The crypto update 🔐
- Removed the "fast" and "slow" modes (not a good idea; I prefer to let the user choose the parameters directly) - Corrected some confusion between the cipher for the data channel and the control channel, my bad. - using TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 by default for the control channel - using SHA384 by default for HMAC auth and the RSA certificate - giving the choice of the cipher for the data channel, the size of the DH key and the size of the RSA key. I will explain all my choices here: https://github.com/Angristan/OpenVPN-install#encryption (likely tomorrow)
This commit is contained in:
parent
c03a55f11f
commit
56477bba34
@ -1,6 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Secure OpenVPN server installer for Debian, Ubuntu and CentOS.
|
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
|
||||||
# https://github.com/Angristan/OpenVPN-install
|
# https://github.com/Angristan/OpenVPN-install
|
||||||
|
|
||||||
|
|
||||||
@ -57,7 +57,7 @@ fi
|
|||||||
|
|
||||||
newclient () {
|
newclient () {
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
cp /etc/openvpn/client-common.txt ~/$1.ovpn
|
cp /etc/openvpn/client-template.txt ~/$1.ovpn
|
||||||
echo "<ca>" >> ~/$1.ovpn
|
echo "<ca>" >> ~/$1.ovpn
|
||||||
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
|
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
|
||||||
echo "</ca>" >> ~/$1.ovpn
|
echo "</ca>" >> ~/$1.ovpn
|
||||||
@ -85,6 +85,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
while :
|
while :
|
||||||
do
|
do
|
||||||
clear
|
clear
|
||||||
|
echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
|
||||||
|
echo ""
|
||||||
echo "Looks like OpenVPN is already installed"
|
echo "Looks like OpenVPN is already installed"
|
||||||
echo ""
|
echo ""
|
||||||
echo "What do you want to do?"
|
echo "What do you want to do?"
|
||||||
@ -183,21 +185,12 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
done
|
done
|
||||||
else
|
else
|
||||||
clear
|
clear
|
||||||
echo 'Welcome to the secure OpenVPN installer'
|
echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
|
||||||
echo ""
|
echo ""
|
||||||
# OpenVPN setup and first user creation
|
# OpenVPN setup and first user creation
|
||||||
echo "I need to ask you a few questions before starting the setup"
|
echo "I need to ask you a few questions before starting the setup"
|
||||||
echo "You can leave the default options and just press enter if you are ok with them"
|
echo "You can leave the default options and just press enter if you are ok with them"
|
||||||
echo ""
|
echo ""
|
||||||
echo "First, choose which variant of the script you want to use."
|
|
||||||
echo '"Fast" is secure, but "slow" provides you the best encryption you can get,'
|
|
||||||
echo "at the cost of some speed (not that slow though)"
|
|
||||||
echo " 1) Fast (2048 bits RSA and DH, 128 bits AES)"
|
|
||||||
echo " 2) Slow (4096 bits RSA and DH, 256 bits AES)"
|
|
||||||
while [[ $VARIANT != "1" && $VARIANT != "2" ]]; do
|
|
||||||
read -p "Variant [1-2]: " -e -i 1 VARIANT
|
|
||||||
done
|
|
||||||
echo ""
|
|
||||||
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
|
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
|
||||||
echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (local/private IP)"
|
echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (local/private IP)"
|
||||||
echo "Otherwise, it sould be your public IPv4 address."
|
echo "Otherwise, it sould be your public IPv4 address."
|
||||||
@ -222,6 +215,86 @@ else
|
|||||||
read -p "DNS [1-5]: " -e -i 2 DNS
|
read -p "DNS [1-5]: " -e -i 2 DNS
|
||||||
done
|
done
|
||||||
echo ""
|
echo ""
|
||||||
|
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
|
||||||
|
echo "the encryption in OpenVPN and the choices I made in this script."
|
||||||
|
echo "Please note that all the choices proposed are secure (to a different degree)"
|
||||||
|
echo "and are still viable to date, unlike some default OpenVPN options"
|
||||||
|
echo ''
|
||||||
|
echo "Choose which cipher you want to use for the data channel:"
|
||||||
|
echo " 1) AES-128-CBC (fastest, recommended)"
|
||||||
|
echo " 2) AES-192-CBC"
|
||||||
|
echo " 3) AES-256-CBC (most secure)"
|
||||||
|
echo "Alternatives to AES, use them only if you know what you're doing."
|
||||||
|
echo "They are relatively slower but as secure as AES."
|
||||||
|
echo " 4) CAMELLIA-128-CBC"
|
||||||
|
echo " 5) CAMELLIA-192-CBC"
|
||||||
|
echo " 6) CAMELLIA-256-CBC"
|
||||||
|
echo " 7) SEED-CBC"
|
||||||
|
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
|
||||||
|
read -p "Cipher [1-7]: " -e -i 1 CIPHER
|
||||||
|
done
|
||||||
|
case $CIPHER in
|
||||||
|
1)
|
||||||
|
CIPHER="cipher AES-128-CBC"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
CIPHER="cipher AES-192-CBC"
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
CIPHER="cipher AES-256-CBC"
|
||||||
|
;;
|
||||||
|
4)
|
||||||
|
CIPHER="cipher CAMELLIA-128-CBC"
|
||||||
|
;;
|
||||||
|
5)
|
||||||
|
CIPHER="cipher CAMELLIA-192-CBC"
|
||||||
|
;;
|
||||||
|
6)
|
||||||
|
CIPHER="cipher CAMELLIA-256-CBC"
|
||||||
|
;;
|
||||||
|
5)
|
||||||
|
CIPHER="cipher SEED-CBC"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
echo ""
|
||||||
|
echo "Choose what size of Diffie-Hellman key you want to use:"
|
||||||
|
echo " 1) 2048 bits (fastest)"
|
||||||
|
echo " 2) 3072 bits (recommended, best compromise)"
|
||||||
|
echo " 3) 4096 bits (most secure)"
|
||||||
|
while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
|
||||||
|
read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
|
||||||
|
done
|
||||||
|
case $DH_KEY_SIZE in
|
||||||
|
1)
|
||||||
|
DH_KEY_SIZE="2048"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
DH_KEY_SIZE="3072"
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
DH_KEY_SIZE="4096"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
echo ""
|
||||||
|
echo "Choose what size of RSA key you want to use:"
|
||||||
|
echo " 1) 2048 bits (fastest)"
|
||||||
|
echo " 2) 3072 bits (recommended, best compromise)"
|
||||||
|
echo " 3) 4096 bits (most secure)"
|
||||||
|
while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
|
||||||
|
read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE
|
||||||
|
done
|
||||||
|
case $RSA_KEY_SIZE in
|
||||||
|
1)
|
||||||
|
RSA_KEY_SIZE="2048"
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
RSA_KEY_SIZE="3072"
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
RSA_KEY_SIZE="4096"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
echo ""
|
||||||
echo "Finally, tell me a name for the client certificate and configuration"
|
echo "Finally, tell me a name for the client certificate and configuration"
|
||||||
while [[ $CLIENT = "" ]]; do
|
while [[ $CLIENT = "" ]]; do
|
||||||
echo "Please, use one word only, no special characters"
|
echo "Please, use one word only, no special characters"
|
||||||
@ -326,29 +399,22 @@ WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
|
|||||||
chown -R root:root /etc/openvpn/easy-rsa/
|
chown -R root:root /etc/openvpn/easy-rsa/
|
||||||
rm -rf ~/EasyRSA-3.0.1.tgz
|
rm -rf ~/EasyRSA-3.0.1.tgz
|
||||||
cd /etc/openvpn/easy-rsa/
|
cd /etc/openvpn/easy-rsa/
|
||||||
# If the user selected the fast, less hardened version
|
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
|
||||||
if [[ "$VARIANT" = '1' ]]; then
|
echo 'set_var EASYRSA_DIGEST "sha384"' >> vars
|
||||||
echo "set_var EASYRSA_KEY_SIZE 2048
|
|
||||||
set_var EASYRSA_DIGEST "sha256"" > vars
|
|
||||||
fi
|
|
||||||
# If the user selected the relatively slow, ultra hardened version
|
|
||||||
if [[ "$VARIANT" = '2' ]]; then
|
|
||||||
echo "set_var EASYRSA_KEY_SIZE 4096
|
|
||||||
set_var EASYRSA_DIGEST "sha384"" > vars
|
|
||||||
fi
|
|
||||||
# Create the PKI, set up the CA, the DH params and the server + client certificates
|
# Create the PKI, set up the CA, the DH params and the server + client certificates
|
||||||
./easyrsa init-pki
|
./easyrsa init-pki
|
||||||
./easyrsa --batch build-ca nopass
|
./easyrsa --batch build-ca nopass
|
||||||
./easyrsa gen-dh
|
openssl dhparam $DH_KEY_SIZE -out dh.pem
|
||||||
./easyrsa build-server-full server nopass
|
./easyrsa build-server-full server nopass
|
||||||
./easyrsa build-client-full $CLIENT nopass
|
./easyrsa build-client-full $CLIENT nopass
|
||||||
./easyrsa gen-crl
|
./easyrsa gen-crl
|
||||||
# generate tls-auth key
|
# generate tls-auth key
|
||||||
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
||||||
# Move all the generated files
|
# Move all the generated files
|
||||||
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
||||||
# Make cert revocation list readable for non-root
|
# Make cert revocation list readable for non-root
|
||||||
chmod 644 /etc/openvpn/crl.pem
|
chmod 644 /etc/openvpn/crl.pem
|
||||||
|
|
||||||
# Generate server.conf
|
# Generate server.conf
|
||||||
echo "port $PORT" > /etc/openvpn/server.conf
|
echo "port $PORT" > /etc/openvpn/server.conf
|
||||||
if [[ "$PROTOCOL" = 'UDP' ]]; then
|
if [[ "$PROTOCOL" = 'UDP' ]]; then
|
||||||
@ -357,26 +423,14 @@ set_var EASYRSA_DIGEST "sha384"" > vars
|
|||||||
echo "proto tcp" >> /etc/openvpn/server.conf
|
echo "proto tcp" >> /etc/openvpn/server.conf
|
||||||
fi
|
fi
|
||||||
echo "dev tun
|
echo "dev tun
|
||||||
ca ca.crt
|
|
||||||
cert server.crt
|
|
||||||
key server.key
|
|
||||||
dh dh.pem
|
|
||||||
user nobody
|
user nobody
|
||||||
group $NOGROUP
|
group $NOGROUP
|
||||||
|
persist-key
|
||||||
|
persist-tun
|
||||||
|
keepalive 10 120
|
||||||
topology subnet
|
topology subnet
|
||||||
server 10.8.0.0 255.255.255.0
|
server 10.8.0.0 255.255.255.0
|
||||||
ifconfig-pool-persist ipp.txt
|
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
|
||||||
cipher AES-256-CBC
|
|
||||||
auth SHA512
|
|
||||||
tls-version-min 1.2" >> /etc/openvpn/server.conf
|
|
||||||
if [[ "$VARIANT" = '1' ]]; then
|
|
||||||
# If the user selected the fast, less hardened version
|
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
|
|
||||||
elif [[ "$VARIANT" = '2' ]]; then
|
|
||||||
# If the user selected the relatively slow, hardened version
|
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
|
|
||||||
fi
|
|
||||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
|
|
||||||
# DNS resolvers
|
# DNS resolvers
|
||||||
case $DNS in
|
case $DNS in
|
||||||
1)
|
1)
|
||||||
@ -402,13 +456,19 @@ tls-version-min 1.2" >> /etc/openvpn/server.conf
|
|||||||
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
echo "keepalive 10 120
|
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
|
||||||
persist-key
|
echo "crl-verify crl.pem
|
||||||
persist-tun
|
ca ca.crt
|
||||||
crl-verify crl.pem
|
cert server.crt
|
||||||
tls-server
|
key server.key
|
||||||
tls-auth tls-auth.key 0
|
tls-auth tls-auth.key 0
|
||||||
status openvpn-status.log
|
dh dh.pem
|
||||||
|
auth SHA384
|
||||||
|
$CIPHER
|
||||||
|
tls-server
|
||||||
|
tls-version-min 1.2
|
||||||
|
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
|
||||||
|
status openvpn.log
|
||||||
verb 3" >> /etc/openvpn/server.conf
|
verb 3" >> /etc/openvpn/server.conf
|
||||||
|
|
||||||
# Create the sysctl configuration file if needed (mainly for Arch Linux)
|
# Create the sysctl configuration file if needed (mainly for Arch Linux)
|
||||||
@ -506,12 +566,12 @@ verb 3" >> /etc/openvpn/server.conf
|
|||||||
IP=$USEREXTERNALIP
|
IP=$USEREXTERNALIP
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
# client-common.txt is created so we have a template to add further users later
|
# client-template.txt is created so we have a template to add further users later
|
||||||
echo "client" > /etc/openvpn/client-common.txt
|
echo "client" > /etc/openvpn/client-template.txt
|
||||||
if [[ "$PROTOCOL" = 'UDP' ]]; then
|
if [[ "$PROTOCOL" = 'UDP' ]]; then
|
||||||
echo "proto udp" >> /etc/openvpn/client-common.txt
|
echo "proto udp" >> /etc/openvpn/client-template.txt
|
||||||
elif [[ "$PROTOCOL" = 'TCP' ]]; then
|
elif [[ "$PROTOCOL" = 'TCP' ]]; then
|
||||||
echo "proto tcp-client" >> /etc/openvpn/client-common.txt
|
echo "proto tcp-client" >> /etc/openvpn/client-template.txt
|
||||||
fi
|
fi
|
||||||
echo "remote $IP $PORT
|
echo "remote $IP $PORT
|
||||||
dev tun
|
dev tun
|
||||||
@ -519,20 +579,15 @@ resolv-retry infinite
|
|||||||
nobind
|
nobind
|
||||||
persist-key
|
persist-key
|
||||||
persist-tun
|
persist-tun
|
||||||
setenv opt block-outside-dns
|
|
||||||
verb 3
|
|
||||||
remote-cert-tls server
|
remote-cert-tls server
|
||||||
cipher AES-256-CBC
|
auth SHA384
|
||||||
auth SHA512
|
$CIPHER
|
||||||
|
tls-client
|
||||||
tls-version-min 1.2
|
tls-version-min 1.2
|
||||||
tls-client" >> /etc/openvpn/client-common.txt
|
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
|
||||||
if [[ "$VARIANT" = '1' ]]; then
|
setenv opt block-outside-dns
|
||||||
# If the user selected the fast, less hardened version
|
verb 3" >> /etc/openvpn/client-template.txt
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
|
|
||||||
elif [[ "$VARIANT" = '2' ]]; then
|
|
||||||
# If the user selected the relatively slow, hardened version
|
|
||||||
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
|
|
||||||
fi
|
|
||||||
# Generate the custom client.ovpn
|
# Generate the custom client.ovpn
|
||||||
newclient "$CLIENT"
|
newclient "$CLIENT"
|
||||||
echo ""
|
echo ""
|
||||||
|
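Review bot: In the data-channel cipher `case` added in the `@ -222,6 +215,86 @@` hunk, the SEED-CBC arm is labelled `5)` a second time, so option 7 never matches; CIPHER then stays `7` and the later `$CIPHER` lines written into server.conf and client-template.txt emit a bare `7`, which is not a valid OpenVPN directive. The arm should read `7)`. In the same hunk the RSA prompt reuses the DH label; `read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE` would be clearer. In the easy-rsa hunk, `openssl dhparam $DH_KEY_SIZE -out dh.pem` puts the bit count before the options, and with OpenSSL's newer argument parser non-option arguments are expected last, so `openssl dhparam -out dh.pem "$DH_KEY_SIZE"` is the safer order. The enclosing `else` branch of the installer starts and ends outside these hunks.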