diff --git a/openvpn-install.sh b/openvpn-install.sh
index d79620f..7c2cffc 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -3,26 +3,26 @@
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
# https://github.com/angristan/openvpn-install
-function isRoot () {
+function isRoot() {
if [ "$EUID" -ne 0 ]; then
return 1
fi
}
-function tunAvailable () {
+function tunAvailable() {
if [ ! -e /dev/net/tun ]; then
return 1
fi
}
-function checkOS () {
+function checkOS() {
if [[ -e /etc/debian_version ]]; then
OS="debian"
# shellcheck disable=SC1091
source /etc/os-release
- if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
- if [[ "$VERSION_ID" -lt 8 ]]; then
+ if [[ $ID == "debian" || $ID == "raspbian" ]]; then
+ if [[ $VERSION_ID -lt 8 ]]; then
echo "⚠️ Your version of Debian is not supported."
echo ""
echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
@@ -30,11 +30,11 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
- if [[ "$CONTINUE" == "n" ]]; then
+ if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
- elif [[ "$ID" == "ubuntu" ]];then
+ elif [[ $ID == "ubuntu" ]]; then
OS="ubuntu"
MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
@@ -45,7 +45,7 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
- if [[ "$CONTINUE" == "n" ]]; then
+ if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
@@ -53,10 +53,10 @@ function checkOS () {
elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091
source /etc/os-release
- if [[ "$ID" == "fedora" ]]; then
+ if [[ $ID == "fedora" ]]; then
OS="fedora"
fi
- if [[ "$ID" == "centos" ]]; then
+ if [[ $ID == "centos" ]]; then
OS="centos"
if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported."
@@ -66,9 +66,9 @@ function checkOS () {
exit 1
fi
fi
- if [[ "$ID" == "amzn" ]]; then
+ if [[ $ID == "amzn" ]]; then
OS="amzn"
- if [[ ! $VERSION_ID == "2" ]]; then
+ if [[ $VERSION_ID != "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported."
echo ""
echo "The script only support Amazon Linux 2."
@@ -84,7 +84,7 @@ function checkOS () {
fi
}
-function initialCheck () {
+function initialCheck() {
if ! isRoot; then
echo "Sorry, you need to run this as root"
exit 1
@@ -96,11 +96,11 @@ function initialCheck () {
checkOS
}
-function installUnbound () {
+function installUnbound() {
# If Unbound isn't installed, install it
if [[ ! -e /etc/unbound/unbound.conf ]]; then
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get install -y unbound
# Configuration
@@ -109,9 +109,9 @@ access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
-prefetch: yes' >> /etc/unbound/unbound.conf
+prefetch: yes' >>/etc/unbound/unbound.conf
- elif [[ "$OS" =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn) ]]; then
yum install -y unbound
# Configuration
@@ -121,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
- elif [[ "$OS" == "fedora" ]]; then
+ elif [[ $OS == "fedora" ]]; then
dnf install -y unbound
# Configuration
@@ -131,7 +131,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
- elif [[ "$OS" == "arch" ]]; then
+ elif [[ $OS == "arch" ]]; then
pacman -Syu --noconfirm unbound
# Get root servers list
@@ -157,10 +157,10 @@ prefetch: yes' >> /etc/unbound/unbound.conf
hide-identity: yes
hide-version: yes
qname-minimisation: yes
- prefetch: yes' > /etc/unbound/unbound.conf
+ prefetch: yes' >/etc/unbound/unbound.conf
fi
- if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
+ if [[ ! $OS =~ (fedora|centos|amzn) ]]; then
# DNS Rebinding fix
echo "private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
@@ -169,10 +169,10 @@ private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
+private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf
fi
else # Unbound is already installed
- echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
+ echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf
# Add Unbound 'server' for the OpenVPN subnet
echo 'server:
@@ -189,14 +189,14 @@ private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
-private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
+private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
fi
- systemctl enable unbound
- systemctl restart unbound
+ systemctl enable unbound
+ systemctl restart unbound
}
-function installQuestions () {
+function installQuestions() {
echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo ""
@@ -218,7 +218,7 @@ function installQuestions () {
echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
echo "We need it for the clients to connect to the server."
