octoleo
/
openvpn-install
mirror of https://github.com/namibia/openvpn-install.git
1
1
Fork 0
Code Issues Releases Activity

style(script): format with shfmt (#638) 

shfmt -w -s
This commit is contained in:
Stanislas 2020-04-27 14:59:19 +02:00 committed by GitHub
parent e3139cd877
commit 6cc0022dff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 380 additions and 380 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

308
openvpn-install.sh
View File

@ -3,26 +3,26 @@
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora and Arch Linux
# https://github.com/angristan/openvpn-install
function isRoot () {
function isRoot() {
if [ "$EUID" -ne 0 ]; then
return 1
fi
}
function tunAvailable () {
function tunAvailable() {
if [ ! -e /dev/net/tun ]; then
return 1
fi
}
function checkOS () {
function checkOS() {
if [[ -e /etc/debian_version ]]; then
OS="debian"
# shellcheck disable=SC1091
source /etc/os-release
if [[ "$ID" == "debian" || "$ID" == "raspbian" ]]; then
if [[ "$VERSION_ID" -lt 8 ]]; then
if [[ $ID == "debian" || $ID == "raspbian" ]]; then
if [[ $VERSION_ID -lt 8 ]]; then
echo "⚠️ Your version of Debian is not supported."
echo ""
echo "However, if you're using Debian >= 8 or unstable/testing then you can continue, at your own risk."
@ -30,11 +30,11 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" == "n" ]]; then
if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
elif [[ "$ID" == "ubuntu" ]];then
elif [[ $ID == "ubuntu" ]]; then
OS="ubuntu"
MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
@ -45,7 +45,7 @@ function checkOS () {
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" == "n" ]]; then
if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
@ -53,10 +53,10 @@ function checkOS () {
elif [[ -e /etc/system-release ]]; then
# shellcheck disable=SC1091
source /etc/os-release
if [[ "$ID" == "fedora" ]]; then
if [[ $ID == "fedora" ]]; then
OS="fedora"
fi
if [[ "$ID" == "centos" ]]; then
if [[ $ID == "centos" ]]; then
OS="centos"
if [[ ! $VERSION_ID =~ (7|8) ]]; then
echo "⚠️ Your version of CentOS is not supported."
@ -66,9 +66,9 @@ function checkOS () {
exit 1
fi
fi
if [[ "$ID" == "amzn" ]]; then
if [[ $ID == "amzn" ]]; then
OS="amzn"
if [[ ! $VERSION_ID == "2" ]]; then
if [[ $VERSION_ID != "2" ]]; then
echo "⚠️ Your version of Amazon Linux is not supported."
echo ""
echo "The script only support Amazon Linux 2."
@ -84,7 +84,7 @@ function checkOS () {
fi
}
function initialCheck () {
function initialCheck() {
if ! isRoot; then
echo "Sorry, you need to run this as root"
exit 1
@ -96,11 +96,11 @@ function initialCheck () {
checkOS
}
function installUnbound () {
function installUnbound() {
# If Unbound isn't installed, install it
if [[ ! -e /etc/unbound/unbound.conf ]]; then
if [[ "$OS" =~ (debian|ubuntu) ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get install -y unbound
# Configuration
@ -109,9 +109,9 @@ access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes' >> /etc/unbound/unbound.conf
prefetch: yes' >>/etc/unbound/unbound.conf
elif [[ "$OS" =~ (centos|amzn) ]]; then
elif [[ $OS =~ (centos|amzn) ]]; then
yum install -y unbound
# Configuration
@ -121,7 +121,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" == "fedora" ]]; then
elif [[ $OS == "fedora" ]]; then
dnf install -y unbound
# Configuration
@ -131,7 +131,7 @@ prefetch: yes' >> /etc/unbound/unbound.conf
sed -i 's|# hide-version: no|hide-version: yes|' /etc/unbound/unbound.conf
sed -i 's|# use-caps-for-id: no|use-caps-for-id: yes|' /etc/unbound/unbound.conf
elif [[ "$OS" == "arch" ]]; then
elif [[ $OS == "arch" ]]; then
pacman -Syu --noconfirm unbound
# Get root servers list
@ -157,10 +157,10 @@ prefetch: yes' >> /etc/unbound/unbound.conf
hide-identity: yes
hide-version: yes
qname-minimisation: yes
prefetch: yes' > /etc/unbound/unbound.conf
prefetch: yes' >/etc/unbound/unbound.conf
fi
if [[ ! "$OS" =~ (fedora|centos|amzn) ]];then
if [[ ! $OS =~ (fedora|centos|amzn) ]]; then
# DNS Rebinding fix
echo "private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
@ -169,10 +169,10 @@ private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96" >> /etc/unbound/unbound.conf
private-address: ::ffff:0:0/96" >>/etc/unbound/unbound.conf
fi
else # Unbound is already installed
echo 'include: /etc/unbound/openvpn.conf' >> /etc/unbound/unbound.conf
echo 'include: /etc/unbound/openvpn.conf' >>/etc/unbound/unbound.conf
# Add Unbound 'server' for the OpenVPN subnet
echo 'server:
@ -189,14 +189,14 @@ private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
fi
systemctl enable unbound
systemctl restart unbound
}
function installQuestions () {
function installQuestions() {
echo "Welcome to the OpenVPN installer!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo ""
@ -218,7 +218,7 @@ function installQuestions () {
echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
echo "We need it for the clients to connect to the server."
