Guest User

Linux_OpenVPN_Installation.sh

a guest
Aug 24th, 2018
399
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/bin/bash
  2. #
  3. # https://github.com/Nyr/openvpn-install
  4. #
  5. # Copyright (c) 2013 Nyr. Released under the MIT License.
  6.  
  7.  
  8. # Detect Debian users running the script with "sh" instead of bash
  9. if readlink /proc/$$/exe | grep -q "dash"; then
  10.     echo "This script needs to be run with bash, not sh"
  11.     exit 1
  12. fi
  13.  
  14. if [[ "$EUID" -ne 0 ]]; then
  15.     echo "Sorry, you need to run this as root"
  16.     exit 2
  17. fi
  18.  
  19. if [[ ! -e /dev/net/tun ]]; then
  20.     echo "The TUN device is not available
  21. You need to enable TUN before running this script"
  22.     exit 3
  23. fi
  24.  
  25. if [[ -e /etc/debian_version ]]; then
  26.     OS=debian
  27.     GROUPNAME=nogroup
  28.     RCLOCAL='/etc/rc.local'
  29. elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
  30.     OS=centos
  31.     GROUPNAME=nobody
  32.     RCLOCAL='/etc/rc.d/rc.local'
  33. else
  34.     echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
  35.     exit 4
  36. fi
  37.  
  38. newclient () {
  39.     # Generates the custom client.ovpn
  40.     cp /etc/openvpn/client-common.txt ~/$1.ovpn
  41.     echo "<ca>" >> ~/$1.ovpn
  42.     cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
  43.     echo "</ca>" >> ~/$1.ovpn
  44.     echo "<cert>" >> ~/$1.ovpn
  45.     cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
  46.     echo "</cert>" >> ~/$1.ovpn
  47.     echo "<key>" >> ~/$1.ovpn
  48.     cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
  49.     echo "</key>" >> ~/$1.ovpn
  50.     echo "<tls-auth>" >> ~/$1.ovpn
  51.     cat /etc/openvpn/ta.key >> ~/$1.ovpn
  52.     echo "</tls-auth>" >> ~/$1.ovpn
  53. }
  54.  
  55. if [[ -e /etc/openvpn/server.conf ]]; then
  56.     while :
  57.     do
  58.     clear
  59.         echo "Looks like OpenVPN is already installed."
  60.         echo
  61.         echo "What do you want to do?"
  62.         echo "   1) Add a new user"
  63.         echo "   2) Revoke an existing user"
  64.         echo "   3) Remove OpenVPN"
  65.         echo "   4) Exit"
  66.         read -p "Select an option [1-4]: " option
  67.         case $option in
  68.             1)
  69.             echo
  70.             echo "Tell me a name for the client certificate."
  71.             echo "Please, use one word only, no special characters."
  72.             read -p "Client name: " -e -i client CLIENT
  73.             cd /etc/openvpn/easy-rsa/
  74.             ./easyrsa build-client-full $CLIENT nopass
  75.             # Generates the custom client.ovpn
  76.             newclient "$CLIENT"
  77.             echo
  78.             echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn"
  79.             exit
  80.             ;;
  81.             2)
  82.             # This option could be documented a bit better and maybe even be simplified
  83.             # ...but what can I say, I want some sleep too
  84.             NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
  85.             if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
  86.                 echo
  87.                 echo "You have no existing clients!"
  88.                 exit 5
  89.             fi
  90.             echo
  91.             echo "Select the existing client certificate you want to revoke:"
  92.             tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
  93.             if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
  94.                 read -p "Select one client [1]: " CLIENTNUMBER
  95.             else
  96.                 read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
  97.             fi
  98.             CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
  99.             cd /etc/openvpn/easy-rsa/
  100.             ./easyrsa --batch revoke $CLIENT
  101.             EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
  102.             rm -f pki/reqs/$CLIENT.req
  103.             rm -f pki/private/$CLIENT.key
  104.             rm -f pki/issued/$CLIENT.crt
  105.             rm -f /etc/openvpn/crl.pem
  106.             cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
  107.             # CRL is read with each client connection, when OpenVPN is dropped to nobody
  108.             chown nobody:$GROUPNAME /etc/openvpn/crl.pem
  109.             echo
  110.             echo "Certificate for client $CLIENT revoked!"
  111.             exit
  112.             ;;
  113.             3)
  114.             echo
  115.             read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
  116.             if [[ "$REMOVE" = 'y' ]]; then
  117.                 PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
  118.                 PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
  119.                 if pgrep firewalld; then
  120.                     IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
  121.                     # Using both permanent and not permanent rules to avoid a firewalld reload.
  122.                     firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
  123.                     firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
  124.                     firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
  125.                     firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
  126.                     firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
  127.                     firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
  128.                 else
  129.                     IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14)
  130.                     iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
  131.                     sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
  132.                     if iptables -L -n | grep -qE '^ACCEPT'; then
  133.                         iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
  134.                         iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
  135.                         iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  136.                         sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
  137.                         sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
  138.                         sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
  139.                     fi
  140.                 fi
  141.                 if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
  142.                     semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
  143.                 fi
  144.                 if [[ "$OS" = 'debian' ]]; then
  145.                     apt-get remove --purge -y openvpn
  146.                 else
  147.                     yum remove openvpn -y
  148.                 fi
  149.                 rm -rf /etc/openvpn
  150.                 echo
  151.                 echo "OpenVPN removed!"
