From 3af24ada047e3fe0b3df8a41256717f9e1b53c7a Mon Sep 17 00:00:00 2001 From: Christoph Date: Mon, 25 Sep 2023 01:27:48 +0200 Subject: [PATCH] Add support for debian 12. --- README.fix-error-md-too-weak | 21 +++ build_key-pass.sh | 117 +++++++----- conf/install_openvpn.conf.sample | 38 +++- create_key_config.sh | 97 ++++++---- install_openvpn.sh | 300 ++++++++++++++++++++++--------- 5 files changed, 406 insertions(+), 167 deletions(-) create mode 100644 README.fix-error-md-too-weak diff --git a/README.fix-error-md-too-weak b/README.fix-error-md-too-weak new file mode 100644 index 0000000..14d8ed4 --- /dev/null +++ b/README.fix-error-md-too-weak @@ -0,0 +1,21 @@ +# --- +# - +# - Error was: +# - 2023-04-30 11:36:05 OpenSSL: error:0A00018E:SSL routines::ca md too weak +# - +# - see: +# - https://www.rffuste.com/2023/05/01/fix-ssl-routinesca-md-too-weak/ +# - https://forum.hackthebox.com/t/openvpn-negotiated-cipher-not-allowed/259904/4 +# - +# --- + + +You just have to add tls-cert-profile insecure and modify cipher AES-128-CBC to data-ciphers-fallback AES-128-CBC + +# - Note: +# - I changed to +# - +# - data-ciphers-fallback BF-CBC + + + diff --git a/build_key-pass.sh b/build_key-pass.sh index 77136b4..a7856a8 100755 --- a/build_key-pass.sh +++ b/build_key-pass.sh 
@@ -228,14 +228,21 @@ fi [[ -n "$OPENVPN_SERVER" ]] || fatal "OpenVPN Server (parameter OPENVPN_SERVER ) not present!" [[ -n "$SERVER_PORT" ]] || fatal "Server Port (parameter SERVER_PORT ) not present!" + if [[ -z "$LZO_COMPRESSION" ]]; then - LZO_COMPRESSION=true -elif [[ "$LZO_COMPRESSION" = "yes" ]] ; then - LZO_COMPRESSION=true -else LZO_COMPRESSION=false +elif [[ "${LZO_COMPRESSION,,}" = "yes" ]] ; then + LZO_COMPRESSION=true +elif [[ "${LZO_COMPRESSION,,}" = "no" ]] ; then + LZO_COMPRESSION=false +elif [[ "$LZO_COMPRESSION" != "true" ]] && [[ "$LZO_COMPRESSION" != "false" ]] ; then + fatal "Wrong value for variable 'LZO_COMPRESSION' (${LZO_COMPRESSION})" +elif ! $LZO_COMPRESSION ; then + LZO_COMPRESSION=false +elif $LZO_COMPRESSION ; then + LZO_COMPRESSION=true fi - + EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa" @@ -264,10 +271,6 @@ _CA_CERT="${OPENVPN_KEY_DIR}/ca.crt" _TA_KEY="${OPENVPN_KEY_DIR}/ta.key" -EMAIL_PREFIX="$(echo $KEY_EMAIL | cut -d '\' -f1)" -EMAIL_DOMAIN="$(echo $KEY_EMAIL | cut -d '@' -f2)" - - echo "" echo -e "\033[32m--\033[m" echo "" @@ -302,6 +305,7 @@ if [[ -f "${_CLIENT_KEY}" ]]; then fatal "Name '$NEW_KEY_NAME' is already in use" fi + echo "" echo -e "\033[32m--\033[m" echo "" @@ -486,9 +490,17 @@ client ;dev tap dev tun +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server +;proto tcp proto udp # The hostname/IP and port of the server. @@ -498,6 +510,11 @@ remote $OPENVPN_SERVER $SERVER_PORT udp4 topology subnet +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected 
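Review bot: The last two branches of the new LZO_COMPRESSION chain execute the variable's value as a command (`elif ! $LZO_COMPRESSION`, `elif $LZO_COMPRESSION`) where a string comparison is meant, and the true/false comparisons are case-sensitive while yes/no are lower-cased, so `True` is rejected as a wrong value. The preceding `fatal` guard does confine the value to the literals true/false before either branch runs, so this is not dangerous as written, but it is fragile and the whole chain collapses into one case statement that keeps the new default of compression off. A why-comment on that default would also help, since the old code defaulted to true.

```shell
# Normalise LZO_COMPRESSION to the literal strings "true"/"false".
# Compression stays off unless explicitly requested (yes/true).
case "${LZO_COMPRESSION,,}" in
  ""|no|false) LZO_COMPRESSION=false ;;
  yes|true)    LZO_COMPRESSION=true ;;
  *) fatal "Wrong value for variable 'LZO_COMPRESSION' (${LZO_COMPRESSION})" ;;
esac
# … unchanged: EASY_RSA_DIR assignment and the rest of the script …
```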
@@ -508,10 +525,39 @@ resolv-retry infinite # a specific local port number. nobind +# Downgrade privileges after initialization (non-Windows only) +;user openvpn +;group openvpn + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + + # Try to preserve some state across restarts. persist-key persist-tun +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +;ca ${_CA_CERT} +;cert ${_CLIENT_CERT} +;key ${_CLIENT_KEY} + # Server CA EOF 
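Review bot: The privilege drop for the client (`;user openvpn` / `;group openvpn`) is added only as commented-out lines, so generated non-Windows client configs keep the OpenVPN process running with whatever privileges it started with, typically root. The template already emits `persist-key` and `persist-tun`, which are exactly what lets `user`/`group` survive restarts, so the drop could be enabled for the Linux case or the reason for leaving it off stated, e.g. `# left disabled: the same template serves Windows clients, where user/group is unsupported`. The heredoc is closed by the `EOF` at the end of this hunk, but the surrounding script continues outside it.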
@@ -576,34 +622,24 @@ done < $_file cat << EOF >> "$_client_conf_file" 2> $log_file -# Verify server certificate by checking -# that the certicate has the nsCertType -# field set to "server". This is an -# important precaution to protect against +# Verify server certificate by checking that the +# certificate has the correct key usage set. +# This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate -# your server certificates with the nsCertType -# field set to "server". The build-key-server -# script in the easy-rsa folder will do this. -# -# Note! -# The option "ns-cert-type" has been deprecated since -# version 2.4 and will be removed from later distributions. -# -# Use the modern equivalent "remote-cert-tls" -# -;ns-cert-type server +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. -# -# Don't forget to set the 'key-direction' Parameter if using -# Inline Key. Usualy , sever has key direction '0', while client -# has ke direction '1'. -# +;tls-auth ${_TA_KEY} 1 + key-direction 1 EOF 
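Review bot: The removed note explaining that `key-direction 1` pairs with an inline `<tls-auth>` block (server side 0, client side 1) was the only documentation of why a bare `key-direction 1` is emitted next to a commented `;tls-auth ${_TA_KEY} 1`, and the new text says nothing about it. Suggest keeping a one-line comment above it, e.g. `# key-direction 1 applies to the inline <tls-auth> block appended below; the server uses 0`, so a reader of the generated client config does not see a direction with no key. The inline block itself is presumably written later in the script, outside this hunk. The new `remote-cert-tls server` explanation (keyUsage digitalSignature/keyEncipherment, extendedKeyUsage serverAuth) matches what that option verifies.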
@@ -628,24 +664,15 @@ cat << EOF >> "$_client_conf_file" 2> $log_file # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the data-ciphers option in the manpage +;cipher AES-256-CBC EOF -if [[ -n "$SERVER_CIPHER" ]]; then - if [[ "${SERVER_CIPHER,,}" = "none" ]]; then - cat <> "$_client_conf_file" 2>> "$log_file" -cipher BF-CBC -EOF - else - cat <> "$_client_conf_file" 2>> "$log_file" -cipher $SERVER_CIPHER -EOF - fi -else - cat <> "$_client_conf_file" 2>> "$log_file" -cipher BF-CBC +if [[ "${SERVER_CIPHER,,}" != "none" ]]; then + cat <> ${_server_conf_file} 2>> "$log_file" +cipher ${SERVER_CIPHER} EOF fi diff --git a/conf/install_openvpn.conf.sample b/conf/install_openvpn.conf.sample index 6fbd060..5dc2d61 100644 --- a/conf/install_openvpn.conf.sample +++ b/conf/install_openvpn.conf.sample @@ -93,9 +93,45 @@ KEY_ALTNAMES="" # - LZO_COMPRESSION="no" +# - DATA_CIPHERS +# - # - Server cryptographic cipher # - -SERVER_CIPHER="AES-256-CBC" +# - Example: +# - DATA_CIPHERS="AES-256-CBC" +# - DATA_CIPHERS="AES-256-GCM:AES-128-GCM:AES-256-CBC" +# - +# - Defaults to "AES-256-GCM:AES-128-GCM" +# - +# - +DATA_CIPHERS="" + +# - SERVER_CIPHER +# - +# - Server additional cryptographic cipher +# - +# - Example: +# - SERVER_CIPHER="AES-256-CBC" +# - SERVER_AES-256-GCM" +# - +# - Defaults to "AES-256-CBC" and is added to DATA_CIPHERS if DATA_CIPHERS was leaave empty. +# - +# - Note: +# - if set, also add the cipher to "DATA_CIPHERS" +# - +SERVER_CIPHER="" + +# - DATA_CIPHERS_FALLBACK +# - +# - Server fallback cryptographic cipher +# - +# - Example: +# - DATA_CIPHERS_FALLBACK="BF-CBC" +# - +# - Defaults to "BF-CBC" +# - +# - +DATA_CIPHERS_FALLBACK="" # - OpenVPN Network(s) used for this server. # - 
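Review bot: The cipher line is now appended to `${_server_conf_file}` although this hunk is building the client configuration (the context line directly above writes to `"$_client_conf_file"`); unless `_server_conf_file` is defined somewhere in build_key-pass.sh, the unquoted empty expansion turns the redirection into an ambiguous-redirect error and no `cipher` directive reaches the client. The guard also changed from `-n "$SERVER_CIPHER"` to `!= "none"`, so an empty SERVER_CIPHER (the new default in the sample config) writes `cipher ` with no argument, which OpenVPN rejects as a missing parameter. Suggest `if [[ -n "$SERVER_CIPHER" ]] && [[ "${SERVER_CIPHER,,}" != "none" ]]; then` with `cat << EOF >> "$_client_conf_file" 2>> "$log_file"`. The block looks copied from install_openvpn.sh, where writing to the server config is correct; the `cat <>` visible here is presumably the `<< EOF >>` redirection mangled by rendering.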
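Review bot: The documented defaults in the new DATA_CIPHERS, SERVER_CIPHER and DATA_CIPHERS_FALLBACK comments ("AES-256-GCM:AES-128-GCM", "AES-256-CBC", "BF-CBC") do not match install_openvpn.sh, where all three DEFAULT_* values are "None" and a "None" value writes nothing into the server config, leaving OpenVPN's own negotiation defaults in force. Suggest rewording each block to `# - Defaults to "None" (nothing is written; OpenVPN's built-in defaults apply)`; the example line `SERVER_AES-256-GCM"` is also mangled and `leaave` is a typo. Where BF-CBC is offered as the fallback example it deserves an explicit warning: it is a 64-bit block cipher (SWEET32), OpenVPN 2.5+ no longer negotiates it by default, and on Debian 12's OpenSSL 3 it lives in the legacy provider. A line such as `# - BF-CBC is legacy-only (64-bit block, needs the OpenSSL legacy provider); prefer leaving this empty` would make that clear.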
diff --git a/create_key_config.sh b/create_key_config.sh index baebe59..80c9ef5 100755 --- a/create_key_config.sh +++ b/create_key_config.sh @@ -223,10 +223,12 @@ else fi -[[ "${SERVER_CIPHER,,}" = "none" ]] && SERVER_CIPHER="BF-CBC" -[[ "${SERVER_CIPHER,,}" = "" ]] && SERVER_CIPHER="BF-CBC" +[[ -n "$OPENVPN_SERVER" ]] || fatal "OpenVPN Server (parameter OPENVPN_SERVER ) not present!" +[[ -n "$SERVER_PORT" ]] || fatal "Server Port (parameter SERVER_PORT ) not present!" + + if [[ -z "$LZO_COMPRESSION" ]]; then - LZO_COMPRESSION=true + LZO_COMPRESSION=false elif [[ "${LZO_COMPRESSION,,}" = "yes" ]] ; then LZO_COMPRESSION=true elif [[ "${LZO_COMPRESSION,,}" = "no" ]] ; then @@ -239,6 +241,7 @@ elif $LZO_COMPRESSION ; then LZO_COMPRESSION=true fi + EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa" if [[ -d "${OPENVPN_BASE_DIR}/pki" ]] ; then @@ -431,9 +434,17 @@ client ;dev tap dev tun +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + # Are we connecting to a TCP or # UDP server? Use the same setting as # on the server +;proto tcp proto udp # The hostname/IP and port of the server. @@ -443,6 +454,11 @@ remote $OPENVPN_SERVER $SERVER_PORT udp4 topology subnet +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + # Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected 
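Review bot: Dropping the two lines that mapped an empty or "none" SERVER_CIPHER to BF-CBC leaves SERVER_CIPHER with no normalisation at all, and the later cipher block in this file only tests `!= "none"`, so an empty value (the sample config now ships `SERVER_CIPHER=""`) produces a `cipher ` directive with no argument. Replacing the mapping with `[[ -z "$SERVER_CIPHER" ]] && SERVER_CIPHER="None"` keeps the later test correct without resurrecting Blowfish. The added presence checks for OPENVPN_SERVER and SERVER_PORT and the compression default of false now match build_key-pass.sh, which is good.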
@@ -453,10 +469,39 @@ resolv-retry infinite # a specific local port number. nobind +# Downgrade privileges after initialization (non-Windows only) +;user openvpn +;group openvpn + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + + # Try to preserve some state across restarts. persist-key persist-tun +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. +;ca ${_CA_CERT} +;cert ${_CLIENT_CERT} +;key ${_CLIENT_KEY} + # Server CA EOF 
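Review bot: The `;ca ${_CA_CERT}`, `;cert ${_CLIENT_CERT}` and `;key ${_CLIENT_KEY}` lines sit in an unquoted heredoc, so they expand to the server's absolute key-directory paths inside every generated client file — paths that do not exist on the client and that needlessly disclose the server's layout. Use literal placeholders as the upstream sample does, e.g. `;ca ca.crt`, `;cert client.crt`, `;key client.key`, or escape the dollar signs. This template block is now duplicated verbatim between create_key_config.sh and build_key-pass.sh; a shared template sourced by both would keep the two from drifting. The heredoc is closed by the `EOF` at the end of the hunk.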
@@ -520,34 +565,24 @@ done < $_file cat << EOF >> "$_client_conf_file" 2> $log_file -# Verify server certificate by checking -# that the certicate has the nsCertType -# field set to "server". This is an -# important precaution to protect against +# Verify server certificate by checking that the +# certificate has the correct key usage set. +# This is an important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate -# your server certificates with the nsCertType -# field set to "server". The build-key-server -# script in the easy-rsa folder will do this. -# -# Note! -# The option "ns-cert-type" has been deprecated since -# version 2.4 and will be removed from later distributions. -# -# Use the modern equivalent "remote-cert-tls" -# -;ns-cert-type server +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. remote-cert-tls server # If a tls-auth key is used on the server # then every client must also have the key. -# -# Don't forget to set the 'key-direction' Parameter if using -# Inline Key. Usualy , sever has key direction '0', while client -# has ke direction '1'. -# +;tls-auth ${_TA_KEY} 1 + key-direction 1 EOF 
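Review bot: `;tls-auth ${_TA_KEY} 1` expands to the server-side path of ta.key in every client file, while the active `key-direction 1` below it refers to an inline `<tls-auth>` block that is presumably written later in the script, outside this hunk; a literal `;tls-auth ta.key 1` plus a comment such as `# key-direction 1: the inline <tls-auth> block below is the client side (server uses 0)` would make the generated file self-explanatory. If new deployments are not tied to tls-auth for compatibility, `tls-crypt` is the usual replacement since it also encrypts the control channel, but that is a separate decision. The rewritten `remote-cert-tls server` comment correctly describes the keyUsage/extendedKeyUsage the option checks.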
@@ -572,18 +607,14 @@ cat << EOF >> "$_client_conf_file" 2> $log_file # Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the data-ciphers option in the manpage EOF -if [[ -n "$SERVER_CIPHER" ]]; then - cat <> "$_client_conf_file" 2>> "$log_file" -cipher $SERVER_CIPHER -EOF -else - cat <> "$_client_conf_file" 2>> "$log_file" -cipher BF-CBC +if [[ "${SERVER_CIPHER,,}" != "none" ]]; then + cat <> ${_server_conf_file} 2>> "$log_file" +cipher ${SERVER_CIPHER} EOF fi diff --git a/install_openvpn.sh b/install_openvpn.sh index 0600b3e..4924e79 100755 --- a/install_openvpn.sh +++ b/install_openvpn.sh @@ -249,7 +249,10 @@ DEFAULT_KEY_EMAIL='argus@oopen.de' DEFAULT_KEY_ORG='o.open' DEFAULT_KEY_OU="Network Services" -DEFAULT_SERVER_CIPHER="AES-256-GCM" +#DEFAULT_SERVER_CIPHER="AES-256-GCM" +DEFAULT_SERVER_CIPHER="None" +DEFAULT_DATA_CIPHERS="None" +DEFAULT_DATA_CIPHERS_FALLBACK="None" #--------------------------------------- @@ -275,7 +278,11 @@ else fatal "$(cat $log_file)" fi fi -[[ -z "$DEFAULT_SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER='None' + +[[ -z "${SERVER_CIPHER}" ]] && SERVER_CIPHER="${DEFAULT_SERVER_CIPHER}" +[[ -z "${DATA_CIPHERS}" ]] && DATA_CIPHERS="${DEFAULT_DATA_CIPHERS}" + +[[ -z "${DATA_CIPHERS_FALLBACK}" ]] && DATA_CIPHERS_FALLBACK="${DEFAULT_DATA_CIPHERS_FALLBACK}" [[ -n "$OPENVPN_SERVER" ]] && DEFAULT_SERVER="$(trim "$OPENVPN_SERVER")" @@ -313,8 +320,6 @@ fi [[ -n "$KEY_OU" ]] && DEFAULT_KEY_OU="$(trim "$KEY_OU")" [[ -n "$LZO_COMPRESSION" ]] && DEFAULT_LZO_COMPRESSION="$(trim "$LZO_COMPRESSION")" -[[ -n "$SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER="$(trim "$SERVER_CIPHER")" -#[[ -n "$" ]] && DEFAULT_="$(trim "$")" declare -a DEFAULT_OPENVPN_NETWORK=() if [[ -n "$OPENVPN_NETWORK" ]] ; then 
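Review bot: Same defect as in build_key-pass.sh: this client-config generator now appends the `cipher` line to `${_server_conf_file}` instead of `"$_client_conf_file"` (the target used by the context line above), and with an empty SERVER_CIPHER the `!= "none"` guard still writes `cipher ` without a value. Unless `_server_conf_file` is set somewhere in create_key_config.sh, the unquoted empty expansion yields an ambiguous-redirect error and the client never receives the directive. Suggest `if [[ -n "$SERVER_CIPHER" ]] && [[ "${SERVER_CIPHER,,}" != "none" ]]; then` with `cat << EOF >> "$_client_conf_file" 2>> "$log_file"`. The block appears copied from install_openvpn.sh, where writing to the server config is the intent.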
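Review bot: Removing `[[ -n "$SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER="$(trim "$SERVER_CIPHER")"` without adding equivalents for DATA_CIPHERS and DATA_CIPHERS_FALLBACK means a value configured in install_openvpn.conf is no longer offered as the prompt default: the prompts further down display and fall back to `${DEFAULT_*}`, which stays at the hard-coded "None", and they reset the working variables to "" before `read`. The new lines in the -275 hunk copy DEFAULT_* into the variables, which is the reverse direction and does not help. Suggest restoring the three lines `[[ -n "$DATA_CIPHERS" ]] && DEFAULT_DATA_CIPHERS="$(trim "$DATA_CIPHERS")"`, `[[ -n "$SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER="$(trim "$SERVER_CIPHER")"` and `[[ -n "$DATA_CIPHERS_FALLBACK" ]] && DEFAULT_DATA_CIPHERS_FALLBACK="$(trim "$DATA_CIPHERS_FALLBACK")"` where the removed line stood, unless this is done elsewhere in the file.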
@@ -697,13 +702,43 @@ echo "" echo "Note: if setting this parameter at the server configuration, this parameter *must'" echo " also set this parameter at client configuration" echo "" -echo " cipher BF-CBC # Blowfish (default)" +echo " cipher BF-CBC # Blowfish" +echo " cipher AES-128-CBC # AES 128Bit" +echo " cipher AES-256-CBC # AES 256Bit" +echo " cipher DES-EDE3-CBC # Triple-DES" +echo " cipher AES-256-GCM # GCM 256Bit (default)" +echo " ..." +echo "" +echo " Give a colon separated list (i.e.\"AES-256-GCM:DES-EDE3-CBC:AES-256-CBC\")" +echo "" +echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation." +echo "" +DATA_CIPHERS="" +echononl "Server cryptographic cipher [${DEFAULT_DATA_CIPHERS}]: " +read DATA_CIPHERS +if [[ "X$DATA_CIPHERS" = "X" ]]; then + DATA_CIPHERS="$DEFAULT_DATA_CIPHERS" +fi +if [[ "$(trim ${DATA_CIPHERS,,})" = "none" ]] || [[ "$(trim ${DATA_CIPHERS,,})" = "default" ]] ; then + DATA_CIPHERS="None" +fi + + +echo "" +echo "Set server-side additional 'cryptographic cipher'." +echo "" +echo "Note: if setting this parameter at the server configuration, this parameter *must'" +echo " also set this parameter at client configuration" +echo "" +echo " cipher BF-CBC # Blowfish" echo " cipher AES-128-CBC # AES 128Bit" echo " cipher AES-256-CBC # AES 256Bit" echo " cipher DES-EDE3-CBC # Triple-DES" echo " ..." echo "" -echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set." +echo " Only one cipher ist possible (i.e.\"AES-256-CBC\")" +echo "" +echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation." echo "" SERVER_CIPHER="" echononl "Server cryptographic cipher [${DEFAULT_SERVER_CIPHER}]: " 
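Review bot: The DATA_CIPHERS prompt accepts any string and that string is later written verbatim into `data-ciphers` in the server config, so a typo or stray whitespace is only discovered when OpenVPN refuses to start; a syntax check after the none/default normalisation, e.g. `[[ "$DATA_CIPHERS" == "None" || "$DATA_CIPHERS" =~ ^[A-Za-z0-9:-]+$ ]] || fatal "Invalid DATA_CIPHERS '${DATA_CIPHERS}'"`, would catch it early, and the colon-separated entries could be checked against `openvpn --show-ciphers` once the package is installed. The help text labels AES-256-GCM as "(default)" while DEFAULT_DATA_CIPHERS is "None"; it would be clearer to say that "None" leaves OpenVPN's own default list in place. `$(trim ${DATA_CIPHERS,,})` is unquoted inside the substitution, so a value containing spaces is word-split before trim sees it, depending on how trim is implemented.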
@@ -711,10 +746,35 @@ read SERVER_CIPHER if [[ "X$SERVER_CIPHER" = "X" ]]; then SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" fi -if [[ "$(trim ${SERVER_CIPHER,,})" = none ]]; then +if [[ "$(trim ${SERVER_CIPHER,,})" = "none" ]] || "$(trim ${SERVER_CIPHER,,})" = "default" ]]; then SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" fi + +echo "" +echo "Set server-side fallback 'cryptographic cipher'." +echo "" +echo " cipher BF-CBC # Blowfish (default)" +echo " cipher AES-128-CBC # AES 128Bit" +echo " cipher AES-256-CBC # AES 256Bit" +echo " cipher DES-EDE3-CBC # Triple-DES" +echo " ..." +echo "" +echo " Only one cipher ist possible (i.e.\"BF-CBC\")" +echo "" +echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation." +echo "" +DATA_CIPHERS_FALLBACK="" +echononl "Fallback cryptographic cipher [${DEFAULT_DATA_CIPHERS_FALLBACK}]: " +read DATA_CIPHERS_FALLBACK +if [[ "X$DATA_CIPHERS_FALLBACK" = "X" ]]; then + DATA_CIPHERS_FALLBACK="$DEFAULT_DATA_CIPHERS_FALLBACK" +fi +if [[ "$(trim ${DATA_CIPHERS_FALLBACK,,})" = "none" ]] || [[ "$(trim ${DATA_CIPHERS_FALLBACK,,})" = "default" ]] ; then + DATA_CIPHERS_FALLBACK="None" +fi + + echo "" echo "" echononl "Enable LZO compression (yes/no) [no]: " 
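Review bot: The new condition is missing its second `[[`: `if [[ "$(trim ${SERVER_CIPHER,,})" = "none" ]] || "$(trim ${SERVER_CIPHER,,})" = "default" ]]; then` runs the lower-cased operator input as a command with the arguments `= default ]]` whenever it is not "none" — normally just a 'command not found' on stderr, but it does execute whatever was typed. It should read `if [[ "$(trim ${SERVER_CIPHER,,})" = "none" ]] || [[ "$(trim ${SERVER_CIPHER,,})" = "default" ]]; then`. The body then assigns `$DEFAULT_SERVER_CIPHER` rather than the literal "None" used by the DATA_CIPHERS and fallback prompts, so typing None only disables the cipher while the default happens to be None. In the fallback help text `cipher BF-CBC # Blowfish (default)` presents a 64-bit block cipher (SWEET32) as the default although DEFAULT_DATA_CIPHERS_FALLBACK is "None"; mark it legacy-only instead.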
@@ -1517,10 +1577,20 @@ echo "" echo -e "\tOpenVPN Network.....................: $OPENVPN_NETWORK" echo -e "\tOpenVPN Server IP-Address...........: $OPENVPN_SERVER_IP" echo "" -if [[ -n "$SERVER_CIPHER" ]] ; then - echo -e "\tServer cipher setting...............: $SERVER_CIPHER" +if [[ -n "$DATA_CIPHERS" ]] && [[ "${DATA_CIPHERS,,}" != "none" ]] ; then + echo -e "\tServer ciphers .....................: $DATA_CIPHERS" else - echo -e "\tServer cipher setting...............: \033[33mNone\033[m" + echo -e "\tServer ciphers .....................: \033[33mNone\033[m" +fi +if [[ -n "$SERVER_CIPHER" ]] && [[ "${SERVER_CIPHER,,}" != "none" ]] ; then + echo -e "\tAdditional Server cipher............: $SERVER_CIPHER" +else + echo -e "\tAdditional Server cipher............: \033[33mNone\033[m" +fi +if [[ -n "$DATA_CIPHERS_FALLBACK" ]] && [[ "${DATA_CIPHERS_FALLBACK,,}" != "none" ]] ; then + echo -e "\tFallback Server cipher..............: $DATA_CIPHERS_FALLBACK" +else + echo -e "\tFallback Server cipher..............: \033[33mNone\033[m" fi echo -e "\tLZO compression.....................: $LZO_COMPRESSION" echo "" @@ -1591,7 +1661,9 @@ fi # #OPENVPN_SERVER_IP="$OPENVPN_SERVER_IP" # +#DATA_CIPHERS="$DATA_CIPHERS" #SERVER_CIPHER="$SERVER_CIPHER" +#DATA_CIPHERS_FALLBACK="$DATA_CIPHERS_FALLBACK" # #LZO_COMPRESSION="$LZO_COMPRESSION" # 
@@ -1706,26 +1778,11 @@ LZO_COMPRESSION="no" EOF fi -if [[ -n "$SERVER_CIPHER" ]] ; then - if [[ "${SERVER_CIPHER,,}" = "none" ]]; then - cat <> "$_client_conf_file" 2>> "$log_file" -cipher BF-CBC +cat <> "$_openvpn_name_conf_file" 2>> "$log_file" +DATA_CIPHERS="${DATA_CIPHERS}" +SERVER_CIPHER="${SERVER_CIPHER}" +DATA_CIPHERS_FALLBACK="${DATA_CIPHERS_FALLBACK}" -EOF - else - cat << EOF >> $_openvpn_name_conf_file 2> $log_file -SERVER_CIPHER="$SERVER_CIPHER" - -EOF - fi -else - cat << EOF >> $_openvpn_name_conf_file 2> $log_file -SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" - -EOF -fi - -cat << EOF >> $_openvpn_name_conf_file 2> $log_file OPENVPN_NETWORK="$OPENVPN_NETWORK" EOF @@ -2032,11 +2089,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then #perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"\\\${0%/*}\"&" ${EASY_RSA_DIR}/vars > "$log_file" - perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"${OPENVPN_BASE_DIR}/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 - if [[ $? -ne 0 ]]; then - _failed=true - fi - _key="EASYRSA_OPENSSL" _val="openssl" perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 @@ -2064,12 +2116,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then _failed=true fi - # EASYRSA_KEY_SIZE - perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 - if [[ $? -ne 0 ]]; then - _failed=true - fi - _key="EASYRSA_DN" _val=""org perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_DN\s+.*)&##\1\nset_var EASYRSA_DN\t\t \"org\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 
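Review bot: Deleting the EASYRSA_KEY_SIZE substitution (the -2064 hunk) means the operator's KEY_SIZE is no longer written into easy-rsa's vars on Debian newer than 9, so the CA, server and client keys are generated with easy-rsa's own default size regardless of what was configured — a silent downgrade if KEY_SIZE was 4096. If the removal was needed because the vars template changed in Debian 12, keep the substitution under the same `os_version -lt 12` condition used elsewhere in this commit, and otherwise pass the size explicitly at the build steps, e.g. `EASYRSA_KEY_SIZE="$KEY_SIZE" ${EASY_RSA_DIR}/easyrsa ...`, unless this is already handled outside the hunks shown. The -1706 hunk now saves `DATA_CIPHERS`, `SERVER_CIPHER` and `DATA_CIPHERS_FALLBACK` even when they hold the literal "None", which the readers in the client-config scripts test for, so that part is consistent.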
@@ -2121,7 +2167,11 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then _key="EASYRSA_REQ_CN" _val="$KEY_CN" - perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + else + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\n#set_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + fi if [[ $? -ne 0 ]]; then _failed=true @@ -2155,13 +2205,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then _failed=true fi - _key="EASYRSA_REQ_CN" - _val="$KEY_CN" - perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 - if [[ $? -ne 0 ]]; then - _failed=true - fi - _key="EASYRSA_BATCH" _val="1" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 
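Review bot: The two new perl invocations differ only by the `#` that comments out `set_var EASYRSA_REQ_CN` on Debian 12 and newer, and nothing says why the CN is deliberately left unset there, so a reader will assume it is a mistake. Add a why-comment stating the actual reason, e.g. `# Debian >= 12: leave EASYRSA_REQ_CN commented in vars; the easy-rsa shipped there handles the CN differently` (adjust to the real cause), and fold the branches into one call with a prefix variable: `_prefix=""; [[ $os_version -ge 12 ]] && _prefix="#"` followed by a single perl line using `${_prefix}set_var`. The inner `"$os_dist" = "debian"` test is redundant inside the enclosing `if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]]` block, whose start and end lie outside this hunk.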
@@ -2375,24 +2418,68 @@ else # - Removes & re-initializes the PKI dir for a clean PKI # - echononl " Initialise PKI Directory" - ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" init-pki > "$log_file" 2>&1 - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - - print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" init-pki" + if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then + ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" init-pki > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + + print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" init-pki" - echononl "continue anyway [yes/no]: " - read OK - OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" - while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do - echononl "Wrong entry! - repeat [yes/nno]: " + echononl "continue anyway [yes/no]: " read OK - done - [[ $OK = "yes" ]] || fatal "Abbruch durch User" - fi + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi + else + ${EASY_RSA_DIR}/easyrsa --pki-dir=${OPENVPN_KEY_DIR} init-pki > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + + print_command "${EASY_RSA_DIR}/easyrsa --pki-dir=${OPENVPN_KEY_DIR} init-pki" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi + + echononl " Backup .'${OPENVPN_KEY_DIR}/vars'." + if [[ -f "${OPENVPN_KEY_DIR}/vars" ]]; then + mv "${OPENVPN_KEY_DIR}/vars" "${OPENVPN_KEY_DIR}/vars.$_date" > "$log_file" 2>&1 + if [[ $? 
-eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + else + echo_skipped + fi + + echononl " Copy 'vars' to PKI directory '${OPENVPN_KEY_DIR}'.." + cp "${EASY_RSA_DIR}/vars" "${OPENVPN_KEY_DIR}/vars" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + fi fi @@ -2403,7 +2490,12 @@ echononl " Create Root CA.." if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 else - printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1 + if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then + printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1 + else + printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1 + #printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa build-ca nopass > "$log_file" 2>&1 + fi fi if [[ $? -eq 0 ]] ; then echo_ok @@ -2715,7 +2807,9 @@ cat <> ${_server_conf_file} 2>> "$log_file" # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. -# Use "dev tap" if you are ethernet bridging. +# Use "dev tap0" if you are ethernet bridging +# and have precreated a tap0 virtual interface +# and bridged it with your ethernet interface. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. @@ -2760,8 +2854,7 @@ key $_SERVER_KEY # This file should be kept secret # Diffie hellman parameters. # Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using +# openssl dhparam -out dh2048.pem 2048 # 2048 bit keys. dh $_DH_KEY 
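Review bot: On Debian 12 and newer, `init-pki` now runs with `--pki-dir=${OPENVPN_KEY_DIR}`, i.e. directly on the live key directory, and the context comment says init-pki "Removes & re-initializes the PKI dir"; if that directory already holds a CA and issued certificates from a previous run there is no check or backup before they are wiped — only `vars` is backed up, and only afterwards. Suggest guarding it, e.g. `[[ -f "${OPENVPN_KEY_DIR}/ca.crt" ]] && fatal "Existing PKI in ${OPENVPN_KEY_DIR}; move it away first"` or a backup step, unless an earlier part of the script already does this. `${OPENVPN_KEY_DIR}` is unquoted in the command line itself. The two identical "continue anyway" prompt blocks could be one helper.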
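Review bot: Both branches of the new `os_version -lt 12` test in the build-ca step run the identical command, so the `if`/`else` is dead code that only leaves a commented alternative behind; either drop the branch or make the Debian 12 path actually differ (the commented `easyrsa build-ca nopass` without `--vars`, if that is the intent). Worth a comment on the new line regardless: `nopass` leaves the CA private key unencrypted on the VPN host, presumably so that signing can run unattended, e.g. `# nopass: CA key is stored unencrypted for unattended signing; restrict access to ${OPENVPN_KEY_DIR}`. The `if [[ $? -eq 0 ]]` that follows reads the status of the whole compound statement, which here is the easyrsa pipeline in whichever branch ran, so it still works.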
@@ -2795,6 +2888,18 @@ ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 +# Configure server mode for ethernet bridging +# using a DHCP-proxy, where clients talk +# to the OpenVPN server-side DHCP server +# to receive their IP address allocation +# and DNS server addresses. You must first use +# your OS's bridging capability to bridge the TAP +# interface with the ethernet NIC interface. +# Note: this mode only works on clients (such as +# Windows), where the client-side TAP adapter is +# bound to a DHCP client. +;server-bridge + # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these @@ -2802,7 +2907,8 @@ ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. -;push "route 10.8.0.0 255.255.255.0" +;push "route 192.168.10.0 255.255.255.0" +;push "route 192.168.20.0 255.255.255.0" EOF if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do 
@@ -2875,21 +2981,18 @@ client-config-dir $OPENVPN_CCD_DIR # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). -# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" +# or bridge the TUN/TAP interface to the internet +# in order for this to work properly). +;push "redirect-gateway def1 bypass-dhcp" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option WINS 10.8.0.1" +# The addresses below refer to the public +# DNS servers provided by opendns.com. +;push "dhcp-option DNS 208.67.222.222" +;push "dhcp-option DNS 208.67.220.220" EOF if [[ -n "$DNS_SERVER" ]]; then cat <> ${_server_conf_file} 2>> "$log_file" 
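Review bot: When `push "redirect-gateway def1 bypass-dhcp"` is enabled, Windows clients still send DNS queries to their local resolvers unless `block-outside-dns` is pushed as well, so the template should carry the companion line next to it: `;push "block-outside-dns"` with `# Windows clients: prevent DNS leaks around the tunnel when redirecting the gateway`. The OpenDNS example addresses are commented out and the real resolvers come from `$DNS_SERVER` below, so they are harmless; the `if [[ -n "$DNS_SERVER" ]]` block that writes them starts here and ends outside the hunk.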
@@ -2954,21 +3057,38 @@ tls-auth ${OPENVPN_KEY_DIR}/ta.key 0 # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the ncp-cipher option in the manpage +;cipher AES-256-CBC + EOF -if [[ -n "$SERVER_CIPHER" ]]; then +if [[ "${SERVER_CIPHER,,}" != "none" ]]; then cat <> ${_server_conf_file} 2>> "$log_file" -cipher $SERVER_CIPHER +cipher ${SERVER_CIPHER} +EOF +fi +if [[ "${DATA_CIPHERS,,}" != "none" ]]; then + cat <> ${_server_conf_file} 2>> "$log_file" +data-ciphers ${DATA_CIPHERS} +EOF +fi +if [[ "${DATA_CIPHERS_FALLBACK,,}" != "none" ]]; then + cat <> ${_server_conf_file} 2>> "$log_file" +data-ciphers-fallback ${DATA_CIPHERS_FALLBACK} EOF - fi cat <> ${_server_conf_file} 2>> "$log_file" -# Enable compression on the VPN link. +# Enable compression on the VPN link and push the +# option to the client (v2.4+ only, for earlier +# versions see below) +;compress lz4-v2 +;push "compress lz4-v2" + +# For compression compatible with older clients use comp-lzo # If you enable it here, you must also # enable it in the client config file. ;comp-lzo @@ -3017,8 +3137,8 @@ status /var/log/openvpn/status-server-${OPENVPN_NAME}.log # "log" will truncate the log file on OpenVPN startup, # while "log-append" will append to it. Use one # or the other (but not both). -;log-append openvpn.log -;log openvpn.log +;log /var/log/openvpn/openvpn.log +;log-append /var/log/openvpn/openvpn.log log /var/log/openvpn/server-${OPENVPN_NAME}.log # Set the appropriate level of log 
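Review bot: The fallback branch writes `data-ciphers-fallback ${DATA_CIPHERS_FALLBACK}` for whatever the operator entered, and the prompts and sample config steer towards BF-CBC; on Debian 12 (OpenSSL 3) Blowfish is only available through the legacy provider, so OpenVPN 2.6 needs `providers legacy default` for that line to work, and it remains a 64-bit block cipher (SWEET32). A comment at the emit site, e.g. `# fallback is for clients without cipher negotiation only; BF-CBC needs 'providers legacy default' on OpenSSL 3 and should be retired`, would stop the option from being cargo-culted. The new template comment points at `ncp-cipher`, which is the deprecated alias; `data-ciphers` is the current name. Nothing checks that a SERVER_CIPHER absent from DATA_CIPHERS is still negotiable — the sample config asks the operator to add it by hand — while the `compress lz4-v2` lines stay commented, which is the right default given VORACLE.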
@@ -3034,6 +3154,10 @@ verb 1 # sequential messages of the same message # category will be output to the log. ;mute 20 + +# Notify the client that when the server restarts so it +# can automatically reconnect. +explicit-exit-notify 1 EOF if [[ -h "${OPENVPN_BASE_DIR}/crl.pem" ]] ; then
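Review bot: `explicit-exit-notify 1` is emitted unconditionally, but OpenVPN only accepts it together with `proto udp` and refuses to start otherwise; if the installer can generate a TCP server (the client template offers `;proto tcp`), this line must be written only in the UDP case, e.g. `[[ "$<proto-var>" == "udp" ]] && echo "explicit-exit-notify 1" >> "${_server_conf_file}"` using whatever variable carries the protocol. The server's own `proto` line is outside this hunk, so I cannot tell whether it is fixed to UDP. The `if [[ -h ... crl.pem` that follows is cut off at the end of the hunk.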