From e1e49f58b89db5ea637f2671bf8c1ce35af68e5f Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Mon, 23 Jan 2017 21:37:58 -0800
Subject: [PATCH 1/1] update settings

---
 vpn-mk-client-cert | 78 +++++++++++++++++++++++++++++++++++-----------
 vpn-server-setup   | 32 +++++++++++++++----
 2 files changed, 85 insertions(+), 25 deletions(-)

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index 306cb22..4e41bac 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -25,7 +25,10 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 usage() {
     cat <<EOF
-usage: ${0##*/} VPN_SERVER_HOST [CLIENT_HOST]
+usage: ${0##*/} VPN_SERVER_HOST
+
+-c CLIENT_HOST   default is localhost
+-n CONFIG_NAME   default is client
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
@@ -34,35 +37,72 @@ EOF
     exit ${1:-0}
 }
 
-case $1 in
-    -h|--help) usage 0 ;;
-esac
-
-(($# >= 1)) || usage 1
-
-host=$1
 shell="bash -c"
-if [[ $2 ]]; then
-    shell="ssh $2"
-fi
+name=client
+
+temp=$(getopt -l help hc:n: "$@") || usage 1
+eval set -- "$temp"
+while true; do
+    case $1 in
+        -c) shell="ssh $2"; shift 2 ;;
+        -n) name="$2"; shift 2 ;;
+        -h|--help) usage ;;
+        --) shift; break ;;
+        *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+    esac
+done
+host=$1
+[[ $host ]] || usage 1
 
 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
-ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn'
+ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
 set -eE -o pipefail
 cd /etc/openvpn/easy-rsa
 source vars >/dev/null
 
 # uuidgen because common name must be unique
-{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key client &>/dev/null
+{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
 
 d=\$(mktemp -d)
-cp /etc/openvpn/easy-rsa/keys/ca.crt \
-   /etc/openvpn/update-resolv-conf \
-   /usr/share/doc/openvpn/examples/sample-config-files/client.conf \$d
-mv /etc/openvpn/easy-rsa/keys/client.{crt,key} \$d
-
-sed -i --follow-symlinks "s/^remote .*/remote $host 1194/" \$d/client.conf
+cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
+mv /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
 
 tar cz -C \$d .
 rm -rf \$d
 EOF
+
+cat > /etc/openvpn/client/$name.conf <<EOF
+# From example config, from debian stretch as of 1-2017
+client
+dev tun
+proto udp
+remote $host 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca $name-ca.crt
+cert $name.crt
+key $name.key
+# disabled for better performance
+#comp-lzo
+verb 3
+
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+
+# matching server config
+cipher aes-256-cbc
+
+
+# example config has the commented line, but this other thing looks stronger,
+# and I've seen it in a vpn provider I trust
+# ns-cert-type server
+remote-cert-tls server
+
+# more resilient when running as nonroot
+persist-key
+EOF
diff --git a/vpn-server-setup b/vpn-server-setup
index 5c21d4e..8d25c1f 100755
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -19,19 +19,26 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
+dns=true
 case $1 in
+    -d)
+        dns=false
+        ;;
     -h|--help|*)
         cat <<'EOF'
-usage: ${0##*/}
+usage: ${0##*/} [-d|-h|--help]
+
+-d  Do not push dns
+-h --help print help
 
 Sets up a vpn server which pushes gateway route and dns server
 so all traffic goes through the vpn. requires systemd,
 and might have some debian specific paths.
 EOF
+        exit
         ;;
 esac
 
-
 apt-get update
 # suggests get's us openssl & easy rsa
 apt-get install --install-suggests -y openvpn
@@ -54,7 +61,12 @@ echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
 cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
 cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn
 gzip -df /etc/openvpn/server.conf.gz
-sed -i --follow-symlinks 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf
+# dh improve security,
+# remove comp-lzo to increase perf
+sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF'
+s/^dh dh1024.pem/dh dh2048.pem/
+/^comp-lzo.*/d
+EOF
 
 teeu() {
     while read -r line; do
@@ -62,15 +74,23 @@ teeu() {
     done
 }
 
-# Be the default gateway for clients.
 teeu /etc/openvpn/server.conf <<'EOF'
+# not in example config, but openvpn outputs a warning about insecure
+# cipher without a setting like this (the default i can understand due
+# to compatibility issues, but not changing the example config... not
+# cool). exact cipher taken from config of vpn provider I trust. This
+# requires the same setting on the client side.
+cipher aes-256-cbc
+# Be the default gateway for clients.
 push "redirect-gateway def1"
 EOF
 
-# Be the dns server for clients
-teeu /etc/openvpn/server.conf <<'EOF'
+if $dns; then
+    # Be the dns server for clients
+    teeu /etc/openvpn/server.conf <<'EOF'
 push "dhcp-option DNS 10.8.0.1"
 EOF
+fi
 
 echo "1" > /proc/sys/net/ipv4/ip_forward
 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
-- 
2.30.2