1
1
mirror of https://github.com/namibia/openvpn-install.git synced 2024-11-15 16:57:09 +00:00
Commit Graph

258 Commits

Author SHA1 Message Date
patlol
3c5c87b031 Update openvpn-install.sh 2017-07-22 20:18:46 +02:00
patlol
5787c45a03 Update openvpn-install.sh 2017-07-22 19:40:29 +02:00
patlol
031afd587e fix #8 Client files not beeing created in the right folder when using sudo 2017-07-22 19:30:36 +02:00
DrXala
b5c624eb76 Adjust indents + change iptables.service 2017-07-20 17:12:40 +02:00
DrXala
8f28593112 Fix iptables.service 2017-07-16 16:01:05 +02:00
DrXala
23222fd59f Fix syntax error... 2017-07-16 15:39:14 +02:00
DrXala
d3d7d18ab1 Removing the use of rc.local file 2017-07-16 14:11:29 +02:00
DrXala
1be7733c0b Install iptables systemd service for Debian, Ubuntu and Centos. Fix iptables install for ArchLinux. 2017-07-16 12:55:09 +02:00
Angristan
c703d41795 Fix for Debian 9 on OpenVZ 2017-07-14 17:15:07 +02:00
Angristan
276284458f Fix DNS choice 2017-07-08 13:30:58 +02:00
jackdwyer
d1f665c458 fixes last case statement for SEED-CBC 2017-07-03 14:14:39 -04:00
Angristan
cd01329585 Add support for Debian 9 Stretch 2017-06-26 02:41:40 +02:00
Angristan
e185698445 Use current system resolvers as default
That makes more sense that putting French servers.

What is in /etc/resolv.conf is not always good, but most of the time it's the hoster's or something nearby. Thus it makes more sense for the user to use them by default.
2017-06-26 02:37:41 +02:00
Angristan
6800ef35f7 Typo
It's late.
2017-06-26 02:20:38 +02:00
Angristan
19fe6626f1 Implements OpenVPN 2.4 changes for Arch Linux (kind of)
Since OpenVPN 2.4 is out on Arch, the script wasn't working completely because of this : https://www.archlinux.org/news/openvpn-240-update-requires-administrative-interaction/

There is a new path for OpenVPN server config. This is just needed on Arch for now, and you're probably not going to run an OpenVPN client on an OpenVPN server. 

Thus I modified the systemd script to use `/etc/openvpn/` and `server.conf` instead of the new `/etc/openvpn/server/` and `openvpn.conf`.

By using the same paths as the other distros, I avoid to rewrite the entire script to change the paths...

It's not 100% clean, but it works pretty well. If you have any objection please leave a comment.

Also, I updated the new service name.

As far as I tested, it's working fine on Arch Linux for now.

Fixes #63 and #61
2017-06-26 02:17:14 +02:00
Angristan
ac203dd5ee Fix iptables rules on reboot for some OS
Thanks a lot to Nyr for the fix : a31aaf82f3

Fixes https://github.com/Angristan/OpenVPN-install/issues/6.

On Ubuntu 17.04, 16.10 and Debian 9, the iptables rules were not applied because of rc.local
2017-06-25 22:01:05 +02:00
Angristan
10351305e3 Google Compute Engine support
Merge pull request #57 and close issue #46
2017-06-25 20:21:36 +02:00
Angristan
8c66c8e684 Fix client revocation
A client revocation would make crl.pem unreadable and thus blocking any other client to connect.