- until [[ "$ENDPOINT" != "" ]]; do
+ until [[ $ENDPOINT != "" ]]; do
read -rp "Public IPv4 address or hostname: " -e ENDPOINT
done
fi
@@ -227,7 +227,7 @@ function installQuestions () {
echo "Checking for IPv6 connectivity..."
echo ""
# "ping6" and "ping -6" availability varies depending on the distribution
- if type ping6 > /dev/null 2>&1; then
+ if type ping6 >/dev/null 2>&1; then
PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1"
else
PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1"
@@ -249,22 +249,22 @@ function installQuestions () {
echo " 1) Default: 1194"
echo " 2) Custom"
echo " 3) Random [49152-65535]"
- until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
+ until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done
case $PORT_CHOICE in
- 1)
- PORT="1194"
+ 1)
+ PORT="1194"
;;
- 2)
- until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
- read -rp "Custom port [1-65535]: " -e -i 1194 PORT
- done
+ 2)
+ until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
+ read -rp "Custom port [1-65535]: " -e -i 1194 PORT
+ done
;;
- 3)
- # Generate random number within private ports range
- PORT=$(shuf -i49152-65535 -n1)
- echo "Random Port: $PORT"
+ 3)
+ # Generate random number within private ports range
+ PORT=$(shuf -i49152-65535 -n1)
+ echo "Random Port: $PORT"
;;
esac
echo ""
@@ -272,15 +272,15 @@ function installQuestions () {
echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
echo " 1) UDP"
echo " 2) TCP"
- until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
+ until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
done
case $PROTOCOL_CHOICE in
- 1)
- PROTOCOL="udp"
+ 1)
+ PROTOCOL="udp"
;;
- 2)
- PROTOCOL="tcp"
+ 2)
+ PROTOCOL="tcp"
;;
esac
echo ""
@@ -298,42 +298,42 @@ function installQuestions () {
echo " 11) AdGuard DNS (Anycast: worldwide)"
echo " 12) NextDNS (Anycast: worldwide)"
echo " 13) Custom"
- until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
+ until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS
- if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
- echo ""
- echo "Unbound is already installed."
- echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
- echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
- echo "No changes are made to the current configuration."
- echo ""
+ if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
+ echo ""
+ echo "Unbound is already installed."
+ echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
+ echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
+ echo "No changes are made to the current configuration."
+ echo ""
- until [[ $CONTINUE =~ (y|n) ]]; do
- read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
- done
- if [[ $CONTINUE == "n" ]];then
- # Break the loop and cleanup
- unset DNS
- unset CONTINUE
- fi
- elif [[ $DNS == "13" ]]; then
- until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
- read -rp "Primary DNS: " -e DNS1
- done
- until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
- read -rp "Secondary DNS (optional): " -e DNS2
- if [[ "$DNS2" == "" ]]; then
- break
- fi
- done
+ until [[ $CONTINUE =~ (y|n) ]]; do
+ read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
+ done
+ if [[ $CONTINUE == "n" ]]; then
+ # Break the loop and cleanup
+ unset DNS
+ unset CONTINUE
fi
+ elif [[ $DNS == "13" ]]; then
+ until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+ read -rp "Primary DNS: " -e DNS1
+ done
+ until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
+ read -rp "Secondary DNS (optional): " -e DNS2
+ if [[ $DNS2 == "" ]]; then
+ break
+ fi
+ done
+ fi
done
echo ""
echo "Do you want to use compression? It is not recommended since the VORACLE attack make use of it."
