The crypto update 🔐

- Removed "fast" and "slow" mode (not a good idea, I prefer to give the choice for the parameters directly) - Corrected some confusion between the cipher for the data channel and the control channel, my bad. - using TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 by default for the control channel - using SHA384 by default for HMAC auth and RSA certificate - giving the choice for the cipher of the data channel, the size of the DH key and the RSA Key I will explain all my choices here : https://github.com/Angristan/OpenVPN-install#encryption (likely tomorrow)
2016-11-28 22:13:32 +01:00 · 2016-11-28 22:13:32 +01:00 · 56477bba34
parent c03a55f11f
commit 56477bba34
1 changed files with 117 additions and 62 deletions
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -1,6 +1,6 @@
 #!/bin/bash

-# Secure OpenVPN server installer for Debian, Ubuntu and CentOS.
+# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
 # https://github.com/Angristan/OpenVPN-install


@ -57,7 +57,7 @@ fi

 newclient () {
 	# Generates the custom client.ovpn
-	cp /etc/openvpn/client-common.txt ~/$1.ovpn
+	cp /etc/openvpn/client-template.txt ~/$1.ovpn
 	echo "<ca>" >> ~/$1.ovpn
 	cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
 	echo "</ca>" >> ~/$1.ovpn
@ -85,6 +85,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 	while :
 	do
 	clear
+		echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
+		echo ""
 		echo "Looks like OpenVPN is already installed"
 		echo ""
 		echo "What do you want to do?"
@ -183,21 +185,12 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 	done
 else
 	clear
-	echo 'Welcome to the secure OpenVPN installer'
+	echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
 	echo ""
 	# OpenVPN setup and first user creation
 	echo "I need to ask you a few questions before starting the setup"
 	echo "You can leave the default options and just press enter if you are ok with them"
 	echo ""
-	echo "First, choose which variant of the script you want to use."
-	echo '"Fast" is secure, but "slow" provides you the best encryption you can get,'
-	echo "at the cost of some speed (not that slow though)"
-	echo "   1) Fast (2048 bits RSA and DH, 128 bits AES)"
-	echo "   2) Slow (4096 bits RSA and DH, 256 bits AES)"
-	while [[ $VARIANT !=  "1" && $VARIANT != "2" ]]; do
-		read -p "Variant [1-2]: " -e -i 1 VARIANT
-	done
-	echo ""
 	echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
 	echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (local/private IP)"
 	echo "Otherwise, it sould be your public IPv4 address."
@ -222,6 +215,86 @@ else
 		read -p "DNS [1-5]: " -e -i 2 DNS
 	done
 	echo ""
+	echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
+	echo "the encryption in OpenVPN and the choices I made in this script."
+	echo "Please note that all the choices proposed are secure (to a different degree)"
+	echo "and are still viable to date, unlike some default OpenVPN options"
+	echo ''
+	echo "Choose which cipher you want to use for the data channel:"
+	echo "   1) AES-128-CBC (fastest, recommended)"
+	echo "   2) AES-192-CBC"
+	echo "   3) AES-256-CBC (most secure)"
+	echo "Alternatives to AES, use them only if you know what you're doing."
+	echo "They are relatively slower but as secure as AES."
+	echo "   4) CAMELLIA-128-CBC"
+	echo "   5) CAMELLIA-192-CBC"
+	echo "   6) CAMELLIA-256-CBC"
+	echo "   7) SEED-CBC"
+	while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
+		read -p "Cipher [1-7]: " -e -i 1 CIPHER
+	done
+	case $CIPHER in
+		1)
+		CIPHER="cipher AES-128-CBC"
+		;;
+		2)
+		CIPHER="cipher AES-192-CBC"
+		;;
+		3)
+		CIPHER="cipher AES-256-CBC"
+		;;
+		4)
+		CIPHER="cipher CAMELLIA-128-CBC"
+		;;
+		5)
+		CIPHER="cipher CAMELLIA-192-CBC"
+		;;
+		6)
+		CIPHER="cipher CAMELLIA-256-CBC"
+		;;
+		5)
+		CIPHER="cipher SEED-CBC"
+		;;
+	esac
+	echo ""
+	echo "Choose what size of Diffie-Hellman key you want to use:"
+	echo "   1) 2048 bits (fastest)"
+	echo "   2) 3072 bits (recommended, best compromise)"
+	echo "   3) 4096 bits (most secure)"
+	while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
+		read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
+	done
+	case $DH_KEY_SIZE in
+		1)
+		DH_KEY_SIZE="2048"
+		;;
+		2)
+		DH_KEY_SIZE="3072"
+		;;
+		3)
+		DH_KEY_SIZE="4096"
+		;;
+	esac
+	echo ""
+	echo "Choose what size of RSA key you want to use:"
+	echo "   1) 2048 bits (fastest)"
+	echo "   2) 3072 bits (recommended, best compromise)"
+	echo "   3) 4096 bits (most secure)"
+	while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
+		read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE
+	done
+	case $RSA_KEY_SIZE in
+		1)
+		RSA_KEY_SIZE="2048"
+		;;
+		2)
+		RSA_KEY_SIZE="3072"
+		;;
+		3)
+		RSA_KEY_SIZE="4096"
+		;;
+	esac
+	echo ""
 	echo "Finally, tell me a name for the client certificate and configuration"
 	while [[ $CLIENT = "" ]]; do
 		echo "Please, use one word only, no special characters"
@ -326,29 +399,22 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
 	chown -R root:root /etc/openvpn/easy-rsa/
 	rm -rf ~/EasyRSA-3.0.1.tgz
 	cd /etc/openvpn/easy-rsa/
-	# If the user selected the fast, less hardened version
-	if [[ "$VARIANT" = '1' ]]; then
-		echo "set_var EASYRSA_KEY_SIZE 2048
-set_var EASYRSA_DIGEST "sha256"" > vars
-	fi
-	# If the user selected the relatively slow, ultra hardened version
-	if [[ "$VARIANT" = '2' ]]; then
-		echo "set_var EASYRSA_KEY_SIZE 4096
-set_var EASYRSA_DIGEST "sha384"" > vars
-	fi
+	echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
+	echo 'set_var EASYRSA_DIGEST "sha384"' >> vars
 	# Create the PKI, set up the CA, the DH params and the server + client certificates
 	./easyrsa init-pki
 	./easyrsa --batch build-ca nopass
-	./easyrsa gen-dh
+	openssl dhparam $DH_KEY_SIZE -out dh.pem
 	./easyrsa build-server-full server nopass
 	./easyrsa build-client-full $CLIENT nopass
 	./easyrsa gen-crl
 	# generate tls-auth key
 	openvpn --genkey --secret /etc/openvpn/tls-auth.key
 	# Move all the generated files
-	cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+	cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 	# Make cert revocation list readable for non-root
 	chmod 644 /etc/openvpn/crl.pem
+	
 	# Generate server.conf
 	echo "port $PORT" > /etc/openvpn/server.conf
 	if [[ "$PROTOCOL" = 'UDP' ]]; then
@ -357,26 +423,14 @@ set_var EASYRSA_DIGEST "sha384"" > vars
 		echo "proto tcp" >> /etc/openvpn/server.conf
 	fi
 	echo "dev tun
-ca ca.crt
-cert server.crt
-key server.key
-dh dh.pem
 user nobody
 group $NOGROUP
+persist-key
+persist-tun
+keepalive 10 120
 topology subnet
 server 10.8.0.0 255.255.255.0
-ifconfig-pool-persist ipp.txt
-cipher AES-256-CBC
-auth SHA512
-tls-version-min 1.2" >> /etc/openvpn/server.conf
-	if [[ "$VARIANT" = '1' ]]; then
-		# If the user selected the fast, less hardened version
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
-	elif [[ "$VARIANT" = '2' ]]; then
-		# If the user selected the relatively slow, hardened version
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
-	fi
-	echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
+ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 	# DNS resolvers
 	case $DNS in
 		1)
@ -402,13 +456,19 @@ tls-version-min 1.2" >> /etc/openvpn/server.conf
 		echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
 		;;
 	esac
-	echo "keepalive 10 120
-persist-key
-persist-tun
-crl-verify crl.pem
-tls-server
+echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
+echo "crl-verify crl.pem
+ca ca.crt
+cert server.crt
+key server.key
 tls-auth tls-auth.key 0
-status openvpn-status.log
+dh dh.pem
+auth SHA384 
+$CIPHER
+tls-server
+tls-version-min 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+status openvpn.log
 verb 3" >> /etc/openvpn/server.conf

