Phase 1 (of 3?): Server modifications for easy-rsa3
This commit is contained in:
parent
f61b26f669
commit
0b96cae1a3
1 changed files with 50 additions and 101 deletions
|
@ -15,7 +15,8 @@
|
||||||
|
|
||||||
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
|
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
|
||||||
pivpnFilesDir="/etc/.pivpn"
|
pivpnFilesDir="/etc/.pivpn"
|
||||||
easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/3.0.1-pivpn/EasyRSA-3.0.1-pivpn.tgz"
|
easyrsaVer="3.0.1-pivpn1"
|
||||||
|
easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
|
||||||
|
|
||||||
# Find the rows and columns. Will default to 80x24 if it can not be detected.
|
# Find the rows and columns. Will default to 80x24 if it can not be detected.
|
||||||
screen_size=$(stty size 2>/dev/null || echo 24 80)
|
screen_size=$(stty size 2>/dev/null || echo 24 80)
|
||||||
|
@ -461,7 +462,7 @@ checkForDependencies() {
|
||||||
echo ":::"
|
echo ":::"
|
||||||
echo "::: Checking dependencies:"
|
echo "::: Checking dependencies:"
|
||||||
|
|
||||||
dependencies=( openvpn easy-rsa git iptables-persistent dnsutils expect whiptail )
|
dependencies=( openvpn git iptables-persistent dnsutils expect whiptail )
|
||||||
for i in "${dependencies[@]}"; do
|
for i in "${dependencies[@]}"; do
|
||||||
echo -n "::: Checking for $i..."
|
echo -n "::: Checking for $i..."
|
||||||
if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then
|
if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then
|
||||||
|
@ -594,12 +595,13 @@ setClientDNS() {
|
||||||
DNSChooseOptions=(Google "" on
|
DNSChooseOptions=(Google "" on
|
||||||
OpenDNS "" off
|
OpenDNS "" off
|
||||||
Level3 "" off
|
Level3 "" off
|
||||||
|
DNS.WATCH "" off
|
||||||
Norton "" off
|
Norton "" off
|
||||||
Custom "" off)
|
Custom "" off)
|
||||||
|
|
||||||
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
|
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
|
||||||
then
|
then
|
||||||
case $DNSchoices in
|
case ${DNSchoices} in
|
||||||
Google)
|
Google)
|
||||||
echo "::: Using Google DNS servers."
|
echo "::: Using Google DNS servers."
|
||||||
OVPNDNS1="8.8.8.8"
|
OVPNDNS1="8.8.8.8"
|
||||||
|
@ -620,6 +622,13 @@ setClientDNS() {
|
||||||
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
|
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
|
||||||
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
|
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
|
||||||
;;
|
;;
|
||||||
|
DNS.WATCH)
|
||||||
|
echo "::: Using DNS.WATCH servers."
|
||||||
|
OVPNDNS1="82.200.69.80"
|
||||||
|
OVPNDNS2="84.200.70.40"
|
||||||
|
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
|
||||||
|
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
|
||||||
|
;;
|
||||||
Norton)
|
Norton)
|
||||||
echo "::: Using Norton ConnectSafe servers."
|
echo "::: Using Norton ConnectSafe servers."
|
||||||
OVPNDNS1="199.85.126.10"
|
OVPNDNS1="199.85.126.10"
|
||||||
|
@ -695,125 +704,65 @@ confOpenVPN() {
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Copy the easy-rsa files to a directory inside the new openvpn directory
|
# If easy-rsa exists, remove it
|
||||||
$SUDO cp -r /usr/share/easy-rsa /etc/openvpn
|
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
|
||||||
|
$SUDO rm -rf /etc/openvpn/easy-rsa/
|
||||||
|
fi
|
||||||
|
|
||||||
# Edit the EASY_RSA variable in the vars file to point to the new easy-rsa directory,
|
# zzz Get the PiVPN easy-rsa
|
||||||
# And set the chosen key size
|
wget -q -O "/tmp/EasyRSA-${easyrsaVer}" "${easyrsaRel}"
|
||||||
|
tar xzf /tmp/EasyRSA-${easyrsaVer} -C /tmp
|
||||||
|
$SUDO mv /tmp/EasyRSA-${easyrsaVer}/ /etc/openvpn/easy-rsa/
|
||||||
|
$SUDO chown -R root:root /etc/openvpn/easy-rsa
|
||||||
|
$SUDO mkdir /etc/openvpn/easy-rsa/pki
|
||||||
|
|
||||||
|
# Write out new vars file
|
||||||
|
IFS= read -d '' String <<"EOF"
|
||||||
|
if [ -z "$EASYRSA_CALLER" ]; then
|
||||||
|
echo "Nope." >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
set_var EASYRSA "/etc/openvpn/easy-rsa"
|
||||||
|
set_var EASYRSA_PKI "$EASYRSA/pki"
|
||||||
|
set_var EASYRSA_KEY_SIZE 2048
|
||||||
|
set_var EASYRSA_ALGO ec
|
||||||
|
set_var EASYRSA_CURVE secp384r1
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
|
||||||
|
|
||||||
|
# Edit the KEY_SIZE variable in the vars file to set user chosen key size
|
||||||
cd /etc/openvpn/easy-rsa || exit
|
cd /etc/openvpn/easy-rsa || exit
|
||||||
$SUDO sed -i 's:"`pwd`":"/etc/openvpn/easy-rsa":' vars
|
$SUDO sed -i "s/\(KEY_SIZE=\).*/\1 ${ENCRYPT}/" vars
|
||||||
$SUDO sed -i "s/\(KEY_SIZE=\).*/\1${ENCRYPT}/" vars
|
|
||||||
|
|
||||||
# Init Cert Values
|
|
||||||
COUNTRY="US"
|
|
||||||
STATE="CA"
|
|
||||||
CITY="SanFrancisco"
|
|
||||||
ORG="Fort-Funston"
|
|
||||||
SERVER_NAME="server"
|
|
||||||
KEY_NAME="EasyRSA"
|
|
||||||
EMAIL="me@myhost.mydomain"
|
|
||||||
|
|
||||||
whiptail --title "Certificate Information" --msgbox "You will now be shown the default values for fields that will be used in the certificate. \nIt is fine to leave these as-is since only you and the clients you create will ever see this. \nHowever, if you want to change the values, simply select the ones you wish to modify." ${r} ${c}
|
|
||||||
|
|
||||||
until [[ $CERTVALCorrect = True ]]
|
|
||||||
do
|
|
||||||
CERTVAL=$(whiptail --title "Certificate Information" --checklist "Choose any certificate values you want to change" ${r} ${c} 7 \
|
|
||||||
"COUNTRY" "= US" OFF \
|
|
||||||
"STATE" "= CA" OFF \
|
|
||||||
"CITY" "= SanFranciso" OFF \
|
|
||||||
"ORG" "= Fort-Funston" OFF \
|
|
||||||
"SERVER_NAME" "= server" OFF \
|
|
||||||
"KEY_NAME" "= EasyRSA" OFF \
|
|
||||||
"EMAIL" "= me@myhost.mydomain" OFF 3>&1 1>&2 2>&3)
|
|
||||||
|
|
||||||
exitstatus=$?
|
|
||||||
if [ $exitstatus != 0 ]; then
|
|
||||||
echo "::: Cancel selected. Exiting..."
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
for i in $CERTVAL
|
|
||||||
do
|
|
||||||
if [ "$i" == '"COUNTRY"' ]; then
|
|
||||||
COUNTRY=$(whiptail --title "Certificate Country" --inputbox \
|
|
||||||
"Enter a 2 letter abbreviation for Country" ${r} ${c} US 3>&1 1>&2 2>&3)
|
|
||||||
$SUDO sed -i "s/\(KEY_COUNTRY=\"\).*/\1${COUNTRY}\"/" vars
|
|
||||||
fi
|
|
||||||
if [ "$i" == '"STATE"' ]; then
|
|
||||||
STATE=$(whiptail --title "Certificate State" --inputbox \
|
|
||||||
"Enter a 2 letter abbreviated State or Province" ${r} ${c} CA 3>&1 1>&2 2>&3)
|
|
||||||
$SUDO sed -i "s/\(KEY_PROVINCE=\"\).*/\1${STATE}\"/" vars
|
|
||||||
fi
|
|
||||||
if [ "$i" == '"CITY"' ]; then
|
|
||||||
CITY=$(whiptail --title "Certificate City" --inputbox \
|
|
||||||
"Enter a City name" ${r} ${c} SanFrancisco 3>&1 1>&2 2>&3)
|
|
||||||
$SUDO sed -i "s/\(KEY_CITY=\"\).*/\1${CITY}\"/" vars
|
|
||||||
fi
|
|
||||||
if [ "$i" == '"ORG"' ]; then
|
|
||||||
ORG=$(whiptail --title "Certificate Org" --inputbox \
|
|
||||||
"Enter an Organization name" ${r} ${c} Fort-Funston 3>&1 1>&2 2>&3)
|
|
||||||
$SUDO sed -i "s/\(KEY_ORG=\"\).*/\1${ORG}\"/" vars
|
|
||||||
fi
|
|
||||||
if [ "$i" == '"EMAIL"' ]; then
|
|
||||||
EMAIL=$(whiptail --title "Certificate Email" --inputbox \
|
|
||||||
"Enter an Email Address" ${r} ${c} "me@myhost.mydomain" 3>&1 1>&2 2>&3)
|
|
||||||
$SUDO sed -i "s/\(KEY_EMAIL=\"\).*/\1${EMAIL}\"/" vars
|
|
||||||
fi
|
|
||||||
if [ "$i" == '"SERVER_NAME"' ]; then
|
|
||||||
SERVER_NAME=$(whiptail --title "Server Name" --inputbox \
|
|
||||||
"Enter a Server Name" ${r} ${c} "pivpn" 3>&1 1>&2 2>&3)
|
|
||||||
# This began a rabbit hole of errors. Nope.
|
|
||||||
#sed -i '/export KEY_CN/s/^#//g' vars
|
|
||||||
#sed -i "s/\(KEY_CN=\"\).*/\1${SERVER_NAME}\"/" vars
|
|
||||||
fi
|
|
||||||
if [ "$i" == '"KEY_NAME"' ]; then
|
|
||||||
KEY_NAME=$(whiptail --title "Key Name" --inputbox \
|
|
||||||
"Enter a Key Name" ${r} ${c} "EasyRSA" 3>&1 1>&2 2>&3)
|
|
||||||
$SUDO sed -i "s/\(KEY_NAME=\"\).*/\1${KEY_NAME}\"/" vars
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
if (whiptail --backtitle "Confirm Certificate Fields" --title "Confirm Certificate Fields" --yesno "Are these values correct?\n\n Country: $COUNTRY\n State: $STATE\n City: $CITY\n Org: $ORG\n Email: $EMAIL\n Server Name: $SERVER_NAME\n Key Name: $KEY_NAME" ${r} ${c}) then
|
|
||||||
CERTVALCorrect=True
|
|
||||||
else
|
|
||||||
CERTVALCorrect=False
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
# Make PiVPN the OU
|
|
||||||
KEY_OU=PiVPN
|
|
||||||
$SUDO sed -i "s/\(KEY_OU=\"\).*/\1${KEY_OU}\"/" vars
|
|
||||||
|
|
||||||
# It seems you have to set this if you mess with key_cn, lets not.
|
|
||||||
# grep -q 'KEY_ALTNAMES=' vars || printf '\nexport KEY_ALTNAMES="PiVPN_KEYALT"\n' >> vars
|
|
||||||
echo "export KEY_ALTNAMES=\"PiVPN_ALTNAME\"" >> vars
|
|
||||||
# source the vars file just edited
|
|
||||||
source ./vars
|
|
||||||
|
|
||||||
# Remove any previous keys
|
# Remove any previous keys
|
||||||
${SUDOE} ./clean-all
|
${SUDOE} ./easyrsa init-pki
|
||||||
|
|
||||||
# Build the certificate authority
|
# Build the certificate authority
|
||||||
echo "::: Building CA..."
|
printf "::: Building CA...\n"
|
||||||
${SUDOE} ./build-ca < /etc/.pivpn/ca_info.txt
|
${SUDOE} ./easyrsa --batch build-ca nopass
|
||||||
printf "\n::: CA Complete.\n"
|
printf "\n::: CA Complete.\n"
|
||||||
|
|
||||||
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
|
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
|
||||||
|
|
||||||
# Build the server
|
# Build the server
|
||||||
${SUDOE} ./build-key-server --batch "$SERVER_NAME"
|
${SUDOE} ./easyrsa build-server-full server nopass
|
||||||
|
|
||||||
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
|
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
|
||||||
then
|
then
|
||||||
# Downloading parameters, $KEY_DIR and $KEY_SIZE get set by sourcing ./vars
|
# Downloading parameters
|
||||||
RANDOM_INDEX=$(( RANDOM % 128 ))
|
RANDOM_INDEX=$(( RANDOM % 128 ))
|
||||||
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "${KEY_DIR}/dh${KEY_SIZE}.pem"
|
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
|
||||||
else
|
else
|
||||||
# Generate Diffie-Hellman key exchange
|
# Generate Diffie-Hellman key exchange
|
||||||
${SUDOE} ./build-dh
|
${SUDOE} ./easyrsa gen-dh
|
||||||
|
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Generate static HMAC key to defend against DDoS
|
# Generate static HMAC key to defend against DDoS
|
||||||
${SUDOE} openvpn --genkey --secret keys/ta.key
|
${SUDOE} openvpn --genkey --secret pki/ta.key
|
||||||
|
|
||||||
|
#zzz up to here
|
||||||
# Write config file for server using the template .txt file
|
# Write config file for server using the template .txt file
|
||||||
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
|
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
|
||||||
|
|
||||||
|
|
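Review bot: The easy-rsa fetch in the confOpenVPN hunk, `wget -q -O "/tmp/EasyRSA-${easyrsaVer}" "${easyrsaRel}"`, writes to a predictable path in the shared /tmp directory, extracts there as the invoking user, and then `$SUDO mv` installs the result into /etc/openvpn/easy-rsa where `${SUDOE} ./easyrsa` later executes it with elevated privileges, with no integrity check on the download and no exit-status check on wget, tar or mv. A private `mktemp -d` directory, `|| exit 1` on each step (the file already uses `cd … || exit`), and a pinned checksum before extraction would close that; the download target also drops the `.tgz` suffix, so if the archive's top-level directory is named `EasyRSA-${easyrsaVer}` it collides with the tarball path in /tmp — worth confirming against the release artifact. Separately, `$SUDO sed -i "s/\(KEY_SIZE=\).*/\1${ENCRYPT}/" vars` cannot match the vars file this same hunk writes, which contains `set_var EASYRSA_KEY_SIZE 2048`, so the user's chosen key size is silently dropped. confOpenVPN starts before this hunk and continues past it.
```shell
# … unchanged: removal of any existing /etc/openvpn/easy-rsa …
tmpDir=$(mktemp -d) || exit 1
wget -q -O "${tmpDir}/EasyRSA-${easyrsaVer}.tgz" "${easyrsaRel}" || exit 1
# <EXPECTED_SHA256> is a placeholder: pin the checksum of the published release archive
echo "<EXPECTED_SHA256>  ${tmpDir}/EasyRSA-${easyrsaVer}.tgz" | sha256sum -c - || exit 1
tar xzf "${tmpDir}/EasyRSA-${easyrsaVer}.tgz" -C "${tmpDir}" || exit 1
$SUDO mv "${tmpDir}/EasyRSA-${easyrsaVer}/" /etc/openvpn/easy-rsa/ || exit 1
rm -rf -- "${tmpDir:?}"
# … unchanged: chown, mkdir pki, vars heredoc …
```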