Fixes https://github.com/Angristan/OpenVPN-install/pull/47, https://github.com/Angristan/OpenVPN-install/issues/25 and https://github.com/Angristan/OpenVPN-install/issues/49.
2017-06-25 19:58:41 +02:00
Kenneth Zhao
d74318562d adding support for debian 9 stretch 2017-06-25 09:38:52 -07:00
Angristan
a2a3bfc605 Added Yandex Basic DNS resolvers
https://dns.yandex.com/

Nice for Russia.
2017-06-23 14:30:57 +02:00
Angristan
d712e15795 Support OpenSSL 1.1.0 DH generation
Fixes dh.pem gen on Debian 9 and Arch Linux

https://github.com/Angristan/OpenVPN-install/issues/64
https://github.com/Angristan/OpenVPN-install/issues/74

https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#openssl-issues
2017-06-18 21:12:25 +02:00
Angristan
5d40c041dd More proper remove
openvpn-blacklist isn't installed with Debian 9.
2017-06-18 21:07:15 +02:00
Angristan
823ff21fcc Add support for Ubuntu 17.04 2017-05-07 23:56:19 +02:00
DrXala
fa9e5235f9 Close Angristan/OpenVPN-install#46
This patch is for Angristan/OpenVPN-install#46
2017-04-23 12:43:33 +02:00
Seeder101
89925cbbe8 Update openvpn-install.sh
change sould to should and correct adress to address in line 195
2016-12-11 16:03:40 +03:00
Seeder101
e548a61dcc Update openvpn-install.sh
change sould to should
2016-12-11 15:58:06 +03:00
Angristan
316ecfe7f4 Use SHA-256 instead of SHA-384
Following 693bd13fa7
2016-12-11 12:11:11 +01:00
Angristan
7a5bb93cbe AES-256 is not necessarily the most secure cipher
Indeed, it it most vulnerable to Timing Attacks : https://en.wikipedia.org/wiki/Length_extension_attack

Also, AES 128 is secure enough for every one, so it's still the recommended cipher.
2016-12-04 17:21:41 +01:00
Angristan
56477bba34 The crypto update 🔐
- Removed "fast" and "slow" mode (not a good idea, I prefer to give the choice for the parameters directly)
- Corrected some confusion between the cipher for the data channel and the control channel, my bad.
- using TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 by default for the control channel
- using SHA384 by default for HMAC auth and RSA certificate
- giving the choice for the cipher of the data channel, the size of the DH key and the RSA Key

I will explain all my choices here : https://github.com/Angristan/OpenVPN-install#encryption (likely tomorrow)
2016-11-28 22:13:32 +01:00
Angristan
c03a55f11f Making sure a correct DNS option is selected 2016-11-27 14:31:25 +01:00
TheKinrar
