Copy files from git repo using the 'install' command, switch DH params from 2ton.com.au to RFC 7919

- Now using DH parameters suggested by the RFC 7919 for use by TLS servers (the user can still generate his own if he wishes). https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups
2024-12-18 19:00:15 +00:00 · 2020-01-31 14:07:58 +01:00 · 2020-01-31 14:07:58 +01:00 · e949aadbc3
commit e949aadbc3
parent 379ab50f5f
8 changed files with 59 additions and 35 deletions
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@ -1626,17 +1626,21 @@ askEncryption(){
 				fi
 			fi

-			if [ -z "$DOWNLOAD_DH_PARAM" ] || [ "$DOWNLOAD_DH_PARAM" -ne 1 ]; then
-				DOWNLOAD_DH_PARAM=0
-				echo "::: DH parameters will be generated locally"
+			if [ -z "$USE_PREDEFINED_DH_PARAM" ]; then
+				USE_PREDEFINED_DH_PARAM=1
+				echo "::: Pre-defined DH parameters will be used"
 			else
-				echo "::: DH parameters will be downloaded from \"2 Ton Digital\""
+				if [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; then
+					echo "::: Pre-defined DH parameters will be used"
+				else
+					echo "::: DH parameters will be generated locally"
+				fi
 			fi
 		fi

 		echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
 		echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
-		echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
+		echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
 		return
 	fi

@ -1662,15 +1666,15 @@ askEncryption(){
 		exit 1
 	fi

-	if ([ "$pivpnENCRYPT" -ge 3072 ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\\n\\nGenerating DH parameters for a $pivpnENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from their database.\\nMore information about this service can be found here: https://2ton.com.au/safeprimes/\\n\\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
-		DOWNLOAD_DH_PARAM=1
+	if ([ "$pivpnENCRYPT" -ge 2048 ] && whiptail --backtitle "Setup OpenVPN" --title "Generate Diffie-Hellman Parameters" --yesno "Generating DH parameters can take many hours on a Raspberry Pi. You can instead use Pre-defined DH parameters recommended by the Internet Engineering Task Force.\\n\\nMore information about those can be found here: https://wiki.mozilla.org/Security/Archive/Server_Side_TLS_4.0#Pre-defined_DHE_groups\\n\\nIf you want unique parameters, choose 'No' and new Diffie-Hellman parameters will be generated on your device." ${r} ${c}); then
+		USE_PREDEFINED_DH_PARAM=1
 	else
-		DOWNLOAD_DH_PARAM=0
+		USE_PREDEFINED_DH_PARAM=0
 	fi

 	echo "TWO_POINT_FOUR=${TWO_POINT_FOUR}" >> /tmp/setupVars.conf
 	echo "pivpnENCRYPT=${pivpnENCRYPT}" >> /tmp/setupVars.conf
-	echo "DOWNLOAD_DH_PARAM=${DOWNLOAD_DH_PARAM}" >> /tmp/setupVars.conf
+	echo "USE_PREDEFINED_DH_PARAM=${USE_PREDEFINED_DH_PARAM}" >> /tmp/setupVars.conf
 }

 confOpenVPN(){
@ -1739,13 +1743,13 @@ set_var EASYRSA_ALGO       ${pivpnCERT}" | $SUDO tee vars >/dev/null
 	${SUDOE} ./easyrsa --batch build-ca nopass
 	printf "\\n::: CA Complete.\\n"

-	if [ "$pivpnCERT" = "rsa" ]; then
+	if [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -ne 1 ]; then
 		if [ "${runUnattended}" = 'true' ]; then
 			echo "::: The server key, Diffie-Hellman parameters, and HMAC key will now be generated."
 		else
 			whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman parameters, and HMAC key will now be generated." ${r} ${c}
 		fi
-	elif [ "$pivpnCERT" = "ec" ]; then
+	elif [ "$pivpnCERT" = "ec" ] || { [ "$pivpnCERT" = "rsa" ] && [ "$USE_PREDEFINED_DH_PARAM" -eq 1 ]; }; then
 		if [ "${runUnattended}" = 'true' ]; then
 			echo "::: The server key and HMAC key will now be generated."
 		else
@ -1757,22 +1761,13 @@ set_var EASYRSA_ALGO       ${pivpnCERT}" | $SUDO tee vars >/dev/null
 	EASYRSA_CERT_EXPIRE=3650 ${SUDOE} ./easyrsa build-server-full "${SERVER_NAME}" nopass