until [[ "$ENDPOINT" != "" ]]; do
until [[ $ENDPOINT != "" ]]; do
read -rp "Public IPv4 address or hostname: " -e ENDPOINT
done
fi
@ -227,7 +227,7 @@ function installQuestions () {
echo "Checking for IPv6 connectivity..."
echo ""
# "ping6" and "ping -6" availability varies depending on the distribution
if type ping6 > /dev/null 2>&1; then
if type ping6 >/dev/null 2>&1; then
PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1"
else
PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1"
@ -249,7 +249,7 @@ function installQuestions () {
echo " 1) Default: 1194"
echo " 2) Custom"
echo " 3) Random [49152-65535]"
until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done
case $PORT_CHOICE in
@ -257,7 +257,7 @@ function installQuestions () {
PORT="1194"
;;
2)
until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
read -rp "Custom port [1-65535]: " -e -i 1194 PORT
done
;;
@ -272,7 +272,7 @@ function installQuestions () {
echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
echo " 1) UDP"
echo " 2) TCP"
until [[ "$PROTOCOL_CHOICE" =~ ^[1-2]$ ]]; do
until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
done
case $PROTOCOL_CHOICE in
@ -298,7 +298,7 @@ function installQuestions () {
echo " 11) AdGuard DNS (Anycast: worldwide)"
echo " 12) NextDNS (Anycast: worldwide)"
echo " 13) Custom"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
read -rp "DNS [1-12]: " -e -i 3 DNS
if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
echo ""
@ -311,18 +311,18 @@ function installQuestions () {
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
done
if [[ $CONTINUE == "n" ]];then
if [[ $CONTINUE == "n" ]]; then
# Break the loop and cleanup
unset DNS
unset CONTINUE
fi
elif [[ $DNS == "13" ]]; then
until [[ "$DNS1" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Primary DNS: " -e DNS1
done
until [[ "$DNS2" =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
read -rp "Secondary DNS (optional): " -e DNS2
if [[ "$DNS2" == "" ]]; then
if [[ $DNS2 == "" ]]; then
break
fi
done
@ -333,7 +333,7 @@ function installQuestions () {
until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
read -rp"Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
done
if [[ $COMPRESSION_ENABLED == "y" ]];then
if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
echo " 1) LZ4-v2"
echo " 2) LZ4"
@ -362,7 +362,7 @@ function installQuestions () {
until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do
read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC
done
if [[ $CUSTOMIZE_ENC == "n" ]];then
if [[ $CUSTOMIZE_ENC == "n" ]]; then
# Use default, sane and fast parameters
CIPHER="AES-128-GCM"
CERT_TYPE="1" # ECDSA
@ -381,7 +381,7 @@ function installQuestions () {
echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
until [[ "$CIPHER_CHOICE" =~ ^[1-6]$ ]]; do
until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
done
case $CIPHER_CHOICE in
@ -439,7 +439,7 @@ function installQuestions () {
echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits"
echo " 3) 4096 bits"
until [[ "$RSA_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
done
case $RSA_KEY_SIZE_CHOICE in
@ -524,7 +524,7 @@ function installQuestions () {
echo " 1) 2048 bits (recommended)"
echo " 2) 3072 bits"
echo " 3) 4096 bits"
until [[ "$DH_KEY_SIZE_CHOICE" =~ ^[1-3]$ ]]; do
until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
done
case $DH_KEY_SIZE_CHOICE in
@ -542,9 +542,9 @@ function installQuestions () {
esac
echo ""
# The "auth" options behaves differently with AEAD ciphers
if [[ "$CIPHER" =~ CBC$ ]]; then
if [[ $CIPHER =~ CBC$ ]]; then
echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
elif [[ "$CIPHER" =~ GCM$ ]]; then
elif [[ $CIPHER =~ GCM$ ]]; then
echo "The digest algorithm authenticates tls-auth packets from the control channel."
fi
echo "Which digest algorithm do you want to use for HMAC?"