f76db9f589 Merge branch 'master' of https://github.com/TheKinrar/OpenVPN-install into TheKinrar-master 2016-11-26 16:13:02 +01:00
TheKinrar
f3ff29d6c7 rc.local fix 2016-11-25 18:25:37 +01:00
Angristan
17a9d76ae9 Remove ufw and MASQUERADE support
Not useful, badly implemented.
2016-11-25 00:59:03 +01:00
Angristan
218e474f85 Add logs
Can be useful.
2016-11-24 23:34:15 +01:00
Angristan
98ca79a9de Move rc.local and sysctl installation after the confirmation 2016-11-24 20:28:49 +01:00
TheKinrar
358e80b5a6 sysctl fix, again. 2016-11-24 19:37:45 +01:00
TheKinrar
cc657fa459 Fixed rc.local and sysctl.conf files on ArchLinux 2016-11-24 18:07:23 +01:00
TheKinrar
9b261809eb Automatically enable and start iptables on ArchLinux. 2016-11-22 19:55:17 +01:00
TheKinrar
6e2b5cb439 Added ArchLinux support. 2016-11-21 20:59:00 +01:00
Angristan
80dbca6e63 Add TCP support
There is now the choice to use TCP or UDP for OpenVPN protocol. You should always use UDP, but TCP can be useful sometimes : on lossy networks or to bypass some blockage
2016-11-21 19:57:52 +01:00
Angristan
662fe26f5b I don't know why it wasn't like this from the beginning 2016-11-20 23:09:42 +01:00
Angristan
552709059e Fix my previous commit
My bad.
2016-11-20 22:50:51 +01:00
Angristan
a09ef4868a The user can choose to continue the installer even if its OS is not supported
At its own risk of course. But usefull if using Ubuntu beta or Debian unstable/testing
2016-11-20 22:47:23 +01:00
Angristan
903270be4b Remove OpenNIC servers
Not consistant and can't really be trusted
2016-11-20 15:01:42 +01:00
Angristan
b0f271bc5f Specify the location of the DNS servers 2016-11-20 14:52:47 +01:00
Angristan
3f58eb781c Some cleanup 2016-11-20 14:22:08 +01:00
Angristan
7295627e67 Removing support for Ubuntu 15.10
Ubuntu 15.10 is not supported anymore since july 2016 : not safe to use it now
2016-10-20 14:33:16 +02:00
Angristan
fce638b552 Add support for Ubuntu 16.10 Yakketi Yak 2016-10-13 22:55:04 +02:00
Angristan
2c9701d477 Better way to enable IP forwarding
791c54786c
2016-10-04 17:34:11 +02:00
Angristan
aefb516958 Changed iptables to not lookup hosts
56f079289e
2016-10-04 17:31:35 +02:00
Kcchouette
87a191f8a1 Update openvpn-install.sh 2016-09-07 17:41:57 +02:00
Angristan
c8eed87ebd Fix UFW error 2016-08-18 18:52:58 +02:00
Super-Baleine
a14809e7c3 delete read 2016-07-12 11:07:08 +02:00
Super-Baleine
72ca23e880 let the choice
because it's more clean

