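#!/bin/bash
# OpenVPN road warrior installer for Debian-based distros
#
# This script will only work on Debian-based systems. It isn't bulletproof but
# it will probably work if you simply want to setup a VPN on your Debian/Ubuntu
# VPS. It has been designed to be as unobtrusive and universal as possible.
#
# Behaviour:
#   * /etc/openvpn/server.conf present  -> small menu: add a client cert,
#     revoke a client cert, remove OpenVPN, or exit.
#   * otherwise                          -> ask a few questions, install
#     OpenVPN + easy-rsa 2.0, build the PKI, write server.conf, set up NAT and
#     IP forwarding, and produce the first client bundle (~/ovpn-NAME.tar.gz).
#
# Must run as root. Touches /etc/openvpn, /etc/rc.local, /etc/sysctl.conf,
# /proc/sys/net/ipv4/ip_forward and the live iptables nat table.

EASY_RSA_DIR=/etc/openvpn/easy-rsa/2.0
SERVER_CONF=/etc/openvpn/server.conf
SAMPLE_DIR=/usr/share/doc/openvpn/examples/sample-config-files
# Optional: sha256 of the easy-rsa 2.2.2 tarball fetched below. When empty the
# download is only protected by TLS certificate validation.
EASYRSA_SHA256="${EASYRSA_SHA256:-}"   # PLACEHOLDER: set to the known-good digest

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Succeed when $1 is a dotted-quad IPv4 address with octets 0-255.
# Arguments: $1 - candidate address
#######################################
is_ipv4() {
  local ip=$1 octet
  local -a octets
  [[ "$ip" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$ip"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so a leading zero is not read as octal.
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Succeed when $1 is a single word of [A-Za-z0-9_-].
# The client name becomes a file name, a tar member name and a certificate CN,
# and is passed to pkitool / revoke-full, so anything else is rejected.
# Arguments: $1 - candidate client name
#######################################
valid_client_name() {
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

#######################################
# Build the client bundle for an existing client certificate.
# Copies the sample client.conf plus NAME's cert/key and the CA cert into
# $HOME/ovpn-NAME, points the config at the per-client files, tars everything
# into $HOME/ovpn-NAME.tar.gz (root-only permissions, it holds a private key)
# and removes the scratch directory.
# Globals:   EASY_RSA_DIR, SAMPLE_DIR, HOME (read)
# Arguments: $1 - client name (already validated)
# Outputs:   $HOME/ovpn-NAME.tar.gz
#######################################
build_client_bundle() {
  local name=$1
  local dir="$HOME/ovpn-$name"
  local keys="$EASY_RSA_DIR/keys"
  mkdir -p -- "$dir" || die "cannot create $dir"
  cp -- "$SAMPLE_DIR/client.conf" "$dir/$name.conf" || die "sample client.conf not found"
  cp -- "$keys/ca.crt" "$keys/$name.crt" "$keys/$name.key" "$dir/" \
    || die "certificate or key for client $name not found"
  sed -i "s|cert client.crt|cert $name.crt|" "$dir/$name.conf"
  sed -i "s|key client.key|key $name.key|" "$dir/$name.conf"
  chmod 600 -- "$dir/$name.key"
  # Subshell so the restrictive umask only applies to the archive creation.
  ( umask 077 && tar -czf "$HOME/ovpn-$name.tar.gz" -C "$dir" \
      "$name.conf" ca.crt "$name.crt" "$name.key" ) || die "could not create client archive"
  # :? aborts rather than running rm -rf on an empty path.
  rm -rf -- "${dir:?}"
}

# ---- preflight checks -------------------------------------------------------

# EUID rather than $USER: $USER is whatever the login shell set and is not a
# reliable indicator of privilege.
[[ "${EUID:-$(id -u)}" -eq 0 ]] || die "Sorry, you need to run this as root"
[[ -e /dev/net/tun ]] || die "TUN/TAP is not available"
[[ -e /etc/debian_version ]] \
  || die "Looks like you aren't running this installer on a Debian-based system"

# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6.
IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 \
  | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
  | cut -d: -f2 | awk '{ print $1}' | head -1)
if [[ -z "$IP" ]]; then
  # Plain-HTTP lookup: the answer is only a default the operator confirms
  # interactively, and it is checked to be a dotted quad before it is offered.
  IP=$(wget -qO- ipv4.icanhazip.com)
  is_ipv4 "$IP" || IP=
fi

if [[ -e "$SERVER_CONF" ]]; then
  # ---- maintenance menu (OpenVPN already installed) -------------------------
  while :; do
    clear
    echo "Looks like OpenVPN is already installed"
    echo "What do you want to do?"
    echo ""
    echo "1) Add a cert for a new user"
    echo "2) Revoke existing user cert"
    echo "3) Remove OpenVPN"
    echo "4) Exit"
    echo ""
    read -r -p "Select an option [1-4]: " option
    case "$option" in
      1)
        echo ""
        echo "Tell me a name for the client cert"
        echo "Please, use one word only, no special characters"
        read -r -p "Client name: " -e -i client CLIENT
        valid_client_name "$CLIENT" \
          || die "Invalid client name: use letters, digits, '-' or '_' only"
        [[ -e "$EASY_RSA_DIR/keys/$CLIENT.crt" ]] \
          && die "A certificate for client $CLIENT already exists"
        # vars derives KEY_DIR from the current directory, so the cd must succeed.
        cd "$EASY_RSA_DIR" || die "cannot cd to $EASY_RSA_DIR"
        source ./vars
        # build-key for the client
        export KEY_CN="$CLIENT"
        export EASY_RSA="${EASY_RSA:-.}"
        "$EASY_RSA/pkitool" "$CLIENT" || die "pkitool failed for client $CLIENT"
        # Let's generate the client config
        build_client_bundle "$CLIENT"
        echo ""
        echo "Client $CLIENT added, certs available at ~/ovpn-$CLIENT.tar.gz"
        exit 0
        ;;
      2)
        echo ""
        echo "Tell me the existing client name"
        read -r -p "Client name: " -e -i client CLIENT
        valid_client_name "$CLIENT" \
          || die "Invalid client name: use letters, digits, '-' or '_' only"
        [[ -e "$EASY_RSA_DIR/keys/$CLIENT.crt" ]] \
          || die "No certificate found for client $CLIENT"
        cd "$EASY_RSA_DIR" || die "cannot cd to $EASY_RSA_DIR"
        . "$EASY_RSA_DIR/vars"
        # Sourced, as in easy-rsa's own usage; the argument becomes $1 for it.
        . "$EASY_RSA_DIR/revoke-full" "$CLIENT"
        # If it's the first time revoking a cert, we need to add the crl-verify line
        if grep -q "crl-verify" "$SERVER_CONF"; then
          echo ""
          echo "Certificate for client $CLIENT revoked"
        else
          echo "crl-verify $EASY_RSA_DIR/keys/crl.pem" >> "$SERVER_CONF"
          /etc/init.d/openvpn restart
          echo ""
          echo "Certificate for client $CLIENT revoked"
        fi
        exit 0
        ;;
      3)
        apt-get remove --purge -y openvpn openvpn-blacklist
        rm -rf -- /etc/openvpn
        rm -rf -- /usr/share/doc/openvpn
        # Drop the rc.local lines this installer added (port-53 redirect, SNAT).
        sed -i '/--dport 53 -j REDIRECT --to-port/d' /etc/rc.local
        sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local
        echo ""
        echo "OpenVPN removed!"
        exit 0
        ;;
      4)
        exit 0
        ;;
      *)
        # Anything else: redraw the menu.
        ;;
    esac
  done
else
  # ---- fresh installation ---------------------------------------------------
  echo 'Welcome to this quick OpenVPN "road warrior" installer'
  echo ""
  # OpenVPN setup and first user creation
  echo "I need to ask you a few questions before starting the setup"
  echo "You can leave the default options and just press enter if you are ok with them"
  echo ""
  echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
  echo "listening to."
  read -r -p "IP address: " -e -i "$IP" IP
  is_ipv4 "$IP" || die "$IP is not a valid IPv4 address"
  echo ""
  echo "What port do you want for OpenVPN?"
  read -r -p "Port: " -e -i 1194 PORT
  if ! [[ "$PORT" =~ ^[0-9]+$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
    die "Invalid port: $PORT"
  fi
  echo ""
  echo "Do you want OpenVPN to be available at port 53 too?"
  echo "This can be useful to connect under restrictive networks"
  read -r -p "Listen at port 53 [y/n]: " -e -i n ALTPORT
  echo ""
  echo "Finally, tell me your name for the client cert"
  echo "Please, use one word only, no special characters"
  read -r -p "Client name: " -e -i client CLIENT
  valid_client_name "$CLIENT" \
    || die "Invalid client name: use letters, digits, '-' or '_' only"
  echo ""
  echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
  read -n1 -r -p "Press any key to continue..."
  apt-get update
  # wget + ca-certificates are needed for the verified easy-rsa download below.
  apt-get install -y openvpn iptables openssl wget ca-certificates \
    || die "package installation failed"
  # Present on Wheezy and older; on Jessie+ this fails and the download below
  # takes over.
  cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
  # easy-rsa isn't available by default for Debian Jessie and newer
  if [[ ! -d "$EASY_RSA_DIR" ]]; then
    # TLS certificate validation stays enabled; the digest check is optional
    # (see EASYRSA_SHA256 at the top).
    wget -O "$HOME/easy-rsa.tar.gz" https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz \
      || die "easy-rsa download failed"
    if [[ -n "$EASYRSA_SHA256" ]]; then
      printf '%s  %s\n' "$EASYRSA_SHA256" "$HOME/easy-rsa.tar.gz" | sha256sum -c - >/dev/null \
        || die "easy-rsa tarball checksum mismatch"
    fi
    tar xzf "$HOME/easy-rsa.tar.gz" -C "$HOME/" || die "cannot extract easy-rsa"
    mkdir -p -- "$EASY_RSA_DIR"
    cp -- "$HOME"/easy-rsa-2.2.2/easy-rsa/2.0/* "$EASY_RSA_DIR/"
    rm -rf -- "$HOME/easy-rsa-2.2.2" "$HOME/easy-rsa.tar.gz"
  fi
  cd "$EASY_RSA_DIR" || die "cannot cd to $EASY_RSA_DIR"
  # Let's fix one thing first...
  cp -u -p openssl-1.0.0.cnf openssl.cnf
  # 1024 bits was the default for Debian Wheezy and older; use 2048-bit keys.
  sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' "$EASY_RSA_DIR/vars"
  # Create the PKI
  . "$EASY_RSA_DIR/vars"
  . "$EASY_RSA_DIR/clean-all"
  # The following lines are from build-ca. I don't use that script directly
  # because it's interactive and we don't want that. Yes, this could break
  # the installation script if build-ca changes in the future.
  export EASY_RSA="${EASY_RSA:-.}"
  "$EASY_RSA/pkitool" --initca || die "CA creation failed"
  # Same as the last time, we are going to run build-key-server
  export EASY_RSA="${EASY_RSA:-.}"
  "$EASY_RSA/pkitool" --server server || die "server certificate creation failed"
  # Now the client keys. We need to set KEY_CN or pkitool refuses to run
  export KEY_CN="$CLIENT"
  export EASY_RSA="${EASY_RSA:-.}"
  "$EASY_RSA/pkitool" "$CLIENT" || die "client certificate creation failed"
  # DH params
  . "$EASY_RSA_DIR/build-dh"
  # Let's configure the server
  cd "$SAMPLE_DIR" || die "cannot cd to $SAMPLE_DIR"
  gunzip -d server.conf.gz
  cp server.conf /etc/openvpn/ || die "sample server.conf not found"
  # The server needs the CA certificate, not the CA private key: ca.key stays
  # in the easy-rsa keys directory.
  cp -- "$EASY_RSA_DIR/keys/ca.crt" "$EASY_RSA_DIR/keys/dh2048.pem" \
    "$EASY_RSA_DIR/keys/server.crt" "$EASY_RSA_DIR/keys/server.key" /etc/openvpn \
    || die "server certificate material not found"
  chmod 600 /etc/openvpn/server.key
  cd /etc/openvpn/ || die "cannot cd to /etc/openvpn"
  # Set the server configuration
  sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
  sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
  sed -i "s|port 1194|port $PORT|" server.conf
  # Obtain the resolvers from resolv.conf and use them for OpenVPN
  grep -v '#' /etc/resolv.conf | grep 'nameserver' \
    | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
    | while IFS= read -r line; do
    sed -i "/;push \"dhcp-option DNS 208.67.220.220\"/a\push \"dhcp-option DNS $line\"" server.conf
  done
  # Listen at port 53 too if user wants that
  if [[ "$ALTPORT" == 'y' ]]; then
    iptables -t nat -A PREROUTING -p udp -d "$IP" --dport 53 -j REDIRECT --to-port "$PORT"
    sed -i "/# By default this script does nothing./a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local
  fi
  # Enable net.ipv4.ip_forward for the system
  sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
  # Avoid an unneeded reboot
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Set iptables
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
  sed -i "/# By default this script does nothing./a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local
  # And finally, restart OpenVPN
  /etc/init.d/openvpn restart || echo "Warning: OpenVPN failed to restart, check its logs" >&2
  # Try to detect a NATed connection and ask about it to potential LowEndSpirit
  # users
  EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
  if [[ "$IP" != "$EXTERNALIP" ]]; then
    echo ""
    echo "Looks like your server is behind a NAT!"
    echo ""
    echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
    echo "If that's not the case, just ignore this and leave the next field blank"
    read -r -p "External IP: " -e USEREXTERNALIP
    # -n instead of an unquoted != "" test, which errors on an empty answer.
    if [[ -n "$USEREXTERNALIP" ]]; then
      is_ipv4 "$USEREXTERNALIP" || die "$USEREXTERNALIP is not a valid IPv4 address"
      IP=$USEREXTERNALIP
    fi
  fi
  # IP/port set on the default client.conf so we can add further users
  # without asking for them
  sed -i "s|remote my-server-1 1194|remote $IP $PORT|" "$SAMPLE_DIR/client.conf"
  # Let's generate the client config
  build_client_bundle "$CLIENT"
  echo ""
  echo "Finished!"
  echo ""
  echo "Your client config is available at ~/ovpn-$CLIENT.tar.gz"
  echo "If you want to add more clients, you simply need to run this script another time!"
fi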