Patch/openvpn-install
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e64937c528
openvpn-install/openvpn-install.sh.diff
JWSmythe e64937c528
First upload changes for Slackware Linux 
openvpn-install.sh.orig is the original file provided by Nyr, used for the diff. 
openvpn-install.sh is the patched OpenVPN installer script.
openvpn-install.sh.diff is simply the diff, created with: diff -Naruw openvpn-install.sh.orig openvpn-install.sh > openvpn-install.sh.diff
2023-11-04 23:29:28 -04:00

332 lines
12 KiB
Diff
Raw Blame History

--- openvpn-install.sh.orig 2023-11-04 23:10:18.964945448 -0400
+++ openvpn-install.sh 2023-11-04 23:13:50.088945866 -0400
@@ -3,7 +3,7 @@
# https://github.com/Nyr/openvpn-install
#
# Copyright (c) 2013 Nyr. Released under the MIT License.
-
+# Slackware support added by JWSmythe v20231028.2034
# Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -q "dash"; then
@@ -38,9 +38,13 @@
os="fedora"
os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1)
group_name="nobody"
+elif grep -qs "slackware" /etc/os-release; then
+ os="slackware"
+ os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.')
+ group_name="nobody"
else
echo "This installer seems to be running on an unsupported distribution.
-Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora."
+Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS, Fedora, and Slackware."
exit
fi
@@ -68,6 +72,12 @@
exit
fi
+if [[ "$os" == "slackware" && "$os_version" -lt 14 ]]; then
+ echo "Slackware 14.0 or higher is required to use this installer.
+This version of Slackware is too old and unsupported."
+ exit
+fi
+
# Detect environments where $PATH does not include the sbin directories
if ! grep -q sbin <<< "$PATH"; then
echo '$PATH does not include sbin. Try using "su -" instead of "su".'
@@ -85,6 +95,13 @@
exit
fi
+# Slackware's OpenVPN install doesn't include the server directory. Create it.
+if [[ "$os" == "slackware" ]]; then
+ if [ ! -d /etc/openvpn/server ]; then
+ mkdir /etc/openvpn/server
+ fi
+fi
+
new_client () {
# Generates the custom client.ovpn
{
@@ -208,6 +225,11 @@
[[ -z "$client" ]] && client="client"
echo
echo "OpenVPN installation is ready to begin."
+
+ if [[ "$os" == "slackware" ]]; then
+ # No systemctl for Slackware. Can't use the test.
+ firewall="iptables"
+ else
# Install a firewall if firewalld or iptables are not already available
if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
@@ -215,11 +237,13 @@
# We don't want to silently enable firewalld, so we give a subtle warning
# If the user continues, firewalld will be installed and enabled during setup
echo "firewalld, which is required to manage routing tables, will also be installed."
- elif [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then
+ elif [[ "$os" == "debian" || "$os" == "ubuntu" || "$os" == "slackware" ]]; then
# iptables is way less invasive than firewalld so no warning is given
firewall="iptables"
fi
fi
+ fi
+
read -n1 -r -p "Press any key to continue..."
# If running inside a container, disable LimitNPROC to prevent conflicts
if systemd-detect-virt -cq; then
@@ -227,12 +251,14 @@
echo "[Service]
LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
fi
- if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
+ if [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then
apt-get update
apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall
- elif [[ "$os" = "centos" ]]; then
+ elif [[ "$os" == "centos" ]]; then
yum install -y epel-release
yum install -y openvpn openssl ca-certificates tar $firewall
+ elif [[ "$os" == "slackware" ]]; then
+ slackpkg install openvpn openssl ca-certificates tar $firewall
else
# Else, OS must be Fedora
dnf install -y openvpn openssl ca-certificates tar $firewall
@@ -271,16 +297,21 @@
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
# Generate server.conf
+ # Note -JWS 20231027 server.conf should always have full paths to the
+ # config files. Relative paths failed with Slackware's rc.openvpn, if it
+ # is called from outside of the /etc/openvpn/server directory. This should
+ # help users on other distros too.
+
echo "local $ip
port $port
proto $protocol
dev tun
-ca ca.crt
-cert server.crt
-key server.key
-dh dh.pem
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/server.crt
+key /etc/openvpn/server/server.key
+dh /etc/openvpn/server/dh.pem
auth SHA512
-tls-crypt tc.key
+tls-crypt /etc/openvpn/server/tc.key
topology subnet
server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
# IPv6
@@ -334,12 +365,18 @@
persist-key
persist-tun
verb 3
-crl-verify crl.pem" >> /etc/openvpn/server/server.conf
+crl-verify /etc/openvpn/server/crl.pem" >> /etc/openvpn/server/server.conf
if [[ "$protocol" = "udp" ]]; then
echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
fi
# Enable net.ipv4.ip_forward for the system
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-openvpn-forward.conf
+ if [[ "$os" == "slackware" ]]; then
+ echo "Enabling /etc/rc.d/rc.ip_forward.
+ "
+ chmod 755 /etc/rc.d/rc.ip_forward
+ /etc/rc.d/rc.ip_forward start
+ fi
# Enable without waiting for a reboot or service restart
echo 1 > /proc/sys/net/ipv4/ip_forward
if [[ -n "$ip6" ]]; then
@@ -348,7 +385,14 @@
# Enable without waiting for a reboot or service restart
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
fi
+ if [[ "$os" == "slackware" ]]; then
+ echo "
+ *** Slackware Admins: Disregard systemctl, systemd, and firewall-cmd errors below. ***
+ "
+ fi
+
if systemctl is-active --quiet firewalld.service; then
+ # if systemctl is-active --quiet firewalld.service && [[ "$os" != "slackware" ]]; then
# Using both permanent and not permanent rules to avoid a firewalld
# reload.
# We don't use --add-service=openvpn because that would only work with
@@ -401,6 +445,83 @@
WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service
systemctl enable --now openvpn-iptables.service
fi
+ if [[ "$os" == "slackware" ]]; then
+ out="#!/bin/sh
+# Start/stop/restart the OpenVPN Routing
+# 20231025 JWSmythe (https://jwsmythe.com) for https://github.com/Nyr/openvpn-install
+# Copyright (c) 2013 Nyr. Released under the MIT License.