enhancement
2016-07-12 00:09:39 +02:00
Kcchouette
8550d3474c fix the dns case error 2016-07-07 13:45:14 +02:00
Angristan
52f4e471bb Add DNS.WATCH DNS resolvers 2016-06-11 00:32:08 +02:00
jtbr
52cae76873 fix typo 2016-06-10 14:36:22 +02:00
jtbr
b93a3369fb Avoid inline comments in /etc/default/ufw; place pre-openvpn settings on new line 2016-06-10 14:33:26 +02:00
jtbr
eff3b83fe3 Support old clients that might not recognize blocking 2016-06-03 13:09:00 +02:00
jtbr
4a07541953 uninstall new firewalld rules 2016-05-17 05:55:27 +02:00
jtbr
a420a6cbcd add firewalld configuration for masquerading and reorganize to ensure firewalld command ordering is safe 2016-05-17 05:44:47 +02:00
jtbr
4f8cad83cf add ufw rule to allow traffic on chosen udp port 2016-05-17 05:29:31 +02:00
jtbr
e2b9f116d4 Add setup for ufw firewall when using MASQUERADE 2016-05-17 05:04:23 +02:00
jtbr
ff7a7a5c3d Prevent DNS leaks on windows (v2.3.9+, ignored on other platforms) 2016-05-17 05:03:26 +02:00
jtbr
b910dbb9ec clarify that the external address can be either an IP or a domain name 2016-05-10 22:50:58 +00:00
jtbr
3c8a6a0469 Merge branch 'master' of https://github.com/jtbr/OpenVPN-install
Conflicts:
	README.md
	openvpn-install.sh
2016-05-10 22:34:51 +00:00
jtbr
ecf2a3ed81 Undo TLS-CIPHER changes in f376ce91 in deference to harvester57's pull request 2016-05-10 22:30:38 +00:00
jtbr
2d39183284 Revert "my personal preferences, and limit 3 simultaneous clients"
This reverts commit 804c7aa9ed.
2016-05-10 22:30:38 +00:00
jtbr
de648aaa83 my personal preferences, and limit 3 simultaneous clients 2016-05-10 22:30:38 +00:00
jtbr
73eb665b82 merging readme changes 2016-05-10 22:29:43 +00:00
jtbr
868eea3477 Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme. 2016-05-10 22:21:52 +00:00
jtbr
30958ac55e this time actually fix the quoting issue for ip option 3 2016-05-10 22:21:52 +00:00
jtbr
3e913ea286 enable tls-auth and perfect forwarding secrecy 2016-05-10 22:21:52 +00:00
jtbr
891951fec8 run openvpn unprivileged 2016-05-10 22:21:52 +00:00
jtbr
950e307fbf fix dns option 3 with single quotes 2016-05-10 22:21:52 +00:00
jtbr
5824365ebc support either nogroup or nobody for permissionless group 2016-05-07 22:58:18 +02:00
Angristan
2f541b5399 Ubuntu 16.04 compatibility 2016-05-06 20:32:34 +02:00
jtbr
4baf845e36 Undo TLS-CIPHER changes in f376ce91 in deference to harvester57's pull request 2016-04-29 20:00:09 +00:00
jtbr
d87e87036f Revert "my personal preferences, and limit 3 simultaneous clients"
This reverts commit 804c7aa9ed.
2016-04-20 22:55:25 +00:00
jtbr
804c7aa9ed my personal preferences, and limit 3 simultaneous clients 2016-04-12 10:16:58 +00:00
jtbr
2fe0fa2062 Allow forwarding using either SNAT or MASQUERADE (as required by some setups) 2016-04-12 10:05:28 +00:00
jtbr
f376ce912f Support ios openvpn connect using CBC, SHA128 tls-cipher. Update readme. 2016-04-12 09:38:14 +00:00
jtbr
a65523eb1c this time actually fix the quoting issue for ip option 3 2016-04-10 19:45:33 +02:00
jtbr
b3fb14bcb4 enable tls-auth and perfect forwarding secrecy 2016-04-10 18:53:29 +02:00
jtbr
d844154a45 run openvpn unprivileged 2016-04-10 18:36:15 +02:00
jtbr
01003c88f8 fix dns option 3 with single quotes 2016-04-10 18:26:49 +02:00
Florian STOSSE
9aeb5b7c47 Remove old fix
This fix was intended to overcome hardcoded buffers values in old OpenVPN revisions (see https://www.lowendtalk.com/discussion/40099/why-openvpn-is-so-slow-cool-story). This is not needed anymore, as OpenVPN now use OS buffers (see https://community.openvpn.net/openvpn/ticket/461 and https://community.openvpn.net/openvpn/changeset/c72dbb8b470ab7b25fc74e41aed4212db48a9d2f/). It should lead to better performances over fast networks.

