forked from Nyr/openvpn-install
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improved firewall installation logic
New logic makes way more sense: - If either firewalld or iptables are present, use whatever we have - If not, install firewalld in CentOS/Fedora and iptables in Debian/Ubuntu
- Loading branch information
Showing
1 changed file
with
18 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -182,12 +182,18 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then | |
| [[ -z "$client" ]] && client="client" | ||
| echo | ||
| echo "We are ready to set up your OpenVPN server now." | ||
| # DigitalOcean ships their CentOS and Fedora images without firewalld | ||
| # We don't want to silently enable a firewall, so we give a subtle warning | ||
| # If the user continues, firewalld will be installed and enabled during setup | ||
| if [[ "$os" == "centos" || "$os" == "fedora" ]] && ! systemctl is-active --quiet firewalld.service; then | ||
| echo | ||
| echo "firewalld, which is required to manage routing tables, will also be installed." | ||
| # Install a firewall in the rare case where one is not already available | ||
| if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then | ||
| if [[ "$os" == "centos" || "$os" == "fedora" ]]; then | ||
| firewall="firewalld" | ||
| # We don't want to silently enable firewalld, so we give a subtle warning | ||
| # If the user continues, firewalld will be installed and enabled during setup | ||
| echo | ||
| echo "firewalld, which is required to manage routing tables, will also be installed." | ||
| elif [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then | ||
| # iptables is way less invasive than firewalld so no warning is given | ||
| firewall="iptables" | ||
| fi | ||
| fi | ||
| echo | ||
| read -n1 -r -p "Press any key to continue..." | ||
|
|
@@ -199,14 +205,16 @@ LimitNPROC=infinity" > /etc/systemd/system/[email protected]/disab | |
| fi | ||
| if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then | ||
| apt-get update | ||
| apt-get install -y openvpn iptables openssl ca-certificates | ||
| apt-get install -y openvpn openssl ca-certificates $firewall | ||
| elif [[ "$os" = "centos" ]]; then | ||
| yum install -y epel-release | ||
| yum install -y openvpn firewalld openssl ca-certificates tar | ||
| systemctl enable --now firewalld.service | ||
| yum install -y openvpn openssl ca-certificates tar $firewall | ||
| else | ||
| # Else, OS must be Fedora | ||
| dnf install -y openvpn firewalld openssl ca-certificates tar | ||
| dnf install -y openvpn openssl ca-certificates tar $firewall | ||
| fi | ||
| # If firewalld was just installed, enable it | ||
| if [[ "$firewall" == "firewalld" ]]; then | ||
| systemctl enable --now firewalld.service | ||
| fi | ||
| # Get easy-rsa | ||
|
|
||