Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #376 from redfast00/master

Browse source 
Merge test branch into master
This commit is contained in:
redfast00 2017-10-11 18:46:48 +02:00 committed by GitHub
commit ad6f5b6c8b
6 changed files with 671 additions and 276 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

658
auto_install/install.sh
View file

@ -10,11 +10,13 @@
# curl -L https://install.pivpn.io | bash
# Make sure you have `curl` installed
set -e
######## VARIABLES #########
tmpLog="/tmp/pivpn-install.log"
instalLogLoc="/etc/pivpn/install.log"
setupVars=/etc/pivpn/setupVars.conf
useUpdateVars=false
### PKG Vars ###
PKG_MANAGER="apt-get"
@ -22,7 +24,7 @@ PKG_CACHE="/var/lib/apt/lists/"
UPDATE_PKG_CACHE="${PKG_MANAGER} update"
PKG_INSTALL="${PKG_MANAGER} --yes --no-install-recommends install"
PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
PIVPN_DEPS=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail )
PIVPN_DEPS=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail net-tools)
### ###
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
@ -42,6 +44,11 @@ c=$(( columns / 2 ))
r=$(( r < 20 ? 20 : r ))
c=$(( c < 70 ? 70 : c ))
######## Undocumented Flags. Shhh ########
skipSpaceCheck=false
reconfigure=false
runUnattended=false
# Find IP used to route to outside world
IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}')
@ -51,72 +58,74 @@ IPv4gw=$(ip route get 8.8.8.8 | awk '{print $3}')
availableInterfaces=$(ip -o link | grep "state UP" | awk '{print $2}' | cut -d':' -f1 | cut -d'@' -f1)
dhcpcdFile=/etc/dhcpcd.conf
######## FIRST CHECK ########
# Must be root to install
echo ":::"
if [[ $EUID -eq 0 ]];then
echo "::: You are root."
else
echo "::: sudo will be used for the install."
# Check if it is actually installed
# If it isn't, exit because the install cannot complete
if [[ $(dpkg-query -s sudo) ]];then
export SUDO="sudo"
export SUDOE="sudo -E"
else
echo "::: Please install sudo or run this as root."
exit 1
fi
fi
# Next see if we are on a tested and supported OS
function noOS_Support() {
whiptail --msgbox --backtitle "INVALID OS DETECTED" --title "Invalid OS" "We have not been able to detect a supported OS.
Currently this installer supports Raspbian jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial).
Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty).
If you think you received this message in error, you can post an issue on the GitHub at https://github.com/pivpn/pivpn/issues." ${r} ${c}
exit 1
}
function maybeOS_Support() {
if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work.
Currently this installer supports Raspbian jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial).
Would you like to continue anyway?" ${r} ${c}) then
echo "::: Did not detect perfectly supported OS but,"
echo "::: Continuing installation at user's own risk..."
else
echo "::: Exiting due to unsupported OS"
exit 1
fi
Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty).
Would you like to continue anyway?" ${r} ${c}) then
echo "::: Did not detect perfectly supported OS but,"
echo "::: Continuing installation at user's own risk..."
else
echo "::: Exiting due to unsupported OS"
exit 1
fi
}
# if lsb_release command is on their system
if hash lsb_release 2>/dev/null; then
PLAT=$(lsb_release -si)
OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie
# Compatibility
distro_check() {
# if lsb_release command is on their system
if hash lsb_release 2>/dev/null; then
PLAT=$(lsb_release -si)
OSCN=$(lsb_release -sc) # We want this to be trusty xenial or jessie
if [[ $PLAT == "Ubuntu" || $PLAT == "Raspbian" || $PLAT == "Debian" ]]; then
if [[ $OSCN != "trusty" && $OSCN != "xenial" && $OSCN != "jessie" ]]; then
maybeOS_Support
fi
else
noOS_Support
fi
# else get info from os-release
elif grep -q debian /etc/os-release; then
if grep -q jessie /etc/os-release; then
PLAT="Raspbian"
OSCN="jessie"
else
PLAT="Ubuntu"
OSCN="unknown"
maybeOS_Support
fi
# else we prob don't want to install
else
noOS_Support
fi
case ${PLAT} in
Ubuntu|Raspbian|Debian|Devuan)
case ${OSCN} in
trusty|xenial|jessie|stretch)
