From 4f5f43e503ad4078f31a2589fca7d7af2ec8cb0d Mon Sep 17 00:00:00 2001
From: cezar97 <34601855+cezar97@users.noreply.github.com>
Date: Thu, 18 Jan 2018 17:19:51 +0100
Subject: [PATCH 1/3] Randomize CN and server name, fixed #48

Solution taken from pivpn install script here: https://github.com/pivpn/pivpn/blob/master/auto_install/install.sh. Repo in https://github.com/pivpn/pivpn.
---
 openvpn-install.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index ec21f40..65170e5 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -469,18 +469,25 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 chown -R root:root /etc/openvpn/easy-rsa/
 rm -rf ~/EasyRSA-3.0.3.tgz
 cd /etc/openvpn/easy-rsa/
+ # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name =>
+ ### => FROM https://github.com/pivpn/pivpn/blob/master/auto_install/install.sh ###
+ NEW_UUID_CN=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
+ NEW_UUID_SERVER=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
+ SERVER_CN="cn_$NEW_UUID_CN"
+ SERVER_NAME="server_$NEW_UUID_SERVER"
 echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
+ echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
 # Create the PKI, set up the CA, the DH params and the server + client certificates
 ./easyrsa init-pki
 ./easyrsa --batch build-ca nopass
 openssl dhparam -out dh.pem $DH_KEY_SIZE
- ./easyrsa build-server-full server nopass
+ ./easyrsa build-server-full $SERVER_NAME nopass
 ./easyrsa build-client-full $CLIENT nopass
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 # generate tls-auth key
 openvpn --genkey --secret /etc/openvpn/tls-auth.key
 # Move all the generated files
- cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
+ cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
 # Make cert revocation list readable for non-root
 chmod 644 /etc/openvpn/crl.pem
@@ -539,8 +546,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
 echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
 echo "crl-verify crl.pem
 ca ca.crt
-cert server.crt
-key server.key
+cert $SERVER_NAME.crt
+key $SERVER_NAME.key
 tls-auth tls-auth.key 0
 dh dh.pem
 auth SHA256

From 931190dd59ff48237ee9a8592ff61ad3aadf9f00 Mon Sep 17 00:00:00 2001
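Review bot: The random-name pipeline at `NEW_UUID_CN=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)` (its twin on the next line, and again in the PATCH 3/3 hunk at -469,12) ends with head closing the pipe, so tr is killed by SIGPIPE; if the script runs under `set -o pipefail` (not visible in this hunk) the substitution reports failure, and combined with `set -e` that would abort the install, so the script header should be checked before relying on it. The cat and fold stages are redundant — `tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 16` yields the same 16-character value — though the pipefail caveat is unchanged. The first value is described only as "CN" while it is written to `vars` as `EASYRSA_REQ_CN`, which easyrsa's batch `build-ca` uses as the CA's Common Name as far as I recall, so the comment should say which CN it is, e.g. `# Random names: EASYRSA_REQ_CN becomes the CA's CN, SERVER_NAME the server certificate's CN and file name`. The surrounding install sequence starts and ends outside the hunk.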
From: cezar97 <34601855+cezar97@users.noreply.github.com>
Date: Thu, 18 Jan 2018 17:36:31 +0100
Subject: [PATCH 2/3] Verify server name to strengthen security

---
 openvpn-install.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 65170e5..4553502 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -678,6 +678,7 @@ nobind
 persist-key
 persist-tun
 remote-cert-tls server
+verify-x509-name $SERVER_NAME name
 auth SHA256
 auth-nocache
 $CIPHER

From d19283c46ffe5333639a9fb6bf275326fc78102b Mon Sep 17 00:00:00 2001
From: Angristan
Date: Thu, 25 Jan 2018 12:23:25 +0100
Subject: [PATCH 3/3] Optmize vars

I'm not removing the PiVPN mention because I don't want to credit them, but to not bloat the script. Their contribution will be available via git blame + https://github.com/Angristan/OpenVPN-install/pull/151 :)
---
 openvpn-install.sh | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 4553502..338a544 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
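Review bot: `verify-x509-name $SERVER_NAME name` is expanded by the shell when this client template is written, so it is only correct if the template is emitted in the same run that generated the certificates; if client configs are also produced by a later invocation of the script (an "add a client" path, not visible here), `$SERVER_NAME` would be unset there and the line would degrade to the invalid `verify-x509-name  name`. Persisting the value once at install time (e.g. `echo "$SERVER_NAME" > /etc/openvpn/server_name` — a constructed path, adjust to the script's layout) and reading it back before writing any client config would keep both paths consistent; worth confirming against the rest of the script. The pinned value must match the server certificate's CN exactly, which holds here because PATCH 1/3 issues it with `./easyrsa build-server-full $SERVER_NAME nopass`. The echo or heredoc that writes this template starts and ends outside the hunk.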
@@ -469,12 +469,9 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 chown -R root:root /etc/openvpn/easy-rsa/
 rm -rf ~/EasyRSA-3.0.3.tgz
 cd /etc/openvpn/easy-rsa/
- # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name =>
- ### => FROM https://github.com/pivpn/pivpn/blob/master/auto_install/install.sh ###
- NEW_UUID_CN=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
- NEW_UUID_SERVER=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
- SERVER_CN="cn_$NEW_UUID_CN"
- SERVER_NAME="server_$NEW_UUID_SERVER"
+ # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
+ SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+ SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
 echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
 echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
 # Create the PKI, set up the CA, the DH params and the server + client certificates