From 97a50c66efe712bf998afa510514529af2a1a758 Mon Sep 17 00:00:00 2001 From: Jelle Dekker Date: Thu, 21 Sep 2017 10:49:45 -0500 Subject: [PATCH 1/5] Commented out a number of excess options that were set implicitly by using the 'server' option. --- server_config.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/server_config.txt b/server_config.txt index 70625e7..9fa8e0c 100644 --- a/server_config.txt +++ b/server_config.txt @@ -8,11 +8,11 @@ dh /etc/openvpn/easy-rsa/pki/dh1024.pem topology subnet server 10.8.0.0 255.255.255.0 # server and remote endpoints -ifconfig 10.8.0.1 10.8.0.2 +#ifconfig 10.8.0.1 10.8.0.2 # Add route to Client routing table for the OpenVPN Server -push "route 10.8.0.1 255.255.255.255" +#push "route 10.8.0.1 255.255.255.255" # Add route to Client routing table for the OPenVPN Subnet -push "route 10.8.0.0 255.255.255.0" +#push "route 10.8.0.0 255.255.255.0" # your local subnet push "route LOCALNET LOCALMASK" # Set your primary domain name server address for clients From 4e77245a97010bd93c44b57b3327a0b0c6fd16e4 Mon Sep 17 00:00:00 2001 From: Jelle Dekker Date: Fri, 22 Sep 2017 16:03:38 -0500 Subject: [PATCH 2/5] Commented out code related to adding a route to the remote subnet (e.g. 192.168.0.0). --- auto_install/install.sh | 20 ++++++++++---------- server_config.txt | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 33ca2a4..5f7c5b2 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh 
@@ -367,15 +367,15 @@ setStaticIPv4() { fi } -setNetwork() { +#setNetwork() { # Sets the Network IP and Mask correctly - export PATH=${PATH}:/sbin:/usr/sbin - LOCALMASK=$(ifconfig "${pivpnInterface}" | awk '/Mask:/{ print $4;} ' | cut -c6-) - LOCALIP=$(ifconfig "${pivpnInterface}" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') - IFS=. read -r i1 i2 i3 i4 <<< "$LOCALIP" - IFS=. read -r m1 m2 m3 m4 <<< "$LOCALMASK" - LOCALNET=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))") -} + #export PATH=${PATH}:/sbin:/usr/sbin + #LOCALMASK=$(ifconfig "${pivpnInterface}" | awk '/Mask:/{ print $4;} ' | cut -c6-) + #LOCALIP=$(ifconfig "${pivpnInterface}" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') + #IFS=. read -r i1 i2 i3 i4 <<< "$LOCALIP" + #IFS=. read -r m1 m2 m3 m4 <<< "$LOCALMASK" + #LOCALNET=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))") +#} function valid_ip() { @@ -887,8 +887,8 @@ EOF # Write config file for server using the template .txt file $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf - $SUDO sed -i "s/LOCALNET/${LOCALNET}/g" /etc/openvpn/server.conf - $SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf + #$SUDO sed -i "s/LOCALNET/${LOCALNET}/g" /etc/openvpn/server.conf + #$SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf # Set the user encryption key size $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf diff --git a/server_config.txt b/server_config.txt index 9fa8e0c..2498464 100644 --- a/server_config.txt +++ b/server_config.txt 
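Review bot: The definition of setNetwork is commented out here, but the `setNetwork` call in main() is still present (it is only removed in the fourth patch of this series), so at this commit install.sh aborts with a "command not found" once it reaches that call. Commenting a function out line by line also leaves a dead block that the next patch deletes again; removing the function and its caller in the same commit keeps every commit in the series runnable. Note too that, with the LOCALNET/LOCALMASK sed lines in the second hunk and the `push "route LOCALNET LOCALMASK"` line commented out, clients no longer receive a route to the server's LAN; if that is intended it is worth stating in the commit message, since users who relied on LAN access through the tunnel will see it disappear. The enclosing function main() is outside this hunk.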
@@ -14,7 +14,7 @@ server 10.8.0.0 255.255.255.0 # Add route to Client routing table for the OPenVPN Subnet #push "route 10.8.0.0 255.255.255.0" # your local subnet -push "route LOCALNET LOCALMASK" +#push "route LOCALNET LOCALMASK" # Set your primary domain name server address for clients push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" From 14b13d3a4156b89be026adcdff775bd57a0998f4 Mon Sep 17 00:00:00 2001 From: Jelle Dekker Date: Sat, 23 Sep 2017 19:17:35 -0500 Subject: [PATCH 3/5] Removed the previously commented-out code. --- auto_install/install.sh | 13 ------------- server_config.txt | 8 -------- 2 files changed, 21 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 5f7c5b2..be833ce 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -367,16 +367,6 @@ setStaticIPv4() { fi } -#setNetwork() { - # Sets the Network IP and Mask correctly - #export PATH=${PATH}:/sbin:/usr/sbin - #LOCALMASK=$(ifconfig "${pivpnInterface}" | awk '/Mask:/{ print $4;} ' | cut -c6-) - #LOCALIP=$(ifconfig "${pivpnInterface}" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*') - #IFS=. read -r i1 i2 i3 i4 <<< "$LOCALIP" - #IFS=. read -r m1 m2 m3 m4 <<< "$LOCALMASK" - #LOCALNET=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))") -#} - function valid_ip() { local ip=$1 @@ -887,9 +877,6 @@ EOF # Write config file for server using the template .txt file $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf - #$SUDO sed -i "s/LOCALNET/${LOCALNET}/g" /etc/openvpn/server.conf - #$SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf - # Set the user encryption key size $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf diff --git a/server_config.txt b/server_config.txt index 2498464..f3d208b 100644 --- a/server_config.txt +++ b/server_config.txt 
@@ -7,14 +7,6 @@ key /etc/openvpn/easy-rsa/pki/private/server.key dh /etc/openvpn/easy-rsa/pki/dh1024.pem topology subnet server 10.8.0.0 255.255.255.0 -# server and remote endpoints -#ifconfig 10.8.0.1 10.8.0.2 -# Add route to Client routing table for the OpenVPN Server -#push "route 10.8.0.1 255.255.255.255" -# Add route to Client routing table for the OPenVPN Subnet -#push "route 10.8.0.0 255.255.255.0" -# your local subnet -#push "route LOCALNET LOCALMASK" # Set your primary domain name server address for clients push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" From 9f46f1ef91045a6b7cfb92721843dc3d36b32fa2 Mon Sep 17 00:00:00 2001 From: Jelle Dekker Date: Wed, 11 Oct 2017 22:55:58 -0500 Subject: [PATCH 4/5] Removed call to deleted method. --- auto_install/install.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index be833ce..379ea47 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1255,9 +1255,6 @@ main() { setStaticIPv4 fi - # Set the Network IP and Mask correctly - setNetwork - # Choose the user for the ovpns chooseUser From 4b47b5aa61c1379ebd36226ca4777e746368bcd7 Mon Sep 17 00:00:00 2001 From: Piero Date: Thu, 15 Feb 2018 10:14:03 +0100 Subject: [PATCH 5/5] 2.4 --- Default.txt | 2 +- auto_install/install.sh | 98 ++++++++++++++++++++++++++++++++++------- scripts/makeOVPN.sh | 17 ++++--- server_config.txt | 4 +- 4 files changed, 97 insertions(+), 24 deletions(-) mode change 100644 => 100755 Default.txt mode change 100644 => 100755 scripts/makeOVPN.sh mode change 100644 => 100755 server_config.txt diff --git a/Default.txt b/Default.txt old mode 100644 new mode 100755 index cd519e1..1503e25 --- a/Default.txt +++ b/Default.txt @@ -13,4 +13,4 @@ verify-x509-name SRVRNAME name cipher AES-256-CBC auth SHA256 comp-lzo -verb 1 +verb 3 diff --git a/auto_install/install.sh b/auto_install/install.sh index 4d59171..8e94f43 100755 --- a/auto_install/install.sh 
+++ b/auto_install/install.sh 
@@ -852,26 +852,37 @@ EOF # Build the server ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass - if [[ ${useUpdateVars} == false ]]; then - if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}) - then - DOWNLOAD_DH_PARAM=true + if [[ ${useUpdateVars} == false ]]; then + if (whiptail --backtitle "Setup OpenVPN" --title "Version 2.4 improvements" --yesno --defaultno "OpenVPN 2.4 brings support for stronger key exchange using Elliptic Curves and encrypted control channel, along with faster LZ4 compression.\n\nIf you your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." 
${r} ${c}); then + APPLY_TWO_POINT_FOUR=true + $SUDO touch /etc/pivpn/TWO_POINT_FOUR else - DOWNLOAD_DH_PARAM=false + APPLY_TWO_POINT_FOUR=false fi fi - if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]] - then - # Downloading parameters - RANDOM_INDEX=$(( RANDOM % 128 )) - ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" - else - # Generate Diffie-Hellman key exchange - ${SUDOE} ./easyrsa gen-dh - ${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem + if [[ ${useUpdateVars} == false ]]; then + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then + DOWNLOAD_DH_PARAM=true + else + DOWNLOAD_DH_PARAM=false + fi + fi fi + if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then + if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]; then + # Downloading parameters + RANDOM_INDEX=$(( RANDOM % 128 )) + ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" + else + # Generate Diffie-Hellman key exchange + ${SUDOE} ./easyrsa gen-dh + ${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem + fi + fi + # Generate static HMAC key to defend against DDoS ${SUDOE} openvpn --genkey --secret pki/ta.key 
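Review bot: Choosing 'No' sets `APPLY_TWO_POINT_FOUR=false` but never removes `/etc/pivpn/TWO_POINT_FOUR`, so a marker left by an earlier install keeps scripts/makeOVPN.sh on the 2.4 path while the server is rebuilt without it; add `$SUDO rm -f /etc/pivpn/TWO_POINT_FOUR` in the else branch so the marker always reflects the current answer. On the `useUpdateVars == true` path the marker is neither created nor removed, so an unattended re-run presumably depends on whatever a prior run left behind — worth a comment, or the same touch/rm pair keyed on the restored variable. When the 2.4 option is taken, `DOWNLOAD_DH_PARAM` is never assigned in this hunk, so finalExports later writes it with an empty value. The prompt text also reads "If you your clients do run OpenVPN 2.4", which should be "If your clients run OpenVPN 2.4 or later". The enclosing function starts before this hunk.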
@@ -883,8 +894,19 @@ EOF # Write config file for server using the template .txt file $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf - # Set the user encryption key size - $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf + if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + #If they enabled 2.4 change compression algorithm and use tls-crypt instead of tls-auth to encrypt control channel + $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/server.conf + $SUDO sed -i "s/tls-auth \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0/tls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key/" /etc/openvpn/server.conf + fi + + if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + #If they enabled 2.4 disable dh parameters + $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none/" /etc/openvpn/server.conf + else + # Otherwise set the user encryption key size + $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf + fi # if they modified port put value in server.conf if [ $PORT != 1194 ]; then @@ -987,6 +1009,12 @@ confOVPN() { $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt + if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then + #If they enabled 2.4 change compression algorithm and remove key-direction options since it's not required + $SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/easy-rsa/pki/Default.txt + $SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt + fi + if [[ ${useUpdateVars} == false ]]; then METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \ "$IPv4pub" "Use this public IP" "ON" \ 
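Review bot: The two consecutive `if [[ ${APPLY_TWO_POINT_FOUR} == true ]]` blocks test the same condition and can be folded into one `if … else … fi`, with the comp-lzo, tls-crypt and `dh none` edits together in the true branch. All three substitutions are unanchored and succeed even when nothing matches, so a template whose line differs from `tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0` would silently leave the server on tls-auth while clients are built for 2.4; a check such as `grep -q '^tls-crypt ' /etc/openvpn/server.conf || echo "warning: tls-crypt not applied" >&2` after the edit makes that visible. Separately, `compress lz4` keeps data compression enabled inside the tunnel; compressing attacker-influenced plaintext over an encrypted channel is a known leak vector, so the choice deserves a comment and ideally an opt-out rather than being tied to the 2.4 answer. The enclosing function starts before and continues after this hunk.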
@@ -1040,6 +1068,42 @@ confOVPN() { $SUDO chmod 0777 -R "/home/$pivpnUser/ovpns" } +confLogging(){ + # Tell rsyslog to log openvpn messages to a specific file + cat << 'EOT' | $SUDO tee /etc/rsyslog.d/30-openvpn.conf >/dev/null +if $programname == 'ovpn-server' then /var/log/openvpn.log +if $programname == 'ovpn-server' then ~ +EOT + + # Enable log rotation, it rotates weekly and keeps the current log and the previous uncompressed, with the older 4 compressed + cat << 'EOT' | $SUDO tee /etc/logrotate.d/openvpn >/dev/null +/var/log/openvpn.log +{ + rotate 4 + weekly + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true + endscript +} +EOT + + # Restart the logging service + case ${PLAT} in + Ubuntu|Debian|*vuan) + $SUDO service rsyslog restart || true + ;; + *) + $SUDO systemctl restart rsyslog.service || true + ;; + esac + +} + finalExports() { # Update variables in setupVars.conf file if [ -e "${setupVars}" ]; then @@ -1055,6 +1119,7 @@ finalExports() { echo "pivpnProto=${pivpnProto}" echo "PORT=${PORT}" echo "ENCRYPT=${ENCRYPT}" + echo "APPLY_TWO_POINT_FOUR"="${APPLY_TWO_POINT_FOUR}" echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" echo "PUBLICDNS=${PUBLICDNS}" echo "OVPNDNS1=${OVPNDNS1}" @@ -1095,6 +1160,7 @@ installPiVPN() { confNetwork confOVPN setClientDNS + confLogging finalExports } diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh old mode 100644 new mode 100755 index 31dbb23..09ef655 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -56,7 +56,7 @@ do NO_PASS="1" ;; *) - echo "Error: Got an unexpected argument '$1'" + echo "Error: Got an unexpected argument '$1'" helpFunc exit 1 ;; 
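Review bot: The rsyslog filter selects on `$programname == 'ovpn-server'`, but the server_config.txt hunk in this patch only adds a bare `syslog` directive, so the ident depends on how the service unit starts the daemon (`--daemon ovpn-server` or similar), which is outside this patch; a comment such as `# 'ovpn-server' is the syslog ident set by the openvpn@server unit; other instance names will not match` would record that coupling, and if the unit does not set it the messages stay in the general syslog. The `~` discard action is legacy rsyslog syntax; `stop` is the current form and avoids a deprecation warning on newer versions. Both restart commands end in `|| true`, so a failed rsyslog restart leaves the old configuration active with no message; at least print a warning to stderr before continuing. confLogging is complete within this hunk.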
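Review bot: `echo "APPLY_TWO_POINT_FOUR"="${APPLY_TWO_POINT_FOUR}"` relies on bash joining three adjacent words into one; it works, but it is inconsistent with the surrounding lines and reads as a mistake, so write it as `echo "APPLY_TWO_POINT_FOUR=${APPLY_TWO_POINT_FOUR}"`. When the 2.4 option is selected, DOWNLOAD_DH_PARAM is never assigned anywhere in this patch, so the next line writes `DOWNLOAD_DH_PARAM=` with an empty value into setupVars.conf; presumably harmless for the later `== true` test, but an explicit default such as `DOWNLOAD_DH_PARAM=false` would keep the file unambiguous. finalExports starts before and ends after this hunk.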
@@ -237,10 +237,17 @@ echo "tls-auth Private Key found: $TA" cat "private/${NAME}${KEY}" echo "" - #Finally, append the TA Private Key - echo "" - cat "${TA}" - echo "" + #Finally, append the TA Private Key + if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then + echo "" + cat "${TA}" + echo "" + else + echo "" + cat "${TA}" + echo "" + fi + } > "${NAME}${FILEEXT}" # Copy the .ovpn profile to the home directory for convenient remote access diff --git a/server_config.txt b/server_config.txt old mode 100644 new mode 100755 index 128528e..fe909ca --- a/server_config.txt +++ b/server_config.txt @@ -29,6 +29,6 @@ persist-tun crl-verify /etc/openvpn/crl.pem status /var/log/openvpn-status.log 20 status-version 3 -log /var/log/openvpn.log -verb 1 +syslog +verb 3 # Generated for use by PiVPN.io
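Review bot: Both branches of the new `if [ -f /etc/pivpn/TWO_POINT_FOUR ]` emit exactly the same three lines (`echo ""`, `cat "${TA}"`, `echo ""`), so the conditional has no effect on the generated profile. If the intent is to wrap the key in `<tls-crypt>` tags for a 2.4 server and `<tls-auth>` tags otherwise, the lines that write those tags (presumably emitted outside this hunk, given the `tls-auth Private Key found` context) are what must differ; as written, a server that install.sh configured with tls-crypt would receive client profiles still carrying tls-auth framing, which would likely fail to connect. Either make the branches differ or drop the `if` until the tls-crypt profile path is implemented. The brace group that redirects to `"${NAME}${FILEEXT}"` starts before this hunk.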