;;
*)
maybeOS_Support
;;
esac
;;
*)
noOS_Support
;;
esac
# else get info from os-release
elif grep -q devuan /etc/os-release; then
if grep -q jessie /etc/os-release; then
PLAT="Raspvuan"
OSCN="jessie"
else
noOS_Support
fi
elif grep -q debian /etc/os-release; then
if grep -q jessie /etc/os-release; then
PLAT="Raspbian"
OSCN="jessie"
elif grep -q stretch /etc/os-release; then
PLAT="Raspbian"
OSCN="stretch"
else
PLAT="Ubuntu"
OSCN="unknown"
maybeOS_Support
fi
# else we prob don't want to install
else
noOS_Support
fi
echo "${PLAT}" > /tmp/DET_PLATFORM
echo "${PLAT}" > /tmp/DET_PLATFORM
}
####### FUNCTIONS ##########
spinner()
@ -181,7 +190,7 @@ chooseUser() {
fi
userArray+=("${line}" "" "${mode}")
done <<< "${availableUsers}"
chooseUserCmd=(whiptail --title "Choose A User" --separate-output --radiolist "Choose:" ${r} ${c} ${numUsers})
chooseUserCmd=(whiptail --title "Choose A User" --separate-output --radiolist "Choose (press space to select):" ${r} ${c} ${numUsers})
chooseUserOptions=$("${chooseUserCmd[@]}" "${userArray[@]}" 2>&1 >/dev/tty)
if [[ $? = 0 ]]; then
for desiredUser in ${chooseUserOptions}; do
@ -259,7 +268,7 @@ chooseInterface() {
# Find out how many interfaces are available to choose from
interfaceCount=$(echo "${availableInterfaces}" | wc -l)
chooseInterfaceCmd=(whiptail --separate-output --radiolist "Choose An Interface (press space to select)" ${r} ${c} ${interfaceCount})
chooseInterfaceCmd=(whiptail --separate-output --radiolist "Choose An Interface (press space to select):" ${r} ${c} ${interfaceCount})
chooseInterfaceOptions=$("${chooseInterfaceCmd[@]}" "${interfacesArray[@]}" 2>&1 >/dev/tty)
if [[ $? = 0 ]]; then
for desiredInterface in ${chooseInterfaceOptions}; do
@ -280,6 +289,7 @@ If you are in Amazon then you can not configure a static IP anyway. Just ensure
}
getStaticIPv4Settings() {
local ipSettingsCorrect
# Grab their current DNS Server
IPv4dns=$(nslookup 127.0.0.1 | grep Server: | awk '{print $2}')
# Ask if the user wants to use DHCP settings as their static IP
@ -347,7 +357,6 @@ setStaticIPv4() {
if [[ -f /etc/dhcpcd.conf ]]; then
if grep -q "${IPv4addr}" ${dhcpcdFile}; then
echo "::: Static IP already configured."
:
else
setDHCPCD
$SUDO ip addr replace dev "${pivpnInterface}" "${IPv4addr}"
@ -363,6 +372,7 @@ setStaticIPv4() {
setNetwork() {
# Sets the Network IP and Mask correctly
export PATH=${PATH}:/sbin:/usr/sbin
LOCALMASK=$(ifconfig "${pivpnInterface}" | awk '/Mask:/{ print $4;} ' | cut -c6-)
LOCALIP=$(ifconfig "${pivpnInterface}" | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*')
IFS=. read -r i1 i2 i3 i4 <<< "$LOCALIP"
@ -428,15 +438,6 @@ update_package_cache() {
timestampAsDate=$(date -d @"${timestamp}" "+%b %e")
today=$(date "+%b %e")
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
if [[ ${OSCN} == "trusty" || ${OSCN} == "jessie" || ${OSCN} == "wheezy" ]]; then
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
$SUDO apt-get -qq update & spinner $!
echo " done!"
fi
fi
if [ ! "${today}" == "${timestampAsDate}" ]; then
#update package lists
@ -488,7 +489,6 @@ unattendedUpgrades() {
if (whiptail --backtitle "Security Updates" --title "Unattended Upgrades" --yesno "Do you want to enable unattended upgrades of security patches to this server?" ${r} ${c}) then
UNATTUPG="unattended-upgrades"
$SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $!
else
UNATTUPG=""
fi
@ -498,11 +498,14 @@ stopServices() {
# Stop openvpn
$SUDO echo ":::"
$SUDO echo -n "::: Stopping OpenVPN service..."
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
$SUDO service openvpn stop || true
else
$SUDO systemctl stop openvpn.service || true
fi
case ${PLAT} in
Ubuntu|Debian|*vuan)
$SUDO service openvpn stop || true
;;
*)
$SUDO systemctl stop openvpn.service || true
;;
esac
$SUDO echo " done."
}
@ -518,8 +521,21 @@ checkForDependencies() {
timestampAsDate=$(date -d @"$timestamp" "+%b %e")
today=$(date "+%b %e")
case ${PLAT} in
Ubuntu|Debian|Devuan)
case ${OSCN} in
trusty|jessie|wheezy|stretch)
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
$SUDO apt-get -qq update & spinner $!
echo " done!"