Signed-off-by: Florian STOSSE <contact@harvester.fr>
2016-03-22 11:47:24 +01:00
Angristan
6b4c00c394 Clarification for NAT 2016-03-21 21:43:34 +01:00
Angristan
21d8f78f4f Disable compression 2016-03-21 17:43:48 +01:00
Harvester
bf97d67f26 Revert ciphers
My bad !
2016-03-21 17:13:36 +01:00
Harvester
787784058a Disable compression client-side too 2016-03-21 16:18:18 +01:00
Florian Stosse
064c5bfe4a Typo
OpenVPN doesn't really like the way it was written
2016-03-21 13:30:17 +01:00
Florian Stosse
1a73a20240 Also change tls-cipher for clients 2016-03-21 13:26:37 +01:00
Florian Stosse
b15cd6cf81 Add more than one cipogers to tls-cipher
Just in case we need to fallback or downgrade
2016-03-21 13:20:35 +01:00
Florian Stosse
8b89b1743c Disable compression
For a hardened OpenVPN configuration, compression should be disabled : https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91#issuecomment-75388575
2016-03-21 13:13:57 +01:00
Angristan
faaa48d372 Fix ca-certificates errors 2016-03-19 22:51:00 +01:00
Angristan
1bf105e809 The BIG update
Deleted latest and legacy mode
Use OpenVPN 2.3.10 with custom repo
Add a check at start for Debian/Ubuntu
Fast mode with 2048 bits RSA and DH, 128 bits AES, SHA-256 certificate
Slow mode with 4096 bits RSA and DH, 256 bits AES, SHA-384 certificate
AES-256-CBC and SHA512 for HMAC auth
Add OpenNIC as a DNS option + GeoIP API
Delete NTT and Huricane Electric DNS
Other improvements
2016-03-19 17:41:18 +01:00
Angristan
157c27512a Combine latest and legacy version 2016-03-15 19:11:35 +01:00
Angristan
4fef7869d9 Fix which bug on CentOS 7 minimal
7fb12dc5cb
2016-03-14 21:37:14 +01:00
Angristan
1be02be239 TAP is not needed 2016-03-14 21:22:08 +01:00
Angristan
cbc7abc3dd Clarifies that it supports Scaleway NATed servers 2016-03-14 18:03:02 +01:00
Angristan
48252378ff Revert changes 2016-03-13 20:47:18 +01:00
Angristan
f49f187de2 Install which 2016-03-13 19:21:58 +01:00
Angristan
e9d6191925 Set FDN as default DNS 2016-03-13 15:13:46 +01:00
Angristan
f22fbc3cf0 No need to cp vars.example 2016-03-10 13:17:07 +01:00
Angristan
9b8ad887c3 New cipher 2016-03-09 22:59:03 +01:00
Angristan
5bc1d8e37a Add 4096 bits DH 2016-03-09 21:11:13 +01:00
Angristan
85c466e634 Remove 4096 bits DH 2016-03-09 21:10:41 +01:00
Angristan
a7e89ed0dd Add 4096 bits DH 2016-03-09 21:08:24 +01:00
Angristan
9146fd5523 Reorder DNS Servers 2016-03-08 23:53:30 +01:00
Angristan
1614923b1a TLS 1.2 only 2016-03-08 23:15:52 +01:00
Angristan
0ac534115a Use real encryption : AES-256-CBC 2016-03-08 17:40:22 +01:00
Angristan
6463979cc7 Update openvpn-install.sh 2016-03-08 17:12:09 +01:00
Angristan
efdd53c79f Remove logs and add FDN's DNS servers 2016-02-29 17:47:01 +01:00
Angristan
8d95e922ce update from source with latest commits 2016-02-27 10:52:51 +01:00
Angristan
c428975b66 Delete logs 2015-12-25 22:17:51 +01:00
angrysnarl
a1b57a1c31 Fixed rm -rf commands for revoking user certs 2015-12-16 00:15:08 +08:00
Nyr
0df84e4541 Fix #105 2015-12-14 22:36:40 +01:00
Nyr
e58addc2c5 Verify server certificate during easy-rsa download 2015-11-24 23:04:56 +01:00
Nyr
d55effb08c Update to easy-rsa 3.0.1 2015-11-21 15:35:51 +01:00
Nyr
73da43b872 Merge pull request #88 from ValdikSS/buf
Do not allow OpenVPN to set (low) buffer sizes
2015-11-15 19:36:15 +01:00
Nyr
51998f0d56 Merge pull request #87 from ValdikSS/euid
Use EUID to check root
2015-11-15 19:35:26 +01:00
ValdikSS
0265fc0e06 Use different exit codes on error 2015-11-15 13:37:22 +03:00
ValdikSS
15a39afd11 Do not allow OpenVPN to set (low) buffer sizes 2015-11-15 13:36:20 +03:00
ValdikSS