until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done
- if [[ $COMPRESSION_ENABLED == "y" ]];then
+ if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
echo " 1) LZ4-v2"
echo " 2) LZ4"
@@ -342,13 +342,13 @@ function installQuestions () {
read -rp"Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
done
case $COMPRESSION_CHOICE in
- 1)
+ 1)
COMPRESSION_ALG="lz4-v2"
;;
- 2)
+ 2)
COMPRESSION_ALG="lz4"
;;
- 3)
+ 3)
COMPRESSION_ALG="lzo"
;;
esac
@@ -362,7 +362,7 @@ function installQuestions () {
until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do
read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC
done
- if [[ $CUSTOMIZE_ENC == "n" ]];then
+ if [[ $CUSTOMIZE_ENC == "n" ]]; then
# Use default, sane and fast parameters
CIPHER="AES-128-GCM"
CERT_TYPE="1" # ECDSA
@@ -381,27 +381,27 @@ function installQuestions () {
echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
- until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
+ until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
done
case $CIPHER_CHOICE in
- 1)
- CIPHER="AES-128-GCM"
+ 1)
+ CIPHER="AES-128-GCM"
;;
- 2)
- CIPHER="AES-192-GCM"
+ 2)
+ CIPHER="AES-192-GCM"
;;
- 3)
- CIPHER="AES-256-GCM"
+ 3)
+ CIPHER="AES-256-GCM"
;;
- 4)
- CIPHER="AES-128-CBC"
+ 4)
+ CIPHER="AES-128-CBC"
;;
- 5)
- CIPHER="AES-192-CBC"
+ 5)
+ CIPHER="AES-192-CBC"
;;
- 6)
- CIPHER="AES-256-CBC"
+ 6)
+ CIPHER="AES-256-CBC"
;;
esac
echo ""
@@ -412,81 +412,81 @@ function installQuestions () {
read -rp"Certificate key type [1-2]: " -e -i 1 CERT_TYPE
done
case $CERT_TYPE in
+ 1)
+ echo ""
+ echo "Choose which curve you want to use for the certificate's key:"
+ echo " 1) prime256v1 (recommended)"
+ echo " 2) secp384r1"
+ echo " 3) secp521r1"
+ until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do
+ read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE
+ done
+ case $CERT_CURVE_CHOICE in
1)
- echo ""
- echo "Choose which curve you want to use for the certificate's key:"
- echo " 1) prime256v1 (recommended)"
- echo " 2) secp384r1"
- echo " 3) secp521r1"
- until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do
- read -rp"Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE
- done
- case $CERT_CURVE_CHOICE in
- 1)
- CERT_CURVE="prime256v1"
- ;;
- 2)
- CERT_CURVE="secp384r1"
- ;;
- 3)
- CERT_CURVE="secp521r1"
- ;;
- esac
- ;;
+ CERT_CURVE="prime256v1"
+ ;;
2)
- echo ""
- echo "Choose which size you want to use for the certificate's RSA key:"
- echo " 1) 2048 bits (recommended)"
- echo " 2) 3072 bits"
- echo " 3) 4096 bits"
- until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
- read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
- done
- case $RSA_KEY_SIZE_CHOICE in
- 1)
- RSA_KEY_SIZE="2048"
- ;;
- 2)
- RSA_KEY_SIZE="3072"
- ;;
- 3)
- RSA_KEY_SIZE="4096"
- ;;
- esac
+ CERT_CURVE="secp384r1"
+ ;;
+ 3)
+ CERT_CURVE="secp521r1"
+ ;;
+ esac
+ ;;
+ 2)
+ echo ""
+ echo "Choose which size you want to use for the certificate's RSA key:"
+ echo " 1) 2048 bits (recommended)"
+ echo " 2) 3072 bits"
+ echo " 3) 4096 bits"
+ until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
+ read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
+ done
+ case $RSA_KEY_SIZE_CHOICE in
+ 1)
+ RSA_KEY_SIZE="2048"
+ ;;
+ 2)
+ RSA_KEY_SIZE="3072"
+ ;;
+ 3)
+ RSA_KEY_SIZE="4096"
+ ;;
+ esac
;;
esac
echo ""
echo "Choose which cipher you want to use for the control channel:"
case $CERT_TYPE in
+ 1)
+ echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)"
+ echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384"
+ until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
+ read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
+ done
+ case $CC_CIPHER_CHOICE in
1)
- echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)"
- echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384"
- until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
- read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
- done
- case $CC_CIPHER_CHOICE in
- 1)
- CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
- ;;
- 2)
- CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
- ;;
- esac
- ;;
+ CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
+ ;;
2)
- echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)"