@ -583,7 +583,7 @@ function installQuestions () {
fi
}
function installOpenVPN () {
function installOpenVPN() {
if [[ $AUTO_INSTALL == "y" ]]; then
# Set default choices so that no questions will be asked.
APPROVE_INSTALL=${APPROVE_INSTALL:-y}
@ -612,19 +612,19 @@ function installOpenVPN () {
# Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
if [[ -z "$NIC" ]] && [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
fi
# $NIC can not be empty for script rm-openvpn-rules.sh
if [[ -z "$NIC" ]]; then
if [[ -z $NIC ]]; then
echo
echo "Can not detect public interface."
echo "This needs for setup MASQUERADE."
until [[ $CONTINUE =~ (y|n) ]]; do
read -rp "Continue? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" == "n" ]]; then
if [[ $CONTINUE == "n" ]]; then
exit 1
fi
fi
@ -633,31 +633,31 @@ function installOpenVPN () {
# idempotent on multiple runs, but will only install OpenVPN from upstream
# the first time.
if [[ ! -e /etc/openvpn/server.conf ]]; then
if [[ "$OS" =~ (debian|ubuntu) ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update
apt-get -y install ca-certificates gnupg
# We add the OpenVPN repo to get the latest version.
if [[ "$VERSION_ID" = "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
if [[ $VERSION_ID == "8" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
if [[ "$VERSION_ID" = "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
if [[ $VERSION_ID == "16.04" ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository.
apt-get install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'centos' ]]; then
elif [[ $OS == 'centos' ]]; then
yum install -y epel-release
yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*'
elif [[ "$OS" = 'amzn' ]]; then
elif [[ $OS == 'amzn' ]]; then
amazon-linux-extras install -y epel
yum install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'fedora' ]]; then
elif [[ $OS == 'fedora' ]]; then
dnf install -y openvpn iptables openssl wget ca-certificates curl
elif [[ "$OS" = 'arch' ]]; then
elif [[ $OS == 'arch' ]]; then
# Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
fi
@ -688,21 +688,21 @@ function installOpenVPN () {
cd /etc/openvpn/easy-rsa/ || return
case $CERT_TYPE in
1)
echo "set_var EASYRSA_ALGO ec" > vars
echo "set_var EASYRSA_CURVE $CERT_CURVE" >> vars
echo "set_var EASYRSA_ALGO ec" >vars
echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars
;;
2)
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars
;;
esac
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_CN" > SERVER_CN_GENERATED
echo "$SERVER_CN" >SERVER_CN_GENERATED
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_NAME" > SERVER_NAME_GENERATED
echo "$SERVER_NAME" >SERVER_NAME_GENERATED
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
# Create the PKI, set up the CA, the DH params and the server certificate
./easyrsa init-pki
@ -748,11 +748,11 @@ function installOpenVPN () {
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf
if [[ "$IPV6_SUPPORT" == 'n' ]]; then
echo "proto $PROTOCOL" >> /etc/openvpn/server.conf
elif [[ "$IPV6_SUPPORT" == 'y' ]]; then
echo "proto ${PROTOCOL}6" >> /etc/openvpn/server.conf
echo "port $PORT" >/etc/openvpn/server.conf
if [[ $IPV6_SUPPORT == 'n' ]]; then
echo "proto $PROTOCOL" >>/etc/openvpn/server.conf
elif [[ $IPV6_SUPPORT == 'y' ]]; then
echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf
fi
echo "dev tun
@ -763,7 +763,7 @@ persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
# DNS resolvers
case $DNS in
@ -777,87 +777,87 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf
done
;;
2) # Self-hosted DNS resolver (Unbound)
echo 'push "dhcp-option DNS 10.8.0.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf
;;
3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf
;;
4) # Quad9
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf
;;
5) # Quad9 uncensored
echo 'push "dhcp-option DNS 9.9.9.10"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.10"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf
;;
6) # FDN
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf
;;
7) # DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf
;;
8) # OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf
;;
9) # Google
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf
;;
10) # Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf
;;
11) # AdGuard DNS
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.130"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >>/etc/openvpn/server.conf
;;
12) # NextDNS
echo 'push "dhcp-option DNS 45.90.28.167"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 45.90.30.167"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf
echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf
;;
13) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
