diff --git a/README.md b/README.md index 3f3f023..332b80b 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,7 @@ About Visit the [PiVPN](http://pivpn.io) site for more information. This is a set of shell scripts that serve to easily turn your Raspberry Pi (TM) -into a VPN server using the free, open-source [OpenVPN](https://openvpn.net) software. +into a VPN server using the free, open-source [OpenVPN](https://openvpn.net) software. Have you been looking for a good guide or tutorial for installing openvpn on a raspberry pi or ubuntu based server? Run this script and you don't need a guide or tutorial, this will do it all for you, in a fraction of the time and with hardened security settings in place by default. @@ -31,7 +31,7 @@ You should also setup your Pi with a static IP address (see either source 1 or 2 at the bottom of this Readme) but it is not required as the script can do this for you. You will need to have your router forward UDP port 1194 (or whatever custom port you may have chose in the installer) (varies by model & manufacturer; consult your router manufacturer's - documentation to do this). + documentation to do this). Enabling SSH on your Pi is also highly recommended, so that you can run a very compact headless server without a monitor or keyboard and be able to access it even more conveniently (This is also covered by source 2). @@ -54,7 +54,7 @@ If you're unsure or don't have a convincing reason one way or the other I'd use > Up to 4096-bit is accepted by nearly all RSA systems (including OpenVPN,) but use of keys this large will dramatically increase generation time, TLS handshake delays, and CPU usage for TLS operations; the benefit beyond 2048-bit keys is small enough not to be of great use at the current time. It is often a larger benefit to consider lower validity times than more bits past 2048, but that is for you to decide. After this, the script will go back to the command line as it builds the server's own -certificate authority. The script will ask you if you'd like to change the certificate fields, +certificate authority. The script will ask you if you'd like to change the certificate fields, the default port, client's DNS server, etc. If you know you want to change these things, feel free, and the script will put all the information where it needs to go in the various config files. If you aren't sure, it has been designed that you can simply hit 'Enter' through all the questions @@ -73,7 +73,7 @@ Managing the PiVPN After the installation is complete you can use the command 'pivpn' to manage the server. -"pivpn add" +"pivpn add" You will be prompted to enter a name for your client. Pick anything you like and hit 'enter'. You will be asked to enter a pass phrase for the client key; make sure it's one you'll remember. The script will assemble the client .ovpn file and place it in the directory 'ovpns' within your @@ -83,10 +83,10 @@ If you need to create a client certificate that is not password protected (IE fo then you can use the 'pivpn add nopass' option to generate that. "pivpn revoke" -Asks you for the name of the client to revoke. Once you revoke a client, it will no longer allow you to use +Asks you for the name of the client to revoke. Once you revoke a client, it will no longer allow you to use the given client certificate (ovpn config) to connect. This is useful for many reasons but some ex: -You have a profile on a mobile phone and it was lost or stolen. Revoke its cert and generate a new -one for your new phone. Or even if you suspect that a cert may have been compromised in any way, +You have a profile on a mobile phone and it was lost or stolen. Revoke its cert and generate a new +one for your new phone. Or even if you suspect that a cert may have been compromised in any way, just revoke it and generate a new one. "pivpn list" @@ -123,7 +123,7 @@ Removing PiVPN If at any point you wish to remove OpenVPN from your Pi and revert it to a pre-installation state, such as if you want to undo a failed installation to try again or you want to remove OpenVPN without installing a fresh Raspbian image, just run -'pivpn uninstall' +'pivpn uninstall' Feedback & Support -------- @@ -135,14 +135,25 @@ to keep things sorted. [[DISCONTINUED APRIL 17]] You can also post on the [Google Space](https://goo.gl/spaces/kgp2Mcy5RDfZ5SSf8) I created for PiVPN, especially suited for general questions or discussions. -You can also join #pivpn on freenode in IRC for community support or general questions. +You can also join #pivpn on freenode in IRC for community support or general questions. + +Related Projects +-------- +[StarshipEngineer/OpenVPN-Setup](https://github.com/StarshipEngineer/OpenVPN-Setup) +Shell script to set up a OpenVPN server. + +[InnovativeInventor/docker-pivpn](https://github.com/InnovativeInventor/docker-pivpn) +A secure docker container that sets up PiVPN and SSH. + +[OpenVPN](https://openvpn.net) +The foundation for all open-source VPN projects. Contributions ------------- -I'm also interested in improving this script, please check the current issues to see where you can help. If you have any +I'm also interested in improving this script, please check the current issues to see where you can help. If you have any feature ideas or requests, or are interested in adding your ideas to it, -testing it on other platforms, please comment or leave a pull request. +testing it on other platforms, please comment or leave a pull request. If you contribute often I can add you as a member of the PiVPN project. I will be happy to work with you! @@ -158,4 +169,3 @@ sources. 