From 165c551e36c32e6b532dbc9b31fe32b039ac2893 Mon Sep 17 00:00:00 2001
From: MichaIng <28480705+MichaIng@users.noreply.github.com>
Date: Tue, 30 Jul 2019 23:46:53 +0200
Subject: [PATCH] v6.26 (#3016)

+ DietPi-Software | OpenVPN: Remove rsyslog dependency
+ DietPi-Software | OpenVPN: Preserve existing configs, instead inform user that config creation, key and cert generation is skipped
+ DietPi-Software | OpenVPN: Use most current easy-rsa form GitHub, which allows us to use the same method on all systems. The APT package will use outdated methods earlier or later and the binaries are standalone scripts anyway.
+ DietPi-Software | OpenVPN: LibSSL1.0.0 is not required on Buster and was never required on Stretch, so it is not installed with OpenVPN anymore.
+ DietPi-Software | OpenVPN: Create Diffie-Hellman param via easy-rsa as well
+ DietPi-Software | Download_Install(): Add support for tgz and tbz2 file endings and use slightly simplified tar extraction option which allows to skip target dir pre-creation but was not available on Jessie
+ DietPi-Software | OpenVPN: Use new "remote-cert-tls" option as replacement for deprecated "ns-cert-type", which as well solves client connection issue with error: "VERIFY nsCertType ERROR: CN=DietPi_OpenVPN_Server, require nsCertType=SERVER"
---
 CHANGELOG.txt | 2 +
 dietpi/dietpi-software | 145 +++++++++++++++++++++--------------
 2 files changed, 76 insertions(+), 71 deletions(-)

diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index a2eeee6b36..4350547bb6 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -9,6 +9,7 @@ Changes / Improvements / Optimisations:
 - DietPi-Config | Some /etc/modprobe.d/ configs are merged to less files and mostly prefixed with "dietpi-", to allow easier differentiation between Debian/pre-image and DietPi files.
 - DietPi-Software | Pi-hole: Logging to /var/log/pihole.log is now disabled by default, since it is not required in usual cases. Query logs, shown in web UI, are stored in database. This might also resolve possible pihole-FTL crashes in combination with DietPi-RAMlog and DietPi-Logclear. Many thanks to @kuerious for reporting and @Mcat12 for providing helpful information on this topic: https://github.com/pi-hole/FTL/issues/614
 - DietPi-Software | Pi-hole: Lighttpd config has been added to block access to .dot dirs (.git*) and enable local fonts for web UI, based on: https://github.com/pi-hole/pi-hole/blob/master/advanced/lighttpd.conf.debian
+- DietPi-Software | OpenVPN: Rsyslog is not installed anymore together with OpenVPN server. Logs are available via "journalctl -u openvpn", all system logs via "journalctl". If you require persistent logs, uninstall DietPi-RAMlog via dietpi-software and make the journal boot persistent via: mkdir /var/log/journal
 - DietPi-Software | Gogs: On ARMv7 and x86_64 now the latest version from GitHub is installed. Reinstalls will upgrade the version while preserving existing settings. Many thanks to @LazyLama for doing this suggestion: https://github.com/MichaIng/DietPi/issues/2999
 
 Bug Fixes:
@@ -18,6 +19,7 @@ Bug Fixes:
 - DietPi-Software | Gitea: Resolved an issue where install fails on ARMv7 systems. Many thanks to @maschiw for reporting this issue: https://github.com/MichaIng/DietPi/issues/2959
 - DietPi-Software | Node-RED: Resolved an issue where install fails due to missing data dir creation. Many thanks to @Orfait for reporting this isssue: https://github.com/MichaIng/DietPi/issues/2975
 - DietPi-Software | Node-RED: Resolved an issue where user creation fails if "gpio" group is not present. Many thanks to @marcobrianza for reporting this issue: https://github.com/MichaIng/DietPi/issues/2975#issuecomment-513917360
+- DietPi-Software | OpenVPN: Resolved an issue where install failed on Debian Buster due to a new easy-rsa version with changed commands and options. Now the most recent easy-rsa is manually downloaded on all systems to generate server and client key + cert with modern methods and the client config is slighly updated to match modern settings.
 
 As always, many smaller code performance and stability improvements, visual and spelling fixes have been done, too much to list all of them here. Check out all code changes of this release on GitHub: https://github.com/MichaIng/DietPi/pull/XXXX
 
diff --git a/dietpi/dietpi-software b/dietpi/dietpi-software
index 167ecd463d..38230e5409 100644
--- a/dietpi/dietpi-software
+++ b/dietpi/dietpi-software
@@ -1921,7 +1921,6 @@ DietPi-Software will decrypt and use it for software installs. You can change it
 aSOFTWARE_WHIP_DESC[$software_id]='vpn server'
 aSOFTWARE_CATEGORY_INDEX[$software_id]=16
 aSOFTWARE_TYPE[$software_id]=0
- aSOFTWARE_REQUIRES_RSYSLOG[$software_id]=1
 aSOFTWARE_ONLINEDOC_URL[$software_id]='p=613#p613'
 
 #------------------
@@ -2481,12 +2480,11 @@ DietPi-Software will decrypt and use it for software installs. You can change it
 
 fi
 
- # Software that requires LibSSL1.0.0, Stretch+ only
+ # Software that requires LibSSL1.0.0
 # - Jackett (147)
 software_id=126
 if (( ${aSOFTWARE_INSTALL_STATE[37]} == 1 ||
 ${aSOFTWARE_INSTALL_STATE[60]} == 1 ||
- ${aSOFTWARE_INSTALL_STATE[97]} == 1 ||
 ${aSOFTWARE_INSTALL_STATE[134]} == 1 ||
 ${aSOFTWARE_INSTALL_STATE[147]} == 1 )); then
 
@@ -3035,8 +3033,8 @@ Package: *php7.3*\nPin: release *\nPin-Priority: -1' > /etc/apt/preferences.d/di
 local url=$1
 [[ ! $url && $fallback_url ]] && url=$fallback_url
 local target=$2 # Extract target
- local type=${url##*.} # Grab ext from URL | compatbile with >> deb|zip|tar(.gz|.bz2)|7z
- [[ $type == 'gz' || $type == 'bz2' ]] && type='tar'
+ local type=${url##*.} # Grab ext from URL | compatbile with >> deb|zip|tar(.gz|.bz2)|tgz|tbz2|7z
+ [[ $type =~ ^t?(gz|bz2)$ ]] && type='tar'
 local file="$software_id.$type"
 
 # DietPi-Software conf/service mode
@@ -3089,8 +3087,7 @@ Package: *php7.3*\nPin: release *\nPin-Priority: -1' > /etc/apt/preferences.d/di
 
 elif [[ $type == 'tar' ]]; then
 
- #[[ $target ]] && target="--one-top-level=$target" # Option exist not on Jessie
- [[ $target ]] && G_RUN_CMD mkdir -p "$target" && target="-C $target"
+ [[ $target ]] && target="--one-top-level=$target"
 G_RUN_CMD tar xf $file "$target"
 
 elif [[ $type == '7z' ]]; then
@@ -4639,7 +4636,9 @@ _EOF_
 if (( ${aSOFTWARE_INSTALL_STATE[$software_id]} == 1 )); then
 
 Banner_Installing
- G_AGI openvpn easy-rsa iptables
+ G_AGI openvpn iptables
+ # Remove obsolete sysvinit service
+ [[ -f '/etc/init.d/openvpn' ]] && rm /etc/init.d/openvpn
 
 fi
 
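Review bot: The extension test `[[ $type =~ ^t?(gz|bz2)$ ]]` now covers `tgz`/`tbz2`, but `local type=${url##*.}` still takes everything after the last dot, so a download URL that carries a query string or fragment (constructed example: `…/EasyRSA.tgz?token=x`) yields a `type` of `tgz?token=x` and falls through every branch. Stripping that tail first keeps the detection intact: `local type=${url%%[?#]*}` followed by `type=${type##*.}`. The rewritten comment also carries over the old typo; `# Grab ext from URL | compatible with >> deb|zip|tar(.gz|.bz2)|tgz|tbz2|7z` reads better. Download_Install begins before this hunk.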
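Review bot: `[[ $target ]] && target="--one-top-level=$target"` leaves `target` empty when no extract directory is given, and `G_RUN_CMD tar xf $file "$target"` then hands tar an empty word; if G_RUN_CMD forwards its arguments unchanged (its definition is outside this hunk), GNU tar treats that empty argument as a member name to extract and reports it as not found. Expanding the option only when it is set avoids the empty word: `G_RUN_CMD tar xf "$file" ${target:+--one-top-level="$target"}`. The replaced `-C $target` form had the same shape, so this is inherited rather than new, but `--one-top-level` is otherwise a good change since archives without a single top directory no longer spill into the working directory.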
@@ -9386,48 +9385,58 @@ _EOF_
 
 Banner_Configuration
 
- local key_size=2048
-
- # Start Cert/Key generation.
- cp -a /usr/share/easy-rsa/ /etc/openvpn
- mkdir -p /etc/openvpn/easy-rsa/keys
- cat << _EOF_ >> /etc/openvpn/easy-rsa/vars
-export KEY_SIZE=$key_size
-export KEY_COUNTRY='UK'
-export KEY_PROVINCE='DietPi'
-export KEY_CITY='DietPi'
-export KEY_ORG='DietPi'
-export KEY_EMAIL='noreply@DietPi.com'
-export KEY_OU='DietPi'
-export KEY_NAME='DietPi_OpenVPN_Server'
-_EOF_
-
- # Create Server Cert Auth
- G_DIETPI-NOTIFY 2 'Generating unique OpenVPN certificates and keys. Please wait...\n'
- openssl dhparam -out /etc/openvpn/dh${key_size}.pem $key_size
-
- # Build Server certs/keys
- chmod -R +x /etc/openvpn/easy-rsa
- cd /etc/openvpn/easy-rsa
- # - https://github.com/MichaIng/DietPi/issues/1450#issuecomment-362608574
- cp -a openssl-1.0.0.cnf openssl.cnf
+ # Create initial server and client configs, if not yet present
+ # - Wildcard config file detection via for loop
+ local i
+ for i in /etc/openvpn/*.conf
+ do
 
- . ./vars
- ./clean-all
- ./build-ca --batch DietPi_OpenVPN_Server
- ./build-key-server --batch DietPi_OpenVPN_Server
+ # Inform user, if config exist, that config generation is skipped
+ if [[ -f $i ]]; then
 
- # Copy Server cert/keys
- cp -a /etc/openvpn/easy-rsa/keys/{DietPi_OpenVPN_Server.crt,DietPi_OpenVPN_Server.key,ca.crt} /etc/openvpn/
+ G_DIETPI-NOTIFY 2 "Existing OpenVPN configuration found: $i
+ - Config generation will be skipped.
+ - If you need a fresh key/cert/config set, please remove $i
+ and run: dietpi-software reinstall 97"
+ break
 
- # Build client cert/keys
- ./build-key --batch DietPi_OpenVPN_Client
+ fi
 
- cd /tmp/$G_PROGRAM_NAME
- # End Cert/Key generation.
+ # Pre-v6.26 cleanup
+ [[ -f '/etc/openvpn/dh2048.pem' ]] && rm /etc/openvpn/dh2048.pem
+ dpkg-query -s easy-rsa &> /dev/null && G_AGP easy-rsa
 
- # Server config
- cat << _EOF_ > /etc/openvpn/server.conf
+ # Download latest easy-rsa from GitHub
+ G_DIETPI-NOTIFY 2 'Downloading latest easy-rsa for certificate and key generation...'
+ INSTALL_URL_ADDRESS='https://api.github.com/repos/OpenVPN/easy-rsa/releases/latest'
+ G_CHECK_URL "$INSTALL_URL_ADDRESS"
+ fallback_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz'
+ no_check_url=1 Download_Install "$(curl -s "$INSTALL_URL_ADDRESS" | grep -m1 '"browser_download_url.*EasyRSA-.*\.tgz' | cut -d \" -f 4)"
+ [[ -d '/etc/openvpn/easy-rsa' ]] && rm -R /etc/openvpn/easy-rsa
+ mv EasyRSA-* /etc/openvpn/easy-rsa
+
+ # Cert and key generation via easy-rsa
+ G_DIETPI-NOTIFY 2 'Generating unique OpenVPN certificates and keys. Please wait...\n'
+ cd /etc/openvpn/easy-rsa
+ cat << _EOF_ > vars
+set_var EASYRSA_REQ_COUNTRY "UK"
+set_var EASYRSA_REQ_PROVINCE "DietPi"
+set_var EASYRSA_REQ_CITY "DietPi"
+set_var EASYRSA_REQ_ORG "DietPi"
+set_var EASYRSA_REQ_EMAIL "noreply@dietpi.com"
+set_var EASYRSA_REQ_OU "DietPi"
+set_var EASYRSA_BATCH "1"
+_EOF_
+ ./easyrsa init-pki
+ ./easyrsa build-ca nopass
+ ./easyrsa gen-dh
+ ./easyrsa build-server-full DietPi_OpenVPN_Server nopass
+ ./easyrsa build-client-full DietPi_OpenVPN_Client nopass
+
+ # Server config
+ cp -a pki/{ca.crt,dh.pem,issued/DietPi_OpenVPN_Server.crt,private/DietPi_OpenVPN_Server.key} /etc/openvpn/
+ cd /etc/openvpn
+ cat << _EOF_ > server.conf
 port 1194
 proto udp
 dev tun
@@ -9435,7 +9444,7 @@ dev tun
 ca ca.crt
 cert DietPi_OpenVPN_Server.crt
 key DietPi_OpenVPN_Server.key
-dh dh$key_size.pem
+dh dh.pem
 
 server 10.8.0.0 255.255.255.0
 
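Review bot: The easy-rsa steps are never checked: `cd /etc/openvpn/easy-rsa` and the five `./easyrsa` calls run unguarded, and `server.conf` is written afterwards regardless of their outcome. Because the enclosing `for i in /etc/openvpn/*.conf` loop (opened in this hunk, closed in a later one) skips generation whenever any `.conf` already exists, a failed `build-ca` or `build-server-full` leaves a `server.conf` pointing at certs that were never produced, and the next `dietpi-software reinstall 97` then refuses to regenerate them. Guarding the directory change with `cd /etc/openvpn/easy-rsa || return 1` (or whatever error path this function uses; its start is outside the hunk) and running each `./easyrsa …` line and the `mv EasyRSA-*` through `G_RUN_CMD`, as the tar extraction already does, would at least surface the failure before the config is written. A comment next to `./easyrsa build-ca nopass` noting that the CA private key stays unencrypted under `pki/private/` on the VPN host, as the replaced `build-ca --batch` flow also left it, would record that trade-off for the next reader.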
@@ -9454,16 +9463,15 @@ verb 3
 # Web Forwarding (uncomment to enable)
 #push "redirect-gateway"
 #push "dhcp-option DNS 10.8.0.1"
-
 _EOF_
 
- # Client config
- cat << _EOF_ > /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
+ # Client config
+ cat << _EOF_ > DietPi_OpenVPN_Client.ovpn
 client
 proto udp
 dev tun
 
-# Ip/Domain name of DietPi system, running OpenVPN server.
+# IP/domain name of DietPi system, running OpenVPN server
 remote mywebsite.com 1194
 resolv-retry infinite
 
@@ -9475,30 +9483,25 @@ group nogroup
 
 persist-key
 persist-tun
-ns-cert-type server
+remote-cert-tls server
 comp-lzo
 verb 3
-
 _EOF_
+ # - Add CA cert, client cert and key
+ echo -e "
+\n$(
+\n$(
+\n$(" >> DietPi_OpenVPN_Client.ovpn
+
+ # - Copy to userdata
+ cp DietPi_OpenVPN_Client.ovpn $G_FP_DIETPI_USERDATA/
+ # - and /boot partition
+ cp DietPi_OpenVPN_Client.ovpn /boot/
 
- # Unified client file. Add DietPi generated certs/keys.
- # - Add Server Cert auth
- echo '' >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- echo '' >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- # - Add Client Cert
- echo '' >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- cat /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.crt >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- echo '' >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- # - Add Client Key
- echo '' >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- cat /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.key >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
- echo '' >> /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn
-
- # Copy client file to userdata location
- cp /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn $G_FP_DIETPI_USERDATA/
- # - and /boot partition
- cp /etc/openvpn/easy-rsa/keys/DietPi_OpenVPN_Client.ovpn /boot/
+ cd /tmp/$G_PROGRAM_NAME
+ break # Always break loop which is only for single wildcard file detection
+
+ done
 
 # Enable IP forwarding
 echo -e 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\nnet.ipv6.conf.default.forwarding=1' > /etc/sysctl.d/dietpi-openvpn.conf
@@ -13334,7 +13337,7 @@ _EOF_
 
 fi
 
- software_id=97 # OpenVPN server
+ software_id=97 # OpenVPN Server
 if (( ${aSOFTWARE_INSTALL_STATE[$software_id]} == -1 )); then
 
 Banner_Uninstalling
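Review bot: The rebuilt `DietPi_OpenVPN_Client.ovpn` carries the client private key inline (the `# - Add CA cert, client cert and key` append; its command substitutions are truncated on this page) and is then copied as-is to `$G_FP_DIETPI_USERDATA/` and `/boot/`. Nothing sets the file mode, and the `/boot/` copy presumably lands on a FAT boot partition on many of the boards DietPi targets, where no Unix permissions apply, so the key is readable by any local user and persists after it has been retrieved; the replaced code did the same, so this is inherited rather than new, but the rewrite is the right moment to tighten it. `chmod 600 DietPi_OpenVPN_Client.ovpn` before the two `cp` lines, plus a comment on the `/boot/` copy such as `# NOTE: /boot copy is for one-time retrieval only, remove it once transferred to the client`, would record the intent. The `for` loop closed by the added `done` is opened in an earlier hunk.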