Merge branch 'Nyr:master' into master
This commit is contained in:
simopunkc
GitHub
commit
471931c324
@ -13,7 +13,7 @@ Run the script and follow the assistant:
|
|||||||
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.
|
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.
|
||||||
|
|
||||||
### I want to run my own VPN but don't have a server for that
|
### I want to run my own VPN but don't have a server for that
|
||||||
You can get a VPS from just $1/month at [VirMach](https://billing.virmach.com/aff.php?aff=4109&url=billing.virmach.com/cart.php?gid=18).
|
You can get a VPS from just 2€/month at [AlphaVPS](https://alphavps.com/clients/aff.php?aff=474&pid=422).
|
||||||
|
|
||||||
### Donations
|
### Donations
|
||||||
|
|
||||||
|
|||||||
@ -227,7 +227,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
|
|||||||
fi
|
fi
|
||||||
if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
|
if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get install -y openvpn openssl ca-certificates $firewall
|
apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall
|
||||||
elif [[ "$os" = "centos" ]]; then
|
elif [[ "$os" = "centos" ]]; then
|
||||||
yum install -y epel-release
|
yum install -y epel-release
|
||||||
yum install -y openvpn openssl ca-certificates tar $firewall
|
yum install -y openvpn openssl ca-certificates tar $firewall
|
||||||
@ -240,17 +240,17 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
|
|||||||
systemctl enable --now firewalld.service
|
systemctl enable --now firewalld.service
|
||||||
fi
|
fi
|
||||||
# Get easy-rsa
|
# Get easy-rsa
|
||||||
easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.0/EasyRSA-3.1.0.tgz'
|
easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.1/EasyRSA-3.1.1.tgz'
|
||||||
mkdir -p /etc/openvpn/server/easy-rsa/
|
mkdir -p /etc/openvpn/server/easy-rsa/
|
||||||
{ wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
|
{ wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
|
||||||
chown -R root:root /etc/openvpn/server/easy-rsa/
|
chown -R root:root /etc/openvpn/server/easy-rsa/
|
||||||
cd /etc/openvpn/server/easy-rsa/
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
# Create the PKI, set up the CA and the server and client certificates
|
# Create the PKI, set up the CA and the server and client certificates
|
||||||
./easyrsa init-pki
|
./easyrsa --batch init-pki
|
||||||
./easyrsa --batch build-ca nopass
|
./easyrsa --batch build-ca nopass
|
||||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
|
./easyrsa --batch --days=3650 build-server-full server nopass
|
||||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
|
./easyrsa --batch --days=3650 build-client-full "$client" nopass
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
./easyrsa --batch --days=3650 gen-crl
|
||||||
# Move the stuff we need
|
# Move the stuff we need
|
||||||
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
|
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
|
||||||
# CRL is read with each client connection, while OpenVPN is dropped to nobody
|
# CRL is read with each client connection, while OpenVPN is dropped to nobody
|
||||||
@ -294,13 +294,13 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
|
|||||||
1|"")
|
1|"")
|
||||||
# Locate the proper resolv.conf
|
# Locate the proper resolv.conf
|
||||||
# Needed for systems running systemd-resolved
|
# Needed for systems running systemd-resolved
|
||||||
if grep -q '^nameserver 127.0.0.53' "/etc/resolv.conf"; then
|
if grep '^nameserver' "/etc/resolv.conf" | grep -qv '127.0.0.53' ; then
|
||||||
resolv_conf="/run/systemd/resolve/resolv.conf"
|
|
||||||
else
|
|
||||||
resolv_conf="/etc/resolv.conf"
|
resolv_conf="/etc/resolv.conf"
|
||||||
|
else
|
||||||
|
resolv_conf="/run/systemd/resolve/resolv.conf"
|
||||||
fi
|
fi
|
||||||
# Obtain the resolvers from resolv.conf and use them for OpenVPN
|
# Obtain the resolvers from resolv.conf and use them for OpenVPN
|
||||||
grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do
|
grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -v '127.0.0.53' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do
|
||||||
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
|
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
|
||||||
done
|
done
|
||||||
;;
|
;;
|
||||||
@ -325,6 +325,7 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
|
|||||||
echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf
|
echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
echo 'push "block-outside-dns"' >> /etc/openvpn/server/server.conf
|
||||||
echo "keepalive 10 120
|
echo "keepalive 10 120
|
||||||
cipher AES-256-CBC
|
cipher AES-256-CBC
|
||||||
user nobody
|
user nobody
|
||||||
@ -428,7 +429,6 @@ remote-cert-tls server
|
|||||||
auth SHA512
|
auth SHA512
|
||||||
cipher AES-256-CBC
|
cipher AES-256-CBC
|
||||||
ignore-unknown-option block-outside-dns
|
ignore-unknown-option block-outside-dns
|
||||||
block-outside-dns
|
|
||||||
verb 3" > /etc/openvpn/server/client-common.txt
|
verb 3" > /etc/openvpn/server/client-common.txt
|
||||||
# Enable and start the OpenVPN service
|
# Enable and start the OpenVPN service
|
||||||
systemctl enable --now openvpn-server@server.service
|
systemctl enable --now openvpn-server@server.service
|
||||||
@ -465,7 +465,7 @@ else
|
|||||||
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
||||||
done
|
done
|
||||||
cd /etc/openvpn/server/easy-rsa/
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
|
./easyrsa --batch --days=3650 build-client-full "$client" nopass
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
new_client
|
new_client
|
||||||
echo
|
echo
|
||||||
@ -499,7 +499,7 @@ else
|
|||||||
if [[ "$revoke" =~ ^[yY]$ ]]; then
|
if [[ "$revoke" =~ ^[yY]$ ]]; then
|
||||||
cd /etc/openvpn/server/easy-rsa/
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
./easyrsa --batch revoke "$client"
|
./easyrsa --batch revoke "$client"
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
./easyrsa --batch --days=3650 gen-crl
|
||||||
rm -f /etc/openvpn/server/crl.pem
|
rm -f /etc/openvpn/server/crl.pem
|
||||||
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
|
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
|
||||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user