;;
esac
;;
esac
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
if [[ $OSCN == "trusty" || $OSCN == "jessie" || $OSCN == "wheezy" ]]; then
if [[ $OSCN == "trusty" || $OSCN == "jessie" || $OSCN == "wheezy" || $OSCN == "stretch" ]]; then
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
@ -550,7 +566,7 @@ checkForDependencies() {
echo ":::"
echo "::: Checking dependencies:"
dependencies=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail )
dependencies=( openvpn git dhcpcd5 tar wget grep iptables-persistent dnsutils expect whiptail net-tools)
for i in "${dependencies[@]}"; do
echo -n "::: Checking for $i..."
if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then
@ -604,23 +620,27 @@ make_repo() {
}
update_repo() {
# Pull the latest commits
echo -n "::: Updating repo in $1..."
cd "${1}" || exit 1
$SUDO git stash -q > /dev/null & spinner $!
$SUDO git pull -q > /dev/null & spinner $!
if [ -z "${TESTING+x}" ]; then
:
if [[ "${reconfigure}" == true ]]; then
echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
else
${SUDOE} git checkout test
# Pull the latest commits
echo -n "::: Updating repo in $1..."
cd "${1}" || exit 1
$SUDO git stash -q > /dev/null & spinner $!
$SUDO git pull -q > /dev/null & spinner $!
if [ -z "${TESTING+x}" ]; then
:
else
${SUDOE} git checkout test
fi
echo " done!"
fi
echo " done!"
}
setCustomProto() {
# Set the available protocols into an array so it can be used with a whiptail dialog
if protocol=$(whiptail --title "Protocol" --radiolist \
"Choose a protocol. Please only choose TCP if you know why you need TCP." ${r} ${c} 2 \
"Choose a protocol (press space to select). Please only choose TCP if you know why you need TCP." ${r} ${c} 2 \
"UDP" "" ON \
"TCP" "" OFF 3>&1 1>&2 2>&3)
then
@ -679,7 +699,7 @@ setCustomPort() {
}
setClientDNS() {
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients. To use your own, select Custom." ${r} ${c} 6)
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients (press space to select). To use your own, select Custom." ${r} ${c} 6)
DNSChooseOptions=(Google "" on
OpenDNS "" off
Level3 "" off
@ -776,20 +796,23 @@ setClientDNS() {
}
confOpenVPN() {
# Ask user if want to modify default port
SERVER_NAME="server"
# Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509)
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
SERVER_NAME="server_${NEW_UUID}"
# Ask user for desired level of encryption
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \
"Choose your desired level of encryption:\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \
"2048" "Use 2048-bit encryption. Recommended level." ON \
"1024" "Use 1024-bit encryption. Test level." OFF \
"4096" "Use 4096-bit encryption. Paranoid level." OFF 3>&1 1>&2 2>&3)
if [[ ${useUpdateVars} == false ]]; then
# Ask user for desired level of encryption
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption strength" --radiolist \
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
"1024" "Use 1024-bit encryption (testing only)" OFF \
"2048" "Use 2048-bit encryption (recommended level)" ON \
"4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3)
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
exit 1
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
exit 1
fi
fi
# If easy-rsa exists, remove it
@ -804,6 +827,7 @@ confOpenVPN() {
$SUDO mkdir /etc/openvpn/easy-rsa/pki
# Write out new vars file
set +e
IFS= read -d '' String <<"EOF"
if [ -z "$EASYRSA_CALLER" ]; then
echo "Nope." >&2
@ -816,7 +840,8 @@ set_var EASYRSA_ALGO rsa
set_var EASYRSA_CURVE secp384r1
EOF
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
set -e
# Edit the KEY_SIZE variable in the vars file to set user chosen key size
cd /etc/openvpn/easy-rsa || exit
@ -830,25 +855,41 @@ echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
${SUDOE} ./easyrsa --batch build-ca nopass
printf "\n::: CA Complete.\n"
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
if [[ ${useUpdateVars} == false ]]; then
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
fi
# Build the server
${SUDOE} ./easyrsa build-server-full server nopass
${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
then
# Downloading parameters
RANDOM_INDEX=$(( RANDOM % 128 ))
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
else
# Generate Diffie-Hellman key exchange
${SUDOE} ./easyrsa gen-dh
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
fi
if [[ ${useUpdateVars} == false ]]; then
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
then
DOWNLOAD_DH_PARAM=true
else
DOWNLOAD_DH_PARAM=false
fi
fi
if [ "$ENCRYPT" -ge "4096" ] && [[ ${DOWNLOAD_DH_PARAM} == true ]]
then
# Downloading parameters
RANDOM_INDEX=$(( RANDOM % 128 ))
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
else
# Generate Diffie-Hellman key exchange
${SUDOE} ./easyrsa gen-dh
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
fi
# Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret pki/ta.key
# Generate an empty Certificate Revocation List
${SUDOE} ./easyrsa gen-crl
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem
# Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -875,6 +916,7 @@ fi
confUnattendedUpgrades() {
if [[ $UNATTUPG == "unattended-upgrades" ]]; then
$SUDO apt-get --yes --quiet --no-install-recommends install "$UNATTUPG" > /dev/null & spinner $!