- echo " 2) ECDHE-RSA-AES-256-GCM-SHA384"
- until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
- read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
- done
- case $CC_CIPHER_CHOICE in
- 1)
- CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
- ;;
- 2)
- CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
- ;;
- esac
+ CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
+ ;;
+ esac
+ ;;
+ 2)
+ echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)"
+ echo " 2) ECDHE-RSA-AES-256-GCM-SHA384"
+ until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
+ read -rp"Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
+ done
+ case $CC_CIPHER_CHOICE in
+ 1)
+ CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
+ ;;
+ 2)
+ CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
+ ;;
+ esac
;;
esac
echo ""
@@ -497,54 +497,54 @@ function installQuestions () {
read -rp"DH key type [1-2]: " -e -i 1 DH_TYPE
done
case $DH_TYPE in
+ 1)
+ echo ""
+ echo "Choose which curve you want to use for the ECDH key:"
+ echo " 1) prime256v1 (recommended)"
+ echo " 2) secp384r1"
+ echo " 3) secp521r1"
+ while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do
+ read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE
+ done
+ case $DH_CURVE_CHOICE in
1)
- echo ""
- echo "Choose which curve you want to use for the ECDH key:"
- echo " 1) prime256v1 (recommended)"
- echo " 2) secp384r1"
- echo " 3) secp521r1"
- while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do
- read -rp"Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE
- done
- case $DH_CURVE_CHOICE in
- 1)
- DH_CURVE="prime256v1"
- ;;
- 2)
- DH_CURVE="secp384r1"
- ;;
- 3)
- DH_CURVE="secp521r1"
- ;;
- esac
- ;;
+ DH_CURVE="prime256v1"
+ ;;
2)
- echo ""
- echo "Choose what size of Diffie-Hellman key you want to use:"
- echo " 1) 2048 bits (recommended)"
- echo " 2) 3072 bits"
- echo " 3) 4096 bits"
- until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
- read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
- done
- case $DH_KEY_SIZE_CHOICE in
- 1)
- DH_KEY_SIZE="2048"
- ;;
- 2)
- DH_KEY_SIZE="3072"
- ;;
- 3)
- DH_KEY_SIZE="4096"
- ;;
- esac
+ DH_CURVE="secp384r1"
+ ;;
+ 3)
+ DH_CURVE="secp521r1"
+ ;;
+ esac
+ ;;
+ 2)
+ echo ""
+ echo "Choose what size of Diffie-Hellman key you want to use:"
+ echo " 1) 2048 bits (recommended)"
+ echo " 2) 3072 bits"
+ echo " 3) 4096 bits"
+ until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
+ read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
+ done
+ case $DH_KEY_SIZE_CHOICE in
+ 1)
+ DH_KEY_SIZE="2048"
+ ;;
+ 2)
+ DH_KEY_SIZE="3072"
+ ;;
+ 3)
+ DH_KEY_SIZE="4096"
+ ;;
+ esac
;;
esac
echo ""
# The "auth" options behaves differently with AEAD ciphers
- if [[ "$CIPHER" =~ CBC$ ]]; then
+ if [[ $CIPHER =~ CBC$ ]]; then
echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
- elif [[ "$CIPHER" =~ GCM$ ]]; then
+ elif [[ $CIPHER =~ GCM$ ]]; then
echo "The digest algorithm authenticates tls-auth packets from the control channel."
fi
echo "Which digest algorithm do you want to use for HMAC?"
@@ -555,14 +555,14 @@ function installQuestions () {
read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE
done
case $HMAC_ALG_CHOICE in
- 1)
- HMAC_ALG="SHA256"
+ 1)
+ HMAC_ALG="SHA256"
;;
- 2)
- HMAC_ALG="SHA384"
+ 2)
+ HMAC_ALG="SHA384"
;;
- 3)
- HMAC_ALG="SHA512"
+ 3)
+ HMAC_ALG="SHA512"
;;
esac
echo ""
@@ -571,7 +571,7 @@ function installQuestions () {
echo " 1) tls-crypt (recommended)"
echo " 2) tls-auth"
until [[ $TLS_SIG =~ [1-2] ]]; do
- read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG
+ read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG
done
fi
echo ""
@@ -583,7 +583,7 @@ function installQuestions () {
fi
}
-function installOpenVPN () {
+function installOpenVPN() {
if [[ $AUTO_INSTALL == "y" ]]; then
# Set default choices so that no questions will be asked.
APPROVE_INSTALL=${APPROVE_INSTALL:-y}
@@ -612,52 +612,52 @@ function installOpenVPN () {
# Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
- if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then
+ if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
fi
# $NIC can not be empty for script rm-openvpn-rules.sh
- if [[ -z "$NIC" ]]; then
- echo
- echo "Can not detect public interface."
