From db7cd23a75387ecb417b4b621d6610bc6ff4eb6d Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sun, 21 Jan 2018 20:37:50 -0500
Subject: [PATCH] add trisquel flidas support, small fixes and additions

---
 vpn-mk-client-cert | 71 ++++++++++++----
 vpn-server-setup | 199 +++++++++++++++++++++++++++++----------------
 2 files changed, 182 insertions(+), 88 deletions(-)

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index f480d02..d495754 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -18,20 +18,23 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" + usage() { cat <&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" -dns=true -route=true -case $1 in - -r) route=false ;; - -d) dns=false ;; - -h|--help|*) - cat <<'EOF' +usage() { + cat <<'EOF' usage: ${0##*/} [-d|-h|--help] -r Do not push default route -d Do not push dns +-s Do not start openvpn -h --help print help -Sets up a vpn server which pushes gateway route and dns server -so all traffic goes through the vpn. requires systemd, -and might have some debian specific paths. +Sets up a vpn server which pushes gateway route and dns server so all +traffic goes through the vpn. requires systemd, and might have some +debian specific paths. + +You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and +the script will not generate them if it sees they exist already. + +Note: Uses GNU getopt options parsing style EOF - exit - ;; -esac + exit $1 +} + +dns=true +route=true +start=true +temp=$(getopt -l help drsh "$@") || usage 1 +eval set -- "$temp" +while true; do + case $1 in + -d) dns=false; shift ;; + -r) route=false; shift ;; + -s) start=false; shift ;; + -h|--help) usage ;; + --) shift; break ;; + *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; + esac +done apt-get update -# suggests get's us openssl & easy rsa +# suggests get's us openssl apt-get install --install-suggests -y openvpn -apt-get install -y uuid-runtime -mkdir -p /etc/openvpn/easy-rsa/keys +if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then + vpn_service=openvpn-server@server +else + vpn_service=openvpn@server +fi +apt-get install -y uuid-runtime easy-rsa +mkdir -p /etc/openvpn/easy-rsa cd /etc/openvpn/easy-rsa cp -r /usr/share/easy-rsa/* . 
-source vars # dun care about setting cert cn etc from the non-example values -./clean-all -# accept default prompts -echo -e '\n\n\n\n\n\n\n\n' | ./build-ca - -# This builds the server's key/cert. argument is the name of the file, -# but it also is the default common name of the cert. -# 'server' is the default name in our conf file for the name of the file -# and I've seen no reason to change it. -# Note, this is not idempotent. -{ echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server -./build-dh -cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ -cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn -gzip -df /etc/openvpn/server.conf.gz -# dh improve security, -# remove comp-lzo to increase perf -sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF' -s/^dh dh1024.pem/dh dh2048.pem/ -/^comp-lzo.*/d -EOF +if [[ -e openssl-1.0.0.cnf && ! -e openssl.cnf ]]; then + # there's a debian bug about this. + ln -s openssl-1.0.0.cnf openssl.cnf +fi + +keys_exist=true +keyfiles=(/etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key}) +for f in ${keyfiles[@]}; do + if [[ ! -e $f ]]; then + keys_exist=false + break + fi +done + +if ! $keys_exist; then + source vars # dun care about setting cert cn etc from the non-example values + ./clean-all # note: removes and creates /etc/openvpn/easy-rsa/keys + # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses + openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key + # accept default prompts + echo -e '\n\n\n\n\n\n\n\n' | ./build-ca + + # This builds the server's key/cert. argument is the name of the file, + # but it also is the default common name of the cert. + # 'server' is the default name in our conf file for the name of the file + # and I've seen no reason to change it. + # Note, this is not idempotent. 
+ { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server + ./build-dh +fi + +server_dir=/etc/openvpn/server +mkdir -p $server_dir +chmod 700 $server_dir + +cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz $server_dir +gzip -df $server_dir/server.conf.gz + + +cp ${keyfiles[@]} $server_dir +# for legacy systems +for f in ${keyfiles[@]}; do + ln -sf server/${f##*/} /etc/openvpn +done + +cat >>$server_dir/server.conf <<'EOF' +# I cat an extra blank line to start because the example config does +# not have a final newline. .... -cat >>/etc/openvpn/server.conf <<'EOF' # not in example config, but openvpn outputs a warning about insecure # cipher without a setting like this (the default i can understand due # to compatibility issues, but not changing the example config... not -# cool). exact cipher taken from config of vpn provider I trust. This +# cool). # requires the same setting on the client side. -cipher aes-256-cbc +cipher AES-256-CBC # just sets up the ability to have client specific configs client-config-dir /etc/openvpn/client-config -# 30 days. default is 3600, 1 hour. we momentarily disconnect -# after this time, and get a new tls key. The idea is that -# if someone is working very hard to break our encryption, -# they have less time to do it, and less time in the past -# for it to be broken. online sources say that there is no -# good objective idea about what a good value is here, since -# we don't expect our encryption to be breakable, but 1 hour -# seems very conservative. Since I want to support hosting -# a server over the tunnel, having the server break up to once -# an hour is very tough. I've seen a vpn service that seems -# very on top of things set this to 5 days. 
-reneg-sec 2592000 + +# duplicate in newer sample configs +tls-auth ta.key 0 # This file is secret + +# depending on sample config, this may not be there, which means i can't +# talk to 10.8.0.1, there might be some other way, but stretch's +# sample config says: +# Should be subnet (addressing via IP) +# unless Windows clients v2.0.9 and lower have to +# be supported (then net30, i.e. a /30 per client) +# Defaults to net30 (not recommended) +topology subnet EOF -mkdir -p /etc/openvpn/client-config -if $route; then - cat >>/etc/openvpn/server.conf <<'EOF' -# Be the default gateway for clients. -push "redirect-gateway def1" + +# dh improve security, +# remove comp-lzo to increase perf +sed -i --follow-symlinks -f - $server_dir/server.conf <<'EOF' +s/^dh dh1024.pem/dh dh2048.pem/ +/^comp-lzo.*/d EOF -fi + + +mkdir -p /etc/openvpn/client-config + if $dns; then # Be the dns server for clients - cat >>/etc/openvpn/server.conf <<'EOF' + cat >>$server_dir/server.conf <<'EOF' push "dhcp-option DNS 10.8.0.1" EOF fi -echo "1" > /proc/sys/net/ipv4/ip_forward -sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf -cat >>/etc/sysctl.conf <<'EOF' +if $route; then + cat >>$server_dir/server.conf <<'EOF' +# Be the default gateway for clients. +push "redirect-gateway def1" +EOF + echo "1" > /proc/sys/net/ipv4/ip_forward + sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf + cat >>/etc/sysctl.conf <<'EOF' net.ipv4.ip_forward=1 EOF -gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') + gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') -cat >/etc/systemd/system/vpnnat.service </etc/systemd/system/vpnnat.service <
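Review bot: In the new `usage()` of vpn-server-setup the heredoc keeps a quoted delimiter, `cat <<'EOF'`, so the synopsis line `usage: ${0##*/} [-d|-h|--help]` is printed with `${0##*/}` literally unexpanded, and the synopsis also omits the `-r` and `-s` options the getopt loop below accepts. No other `$` appears in the visible heredoc text, so changing the opener to `cat <<EOF` and the synopsis to `usage: ${0##*/} [-d|-r|-s|-h|--help]` fixes both. Separately, `${keyfiles[@]}` is expanded unquoted in the two `for f in ${keyfiles[@]}` loops and in `cp ${keyfiles[@]} $server_dir`; the paths are fixed here so it is harmless today, but `"${keyfiles[@]}"` is the safe form and what ShellCheck will flag. The header and tail of this hunk, and most of the vpn-mk-client-cert hunk, are lost to the page's garbling, so this note covers only what is visible.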