if [[ $PLAT == "Ubuntu" ]]; then
# Ubuntu 50unattended-upgrades should already just have security enabled
# so we just need to configure the 10periodic file
@ -928,11 +970,14 @@ confNetwork() {
if [[ $noUFW -eq 1 ]]; then
echo 1 > /tmp/noUFW
$SUDO iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$IPv4dev" -j MASQUERADE
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
else
$SUDO netfilter-persistent save
fi
case ${PLAT} in
Ubuntu|Debian|Devuan)
$SUDO iptables-save | $SUDO tee /etc/iptables/rules.v4 > /dev/null
;;
*)
$SUDO netfilter-persistent save
;;
esac
else
echo 0 > /tmp/noUFW
fi
@ -953,41 +998,40 @@ confOVPN() {
$SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
$SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM
# Set status that no certs have been revoked
echo 0 > /tmp/REVOKE_STATUS
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server?" ${r} ${c} 2 \
"$IPv4pub" "Use this public IP" "ON" \
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
exit 1
fi
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [ "$METH" == "$IPv4pub" ]; then
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
until [[ $publicDNSCorrect = True ]]
do
PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3)
exitstatus=$?
if [ $exitstatus != 0 ]; then
if [[ ${useUpdateVars} == false ]]; then
METH=$(whiptail --title "Public IP or DNS" --radiolist "Will clients use a Public IP or DNS Name to connect to your server (press space to select)?" ${r} ${c} 2 \
"$IPv4pub" "Use this public IP" "ON" \
"DNS Entry" "Use a public DNS" "OFF" 3>&1 1>&2 2>&3)
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
exit 1
fi
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
publicDNSCorrect=True
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
publicDNSCorrect=False
fi
fi
done
if [ "$METH" == "$IPv4pub" ]; then
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
until [[ $publicDNSCorrect = True ]]
do
PUBLICDNS=$(whiptail --title "PiVPN Setup" --inputbox "What is the public DNS name of this Server?" ${r} ${c} 3>&1 1>&2 2>&3)
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
exit 1
fi
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
publicDNSCorrect=True
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
publicDNSCorrect=False
fi
done
fi
else
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
fi
# if they modified port put value in Default.txt for clients to use
@ -1003,15 +1047,60 @@ confOVPN() {
# verify server name to strengthen security
$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
$SUDO mkdir "/home/$pivpnUser/ovpns"
if [ ! -d "/home/$pivpnUser/ovpns" ]; then
$SUDO mkdir "/home/$pivpnUser/ovpns"
fi
$SUDO chmod 0777 -R "/home/$pivpnUser/ovpns"
}
finalExports() {
# Update variables in setupVars.conf file
if [ -e "${setupVars}" ]; then
sed -i.update.bak '/pivpnUser/d;/UNATTUPG/d;/pivpnInterface/d;/IPv4dns/d;/IPv4addr/d;/IPv4gw/d;/pivpnProto/d;/PORT/d;/ENCRYPT/d;/DOWNLOAD_DH_PARAM/d;/PUBLICDNS/d;/OVPNDNS1/d;/OVPNDNS2/d;' "${setupVars}"
fi
{
echo "pivpnUser=${pivpnUser}"
echo "UNATTUPG=${UNATTUPG}"
echo "pivpnInterface=${pivpnInterface}"
echo "IPv4dns=${IPv4dns}"
echo "IPv4addr=${IPv4addr}"
echo "IPv4gw=${IPv4gw}"
echo "pivpnProto=${pivpnProto}"
echo "PORT=${PORT}"
echo "ENCRYPT=${ENCRYPT}"
echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}"
echo "PUBLICDNS=${PUBLICDNS}"
echo "OVPNDNS1=${OVPNDNS1}"
echo "OVPNDNS2=${OVPNDNS2}"
}>> "${setupVars}"
