stspringer

Script to setup an Openvpn Server in Linux Mint 22

Jan 18th, 2025
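#!/bin/bash
# Set up an OpenVPN server backed by an Easy-RSA PKI on Linux Mint 22 (Ubuntu 24.04 base).
#
# Run this script as root, once. Afterwards:
#   /usr/local/bin/create-client-config.sh <client_name>   # issue a self-contained .ovpn profile
#   /usr/local/bin/revoke-client.sh <client_name>          # revoke it and publish a fresh CRL
#
# Optional environment for the client helper: VPN_REMOTE=<public IP or DNS name> replaces the
# "YOUR_EXTERNAL_IP" placeholder written into every .ovpn.
#
# Review notes (read before running):
#   * The CA key is created WITHOUT a passphrase and lives on the VPN host itself
#     (/etc/openvpn/easy-rsa/pki/private/ca.key). Root on this machine can therefore mint client
#     certificates. That is the trade-off for an unattended script; keep the CA off-box if the
#     deployment matters.
#   * A client .ovpn embeds the client private key and its tls-crypt-v2 key: the file IS the
#     credential. Copy it over a trusted channel and delete stale copies.
#   * Enabling UFW (default inbound deny) while logged in over SSH can drop your session; the
#     firewall section keeps port 22 open only when an SSH daemon is active.
#   * IPv4 only: "redirect-gateway def1" does not tunnel IPv6, so dual-stack clients may still
#     send IPv6 traffic outside the VPN. Add server-ipv6 / push "redirect-gateway ipv6" or
#     push "block-ipv6" if that matters to you.
set -euo pipefail

# ---- Settings you may want to change --------------------------------------------------------
readonly VPN_PORT=1194
readonly VPN_PROTO=tcp            # author's choice; UDP avoids TCP-over-TCP stalls if you can open it
readonly VPN_DEV=tun0             # named explicitly so the UFW route rule below can refer to it
readonly VPN_NET=10.8.0.0
readonly VPN_MASK=255.255.255.0
readonly VPN_CIDR=10.8.0.0/24
readonly VPN_DNS=208.67.222.222   # OpenDNS; pushed so clients do not keep using a local resolver
readonly SERVER_DIR=/etc/openvpn/server
readonly EASYRSA_DIR=/etc/openvpn/easy-rsa
readonly CLIENT_DIR=/etc/openvpn/server/clients
# Certificate request fields. Easy-RSA only puts them into subject DNs when EASYRSA_DN is
# "org" (default is "cn_only"); they are harmless otherwise.
readonly REQ_COUNTRY="US"
readonly REQ_PROVINCE="NY"
readonly REQ_CITY="Buffalo"
readonly REQ_ORG="HomeServer"
readonly REQ_EMAIL="admin@example.com"   # the pasted original was obfuscated to "[email protected]"
readonly REQ_OU="My Organizational Unit"

# ---- Preconditions --------------------------------------------------------------------------
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi

# apt-get has a stable CLI for scripts. Two statements, because under set -e the left side of
# "a && b" failing does not abort the script.
apt-get update
apt-get install -y openvpn easy-rsa

mkdir -p "$SERVER_DIR" "$EASYRSA_DIR" "$CLIENT_DIR" /var/log/openvpn

# ---- Server configuration -------------------------------------------------------------------
# Paths are relative: the packaged openvpn-server@.service unit runs with
# WorkingDirectory=/etc/openvpn/server.
cat > "$SERVER_DIR/server.conf" <<EOF
port $VPN_PORT
proto $VPN_PROTO
dev $VPN_DEV
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-crypt-v2 server.pem
# Reject revoked client certificates (CRL published by revoke-client.sh). Without this a leaked
# client profile stays valid until the CA itself is replaced.
crl-verify crl.pem
server $VPN_NET $VPN_MASK
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Route all client traffic through the VPN and hand clients a resolver to use there.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS $VPN_DNS"
keepalive 10 120
# data-ciphers is what OpenVPN 2.5+ clients negotiate; "cipher" stays as the fallback for clients
# that cannot negotiate.
data-ciphers AES-256-GCM
cipher AES-256-GCM
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
EOF

# ---- Easy-RSA -------------------------------------------------------------------------------
# Copy the *contents* of the package directory. With an already existing destination, GNU
# "cp -R /usr/share/easy-rsa/ dest" nests a dest/easy-rsa/ directory instead, and ./easyrsa is
# then not where the rest of this script expects it.
cp -a /usr/share/easy-rsa/. "$EASYRSA_DIR"/
cd "$EASYRSA_DIR"

# Refuse to wipe an existing PKI: "init-pki" in batch mode removes the CA and with it every
# issued certificate. Set FORCE_NEW_PKI=1 to do that deliberately.
if [[ -e pki/ca.crt && "${FORCE_NEW_PKI:-0}" != 1 ]]; then
  echo "A PKI already exists in $EASYRSA_DIR/pki; refusing to recreate it (FORCE_NEW_PKI=1 overrides)." >&2
  exit 1
fi

# Update EasyRSA vars file
# vars.example ships the request fields commented out, and Easy-RSA's set_var keeps the first
# definition it sees, so an "s/^set_var .../" edit can match nothing. Drop any existing line for
# the variable (commented or not), then append ours.
cp vars.example vars
set_easyrsa_var() {
  local var=$1 value=$2
  sed -i "/^#*[[:space:]]*set_var[[:space:]]\{1,\}$var[[:space:]]/d" vars
  printf 'set_var %s\t"%s"\n' "$var" "$value" >> vars
}
set_easyrsa_var EASYRSA_REQ_COUNTRY  "$REQ_COUNTRY"
set_easyrsa_var EASYRSA_REQ_PROVINCE "$REQ_PROVINCE"
set_easyrsa_var EASYRSA_REQ_CITY     "$REQ_CITY"
set_easyrsa_var EASYRSA_REQ_ORG      "$REQ_ORG"
set_easyrsa_var EASYRSA_REQ_EMAIL    "$REQ_EMAIL"
set_easyrsa_var EASYRSA_REQ_OU       "$REQ_OU"
# Easy-RSA's default CRL lifetime is 180 days and OpenVPN rejects EVERY client once crl.pem has
# expired. Give the CRL a long validity; revoke-client.sh regenerates it on each revocation.
set_easyrsa_var EASYRSA_CRL_DAYS "3650"

# ---- Build the PKI --------------------------------------------------------------------------
# --batch answers every prompt (CA common name defaults to "Easy-RSA CA", sign confirmations
# become "yes"). build-server-full already signs the request, so no separate sign-req is needed.
# gen-dh takes a few minutes.
./easyrsa --batch init-pki
./easyrsa --batch build-ca nopass
./easyrsa --batch build-server-full server nopass
./easyrsa gen-dh
./easyrsa gen-crl
openvpn --genkey tls-crypt-v2-server "$SERVER_DIR/server.pem"

# Publish to the server directory with explicit modes: public material world-readable (OpenVPN
# re-reads crl.pem as "nobody" after dropping privileges), private keys root-only.
install -m 0644 pki/ca.crt pki/dh.pem pki/issued/server.crt pki/crl.pem "$SERVER_DIR"/
install -m 0600 pki/private/server.key "$SERVER_DIR/server.key"
chmod 0600 "$SERVER_DIR/server.pem"

# ---- IP forwarding --------------------------------------------------------------------------
# Ubuntu/Mint ship /etc/sysctl.conf with "#net.ipv4.ip_forward=1" commented out, so a sed on
# "^net.ipv4.ip_forward" can silently match nothing. A drop-in file is unambiguous.
printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-openvpn-forward.conf
sysctl -w net.ipv4.ip_forward=1

# ---- Firewall (UFW) -------------------------------------------------------------------------
# Take the first default route only: with several default routes (Wi-Fi + Ethernet) a plain
# "awk '{print $5}'" yields a multi-line value and a broken iptables rule.
default_int=$(ip -4 route list default | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
if [[ -z "$default_int" ]]; then
  echo "Could not determine the default network interface; is there a default route?" >&2
  exit 1
fi

# Prepend a NAT table to before.rules instead of overwriting the file: the packaged before.rules
# carries UFW's loopback, conntrack and ICMP rules, and replacing it with only a *nat block
# discards them. The marker comment makes this idempotent.
if ! grep -q '^# openvpn-nat' /etc/ufw/before.rules; then
  tmp=$(mktemp)
  {
    printf '# openvpn-nat: masquerade VPN clients (%s) out of %s\n' "$VPN_CIDR" "$default_int"
    printf '*nat\n:POSTROUTING ACCEPT [0:0]\n'
    printf -- '-A POSTROUTING -s %s -o %s -j MASQUERADE\nCOMMIT\n\n' "$VPN_CIDR" "$default_int"
    cat /etc/ufw/before.rules
  } > "$tmp"
  install -m 0640 "$tmp" /etc/ufw/before.rules
  rm -f "$tmp"
fi

# Allow forwarding only from the tunnel to the uplink rather than flipping DEFAULT_FORWARD_POLICY
# to ACCEPT for everything that crosses this host. Return traffic is matched by UFW's
# RELATED,ESTABLISHED forward rule in before.rules.
ufw route allow in on "$VPN_DEV" out on "$default_int"
ufw allow "$VPN_PORT/$VPN_PROTO"
# Keep remote administration reachable: a default-deny firewall enabled over SSH would otherwise
# drop the session. Remove this if SSH must not be exposed here.
if systemctl is-active --quiet ssh.service ssh.socket; then
  ufw allow 22/tcp
fi
ufw --force enable   # --force: no interactive "may disrupt existing ssh connections" prompt
ufw reload           # pick up the edited before.rules even if UFW was already active

# ---- Service --------------------------------------------------------------------------------
systemctl enable --now openvpn-server@server

# ---- Client helper --------------------------------------------------------------------------
# Quoted heredoc: nothing below is expanded now; the inner script expands its own variables at
# run time.
cat > /usr/local/bin/create-client-config.sh <<'EOC'
#!/bin/bash
# Issue a client certificate, derive a tls-crypt-v2 client key and write a self-contained
# .ovpn profile for <client_name>. The profile embeds private key material.
set -euo pipefail
umask 077   # everything created here is secret material: dirs 0700, files 0600

CLIENT_PATH=/etc/openvpn/server/clients
SERVER_DIR=/etc/openvpn/server
VPN_REMOTE=${VPN_REMOTE:-YOUR_EXTERNAL_IP}

name=${1:-}
if [[ -z "$name" ]]; then
  echo "Usage: $0 <client_name>" >&2
  exit 1
fi
# The name becomes a path component, an Easy-RSA entity name and a certificate CN; restrict it
# so "../x" or "a b" can neither escape the clients directory nor break the easyrsa call.
if [[ ! "$name" =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "client_name may only contain letters, digits, '-' and '_'." >&2
  exit 1
fi
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root." >&2
  exit 1
fi

cd /etc/openvpn/easy-rsa
if [[ -e "pki/issued/$name.crt" ]]; then
  echo "A certificate for '$name' already exists; revoke it first or choose another name." >&2
  exit 1
fi

# Port/proto are read from the live server config so profiles stay in sync with it.
port=$(awk '$1 == "port"  { print $2; exit }' "$SERVER_DIR/server.conf")
proto=$(awk '$1 == "proto" { print $2; exit }' "$SERVER_DIR/server.conf")
port=${port:-1194}
proto=${proto:-tcp}

out="$CLIENT_PATH/$name"
mkdir -p "$out"
# build-client-full = gen-req + sign-req; --batch skips the confirmation prompt.
./easyrsa --batch build-client-full "$name" nopass
# Per-client tls-crypt-v2 key derived from the server key; only the client needs it.
openvpn --tls-crypt-v2 "$SERVER_DIR/server.pem" --genkey tls-crypt-v2-client "$out/$name.pem"

# "openssl x509" emits just the PEM block; Easy-RSA's issued .crt also carries a text dump.
cat > "$out/$name.ovpn" <<EOF
client
dev tun
proto $proto
remote $VPN_REMOTE $port
resolv-retry infinite
nobind
tls-client
cipher AES-256-GCM
remote-cert-tls server
persist-key
persist-tun
verb 3
<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(openssl x509 -in "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
<tls-crypt-v2>
$(cat "$out/$name.pem")
</tls-crypt-v2>
EOF

# Hand the profile directory to the user who invoked sudo so they can copy the .ovpn out.
# Modes stay 0700/0600 (umask above), so no other local user can read the keys. logname is
# only a fallback: it fails without a controlling terminal.
owner=${SUDO_USER:-$(logname 2>/dev/null || true)}
if [[ -n "$owner" && "$owner" != root ]]; then
  chown -R "$owner": "$out"
fi
echo "Client profile written to $out/$name.ovpn (remote: '$VPN_REMOTE'; edit it if that is the placeholder)."
EOC
chmod 0755 /usr/local/bin/create-client-config.sh

# ---- Revocation helper ----------------------------------------------------------------------
cat > /usr/local/bin/revoke-client.sh <<'EOC'
#!/bin/bash
# Revoke a client certificate and publish a fresh CRL to the running server.
set -euo pipefail
name=${1:-}
if [[ -z "$name" || ! "$name" =~ ^[A-Za-z0-9_-]+$ ]]; then
  echo "Usage: $0 <client_name>" >&2
  exit 1
fi
cd /etc/openvpn/easy-rsa
./easyrsa --batch revoke "$name"
./easyrsa gen-crl
# OpenVPN checks crl.pem at every TLS handshake and runs as "nobody" after startup, so the
# file must stay world-readable.
install -m 0644 pki/crl.pem /etc/openvpn/server/crl.pem
echo "Revoked '$name'. Sessions already connected are refused at their next TLS renegotiation"
echo "or reconnect; restart openvpn-server@server to drop them immediately."
EOC
chmod 0755 /usr/local/bin/revoke-client.sh

# ---- Final message --------------------------------------------------------------------------
echo "Setup complete. Use /usr/local/bin/create-client-config.sh to create client configurations."
echo "Use /usr/local/bin/revoke-client.sh to revoke one."
exit 0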
  415.  
Comments
  • stspringer
    1. Hello Everyone,
    2. I am posting this not for newbies but for people familiar with Linux. This script will build an OpenVPN server on Linux Mint 22. You have to run this script as root. Ensure you have a static IP address for the PC you plan to set up on. Change the data under # Update EasyRSA vars file "in the script" with your information, country, city etc.
    3.  
    4. After you run the script you can create .ovpn files for any client PC's or phones that you want to have connect to the server which will put you on your local LAN.
    5.  
I have an Android phone. I installed OpenVPN from the Play Store, copied the generated .ovpn file onto the phone, and now I can connect to my home LAN from anywhere. I use it to open and close my garage door and to switch the garage lights on and off remotely.
    7.  
    8. Hope this helps
    9.  
    10.  