From 0ceb6e8d59421dbb5e6909da19bc52f6377cdb7e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 24 Sep 2017 22:48:01 +0100 Subject: [PATCH 01/62] Add openvpn --- src/freedombone-app-vpn | 157 +++++++++++++++++++++++++++++---- src/freedombone-utils-firewall | 23 +++++ 2 files changed, 164 insertions(+), 16 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index a22a0bd6..719dcea4 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -9,6 +9,8 @@ # Freedom in the Cloud # # VPN functions +# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8 +# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/ # # License # ======= @@ -28,12 +30,16 @@ # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . -VARIANTS='' +VARIANTS='full full-vim' IN_DEFAULT_INSTALL=0 SHOW_ON_ABOUT=0 -vpn_variables=() +OPENVPN_SERVER_NAME="${PROJECT_NAME}-vpn" + +vpn_variables=(MY_EMAIL_ADDRESS + LOCAL_NETWORK_STATIC_IP_ADDRESS + MY_USERNAME) function logging_on_vpn { echo -n '' 
@@ -73,24 +79,143 @@ function restore_remote_vpn { } function remove_vpn { - apt-get -yq remove --purge fastd + apt-get -yq remove --purge fastd openvpn easy-rsa + if [ -d /etc/openvpn ]; then + rm -rf /etc/openvpn + fi + firewall_deny_forwarding remove_completion_param install_vpn } -function install_vpn { - if ! grep -q "repo.universe-factory.net" /etc/apt/sources.list; then - echo 'deb http://repo.universe-factory.net/debian/ sid main' >> /etc/apt/sources.list - gpg --keyserver pgpkeys.mit.edu --recv-key 16EF3F64CB201D9C - if [ ! "$?" = "0" ]; then - exit 76272 - fi - gpg -a --export 16EF3F64CB201D9C | sudo apt-key add - - apt-get update - apt-get -yq install fastd - if [ ! "$?" = "0" ]; then - exit 52026 - fi +function create_user_vpn_key { + username=$1 + + if [ ! -d /home/$username ]; then + return fi + + echo $"Creating VPN key for $username" + + cd /etc/openvpn/easy-rsa + echo ' + +y +y +' | ./build-key "$username" + + if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then + echo $'VPN user cert not generated' + exit 783528 + fi + if [ ! 
-f /etc/openvpn/easy-rsa/keys/$username.key ]; then + echo $'VPN user key not generated' + exit 682523 + fi + + user_vpn_cert_file=/home/$username/vpn.ovpn + + cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file + sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file + sed -i 's|;user nobody|user nobody|g' $user_vpn_cert_file + sed -i 's|;group nogroup|group nogroup|g' $user_vpn_cert_file + + sed -i 's|ca ca.crt|;ca ca.crt|g' $user_vpn_cert_file + sed -i 's|cert client.crt|;cert client.crt|g' $user_vpn_cert_file + sed -i 's|key client.key|;key client.key|g' $user_vpn_cert_file + + echo '' >> $user_vpn_cert_file + cat /etc/openvpn/ca.crt >> $user_vpn_cert_file + echo '' >> $user_vpn_cert_file + + echo '' >> $user_vpn_cert_file + cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file + echo '' >> $user_vpn_cert_file + + echo '' >> $user_vpn_cert_file + cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file + echo '' >> $user_vpn_cert_file + + chown $username:$username $user_vpn_cert_file + + rm /etc/openvpn/easy-rsa/keys/$username.crt + shred -zu /etc/openvpn/easy-rsa/keys/$username.key + + echo $"VPN key created at $user_vpn_cert_file" +} + +function add_user_vpn { + new_username="$1" + new_user_password="$2" + + create_user_vpn_key $new_username +} + +function remove_user_vpn { + new_username="$1" +} + +function install_vpn { + if [ ! $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then + return + fi + + apt-get -yq install fastd openvpn easy-rsa + + if [ ! 
-f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then + echo $'Example openvpn server config not found' + exit 783953 + fi + gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf + sed -i "s|;push \"redirect-gateway|push \"redirect-gateway|g" /etc/openvpn/server.conf + sed -i 's|;push "dhcp-option|push "dhcp-option|g' /etc/openvpn/server.conf + sed -i 's|;user nobody|user nobody|g' /etc/openvpn/server.conf + sed -i 's|;group nogroup|group nogroup|g' /etc/openvpn/server.conf + echo 1 > /proc/sys/net/ipv4/ip_forward + sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf + sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf + sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf + + cp -r /usr/share/easy-rsa/ /etc/openvpn + if [ ! -d /etc/openvpn/easy-rsa/keys ]; then + mkdir /etc/openvpn/easy-rsa/keys + fi + + sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" /etc/openvpn/easy-rsa/vars + sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" /etc/openvpn/easy-rsa/vars + sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" /etc/openvpn/easy-rsa/vars + sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" /etc/openvpn/easy-rsa/vars + sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" /etc/openvpn/easy-rsa/vars + sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" /etc/openvpn/easy-rsa/vars + sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" /etc/openvpn/easy-rsa/vars + openssl dhparam -out /etc/openvpn/dh2048.pem 2048 + cd /etc/openvpn/easy-rsa + . ./vars + ./clean-all + ./build-ca + echo ' + +y +y +' | ./build-key-server $OPENVPN_SERVER_NAME + if [ ! -f /etc/openvpn/easy-rsa/keys/$OPENVPN_SERVER_NAME.crt ]; then + echo $'OpenVPN crt not found' + exit 7823352 + fi + if [ ! 
-f /etc/openvpn/easy-rsa/keys/$OPENVPN_SERVER_NAME.key ]; then + echo $'OpenVPN key not found' + exit 6839436 + fi + if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then + echo $'OpenVPN ca not found' + exit 7935203 + fi + cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn + + create_user_vpn_key $MY_USERNAME + + firewall_allow_forwarding + systemctl openvpn start + APP_INSTALLED=1 } diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 56460df7..b2187d51 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -32,6 +32,7 @@ FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg +FIREWALL_EIFACE=eth0 function save_firewall_settings { iptables-save > /etc/firewall.conf 
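Review bot: In `create_user_vpn_key` the client profile `$user_vpn_cert_file` is created by `cp` from the world-readable template under /usr/share/doc and then has the user's private key appended, but its mode is never tightened, so the embedded key is readable by every local account (the later `chown` changes ownership, not permissions); add `chmod 600 $user_vpn_cert_file` directly after the `cp` and before the `cat ... >>` lines. In `install_vpn` the service start is written as `systemctl openvpn start`, which systemctl rejects because the verb comes first; it should be `systemctl start openvpn`, plus `systemctl enable openvpn` if the tunnel is meant to survive a reboot. The `sed` that turns `;push "dhcp-option` into `push "dhcp-option` uncomments the sample config's DNS push lines, which in the stock server.conf name third-party resolvers, so VPN clients' DNS is handed to an outside provider by default — worth either pointing at a resolver this host runs or a comment stating the choice. `$username` is interpolated unquoted into every path and `cd /etc/openvpn/easy-rsa` has no `|| exit`, so a missing directory makes `./build-key` run in the caller's cwd; `cd /etc/openvpn/easy-rsa || exit 1` and quoting the paths follow the rest of the project's scripts.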
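Review bot: `FIREWALL_EIFACE=eth0` hard-codes the external interface name, and every VPN rule added in the following hunks (`-i $FIREWALL_EIFACE`, `-o $FIREWALL_EIFACE`) silently matches nothing on hosts where the interface is named differently (predictable names such as ens3 or enp0s3), leaving port 1194 closed and NAT unset with no error reported. The project's network utility already derives the outbound device in `get_ipv4_address` with `ip route get ... | awk ... /dev/`; the same lookup could seed this variable, falling back to eth0 only when detection yields nothing. At minimum a comment such as `# external interface used for the VPN INPUT/FORWARD/NAT rules; adjust on hosts not using eth0` would flag the assumption.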
@@ -108,6 +109,28 @@ function enable_ipv6 { echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } +function firewall_deny_forwarding { + iptables -D INPUT -i $FIREWALL_EIFACE -m state --state NEW -p udp --dport 1194 -j ACCEPT + iptables -D INPUT -i tun+ -j ACCEPT + iptables -D FORWARD -i tun+ -j ACCEPT + iptables -D FORWARD -i tun+ -o $FIREWALL_EIFACE -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -D FORWARD -i $FIREWALL_EIFACE -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -D POSTROUTING -s $(get_ipv4_address)/24 -o $FIREWALL_EIFACE -j MASQUERADE + iptables -D OUTPUT -o tun+ -j ACCEPT + save_firewall_settings +} + +function firewall_allow_forwarding { + iptables -A INPUT -i $FIREWALL_EIFACE -m state --state NEW -p udp --dport 1194 -j ACCEPT + iptables -A INPUT -i tun+ -j ACCEPT + iptables -A FORWARD -i tun+ -j ACCEPT + iptables -A FORWARD -i tun+ -o $FIREWALL_EIFACE -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -i $FIREWALL_EIFACE -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -s $(get_ipv4_address)/24 -o $FIREWALL_EIFACE -j MASQUERADE + iptables -A OUTPUT -o tun+ -j ACCEPT + save_firewall_settings +} + function configure_firewall { if [ $INSTALLING_MESH ]; then mesh_firewall From 42a6706480ab36c063a4d9584afe510477f0174c Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 24 Sep 2017 22:49:43 +0100 Subject: [PATCH 02/62] Year --- src/freedombone-app-vpn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 719dcea4..2c68c08b 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -15,7 +15,7 @@ # License # ======= # -# Copyright (C) 2014-2016 Bob Mottram +# Copyright (C) 2014-2017 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by 
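Review bot: The MASQUERADE rule in `firewall_allow_forwarding` uses `-s $(get_ipv4_address)/24`, the server's own LAN address, but packets arriving from VPN clients carry source addresses from the tunnel subnet set by the `server` directive in server.conf (the sample server.conf that `install_vpn` copies defaults to `server 10.8.0.0 255.255.255.0`), so the rule never matches and client traffic is forwarded unmasqueraded with private source addresses; the same defect carries into the hunks that store this value (`CURRENT_IPV4_ADDRESS` in patch 06, `EXTERNAL_IPV4_ADDRESS` in patches 09 and 10) and into the cron script in patch 12, where an external-address /24 is even less appropriate. The `-s` should be the tunnel subnet, e.g. `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $FIREWALL_EIFACE -j MASQUERADE`, which also removes the need to track the server's address at all. Separately, `iptables -A INPUT -i tun+ -j ACCEPT` and `iptables -A FORWARD -i tun+ -j ACCEPT` give every VPN client unrestricted access to all services on the host and to any forwarded destination; if the goal is internet egress, narrow the INPUT rule to the services clients are meant to reach and add `-o $FIREWALL_EIFACE` to the FORWARD rule. The `-D` lines in `firewall_deny_forwarding` mirror the add order correctly, but each prints an error when its rule is absent, so a comment noting that this is expected on a partially configured host would save a reader some alarm.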
From c432d69551503d606cd8e14d619f11f20827a151 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 24 Sep 2017 23:12:53 +0100 Subject: [PATCH 03/62] Remove vpn client keys --- src/freedombone-app-vpn | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 2c68c08b..323242fb 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -36,6 +36,7 @@ IN_DEFAULT_INSTALL=0 SHOW_ON_ABOUT=0 OPENVPN_SERVER_NAME="${PROJECT_NAME}-vpn" +OPENVPN_KEY_FILENAME='vpn.ovpn' vpn_variables=(MY_EMAIL_ADDRESS LOCAL_NETWORK_STATIC_IP_ADDRESS @@ -85,6 +86,14 @@ function remove_vpn { fi firewall_deny_forwarding remove_completion_param install_vpn + + # remove any client keys + for d in /home/*/ ; do + USERNAME=$(echo "$d" | awk -F '/' '{print $3}') + if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then + shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME + fi + done } function create_user_vpn_key { @@ -112,7 +121,7 @@ y exit 682523 fi - user_vpn_cert_file=/home/$username/vpn.ovpn + user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file From 54bc008961ef226a8b477dd3a69aca08b8ada6de Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 24 Sep 2017 23:21:46 +0100 Subject: [PATCH 04/62] Check vpn client template exists --- src/freedombone-app-vpn | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 323242fb..f915febf 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
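Review bot: The client-key cleanup loop added to `remove_vpn` shreds each user's `$OPENVPN_KEY_FILENAME`, yet the server-side material removed a few lines above by `rm -rf /etc/openvpn` (which at that point holds ca.key and the server key under easy-rsa/keys) is only unlinked, so the CA private key gets weaker disposal than the client copies; if shredding is the intent, `shred -zu /etc/openvpn/easy-rsa/keys/*.key` before the `rm -rf` keeps the two consistent. The username extraction `USERNAME=$(echo "$d" | awk -F '/' '{print $3}')` spawns a process per home directory where parameter expansion does the same job: `USERNAME=${d%/}; USERNAME=${USERNAME##*/}`. `remove_vpn` begins outside the hunk.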
@@ -123,6 +123,11 @@ y user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME + if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/client.conf ]; then + echo $'No VPN client template found' + exit 429823 + fi + cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file sed -i 's|;user nobody|user nobody|g' $user_vpn_cert_file From 01c182b6689cfd48b9a1f72d90ccf10a5c41863e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 24 Sep 2017 23:37:41 +0100 Subject: [PATCH 05/62] Backup and restore vpn keys --- src/freedombone-app-vpn | 50 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index f915febf..3a138060 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
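Review bot: The template check is placed after `./build-key` has already run (earlier in `create_user_vpn_key`, outside this hunk), so when client.conf is missing the function exits having already signed and recorded a client certificate that no profile will ever use; moving the `if [ ! -f .../client.conf ]` block to the top of the function, next to the `/home/$username` check, avoids consuming a serial and leaving an orphaned cert/key pair in easy-rsa/keys. The check itself is consistent with the server.conf.gz check in `install_vpn`.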
@@ -64,19 +64,61 @@ function upgrade_vpn { } function backup_local_vpn { - echo -n '' + for d in /home/*/ ; do + USERNAME=$(echo "$d" | awk -F '/' '{print $3}') + if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then + cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} + fi + done + + function_check backup_directory_to_usb + backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn } function restore_local_vpn { - echo -n '' + temp_restore_dir=/root/tempvpn + restore_directory_from_usb $temp_restore_dir vpn + if [ -d ${temp_restore_dir} ]; then + cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys + rm -rf ${temp_restore_dir} + + for d in /home/*/ ; do + USERNAME=$(echo "$d" | awk -F '/' '{print $3}') + if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then + cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME + chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME + fi + done + fi } function backup_remote_vpn { - echo -n '' + for d in /home/*/ ; do + USERNAME=$(echo "$d" | awk -F '/' '{print $3}') + if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then + cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} + fi + done + + function_check backup_directory_to_friend + backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn } function restore_remote_vpn { - echo -n '' + temp_restore_dir=/root/tempvpn + restore_directory_from_friend $temp_restore_dir vpn + if [ -d ${temp_restore_dir} ]; then + cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys + rm -rf ${temp_restore_dir} + + for d in /home/*/ ; do + USERNAME=$(echo "$d" | awk -F '/' '{print $3}') + if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then + cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME + chown $USERNAME:$USERNAME 
/home/$USERNAME/$OPENVPN_KEY_FILENAME + fi + done + fi } function remove_vpn { From 29671b04adbfa969d4e09ccc1ddd838b275eda14 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 10:23:03 +0100 Subject: [PATCH 06/62] Store ip address used for forwarding --- src/freedombone-utils-firewall | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index b2187d51..90f31a1c 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall 
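Review bot: `backup_local_vpn` and `backup_remote_vpn` copy each user's profile — which embeds that user's private key — into /etc/openvpn/easy-rsa/keys so it rides along with the directory backup, but the copies are never removed afterwards, so every backup leaves a second copy of each client key on disk that `remove_vpn`'s shred loop does not know about; delete them after the `backup_directory_to_*` call with `rm -f /etc/openvpn/easy-rsa/keys/*_${OPENVPN_KEY_FILENAME}`. Both restore paths `chown` the restored profile but never set its mode, so it keeps whatever permissions the backup medium gave it; add `chmod 600 /home/$USERNAME/$OPENVPN_KEY_FILENAME` after each `chown`. The backup functions `function_check` their helper while `restore_directory_from_usb` and `restore_directory_from_friend` are called unchecked, and `cp -r ${temp_restore_dir}/*` is unquoted. The restored directory also brings ca.key back, which deserves a comment since the CA key is the most sensitive thing the backup carries.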
@@ -110,24 +110,30 @@ function enable_ipv6 { } function firewall_deny_forwarding { - iptables -D INPUT -i $FIREWALL_EIFACE -m state --state NEW -p udp --dport 1194 -j ACCEPT + read_config_param CURRENT_IPV4_ADDRESS + if [ ! $CURRENT_IPV4_ADDRESS ]; then + return + fi + iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT - iptables -D FORWARD -i tun+ -o $FIREWALL_EIFACE -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -D FORWARD -i $FIREWALL_EIFACE -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -D POSTROUTING -s $(get_ipv4_address)/24 -o $FIREWALL_EIFACE -j MASQUERADE + iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -D POSTROUTING -s ${CURRENT_IPV4_ADDRESS}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -D OUTPUT -o tun+ -j ACCEPT save_firewall_settings } function firewall_allow_forwarding { - iptables -A INPUT -i $FIREWALL_EIFACE -m state --state NEW -p udp --dport 1194 -j ACCEPT + curr_ipv4_address=$(get_ipv4_address) + iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT - iptables -A FORWARD -i tun+ -o $FIREWALL_EIFACE -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -A FORWARD -i $FIREWALL_EIFACE -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -s $(get_ipv4_address)/24 -o $FIREWALL_EIFACE -j MASQUERADE + iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT + iptables -t nat -A POSTROUTING -s ${curr_ipv4_address}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE 
iptables -A OUTPUT -o tun+ -j ACCEPT + write_config_param CURRENT_IPV4_ADDRESS "$curr_ipv4_address" save_firewall_settings } From 021a850a5eb837136fe674168be1cb1fb58d0d68 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 10:52:17 +0100 Subject: [PATCH 07/62] Change dns used for external IP address detection --- src/freedombone-utils-network | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/freedombone-utils-network b/src/freedombone-utils-network index 2befcc1a..7ae83975 100755 --- a/src/freedombone-utils-network +++ b/src/freedombone-utils-network @@ -31,6 +31,12 @@ # If the system is on an IPv6 network IPV6_NETWORK='2001:470:26:307' +# Destinations used to get the external IP address of this system +# Google ipv6 DNS is 2001:4860:4860::8888 +IPV4_ADDRESS_TEST_DESTINATION='85.214.73.63' +IPV6_ADDRESS_TEST_DESTINATION='2620:0:ccc::2' + + # The static IP address of the system within the local network # By default the IP address is dynamic within your LAN LOCAL_NETWORK_STATIC_IP_ADDRESS= @@ -65,12 +71,12 @@ function install_static_network { } function get_ipv4_address { - IPv4dev=$(ip route get 8.8.8.8 | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}') + IPv4dev=$(ip route get $IPV4_ADDRESS_TEST_DESTINATION | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}') echo $(ip -o -f inet addr show dev "$IPv4dev" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}') } function get_ipv6_address { - echo $(ip -6 route get 2001:4860:4860::8888 | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }') + echo $(ip -6 route get $IPV6_ADDRESS_TEST_DESTINATION | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }') } # NOTE: deliberately no exit 0 From aec19a487698e12781820d107e3c00276a512e4c Mon Sep 17 00:00:00 2001 
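Review bot: The early `return` added to `firewall_deny_forwarding` when `CURRENT_IPV4_ADDRESS` is unset skips every rule deletion, not just the NAT one, so a host whose config lacks the parameter (for example one that enabled the VPN before this commit) keeps the open 1194 port and the tun+ ACCEPT rules after `remove_vpn`; guard only the MASQUERADE line, `if [ "$CURRENT_IPV4_ADDRESS" ]; then iptables -t nat -D POSTROUTING -s ${CURRENT_IPV4_ADDRESS}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE; fi`, and let the rest run unconditionally. `[ ! $CURRENT_IPV4_ADDRESS ]` should quote the expansion, and `curr_ipv4_address` in `firewall_allow_forwarding` is a global that should be declared `local`.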
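Review bot: `IPV4_ADDRESS_TEST_DESTINATION='85.214.73.63'` is a bare literal with no comment saying whose address it is, while the IPv6 counterpart on the line above is explained, so a reader cannot judge whether it is stable or why it was chosen. Since `ip route get` only consults the local routing table and sends nothing, any routable address serves the purpose, which is worth stating: `# Any routable address will do: 'ip route get' only queries the routing table, no packet is sent`. Either name the host 85.214.73.63 belongs to in that comment or replace it with one the comment already identifies.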
From: Bob Mottram Date: Mon, 25 Sep 2017 11:10:26 +0100 Subject: [PATCH 08/62] Show external ipv4 address on about screen --- src/freedombone-controlpanel | 2 +- src/freedombone-utils-network | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index c4eb712d..db4ae9c8 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -519,7 +519,7 @@ function show_ip_addresses { echo $'IP/DNS addresses' echo '================' echo '' - echo -n "IPv4: $(get_ipv4_address)" + echo -n "IPv4: $(get_ipv4_address)/$(get_external_ipv4_address)" ipv6_address="$(get_ipv6_address)" if [ ${#ipv6_address} -gt 0 ]; then echo " IPv6: ${ipv6_address}" diff --git a/src/freedombone-utils-network b/src/freedombone-utils-network index 7ae83975..51c3b4d7 100755 --- a/src/freedombone-utils-network +++ b/src/freedombone-utils-network @@ -31,11 +31,12 @@ # If the system is on an IPv6 network IPV6_NETWORK='2001:470:26:307' -# Destinations used to get the external IP address of this system -# Google ipv6 DNS is 2001:4860:4860::8888 +# Destinations used to get the local IP address of this system +# Google ipv6 DNS 2001:4860:4860::8888 +# OpenDNS ipv6 DNS 2620:0:ccc::2 IPV4_ADDRESS_TEST_DESTINATION='85.214.73.63' IPV6_ADDRESS_TEST_DESTINATION='2620:0:ccc::2' - +EXTERNAL_IP_LOOKUP_URL='ifcfg.me' # The static IP address of the system within the local network # By default the IP address is dynamic within your LAN @@ -70,6 +71,10 @@ function install_static_network { mark_completed $FUNCNAME } +function get_external_ipv4_address { + nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print $2}' +} + function get_ipv4_address { IPv4dev=$(ip route get $IPV4_ADDRESS_TEST_DESTINATION | awk '{for(i=1;i<=NF;i++)if($i~/dev/)print $(i+1)}') echo $(ip -o -f inet addr show dev "$IPv4dev" | awk '{print $4}' | awk 'END {print}' | awk -F '/' '{print $1}') 
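Review bot: `get_external_ipv4_address` returns whatever the last `Address` line of an `nslookup` against `$EXTERNAL_IP_LOOKUP_URL` contains, with no check that it is an IPv4 address, and later hunks feed that string unquoted into iptables arguments, `write_config_param` and (patch 12) a `sed -i` on the configuration file — so a failed lookup, a `;; connection timed out` message or a response shaped by an untrusted resolver ends up in rules and config. Validate before returning, e.g. `[[ "$addr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] && echo "$addr"`, and have callers treat an empty result as "leave the rules alone". `nslookup` is not in the packages this series installs (on Debian it comes from dnsutils), so a `command -v nslookup` check or an install line is needed; `EXTERNAL_IP_LOOKUP_URL` holds a hostname rather than a URL, so `EXTERNAL_IP_LOOKUP_HOST` would read better.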
From 71add551754aaad6fbffcfd4fea4eb3b3a8e6cd3 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 11:35:27 +0100 Subject: [PATCH 09/62] More obvious variable name --- src/freedombone-utils-firewall | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 90f31a1c..d2f28188 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -33,6 +33,7 @@ FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg FIREWALL_EIFACE=eth0 +EXTERNAL_IPV4_ADDRESS= function save_firewall_settings { iptables-save > /etc/firewall.conf @@ -110,8 +111,8 @@ function enable_ipv6 { } function firewall_deny_forwarding { - read_config_param CURRENT_IPV4_ADDRESS - if [ ! $CURRENT_IPV4_ADDRESS ]; then + read_config_param EXTERNAL_IPV4_ADDRESS + if [ ! $EXTERNAL_IPV4_ADDRESS ]; then return fi iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT @@ -119,13 +120,13 @@ function firewall_deny_forwarding { iptables -D FORWARD -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -D POSTROUTING -s ${CURRENT_IPV4_ADDRESS}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE + iptables -t nat -D POSTROUTING -s ${EXTERNAL_IPV4_ADDRESS}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -D OUTPUT -o tun+ -j ACCEPT save_firewall_settings } function firewall_allow_forwarding { - curr_ipv4_address=$(get_ipv4_address) + curr_ipv4_address=$(get_external_ipv4_address) iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT 
@@ -133,7 +134,7 @@ function firewall_allow_forwarding { iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -t nat -A POSTROUTING -s ${curr_ipv4_address}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -A OUTPUT -o tun+ -j ACCEPT - write_config_param CURRENT_IPV4_ADDRESS "$curr_ipv4_address" + write_config_param EXTERNAL_IPV4_ADDRESS "$curr_external_ipv4_address" save_firewall_settings } From 6745a213248cf4ca6f5897d6fb1d2e19f0ded77c Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 11:37:15 +0100 Subject: [PATCH 10/62] External --- src/freedombone-utils-firewall | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index d2f28188..7ebc5a4f 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -126,13 +126,13 @@ function firewall_deny_forwarding { } function firewall_allow_forwarding { - curr_ipv4_address=$(get_external_ipv4_address) + curr_external_ipv4_address=$(get_external_ipv4_address) iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -s ${curr_ipv4_address}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE + iptables -t nat -A POSTROUTING -s ${curr_external_ipv4_address}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -A OUTPUT -o tun+ -j ACCEPT write_config_param EXTERNAL_IPV4_ADDRESS "$curr_external_ipv4_address" save_firewall_settings From 7e888f5de5a90fc1a139396f058d684d52f24f9e Mon Sep 17 00:00:00 2001 
From: Bob Mottram Date: Mon, 25 Sep 2017 11:38:39 +0100 Subject: [PATCH 11/62] Better vpn function names --- src/freedombone-app-vpn | 4 ++-- src/freedombone-utils-firewall | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 3a138060..3d66e343 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -126,7 +126,7 @@ function remove_vpn { if [ -d /etc/openvpn ]; then rm -rf /etc/openvpn fi - firewall_deny_forwarding + firewall_disable_vpn remove_completion_param install_vpn # remove any client keys @@ -269,7 +269,7 @@ y create_user_vpn_key $MY_USERNAME - firewall_allow_forwarding + firewall_enable_vpn systemctl openvpn start APP_INSTALLED=1 diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 7ebc5a4f..e23943ab 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -110,7 +110,7 @@ function enable_ipv6 { echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } -function firewall_deny_forwarding { +function firewall_disable_vpn { read_config_param EXTERNAL_IPV4_ADDRESS if [ ! $EXTERNAL_IPV4_ADDRESS ]; then return @@ -125,7 +125,7 @@ function firewall_deny_forwarding { save_firewall_settings } -function firewall_allow_forwarding { +function firewall_enable_vpn { curr_external_ipv4_address=$(get_external_ipv4_address) iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT From d73f5a6785b407078ea153f75f1f579249ede95d Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 14:28:18 +0100 Subject: [PATCH 12/62] cron entry to update external IP for vpn --- src/freedombone-utils-firewall | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index e23943ab..be7beb57 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall 
@@ -110,11 +110,27 @@ function enable_ipv6 { echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } +function firewall_update_external_ip { + ip_update_script=/usr/bin/externalipupdate + echo '#!/bin/bash' >> $ip_update_script + echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script + echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script + echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script + echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script + echo " iptables -t nat -D POSTROUTING -s \${curr_ip}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE" >> $ip_update_script + echo " iptables -t nat -A POSTROUTING -s \${curr_ip}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE" >> $ip_update_script + echo ' iptables-save > /etc/firewall.conf' >> $ip_update_script + echo 'fi' >> $ip_update_script + + cron_add_mins 10 $ip_update_script +} + function firewall_disable_vpn { read_config_param EXTERNAL_IPV4_ADDRESS if [ ! $EXTERNAL_IPV4_ADDRESS ]; then return fi + sed -i '/externalipupdate/d' /etc/crontab iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT @@ -136,6 +152,8 @@ function firewall_enable_vpn { iptables -A OUTPUT -o tun+ -j ACCEPT write_config_param EXTERNAL_IPV4_ADDRESS "$curr_external_ipv4_address" save_firewall_settings + + firewall_update_external_ip } function configure_firewall { From 88d45d0b23019213f0dfdd8ba4ffe164f8f5b081 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 14:40:12 +0100 Subject: [PATCH 13/62] Don't display unreachable address --- src/freedombone-controlpanel | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
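Review bot: The generated /usr/bin/externalipupdate cannot run as written: the `existing_ip=` line ends with a stray `'` (`... '{print \$2}')'`), leaving an unterminated single quote in the script, and every line is written with `>>`, so each call to `firewall_update_external_ip` appends another full copy instead of replacing the file. The update logic also never removes the stale rule — both the `-D` and the `-A` use `${curr_ip}`, so the old MASQUERADE entry with `${existing_ip}` stays and rules accumulate on every address change — and `${curr_ip}` goes straight from DNS output into `sed -i` on the configuration file and into iptables with no format check. `firewall_disable_vpn` deletes the crontab entry but leaves the script in place, so a `rm -f /usr/bin/externalipupdate` there would match. A heredoc written once with `>` fixes the quoting and the duplication; the tunnel-subnet question raised on the patch 01 firewall hunk applies to this rule as well.
```shell
function firewall_update_external_ip {
    ip_update_script=/usr/bin/externalipupdate
    # Written once with '>' so re-running the installer replaces the script
    # instead of appending a second copy. Installer values ($CONFIGURATION_FILE,
    # $EXTERNAL_IP_LOOKUP_URL, $FIREWALL_EIFACE) expand here; the script's own
    # variables are escaped with \$ so they survive into the file.
    cat > $ip_update_script <<EOF
#!/bin/bash
existing_ip=\$(grep "EXTERNAL_IPV4_ADDRESS=" $CONFIGURATION_FILE | head -n 1 | awk -F '=' '{print \$2}')
curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')
# Only act on a dotted-quad; error text or an empty lookup leaves config and rules untouched
if [[ ! "\$curr_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}\$ ]]; then
    exit 0
fi
if [[ "\$curr_ip" != "\$existing_ip" ]]; then
    sed -i "s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g" $CONFIGURATION_FILE
    # drop the rule for the previous address, then add the new one
    iptables -t nat -D POSTROUTING -s \${existing_ip}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
    iptables -t nat -A POSTROUTING -s \${curr_ip}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE
    iptables-save > /etc/firewall.conf
fi
EOF
    chmod 755 $ip_update_script   # in case cron_add_mins does not set the mode

    cron_add_mins 10 $ip_update_script
}
```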
diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index db4ae9c8..cc126b91 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -522,7 +522,9 @@ function show_ip_addresses { echo -n "IPv4: $(get_ipv4_address)/$(get_external_ipv4_address)" ipv6_address="$(get_ipv6_address)" if [ ${#ipv6_address} -gt 0 ]; then - echo " IPv6: ${ipv6_address}" + if [[ "$ipv6_address" != *'unreachable'* ]]; then + echo " IPv6: ${ipv6_address}" + fi fi echo '' echo '' From 6e15f791d84eaab785ac233670c4d2bdb7172430 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 14:54:23 +0100 Subject: [PATCH 14/62] Different way of trapping ipv6 address error --- src/freedombone-controlpanel | 4 +--- src/freedombone-utils-network | 3 ++- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index cc126b91..db4ae9c8 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -522,9 +522,7 @@ function show_ip_addresses { echo -n "IPv4: $(get_ipv4_address)/$(get_external_ipv4_address)" ipv6_address="$(get_ipv6_address)" if [ ${#ipv6_address} -gt 0 ]; then - if [[ "$ipv6_address" != *'unreachable'* ]]; then - echo " IPv6: ${ipv6_address}" - fi + echo " IPv6: ${ipv6_address}" fi echo '' echo '' diff --git a/src/freedombone-utils-network b/src/freedombone-utils-network index 51c3b4d7..9812a9b8 100755 --- a/src/freedombone-utils-network +++ b/src/freedombone-utils-network @@ -81,7 +81,8 @@ function get_ipv4_address { } function get_ipv6_address { - echo $(ip -6 route get $IPV6_ADDRESS_TEST_DESTINATION | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }') + retval=$(ip -6 route get $IPV6_ADDRESS_TEST_DESTINATION 2> /dev/null) + echo $(echo "$retval" | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }') } # NOTE: deliberately no exit 0 From 334dbce583325fbce6539c03dc0b4c5a89395a35 Mon Sep 17 00:00:00 2001 
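Review bot: In `get_ipv6_address` the new `retval` is assigned without `local`, so it lands in the caller's namespace every time the address is displayed; `local retval` fixes that. The output line `echo $(echo "$retval" | awk ...)` runs two subshells and an unquoted expansion to do what `awk -F " " '...' <<<"$retval"` does directly. Redirecting stderr is a sounder fix than patch 13's substring match, but a short comment on why the earlier approach was dropped would stop the next reader from re-adding it — note that `ip route get` can also report an unreachable destination on stdout as an `unreachable ...` route; the awk only prints the `src` field, so the result is empty in both cases, and saying so in a comment makes the behaviour intentional rather than accidental.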
From: Bob Mottram Date: Mon, 25 Sep 2017 15:28:52 +0100 Subject: [PATCH 15/62] Don't need static IP --- src/freedombone-app-vpn | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 3d66e343..98bd9874 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -39,7 +39,6 @@ OPENVPN_SERVER_NAME="${PROJECT_NAME}-vpn" OPENVPN_KEY_FILENAME='vpn.ovpn' vpn_variables=(MY_EMAIL_ADDRESS - LOCAL_NETWORK_STATIC_IP_ADDRESS MY_USERNAME) function logging_on_vpn { @@ -211,10 +210,6 @@ function remove_user_vpn { } function install_vpn { - if [ ! $LOCAL_NETWORK_STATIC_IP_ADDRESS ]; then - return - fi - apt-get -yq install fastd openvpn easy-rsa if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then From 190e37043d8e51cbf3073d9869ae65fcd24f821f Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 15:33:00 +0100 Subject: [PATCH 16/62] Only generate dhparams if needed --- src/freedombone-app-vpn | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 98bd9874..95a4eecd 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -238,7 +238,9 @@ function install_vpn { sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" /etc/openvpn/easy-rsa/vars sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" /etc/openvpn/easy-rsa/vars sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" /etc/openvpn/easy-rsa/vars - openssl dhparam -out /etc/openvpn/dh2048.pem 2048 + if [ ! -f /etc/openvpn/dh2048.pem ]; then + openssl dhparam -out /etc/openvpn/dh2048.pem 2048 + fi cd /etc/openvpn/easy-rsa . ./vars ./clean-all From e33b9ff6c5a27f254d63302fc7b71304f6d51ced Mon Sep 17 00:00:00 2001 
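Review bot: The existence check makes DH parameter generation idempotent, but the `./clean-all` and `./build-ca` that follow a few lines below in the same function (visible in patch 01's hunk) still wipe easy-rsa/keys and mint a fresh CA on every run of `install_vpn`, which invalidates every client profile previously issued by `create_user_vpn_key`; the same `[ ! -f ... ]` guard around the CA step, keyed on /etc/openvpn/easy-rsa/keys/ca.crt, would give re-installs the idempotence this hunk gives dhparam. `install_vpn` begins and ends outside the hunk.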
From: Bob Mottram Date: Mon, 25 Sep 2017 15:45:30 +0100 Subject: [PATCH 17/62] More carriage returns --- src/freedombone-app-vpn | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 95a4eecd..59ffedb1 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -244,9 +244,26 @@ function install_vpn { cd /etc/openvpn/easy-rsa . ./vars ./clean-all - ./build-ca + cp openssl-1.0.0.cnf openssl.cnf echo ' + + + + + + +' | ./build-ca + echo ' + + + + + + + + + y y ' | ./build-key-server $OPENVPN_SERVER_NAME From 88814202a6e9a58ba55d8c1a567b66a9256ea746 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 15:46:59 +0100 Subject: [PATCH 18/62] More carriage returns --- src/freedombone-app-vpn | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 59ffedb1..08b4f86b 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -149,6 +149,14 @@ function create_user_vpn_key { cd /etc/openvpn/easy-rsa echo ' + + + + + + + + y y ' | ./build-key "$username" From 26d3d9dcd3d6d4c1ac90d79ace3a269dcf1e752f Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 16:04:10 +0100 Subject: [PATCH 19/62] Add vpn port to firewall --- src/freedombone-utils-firewall | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index be7beb57..c80ba763 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -139,6 +139,7 @@ function firewall_disable_vpn { iptables -t nat -D POSTROUTING -s ${EXTERNAL_IPV4_ADDRESS}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -D OUTPUT -o tun+ -j ACCEPT save_firewall_settings + sed -i '/VPN=/d' $FIREWALL_CONFIG } function firewall_enable_vpn { 
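Review bot: Answering easy-rsa's prompts by piping a fixed number of blank lines and two `y`s into `./build-ca` and `./build-key-server` (and, in patch 18, `./build-key`) ties the install to the exact prompt sequence of this easy-rsa version; one extra or missing prompt and a `y` lands in a subject field, or the signing question reads EOF and no certificate is written, which the `-f .../$OPENVPN_SERVER_NAME.crt` checks only catch after the fact. easy-rsa 2.x ships `pkitool`, whose `--batch` mode takes the subject from the exported KEY_* variables that `vars` already sets and signs without prompting — `./pkitool --batch --initca`, `./pkitool --batch --server $OPENVPN_SERVER_NAME` and `./pkitool --batch "$username"` after `. ./vars` — which removes the prompt dependency entirely. If the piped answers stay, a comment stating how many prompts each script asks and which easy-rsa version that was checked against is the minimum a maintainer needs.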
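Review bot: `sed -i '/VPN=/d' $FIREWALL_CONFIG` deletes every line containing `VPN=` anywhere, so any other firewall entry whose name happens to end in VPN (a hypothetical `OPENVPN=` line, say) would go with it; anchor the pattern: `sed -i '/^VPN=/d' $FIREWALL_CONFIG`. `firewall_disable_vpn` begins outside the hunk.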
@@ -154,6 +155,7 @@ function firewall_enable_vpn { save_firewall_settings firewall_update_external_ip + echo "VPN=1194" >> $FIREWALL_CONFIG } function configure_firewall { From 1ed9361f77722cce54e473a7643aa33bd791883f Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 16:18:37 +0100 Subject: [PATCH 20/62] Check for versioned configuration --- src/freedombone-app-vpn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 08b4f86b..ef00b7dc 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -252,6 +252,10 @@ function install_vpn { cd /etc/openvpn/easy-rsa . ./vars ./clean-all + if [ ! -f openssl-1.0.0.cnf ]; then + echo $'openssl-1.0.0.cnf was not found' + exit 7392353 + fi cp openssl-1.0.0.cnf openssl.cnf echo ' From e9c47c397e893a2ea6a1e6f51e6a2e860a6b05ca Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 17:10:33 +0100 Subject: [PATCH 21/62] vpn ip range --- src/freedombone-utils-firewall | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index c80ba763..94f161f4 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall 
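Review bot: `exit 7392353` cannot deliver that value to the caller: bash truncates the exit status to eight bits, so `$?` is 97 here, and the other large codes in this file collapse the same way (783528 becomes 168). If the numbers are meant as searchable markers they only survive in the log line, so printing the code in the message, e.g. `echo $"openssl-1.0.0.cnf was not found (7392353)"`, would preserve that intent; if they are meant to be distinguishable exit statuses they need to stay below 256. The check is otherwise fine, but `cd /etc/openvpn/easy-rsa` two lines above it is unchecked, so if that directory is missing the relative `-f` test runs in whatever the current directory happens to be. install_vpn's body continues outside the hunk.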
@@ -110,15 +110,13 @@ function enable_ipv6 { echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } -function firewall_update_external_ip { +function update_external_ip { ip_update_script=/usr/bin/externalipupdate echo '#!/bin/bash' >> $ip_update_script echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script - echo " iptables -t nat -D POSTROUTING -s \${curr_ip}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE" >> $ip_update_script - echo " iptables -t nat -A POSTROUTING -s \${curr_ip}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE" >> $ip_update_script echo ' iptables-save > /etc/firewall.conf' >> $ip_update_script echo 'fi' >> $ip_update_script 
@@ -126,35 +124,28 @@ function firewall_update_external_ip { } function firewall_disable_vpn { - read_config_param EXTERNAL_IPV4_ADDRESS - if [ ! $EXTERNAL_IPV4_ADDRESS ]; then - return - fi - sed -i '/externalipupdate/d' /etc/crontab iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -D FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -D POSTROUTING -s ${EXTERNAL_IPV4_ADDRESS}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE + iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -D OUTPUT -o tun+ -j ACCEPT save_firewall_settings + sed -i '/VPN=/d' $FIREWALL_CONFIG } function firewall_enable_vpn { - curr_external_ipv4_address=$(get_external_ipv4_address) iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i ${FIREWALL_EIFACE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT - iptables -t nat -A POSTROUTING -s ${curr_external_ipv4_address}/24 -o ${FIREWALL_EIFACE} -j MASQUERADE + iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -A OUTPUT -o tun+ -j ACCEPT - write_config_param EXTERNAL_IPV4_ADDRESS "$curr_external_ipv4_address" save_firewall_settings - firewall_update_external_ip echo "VPN=1194" >> $FIREWALL_CONFIG } From e6e7711f65387bce7f598982c18f34cc203bf7a3 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 17:11:18 +0100 Subject: [PATCH 22/62] Only append to firewall list if needed --- src/freedombone-utils-firewall | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
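Review bot: The MASQUERADE source 10.8.0.0/24 is now hard-coded in both firewall_disable_vpn and firewall_enable_vpn, and it only lines up because install_vpn never changes the sample server.conf's default `server 10.8.0.0 255.255.255.0`; if either side is changed later, masquerading silently stops. Define it once, e.g. `VPN_SUBNET='10.8.0.0/24'` next to the other firewall constants, and use `-s ${VPN_SUBNET}` in both rules. Separately, the kept `iptables -A FORWARD -i tun+ -j ACCEPT` is interface-scoped rather than destination-scoped, so VPN clients can reach anything the server can, including the local network; if that is not intended, restrict it with `-o ${FIREWALL_EIFACE}` like the state-tracking rule below it.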
diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 94f161f4..574faffa 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -146,7 +146,9 @@ function firewall_enable_vpn { iptables -A OUTPUT -o tun+ -j ACCEPT save_firewall_settings - echo "VPN=1194" >> $FIREWALL_CONFIG + if ! grep -q "VPN=" $FIREWALL_CONFIG; then + echo "VPN=1194" >> $FIREWALL_CONFIG + fi } function configure_firewall { From d29cc73898f02d8ada26683081aa142b5bae64d4 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 17:18:59 +0100 Subject: [PATCH 23/62] Move external ip function --- src/freedombone-utils-firewall | 13 ------------- src/freedombone-utils-network | 13 +++++++++++++ 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 574faffa..803ed5e5 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -110,19 +110,6 @@ function enable_ipv6 { echo 1 > /proc/sys/net/ipv6/conf/all/forwarding } -function update_external_ip { - ip_update_script=/usr/bin/externalipupdate - echo '#!/bin/bash' >> $ip_update_script - echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script - echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script - echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script - echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script - echo ' iptables-save > /etc/firewall.conf' >> $ip_update_script - echo 'fi' >> $ip_update_script - - cron_add_mins 10 $ip_update_script -} - function firewall_disable_vpn { iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT 
diff --git a/src/freedombone-utils-network b/src/freedombone-utils-network index 9812a9b8..f1e45cea 100755 --- a/src/freedombone-utils-network +++ b/src/freedombone-utils-network @@ -85,4 +85,17 @@ function get_ipv6_address { echo $(echo "$retval" | awk -F " " '{ for(i=1;i<=NF;i++) if ($i == "src") print $(i+1) }') } +function update_external_ip { + ip_update_script=/usr/bin/externalipupdate + echo '#!/bin/bash' >> $ip_update_script + echo "existing_ip=\$(cat $CONFIGURATION_FILE | grep \"EXTERNAL_IPV4_ADDRESS=\" | head -n 1 | awk -F '=' '{print \$2}')'" >> $ip_update_script + echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script + echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script + echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script + echo ' iptables-save > /etc/firewall.conf' >> $ip_update_script + echo 'fi' >> $ip_update_script + + cron_add_mins 10 $ip_update_script +} + # NOTE: deliberately no exit 0 From 496aa4c5dcb9f3e0dff02bd2af3ca7d75639fe9b Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 17:21:53 +0100 Subject: [PATCH 24/62] Log the times when external IP address changes --- src/freedombone-utils-network | 1 + 1 file changed, 1 insertion(+) diff --git a/src/freedombone-utils-network b/src/freedombone-utils-network index f1e45cea..e67bc877 100755 --- a/src/freedombone-utils-network +++ b/src/freedombone-utils-network @@ -93,6 +93,7 @@ function update_external_ip { echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script echo ' iptables-save > /etc/firewall.conf' >> $ip_update_script + echo " echo \"\$(date)\" >> ~/${PROJECT_NAME}-external-ip-changes.txt" >> $ip_update_script echo 'fi' >> $ip_update_script cron_add_mins 10 $ip_update_script 
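Review bot: The generated script is syntactically broken and grows on every run: the `existing_ip=` line carries a stray trailing `'` after `awk -F '=' '{print \$2}')`, which leaves an unterminated quote in /usr/bin/externalipupdate, and every line is appended with `>>`, so each call of update_external_ip adds another copy of the script starting with a second `#!/bin/bash`. Drop the stray quote, write the first line with `echo '#!/bin/bash' > $ip_update_script` so the file is rewritten rather than extended, and add `chmod +x $ip_update_script` before `cron_add_mins` unless that helper sets the mode itself. These lines existed before the move, so the defect is not introduced by this commit, but the move is the natural moment to fix it.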
From dbe966bb9087b86d5a75153451419405e4906d4d Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 17:29:27 +0100 Subject: [PATCH 25/62] Tidying --- src/freedombone-app-vpn | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index ef00b7dc..31845d7b 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -252,11 +252,12 @@ function install_vpn { cd /etc/openvpn/easy-rsa . ./vars ./clean-all - if [ ! -f openssl-1.0.0.cnf ]; then - echo $'openssl-1.0.0.cnf was not found' + vpn_openssl_version='1.0.0' + if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then + echo $"openssl-${vpn_openssl_version}.cnf was not found" exit 7392353 fi - cp openssl-1.0.0.cnf openssl.cnf + cp openssl-${vpn_openssl_version}.cnf openssl.cnf echo ' From 6cd292e51a8d233e16859f23f1851644b4a9a722 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 17:57:58 +0100 Subject: [PATCH 26/62] Tidying --- src/freedombone-utils-network | 1 - 1 file changed, 1 deletion(-) diff --git a/src/freedombone-utils-network b/src/freedombone-utils-network index e67bc877..ce0fb3c6 100755 --- a/src/freedombone-utils-network +++ b/src/freedombone-utils-network @@ -92,7 +92,6 @@ function update_external_ip { echo "curr_ip=\$(nslookup . $EXTERNAL_IP_LOOKUP_URL | grep Address | tail -n 1 | awk -F ' ' '{print \$2}')" >> $ip_update_script echo 'if [[ "$curr_ip" != "$existing_ip" ]]; then' >> $ip_update_script echo " sed -i \"s|EXTERNAL_IPV4_ADDRESS=.*|EXTERNAL_IPV4_ADDRESS=\${curr_ip}|g\" $CONFIGURATION_FILE" >> $ip_update_script - echo ' iptables-save > /etc/firewall.conf' >> $ip_update_script echo " echo \"\$(date)\" >> ~/${PROJECT_NAME}-external-ip-changes.txt" >> $ip_update_script echo 'fi' >> $ip_update_script From 00d1e643c6f44114f99417a02c051e23c92bf807 Mon Sep 17 00:00:00 2001 
From: Bob Mottram Date: Mon, 25 Sep 2017 18:42:51 +0100 Subject: [PATCH 27/62] Starting vpn daemon --- src/freedombone-app-vpn | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 31845d7b..8abd7819 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -121,6 +121,7 @@ function restore_remote_vpn { } function remove_vpn { + systemctl stop openvpn apt-get -yq remove --purge fastd openvpn easy-rsa if [ -d /etc/openvpn ]; then rm -rf /etc/openvpn @@ -297,7 +298,7 @@ y create_user_vpn_key $MY_USERNAME firewall_enable_vpn - systemctl openvpn start + systemctl start openvpn APP_INSTALLED=1 } From 5ec792bcd6fb840418a77fa66a92a223abe812ec Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 19:06:00 +0100 Subject: [PATCH 28/62] Stop forwarding when removing vpn --- src/freedombone-app-vpn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 8abd7819..d3612e6f 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -127,6 +127,10 @@ function remove_vpn { rm -rf /etc/openvpn fi firewall_disable_vpn + + echo 0 > /proc/sys/net/ipv4/ip_forward + sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf + remove_completion_param install_vpn # remove any client keys From dea56279e40433ed9209bb19e0c896683dafaa4e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 21:54:54 +0100 Subject: [PATCH 29/62] Don't use ta.key --- src/freedombone-app-vpn | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index d3612e6f..5285c22a 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
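Review bot: `systemctl start openvpn` is the last real step of install_vpn, yet its status is not checked, so a server.conf that OpenVPN rejects still leaves the install marked complete with `APP_INSTALLED=1`. Follow it with a check such as `systemctl is-active --quiet openvpn || { echo $'openvpn failed to start'; exit <exit-code>; }` using one of this file's exit codes, and add `systemctl enable openvpn` if the Debian package does not already enable the unit (it normally does). install_vpn's body begins outside the hunk.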
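Review bot: remove_vpn now disables IPv4 forwarding for the whole host with `echo 0 > /proc/sys/net/ipv4/ip_forward` and rewrites sysctl.conf to match, regardless of whether anything else on the machine relies on forwarding; install_vpn only ever uncommented the setting and never recorded what it was beforehand. Since it is not visible here whether other apps in this project enable forwarding too, either leave the kernel setting alone on removal, or record the previous value at install time and restore that. At minimum a comment such as `# forwarding was enabled by install_vpn; nothing else here is known to need it` records the assumption being made. remove_vpn's body continues outside the hunk.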
@@ -190,6 +190,7 @@ y sed -i 's|ca ca.crt|;ca ca.crt|g' $user_vpn_cert_file sed -i 's|cert client.crt|;cert client.crt|g' $user_vpn_cert_file sed -i 's|key client.key|;key client.key|g' $user_vpn_cert_file + sed -i 's|tls-auth ta.key|;tls-auth ta.key|g' $user_vpn_cert_file echo '' >> $user_vpn_cert_file cat /etc/openvpn/ca.crt >> $user_vpn_cert_file @@ -229,11 +230,14 @@ function install_vpn { echo $'Example openvpn server config not found' exit 783953 fi + + # server configuration gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf sed -i "s|;push \"redirect-gateway|push \"redirect-gateway|g" /etc/openvpn/server.conf sed -i 's|;push "dhcp-option|push "dhcp-option|g' /etc/openvpn/server.conf sed -i 's|;user nobody|user nobody|g' /etc/openvpn/server.conf sed -i 's|;group nogroup|group nogroup|g' /etc/openvpn/server.conf + echo 1 > /proc/sys/net/ipv4/ip_forward sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf @@ -244,6 +248,7 @@ function install_vpn { mkdir /etc/openvpn/easy-rsa/keys fi + # keys configuration sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" /etc/openvpn/easy-rsa/vars sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" /etc/openvpn/easy-rsa/vars sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" /etc/openvpn/easy-rsa/vars @@ -251,6 +256,8 @@ function install_vpn { sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" /etc/openvpn/easy-rsa/vars sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" /etc/openvpn/easy-rsa/vars sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" /etc/openvpn/easy-rsa/vars + + # generate host keys if [ ! -f /etc/openvpn/dh2048.pem ]; then openssl dhparam -out /etc/openvpn/dh2048.pem 2048 fi From 31fdd2dd2bf35e0bf1c6cf906637e2424a6cdb02 Mon Sep 17 00:00:00 2001 
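Review bot: Commenting out `tls-auth ta.key` on the client removes the HMAC wrapper that lets the server discard unauthenticated handshake packets, and the upstream sample server.conf that install_vpn copies ships with `tls-auth ta.key 0` enabled, so unless that is disabled elsewhere the client and server no longer agree and the handshake fails. The better fix is to keep it: generate the key once in install_vpn with `openvpn --genkey --secret /etc/openvpn/ta.key`, and in create_user_vpn_key embed it in the .ovpn inside a `<tls-auth>` block together with `key-direction 1`, the same way the ca/cert/key are inlined just below this hunk. create_user_vpn_key's body continues outside the hunk.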
From: Bob Mottram Date: Mon, 25 Sep 2017 22:00:52 +0100 Subject: [PATCH 30/62] Additional cert checks --- src/freedombone-app-vpn | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 5285c22a..6147a86c 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -170,10 +170,22 @@ y echo $'VPN user cert not generated' exit 783528 fi + user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt) + if [ ${#user_cert} -lt 10 ]; then + cat /etc/openvpn/easy-rsa/keys/$username.crt + echo $'User cert generation failed' + exit 634659 + fi if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then echo $'VPN user key not generated' exit 682523 fi + user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key) + if [ ${#user_key} -lt 10 ]; then + cat /etc/openvpn/easy-rsa/keys/$username.key + echo $'User key generation failed' + exit 285838 + fi user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME From 0a44e11e3fa7703349018c04acbf47e8afbd0dd9 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 22:13:50 +0100 Subject: [PATCH 31/62] Server vpn cert check --- src/freedombone-app-vpn | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 6147a86c..cd1a2462 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
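Review bot: On failure the new checks `cat` the freshly generated file to stdout, and for `$username.key` that writes private key material into the installer's output and anything that captures it; the cert dump is harmless, the key dump is not. Replace `cat /etc/openvpn/easy-rsa/keys/$username.key` with just the error message, and consider validating structurally rather than by length, e.g. `openssl x509 -noout -in /etc/openvpn/easy-rsa/keys/$username.crt` and `openssl rsa -check -noout -in /etc/openvpn/easy-rsa/keys/$username.key`, which also catch a truncated file longer than ten bytes. PATCH 31 repeats the same length check for the server cert and could use the same validation. create_user_vpn_key's body continues outside the hunk.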
@@ -304,11 +304,18 @@ function install_vpn { y y ' | ./build-key-server $OPENVPN_SERVER_NAME - if [ ! -f /etc/openvpn/easy-rsa/keys/$OPENVPN_SERVER_NAME.crt ]; then + if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then echo $'OpenVPN crt not found' exit 7823352 fi - if [ ! -f /etc/openvpn/easy-rsa/keys/$OPENVPN_SERVER_NAME.key ]; then + server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt) + if [ ${#server_cert} -lt 10 ]; then + cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt + echo $'Server cert generation failed' + exit 3284682 + fi + + if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then echo $'OpenVPN key not found' exit 6839436 fi From 76f8d4e47c5f02cd0680ff315937b36796e33b99 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 22:17:52 +0100 Subject: [PATCH 32/62] Delete existing vpn certs if needed --- src/freedombone-app-vpn | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index cd1a2462..335686e5 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -152,6 +152,17 @@ function create_user_vpn_key { echo $"Creating VPN key for $username" cd /etc/openvpn/easy-rsa + + if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then + rm /etc/openvpn/easy-rsa/keys/$username.crt + fi + if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then + rm /etc/openvpn/easy-rsa/keys/$username.key + fi + if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then + rm /etc/openvpn/easy-rsa/keys/$username.csr + fi + echo ' 
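Review bot: Deleting `$username.crt`/`.key`/`.csr` before `./build-key` does not remove the earlier issuance from the CA database in keys/index.txt, and as far as I recall easy-rsa 2's openssl config has `unique_subject = yes`, so re-running create_user_vpn_key for an existing user fails at signing with a TXT_DB duplicate-entry error instead of re-issuing. Revoke the old certificate first, e.g. `./revoke-full "$username"` (it needs the .crt, so run it before the `rm` lines), or set `unique_subject = no` in the copied openssl.cnf if re-issue without revocation is intended. The matching three deletions added for the server key in the second hunk are redundant there because `./clean-all` has just emptied the keys directory. create_user_vpn_key's body continues outside the hunk.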
@@ -282,6 +293,17 @@ function install_vpn { exit 7392353 fi cp openssl-${vpn_openssl_version}.cnf openssl.cnf + + if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then + rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt + fi + if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then + rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key + fi + if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then + rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr + fi + echo ' From fdaad4e96f54bed478c987d869f82d01676af0a0 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 22:34:35 +0100 Subject: [PATCH 33/62] non-interactive vpn install --- src/freedombone-app-vpn | 42 ++++++----------------------------------- 1 file changed, 6 insertions(+), 36 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 335686e5..4c9df8f7 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -163,19 +163,8 @@ function create_user_vpn_key { rm /etc/openvpn/easy-rsa/keys/$username.csr fi - echo ' - - - - - - - - - -y -y -' | ./build-key "$username" + sed -i 's| --interact||g' build-key + ./build-key "$username" if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then echo $'VPN user cert not generated' @@ -303,29 +292,10 @@ function install_vpn { if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr fi - - echo ' - - - - - - - -' | ./build-ca - echo ' - - - - - - - - - -y -y -' | ./build-key-server $OPENVPN_SERVER_NAME + sed -i 's| --interact||g' build-key-server + sed -i 's| --interact||g' build-ca + ./build-ca + ./build-key-server $OPENVPN_SERVER_NAME if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then echo $'OpenVPN crt not found' exit 7823352 From 874816cd053cd35d812589bf5d07621a60101c26 Mon Sep 17 00:00:00 2001 
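Review bot: `./build-ca` and `./build-key-server $OPENVPN_SERVER_NAME` still run without checking their status, so a failed CA build is only noticed by the later "OpenVPN crt not found" check, whose message points at the wrong step; `$OPENVPN_SERVER_NAME` is also unquoted. Rewriting the vendored wrappers with `sed -i 's| --interact||g'` works because they are one-line calls into pkitool, but calling it directly — `./pkitool --initca`, `./pkitool --server "$OPENVPN_SERVER_NAME"` and, in create_user_vpn_key, `./pkitool "$username"` — gives the same batch behaviour without patching easy-rsa's scripts, if I recall its interface correctly. Each call should be followed by a status check so the error names the step that failed. Both install_vpn and create_user_vpn_key continue outside their hunks.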
From: Bob Mottram Date: Mon, 25 Sep 2017 22:43:50 +0100 Subject: [PATCH 34/62] nobody --- src/freedombone-app-vpn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 4c9df8f7..4fcb6abb 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -197,7 +197,7 @@ function create_user_vpn_key { cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file sed -i 's|;user nobody|user nobody|g' $user_vpn_cert_file - sed -i 's|;group nogroup|group nogroup|g' $user_vpn_cert_file + sed -i 's|;group nogroup|group nobody|g' $user_vpn_cert_file sed -i 's|ca ca.crt|;ca ca.crt|g' $user_vpn_cert_file sed -i 's|cert client.crt|;cert client.crt|g' $user_vpn_cert_file @@ -248,7 +248,7 @@ function install_vpn { sed -i "s|;push \"redirect-gateway|push \"redirect-gateway|g" /etc/openvpn/server.conf sed -i 's|;push "dhcp-option|push "dhcp-option|g' /etc/openvpn/server.conf sed -i 's|;user nobody|user nobody|g' /etc/openvpn/server.conf - sed -i 's|;group nogroup|group nogroup|g' /etc/openvpn/server.conf + sed -i 's|;group nogroup|group nobody|g' /etc/openvpn/server.conf echo 1 > /proc/sys/net/ipv4/ip_forward sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf From f4281adfcdd25f6d0ee4248c82a8d26c4adfa023 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 23:13:36 +0100 Subject: [PATCH 35/62] tcp vpn port --- src/freedombone-utils-firewall | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 803ed5e5..6da00a26 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall 
@@ -111,7 +111,8 @@ function enable_ipv6 { } function firewall_disable_vpn { - iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT + iptables -D INPUT -p tcp --dport 1194 -j ACCEPT + iptables -D INPUT -p udp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT @@ -124,7 +125,8 @@ function firewall_disable_vpn { } function firewall_enable_vpn { - iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT + iptables -A INPUT -p tcp --dport 1194 -j ACCEPT + iptables -A INPUT -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT From 193f5aa20c3574cfd684e554b1d2efeaba552156 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 25 Sep 2017 23:35:11 +0100 Subject: [PATCH 36/62] Set maximum vpn clients --- src/freedombone-app-vpn | 1 + 1 file changed, 1 insertion(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 4fcb6abb..d48de147 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -249,6 +249,7 @@ function install_vpn { sed -i 's|;push "dhcp-option|push "dhcp-option|g' /etc/openvpn/server.conf sed -i 's|;user nobody|user nobody|g' /etc/openvpn/server.conf sed -i 's|;group nogroup|group nobody|g' /etc/openvpn/server.conf + sed -i 's|;max-clients.*|max-clients 2|g' /etc/openvpn/server.conf echo 1 > /proc/sys/net/ipv4/ip_forward sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf From 8434e38c9ef25afc9a3c7844bba7c7147249d788 Mon Sep 17 00:00:00 2001 
From: Bob Mottram Date: Tue, 26 Sep 2017 12:19:06 +0100 Subject: [PATCH 37/62] Don't remove user certs --- src/freedombone-app-vpn | 3 ++- src/freedombone-utils-firewall | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index d48de147..69866a17 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -218,7 +218,8 @@ function create_user_vpn_key { chown $username:$username $user_vpn_cert_file - rm /etc/openvpn/easy-rsa/keys/$username.crt + #rm /etc/openvpn/easy-rsa/keys/$username.crt + #rm /etc/openvpn/easy-rsa/keys/$username.csr shred -zu /etc/openvpn/easy-rsa/keys/$username.key echo $"VPN key created at $user_vpn_cert_file" diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 6da00a26..75869cc2 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -111,7 +111,6 @@ function enable_ipv6 { } function firewall_disable_vpn { - iptables -D INPUT -p tcp --dport 1194 -j ACCEPT iptables -D INPUT -p udp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT @@ -125,7 +124,6 @@ function firewall_disable_vpn { } function firewall_enable_vpn { - iptables -A INPUT -p tcp --dport 1194 -j ACCEPT iptables -A INPUT -p udp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT From bbb9220883eea7b577497892fb1dd854357c3992 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 14:09:51 +0100 Subject: [PATCH 38/62] Use same names as vpn examples --- src/freedombone-app-vpn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 69866a17..1647f01e 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
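Review bot: The two `#rm` lines are now dead code with no indication of why the cert is kept, and the .csr was not being removed before either. If the reason is that easy-rsa needs the signed .crt in keys/ to revoke the certificate later, say so in place of the commented commands: `# keep the signed cert in keys/ so it can be revoked later; only the private key is shredded`. Otherwise delete the lines rather than commenting them out. create_user_vpn_key's body continues outside the hunk.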
@@ -35,8 +35,8 @@ VARIANTS='full full-vim' IN_DEFAULT_INSTALL=0 SHOW_ON_ABOUT=0 -OPENVPN_SERVER_NAME="${PROJECT_NAME}-vpn" -OPENVPN_KEY_FILENAME='vpn.ovpn' +OPENVPN_SERVER_NAME="server" +OPENVPN_KEY_FILENAME='client.ovpn' vpn_variables=(MY_EMAIL_ADDRESS MY_USERNAME) From 62854406f148a2beadf0281926b2166752076dba Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 14:25:34 +0100 Subject: [PATCH 39/62] vpn user --- src/freedombone-app-vpn | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 1647f01e..9b3931e5 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -140,6 +140,8 @@ function remove_vpn { shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME fi done + userdel -f vpn + groupdel -f vpn } function create_user_vpn_key { @@ -196,8 +198,8 @@ function create_user_vpn_key { cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file - sed -i 's|;user nobody|user nobody|g' $user_vpn_cert_file - sed -i 's|;group nogroup|group nobody|g' $user_vpn_cert_file + sed -i 's|;user no.*|user vpn|g' $user_vpn_cert_file + sed -i 's|;group no.*|group vpn|g' $user_vpn_cert_file sed -i 's|ca ca.crt|;ca ca.crt|g' $user_vpn_cert_file sed -i 's|cert client.crt|;cert client.crt|g' $user_vpn_cert_file 
@@ -244,12 +246,15 @@ function install_vpn { exit 783953 fi + groupadd vpn + useradd -r -s /bin/false -g vpn vpn + # server configuration gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf sed -i "s|;push \"redirect-gateway|push \"redirect-gateway|g" /etc/openvpn/server.conf sed -i 's|;push "dhcp-option|push "dhcp-option|g' /etc/openvpn/server.conf - sed -i 's|;user nobody|user nobody|g' /etc/openvpn/server.conf - sed -i 's|;group nogroup|group nobody|g' /etc/openvpn/server.conf + sed -i 's|;user no.*|user vpn|g' /etc/openvpn/server.conf + sed -i 's|;group no.*|group vpn|g' /etc/openvpn/server.conf sed -i 's|;max-clients.*|max-clients 2|g' /etc/openvpn/server.conf echo 1 > /proc/sys/net/ipv4/ip_forward From f9a6339f14cfcee6b91da32baa93a13617ffa4ac Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 14:36:09 +0100 Subject: [PATCH 40/62] Include tcp --- src/freedombone-utils-firewall | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 75869cc2..ac1940c5 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -112,6 +112,7 @@ function enable_ipv6 { function firewall_disable_vpn { iptables -D INPUT -p udp --dport 1194 -j ACCEPT + iptables -D INPUT -p tcp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT @@ -125,6 +126,7 @@ function firewall_disable_vpn { function firewall_enable_vpn { iptables -A INPUT -p udp --dport 1194 -j ACCEPT + iptables -A INPUT -p tcp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT From 1f79a451b5f36c81843ad3fed92058622cca1a27 Mon Sep 17 00:00:00 2001 
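Review bot: `groupadd vpn` and `useradd -r -s /bin/false -g vpn vpn` are not idempotent and their status is not checked, so a second run of install_vpn (after a partial failure, for instance) prints errors from both and carries on; the `user vpn`/`group vpn` lines would still work, but the install log becomes misleading. Guard them with `getent group vpn >/dev/null || groupadd vpn` and `id -u vpn >/dev/null 2>&1 || useradd -r -s /bin/false -g vpn vpn`, or check `$?` the way the surrounding code does. install_vpn's body continues outside the hunk.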
From: Bob Mottram Date: Tue, 26 Sep 2017 14:37:36 +0100 Subject: [PATCH 41/62] Nobody on the client --- src/freedombone-app-vpn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 9b3931e5..7f7af5ad 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -198,8 +198,8 @@ function create_user_vpn_key { cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file - sed -i 's|;user no.*|user vpn|g' $user_vpn_cert_file - sed -i 's|;group no.*|group vpn|g' $user_vpn_cert_file + sed -i 's|;user .*|user nobody|g' $user_vpn_cert_file + sed -i 's|;group .*|group nobody|g' $user_vpn_cert_file sed -i 's|ca ca.crt|;ca ca.crt|g' $user_vpn_cert_file sed -i 's|cert client.crt|;cert client.crt|g' $user_vpn_cert_file From 63df10c2257decaabaf59c58c407f32aaafbe725 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 15:31:51 +0100 Subject: [PATCH 42/62] Original vpn firewall --- src/freedombone-utils-firewall | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index ac1940c5..fa839d69 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -111,7 +111,7 @@ function enable_ipv6 { } function firewall_disable_vpn { - iptables -D INPUT -p udp --dport 1194 -j ACCEPT + iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -D INPUT -p tcp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT 
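Review bot: `group nobody` in the client profile assumes a group with that name exists on the client; on Debian and Ubuntu clients the matching group is `nogroup`, as the sample client.conf this is derived from has, and OpenVPN aborts at privilege drop with a groupname-not-found error when the name is missing. Since the .ovpn is handed to clients whose OS is unknown, either keep the sample's `group nogroup` (correct on the Debian-family systems this project appears to target) or leave the client-side `user`/`group` lines commented and let each client set them, with a note in the profile saying why. The server-side `user vpn`/`group vpn` from PATCH 39 is unaffected because install_vpn creates that account. create_user_vpn_key's body continues outside the hunk.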
@@ -125,7 +125,7 @@ function firewall_disable_vpn { } function firewall_enable_vpn { - iptables -A INPUT -p udp --dport 1194 -j ACCEPT + iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT iptables -A INPUT -p tcp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT From 10da38da0cfea60b14d14e393e07e7484d5bb53c Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 15:51:43 +0100 Subject: [PATCH 43/62] vpn on tcp --- src/freedombone-app-vpn | 10 ++++++++-- src/freedombone-utils-firewall | 6 ++---- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 7f7af5ad..7e1ec4dc 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -122,7 +122,7 @@ function restore_remote_vpn { function remove_vpn { systemctl stop openvpn - apt-get -yq remove --purge fastd openvpn easy-rsa + apt-get -yq remove --purge fastd openvpn easy-rsa stunnel4 if [ -d /etc/openvpn ]; then rm -rf /etc/openvpn fi @@ -206,6 +206,9 @@ function create_user_vpn_key { sed -i 's|key client.key|;key client.key|g' $user_vpn_cert_file sed -i 's|tls-auth ta.key|;tls-auth ta.key|g' $user_vpn_cert_file + sed -i 's|;proto tcp|proto tcp|g' $user_vpn_cert_file + sed -i 's|proto udp|;proto udp|g' $user_vpn_cert_file + echo '' >> $user_vpn_cert_file cat /etc/openvpn/ca.crt >> $user_vpn_cert_file echo '' >> $user_vpn_cert_file @@ -239,7 +242,7 @@ function remove_user_vpn { } function install_vpn { - apt-get -yq install fastd openvpn easy-rsa + apt-get -yq install fastd openvpn easy-rsa stunnel4 if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then echo $'Example openvpn server config not found' 
@@ -257,6 +260,9 @@ function install_vpn { sed -i 's|;group no.*|group vpn|g' /etc/openvpn/server.conf sed -i 's|;max-clients.*|max-clients 2|g' /etc/openvpn/server.conf + sed -i 's|;proto tcp|proto tcp|g' /etc/openvpn/server.conf + sed -i 's|proto udp|;proto udp|g' /etc/openvpn/server.conf + echo 1 > /proc/sys/net/ipv4/ip_forward sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index fa839d69..785ea7fe 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -111,8 +111,7 @@ function enable_ipv6 { } function firewall_disable_vpn { - iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT - iptables -D INPUT -p tcp --dport 1194 -j ACCEPT + iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT @@ -125,8 +124,7 @@ function firewall_disable_vpn { } function firewall_enable_vpn { - iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p udp --dport 1194 -j ACCEPT - iptables -A INPUT -p tcp --dport 1194 -j ACCEPT + iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -o ${FIREWALL_EIFACE} -m state --state RELATED,ESTABLISHED -j ACCEPT From 43c6406e2faecb279eda2fb451ab4c578ceae703 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 16:31:51 +0100 Subject: [PATCH 44/62] Use firewall function for vpn --- src/freedombone-app-vpn | 1 + src/freedombone-utils-firewall | 8 ++------ 2 files changed, 3 insertions(+), 6 deletions(-) 
diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 7e1ec4dc..c2715a2a 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -11,6 +11,7 @@ # VPN functions # https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8 # https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/ +# http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php # # License # ======= diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 785ea7fe..f9b02827 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -111,6 +111,7 @@ function enable_ipv6 { } function firewall_disable_vpn { + firewall_remove VPN 1194 iptables -D INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT iptables -D INPUT -i tun+ -j ACCEPT iptables -D FORWARD -i tun+ -j ACCEPT @@ -119,11 +120,10 @@ function firewall_disable_vpn { iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -D OUTPUT -o tun+ -j ACCEPT save_firewall_settings - - sed -i '/VPN=/d' $FIREWALL_CONFIG } function firewall_enable_vpn { + firewall_add VPN 1194 tcp iptables -A INPUT -i ${FIREWALL_EIFACE} -m state --state NEW -p tcp --dport 1194 -j ACCEPT iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT @@ -132,10 +132,6 @@ function firewall_enable_vpn { iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ${FIREWALL_EIFACE} -j MASQUERADE iptables -A OUTPUT -o tun+ -j ACCEPT save_firewall_settings - - if ! grep -q "VPN=" $FIREWALL_CONFIG; then - echo "VPN=1194" >> $FIREWALL_CONFIG - fi } function configure_firewall { From b738afa07a92254b8b8c8060c70d1a5ce594c201 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 17:12:47 +0100 Subject: [PATCH 45/62] Extra vpn settings --- src/freedombone-app-vpn | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index c2715a2a..6bdc1ced 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -264,6 +264,9 @@ function install_vpn { sed -i 's|;proto tcp|proto tcp|g' /etc/openvpn/server.conf sed -i 's|proto udp|;proto udp|g' /etc/openvpn/server.conf + sed -i 's|explicit-exit-notify.*|explicit-exit-notify 0|g' /etc/openvpn/server.conf + sed -i 's|tls-auth|;tls-auth|g' /etc/openvpn/server.conf + echo 1 > /proc/sys/net/ipv4/ip_forward sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf From 57f8b11c0757e33ecc50524b56aa72ecccee4b68 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 22:47:19 +0100 Subject: [PATCH 46/62] Add tls wrapper to vpn --- src/freedombone-addcert | 2 +- src/freedombone-app-vpn | 230 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 226 insertions(+), 6 deletions(-) diff --git a/src/freedombone-addcert b/src/freedombone-addcert index 701ceb53..5f729922 100755 --- a/src/freedombone-addcert +++ b/src/freedombone-addcert @@ -49,7 +49,7 @@ HOSTNAME= remove_cert= LETSENCRYPT_HOSTNAME= COUNTRY_CODE="US" -AREA="Free Speech Zone" +AREA="Apparent Free Speech Zone" LOCATION="Freedomville" ORGANISATION="Freedombone" UNIT="Freedombone Unit" diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 6bdc1ced..afcc601c 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -39,8 +39,23 @@ SHOW_ON_ABOUT=0 OPENVPN_SERVER_NAME="server" OPENVPN_KEY_FILENAME='client.ovpn' +VPN_COUNTRY_CODE="US" +VPN_AREA="Apparent Free Speech Zone" +VPN_LOCATION="Freedomville" +VPN_ORGANISATION="Freedombone" +VPN_UNIT="Freedombone Unit" +STUNNEL_PORT=3439 +VPN_TLS_PORT=553 + vpn_variables=(MY_EMAIL_ADDRESS - MY_USERNAME) + DEFAULT_DOMAIN_NAME + MY_USERNAME + VPN_COUNTRY_CODE + VPN_AREA + VPN_LOCATION + VPN_ORGANISATION + VPN_UNIT + VPN_TLS_PORT) function logging_on_vpn { echo -n '' 
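Review bot: The new `sed -i 's|tls-auth|;tls-auth|g' /etc/openvpn/server.conf` line switches off the control-channel HMAC (tls-auth), which is what lets the server discard unauthenticated handshake packets before they reach the TLS stack. If it was disabled because the generated client profile has nothing to point `tls-auth` at, the key material can be embedded in the `.ovpn` between `<tls-auth>` and `</tls-auth>` tags together with a `key-direction 1` line, alongside the CA material that is already appended to the profile in earlier hunks. Otherwise the reason for dropping the HMAC layer should be recorded next to the line, e.g. `# tls-auth disabled: clients are not given ta.key`. install_vpn continues outside this hunk.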
@@ -51,10 +66,101 @@ function logging_off_vpn { } function install_interactive_vpn { - echo -n '' + VPN_DETAILS_COMPLETE= + while [ ! $VPN_DETAILS_COMPLETE ] + do + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --backtitle $"Freedombone Configuration" \ + --title $"VPN Configuration" \ + --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \ + $"TLS port:" 1 1 "$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')" 1 12 4 4 \ + 2> $data + sel=$? + case $sel in + 1) exit 1;; + 255) exit 1;; + esac + tlsport=$(cat $data | sed -n 1p) + if [ ${#tlsport} -gt 1 ]; then + if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then + VPN_TLS_PORT="$tlsport" + VPN_DETAILS_COMPLETE="yes" + write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT" + fi + fi + done APP_INSTALLED=1 } +function vpn_change_tls_port { + EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT + + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --title $"VPN Configuration" \ + --backtitle $"Freedombone Control Panel" \ + --inputbox $'Change TLS port' 10 50 $VPN_TLS_PORT 2>$data + sel=$? 
+ case $sel in + 0) + tlsport=$(<$data) + if [ ${#tlsport} -gt 0 ]; then + if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then + VPN_TLS_PORT=$tlsport + write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT" + sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf + sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf + + for d in /home/*/ ; do + USERNAME=$(echo "$d" | awk -F '/' '{print $3}') + if [ -f /home/$USERNAME/stunnel-client.conf ]; then + cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf + chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf + fi + done + + if [ $VPN_TLS_PORT -eq 443 ]; then + systemctl stop nginx + systemctl disable nginx + else + systemctl enable nginx + systemctl restart nginx + fi + + systemctl restart stunnel + + dialog --title $"VPN Configuration" \ + --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60 + fi + fi + ;; + esac +} + +function configure_interactive_vpn { + read_config_param VPN_TLS_PORT + while true + do + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --backtitle $"Freedombone Control Panel" \ + --title $"VPN Configuration" \ + --radiolist $"Choose an operation:" 12 70 2 \ + 1 $"Change TLS port (currently $VPN_TLS_PORT)" off \ + 2 $"Exit" on 2> $data + sel=$? + case $sel in + 1) return;; + 255) return;; + esac + case $(cat $data) in + 1) vpn_change_tls_port;; + 2) break;; + esac + done +} + function reconfigure_vpn { echo -n '' } @@ -123,7 +229,12 @@ function restore_remote_vpn { function remove_vpn { systemctl stop openvpn - apt-get -yq remove --purge fastd openvpn easy-rsa stunnel4 + if [ $VPN_TLS_PORT -ne 443 ]; then + firewall_remove VPN-TLS $VPN_TLS_PORT + fi + + apt-get -yq remove --purge fastd openvpn easy-rsa + apt-get -yq remove stunnel4 if [ -d /etc/openvpn ]; then rm -rf /etc/openvpn fi 
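Review bot: `vpn_change_tls_port` rewrites the two stunnel `accept =` lines and restarts stunnel, but it never touches the firewall, whereas install_vpn in this same patch opens the port with `firewall_add VPN-TLS $VPN_TLS_PORT tcp`; after a change the old port stays open and the new one is blocked unless it happens to be 443. The entered value is also only checked for being non-empty before it is spliced into `sed` and compared with `-eq`, so a non-numeric entry corrupts both stunnel configs and makes the `[ $VPN_TLS_PORT -eq 443 ]` test error out. Both can be handled where `VPN_TLS_PORT=$tlsport` is assigned, as below. The hunk also holds install_interactive_vpn, whose form only rejects spaces and dots, so the same numeric check applies there.
```shell
if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
    if ! [[ "$tlsport" =~ ^[0-9]+$ ]] || [ "$tlsport" -lt 1 ] || [ "$tlsport" -gt 65535 ]; then
        dialog --title $"VPN Configuration" --msgbox $"Invalid TLS port" 6 60
        return
    fi
    VPN_TLS_PORT=$tlsport
    write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
    # … unchanged: stunnel.conf / stunnel-client.conf edits, per-user copies …
    if [ $EXISTING_VPN_TLS_PORT -ne 443 ]; then
        firewall_remove VPN-TLS $EXISTING_VPN_TLS_PORT
    fi
    if [ $VPN_TLS_PORT -ne 443 ]; then
        firewall_add VPN-TLS $VPN_TLS_PORT tcp
    fi
    # … unchanged: nginx enable/disable, systemctl restart stunnel, msgbox …
```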
@@ -140,9 +251,14 @@ function remove_vpn { if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME fi + rm /home/$USERNAME/stunnel* done userdel -f vpn groupdel -f vpn + + if [ -d /etc/stunnel ]; then + rm -rf /etc/stunnel + fi } function create_user_vpn_key { @@ -198,7 +314,7 @@ function create_user_vpn_key { fi cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file - sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file + sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME $STUNNEL_PORT|g" $user_vpn_cert_file sed -i 's|;user .*|user nobody|g' $user_vpn_cert_file sed -i 's|;group .*|group nobody|g' $user_vpn_cert_file 
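Review bot: The new `rm /home/$USERNAME/stunnel*` in remove_vpn plainly unlinks files that, per install_stunnel later in this patch, include the stunnel private key (`stunnel.pem` is `key.pem` followed by `cert.pem`, and `stunnel.p12` is exported with an empty password), while the adjacent `.ovpn` in the same loop is removed with `shred -zu`. Treating the stunnel copies the same way keeps the removal consistent: `for f in /home/$USERNAME/stunnel*; do [ -f "$f" ] && shred -zu "$f"; done`. remove_vpn starts outside this hunk.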
@@ -236,14 +352,111 @@ function add_user_vpn { new_user_password="$2" create_user_vpn_key $new_username + if [ -f /etc/stunnel/stunnel.pem ]; then + cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem + chown $new_username:$new_username /home/$new_username/stunnel.pem + fi + if [ -f /etc/stunnel/stunnel.p12 ]; then + cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12 + chown $new_username:$new_username /home/$new_username/stunnel.p12 + fi + cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf + chown $new_username:$new_username /home/$new_username/stunnel-client.conf } function remove_user_vpn { new_username="$1" } +function install_stunnel { + apt-get -yq install stunnel4 + + cd /etc/stunnel + + openssl req -x509 -nodes -days 3650 -sha256 \ + -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \ + -newkey rsa:2048 -keyout key.pem \ + -out cert.pem + if [ ! -f key.pem ]; then + echo $'stunnel key not created' + exit 793530 + fi + if [ ! -f cert.pem ]; then + echo $'stunnel cert not created' + exit 204587 + fi + chmod 400 key.pem + chmod 640 cert.pem + + cat key.pem cert.pem >> stunnel.pem + chmod 640 stunnel.pem + + openssl pkcs12 -export -out stunnel.p12 -inkey key.pem -in cert.pem -passout pass: + if [ ! 
-f stunnel.p12 ]; then + echo $'stunnel pkcs12 not created' + exit 639353 + fi + chmod 640 stunnel.p12 + + echo 'chroot = /var/lib/stunnel4' > stunnel.conf + echo 'pid = /stunnel4.pid' >> stunnel.conf + echo 'setuid = stunnel4' >> stunnel.conf + echo 'setgid = stunnel4' >> stunnel.conf + echo 'socket = l:TCP_NODELAY=1' >> stunnel.conf + echo 'socket = r:TCP_NODELAY=1' >> stunnel.conf + echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf + echo '[openvpn]' >> stunnel.conf + echo "accept = $VPN_TLS_PORT" >> stunnel.conf + echo 'connect = localhost:1194' >> stunnel.conf + echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel.conf + + sed -i 's|ENABLED=.*|ENABLED=1|g' /etc/default/stunnel4 + + echo '[openvpn]' > stunnel-client.conf + echo 'client = yes' >> stunnel-client.conf + echo "accept = $STUNNEL_PORT" >> stunnel-client.conf + echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf + echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel-client.conf + + echo '[Unit]' > /etc/systemd/system/stunnel.service + echo 'Description=SSL tunnel for network daemons' >> /etc/systemd/system/stunnel.service + echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> /etc/systemd/system/stunnel.service + echo 'DefaultDependencies=no' >> /etc/systemd/system/stunnel.service + echo 'After=network.target' >> /etc/systemd/system/stunnel.service + echo 'After=syslog.target' >> /etc/systemd/system/stunnel.service + echo '' >> /etc/systemd/system/stunnel.service + echo '[Install]' >> /etc/systemd/system/stunnel.service + echo 'WantedBy=multi-user.target' >> /etc/systemd/system/stunnel.service + echo 'Alias=stunnel.target' >> /etc/systemd/system/stunnel.service + echo '' >> /etc/systemd/system/stunnel.service + echo '[Service]' >> /etc/systemd/system/stunnel.service + echo 'Type=forking' >> /etc/systemd/system/stunnel.service + echo 'RuntimeDirectory=stunnel' >> /etc/systemd/system/stunnel.service + echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> 
/etc/systemd/system/stunnel.service + echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> /etc/systemd/system/stunnel.service + echo 'ExecStop=/usr/bin/killall -9 stunnel' >> /etc/systemd/system/stunnel.service + echo 'RemainAfterExit=yes' >> /etc/systemd/system/stunnel.service + + if [ $VPN_TLS_PORT -eq 443 ]; then + systemctl stop nginx + systemctl disable nginx + else + systemctl enable nginx + systemctl restart nginx + fi + + systemctl enable stunnel + systemctl daemon-reload + systemctl start stunnel + + cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem + cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12 + cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf + chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel* +} + function install_vpn { - apt-get -yq install fastd openvpn easy-rsa stunnel4 + apt-get -yq install fastd openvpn easy-rsa if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then echo $'Example openvpn server config not found' @@ -337,8 +550,15 @@ function install_vpn { create_user_vpn_key $MY_USERNAME firewall_enable_vpn + + if [ $VPN_TLS_PORT -ne 443 ]; then + firewall_add VPN-TLS $VPN_TLS_PORT tcp + fi + systemctl start openvpn + install_stunnel + APP_INSTALLED=1 } From d35b5af059f0ab00aa772407fdb6202b84c3c398 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 23:05:01 +0100 Subject: [PATCH 47/62] Keep a backup of client keys --- src/freedombone-app-vpn | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index afcc601c..c890dff7 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
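Review bot: install_stunnel hands the server's TLS private key to every client: `cat key.pem cert.pem >> stunnel.pem` bundles the key, `openssl pkcs12 -export ... -passout pass:` wraps the same key with an empty password, and both files are then copied into `/home/$MY_USERNAME/` (and into each new user's home by add_user_vpn, earlier in this hunk). Whoever holds a client bundle can therefore present the server's identity at the wrapper layer, and since stunnel-client.conf carries no `verify`/`CAfile` line the client does not check the server's certificate either. Clients only need the public certificate to authenticate the server, so the bundle should contain `cert.pem` plus a `CAfile`/`verify` pair instead of `stunnel.pem`, and the `>>` should be `>` so a re-install does not accumulate old key material in stunnel.pem. The `ExecStop=/usr/bin/killall -9 stunnel` line deserves a comment or a plain `killall stunnel`, since SIGKILL gives the daemon no chance to remove its pid file.
```shell
cat key.pem cert.pem > stunnel.pem
# … unchanged: pkcs12 export, chmod, server stunnel.conf, /etc/default/stunnel4 …
echo '[openvpn]' > stunnel-client.conf
echo 'client = yes' >> stunnel-client.conf
echo "accept = $STUNNEL_PORT" >> stunnel-client.conf
echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf
echo 'CAfile = stunnel-cert.pem' >> stunnel-client.conf
echo 'verify = 2' >> stunnel-client.conf
# … unchanged: systemd unit, nginx handling, systemctl enable/start …
cp /etc/stunnel/cert.pem /home/$MY_USERNAME/stunnel-cert.pem
cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
```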
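Review bot: After this hunk OpenVPN is meant to be reached only through stunnel (`connect = localhost:1194` in install_stunnel), yet install_vpn still calls `firewall_enable_vpn`, which per patches 43 and 44 accepts `--dport 1194` on `${FIREWALL_EIFACE}`, so the TLS wrapper can be bypassed by connecting to 1194 directly. OpenVPN's own TLS still protects the tunnel, but the censorship-resistance the install dialog promises is lost and the bare OpenVPN listener stays exposed on the public interface. Only the `VPN-TLS` port should be opened externally; the 1194 ACCEPT rules belong on loopback or should be dropped, and the server config should bind with `local 127.0.0.1`. install_vpn starts outside this hunk.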
@@ -340,6 +340,9 @@ function create_user_vpn_key { chown $username:$username $user_vpn_cert_file + # keep a backup + cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn + #rm /etc/openvpn/easy-rsa/keys/$username.crt #rm /etc/openvpn/easy-rsa/keys/$username.csr shred -zu /etc/openvpn/easy-rsa/keys/$username.key From 063bcca516337744196a1c9502ca620e948f8904 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 23:12:32 +0100 Subject: [PATCH 48/62] Regenerating user vpn keys --- src/freedombone-app-vpn | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index c890dff7..e2638400 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -107,6 +107,7 @@ function vpn_change_tls_port { tlsport=$(<$data) if [ ${#tlsport} -gt 0 ]; then if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then + clear VPN_TLS_PORT=$tlsport write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT" sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf @@ -138,6 +139,28 @@ function vpn_change_tls_port { esac } +function vpn_regenerate_client_keys { + data=$(tempfile 2>/dev/null) + trap "rm -f $data" 0 1 2 5 15 + dialog --title $"Regenerate VPN keys for a user" \ + --backtitle $"Freedombone Control Panel" \ + --inputbox $'username' 10 50 2>$data + sel=$? + case $sel in + 0) + USERNAME=$(<$data) + if [ ${#USERNAME} -gt 0 ]; then + if [ -d /home/$USERNAME ]; then + clear + create_user_vpn_key $USERNAME + dialog --title $"Regenerate VPN keys for a user" \ + --msgbox $"VPN keys were regenerated for $USERNAME" 6 60 + fi + fi + ;; + esac +} + function configure_interactive_vpn { read_config_param VPN_TLS_PORT while true 
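Review bot: The new `cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn` keeps a copy of the client profile in the keys directory right before `shred -zu /etc/openvpn/easy-rsa/keys/$username.key`; if the profile embeds the client key, as the shred of the standalone key file suggests, the shred no longer achieves anything and the key now also travels with every `backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn` export. If the copy is wanted it should at least be mode-restricted, `chmod 600 /etc/openvpn/easy-rsa/keys/$username.ovpn`, and the `# keep a backup` comment should say that the file contains the user's private key. create_user_vpn_key starts and ends outside this hunk.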
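Review bot: vpn_regenerate_client_keys issues a new certificate via create_user_vpn_key but never revokes the previous one, so a lost or stolen old `.ovpn` keeps authenticating after "regeneration"; with the easy-rsa 2 tooling this file already uses (`build-key`, `clean-all`) that means running `./revoke-full "$USERNAME"` first and pointing the server at the resulting CRL with a `crl-verify` line. Whether `build-key` even re-issues for an already indexed CN depends on the easy-rsa index settings, which is worth checking on a test box. The dialog input is also used as-is in `/home/$USERNAME` and as the certificate CN; a shape check such as `[[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]] || return` before the directory test would keep odd input out of the PKI.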
@@ -146,9 +169,10 @@ function configure_interactive_vpn { trap "rm -f $data" 0 1 2 5 15 dialog --backtitle $"Freedombone Control Panel" \ --title $"VPN Configuration" \ - --radiolist $"Choose an operation:" 12 70 2 \ + --radiolist $"Choose an operation:" 13 70 3 \ 1 $"Change TLS port (currently $VPN_TLS_PORT)" off \ - 2 $"Exit" on 2> $data + 2 $"Regenerate keys for a user" off \ + 3 $"Exit" on 2> $data sel=$? case $sel in 1) return;; @@ -156,7 +180,8 @@ function configure_interactive_vpn { esac case $(cat $data) in 1) vpn_change_tls_port;; - 2) break;; + 2) vpn_regenerate_client_keys;; + 3) break;; esac done } From acd6db9a6ced8c419c1c067a6869b7b1aa2a9d10 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 23:44:43 +0100 Subject: [PATCH 49/62] Remove stunnel daemon --- src/freedombone-app-vpn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index e2638400..77958db2 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -253,6 +253,10 @@ function restore_remote_vpn { } function remove_vpn { + systemctl stop stunnel + systemctl disable stunnel + rm /etc/systemd/system/stunnel.service + systemctl stop openvpn if [ $VPN_TLS_PORT -ne 443 ]; then firewall_remove VPN-TLS $VPN_TLS_PORT From 0e2a95659a300211e35f6d827812eecd0a7f8c4d Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Tue, 26 Sep 2017 23:48:05 +0100 Subject: [PATCH 50/62] Restart nginx if needed after vpn removal --- src/freedombone-app-vpn | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 77958db2..014322f2 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -260,6 +260,9 @@ function remove_vpn { systemctl stop openvpn if [ $VPN_TLS_PORT -ne 443 ]; then firewall_remove VPN-TLS $VPN_TLS_PORT + else + systemctl enable nginx + systemctl restart nginx fi apt-get -yq remove --purge fastd openvpn easy-rsa 
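Review bot: `rm /etc/systemd/system/stunnel.service` is not followed by `systemctl daemon-reload`, so systemd keeps the deleted unit loaded until something else reloads it; install_stunnel reloads after writing the file, and removal should mirror that with `systemctl daemon-reload` right after the `rm`. remove_vpn continues outside this hunk.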
From 3c9ca52c77d60b5ea17c7fba33907bc60e243833 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 12:36:13 +0100 Subject: [PATCH 51/62] Defailt vpn tls port --- src/freedombone-app-vpn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 014322f2..55270d2f 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -66,6 +66,10 @@ function logging_off_vpn { } function install_interactive_vpn { + read_config_param VPN_TLS_PORT + if [ ! $VPN_TLS_PORT ]; then + VPN_TLS_PORT=553 + fi VPN_DETAILS_COMPLETE= while [ ! $VPN_DETAILS_COMPLETE ] do From 9122145f1e0aa7134189001f6531b9ff5b2bc454 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 12:40:35 +0100 Subject: [PATCH 52/62] Temporary vpn tls port --- src/freedombone-app-vpn | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 55270d2f..cdc5e7d8 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -75,10 +75,14 @@ function install_interactive_vpn { do data=$(tempfile 2>/dev/null) trap "rm -f $data" 0 1 2 5 15 + currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}') + if [ $currtlsport ]; then + VPN_TLS_PORT=$currtlsport + fi dialog --backtitle $"Freedombone Configuration" \ --title $"VPN Configuration" \ --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \ - $"TLS port:" 1 1 "$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')" 1 12 4 4 \ + $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 4 4 \ 2> $data sel=$? case $sel in From 0c148120d6c078d76ff0352383e8ae820143a2f7 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 12:42:36 +0100 Subject: [PATCH 53/62] Field width --- src/freedombone-app-vpn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index cdc5e7d8..1a3a8210 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -82,7 +82,7 @@ function install_interactive_vpn { dialog --backtitle $"Freedombone Configuration" \ --title $"VPN Configuration" \ --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \ - $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 4 4 \ + $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \ 2> $data sel=$? case $sel in From 0d12d944fd414ab996dd209a686cc4383f091679 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 12:44:08 +0100 Subject: [PATCH 54/62] Clear after entering vpn settings --- src/freedombone-app-vpn | 1 + 1 file changed, 1 insertion(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 1a3a8210..181f94ff 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -98,6 +98,7 @@ function install_interactive_vpn { fi fi done + clear APP_INSTALLED=1 } From 5fac7b57ad91484d9380cabfb10f4360daa8cb8e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 14:16:20 +0100 Subject: [PATCH 55/62] Fix vpn configs --- src/freedombone-app-vpn | 76 ++++++++++++++++++++++------------------- 1 file changed, 40 insertions(+), 36 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 181f94ff..6d38347b 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
@@ -349,23 +349,23 @@ function create_user_vpn_key { user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME - if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/client.conf ]; then - echo $'No VPN client template found' - exit 429823 - fi - - cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file - sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME $STUNNEL_PORT|g" $user_vpn_cert_file - sed -i 's|;user .*|user nobody|g' $user_vpn_cert_file - sed -i 's|;group .*|group nobody|g' $user_vpn_cert_file - - sed -i 's|ca ca.crt|;ca ca.crt|g' $user_vpn_cert_file - sed -i 's|cert client.crt|;cert client.crt|g' $user_vpn_cert_file - sed -i 's|key client.key|;key client.key|g' $user_vpn_cert_file - sed -i 's|tls-auth ta.key|;tls-auth ta.key|g' $user_vpn_cert_file - - sed -i 's|;proto tcp|proto tcp|g' $user_vpn_cert_file - sed -i 's|proto udp|;proto udp|g' $user_vpn_cert_file + echo 'client' > $user_vpn_cert_file + echo 'dev tun' >> $user_vpn_cert_file + echo 'proto tcp' >> $user_vpn_cert_file + echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file + echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file + echo 'resolv-retry infinite' >> $user_vpn_cert_file + echo 'nobind' >> $user_vpn_cert_file + echo 'tun-mtu 1500' >> $user_vpn_cert_file + echo 'tun-mtu-extra 32' >> $user_vpn_cert_file + echo 'mssfix 1450' >> $user_vpn_cert_file + echo 'persist-key' >> $user_vpn_cert_file + echo 'persist-tun' >> $user_vpn_cert_file + echo 'auth-nocache' >> $user_vpn_cert_file + echo 'remote-cert-tls server' >> $user_vpn_cert_file + echo 'comp-lzo' >> $user_vpn_cert_file + echo 'verb 3' >> $user_vpn_cert_file + echo '' >> $user_vpn_cert_file echo '' >> $user_vpn_cert_file cat /etc/openvpn/ca.crt >> $user_vpn_cert_file 
@@ -460,7 +460,7 @@ function install_stunnel { echo 'client = yes' >> stunnel-client.conf echo "accept = $STUNNEL_PORT" >> stunnel-client.conf echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> stunnel-client.conf - echo 'cert = /etc/stunnel/stunnel.pem' >> stunnel-client.conf + echo 'cert = stunnel.pem' >> stunnel-client.conf echo '[Unit]' > /etc/systemd/system/stunnel.service echo 'Description=SSL tunnel for network daemons' >> /etc/systemd/system/stunnel.service 
@@ -502,27 +502,31 @@ function install_stunnel { function install_vpn { apt-get -yq install fastd openvpn easy-rsa - if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then - echo $'Example openvpn server config not found' - exit 783953 - fi - groupadd vpn useradd -r -s /bin/false -g vpn vpn # server configuration - gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf - sed -i "s|;push \"redirect-gateway|push \"redirect-gateway|g" /etc/openvpn/server.conf - sed -i 's|;push "dhcp-option|push "dhcp-option|g' /etc/openvpn/server.conf - sed -i 's|;user no.*|user vpn|g' /etc/openvpn/server.conf - sed -i 's|;group no.*|group vpn|g' /etc/openvpn/server.conf - sed -i 's|;max-clients.*|max-clients 2|g' /etc/openvpn/server.conf - - sed -i 's|;proto tcp|proto tcp|g' /etc/openvpn/server.conf - sed -i 's|proto udp|;proto udp|g' /etc/openvpn/server.conf - - sed -i 's|explicit-exit-notify.*|explicit-exit-notify 0|g' /etc/openvpn/server.conf - sed -i 's|tls-auth|;tls-auth|g' /etc/openvpn/server.conf + echo 'port 1194' > /etc/openvpn/server.conf + echo 'proto tcp' >> /etc/openvpn/server.conf + echo 'dev tun' >> /etc/openvpn/server.conf + echo 'tun-mtu 1500' >> /etc/openvpn/server.conf + echo 'tun-mtu-extra 32' >> /etc/openvpn/server.conf + echo 'mssfix 1450' >> /etc/openvpn/server.conf + echo 'ca /etc/openvpn/easy-rsa/keys/ca.crt' >> /etc/openvpn/server.conf + echo 'cert /etc/openvpn/easy-rsa/keys/server.crt' >> /etc/openvpn/server.conf + echo 'key /etc/openvpn/easy-rsa/keys/server.key' >> /etc/openvpn/server.conf + echo 'dh /etc/openvpn/easy-rsa/keys/dh2048.pem' >> /etc/openvpn/server.conf + echo 'server 10.8.0.0 255.255.255.0' >> /etc/openvpn/server.conf + echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf + echo "push \"dhcp-option DNS 85.214.73.63\"" >> /etc/openvpn/server.conf + echo "push \"dhcp-option DNS 213.73.91.35\"" >> /etc/openvpn/server.conf + echo 'keepalive 5 30' 
>> /etc/openvpn/server.conf + echo 'comp-lzo' >> /etc/openvpn/server.conf + echo 'persist-key' >> /etc/openvpn/server.conf + echo 'persist-tun' >> /etc/openvpn/server.conf + echo 'status /dev/null' >> /etc/openvpn/server.conf + echo 'verb 3' >> /etc/openvpn/server.conf + echo '' >> /etc/openvpn/server.conf echo 1 > /proc/sys/net/ipv4/ip_forward sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf @@ -545,7 +549,7 @@ function install_vpn { # generate host keys if [ ! -f /etc/openvpn/dh2048.pem ]; then - openssl dhparam -out /etc/openvpn/dh2048.pem 2048 + openssl dhparam -out /etc/openvpn/easy-rsa/keys/dh2048.pem 2048 fi cd /etc/openvpn/easy-rsa . ./vars From 9229d27db0bf149c422b848c466ec391ebb515f8 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 14:23:32 +0100 Subject: [PATCH 56/62] Check if vpn dhparams get generated --- src/freedombone-app-vpn | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 6d38347b..07f3e6d6 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -549,8 +549,14 @@ function install_vpn { # generate host keys if [ ! -f /etc/openvpn/dh2048.pem ]; then - openssl dhparam -out /etc/openvpn/easy-rsa/keys/dh2048.pem 2048 + openssl dhparam -out /etc/openvpn/dh2048.pem 2048 fi + if [ ! -f /etc/openvpn/dh2048.pem ]; then + echo $'vpn dhparams were not generated' + exit 73724523 + fi + cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem + cd /etc/openvpn/easy-rsa . ./vars ./clean-all From 1cb7f221094f9afaa9a5daf5d5e8a94d177f0ecf Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 14:56:17 +0100 Subject: [PATCH 57/62] Shorten paths --- src/freedombone-app-vpn | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 07f3e6d6..61a3c03c 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn 
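Review bot: The rewritten server.conf never restricts where OpenVPN listens: with stunnel forwarding to `localhost:1194`, a `local 127.0.0.1` line next to `port 1194` is needed, otherwise the listener is also reachable on every other interface. The two `push "dhcp-option DNS ..."` lines hard-code third-party resolvers (85.214.73.63 and 213.73.91.35), which sends all client DNS to operators the admin never chose; a pair of configurable variables in `vpn_variables` (e.g. `VPN_DNS_SERVER_1`/`VPN_DNS_SERVER_2`) would make that a deliberate setting. No `cipher`, `auth` or `tls-version-min` line is written, so whatever the installed OpenVPN build defaults to is what clients get, and pinning them explicitly keeps the profile reproducible across upgrades. `comp-lzo` turns on compression of tunnelled data, which is generally discouraged for TLS-protected traffic and should probably be left out unless bandwidth demands it. install_vpn starts and ends outside this hunk.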
@@ -512,10 +512,10 @@ function install_vpn { echo 'tun-mtu 1500' >> /etc/openvpn/server.conf echo 'tun-mtu-extra 32' >> /etc/openvpn/server.conf echo 'mssfix 1450' >> /etc/openvpn/server.conf - echo 'ca /etc/openvpn/easy-rsa/keys/ca.crt' >> /etc/openvpn/server.conf - echo 'cert /etc/openvpn/easy-rsa/keys/server.crt' >> /etc/openvpn/server.conf - echo 'key /etc/openvpn/easy-rsa/keys/server.key' >> /etc/openvpn/server.conf - echo 'dh /etc/openvpn/easy-rsa/keys/dh2048.pem' >> /etc/openvpn/server.conf + echo 'ca /etc/openvpn/ca.crt' >> /etc/openvpn/server.conf + echo 'cert /etc/openvpn/server.crt' >> /etc/openvpn/server.conf + echo 'key /etc/openvpn/server.key' >> /etc/openvpn/server.conf + echo 'dh /etc/openvpn/dh2048.pem' >> /etc/openvpn/server.conf echo 'server 10.8.0.0 255.255.255.0' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS 85.214.73.63\"" >> /etc/openvpn/server.conf From 78c55d7e233927732cfa9cfcaf0ec2ff84a29e9f Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 15:06:53 +0100 Subject: [PATCH 58/62] Restore vpn server certs --- src/freedombone-app-vpn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 61a3c03c..fe2ad878 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -220,6 +220,8 @@ function restore_local_vpn { restore_directory_from_usb $temp_restore_dir vpn if [ -d ${temp_restore_dir} ]; then cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys + cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/ + cp -r ${temp_restore_dir}/dh* /etc/openvpn/ rm -rf ${temp_restore_dir} for d in /home/*/ ; do 
@@ -249,6 +251,8 @@ function restore_remote_vpn { restore_directory_from_friend $temp_restore_dir vpn if [ -d ${temp_restore_dir} ]; then cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys + cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/ + cp -r ${temp_restore_dir}/dh* /etc/openvpn/ rm -rf ${temp_restore_dir} for d in /home/*/ ; do From a7f783c3a86711a3bea093700b1c301fa6f23766 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 15:13:00 +0100 Subject: [PATCH 59/62] Restart openvpn after stunnel install --- src/freedombone-app-vpn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index fe2ad878..7b394bd4 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -617,6 +617,8 @@ function install_vpn { install_stunnel + systemctl restart openvpn + APP_INSTALLED=1 } From 886e9a8c493d5d086fcd9664a4b9a4d0af87b3f3 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 15:31:50 +0100 Subject: [PATCH 60/62] Backup and restore stunnel --- src/freedombone-app-vpn | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/src/freedombone-app-vpn b/src/freedombone-app-vpn index 7b394bd4..b32e4c36 100755 --- a/src/freedombone-app-vpn +++ b/src/freedombone-app-vpn @@ -213,6 +213,7 @@ function backup_local_vpn { function_check backup_directory_to_usb backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn + backup_directory_to_usb /etc/stunnel vpnstunnel } function restore_local_vpn { 
@@ -232,6 +233,23 @@ function restore_local_vpn {
 fi
 done
 fi
+ temp_restore_dir=/root/tempvpnstunnel
+ restore_directory_from_usb $temp_restore_dir vpnstunnel
+ if [ -d ${temp_restore_dir} ]; then
+ cp -r ${temp_restore_dir}/* /etc/stunnel
+ rm -rf ${temp_restore_dir}
+ for d in /home/*/ ; do
+ USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+ if [ -f /home/$USERNAME/stunnel.pem ]; then
+ cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
+ chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
+ fi
+ if [ -f /home/$USERNAME/stunnel.p12 ]; then
+ cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
+ chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
+ fi
+ done
+ fi
 }
 function backup_remote_vpn {
@@ -244,6 +262,7 @@ function backup_remote_vpn {
 function_check backup_directory_to_friend
 backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
+ backup_directory_to_friend /etc/stunnel vpnstunnel
 }
 function restore_remote_vpn {
@@ -263,6 +282,23 @@ function restore_remote_vpn {
 fi
 done
 fi
+ temp_restore_dir=/root/tempvpnstunnel
+ restore_directory_from_friend $temp_restore_dir vpnstunnel
+ if [ -d ${temp_restore_dir} ]; then
+ cp -r ${temp_restore_dir}/* /etc/stunnel
+ rm -rf ${temp_restore_dir}
+ for d in /home/*/ ; do
+ USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
+ if [ -f /home/$USERNAME/stunnel.pem ]; then
+ cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
+ chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
+ fi
+ if [ -f /home/$USERNAME/stunnel.p12 ]; then
+ cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
+ chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
+ fi
+ done
+ fi
 }
 function remove_vpn {

From a326d38ebab65fb889a172e8b09b5546beb4fab7 Mon Sep 17 00:00:00 2001
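Review bot: After `cp -r ${temp_restore_dir}/* /etc/stunnel` nothing restarts stunnel, so the running daemon keeps the previous certificate and configuration in memory while the restored stunnel.pem is copied into each user's home; the two will not match until a reboot or a manual restart. Adding `systemctl restart stunnel4` after the copy (stunnel4 being the Debian service name — confirm it matches what install_stunnel sets up) and checking its exit status would fix that. The seventeen added lines are repeated verbatim for restore_remote_vpn in the `@@ -263,6 +282,23 @@` hunk on this same line, differing only in `restore_directory_from_usb` versus `restore_directory_from_friend`, so a helper that takes the restore function name as its argument would keep the two paths from drifting. restore_local_vpn starts before this hunk.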
From: Bob Mottram Date: Wed, 27 Sep 2017 17:46:45 +0100 Subject: [PATCH 61/62] Documentation on vpn --- doc/EN/app_vpn.org | 81 +++++++++ doc/EN/apps.org | 4 + website/EN/app_vpn.html | 386 ++++++++++++++++++++++++++++++++++++++++ website/EN/apps.html | 220 ++++++++++++----------- 4 files changed, 587 insertions(+), 104 deletions(-) create mode 100644 doc/EN/app_vpn.org create mode 100644 website/EN/app_vpn.html diff --git a/doc/EN/app_vpn.org b/doc/EN/app_vpn.org new file mode 100644 index 00000000..d25c3e0c --- /dev/null +++ b/doc/EN/app_vpn.org @@ -0,0 +1,81 @@ +#+TITLE: +#+AUTHOR: Bob Mottram +#+EMAIL: bob@freedombone.net +#+KEYWORDS: freedombone, openvpn +#+DESCRIPTION: How to use OpenVPN on Freedombone +#+OPTIONS: ^:nil toc:nil +#+HTML_HEAD: + +#+BEGIN_CENTER +[[file:images/logo.png]] +#+END_CENTER + +#+BEGIN_EXPORT html +
+

OpenVPN

+
+#+END_EXPORT + +#+begin_quote +"/The Net interprets censorship as damage and routes around it./" -- John Gilmore +#+end_quote + +A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally. + +Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser. + +* Installation + +ssh into the system with: + +#+BEGIN_SRC bash +ssh myusername@mydomainname -p 2222 +#+END_SRC + +Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue. + +Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server. + +* Usage + +When the installation is complete you can download your VPN keys and configuration files onto your local machine. + +#+begin_src bash +scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn . +scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* . +#+end_src + +You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. 
On an Arch based system: + +#+begin_src bash +sudp pacman -S openvpn stunnel4 +#+end_src + +Or on a Debian based system: + +#+begin_src bash +sudo apt-get install openvpn stunnel4 +#+end_src + +Now you can connect to your VPN with: + +#+begin_src bash +sudo stunnel stunnel-client.conf +sudo openvpn client.ovpn +#+end_src + +You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window. + +* Changing port number + +Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it. + +#+BEGIN_SRC bash +ssh myusername@mydomainname -p 2222 +#+END_SRC + +Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above. + +* Generating new keys + +It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above. diff --git a/doc/EN/apps.org b/doc/EN/apps.org index 7126510a..d46d7daf 100644 --- a/doc/EN/apps.org +++ b/doc/EN/apps.org 
@@ -154,6 +154,10 @@ A system for privately creating and sharing notes and images, similar to Evernot * Vim If you use the Mutt client to read your email then this will set it up to use vim for composing new mail. +* Virtual Private Network (VPN) +Set up a VPN on your server so that you can bypass local internet censorship. + +[[./app_vpn.html][How to use it]] * XMPP Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as /client state notification/ to save battery power on your mobile devices, support for seamless roaming between networks and /message carbons/ so that you can receive the same messages while being simultaneously logged in to your account on more than one device. diff --git a/website/EN/app_vpn.html b/website/EN/app_vpn.html new file mode 100644 index 00000000..59283898 --- /dev/null +++ b/website/EN/app_vpn.html @@ -0,0 +1,386 @@ + + + + + + + + + + + + + + + + + +
+ +
+
+
+ +
+

logo.png +

+
+
+ +
+

OpenVPN

+
+ +
+

+"The Net interprets censorship as damage and routes around it." – John Gilmore +

+
+ +

+A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "this content is not available in your area" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally. +

+ +

+Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser. +

+ +
+

Installation

+
+

+ssh into the system with: +

+ +
+
ssh myusername@mydomainname -p 2222
+
+
+ +

+Select Administrator controls then Add/Remove apps then vpn. Choose the port which you want the VPN to operate on and then the install will continue. +

+ +

+Only use ports 443 or 80 for VPN as an absolute last resort, since doing so will prevent other web based apps from running on your server. +

+
+
+ +
+

Usage

+
+

+When the installation is complete you can download your VPN keys and configuration files onto your local machine. +

+ +
+
scp -P 2222 myusername@mydomainname:/home/myusername/client.ovpn .
+scp -P 2222 myusername@mydomainname:/home/myusername/stunnel* .
+
+
+ +

+You will need to ensure that the openvpn and stunnel packages are installed. On an Arch based system: +

+ +
+
sudp pacman -S openvpn stunnel4
+
+
+ +

+Or on a Debian based system: +

+ +
+
sudo apt-get install openvpn stunnel4
+
+
+ +

+Now you can connect to your VPN with: +

+ +
+
sudo stunnel stunnel-client.conf
+sudo openvpn client.ovpn
+
+
+ +

+You should see a series of messages with "Initialization Sequence Completed" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window. +

+
+
+ +
+

Changing port number

+
+

+Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it. +

+ +
+
ssh myusername@mydomainname -p 2222
+
+
+ +

+Select Administrator controls then App Settings then vpn. Choose Change TLS port and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the Usage section above. +

+
+
+ +
+

Generating new keys

+
+

+It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the Administrator controls by going to App Settings then vpn then choosing Regenerate keys for a user and downloading the new keys as described in the Usage section above. +

+
+
+
+
+ + + + +
+ + diff --git a/website/EN/apps.html b/website/EN/apps.html index d6ba427d..843c3e34 100644 --- a/website/EN/apps.html +++ b/website/EN/apps.html @@ -3,10 +3,10 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + - + -
-

CryptPad

-
+
+

CryptPad

+

Collaborate on editing documents, presentations and source code, or vote on things. All with a good level of security.

@@ -276,9 +276,9 @@ Collaborate on editing documents, presentations and source code, or vote on thin

-
-

DLNA

-
+
+

DLNA

+

Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.

@@ -288,9 +288,9 @@ Enables you to use the system as a music server which any DLNA compatible device

-
-

Dokuwiki

-
+
+

Dokuwiki

+

A databaseless wiki system.

@@ -300,9 +300,9 @@ A databaseless wiki system.

-
-

Emacs

-
+
+

Emacs

+

If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.

@@ -312,9 +312,9 @@ If you use the Mutt client to read your email then this will set it up to use em

-
-

Etherpad

-
+
+

Etherpad

+

Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.

@@ -324,9 +324,9 @@ Collaborate on creating documents in real time. Maybe you're planning a holiday

-
-

Friendica

-
+
+

Friendica

+

Federated social network system.

@@ -336,9 +336,9 @@ Federated social network system.

-
-

Ghost

-
+
+

Ghost

+

Modern looking blogging system.

@@ -348,9 +348,9 @@ Modern looking blogging system.

-
-

GNU Social

-
+
+

GNU Social

+

Federated social network. You can "remote follow" other users within the GNU Social federation.

@@ -360,9 +360,9 @@ Federated social network. You can "remote follow" other users within the

-
-

Gogs

-
+
+

Gogs

+

Lightweight git project hosting system. You can mirror projects from Github, or if Github turns evil then just host your own projects while retaining the familiar fork-and-pull workflow. If you can use Github then you can also use Gogs.

@@ -372,9 +372,9 @@ Lightweight git project hosting system. You can mirror projects from Github, or

-
-

HTMLy

-
+
+

HTMLy

+

Databaseless blogging system. Quite simple and with a markdown-like format.

@@ -384,9 +384,9 @@ Databaseless blogging system. Quite simple and with a markdown-like format.

-
-

Hubzilla

-
+
+

Hubzilla

+

Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.

@@ -396,9 +396,9 @@ Web publishing platform with social network like features and good privacy contr

-
-

IRC Server (ngirc)

-
+
+

IRC Server (ngirc)

+

Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.

@@ -408,18 +408,18 @@ Run your own IRC chat channel which can be secured with a password and accessibl

-
-

Jitsi Meet

-
+
+

Jitsi Meet

+

Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.

-
-

KanBoard

-
+
+

KanBoard

+

A simple kanban system for managing projects or TODO lists.

@@ -429,9 +429,9 @@ A simple kanban system for managing projects or TODO lists.

-
-

Key Server

-
+
+

Key Server

+

An OpenPGP key server for storing and retrieving GPG public keys.

@@ -441,9 +441,9 @@ An OpenPGP key server for storing and retrieving GPG public keys.

-
-

Koel

-
+
+

Koel

+

Access your music collection from any internet connected device.

@@ -453,9 +453,9 @@ Access your music collection from any internet connected device.

-
-

Lychee

-
+
+

Lychee

+

Make your photo albums available on the web.

@@ -465,9 +465,9 @@ Make your photo albums available on the web.

-
-

Mailpile

-
+
+

Mailpile

+

Modern email client which supports GPG encryption.

@@ -477,9 +477,9 @@ Modern email client which supports GPG encryption.

-
-

Matrix

-
+
+

Matrix

+

Multi-user chat with some security and moderation controls.

@@ -489,9 +489,9 @@ Multi-user chat with some security and moderation controls.

-
-

Mediagoblin

-
+
+

Mediagoblin

+

Publicly host video and audio files so that you don't need to use YouTube/Vimeo/etc.

@@ -501,9 +501,9 @@ Publicly host video and audio files so that you don't need to use YouTube/Vimeo/

-
-

Mumble

-
+
+

Mumble

+

The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.

@@ -513,9 +513,9 @@ The popular VoIP and text chat system. Say goodbye to old-fashioned telephony co

-
-

NextCloud

-
+
+

NextCloud

+

Store files on your server and sync them with laptops or mobile devices. Includes many plugins including videoconferencing and collaborative document editing.

@@ -525,9 +525,9 @@ Store files on your server and sync them with laptops or mobile devices. Include

-
-

PI-Hole

-
+
+

PI-Hole

+

The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.

@@ -537,9 +537,9 @@ The black hole for web adverts. Block adverts at the domain name level within yo

-
-

PostActiv

-
+
+

PostActiv

+

An alternative federated social networking system compatible with GNU Social. It includes some optimisations and fixes currently not available within the main GNU Social project.

@@ -549,9 +549,9 @@ An alternative federated social networking system compatible with GNU Social. It

-
-

Profanity

-
+
+

Profanity

+

A shell based XMPP client which you can run on the Freedombone server via ssh.

@@ -561,9 +561,9 @@ A shell based XMPP client which you can run on the Freedombone server via ssh.

-
-

Riot Web

-
+
+

Riot Web

+

A browser based user interface for the Matrix federated communications system, including WebRTC audio and video chat.

@@ -573,9 +573,9 @@ A browser based user interface for the Matrix federated communications system, i

-
-

SearX

-
+
+

SearX

+

A metasearch engine for customised and private web searches.

@@ -585,9 +585,9 @@ A metasearch engine for customised and private web searches.

-
-

tt-rss

-
+
+

tt-rss

+

Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "the right to read" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.

@@ -597,9 +597,9 @@ Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via a

-
-

Syncthing

-
+
+

Syncthing

+

Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.

@@ -609,9 +609,9 @@ Possibly the best way to synchronise files across all of your devices. Once it h

-
-

Tahoe-LAFS

-
+
+

Tahoe-LAFS

+

Robust and encrypted storage of files on one or more server.

@@ -621,9 +621,9 @@ Robust and encrypted storage of files on one or more server.

-
-

Tox

-
+
+

Tox

+

Client and bootstrap node for the Tox chat/VoIP system.

@@ -633,9 +633,9 @@ Client and bootstrap node for the Tox chat/VoIP system.

-
-

Turtl

-
+
+

Turtl

+

A system for privately creating and sharing notes and images, similar to Evernote but without the spying.

@@ -645,18 +645,30 @@ A system for privately creating and sharing notes and images, similar to Evernot

-
-

Vim

-
+
+

Vim

+

If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.

-
-

XMPP

-
+
+

Virtual Private Network (VPN)

+
+

+Set up a VPN on your server so that you can bypass local internet censorship. +

+ +

+How to use it +

+
+
+
+

XMPP

+

Chat server which can be used together with client such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as client state notification to save battery power on your mobile devices, support for seamless roaming between networks and message carbons so that you can receive the same messages while being simultaneously logged in to your account on more than one device.

From 0359de62c1901c447d27b8e45d9d859cf6aae26f Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 27 Sep 2017 17:58:18 +0100 Subject: [PATCH 62/62] Mention TLS wrapper --- doc/EN/app_vpn.org | 2 ++ website/EN/app_vpn.html | 34 +++++++++++++++++++--------------- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/doc/EN/app_vpn.org b/doc/EN/app_vpn.org index d25c3e0c..0d991799 100644 --- a/doc/EN/app_vpn.org +++ b/doc/EN/app_vpn.org @@ -24,6 +24,8 @@ A Virtual Private Network (VPN) allows you to move your internet traffic to a di Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser. +On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity. + * Installation ssh into the system with: diff --git a/website/EN/app_vpn.html b/website/EN/app_vpn.html index 59283898..566214c0 100644 --- a/website/EN/app_vpn.html +++ b/website/EN/app_vpn.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + @@ -262,9 +262,13 @@ A Virtual Private Network (VPN) allows you to move your internet traffic to a di Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.

-
-

Installation

-
+

+On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity. +

+ +
+

Installation

+

ssh into the system with:

@@ -284,9 +288,9 @@ Only use ports 443 or 80 for VPN as an absolute last resort, since doing
-
-

Usage

-
+
+

Usage

+

When the installation is complete you can download your VPN keys and configuration files onto your local machine.

@@ -331,9 +335,9 @@ You should see a series of messages with "Initialization Sequence Completed
-
-

Changing port number

-
+
+

Changing port number

+

Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.

@@ -344,16 +348,16 @@ Avoiding censorship can be a cat and mouse game, and so if the port you're using

-Select Administrator controls then App Settings then vpn. Choose Change TLS port and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the Usage section above. +Select Administrator controls then App Settings then vpn. Choose Change TLS port and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the Usage section above.

-
-

Generating new keys

-
+
+

Generating new keys

+

-It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the Administrator controls by going to App Settings then vpn then choosing Regenerate keys for a user and downloading the new keys as described in the Usage section above. +It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the Administrator controls by going to App Settings then vpn then choosing Regenerate keys for a user and downloading the new keys as described in the Usage section above.