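#!/bin/bash

# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
# https://github.com/Angristan/OpenVPN-install
#
# Preflight: must run as root, needs a TUN device, refuses CentOS 5, then
# detects the distribution and records where rc.local and sysctl live.
# Globals written: OS, VERSION_ID (Debian/Ubuntu only; the raw
#                  VERSION_ID="..." line from os-release, compared whole
#                  later on), RCLOCAL, SYSCTL, CONTINUE.

if [[ "$EUID" -ne 0 ]]; then
    echo "Sorry, you need to run this as root" >&2
    exit 1
fi

if [[ ! -e /dev/net/tun ]]; then
    echo "TUN is not available" >&2
    exit 2
fi

if grep -qs "CentOS release 5" "/etc/redhat-release"; then
    echo "CentOS 5 is too old and not supported" >&2
    exit 3
fi

if [[ -e /etc/debian_version ]]; then
    OS="debian"
    # Getting the version number, to verify that a recent version of OpenVPN is available.
    # Kept as the whole line (quotes included) because later checks compare it that way.
    VERSION_ID=$(grep '^VERSION_ID=' /etc/os-release)
    RCLOCAL='/etc/rc.local'
    SYSCTL='/etc/sysctl.conf'
    case "$VERSION_ID" in
        'VERSION_ID="7"'|'VERSION_ID="8"'|'VERSION_ID="12.04"'|'VERSION_ID="14.04"'|'VERSION_ID="16.04"'|'VERSION_ID="16.10"')
            # Supported release: nothing to ask.
            ;;
        *)
            echo "Your version of Debian/Ubuntu is not supported."
            echo "I can't install a recent version of OpenVPN on your system."
            echo ""
            echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
            echo "then you can continue, a recent version of OpenVPN is available on these."
            echo "Keep in mind they are not supported, though."
            while [[ "$CONTINUE" != "y" && "$CONTINUE" != "n" ]]; do
                read -r -p "Continue ? [y/n]: " -e CONTINUE
            done
            if [[ "$CONTINUE" = "n" ]]; then
                echo "Ok, bye !"
                exit 4
            fi
            ;;
    esac
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
    OS=centos
    RCLOCAL='/etc/rc.d/rc.local'
    SYSCTL='/etc/sysctl.conf'
    # Needed for CentOS 7
    chmod +x /etc/rc.d/rc.local
elif [[ -e /etc/arch-release ]]; then
    OS=arch
    RCLOCAL='/etc/rc.local'
    SYSCTL='/etc/sysctl.d/openvpn.conf'
else
    echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" >&2
    exit 4
fi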
  57.  
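#######################################
# Generates the custom client.ovpn: the template plus the inlined CA cert,
# client cert/key and tls-auth key, written into the web share.
# Globals:   host (read: value for the X-Online-Host proxy header),
#            IP (read: http-proxy address)
# Arguments: $1 - client name; must match the easy-rsa CN (pki/issued/<name>.crt)
# Outputs:   /var/www/html/openvpn/<name>.ovpn
# Returns:   1 if the name is empty or contains '/', else the status of the write
#######################################
newclient() {
    local name=$1
    local out="/var/www/html/openvpn/$name.ovpn"
    # The name is spliced into several paths; refuse anything that could
    # escape the expected directories.
    if [[ -z "$name" || "$name" == */* ]]; then
        echo "newclient: invalid client name" >&2
        return 1
    fi
    # NOTE(review): the resulting file carries the client's private key and is
    # placed in the web root so it can be downloaded; the install flow tells
    # the user to delete it after download, the menu path does not.
    {
        cat /etc/openvpn/client-template.txt
        echo "<ca>"
        cat /etc/openvpn/easy-rsa/pki/ca.crt
        echo "</ca>"
        echo "<cert>"
        cat "/etc/openvpn/easy-rsa/pki/issued/$name.crt"
        echo "</cert>"
        echo "<key>"
        cat "/etc/openvpn/easy-rsa/pki/private/$name.key"
        echo "</key>"
        echo "key-direction 1"
        echo "<tls-auth>"
        cat /etc/openvpn/tls-auth.key
        echo "</tls-auth>"
        echo "http-proxy-option CUSTOM-HEADER X-Online-Host $host"
        echo "http-proxy $IP 80"
    } > "$out"
}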
  77.  
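# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
# and to avoid getting an IPv6.
# Global written: IP - first non-loopback IPv4 address on any interface,
# else whatever icanhazip answers (empty if both fail).
IP=$(ip -4 addr | awk '$1 == "inet" && $2 !~ /^127\./ { sub(/\/.*/, "", $2); print $2; exit }')
if [[ -z "$IP" ]]; then
    # Plain-HTTP lookup from an unauthenticated third party: treat it as a
    # best-effort guess (the install flow asks the user to confirm it).
    IP=$(wget -qO- ipv4.icanhazip.com)
fi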
  85.  
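#######################################
# Menu option 1: issue a certificate for a new client and publish the
# bundled .ovpn as a zip under the web root.
# Globals:   host (written; read by newclient), IP (read)
# Outputs:   download URL on stdout
# Returns:   does not return; exits the script
#######################################
add_client() {
    local CLIENT
    echo ""
    echo "Qual host deseja usar ?"
    read -r host
    echo ""
    echo "Qual nome para o novo usuário ?"
    echo ""
    echo "Não use acentos e pontos"
    echo ""
    read -r -p "Nome Usuário: " -e -i client CLIENT
    # The name becomes a file name under pki/ and the web root: enforce what
    # the prompt asks for instead of trusting the input.
    if [[ ! "$CLIENT" =~ ^[A-Za-z0-9_-]+$ ]]; then
        echo "Nome de usuário inválido: use apenas letras, números, '-' e '_'" >&2
        exit 6
    fi
    cd /etc/openvpn/easy-rsa/ || exit 1
    ./easyrsa build-client-full "$CLIENT" nopass
    # Generates the custom client.ovpn
    newclient "$CLIENT"
    cd /var/www/html/openvpn/ || exit 1
    zip "$CLIENT.zip" "$CLIENT.ovpn"
    echo ""
    echo "Usuário $CLIENT adicionado, disponível em http://$IP:88/openvpn/$CLIENT.zip"
    exit
}

#######################################
# Menu option 2: revoke a client certificate, regenerate the CRL and remove
# the client's key material, including the published bundle.
# Globals:   none
# Returns:   does not return; exits the script (5 when nothing can be revoked)
#######################################
revoke_client() {
    local NUMBEROFCLIENTS CLIENTNUMBER CLIENT
    NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
    if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
        echo ""
        echo "Não existe nenhum usuário !"
        exit 5
    fi
    echo ""
    echo "Qual usuário você deseja apagar ?"
    tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
    if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
        read -r -p "Selecione um usuário [1]: " CLIENTNUMBER
    else
        read -r -p "Selecione um usuário [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
    fi
    # Bug fix: the original read the choice into USUARIONUMERO but selected
    # with $CLIENTNUMBER, so CLIENT was always empty and nothing was revoked.
    if [[ ! "$CLIENTNUMBER" =~ ^[0-9]+$ ]] || (( 10#$CLIENTNUMBER < 1 || 10#$CLIENTNUMBER > NUMBEROFCLIENTS )); then
        echo "Opção inválida" >&2
        exit 5
    fi
    CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER}p")
    cd /etc/openvpn/easy-rsa/ || exit 1
    ./easyrsa --batch revoke "$CLIENT"
    ./easyrsa gen-crl
    rm -f -- "pki/reqs/$CLIENT.req" "pki/private/$CLIENT.key" "pki/issued/$CLIENT.crt"
    rm -f /etc/openvpn/crl.pem
    cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
    # Same permissions the installer gives the CRL, so the server can read it as nobody.
    chmod 644 /etc/openvpn/crl.pem
    # The published bundle still holds the revoked private key; do not leave it on the web share.
    rm -f -- "/var/www/html/openvpn/$CLIENT.ovpn" "/var/www/html/openvpn/$CLIENT.zip"
    echo ""
    echo "Usuário $CLIENT apagado"
    echo "Saindo..."
    exit
}

#######################################
# Menu option 3: undo the install (firewall rules, rc.local lines, SELinux
# port label, packages, /etc/openvpn and the web share).
# Globals:   OS, RCLOCAL (read)
# Returns:   does not return; exits the script
#######################################
remove_openvpn() {
    local REMOVER PORT PROTO
    echo ""
    read -r -p "Tem certeza que deseja remover o  OpenVPN? [y/n]: " -e -i n REMOVER
    if [[ "$REMOVER" = 'y' ]]; then
        PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
        # Bug fix: the original always removed udp rules even for a TCP install.
        PROTO=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
        if pgrep firewalld >/dev/null; then
            # Using both permanent and not permanent rules to avoid a firewalld reload.
            firewall-cmd --zone=public --remove-port="$PORT/$PROTO"
            firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
            firewall-cmd --permanent --zone=public --remove-port="$PORT/$PROTO"
            firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
        fi
        if iptables -L -n | grep -qE 'REJECT|DROP'; then
            sed -i "/iptables -I INPUT -p $PROTO --dport $PORT -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
        fi
        sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' "$RCLOCAL"
        if hash sestatus 2>/dev/null; then
            if sestatus | grep "Current mode" | grep -qs "enforcing"; then
                if [[ "$PORT" != '1194' ]]; then
                    semanage port -d -t openvpn_port_t -p "$PROTO" "$PORT"
                fi
            fi
        fi
        if [[ "$OS" = 'debian' ]]; then
            apt-get remove --purge -y openvpn openvpn-blacklist
            apt-get remove -y apache2 zip
            # Bug fix: the original ran "apt-get remove autoremove -y", i.e. tried
            # to remove a package called "autoremove".
            apt-get autoremove -y
        elif [[ "$OS" = 'arch' ]]; then
            pacman -R openvpn --noconfirm
        else
            yum remove openvpn -y
        fi
        rm -rf /etc/openvpn
        rm -rf /usr/share/doc/openvpn*
        # Published client bundles contain private keys; remove them with the install.
        rm -rf /var/www/html/openvpn
        echo ""
        echo "OpenVPN removido !"
    else
        echo ""
        echo "Operação cancelada !"
    fi
    exit
}

#######################################
# First run: ask for every setting, install packages, build the PKI, write
# server.conf, open the firewall and publish the first client bundle.
# Globals:   OS, VERSION_ID, RCLOCAL, SYSCTL (read);
#            IP, host (written; newclient reads them)
# Returns:   0 on completion; exits on refusal or on a failed step
#######################################
install_openvpn() {
    local PORT PROTOCOL DNS CIPHER DH_KEY_SIZE RSA_KEY_SIZE CLIENT
    local NOGROUP EXTERNALIP USEREXTERNALIP CONTINUE proto codename line
    clear
    echo ""
    # OpenVPN setup and first user creation.
    echo "Confirme seu IP: "
    read -r -p "IP : " -e -i "$IP" IP
    echo ""
    echo "Qual porta deseja usar o OpenVPN?"
    # Re-ask until the port is a number in range: it is spliced into
    # server.conf, firewall rules and the client template below.
    while true; do
        read -r -p "Porta: " -e -i 1194 PORT
        if [[ "$PORT" =~ ^[0-9]+$ ]] && (( 10#$PORT >= 1 && 10#$PORT <= 65535 )); then
            break
        fi
        echo "Porta inválida"
    done
    echo ""
    echo "Qual protocolo para o OpenVPN?"
    while [[ "$PROTOCOL" != "UDP" && "$PROTOCOL" != "TCP" ]]; do
        read -r -p "Protocol [UDP/TCP]: " -e -i TCP PROTOCOL
    done
    # Lower-case form used by firewall-cmd, iptables and semanage.
    if [[ "$PROTOCOL" = 'UDP' ]]; then
        proto=udp
    else
        proto=tcp
    fi
    # Asked once here; the original re-asked it on every retry of the protocol loop.
    echo ""
    echo "Qual host deseja usar ?"
    read -r host
    echo ""
    echo ""
    echo "Qual DNS você quer usar ?"
    echo "   1) Padrão (/etc/resolv.conf)"
    echo "   2) FDN"
    echo "   3) DNS.WATCH"
    echo "   4) OpenDNS"
    echo "   5) Google"
    while [[ ! "$DNS" =~ ^[1-5]$ ]]; do
        read -r -p "DNS [1-5]: " -e -i 1 DNS
    done
    echo ""
    echo "Escolha qual cipher você deseja usar para ocanal de dados :"
    echo "   1) AES-128-CBC (Rápido)"
    echo "   2) AES-192-CBC"
    echo "   3) AES-256-CBC"
    echo "   4) CAMELLIA-128-CBC"
    echo "   5) CAMELLIA-192-CBC"
    echo "   6) CAMELLIA-256-CBC"
    echo "   7) SEED-CBC"
    while [[ ! "$CIPHER" =~ ^[1-7]$ ]]; do
        read -r -p "Cipher [1-7]: " -e -i 1 CIPHER
    done
    # Bug fix: the original listed "5)" twice, so choice 7 left CIPHER as the
    # literal "7" and wrote an invalid line into server.conf.
    case "$CIPHER" in
        1) CIPHER="cipher AES-128-CBC" ;;
        2) CIPHER="cipher AES-192-CBC" ;;
        3) CIPHER="cipher AES-256-CBC" ;;
        4) CIPHER="cipher CAMELLIA-128-CBC" ;;
        5) CIPHER="cipher CAMELLIA-192-CBC" ;;
        6) CIPHER="cipher CAMELLIA-256-CBC" ;;
        7) CIPHER="cipher SEED-CBC" ;;
    esac
    echo ""
    echo "Escolha o tamanho da chave Diffie-Hellman que deseja usar :"
    echo "   1) 2048 bits (Rápido)"
    echo "   2) 3072 bits "
    echo "   3) 4096 bits (Seguro)"
    while [[ ! "$DH_KEY_SIZE" =~ ^[1-3]$ ]]; do
        read -r -p "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE
    done
    case "$DH_KEY_SIZE" in
        1) DH_KEY_SIZE="2048" ;;
        2) DH_KEY_SIZE="3072" ;;
        3) DH_KEY_SIZE="4096" ;;
    esac
    echo ""
    echo "Escolha o tamanho da chave RSA que deseja usar :"
    echo "   1) 2048 bits (Rápido)"
    echo "   2) 3072 bits "
    echo "   3) 4096 bits (Seguro)"
    while [[ ! "$RSA_KEY_SIZE" =~ ^[1-3]$ ]]; do
        # Prompt fixed: the original said "DH key size" here.
        read -r -p "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE
    done
    case "$RSA_KEY_SIZE" in
        1) RSA_KEY_SIZE="2048" ;;
        2) RSA_KEY_SIZE="3072" ;;
        3) RSA_KEY_SIZE="4096" ;;
    esac
    echo ""
    echo "Finalmente escolha um nome para o novo usuário"
    # The name becomes a file name under pki/ and the web root: enforce what
    # the prompt asks for (the original only rejected an empty name).
    while [[ ! "$CLIENT" =~ ^[A-Za-z0-9_-]+$ ]]; do
        echo "Não use acentos e pontuações"
        read -r -p "Nome Usuário: " -e -i client CLIENT
    done
    echo ""
    echo "Vamos instalar o OpenVpn no seu servidor, aguarde até o fim da instalação"
    read -n1 -r -p "Aperte qualquer tecla..."

    # Web share for the client bundles. The original ran apt-get on every
    # distribution; only Debian/Ubuntu is handled here. The share is made
    # world-readable so Apache can serve it, which means every published
    # .ovpn (private key included) is readable by anyone who can reach
    # port 88 — hence the advice at the end to delete the file after download.
    if [[ "$OS" = 'debian' ]]; then
        apt-get install apache2 zip -y
        sed -i "s/Listen 80/Listen 88/g" /etc/apache2/ports.conf
    else
        echo "Aviso: apache2 e zip não são instalados automaticamente em $OS" >&2
    fi
    mkdir -p /var/www/html/openvpn/
    chmod -R 755 /var/www

    if [[ "$OS" = 'debian' ]]; then
        apt-get install ca-certificates -y
        # We add the OpenVPN repo to get the latest version on older releases.
        # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
        case "$VERSION_ID" in
            'VERSION_ID="7"')     codename=wheezy ;;
            'VERSION_ID="8"')     codename=jessie ;;
            'VERSION_ID="12.04"') codename=precise ;;
            'VERSION_ID="14.04"') codename=trusty ;;
            *)                    codename= ;;
        esac
        if [[ -n "$codename" ]]; then
            echo "deb http://swupdate.openvpn.net/apt $codename main" > /etc/apt/sources.list.d/swupdate-openvpn.list
            wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
            apt-get update
        fi
        # Then we install OpenVPN
        apt-get install openvpn iptables openssl wget ca-certificates curl -y
    elif [[ "$OS" = 'centos' ]]; then
        yum install epel-release -y
        yum install openvpn iptables openssl wget ca-certificates curl -y
    else
        # Else, the distro is ArchLinux
        echo ""
        echo ""
        echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
        echo "Not doing that could cause problems between dependencies, or missing files in repositories."
        echo ""
        echo "Continuing will update your installed packages and install needed ones."
        while [[ "$CONTINUE" != "y" && "$CONTINUE" != "n" ]]; do
            read -r -p "Continue ? [y/n]: " -e -i y CONTINUE
        done
        if [[ "$CONTINUE" = "n" ]]; then
            echo "Ok, bye !"
            exit 4
        fi

        # Install rc.local as a systemd unit so the iptables lines added below survive reboots.
        cat > /etc/systemd/system/rc-local.service <<'EOF'
[Unit]
Description=/etc/rc.local compatibility

[Service]
Type=oneshot
ExecStart=/etc/rc.local
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
        # Create the file before chmod (the original chmod'ed a possibly missing file).
        if ! grep -q '#!' "$RCLOCAL" 2>/dev/null; then
            echo "#!/bin/bash" > "$RCLOCAL"
        fi
        chmod +x "$RCLOCAL"
        systemctl enable rc-local.service

        # Install dependencies
        pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
        touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
        systemctl enable iptables
        systemctl start iptables
    fi
    # Find out if the machine uses nogroup or nobody for the permissionless group
    if grep -qs "^nogroup:" /etc/group; then
        NOGROUP=nogroup
    else
        NOGROUP=nobody
    fi

    # An old version of easy-rsa was available by default in some openvpn packages
    rm -rf /etc/openvpn/easy-rsa/
    # Get easy-rsa. Nothing here verifies the tarball beyond the TLS
    # connection to github.com; pin a checksum if you vendor this script.
    wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz || exit 1
    tar xzf ~/EasyRSA-3.0.1.tgz -C ~/ || exit 1
    mv ~/EasyRSA-3.0.1 /etc/openvpn/easy-rsa
    chown -R root:root /etc/openvpn/easy-rsa/
    rm -f ~/EasyRSA-3.0.1.tgz
    cd /etc/openvpn/easy-rsa/ || exit 1
    echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
    # Create the PKI, set up the CA, the DH params and the server + client certificates
    ./easyrsa init-pki
    ./easyrsa --batch build-ca nopass
    # numbits goes last: newer openssl stops option parsing at the first positional argument.
    openssl dhparam -out dh.pem "$DH_KEY_SIZE"
    ./easyrsa build-server-full server nopass
    ./easyrsa build-client-full "$CLIENT" nopass
    ./easyrsa gen-crl
    # generate tls-auth key
    openvpn --genkey --secret /etc/openvpn/tls-auth.key
    # Move all the generated files. The original also copied pki/private/ca.key,
    # which server.conf never references; the CA key stays in the pki directory only.
    cp pki/ca.crt dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
    # Make cert revocation list readable for non-root
    chmod 644 /etc/openvpn/crl.pem

    # Generate server.conf
    {
        echo "port $PORT"
        echo "proto $proto"
        cat <<EOF
dev tun
user nobody
group $NOGROUP
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
EOF
    } > /etc/openvpn/server.conf
    # DNS resolvers
    case "$DNS" in
        1)
        # Obtain the resolvers from resolv.conf and use them for OpenVPN
        grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
            echo "push \"dhcp-option DNS $line\""
        done
        ;;
        2) #FDN
        echo 'push "dhcp-option DNS 80.67.169.12"'
        echo 'push "dhcp-option DNS 80.67.169.40"'
        ;;
        3) #DNS.WATCH
        echo 'push "dhcp-option DNS 84.200.69.80"'
        echo 'push "dhcp-option DNS 84.200.70.40"'
        ;;
        4) #OpenDNS
        echo 'push "dhcp-option DNS 208.67.222.222"'
        echo 'push "dhcp-option DNS 208.67.220.220"'
        ;;
        5) #Google
        echo 'push "dhcp-option DNS 8.8.8.8"'
        echo 'push "dhcp-option DNS 8.8.4.4"'
        ;;
    esac >> /etc/openvpn/server.conf
    echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf
    cat >> /etc/openvpn/server.conf <<EOF
crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
$CIPHER
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 3
EOF

    # Create the sysctl configuration file if needed (mainly for Arch Linux)
    if [[ ! -e "$SYSCTL" ]]; then
        touch "$SYSCTL"
    fi

    # Enable net.ipv4.ip_forward for the system
    sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' "$SYSCTL"
    if ! grep -q "\<net.ipv4.ip_forward\>" "$SYSCTL"; then
        echo 'net.ipv4.ip_forward=1' >> "$SYSCTL"
    fi
    # Avoid an unneeded reboot
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Set NAT for the VPN subnet
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
    sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
    if pgrep firewalld >/dev/null; then
        # We don't use --add-service=openvpn because that would only work with
        # the default port. Using both permanent and not permanent rules to
        # avoid a firewalld reload.
        firewall-cmd --zone=public --add-port="$PORT/$proto"
        firewall-cmd --permanent --zone=public --add-port="$PORT/$proto"
        firewall-cmd --zone=trusted --add-source=10.8.0.0/24
        firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
    fi
    if iptables -L -n | grep -qE 'REJECT|DROP'; then
        # If iptables has at least one REJECT rule, we asume this is needed.
        # Not the best approach but I can't think of other and this shouldn't
        # cause problems.
        iptables -I INPUT -p "$proto" --dport "$PORT" -j ACCEPT
        iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
        iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        sed -i "1 a\iptables -I INPUT -p $proto --dport $PORT -j ACCEPT" "$RCLOCAL"
        sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" "$RCLOCAL"
        sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
    fi
    # If SELinux is enabled and a custom port was selected, we need this
    if hash sestatus 2>/dev/null; then
        if sestatus | grep "Current mode" | grep -qs "enforcing"; then
            if [[ "$PORT" != '1194' ]]; then
                # semanage isn't available in CentOS 6 by default
                if ! hash semanage 2>/dev/null; then
                    yum install policycoreutils-python -y
                fi
                semanage port -a -t openvpn_port_t -p "$proto" "$PORT"
            fi
        fi
    fi
    # And finally, restart OpenVPN
    # Little hack to check for systemd
    if pgrep systemd-journal >/dev/null; then
        systemctl restart openvpn@server.service
        # The original only enabled the unit on non-Debian systems; kept as-is.
        if [[ "$OS" != 'debian' ]]; then
            systemctl enable openvpn@server.service
        fi
    elif [[ "$OS" = 'debian' ]]; then
        /etc/init.d/openvpn restart
    else
        service openvpn restart
        chkconfig openvpn on
    fi
    # Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
    EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
    if [[ "$IP" != "$EXTERNALIP" ]]; then
        echo ""
        echo "Looks like your server is behind a NAT!"
        echo ""
        echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
        echo "then I need to know the address that can be used to access it from outside."
        echo "If that's not the case, just ignore this and leave the next field blank"
        read -r -p "External IP or domain name: " -e USEREXTERNALIP
        if [[ -n "$USEREXTERNALIP" ]]; then
            IP=$USEREXTERNALIP
        fi
    fi
    # client-template.txt is created so we have a template to add further users later
    {
        echo "client"
        if [[ "$proto" = 'udp' ]]; then
            echo "proto udp"
        else
            echo "proto tcp-client"
        fi
        cat <<EOF
remote $IP $PORT
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
$CIPHER
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3
EOF
    } > /etc/openvpn/client-template.txt

    # Generate the custom client.ovpn
    newclient "$CLIENT"
    cd /var/www/html/openvpn/ || exit 1
    zip "$CLIENT.zip" "$CLIENT.ovpn"
    # Once is enough (the original restarted apache2 twice).
    service apache2 restart
    echo ""
    echo "Instalação completa !"
    echo ""
    echo "Arquivo disponível em http://$IP:88/openvpn/$CLIENT.zip"
    echo "Após baixar o arquivo apague o mesmo da pasta /var/www/html/openvpn/  Para envitar que outros usuários encontre ele."
}

# Entry: an existing server.conf means "manage", otherwise "install".
if [[ -e /etc/openvpn/server.conf ]]; then
    # Every action exits the script, so an invalid choice simply redraws the menu.
    while :; do
        clear
        echo "OpenVPN"
        echo ""
        echo "OpenVpn já foi instalado"
        echo ""
        echo "O que deseja fazer ?"
        echo "   1) Criar usuário"
        echo "   2) Apagar usuário"
        echo "   3) Desinstalar OpenVPN"
        echo "   4) Sair"
        read -r -p "Escolha uma opção [1-4]: " option
        case "$option" in
            1) add_client ;;
            2) revoke_client ;;
            3) remove_openvpn ;;
            4) exit ;;
        esac
    done
else
    install_openvpn
fi
exit 0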