mirror of
https://github.com/pivpn/pivpn.git
synced 2024-12-19 03:10:16 +00:00
Jelle Dekker
GitHub
commit
e3f77afc95
6 changed files with 72 additions and 63 deletions
12
README.md
12
README.md
|
|
@ -137,6 +137,17 @@ to keep things sorted.
|
|||
|
||||
You can also join #pivpn <ircs://freenode/pivpn> on freenode in IRC for community support or general questions.
|
||||
|
||||
Related Projects
|
||||
--------
|
||||
[StarshipEngineer/OpenVPN-Setup](https://github.com/StarshipEngineer/OpenVPN-Setup)
|
||||
Shell script to set up a OpenVPN server.
|
||||
|
||||
[InnovativeInventor/docker-pivpn](https://github.com/InnovativeInventor/docker-pivpn)
|
||||
A secure docker container that sets up PiVPN and SSH.
|
||||
|
||||
[OpenVPN](https://openvpn.net)
|
||||
The foundation for all open-source VPN projects.
|
||||
|
||||
Contributions
|
||||
-------------
|
||||
|
||||
|
|
@ -158,4 +169,3 @@ sources.
|
|||
4. And as always the ever vigilant [EFF](https://www.eff.org/)
|
||||
|
||||
I don't take donations at this time but if you want to show your appreciation to me, then contribute or leave feedback on suggestions or improvements.
|
||||
|
||||
|
|
|
|||
|
|
@ -61,14 +61,14 @@ dhcpcdFile=/etc/dhcpcd.conf
|
|||
# Next see if we are on a tested and supported OS
|
||||
function noOS_Support() {
|
||||
whiptail --msgbox --backtitle "INVALID OS DETECTED" --title "Invalid OS" "We have not been able to detect a supported OS.
|
||||
Currently this installer supports Raspbian (or Devuan) jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial).
|
||||
Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty).
|
||||
If you think you received this message in error, you can post an issue on the GitHub at https://github.com/pivpn/pivpn/issues." ${r} ${c}
|
||||
exit 1
|
||||
}
|
||||
|
||||
function maybeOS_Support() {
|
||||
if (whiptail --backtitle "Not Supported OS" --title "Not Supported OS" --yesno "You are on an OS that we have not tested but MAY work.
|
||||
Currently this installer supports Raspbian (or Devuan) jessie, Ubuntu 14.04 (trusty), and Ubuntu 16.04 (xenial).
|
||||
Currently this installer supports Raspbian and Debian (Jessie and Stretch), Devuan (Jessie) and Ubuntu from 14.04 (trusty) to 17.04 (zesty).
|
||||
Would you like to continue anyway?" ${r} ${c}) then
|
||||
echo "::: Did not detect perfectly supported OS but,"
|
||||
echo "::: Continuing installation at user's own risk..."
|
||||
|
|
@ -88,7 +88,7 @@ distro_check() {
|
|||
case ${PLAT} in
|
||||
Ubuntu|Raspbian|Debian|Devuan)
|
||||
case ${OSCN} in
|
||||
trusty|xenial|jessie)
|
||||
trusty|xenial|jessie|stretch)
|
||||
;;
|
||||
*)
|
||||
maybeOS_Support
|
||||
|
|
@ -111,6 +111,9 @@ distro_check() {
|
|||
if grep -q jessie /etc/os-release; then
|
||||
PLAT="Raspbian"
|
||||
OSCN="jessie"
|
||||
elif grep -q stretch /etc/os-release; then
|
||||
PLAT="Raspbian"
|
||||
OSCN="stretch"
|
||||
else
|
||||
PLAT="Ubuntu"
|
||||
OSCN="unknown"
|
||||
|
|
@ -435,19 +438,6 @@ update_package_cache() {
|
|||
timestampAsDate=$(date -d @"${timestamp}" "+%b %e")
|
||||
today=$(date "+%b %e")
|
||||
|
||||
case ${PLAT} in
|
||||
Ubuntu|Debian|Devuan)
|
||||
case ${OSCN} in
|
||||
trusty|jessie|wheezy)
|
||||
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
|
||||
echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
|
||||
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
|
||||
$SUDO apt-get -qq update & spinner $!
