Add support for debian 12.

This commit is contained in:
2023-09-25 01:27:48 +02:00
parent 9af06213a6
commit 3af24ada04
5 changed files with 406 additions and 167 deletions


@@ -249,7 +249,10 @@ DEFAULT_KEY_EMAIL='argus@oopen.de'
DEFAULT_KEY_ORG='o.open'
DEFAULT_KEY_OU="Network Services"
DEFAULT_SERVER_CIPHER="AES-256-GCM"
#DEFAULT_SERVER_CIPHER="AES-256-GCM"
DEFAULT_SERVER_CIPHER="None"
DEFAULT_DATA_CIPHERS="None"
DEFAULT_DATA_CIPHERS_FALLBACK="None"
#---------------------------------------
@@ -275,7 +278,11 @@ else
fatal "$(cat $log_file)"
fi
fi
[[ -z "$DEFAULT_SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER='None'
[[ -z "${SERVER_CIPHER}" ]] && SERVER_CIPHER="${DEFAULT_SERVER_CIPHER}"
[[ -z "${DATA_CIPHERS}" ]] && DATA_CIPHERS="${DEFAULT_DATA_CIPHERS}"
[[ -z "${DATA_CIPHERS_FALLBACK}" ]] && DATA_CIPHERS_FALLBACK="${DEFAULT_DATA_CIPHERS_FALLBACK}"
[[ -n "$OPENVPN_SERVER" ]] && DEFAULT_SERVER="$(trim "$OPENVPN_SERVER")"
@@ -313,8 +320,6 @@ fi
[[ -n "$KEY_OU" ]] && DEFAULT_KEY_OU="$(trim "$KEY_OU")"
[[ -n "$LZO_COMPRESSION" ]] && DEFAULT_LZO_COMPRESSION="$(trim "$LZO_COMPRESSION")"
[[ -n "$SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER="$(trim "$SERVER_CIPHER")"
#[[ -n "$" ]] && DEFAULT_="$(trim "$")"
declare -a DEFAULT_OPENVPN_NETWORK=()
if [[ -n "$OPENVPN_NETWORK" ]] ; then
@@ -697,13 +702,43 @@ echo ""
echo "Note: if setting this parameter at the server configuration, this parameter *must'"
echo " also set this parameter at client configuration"
echo ""
echo " cipher BF-CBC # Blowfish (default)"
echo " cipher BF-CBC # Blowfish"
echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES"
echo " cipher AES-256-GCM # GCM 256Bit (default)"
echo " ..."
echo ""
echo " Give a colon separated list (i.e.\"AES-256-GCM:DES-EDE3-CBC:AES-256-CBC\")"
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation."
echo ""
DATA_CIPHERS=""
echononl "Server cryptographic cipher [${DEFAULT_DATA_CIPHERS}]: "
read DATA_CIPHERS
if [[ "X$DATA_CIPHERS" = "X" ]]; then
DATA_CIPHERS="$DEFAULT_DATA_CIPHERS"
fi
if [[ "$(trim ${DATA_CIPHERS,,})" = "none" ]] || [[ "$(trim ${DATA_CIPHERS,,})" = "default" ]] ; then
DATA_CIPHERS="None"
fi
echo ""
echo "Set server-side additional 'cryptographic cipher'."
echo ""
echo "Note: if setting this parameter at the server configuration, this parameter *must'"
echo " also set this parameter at client configuration"
echo ""
echo " cipher BF-CBC # Blowfish"
echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES"
echo " ..."
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set."
echo " Only one cipher ist possible (i.e.\"AES-256-CBC\")"
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation."
echo ""
SERVER_CIPHER=""
echononl "Server cryptographic cipher [${DEFAULT_SERVER_CIPHER}]: "
@@ -711,10 +746,35 @@ read SERVER_CIPHER
if [[ "X$SERVER_CIPHER" = "X" ]]; then
SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
fi
if [[ "$(trim ${SERVER_CIPHER,,})" = none ]]; then
if [[ "$(trim ${SERVER_CIPHER,,})" = "none" ]] || "$(trim ${SERVER_CIPHER,,})" = "default" ]]; then
SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
fi
echo ""
echo "Set server-side fallback 'cryptographic cipher'."
echo ""
echo " cipher BF-CBC # Blowfish (default)"
echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES"
echo " ..."
