Add support for debian 12.

2023-09-25 01:27:48 +02:00
parent 9af06213a6
commit 3af24ada04
5 changed files with 406 additions and 167 deletions
--- a/build_key-pass.sh
+++ b/build_key-pass.sh
@@ -228,14 +228,21 @@ fi
 [[ -n "$OPENVPN_SERVER" ]] || fatal "OpenVPN Server (parameter OPENVPN_SERVER ) not present!"
 [[ -n "$SERVER_PORT" ]] || fatal "Server Port (parameter SERVER_PORT ) not present!"

+
 if [[ -z "$LZO_COMPRESSION" ]]; then
-   LZO_COMPRESSION=true
-elif [[ "$LZO_COMPRESSION" = "yes" ]] ; then
-   LZO_COMPRESSION=true
-else
   LZO_COMPRESSION=false
+elif [[ "${LZO_COMPRESSION,,}" = "yes" ]] ; then
+   LZO_COMPRESSION=true
+elif  [[ "${LZO_COMPRESSION,,}" = "no" ]] ; then
+   LZO_COMPRESSION=false
+elif [[ "$LZO_COMPRESSION" != "true" ]] && [[ "$LZO_COMPRESSION" != "false" ]] ; then
+   fatal "Wrong value for variable 'LZO_COMPRESSION' (${LZO_COMPRESSION})"
+elif ! $LZO_COMPRESSION ; then
+   LZO_COMPRESSION=false
+elif $LZO_COMPRESSION ; then
+   LZO_COMPRESSION=true
 fi
-   
+ 

 EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa"

@@ -264,10 +271,6 @@ _CA_CERT="${OPENVPN_KEY_DIR}/ca.crt"
 _TA_KEY="${OPENVPN_KEY_DIR}/ta.key"


-EMAIL_PREFIX="$(echo $KEY_EMAIL | cut -d '\' -f1)"
-EMAIL_DOMAIN="$(echo $KEY_EMAIL | cut -d '@' -f2)"
-
-
 echo ""
 echo -e "\033[32m--\033[m"
 echo ""
@@ -302,6 +305,7 @@ if [[ -f "${_CLIENT_KEY}" ]]; then
   fatal "Name '$NEW_KEY_NAME' is already in use"
 fi

+
 echo ""
 echo -e "\033[32m--\033[m"
 echo ""
@@ -486,9 +490,17 @@ client
 ;dev tap
 dev tun

+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel
+# if you have more than one.  On XP SP2,
+# you may need to disable the firewall
+# for the TAP adapter.
+;dev-node MyTap
+
 # Are we connecting to a TCP or
 # UDP server?  Use the same setting as
 # on the server
+;proto tcp
 proto udp

 # The hostname/IP and port of the server.
@@ -498,6 +510,11 @@ remote $OPENVPN_SERVER $SERVER_PORT udp4

 topology subnet

+# Choose a random host from the remote
+# list for load-balancing.  Otherwise
+# try hosts in the order specified.
+;remote-random
+
 # Keep trying indefinitely to resolve the
 # host name of the OpenVPN server.  Very useful
 # on machines which are not permanently connected
@@ -508,10 +525,39 @@ resolv-retry infinite
 # a specific local port number.
 nobind

+# Downgrade privileges after initialization (non-Windows only)
+;user openvpn
+;group openvpn
+
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here.  See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+
+# Wireless networks often produce a lot
+# of duplicate packets.  Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+
+
 # Try to preserve some state across restarts.
 persist-key
 persist-tun

+# SSL/TLS parms.
+# See the server config file for more
+# description.  It's best to use
+# a separate .crt/.key file pair
+# for each client.  A single ca
+# file can be used for all clients.
+;ca ${_CA_CERT}
+;cert ${_CLIENT_CERT}
+;key ${_CLIENT_KEY}
+
 # Server CA
 <ca>
 EOF
@@ -576,34 +622,24 @@ done < $_file
 cat << EOF >> "$_client_conf_file"  2> $log_file
 </key>

-# Verify server certificate by checking
-# that the certicate has the nsCertType
-# field set to "server".  This is an
-# important precaution to protect against
+# Verify server certificate by checking that the
+# certificate has the correct key usage set.
+# This is an important precaution to protect against
 # a potential attack discussed here:
 #  http://openvpn.net/howto.html#mitm
 #
 # To use this feature, you will need to generate
-# your server certificates with the nsCertType
-# field set to "server".  The build-key-server
-# script in the easy-rsa folder will do this.
-#
-# Note!
-# The option "ns-cert-type" has been deprecated since 
-# version 2.4 and will be removed from later distributions.
-#
-# Use the modern equivalent "remote-cert-tls"
-# 
-;ns-cert-type server
+# your server certificates with the keyUsage set to
+#   digitalSignature, keyEncipherment
+# and the extendedKeyUsage to
+#   serverAuth
+# EasyRSA can do this for you.
 remote-cert-tls server

 # If a tls-auth key is used on the server
 # then every client must also have the key.
-#
-# Don't forget to set the 'key-direction' Parameter if using
-# Inline Key. Usualy , sever has key direction '0', while client
-# has ke direction '1'.
-#
+;tls-auth ${_TA_KEY} 1
+
 key-direction 1
 <tls-auth>
 EOF
@@ -628,24 +664,15 @@ cat << EOF >> "$_client_conf_file"  2> $log_file
 # Select a cryptographic cipher.
 # If the cipher option is used on the server
 # then you must also specify it here.
-;cipher BF-CBC        # Blowfish (default)
-;cipher AES-128-CBC   # AES
-;cipher DES-EDE3-CBC  # Triple-DES
+# Note that v2.4 client/server will automatically
+# negotiate AES-256-GCM in TLS mode.
+# See also the data-ciphers option in the manpage
+;cipher AES-256-CBC
 EOF

-if [[ -n "$SERVER_CIPHER" ]]; then
-   if [[ "${SERVER_CIPHER,,}" = "none" ]]; then
-      cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
-cipher BF-CBC
-EOF
-   else
-      cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
-cipher $SERVER_CIPHER
-EOF
-   fi
-else
-   cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
-cipher BF-CBC
+if [[ "${SERVER_CIPHER,,}" != "none" ]]; then
+   cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
+cipher ${SERVER_CIPHER}
 EOF
 fi