca-certificates curl tar
2019-08-19 23:25:48 +02:00
elif [[ "$OS" = 'amzn' ]]; then
amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl
2018-09-20 00:05:02 +02:00
elif [[ "$OS" = 'fedora' ]]; then
2018-09-27 22:23:40 +02:00
dnf install -y openvpn iptables openssl wget ca-certificates curl
2018-09-23 16:27:36 +02:00
elif [[ "$OS" = 'arch' ]]; then
# Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
2018-09-17 01:11:30 +02:00
fi
# Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup
else
NOGROUP=nobody
fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
2018-09-20 00:05:02 +02:00
# Install the latest version of easy-rsa from source
2019-02-21 14:59:58 +00:00
local version="3.0.6"
wget -O ~/EasyRSA-unix-v${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-unix-v${version}.tgz
tar xzf ~/EasyRSA-unix-v${version}.tgz -C ~/
mv ~/EasyRSA-v${version} /etc/openvpn/easy-rsa
chown -R root:root /etc/openvpn/easy-rsa/
2019-02-21 14:59:58 +00:00
rm -f ~/EasyRSA-unix-v${version}.tgz
2018-09-20 00:05:02 +02:00
2019-11-11 15:37:09 +09:00
cd /etc/openvpn/easy-rsa/ || return
case $CERT_TYPE in
1)
echo "set_var EASYRSA_ALGO ec" > vars
echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars
;;
2)
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
;;
esac
2018-09-23 16:27:36 +02:00
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
2018-09-20 00:05:02 +02:00
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
2019-11-11 01:18:34 -05:00
# Workaround to remove unharmful error until easy-rsa 3.0.7
# https://github.com/OpenVPN/easy-rsa/issues/261
sed -i 's/^RANDFILE/#RANDFILE/g' pki/openssl-easyrsa.cnf
./easyrsa --batch build-ca nopass
2018-09-23 16:27:36 +02:00
2018-09-22 16:41:28 +02:00
if [[ $DH_TYPE == "2" ]]; then
# ECDH keys are generated on-the-fly so we don't need to generate them beforehand
openssl dhparam -out dh.pem $DH_KEY_SIZE
fi
2019-06-30 23:06:33 +02:00
./easyrsa build-server-full "$SERVER_NAME" nopass