Add support for debian 12.

This commit is contained in:
Christoph 2023-09-25 01:27:48 +02:00
parent 9af06213a6
commit 3af24ada04
5 changed files with 406 additions and 167 deletions


@ -0,0 +1,21 @@
# ---
# -
# - Error was:
# - 2023-04-30 11:36:05 OpenSSL: error:0A00018E:SSL routines::ca md too weak
# -
# - see:
# - https://www.rffuste.com/2023/05/01/fix-ssl-routinesca-md-too-weak/
# - https://forum.hackthebox.com/t/openvpn-negotiated-cipher-not-allowed/259904/4
# -
# ---
You just have to add tls-cert-profile insecure and modify cipher AES-128-CBC to data-ciphers-fallback AES-128-CBC
# - Note:
# - I changed to
# -
# - data-ciphers-fallback BF-CBC
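Review bot: The workaround recorded here, `tls-cert-profile insecure`, does not fix the cause of "ca md too weak" — it relaxes the signature-hash and key-size minimums OpenVPN enforces on the peer certificate chain, and the note should say so before someone copies it into a production client profile. The durable fix is to re-issue the CA and server certificates with a SHA-2 signature (current easy-rsa does this by default) and leave `tls-cert-profile` at its default; `insecure` belongs in the note only as a stop-gap for an old CA, with a line such as `# - WARNING: tls-cert-profile insecure weakens certificate validation; remove once the CA is re-issued`. Likewise `data-ciphers-fallback BF-CBC` re-enables a 64-bit block cipher that recent OpenVPN releases only accept with the legacy provider, so a caveat like `# - BF-CBC is a 64-bit block cipher (SWEET32); migrate clients to AES-GCM and drop this line` would keep the note from reading as a recommendation.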


@ -228,12 +228,19 @@ fi
[[ -n "$OPENVPN_SERVER" ]] || fatal "OpenVPN Server (parameter OPENVPN_SERVER ) not present!" [[ -n "$OPENVPN_SERVER" ]] || fatal "OpenVPN Server (parameter OPENVPN_SERVER ) not present!"
[[ -n "$SERVER_PORT" ]] || fatal "Server Port (parameter SERVER_PORT ) not present!" [[ -n "$SERVER_PORT" ]] || fatal "Server Port (parameter SERVER_PORT ) not present!"
if [[ -z "$LZO_COMPRESSION" ]]; then if [[ -z "$LZO_COMPRESSION" ]]; then
LZO_COMPRESSION=true
elif [[ "$LZO_COMPRESSION" = "yes" ]] ; then
LZO_COMPRESSION=true
else
LZO_COMPRESSION=false LZO_COMPRESSION=false
elif [[ "${LZO_COMPRESSION,,}" = "yes" ]] ; then
LZO_COMPRESSION=true
elif [[ "${LZO_COMPRESSION,,}" = "no" ]] ; then
LZO_COMPRESSION=false
elif [[ "$LZO_COMPRESSION" != "true" ]] && [[ "$LZO_COMPRESSION" != "false" ]] ; then
fatal "Wrong value for variable 'LZO_COMPRESSION' (${LZO_COMPRESSION})"
elif ! $LZO_COMPRESSION ; then
LZO_COMPRESSION=false
elif $LZO_COMPRESSION ; then
LZO_COMPRESSION=true
fi fi
@ -264,10 +271,6 @@ _CA_CERT="${OPENVPN_KEY_DIR}/ca.crt"
_TA_KEY="${OPENVPN_KEY_DIR}/ta.key" _TA_KEY="${OPENVPN_KEY_DIR}/ta.key"
EMAIL_PREFIX="$(echo $KEY_EMAIL | cut -d '\' -f1)"
EMAIL_DOMAIN="$(echo $KEY_EMAIL | cut -d '@' -f2)"
echo "" echo ""
echo -e "\033[32m--\033[m" echo -e "\033[32m--\033[m"
echo "" echo ""
@ -302,6 +305,7 @@ if [[ -f "${_CLIENT_KEY}" ]]; then
fatal "Name '$NEW_KEY_NAME' is already in use" fatal "Name '$NEW_KEY_NAME' is already in use"
fi fi
echo "" echo ""
echo -e "\033[32m--\033[m" echo -e "\033[32m--\033[m"
echo "" echo ""
@ -486,9 +490,17 @@ client
;dev tap ;dev tap
dev tun dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or # Are we connecting to a TCP or
# UDP server? Use the same setting as # UDP server? Use the same setting as
# on the server # on the server
;proto tcp
proto udp proto udp
# The hostname/IP and port of the server. # The hostname/IP and port of the server.
@ -498,6 +510,11 @@ remote $OPENVPN_SERVER $SERVER_PORT udp4
topology subnet topology subnet
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the # Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful # host name of the OpenVPN server. Very useful
# on machines which are not permanently connected # on machines which are not permanently connected
@ -508,10 +525,39 @@ resolv-retry infinite
# a specific local port number. # a specific local port number.
nobind nobind
# Downgrade privileges after initialization (non-Windows only)
;user openvpn
;group openvpn
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# Try to preserve some state across restarts. # Try to preserve some state across restarts.
persist-key persist-key
persist-tun persist-tun
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ${_CA_CERT}
;cert ${_CLIENT_CERT}
;key ${_CLIENT_KEY}
# Server CA # Server CA
<ca> <ca>
EOF EOF
@ -576,34 +622,24 @@ done < $_file
cat << EOF >> "$_client_conf_file" 2> $log_file cat << EOF >> "$_client_conf_file" 2> $log_file
</key> </key>
# Verify server certificate by checking # Verify server certificate by checking that the
# that the certicate has the nsCertType # certificate has the correct key usage set.
# field set to "server". This is an # This is an important precaution to protect against
# important precaution to protect against
# a potential attack discussed here: # a potential attack discussed here:
# http://openvpn.net/howto.html#mitm # http://openvpn.net/howto.html#mitm
# #
# To use this feature, you will need to generate # To use this feature, you will need to generate
# your server certificates with the nsCertType # your server certificates with the keyUsage set to
# field set to "server". The build-key-server # digitalSignature, keyEncipherment
# script in the easy-rsa folder will do this. # and the extendedKeyUsage to
# # serverAuth
# Note! # EasyRSA can do this for you.
# The option "ns-cert-type" has been deprecated since
# version 2.4 and will be removed from later distributions.
#
# Use the modern equivalent "remote-cert-tls"
#
;ns-cert-type server
remote-cert-tls server remote-cert-tls server
# If a tls-auth key is used on the server # If a tls-auth key is used on the server
# then every client must also have the key. # then every client must also have the key.
# ;tls-auth ${_TA_KEY} 1
# Don't forget to set the 'key-direction' Parameter if using
# Inline Key. Usualy , sever has key direction '0', while client
# has ke direction '1'.
#
key-direction 1 key-direction 1
<tls-auth> <tls-auth>
EOF EOF
@ -628,24 +664,15 @@ cat << EOF >> "$_client_conf_file" 2> $log_file
# Select a cryptographic cipher. # Select a cryptographic cipher.
# If the cipher option is used on the server # If the cipher option is used on the server
# then you must also specify it here. # then you must also specify it here.
;cipher BF-CBC # Blowfish (default) # Note that v2.4 client/server will automatically
;cipher AES-128-CBC # AES # negotiate AES-256-GCM in TLS mode.
;cipher DES-EDE3-CBC # Triple-DES # See also the data-ciphers option in the manpage
;cipher AES-256-CBC
EOF EOF
if [[ -n "$SERVER_CIPHER" ]]; then if [[ "${SERVER_CIPHER,,}" != "none" ]]; then
if [[ "${SERVER_CIPHER,,}" = "none" ]]; then cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
cat <<EOF >> "$_client_conf_file" 2>> "$log_file" cipher ${SERVER_CIPHER}
cipher BF-CBC
EOF
else
cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
cipher $SERVER_CIPHER
EOF
fi
else
cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
cipher BF-CBC
EOF EOF
fi fi
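Review bot: The new cipher block at the end of this section redirects into `${_server_conf_file}` although this script builds the client profile — every other heredoc in the section appends to `"$_client_conf_file"` — so unless `_server_conf_file` is set somewhere outside the hunk, bash aborts with an ambiguous redirect (empty variable) or, if it is set, the `cipher` line lands in the wrong file. Dropping the `-n "$SERVER_CIPHER"` guard also lets an unset value through the `!= "none"` comparison and emits a bare `cipher ` directive that OpenVPN rejects at startup. I would restore both: `if [[ -n "$SERVER_CIPHER" ]] && [[ "${SERVER_CIPHER,,}" != "none" ]]; then` followed by `cat <<EOF >> "$_client_conf_file" 2>> "$log_file"`. The enclosing script body starts before this hunk.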


@ -93,9 +93,45 @@ KEY_ALTNAMES=""
# - # -
LZO_COMPRESSION="no" LZO_COMPRESSION="no"
# - DATA_CIPHERS
# -
# - Server cryptographic cipher # - Server cryptographic cipher
# - # -
SERVER_CIPHER="AES-256-CBC" # - Example:
# - DATA_CIPHERS="AES-256-CBC"
# - DATA_CIPHERS="AES-256-GCM:AES-128-GCM:AES-256-CBC"
# -
# - Defaults to "AES-256-GCM:AES-128-GCM"
# -
# -
DATA_CIPHERS=""
# - SERVER_CIPHER
# -
# - Server additional cryptographic cipher
# -
# - Example:
# - SERVER_CIPHER="AES-256-CBC"
# - SERVER_AES-256-GCM"
# -
# - Defaults to "AES-256-CBC" and is added to DATA_CIPHERS if DATA_CIPHERS was leaave empty.
# -
# - Note:
# - if set, also add the cipher to "DATA_CIPHERS"
# -
SERVER_CIPHER=""
# - DATA_CIPHERS_FALLBACK
# -
# - Server fallback cryptographic cipher
# -
# - Example:
# - DATA_CIPHERS_FALLBACK="BF-CBC"
# -
# - Defaults to "BF-CBC"
# -
# -
DATA_CIPHERS_FALLBACK=""
# - OpenVPN Network(s) used for this server. # - OpenVPN Network(s) used for this server.
# - # -
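Review bot: The defaults quoted in the new comments do not match what the installer in this same commit applies: the comments say `AES-256-GCM:AES-128-GCM`, `AES-256-CBC` and `BF-CBC`, while the setup script initialises `DEFAULT_DATA_CIPHERS`, `DEFAULT_SERVER_CIPHER` and `DEFAULT_DATA_CIPHERS_FALLBACK` to `None`, so an operator reading this file will believe a Blowfish fallback is active when it is not (or the reverse). The `SERVER_CIPHER` example line is also truncated (`SERVER_AES-256-GCM"`) and "leaave" is a typo. Because `DATA_CIPHERS_FALLBACK` re-enables whatever cipher is named for clients that cannot negotiate, the comment should state that empty is the safe choice and flag the cipher, e.g. `# - Defaults to "None" (no fallback). BF-CBC is a 64-bit block cipher; only set this if clients older than OpenVPN 2.4 must connect, and remove it once they are upgraded.`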


@ -223,10 +223,12 @@ else
fi fi
[[ "${SERVER_CIPHER,,}" = "none" ]] && SERVER_CIPHER="BF-CBC" [[ -n "$OPENVPN_SERVER" ]] || fatal "OpenVPN Server (parameter OPENVPN_SERVER ) not present!"
[[ "${SERVER_CIPHER,,}" = "" ]] && SERVER_CIPHER="BF-CBC" [[ -n "$SERVER_PORT" ]] || fatal "Server Port (parameter SERVER_PORT ) not present!"
if [[ -z "$LZO_COMPRESSION" ]]; then if [[ -z "$LZO_COMPRESSION" ]]; then
LZO_COMPRESSION=true LZO_COMPRESSION=false
elif [[ "${LZO_COMPRESSION,,}" = "yes" ]] ; then elif [[ "${LZO_COMPRESSION,,}" = "yes" ]] ; then
LZO_COMPRESSION=true LZO_COMPRESSION=true
elif [[ "${LZO_COMPRESSION,,}" = "no" ]] ; then elif [[ "${LZO_COMPRESSION,,}" = "no" ]] ; then
@ -239,6 +241,7 @@ elif $LZO_COMPRESSION ; then
LZO_COMPRESSION=true LZO_COMPRESSION=true
fi fi
EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa" EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa"
if [[ -d "${OPENVPN_BASE_DIR}/pki" ]] ; then if [[ -d "${OPENVPN_BASE_DIR}/pki" ]] ; then
@ -431,9 +434,17 @@ client
;dev tap ;dev tap
dev tun dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or # Are we connecting to a TCP or
# UDP server? Use the same setting as # UDP server? Use the same setting as
# on the server # on the server
;proto tcp
proto udp proto udp
# The hostname/IP and port of the server. # The hostname/IP and port of the server.
@ -443,6 +454,11 @@ remote $OPENVPN_SERVER $SERVER_PORT udp4
topology subnet topology subnet
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the # Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful # host name of the OpenVPN server. Very useful
# on machines which are not permanently connected # on machines which are not permanently connected
@ -453,10 +469,39 @@ resolv-retry infinite
# a specific local port number. # a specific local port number.
nobind nobind
# Downgrade privileges after initialization (non-Windows only)
;user openvpn
;group openvpn
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# Try to preserve some state across restarts. # Try to preserve some state across restarts.
persist-key persist-key
persist-tun persist-tun
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
;ca ${_CA_CERT}
;cert ${_CLIENT_CERT}
;key ${_CLIENT_KEY}
# Server CA # Server CA
<ca> <ca>
EOF EOF
@ -520,34 +565,24 @@ done < $_file
cat << EOF >> "$_client_conf_file" 2> $log_file cat << EOF >> "$_client_conf_file" 2> $log_file
</key> </key>
# Verify server certificate by checking # Verify server certificate by checking that the
# that the certicate has the nsCertType # certificate has the correct key usage set.
# field set to "server". This is an # This is an important precaution to protect against
# important precaution to protect against
# a potential attack discussed here: # a potential attack discussed here:
# http://openvpn.net/howto.html#mitm # http://openvpn.net/howto.html#mitm
# #
# To use this feature, you will need to generate # To use this feature, you will need to generate
# your server certificates with the nsCertType # your server certificates with the keyUsage set to
# field set to "server". The build-key-server # digitalSignature, keyEncipherment
# script in the easy-rsa folder will do this. # and the extendedKeyUsage to
# # serverAuth
# Note! # EasyRSA can do this for you.
# The option "ns-cert-type" has been deprecated since
# version 2.4 and will be removed from later distributions.
#
# Use the modern equivalent "remote-cert-tls"
#
;ns-cert-type server
remote-cert-tls server remote-cert-tls server
# If a tls-auth key is used on the server # If a tls-auth key is used on the server
# then every client must also have the key. # then every client must also have the key.
# ;tls-auth ${_TA_KEY} 1
# Don't forget to set the 'key-direction' Parameter if using
# Inline Key. Usualy , sever has key direction '0', while client
# has ke direction '1'.
#
key-direction 1 key-direction 1
<tls-auth> <tls-auth>
EOF EOF
@ -572,18 +607,14 @@ cat << EOF >> "$_client_conf_file" 2> $log_file
# Select a cryptographic cipher. # Select a cryptographic cipher.
# If the cipher option is used on the server # If the cipher option is used on the server
# then you must also specify it here. # then you must also specify it here.
;cipher BF-CBC # Blowfish (default) # Note that v2.4 client/server will automatically
;cipher AES-128-CBC # AES # negotiate AES-256-GCM in TLS mode.
;cipher DES-EDE3-CBC # Triple-DES # See also the data-ciphers option in the manpage
EOF EOF
if [[ -n "$SERVER_CIPHER" ]]; then if [[ "${SERVER_CIPHER,,}" != "none" ]]; then
cat <<EOF >> "$_client_conf_file" 2>> "$log_file" cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
cipher $SERVER_CIPHER cipher ${SERVER_CIPHER}
EOF
else
cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
cipher BF-CBC
EOF EOF
fi fi
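Review bot: `cat <<EOF >> ${_server_conf_file}` in the final hunk writes the client's `cipher` line to a variable this client-side script never shows being assigned, while the preceding heredocs all target `"$_client_conf_file"`; this looks copied from the server generator and will either fail with an ambiguous redirect when the variable is empty or append the directive to the wrong file. Removing the `-n "$SERVER_CIPHER"` test additionally lets an empty value pass `!= "none"` and produces `cipher ` with no argument. Suggested: `if [[ -n "$SERVER_CIPHER" ]] && [[ "${SERVER_CIPHER,,}" != "none" ]]; then` and `cat <<EOF >> "$_client_conf_file" 2>> "$log_file"`. The surrounding script continues beyond the hunk.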


@ -249,7 +249,10 @@ DEFAULT_KEY_EMAIL='argus@oopen.de'
DEFAULT_KEY_ORG='o.open' DEFAULT_KEY_ORG='o.open'
DEFAULT_KEY_OU="Network Services" DEFAULT_KEY_OU="Network Services"
DEFAULT_SERVER_CIPHER="AES-256-GCM" #DEFAULT_SERVER_CIPHER="AES-256-GCM"
DEFAULT_SERVER_CIPHER="None"
DEFAULT_DATA_CIPHERS="None"
DEFAULT_DATA_CIPHERS_FALLBACK="None"
#--------------------------------------- #---------------------------------------
@ -275,7 +278,11 @@ else
fatal "$(cat $log_file)" fatal "$(cat $log_file)"
fi fi
fi fi
[[ -z "$DEFAULT_SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER='None'
[[ -z "${SERVER_CIPHER}" ]] && SERVER_CIPHER="${DEFAULT_SERVER_CIPHER}"
[[ -z "${DATA_CIPHERS}" ]] && DATA_CIPHERS="${DEFAULT_DATA_CIPHERS}"
[[ -z "${DATA_CIPHERS_FALLBACK}" ]] && DATA_CIPHERS_FALLBACK="${DEFAULT_DATA_CIPHERS_FALLBACK}"
[[ -n "$OPENVPN_SERVER" ]] && DEFAULT_SERVER="$(trim "$OPENVPN_SERVER")" [[ -n "$OPENVPN_SERVER" ]] && DEFAULT_SERVER="$(trim "$OPENVPN_SERVER")"
@ -313,8 +320,6 @@ fi
[[ -n "$KEY_OU" ]] && DEFAULT_KEY_OU="$(trim "$KEY_OU")" [[ -n "$KEY_OU" ]] && DEFAULT_KEY_OU="$(trim "$KEY_OU")"
[[ -n "$LZO_COMPRESSION" ]] && DEFAULT_LZO_COMPRESSION="$(trim "$LZO_COMPRESSION")" [[ -n "$LZO_COMPRESSION" ]] && DEFAULT_LZO_COMPRESSION="$(trim "$LZO_COMPRESSION")"
[[ -n "$SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER="$(trim "$SERVER_CIPHER")"
#[[ -n "$" ]] && DEFAULT_="$(trim "$")"
declare -a DEFAULT_OPENVPN_NETWORK=() declare -a DEFAULT_OPENVPN_NETWORK=()
if [[ -n "$OPENVPN_NETWORK" ]] ; then if [[ -n "$OPENVPN_NETWORK" ]] ; then
@ -697,13 +702,43 @@ echo ""
echo "Note: if setting this parameter at the server configuration, this parameter *must'" echo "Note: if setting this parameter at the server configuration, this parameter *must'"
echo " also set this parameter at client configuration" echo " also set this parameter at client configuration"
echo "" echo ""
echo " cipher BF-CBC # Blowfish (default)" echo " cipher BF-CBC # Blowfish"
echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES"
echo " cipher AES-256-GCM # GCM 256Bit (default)"
echo " ..."
echo ""
echo " Give a colon separated list (i.e.\"AES-256-GCM:DES-EDE3-CBC:AES-256-CBC\")"
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation."
echo ""
DATA_CIPHERS=""
echononl "Server cryptographic cipher [${DEFAULT_DATA_CIPHERS}]: "
read DATA_CIPHERS
if [[ "X$DATA_CIPHERS" = "X" ]]; then
DATA_CIPHERS="$DEFAULT_DATA_CIPHERS"
fi
if [[ "$(trim ${DATA_CIPHERS,,})" = "none" ]] || [[ "$(trim ${DATA_CIPHERS,,})" = "default" ]] ; then
DATA_CIPHERS="None"
fi
echo ""
echo "Set server-side additional 'cryptographic cipher'."
echo ""
echo "Note: if setting this parameter at the server configuration, this parameter *must'"
echo " also set this parameter at client configuration"
echo ""
echo " cipher BF-CBC # Blowfish"
echo " cipher AES-128-CBC # AES 128Bit" echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit" echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES" echo " cipher DES-EDE3-CBC # Triple-DES"
echo " ..." echo " ..."
echo "" echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set." echo " Only one cipher ist possible (i.e.\"AES-256-CBC\")"
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation."
echo "" echo ""
SERVER_CIPHER="" SERVER_CIPHER=""
echononl "Server cryptographic cipher [${DEFAULT_SERVER_CIPHER}]: " echononl "Server cryptographic cipher [${DEFAULT_SERVER_CIPHER}]: "
@ -711,10 +746,35 @@ read SERVER_CIPHER
if [[ "X$SERVER_CIPHER" = "X" ]]; then if [[ "X$SERVER_CIPHER" = "X" ]]; then
SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
fi fi
if [[ "$(trim ${SERVER_CIPHER,,})" = none ]]; then if [[ "$(trim ${SERVER_CIPHER,,})" = "none" ]] || "$(trim ${SERVER_CIPHER,,})" = "default" ]]; then
SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
fi fi
echo ""
echo "Set server-side fallback 'cryptographic cipher'."
echo ""
echo " cipher BF-CBC # Blowfish (default)"
echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES"
echo " ..."
echo ""
echo " Only one cipher ist possible (i.e.\"BF-CBC\")"
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation."
echo ""
DATA_CIPHERS_FALLBACK=""
echononl "Fallback cryptographic cipher [${DEFAULT_DATA_CIPHERS_FALLBACK}]: "
read DATA_CIPHERS_FALLBACK
if [[ "X$DATA_CIPHERS_FALLBACK" = "X" ]]; then
DATA_CIPHERS_FALLBACK="$DEFAULT_DATA_CIPHERS_FALLBACK"
fi
if [[ "$(trim ${DATA_CIPHERS_FALLBACK,,})" = "none" ]] || [[ "$(trim ${DATA_CIPHERS_FALLBACK,,})" = "default" ]] ; then
DATA_CIPHERS_FALLBACK="None"
fi
echo "" echo ""
echo "" echo ""
echononl "Enable LZO compression (yes/no) [no]: " echononl "Enable LZO compression (yes/no) [no]: "
@ -1517,10 +1577,20 @@ echo ""
echo -e "\tOpenVPN Network.....................: $OPENVPN_NETWORK" echo -e "\tOpenVPN Network.....................: $OPENVPN_NETWORK"
echo -e "\tOpenVPN Server IP-Address...........: $OPENVPN_SERVER_IP" echo -e "\tOpenVPN Server IP-Address...........: $OPENVPN_SERVER_IP"
echo "" echo ""
if [[ -n "$SERVER_CIPHER" ]] ; then if [[ -n "$DATA_CIPHERS" ]] && [[ "${DATA_CIPHERS,,}" != "none" ]] ; then
echo -e "\tServer cipher setting...............: $SERVER_CIPHER" echo -e "\tServer ciphers .....................: $DATA_CIPHERS"
else else
echo -e "\tServer cipher setting...............: \033[33mNone\033[m" echo -e "\tServer ciphers .....................: \033[33mNone\033[m"
fi
if [[ -n "$SERVER_CIPHER" ]] && [[ "${SERVER_CIPHER,,}" != "none" ]] ; then
echo -e "\tAdditional Server cipher............: $SERVER_CIPHER"
else
echo -e "\tAdditional Server cipher............: \033[33mNone\033[m"
fi
if [[ -n "$DATA_CIPHERS_FALLBACK" ]] && [[ "${DATA_CIPHERS_FALLBACK,,}" != "none" ]] ; then
echo -e "\tFallback Server cipher..............: $DATA_CIPHERS_FALLBACK"
else
echo -e "\tFallback Server cipher..............: \033[33mNone\033[m"
fi fi
echo -e "\tLZO compression.....................: $LZO_COMPRESSION" echo -e "\tLZO compression.....................: $LZO_COMPRESSION"
echo "" echo ""
@ -1591,7 +1661,9 @@ fi
# #
#OPENVPN_SERVER_IP="$OPENVPN_SERVER_IP" #OPENVPN_SERVER_IP="$OPENVPN_SERVER_IP"
# #
#DATA_CIPHERS="$DATA_CIPHERS"
#SERVER_CIPHER="$SERVER_CIPHER" #SERVER_CIPHER="$SERVER_CIPHER"
#DATA_CIPHERS_FALLBACK="$DATA_CIPHERS_FALLBACK"
# #
#LZO_COMPRESSION="$LZO_COMPRESSION" #LZO_COMPRESSION="$LZO_COMPRESSION"
# #
@ -1706,26 +1778,11 @@ LZO_COMPRESSION="no"
EOF EOF
fi fi
if [[ -n "$SERVER_CIPHER" ]] ; then cat <<EOF >> "$_openvpn_name_conf_file" 2>> "$log_file"
if [[ "${SERVER_CIPHER,,}" = "none" ]]; then DATA_CIPHERS="${DATA_CIPHERS}"
cat <<EOF >> "$_client_conf_file" 2>> "$log_file" SERVER_CIPHER="${SERVER_CIPHER}"
cipher BF-CBC DATA_CIPHERS_FALLBACK="${DATA_CIPHERS_FALLBACK}"
EOF
else
cat << EOF >> $_openvpn_name_conf_file 2> $log_file
SERVER_CIPHER="$SERVER_CIPHER"
EOF
fi
else
cat << EOF >> $_openvpn_name_conf_file 2> $log_file
SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
EOF
fi
cat << EOF >> $_openvpn_name_conf_file 2> $log_file
OPENVPN_NETWORK="$OPENVPN_NETWORK" OPENVPN_NETWORK="$OPENVPN_NETWORK"
EOF EOF
@ -2032,11 +2089,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
#perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"\\\${0%/*}\"&" ${EASY_RSA_DIR}/vars > "$log_file" #perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"\\\${0%/*}\"&" ${EASY_RSA_DIR}/vars > "$log_file"
perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"${OPENVPN_BASE_DIR}/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
_key="EASYRSA_OPENSSL" _key="EASYRSA_OPENSSL"
_val="openssl" _val="openssl"
perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
@ -2064,12 +2116,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
_failed=true _failed=true
fi fi
# EASYRSA_KEY_SIZE
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
_key="EASYRSA_DN" _key="EASYRSA_DN"
_val=""org _val=""org
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_DN\s+.*)&##\1\nset_var EASYRSA_DN\t\t \"org\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_DN\s+.*)&##\1\nset_var EASYRSA_DN\t\t \"org\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
@ -2121,7 +2167,11 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
_key="EASYRSA_REQ_CN" _key="EASYRSA_REQ_CN"
_val="$KEY_CN" _val="$KEY_CN"
perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
else
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\n#set_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
fi
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
_failed=true _failed=true
@ -2155,13 +2205,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
_failed=true _failed=true
fi fi
_key="EASYRSA_REQ_CN"
_val="$KEY_CN"
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
_key="EASYRSA_BATCH" _key="EASYRSA_BATCH"
_val="1" _val="1"
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
@ -2375,6 +2418,7 @@ else
# - Removes & re-initializes the PKI dir for a clean PKI # - Removes & re-initializes the PKI dir for a clean PKI
# - # -
echononl " Initialise PKI Directory" echononl " Initialise PKI Directory"
if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then
${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" init-pki > "$log_file" 2>&1 ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" init-pki > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@ -2393,6 +2437,49 @@ else
done done
[[ $OK = "yes" ]] || fatal "Abbruch durch User" [[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi fi
else
${EASY_RSA_DIR}/easyrsa --pki-dir=${OPENVPN_KEY_DIR} init-pki > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
print_command "${EASY_RSA_DIR}/easyrsa --pki-dir=${OPENVPN_KEY_DIR} init-pki"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
echononl " Backup .'${OPENVPN_KEY_DIR}/vars'."
if [[ -f "${OPENVPN_KEY_DIR}/vars" ]]; then
mv "${OPENVPN_KEY_DIR}/vars" "${OPENVPN_KEY_DIR}/vars.$_date" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Copy 'vars' to PKI directory '${OPENVPN_KEY_DIR}'.."
cp "${EASY_RSA_DIR}/vars" "${OPENVPN_KEY_DIR}/vars" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
fi fi
@ -2403,7 +2490,12 @@ echononl " Create Root CA.."
if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1
else else
if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then
printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1 printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1
else
printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1
#printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa build-ca nopass > "$log_file" 2>&1
fi
fi fi
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@ -2715,7 +2807,9 @@ cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
# "dev tun" will create a routed IP tunnel, # "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel. # "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging. # Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies # If you want to control access policies
# over the VPN, you must create firewall # over the VPN, you must create firewall
# rules for the the TUN/TAP interface. # rules for the the TUN/TAP interface.
@ -2760,8 +2854,7 @@ key $_SERVER_KEY # This file should be kept secret
# Diffie hellman parameters. # Diffie hellman parameters.
# Generate your own with: # Generate your own with:
# openssl dhparam -out dh1024.pem 1024 # openssl dhparam -out dh2048.pem 2048
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. # 2048 bit keys.
dh $_DH_KEY dh $_DH_KEY
@ -2795,6 +2888,18 @@ ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt
# out unless you are ethernet bridging. # out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it # Push routes to the client to allow it
# to reach other private subnets behind # to reach other private subnets behind
# the server. Remember that these # the server. Remember that these
@ -2802,7 +2907,8 @@ ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt
# to know to route the OpenVPN client # to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0) # address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server. # back to the OpenVPN server.
;push "route 10.8.0.0 255.255.255.0" ;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
EOF EOF
if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then
for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do
@ -2875,21 +2981,18 @@ client-config-dir $OPENVPN_CCD_DIR
# all IP traffic such as web browsing and # all IP traffic such as web browsing and
# and DNS lookups to go through the VPN # and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT # (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in # or bridge the TUN/TAP interface to the internet
# order for this to work properly). # in order for this to work properly).
# CAVEAT: May break client's network config if ;push "redirect-gateway def1 bypass-dhcp"
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# Certain Windows-specific network settings # Certain Windows-specific network settings
# can be pushed to clients, such as DNS # can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT: # or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats # http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option WINS 10.8.0.1" # The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
EOF EOF
if [[ -n "$DNS_SERVER" ]]; then if [[ -n "$DNS_SERVER" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file" cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
@ -2954,21 +3057,38 @@ tls-auth ${OPENVPN_KEY_DIR}/ta.key 0
# Select a cryptographic cipher. # Select a cryptographic cipher.
# This config item must be copied to # This config item must be copied to
# the client config file as well. # the client config file as well.
;cipher BF-CBC # Blowfish (default) # Note that v2.4 client/server will automatically
;cipher AES-128-CBC # AES # negotiate AES-256-GCM in TLS mode.
;cipher DES-EDE3-CBC # Triple-DES # See also the ncp-cipher option in the manpage
;cipher AES-256-CBC
EOF EOF
if [[ -n "$SERVER_CIPHER" ]]; then if [[ "${SERVER_CIPHER,,}" != "none" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file" cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
cipher $SERVER_CIPHER cipher ${SERVER_CIPHER}
EOF
fi
if [[ "${DATA_CIPHERS,,}" != "none" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
data-ciphers ${DATA_CIPHERS}
EOF
fi
if [[ "${DATA_CIPHERS_FALLBACK,,}" != "none" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
data-ciphers-fallback ${DATA_CIPHERS_FALLBACK}
EOF EOF
fi fi
cat <<EOF >> ${_server_conf_file} 2>> "$log_file" cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
# Enable compression on the VPN link. # Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also # If you enable it here, you must also
# enable it in the client config file. # enable it in the client config file.
;comp-lzo ;comp-lzo
@ -3017,8 +3137,8 @@ status /var/log/openvpn/status-server-${OPENVPN_NAME}.log
# "log" will truncate the log file on OpenVPN startup, # "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one # while "log-append" will append to it. Use one
# or the other (but not both). # or the other (but not both).
;log-append openvpn.log ;log /var/log/openvpn/openvpn.log
;log openvpn.log ;log-append /var/log/openvpn/openvpn.log
log /var/log/openvpn/server-${OPENVPN_NAME}.log log /var/log/openvpn/server-${OPENVPN_NAME}.log
# Set the appropriate level of log # Set the appropriate level of log
@ -3034,6 +3154,10 @@ verb 1
# sequential messages of the same message # sequential messages of the same message
# category will be output to the log. # category will be output to the log.
;mute 20 ;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
EOF EOF
if [[ -h "${OPENVPN_BASE_DIR}/crl.pem" ]] ; then if [[ -h "${OPENVPN_BASE_DIR}/crl.pem" ]] ; then
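Review bot: The "none"/"default" check for `SERVER_CIPHER` in the prompt hunk is missing the opening `[[` on its second operand — `... = "none" ]] || "$(trim ${SERVER_CIPHER,,})" = "default" ]]; then` — so whenever the first test fails bash executes the lower-cased user input as a command with the arguments `= default ]]`; typing `default` therefore leaves `SERVER_CIPHER` as the literal string and the server hunk later writes `cipher default` into the config. It should read `if [[ "$(trim "${SERVER_CIPHER,,}")" = "none" ]] || [[ "$(trim "${SERVER_CIPHER,,}")" = "default" ]]; then` and, like the `DATA_CIPHERS` and `DATA_CIPHERS_FALLBACK` prompts in the same hunk, assign `SERVER_CIPHER="None"` rather than `"$DEFAULT_SERVER_CIPHER"` so the three variables are normalised the same way before the summary and the `!= "none"` tests consume them.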