if [[ "$DNS2" != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf
if [[ $DNS2 != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf
fi
;;
esac
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf
# IPv6 network settings if needed
if [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf
fi
if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >> /etc/openvpn/server.conf
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf
fi
if [[ $DH_TYPE == "1" ]]; then
echo "dh none" >> /etc/openvpn/server.conf
echo "ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf
echo "dh none" >>/etc/openvpn/server.conf
echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf
elif [[ $DH_TYPE == "2" ]]; then
echo "dh dh.pem" >> /etc/openvpn/server.conf
echo "dh dh.pem" >>/etc/openvpn/server.conf
fi
case $TLS_SIG in
1)
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
echo "tls-crypt tls-crypt.key 0" >>/etc/openvpn/server.conf
;;
2)
echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf
;;
esac
@ -873,7 +873,7 @@ tls-version-min 1.2
tls-cipher $CC_CIPHER
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3" >> /etc/openvpn/server.conf
verb 3" >>/etc/openvpn/server.conf
# Create client-config-dir dir
mkdir -p /etc/openvpn/ccd
@ -881,9 +881,9 @@ verb 3" >> /etc/openvpn/server.conf
mkdir -p /var/log/openvpn
# Enable routing
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/20-openvpn.conf
if [[ "$IPV6_SUPPORT" = 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/20-openvpn.conf
echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/20-openvpn.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/20-openvpn.conf
fi
# Apply sysctl rules
sysctl --system
@ -891,14 +891,14 @@ verb 3" >> /etc/openvpn/server.conf
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
if [[ $PORT != '1194' ]]; then
semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
fi
fi
fi
# Finally, restart and enable OpenVPN
if [[ "$OS" == 'arch' || "$OS" == 'fedora' || "$OS" == 'centos' ]]; then
if [[ $OS == 'arch' || $OS == 'fedora' || $OS == 'centos' ]]; then
# Don't modify package-provided service
cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
@ -907,14 +907,14 @@ verb 3" >> /etc/openvpn/server.conf
# Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
# On fedora, the service hardcodes the ciphers. We want to manage the cipher ourselves, so we remove it from the service
if [[ "$OS" == "fedora" ]];then
if [[ $OS == "fedora" ]]; then
sed -i 's|--cipher AES-256-GCM --ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:BF-CBC||' /etc/systemd/system/openvpn-server@.service
fi
systemctl daemon-reload
systemctl enable openvpn-server@server
systemctl restart openvpn-server@server
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service
systemctl enable openvpn
@ -933,7 +933,7 @@ verb 3" >> /etc/openvpn/server.conf
systemctl restart openvpn@server
fi
if [[ $DNS == 2 ]];then
if [[ $DNS == 2 ]]; then
installUnbound
fi
@ -946,13 +946,13 @@ iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh
fi
# Script to remove rules
@ -961,13 +961,13 @@ iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh
if [[ "$IPV6_SUPPORT" == 'y' ]]; then
if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh
fi
chmod +x /etc/iptables/add-openvpn-rules.sh
@ -986,7 +986,7 @@ ExecStop=/etc/iptables/rm-openvpn-rules.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
# Enable service and apply rules
systemctl daemon-reload
@ -994,17 +994,17 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
systemctl start iptables-openvpn
# If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ "$ENDPOINT" != "" ]]; then
if [[ $ENDPOINT != "" ]]; then
IP=$ENDPOINT
fi
# client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" == 'udp' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt
echo "explicit-exit-notify" >> /etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" == 'tcp' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt
echo "client" >/etc/openvpn/client-template.txt
if [[ $PROTOCOL == 'udp' ]]; then
echo "proto udp" >>/etc/openvpn/client-template.txt
echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
elif [[ $PROTOCOL == 'tcp' ]]; then
echo "proto tcp-client" >>/etc/openvpn/client-template.txt
fi
echo "remote $IP $PORT
dev tun
@ -1022,23 +1022,23 @@ tls-version-min 1.2
tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >> /etc/openvpn/client-template.txt
verb 3" >>/etc/openvpn/client-template.txt
if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >> /etc/openvpn/client-template.txt
fi
if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
fi
# Generate the custom client.ovpn
newClient
echo "If you want to add more clients, you simply need to run this script another time!"
