From e949aadbc3b08c397e0b68ca17c2f638a9df34c3 Mon Sep 17 00:00:00 2001
From: Orazio
Date: Fri, 31 Jan 2020 14:07:58 +0100
Subject: [PATCH] Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919

- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can still generate his own if he wishes). https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups

---
 auto_install/install.sh | 60 ++++++++-----------
 .../unattended_openvpn_example.conf | 2 +-
 .../unattended_wireguard_example.conf | 0
 .../etc/openvpn/easy-rsa/pki/Default.txt | 0
 files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem | 8 +++
 files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem | 11 ++++
 files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem | 13 ++++
 .../etc/openvpn/server_config.txt | 0
 8 files changed, 59 insertions(+), 35 deletions(-)
 rename unattended_openvpn_example.conf => examples/unattended_openvpn_example.conf (91%)
 rename unattended_wireguard_example.conf => examples/unattended_wireguard_example.conf (100%)
 rename Default.txt => files/etc/openvpn/easy-rsa/pki/Default.txt (100%)
 create mode 100644 files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem
 create mode 100644 files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem
 create mode 100644 files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem
 rename server_config.txt => files/etc/openvpn/server_config.txt (100%)

diff --git a/auto_install/install.sh b/auto_install/install.sh
index d2a1e96..5d9de4e 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -1626,17 +1626,21 @@ askEncryption(){
 fi
 fi
- if [ -z "$DOWNLOAD_DH_PARAM" ] || [ "$DOWNLOAD_DH_PARAM" -ne 1 ]; then
- DOWNLOAD_DH_PARAM=0
- echo "::: DH parameters will be generated locally"
+ if [ -z "$USE_PREDEFINED_DH_PARAM" ]; then
+ USE_PREDEFINED_DH_PARAM=1
+ echo "::: Pre-defined DH parameters will be used"
 else
- echo "::: DH parameters will be downloaded from \"2 Ton Digital\""
+ if [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; then
+ echo "::: Pre-defined DH parameters will be used"
+ else
+ echo "::: DH parameters will be generated locally"
+ fi
 fi
 fi
 echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
 echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
- echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
+ echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
 return
 fi
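Review bot: The unattended default `USE_PREDEFINED_DH_PARAM=1` is applied without looking at `pivpnENCRYPT`, while this commit only ships ffdhe2048.pem, ffdhe3072.pem and ffdhe4096.pem, so a config that leaves the variable unset but selects an RSA size without a matching file (if the validation earlier in askEncryption, outside this hunk, permits one) reaches the later `install` of a file that does not exist. The interactive path guards the same decision with `[ "$pivpnENCRYPT" -ge 2048 ]`; mirroring it here, by setting the default to 1 only when that test passes and to 0 otherwise, keeps both paths consistent. A user-supplied value other than 0 or 1 is also no longer normalised: the old `-ne 1` folded anything else to 0, whereas the new code passes a non-integer straight to `-eq 1` (a test error, then the "generated locally" branch) and writes it unchanged to /tmp/setupVars.conf. Whether this block is already inside an rsa-only condition is not visible in the hunk.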
@@ -1662,15 +1666,15 @@ askEncryption(){
 exit 1
 fi
- if ([ "$pivpnENCRYPT" -ge 3072 ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\\n\\nGenerating DH parameters for a $pivpnENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\\n\\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
- DOWNLOAD_DH_PARAM=1
+ if ([ "$pivpnENCRYPT" -ge 2048 ] && whiptail --backtitle "Setup OpenVPN" --title "Generate Diffie-Hellman Parameters" --yesno "Generating DH parameters can take many hours on a Raspberry Pi. You can instead use Pre-defined DH parameters recommended by the Internet Engineering Task Force.\\n\\nMore information about those can be found here: https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups\\n\\nIf you want unique parameters, choose 'No' and new Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
+ USE_PREDEFINED_DH_PARAM=1
 else
- DOWNLOAD_DH_PARAM=0
+ USE_PREDEFINED_DH_PARAM=0
 fi
 echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
 echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
- echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
+ echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
 }
 confOpenVPN(){
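Review bot: The parentheses around `[ "$pivpnENCRYPT" -ge 2048 ] && whiptail …` fork a subshell for no benefit, since `if` already accepts a command list; `if [ "$pivpnENCRYPT" -ge 2048 ] && whiptail …; then` reads the same and avoids the ShellCheck SC2235 warning (the form was carried over from the removed line). The dialog text could also name what "Pre-defined" means in practice, e.g. that the script installs the public RFC 7919 ffdhe2048/3072/4096 groups shipped with the installer, so the user knows the parameters are standardised and identical on every install rather than something the project generated. The `-ge 2048` guard silently falls to local generation for smaller sizes without telling the user why they were not asked, if such sizes are still accepted by the validation outside this hunk.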
@@ -1739,13 +1743,13 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
 ${SUDOE} ./easyrsa --batch build-ca nopass
 printf "\\n::: CA Complete.\\n"
- if [ "$pivpnCERT" = "rsa" ]; then
+ if [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -ne 1 ]; then
 if [ "${runUnattended}" = 'true' ]; then
 echo "::: The server key, Diffie-Hellman parameters, and HMAC key will now be generated."
 else
 whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
 fi
- elif [ "$pivpnCERT" = "ec" ]; then
+ elif [ "$pivpnCERT" = "ec" ] || { [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; }; then
 if [ "${runUnattended}" = 'true' ]; then
 echo "::: The server key and HMAC key will now be generated."
 else
@@ -1757,22 +1761,13 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
 EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full "${SERVER_NAME}" nopass
 if [ "$pivpnCERT" = "rsa" ]; then
- if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
- # Downloading parameters
- ${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
- # Basic sanity check
- if DH_MSG="$(${SUDOE} openssl dhparam -check -noout -in "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" 2>&1 | tee /dev/tty)"; then
- if [ "$DH_MSG" != "DH parameters appear to be ok." ]; then
- echo "Invalid DH parameters, exiting..."
- exit 1
- fi
- else
- exit 1
- fi
+ if [ "${USE_PREDEFINED_DH_PARAM}" -eq 1 ]; then
+ # Use Diffie-Hellman parameters from RFC 7919 (FFDHE)
+ ${SUDOE} install -m 644 "${pivpnFilesDir}"/files/etc/openvpn/easy-rsa/pki/ffdhe"${pivpnENCRYPT}".pem pki/dh"${pivpnENCRYPT}".pem
 else
 # Generate Diffie-Hellman key exchange
 ${SUDOE} ./easyrsa gen-dh
- ${SUDOE} mv "pki/dh.pem" "pki/dh${pivpnENCRYPT}.pem"
+ ${SUDOE} mv pki/dh.pem pki/dh"${pivpnENCRYPT}".pem
 fi
 fi
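Review bot: Both new conditions compare `$USE_PREDEFINED_DH_PARAM` with `-ne 1` / `-eq 1`, but nothing in this hunk ensures the variable is set on this path; should it be empty, `[ "" -ne 1 ]` fails with an "integer expression expected" error, the `elif` fails the same way, and no "will now be generated" message is shown at all (the `-eq 1` test in the following hunk has the same exposure). Reading it with a default at the point of use, `"${USE_PREDEFINED_DH_PARAM:-0}"` in both tests, makes the rsa-with-local-DH message the fallback and removes the test error. Whether askEncryption can leave the variable unset on some path is not visible here; confOpenVPN starts before this hunk and continues after it.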
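Review bot: The removed branch checked the DH file with `openssl dhparam -check` and exited on failure, while the replacement only runs `install` and never confirms that `ffdhe${pivpnENCRYPT}.pem` exists in the checkout or that the copy succeeded; only the 2048, 3072 and 4096 files are added by this commit, so any other size, or a truncated file, leaves `pki/dh${pivpnENCRYPT}.pem` missing and the problem surfaces only when OpenVPN starts. Whether the script runs under `set -e` is not visible in the hunk, so the failure should be explicit: `${SUDOE} install -m 644 "${pivpnFilesDir}"/files/etc/openvpn/easy-rsa/pki/ffdhe"${pivpnENCRYPT}".pem pki/dh"${pivpnENCRYPT}".pem || { echo "::: No pre-defined DH parameters for ${pivpnENCRYPT} bits, exiting..."; exit 1; }`. Keeping the `openssl dhparam -check` step on the installed file is cheap and also catches an edited or corrupted checkout, which is now the only source of these parameters. The relative `pki/` destination depends on the working directory set before this hunk.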
@@ -1788,7 +1783,7 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
 ${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem
 # Write config file for server using the template.txt file
- $SUDO cp $pivpnFilesDir/server_config.txt /etc/openvpn/server.conf
+ $SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/server_config.txt /etc/openvpn/server.conf
 # Apply client DNS settings
 ${SUDOE} sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${pivpnDNS1}'\"/' /etc/openvpn/server.conf
@@ -1835,7 +1830,7 @@ set_var EASYRSA_ALGO ${pivpnCERT}" | $SUDO tee vars >/dev/null
 }
 confOVPN(){
- $SUDO cp $pivpnFilesDir/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
+ $SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/easy-rsa/pki/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
 $SUDO sed -i 's/IPv4pub/'"$pivpnHOST"'/' /etc/openvpn/easy-rsa/pki/Default.txt
@@ -2128,14 +2123,11 @@ installScripts(){
 $SUDO chmod 0755 /opt/pivpn
 fi
- $SUDO cp "$pivpnFilesDir"/scripts/*.sh /opt/pivpn/
- $SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/*.sh /opt/pivpn/
- $SUDO chmod 0755 /opt/pivpn/*.sh
- $SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
- $SUDO chmod 0755 /usr/local/bin/pivpn
- $SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
- $SUDO chmod 0644 /etc/bash_completion.d/pivpn
- # shellcheck disable=SC1091
+ $SUDO install -m 755 "$pivpnFilesDir"/scripts/*.sh -t /opt/pivpn
+ $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/*.sh -t /opt/pivpn
+ $SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
+ $SUDO install -m 644 "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
+ # shellcheck disable=SC1091
 . /etc/bash_completion.d/pivpn
 echo " done."
 }
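Review bot: In the installScripts hunk, `$SUDO install -m 755 "$pivpnFilesDir"/scripts/*.sh -t /opt/pivpn` places the `-t` option after the operands, which works only because GNU install permutes its arguments (and stops doing so when `POSIXLY_CORRECT` is set); putting the target first, `$SUDO install -m 755 -t /opt/pivpn "$pivpnFilesDir"/scripts/*.sh`, removes that dependency, and the same applies to the second `install` line for `"$VPN"/*.sh`. As with the removed `cp`, an unmatched glob is passed literally and makes the command fail, so that behaviour is unchanged. The two earlier hunks in this line (server_config.txt and Default.txt) use the explicit source/destination form and need nothing.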
diff --git a/unattended_openvpn_example.conf b/examples/unattended_openvpn_example.conf
similarity index 91%
rename from unattended_openvpn_example.conf
rename to examples/unattended_openvpn_example.conf
index 969c915..a20f917 100644
--- a/unattended_openvpn_example.conf
+++ b/examples/unattended_openvpn_example.conf
@@ -12,5 +12,5 @@ pivpnHOST=pivpn.example.com
 pivpnENCRYPT=256
 pivpnSEARCHDOMAIN=searchdomain.example.com
 TWO_POINT_FOUR=1
-DOWNLOAD_DH_PARAM=0
+USE_PREDEFINED_DH_PARAM=1
 UNATTUPG=1
diff --git a/unattended_wireguard_example.conf b/examples/unattended_wireguard_example.conf
similarity index 100%
rename from unattended_wireguard_example.conf
rename to examples/unattended_wireguard_example.conf
diff --git a/Default.txt b/files/etc/openvpn/easy-rsa/pki/Default.txt
similarity index 100%
rename from Default.txt
rename to files/etc/openvpn/easy-rsa/pki/Default.txt
diff --git a/files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem b/files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem b/files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem
new file mode 100644
index 0000000..fb31ccd
--- /dev/null
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem
@@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgEC
+-----END DH PARAMETERS-----
diff --git a/files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem b/files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem
new file mode 100644
index 0000000..3cf0fcb
--- /dev/null
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
diff --git a/server_config.txt b/files/etc/openvpn/server_config.txt
similarity index 100%
rename from server_config.txt
rename to files/etc/openvpn/server_config.txt