echo ""
echo " Only one cipher ist possible (i.e.\"BF-CBC\")"
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set - the recommendation."
echo ""
DATA_CIPHERS_FALLBACK=""
echononl "Fallback cryptographic cipher [${DEFAULT_DATA_CIPHERS_FALLBACK}]: "
read DATA_CIPHERS_FALLBACK
if [[ "X$DATA_CIPHERS_FALLBACK" = "X" ]]; then
DATA_CIPHERS_FALLBACK="$DEFAULT_DATA_CIPHERS_FALLBACK"
fi
if [[ "$(trim ${DATA_CIPHERS_FALLBACK,,})" = "none" ]] || [[ "$(trim ${DATA_CIPHERS_FALLBACK,,})" = "default" ]] ; then
DATA_CIPHERS_FALLBACK="None"
fi
echo ""
echo ""
echononl "Enable LZO compression (yes/no) [no]: "
@@ -1517,10 +1577,20 @@ echo ""
echo -e "\tOpenVPN Network.....................: $OPENVPN_NETWORK"
echo -e "\tOpenVPN Server IP-Address...........: $OPENVPN_SERVER_IP"
echo ""
if [[ -n "$SERVER_CIPHER" ]] ; then
echo -e "\tServer cipher setting...............: $SERVER_CIPHER"
if [[ -n "$DATA_CIPHERS" ]] && [[ "${DATA_CIPHERS,,}" != "none" ]] ; then
echo -e "\tServer ciphers .....................: $DATA_CIPHERS"
else
echo -e "\tServer cipher setting...............: \033[33mNone\033[m"
echo -e "\tServer ciphers .....................: \033[33mNone\033[m"
fi
if [[ -n "$SERVER_CIPHER" ]] && [[ "${SERVER_CIPHER,,}" != "none" ]] ; then
echo -e "\tAdditional Server cipher............: $SERVER_CIPHER"
else
echo -e "\tAdditional Server cipher............: \033[33mNone\033[m"
fi
if [[ -n "$DATA_CIPHERS_FALLBACK" ]] && [[ "${DATA_CIPHERS_FALLBACK,,}" != "none" ]] ; then
echo -e "\tFallback Server cipher..............: $DATA_CIPHERS_FALLBACK"
else
echo -e "\tFallback Server cipher..............: \033[33mNone\033[m"
fi
echo -e "\tLZO compression.....................: $LZO_COMPRESSION"
echo ""
@@ -1591,7 +1661,9 @@ fi
#
#OPENVPN_SERVER_IP="$OPENVPN_SERVER_IP"
#
#DATA_CIPHERS="$DATA_CIPHERS"
#SERVER_CIPHER="$SERVER_CIPHER"
#DATA_CIPHERS_FALLBACK="$DATA_CIPHERS_FALLBACK"
#
#LZO_COMPRESSION="$LZO_COMPRESSION"
#
@@ -1706,26 +1778,11 @@ LZO_COMPRESSION="no"
EOF
fi
if [[ -n "$SERVER_CIPHER" ]] ; then
if [[ "${SERVER_CIPHER,,}" = "none" ]]; then
cat <<EOF >> "$_client_conf_file" 2>> "$log_file"
cipher BF-CBC
cat <<EOF >> "$_openvpn_name_conf_file" 2>> "$log_file"
DATA_CIPHERS="${DATA_CIPHERS}"
SERVER_CIPHER="${SERVER_CIPHER}"
DATA_CIPHERS_FALLBACK="${DATA_CIPHERS_FALLBACK}"
EOF
else
cat << EOF >> $_openvpn_name_conf_file 2> $log_file
SERVER_CIPHER="$SERVER_CIPHER"
EOF
fi
else
cat << EOF >> $_openvpn_name_conf_file 2> $log_file
SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
EOF
fi
cat << EOF >> $_openvpn_name_conf_file 2> $log_file
OPENVPN_NETWORK="$OPENVPN_NETWORK"
EOF
@@ -2032,11 +2089,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
#perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"\\\${0%/*}\"&" ${EASY_RSA_DIR}/vars > "$log_file"
perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"${OPENVPN_BASE_DIR}/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
_key="EASYRSA_OPENSSL"
_val="openssl"
perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
@@ -2064,12 +2116,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
_failed=true
fi
# EASYRSA_KEY_SIZE
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
_key="EASYRSA_DN"
_val=""org
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_DN\s+.*)&##\1\nset_var EASYRSA_DN\t\t \"org\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
@@ -2121,7 +2167,11 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
_key="EASYRSA_REQ_CN"
_val="$KEY_CN"
perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
else
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\n#set_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
fi
if [[ $? -ne 0 ]]; then
_failed=true
@@ -2155,13 +2205,6 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then
_failed=true
fi
_key="EASYRSA_REQ_CN"
_val="$KEY_CN"
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
_key="EASYRSA_BATCH"
_val="1"
perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
@@ -2375,24 +2418,68 @@ else
# - Removes & re-initializes the PKI dir for a clean PKI
# -
echononl " Initialise PKI Directory"