}
function newClient () {
function newClient() {
echo ""
echo "Tell me a name for the client."
echo "Use one word only, no special characters."
until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
until [[ $CLIENT =~ ^[a-zA-Z0-9_]+$ ]]; do
read -rp "Client name: " -e CLIENT
done
@ -1048,12 +1048,12 @@ function newClient () {
echo " 1) Add a passwordless client"
echo " 2) Use a password for the client"
until [[ "$PASS" =~ ^[1-2]$ ]]; do
until [[ $PASS =~ ^[1-2]$ ]]; do
read -rp "Select an option [1-2]: " -e -i 1 PASS
done
CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
if [[ "$CLIENTEXISTS" = '1' ]]; then
if [[ $CLIENTEXISTS == '1' ]]; then
echo ""
echo "The specified client CN was found in easy-rsa."
else
@ -1114,7 +1114,7 @@ function newClient () {
echo "</tls-auth>"
;;
esac
} >> "$homeDir/$CLIENT.ovpn"
} >>"$homeDir/$CLIENT.ovpn"
echo ""
echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
@ -1123,9 +1123,9 @@ function newClient () {
exit 0
}
function revokeClient () {
function revokeClient() {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" == '0' ]]; then
if [[ $NUMBEROFCLIENTS == '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 1
@ -1134,7 +1134,7 @@ function revokeClient () {
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" == '1' ]]; then
if [[ $NUMBEROFCLIENTS == '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER
else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
@ -1155,7 +1155,7 @@ function revokeClient () {
echo "Certificate for client $CLIENT revoked."
}
function removeUnbound () {
function removeUnbound() {
# Remove OpenVPN-related config
sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf
rm /etc/unbound/openvpn.conf
@ -1166,17 +1166,17 @@ function removeUnbound () {
read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
done
if [[ "$REMOVE_UNBOUND" == 'y' ]]; then
if [[ $REMOVE_UNBOUND == 'y' ]]; then
# Stop Unbound
systemctl stop unbound
if [[ "$OS" =~ (debian|ubuntu) ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y unbound
elif [[ "$OS" == 'arch' ]]; then
elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R unbound
elif [[ "$OS" =~ (centos|amzn) ]]; then
elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y unbound
elif [[ "$OS" == 'fedora' ]]; then
elif [[ $OS == 'fedora' ]]; then
dnf remove -y unbound
fi
@ -1191,21 +1191,21 @@ function removeUnbound () {
fi
}
function removeOpenVPN () {
function removeOpenVPN() {
echo ""
# shellcheck disable=SC2034
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" == 'y' ]]; then
if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
# Stop OpenVPN
if [[ "$OS" =~ (fedora|arch|centos) ]]; then
if [[ $OS =~ (fedora|arch|centos) ]]; then
systemctl disable openvpn-server@server
systemctl stop openvpn-server@server
# Remove customised service
rm /etc/systemd/system/openvpn-server@.service
elif [[ "$OS" == "ubuntu" ]] && [[ "$VERSION_ID" == "16.04" ]]; then
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
systemctl disable openvpn
systemctl stop openvpn
else
@ -1227,23 +1227,23 @@ function removeOpenVPN () {
# SELinux
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
if [[ $PORT != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp "$PORT"
fi
fi
fi
if [[ "$OS" =~ (debian|ubuntu) ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get autoremove --purge -y openvpn
if [[ -e /etc/apt/sources.list.d/openvpn.list ]];then
if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
rm /etc/apt/sources.list.d/openvpn.list
apt-get update
fi
elif [[ "$OS" == 'arch' ]]; then
elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R openvpn
elif [[ "$OS" =~ (centos|amzn) ]]; then
elif [[ $OS =~ (centos|amzn) ]]; then
yum remove -y openvpn
elif [[ "$OS" == 'fedora' ]]; then
elif [[ $OS == 'fedora' ]]; then
dnf remove -y openvpn
fi
@ -1267,7 +1267,7 @@ function removeOpenVPN () {
fi
}
function manageMenu () {
function manageMenu() {
clear
echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install"
@ -1279,7 +1279,7 @@ function manageMenu () {
echo " 2) Revoke existing user"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
until [[ "$MENU_OPTION" =~ ^[1-4]$ ]]; do
until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
read -rp "Select an option [1-4]: " MENU_OPTION
done