 	# Create the sysctl configuration file if needed (mainly for Arch Linux)
@ -506,12 +566,12 @@ verb 3" >> /etc/openvpn/server.conf
 			IP=$USEREXTERNALIP
 		fi
 	fi
-	# client-common.txt is created so we have a template to add further users later
-	echo "client" > /etc/openvpn/client-common.txt
+	# client-template.txt is created so we have a template to add further users later
+	echo "client" > /etc/openvpn/client-template.txt
 	if [[ "$PROTOCOL" = 'UDP' ]]; then
-		echo "proto udp" >> /etc/openvpn/client-common.txt
+		echo "proto udp" >> /etc/openvpn/client-template.txt
 	elif [[ "$PROTOCOL" = 'TCP' ]]; then
-		echo "proto tcp-client" >> /etc/openvpn/client-common.txt
+		echo "proto tcp-client" >> /etc/openvpn/client-template.txt
 	fi
 	echo "remote $IP $PORT
 dev tun
@ -519,20 +579,15 @@ resolv-retry infinite
 nobind
 persist-key
 persist-tun
-setenv opt block-outside-dns
-verb 3
 remote-cert-tls server
-cipher AES-256-CBC
-auth SHA512
+auth SHA384
+$CIPHER
+tls-client
 tls-version-min 1.2
-tls-client" >> /etc/openvpn/client-common.txt
-	if [[ "$VARIANT" = '1' ]]; then
-		# If the user selected the fast, less hardened version
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
-	elif [[ "$VARIANT" = '2' ]]; then
-		# If the user selected the relatively slow, hardened version
-		echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
-	fi
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
+setenv opt block-outside-dns
+verb 3" >> /etc/openvpn/client-template.txt
+
 	# Generate the custom client.ovpn
 	newclient "$CLIENT"
 	echo ""