diff --git a/install_openvpn.sh b/install_openvpn.sh index 909e217..4b91a9b 100755 --- a/install_openvpn.sh +++ b/install_openvpn.sh @@ -230,12 +230,6 @@ DEFAULT_KEY_OU="Network Services" #DEFAULT_SERVER_CIPHER="BF-CBC" DEFAULT_SERVER_CIPHER="AES-256-CBC" -#if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then -# EASYRSA_CALLER=1 -#else -# EASYRSA_CALLER="" -#fi - #--------------------------------------- #----------------------------- @@ -324,7 +318,7 @@ echo "" echo " Example: 'AKB' or 'FLR' or 'OPP' or.." echo "" ORG_SHORTCUT="" -echononl "Organisations acronym: " +echononl "Organisations shortcut: " read ORG_SHORTCUT while [ "X$ORG_SHORTCUT" = "X" ] ; do echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Name' is required!\033[m\n" @@ -1629,18 +1623,26 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then else ${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1 fi + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + _DH_KEY=${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem else if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_KEY_DIR}/dh.pem" > "$log_file" 2>&1 else ${EASY_RSA_DIR}/easyrsa gen-dh > "$log_file" 2>&1 fi -fi -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + _DH_KEY="${OPENVPN_KEY_DIR}/dh.pem" fi @@ -1667,6 +1669,8 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then echononl "Type to continue: " read ok echo "" + _SERVER_KEY="${OPENVPN_KEY_DIR}/server.key" + _SERVER_CERT="${OPENVPN_KEY_DIR}/server.crt" else 
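Review bot: In the @@ -1629 hunk the legacy-branch assignment `_DH_KEY=${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem` is unquoted while its sibling in the else branch is quoted; write it as `_DH_KEY="${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem"`. Neither branch checks that the file the variable names exists: `build-dh`/`gen-dh`/`cp` reporting success says nothing about whether the output landed under `${OPENVPN_KEY_DIR}` (that depends on easy-rsa's own key-directory setting, which is not visible here), so a check like `[[ -f "$_DH_KEY" ]] || error "DH parameters not found: $_DH_KEY"` after each assignment turns a wrong path into an immediate error instead of a server config that points at nothing. The same missing existence check applies to the `_SERVER_KEY`/`_SERVER_CERT` assignments in the @@ -1667 and @@ -1681 hunks. The enclosing if/else begins before this hunk.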
@@ -1681,13 +1685,15 @@ else # - nopass - do not encrypt the private key (default is encrypted) # - echononl " Generate server keypair '${KEY_CN}-server'.." - ${EASY_RSA_DIR}/easyrsa build-server-full "server" nopass > "$log_file" 2>&1 + ${EASY_RSA_DIR}/easyrsa build-server-full "${KEY_CN}-server" nopass > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi + _SERVER_KEY="${OPENVPN_KEY_DIR}/private/${KEY_CN}-server.key" + _SERVER_CERT="${OPENVPN_KEY_DIR}/issued//${KEY_CN}-server.crt" fi @@ -1709,23 +1715,13 @@ fi # - if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.." - openssl ca -gencrl -out ${OPENVPN_BASE_DIR}/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 + openssl ca -gencrl -out ${OPENVPN_KEY_DIR}/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi - - echononl " Create symlink for '${OPENVPN_KEY_DIR}/crl.pem'.." - ln -s ../crl.pem ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1 - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi - else echononl " Create CRL (Certificate Revokation List) '${OPENVPN_KEY_DIR}/crl.pem'.." ${EASY_RSA_DIR}/easyrsa gen-crl > "$log_file" 2>&1 
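Review bot: `_SERVER_CERT="${OPENVPN_KEY_DIR}/issued//${KEY_CN}-server.crt"` carries a doubled slash; `issued/${KEY_CN}-server.crt` is the path the new `build-server-full "${KEY_CN}-server"` call should produce, assuming `OPENVPN_KEY_DIR` is the easyrsa PKI directory. Because the file names are now derived from `KEY_CN`, a value containing whitespace or `/` yields paths the later config heredoc cannot use unquoted; if `KEY_CN` is free-form operator input, it should be validated before it reaches this hunk. `nopass` leaves the server private key unencrypted on disk, the usual choice for an unattended service, which is exactly why the directory permissions set later in the diff matter. The enclosing if/else begins before this hunk.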
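Review bot: The @@ -1709 hunk moves the CRL to `${OPENVPN_KEY_DIR}/crl.pem` and drops the symlink from `${OPENVPN_BASE_DIR}/crl.pem`, but nothing in this diff updates the `crl-verify` directive of the generated server config; the only copy visible, in the dead section removed at the end of the file, still points at `${OPENVPN_BASE_DIR}/crl.pem`. Confirm the live template uses the new path, since depending on the OpenVPN version a missing CRL file either stops the daemon from starting or a stale file at the old location means revocations written to the new one are never enforced. The paths in `openssl ca -gencrl -out ${OPENVPN_KEY_DIR}/crl.pem -config $KEY_CONFIG` are unquoted unlike the rest of the new code; `-out "${OPENVPN_KEY_DIR}/crl.pem" -config "$KEY_CONFIG"`. The enclosing if/else continues past the hunk.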
@@ -1735,16 +1731,43 @@ else echo_failed error "$(cat $log_file)" fi +fi - echononl " Change permissions (644) for ${OPENVPN_KEY_DIR}/crl.pem" - chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1 - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi +echononl " Change permissions (750) for '${OPENVPN_KEY_DIR}'.." +chmod 750 "${OPENVPN_KEY_DIR}" > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echononl " Change group (to nogroup) for '${OPENVPN_KEY_DIR}'.." +chgrp nogroup "${OPENVPN_KEY_DIR}" > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echononl " Change group (to nogroup) for '${OPENVPN_KEY_DIR}/crl.pem'.." +chgrp nogroup "${OPENVPN_KEY_DIR}/crl.pem" > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echononl " Change permissions (640) for ${OPENVPN_KEY_DIR}/crl.pem" +chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" fi 
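Review bot: The message says `Change permissions (640)` but the command run is `chmod 644 ${OPENVPN_KEY_DIR}/crl.pem`; with the directory just set to 750 and group nogroup, 640 is enough for a daemon that drops to group nogroup, so make the command match the message and quote the path: `chmod 640 "${OPENVPN_KEY_DIR}/crl.pem"`. That `chmod` is also the only unquoted path in the new block. The chgrp steps only help if the live config template still sets `user nobody`/`group nogroup` after init; the only copy of those lines visible here is in the dead section removed at the end of the file, so confirm the live template matches.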
@@ -1878,35 +1901,15 @@ dev tun # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ${OPENVPN_KEY_DIR}/ca.crt -EOF - -if [[ -d "${OPENVPN_KEY_DIR}/issued" ]] ; then - cat <> ${_server_conf_file} 2>> "$log_file" -cert ${OPENVPN_KEY_DIR}/issued/server.crt -key ${OPENVPN_KEY_DIR}/private/server.key # This file should be kept secret +cert $_SERVER_CERT +key $_SERVER_KEY # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. -dh ${OPENVPN_KEY_DIR}/dh.pem -EOF -else - cat <> ${_server_conf_file} 2>> "$log_file" -cert ${OPENVPN_BASE_DIR}/keys/server.crt -key ${OPENVPN_BASE_DIR}/keys/server.key # This file should be kept secret - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -dh ${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem -EOF -fi - -cat <> ${_server_conf_file} 2>> "$log_file" +dh $_DH_KEY # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. 
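Review bot: `cert $_SERVER_CERT` and `key $_SERVER_KEY` now expand a path that embeds the operator-supplied `KEY_CN` (set in the @@ -1681 hunk), so a CN containing whitespace produces a config line OpenVPN parses as two arguments; quoting the values in the heredoc, `cert "$_SERVER_CERT"`, `key "$_SERVER_KEY"` and `dh "$_DH_KEY"`, keeps the directives intact since OpenVPN accepts double-quoted parameters. The three variables are only assigned inside the branches of the earlier hunks; unless `set -u` is in effect (not visible here), an unset one silently yields a directive with no argument, so `[[ -n "$_SERVER_CERT" && -n "$_SERVER_KEY" && -n "$_DH_KEY" ]] || error "server key material paths not set"` before the heredoc is cheap insurance. The heredoc this hunk edits begins before it.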
@@ -2236,677 +2239,3 @@ fi echo "" clean_up 0 - - - -clean_up 0 - - -#--------------------------------------- -#----------------------------- -# Initial Setup OpenVPN (Root ca / Server key /..) -#----------------------------- -#--------------------------------------- - -echo "" - -# - source file vars -# - -echononl " Load configuration '${EASY_RSA_DIR}/vars'.." -source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - -if [[ ! -f "$KEY_CONFIG" ]] ; then - echononl " Create Symlink '$(basename $KEY_CONFIG)'.." - if [[ -f "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" ]]; then - ln -s "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" "$KEY_CONFIG" - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - #fatal "No OpenSSL configuration file present!" - fi - elif [[ -f "$(dirname $KEY_CONFIG)/openssl-easyrsa.cnf" ]]; then - ln -s "$(dirname $KEY_CONFIG)//openssl-easyrsa.cnf" "$KEY_CONFIG" - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi - else - echo_failed - fatal "No OpenSSL configuration file present!" - - echononl "continue anyway [yes/no]: " - read OK - OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" - while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do - echononl "Wrong entry! - repeat [yes/nno]: " - read OK - done - [[ $OK = "yes" ]] || fatal "Abbruch durch User" - fi -fi - -_failed=false -OPENSSL_CONFIG_FILE="$(realpath "$KEY_CONFIG")" -echononl " Adjust '$OPENSSL_CONFIG_FILE'.." -perl -i.ORIG -n -p -e "s/^(\s*default_days\s*=.*)/#\1\ndefault_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*default_crl_days\s*=.*)/#\1\ndefault_crl_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 -if [[ $? 
-ne 0 ]]; then - _failed=true -fi - -if $_failed ; then - echo_failed - error "$(cat $log_file)" -else - echo_ok -fi - - - -# --- -# - Create Keys and Certs -# --- -echo "" -echo -e "\033[32m--\033[m" -echo "Create Keys and Certs .." -echo -e "\033[32m--\033[m" -echo "" - -# - Create file 'serial' with value '01' - the serial for the next -# - created certificate -# - -#echononl " Create '${OPENVPN_BASE_DIR}/keys/serial'.." -#echo "01" > "${OPENVPN_BASE_DIR}/keys/serial" 2> "$log_file" -#if [[ $? -eq 0 ]] ; then -# echo_ok -#else -# echo_failed -# error "$(cat $log_file)" -#fi -# -## - Create empty file index.txt at key-directory -## - -#echononl " Create empty file '${OPENVPN_BASE_DIR}/keys/index.txt'.." -#touch $OPENVPN_BASE_DIR/keys/index.txt -#if [[ $? -eq 0 ]] ; then -# echo_ok -#else -# echo_failed -# error "$(cat $log_file)" -#fi - -# - Create Root CA -# - -echononl " Create Root CA.." -printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - -# - Build Diffie-Hellman parameters for the server side -# - of an SSL/TLS connection. -# . -echononl " Build Diffie-Hellman parameter (dh key).." -${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - -# - Build Sever Key -# - -#echononl " Create Sever Key" -echo "" -echo -e " \033[32mNow create the server key. Tis procedure works interactive.\033[m" -echo -e " Use \033[37m\033[1m${KEY_CN}-server\033[m as 'commonName'" -echo "" -echononl "Type to continue: " -read ok -echo "" - -${EASY_RSA_DIR}/build-key-server server -if [[ $? -eq 0 ]] ; then - info "Building server key was successfully." -else - error "Building server key failed!" 
-fi - -echo "" -echononl "Type to continue: " -read ok -echo "" -#printf "\n\n\n\n\n${KEY_CN}-server\n\n\n\ny\ny\n" | ${EASY_RSA_DIR}/build-key-server server - -# - For extra security beyond that provided -# - by SSL/TLS, create an "HMAC firewall" -# - to help block DoS attacks and UDP port flooding. -# - -echononl " Create 'ta.key' for additional security" -openvpn --genkey --secret ${OPENVPN_BASE_DIR}/keys/ta.key > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - -# - Create empty CRL (Certificate Revokation List) -# - -echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.." -openssl ca -gencrl -out ${OPENVPN_BASE_DIR}/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - -echononl " Create symlink for '${OPENVPN_BASE_DIR}/keys/crl.pem'.." -ln -s ../crl.pem ${OPENVPN_BASE_DIR}/keys/crl.pem > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - - -# ---- -# - Create server configurations -# ---- - -echo "" -echo -e "\033[32m--\033[m" -echo "Server configurations .." -echo -e "\033[32m--\033[m" -echo "" - -echononl " Backup Client configuration directory '$OPENVPN_CCD_DIR'" -if [[ -d "$OPENVPN_CCD_DIR" ]]; then - mv "$OPENVPN_CCD_DIR" "${OPENVPN_CCD_DIR}.$_date" - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi -else - echo_skipped -fi - - -echononl " Create Client configuration directory '$OPENVPN_CCD_DIR'" -mkdir "$OPENVPN_CCD_DIR" > "$log_file" 2>&1 -if [[ $? 
-eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - - -#--------------------------------------- -#----------------------------- -# Write Server Configuration for $OPENVPN_NAME -#----------------------------- -#--------------------------------------- -_server_conf_file="/etc/openvpn/server-${OPENVPN_NAME}.conf" - -echononl " Backup file $_server_conf_file" -if [[ -f "$_server_conf_file" ]] ; then - mv "$_server_conf_file" "${_server_conf_file}.$_date" > "$log_file" 2>&1 - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi -else - echo_skipped -fi - -echononl " Create configuration '${_server_conf_file}" -cat < ${_server_conf_file} 2> "$log_file" -################################################# -# Sample OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients <-> one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine <-> single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -# Which local IP address should OpenVPN -# listen on? (optional) -;local a.b.c.d - -# Which TCP/UDP port should OpenVPN listen on? -# If you want to run multiple OpenVPN instances -# on the same machine, use a different port -# number for each one. You will need to -# open up this port on your firewall. -port $SERVER_PORT - -# TCP or UDP server? 
-;proto tcp -proto udp - -topology subnet -EOF - -if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then - for _local_network in ${LOCAL_NETWORK_ARR[@]} ; do - IFS='/' read -a _net_arr <<< "${_local_network}" - if [[ -n ${_net_arr[1]} ]]; then - _netmask=$(cidr2mask ${_net_arr[1]}) - else - _netmask="255.255.255.0" - fi - cat <> ${_server_conf_file} 2>> "$log_file" -route ${_net_arr[0]} $_netmask $OPENVPN_SERVER_IP -EOF - done -fi - -cat <> ${_server_conf_file} 2>> "$log_file" - -# "dev tun" will create a routed IP tunnel, -# "dev tap" will create an ethernet tunnel. -# Use "dev tap" if you are ethernet bridging. -# If you want to control access policies -# over the VPN, you must create firewall -# rules for the the TUN/TAP interface. -# On non-Windows systems, you can give -# an explicit unit number, such as tun0. -# On Windows, use "dev-node" for this. -# On most systems, the VPN will not function -# unless you partially or fully disable -# the firewall for the TUN/TAP interface. -;dev tap -dev tun - -# Enable TUN IPv6 module -;tun-ipv6 - -# Windows needs the TAP-Win32 adapter name -# from the Network Connections panel if you -# have more than one. On XP SP2 or higher, -# you may need to selectively disable the -# Windows firewall for the TAP adapter. -# Non-Windows systems usually don't need this. -;dev-node MyTap - -# SSL/TLS root certificate (ca), certificate -# (cert), and private key (key). Each client -# and the server must have their own cert and -# key file. The server and all clients will -# use the same ca file. -# -# See the "easy-rsa" directory for a series -# of scripts for generating RSA certificates -# and private keys. Remember to use -# a unique Common Name for the server -# and each of the client certificates. -# -# Any X509 key management system can be used. -# OpenVPN can also use a PKCS #12 formatted key file -# (see "pkcs12" directive in man page). 
-ca ${OPENVPN_BASE_DIR}/keys/ca.crt -cert ${OPENVPN_BASE_DIR}/keys/server.crt -key ${OPENVPN_BASE_DIR}/keys/server.key # This file should be kept secret - -# Diffie hellman parameters. -# Generate your own with: -# openssl dhparam -out dh1024.pem 1024 -# Substitute 2048 for 1024 if you are using -# 2048 bit keys. -dh ${OPENVPN_BASE_DIR}/keys/dh${KEY_SIZE}.pem - -# Configure server mode and supply a VPN subnet -# for OpenVPN to draw client addresses from. -# The server will take 10.8.0.1 for itself, -# the rest will be made available to clients. -# Each client will be able to reach the server -# on 10.8.0.1. Comment this line out if you are -# ethernet bridging. See the man page for more info. -;server 10.8.0.0 255.255.255.0 -;server-ipv6 2a01:30:1fff:fd00::/64 -server $OPENVPN_NETWORK 255.255.255.0 - -# Maintain a record of client <-> virtual IP address -# associations in this file. If OpenVPN goes down or -# is restarted, reconnecting clients can be assigned -# the same virtual IP address from the pool that was -# previously assigned. -ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt - -# Configure server mode for ethernet bridging. -# You must first use your OS's bridging capability -# to bridge the TAP interface with the ethernet -# NIC interface. Then you must manually set the -# IP/netmask on the bridge interface, here we -# assume 10.8.0.4/255.255.255.0. Finally we -# must set aside an IP range in this subnet -# (start=10.8.0.50 end=10.8.0.100) to allocate -# to connecting clients. Leave this line commented -# out unless you are ethernet bridging. -;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 - -# Push routes to the client to allow it -# to reach other private subnets behind -# the server. Remember that these -# private subnets will also need -# to know to route the OpenVPN client -# address pool (10.8.0.0/255.255.255.0) -# back to the OpenVPN server. 
-;push "route 10.8.0.0 255.255.255.0" -EOF -if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then - for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do - IFS='/' read -a _net_arr <<< "${_remote_network}" - if [[ -n ${_net_arr[1]} ]]; then - _netmask=$(cidr2mask ${_net_arr[1]}) - else - _netmask="255.255.255.0" - fi - cat <> ${_server_conf_file} 2>> "$log_file" -push "route ${_net_arr[0]} $_netmask" -EOF - done -fi - -cat <> ${_server_conf_file} 2>> "$log_file" - -# To assign specific IP addresses to specific -# clients or if a connecting client has a private -# subnet behind it that should also have VPN access, -# use the subdirectory "ccd" for client-specific -# configuration files (see man page for more info). -client-config-dir $OPENVPN_CCD_DIR - -# --- -# EXAMPLE: Suppose the client -# having the certificate common name "Thelonious" -# also has a small subnet behind his connecting -# machine, such as 192.168.40.128/255.255.255.248. -# First, uncomment out these lines: -;client-config-dir /etc/openvpn/ccd -;route 192.168.40.128 255.255.255.248 - -# Then create a file ccd/Thelonious with this line: -# iroute 192.168.40.128 255.255.255.248 -# This will allow Thelonious' private subnet to -# access the VPN. This example will only work -# if you are routing, not bridging, i.e. you are -# using "dev tun" and "server" directives. -# --- - -# --- -# EXAMPLE: Suppose you want to give -# Thelonious a fixed VPN IP address of 10.9.0.1. -# First uncomment out these lines: -;client-config-dir ccd -;route 10.9.0.0 255.255.255.252 - -# Then add this line to ccd/Thelonious: -# ifconfig-push 10.9.0.1 10.9.0.2 -# --- - -# --- -# Suppose that you want to enable different -# firewall access policies for different groups -# of clients. There are two methods: -# (1) Run multiple OpenVPN daemons, one for each -# group, and firewall the TUN/TAP interface -# for each group/daemon appropriately. 
-# (2) (Advanced) Create a script to dynamically -# modify the firewall in response to access -# from different clients. See man -# page for more info on learn-address script. -;learn-address ./script -# --- - -# If enabled, this directive will configure -# all clients to redirect their default -# network gateway through the VPN, causing -# all IP traffic such as web browsing and -# and DNS lookups to go through the VPN -# (The OpenVPN server machine may need to NAT -# the TUN/TAP interface to the internet in -# order for this to work properly). -# CAVEAT: May break client's network config if -# client's local DHCP server packets get routed -# through the tunnel. Solution: make sure -# client's local DHCP server is reachable via -# a more specific route than the default route -# of 0.0.0.0/0.0.0.0. -;push "redirect-gateway" - -# Certain Windows-specific network settings -# can be pushed to clients, such as DNS -# or WINS server addresses. CAVEAT: -# http://openvpn.net/faq.html#dhcpcaveats -;push "dhcp-option WINS 10.8.0.1" -EOF -if [[ -n "$DNS_SERVER" ]]; then - cat <> ${_server_conf_file} 2>> "$log_file" -push "dhcp-option DNS ${DNS_SERVER}" -EOF -fi - -if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]]; then - for _domain in ${SEARCH_DOMAINS_ARR[@]} ; do - cat <> ${_server_conf_file} 2>> "$log_file" -push "dhcp-option DOMAIN ${_domain}" -EOF - done -fi - -cat <> ${_server_conf_file} 2>> "$log_file" - -# Uncomment this directive to allow different -# clients to be able to "see" each other. -# By default, clients will only see the server. -# To force clients to only see the server, you -# will also need to appropriately firewall the -# server's TUN/TAP interface. -client-to-client - -# Uncomment this directive if multiple clients -# might connect with the same certificate/key -# files or common names. This is recommended -# only for testing purposes. For production use, -# each client should have its own certificate/key -# pair. 
-# -# IF YOU HAVE NOT GENERATED INDIVIDUAL -# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, -# EACH HAVING ITS OWN UNIQUE "COMMON NAME", -# UNCOMMENT THIS LINE OUT. -;duplicate-cn - -# The keepalive directive causes ping-like -# messages to be sent back and forth over -# the link so that each side knows when -# the other side has gone down. -# Ping every 10 seconds, assume that remote -# peer is down if no ping received during -# a 120 second time period. -keepalive 10 120 - -# For extra security beyond that provided -# by SSL/TLS, create an "HMAC firewall" -# to help block DoS attacks and UDP port flooding. -# -# Generate with: -# openvpn --genkey --secret ta.key -# -# The server and each client must have -# a copy of this key. -# The second parameter should be '0' -# on the server and '1' on the clients. -;tls-auth ta.key 0 # This file is secret -tls-auth ${OPENVPN_BASE_DIR}/keys/ta.key 0 - -# Select a cryptographic cipher. -# This config item must be copied to -# the client config file as well. -;cipher BF-CBC # Blowfish (default) -;cipher AES-128-CBC # AES -;cipher DES-EDE3-CBC # Triple-DES -EOF - -if [[ -n "$SERVER_CIPHER" ]]; then - cat <> ${_server_conf_file} 2>> "$log_file" -cipher $SERVER_CIPHER -EOF - -fi - -cat <> ${_server_conf_file} 2>> "$log_file" - -# Enable compression on the VPN link. -# If you enable it here, you must also -# enable it in the client config file. -;comp-lzo -EOF - -if $LZO_COMPRESSION ; then - cat <> ${_server_conf_file} 2>> "$log_file" -comp-lzo -EOF -fi - -cat <> ${_server_conf_file} 2>> "$log_file" - -# The maximum number of concurrently connected -# clients we want to allow. -;max-clients 100 - -# It's a good idea to reduce the OpenVPN -# daemon's privileges after initialization. -# -# You can uncomment this out on -# non-Windows systems. -user nobody -group nogroup - -# The persist options will try to avoid -# accessing certain resources on restart -# that may no longer be accessible because -# of the privilege downgrade. 
-persist-key -persist-tun -persist-local-ip -persist-remote-ip - -# Output a short status file showing -# current connections, truncated -# and rewritten every minute. -;status openvpn-status.log -status /var/log/openvpn/status-server-${OPENVPN_NAME}.log - -# By default, log messages will go to the syslog (or -# on Windows, if running as a service, they will go to -# the "\Program Files\OpenVPN\log" directory). -# Use log or log-append to override this default. -# "log" will truncate the log file on OpenVPN startup, -# while "log-append" will append to it. Use one -# or the other (but not both). -;log-append openvpn.log -;log openvpn.log -log /var/log/openvpn/server-${OPENVPN_NAME}.log - -# Set the appropriate level of log -# file verbosity. -# -# 0 is silent, except for fatal errors -# 4 is reasonable for general usage -# 5 and 6 can help to debug connection problems -# 9 is extremely verbose -verb 1 - -# Silence repeating messages. At most 20 -# sequential messages of the same message -# category will be output to the log. -;mute 20 - -# CRL (certificate revocation list) verification -crl-verify ${OPENVPN_BASE_DIR}/crl.pem -EOF -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - -echo "" - - -# - Start OpenVPN Service -# - -echononl " Start OpenVPN Service" -if $systemd_supported ; then - $systemctl start $service_name > "$log_file" 2>&1 - if [[ $? -ne 0 ]]; then - echo_failed - error "$(cat $log_file)" - else - echo_ok - fi -else - $init_script start > "$log_file" 2>&1 - if [[ $? 
-ne 0 ]]; then - echo_failed - error "$(cat $log_file)" - else - echo_ok - fi -fi - - -# - See if OpenVPN Service is running/has started -# -check_string_ps="$openvpn_binary" -check_string_ps_plus="--daemon" -sleep 2 -PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}') -if [[ "X${PID}" = "X" ]]; then - warn "\033[37m\033[1mOpenVPN Service is NOT running.\033[m\n Maybe you have to restart the machine in order to start openvpn daemon." -fi - - -echo "" -clean_up 0