${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" init-pki > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" init-pki"
if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then
${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" init-pki > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" init-pki"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
echononl "continue anyway [yes/no]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
else
${EASY_RSA_DIR}/easyrsa --pki-dir=${OPENVPN_KEY_DIR} init-pki > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
print_command "${EASY_RSA_DIR}/easyrsa --pki-dir=${OPENVPN_KEY_DIR} init-pki"
echononl "continue anyway [yes/no]: "
read OK
OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
echononl "Wrong entry! - repeat [yes/nno]: "
read OK
done
[[ $OK = "yes" ]] || fatal "Abbruch durch User"
fi
echononl " Backup .'${OPENVPN_KEY_DIR}/vars'."
if [[ -f "${OPENVPN_KEY_DIR}/vars" ]]; then
mv "${OPENVPN_KEY_DIR}/vars" "${OPENVPN_KEY_DIR}/vars.$_date" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
else
echo_skipped
fi
echononl " Copy 'vars' to PKI directory '${OPENVPN_KEY_DIR}'.."
cp "${EASY_RSA_DIR}/vars" "${OPENVPN_KEY_DIR}/vars" > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then
echo_ok
else
echo_failed
error "$(cat $log_file)"
fi
fi
fi
@@ -2403,7 +2490,12 @@ echononl " Create Root CA.."
if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1
else
printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1
if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 12 ]] ; then
printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1
else
printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1
#printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa build-ca nopass > "$log_file" 2>&1
fi
fi
if [[ $? -eq 0 ]] ; then
echo_ok
@@ -2715,7 +2807,9 @@ cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap" if you are ethernet bridging.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
@@ -2760,8 +2854,7 @@ key $_SERVER_KEY # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# openssl dhparam -out dh2048.pem 2048
# 2048 bit keys.
dh $_DH_KEY
@@ -2795,6 +2888,18 @@ ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
@@ -2802,7 +2907,8 @@ ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 10.8.0.0 255.255.255.0"
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
EOF
if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then
for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do
@@ -2875,21 +2981,18 @@ client-config-dir $OPENVPN_CCD_DIR
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option WINS 10.8.0.1"
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
EOF
if [[ -n "$DNS_SERVER" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
@@ -2954,21 +3057,38 @@ tls-auth ${OPENVPN_KEY_DIR}/ta.key 0
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
;cipher AES-256-CBC
EOF
if [[ -n "$SERVER_CIPHER" ]]; then
if [[ "${SERVER_CIPHER,,}" != "none" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
cipher $SERVER_CIPHER
cipher ${SERVER_CIPHER}
EOF
fi
if [[ "${DATA_CIPHERS,,}" != "none" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
data-ciphers ${DATA_CIPHERS}
EOF
fi
if [[ "${DATA_CIPHERS_FALLBACK,,}" != "none" ]]; then
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
data-ciphers-fallback ${DATA_CIPHERS_FALLBACK}
EOF
fi
cat <<EOF >> ${_server_conf_file} 2>> "$log_file"
# Enable compression on the VPN link.
# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
@@ -3017,8 +3137,8 @@ status /var/log/openvpn/status-server-${OPENVPN_NAME}.log
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log-append openvpn.log
;log openvpn.log
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log
log /var/log/openvpn/server-${OPENVPN_NAME}.log
# Set the appropriate level of log
@@ -3034,6 +3154,10 @@ verb 1
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
EOF
if [[ -h "${OPENVPN_BASE_DIR}/crl.pem" ]] ; then