|
||||
echo " done!"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ ! "${today}" == "${timestampAsDate}" ]; then
|
||||
#update package lists
|
||||
|
|
@ -534,7 +524,7 @@ checkForDependencies() {
|
|||
case ${PLAT} in
|
||||
Ubuntu|Debian|Devuan)
|
||||
case ${OSCN} in
|
||||
trusty|jessie|wheezy)
|
||||
trusty|jessie|wheezy|stretch)
|
||||
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
|
||||
echo "deb http://swupdate.openvpn.net/apt $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
|
||||
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
|
||||
|
|
@ -544,6 +534,15 @@ checkForDependencies() {
|
|||
esac
|
||||
;;
|
||||
esac
|
||||
if [[ $PLAT == "Ubuntu" || $PLAT == "Debian" ]]; then
|
||||
if [[ $OSCN == "trusty" || $OSCN == "jessie" || $OSCN == "wheezy" || $OSCN == "stretch" ]]; then
|
||||
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg| $SUDO apt-key add -
|
||||
echo "deb http://build.openvpn.net/debian/openvpn/stable $OSCN main" | $SUDO tee /etc/apt/sources.list.d/swupdate.openvpn.net.list > /dev/null
|
||||
echo -n "::: Adding OpenVPN repo for $PLAT $OSCN ..."
|
||||
$SUDO apt-get -qq update & spinner $!
|
||||
echo " done!"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! "$today" == "$timestampAsDate" ]; then
|
||||
#update package lists
|
||||
|
|
@ -797,15 +796,17 @@ setClientDNS() {
|
|||
}
|
||||
|
||||
confOpenVPN() {
|
||||
SERVER_NAME="server"
|
||||
# Generate a random, alphanumeric identifier of 16 characters for this server so that we can use verify-x509-name later that is unique for this server installation. Source: Earthgecko (https://gist.github.com/earthgecko/3089509)
|
||||
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
|
||||
SERVER_NAME="server_${NEW_UUID}"
|
||||
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
# Ask user for desired level of encryption
|
||||
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption Strength" --radiolist \
|
||||
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications it is recommended to use 2048 bit. If you are testing or just want to get through it quicker you can use 1024. If you are paranoid about ... things... then grab a cup of joe and pick 4096." ${r} ${c} 3 \
|
||||
"2048" "Use 2048-bit encryption. Recommended level." ON \
|
||||
"1024" "Use 1024-bit encryption. Test level." OFF \
|
||||
"4096" "Use 4096-bit encryption. Paranoid level." OFF 3>&1 1>&2 2>&3)
|
||||
ENCRYPT=$(whiptail --backtitle "Setup OpenVPN" --title "Encryption strength" --radiolist \
|
||||
"Choose your desired level of encryption (press space to select):\n This is an encryption key that will be generated on your system. The larger the key, the more time this will take. For most applications, it is recommended to use 2048 bits. If you are testing, you can use 1024 bits to speed things up, but do not use this for normal use! If you are paranoid about ... things... then grab a cup of joe and pick 4096 bits." ${r} ${c} 3 \
|
||||
"1024" "Use 1024-bit encryption (testing only)" OFF \
|
||||
"2048" "Use 2048-bit encryption (recommended level)" ON \
|
||||
"4096" "Use 4096-bit encryption (paranoid level)" OFF 3>&1 1>&2 2>&3)
|
||||
|
||||
exitstatus=$?
|
||||
if [ $exitstatus != 0 ]; then
|
||||
|
|
@ -859,7 +860,7 @@ EOF
|
|||
fi
|
||||
|
||||
# Build the server
|
||||
${SUDOE} ./easyrsa build-server-full server nopass
|
||||
${SUDOE} ./easyrsa build-server-full ${SERVER_NAME} nopass
|
||||
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
|
||||
|
|
@ -884,6 +885,11 @@ EOF
|
|||
# Generate static HMAC key to defend against DDoS
|
||||
${SUDOE} openvpn --genkey --secret pki/ta.key
|
||||
|
||||
# Generate an empty Certificate Revocation List
|
||||
${SUDOE} ./easyrsa gen-crl
|
||||
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
|
||||
${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem
|
||||
|
||||
# Write config file for server using the template .txt file
|
||||
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
|
||||
|
||||
|
|
@ -992,10 +998,6 @@ confOVPN() {
|
|||
$SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
|
||||
$SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM
|
||||
|
||||
# Set status that no certs have been revoked
|
||||
echo 0 > /tmp/REVOKE_STATUS
|
||||
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
|
||||
|
||||
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
|
||||
|
||||
if [[ ${useUpdateVars} == false ]]; then
|
||||
|
|
@ -1344,7 +1346,7 @@ main() {
|
|||
echo ":::"
|
||||
if [[ "${useUpdateVars}" == false ]]; then
|
||||
echo "::: Installation Complete!"
|
||||
echo "::: Now run 'pivpn add' to create the ovpn profiles."
|
||||
echo "::: Now run 'pivpn add' to create an ovpn profile for each of your devices."
|
||||
echo "::: Run 'pivpn help' to see what else you can do!"
|
||||
echo "::: It is strongly recommended you reboot after installation."
|
||||
else
|
||||
|
|
|
|||
|
|
@ -2,6 +2,11 @@
|
|||
# PiVPN: client status script
|
||||
|
||||
STATUS_LOG="/var/log/openvpn-status.log"
|
||||
|
||||
function hr() {
|
||||
numfmt --to=iec-i --suffix=B "$1"
|
||||
}
|
||||
|
||||
printf "\n"
|
||||
if [ ! -f "${STATUS_LOG}" ]; then
|
||||
echo "The file: $STATUS_LOG was not found!"
