miraip0ts

openvpn-install.sh

Jan 3rd, 2019
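#!/bin/bash
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS

# This script will work on Debian, Ubuntu, CentOS and probably other distros
# of the same families, although no support is offered for them. It isn't
# bulletproof but it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
# universal as possible.
#
# Exit codes used by the preflight checks below:
#   1 - started with sh/dash instead of bash
#   2 - not running as root
#   3 - /dev/net/tun is missing
#   4 - CentOS 5 (unsupported)
#   5 - unrecognised distribution


# Detect Debian users running the script with "sh" instead of bash.
# This must stay the first check: everything after it relies on bash-only
# syntax ([[ ]], $EUID) that dash would choke on.
if readlink "/proc/$$/exe" | grep -qs "dash"; then
  echo "This script needs to be run with bash, not sh" >&2
  exit 1
fi

if [[ "$EUID" -ne 0 ]]; then
  echo "Sorry, you need to run this as root" >&2
  exit 2
fi

if [[ ! -e /dev/net/tun ]]; then
  echo "TUN is not available" >&2
  exit 3
fi

if grep -qs "CentOS release 5" "/etc/redhat-release"; then
  echo "CentOS 5 is too old and not supported" >&2
  exit 4
fi

# Distribution detection. The three globals set here are read by the rest of
# the script: OS selects package manager and init system, GROUPNAME is the
# group OpenVPN drops privileges to ("group $GROUPNAME" in server.conf), and
# RCLOCAL is the file the firewall rules are persisted into.
if [[ -e /etc/debian_version ]]; then
  OS=debian
  GROUPNAME=nogroup
  RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
  OS=centos
  GROUPNAME=nobody
  RCLOCAL='/etc/rc.d/rc.local'
  # Needed for CentOS 7
  chmod +x /etc/rc.d/rc.local
else
  echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system" >&2
  exit 5
fi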
  45.  
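#######################################
# Generates the custom client.ovpn: copies the client-common.txt template to
# ~/NAME.ovpn and inlines the CA cert, the client cert and key, and the
# tls-auth key between the matching <ca>/<cert>/<key>/<tls-auth> tags.
# Arguments: $1 - client name (the CN used by easyrsa, also the file stem)
# Outputs:   writes $HOME/$1.ovpn (mode 0600, it embeds a private key)
# Returns:   0 on success; 1 if the template or any source file is unreadable
#            or cannot be copied (nothing is written to ~/ in that case)
#######################################
newclient () {
  local client=$1
  local pki=/etc/openvpn/easy-rsa/pki
  local out="$HOME/$client.ovpn"
  local path i
  local -a tags=(ca cert key tls-auth)
  local -a paths=("$pki/ca.crt" "$pki/issued/$client.crt" "$pki/private/$client.key" /etc/openvpn/ta.key)
  # Fail before touching ~/ if anything is missing, so a half-written profile
  # (e.g. a template with an empty <cert> section) is never left behind.
  for path in /etc/openvpn/client-common.txt "${paths[@]}"; do
    if [[ ! -r "$path" ]]; then
      printf 'newclient: cannot read %s\n' "$path" >&2
      return 1
    fi
  done
  # The profile carries the client's private key: keep it owner-readable only.
  cp /etc/openvpn/client-common.txt "$out" || return 1
  chmod 600 "$out" || return 1
  for i in "${!tags[@]}"; do
    {
      echo "<${tags[i]}>"
      cat -- "${paths[i]}"
      echo "</${tags[i]}>"
    } >> "$out"
  done
}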
  62.  
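# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ -z "$IP" ]] && command -v wget >/dev/null 2>&1; then
  # Bounded so a host without outbound connectivity does not hang the installer
  # here; on CentOS wget may not exist yet (it is installed later), hence the guard.
  IP=$(wget -qO- --timeout=10 --tries=1 https://ipv4.icanhazip.com)
fi
# Whatever was found is only the default offered at the "IP address" prompt,
# but the accepted value is later spliced into iptables arguments and a sed
# edit of rc.local. Discard anything that is not a plain dotted quad (an empty
# reply, an error page) rather than offering it as a default.
if ! [[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  IP=""
fi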
  70.  
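#######################################
# Print a message to stderr and exit with the given status.
# Arguments: $1 - exit status; remaining arguments - message
#######################################
die() {
  local status=$1
  shift
  printf '%s\n' "$*" >&2
  exit "$status"
}

#######################################
# Prompt with readline editing and a prefilled default, storing the answer in
# the named variable. Aborts on EOF so that a run whose stdin is not a
# terminal cannot fall through to package installation with empty answers.
# Arguments: $1 - variable name, $2 - prompt text, $3 - default (may be empty)
#######################################
ask() {
  local var=$1 prompt=$2 default=${3-}
  read -r -p "$prompt" -e -i "$default" "$var" || die 1 "No input received, aborting"
}

# True if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  local octet
  local -a octets
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<< "$1"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so "08"/"09" are not rejected as invalid octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# True if $1 is an integer in the valid UDP port range 1-65535.
is_port() {
  [[ "$1" =~ ^[0-9]+$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# True if $1 is a safe client name: one word of letters, digits, '.', '_' or
# '-', not starting with '-' (would be parsed as an easyrsa option) or '.'
# (could form "." / ".." file names under pki/).
is_client_name() {
  [[ "$1" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]
}

# Print the common name of every valid (not revoked, status "V") certificate
# in the easy-rsa index, one per line. In practice this also lists the server
# certificate, since it lives in the same index.
list_valid_certs() {
  tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2
}

#######################################
# Menu option 1: issue a new client certificate and write its .ovpn.
# Globals: none written
#######################################
add_client() {
  local client
  echo ""
  echo "Tell me a name for the client cert"
  echo "Please, use one word only, no special characters"
  ask client "Client name: " client
  # The name becomes an easyrsa argument and several file names, so re-prompt
  # until it is a plain word.
  until is_client_name "$client"; do
    echo "Invalid name: use only letters, digits, '.', '_' and '-', not starting with '.' or '-'"
    ask client "Client name: " "$client"
  done
  cd /etc/openvpn/easy-rsa/ || die 1 "Cannot cd to /etc/openvpn/easy-rsa/"
  ./easyrsa build-client-full "$client" nopass || die 1 "easyrsa could not build a certificate for $client"
  # Generates the custom client.ovpn
  newclient "$client" || die 1 "Could not write ~/$client.ovpn"
  echo ""
  echo "Client $client added, certs available at ~/$client.ovpn"
}

#######################################
# Menu option 2: revoke an existing certificate and refresh the CRL that
# OpenVPN checks on every connection (crl-verify in server.conf).
# Globals: GROUPNAME (read). Exits with 6 if no valid certificate exists.
#######################################
revoke_client() {
  local count client number
  count=$(list_valid_certs | grep -c .)
  if [[ "$count" = '0' ]]; then
    echo ""
    echo "You have no existing clients!"
    exit 6
  fi
  echo ""
  echo "Select the existing client certificate you want to revoke"
  list_valid_certs | nl -s ') '
  if [[ "$count" = '1' ]]; then
    ask number "Select one client [1]: " ""
  else
    ask number "Select one client [1-$count]: " ""
  fi
  # The answer is spliced into a sed address, so insist on an in-range number.
  until [[ "$number" =~ ^[0-9]+$ ]] && (( 10#$number >= 1 && 10#$number <= count )); do
    echo "Please enter a number between 1 and $count"
    ask number "Select one client [1-$count]: " ""
  done
  number=$((10#$number))
  client=$(list_valid_certs | sed -n "${number}p")
  cd /etc/openvpn/easy-rsa/ || die 1 "Cannot cd to /etc/openvpn/easy-rsa/"
  ./easyrsa --batch revoke "$client" || die 1 "easyrsa could not revoke $client"
  ./easyrsa gen-crl || die 1 "easyrsa could not regenerate the CRL"
  rm -f -- "pki/reqs/$client.req" "pki/private/$client.key" "pki/issued/$client.crt"
  rm -f -- /etc/openvpn/crl.pem
  cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem || die 1 "Could not install the new CRL"
  # CRL is read with each client connection, when OpenVPN is dropped to nobody
  chown "nobody:$GROUPNAME" /etc/openvpn/crl.pem
  echo ""
  echo "Certificate for client $client revoked"
}

#######################################
# Menu option 3: undo the firewall, SELinux and package changes made by the
# installer and delete /etc/openvpn. Asks for confirmation first.
# Globals: OS, RCLOCAL (read)
#######################################
remove_openvpn() {
  local remove port
  echo ""
  ask remove "Do you really want to remove OpenVPN? [y/n]: " n
  if [[ "$remove" != 'y' ]]; then
    echo ""
    echo "Removal aborted!"
    return 0
  fi
  port=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
  # The port is spliced into sed patterns and firewall commands below.
  is_port "$port" || die 1 "Could not read a valid port from /etc/openvpn/server.conf"
  if pgrep firewalld >/dev/null; then
    # Using both permanent and not permanent rules to avoid a firewalld reload.
    firewall-cmd --zone=public --remove-port="$port/udp"
    firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
    firewall-cmd --permanent --zone=public --remove-port="$port/udp"
    firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
  fi
  if iptables -L | grep -qE 'REJECT|DROP'; then
    sed -i "/iptables -I INPUT -p udp --dport $port -j ACCEPT/d" "$RCLOCAL"
    sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
    sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
  fi
  sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' "$RCLOCAL"
  # Only a non-default port got an SELinux port label at install time.
  if command -v sestatus >/dev/null 2>&1 && sestatus | grep "Current mode" | grep -qs "enforcing"; then
    if [[ "$port" != '1194' ]]; then
      semanage port -d -t openvpn_port_t -p udp "$port"
    fi
  fi
  if [[ "$OS" = 'debian' ]]; then
    apt-get remove --purge -y openvpn openvpn-blacklist
  else
    yum remove openvpn -y
  fi
  rm -rf /etc/openvpn
  rm -rf /usr/share/doc/openvpn*
  echo ""
  echo "OpenVPN removed!"
}

#######################################
# Fresh install: ask the questions, install packages, build the PKI, write
# server.conf, open the firewall, and write the first client's .ovpn.
# Globals: IP (offered as default, then overwritten with the answer),
#          OS, GROUPNAME, RCLOCAL (read); PORT, DNS, CLIENT (written)
#######################################
install_openvpn() {
  local resolver external_ip user_external_ip
  clear
  echo 'Welcome to this quick OpenVPN "road warrior" installer'
  echo ""
  # OpenVPN setup and first user creation
  echo "I need to ask you a few questions before starting the setup"
  echo "You can leave the default options and just press enter if you are ok with them"
  echo ""
  echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
  echo "listening to."
  # Every answer is later interpolated into iptables, sed, firewall-cmd or
  # easyrsa invocations, so each one is validated (and re-asked) before use.
  ask IP "IP address: " "$IP"
  until is_ipv4 "$IP"; do
    echo "That is not a valid IPv4 address"
    ask IP "IP address: " "$IP"
  done
  echo ""
  echo "What port do you want for OpenVPN?"
  ask PORT "Port: " 1194
  until is_port "$PORT"; do
    echo "The port must be a number between 1 and 65535"
    ask PORT "Port: " "$PORT"
  done
  echo ""
  echo "What DNS do you want to use with the VPN?"
  echo " 1) Current system resolvers"
  echo " 2) Google"
  echo " 3) OpenDNS"
  echo " 4) NTT"
  echo " 5) Hurricane Electric"
  echo " 6) Verisign"
  ask DNS "DNS [1-6]: " 1
  until [[ "$DNS" =~ ^[1-6]$ ]]; do
    echo "Please choose an option between 1 and 6"
    ask DNS "DNS [1-6]: " "$DNS"
  done
  echo ""
  echo "Finally, tell me your name for the client cert"
  echo "Please, use one word only, no special characters"
  ask CLIENT "Client name: " client
  until is_client_name "$CLIENT"; do
    echo "Invalid name: use only letters, digits, '.', '_' and '-', not starting with '.' or '-'"
    ask CLIENT "Client name: " "$CLIENT"
  done
  echo ""
  echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
  read -n1 -r -p "Press any key to continue..." || die 1 "No input received, aborting"
  if [[ "$OS" = 'debian' ]]; then
    apt-get update
    apt-get install openvpn iptables openssl ca-certificates -y || die 1 "Package installation failed"
  else
    # Else, the distro is CentOS
    yum install epel-release -y
    yum install openvpn iptables openssl wget ca-certificates -y || die 1 "Package installation failed"
  fi
  # An old version of easy-rsa was available by default in some openvpn packages
  if [[ -d /etc/openvpn/easy-rsa/ ]]; then
    rm -rf /etc/openvpn/easy-rsa/
  fi
  # Get easy-rsa. Integrity of the tarball rests on TLS alone: no checksum is
  # pinned here, so a substituted archive would go unnoticed.
  # TODO(review): compare against a known digest (<EXPECTED_SHA256>) before extracting.
  wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz || die 1 "Could not download EasyRSA"
  tar xzf ~/EasyRSA-3.0.1.tgz -C ~/ || die 1 "Could not extract EasyRSA"
  mv ~/EasyRSA-3.0.1/ /etc/openvpn/
  mv /etc/openvpn/EasyRSA-3.0.1/ /etc/openvpn/easy-rsa/
  chown -R root:root /etc/openvpn/easy-rsa/
  rm -f -- ~/EasyRSA-3.0.1.tgz
  cd /etc/openvpn/easy-rsa/ || die 1 "Cannot cd to /etc/openvpn/easy-rsa/"
  # Create the PKI, set up the CA, the DH params and the server + client
  # certificates. Each step is fatal on failure: continuing would produce a
  # server.conf pointing at files that do not exist.
  ./easyrsa init-pki || die 1 "easyrsa init-pki failed"
  ./easyrsa --batch build-ca nopass || die 1 "easyrsa build-ca failed"
  ./easyrsa gen-dh || die 1 "easyrsa gen-dh failed"
  ./easyrsa build-server-full server nopass || die 1 "easyrsa build-server-full failed"
  ./easyrsa build-client-full "$CLIENT" nopass || die 1 "easyrsa build-client-full failed"
  ./easyrsa gen-crl || die 1 "easyrsa gen-crl failed"
  # Move the stuff we need. server.conf below only references ca.crt,
  # server.crt, server.key, dh.pem and crl.pem; ca.key is copied as well
  # although the running server never reads it (keeping the CA key off the
  # VPN host, or at least out of /etc/openvpn, is the safer layout).
  cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
  # CRL is read with each client connection, when OpenVPN is dropped to nobody
  chown "nobody:$GROUPNAME" /etc/openvpn/crl.pem
  # Generate key for tls-auth
  openvpn --genkey --secret /etc/openvpn/ta.key || die 1 "Could not generate ta.key"
  # Generate server.conf
  cat > /etc/openvpn/server.conf <<EOF
port $PORT
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
EOF
  # DNS
  case "$DNS" in
    1)
      # Obtain the resolvers from resolv.conf and use them for OpenVPN
      grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while IFS= read -r resolver; do
        echo "push \"dhcp-option DNS $resolver\"" >> /etc/openvpn/server.conf
      done
      ;;
    2)
      echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
      ;;
    3)
      echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
      ;;
    4)
      echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf
      ;;
    5)
      echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf
      ;;
    6)
      echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
      ;;
  esac
  # NOTE(review): "comp-lzo" turns on VPN compression, which exposes tunnelled
  # traffic to compression-oracle attacks (VORACLE); it is kept here to stay
  # compatible with the client template below, but dropping it on both sides
  # is the recommended hardening.
  cat >> /etc/openvpn/server.conf <<EOF
keepalive 10 120
cipher AES-128-CBC
comp-lzo
user nobody
group $GROUPNAME
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
EOF
  # Enable net.ipv4.ip_forward for the system
  if [[ "$OS" = 'debian' ]]; then
    sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
  else
    # CentOS 5 and 6
    sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
    # CentOS 7
    if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"; then
      echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    fi
  fi
  # Avoid an unneeded reboot
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Set NAT for the VPN subnet. $IP and $PORT were validated above, which is
  # what makes them safe to splice into the "append after line 1" sed edits
  # of rc.local here and below.
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
  sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
  if pgrep firewalld >/dev/null; then
    # We don't use --add-service=openvpn because that would only work with
    # the default port. Using both permanent and not permanent rules to
    # avoid a firewalld reload.
    firewall-cmd --zone=public --add-port="$PORT/udp"
    firewall-cmd --zone=trusted --add-source=10.8.0.0/24
    firewall-cmd --permanent --zone=public --add-port="$PORT/udp"
    firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
  fi
  if iptables -L | grep -qE 'REJECT|DROP'; then
    # If iptables has at least one REJECT rule, we assume this is needed.
    # Not the best approach but I can't think of other and this shouldn't
    # cause problems.
    iptables -I INPUT -p udp --dport "$PORT" -j ACCEPT
    iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" "$RCLOCAL"
    sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" "$RCLOCAL"
    sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
  fi
  # If SELinux is enabled and a custom port was selected, we need this
  if command -v sestatus >/dev/null 2>&1 && sestatus | grep "Current mode" | grep -qs "enforcing"; then
    if [[ "$PORT" != '1194' ]]; then
      # semanage isn't available in CentOS 6 by default
      if ! command -v semanage >/dev/null 2>&1; then
        yum install policycoreutils-python -y
      fi
      semanage port -a -t openvpn_port_t -p udp "$PORT"
    fi
  fi
  # And finally, restart OpenVPN
  if [[ "$OS" = 'debian' ]]; then
    # Little hack to check for systemd
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
    else
      /etc/init.d/openvpn restart
    fi
  else
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
      systemctl enable openvpn@server.service
    else
      service openvpn restart
      chkconfig openvpn on
    fi
  fi
  # Try to detect a NATed connection and ask about it to potential LowEndSpirit users
  external_ip=$(wget -qO- --timeout=10 --tries=1 https://ipv4.icanhazip.com)
  if [[ "$IP" != "$external_ip" ]]; then
    echo ""
    echo "Looks like your server is behind a NAT!"
    echo ""
    echo "If your server is NATed (e.g. LowEndSpirit), I need to know the external IP"
    echo "If that's not the case, just ignore this and leave the next field blank"
    ask user_external_ip "External IP: " ""
    # Blank keeps $IP; anything else must be a real address because it ends
    # up in the "remote" line handed to every client.
    until [[ -z "$user_external_ip" ]] || is_ipv4 "$user_external_ip"; do
      echo "That is not a valid IPv4 address (leave blank to keep $IP)"
      ask user_external_ip "External IP: " ""
    done
    if [[ -n "$user_external_ip" ]]; then
      IP=$user_external_ip
    fi
  fi
  # client-common.txt is created so we have a template to add further users later
  cat > /etc/openvpn/client-common.txt <<EOF
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
EOF
  # Generates the custom client.ovpn
  newclient "$CLIENT" || die 1 "Could not write ~/$CLIENT.ovpn"
  echo ""
  echo "Finished!"
  echo ""
  echo "Your client config is available at ~/$CLIENT.ovpn"
  echo "If you want to add more clients, you simply need to run this script another time!"
}

# Entry point: an existing server.conf means OpenVPN is already installed and
# the management menu is shown; otherwise run the installer. Each menu action
# exits afterwards, as the original did; an unrecognised choice redraws the menu.
if [[ -e /etc/openvpn/server.conf ]]; then
  while :; do
    clear
    echo "Looks like OpenVPN is already installed"
    echo ""
    echo "What do you want to do?"
    echo " 1) Add a cert for a new user"
    echo " 2) Revoke existing user cert"
    echo " 3) Remove OpenVPN"
    echo " 4) Exit"
    ask option "Select an option [1-4]: " ""
    case "$option" in
      1)
        add_client
        exit
        ;;
      2)
        revoke_client
        exit
        ;;
      3)
        remove_openvpn
        exit
        ;;
      4) exit;;
    esac
  done
else
  install_openvpn
fi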