From ff7a7a5c3d4c35dffd16e5e0ae96b9aa57bd4466 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Sat, 14 May 2016 21:15:58 +0000
Subject: [PATCH 1/8] Prevent DNS leaks on windows (v2.3.9+, ignored on other platforms)
---
 openvpn-install.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7b33f04..8d122a9 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -450,6 +450,7 @@ persist-tun
 remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
+block-outside-dns
 tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
From e2b9f116d4ed58c2a7427c178b4eb5876e0e1870 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Tue, 17 May 2016 04:20:44 +0200
Subject: [PATCH 2/8] Add setup for ufw firewall when using MASQUERADE
---
 openvpn-install.sh | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 8d122a9..c95d424 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -133,6 +133,10 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 if [[ "$REMOVE" = 'y' ]]; then
 PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
+ if ufw status | grep -qw active; then
+ sed -i '/^##OPENVPN_START/,/^##OPENVPN_END/d' /etc/ufw/before.rules
+ sed -i 's/^DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /DEFAULT_FORWARD_POLICY=/g' /etc/default/ufw
+ fi
 if pgrep firewalld; then
 # Using both permanent and not permanent rules to avoid a firewalld reload.
 firewall-cmd --zone=public --remove-port=$PORT/udp
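Review bot: Nothing reloads ufw after the two `sed -i` edits in the new `if ufw status | grep -qw active` block, so the MASQUERADE rule and the ACCEPT forward policy stay active in the kernel until the next `ufw reload` or reboot, leaving forwarding open after the user has been told OpenVPN was removed. The install side has the mirror-image gap in this patch's second hunk and in patch 4's second hunk, where the new `*nat` table and forward policy in the ufw files only take effect after a reload. Add `ufw reload` as the last line of each of these ufw blocks. The range delete `/^##OPENVPN_START/,/^##OPENVPN_END/d` also runs to end of file if the END marker is ever missing, which deserves a comment next to it. The enclosing removal branch starts outside the hunk.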
@@ -374,6 +378,10 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 else
 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
+ if ufw status | grep -qw active; then
+ sed -i '1s/^/##OPENVPN_START\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\nCOMMIT\n##OPENVPN_END\n\n/' /etc/ufw/before.rules
+ sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /g' /etc/default/ufw
+ fi
 fi
 if pgrep firewalld; then
 # We don't use --add-service=openvpn because that would only work with
From 4f8cad83cf1b89e7a1fe3dafc4cfef069c2851c0 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Tue, 17 May 2016 05:28:48 +0200
Subject: [PATCH 3/8] add ufw rule to allow traffic on chosen udp port
---
 openvpn-install.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index c95d424..0957d28 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -134,6 +134,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 if [[ "$REMOVE" = 'y' ]]; then
 PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
 if ufw status | grep -qw active; then
+ ufw delete allow $PORT/udp
 sed -i '/^##OPENVPN_START/,/^##OPENVPN_END/d' /etc/ufw/before.rules
 sed -i 's/^DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /DEFAULT_FORWARD_POLICY=/g' /etc/default/ufw
 fi
@@ -392,6 +393,9 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 firewall-cmd --permanent --zone=public --add-port=$PORT/udp
 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
 fi
+ if ufw status | grep -qw active; then
+ ufw allow $PORT/udp
+ fi
 if iptables -L | grep -qE 'REJECT|DROP'; then
 # If iptables has at least one REJECT rule, we asume this is needed.
 # Not the best approach but I can't think of other and this shouldn't
From a420a6cbcd2dc5aa01ef107ad5ec77e19d0de112 Mon Sep 17 00:00:00 2001
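Review bot: `sed -ie '...' /etc/default/ufw` on the new line is not `-i -e`; GNU sed parses `-ie` as `-i` with backup suffix `e`, so every run leaves a stale copy of the config at /etc/default/ufwe next to the real file. Change it to `sed -i 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /g' /etc/default/ufw`, the same form the line above already uses for before.rules. The same `-ie` is carried into the ufw branch of patch 4's second hunk and into the replacement lines of patch 7's second hunk and patch 8. The `else` branch this block sits in starts outside the hunk.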
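Review bot: `ufw allow $PORT/udp` is likely to be duplicated by the unchanged `if iptables -L | grep -qE 'REJECT|DROP'` fallback right below it, since on a ufw host that grep presumably matches ufw's own REJECT/DROP chains and the script then also adds a raw `iptables -I INPUT` rule persisted in $RCLOCAL outside ufw's control. If that reading holds, make the fallback exclusive to the case where neither firewalld nor ufw handled the port, so one firewall manager owns the rule and the uninstall path removes exactly what was added. `$PORT` should also be quoted here: `ufw allow "$PORT"/udp`. The install conditional this block belongs to starts outside the hunk.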
From: jtbr
Date: Tue, 17 May 2016 05:44:47 +0200
Subject: [PATCH 4/8] add firewalld configuration for masquerading and reorganize to ensure firewalld command ordering is safe
---
 openvpn-install.sh | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 0957d28..9b7a357 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -379,10 +379,6 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 else
 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" $RCLOCAL
- if ufw status | grep -qw active; then
- sed -i '1s/^/##OPENVPN_START\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\nCOMMIT\n##OPENVPN_END\n\n/' /etc/ufw/before.rules
- sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /g' /etc/default/ufw
- fi
 fi
 if pgrep firewalld; then
 # We don't use --add-service=openvpn because that would only work with
@@ -392,9 +388,16 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 firewall-cmd --zone=trusted --add-source=10.8.0.0/24
 firewall-cmd --permanent --zone=public --add-port=$PORT/udp
 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
- fi
- if ufw status | grep -qw active; then
+ if [[ "$FORWARD_TYPE" = '1' ]]; then
+ firewall-cmd --zone=trusted --add-masquerade
+ firewall-cmd --permanent --zone=trusted --add-masquerade
+ fi
+ elif ufw status | grep -qw active; then
 ufw allow $PORT/udp
+ if [[ "$FORWARD_TYPE" = '1' ]]; then
+ sed -i '1s/^/##OPENVPN_START\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\nCOMMIT\n##OPENVPN_END\n\n/' /etc/ufw/before.rules
+ sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /g' /etc/default/ufw
+ fi
 fi
 if iptables -L | grep -qE 'REJECT|DROP'; then
 # If iptables has at least one REJECT rule, we asume this is needed.
From 4a075419534b6e2fc87ba6f7be2769497b0507b9 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Tue, 17 May 2016 05:54:26 +0200
Subject: [PATCH 5/8] uninstall new firewalld rules
---
 openvpn-install.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 9b7a357..9b0b6fb 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
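Review bot: The raw `iptables -t nat -A POSTROUTING ... -j MASQUERADE` and its $RCLOCAL persistence, visible as context in this patch's first hunk, still run alongside the firewalld/ufw masquerading added here, so if that `else` is the same `$FORWARD_TYPE` = '1' case (its condition is outside the hunk) firewalld and ufw hosts end up with the NAT rule installed twice, once outside the firewall manager's state where its reload and removal cannot see it. Guard the raw iptables/rc.local lines so they run only when neither `pgrep firewalld` nor `ufw status | grep -qw active` succeeds, leaving a single owner per host; the removal branch in patch 5 then has exactly one thing to undo. A one-line comment on the firewalld `--add-masquerade` pair saying it applies to the `trusted` zone that 10.8.0.0/24 was just bound to would also help the next reader.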
@@ -137,13 +137,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 ufw delete allow $PORT/udp
 sed -i '/^##OPENVPN_START/,/^##OPENVPN_END/d' /etc/ufw/before.rules
 sed -i 's/^DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /DEFAULT_FORWARD_POLICY=/g' /etc/default/ufw
- fi
- if pgrep firewalld; then
+ elif pgrep firewalld; then
 # Using both permanent and not permanent rules to avoid a firewalld reload.
 firewall-cmd --zone=public --remove-port=$PORT/udp
 firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
 firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
 firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
+ firewall-cmd --zone=trusted --remove-masquerade
+ firewall-cmd --permanent --zone=trusted --remove-masquerade
 fi
 if iptables -L | grep -qE 'REJECT|DROP'; then
 sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
From eff3b83fe30ea28198d93f48a94cfd4d4fa8b9a3 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Fri, 3 Jun 2016 13:09:00 +0200
Subject: [PATCH 6/8] Support old clients that might not recognize blocking
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 9b0b6fb..8e1ccba 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -466,7 +466,7 @@ persist-tun
 remote-cert-tls server
 cipher AES-256-CBC
 auth SHA512
-block-outside-dns
+setenv opt block-outside-dns
 tls-version-min 1.2
 tls-client" > /etc/openvpn/client-common.txt
 if [[ "$VARIANT" = '1' ]]; then
From b93a3369fbfcfe65e9f6466fe263c5b85f0bdca3 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Fri, 10 Jun 2016 14:33:26 +0200
Subject: [PATCH 7/8] Avoid inline comments in /etc/default/ufw; place pre-openvpn settings on new line
---
 openvpn-install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 8e1ccba..bfe3269 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
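Review bot: `firewall-cmd --zone=trusted --remove-masquerade` and its `--permanent` twin run on every uninstall, while patch 4's second hunk only adds masquerading when `$FORWARD_TYPE` is '1', so an uninstall can strip a masquerade setting the administrator had configured on the trusted zone independently of this script. `$FORWARD_TYPE` is an install-time answer and is not available here, so mirroring the condition means persisting the script's own choice (for example a small state file written at install time and tested before these two lines); failing that, document the asymmetry on the spot: `# masquerade is removed unconditionally; install adds it only when FORWARD_TYPE=1`. The enclosing removal block starts outside the hunk.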
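Review bot: `setenv opt block-outside-dns` lets clients that do not understand the option skip it silently, which is the right compatibility choice, but the generated client-common.txt gives no hint that the DNS-leak protection applies only to Windows clients on OpenVPN 2.3.9 or later and is simply absent elsewhere. Add an OpenVPN comment line before it inside the quoted block, e.g. `# Windows/OpenVPN 2.3.9+ only: block DNS leaks; older clients ignore this line because of 'setenv opt'`, so anyone auditing the profile knows where the protection does not apply. The quoted block that becomes client-common.txt starts outside the hunk.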
@@ -136,7 +136,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 if ufw status | grep -qw active; then
 ufw delete allow $PORT/udp
 sed -i '/^##OPENVPN_START/,/^##OPENVPN_END/d' /etc/ufw/before.rules
- sed -i 's/^DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /DEFAULT_FORWARD_POLICY=/g' /etc/default/ufw
+ sed -i '/^DEFAULT_FORWARD/{N;s/DEFAULT_FORWARD_POLICY="ACCEPT"\n#before openvpn: /DEFAULT_FORWARD_POLICY=/}' /etc/default/ufw
 elif pgrep firewalld; then
 # Using both permanent and not permanent rules to avoid a firewalld reload.
 firewall-cmd --zone=public --remove-port=$PORT/udp
@@ -397,7 +397,7 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 ufw allow $PORT/udp
 if [[ "$FORWARD_TYPE" = '1' ]]; then
 sed -i '1s/^/##OPENVPN_START\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\nCOMMIT\n##OPENVPN_END\n\n/' /etc/ufw/before.rules
- sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT" #before ovpn: /g' /etc/default/ufw
+ sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT"\n#before ovpn: /' /etc/default/ufw
 fi
 fi
 if iptables -L | grep -qE 'REJECT|DROP'; then
From 52cae768739f2990e03309eac082567262dd6cd5 Mon Sep 17 00:00:00 2001
From: jtbr
Date: Fri, 10 Jun 2016 14:36:22 +0200
Subject: [PATCH 8/8] fix typo
---
 openvpn-install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index bfe3269..0c1ea1d 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
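Review bot: The marker text the uninstall `sed` matches here, `#before openvpn: `, differs from the `#before ovpn: ` that the install `sed` in this patch's second hunk writes, and the two literals sit in different parts of the script with nothing tying them together, so a one-character drift is enough for the restore to silently do nothing and leave DEFAULT_FORWARD_POLICY at ACCEPT after removal (patch 8 corrects this instance, but the coupling remains). Define the marker once, e.g. `readonly UFW_POLICY_MARKER='#before openvpn: '` near the top of the script, and build both sed expressions from it; at minimum put `# must match the marker written by the ufw install branch` on this line and its counterpart on the install line. The enclosing removal branch starts outside the hunk.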
@@ -397,7 +397,7 @@ tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
 ufw allow $PORT/udp
 if [[ "$FORWARD_TYPE" = '1' ]]; then
 sed -i '1s/^/##OPENVPN_START\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\nCOMMIT\n##OPENVPN_END\n\n/' /etc/ufw/before.rules
- sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT"\n#before ovpn: /' /etc/default/ufw
+ sed -ie 's/^DEFAULT_FORWARD_POLICY\s*=\s*/DEFAULT_FORWARD_POLICY="ACCEPT"\n#before openvpn: /' /etc/default/ufw
 fi
 fi
 if iptables -L | grep -qE 'REJECT|DROP'; then