- echo "This needs for setup MASQUERADE."
- until [[ $CONTINUE =~ (y|n) ]]; do
- read -rp "Continue? [y/n]: " -e CONTINUE
- done
- if [[ "$CONTINUE" == "n" ]]; then
- exit 1
- fi
- fi
+ if [[ -z $NIC ]]; then
+ echo
+ echo "Can not detect public interface."
+ echo "This needs for setup MASQUERADE."
+ until [[ $CONTINUE =~ (y|n) ]]; do
+ read -rp "Continue? [y/n]: " -e CONTINUE
+ done
+ if [[ $CONTINUE == "n" ]]; then
+ exit 1
+ fi
+ fi
# If OpenVPN isn't installed yet, install it. This script is more-or-less
# idempotent on multiple runs, but will only install OpenVPN from upstream
# the first time.
if [[ ! -e /etc/openvpn/server.conf ]]; then
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update
apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version.
- if [[ "$VERSION_ID" = "8" ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
+ if [[ $VERSION_ID == "8" ]]; then
+ echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
- if [[ "$VERSION_ID" = "16.04" ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
+ if [[ $VERSION_ID == "16.04" ]]; then
+ echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
apt-get install -y openvpn iptables openssl wget ca-certificates curl
- elif [[ "$OS" = 'centos' ]]; then
+ elif [[ $OS == 'centos' ]]; then
yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
- elif [[ "$OS" = 'amzn' ]]; then
+ elif [[ $OS == 'amzn' ]]; then
amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl
- elif [[ "$OS" = 'fedora' ]]; then
+ elif [[ $OS == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl
- elif [[ "$OS" = 'arch' ]]; then
+ elif [[ $OS == 'arch' ]]; then
# Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi
@@ -687,22 +687,22 @@ function installOpenVPN () {
cd /etc/openvpn/easy-rsa/ || return
case $CERT_TYPE in
- 1)
- echo "set_var EASYRSA_ALGO ec" > vars
- echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars
+ 1)
+ echo "set_var EASYRSA_ALGO ec" >vars
+ echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars
;;
- 2)
- echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
+ 2)
+ echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars
;;
esac
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
- echo "$SERVER_CN" > SERVER_CN_GENERATED
+ echo "$SERVER_CN" >SERVER_CN_GENERATED
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
- echo "$SERVER_NAME" > SERVER_NAME_GENERATED
+ echo "$SERVER_NAME" >SERVER_NAME_GENERATED
- echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
+ echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
@@ -722,13 +722,13 @@ function installOpenVPN () {
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
case $TLS_SIG in
- 1)
- # Generate tls-crypt key
- openvpn --genkey --secret /etc/openvpn/tls-crypt.key
+ 1)
+ # Generate tls-crypt key
+ openvpn --genkey --secret /etc/openvpn/tls-crypt.key
;;
- 2)
- # Generate tls-auth key
- openvpn --genkey --secret /etc/openvpn/tls-auth.key
+ 2)
+ # Generate tls-auth key
+ openvpn --genkey --secret /etc/openvpn/tls-auth.key
;;
esac
else
@@ -748,11 +748,11 @@ function installOpenVPN () {
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
- echo "port $PORT" > /etc/openvpn/server.conf
- if [[ "$IPV6_SUPPORT" == 'n' ]]; then
- echo "proto $PROTOCOL" >> /etc/openvpn/server.conf
- elif [[ "$IPV6_SUPPORT" == 'y' ]]; then
- echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf
+ echo "port $PORT" >/etc/openvpn/server.conf
+ if [[ $IPV6_SUPPORT == 'n' ]]; then
+ echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
+ elif [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
fi
echo "dev tun
@@ -763,101 +763,101 @@ persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
-ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
+ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
# DNS resolvers
case $DNS in
- 1) # Current system resolvers
- # Locate the proper resolv.conf
- # Needed for systems running systemd-resolved
- if grep -q "127.0.0.53" "/etc/resolv.conf"; then
- RESOLVCONF='/run/systemd/resolve/resolv.conf'
- else
- RESOLVCONF='/etc/resolv.conf'
- fi
- # Obtain the resolvers from resolv.conf and use them for OpenVPN
- grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
- echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
- done
+ 1) # Current system resolvers
+ # Locate the proper resolv.conf
+ # Needed for systems running systemd-resolved
+ if grep -q "127.0.0.53" "/etc/resolv.conf"; then
+ RESOLVCONF='/run/systemd/resolve/resolv.conf'
+ else
+ RESOLVCONF='/etc/resolv.conf'
+ fi
+ # Obtain the resolvers from resolv.conf and use them for OpenVPN
+ grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
+ echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
+ done
;;
- 2) # Self-hosted DNS resolver (Unbound)
- echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf
+ 2) # Self-hosted DNS resolver (Unbound)
+ echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
;;
- 3) # Cloudflare
- echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
+ 3) # Cloudflare
+ echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf
;;
- 4) # Quad9
- echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
+ 4) # Quad9
+ echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf
;;
- 5) # Quad9 uncensored
- echo 'push "dhcp-option DNS 9.9.9.10"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 149.112.112.10"' >> /etc/openvpn/server.conf
+ 5) # Quad9 uncensored
+ echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf
;;
- 6) # FDN
- echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
+ 6) # FDN
+ echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf
;;
- 7) # DNS.WATCH
- echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
+ 7) # DNS.WATCH
+ echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf
;;
- 8) # OpenDNS
- echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
+ 8) # OpenDNS
+ echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf
;;
- 9) # Google
- echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
+ 9) # Google
+ echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf
;;
- 10) # Yandex Basic
- echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
+ 10) # Yandex Basic
+ echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf
;;
- 11) # AdGuard DNS
- echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
+ 11) # AdGuard DNS
+ echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf
;;
- 12) # NextDNS
- echo 'push "dhcp-option DNS 45.90.28.167"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 45.90.30.167"' >> /etc/openvpn/server.conf
+ 12) # NextDNS
+ echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf
+ echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf
;;
- 13) # Custom DNS
- echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
- if [[ "$DNS2" != "" ]]; then
- echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
+ 13) # Custom DNS
+ echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
+ if [[ $DNS2 != "" ]]; then
+ echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
fi
;;
esac
- echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
+ echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
# IPv6 network settings if needed
- if [[ "$IPV6_SUPPORT" == 'y' ]]; then
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
-push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
+push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
fi
- if [[ $COMPRESSION_ENABLED == "y" ]]; then
- echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf
+ if [[ $COMPRESSION_ENABLED == "y" ]]; then
+ echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf
fi
if [[ $DH_TYPE == "1" ]]; then
- echo "dh none" >> /etc/openvpn/server.conf
- echo "ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf
+ echo "dh none" >>/etc/openvpn/server.conf
+ echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf
elif [[ $DH_TYPE == "2" ]]; then
- echo "dh dh.pem" >> /etc/openvpn/server.conf
+ echo "dh dh.pem" >>/etc/openvpn/server.conf
fi
case $TLS_SIG in
- 1)
- echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
+ 1)
+ echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf
;;
- 2)
- echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
+ 2)
+ echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
;;
esac
@@ -873,7 +873,7 @@ tls-version-min 1.2
tls-cipher $CC_CIPHER
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
-verb 3" >> /etc/openvpn/server.conf
+verb 3" >>/etc/openvpn/server.conf
# Create client-config-dir dir
mkdir -p /etc/openvpn/ccd
@@ -881,9 +881,9 @@ verb 3" >> /etc/openvpn/server.conf
mkdir -p /var/log/openvpn
# Enable routing
- echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/20-openvpn.conf
- if [[ "$IPV6_SUPPORT" = 'y' ]]; then
- echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
+ echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
+ echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf
fi
# Apply sysctl rules
sysctl --system
@@ -891,14 +891,14 @@ verb 3" >> /etc/openvpn/server.conf
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
+ if [[ $PORT != '1194' ]]; then
semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi
fi
fi
# Finally, restart and enable OpenVPN
- if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then
+ if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
# Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@@ -907,14 +907,14 @@ verb 3" >> /etc/openvpn/server.conf
# Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
- if [[ "$OS" == "fedora" ]];then
+ if [[ $OS == "fedora" ]]; then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi
systemctl daemon-reload
systemctl enable openvpn-server@server
systemctl restart openvpn-server@server
- elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+ elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service
systemctl enable openvpn
@@ -933,7 +933,7 @@ verb 3" >> /etc/openvpn/server.conf
systemctl restart openvpn@server
fi
- if [[ $DNS == 2 ]];then
+ if [[ $DNS == 2 ]]; then
installUnbound
fi
@@ -946,13 +946,13 @@ iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
-iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
+iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh
- if [[ "$IPV6_SUPPORT" == 'y' ]]; then
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
-ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
fi
# Script to remove rules
@@ -961,13 +961,13 @@ iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
-iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
+iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh
- if [[ "$IPV6_SUPPORT" == 'y' ]]; then
+ if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
-ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
fi
chmod +x /etc/iptables/add-openvpn-rules.sh
@@ -986,7 +986,7 @@ ExecStop=/etc/iptables/rm-openvpn-rules.sh
RemainAfterExit=yes
[Install]
-WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
+WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
# Enable service and apply rules
systemctl daemon-reload
@@ -994,17 +994,17 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
systemctl start iptables-openvpn
# If the server is behind a NAT, use the correct IP address for the clients to connect to
- if [[ "$ENDPOINT" != "" ]]; then
+ if [[ $ENDPOINT != "" ]]; then
IP=$ENDPOINT
fi
# client-template.txt is created so we have a template to add further users later
- echo "client" > /etc/openvpn/client-template.txt
- if [[ "$PROTOCOL" == 'udp' ]]; then
- echo "proto udp" >> /etc/openvpn/client-template.txt
- echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt
- elif [[ "$PROTOCOL" == 'tcp' ]]; then
- echo "proto tcp-client" >> /etc/openvpn/client-template.txt
+ echo "client" >/etc/openvpn/client-template.txt
+ if [[ $PROTOCOL == 'udp' ]]; then
+ echo "proto udp" >>/etc/openvpn/client-template.txt
+ echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
+ elif [[ $PROTOCOL == 'tcp' ]]; then
+ echo "proto tcp-client" >>/etc/openvpn/client-template.txt
fi
echo "remote $IP $PORT
dev tun
@@ -1022,23 +1022,23 @@ tls-version-min 1.2
tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
-verb 3" >> /etc/openvpn/client-template.txt
+verb 3" >>/etc/openvpn/client-template.txt
-if [[ $COMPRESSION_ENABLED == "y" ]]; then
- echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt
-fi
+ if [[ $COMPRESSION_ENABLED == "y" ]]; then
+ echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
+ fi
# Generate the custom client.ovpn
newClient
echo "If you want to add more clients, you simply need to run this script another time!"
}
-function newClient () {
+function newClient() {
echo ""
echo "Tell me a name for the client."
echo "Use one word only, no special characters."
- until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
+ until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
read -rp "Client name: " -e CLIENT
done
@@ -1048,30 +1048,30 @@ function newClient () {
echo " 1) Add a passwordless client"
echo " 2) Use a password for the client"
- until [[ "$PASS" =~ ^[1-2]$ ]]; do
+ until [[ $PASS =~ ^[1-2]$ ]]; do
read -rp "Select an option [1-2]: " -e -i 1 PASS
done
CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
- if [[ "$CLIENTEXISTS" = '1' ]]; then
+ if [[ $CLIENTEXISTS == '1' ]]; then
echo ""
echo "The specified client CN was found in easy-rsa."
else
cd /etc/openvpn/easy-rsa/ || return
case $PASS in
- 1)
- ./easyrsa build-client-full "$CLIENT" nopass
+ 1)
+ ./easyrsa build-client-full "$CLIENT" nopass
;;
- 2)
+ 2)
echo "⚠️ You will be asked for the client password below ⚠️"
- ./easyrsa build-client-full "$CLIENT"
+ ./easyrsa build-client-full "$CLIENT"
;;
esac
echo "Client $CLIENT added."
