Miscellaneous improvements

- Fix #694: add sanitization during the public IP address configuration and
switch to AWS checkip, since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT,
checkip service is unreachable and user doesn't provide input when asked for
the public IP address or hostname.
- Other small improvements not worth describing in detail.
Nyr 2020-04-21 02:28:29 +02:00
parent c6159aefb8
commit cec053def4
2 changed files with 14 additions and 8 deletions


@ -1,7 +1,7 @@
## openvpn-install
OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS.
This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.
This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.
### Installation
Run the script and follow the assistant:


@ -62,15 +62,15 @@ new_client () {
cat /etc/openvpn/server/easy-rsa/pki/ca.crt
echo "</ca>"
echo "<cert>"
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$1".crt
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
echo "</cert>"
echo "<key>"
cat /etc/openvpn/server/easy-rsa/pki/private/"$1".key
cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key
echo "</key>"
echo "<tls-crypt>"
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
echo "</tls-crypt>"
} > ~/"$1".ovpn
} > ~/"$client".ovpn
}
if [[ ! -e /etc/openvpn/server/server.conf ]]; then
@ -99,8 +99,14 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
# Get public IP and sanitize with grep
get_public_ip=$(grep -oE '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$' <<< "$(wget -T 5 -t 1 -4qO- "https://checkip.amazonaws.com/" || curl -m 5 -4Ls "https://checkip.amazonaws.com/")")
read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
# If the checkip service is unavailable and user didn't provide input, ask again
until [[ -n "$get_public_ip" || -n $public_ip ]]; do
echo "Invalid input."
read -p "Public IPv4 address / hostname: " public_ip
done
[[ -z "$public_ip" ]] && public_ip="$get_public_ip"
fi
# If system has a single IPv6, it is selected automatically
@ -142,7 +148,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
echo "What port do you want OpenVPN listening to?"
read -p "Port [1194]: " port
until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do
echo "$port: invalid selection."
echo "$port: invalid port."
read -p "Port [1194]: " port
done
[[ -z "$port" ]] && port="1194"
@ -368,7 +374,7 @@ verb 3" > /etc/openvpn/server/client-common.txt
# Enable and start the OpenVPN service
systemctl enable --now openvpn-server@server.service
# Generates the custom client.ovpn
new_client "$client"
new_client
echo
echo "Finished!"
echo
@ -402,7 +408,7 @@ else
cd /etc/openvpn/server/easy-rsa/
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
# Generates the custom client.ovpn
new_client "$client"
new_client
echo
echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
exit
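Review bot: The sanitization added in the `@ -99,8 +99,14 @@` hunk covers only the checkip response; the value the user types into `public_ip` is accepted verbatim as soon as it is non-empty, and `read -p` without `-r` also lets backslashes in that input be interpreted. Presumably that value is later written into the generated client configuration outside this hunk, so whitespace or shell-significant characters in a typed hostname would reach it unchecked. A conservative fix keeps the default-to-service behaviour while validating typed input: `read -rp "Public IPv4 address / hostname [$get_public_ip]: " public_ip` (and `-rp` on the retry `read` inside the loop) together with `until [[ -n "$get_public_ip" && -z "$public_ip" || "$public_ip" =~ ^[A-Za-z0-9.-]+$ ]]; do`. Quoting `$public_ip` in the existing `-n $public_ip` test would also match the quoting already used for `$get_public_ip` on the same line. The enclosing `if [[ ! -e /etc/openvpn/server/server.conf ]]` block starts and ends outside the hunk.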