
openvpn-install's People

Contributors

angrysnarl, hcartiaux, hhktony, iprodigy, kcchouette, nyr, peterdavehello, randshell, redorkulated, sorcun, tpwo, valdikss


openvpn-install's Issues

No certificate created for user "peter"

If I run the script and select "1" to add a new user with name "peter" no certificate is added to the ovpn file.

Output:

1) Add a cert for a new user
2) Revoke existing user cert
3) Remove OpenVPN
4) Exit

Select an option [1-4]: 1

Tell me a name for the client cert
Please, use one word only, no special characters
Client name: peter
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Using Common Name: peter
Generating a 2048 bit RSA private key
............................................................................................................+++
...............+++
writing new private key to 'peter.key'
-----
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'peter'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jun 26 07:06:29 2025 GMT (3650 days)
failed to update database
TXT_DB error number 2

Client peter added, certs available at ~/peter.ovpn


-----END CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
-----BEGIN PRIVATE KEY-----

I've tried to remove it first, as well as deleting the files manually.

Creating other users does not lead to the same problem.

Problem with LowEndSpirit Server.

Hi, I'm running this script successfully on Linode but I can't get it to work for LES.

I can connect to the server but I can't browse/ping anything on my mac after that.
I can't find anything in my syslog or the openvpn-status.log

I tried this with Debian, Ubuntu12/14 with no success.

Server with 8192 bit key?

Would it be possible to adapt this script to work with 8192 bit keys, or prompt for a key size out of several sizes? (1024, 2028, 4096, 8192)

Option to upgrade existing openvpn installation

It would be nice if you could run the script on an existing OpenVPN installation, check for any available upgrades and install them if it finds any.

This would be beneficial especially after the Heartbleed vulnerability.

TLS Negotiation Failed

I'm installing the OpenVPN server on CentOS 6 64 bit, and then trying to connect via Windows 8.1 OpenVPN client v2.3.7 (latest as of this writing), but it kept failing during TLS negotiation.

I have turned off every firewall (Windows Firewall and iptables) as well as the SPI firewall on the router, but it is still unavailable.

I have another OpenVPN AS server on a different server and this same Windows PC can connect to it, so I assume this isn't a problem within the PC at all. Any advice is welcome...

Password

The possibility of creating a password would be welcome ;)

Can't connect to websites

I can connect to the server, but no websites load; it all times out. I ran the installer like the readme said.

.ovpn file creation

Hi! Great work!

On Android clients at least, it helps to have a .ovpn file which is the conf file, plus inline ca.crt, key, and client cert files (and remove the reference to them as external files.)

If I rig something up for this, would you be interested?

ca.crt should be renamed

The ca.crt generated should also be renamed to something with a unique filename. Otherwise, copying it to the config directory on Windows leads to overwriting the file of other configurations.

Also, I have modified the script to make a duplicate of the .conf file, named as .ovpn, which is the Windows counterpart.

Kudos on the great work.

Logs kept by OpenVPN?

Just curious if there was any way to make sure OpenVPN never logs anything (DNS, IP addresses, time stamps, etc). If so, the script could be adjusted to ask the user if they want to disable all logging?

Just a thought.

Server to Multi host

Hey,

Does this script install and configure the openvpn as server to multiple clients?

Thanks,

[enhancement] add option to generate separate ca.crt, client.crt, client.key files

Hi,

This is a feature request. Given this bug in NetworkManager, importing the configuration file (e.g. client.ovpn) into NetworkManager on Linux does not work.

The idea is to add an option/request in the script to have all the files already separated.

A workaround

Hoping that this is useful to others, here's a quick manual workaround.
The workaround is to manually copy-paste the certificates from the configuration file to the respective ca.crt, client.crt and client.key files.
In practice (do not copy the tags, only what is inside):

  • everything that is inside <ca>...</ca> -> ca.crt
  • everything that is inside <cert>...</cert> -> client.crt
  • everything that is inside <key>...</key> -> client.key

Then add to the config file (client.ovpn) the following lines after the corresponding commented paragraph:

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert wash.crt
key wash.key

(and of course one can delete everything between the tags <ca></ca>, <cert></cert>, <key></key> tags in the original client.ovpn).

At this point you can successfully import the configuration in NetworkManager.
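The split described above, as an added POSIX shell example rather than anything from openvpn-install itself. It extracts the three inline blocks into files named after the client (so two profiles copied into the same directory do not overwrite each other's ca.crt, the point raised a few issues earlier), rewrites the profile with `ca`/`cert`/`key` directives, and drops CR characters while reading so a profile that passed through a Windows editor still splits cleanly. The sample profile, the client name `wash` and the placeholder PEM bodies are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example (not part of openvpn-install): split the inline <ca>, <cert>
# and <key> blocks of a client .ovpn into separate files and rewrite the
# profile to reference them.

# split_ovpn SRC OUTDIR NAME
#   OUTDIR/NAME-ca.crt, OUTDIR/NAME.crt, OUTDIR/NAME.key  <- the inline blocks
#   OUTDIR/NAME.ovpn  <- SRC with the blocks replaced by ca/cert/key directives
split_ovpn() {
    src="$1"; out="$2"; name="$3"
    mkdir -p "$out"
    for tag in ca cert key; do
        case "$tag" in
            ca)   dest="$out/$name-ca.crt" ;;
            cert) dest="$out/$name.crt" ;;
            key)  dest="$out/$name.key" ;;
        esac
        # copy the lines strictly between <tag> and </tag>; the tags are excluded
        tr -d '\r' < "$src" | awk -v t="$tag" '
            $0 == "<" t ">"  { inblk = 1; next }
            $0 == "</" t ">" { inblk = 0 }
            inblk' > "$dest"
    done
    chmod 600 "$out/$name.key"
    # drop the inline blocks and append file references instead
    tr -d '\r' < "$src" | awk '
        /^<(ca|cert|key)>$/   { skip = 1; next }
        /^<\/(ca|cert|key)>$/ { skip = 0; next }
        !skip' > "$out/$name.ovpn"
    printf 'ca %s-ca.crt\ncert %s.crt\nkey %s.key\n' "$name" "$name" "$name" >> "$out/$name.ovpn"
}

# split_is_sane OUTDIR NAME -> 0 when each extracted file starts and ends with PEM markers
split_is_sane() {
    for f in "$2-ca.crt" "$2.crt" "$2.key"; do
        head -n 1 "$1/$f" | grep -q '^-----BEGIN ' || return 1
        tail -n 1 "$1/$f" | grep -q '^-----END '   || return 1
    done
    return 0
}

# make_sample_ovpn PATH: constructed profile with placeholder PEM bodies (not real keys)
make_sample_ovpn() {
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote vpn.example.invalid 1194' \
        '<ca>' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' '</ca>' \
        '<cert>' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT-CERT' '-----END CERTIFICATE-----' '</cert>' \
        '<key>' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' '</key>' > "$1"
}

# Demonstration on the constructed sample
demo_dir="$(mktemp -d)"
make_sample_ovpn "$demo_dir/client.ovpn"
split_ovpn "$demo_dir/client.ovpn" "$demo_dir/out" wash
ls "$demo_dir/out"
cat "$demo_dir/out/wash.ovpn"
```

Run it as `split_ovpn ~/client.ovpn ~/vpn-files wash` against a real profile; the rewritten `wash.ovpn` and the three files go together into the same directory, and the private key is left readable only by its owner.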

--no-check-certificate kind of defeats the purpose :-)

I really like the idea, but why do you use --no-check-certificate? Downloading something from the Internet and executing it straight away is scary, but not checking the SSL certificates while doing so is really dangerous. Should not be necessary, no?

problem with the script

Hello,
I encounter many problems with your script. I did something wrong this morning, and so I wanted to reinstall the script but I am having errors. At the beginning of the script, I get errors like "
openvpn-install.sh: 9: openvpn-install.sh: [[: not found
openvpn-install.sh: 15: openvpn-install.sh: [[: not found
openvpn-install.sh: 21: openvpn-install.sh: [[: not found
openvpn-install.sh: 48: openvpn-install.sh: [[: not found
openvpn-install.sh: 53: openvpn-install.sh: [[: not found "
or "openvpn-install.sh 154: read: Illegal -e"
Can you help me?
Best Regards

can't find client.gz file

At the end it says "Your client config is available at ~/ovpn-$CLIENT.tar.gz" but when I cd ~/, there is nothing there. pls help!

Or is it possible to change the destination of ovpn-$CLIENT.tar.gz file?

Thanks!

Using existing cert name for new cert

When creating a new cert with a name previously used, the new cert generated cannot connect. This could probably be fixed with a quick check to see if the name has already been used.

Hey!

Yo,

I really love your script! Seriously! At last, I won't be using OpenVPN's Access Client, which has a 2 concurrent connections limit. Really, thanks.

Have an awesome day! Also, I hope your script is compatible with CentOS :)

Issue with selecting additional port 53 during setup

First off, loving this tool!

During a recent setup I opted to use port 53 in addition to 1194:

Do you want OpenVPN to be available at port 53 too?
This can be useful to connect under restrictive networks
Listen at port 53 [y/n]: y

When I downloaded the .ovpn profile I wasn't able to connect, so I took a look at open ports on the server

root@crain:~# netstat -ltnup
Proto Recv-Q Send-Q Local Address   Foreign Address    State   PID/Program name
shh-ports blah blah blah ...
udp    0   0 0.0.0.0:53    0.0.0.0:*      922/openvpn

It looks like port 1194 isn't attached to anything, but I took a look from my computer just to make sure.

echo -e "\x38\x01\x00\x00\x00\x00\x00\x00\x00" | nc -w 10 -u server.ip 1194 | cat -v

And no response came back; when 'pinging' OpenVPN it should output something like @??e?tg]T^@^@^@^@^@@.....

I'd love to have both ports working, is there anything else I can do to help debug this issue?

Here's my test system info

root@crain:~# lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:    14.04
Codename:   trusty

Thanks again!

Warn when /usr/share/doc/openvpn missing

My server had the file /etc/dpkg/dpkg.cfg.d/01_nodoc which contained ignore rules for the /usr/share/doc directory. Seems like digitalocean added that file.

This script failed with

./vpn: line 239: cd: /usr/share/doc/openvpn*/*ample*/sample-config-files: No such file or directory
gzip: server.conf.gz: No such file or directory
cp: cannot stat ‘server.conf’: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory

I think a check if that folder exists with a message about the possible cause would be helpful

Also, it might make sense to add `set -e` to the beginning of the script.

UFW Support

It took me a while to figure out that additional configuration is required to get OpenVPN working with UFW enabled. You may want to consider adding an FAQ into the README with the following steps.

[The following steps are borrowed from How To Set Up an OpenVPN Server on Ubuntu 14.04]

This tutorial will use OpenVPN over UDP, so ufw must also allow UDP traffic over port 1194. [Set this to your preferred port]

ufw allow 1194/udp

The ufw forwarding policy needs to be set as well. We'll do this in ufw's primary configuration file.

vim /etc/default/ufw

Look for DEFAULT_FORWARD_POLICY="DROP". This must be changed from DROP to ACCEPT. It should look like this when done:

DEFAULT_FORWARD_POLICY="ACCEPT"

Next we will add additional ufw rules for network address translation and IP masquerading of connected clients.

vim /etc/ufw/before.rules

Add the lines between # START OPENVPN RULES and # END OPENVPN RULES to make the top of your before.rules file look like below.

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0] 
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter

With the changes made to ufw, we can now enable it. Enter into the command prompt:

ufw reload

Windows 7 gives a bad base64 error

When using the generated .ovpn file on Windows I got the following error: PEM_read_bio:bad base64 encode

I have googled around a lot and it seems that some people got this error because of line endings not being Unix. I have done everything that was suggested and cannot fix the encoding. Really stuck on what to do about this one.

iptables issue?

Thanks for the great script! Seems to work great on my Ubuntu 14.04 server.

However, I'm not able to connect to the server using OpenVPN. I think it is an iptables problem. Here's my output for: iptables -L -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
11158  743K fail2ban-ssh  tcp  --  any    any     anywhere             anywhere             multiport dports ssh
 4513  476K ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
75723  109M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
 2158  119K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    3   140 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
  193 11180 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
  675 41193 LOG        all  --  any    any     anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
    0     0 ACCEPT     all  --  any    any     nb-96-126-119-66.dallas.nodebalancer.linode.com  anywhere
  713 43313 DROP       all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tap+   any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     10.8.0.0/24          anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
    0     0 ACCEPT     all  --  tap+   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
74475   17M ACCEPT     all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             nb-96-126-119-66.dallas.nodebalancer.linode.com

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
10981  731K RETURN     all  --  any    any     anywhere             anywhere

Any suggestions on how to deal with this issue?

Could not find xxx.ovpn

The message I got is:

Write out database with 1 new entries
Data Base Updated

Client xxxx added, certs available at ~/xxxx.ovpn

But when I try to find it, I get

cannot access /home/xxx/xxxx.ovpn: No such file or directory

Thank you very much

Easy-RSA V3 - Possible ?

Hello Nyr,

very nice script, thank you very much!!
Is it possible to change the script to RSA v3 or is there any issue with it?

Thank you very much!

Best regards!

No IP change after connecting to the VPN

Hello,

I used your older script from May 14 and everything worked great. Today I reinstalled my VPS (LowEndSpirit UK Location) and I would like to set up a VPN again with your script. The installation works great and I can connect to the VPN via OpenVPN. But my IP doesn't change. I tried different browsers and different sites (utrace.de, whoer.net ...).

My system:
Windows 7 Ultimate x64
OpenVPN (newest version)
started as admin

My VPS:
Debian 6.0.7 32 bit (newest version)
minimal image from LowEndSpirit = nothing else is running

Thanks for your help in advance :)

Set Sane Default Security Settings

This is a neat little script. It would be great if it set up some hardened security defaults out of the box. For example:

  • limit accepted encryption ciphers to say AES 128 CBC [or 256]
  • Limit and order TLS cipher preferences
  • Set a TLS auth shared key

There are probably other hardening things that should be done out of the box as well, but I'm not a security expert. These turned up as acceptable starts from my searching around:

ciphers: AES-128-CBC:AES-192-CBC:AES-256-CBC
auth: SHA256:SHA1
tls-ciphers: DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
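One way to apply a hardened baseline to server.conf, added here as an example; it is not the project's code and the directive values are this example's choice, to be adjusted to the clients that must be supported. It edits the file idempotently (replace an existing directive, otherwise append it), the same sed-on-server.conf approach the installer itself uses. Note that OpenVPN's `tls-cipher` takes IANA-style suite names such as TLS-DHE-RSA-WITH-AES-256-GCM-SHA384, not the OpenSSL names listed in the request above. `tls-auth ta.key 0` assumes a `ta.key` created with `openvpn --genkey --secret ta.key`; the sample server.conf is constructed.

```shell
#!/bin/sh
# Added example (not part of openvpn-install): apply a fixed set of hardening
# directives to an OpenVPN server.conf without duplicating lines on re-runs.

# set_directive FILE KEY VALUE: replace an existing "KEY ..." line or append one
set_directive() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^$key " "$file"; then
        sed "s|^$key .*|$key $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_server_conf FILE: values chosen for this example, not the project's defaults
harden_server_conf() {
    set_directive "$1" cipher AES-256-CBC      # data channel cipher
    set_directive "$1" auth SHA256             # data channel HMAC
    set_directive "$1" tls-version-min 1.2     # refuse TLS 1.0 and 1.1
    # control channel: forward-secret AEAD suites only (IANA names, as OpenVPN expects)
    set_directive "$1" tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
    # HMAC-sign every control packet with a pre-shared key; clients use direction 1
    set_directive "$1" tls-auth "ta.key 0"
}

# directive_value FILE KEY -> prints the value of KEY (empty if absent)
directive_value() {
    sed -n "s|^$2 ||p" "$1" | head -n 1
}

# Demonstration on a constructed server.conf that still carries OpenVPN 2.3's
# default data channel cipher, BF-CBC (Blowfish)
conf="$(mktemp)"
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'cipher BF-CBC' 'keepalive 10 120' > "$conf"
harden_server_conf "$conf"
cat "$conf"
```

Whatever is set here has to match on the client side: the client profile needs the same `cipher` and `auth` lines and the key from `ta.key` (as a file with `tls-auth ta.key 1`, or inline in a `<tls-auth>` block together with `key-direction 1`), otherwise the TLS handshake fails in exactly the way the "TLS Negotiation Failed" report above describes.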

No Browsing during VPN

I installed OpenVPN but when I connect there is no browsing. I can't do anything on the internet.
Please give me the solution.
Thanks

Fails to start on debian (serverSIOCSIFADDR: No such device)

Hi,

Thanks for this script, but it seems that every time I attempt to start it on Debian 7, kernel 3.2.0-4-amd64, I get the following error:

[FAIL] VPN 'server' is not running ... failed!
sherief@PersonalServer:~$ sudo service openvpn start
[....] Starting virtual private network daemon: serverSIOCSIFADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFDSTADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFMTU: No such device
 failed!

client share does not work.

Hi, congrats, it is a very nice script, very useful.

I have a problem,

I try to share a directory from the server with the clients in a mixed environment: the server is cloud Linux, the remote clients are Windows and Mac; I installed and configured Samba.

I used the script to configure OpenVPN and answered y about sharing between clients. I can connect with every client but I can't view the server; it doesn't appear in the network list, and I can't search for or connect to the Samba directory.

can you help me?

problem in getting it work

Hello there sir, I installed your script on my server, and everything seems to be fine.
The only problem is when I open OpenVPN and connect via my server,
the IP of my computer is still the same, not to mention that I have another server from another company that came with OpenVPN installed and it works just fine.

Use with CA signed certificate

This script is superb! Best way to get OpenVPN running for sure but I'm wondering which steps would be required to get OpenVPN working with a properly signed certificate.

Adding port 53 to default client.conf?

Hello Nyr, firstly thank you for a great script.

When I run the script and select that the alternate port 53 to be configured, it appears that there is no command to add the entry into the default client.conf file. So when the client profile is created the IP and port 53 are missing from the file.

Are you able to replicate this?

My server is:
CentOS Linux release 7.1.1503 (Core)
Linux C7-OVPN.localdomain 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18

Thank you,

ZT

Client password without 'in-line' certificates

Forgive me if this has already been done but is there a fork that uses a .ovpn file with a client password but without the certificate files required... So I only need to import the .ovpn and enter the password.

Thanks in advance

Headless install

It would be cool to have a non-interactive version of this script that will make sure openvpn is running & configured if it isn't, and allocate an initial user.

IPV6

Hello! Great work buddy ! But what about IPV6 ?
I'm using DO so they have IPV6, I think it will be AWESOME to have IPV6 with it.

.ovpn file extension

hey.

In Windows, OpenVPN GUI expects .ovpn files in the configuration directory.

You give out a .conf file as the configuration file. It would be nice to have the same file with the .ovpn extension for ease of use for Windows OpenVPN GUI users.

thanks.

Documentation on how to connect

I just ran the script and can confirm that I am running something on port 1194, but I can't really figure how to connect. It looks like I need to get a certificate somewhere?

Script seems to work well, I am just confused about where to go after running it. Googling for it yields a ton of information and I am not sure what applies to what this script setup.

What kind of VPN is set up, PPTP? What would the username/password be, etc...

As a side note, I am trying to connect from an android phone, perhaps that isn't supported without some third party apps?

won't create a certificate if client name has a "space"

In Linux, doing something like "cd Hey You" won't work; it will tell you no such file or directory, same with files.
If you want it to work you'll have to use "cd Hey\ You".
Same when a client enters a name that has a space in it, let's say "Yaseen Eltii":
it will say Finished but you won't find a .cert file. You should add a note there :))
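The two pre-checks these reports ask for, written as an added POSIX shell example that is not part of openvpn-install: reject a client name containing spaces or special characters (the report just above, and the script's own "one word only" prompt), and refuse a name whose CN already has a valid certificate (the "Using existing cert name for new cert" report; this is also what the "failed to update database / TXT_DB error number 2" in the first issue on this page is, openssl refusing a second valid entry for the same subject while the script still prints "Client peter added"). It assumes easy-rsa's tab-separated index.txt layout (status, expiry, revocation date, serial, filename, subject); the index used here is constructed with hypothetical entries.

```shell
#!/bin/sh
# Added example (not part of openvpn-install): validation to run before a
# client name is handed to easy-rsa's build-key.

# valid_client_name NAME -> 0 if NAME is one word of letters, digits, _ or -
valid_client_name() {
    case "$1" in
        '')                return 1 ;;   # empty
        *[!A-Za-z0-9_-]*)  return 1 ;;   # space or any other special character
        *)                 return 0 ;;
    esac
}

# client_name_in_use NAME INDEX -> 0 if INDEX holds a still-valid ("V") entry
# whose subject contains /CN=NAME. Revoked ("R") entries do not count: after a
# revocation the CN can be issued again.
client_name_in_use() {
    awk -F'\t' -v cn="$1" '
        $1 == "V" {
            n = split($6, parts, "/")
            for (i = 1; i <= n; i++) if (parts[i] == "CN=" cn) found = 1
        }
        END { exit (found ? 0 : 1) }' "$2"
}

# check_client_request NAME INDEX -> 0 and "ok", or 1 and the reason
check_client_request() {
    if ! valid_client_name "$1"; then
        echo "rejected '$1': use one word only, no spaces or special characters"
        return 1
    fi
    if client_name_in_use "$1" "$2"; then
        echo "rejected '$1': a valid certificate with this CN already exists"
        return 1
    fi
    echo "ok '$1'"
}

# Constructed sample of easy-rsa's index.txt (tab separated: status, expiry,
# revocation date, serial, filename, subject). Entries are hypothetical.
SAMPLE_INDEX="$(mktemp)"
printf 'V\t250626070629Z\t\t01\tunknown\t/C=US/ST=CA/O=Fort-Funston/CN=server/name=EasyRSA\n' >> "$SAMPLE_INDEX"
printf 'V\t250626070629Z\t\t02\tunknown\t/C=US/ST=CA/O=Fort-Funston/CN=peter/name=EasyRSA\n' >> "$SAMPLE_INDEX"
printf 'R\t250626070629Z\t150701120000Z\t03\tunknown\t/C=US/ST=CA/O=Fort-Funston/CN=alice/name=EasyRSA\n' >> "$SAMPLE_INDEX"

# Demonstration: peter is taken, alice was revoked and is free again, bob is new,
# and a name with a space is rejected before easy-rsa ever sees it
for n in peter alice bob "Yaseen Eltii"; do
    check_client_request "$n" "$SAMPLE_INDEX" || true
done
```

With easy-rsa 2.x the live index is `/etc/openvpn/easy-rsa/2.0/keys/index.txt`, so the call in the installer would be `check_client_request "$CLIENT" /etc/openvpn/easy-rsa/2.0/keys/index.txt` right after the name prompt. Matching on the whole `CN=` component rather than a substring matters: `peter` must not be reported as taken because `peter2` exists.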

OVPN File

Thanks for the great script Nyr. It is quite embarrassing to have to ask this question, but I can't find the .ovpn file anywhere. I have done a file scan of my whole system but can't find the file anywhere. Can you please advise where the script has copied the .ovpn file to? It's definitely not in /etc/openvpn/easy-rsa/2.0/keys.

Cheers

Add IPv6 support

First a compliment: thanks for this amazing script, it just makes my life so much easier.

So I'm running a DigitalOcean VPS with IPv6. After doing some looking online, I've realized this is pretty difficult to do. How I propose this can be added, since not everyone has IPv6, is to add it to the list of things to do after installing OpenVPN. It could also be done only if the machine OpenVPN is being installed on has IPv6 during installation.