|
||||
|
|
@ -15,7 +20,15 @@ printf "\e[1m::: Client Status List :::\e[0m\n"
|
|||
printf "\t\t\t\t\t\t\tBytes\t\tBytes\t\n"
|
||||
printf "\e[4mName\e[0m\t\t\e[4mRemote IP\e[0m\t\t\e[4mVirtual IP\e[0m\t\e[4mReceived\e[0m\t\e[4mSent\e[0m\t\t\e[4mConnected Since\e[0m \n"
|
||||
if grep -q "^CLIENT_LIST" "${STATUS_LOG}"; then
|
||||
awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" -- "$10}' ${STATUS_LOG}
|
||||
if [ -n $(type -t numfmt) ]; then
|
||||
while read -r line; do
|
||||
read -r -a array <<< $line
|
||||
[[ ${array[0]} = CLIENT_LIST ]] || continue
|
||||
printf "%s\t\t%s\t%s\t%s\t\t%s\t\t%s %s %s - %s" ${array[1]} ${array[2]} ${array[3]} $(hr ${array[4]}) $(hr ${array[5]}) ${array[7]} ${array[8]} ${array[10]} ${array[9]}
|
||||
done <$STATUS_LOG
|
||||
else
|
||||
awk -F' ' -v s='CLIENT_LIST' '$1 == s {print $2"\t\t"$3"\t"$4"\t"$5"\t\t"$6"\t\t"$8" "$9" "$11" - "$10}' ${STATUS_LOG}
|
||||
fi
|
||||
else
|
||||
printf "\nNo Clients Connected!\n"
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -240,5 +240,6 @@ printf "========================================================\n"
|
|||
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
|
||||
printf "%s was copied to:\n" "$NAME$FILEEXT"
|
||||
printf " /home/%s/ovpns\n" "$INSTALL_USER"
|
||||
printf "for easy transfer.\n"
|
||||
printf "for easy transfer. Please use this profile only on one\n"
|
||||
printf "device and create additional profiles for other devices.\n"
|
||||
printf "========================================================\n\n"
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
# PiVPN: revoke client script
|
||||
|
||||
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
|
||||
REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
|
||||
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
|
||||
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
|
||||
|
||||
|
|
@ -105,22 +104,6 @@ fi
|
|||
|
||||
cd /etc/openvpn/easy-rsa || exit
|
||||
|
||||
if [ "${REVOKE_STATUS}" == 0 ]; then
|
||||
echo 1 > /etc/pivpn/REVOKE_STATUS
|
||||
printf "\nThis seems to be the first time you have revoked a cert.\n"
|
||||
printf "First we need to initialize the Certificate Revocation List.\n"
|
||||
printf "Then add the CRL to your server config and restart openvpn.\n"
|
||||
./easyrsa gen-crl
|
||||
cp pki/crl.pem /etc/openvpn/crl.pem
|
||||
chown nobody:nogroup /etc/openvpn/crl.pem
|
||||
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
|
||||
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
|
||||
service openvpn restart
|
||||
else
|
||||
systemctl restart openvpn.service
|
||||
fi
|
||||
fi
|
||||
|
||||
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
|
||||
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
|
||||
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ port 1194
|
|||
ca /etc/openvpn/easy-rsa/pki/ca.crt
|
||||
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
|
||||
key /etc/openvpn/easy-rsa/pki/private/server.key
|
||||
dh /etc/openvpn/easy-rsa/pki/dh1024.pem
|
||||
dh /etc/openvpn/easy-rsa/pki/dh2048.pem
|
||||
topology subnet
|
||||
server 10.8.0.0 255.255.255.0
|
||||
# server and remote endpoints
|
||||
|
|
@ -23,8 +23,8 @@ push "dhcp-option DNS 8.8.4.4"
|
|||
# overriding but not wiping out the original default gateway.
|
||||
push "redirect-gateway def1"
|
||||
client-to-client
|
||||
duplicate-cn
|
||||
keepalive 10 120
|
||||
remote-cert-tls client
|
||||
tls-version-min 1.2
|
||||
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
|
||||
cipher AES-256-CBC
|
||||
|
|
@ -34,7 +34,7 @@ user nobody
|
|||
group nogroup
|
||||
persist-key
|
||||
persist-tun
|
||||
#crl-verify /etc/openvpn/crl.pem
|
||||
crl-verify /etc/openvpn/crl.pem
|
||||
status /var/log/openvpn-status.log 20
|
||||
status-version 3
|
||||
log /var/log/openvpn.log
|
||||
|
|
|
|||
Loading…
Reference in a new issue