Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'origin/test'

Browse source
This commit is contained in:
redfast00 2018-02-21 17:36:09 +01:00
commit 25aaf24c89
No known key found for this signature in database
GPG key ID: 5946E0E34FD0553C
4 changed files with 96 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
Default.txt Normal file → Executable file
View file

@ -13,4 +13,4 @@ verify-x509-name SRVRNAME name
cipher AES-256-CBC cipher AES-256-CBC
auth SHA256 auth SHA256
comp-lzo comp-lzo
verb 1 verb 3

90
auto_install/install.sh
View file

@ -370,16 +370,6 @@ setStaticIPv4() {
fi fi
} }
setNetwork() {
# Sets the Network IP and Mask correctly
export PATH=${PATH}:/sbin:/usr/sbin
LOCALMASK=$(ifconfig "${pivpnInterface}" | awk '/Mask:/{ print $4;} ' | cut -c6-)
LOCALIP=$(ifconfig "${pivpnInterface}" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
IFS=. read -r i1 i2 i3 i4 <<< "$LOCALIP"
IFS=. read -r m1 m2 m3 m4 <<< "$LOCALMASK"
LOCALNET=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
}
function valid_ip() function valid_ip()
{ {
local ip=$1 local ip=$1
@ -863,16 +853,26 @@ EOF
${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}) if (whiptail --backtitle "Setup OpenVPN" --title "Version 2.4 improvements" --yesno --defaultno "OpenVPN 2.4 brings support for stronger key exchange using Elliptic Curves and encrypted control channel, along with faster LZ4 compression.\n\nIf you your clients do run OpenVPN 2.4 or later you can enable these features, otherwise choose 'No' for best compatibility.\n\nNOTE: Current mobile app, that is OpenVPN connect, is supported." ${r} ${c}); then
then APPLY_TWO_POINT_FOUR=true
$SUDO touch /etc/pivpn/TWO_POINT_FOUR
else
APPLY_TWO_POINT_FOUR=false
fi
fi
if [[ ${useUpdateVars} == false ]]; then
if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
DOWNLOAD_DH_PARAM=true DOWNLOAD_DH_PARAM=true
else else
DOWNLOAD_DH_PARAM=false DOWNLOAD_DH_PARAM=false
fi fi
fi fi
fi
if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]] if [[ ${APPLY_TWO_POINT_FOUR} == false ]]; then
then if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]; then
# Downloading parameters # Downloading parameters
RANDOM_INDEX=$(( RANDOM % 128 )) RANDOM_INDEX=$(( RANDOM % 128 ))
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem" ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
@ -881,6 +881,7 @@ EOF
${SUDOE} ./easyrsa gen-dh ${SUDOE} ./easyrsa gen-dh
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem ${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
fi fi
fi
# Generate static HMAC key to defend against DDoS # Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret pki/ta.key ${SUDOE} openvpn --genkey --secret pki/ta.key
@ -893,11 +894,19 @@ EOF
# Write config file for server using the template .txt file # Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
$SUDO sed -i "s/LOCALNET/${LOCALNET}/g" /etc/openvpn/server.conf if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
$SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf #If they enabled 2.4 change compression algorithm and use tls-crypt instead of tls-auth to encrypt control channel
$SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/server.conf
$SUDO sed -i "s/tls-auth \/etc\/openvpn\/easy-rsa\/pki\/ta.key 0/tls-crypt \/etc\/openvpn\/easy-rsa\/pki\/ta.key/" /etc/openvpn/server.conf
fi
# Set the user encryption key size if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
#If they enabled 2.4 disable dh parameters
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/dh none/" /etc/openvpn/server.conf
else
# Otherwise set the user encryption key size
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf
fi
# if they modified port put value in server.conf # if they modified port put value in server.conf
if [ $PORT != 1194 ]; then if [ $PORT != 1194 ]; then
