#!/bin/bash
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS
# This script will work on Debian, Ubuntu, CentOS and probably other distros
# of the same families, although no support is offered for them. It isn't
# bulletproof but it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
# universal as possible.
###############################################################################################################
# START_VARIABLE_SECTION
# This section contains setup and variables
###############################################################################################################
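# Names of the per-protocol systemd units and of the server config files
# (/etc/openvpn/<name>.conf) this script creates and later looks for.
TCP_SERVICE_AND_CONFIG_NAME="openvpn_tcp"
UDP_SERVICE_AND_CONFIG_NAME="openvpn_udp"
# Check the effective UID instead of $USER: $USER is inherited from the
# environment and is not necessarily "root" under `sudo -E` or a non-login `su`.
# Failures exit non-zero so a wrapping script can notice them.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Sorry, you need to run this as root"
  exit 1
fi
if [[ ! -e /dev/net/tun ]]; then
  echo "TUN/TAP is not available"
  exit 1
fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
  echo "CentOS 5 is too old and not supported"
  exit 1
fi
# Detect the distro family; RCLOCAL is where the firewall/NAT lines are persisted.
if [[ -e /etc/debian_version ]]; then
  OS=debian
  RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
  OS=centos
  RCLOCAL='/etc/rc.d/rc.local'
  # CentOS 7 ships rc.local without the executable bit, so nothing appended
  # to it would run at boot
  chmod +x /etc/rc.d/rc.local
else
  echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system"
  exit 1
fi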
###############################################################################################################
# END_VARIABLE_SECTION
###############################################################################################################
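newclient () {
  # Build the UDP client profile ~/<name>.ovpn: the shared template plus the
  # CA cert, the client's cert and private key and, when the server uses it,
  # the tls-auth key.
  # Globals read: TLS (1 -> embed ta.key), TLSNEW (1 -> add tls-version-min 1.2).
  # Arguments: $1 - client name, which is also the easy-rsa cert/key basename.
  local name="$1"
  local pki=/etc/openvpn/easy-rsa/pki
  local out="$HOME/$name.ovpn"
  # The profile embeds a private key: create it unreadable to other users
  # instead of relying on the caller's umask.
  ( umask 077 && cp /etc/openvpn/client-common.txt "$out" )
  {
    echo "<ca>"
    cat "$pki/ca.crt"
    echo "</ca>"
    echo "<cert>"
    cat "$pki/issued/$name.crt"
    echo "</cert>"
    echo "<key>"
    cat "$pki/private/$name.key"
    echo "</key>"
    if [[ "$TLS" = "1" ]]; then
      # key-direction 1 pairs with the server's "tls-auth ... 0"
      echo "key-direction 1"
      echo "<tls-auth>"
      cat "$pki/private/ta.key"
      echo "</tls-auth>"
    fi
    if [[ "$TLSNEW" = "1" ]]; then
      echo "--tls-version-min 1.2"
    fi
  } >> "$out"
  chmod 600 "$out"
}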
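newclienttcp () {
  # Build the TCP client profile ~/<name>tcp.ovpn from the TCP template; same
  # layout as newclient(), but every line goes to the tcp profile (the original
  # appended the tls-version-min line to the UDP profile by mistake).
  # Globals read: TLS (1 -> embed ta.key), TLSNEW (1 -> add tls-version-min 1.2).
  # Arguments: $1 - client name, which is also the easy-rsa cert/key basename.
  local name="$1"
  local pki=/etc/openvpn/easy-rsa/pki
  local out="$HOME/${name}tcp.ovpn"
  # The profile embeds a private key: create it unreadable to other users.
  ( umask 077 && cp /etc/openvpn/clienttcp-common.txt "$out" )
  {
    echo "<ca>"
    cat "$pki/ca.crt"
    echo "</ca>"
    echo "<cert>"
    cat "$pki/issued/$name.crt"
    echo "</cert>"
    echo "<key>"
    cat "$pki/private/$name.key"
    echo "</key>"
    if [[ "$TLS" = "1" ]]; then
      # key-direction 1 pairs with the server's "tls-auth ... 0"
      echo "key-direction 1"
      echo "<tls-auth>"
      cat "$pki/private/ta.key"
      echo "</tls-auth>"
    fi
    if [[ "$TLSNEW" = "1" ]]; then
      echo "--tls-version-min 1.2"
    fi
  } >> "$out"
  chmod 600 "$out"
}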
# Compare two dotted version strings: succeeds (exit 0) when $1 is strictly
# newer than $2 under `sort -V` ordering, fails when equal or older.
# Used to decide whether the installed OpenVPN is new enough for a feature.
version_gt() {
  local lowest
  lowest=$(printf '%s\n' "$@" | sort -V | head -n 1)
  [ "$lowest" != "$1" ]
}
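# Try to get our IPv4 address from the system and fall back to the Internet.
# Done this way so the script works on NATed servers (lowendspirit.com)
# and never picks an IPv6 address.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ -z "$IP" ]]; then
  # This value ends up as the "remote" line of every client profile, so fetch
  # it over HTTPS: a plain-HTTP answer could be rewritten on the path.
  IP=$(wget -qO- https://ipv4.icanhazip.com)
fi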
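###############################################################################################################
# Helpers shared by the management menu and the installer below
###############################################################################################################
valid_client_name () {
  # Client names become path components (pki/private/<name>.key, ~/<name>.ovpn)
  # and easy-rsa arguments, so enforce the "one word, no special characters"
  # rule the prompts state: letters, digits, '-' and '_' only.
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}
valid_port () {
  # True when $1 is an integer in 1..65535; ports are spliced into the server
  # config, the client profiles and iptables rules.
  [[ "$1" =~ ^[0-9]+$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}
managed_services_action () {
  # Run a service verb (start/restart) against the unit(s) this script created.
  # The distro's generic openvpn.service knows nothing about openvpn_udp /
  # openvpn_tcp, which is what the original start/restart calls targeted.
  # systemd is detected the way the rest of the script does it (a running
  # journal); the init.d/service paths cover the non-systemd case.
  local verb="$1" svc
  if pgrep systemd-journal >/dev/null; then
    for svc in "$UDP_SERVICE_AND_CONFIG_NAME" "$TCP_SERVICE_AND_CONFIG_NAME"; do
      if [[ -e "/etc/systemd/system/$svc.service" ]]; then
        systemctl "$verb" "$svc.service"
      fi
    done
  elif [[ "$OS" = 'debian' ]]; then
    /etc/init.d/openvpn "$verb"
  else
    service openvpn "$verb"
  fi
}
push_dns_options () {
  # Append the 'push "dhcp-option DNS ..."' lines for the menu choice in $DNS
  # to the server config $1; $2 is the tunnel address of the self-hosted
  # resolver (choice 7, set when DNSRESOLVER=1).
  local conf="$1" local_resolver="$2" line
  case $DNS in
    1)
      # Reuse the resolvers from the host's resolv.conf
      grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
        echo "push \"dhcp-option DNS $line\"" >> "$conf"
      done
      ;;
    2)
      echo 'push "dhcp-option DNS 208.67.222.222"' >> "$conf"
      echo 'push "dhcp-option DNS 208.67.220.220"' >> "$conf"
      ;;
    3)
      echo 'push "dhcp-option DNS 64.6.64.6"' >> "$conf"
      echo 'push "dhcp-option DNS 64.6.65.6"' >> "$conf"
      ;;
    4)
      echo 'push "dhcp-option DNS 129.250.35.250"' >> "$conf"
      echo 'push "dhcp-option DNS 129.250.35.251"' >> "$conf"
      ;;
    5)
      echo 'push "dhcp-option DNS 74.82.42.42"' >> "$conf"
      ;;
    6)
      echo 'push "dhcp-option DNS 8.8.8.8"' >> "$conf"
      echo 'push "dhcp-option DNS 8.8.4.4"' >> "$conf"
      ;;
    7)
      echo "push \"dhcp-option DNS $local_resolver\"" >> "$conf"
      ;;
  esac
}
write_server_conf () {
  # Write the server config $1 for protocol $2 ("udp"/"tcp") listening on port
  # $3 and serving the /24 whose first three octets are $4 (e.g. 10.8.0).
  # Reads CIPHER, DIGEST, TLS, TLSNEW, DNS and INTERNALNETWORK from the prompts.
  local conf="$1" proto="$2" port="$3" net="$4"
  # The persist and status files are per protocol: the two instances share
  # /etc/openvpn as working directory and would otherwise overwrite each other.
  # "register-dns" is a Windows-only client option (other clients ignore it).
  echo "port $port
proto $proto
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
push \"register-dns\"
topology subnet
server $net.0 255.255.255.0
ifconfig-pool-persist ipp-$proto.txt
cipher $CIPHER
auth $DIGEST" > "$conf"
  if [[ "$proto" = tcp ]]; then
    # As in the original TCP config: zero means "let the OS size the socket buffers"
    echo "sndbuf 0
rcvbuf 0" >> "$conf"
  fi
  echo 'push "redirect-gateway def1 bypass-dhcp"' >> "$conf"
  if [[ "$TLS" = 1 ]]; then
    # HMAC-sign the control channel so packets without the shared key are
    # dropped before they reach the TLS stack (clients use key-direction 1)
    echo "--tls-auth /etc/openvpn/easy-rsa/pki/private/ta.key 0" >> "$conf"
  fi
  if [[ "$TLSNEW" = 1 ]]; then
    echo "--tls-version-min 1.2" >> "$conf"
  fi
  push_dns_options "$conf" "$net.1"
  # NOTE(review): comp-lzo turns on data-channel compression, which exposes the
  # tunnel to VORACLE-style compression-oracle attacks. It is kept because the
  # client templates below carry the matching line; drop it on both sides together.
  echo "keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status-$proto.log
verb 3
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> "$conf"
  if [[ "$INTERNALNETWORK" = 1 ]]; then
    echo "client-to-client" >> "$conf"
  fi
}
write_client_template () {
  # Write the client profile template $1 for protocol $2 pointing at $IP:$3.
  # newclient()/newclienttcp() append the per-client certificate material.
  local tmpl="$1" proto="$2" port="$3"
  echo "client
dev tun
cipher $CIPHER
auth $DIGEST
proto $proto
remote $IP $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3" > "$tmpl"
  if [[ "$proto" = tcp ]]; then
    echo "sndbuf 0
rcvbuf 0" >> "$tmpl"
  fi
}
write_systemd_unit () {
  # Write /etc/systemd/system/$1.service running /etc/openvpn/$1.conf as a
  # forking daemon with its own pid file (one unit per protocol).
  local name="$1"
  echo "[Unit]
#Created by openvpn-install-advanced (https://github.com/pl48415/openvpn-install-advanced)
Description=OpenVPN Robust And Highly Flexible Tunneling Application On <server>
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/var/run/openvpn/$name.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/$name.pid --cd /etc/openvpn/ --config $name.conf
[Install]
WantedBy=multi-user.target" > "/etc/systemd/system/$name.service"
}
###############################################################################################################
# Management menu (an install is detected by the presence of either server config)
###############################################################################################################
if [[ -e "/etc/openvpn/$UDP_SERVICE_AND_CONFIG_NAME.conf" || -e "/etc/openvpn/$TCP_SERVICE_AND_CONFIG_NAME.conf" ]]; then
  while :; do
    clear
    echo "Looks like OpenVPN is already installed"
    echo ""
    echo "What do you want to do?"
    echo " 1) Add a cert for a new user"
    echo " 2) Revoke existing user cert"
    echo " 3) Remove OpenVPN"
    echo " 4) Exit"
    read -r -p "Select an option [1-4]: " option
    case $option in
      1)
        echo ""
        echo "Tell me a name for the client cert"
        echo "Please, use one word only, no special characters"
        # Reject names that would escape the pki directory and names already issued
        while :; do
          read -r -p "Client name: " -e -i client CLIENT
          if valid_client_name "$CLIENT" && [[ ! -e "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt" ]]; then
            break
          fi
          echo "Invalid or already existing client name: use letters, digits, '-' and '_' only"
        done
        cd /etc/openvpn/easy-rsa/ || exit 1
        ./easyrsa build-client-full "$CLIENT" nopass
        # Generate the custom client.ovpn, mirroring the server's tls-auth /
        # tls-version-min settings so the profile matches the running config
        if [[ -e "/etc/openvpn/$UDP_SERVICE_AND_CONFIG_NAME.conf" ]]; then
          TLS=0
          TLSNEW=0
          grep -q 'tls-auth' "/etc/openvpn/$UDP_SERVICE_AND_CONFIG_NAME.conf" && TLS=1
          grep -q 'tls-version-min 1.2' "/etc/openvpn/$UDP_SERVICE_AND_CONFIG_NAME.conf" && TLSNEW=1
          newclient "$CLIENT"
          echo "UDP client $CLIENT added, certs available at ~/$CLIENT.ovpn"
        fi
        if [[ -e "/etc/openvpn/$TCP_SERVICE_AND_CONFIG_NAME.conf" ]]; then
          TLS=0
          TLSNEW=0
          grep -q 'tls-auth' "/etc/openvpn/$TCP_SERVICE_AND_CONFIG_NAME.conf" && TLS=1
          # Bug fix: the tls-version-min check used to read the UDP config here
          grep -q 'tls-version-min 1.2' "/etc/openvpn/$TCP_SERVICE_AND_CONFIG_NAME.conf" && TLSNEW=1
          newclienttcp "$CLIENT"
          echo "TCP client $CLIENT added, certs available at ~/${CLIENT}tcp.ovpn"
        fi
        echo ""
        exit
        ;;
      2)
        # pki/index.txt holds one line per issued cert, status in column 1
        # ("V" = valid, CN after the last '='); the first line is skipped since
        # this script issues the server cert first.
        NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
        if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
          echo ""
          echo "You have no existing clients!"
          exit
        fi
        echo ""
        echo "Select the existing client certificate you want to revoke"
        tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
        # The answer is spliced into a sed address: accept only an in-range integer
        while :; do
          if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
            read -r -p "Select one client [1]: " CLIENTNUMBER
          else
            read -r -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
          fi
          if [[ "$CLIENTNUMBER" =~ ^[0-9]+$ ]] && (( 10#$CLIENTNUMBER >= 1 && 10#$CLIENTNUMBER <= NUMBEROFCLIENTS )); then
            break
          fi
        done
        CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER}p")
        cd /etc/openvpn/easy-rsa/ || exit 1
        ./easyrsa --batch revoke "$CLIENT"
        ./easyrsa gen-crl
        rm -f "pki/reqs/$CLIENT.req" "pki/private/$CLIENT.key" "pki/issued/$CLIENT.crt"
        # Restart our own units so the refreshed CRL is in effect
        managed_services_action restart
        echo ""
        echo "Certificate for client \"$CLIENT\" revoked"
        exit
        ;;
      ###############################################################################################################
      # START_OPENVPN_REMOVAL_SECTION
      # Remove openvpn as installed by this script (this also deletes the CA key under /etc/openvpn)
      ###############################################################################################################
      3)
        echo ""
        read -r -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
        if [[ "$REMOVE" = 'y' ]]; then
          # Drop the boot-time firewall/NAT lines added at install time. The SNAT
          # pattern tolerates the "! -d ..." variants so both install modes match.
          if [[ -e "/etc/openvpn/$UDP_SERVICE_AND_CONFIG_NAME.conf" ]]; then
            PORT=$(grep '^port ' "/etc/openvpn/$UDP_SERVICE_AND_CONFIG_NAME.conf" | cut -d " " -f 2)
            sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
            sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24.* -j SNAT --to /d' "$RCLOCAL"
          fi
          if [[ -e "/etc/openvpn/$TCP_SERVICE_AND_CONFIG_NAME.conf" ]]; then
            PORT=$(grep '^port ' "/etc/openvpn/$TCP_SERVICE_AND_CONFIG_NAME.conf" | cut -d " " -f 2)
            sed -i "/iptables -I INPUT -p tcp --dport $PORT -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -s 10.9.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
            sed -i '/iptables -t nat -A POSTROUTING -s 10.9.0.0\/24.* -j SNAT --to /d' "$RCLOCAL"
          fi
          sed -i '/iptables -t nat -A PREROUTING -p tcp -i tun+ --dport 80 -j REDIRECT --to-port 8080/d' "$RCLOCAL" # HAVP proxy redirect
          sed -i '/echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward/d' "$RCLOCAL"
          # Only delete the live HAVP redirect if it is actually present
          if iptables -t nat -C PREROUTING -i tun+ -p tcp --dport 80 -j REDIRECT --to-port 8080 2>/dev/null; then
            iptables -t nat -D PREROUTING -i tun+ -p tcp --dport 80 -j REDIRECT --to-port 8080
          fi
          # Stop and disable our units before their files and configs are deleted
          if pgrep systemd-journal >/dev/null; then
            for svc in "$UDP_SERVICE_AND_CONFIG_NAME" "$TCP_SERVICE_AND_CONFIG_NAME"; do
              if [[ -e "/etc/systemd/system/$svc.service" ]]; then
                systemctl stop "$svc.service"
                systemctl disable "$svc.service"
              fi
            done
          fi
          # NOTE: this purges unbound/clamav/privoxy/havp even if they were
          # installed for other purposes than this script's optional features
          apt-get remove --purge -y openvpn openvpn-blacklist unbound clamav clamav-daemon privoxy havp
          rm -rf /etc/openvpn
          rm -rf /usr/share/doc/openvpn*
          rm -f "/etc/systemd/system/$UDP_SERVICE_AND_CONFIG_NAME.service" "/etc/systemd/system/$TCP_SERVICE_AND_CONFIG_NAME.service"
          if pgrep systemd-journal >/dev/null; then
            systemctl daemon-reload
          fi
          echo ""
          echo "OpenVPN removed!"
        fi
        exit
        ;;
      ###############################################################################################################
      # END_OPENVPN_REMOVAL_SECTION
      ###############################################################################################################
      4) exit;;
    esac
  done
else
  ###############################################################################################################
  # Fresh install: gather the answers first, then build the PKI, configs, firewall and services
  ###############################################################################################################
  clear
  echo 'Welcome to this quick OpenVPN "road warrior" installer'
  echo ""
  # OpenVPN setup and first user creation
  echo "I need to ask you a few questions before starting the setup"
  echo "You can leave the default options and just press enter if you are ok with them"
  echo ""
  echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
  echo "listening to."
  read -r -p "IP address: " -e -i "$IP" IP
  echo ""
  # Loop until at least one of UDP/TCP is selected
  while :; do
    while :; do
      clear
      read -r -p "Do you want to run a UDP server [y/n]: " -e -i y UDP
      case $UDP in
        y) UDP=1
          break ;;
        n) UDP=0
          break ;;
      esac
    done
    while :; do
      clear
      echo "***************************************************"
      echo "* !!!!!NB!!!!! *"
      echo "* *"
      echo "* Here be dragons!!! If you're using this to get *"
      echo "* past firewalls then go ahead and choose *y*, *"
      echo "* but please read and understand *"
      echo "* *"
      echo "* http://sites.inka.de/bigred/devel/tcp-tcp.html *"
      echo "* http://tinyurl.com/34qzu5z *"
      echo "***************************************************"
      echo ""
      read -r -p "Do you want to run a TCP server [y/n]: " -e -i n TCP
      case $TCP in
        y) TCP=1
          break ;;
        n) TCP=0
          break ;;
      esac
    done
    if [[ "$UDP" = 1 || "$TCP" = 1 ]]; then
      break
    fi
  done
  if [[ "$UDP" = 1 ]]; then
    while :; do
      clear
      read -r -p "What UDP port do you want to run OpenVPN on?: " -e -i 1194 PORT
      valid_port "$PORT" && break
    done
  fi
  if [[ "$TCP" = 1 ]]; then
    while :; do
      clear
      read -r -p "What TCP port do you want to run OpenVPN on?: " -e -i 443 PORTTCP
      valid_port "$PORTTCP" && break
    done
  fi
  while :; do
    clear
    echo "What size do you want your key to be? :"
    echo " 1) 2048bits"
    echo " 2) 4096bits"
    echo ""
    read -r -p "Key Size [1-2]: " -e -i 1 KEYSIZE
    case $KEYSIZE in
      1)
        KEYSIZE=2048
        break
        ;;
      2)
        KEYSIZE=4096
        break
        ;;
    esac
  done
  while :; do
    clear
    echo "What size do you want your SHA digest to be? :"
    echo " 1) 256bits"
    echo " 2) 512bits"
    echo ""
    read -r -p "Digest Size [1-2]: " -e -i 1 DIGEST
    case $DIGEST in
      1)
        DIGEST=SHA256
        break
        ;;
      2)
        DIGEST=SHA512
        break
        ;;
    esac
  done
  # Check for AES-NI availability to hint the cipher choice
  AES=0
  if grep -q aes /proc/cpuinfo; then
    AES=1
  fi
  while :; do
    clear
    if [[ "$AES" -eq 1 ]]; then
      echo "Your CPU supports AES-NI instruction set."
      echo "It enables faster AES encryption/decryption."
      echo "Choosing AES will decrease CPU usage."
    fi
    echo "Which cipher do you want to use? :"
    echo " 1) AES-256-CBC"
    echo " 2) AES-128-CBC"
    echo " 3) BF-CBC"
    echo " 4) CAMELLIA-256-CBC"
    echo " 5) CAMELLIA-128-CBC"
    echo ""
    # Blowfish is a 64-bit block cipher (SWEET32); it stays selectable for
    # compatibility with old clients only
    echo "NOTE: BF-CBC has a 64-bit block size and is vulnerable to SWEET32, prefer AES."
    read -r -p "Cipher [1-5]: " -e -i 1 CIPHER
    case $CIPHER in
      1) CIPHER=AES-256-CBC
        break ;;
      2) CIPHER=AES-128-CBC
        break ;;
      3) CIPHER=BF-CBC
        break ;;
      4) CIPHER=CAMELLIA-256-CBC
        break ;;
      5) CIPHER=CAMELLIA-128-CBC
        break ;;
    esac
  done
  while :; do
    clear
    read -r -p "Do you want to use additional TLS authentication [y/n]: " -e -i y TLS
    case $TLS in
      y) TLS=1
        break ;;
      n) TLS=0
        break ;;
    esac
  done
  while :; do
    clear
    echo "Do you want to enable internal networking for the VPN(iptables only)?"
    echo "This can allow VPN clients to communicate between them"
    read -r -p "Allow internal networking [y/n]: " -e -i y INTERNALNETWORK
    case $INTERNALNETWORK in
      y) INTERNALNETWORK=1
        break ;;
      n) INTERNALNETWORK=0
        break ;;
    esac
  done
  while :; do
    clear
    echo "Do you want to create self hosted DNS resolver ?"
    echo "This resolver will be only accessible through VPN to prevent"
    echo "your server to be used for DNS amplification attack"
    read -r -p "Create DNS resolver [y/n]: " -e -i n DNSRESOLVER
    case $DNSRESOLVER in
      y) DNSRESOLVER=1
        break;;
      n) DNSRESOLVER=0
        break;;
    esac
  done
  while :; do
    clear
    echo "Do you want to setup Privoxy+ClamAV+HAVP?"
    echo "Privoxy will be used to block ads."
    echo "ClamAV+HAVP will be used to scan all of your web traffic for viruses."
    echo "This will only work with unencrypted traffic."
    echo "You should have at least 1GB RAM for this option."
    read -r -p "[y/n]: " -e -i n ANTIVIR
    case $ANTIVIR in
      y) ANTIVIR=1
        break;;
      n) ANTIVIR=0
        break;;
    esac
  done
  clear
  if [[ "$DNSRESOLVER" = 0 ]]; then # a self-hosted resolver (DNS=7) skips this menu
    echo "What DNS do you want to use with the VPN?"
    echo " 1) Current system resolvers"
    echo " 2) OpenDNS"
    echo " 3) Verisign"
    echo " 4) NTT"
    echo " 5) Hurricane Electric"
    echo " 6) Google"
    echo ""
    read -r -p "DNS [1-6]: " -e -i 1 DNS
  fi
  clear
  echo "Tell me your name for the client cert"
  echo "Please, use one word only, no special characters"
  while :; do
    read -r -p "Client name: " -e -i client CLIENT
    valid_client_name "$CLIENT" && break
    echo "Invalid client name: use letters, digits, '-' and '_' only"
  done
  echo ""
  if [[ "$OS" = 'debian' ]]; then
    apt-get update -qq
    apt-get install openvpn iptables openssl -y -qq
    if [[ "$DNSRESOLVER" = 1 ]]; then
      DNS=7
      # Install the "Unbound" caching resolver. It listens only on the tunnel
      # addresses and answers only the VPN subnets (the original allowed
      # 0.0.0.0/0), so the box cannot serve as a DNS amplification reflector
      # even if a packet for 10.8.0.1/10.9.0.1 arrives on another interface.
      apt-get install unbound -y -qq
      {
        echo "server:" # interface/access-control are server-clause options
        if [[ "$TCP" -eq 1 ]]; then
          echo "interface: 10.9.0.1"
          echo "access-control: 10.9.0.0/24 allow"
        fi
        if [[ "$UDP" -eq 1 ]]; then
          echo "interface: 10.8.0.1"
          echo "access-control: 10.8.0.0/24 allow"
        fi
      } >> /etc/unbound/unbound.conf
    fi
    if [[ "$ANTIVIR" = 1 ]]; then
      apt-get install clamav clamav-daemon -qq -y
      service clamav-freshclam stop
      freshclam
      service clamav-freshclam start
      sed -i "s/AllowSupplementaryGroups false/AllowSupplementaryGroups true/" /etc/clamav/clamd.conf
      service clamav-daemon restart
      apt-get install havp -y
      sed -i '/ENABLECLAMLIB true/c\ENABLECLAMLIB false' /etc/havp/havp.config
      sed -i '/ENABLECLAMD false/c\ENABLECLAMD true' /etc/havp/havp.config
      sed -i '/RANGE false/c\RANGE true' /etc/havp/havp.config
      # Bug fix: this line used to replace SCANIMAGES with "ENABLECLAMD false",
      # silently undoing the clamd enablement two lines up
      sed -i '/SCANIMAGES true/c\SCANIMAGES false' /etc/havp/havp.config
      sed -i 's/\# SKIPMIME/SKIPMIME/' /etc/havp/havp.config
      sed -i '/LOG_OKS true/c\LOG_OKS false' /etc/havp/havp.config
      gpasswd -a clamav havp
      service clamav-daemon restart
      service havp restart
      apt-get install privoxy -y -qq
      sed -i '/listen-address localhost:8118/c\listen-address 127.0.0.1:8118' /etc/privoxy/config
      HOST=$(hostname -f)
      sed -i "/hostname hostname.example.org/c\hostname $HOST" /etc/privoxy/config
      service privoxy restart
      sed -i '/PARENTPROXY localhost/c\PARENTPROXY 127.0.0.1' /etc/havp/havp.config
      sed -i '/PARENTPORT 3128/c\PARENTPORT 8118' /etc/havp/havp.config
      sed -i '/TRANSPARENT false/c\TRANSPARENT true' /etc/havp/havp.config
      # Redirect VPN clients' plain-HTTP traffic into HAVP, now and at boot
      sed -i "3 a\\iptables -t nat -A PREROUTING -p tcp -i tun+ --dport 80 -j REDIRECT --to-port 8080" "$RCLOCAL"
      service havp restart
      iptables -t nat -A PREROUTING -i tun+ -p tcp --dport 80 -j REDIRECT --to-port 8080
    fi
  else
    # Everything below relies on apt-installed packages; bail out instead of
    # continuing with no openvpn binary
    echo "Only Debian-based distros supported currently"
    exit 1
  fi
  # First line of `openvpn --version` is "OpenVPN <version> <platform> ...";
  # the original parsed the version out of an "unrecognized option" error.
  ovpnversion=$(openvpn --version | head -n 1 | awk '{print $2}')
  # Default to 0: the original left TLSNEW unset on older OpenVPN and the
  # later "[ $TLSNEW = 1 ]" tests then errored out
  TLSNEW=0
  if version_gt "$ovpnversion" "2.3.3"; then
    while :; do
      clear
      echo "Your OpenVPN version is $ovpnversion and it supports"
      echo "newer and more secure TLS 1.2 protocol for its control channel."
      echo "Do you want to force usage of TLS 1.2 ?"
      echo "NOTE: Your client also must use version 2.3.3 or newer"
      read -r -p "Force TLS 1.2 [y/n]: " -e -i n TLSNEW
      case $TLSNEW in
        y) TLSNEW=1
          break ;;
        n) TLSNEW=0
          break ;;
      esac
    done
  fi
  echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
  read -n1 -r -p "Press any key to continue..."
  # An old version of easy-rsa was available by default in some openvpn packages
  if [[ -d /etc/openvpn/easy-rsa/ ]]; then
    rm -rf /etc/openvpn/easy-rsa/
  fi
  # Get easy-rsa. This tarball becomes the CA tooling for the whole VPN, so TLS
  # verification stays on (the original passed --no-check-certificate) and a
  # failed download aborts instead of continuing with an empty PKI.
  # TODO(review): pin the release's SHA-256 and verify it here as well.
  EASYRSA_TMP=$(mktemp -d) || exit 1
  if ! wget -qO "$EASYRSA_TMP/EasyRSA-3.0.1.tgz" https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz; then
    echo "Failed to download EasyRSA 3.0.1, aborting"
    rm -rf "$EASYRSA_TMP"
    exit 1
  fi
  tar xzf "$EASYRSA_TMP/EasyRSA-3.0.1.tgz" -C "$EASYRSA_TMP"
  mv "$EASYRSA_TMP/EasyRSA-3.0.1/" /etc/openvpn/easy-rsa/
  chown -R root:root /etc/openvpn/easy-rsa/
  rm -rf "$EASYRSA_TMP"
  cd /etc/openvpn/easy-rsa/ || exit 1
  # Create the PKI, set up the CA, the DH params and the server + client certificates
  ./easyrsa init-pki
  cp vars.example vars
  # Change the key size to the chosen one; [[:space:]]* tolerates a tab or
  # spaces between the variable name and the default value in vars.example
  sed -i "s/#set_var EASYRSA_KEY_SIZE[[:space:]]*2048/set_var EASYRSA_KEY_SIZE $KEYSIZE/" vars
  ./easyrsa --batch build-ca nopass
  ./easyrsa gen-dh
  ./easyrsa build-server-full server nopass
  ./easyrsa build-client-full "$CLIENT" nopass
  ./easyrsa gen-crl
  openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/private/ta.key # tls-auth shared key
  # Move the stuff the server needs. The CA private key stays in pki/private
  # (root-only): the server only verifies against ca.crt and never signs.
  cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn
  chmod 600 /etc/openvpn/server.key
  if [[ "$UDP" = 1 ]]; then
    write_server_conf "/etc/openvpn/$UDP_SERVICE_AND_CONFIG_NAME.conf" udp "$PORT" 10.8.0
  fi
  if [[ "$TCP" = 1 ]]; then
    write_server_conf "/etc/openvpn/$TCP_SERVICE_AND_CONFIG_NAME.conf" tcp "$PORTTCP" 10.9.0
  fi
  # Enable net.ipv4.ip_forward for the system: uncomment the stock line, or add
  # it when the file has no such line at all
  sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
  grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  sed -i " 5 a\\echo 1 > /proc/sys/net/ipv4/ip_forward" "$RCLOCAL" # for servers that don't read sysctl at startup
  # Avoid an unneeded reboot
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Set NAT for the VPN subnet(s). With internal networking, traffic between
  # clients is excluded from SNAT; otherwise only traffic to the server's own
  # tunnel address is. The rc.local line is the same rule as the live one
  # (the original persisted a different, broader rule).
  if [[ "$INTERNALNETWORK" = 1 ]]; then
    UDP_SNAT=(iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP")
    TCP_SNAT=(iptables -t nat -A POSTROUTING -s 10.9.0.0/24 ! -d 10.9.0.0/24 -j SNAT --to "$IP")
  else
    UDP_SNAT=(iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.1 -j SNAT --to "$IP")
    TCP_SNAT=(iptables -t nat -A POSTROUTING -s 10.9.0.0/24 ! -d 10.9.0.1 -j SNAT --to "$IP")
  fi
  if [[ "$UDP" = 1 ]]; then
    "${UDP_SNAT[@]}"
    sed -i "1 a\\${UDP_SNAT[*]}" "$RCLOCAL"
  fi
  if [[ "$TCP" = 1 ]]; then
    "${TCP_SNAT[@]}"
    sed -i "1 a\\${TCP_SNAT[*]}" "$RCLOCAL"
  fi
  if iptables -L | grep -q REJECT; then
    # If iptables has at least one REJECT rule, we assume a filtering policy is
    # in place and punch the holes OpenVPN needs, now and at boot via rc.local.
    # Not the best approach but I can't think of other and this shouldn't
    # cause problems.
    if [[ "$UDP" = 1 ]]; then
      iptables -I INPUT -p udp --dport "$PORT" -j ACCEPT
      iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
      iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
      sed -i "1 a\\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" "$RCLOCAL"
      sed -i "1 a\\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" "$RCLOCAL"
      sed -i "1 a\\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
    fi
    if [[ "$TCP" = 1 ]]; then
      # Bug fix: the live rule used "-p udp" for the TCP listener, so the TCP
      # port stayed closed until the next boot
      iptables -I INPUT -p tcp --dport "$PORTTCP" -j ACCEPT
      iptables -I FORWARD -s 10.9.0.0/24 -j ACCEPT
      iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
      sed -i "1 a\\iptables -I INPUT -p tcp --dport $PORTTCP -j ACCEPT" "$RCLOCAL"
      sed -i "1 a\\iptables -I FORWARD -s 10.9.0.0/24 -j ACCEPT" "$RCLOCAL"
      sed -i "1 a\\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
    fi
  fi
  ###############################################################################################################
  # START_SERVICE_SECTION
  # Install, enable and start one service per protocol. The original started the
  # distro's generic openvpn.service, which never started these units.
  ###############################################################################################################
  if [[ "$UDP" = 1 ]]; then
    write_systemd_unit "$UDP_SERVICE_AND_CONFIG_NAME"
  fi
  if [[ "$TCP" = 1 ]]; then
    write_systemd_unit "$TCP_SERVICE_AND_CONFIG_NAME"
  fi
  if pgrep systemd-journal >/dev/null; then
    systemctl daemon-reload # pick up the freshly written unit files
    if [[ "$UDP" = 1 ]]; then
      systemctl enable "$UDP_SERVICE_AND_CONFIG_NAME.service"
    fi
    if [[ "$TCP" = 1 ]]; then
      systemctl enable "$TCP_SERVICE_AND_CONFIG_NAME.service"
    fi
  fi
  managed_services_action start
  ###############################################################################################################
  # END_SERVICE_SECTION
  ###############################################################################################################
  # Try to detect a NATed connection and ask about it to potential LowEndSpirit or Scaleway users
  EXTERNALIP=$(wget -qO- https://ipv4.icanhazip.com)
  if [[ "$IP" != "$EXTERNALIP" ]]; then
    echo ""
    echo "Looks like your server is behind a NAT!"
    echo ""
    echo "If your server is NATed (LowEndSpirit or Scaleway), I need to know the external IP"
    echo "If that's not the case, just ignore this and leave the next field blank"
    read -r -p "External IP: " -e USEREXTERNALIP
    if [[ "$USEREXTERNALIP" != "" ]]; then
      IP=$USEREXTERNALIP
    fi
  fi
  # The templates are kept so further users can be added later from the menu
  if [[ "$UDP" = 1 ]]; then
    write_client_template /etc/openvpn/client-common.txt udp "$PORT"
    newclient "$CLIENT"
  fi
  if [[ "$TCP" = 1 ]]; then
    write_client_template /etc/openvpn/clienttcp-common.txt tcp "$PORTTCP"
    newclienttcp "$CLIENT"
  fi
  echo ""
  echo "Finished!"
  echo ""
  if [[ "$UDP" = 1 ]]; then
    echo "Your UDP client config is available at ~/$CLIENT.ovpn"
  fi
  if [[ "$TCP" = 1 ]]; then
    echo "Your TCP client config is available at ~/${CLIENT}tcp.ovpn"
  fi
  echo "If you want to add more clients, you simply need to run this script another time!"
fi
# Only reached on the install path (every menu branch exits above)
if [[ "$DNSRESOLVER" = 1 ]]; then
  service unbound restart
fi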