}
# I suggest replacing some of these names.
#accountForRefactor() {
# # At some point in the future this list can be pruned, for now we'll need it to ensure updates don't break.
#
# # Refactoring of install script has changed the name of a couple of variables. Sort them out here.
# sed -i 's/pivpnUser/PIVPN_USER/g' ${setupVars}
# #sed -i 's/UNATTUPG/UNATTUPG/g' ${setupVars}
# sed -i 's/pivpnInterface/PIVPN_INTERFACE/g' ${setupVars}
# sed -i 's/IPv4dns/IPV4_DNS/g' ${setupVars}
# sed -i 's/IPv4addr/IPV4_ADDRESS/g' ${setupVars}
# sed -i 's/IPv4gw/IPV4_GATEWAY/g' ${setupVars}
# sed -i 's/pivpnProto/TRANSPORT_LAYER/g' ${setupVars}
# #sed -i 's/PORT/PORT/g' ${setupVars}
# #sed -i 's/ENCRYPT/ENCRYPT/g' ${setupVars}
# #sed -i 's/DOWNLOAD_DH_PARAM/DOWNLOAD_DH_PARAM/g' ${setupVars}
# sed -i 's/PUBLICDNS/PUBLIC_DNS/g' ${setupVars}
# sed -i 's/OVPNDNS1/OVPN_DNS_1/g' ${setupVars}
# sed -i 's/OVPNDNS2/OVPN_DNS_2/g' ${setupVars}
#}
installPiVPN() {
stopServices
confUnattendedUpgrades
$SUDO mkdir -p /etc/pivpn/
getGitFiles ${pivpnFilesDir} ${pivpnGitUrl}
confUnattendedUpgrades
installScripts
setCustomProto
setCustomPort
@ -1019,17 +1108,38 @@ installPiVPN() {
confNetwork
confOVPN
setClientDNS
finalExports
}
updatePiVPN() {
#accountForRefactor
stopServices
confUnattendedUpgrades
installScripts
# setCustomProto
# write out the PROTO
PROTO=$pivpnProto
$SUDO cp /tmp/pivpnPROTO /etc/pivpn/INSTALL_PROTO
#setCustomPort
# write out the port
$SUDO cp /tmp/INSTALL_PORT /etc/pivpn/INSTALL_PORT
confOpenVPN
confNetwork
confOVPN
# ?? Is this always OK? Also if you only select one DNS server ??
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
finalExports #re-export setupVars.conf to account for any new vars added in new versions
}
displayFinalMessage() {
# Final completion message to user
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
$SUDO service openvpn start
else
$SUDO systemctl enable openvpn.service
$SUDO systemctl start openvpn.service
fi
whiptail --msgbox --backtitle "Make it so." --title "Installation Complete!" "Now run 'pivpn add' to create the ovpn profiles.
Run 'pivpn help' to see what else you can do!
The install log is in /etc/pivpn." ${r} ${c}
@ -1041,46 +1151,212 @@ The install log is in /etc/pivpn." ${r} ${c}
fi
}
update_dialogs() {
# reconfigure
if [ "${reconfigure}" = true ]; then
opt1a="Repair"
opt1b="This will retain existing settings"
strAdd="You will remain on the same version"
else
opt1a="Update"
opt1b="This will retain existing settings."
strAdd="You will be updated to the latest version."
fi
opt2a="Reconfigure"
opt2b="This will allow you to enter new settings"
UpdateCmd=$(whiptail --title "Existing Install Detected!" --menu "\n\nWe have detected an existing install.\n\nPlease choose from the following options: \n($strAdd)" ${r} ${c} 2 \
"${opt1a}" "${opt1b}" \
"${opt2a}" "${opt2b}" 3>&2 2>&1 1>&3) || \
{ echo "::: Cancel selected. Exiting"; exit 1; }
case ${UpdateCmd} in
${opt1a})
echo "::: ${opt1a} option selected."
useUpdateVars=true
;;
${opt2a})
echo "::: ${opt2a} option selected"
useUpdateVars=false
;;
esac
}
clone_or_update_repos() {
if [[ "${reconfigure}" == true ]]; then
echo "::: --reconfigure passed to install script. Not downloading/updating local repos"
else
# Get Git files
getGitFiles ${pivpnFilesDir} ${pivpnGitUrl} || \
{ echo "!!! Unable to clone ${pivpnGitUrl} into ${pivpnFilesDir}, unable to continue."; \
exit 1; \
}
fi
}
######## SCRIPT ############
# Verify there is enough disk space for the install
verifyFreeDiskSpace
# Install the packages (we do this first because we need whiptail)
#checkForDependencies
update_package_cache
main() {
notify_package_updates_available
######## FIRST CHECK ########
# Must be root to install
echo ":::"
if [[ $EUID -eq 0 ]];then
echo "::: You are root."
else
echo "::: sudo will be used for the install."
