  1. #!/bin/bash
  2. # OpenVPN installer for Debian, Ubuntu and CentOS
  3. # Author: zeroonehacker
  4.  
  5.  
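# Everything below installs packages, edits /etc and programs iptables, so
# refuse to continue unless we really are root. EUID is maintained by bash
# itself; $USER is inherited from the environment and can be absent or stale
# under su/sudo, which made the old check unreliable.
if [[ "$EUID" -ne 0 ]]; then
  echo "Sorry, you need to run this as root" >&2
  exit 1
fi

# OpenVPN cannot work without the tun device (common in containers).
if [[ ! -e /dev/net/tun ]]; then
  echo "TUN/TAP is not available" >&2
  exit 1
fi

# Distro detection. OS selects the package manager / service commands used
# later; RCLOCAL is the file the persistent iptables rules are written to.
if [[ -e /etc/debian_version ]]; then
  OS=debian
  RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
  OS=centos
  RCLOCAL='/etc/rc.d/rc.local'
  # Needed for CentOS 7: rc.local ships without the execute bit, so the
  # rules appended to it would otherwise never run at boot.
  chmod +x /etc/rc.d/rc.local
else
  echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system" >&2
  exit 1
fi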
  29.  
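#######################################
# Generates ~/<name>.ovpn: the sample client.conf (whose "remote" line the
# installer already patched) with the CA certificate, the client certificate
# and the client private key inlined, so the file is self-contained.
# Arguments: $1 - client name; must be a single word matching [A-Za-z0-9_-]+
# Outputs:   writes $HOME/<name>.ovpn with mode 0600 (it contains a private key)
# Returns:   0 on success; 1 if the name is invalid, a key file is missing or
#            the sample config cannot be copied
#######################################
newclient () {
  local name=$1
  local keys_dir=/etc/openvpn/easy-rsa/2.0/keys
  local out="$HOME/$name.ovpn"
  local f

  # The name becomes part of two file paths, so reject anything that could
  # leave the keys directory ("..", "/"), split into several words, or be
  # interpreted by sed/cat. This is the "one word only" rule the prompts ask for.
  if [[ ! "$name" =~ ^[A-Za-z0-9_-]+$ ]]; then
    printf 'newclient: invalid client name %q\n' "$name" >&2
    return 1
  fi

  # Fail before touching $out if any of the three inputs is not there.
  for f in "$keys_dir/ca.crt" "$keys_dir/$name.crt" "$keys_dir/$name.key"; do
    if [[ ! -r "$f" ]]; then
      printf 'newclient: missing %s\n' "$f" >&2
      return 1
    fi
  done

  # Start from the sample config; the glob is intentional (package dir
  # naming differs between distros).
  cp /usr/share/doc/openvpn*/*ample*/sample-config-files/client.conf "$out" || return 1
  # Restrict before the key is appended, independent of the umask.
  chmod 600 "$out"
  # Drop the file-based ca/cert/key directives; the material is inlined below.
  sed -i -e '/ca ca.crt/d' -e '/cert client.crt/d' -e '/key client.key/d' "$out"

  {
    printf '%s\n' "<ca>"
    cat "$keys_dir/ca.crt"
    printf '%s\n' "</ca>"
    printf '%s\n' "<cert>"
    cat "$keys_dir/$name.crt"
    printf '%s\n' "</cert>"
    printf '%s\n' "<key>"
    cat "$keys_dir/$name.key"
    printf '%s\n' "</key>"
  } >> "$out"
}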
  46.  
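#######################################
# Downloads easy-rsa 2.2.2 from GitHub and installs its 2.0 scripts into
# /etc/openvpn/easy-rsa/2.0/ (needed on CentOS and on Debian Jessie and newer,
# where the openvpn package no longer ships them).
# Globals:   EASYRSA_SHA256 (read, optional) - if set, the downloaded tarball
#            must have exactly this SHA-256 or the install is aborted
# Returns:   0 on success; 1 if the download, the checksum or the copy fails
#######################################
geteasyrsa () {
  local url=https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
  local tmp tarball actual rc

  # Unpack in a private temp dir rather than a fixed name in $HOME.
  tmp=$(mktemp -d) || return 1
  tarball="$tmp/easy-rsa.tar.gz"

  # The archive is executed as root a few lines later, so the TLS certificate
  # must be verified; --no-check-certificate would let anyone on the network
  # path hand us a different archive.
  if ! wget -O "$tarball" "$url"; then
    printf 'geteasyrsa: download of %s failed\n' "$url" >&2
    rm -rf -- "$tmp"
    return 1
  fi

  # Optional pin on top of TLS: export EASYRSA_SHA256=<expected sha256 hex>
  # before running the installer to also detect a tampered or replaced release.
  if [[ -n "${EASYRSA_SHA256:-}" ]]; then
    actual=$(sha256sum "$tarball" | cut -d ' ' -f 1)
    if [[ "$actual" != "$EASYRSA_SHA256" ]]; then
      printf 'geteasyrsa: checksum mismatch for %s (got %s)\n' "$url" "$actual" >&2
      rm -rf -- "$tmp"
      return 1
    fi
  fi

  tar xzf "$tarball" -C "$tmp" &&
    mkdir -p /etc/openvpn/easy-rsa/2.0/ &&
    cp "$tmp"/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
  rc=$?
  rm -rf -- "$tmp"
  return "$rc"
}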
  55.  
  56.  
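# Try to get our IP from the system and fallback to the Internet.
# Only a plain dotted quad is accepted: IP is later spliced into sed
# expressions, iptables rules and rc.local, so anything else (for instance an
# error page returned by the fallback service) must not reach those. When
# nothing usable is found IP stays empty and the setup prompt asks for it.
detect_ipv4 () {
  local addr
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  addr=$(ip addr | grep 'inet' | grep -v inet6 \
    | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
    | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
  if [[ -z "$addr" ]]; then
    # TLS so the answer cannot be rewritten in transit; bounded wait so an
    # unreachable service cannot stall the installer.
    addr=$(wget -qO- --timeout=10 --tries=1 https://ipv4.icanhazip.com)
  fi
  if [[ "$addr" =~ $re ]]; then
    printf '%s\n' "$addr"
  fi
}
IP=$(detect_ipv4)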
  62.  
  63.  
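#######################################
# Interactive entry point. If /etc/openvpn/server.conf exists the management
# menu runs (add/revoke a client, remove OpenVPN); otherwise the full install
# runs. Everything the user types is validated before it is used as a file
# name, a pkitool/revoke-full argument or inside a sed/iptables expression.
# Globals read: OS, RCLOCAL, IP; functions: newclient, geteasyrsa
# Globals set:  IP, PORT, ALTPORT, INTERNALNETWORK, DNS, CLIENT
#######################################

# Client names become file names under easy-rsa/keys and $HOME and are passed
# to pkitool / revoke-full, so only a single plain word is accepted.
valid_client_name () {
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

# IPs are spliced into sed expressions, iptables rules and rc.local.
valid_ipv4 () {
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ "$1" =~ $re ]]
}

# The port is spliced into server.conf, client.conf and iptables rules.
valid_port () {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( $1 >= 1 && $1 <= 65535 ))
}

# /run/systemd/system exists only when the system was booted with systemd
# (the same check sd_booted() performs); more reliable than grepping for a
# journal process.
has_systemd () {
  [[ -d /run/systemd/system ]]
}

# Prompts for a client name (default "client") until it is a single plain
# word and stores it in the global CLIENT. Exits if stdin is closed, since
# the installer cannot continue without a name.
ask_client_name () {
  while :; do
    read -r -p "Client name: " -e -i client CLIENT || exit 1
    valid_client_name "$CLIENT" && return 0
    echo "Please, use one word only: letters, digits, '-' and '_'"
  done
}

#######################################
# Restarts the OpenVPN server service.
# Arguments: $1 - "enable" to also start it at boot (CentOS; Debian enables
#                 the init script at package install time)
#######################################
restart_openvpn () {
  local enable=${1:-}
  if has_systemd; then
    systemctl restart openvpn@server.service
    if [[ "$OS" != 'debian' && "$enable" = 'enable' ]]; then
      systemctl enable openvpn@server.service
    fi
  elif [[ "$OS" = 'debian' ]]; then
    /etc/init.d/openvpn restart
  else
    service openvpn restart
    if [[ "$enable" = 'enable' ]]; then
      chkconfig openvpn on
    fi
  fi
}

# Menu option 1: issue a certificate for a new client and build its .ovpn.
add_client () {
  echo ""
  echo "Tell me a name for the client cert"
  echo "Please, use one word only, no special characters"
  ask_client_name
  cd /etc/openvpn/easy-rsa/2.0/ || exit 1
  source ./vars
  # build-key for the client
  export KEY_CN="$CLIENT"
  export EASY_RSA="${EASY_RSA:-.}"
  "$EASY_RSA/pkitool" "$CLIENT" || exit 1
  # Generate the client.ovpn
  newclient "$CLIENT" || exit 1
  echo ""
  echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
  exit 0
}

# Menu option 2: revoke an existing client certificate and make sure the
# server actually checks the CRL.
revoke_client () {
  echo ""
  echo "Tell me the existing client name"
  ask_client_name
  cd /etc/openvpn/easy-rsa/2.0/ || exit 1
  . /etc/openvpn/easy-rsa/2.0/vars
  . /etc/openvpn/easy-rsa/2.0/revoke-full "$CLIENT"
  # If it's the first time revoking a cert, we need to add the crl-verify line
  # and restart; until then the server would keep accepting the revoked cert.
  if ! grep -q "crl-verify" "/etc/openvpn/server.conf"; then
    echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf"
    restart_openvpn
  fi
  echo ""
  echo "Certificate for client $CLIENT revoked"
  exit 0
}

# Menu option 3: purge OpenVPN and the rc.local rules this installer added.
remove_openvpn () {
  local REMOVE
  echo ""
  read -r -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
  if [[ "$REMOVE" = 'y' ]]; then
    if [[ "$OS" = 'debian' ]]; then
      apt-get remove --purge -y openvpn openvpn-blacklist
    else
      yum remove openvpn -y
    fi
    rm -rf /etc/openvpn
    rm -rf /usr/share/doc/openvpn*
    # Only the two rule shapes written by configure_network below are removed.
    sed -i '/--dport 53 -j REDIRECT --to-port/d' "$RCLOCAL"
    sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' "$RCLOCAL"
    echo ""
    echo "OpenVPN removed!"
  else
    echo ""
    echo "Removal aborted!"
  fi
  exit 0
}

# Loops over the management menu until an option exits the script.
manage_menu () {
  local option
  while :; do
    clear
    echo "Looks like OpenVPN is already installed"
    echo "What do you want to do?"
    echo ""
    echo "1) Add a cert for a new user"
    echo "2) Revoke existing user cert"
    echo "3) Remove OpenVPN"
    echo "4) Exit"
    echo ""
    read -r -p "Select an option [1-4]: " option || exit 1
    case "$option" in
      1) add_client ;;
      2) revoke_client ;;
      3) remove_openvpn ;;
      4) exit 0 ;;
    esac
  done
}

# Asks the setup questions; sets IP, PORT, ALTPORT, INTERNALNETWORK, DNS and
# CLIENT. IP and PORT are re-asked until they are well-formed.
ask_setup_questions () {
  clear
  echo 'Welcome to this quick OpenVPN installer'
  echo ""
  # OpenVPN setup and first user creation
  echo "I need to ask you a few questions before starting the setup"
  echo "You can leave the default options and just press enter if you are ok with them"
  echo ""
  echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
  echo "listening to."
  # "$IP" is quoted on purpose: unquoted and empty, "-i" would swallow the
  # variable name and the answer would land in REPLY instead of IP.
  while :; do
    read -r -p "IP address: " -e -i "$IP" IP || exit 1
    valid_ipv4 "$IP" && break
    echo "Please, enter a plain IPv4 address"
  done
  echo ""
  echo "What port do you want for OpenVPN?"
  while :; do
    read -r -p "Port: " -e -i 1194 PORT || exit 1
    valid_port "$PORT" && break
    echo "Please, enter a port number between 1 and 65535"
  done
  echo ""
  echo "Do you want OpenVPN to be available at port 53 too?"
  echo "This can be useful to connect under restrictive networks"
  read -r -p "Listen at port 53 [y/n]: " -e -i n ALTPORT
  echo ""
  echo "Do you want to enable internal networking for the VPN?"
  echo "This can allow VPN clients to communicate between them"
  read -r -p "Allow internal networking [y/n]: " -e -i n INTERNALNETWORK
  echo ""
  echo "What DNS do you want to use with the VPN?"
  echo " 1) Current system resolvers"
  echo " 2) OpenDNS"
  echo " 3) Level 3"
  echo " 4) NTT"
  echo " 5) Hurricane Electric"
  echo " 6) Yandex"
  read -r -p "DNS [1-6]: " -e -i 1 DNS
  echo ""
  echo "Finally, tell me your name for the client cert"
  echo "Please, use one word only, no special characters"
  ask_client_name
  echo ""
  echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
  read -n1 -r -p "Press any key to continue..."
}

# Installs openvpn and its dependencies and makes sure easy-rsa 2.0 is in
# /etc/openvpn/easy-rsa/2.0/.
install_packages () {
  if [[ "$OS" = 'debian' ]]; then
    apt-get update
    apt-get install openvpn iptables openssl -y
    cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
    # easy-rsa isn't available by default for Debian Jessie and newer
    if [[ ! -d /etc/openvpn/easy-rsa/2.0/ ]]; then
      geteasyrsa || exit 1
    fi
  else
    # Else, the distro is CentOS
    yum install epel-release -y
    yum install openvpn iptables openssl wget -y
    geteasyrsa || exit 1
  fi
}

# Creates the CA, the server certificate, the first client certificate and
# the DH parameters with easy-rsa. Leaves the cwd in the easy-rsa dir.
build_pki () {
  cd /etc/openvpn/easy-rsa/2.0/ || exit 1
  # Let's fix one thing first...
  cp -u -p openssl-1.0.0.cnf openssl.cnf
  # 1024 bits was the default for Debian Wheezy and older; use 2048
  sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars
  # Create the PKI
  . /etc/openvpn/easy-rsa/2.0/vars
  . /etc/openvpn/easy-rsa/2.0/clean-all
  # The following lines are from build-ca. I don't use that script directly
  # because it's interactive and we don't want that. Yes, this could break
  # the installation script if build-ca changes in the future.
  export EASY_RSA="${EASY_RSA:-.}"
  # build-ca forwards its own "$*" here; this installer takes no arguments,
  # so nothing is forwarded (forwarding "$*" leaked any stray installer
  # argument into pkitool).
  "$EASY_RSA/pkitool" --initca || exit 1
  # Same as the last time, we are going to run build-key-server
  "$EASY_RSA/pkitool" --server server || exit 1
  # Now the client keys. We need to set KEY_CN or pkitool refuses to run
  export KEY_CN="$CLIENT"
  "$EASY_RSA/pkitool" "$CLIENT" || exit 1
  # DH params
  . /etc/openvpn/easy-rsa/2.0/build-dh
}

# Chooses the DNS servers pushed to clients. The sample server.conf carries
# two commented OpenDNS lines: they are either uncommented (options 2-6) or
# used as the anchor after which the system resolvers are inserted (option 1).
configure_dns () {
  local line
  case "$DNS" in
    1)
      # Obtain the resolvers from resolv.conf and use them for OpenVPN.
      # grep -o guarantees each $line is a bare dotted quad before it is
      # placed inside the sed expression.
      grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
        sed -i "/;push \"dhcp-option DNS 208.67.220.220\"/a\push \"dhcp-option DNS $line\"" server.conf
      done
      ;;
    2)
      sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 208.67.222.222"|' server.conf
      sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 208.67.220.220"|' server.conf
      ;;
    3)
      sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 4.2.2.2"|' server.conf
      sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 4.2.2.4"|' server.conf
      ;;
    4)
      sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 129.250.35.250"|' server.conf
      sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 129.250.35.251"|' server.conf
      ;;
    5)
      sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 74.82.42.42"|' server.conf
      ;;
    6)
      sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 77.88.8.8"|' server.conf
      sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 77.88.8.1"|' server.conf
      ;;
  esac
}

# Builds /etc/openvpn/server.conf from the sample config and copies the
# server's key material next to it. Leaves the cwd in /etc/openvpn.
configure_server () {
  # Let's configure the server
  cd /usr/share/doc/openvpn*/*ample*/sample-config-files || exit 1
  if [[ "$OS" = 'debian' ]]; then
    gunzip -d server.conf.gz
  fi
  cp server.conf /etc/openvpn/
  cd /etc/openvpn/easy-rsa/2.0/keys || exit 1
  # The server needs ca.crt, its own cert/key and the DH params - not ca.key.
  # The CA private key stays only in the easy-rsa keys dir, so the server's
  # config dir alone cannot be used to mint further client certificates.
  cp ca.crt dh2048.pem server.crt server.key /etc/openvpn
  chmod 600 /etc/openvpn/server.key
  cd /etc/openvpn/ || exit 1
  # Set the server configuration
  sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
  sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
  sed -i "s|port 1194|port $PORT|" server.conf
  # DNS
  configure_dns
}

# Optional port-53 redirect, IP forwarding and the NAT rule, applied now and
# persisted in RCLOCAL. IP and PORT were validated in ask_setup_questions,
# which is what makes splicing them into the sed/iptables arguments safe.
configure_network () {
  # Listen at port 53 too if user wants that
  if [[ "$ALTPORT" = 'y' ]]; then
    iptables -t nat -A PREROUTING -p udp -d "$IP" --dport 53 -j REDIRECT --to-port "$PORT"
    sed -i "1 a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" "$RCLOCAL"
  fi
  # Enable net.ipv4.ip_forward for the system
  if [[ "$OS" = 'debian' ]]; then
    sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
  else
    # CentOS 5 and 6
    sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
    # CentOS 7
    if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"; then
      echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    fi
  fi
  # Avoid an unneeded reboot
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Set iptables
  if [[ "$INTERNALNETWORK" = 'y' ]]; then
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
    sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
  else
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
    sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
  fi
}

# Starts the service, handles the NAT question and writes the first .ovpn.
finish_install () {
  local EXTERNALIP USEREXTERNALIP
  # And finally, restart OpenVPN (and enable it at boot on CentOS)
  restart_openvpn enable
  # Try to detect a NATed connection and ask about it to potential LowEndSpirit
  # users. TLS plus a bounded wait, same as the earlier IP lookup.
  EXTERNALIP=$(wget -qO- --timeout=10 --tries=1 https://ipv4.icanhazip.com)
  if [[ "$IP" != "$EXTERNALIP" ]]; then
    echo ""
    echo "Looks like your server is behind a NAT!"
    echo ""
    echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
    echo "If that's not the case, just ignore this and leave the next field blank"
    while :; do
      read -r -p "External IP: " -e USEREXTERNALIP || exit 1
      [[ -z "$USEREXTERNALIP" ]] && break
      valid_ipv4 "$USEREXTERNALIP" && break
      echo "Please, enter a plain IPv4 address or leave the field blank"
    done
    if [[ "$USEREXTERNALIP" != "" ]]; then
      IP=$USEREXTERNALIP
    fi
  fi
  # IP/port set on the default client.conf so we can add further users
  # without asking for them
  sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn*/*ample*/sample-config-files/client.conf
  # Generate the client.ovpn
  newclient "$CLIENT" || exit 1
  echo ""
  echo "Finished!"
  echo ""
  echo "Your client config is available at ~/$CLIENT.ovpn"
  echo "If you want to add more clients, you simply need to run this script another time!"
}

if [[ -e /etc/openvpn/server.conf ]]; then
  manage_menu
else
  ask_setup_questions
  install_packages
  build_pki
  configure_server
  configure_network
  finish_install
fi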