+
+routing_start() {
+ $iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ $iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
+ $iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+ $iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+"
+ if [[ -n "$ip6" ]]; then
+ out+="
+ $ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
+ $ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ $ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+"
+ fi
+
+out+="}
+
+routing_stop() {
+ $iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ $iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
+ $iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+ $iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $iptables_path -F
+ $iptables_path -t nat -F
+"
+
+ if [[ -n "$ip6" ]]; then
+ out+="
+ $ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
+ $ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
+ $ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+ $ip6tables_path -F
+ $ip6tables_path -t nat -F
+ "
+ fi
+
+ out+="}
+
+routing_restart() {
+ routing_stop
+ sleep 1
+ routing_start
+}
+
+case \"\$1\" in
+'start')
+ routing_start
+ ;;
+'stop')
+ routing_stop
+ ;;
+'restart')
+ routing_restart
+ ;;
+*)
+ echo \"usage $0 start|stop|restart\"
+esac
+"
+ if [[ ! -f /etc/rc.d/rc.ovpn_routing ]]; then
+ echo "Writing startup routing to /etc/rc.d/rc.ovpn_routing"
+ echo "$out" > /etc/rc.d/rc.ovpn_routing
+ chmod 755 /etc/rc.d/rc.ovpn_routing
+ /etc/rc.d/rc.ovpn_routing
+ else
+ echo "!!! Writing startup routing to /etc/rc.d/rc.ovpn_routing.new !!!"
+ echo " You need to copy it over and run it."
+ echo "$out" > /etc/rc.d/rc.ovpn_routing.new
+ fi
+
+
+ fi
+
# If SELinux is enabled and a custom port was selected, we need this
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
# Install semanage if not already present
@@ -431,7 +552,17 @@
ignore-unknown-option block-outside-dns
verb 3" > /etc/openvpn/server/client-common.txt
# Enable and start the OpenVPN service
+ if [[ "$os" == "slackware" ]]; then
+ echo "iii Starting up services. rc.openvpn and rc.ovpn_routing "
+ echo "!!! You need to add them to rc.local, so they will run at boot time !!!"
+ # Make sure they're executable
+ chmod 755 /etc/rc.d/rc.openvpn
+ chmod 755 /etc/rc.d/rc.ovpn_routing
+ /etc/rc.d/rc.openvpn start /etc/openvpn/server/server.conf
+ /etc/rc.d/rc.ovpn_routing start
+ else
systemctl enable --now openvpn-server@server.service
+ fi
# Generates the custom client.ovpn
new_client
echo
@@ -439,6 +570,33 @@
echo
echo "The client configuration is available in:" ~/"$client.ovpn"
echo "New clients can be added by running this script again."
+
+ if [[ "$os" == "slackware" ]]; then
+ echo "
+ ************************************************************
+ !!!!! Slackware Admins !!!!!
+ ************************************************************
+ If this isn't the first time you've run this script, you may need to
+ overwrite rc.ovpn_routing with rc.ovpn_routing.new. It was left in case
+ you made customizations.
+
+ You need to add these lines to the end of your /etc/rc.d/rc.local,
+ so OpenVPN will start, and it will route the VPN clients correctly.
+
+ #==== Begin /etc/rc.d/rc.local lines =======================
+ # Start OpenVPN Server
+ if [ -x /etc/rc.d/rc.openvpn ]; then
+ . /etc/rc.d/rc.openvpn start /etc/openvpn/server/server.conf
+ fi
+
+ # Start OpenVPN Routing
+ if [ -x /etc/rc.d/rc.ovpn_routing ]; then
+ . /etc/rc.d/rc.ovpn_routing start
+ fi
+ #===== END /etc/rc.d/rc.local lines ========================
+ ************************************************************
+ "
+ fi
else
clear
echo "OpenVPN is already installed."
@@ -522,6 +680,18 @@
if [[ "$remove" =~ ^[yY]$ ]]; then
port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
+ if [[ "$os" == "slackware" ]]; then
+ # Re-enabling so the stops will work. Disabling immediately after.
+ chmod 755 /etc/rc.d/rc.openvpn
+ chmod 755 /etc/rc.d/rc.ovpn_routing
+ /etc/rc.d/rc.ovpn_routing stop
+ /etc/rc.d/rc.openvpn stop
+ rm -rf /etc/openvpn/server
+ chmod 644 /etc/rc.d/rc.openvpn
+ chmod 644 /etc/rc.d/rc.ovpn_routing
+ # We're not uninstalling anything. The user can if they want.
+ # slackpkg remove openvpn
+ else
if systemctl is-active --quiet firewalld.service; then
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
# Using both permanent and not permanent rules to avoid a firewalld reload.
@@ -548,7 +718,7 @@
systemctl disable --now openvpn-server@server.service
rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
rm -f /etc/sysctl.d/99-openvpn-forward.conf
- if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
+ if [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then
rm -rf /etc/openvpn/server
apt-get remove --purge -y openvpn
else
@@ -556,6 +726,7 @@
yum remove -y openvpn
rm -rf /etc/openvpn/server
fi
+ fi
echo
echo "OpenVPN removed!"
else
Reference in New Issue View Git Blame Copy Permalink