Patch 3 #3

Open
wants to merge 14 commits into base: master
4 changes: 2 additions & 2 deletions README.md
@@ -1,7 +1,7 @@
**New: [wireguard-install](https://github.com/Nyr/wireguard-install) is also available.**

## openvpn-install
OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, CentOS and Fedora.
OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora.

This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.

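Review bot: the distro list in the README now matches the unsupported-distribution message in openvpn-install.sh, which keeps the two in step; while this line is being touched, the Wikipedia link could move from `http://` to `https://` so the README does not point readers at a plain-HTTP URL.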
Expand All @@ -13,7 +13,7 @@ Run the script and follow the assistant:
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.

### I want to run my own VPN but don't have a server for that
You can get a VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=18).
You can get a VPS from just 2€/month at [AlphaVPS](https://alphavps.com/clients/aff.php?aff=474&pid=422).

### Donations

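Review bot: swapping the VirMach affiliate link for an AlphaVPS one has nothing to do with the AlmaLinux/Rocky support or the easy-rsa changes in this PR; it would be cleaner as its own commit so it can be reviewed and reverted independently. If it stays, note in the commit message that both the old and the new URL carry affiliate identifiers (`aff=`), since that is what a reader of the README is being sent through.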
46 changes: 27 additions & 19 deletions openvpn-install.sh
Expand Up @@ -30,17 +30,17 @@ elif [[ -e /etc/debian_version ]]; then
os="debian"
os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1)
group_name="nogroup"
elif [[ -e /etc/centos-release ]]; then
elif [[ -e /etc/almalinux-release || -e /etc/rocky-release || -e /etc/centos-release ]]; then
os="centos"
os_version=$(grep -oE '[0-9]+' /etc/centos-release | head -1)
os_version=$(grep -shoE '[0-9]+' /etc/almalinux-release /etc/rocky-release /etc/centos-release | head -1)
group_name="nobody"
elif [[ -e /etc/fedora-release ]]; then
os="fedora"
os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1)
group_name="nobody"
else
echo "This installer seems to be running on an unsupported distribution.
Supported distributions are Ubuntu, Debian, CentOS, and Fedora."
Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora."
exit
fi

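Review bot: `grep -shoE` over the three release files is a tidy way to tolerate whichever one exists (`-s` hides the missing-file errors, `-h` drops the filename prefix), but the unsupported-distribution branch still ends in a bare `exit`, which returns status 0; make it `exit 1` so callers and `set -e` wrappers see the failure. A short comment that AlmaLinux and Rocky are deliberately mapped to `os="centos"` so the yum/firewalld branches below apply to them would also help the next reader.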
Expand Down Expand Up @@ -99,6 +99,13 @@ new_client () {
}

if [[ ! -e /etc/openvpn/server/server.conf ]]; then
# Detect some Debian minimal setups where neither wget nor curl are installed
if ! hash wget 2>/dev/null && ! hash curl 2>/dev/null; then
echo "Wget is required to use this installer."
read -n1 -r -p "Press any key to install Wget and continue..."
apt-get update
apt-get install -y wget
fi
clear
echo 'Welcome to this OpenVPN road warrior installer!'
# If system has a single IPv4, it is selected automatically. Else, ask the user
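Review bot: the new wget/curl check is not gated on the distribution, yet it always runs `apt-get`; on a CentOS/Fedora minimal image without either tool it will fail on a missing command instead of installing wget. Either wrap the block in `[[ "$os" == "debian" || "$os" == "ubuntu" ]]` (matching the comment, which says it targets Debian minimal setups) or branch on `$os` and use `yum install -y wget` on the RPM side. The prompt could also say "wget or curl" to match the condition it follows.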
Expand Down Expand Up @@ -195,7 +202,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
[[ -z "$client" ]] && client="client"
echo
echo "OpenVPN installation is ready to begin."
# Install a firewall in the rare case where one is not already available
# Install a firewall if firewalld or iptables are not already available
if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
firewall="firewalld"
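Review bot: the reworded comment says firewalld or iptables are "not already available", but the test beside it checks `systemctl is-active` for firewalld, i.e. whether it is running, not whether it is installed; a host with firewalld installed but stopped falls through and gets a second firewall package. Either make the comment say "active" or test for presence (for example `hash firewall-cmd`) if that is the intent.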
Expand All @@ -216,7 +223,7 @@ LimitNPROC=infinity" > /etc/systemd/system/[email protected]/disab
fi
if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
apt-get update
apt-get install -y openvpn openssl ca-certificates $firewall
apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall
elif [[ "$os" = "centos" ]]; then
yum install -y epel-release
yum install -y openvpn openssl ca-certificates tar $firewall
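Review bot: `--no-install-recommends` is a sensible reduction of what lands on the server, but please confirm nothing the script relies on was arriving only as a Recommends of openvpn/openssl on Debian and Ubuntu (the script fetches easy-rsa itself, and `tar` is explicitly installed only on the yum side). Leaving `$firewall` unquoted is intentional so an empty value expands to nothing; a one-line comment saying so would stop someone "fixing" it later.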
Expand All @@ -229,25 +236,25 @@ LimitNPROC=infinity" > /etc/systemd/system/[email protected]/disab
systemctl enable --now firewalld.service
fi
# Get easy-rsa
easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz'
easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz'
mkdir -p /etc/openvpn/server/easy-rsa/
{ wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
chown -R root:root /etc/openvpn/server/easy-rsa/
cd /etc/openvpn/server/easy-rsa/
# Create the PKI, set up the CA and the server and client certificates
./easyrsa init-pki
./easyrsa --batch init-pki
./easyrsa --batch build-ca nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
./easyrsa --batch --days=3650 build-server-full server nopass
./easyrsa --batch --days=3650 build-client-full "$client" nopass
./easyrsa --batch --days=3650 gen-crl
# Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
# CRL is read with each client connection, while OpenVPN is dropped to nobody
chown nobody:"$group_name" /etc/openvpn/server/crl.pem
# Without +x in the directory, OpenVPN can't run a stat() on the CRL file
chmod o+x /etc/openvpn/server/
# Generate key for tls-crypt
openvpn --genkey --secret /etc/openvpn/server/tc.key
openvpn --genkey secret /etc/openvpn/server/tc.key
# Create the DH parameters file using the predefined ffdhe2048 group
echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
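Review bot: the easy-rsa tarball is still fetched and piped straight into `tar` as root with no integrity check, and bumping the pinned URL to 3.1.2 is the right moment to add one: download to a temporary file, compare `sha256sum` against a hash recorded in the script, and only then extract. Two behavioural changes in this hunk also deserve a line in the commit message: `--days=3650` replaces the `EASYRSA_CERT_EXPIRE`/`EASYRSA_CRL_DAYS` variables, so confirm on 3.1.2 that it covers the CRL lifetime for `gen-crl` as well as certificate expiry; and `openvpn --genkey secret` is the 2.5-style syntax, so check that the oldest supported distro releases ship an OpenVPN that accepts it (older 2.4 builds expect `--genkey --secret`).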
Expand Down Expand Up @@ -283,13 +290,13 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
1|"")
# Locate the proper resolv.conf
# Needed for systems running systemd-resolved
if grep -q '^nameserver 127.0.0.53' "/etc/resolv.conf"; then
resolv_conf="/run/systemd/resolve/resolv.conf"
else
if grep '^nameserver' "/etc/resolv.conf" | grep -qv '127.0.0.53' ; then
resolv_conf="/etc/resolv.conf"
else
resolv_conf="/run/systemd/resolve/resolv.conf"
fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do
grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -v '127.0.0.53' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
done
;;
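Review bot: the new logic correctly prefers /etc/resolv.conf when it lists a real resolver and only falls back to systemd-resolved's file otherwise, but it special-cases just 127.0.0.53. Hosts running a local dnsmasq or unbound list `nameserver 127.0.0.1`, which would now be pushed to clients that cannot reach it. Filtering the whole loopback range in both places (for example `grep -vE '^nameserver[[:space:]]+127\.'`) covers that case. Also, `grep -v '127.0.0.53'` matches the substring anywhere on the line; it is harmless here but worth anchoring to the address field.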
Expand All @@ -314,6 +321,7 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf
;;
esac
echo 'push "block-outside-dns"' >> /etc/openvpn/server/server.conf
echo "keepalive 10 120
cipher AES-256-CBC
user nobody
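Review bot: pushing `block-outside-dns` from the server puts the Windows DNS-leak protection under server control, which is the right place for it, but the option is implemented only on Windows; clients whose OpenVPN build does not know it depend on the `ignore-unknown-option block-outside-dns` line in the client profile to tolerate the pushed option instead of logging errors, so that line must remain in client-common.txt. A comment noting that this push replaces the per-client directive would make the dependency visible.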
Expand Down Expand Up @@ -417,7 +425,6 @@ remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3" > /etc/openvpn/server/client-common.txt
# Enable and start the OpenVPN service
systemctl enable --now [email protected]
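Review bot: dropping the local `block-outside-dns` while keeping `ignore-unknown-option block-outside-dns` is the right pairing once the server pushes the option; profiles exported before this change still carry the local directive, which is harmless alongside the push. Since this file is the template for every client, consider a comment explaining why the ignore line stays although the option itself is gone, otherwise it reads as dead configuration.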
Expand Down Expand Up @@ -454,7 +461,7 @@ else
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
done
cd /etc/openvpn/server/easy-rsa/
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
./easyrsa --batch --days=3650 build-client-full "$client" nopass
# Generates the custom client.ovpn
new_client
echo
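Review bot: `--days=3650` gives every newly added client a ten-year certificate regardless of how old the CA is; the CA was built at install time with its default lifetime, so clients issued later will be dated past the CA's own expiry and stop working when the CA expires. A ten-year key in a `nopass` profile is also a long exposure window if a .ovpn file leaks, since revocation depends on the CRL being regenerated on this server. A shorter client lifetime, or capping it at the CA's remaining validity (see `openssl x509 -in pki/ca.crt -noout -enddate`), would be safer.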
Expand Down Expand Up @@ -488,7 +495,7 @@ else
if [[ "$revoke" =~ ^[yY]$ ]]; then
cd /etc/openvpn/server/easy-rsa/
./easyrsa --batch revoke "$client"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
./easyrsa --batch --days=3650 gen-crl
rm -f /etc/openvpn/server/crl.pem
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
# CRL is read with each client connection, when OpenVPN is dropped to nobody
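Review bot: this is the CRL regeneration path that runs on every revocation, so if `--days=3650` on easy-rsa 3.1.2 does not set the CRL's nextUpdate the way `EASYRSA_CRL_DAYS=3650` did, the CRL will carry the default short validity and, once it expires, `crl-verify` on the server will reject every client. Please verify after a test revoke with `openssl crl -in /etc/openvpn/server/crl.pem -noout -nextupdate` and, if needed, keep exporting `EASYRSA_CRL_DAYS` alongside `--days`.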
Expand Down Expand Up @@ -535,14 +542,15 @@ else
semanage port -d -t openvpn_port_t -p "$protocol" "$port"
fi
systemctl disable --now [email protected]
rm -rf /etc/openvpn/server
rm -f /etc/systemd/system/[email protected]/disable-limitnproc.conf
rm -f /etc/sysctl.d/99-openvpn-forward.conf
if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
rm -rf /etc/openvpn/server
apt-get remove --purge -y openvpn
else
# Else, OS must be CentOS or Fedora
yum remove -y openvpn
rm -rf /etc/openvpn/server
fi
echo
echo "OpenVPN removed!"
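Review bot: hoisting `rm -rf /etc/openvpn/server` above the package removal drops the duplicated line from both branches, fine. Two things are worth stating here: that directory holds the CA key (`ca.key`), the server key and `tc.key`, so deleting it makes any further revocation impossible and the uninstall prompt should say so; and removing `/etc/sysctl.d/99-openvpn-forward.conf` only takes effect at the next boot, so `sysctl -w net.ipv4.ip_forward=0` (where nothing else on the host needs forwarding) would return the running kernel to its pre-install state immediately.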