 	if [ "$pivpnCERT" = "rsa" ]; then
-		if [ ${DOWNLOAD_DH_PARAM} -eq 1 ]; then
-			# Downloading parameters
-			${SUDOE} curl -s "https://2ton.com.au/getprimes/random/dhparam/${pivpnENCRYPT}" -o "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem"
-			# Basic sanity check
-			if DH_MSG="$(${SUDOE} openssl dhparam -check -noout -in "/etc/openvpn/easy-rsa/pki/dh${pivpnENCRYPT}.pem" 2>&1 | tee /dev/tty)"; then
-				if [ "$DH_MSG" != "DH parameters appear to be ok." ]; then
-					echo "Invalid DH parameters, exiting..."
-					exit 1
-				fi
-			else
-				exit 1
-			fi
+		if [ "${USE_PREDEFINED_DH_PARAM}" -eq 1 ]; then
+			# Use Diffie-Hellman parameters from RFC 7919 (FFDHE)
+			${SUDOE} install -m 644 "${pivpnFilesDir}"/files/etc/openvpn/easy-rsa/pki/ffdhe"${pivpnENCRYPT}".pem pki/dh"${pivpnENCRYPT}".pem
 		else
 			# Generate Diffie-Hellman key exchange
 			${SUDOE} ./easyrsa gen-dh
-			${SUDOE} mv "pki/dh.pem" "pki/dh${pivpnENCRYPT}.pem"
+			${SUDOE} mv pki/dh.pem pki/dh"${pivpnENCRYPT}".pem
 		fi
 	fi

@ -1788,7 +1783,7 @@ set_var EASYRSA_ALGO       ${pivpnCERT}" | $SUDO tee vars >/dev/null
  ${SUDOE} chown "$debianOvpnUserGroup" /etc/openvpn/crl.pem

 	# Write config file for server using the template.txt file
-	$SUDO cp $pivpnFilesDir/server_config.txt /etc/openvpn/server.conf
+	$SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/server_config.txt /etc/openvpn/server.conf

 	# Apply client DNS settings
 	${SUDOE} sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${pivpnDNS1}'\"/' /etc/openvpn/server.conf
@ -1835,7 +1830,7 @@ set_var EASYRSA_ALGO       ${pivpnCERT}" | $SUDO tee vars >/dev/null
 }

 confOVPN(){
-	$SUDO cp $pivpnFilesDir/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
+	$SUDO install -m 644 "$pivpnFilesDir"/files/etc/openvpn/easy-rsa/pki/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt

 	$SUDO sed -i 's/IPv4pub/'"$pivpnHOST"'/' /etc/openvpn/easy-rsa/pki/Default.txt

@ -2128,14 +2123,11 @@ installScripts(){
 		$SUDO chmod 0755 /opt/pivpn
 	fi

-	$SUDO cp "$pivpnFilesDir"/scripts/*.sh /opt/pivpn/
-	$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/*.sh /opt/pivpn/
-	$SUDO chmod 0755 /opt/pivpn/*.sh
-	$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
-	$SUDO chmod 0755 /usr/local/bin/pivpn
-	$SUDO cp "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
-	$SUDO chmod 0644 /etc/bash_completion.d/pivpn
-  # shellcheck disable=SC1091
+	$SUDO install -m 755 "$pivpnFilesDir"/scripts/*.sh -t /opt/pivpn
+	$SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/*.sh -t /opt/pivpn
+	$SUDO install -m 755 "$pivpnFilesDir"/scripts/"$VPN"/pivpn /usr/local/bin/pivpn
+	$SUDO install -m 644 "$pivpnFilesDir"/scripts/"$VPN"/bash-completion /etc/bash_completion.d/pivpn
+	# shellcheck disable=SC1091
 	. /etc/bash_completion.d/pivpn
 	echo " done."
 }
--- a/examples/unattended_openvpn_example.conf
+++ b/examples/unattended_openvpn_example.conf
@ -12,5 +12,5 @@ pivpnHOST=pivpn.example.com
 pivpnENCRYPT=256
 pivpnSEARCHDOMAIN=searchdomain.example.com
 TWO_POINT_FOUR=1
-DOWNLOAD_DH_PARAM=0
+USE_PREDEFINED_DH_PARAM=1
 UNATTUPG=1
--- a/examples/unattended_wireguard_example.conf
+++ b/examples/unattended_wireguard_example.conf
--- a/files/etc/openvpn/easy-rsa/pki/Default.txt
+++ b/files/etc/openvpn/easy-rsa/pki/Default.txt
--- a/files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe2048.pem
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
--- a/files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe3072.pem
@ -0,0 +1,11 @@
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgEC
+-----END DH PARAMETERS-----
--- a/files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem
+++ b/files/etc/openvpn/easy-rsa/pki/ffdhe4096.pem
@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
--- a/files/etc/openvpn/server_config.txt
+++ b/files/etc/openvpn/server_config.txt