# Check if it is actually installed
# If it isn't, exit because the install cannot complete
if [[ $(dpkg-query -s sudo) ]];then
export SUDO="sudo"
export SUDOE="sudo -E"
else
echo "::: Please install sudo or run this as root."
exit 1
fi
fi
install_dependent_packages PIVPN_DEPS[@]
# Check for supported distribution
distro_check
# Start the installer
welcomeDialogs
# Check arguments for the undocumented flags
for var in "$@"; do
case "$var" in
"--reconfigure" ) reconfigure=true;;
"--i_do_not_follow_recommendations" ) skipSpaceCheck=false;;
"--unattended" ) runUnattended=true;;
esac
done
# Find interfaces and let the user choose one
chooseInterface
if [[ -f ${setupVars} ]]; then
if [[ "${runUnattended}" == true ]]; then
echo "::: --unattended passed to install script, no whiptail dialogs will be displayed"
useUpdateVars=true
else
update_dialogs
fi
fi
# Only try to set static on Raspbian, otherwise let user do it
if [[ $PLAT != "Raspbian" ]]; then
avoidStaticIPv4Ubuntu
else
getStaticIPv4Settings
setStaticIPv4
# Start the installer
# Verify there is enough disk space for the install
if [[ "${skipSpaceCheck}" == true ]]; then
echo "::: --i_do_not_follow_recommendations passed to script, skipping free disk space verification!"
else
verifyFreeDiskSpace
fi
# Install the packages (we do this first because we need whiptail)
#checkForDependencies
update_package_cache
# Notify user of package availability
notify_package_updates_available
# Install packages used by this installation script
install_dependent_packages PIVPN_DEPS[@]
if [[ ${useUpdateVars} == false ]]; then
# Display welcome dialogs
welcomeDialogs
# Find interfaces and let the user choose one
chooseInterface
# Only try to set static on Raspbian, otherwise let user do it
if [[ $PLAT != "Raspbian" ]]; then
avoidStaticIPv4Ubuntu
else
getStaticIPv4Settings
setStaticIPv4
fi
# Set the Network IP and Mask correctly
setNetwork
# Choose the user for the ovpns
chooseUser
# Ask if unattended-upgrades will be enabled
unattendedUpgrades
# Clone/Update the repos
clone_or_update_repos
# Install and log everything to a file
installPiVPN | tee ${tmpLog}
echo "::: Install Complete..."
else
# Source ${setupVars} for use in the rest of the functions.
source ${setupVars}
echo "::: Using IP address: $IPv4addr"
echo "${IPv4addr%/*}" > /tmp/pivpnIP
echo "::: Using interface: $pivpnInterface"
echo "${pivpnInterface}" > /tmp/pivpnINT
echo "::: Using User: $pivpnUser"
echo "${pivpnUser}" > /tmp/pivpnUSR
echo "::: Using protocol: $pivpnProto"
echo "${pivpnProto}" > /tmp/pivpnPROTO
echo "::: Using port: $PORT"
echo ${PORT} > /tmp/INSTALL_PORT
echo ":::"
# Only try to set static on Raspbian
case ${PLAT} in
Rasp*)
setStaticIPv4 # This might be a problem if a user tries to modify the ip in the config file and then runs an update because of the way we check for previous configuration in /etc/dhcpcd.conf
;;
*)
echo "::: IP Information"
echo "::: Since we think you are not using Raspbian, we will not configure a static IP for you."
echo "::: If you are in Amazon then you can not configure a static IP anyway."
echo "::: Just ensure before this installer started you had set an elastic IP on your instance."
;;
esac
# Clone/Update the repos
clone_or_update_repos
updatePiVPN | tee ${tmpLog}
fi
#Move the install log into /etc/pivpn for storage
$SUDO mv ${tmpLog} ${instalLogLoc}
echo "::: Restarting services..."
# Start services
case ${PLAT} in
Ubuntu|Debian|*vuan)
$SUDO service openvpn start
;;
*)
$SUDO systemctl enable openvpn.service
$SUDO systemctl start openvpn.service
;;
esac
echo "::: done."
if [[ "${useUpdateVars}" == false ]]; then
displayFinalMessage
fi
echo ":::"
if [[ "${useUpdateVars}" == false ]]; then
echo "::: Installation Complete!"
echo "::: Now run 'pivpn add' to create an ovpn profile for each of your devices."
echo "::: Run 'pivpn help' to see what else you can do!"
echo "::: It is strongly recommended you reboot after installation."
else
echo "::: Update complete!"
fi
echo ":::"
echo "::: The install log is located at: ${instalLogLoc}"
}
if [[ "${PIVPN_TEST}" != true ]] ; then
main "$@"
fi
setNetwork
# Choose the user for the ovpns
chooseUser
# Ask if unattended-upgrades will be enabled
unattendedUpgrades
# Install
installPiVPN | tee ${tmpLog}
#Move the install log into /etc/pivpn for storage
$SUDO mv ${tmpLog} ${instalLogLoc}
displayFinalMessage
echo "::: Install Complete..."