fi
# Home directory of the user, where the client configuration (.ovpn) will be written
- if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
+ if [ -e "/home/$CLIENT" ]; then # if $1 is a user name
homeDir="/home/$CLIENT"
elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}"
@@ -1102,19 +1102,19 @@ function newClient () {
echo ""
case $TLS_SIG in
- 1)
- echo ""
- cat /etc/openvpn/tls-crypt.key
- echo ""
+ 1)
+ echo ""
+ cat /etc/openvpn/tls-crypt.key
+ echo ""
;;
- 2)
- echo "key-direction 1"
- echo ""
- cat /etc/openvpn/tls-auth.key
- echo ""
+ 2)
+ echo "key-direction 1"
+ echo ""
+ cat /etc/openvpn/tls-auth.key
+ echo ""
;;
esac
- } >> "$homeDir/$CLIENT.ovpn"
+ } >>"$homeDir/$CLIENT.ovpn"
echo ""
echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
@@ -1123,9 +1123,9 @@ function newClient () {
exit 0
}
-function revokeClient () {
+function revokeClient() {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
- if [[ "$NUMBEROFCLIENTS" == '0' ]]; then
+ if [[ $NUMBEROFCLIENTS == '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 1
@@ -1134,7 +1134,7 @@ function revokeClient () {
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
- if [[ "$NUMBEROFCLIENTS" == '1' ]]; then
+ if [[ $NUMBEROFCLIENTS == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER
else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
@@ -1155,7 +1155,7 @@ function revokeClient () {
echo "Certificate for client $CLIENT revoked."
}
-function removeUnbound () {
+function removeUnbound() {
# Remove OpenVPN-related config
sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf
rm /etc/unbound/openvpn.conf
@@ -1166,17 +1166,17 @@ function removeUnbound () {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done
- if [[ "$REMOVE_UNBOUND" == 'y' ]]; then
+ if [[ $REMOVE_UNBOUND == 'y' ]]; then
# Stop Unbound
systemctl stop unbound
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y unbound
- elif [[ "$OS" == 'arch' ]]; then
+ elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R unbound
- elif [[ "$OS" =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y unbound
- elif [[ "$OS" == 'fedora' ]]; then
+ elif [[ $OS == 'fedora' ]]; then
dnf remove -y unbound
fi
@@ -1191,21 +1191,21 @@ function removeUnbound () {
fi
}
-function removeOpenVPN () {
+function removeOpenVPN() {
echo ""
# shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
- if [[ "$REMOVE" == 'y' ]]; then
+ if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
# Stop OpenVPN
- if [[ "$OS" =~ (fedora|arch|centos) ]]; then
+ if [[ $OS =~ (fedora|arch|centos) ]]; then
systemctl disable openvpn-server@server
systemctl stop openvpn-server@server
# Remove customised service
rm /etc/systemd/system/openvpn-server@.service
- elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
+ elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
systemctl disable openvpn
systemctl stop openvpn
else
@@ -1227,23 +1227,23 @@ function removeOpenVPN () {
# SELinux
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
+ if [[ $PORT != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp "$PORT"
fi
fi
fi
- if [[ "$OS" =~ (debian|ubuntu) ]]; then
+ if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y openvpn
- if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then
+ if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
rm /etc/apt/sources.list.d/openvpn.list
apt-get update
fi
- elif [[ "$OS" == 'arch' ]]; then
+ elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R openvpn
- elif [[ "$OS" =~ (centos|amzn) ]]; then
+ elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y openvpn
- elif [[ "$OS" == 'fedora' ]]; then
+ elif [[ $OS == 'fedora' ]]; then
dnf remove -y openvpn
fi
@@ -1267,7 +1267,7 @@ function removeOpenVPN () {
fi
}
-function manageMenu () {
+function manageMenu() {
clear
echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
@@ -1279,22 +1279,22 @@ function manageMenu () {
echo " 2) Revoke existing user"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
- until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do
+ until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
read -rp "Select an option [1-4]: " MENU_OPTION
done
case $MENU_OPTION in
- 1)
- newClient
+ 1)
+ newClient
;;
- 2)
- revokeClient
+ 2)
+ revokeClient
;;
- 3)
- removeOpenVPN
+ 3)
+ removeOpenVPN
;;
- 4)
- exit 0
+ 4)
+ exit 0
;;
esac
}