4. And as always the ever vigilant [EFF](https://www.eff.org/) I don't take donations at this time but if you want to show your appreciation to me, then contribute or leave feedback on suggestions or improvements. - diff --git a/auto_install/install.sh b/auto_install/install.sh index 33ca2a4..7d32278 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -61,14 +61,14 @@ dhcpcdFile=/etc/dhcpcd.conf # Next see if we are on a tested and supported OS function noOS_Support() { whiptail --msgbox --backtitle "INVALID OS DETECTED" --title "Invalid OS" "We have not been able to detect a supported OS. -Currently this installer supports Raspbian (or Devuan) jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial). +Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty). If you think you received this message in error, you can post an issue on the GitHub at https://github.com/pivpn/pivpn/issues." ${r} ${c} exit 1 } function maybeOS_Support() { if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work. -Currently this installer supports Raspbian (or Devuan) jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial). +Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty). Would you like to continue anyway?" ${r} ${c}) then echo "::: Did not detect perfectly supported OS but," echo "::: Continuing installation at user's own risk..." @@ -88,7 +88,7 @@ distro_check() { case ${PLAT} in Ubuntu|Raspbian|Debian|Devuan) case ${OSCN} in - trusty|xenial|jessie) + trusty|xenial|jessie|stretch) ;; *) maybeOS_Support @@ -111,6 +111,9 @@ distro_check() { if grep -q jessie /etc/os-release; then PLAT="Raspbian" OSCN="jessie" + elif grep -q stretch /etc/os-release; then + PLAT="Raspbian" + OSCN="stretch" else PLAT="Ubuntu" OSCN="unknown" @@ -435,19 +438,6 @@ update_package_cache() { timestampAsDate=$(date -d @"${timestamp}" "+%b %e") today=$(date "+%b %e") - case ${PLAT} in - Ubuntu|Debian|Devuan) - case ${OSCN} in - trusty|jessie|wheezy) - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add - - echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null - echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..." - $SUDO apt-get -qq update & spinner $! - echo " done!" - ;; - esac - ;; - esac if [ ! "${today}" == "${timestampAsDate}" ]; then #update package lists @@ -534,7 +524,7 @@ checkForDependencies() { case ${PLAT} in Ubuntu|Debian|Devuan) case ${OSCN} in - trusty|jessie|wheezy) + trusty|jessie|wheezy|stretch) wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add - echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..." @@ -544,6 +534,15 @@ checkForDependencies() { esac ;; esac + if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then + if [[ $OSCN == "trusty" || $OSCN == "jessie" || $OSCN == "wheezy" || $OSCN == "stretch" ]]; then + wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add - + echo "deb http://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null + echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..." + $SUDO apt-get -qq update & spinner $! + echo " done!" + fi + fi if [ ! "$today" == "$timestampAsDate" ]; then #update package lists @@ -797,15 +796,17 @@ setClientDNS() { } confOpenVPN() { - SERVER_NAME="server" + # Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509) + NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) + SERVER_NAME="server_${NEW_UUID}" if [[ ${useUpdateVars} == false ]]; then # Ask user for desired level of encryption - ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \ - "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \ - "2048" "Use 2048-bit encryption. Recommended level." ON \ - "1024" "Use 1024-bit encryption. Test level." OFF \ - "4096" "Use 4096-bit encryption. Paranoid level." OFF 3>&1 1>&2 2>&3) + ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption strength" --radiolist \ + "Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \ + "1024" "Use 1024-bit encryption (testing only)" OFF \ + "2048" "Use 2048-bit encryption (recommended level)" ON \ + "4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3) exitstatus=$? if [ $exitstatus != 0 ]; then @@ -859,7 +860,7 @@ EOF fi # Build the server - ${SUDOE} ./easyrsa build-server-full server nopass + ${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass if [[ ${useUpdateVars} == false ]]; then if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}) @@ -884,6 +885,11 @@ EOF # Generate static HMAC key to defend against DDoS ${SUDOE} openvpn --genkey --secret pki/ta.key + # Generate an