
Add IPv6 NAT support (#238)

This commit is contained in:
Stanislas 2018-09-16 17:55:50 +02:00 committed by GitHub
parent 019da89be9
commit bfed14544e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 70 additions and 19 deletions


@ -78,6 +78,7 @@ This fork includes the following features :
- Better encryption, see below - Better encryption, see below
- Better DNS resolvers, see below - Better DNS resolvers, see below
- Choice between TCP and UDP (UDP is still recommended) - Choice between TCP and UDP (UDP is still recommended)
- IPv6 (NATed) support
- Run server in [unprivileged mode](https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh#L426), reducing risks to the system - Run server in [unprivileged mode](https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh#L426), reducing risks to the system
- [Block DNS leak on Windows 10](https://community.openvpn.net/openvpn/ticket/605) - [Block DNS leak on Windows 10](https://community.openvpn.net/openvpn/ticket/605)
- No comp-lzo, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575) - No comp-lzo, as [compression is a vector for oracle attacks, e.g. CRIME or BREACH](https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575)


@ -280,6 +280,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
if [[ "$IPV6" = 'y' ]]; then
ip6tables -t nat -D POSTROUTING -o $NIC -s fd42:42:42:42::/112 -j MASQUERADE
fi
iptables-save > $IPTABLES iptables-save > $IPTABLES
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
@ -357,6 +360,25 @@ else
# Autodetect IP address and pre-fill for the user # Autodetect IP address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
read -rp "IP address: " -e -i $IP IP read -rp "IP address: " -e -i $IP IP
# If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo ""
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -rp "Public IP address / hostname: " -e PUBLICIP
fi
echo ""
echo "Checking for IPv6 connectivity..."
ping6 -c4 ipv6.google.com > /dev/null 2>&1;
echo ""
if [[ $? == 0 ]]; then
echo "Your host appears to have IPv6 connectivity."
else
echo "Your host does not appear to have IPv6 connectivity."
fi
echo ""
while [[ $IPV6 != "y" && $IPV6 != "n" ]]; do
read -rp "Do you want to enable IPv6 support? [y/n]: " -e IPV6
done
echo "" echo ""
echo "What port do you want for OpenVPN?" echo "What port do you want for OpenVPN?"
echo " 1) Default: 1194" echo " 1) Default: 1194"
@ -380,13 +402,6 @@ else
echo "Random Port: $PORT" echo "Random Port: $PORT"
;; ;;
esac esac
# If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo ""
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -rp "Public IP address / hostname: " -e PUBLICIP
fi
echo "" echo ""
echo "What protocol do you want for OpenVPN?" echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
@ -523,13 +538,14 @@ else
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get update
apt-get install ca-certificates gnupg -y apt-get install ca-certificates gnupg -y
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
# Debian 8 # Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update apt-get update
fi fi
# Ubuntu 14.04 # Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
@ -658,7 +674,19 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
# Generate server.conf # Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf echo "port $PORT" > /etc/openvpn/server.conf
echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf if [[ "$IPV6" = 'n' ]]; then
if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf
fi
elif [[ "$IPV6" = 'y' ]]; then
if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp6" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp6" >> /etc/openvpn/server.conf
fi
fi
echo "dev tun echo "dev tun
user nobody user nobody
group $NOGROUP group $NOGROUP
@ -721,8 +749,17 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;; ;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem
if [[ "$IPV6" = 'y' ]]; then
echo 'server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >> /etc/openvpn/server.conf
fi
echo "crl-verify crl.pem
ca ca.crt ca ca.crt
cert $SERVER_NAME.crt cert $SERVER_NAME.crt
key $SERVER_NAME.key key $SERVER_NAME.key
@ -744,18 +781,19 @@ mkdir -p /var/log/openvpn
touch $SYSCTL touch $SYSCTL
fi fi
# Enable net.ipv4.ip_forward for the system # Enable routing
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' $SYSCTL echo 'net.ipv4.ip_forward=1' >> $SYSCTL
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then if [[ "$IPV6" = 'y' ]]; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL echo 'net.ipv6.conf.all.forwarding=1' >> $SYSCTL
fi fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward sysctl --system
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
if [[ "$IPV6" = 'y' ]]; then
ip6tables -t nat -A POSTROUTING -o $NIC -s fd42:42:42:42::/112 -j MASQUERADE
fi
# Save persitent iptables rules # Save persitent iptables rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
@ -788,7 +826,19 @@ mkdir -p /var/log/openvpn
# Save persitent OpenVPN rules # Save persitent OpenVPN rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
if [[ "$IPV6" = 'y' ]]; then
if ip6tables -L -n | grep -qE 'REJECT|DROP'; then
if [[ "$PROTOCOL" = 'UDP' ]]; then
ip6tables -I INPUT -p udp --dport $PORT -j ACCEPT
elif [[ "$PROTOCOL" = 'TCP' ]]; then
ip6tables -I INPUT -p tcp --dport $PORT -j ACCEPT
fi
ip6tables -I FORWARD -s fd42:42:42:42::/112 -j ACCEPT
ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save persitent OpenVPN rules
iptables-save > $IPTABLES
fi
fi
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
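Review bot: In the hunk at @ -357,6 +360,25 the IPv6 connectivity probe checks `$?` only after the intervening `echo ""`, so it tests echo's exit status rather than ping6's and the script will always print "Your host appears to have IPv6 connectivity."; test the command itself instead, `if ping6 -c4 ipv6.google.com > /dev/null 2>&1; then`, and emit the blank line inside or after the branch. The report is advisory here because the user is still asked whether to enable IPv6, but a wrong answer nudges them toward a server that pushes `route-ipv6 2000::/3` and `redirect-gateway ipv6` to clients even though the host may have no working IPv6 path. In the hunk at @ -788,7 +826,19 the new ip6tables INPUT and FORWARD rules are followed by `iptables-save > $IPTABLES`, which writes only the IPv4 tables, so unless the iptables.service created earlier (outside this view) also runs ip6tables-save/ip6tables-restore, these ACCEPT rules and the ip6tables MASQUERADE rule added at @ -744,18 +781,19 are lost at reboot; saving with `ip6tables-save` to a separate file restored by the same unit would keep them. The enclosing `else` branch of all three hunks starts and ends outside the hunks.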