5
pivpn
View file

@ -55,7 +55,8 @@ function debugFunc {
}
function removeOVPNFunc {
$SUDO /opt/pivpn/removeOVPN.sh
shift
$SUDO /opt/pivpn/removeOVPN.sh "$@"
exit 1
}
@ -94,7 +95,7 @@ case "$1" in
"-c" | "clients" ) listClientsFunc;;
"-d" | "debug" ) debugFunc;;
"-l" | "list" ) listOVPNFunc;;
"-r" | "revoke" ) removeOVPNFunc;;
"-r" | "revoke" ) removeOVPNFunc "$@";;
"-h" | "help" ) helpFunc;;
"-u" | "uninstall" ) uninstallFunc;;
"-v" ) versionFunc;;

15
scripts/clientStat.sh
View file

@ -2,6 +2,11 @@
# PiVPN: client status script
STATUS_LOG="/var/log/openvpn-status.log"
function hr() {
numfmt --to=iec-i --suffix=B "$1"
}
printf "\n"
if [ ! -f "${STATUS_LOG}" ]; then
echo "The file: $STATUS_LOG was not found!"
@ -15,7 +20,15 @@ printf "\e[1m::: Client Status List :::\e[0m\n"
printf "\t\t\t\t\t\t\tBytes\t\tBytes\t\n"
printf "\e[4mName\e[0m\t\t\e[4mRemote IP\e[0m\t\t\e[4mVirtual IP\e[0m\t\e[4mReceived\e[0m\t\e[4mSent\e[0m\t\t\e[4mConnected Since\e[0m \n"
if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then
awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" -- "$10}' ${STATUS_LOG}
if [ -n $(type -t numfmt) ]; then
while read -r line; do
read -r -a array <<< $line
[[ ${array[0]} = CLIENT_LIST ]] || continue
printf "%s\t\t%s\t%s\t%s\t\t%s\t\t%s %s %s - %s" ${array[1]} ${array[2]} ${array[3]} $(hr ${array[4]}) $(hr ${array[5]}) ${array[7]} ${array[8]} ${array[10]} ${array[9]}
done <$STATUS_LOG
else
awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" - "$10}' ${STATUS_LOG}
fi
else
printf "\nNo Clients Connected!\n"
fi

108
scripts/makeOVPN.sh
View file

@ -10,6 +10,60 @@ TA="ta.key"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
helpFunc() {
echo "::: Create a client ovpn profile, optional nopass"
echo ":::"
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-h|--help]"
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: nopass Create a client without a password"
echo "::: -n,--name Name for the Client (default: '"$(hostname)"')"
echo "::: -p,--password Password for the Client (no default)"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0
do
_key="$1"
case "$_key" in
-n|--name|--name=*)
_val="${_key##--name=}"
if test "$_val" = "$_key"
then
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
_val="$2"
shift
fi
NAME="$_val"
;;
-p|--password|--password=*)
_val="${_key##--password=}"
if test "$_val" = "$_key"
then
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
_val="$2"
shift
fi
PASSWD="$_val"
;;
-h|--help)
helpFunc
exit 0
;;
nopass)
NO_PASS="1"
;;
*)
echo "Error: Got an unexpected argument '$1'"
helpFunc
exit 1
;;
esac
shift
done
# Functions def
function keynoPASS() {
@ -27,24 +81,26 @@ EOF
function keyPASS() {
stty -echo
while true
do
printf "Enter the password for the client: "
read -r PASSWD
printf "\n"
printf "Enter the password again to verify: "
read -r PASSWD2
printf "\n"
[ "${PASSWD}" = "${PASSWD2}" ] && break
printf "Passwords do not match! Please try again.\n"
done
stty echo
if [[ -z "${PASSWD}" ]]; then
echo "You left the password blank"
echo "If you don't want a password, please run:"
echo "pivpn add nopass"
exit 1
stty -echo
while true
do
printf "Enter the password for the client: "
read -r PASSWD
printf "\n"
printf "Enter the password again to verify: "
read -r PASSWD2
printf "\n"
[ "${PASSWD}" = "${PASSWD2}" ] && break
printf "Passwords do not match! Please try again.\n"
done
stty echo
if [[ -z "${PASSWD}" ]]; then
echo "You left the password blank"
echo "If you don't want a password, please run:"
echo "pivpn add nopass"
exit 1
fi
fi
if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ]
then
@ -69,8 +125,10 @@ EOF
}
printf "Enter a Name for the Client: "
read -r NAME
if [ -z "${NAME}" ]; then
printf "Enter a Name for the Client: "
read -r NAME
fi
if [[ "${NAME}" =~ [^a-zA-Z0-9] ]]; then
echo "Name can only contain alphanumeric characters."
