Merge branch 'test'

This commit is contained in:
Kaladin Light 2016-12-07 13:07:08 -05:00
commit 794897eb28
6 changed files with 134 additions and 218 deletions


@ -15,7 +15,8 @@
pivpnGitUrl="https://github.com/pivpn/pivpn.git" pivpnGitUrl="https://github.com/pivpn/pivpn.git"
pivpnFilesDir="/etc/.pivpn" pivpnFilesDir="/etc/.pivpn"
easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/3.0.1-pivpn/EasyRSA-3.0.1-pivpn.tgz" easyrsaVer="3.0.1-pivpn1"
easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
# Find the rows and columns. Will default to 80x24 if it can not be detected. # Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80) screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -143,10 +144,9 @@ chooseUser() {
then then
# See http://askubuntu.com/a/667842/459815 # See http://askubuntu.com/a/667842/459815
PASSWORD=$(whiptail --title "password dialog" --passwordbox "Please enter the new user password" ${r} ${c} 3>&1 1>&2 2>&3) PASSWORD=$(whiptail --title "password dialog" --passwordbox "Please enter the new user password" ${r} ${c} 3>&1 1>&2 2>&3)
CRYPT=$(perl -e 'printf("%s\n", crypt($ARGV[0], "password"))' "$password") CRYPT=$(perl -e 'printf("%s\n", crypt($ARGV[0], "password"))' "${PASSWORD}")
$SUDO useradd -m -p "$CRYPT" -s /bin/bash "$userToAdd" $SUDO useradd -m -p "${CRYPT}" -s /bin/bash "${userToAdd}"
if [ $? -eq 0 ] if [[ $? = 0 ]]; then
then
echo "Succeeded" echo "Succeeded"
((numUsers+=1)) ((numUsers+=1))
else else
@ -157,8 +157,8 @@ chooseUser() {
fi fi
fi fi
availableUsers=$(awk -F':' '$3>=500 && $3<=60000 {print $1}' /etc/passwd) availableUsers=$(awk -F':' '$3>=500 && $3<=60000 {print $1}' /etc/passwd)
userArray=() local userArray=()
firstloop=1 local firstloop=1
while read -r line while read -r line
do do
@ -167,13 +167,12 @@ chooseUser() {
firstloop=0 firstloop=0
mode="ON" mode="ON"
fi fi
userArray+=("$line" "" "$mode") userArray+=("${line}" "" "${mode}")
done <<< "${availableUsers}" done <<< "${availableUsers}"
chooseUserCmd=(whiptail --title "Choose A User" --separate-output --radiolist "Choose:" ${r} ${c} ${numUsers}) chooseUserCmd=(whiptail --title "Choose A User" --separate-output --radiolist "Choose:" ${r} ${c} ${numUsers})
if chooseUserOptions=$("${chooseUserCmd[@]}" "${userArray[@]}" 2>&1 >/dev/tty) chooseUserOptions=$("${chooseUserCmd[@]}" "${userArray[@]}" 2>&1 >/dev/tty)
then if [[ $? = 0 ]]; then
for desiredUser in ${chooseUserOptions} for desiredUser in ${chooseUserOptions}; do
do
pivpnUser=${desiredUser} pivpnUser=${desiredUser}
echo "::: Using User: $pivpnUser" echo "::: Using User: $pivpnUser"
echo "${pivpnUser}" > /tmp/pivpnUSR echo "${pivpnUser}" > /tmp/pivpnUSR
@ -184,7 +183,6 @@ chooseUser() {
fi fi
} }
verifyFreeDiskSpace() { verifyFreeDiskSpace() {
# If user installs unattended-upgrades we'd need about 60MB so will check for 75MB free # If user installs unattended-upgrades we'd need about 60MB so will check for 75MB free
echo "::: Verifying free disk space..." echo "::: Verifying free disk space..."
@ -239,7 +237,7 @@ chooseInterface() {
mode="ON" mode="ON"
fi fi
interfacesArray+=("${line}" "available" "${mode}") interfacesArray+=("${line}" "available" "${mode}")
done <<< "$availableInterfaces" done <<< "${availableInterfaces}"
# Find out how many interfaces are available to choose from # Find out how many interfaces are available to choose from
interfaceCount=$(echo "${availableInterfaces}" | wc -l) interfaceCount=$(echo "${availableInterfaces}" | wc -l)
@ -320,7 +318,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that,
setDHCPCD() { setDHCPCD() {
# Append these lines to dhcpcd.conf to enable a static IP # Append these lines to dhcpcd.conf to enable a static IP
echo "## interface ${pivpnInterface} echo "interface ${pivpnInterface}
static ip_address=${IPv4addr} static ip_address=${IPv4addr}
static routers=${IPv4gw} static routers=${IPv4gw}
static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null
@ -461,7 +459,7 @@ checkForDependencies() {
echo ":::" echo ":::"
echo "::: Checking dependencies:" echo "::: Checking dependencies:"
dependencies=( openvpn easy-rsa git iptables-persistent dnsutils expect whiptail ) dependencies=( openvpn git dhcpcd5 tar wget iptables-persistent dnsutils expect whiptail )
for i in "${dependencies[@]}"; do for i in "${dependencies[@]}"; do
echo -n "::: Checking for $i..." echo -n "::: Checking for $i..."
if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then
@ -471,7 +469,7 @@ checkForDependencies() {
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections
fi fi
if [[ $i = "expect" ]]; then if [[ $i == "expect" ]] || [[ $i == "openvpn" ]]; then
$SUDO apt-get --yes --quiet --no-install-recommends install "$i" > /dev/null & spinner $! $SUDO apt-get --yes --quiet --no-install-recommends install "$i" > /dev/null & spinner $!
else else
$SUDO apt-get --yes --quiet install "$i" > /dev/null & spinner $! $SUDO apt-get --yes --quiet install "$i" > /dev/null & spinner $!
@ -590,16 +588,17 @@ setCustomPort() {
} }
setClientDNS() { setClientDNS() {
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients. To use your own, select Custom." ${r} ${c} 5) DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients. To use your own, select Custom." ${r} ${c} 6)
DNSChooseOptions=(Google "" on DNSChooseOptions=(Google "" on
OpenDNS "" off OpenDNS "" off
Level3 "" off Level3 "" off
DNS.WATCH "" off
Norton "" off Norton "" off
Custom "" off) Custom "" off)
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty) if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
then then
case $DNSchoices in case ${DNSchoices} in
Google) Google)
echo "::: Using Google DNS servers." echo "::: Using Google DNS servers."
OVPNDNS1="8.8.8.8" OVPNDNS1="8.8.8.8"
@ -620,6 +619,13 @@ setClientDNS() {
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
;; ;;
DNS.WATCH)
echo "::: Using DNS.WATCH servers."
OVPNDNS1="82.200.69.80"
OVPNDNS2="84.200.70.40"
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
;;
Norton) Norton)
echo "::: Using Norton ConnectSafe servers." echo "::: Using Norton ConnectSafe servers."
OVPNDNS1="199.85.126.10" OVPNDNS1="199.85.126.10"
@ -695,124 +701,63 @@ confOpenVPN() {
exit 1 exit 1
fi fi
# Copy the easy-rsa files to a directory inside the new openvpn directory # If easy-rsa exists, remove it
$SUDO cp -r /usr/share/easy-rsa /etc/openvpn if [[ -d /etc/openvpn/easy-rsa/ ]]; then
$SUDO rm -rf /etc/openvpn/easy-rsa/
fi
# Edit the EASY_RSA variable in the vars file to point to the new easy-rsa directory, # Get the PiVPN easy-rsa
# And set the chosen key size wget -q -O "/tmp/EasyRSA-${easyrsaVer}" "${easyrsaRel}"
tar xzf /tmp/EasyRSA-${easyrsaVer} -C /tmp
$SUDO mv /tmp/EasyRSA-${easyrsaVer}/ /etc/openvpn/easy-rsa/
$SUDO chown -R root:root /etc/openvpn/easy-rsa
$SUDO mkdir /etc/openvpn/easy-rsa/pki
# Write out new vars file
IFS= read -d '' String <<"EOF"
if [ -z "$EASYRSA_CALLER" ]; then
echo "Nope." >&2
return 1
fi
set_var EASYRSA "/etc/openvpn/easy-rsa"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CURVE secp384r1
EOF
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
# Edit the KEY_SIZE variable in the vars file to set user chosen key size
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
$SUDO sed -i 's:"`pwd`":"/etc/openvpn/easy-rsa":' vars $SUDO sed -i "s/\(KEY_SIZE\).*/\1 ${ENCRYPT}/" vars
$SUDO sed -i "s/\(KEY_SIZE=\).*/\1${ENCRYPT}/" vars
# Init Cert Values
COUNTRY="US"
STATE="CA"
CITY="SanFrancisco"
ORG="Fort-Funston"
SERVER_NAME="server"
KEY_NAME="EasyRSA"
EMAIL="me@myhost.mydomain"
whiptail --title "Certificate Information" --msgbox "You will now be shown the default values for fields that will be used in the certificate. \nIt is fine to leave these as-is since only you and the clients you create will ever see this. \nHowever, if you want to change the values, simply select the ones you wish to modify." ${r} ${c}
until [[ $CERTVALCorrect = True ]]
do
CERTVAL=$(whiptail --title "Certificate Information" --checklist "Choose any certificate values you want to change" ${r} ${c} 7 \
"COUNTRY" "= US" OFF \
"STATE" "= CA" OFF \
"CITY" "= SanFranciso" OFF \
"ORG" "= Fort-Funston" OFF \
"SERVER_NAME" "= server" OFF \
"KEY_NAME" "= EasyRSA" OFF \
"EMAIL" "= me@myhost.mydomain" OFF 3>&1 1>&2 2>&3)
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
exit 1
fi
for i in $CERTVAL
do
if [ "$i" == '"COUNTRY"' ]; then
COUNTRY=$(whiptail --title "Certificate Country" --inputbox \
"Enter a 2 letter abbreviation for Country" ${r} ${c} US 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_COUNTRY=\"\).*/\1${COUNTRY}\"/" vars
fi
if [ "$i" == '"STATE"' ]; then
STATE=$(whiptail --title "Certificate State" --inputbox \
"Enter a 2 letter abbreviated State or Province" ${r} ${c} CA 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_PROVINCE=\"\).*/\1${STATE}\"/" vars
fi
if [ "$i" == '"CITY"' ]; then
CITY=$(whiptail --title "Certificate City" --inputbox \
"Enter a City name" ${r} ${c} SanFrancisco 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_CITY=\"\).*/\1${CITY}\"/" vars
fi
if [ "$i" == '"ORG"' ]; then
ORG=$(whiptail --title "Certificate Org" --inputbox \
"Enter an Organization name" ${r} ${c} Fort-Funston 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_ORG=\"\).*/\1${ORG}\"/" vars
fi
if [ "$i" == '"EMAIL"' ]; then
EMAIL=$(whiptail --title "Certificate Email" --inputbox \
"Enter an Email Address" ${r} ${c} "me@myhost.mydomain" 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_EMAIL=\"\).*/\1${EMAIL}\"/" vars
fi
if [ "$i" == '"SERVER_NAME"' ]; then
SERVER_NAME=$(whiptail --title "Server Name" --inputbox \
"Enter a Server Name" ${r} ${c} "pivpn" 3>&1 1>&2 2>&3)
# This began a rabbit hole of errors. Nope.
#sed -i '/export KEY_CN/s/^#//g' vars
#sed -i "s/\(KEY_CN=\"\).*/\1${SERVER_NAME}\"/" vars
fi
if [ "$i" == '"KEY_NAME"' ]; then
KEY_NAME=$(whiptail --title "Key Name" --inputbox \
"Enter a Key Name" ${r} ${c} "EasyRSA" 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_NAME=\"\).*/\1${KEY_NAME}\"/" vars
fi
done
if (whiptail --backtitle "Confirm Certificate Fields" --title "Confirm Certificate Fields" --yesno "Are these values correct?\n\n Country: $COUNTRY\n State: $STATE\n City: $CITY\n Org: $ORG\n Email: $EMAIL\n Server Name: $SERVER_NAME\n Key Name: $KEY_NAME" ${r} ${c}) then
CERTVALCorrect=True
else
CERTVALCorrect=False
fi
done
# Make PiVPN the OU
KEY_OU=PiVPN
$SUDO sed -i "s/\(KEY_OU=\"\).*/\1${KEY_OU}\"/" vars
# It seems you have to set this if you mess with key_cn, lets not.
# grep -q 'KEY_ALTNAMES=' vars || printf '\nexport KEY_ALTNAMES="PiVPN_KEYALT"\n' >> vars
echo "export KEY_ALTNAMES=\"PiVPN_ALTNAME\"" >> vars
# source the vars file just edited
source ./vars
# Remove any previous keys # Remove any previous keys
${SUDOE} ./clean-all ${SUDOE} ./easyrsa --batch init-pki
# Build the certificate authority # Build the certificate authority
echo "::: Building CA..." printf "::: Building CA...\n"
${SUDOE} ./build-ca < /etc/.pivpn/ca_info.txt ${SUDOE} ./easyrsa --batch build-ca nopass
printf "\n::: CA Complete.\n" printf "\n::: CA Complete.\n"
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c} whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
# Build the server # Build the server
${SUDOE} ./build-key-server --batch "$SERVER_NAME" ${SUDOE} ./easyrsa build-server-full server nopass
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}) if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
then then
# Downloading parameters, $KEY_DIR and $KEY_SIZE get set by sourcing ./vars # Downloading parameters
RANDOM_INDEX=$(( RANDOM % 128 )) RANDOM_INDEX=$(( RANDOM % 128 ))
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "${KEY_DIR}/dh${KEY_SIZE}.pem" ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
else else
# Generate Diffie-Hellman key exchange # Generate Diffie-Hellman key exchange
${SUDOE} ./build-dh ${SUDOE} ./easyrsa gen-dh
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
fi fi
# Generate static HMAC key to defend against DDoS # Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret keys/ta.key ${SUDOE} openvpn --genkey --secret pki/ta.key
# Write config file for server using the template .txt file # Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -821,7 +766,7 @@ fi
$SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf $SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf
# Set the user encryption key size # Set the user encryption key size
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/keys\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf
# if they modified port put value in server.conf # if they modified port put value in server.conf
if [ $PORT != 1194 ]; then if [ $PORT != 1194 ]; then
@ -834,8 +779,8 @@ fi
fi fi
# write out server certs to conf file # write out server certs to conf file
$SUDO sed -i "s/\(key \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.key/" /etc/openvpn/server.conf $SUDO sed -i "s/\(key \/etc\/openvpn\/easy-rsa\/pki\/private\/\).*/\1${SERVER_NAME}.key/" /etc/openvpn/server.conf
$SUDO sed -i "s/\(cert \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.crt/" /etc/openvpn/server.conf $SUDO sed -i "s/\(cert \/etc\/openvpn\/easy-rsa\/pki\/issued\/\).*/\1${SERVER_NAME}.crt/" /etc/openvpn/server.conf
} }
confUnattendedUpgrades() { confUnattendedUpgrades() {
@ -932,10 +877,10 @@ confOVPN() {
exit 1 exit 1
fi fi
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/keys/Default.txt $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [ "$METH" == "$IPv4pub" ]; then if [ "$METH" == "$IPv4pub" ]; then
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/keys/Default.txt $SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else else
until [[ $publicDNSCorrect = True ]] until [[ $publicDNSCorrect = True ]]
do do
@ -947,7 +892,7 @@ confOVPN() {
fi fi
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
publicDNSCorrect=True publicDNSCorrect=True
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/keys/Default.txt $SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else else
publicDNSCorrect=False publicDNSCorrect=False
@ -957,16 +902,16 @@ confOVPN() {
# if they modified port put value in Default.txt for clients to use # if they modified port put value in Default.txt for clients to use
if [ $PORT != 1194 ]; then if [ $PORT != 1194 ]; then
$SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/keys/Default.txt $SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi fi
# if they modified protocol put value in Default.txt for clients to use # if they modified protocol put value in Default.txt for clients to use
if [ "$PROTO" != "udp" ]; then if [ "$PROTO" != "udp" ]; then
$SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/keys/Default.txt $SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi fi
# verify server name to strengthen security # verify server name to strengthen security
$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/keys/Default.txt $SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
$SUDO mkdir "/home/$pivpnUser/ovpns" $SUDO mkdir "/home/$pivpnUser/ovpns"
$SUDO chmod 0777 -R "/home/$pivpnUser/ovpns" $SUDO chmod 0777 -R "/home/$pivpnUser/ovpns"
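Review bot: `SERVER_NAME` is still expanded in `s/\(key \/etc\/openvpn\/easy-rsa\/pki\/private\/\).*/\1${SERVER_NAME}.key/`, the matching `cert` line below it and `s/SRVRNAME/${SERVER_NAME}/` in confOVPN, but the assignment `SERVER_NAME="server"` was deleted together with the certificate-field dialog and the server certificate is now built with the literal name `server`; unless it is assigned somewhere outside the hunks shown, server.conf ends up pointing at `private/.key` and `issued/.crt`. Keep `SERVER_NAME="server"` in confOpenVPN and build with it, `${SUDOE} ./easyrsa --batch build-server-full "${SERVER_NAME}" nopass`, which also adds the `--batch` that the neighbouring `init-pki` and `build-ca` calls already pass. The easy-rsa fetch `wget -q -O "/tmp/EasyRSA-${easyrsaVer}" "${easyrsaRel}"` and the following `tar xzf` check no exit status before `$SUDO mv` installs the result as root, and the download target has the same path as the directory the `mv` expects, so if the archive's top-level directory is `EasyRSA-${easyrsaVer}` the extraction collides with the file; `wget ... -O "${tmpdir}/EasyRSA-${easyrsaVer}.tgz" || exit 1` with `tmpdir=$(mktemp -d)` instead of a fixed name in the shared /tmp, plus a pinned checksum of the archive (placeholder: `<EXPECTED_SHA256>`), would make that root-level install verifiable. confOpenVPN begins before this hunk.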

2
pivpn

@ -42,7 +42,7 @@ function uninstallFunc {
} }
function versionFunc { function versionFunc {
printf "\e[1mVersion 1.6\e[0m\n" printf "\e[1mVersion 1.7\e[0m\n"
} }
function helpFunc { function helpFunc {


@ -1,9 +1,9 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# PiVPN: list clients script # PiVPN: list clients script
INDEX="/etc/openvpn/easy-rsa/keys/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
printf "\n" printf "\n"
if [ ! -f "$INDEX" ]; then if [ ! -f "${INDEX}" ]; then
echo "The file: $INDEX was not found!" echo "The file: $INDEX was not found!"
exit 1 exit 1
fi fi
@ -15,13 +15,13 @@ printf " ::\e[4m Status \e[0m||\e[4m Name \e[0m:: \n"
while read -r line || [ -n "$line" ]; do while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}') STATUS=$(echo "$line" | awk '{print $1}')
NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/') NAME=$(echo "$line" | sed -e 's:.*/CN=::')
if [ "$STATUS" = "V" ]; then if [ "${STATUS}" == "V" ]; then
printf " Valid :: %s\n" "$NAME" printf " Valid :: %s\n" "$NAME"
elif [ "$STATUS" = "R" ]; then elif [ "${STATUS}" == "R" ]; then
printf " Revoked :: %s\n" "$NAME" printf " Revoked :: %s\n" "$NAME"
else else
printf " Unknown :: %s\n" "$NAME" printf " Unknown :: %s\n" "$NAME"
fi fi
done <$INDEX done <${INDEX}
printf "\n" printf "\n"
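Review bot: The new `NAME=$(echo "$line" | sed -e 's:.*/CN=::')` keeps everything after the last `/CN=` with no anchor, so an index.txt line without a `/CN=` component is printed unchanged as the name under `Unknown`; that is probably fine for easy-rsa 3 output, but a comment such as `# easy-rsa 3 writes the subject as /CN=<name>; strip everything up to it` would record the assumption. `done <${INDEX}` leaves the redirection target unquoted while the `-f` test a few lines up quotes the same variable; `done < "${INDEX}"` keeps it consistent. The `[ "${STATUS}" == "V" ]` comparisons use `==` inside single brackets, which bash accepts but POSIX `test` does not; `[[ "${STATUS}" == "V" ]]`, as the revoke script in this commit writes it, or plain `=` keeps the style uniform.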


@ -4,40 +4,24 @@
DEFAULT="Default.txt" DEFAULT="Default.txt"
FILEEXT=".ovpn" FILEEXT=".ovpn"
CRT=".crt" CRT=".crt"
OKEY=".key" KEY=".key"
KEY=".3des.key"
CA="ca.crt" CA="ca.crt"
TA="ta.key" TA="ta.key"
INDEX="/etc/openvpn/easy-rsa/keys/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
# Functions def # Functions def
function keynoPASS() { function keynoPASS() {
# Override key def
KEY=".key"
#Build the client key #Build the client key
expect << EOF expect << EOF
set timeout -1 set timeout -1
spawn ./build-key "$NAME" spawn ./easyrsa build-client-full "$NAME" nopass
expect "Country Name" { send "\r" }
expect "State or Province Name" { send "\r" }
expect "Locality Name" { send "\r" }
expect "Organization Name" { send "\r" }
expect "Organizational Unit" { send "\r" }
expect "Common Name" { send "\r" }
expect "Name" { send "\r" }
expect "Email Address" { send "\r" }
expect "challenge password" { send "\r" }
expect "optional company name" { send "\r" }
expect "Sign the certificate" { send "y\r" }
expect "commit" { send "y\r" }
expect eof expect eof
EOF EOF
cd keys || exit cd pki || exit
} }
@ -75,65 +59,44 @@ function keyPASS() {
expect << EOF expect << EOF
set timeout -1 set timeout -1
spawn ./build-key-pass "$NAME" spawn ./easyrsa build-client-full "$NAME"
expect "Enter PEM pass phrase" { send "${PASSWD}\r" } expect "Enter PEM pass phrase" { send "${PASSWD}\r" }
expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" } expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" }
expect "Country Name" { send "\r" }
expect "State or Province Name" { send "\r" }
expect "Locality Name" { send "\r" }
expect "Organization Name" { send "\r" }
expect "Organizational Unit" { send "\r" }
expect "Common Name" { send "\r" }
expect "Name" { send "\r" }
expect "Email Address" { send "\r" }
expect "challenge password" { send "\r" }
expect "optional company name" { send "\r" }
expect "Sign the certificate" { send "y\r" }
expect "commit" { send "y\r" }
expect eof expect eof
EOF EOF
cd keys || exit cd pki || exit
expect << EOF
set timeout -1
spawn openssl rsa -in "$NAME$OKEY" -des3 -out "$NAME$KEY"
expect "Enter pass phrase for" { send "${PASSWD}\r" }
expect "Enter PEM pass phrase" { send "${PASSWD}\r" }
expect "Verifying - Enter PEM pass" { send "${PASSWD}\r" }
expect eof
EOF
} }
printf "Enter a Name for the Client: " printf "Enter a Name for the Client: "
read -r NAME read -r NAME
if [[ "$NAME" =~ [^a-zA-Z0-9] ]]; then if [[ "${NAME}" =~ [^a-zA-Z0-9] ]]; then
echo "Name can only contain alphanumeric characters" echo "Name can only contain alphanumeric characters."
exit 1 exit 1
fi fi
if [[ -z "$NAME" ]]; then if [[ -z "${NAME}" ]]; then
echo "You cannot leave the name blank" echo "You cannot leave the name blank."
exit 1 exit 1
fi fi
# Check if name is already in use # Check if name is already in use
while read -r line || [ -n "$line" ]; do while read -r line || [ -n "$line" ]; do
if [ "$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')" = "$NAME" ]; then if [ "$(echo "$line" | sed -e 's:.*/CN=::')" == "${NAME}" ]; then
echo "Name is already in use" echo "Name is already in use."
exit 1 exit 1
fi fi
done <$INDEX done <${INDEX}
# Check if name is reserved # Check if name is reserved
if [ "$NAME" = "ta" ] || [ "$NAME" = "server" ] || [ "$NAME" = "ca" ]; then if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then
echo "Sorry, this name is unavailable, please choose another one" echo "Sorry, this is in use by the server and cannot be used by clients."
exit 1 exit 1
fi fi
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
source /etc/openvpn/easy-rsa/vars
if [[ "$@" =~ "nopass" ]]; then if [[ "$@" =~ "nopass" ]]; then
keynoPASS keynoPASS
@ -142,28 +105,28 @@ else
fi fi
#1st Verify that clients Public Key Exists #1st Verify that clients Public Key Exists
if [ ! -f "$NAME$CRT" ]; then if [ ! -f "issued/${NAME}${CRT}" ]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT" echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit exit
fi fi
echo "Client's cert found: $NAME$CRT" echo "Client's cert found: $NAME$CRT"
#Then, verify that there is a private key for that client #Then, verify that there is a private key for that client
if [ ! -f "$NAME$KEY" ]; then if [ ! -f "private/${NAME}${KEY}" ]; then
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY" echo "[ERROR]: Client Private Key not found: $NAME$KEY"
exit exit
fi fi
echo "Client's Private Key found: $NAME$KEY" echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists #Confirm the CA public key exists
if [ ! -f "$CA" ]; then if [ ! -f "${CA}" ]; then
echo "[ERROR]: CA Public Key not found: $CA" echo "[ERROR]: CA Public Key not found: $CA"
exit exit
fi fi
echo "CA public Key found: $CA" echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists #Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then if [ ! -f "${TA}" ]; then
echo "[ERROR]: tls-auth Key not found: $TA" echo "[ERROR]: tls-auth Key not found: $TA"
exit exit
fi fi
@ -172,31 +135,31 @@ echo "tls-auth Private Key found: $TA"
#Ready to make a new .ovpn file #Ready to make a new .ovpn file
{ {
# Start by populating with the default file # Start by populating with the default file
cat "$DEFAULT" cat "${DEFAULT}"
#Now, append the CA Public Cert #Now, append the CA Public Cert
echo "<ca>" echo "<ca>"
cat "$CA" cat "${CA}"
echo "</ca>" echo "</ca>"
#Next append the client Public Cert #Next append the client Public Cert
echo "<cert>" echo "<cert>"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "$NAME$CRT" sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
echo "</cert>" echo "</cert>"
#Then, append the client Private Key #Then, append the client Private Key
echo "<key>" echo "<key>"
cat "$NAME$KEY" cat "private/${NAME}${KEY}"
echo "</key>" echo "</key>"
#Finally, append the TA Private Key #Finally, append the TA Private Key
echo "<tls-auth>" echo "<tls-auth>"
cat "$TA" cat "${TA}"
echo "</tls-auth>" echo "</tls-auth>"
} > "$NAME$FILEEXT" } > "${NAME}${FILEEXT}"
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/keys/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
printf "\n\n" printf "\n\n"
printf "========================================================\n" printf "========================================================\n"
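Review bot: The rewritten existence checks `if [ ! -f "issued/${NAME}${CRT}" ]; then` and `if [ ! -f "private/${NAME}${KEY}" ]; then` still leave with a bare `exit`, so after the error message the script returns the status of the preceding `echo` (0) and a caller cannot distinguish the failure from success; use `exit 1` there and in the CA and TA checks that follow. The generated profile written at `} > "${NAME}${FILEEXT}"` embeds the client's private key but is created with the default umask, and the copy into `/home/$INSTALL_USER/ovpns` inherits that mode and is only chown'ed; an `umask 077` before the block, or `install -m 600` for the copy, would keep the key material from being readable by other local users. The expect scripts also interpolate `${PASSWD}` into an unquoted heredoc, so a passphrase containing a double quote, backslash or bracket breaks the Tcl `send` string instead of being sent literally — worth a comment where the passphrase is read (outside this hunk) stating the characters that are safe.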


@ -4,9 +4,9 @@
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS) REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM) PLAT=$(cat /etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/keys/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
if [ ! -f "$INDEX" ]; then if [ ! -f "${INDEX}" ]; then
printf "The file: %s was not found\n" "$INDEX" printf "The file: %s was not found\n" "$INDEX"
exit 1 exit 1
fi fi
@ -18,7 +18,7 @@ i=0
while read -r line || [ -n "$line" ]; do while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}') STATUS=$(echo "$line" | awk '{print $1}')
if [[ "$STATUS" = "V" ]]; then if [[ "$STATUS" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/') NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=$NAME CERTS[$i]=$NAME
if [ "$i" != 0 ]; then if [ "$i" != 0 ]; then
# Prevent printing "server" certificate # Prevent printing "server" certificate
@ -26,13 +26,13 @@ while read -r line || [ -n "$line" ]; do
fi fi
let i=i+1 let i=i+1
fi fi
done <$INDEX done <${INDEX}
printf "\n" printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:" echo "::: Please enter the Name of the client to be revoked from the list above:"
read -r NAME read -r NAME
if [[ -z "$NAME" ]]; then if [[ -z "${NAME}" ]]; then
echo "::: You can not leave this blank!" echo "::: You can not leave this blank!"
exit 1 exit 1
fi fi
@ -43,24 +43,21 @@ for((x=1;x<=i;++x)); do
fi fi
done done
if [ -z "$VALID" ]; then if [ -z "${VALID}" ]; then
printf "::: You didn't enter a valid cert name!\n" printf "::: You didn't enter a valid cert name!\n"
exit 1 exit 1
fi fi
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
source /etc/openvpn/easy-rsa/vars
./revoke-full "$NAME" if [ "${REVOKE_STATUS}" == 0 ]; then
echo "::: Certificate revoked, removing ovpns from /home/$INSTALL_USER/ovpns"
rm "/home/$INSTALL_USER/ovpns/$NAME.ovpn"
cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl.pem
echo "::: Completed!"
if [ "$REVOKE_STATUS" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n" printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "We are adding the CRL to the server.conf and restarting openvpn.\n" printf "First we need to initialize the Certificate Revocation List.\n"
printf "Then add the CRL to your server config and restart openvpn.\n"
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart service openvpn restart
@ -68,3 +65,13 @@ if [ "$REVOKE_STATUS" == 0 ]; then
systemctl restart openvpn.service systemctl restart openvpn.service
fi fi
fi fi
./easyrsa --batch revoke "${NAME}"
printf "\n::: Certificate revoked, and CRL file updated.\n"
printf "::: Removing certs and client configuration for this profile.\n"
rm -rf "pki/reqs/${NAME}.req"
rm -rf "pki/private/${NAME}.key"
rm -rf "pki/issued/${NAME}.crt"
rm -rf "/home/$INSTALL_USER/ovpns/${NAME}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
printf "::: Completed!\n"
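Review bot: Nothing regenerates the CRL after `./easyrsa --batch revoke "${NAME}"`, yet the next line prints `CRL file updated` and `cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem` copies whatever crl.pem was last produced — on the first run that is the `./easyrsa gen-crl` executed before the revoke, on later runs an even older file — so, as far as I recall easy-rsa 3's `revoke` works, the revoked client keeps authenticating until someone runs gen-crl by hand. Add `./easyrsa gen-crl` directly after the revoke line, before the printf; the first-run block then only needs the `crl-verify` enablement and the restart. The script also continues when `revoke` itself fails and goes on to delete the client's req, key and crt, leaving a still-valid certificate with no server-side record; `./easyrsa --batch revoke "${NAME}" || exit 1` avoids that, and the `rm -rf` calls on single files under pki/ read more clearly as `rm -f`.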


@ -1,10 +1,11 @@
dev tun dev tun
proto udp proto udp
port 1194 port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/keys/server.key key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem dh /etc/openvpn/easy-rsa/pki/dh1024.pem
topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
# server and remote endpoints # server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2 ifconfig 10.8.0.1 10.8.0.2
@ -25,7 +26,7 @@ client-to-client
duplicate-cn duplicate-cn
keepalive 10 120 keepalive 10 120
tls-version-min 1.2 tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC cipher AES-256-CBC
auth SHA256 auth SHA256
comp-lzo comp-lzo
@ -37,4 +38,4 @@ persist-tun
status /var/log/openvpn-status.log 20 status /var/log/openvpn-status.log 20
log /var/log/openvpn.log log /var/log/openvpn.log
verb 1 verb 1
# This configuration file was originally written by Lauren Orsini at ReadWrite. # Generated for use by PiVPN.io
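Review bot: The added `topology subnet` sits above an explicit `ifconfig 10.8.0.1 10.8.0.2`, which is the net30-style local/remote endpoint pair that `server 10.8.0.0 255.255.255.0` expands to under the old topology; under subnet topology the second argument is read as a netmask, so unless the `server` directive takes precedence over the explicit line (I have not verified OpenVPN's handling of that combination) the `ifconfig` line should be removed or become `ifconfig 10.8.0.1 255.255.255.0`. The template still names `dh1024.pem`, which the installer rewrites with sed to the chosen key size; a comment on that line such as `# size is rewritten by the installer to the chosen dh<bits>.pem` would stop a reader from assuming 1024-bit DH is what ships.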