nyr / openvpn-install
OpenVPN road warrior installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora
License: MIT License
Yo,
I really love your script! Seriously! At last. I won't be using OpenVPN's Access Client that has a 2 concurrent connection limit. Really, thanks.
Have an awesome day! Also, I hope your script is compatible with CentOS :)
Hello Nyr,
very nice script, thank you very much!!
Is it possible to change the script to RSA v3 or is there any issue with it?
Thank you very much!
Best regards!
Hi, I'm running this script successfully on Linode but I can't get it to work for LES.
I can connect to the server but I can't browse/ping anything on my mac after that.
I can't find anything in my syslog or the openvpn-status.log
I tried this with Debian, Ubuntu12/14 with no success.
Seems the $6.99 offer is "out of stock", cheapest is now $9.99/y.
Thanks for the great script Nyr. It is quite embarrassing to have to ask this question, but I can't find the .ovpn file anywhere. I have done a file scan of my whole system but can't find the file anywhere. Can you please advise where the script has copied the .ovpn file to? It's definitely not in /etc/openvpn/easy-rsa/2.0/keys.
Cheers
The possibility of creating a password would be welcome;)
The ca.crt generated also should be renamed to something with a unique filename. Otherwise, copying it to the config directory on Windows leads to overwriting the file of other configurations.
Also, I have modified the script to make a duplicate of the .conf file, named as .ovpn, which is the Windows counterpart.
Kudos on the great work.
The message I got is:
Write out database with 1 new entries
Data Base Updated
Client xxxx added, certs available at ~/xxxx.ovpn
But if I tried to find it, I got
cannot access /home/xxx/xxxx.ovpn: No such file or directory
Thank you very much
Hi
Amazing script.... awesome.... really loved it... Could you add support for selection of UDP or TCP?
This script is superb! Best way to get OpenVPN running for sure but I'm wondering which steps would be required to get OpenVPN working with a properly signed certificate.
This is not an issue, but a suggestion.
How hard is it to make it work with non-Debian distros?
Hi! Great work!
On Android clients at least, it helps to have a .ovpn file which is the conf file, plus inline ca.crt, key, and client cert files (and remove the reference to them as external files.)
If I rig something up for this, would you be interested?
I need to add a user name and password for user to be able to connect instead of using the certificate. What changes are required?
When creating a new cert with a name previously used, the new cert generated cannot connect. This could probably be fixed with a quick check to see if the name has already been used.
When using the generated .ovpn file on Windows I got the following error: PEM_read_bio:bad base64 encode
I have googled around a lot and it seems that some people got this error because of line endings not being Unix. I have done everything that was suggested and cannot fix the encoding. Really stuck on what to do about this one.
At the end it says "Your client config is available at ~/ovpn-$CLIENT.tar.gz" but when I cd ~/, there is nothing there. pls help!
Or is it possible to change the destination of ovpn-$CLIENT.tar.gz file?
Thanks!
Hello,
First, thanks for your great script! But the new installation command doesn't work:
wget http://git.io/vpn; ./openvpn-install.sh
Error:
-bash: ./openvpn-install.sh: No such file or directory
There is just one file vpn. So you have to use the old way:
wget https://raw.github.com/Nyr/openvpn-install/master/openvpn-install.sh; chmod +x openvpn-install.sh; ./openvpn-install.sh
Tested on debian 6.0 32 bit.
Regards,
I just ran the script and can confirm that I am running something on port 1194, but I can't really figure how to connect. It looks like I need to get a certificate somewhere?
Script seems to work well, I am just confused about where to go after running it. Googling for it yields a ton of information and I am not sure what applies to what this script setup.
What kind of VPN is set up, PPTP? What would the username/password be, etc...
As a side note, I am trying to connect from an android phone, perhaps that isn't supported without some third party apps?
Hello,
I encounter many problems with your script. I did something wrong this morning, and so I wanted to reinstall the script but I am having errors. At the beginning of the script, I get errors like:
openvpn-install.sh: 9: openvpn-install.sh: [[: not found
openvpn-install.sh: 15: openvpn-install.sh: [[: not found
openvpn-install.sh: 21: openvpn-install.sh: [[: not found
openvpn-install.sh: 48: openvpn-install.sh: [[: not found
openvpn-install.sh: 53: openvpn-install.sh: [[: not found
or:
openvpn-install.sh 154: read: Illegal -e
Can you help me?
Best Regards
In Linux, doing something like "cd Hey You" won't work; it will tell you "no such file or directory". Same with files.
If you want it to work you'll have to use "cd Hey\ You".
Same when a client enters a name that has a space in it, let's say "Yaseen Eltii":
it will say Finished but you won't find a .cert file. You should add a note there :))
I really like the idea, but why do you use --no-check-certificate? Downloading something from the Internet and executing it straight away is scary, but not checking the SSL certificates while doing so is really dangerous. Should not be necessary, no?
Hello Nyr, firstly thank you for a great script.
When I run the script and select that the alternate port 53 to be configured, it appears that there is no command to add the entry into the default client.conf file. So when the client profile is created the IP and port 53 are missing from the file.
Are you able to replicate this?
My server is:
CentOS Linux release 7.1.1503 (Core)
Linux C7-OVPN.localdomain 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18
Thank you,
ZT
Hello,
I used your older script from May 14 and everything worked great. Today I reinstalled my VPS (LowEndSpirit UK Location) and I would like to set up a VPN again with your script. The installation works great and I can connect to the VPN via OpenVPN. But my IP doesn't change. I tried different browsers and different sites (utrace.de, whoer.net ...).
My system:
Windows 7 Ultimate x64
OpenVPN (newest version)
started as admin
My VPS:
Debian 6.0.7 32 bit (newest version)
minimal image from LowEndSpirit = nothing else is running
Thanks for your help in advance :)
It would be nice if you can run the script on an existing OpenVPN installation and check for any available upgrades and install if it finds one.
This would be beneficial especially after the Heartbleed vulnerability.
I installed OpenVPN but when I connect there is no browsing. I can't do anything on the internet.
Please give me the solution.
Thanks
If I run the script and select "1" to add a new user with name "peter" no certificate is added to the ovpn file.
Output:
1) Add a cert for a new user
2) Revoke existing user cert
3) Remove OpenVPN
4) Exit
Select an option [1-4]: 1
Tell me a name for the client cert
Please, use one word only, no special characters
Client name: peter
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Using Common Name: peter
Generating a 2048 bit RSA private key
............................................................................................................+++
...............+++
writing new private key to 'peter.key'
-----
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName :PRINTABLE:'peter'
name :PRINTABLE:'EasyRSA'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jun 26 07:06:29 2025 GMT (3650 days)
failed to update database
TXT_DB error number 2
Client peter added, certs available at ~/peter.ovpn
-----END CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
-----BEGIN PRIVATE KEY-----
I've tried to remove it first, as well as deleting the files manually.
Creating other users does not lead to the same problem.
Hi,
Thanks for this script, but it seems that every time I attempt to start it on Debian 7 kernel 3.2.0-4-amd64 I get the following error:
[FAIL] VPN 'server' is not running ... failed!
sherief@PersonalServer:~$ sudo service openvpn start
[....] Starting virtual private network daemon: serverSIOCSIFADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFDSTADDR: No such device
: ERROR while getting interface flags: No such device
SIOCSIFMTU: No such device
failed!
The script assumes dpkg isn't locked and tries to work normally.
Would it be possible to adapt this script to work with 8192 bit keys, or prompt for a key size out of several sizes? (1024, 2028, 4096, 8192)
How can I use the ovpn config file to put another server in VPN?
I'm using Ubuntu 14.04...
I'm installing the OpenVPN server on CentOS 6 64 bit, and then trying to connect via Windows 8.1 OpenVPN client v2.3.7 (latest as of this writing), but it kept failing during TLS negotiation.
I have turned off every firewall (Windows Firewall and iptables) as well as the SPI firewall on the router, but it is still unavailable.
I have another OpenVPN AS server on a different server and this same Windows PC can connect to it, so I assume this isn't a problem within the PC at all. Any advice is welcome...
I can connect to the server but no websites load; it all times out. I ran the installer like the readme said.
Just curious if there was any way to make sure OpenVPN never logs anything (DNS, IP addresses, timestamps, etc). If so, the script could be adjusted to ask the user if they want to disable all logging?
Just a thought.
Thanks for the great script! Seems to work great on my Ubuntu 14.04 server.
However, I'm not able to connect to the server using OpenVPN. I think it is a iptables problem. Here's my output for: iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11158 743K fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
4513 476K ACCEPT all -- lo any anywhere anywhere
0 0 REJECT all -- any any anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
75723 109M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
2158 119K ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
3 140 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
193 11180 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
675 41193 LOG all -- any any anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
0 0 ACCEPT all -- any any nb-96-126-119-66.dallas.nodebalancer.linode.com anywhere
713 43313 DROP all -- any any anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tap+ any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 10.8.0.0/24 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tap+ any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
74475 17M ACCEPT all -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere nb-96-126-119-66.dallas.nodebalancer.linode.com
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
10981 731K RETURN all -- any any anywhere anywhere
Any suggestions on how to deal with this issue?
It took me a while to figure out that additional configuration is required to get OpenVPN working with UFW enabled. You may want to consider adding an FAQ into the README with the following steps.
[The following steps are borrowed from How To Set Up an OpenVPN Server on Ubuntu 14.04]
This tutorial will use OpenVPN over UDP, so ufw must also allow UDP traffic over port 1194. [Set this to your preferred port]
ufw allow 1194/udp
The ufw forwarding policy needs to be set as well. We'll do this in ufw's primary configuration file.
vim /etc/default/ufw
Look for DEFAULT_FORWARD_POLICY="DROP". This must be changed from DROP to ACCEPT. It should look like this when done:
DEFAULT_FORWARD_POLICY="ACCEPT"
Next we will add additional ufw rules for network address translation and IP masquerading of connected clients.
vim /etc/ufw/before.rules
Add the lines between # START OPENVPN RULES and # END OPENVPN RULES to make the top of your before.rules file look like below.
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
# Don't delete these required lines, otherwise there will be errors
*filter
With the changes made to ufw, we can now enable it. Enter into the command prompt:
ufw reload
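The steps above as an idempotent shell script (an added example, not part of nyr/openvpn-install or the tutorial quoted above); it takes the file paths as arguments so it can be tried on copies first, and the interface and subnet values are this example's own placeholders.

```shell
# Added example (not part of nyr/openvpn-install or the tutorial quoted above): apply
# the ufw changes described in the steps above idempotently, so running it twice does not
# duplicate the NAT block. The two file paths are arguments so it can be tried on copies
# first; the interface and subnet values are this example's own placeholders.

# set_forward_policy <ufw-defaults-file>: DEFAULT_FORWARD_POLICY="DROP" -> "ACCEPT"
set_forward_policy() {
  awk '/^DEFAULT_FORWARD_POLICY=/ { print "DEFAULT_FORWARD_POLICY=\"ACCEPT\""; next } { print }' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_openvpn_nat <before.rules> <iface> <subnet>: insert the NAT block in front of the
# first "*filter" line, unless the START marker is already present.
# Masquerade only the pool the server hands out (10.8.0.0/24 for this script); the /8 in
# the quoted tutorial would also masquerade every other 10.x network the box can route.
add_openvpn_nat() {
  f="$1"; iface="$2"; subnet="$3"
  if grep -q '^# START OPENVPN RULES' "$f"; then
    echo "NAT block already present in $f"; return 0
  fi
  awk -v iface="$iface" -v subnet="$subnet" '
    /^\*filter$/ && !added {
      print "# START OPENVPN RULES"
      print "# NAT table rules"
      print "*nat"
      print ":POSTROUTING ACCEPT [0:0]"
      print "# Allow traffic from OpenVPN clients out of " iface
      print "-A POSTROUTING -s " subnet " -o " iface " -j MASQUERADE"
      print "COMMIT"
      print "# END OPENVPN RULES"
      added = 1
    }
    { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# make_samples <dir>: constructed copies of the two files for trying the functions offline
make_samples() {
  printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="DROP"\n' > "$1/ufw"
  printf '#\n# rules.before\n#\n*filter\n:ufw-before-input - [0:0]\nCOMMIT\n' > "$1/before.rules"
}

# On the real server (as root) the same functions apply to the live files, followed by
# the port rule and reload from the steps above:
#   set_forward_policy /etc/default/ufw
#   add_openvpn_nat /etc/ufw/before.rules eth0 10.8.0.0/24
#   ufw allow 1194/udp && ufw reload
```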
First off, loving this tool!
During a recent setup I opted to use port 53 in addition to 1194:
Do you want OpenVPN to be available at port 53 too?
This can be useful to connect under restrictive networks
Listen at port 53 [y/n]: y
When I downloaded the .ovpn profile I wasn't able to connect, so I took a look at open ports on the server
root@crain:~# netstat -ltnup
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
shh-ports blah blah blah ...
udp 0 0 0.0.0.0:53 0.0.0.0:* 922/openvpn
It looks like port 1194 isn't attached to anything, but I took a look from my computer just to make sure.
echo -e "\x38\x01\x00\x00\x00\x00\x00\x00\x00" | nc -w 10 -u server.ip 1194 | cat -v
And no response came back. When 'pinging' OpenVPN it should output something like @??e?tg]T^@^@^@^@^@@.....
I'd love to have both ports working, is there anything else I can do to help debug this issue?
Here's my test system info
root@crain:~# lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 14.04.2 LTS
Release: 14.04
Codename: trusty
Thanks again!
Hello! Great work buddy ! But what about IPV6 ?
I'm using DO so they have IPV6, I think it will be AWESOME to have IPV6 with it.
Hello there sir, I installed your script on my server, and everything seems to be fine.
The only problem is when I open OpenVPN and connect via my server,
the IP of my computer is still the same, not to mention that I have another server from another company that comes with OpenVPN installed and it works just fine.
Hey,
Does this script install and configure the openvpn as server to multiple clients?
Thanks,
First a compliment: thanks for this amazing script, it just makes my life so much easier.
So I'm running a DigitalOcean VPS with IPv6. After doing some looking online, I've realized this is pretty difficult to do. How I propose this can be added, since not everyone has IPv6, is to add it to the list of things to do after installing OpenVPN. It could also be done just if the machine OpenVPN is being installed on has IPv6 during installation.
This is a neat little script. It would be great if it setup some hardened security defaults out of the box. For example:
There are probably other hardening things that should be done out of the box as well, but I'm not a security expert. These turned up as acceptable starts from my searching around:
ciphers: AES-128-CBC:AES-192-CBC:AES-256-CBC
auth: SHA256:SHA1
tls-ciphers: DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
My server had the file /etc/dpkg/dpkg.cfg.d/01_nodoc
which contained ignore rules for the /usr/share/doc directory. Seems like digitalocean added that file.
This script failed with
./vpn: line 239: cd: /usr/share/doc/openvpn*/*ample*/sample-config-files: No such file or directory
gzip: server.conf.gz: No such file or directory
cp: cannot stat ‘server.conf’: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
sed: can't read server.conf: No such file or directory
I think a check if that folder exists with a message about the possible cause would be helpful
Also, it might make sense to add `set -e` to the beginning of the script.
Hi,
this is a feature request. Given this bug of NetworkManager, importing the configuration file (e.g. client.ovpn) in NetworkManager on Linux does not work.
The idea is to add an option/request in the script to have all the files already separated.
Hoping that this is useful to others, here's a quick manual workaround.
A workaround is to manually copy-paste the certificates from the configuration file to the respective ca.crt, client.crt and client.key files.
In practice (do not copy the tags, only what is inside):
<ca>...</ca> -> ca.crt
<cert>...</cert> -> client.crt
<key>...</key> -> client.key
Then add to the config file (client.ovpn) the following lines after the corresponding commented paragraph:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert wash.crt
key wash.key
(and of course one can delete everything between the <ca></ca>, <cert></cert>, <key></key> tags in the original client.ovpn).
At this point you can successfully import the configuration in NetworkManager.
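The manual copy-paste workaround above, scripted (an added example, not code from nyr/openvpn-install or from the poster); the output file names ca.crt, client.crt, client.key and client.ovpn and the placeholder sample profile are this example's own choices.

```shell
# Added example (not part of nyr/openvpn-install): split the inline <ca>, <cert> and <key>
# blocks of a generated client profile into ca.crt, client.crt and client.key and write a
# copy of the config that references those files, as the workaround above describes.
# The output file names and the sample profile are this example's own choices.

# extract_block <profile> <tag> <outfile>: copy the lines between <tag> and </tag>
extract_block() {
  awk -v t="$2" '$0 == ("<" t ">") { on = 1; next } $0 == ("</" t ">") { on = 0 } on' "$1" > "$3"
  [ -s "$3" ]   # fail if the block was missing or empty (as in the TXT_DB report above)
}

# strip_blocks <profile>: print the profile without the three inline blocks
strip_blocks() {
  awk '/^<(ca|cert|key)>$/ { skip = 1; next } /^<\/(ca|cert|key)>$/ { skip = 0; next } !skip' "$1"
}

# split_ovpn <profile> <outdir>: writes ca.crt, client.crt, client.key and client.ovpn
split_ovpn() {
  in="$1"; out="$2"
  mkdir -p "$out"
  extract_block "$in" ca   "$out/ca.crt"     || { echo "missing <ca> block" >&2; return 1; }
  extract_block "$in" cert "$out/client.crt" || { echo "missing <cert> block" >&2; return 1; }
  extract_block "$in" key  "$out/client.key" || { echo "missing <key> block" >&2; return 1; }
  chmod 600 "$out/client.key"   # the private key must not be readable by other users
  {
    strip_blocks "$in"
    printf '%s\n' 'ca ca.crt' 'cert client.crt' 'key client.key'
  } > "$out/client.ovpn"
}

# make_sample <path>: constructed profile with placeholder PEM bodies (no real key material)
make_sample() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
EOF
}

# Run with "demo" as the first argument to split a sample profile into a temp directory.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_sample "$d/wash.ovpn"; split_ovpn "$d/wash.ovpn" "$d/out"
  ls -l "$d/out"; cat "$d/out/client.ovpn"
fi
```

An empty `<cert></cert>` block, like the one in the failed easy-rsa run reported earlier on this page, makes the script stop instead of silently writing an unusable profile.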
Forgive me if this has already been done but is there a fork that uses a .ovpn file with a client password but without the certificate files required... So I only need to import the .ovpn and enter the password.
Thanks in advance
Hi, congrats, it is a very nice script, very useful.
I have a problem.
I am trying to share a directory from the server with the clients in a mixed environment: the server is cloud Linux, the remote clients are Windows and Mac. I installed and configured Samba.
I used the script to configure OpenVPN; I answered y about sharing between clients. I can connect with every client but I can't view the server; it doesn't appear in the network list, and I can't search or connect to the Samba directory.
Can you help me?
It would be cool to have a non-interactive version of this script that will make sure openvpn is running & configured if it isn't, and allocate an initial user.
hey.
In Windows, OpenVPN GUI expects .ovpn files in the configuration directory.
You give out a .conf file as the configuration file. It would be nice to have the same file with the .ovpn extension for ease of use for Windows OpenVPN GUI users.
thanks.
Hi,
I've 2 IPs on my VPS. Can I use both IPs for making VPN connection?