@ -109,8 +167,13 @@ fi
cd /etc/openvpn/easy-rsa || exit
if [[ "$@" =~ "nopass" ]]; then
keynoPASS
if [[ "${NO_PASS}" =~ "1" ]]; then
if [[ -n "${PASSWD}" ]]; then
echo "Both nopass and password arguments passed to the script. Please use either one."
exit 1
else
keynoPASS
fi
else
keyPASS
fi
@ -177,5 +240,6 @@ printf "========================================================\n"
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
printf "%s was copied to:\n" "$NAME$FILEEXT"
printf " /home/%s/ovpns\n" "$INSTALL_USER"
printf "for easy transfer.\n"
printf "for easy transfer. Please use this profile only on one\n"
printf "device and create additional profiles for other devices.\n"
printf "========================================================\n\n"

155
scripts/removeOVPN.sh
View file

@ -2,77 +2,118 @@
# PiVPN: revoke client script
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
helpFunc() {
echo "::: Revoke a client ovpn profile"
echo ":::"
echo "::: Usage: pivpn <-r|revoke> [-h|--help] [<client-1>] ... [<client-n>] ..."
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: <client> Client(s) to to revoke"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0
do
_key="$1"
case "$_key" in
-h|--help)
helpFunc
exit 0
;;
*)
CERTS_TO_REVOKE+=("$1")
;;
esac
shift
done
if [ ! -f "${INDEX}" ]; then
printf "The file: %s was not found\n" "$INDEX"
exit 1
fi
printf "\n"
printf " ::\e[4m Certificate List \e[0m:: \n"
i=0
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "${STATUS}" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=${NAME}
if [ "$i" != 0 ]; then
# Prevent printing "server" certificate
printf " %s\n" "$NAME"
if [[ -z "${CERTS_TO_REVOKE}" ]]; then
printf "\n"
printf " ::\e[4m Certificate List \e[0m:: \n"
i=0
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "${STATUS}" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=${NAME}
if [ "$i" != 0 ]; then
# Prevent printing "server" certificate
printf " %s\n" "$NAME"
fi
let i=i+1
fi
let i=i+1
done <${INDEX}
printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:"
read -r NAME
if [[ -z "${NAME}" ]]; then
echo "You can not leave this blank!"
exit 1
fi
done <${INDEX}
printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:"
read -r NAME
if [[ -z "${NAME}" ]]; then
echo "::: You can not leave this blank!"
exit 1
fi
for((x=1;x<=i;++x)); do
if [ "${CERTS[$x]}" = "${NAME}" ]; then
VALID=1
for((x=1;x<=i;++x)); do
if [ "${CERTS[$x]}" = "${NAME}" ]; then
VALID=1
fi
done
if [ -z "${VALID}" ]; then
printf "You didn't enter a valid cert name!\n"
exit 1
fi
done
if [ -z "${VALID}" ]; then
printf "::: You didn't enter a valid cert name!\n"
exit 1
CERTS_TO_REVOKE=( "${NAME}" )
else
i=0
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "${STATUS}" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=${NAME}
let i=i+1
fi
done <${INDEX}
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
VALID=0
for((x=1;x<=i;++x)); do
if [ "${CERTS[$x]}" = "${CERTS_TO_REVOKE[ii]}" ]; then
VALID=1
fi
done
if [ "${VALID}" != 1 ]; then
printf "You passed an invalid cert name: '"%s"'!\n" "${CERTS_TO_REVOKE[ii]}"
exit 1
fi
done
fi
cd /etc/openvpn/easy-rsa || exit
if [ "${REVOKE_STATUS}" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "First we need to initialize the Certificate Revocation List.\n"
printf "Then add the CRL to your server config and restart openvpn.\n"
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart
else
systemctl restart openvpn.service
fi
fi
./easyrsa --batch revoke "${NAME}"
./easyrsa gen-crl
printf "\n::: Certificate revoked, and CRL file updated.\n"
printf "::: Removing certs and client configuration for this profile.\n"
rm -rf "pki/reqs/${NAME}.req"
rm -rf "pki/private/${NAME}.key"
rm -rf "pki/issued/${NAME}.crt"
rm -rf "/home/${INSTALL_USER}/ovpns/${NAME}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
printf "\n::: Certificate revoked, and CRL file updated.\n"
printf "::: Removing certs and client configuration for this profile.\n"
rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req"
rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
rm -rf "/home/${INSTALL_USER}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
done
printf "::: Completed!\n"

6
server_config.txt
View file

@ -4,7 +4,7 @@ port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh1024.pem
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
@ -23,8 +23,8 @@ push "dhcp-option DNS 8.8.4.4"
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
remote-cert-tls client
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
@ -34,7 +34,7 @@ user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log