2574097eb4 Use EUID to check root 2015-11-15 13:34:19 +03:00
Nyr
d32416561b Grep for DROP as well as REJECT 2015-10-07 19:57:04 +02:00
Nyr
eb8d8257a0 The BIG commit
- Upgrade to easy-rsa 3.0.0
- Firewall support: rules are added for both FirewallD and iptables if
needed.
- Creation of our own configuration files for both the server and
clients.
- Using subnet topology instead of the deprecated net30.
- Removed port 53 question during install: user can just choose that
port during setup.
- Removed internal networking option: this is a road warrior installer
after all.
- Bugfix: the default easy-rsa directory was not correctly deleted if
one was already there.
2015-09-12 21:48:08 +02:00
Nyr
b46a0541dd Replaced Yandex DNS with Google
Yandex DNS is not stable enough, Google was previously missing.
2015-08-05 02:17:24 +02:00
Hyacinthe Cartiaux
91e09dedf1 Remove a useless use of wc 2015-08-01 20:27:30 +02:00
Nyr
7d467d9666 Multiple improvements
- Better UX for client certificate revocation: a list of the current
client names is shown to the user
- easy-rsa 2.2.2 now used by default: it’s easier for me to maintain a
single version
2015-07-22 08:02:59 +02:00
Nyr
b778c1aed9 Cosmetic bugfix 2015-06-29 09:23:44 +02:00
Nyr
cf48ecd3b0 Bugfixes
- Little fix for Debian Jessie
- Better systemd detection
- Fixed revocation on CentOS
2015-04-28 18:35:54 +02:00
Nyr
68b5ff7e99 Revert "Cleaner port 53 setup"
This reverts commit fb036d575b.
2015-03-10 10:44:47 +01:00
Nyr
fb036d575b Cleaner port 53 setup 2015-02-16 17:33:22 +01:00
Nyr
fad088013c CentOS support and other improvements 2015-02-11 19:51:19 +01:00
Nyr
a256194ecb Add feedback during removal abortion 2015-01-25 20:45:07 +01:00
Nyr
98b39e7354 Added a confirmation dialog before removing 2015-01-21 03:03:14 +01:00
Nyr
6d4af520b8 Bugfix for systems with a non-standard rc.local 2014-11-07 00:53:28 +01:00
Nyr
215140b682 Options for custom DNS and intra-VPN connectivity 2014-11-04 21:57:36 +01:00
Nyr
2174037768 Now using in-line certificates 2014-10-23 03:16:09 +02:00
Nyr
091e487472 Cleanup 2014-10-23 00:19:08 +02:00
Nyr
936a8b8ff0 Removed useless cat 2014-09-25 04:00:32 +02:00
Nyr
091ef01a8b Bug fix + future bulletproofness
- Use always double [[]] blocks (bug fix for the test at line 208 under
some circumstances)
- bash shell is now forced
- All variables are now quoted
2014-09-18 23:34:22 +02:00
Nyr
afb30c44da Now using resolvers from resolv.conf
This will help with some ISPs restricting access to third party DNS
servers like it happens with LowEndSpirit and Torqhost.
2014-05-15 18:20:53 +02:00
Nyr
c72a4d2b5e Bugfix: port redirect wasn't correctly set when a custom port was in place 2014-03-12 21:14:38 +01:00
Nyr
a69dae3021 Check if the script is running on a Debian-based system before starting
Fixed some spacing too
2014-03-12 21:06:57 +01:00
Nyr
6d89279940 Bugfix for systems with multiple IPv4 addresses available 2013-12-20 18:50:30 +01:00
Nyr
ee9750a210 Use Easy-RSA 2.2.2 instead of the master branch with Debian Jessie and Ubuntu Saucy
This was needed for Debian Jessie, but using always the latest Easy-RSA
was a bad idea.

I will force Easy-RSA 2.2.2 for now and until Jessie becomes stable.
Then we can probably just use the distro packages instead of Github,
but for now this will work.
2013-12-19 22:09:20 +01:00
Nyr
b30130b506 Bugfixes
- easy-rsa was downloaded from Github even on systems where it was available by default.
- easy-rsa.tar.gz is now removed when no longer needed.
2013-10-04 19:04:12 +02:00
Nyr
6c22c657f7 Update openvpn-install.sh 2013-08-22 17:00:53 +02:00