empty Certificate Revocation List + ${SUDOE} ./easyrsa gen-crl + ${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem + ${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem + # Write config file for server using the template .txt file $SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf @@ -992,10 +998,6 @@ confOVPN() { $SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER $SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM - # Set status that no certs have been revoked - echo 0 > /tmp/REVOKE_STATUS - $SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS - $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt if [[ ${useUpdateVars} == false ]]; then @@ -1344,7 +1346,7 @@ main() { echo ":::" if [[ "${useUpdateVars}" == false ]]; then echo "::: Installation Complete!" - echo "::: Now run 'pivpn add' to create the ovpn profiles." + echo "::: Now run 'pivpn add' to create an ovpn profile for each of your devices." echo "::: Run 'pivpn help' to see what else you can do!" echo "::: It is strongly recommended you reboot after installation." else diff --git a/scripts/clientStat.sh b/scripts/clientStat.sh index 834b0dd..6a5ff97 100644 --- a/scripts/clientStat.sh +++ b/scripts/clientStat.sh @@ -2,6 +2,11 @@ # PiVPN: client status script STATUS_LOG="/var/log/openvpn-status.log" + +function hr() { + numfmt --to=iec-i --suffix=B "$1" +} + printf "\n" if [ ! -f "${STATUS_LOG}" ]; then echo "The file: $STATUS_LOG was not found!" @@ -15,7 +20,15 @@ printf "\e[1m::: Client Status List :::\e[0m\n" printf "\t\t\t\t\t\t\tBytes\t\tBytes\t\n" printf "\e[4mName\e[0m\t\t\e[4mRemote IP\e[0m\t\t\e[4mVirtual IP\e[0m\t\e[4mReceived\e[0m\t\e[4mSent\e[0m\t\t\e[4mConnected Since\e[0m \n" if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then - awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" -- "$10}' ${STATUS_LOG} + if [ -n $(type -t numfmt) ]; then + while read -r line; do + read -r -a array <<< $line + [[ ${array[0]} = CLIENT_LIST ]] || continue + printf "%s\t\t%s\t%s\t%s\t\t%s\t\t%s %s %s - %s" ${array[1]} ${array[2]} ${array[3]} $(hr ${array[4]}) $(hr ${array[5]}) ${array[7]} ${array[8]} ${array[10]} ${array[9]} + done <$STATUS_LOG + else + awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" - "$10}' ${STATUS_LOG} + fi else printf "\nNo Clients Connected!\n" fi diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh index f1308f1..d9101f3 100644 --- a/scripts/makeOVPN.sh +++ b/scripts/makeOVPN.sh @@ -240,5 +240,6 @@ printf "========================================================\n" printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT" printf "%s was copied to:\n" "$NAME$FILEEXT" printf " /home/%s/ovpns\n" "$INSTALL_USER" -printf "for easy transfer.\n" +printf "for easy transfer. Please use this profile only on one\n" +printf "device and create additional profiles for other devices.\n" printf "========================================================\n\n" diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh index 4e3515c..6bf0610 100644 --- a/scripts/removeOVPN.sh +++ b/scripts/removeOVPN.sh @@ -2,7 +2,6 @@ # PiVPN: revoke client script INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) -REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS) PLAT=$(cat /etc/pivpn/DET_PLATFORM) INDEX="/etc/openvpn/easy-rsa/pki/index.txt" @@ -105,22 +104,6 @@ fi cd /etc/openvpn/easy-rsa || exit -if [ "${REVOKE_STATUS}" == 0 ]; then - echo 1 > /etc/pivpn/REVOKE_STATUS - printf "\nThis seems to be the first time you have revoked a cert.\n" - printf "First we need to initialize the Certificate Revocation List.\n" - printf "Then add the CRL to your server config and restart openvpn.\n" - ./easyrsa gen-crl - cp pki/crl.pem /etc/openvpn/crl.pem - chown nobody:nogroup /etc/openvpn/crl.pem - sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf - if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then - service openvpn restart - else - systemctl restart openvpn.service - fi -fi - for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}" ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" diff --git a/server_config.txt b/server_config.txt index 70625e7..a7e6b17 100644 --- a/server_config.txt +++ b/server_config.txt @@ -4,7 +4,7 @@ port 1194 ca /etc/openvpn/easy-rsa/pki/ca.crt cert /etc/openvpn/easy-rsa/pki/issued/server.crt key /etc/openvpn/easy-rsa/pki/private/server.key -dh /etc/openvpn/easy-rsa/pki/dh1024.pem +dh /etc/openvpn/easy-rsa/pki/dh2048.pem topology subnet server 10.8.0.0 255.255.255.0 # server and remote endpoints @@ -23,8 +23,8 @@ push "dhcp-option DNS 8.8.4.4" # overriding but not wiping out the original default gateway. push "redirect-gateway def1" client-to-client -duplicate-cn keepalive 10 120 +remote-cert-tls client tls-version-min 1.2 tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 cipher AES-256-CBC @@ -34,7 +34,7 @@ user nobody group nogroup persist-key persist-tun -#crl-verify /etc/openvpn/crl.pem +crl-verify /etc/openvpn/crl.pem status /var/log/openvpn-status.log 20 status-version 3 log /var/log/openvpn.log