diff --git a/auto_install/install.sh b/auto_install/install.sh
index 29cc897..464ecd3 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -15,7 +15,8 @@ pivpnGitUrl="https://github.com/pivpn/pivpn.git"
 pivpnFilesDir="/etc/.pivpn"
-easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/3.0.1-pivpn/EasyRSA-3.0.1-pivpn.tgz"
+easyrsaVer="3.0.1-pivpn1"
+easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
 # Find the rows and columns. Will default to 80x24 if it can not be detected.
 screen_size=$(stty size 2>/dev/null || echo 24 80)
@@ -461,7 +462,7 @@ checkForDependencies() {
 echo ":::"
 echo "::: Checking dependencies:"
- dependencies=( openvpn easy-rsa git iptables-persistent dnsutils expect whiptail )
+ dependencies=( openvpn git iptables-persistent dnsutils expect whiptail )
 for i in "${dependencies[@]}"; do
 echo -n "::: Checking for $i..."
 if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then
@@ -594,12 +595,13 @@ setClientDNS() {
 DNSChooseOptions=(Google "" on
 OpenDNS "" off
 Level3 "" off
+ DNS.WATCH "" off
 Norton "" off
 Custom "" off)
 if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
 then
- case $DNSchoices in
+ case ${DNSchoices} in
 Google)
 echo "::: Using Google DNS servers."
 OVPNDNS1="8.8.8.8"
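Review bot: With `easy-rsa` dropped from `dependencies`, the script no longer verifies the tooling that builds the PKI, and the replacement path in confOpenVPN fetches a release tarball with `wget` and unpacks it with `tar`, neither of which appears in this list. They may be guaranteed elsewhere in the script (I can't see that from this diff); if not, adding `wget` here keeps the dependency check honest: `dependencies=( openvpn git iptables-persistent dnsutils expect whiptail wget )`. checkForDependencies continues outside the hunk on both sides.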
@@ -620,6 +622,13 @@ setClientDNS() {
 $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
 $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
 ;;
+ DNS.WATCH)
+ echo "::: Using DNS.WATCH servers."
+ OVPNDNS1="82.200.69.80"
+ OVPNDNS2="84.200.70.40"
+ $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
+ $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
+ ;;
 Norton)
 echo "::: Using Norton ConnectSafe servers."
 OVPNDNS1="199.85.126.10"
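Review bot: `OVPNDNS1="82.200.69.80"` in the new DNS.WATCH arm looks like a typo: DNS.WATCH's published resolvers are 84.200.69.80 and 84.200.70.40, and `OVPNDNS2` on the very next line uses the `84.200.` prefix. Because this address is pushed to every VPN client as its primary resolver, a wrong first octet would route all client lookups to whatever answers at an unrelated address, so please confirm against the provider's page and correct it to `OVPNDNS1="84.200.69.80"` before merging. The two `sed` lines mirror the existing arms, so nothing new there. setClientDNS continues outside the hunk on both sides.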
@@ -695,125 +704,65 @@ confOpenVPN() {
 exit 1
 fi
- # Copy the easy-rsa files to a directory inside the new openvpn directory
- $SUDO cp -r /usr/share/easy-rsa /etc/openvpn
+ # If easy-rsa exists, remove it
+ if [[ -d /etc/openvpn/easy-rsa/ ]]; then
+ $SUDO rm -rf /etc/openvpn/easy-rsa/
+ fi
- # Edit the EASY_RSA variable in the vars file to point to the new easy-rsa directory,
- # And set the chosen key size
+ # zzz Get the PiVPN easy-rsa
+ wget -q -O "/tmp/EasyRSA-${easyrsaVer}" "${easyrsaRel}"
+ tar xzf /tmp/EasyRSA-${easyrsaVer} -C /tmp
+ $SUDO mv /tmp/EasyRSA-${easyrsaVer}/ /etc/openvpn/easy-rsa/
+ $SUDO chown -R root:root /etc/openvpn/easy-rsa
+ $SUDO mkdir /etc/openvpn/easy-rsa/pki
+
+ # Write out new vars file
+ IFS= read -d '' String <<"EOF"
+if [ -z "$EASYRSA_CALLER" ]; then
+ echo "Nope." >&2
+ return 1
+fi
+set_var EASYRSA "/etc/openvpn/easy-rsa"
+set_var EASYRSA_PKI "$EASYRSA/pki"
+set_var EASYRSA_KEY_SIZE 2048
+set_var EASYRSA_ALGO ec
+set_var EASYRSA_CURVE secp384r1
+EOF
+
+echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
+ # Edit the KEY_SIZE variable in the vars file to set user chosen key size
 cd /etc/openvpn/easy-rsa || exit
- $SUDO sed -i 's:"`pwd`":"/etc/openvpn/easy-rsa":' vars
- $SUDO sed -i "s/\(KEY_SIZE=\).*/\1${ENCRYPT}/" vars
-
- # Init Cert Values
- COUNTRY="US"
- STATE="CA"
- CITY="SanFrancisco"
- ORG="Fort-Funston"
- SERVER_NAME="server"
- KEY_NAME="EasyRSA"
- EMAIL="me@myhost.mydomain"
-
- whiptail --title "Certificate Information" --msgbox "You will now be shown the default values for fields that will be used in the certificate. \nIt is fine to leave these as-is since only you and the clients you create will ever see this. \nHowever, if you want to change the values, simply select the ones you wish to modify." ${r} ${c}
-
- until [[ $CERTVALCorrect = True ]]
- do
- CERTVAL=$(whiptail --title "Certificate Information" --checklist "Choose any certificate values you want to change" ${r} ${c} 7 \
- "COUNTRY" "= US" OFF \
- "STATE" "= CA" OFF \
- "CITY" "= SanFranciso" OFF \
- "ORG" "= Fort-Funston" OFF \
- "SERVER_NAME" "= server" OFF \
- "KEY_NAME" "= EasyRSA" OFF \
- "EMAIL" "= me@myhost.mydomain" OFF 3>&1 1>&2 2>&3)
-
- exitstatus=$?
- if [ $exitstatus != 0 ]; then
- echo "::: Cancel selected. Exiting..."
- exit 1
- fi
-
- for i in $CERTVAL
- do
- if [ "$i" == '"COUNTRY"' ]; then
- COUNTRY=$(whiptail --title "Certificate Country" --inputbox \
- "Enter a 2 letter abbreviation for Country" ${r} ${c} US 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_COUNTRY=\"\).*/\1${COUNTRY}\"/" vars
- fi
- if [ "$i" == '"STATE"' ]; then
- STATE=$(whiptail --title "Certificate State" --inputbox \
- "Enter a 2 letter abbreviated State or Province" ${r} ${c} CA 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_PROVINCE=\"\).*/\1${STATE}\"/" vars
- fi
- if [ "$i" == '"CITY"' ]; then
- CITY=$(whiptail --title "Certificate City" --inputbox \
- "Enter a City name" ${r} ${c} SanFrancisco 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_CITY=\"\).*/\1${CITY}\"/" vars
- fi
- if [ "$i" == '"ORG"' ]; then
- ORG=$(whiptail --title "Certificate Org" --inputbox \
- "Enter an Organization name" ${r} ${c} Fort-Funston 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_ORG=\"\).*/\1${ORG}\"/" vars
- fi
- if [ "$i" == '"EMAIL"' ]; then
- EMAIL=$(whiptail --title "Certificate Email" --inputbox \
- "Enter an Email Address" ${r} ${c} "me@myhost.mydomain" 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_EMAIL=\"\).*/\1${EMAIL}\"/" vars
- fi
- if [ "$i" == '"SERVER_NAME"' ]; then
- SERVER_NAME=$(whiptail --title "Server Name" --inputbox \
- "Enter a Server Name" ${r} ${c} "pivpn" 3>&1 1>&2 2>&3)
- # This began a rabbit hole of errors. Nope.
- #sed -i '/export KEY_CN/s/^#//g' vars
- #sed -i "s/\(KEY_CN=\"\).*/\1${SERVER_NAME}\"/" vars
- fi
- if [ "$i" == '"KEY_NAME"' ]; then
- KEY_NAME=$(whiptail --title "Key Name" --inputbox \
- "Enter a Key Name" ${r} ${c} "EasyRSA" 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_NAME=\"\).*/\1${KEY_NAME}\"/" vars
- fi
- done
- if (whiptail --backtitle "Confirm Certificate Fields" --title "Confirm Certificate Fields" --yesno "Are these values correct?\n\n Country: $COUNTRY\n State: $STATE\n City: $CITY\n Org: $ORG\n Email: $EMAIL\n Server Name: $SERVER_NAME\n Key Name: $KEY_NAME" ${r} ${c}) then
- CERTVALCorrect=True
- else
- CERTVALCorrect=False
- fi
- done
- # Make PiVPN the OU
- KEY_OU=PiVPN
- $SUDO sed -i "s/\(KEY_OU=\"\).*/\1${KEY_OU}\"/" vars
-
- # It seems you have to set this if you mess with key_cn, lets not.
- # grep -q 'KEY_ALTNAMES=' vars || printf '\nexport KEY_ALTNAMES="PiVPN_KEYALT"\n' >> vars
- echo "export KEY_ALTNAMES=\"PiVPN_ALTNAME\"" >> vars
- # source the vars file just edited
- source ./vars
+ $SUDO sed -i "s/\(KEY_SIZE=\).*/\1 ${ENCRYPT}/" vars
 # Remove any previous keys
- ${SUDOE} ./clean-all
+ ${SUDOE} ./easyrsa init-pki
 # Build the certificate authority
- echo "::: Building CA..."
- ${SUDOE} ./build-ca < /etc/.pivpn/ca_info.txt
+ printf "::: Building CA...\n"
+ ${SUDOE} ./easyrsa --batch build-ca nopass
 printf "\n::: CA Complete.\n"
 whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
 # Build the server
- ${SUDOE} ./build-key-server --batch "$SERVER_NAME"
+ ${SUDOE} ./easyrsa build-server-full server nopass
 if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}) then
- # Downloading parameters, $KEY_DIR and $KEY_SIZE get set by sourcing ./vars
+ # Downloading parameters
 RANDOM_INDEX=$(( RANDOM % 128 ))
- ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "${KEY_DIR}/dh${KEY_SIZE}.pem"
+ ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
 else
 # Generate Diffie-Hellman key exchange
- ${SUDOE} ./build-dh
+ ${SUDOE} ./easyrsa gen-dh
+ ${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
 fi
 # Generate static HMAC key to defend against DDoS
- ${SUDOE} openvpn --genkey --secret keys/ta.key
+ ${SUDOE} openvpn --genkey --secret pki/ta.key
+#zzz up to here
 # Write config file for server using the template .txt file
 $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
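Review bot: The easy-rsa fetch near the top of the hunk saves the archive to the fixed, world-writable path `/tmp/EasyRSA-${easyrsaVer}`, extracts into `/tmp`, and then `$SUDO mv`s `/tmp/EasyRSA-${easyrsaVer}/` into `/etc/openvpn/easy-rsa` as root with no check on `wget -q`, `tar` or `mv` and no verification of what was downloaded — a predictable name any local user can pre-create, and (if the tarball's top-level directory is `EasyRSA-${easyrsaVer}`, as the `mv` implies) the same name as the file the archive was just written to, so the extraction collides with it. A `mktemp -d` work directory, explicit failure exits, and a SHA-256 pinned in the script for the release would close all of these; a sketch follows. Two smaller points in the same hunk: `$SUDO sed -i "s/\(KEY_SIZE=\).*/\1 ${ENCRYPT}/" vars` can no longer match, because the vars file written just above contains `set_var EASYRSA_KEY_SIZE 2048` with no `=` (and with `EASYRSA_ALGO ec` the size is unused for the CA and server keys anyway), so the user's `$ENCRYPT` now only influences the DH step; and `./easyrsa build-server-full server nopass` lacks the `--batch` that `build-ca` carries, so as far as I can see it will stop at easy-rsa's interactive signing confirmation — `${SUDOE} ./easyrsa --batch build-server-full server nopass`. The `# zzz` / `#zzz up to here` markers read as leftover work-in-progress notes. confOpenVPN continues outside the hunk on both sides.

```shell
  # … unchanged: remove any previous /etc/openvpn/easy-rsa …
  # Fetch the PiVPN easy-rsa release into a private, unpredictable work dir
  # instead of a fixed name under /tmp, and stop on any failure.
  easyrsaTmp=$(mktemp -d) || exit 1
  wget -q -O "${easyrsaTmp}/EasyRSA-${easyrsaVer}.tgz" "${easyrsaRel}" \
    || { echo "::: Failed to download ${easyrsaRel}" >&2; exit 1; }
  # TODO: compare the archive against a SHA-256 pinned in this script before
  # trusting it — it becomes the CA tooling run as root.
  tar xzf "${easyrsaTmp}/EasyRSA-${easyrsaVer}.tgz" -C "${easyrsaTmp}" || exit 1
  $SUDO mv "${easyrsaTmp}/EasyRSA-${easyrsaVer}/" /etc/openvpn/easy-rsa/ || exit 1
  rm -rf "${easyrsaTmp}"
  # … unchanged: chown, mkdir pki, vars heredoc …
```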