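#!/usr/bin/env bash
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS

# This script will work on Debian, Ubuntu, CentOS and probably other distros
# of the same families, although no support is offered for them. It isn't
# bulletproof but it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
# universal as possible.
#
# The script uses bash-only syntax ([[ ]], read -p/-e/-i, source, =~), so it
# has to be run by bash rather than a POSIX /bin/sh. On OpenWrt make sure a
# bash package is installed first.

# Trace every command to stderr while the installer runs; drop this line for
# a quiet run.
set -x

# Everything below writes under /etc, installs packages and edits iptables,
# so root is required. `id -u` is used rather than $USER because $USER is not
# reliably set (sudo, cron).
if [[ "$(id -u)" -ne 0 ]]; then
    echo "Sorry, you need to run this as root" >&2
    exit 1
fi

# OpenVPN cannot start without the TUN device (containers often lack it).
if [[ ! -e /dev/net/tun ]]; then
    echo "TUN/TAP is not available" >&2
    exit 1
fi

# Guard the grep so non-RedHat systems do not log a "no such file" error.
if [[ -e /etc/redhat-release ]] && grep -q "CentOS release 5" "/etc/redhat-release"; then
    echo "CentOS 5 is too old and not supported" >&2
    exit 1
fi

# Distro detection. These three globals drive every branch below:
#   OS        - debian | centos | openwrt
#   RCLOCAL   - boot script that receives the iptables rules
#   conf_file - server config; its presence means "already installed"
if [[ -e /etc/debian_version ]]; then
    OS=debian
    RCLOCAL='/etc/rc.local'
    conf_file="/etc/openvpn/server.conf"
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
    OS=centos
    RCLOCAL='/etc/rc.d/rc.local'
    conf_file="/etc/openvpn/server.conf"
    # Needed for CentOS 7
    chmod +x /etc/rc.d/rc.local
elif [[ -e /etc/openwrt_version ]]; then
    OS=openwrt
    RCLOCAL='/etc/rc.local'
    chmod +x /etc/rc.local
    conf_file="/etc/config/openvpn"
else
    echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS, OpenWrt  systems" >&2
    exit 1
fi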
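#######################################
# Generates ~/<name>.ovpn for a client on OpenWrt: copies the client.conf
# template (fetching it the first time), builds the client key with easy-rsa
# and inlines the CA cert, client cert and client key into the .ovpn.
# Globals:   IP, PORT (read; patched into the template when it is fetched)
# Arguments: $1 - client name, also the easy-rsa key/cert base name
# Outputs:   writes ~/<name>.ovpn; easy-rsa output on stdout/stderr
# Returns:   1 if the template cannot be fetched/copied or /etc/easy-rsa is
#            missing, otherwise the status of the final chmod
#######################################
newclient_wrt () {
    local name=$1
    local ovpn="$HOME/$name.ovpn"
    local template=/etc/openvpn/client.conf
    local keys=/etc/easy-rsa/keys

    if [[ ! -e "$template" ]]; then
        # The template is fetched over plain http with no integrity check; a
        # tampered copy ends up in every client's config (remote, cipher and
        # routing directives). Ship the file locally or verify it before
        # trusting this on a production box. wget -O leaves an empty file
        # behind on failure, so remove it or the next run would reuse it.
        wget -O "$template" http://etele.com.ua/OpenVPN/easy-rsa/archive/client.conf \
            || { rm -f "$template"; return 1; }
        sed -i "s|remote my-server-1 1194|remote $IP $PORT|" "$template"
    fi
    cp "$template" "$ovpn" || return 1
    cd /etc/easy-rsa || return 1
    source ./vars

    # NOTE(review): every caller in this script already runs pkitool for the
    # same name before calling newclient, so this builds the key a second
    # time (and build-key is interactive) — confirm it is still needed.
    build-key "$name"
    # Drop the file references; the material is embedded inline below.
    sed -i "/ca ca.crt/d" "$ovpn"
    sed -i "/cert client.crt/d" "$ovpn"
    sed -i "/key client.key/d" "$ovpn"
    {
        echo "<ca>"
        cat "$keys/ca.crt"
        echo "</ca>"
        echo "<cert>"
        cat "$keys/$name.crt"
        echo "</cert>"
        echo "<key>"
        cat "$keys/$name.key"
        echo "</key>"
    } >> "$ovpn"
    # The .ovpn now contains the client's private key: owner-only access.
    chmod 600 "$ovpn"
}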
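#######################################
# Generates ~/<name>.ovpn for a client. On OpenWrt this delegates to
# newclient_wrt; elsewhere it copies the sample client.conf shipped with the
# openvpn package and inlines the CA cert, client cert and client key from
# the easy-rsa keys directory.
# Globals:   OS (read)
# Arguments: $1 - client name, also the easy-rsa key/cert base name
# Outputs:   writes ~/<name>.ovpn
# Returns:   status of newclient_wrt on OpenWrt; otherwise 1 if the sample
#            config cannot be copied, else the status of the final chmod
#######################################
newclient () {
    local name=$1
    local ovpn="$HOME/$name.ovpn"
    local keys=/etc/openvpn/easy-rsa/2.0/keys

    if [[ "$OS" == 'openwrt' ]]; then
        newclient_wrt "$name"
        return
    fi

    # The glob assumes exactly one openvpn doc directory matches; with several
    # matches cp receives extra arguments and fails, which is reported here.
    cp /usr/share/doc/openvpn*/*ample*/sample-config-files/client.conf "$ovpn" || return 1
    # Drop the file references; the material is embedded inline below.
    sed -i "/ca ca.crt/d" "$ovpn"
    sed -i "/cert client.crt/d" "$ovpn"
    sed -i "/key client.key/d" "$ovpn"
    {
        echo "<ca>"
        cat "$keys/ca.crt"
        echo "</ca>"
        echo "<cert>"
        cat "$keys/$name.crt"
        echo "</cert>"
        echo "<key>"
        cat "$keys/$name.key"
        echo "</key>"
    } >> "$ovpn"
    # The .ovpn now contains the client's private key: owner-only access.
    chmod 600 "$ovpn"
}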
  93.  
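#######################################
# Downloads easy-rsa 2.2.2 and installs its 2.0 scripts into
# /etc/openvpn/easy-rsa/2.0/. OpenWrt fetches from a mirror, everything else
# from GitHub.
# Globals:   HOME (read; used for the temporary archive and extraction dir)
# Outputs:   wget/tar progress on stdout/stderr
# Returns:   1 if the download or extraction fails, otherwise the status of
#            the final cleanup
#######################################
geteasyrsa () {
    local archive="$HOME/easy-rsa.tar.gz"
    local extracted="$HOME/easy-rsa-2.2.2"
    local dest=/etc/openvpn/easy-rsa/2.0/
    local url

    if [[ -e /etc/openwrt_version ]]; then
        # Plain http mirror: no transport protection and no integrity check.
        # The archive contains scripts that later run as root (pkitool,
        # build-dh, clean-all), so compare it against a known-good checksum
        # before relying on this path outside a lab.
        url=http://etele.com.ua/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
    else
        # TLS verification stays on for the same reason: a tampered archive
        # would mean arbitrary code running as root. If wget reports a
        # certificate error, install the distro's ca-certificates package
        # instead of disabling verification.
        url=https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
    fi

    wget -O "$archive" "$url" || { rm -f "$archive"; return 1; }
    tar xzf "$archive" -C "$HOME" || return 1
    mkdir -p "$dest"
    cp "$extracted"/easy-rsa/2.0/* "$dest"
    rm -rf "$extracted" "$archive"
}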
  115.  
  116.  
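# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6.
ipv4_re='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
if [[ "$OS" == 'openwrt' ]]; then
    # OpenWrt (busybox) has ifconfig but usually no iproute2.
    IP=$(ifconfig | grep 'inet' | grep -v inet6 | grep -vE "127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | grep -o -E "$ipv4_re" | head -1)
else
    IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE "127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}" | grep -o -E "$ipv4_re" | head -1)
fi
if [[ -z "$IP" ]]; then
    # Unauthenticated fallback over plain http: the reply is attacker-influenceable
    # on the path, so it is only accepted if it is a bare dotted-quad.
    IP=$(wget -qO- http://ipv4.icanhazip.com)
fi
# $IP is interpolated into iptables rules and sed expressions later on, so
# anything that is not an IPv4 address (an error page, an empty reply) is
# discarded rather than passed through.
if [[ ! "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    IP=""
fi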
  128.  
  129.  
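#######################################
# Checks a client name typed at a prompt. The name becomes the certificate CN,
# a file name under easy-rsa/keys/ and ~/<name>.ovpn, so only one word of
# letters, digits, '-' and '_' is accepted (which is what the prompts ask for).
# Arguments: $1 - candidate client name
# Outputs:   error message on stderr when the name is rejected
# Returns:   0 if the name is acceptable, 1 otherwise
#######################################
check_client_name () {
    if [[ ! "$1" =~ ^[A-Za-z0-9_-]+$ ]]; then
        echo "Client name '$1' is not valid: use one word, letters, digits, '-' or '_' only" >&2
        return 1
    fi
    return 0
}

#######################################
# Checks that a value is a dotted-quad IPv4 address. Addresses are interpolated
# into iptables rules and into sed expressions written to rc.local, so anything
# else is refused.
# Arguments: $1 - candidate address
# Returns:   0 if it looks like an IPv4 address, 1 otherwise
#######################################
is_ipv4 () {
    [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}

# The presence of the server config decides between the "already installed"
# management menu and a fresh install.
if [[ -e "$conf_file" ]]; then
    while :
    do
        clear
        echo "Looks like OpenVPN is already installed"
        echo "What do you want to do?"
        echo ""
        echo "1) Add a cert for a new user"
        echo "2) Revoke existing user cert"
        echo "3) Remove OpenVPN"
        echo "4) Exit"
        echo ""
        read -r -p "Select an option [1-4]: " option
        case "$option" in
            1)
            echo ""
            echo "Tell me a name for the client cert"
            echo "Please, use one word only, no special characters"

            read -r -p "Client name: " CLIENT
            if [[ -z "$CLIENT" ]]; then
                CLIENT="client"
            fi
            check_client_name "$CLIENT" || exit 1
            # easy-rsa lives in a different place on OpenWrt
            if [[ "$OS" != 'openwrt' ]]; then
                cd /etc/openvpn/easy-rsa/2.0/ || exit 1
            else
                cd /etc/easy-rsa/ || exit 1
            fi
            source ./vars

            # build-key for the client
            export KEY_CN="$CLIENT"
            export EASY_RSA="${EASY_RSA:-.}"
            "$EASY_RSA/pkitool" "$CLIENT"
            # Generate the client.ovpn
            newclient "$CLIENT"
            echo ""
            echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
            exit
            ;;
            2)
            echo ""
            echo "Tell me the existing client name"

            read -r -p "Client name: " CLIENT
            if [[ -z "$CLIENT" ]]; then
                CLIENT="client"
            fi
            # The name selects keys/<name>.crt for revocation, so it gets the
            # same restriction as on creation.
            check_client_name "$CLIENT" || exit 1
            if [[ "$OS" != 'openwrt' ]]; then
                cd /etc/openvpn/easy-rsa/2.0/ || exit 1
                . /etc/openvpn/easy-rsa/2.0/vars
                . /etc/openvpn/easy-rsa/2.0/revoke-full "$CLIENT"
                # If it's the first time revoking a cert, we need to add the crl-verify line
                if ! grep -q "crl-verify" "/etc/openvpn/server.conf"; then
                    echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf"
                    # And restart
                    if pgrep systemd-journal; then
                        systemctl restart openvpn@server.service
                    else
                        if [[ "$OS" = 'debian' ]]; then
                            /etc/init.d/openvpn restart
                        else
                            service openvpn restart
                        fi
                    fi
                fi
            else
                cd /etc/easy-rsa || exit 1
                . /etc/easy-rsa/vars
                revoke-full "$CLIENT"
                # NOTE(review): unlike the branch above, nothing adds a
                # crl-verify setting to the OpenWrt config, so the server may
                # keep accepting the revoked cert — confirm the uci option
                # and add it here.
                /etc/init.d/openvpn restart
            fi
            echo ""
            echo "Certificate for client $CLIENT revoked"
            exit
            ;;
            3)
            echo ""

            read -r -p "Do you really want to remove OpenVPN? [y/n]: " REMOVE
            if [[ "$REMOVE" != "n" && "$REMOVE" != "y" ]]; then
                REMOVE="n"
            fi
            if [[ "$REMOVE" = 'y' ]]; then

                if [[ "$OS" = 'openwrt' ]]; then
                    opkg remove openvpn-devel-openssl openvpn-easy-rsa
                    rm -f /etc/config/openvpn
                    rm -fr /etc/openvpn
                    rm -fr /etc/easy-rsa/
                elif [[ "$OS" = 'debian' ]]; then
                    apt-get remove --purge -y openvpn openvpn-blacklist
                else
                    yum remove openvpn -y
                fi
                rm -rf /etc/openvpn
                rm -rf /usr/share/doc/openvpn*
                # Drop the rules this installer inserted into rc.local. The
                # patterns are single-quoted on purpose: $PORT is not known at
                # removal time, so the port is matched as digits, and the
                # install used -A on Debian/CentOS but -I on OpenWrt, so both
                # spellings are matched.
                sed -i '/iptables -I INPUT -p udp --dport [0-9]* -j ACCEPT/d' "$RCLOCAL"
                sed -i '/--dport 53 -j REDIRECT --to-port/d' "$RCLOCAL"
                sed -i '/iptables -t nat -[AI] POSTROUTING -s 10.8.0.0/d' "$RCLOCAL"
                echo ""
                echo "OpenVPN removed!"
            else
                echo ""
                echo "Removal aborted!"
            fi
            exit
            ;;
            4) exit;;
        esac
    done
else
    clear
    echo 'Welcome to this quick OpenVPN "road warrior" installer'
    echo ""
    # OpenVPN setup and first user creation
    echo "I need to ask you a few questions before starting the setup"
    echo "You can leave the default options and just press enter if you are ok with them"
    echo ""
    echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
    echo "listening to."
    # OpenWrt's read has no -e/-i, so the two branches prompt differently and
    # defaults are applied by hand there.
    if [[ "$OS" = 'openwrt' ]]; then

        read -r -p "IP address:[$IP] " IP1
        if [[ -n "$IP1" && "$IP1" != "$IP" ]]; then
            IP=$IP1
        fi
        echo "$IP"
        echo "What port do you want for OpenVPN?"

        read -r -p "Port [1194]: " PORT
        if [[ "$PORT" == "" ]]; then
            PORT=1194
        fi

        echo "$PORT"
        echo "Do you want OpenVPN to be available at port 53 too?"
        echo "This can be useful to connect under restrictive networks"
        read -r -p "Listen at port 53 [y/n]: " ALTPORT
        if [[ "$ALTPORT" != "n" && "$ALTPORT" != "y" ]]; then
            ALTPORT="n"
        fi
        echo "$ALTPORT"
        echo "Do you want to enable internal networking for the VPN?"
        echo "This can allow VPN clients to communicate between them"
        read -r -p "Allow internal networking [y/n]: " INTERNALNETWORK
        if [[ "$INTERNALNETWORK" != "n" && "$INTERNALNETWORK" != "y" ]]; then
            INTERNALNETWORK="n"
        fi
        echo "$INTERNALNETWORK"
        echo "What DNS do you want to use with the VPN?"
        echo "   1) Current system resolvers"
        echo "   2) OpenDNS"
        echo "   3) Level 3"
        echo "   4) NTT"
        echo "   5) Hurricane Electric"
        echo "   6) Yandex"
        read -r -p "DNS [1-6]: " DNS
        echo "$DNS"
        echo "Finally, tell me your name for the client cert"
        echo "Please, use one word only, no special characters"
        read -r -p "Client name: " CLIENT
        if [[ -z "$CLIENT" ]]; then
            CLIENT="client"
        fi

    else
        # The detected address is only a default; an empty $IP would otherwise
        # produce broken iptables rules below.
        read -r -p "IP address: " -e -i "$IP" IP
        echo ""
        echo "What port do you want for OpenVPN?"
        read -r -p "Port: " -e -i 1194 PORT
        echo ""
        echo "Do you want OpenVPN to be available at port 53 too?"
        echo "This can be useful to connect under restrictive networks"
        read -r -p "Listen at port 53 [y/n]: " -e -i n ALTPORT
        echo ""
        echo "Do you want to enable internal networking for the VPN?"
        echo "This can allow VPN clients to communicate between them"
        read -r -p "Allow internal networking [y/n]: " -e -i n INTERNALNETWORK
        echo ""
        echo "What DNS do you want to use with the VPN?"
        echo "   1) Current system resolvers"
        echo "   2) OpenDNS"
        echo "   3) Level 3"
        echo "   4) NTT"
        echo "   5) Hurricane Electric"
        echo "   6) Yandex"
        read -r -p "DNS [1-6]: " -e -i 1 DNS
        echo ""
        echo "Finally, tell me your name for the client cert"
        echo "Please, use one word only, no special characters"
        read -r -p "Client name: " -e -i client CLIENT
    fi
    # Validate the answers before anything is installed or written: these
    # values are interpolated into iptables rules, sed expressions, uci
    # settings and file names below.
    if ! is_ipv4 "$IP"; then
        echo "'$IP' is not an IPv4 address" >&2
        exit 1
    fi
    if [[ ! "$PORT" =~ ^[0-9]+$ ]] || (( PORT < 1 || PORT > 65535 )); then
        echo "'$PORT' is not a valid port number" >&2
        exit 1
    fi
    # Any answer outside 1-6 falls back to the system resolvers.
    if [[ ! "$DNS" =~ ^[1-6]$ ]]; then
        DNS="1"
    fi
    check_client_name "$CLIENT" || exit 1
    echo ""
    echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
    read -n1 -r -p "Press any key to continue..."
    # Package installation, one branch per family so that the CentOS fallback
    # is never reached on OpenWrt.
    if [[ "$OS" == 'openwrt' ]]; then
        opkg update
        opkg install openvpn-devel-openssl openvpn-easy-rsa
        # NOTE(review): /etc/openwrt/ is not created anywhere in this script,
        # so this link most likely fails; /etc/openvpn/server.conf may have
        # been intended — confirm.
        ln -s /etc/config/openvpn /etc/openwrt/server.conf
        geteasyrsa
    elif [[ "$OS" == 'debian' ]]; then
        apt-get update
        apt-get install openvpn iptables openssl -y
        cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
        # easy-rsa isn't available by default for Debian Jessie and newer
        if [[ ! -d /etc/openvpn/easy-rsa/2.0/ ]]; then
            geteasyrsa
        fi
    else
        # Else, the distro is CentOS
        yum install epel-release -y
        yum install openvpn iptables openssl wget -y
        geteasyrsa
    fi


    # Let's fix one thing first...
    if [[ "$OS" != 'openwrt' ]]; then
        cd /etc/openvpn/easy-rsa/2.0/ || exit 1
        cp -u -p openssl-1.0.0.cnf openssl.cnf

        # 1024-bit keys were the default for Debian Wheezy and older; use 2048
        sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars
        # Create the PKI
        . /etc/openvpn/easy-rsa/2.0/vars
        . /etc/openvpn/easy-rsa/2.0/clean-all
        # The following lines are from build-ca. I don't use that script directly
        # because it's interactive and we don't want that. Yes, this could break
        # the installation script if build-ca changes in the future.
        export EASY_RSA="${EASY_RSA:-.}"
        "$EASY_RSA/pkitool" --initca "$@"
        # Same as the last time, we are going to run build-key-server
        export EASY_RSA="${EASY_RSA:-.}"
        "$EASY_RSA/pkitool" --server server
        # Now the client keys. KEY_CN must be set or pkitool refuses to run
        export KEY_CN="$CLIENT"
        export EASY_RSA="${EASY_RSA:-.}"
        "$EASY_RSA/pkitool" "$CLIENT"
        # DH params
        . /etc/openvpn/easy-rsa/2.0/build-dh
        # Let's configure the server


        cd /usr/share/doc/openvpn*/*ample*/sample-config-files || exit 1
        if [[ "$OS" = 'debian' ]]; then
            gunzip -d server.conf.gz
        fi
        cp server.conf /etc/openvpn/
        cd /etc/openvpn/easy-rsa/2.0/keys || exit 1
        # server.conf only references ca.crt, server.crt, server.key and the
        # DH params; the CA private key stays in the easy-rsa keys directory
        # where pkitool and revoke-full read it, rather than being copied
        # next to the server config.
        cp ca.crt dh2048.pem server.crt server.key /etc/openvpn
        cd /etc/openvpn/ || exit 1
        # Set the server configuration
        sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
        sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
        sed -i "s|port 1194|port $PORT|" server.conf
        # DNS
        case "$DNS" in
            1)
            # Obtain the resolvers from resolv.conf and use them for OpenVPN
            grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while IFS= read -r line; do
                sed -i "/;push \"dhcp-option DNS 208.67.220.220\"/a\push \"dhcp-option DNS $line\"" server.conf
            done
            ;;
            2)
            sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 208.67.222.222"|' server.conf
            sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 208.67.220.220"|' server.conf
            ;;
            3)
            sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 4.2.2.2"|' server.conf
            sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 4.2.2.4"|' server.conf
            ;;
            4)
            sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 129.250.35.250"|' server.conf
            sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 129.250.35.251"|' server.conf
            ;;
            5)
            sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 74.82.42.42"|' server.conf
            ;;
            6)
            sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 77.88.8.8"|' server.conf
            sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 77.88.8.1"|' server.conf
            ;;
        esac
        # Listen at port 53 too if user wants that
        if [[ "$ALTPORT" = 'y' ]]; then
            iptables -t nat -A PREROUTING -p udp -d "$IP" --dport 53 -j REDIRECT --to-port "$PORT"
            sed -i "1 a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" "$RCLOCAL"
        fi
        # Enable net.ipv4.ip_forward for the system
        if [[ "$OS" = 'debian' ]]; then
            sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
        else
            # CentOS 5 and 6
            sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
            # CentOS 7
            if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"; then
                echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
            fi
        fi
        # Avoid an unneeded reboot
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # Set iptables
        if [[ "$INTERNALNETWORK" = 'y' ]]; then
            iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
            sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
        else
            iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
            sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
        fi
    else
        # OpenWrt: easy-rsa comes from the openvpn-easy-rsa package in
        # /etc/easy-rsa and its scripts are on PATH.
        cd /etc/easy-rsa/ || exit 1
        # 1024-bit keys are too small; use 2048
        sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/easy-rsa/vars
        source ./vars
        clean-all
        export EASY_RSA="${EASY_RSA:-.}"
        pkitool --initca "$@"
        # Same as the last time, we are going to run build-key-server
        export EASY_RSA="${EASY_RSA:-.}"
        pkitool --server server
        # Now the client keys. KEY_CN must be set or pkitool refuses to run
        export KEY_CN="$CLIENT"
        export EASY_RSA="${EASY_RSA:-.}"
        pkitool "$CLIENT"
        build-dh
        cd /etc/easy-rsa/keys || exit 1
        # The uci config below only references ca.crt, server.crt, server.key
        # and the DH params; the CA private key stays in /etc/easy-rsa/keys.
        cp ca.crt dh2048.pem server.crt server.key /etc/openvpn
        uci set network.vpn0=interface
        uci set network.vpn0.ifname=tun0
        uci set network.vpn0.proto=none
        uci commit network
        /etc/init.d/network reload

        echo > /etc/config/openvpn
        uci set openvpn.myvpn=openvpn
        uci set openvpn.myvpn.enabled=1
        uci set openvpn.myvpn.dev=tun
        uci set "openvpn.myvpn.port=$PORT"
        uci set openvpn.myvpn.proto=udp
        uci set openvpn.myvpn.log=/tmp/openvpn.log
        uci set openvpn.myvpn.verb=3
        uci set openvpn.myvpn.ca=/etc/openvpn/ca.crt
        uci set openvpn.myvpn.cert=/etc/openvpn/server.crt
        uci set openvpn.myvpn.key=/etc/openvpn/server.key
        uci set openvpn.myvpn.server='10.8.0.0 255.255.255.0'
        uci set openvpn.myvpn.dh=/etc/openvpn/dh2048.pem
        uci commit openvpn

        # NOTE(review): these append raw OpenVPN directives to a UCI file that
        # was just written with uci; it is unclear whether the init script
        # honours them — `uci add_list openvpn.myvpn.push=...` may be what is
        # needed. Confirm on a device before relying on the DNS push.
        case "$DNS" in
            1)
            # Obtain the resolvers from resolv.conf and use them for OpenVPN
            grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while IFS= read -r line; do
                echo "push \"dhcp-option DNS $line\"" >> "$conf_file"
            done
            ;;
            2)
            echo "push \"dhcp-option DNS 208.67.222.222\"" >> "$conf_file"
            echo "push \"dhcp-option DNS 208.67.220.220\"" >> "$conf_file"
            ;;
            3)
            echo "push \"dhcp-option DNS 4.2.2.2\"" >> "$conf_file"
            echo "push \"dhcp-option DNS 4.2.2.4\"" >> "$conf_file"
            ;;
            4)
            echo "push \"dhcp-option DNS 129.250.35.250\"" >> "$conf_file"
            echo "push \"dhcp-option DNS 129.250.35.251\"" >> "$conf_file"
            ;;
            5)
            echo "push \"dhcp-option DNS 74.82.42.42\"" >> "$conf_file"
            ;;
            6)
            echo "push \"dhcp-option DNS 77.88.8.8\"" >> "$conf_file"
            echo "push \"dhcp-option DNS 77.88.8.1\"" >> "$conf_file"
            ;;
        esac

        iptables -I INPUT -p udp --dport "$PORT" -j ACCEPT
        sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" "$RCLOCAL"

        # Listen at port 53 too if user wants that
        if [[ "$ALTPORT" = 'y' ]]; then
            iptables -t nat -I PREROUTING -p udp -d "$IP" --dport 53 -j REDIRECT --to-port "$PORT"
            sed -i "1 a\iptables -t nat -I PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" "$RCLOCAL"
        fi

        # Set iptables
        if [[ "$INTERNALNETWORK" = 'y' ]]; then
            iptables -t nat -I POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
            sed -i "1 a\iptables -t nat -I POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
        else
            iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
            sed -i "1 a\iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
        fi
        /etc/init.d/openvpn enable
        /etc/init.d/openvpn restart
    fi


    # Start the service. OpenWrt was already enabled and restarted above, so
    # only the Debian and CentOS families are handled here.
    if [[ "$OS" == 'debian' ]]; then
        # Little hack to check for systemd
        if pgrep systemd-journal; then
            systemctl restart openvpn@server.service
        else
            /etc/init.d/openvpn restart
        fi
    elif [[ "$OS" == 'centos' ]]; then
        if pgrep systemd-journal; then
            systemctl restart openvpn@server.service
            systemctl enable openvpn@server.service
        else
            service openvpn restart
            chkconfig openvpn on
        fi
    fi
    # Try to detect a NATed connection and ask about it to potential LowEndSpirit
    # users
    EXTERNALIP=$(wget -qO- http://ipv4.icanhazip.com)
    if [[ "$IP" != "$EXTERNALIP" ]]; then
        echo ""
        echo "Looks like your server is behind a NAT!"
        echo ""
        echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
        echo "If that's not the case, just ignore this and leave the next field blank"
        read -r -p "External IP: " USEREXTERNALIP
        if [[ "$USEREXTERNALIP" != "" ]]; then
            # The value goes into the client config's "remote" line; refuse
            # anything that is not an IPv4 address rather than writing junk.
            if is_ipv4 "$USEREXTERNALIP"; then
                IP=$USEREXTERNALIP
            else
                echo "'$USEREXTERNALIP' is not an IPv4 address, keeping $IP" >&2
            fi
        fi
    fi
    # IP/port set on the default client.conf so we can add further users
    # without asking for them
    if [[ "$OS" == 'openwrt' ]]; then
        # newclient_wrt copies /etc/openvpn/client.conf, so that is the
        # template that has to carry the remote address and port.
        if [[ ! -e /etc/openvpn/client.conf ]]; then
            wget -O /etc/openvpn/client.conf http://etele.com.ua/OpenVPN/easy-rsa/archive/client.conf
        fi
        sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /etc/openvpn/client.conf
    else
        sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn*/*ample*/sample-config-files/client.conf
    fi
    # Generate the client.ovpn (once, for every distro family)
    newclient "$CLIENT"
    echo ""
    echo "Finished!"
    echo ""
    echo "Your client config is available at ~/$CLIENT.ovpn"
    echo "If you want to add more clients, you simply need to run this script another time!"
fi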