@ -1000,6 +1009,12 @@ confOVPN() {
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [[ ${APPLY_TWO_POINT_FOUR} == true ]]; then
#If they enabled 2.4 change compression algorithm and remove key-direction options since it's not required
$SUDO sed -i "s/comp-lzo/compress lz4/" /etc/openvpn/easy-rsa/pki/Default.txt
$SUDO sed -i "/key-direction 1/d" /etc/openvpn/easy-rsa/pki/Default.txt
fi
if [[ ${useUpdateVars} == false ]]; then if [[ ${useUpdateVars} == false ]]; then
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \ METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \
"$IPv4pub" "Use this public IP" "ON" \ "$IPv4pub" "Use this public IP" "ON" \
@ -1053,6 +1068,42 @@ confOVPN() {
$SUDO chmod 0777 -R "/home/$pivpnUser/ovpns" $SUDO chmod 0777 -R "/home/$pivpnUser/ovpns"
} }
confLogging(){
# Tell rsyslog to log openvpn messages to a specific file
cat << 'EOT' | $SUDO tee /etc/rsyslog.d/30-openvpn.conf >/dev/null
if $programname == 'ovpn-server' then /var/log/openvpn.log
if $programname == 'ovpn-server' then ~
EOT
# Enable log rotation, it rotates weekly and keeps the current log and the previous uncompressed, with the older 4 compressed
cat << 'EOT' | $SUDO tee /etc/logrotate.d/openvpn >/dev/null
/var/log/openvpn.log
{
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate >/dev/null 2>&1 || true
endscript
}
EOT
# Restart the logging service
case ${PLAT} in
Ubuntu|Debian|*vuan)
$SUDO service rsyslog restart || true
;;
*)
$SUDO systemctl restart rsyslog.service || true
;;
esac
}
finalExports() { finalExports() {
# Update variables in setupVars.conf file # Update variables in setupVars.conf file
if [ -e "${setupVars}" ]; then if [ -e "${setupVars}" ]; then
@ -1068,6 +1119,7 @@ finalExports() {
echo "pivpnProto=${pivpnProto}" echo "pivpnProto=${pivpnProto}"
echo "PORT=${PORT}" echo "PORT=${PORT}"
echo "ENCRYPT=${ENCRYPT}" echo "ENCRYPT=${ENCRYPT}"
echo "APPLY_TWO_POINT_FOUR"="${APPLY_TWO_POINT_FOUR}"
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}"
echo "PUBLICDNS=${PUBLICDNS}" echo "PUBLICDNS=${PUBLICDNS}"
echo "OVPNDNS1=${OVPNDNS1}" echo "OVPNDNS1=${OVPNDNS1}"
@ -1108,6 +1160,7 @@ installPiVPN() {
confNetwork confNetwork
confOVPN confOVPN
setClientDNS setClientDNS
confLogging
finalExports finalExports
} }
@ -1270,9 +1323,6 @@ main() {
setStaticIPv4 setStaticIPv4
fi fi
# Set the Network IP and Mask correctly
setNetwork
# Choose the user for the ovpns # Choose the user for the ovpns
chooseUser chooseUser

7
scripts/makeOVPN.sh Normal file → Executable file
View file

@ -238,9 +238,16 @@ echo "tls-auth Private Key found: $TA"
echo "</key>" echo "</key>"
#Finally, append the TA Private Key #Finally, append the TA Private Key
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
echo "<tls-crypt>"
cat "${TA}"
echo "</tls-crypt>"
else
echo "<tls-auth>" echo "<tls-auth>"
cat "${TA}" cat "${TA}"
echo "</tls-auth>" echo "</tls-auth>"
fi
} > "${NAME}${FILEEXT}" } > "${NAME}${FILEEXT}"
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access

12
server_config.txt Normal file → Executable file
View file

@ -7,14 +7,6 @@ key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh2048.pem dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OPenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route LOCALNET LOCALMASK"
# Set your primary domain name server address for clients # Set your primary domain name server address for clients
push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4" push "dhcp-option DNS 8.8.4.4"
@ -37,6 +29,6 @@ persist-tun
crl-verify /etc/openvpn/crl.pem crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20 status /var/log/openvpn-status.log 20
status-version 3 status-version 3
log /var/log/openvpn.log syslog
verb 1 verb 3
# Generated for use by PiVPN.io # Generated for use by PiVPN.io