OpenVPN automated installer

NyrNyr Member
Few people asked me for the link since it was lost with the hacks:
https://github.com/Nyr/openvpn-install

It's a script that will set up OpenVPN on Debian-based systems and generate certs/config automagically.

Comments

  • Please add an option to install OpenVPN at TCP or UDP.
    Thanked by 1akhfa
  • NyrNyr Member
    edited May 2013
    @SayangAlif sorry, not at this time. OpenVPN over TCP isn't really useful for me.

    If I were to add something like that I would probably want a TCP+UDP option, but that involves two daemons and a bit more work.
  • Noob question, can openvpn be installed on the same vps as a control panel, like kloxo?
    Thanks

  • NyrNyr Member
    edited May 2013

    @thedarkfox said:
    Noob question, can openvpn be installed on the same vps as a control panel, like kloxo?
    Thanks

    Yes.

  • trexostrexos Member
    edited May 2013

    Wow! Thanks a lot. I've been trying to install OpenVPN now for about 3 days. I tried autoinstaller, different tutorials and nothing was working. But your installer works great! And with it I can easily set up new accounts or delete old ones. Thank you so much! :)

    Edit: just a short question: it uses 1024bit encryption right?

    OnePoundWebHosting.co.uk | UK XEN VPS from £2 | See their special offers starting from 12£/year here

  • NyrNyr Member

    @trexos said:
    Edit: just a short question: it uses 1024bit encryption right?

    OpenVPN only uses long PKI keys for authentication. 2048 bit keys by default IIRC, but doesn't really matter.

    During the session, symmetric-key algorithms with lower key lengths are used.

    TL;DR: don't worry.

  • just noticed line 27 and 31 are slightly different of using "grep -q '.'"

    not sure if supposed to be like this?

  • trexostrexos Member

    Ok thanks :)

    another question: you wrote that there might be a problem with using this script @lowendspirit boxes because of the NAT IPv4. Is this problem solved, when I set the right IP while the script is running?

  • NyrNyr Member

    @yaocheng said:
    just noticed line 27 and 31 are slightly different of using "grep -q '.'"

    not sure if supposed to be like this?

    Yeah, the -q means it doesn't show the output and I didn't need stdout the first time it's used :)

    @trexos said:
    Ok thanks :)

    another question: you wrote that there might be a problem with using this script lowendspirit boxes because of the NAT IPv4. Is this problem solved, when I set the right IP while the script is running?

    The internal IP with LowEndSpirit boxes is autodetected, so no need to touch that during the setup. Once installation finishes, you need to set the external IPv4 instead of the internal one on your client.conf.

  • trexostrexos Member

    But the script asks about the Ip, doesn't it? Isn't it possible to set it there?

  • NyrNyr Member

    @trexos said:
    But the script asks about the Ip, doesn't it? Isn't it possible to set it there?

    It's possible (and needed) to set the internal IP there. If you set the public IP instead, it isn't going to work with a NATed box.

  • trexostrexos Member

    Okay but with a normal VPS I have to enter the external IP?

  • NyrNyr Member

    @trexos said:
    Okay but with a normal VPS I have to enter the external IP?

    No.

  • trexostrexos Member

    I think we are meaning different things :P

    I mean this field:
    First I need to know the IPv4 address of the network interface you want OpenVPN
    listening to.
    IP address: 111.222.333.444

    Here I have to enter the IPv4 if it's not a NAT'ed VPS, haven't I?

  • NyrNyr Member

    The IP should be autodetected. If it isn't, or it's wrong, you can enter your VPS IP there, but the default should work on most setups.

  • trexostrexos Member

    Yeah and I mean if it's possible to enter here the external IP from a NAT'ed VPS. Not possible right? I have to leave the default IP and change the IP in the client.conf file to the external IP?

  • NyrNyr Member

    @trexos said:
    I have to leave the default IP and change the IP in the client.conf file to the external IP?

    Correct. Just follow the instructions.

  • ChanChan Member

    Fantastic script, I used it to setup a VPN for a friend of mine today on a httpzoom node and it worked perfect!

  • trexostrexos Member
    edited May 2013

    Yeah! Using this script @bandwagonhost and @httpzoom :) both debian 6.0.7 64bit minimal.

  • udkudk Member

    Works perfectly, all done within minutes! Thanks

  • trexostrexos Member

    awesome update! thanks :)

  • DroidzoneDroidzone Member
    edited July 2013

    Awesome script. You could use bash functions and reduce the size a bit. I'd also like an option to build openvpn from source too, instead of the apt package. I made a fork of it and trying that. The source package doesn't seem to have easy-rsa examples.

    C, Bash, Perl, Python, PHP, and JS hobbyist. VPS collector. Blog

  • awsonawson Member
    edited July 2013

    @joelgm said:
    Awesome script. You could use bash functions and reduce the size a bit. I'd also like an option to build openvpn from source too, instead of the apt package. I made a fork of it and trying that. The source package doesn't seem to have easy-rsa examples.

    Neither do new OpenVPN packages. Just use the easy-rsa directory from this repo:

    https://github.com/OpenVPN/easy-rsa

  • NyrNyr Member

    @joelgm @awson looks like easy-rsa will be available as a separate package with future Debian versions. I will update the script in the future to either use that package from the repos or a standalone one before jessie becomes stable :)

    @joelgm I know I should use some functions too. Will cleanup the script in the future before adding new features.

    I don't plan on compiling from the sources in the near future, I don't think that would be a good idea on very low RAM containers.

    Thanks for the suggestions, guys!

  • ideas: possible of adding more customized ports and option to listen to tcp as well?

  • NyrNyr Member

    @yaocheng said:
    ideas: possible of adding more customized ports and option to listen to tcp as well?

    Maybe in the future, that was requested by another user too :)

  • user123user123 Member
    edited August 2013

    Is anyone else having everything error out after the DH key is generated? Until that point, the script was working as expected. Any ideas what caused this or how to fix it?
    @Nyr

    ./openvpn-install.sh: line 160: cd: /usr/share/doc/openvpn/examples/sample-config-files: No such file or directory
    gzip: server.conf.gz: No such file or directory
    cp: cannot stat `server.conf': No such file or directory
    sed: can't read server.conf: No such file or directory
    sed: can't read server.conf: No such file or directory
    sed: can't read server.conf: No such file or directory
    sed: can't read server.conf: No such file or directory
    sed: can't read server.conf: No such file or directory
    ./openvpn-install.sh: line 185: /etc/init.d/openvpn: No such file or directory
    sed: can't read /usr/share/doc/openvpn/examples/sample-config-files/client.conf: No such file or directory
    cp: cannot stat `/usr/share/doc/openvpn/examples/sample-config-files/client.conf': No such file or directory
    sed: can't read client.conf: No such file or directory
    sed: can't read client.conf: No such file or directory
    tar: client.conf: Cannot stat: No such file or directory
    tar: Exiting with failure status due to previous errors

    Finished!

    Your client config is available at ~/ovpn-client.tar.gz

    If you want to add more clients, you simply need to run this script another time!

    Personal consultant to OP's Mom™

  • NyrNyr Member

    @user123 that's weird. Can you please tell me what Linux distro and version are you using the script in?

  • @Nyr Debian 6.0 32-bit. 2.6.32-042stab074.10.

    Personal consultant to OP's Mom™

  • NyrNyr Member

    @user123 there is definitely something weird going on, since the directory appearing as missing is definitely there on the official Debian Squeeze packages.

    I don't know if that's possible, but could I maybe get access to that box you are trying to install the script in?

    If not, please paste here the output of:
    dpkg --get-selections | grep openvpn

    Also a ls of:
    /usr/share/doc/openvpn

  • @Nyr

    [email protected]:~# dpkg --get-selections | grep openvpn
    [email protected]:~#
    [email protected]:~#
    [email protected]:/usr/share/doc/openvpn# ls

    COPYING README README.auth-pam README.polarssl
    COPYRIGHT.GPL README.IPv6 README.down-root management-notes.txt

    Personal consultant to OP's Mom™

  • NyrNyr Member

    @user123 did you try to install OpenVPN on that system before, by other means? Maybe compiling from the sources?

    You have some files present which aren't available on the Debian packages, so that's the only explanation I have for that.

  • user123user123 Member
    edited August 2013

    @Nyr It's possible, but as far as I recall, I had reinstalled the OS template after my last OpenVPN installation attempt failed (as it always does). No OpenVPN daemons are running, if that makes any difference.

    Personal consultant to OP's Mom™

  • NyrNyr Member

    @user123 you definitely have trails of a failed installation. If you run the script on a clean container it will work.

  • @Nyr I will reinstall the OS now and then run your script after updating and upgrading the OS

    Personal consultant to OP's Mom™

  • user123user123 Member
    edited August 2013

    @Nyr It installed properly after the OS reinstallation, but I notice that the client config is not set to push all traffic through the VPN (although, the connection log receives the server-side command "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 129.250.35.250,dhcp-option DNS 74.82.42.42,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'") and that it is also not configured to use a good cipher (the connection log looks like BF-CBC is being used) for the connection (AES-256-CBC would be preferable). What is the best way to make the client use AES-256-CBC and also force routing all data through the VPN?

    ETA: https://www.dnsleaktest.com/ shows some overlapping DNS servers from my local ISP in the mix, though my IP and the VPS IP are (obviously) with different ISPs and different parts of the country.

    ETA2: I updated the client config (without changing the server config) to connect with the AES-256-CBC cipher and it does connect to the server, but I have no internet when connected to the VPN.

    Personal consultant to OP's Mom™

  • NyrNyr Member

    @user123 said:
    Nyr It installed properly after the OS reinstallation, but I notice that the client config is not set to push all traffic through the VPN (although, the connection log receives the server-side command "PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 129.250.35.250,dhcp-option DNS 74.82.42.42,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'") and that it is also not configured to use a good cipher (the connection log looks like BF-CBC is being used) for the connection (AES-256-CBC would be preferable). What is the best way to make the client use AES-256-CBC and also force routing all data through the VPN?

    ETA: https://www.dnsleaktest.com/ shows some overlapping DNS servers from my local ISP in the mix, though my IP and the VPS IP are (obviously) with different ISPs and different parts of the country.

    ETA2: I updated the client config (without changing the server config) to connect with the AES-256-CBC cipher and it does connect to the server, but I have no internet when connected to the VPN.

    Try to run the OpenVPN client as an administrator if you are on Windows.
    I don't think Blowfish CBC is a weak cipher.

    without changing the server config

    Then there's your problem, read the OpenVPN man.

  • @Nyr thanks :) I already had the OpenVPN client set to run as Administrator by default. Whenever I've edited the server config before, I break something. But, it looks like it works now. I also added a couple more DNS to my server config. Btw, I love that your script also offers to set up a daemon on port 53 as a routine thing.

    Now, to just figure out how to insert the certificates and key inline into the .ovpn file and have it actually work (already tried manually doing the <> thing like I read about, but get an error about loading inline certificate even though I follow the standard syntax).

    Personal consultant to OP's Mom™

  • SpiritSpirit Disabled

    @user123 said:
    Now, to just figure out how to insert the certificates and key inline into the .ovpn file and have it actually work (already tried manually doing the <> thing like I read about, but get an error about loading inline certificate even though I follow the standard syntax).

    I am not familiar with this script/installer specifics but it seems like all you need to do is to enter proper file names into .ovpn file

    ca ca.crt
    cert user1.crt
    key user1.key

    ...and all four files (including .ovpn config) move into "config" dir at your local machine. All 3 files above can be renamed whatever you want just make sure to keep proper extensions and enter proper filenames into .ovpn file

  • NyrNyr Member

    @Spirit said:
    I am not familiar with this script/installer specifics but it seems like all you need to do is to enter proper file names into .ovpn file

    If I understand, what he wants is to have a single .ovpn file with the config, certs and key included. That's possible, but I don't remember the syntax for that. Google can help for sure.

  • @Nyr said:
    If I understand, what he wants is to have a single .ovpn file with the config, certs and key included. That's possible, but I don't remember the syntax for that. Google can help for sure.

    Yeah, that's what I'm trying to do. I am following the syntax, but keep getting that "inline" error.

    Personal consultant to OP's Mom™

  • NyrNyr Member

    @user123 not all OpenVPN clients are compatible with inline certs and keys. That could maybe be the case.

  • @user123 have you tried removing
    cert user1.crt
    key user1.key
    in your .ovpn?

    lurker

  • Great little script, thanks.

  • @Nyr said:
    user123 not all OpenVPN clients are compatible with inline certs and keys. That could maybe be the case.

    That's probably true, but the ovpn file from another VPS I have running OpenVPN AS uses the inline syntax and I can connect from the same computer just fine.

    @madfish said:
    user123 have you tried removing
    cert user1.crt
    key user1.key
    in your .ovpn?

    Yup, I removed those three lines before adding the inline stuff.

    Personal consultant to OP's Mom™
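
Added example, not part of the thread or of the openvpn-install script: one way to build the single-file .ovpn discussed above, replacing the `ca`/`cert`/`key` file lines with OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks. The file names, the `pem_block`, `make_inline_ovpn` and `demo` helpers and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: merge a client config and its PKI files into one .ovpn.
# File names are placeholders, not paths the installer is known to use.

# Print only the PEM block of a file (easy-rsa certificates carry a
# human-readable dump before the BEGIN line).
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_ovpn CONF CA CERT KEY OUT
make_inline_ovpn() {
    conf=$1; ca=$2; cert=$3; key=$4; out=$5
    for f in "$conf" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    rm -f "$out"
    # OUT will contain the private key, so create it owner-only.
    ( umask 077
      {
        # Drop the file-based directives; the inline blocks replace them.
        sed -E '/^[[:space:]]*(ca|cert|key)[[:space:]]/d' "$conf"
        echo '<ca>';   pem_block "$ca";   echo '</ca>'
        echo '<cert>'; pem_block "$cert"; echo '</cert>'
        echo '<key>';  pem_block "$key";  echo '</key>'
      } > "$out" )
}

# Constructed sample input: placeholder PEM bodies, not real credentials.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' client 'remote 203.0.113.10 1194' 'ca ca.crt' \
        'cert user1.crt' 'key user1.key' > "$d/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CA-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: ...' \
        '-----BEGIN CERTIFICATE-----' 'CERT-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/user1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$d/user1.key"
    make_inline_ovpn "$d/client.conf" "$d/ca.crt" "$d/user1.crt" \
        "$d/user1.key" "$d/user1.ovpn" && echo "$d/user1.ovpn"
}
```

Calling `demo` writes the merged file into a temporary directory and prints its path; the resulting file holds the private key, so it should be handled like the key itself.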

  • Hi @Nyr, off-topic :-) are you familiar with installing/configuring strongswan for IKEv2 type of VPN (server side)? this is for the blackberry e.g Z10

  • @Nyr it's OK. thanks for reply!

  • @Nyr Thanks man it was very helpful

    But Is it possible to give clients a static IP?
    and How can I see online clients?

  • Well actually right now I was looking for a tutorial but I use centos xen vps I got from internet brothers south Korea the medium 1 Gig ram mentioned here centos

    http://www.internetbrothers.co.kr/webpromotion/english/vps-in-korea.html

    IT is not debian and they do not give debian OS

    Thanks