  152.             else
  153.                 echo
  154.                 echo "Removal aborted!"
  155.             fi
  156.             exit
  157.             ;;
  158.             4) exit;;
  159.         esac
  160.     done
  161. else
  162.     clear
  163.     echo 'Welcome to this OpenVPN "road warrior" installer!'
  164.     echo
  165.     # OpenVPN setup and first user creation
  166.     echo "I need to ask you a few questions before starting the setup."
  167.     echo "You can leave the default options and just press enter if you are ok with them."
  168.     echo
  169.     echo "First, provide the IPv4 address of the network interface you want OpenVPN"
  170.     echo "listening to."
  171.     # Autodetect IP address and pre-fill for the user
  172.     IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
  173.     read -p "IP address: " -e -i $IP IP
  174.     # If $IP is a private IP address, the server must be behind NAT
  175.     if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
  176.         echo
  177.         echo "This server is behind NAT. What is the public IPv4 address or hostname?"
  178.         read -p "Public IP address / hostname: " -e PUBLICIP
  179.     fi
  180.     echo
  181.     echo "Which protocol do you want for OpenVPN connections?"
  182.     echo "   1) UDP (recommended)"
  183.     echo "   2) TCP"
  184.     read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
  185.     case $PROTOCOL in
  186.         1)
  187.         PROTOCOL=udp
  188.         ;;
  189.         2)
  190.         PROTOCOL=tcp
  191.         ;;
  192.     esac
  193.     echo
  194.     echo "What port do you want OpenVPN listening to?"
  195.     read -p "Port: " -e -i 1194 PORT
  196.     echo
  197.     echo "Which DNS do you want to use with the VPN?"
  198.     echo "   1) Current system resolvers"
  199.     echo "   2) 1.1.1.1"
  200.     echo "   3) Google"
  201.     echo "   4) OpenDNS"
  202.     echo "   5) Verisign"
  203.     read -p "DNS [1-5]: " -e -i 1 DNS
  204.     echo
  205.     echo "Finally, tell me your name for the client certificate."
  206.     echo "Please, use one word only, no special characters."
  207.     read -p "Client name: " -e -i client CLIENT
  208.     echo
  209.     echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
  210.     read -n1 -r -p "Press any key to continue..."
  211.     if [[ "$OS" = 'debian' ]]; then
  212.         apt-get update
  213.         apt-get install openvpn iptables openssl ca-certificates -y
  214.     else
  215.         # Else, the distro is CentOS
  216.         yum install epel-release -y
  217.         yum install openvpn iptables openssl ca-certificates -y
  218.     fi
  219.     # Get easy-rsa
  220.     EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz'
  221.     wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
  222.     tar xzf ~/easyrsa.tgz -C ~/
  223.     mv ~/EasyRSA-3.0.4/ /etc/openvpn/
  224.     mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
  225.     chown -R root:root /etc/openvpn/easy-rsa/
  226.     rm -f ~/easyrsa.tgz
  227.     cd /etc/openvpn/easy-rsa/
  228.     # Create the PKI, set up the CA, the DH params and the server + client certificates
  229.     ./easyrsa init-pki
  230.     ./easyrsa --batch build-ca nopass
  231.     ./easyrsa gen-dh
  232.     ./easyrsa build-server-full server nopass
  233.     ./easyrsa build-client-full $CLIENT nopass
  234.     EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
  235.     # Move the stuff we need
  236.     cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
  237.     # CRL is read with each client connection, when OpenVPN is dropped to nobody
  238.     chown nobody:$GROUPNAME /etc/openvpn/crl.pem
  239.     # Generate key for tls-auth
  240.     openvpn --genkey --secret /etc/openvpn/ta.key
  241.     # Generate server.conf
  242.     echo "port $PORT
  243. proto $PROTOCOL
  244. dev tun
  245. sndbuf 0
  246. rcvbuf 0
  247. ca ca.crt
  248. cert server.crt
  249. key server.key
  250. dh dh.pem
  251. auth SHA512
  252. tls-auth ta.key 0
  253. topology subnet
  254. server 10.8.0.0 255.255.255.0
  255. ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
  256.     echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
  257.     # DNS
  258.     case $DNS in
  259.         1)
  260.         # Locate the proper resolv.conf
  261.         # Needed for systems running systemd-resolved
  262.         if grep -q "127.0.0.53" "/etc/resolv.conf"; then
  263.             RESOLVCONF='/run/systemd/resolve/resolv.conf'
  264.         else
  265.             RESOLVCONF='/etc/resolv.conf'
  266.         fi
  267.         # Obtain the resolvers from resolv.conf and use them for OpenVPN
  268.         grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
  269.             echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
  270.         done
  271.         ;;
  272.         2)
  273.         echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
  274.         echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
  275.         ;;
  276.         3)
  277.         echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
  278.         echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
  279.         ;;
  280.         4)
  281.         echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
  282.         echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
  283.         ;;
  284.         5)
  285.         echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
  286.         echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
  287.         ;;
  288.     esac
  289.     echo "keepalive 10 120
  290. cipher AES-256-CBC
  291. comp-lzo
  292. user nobody
  293. group $GROUPNAME
  294. persist-key
  295. persist-tun
  296. status openvpn-status.log
  297. verb 3
  298. crl-verify crl.pem" >> /etc/openvpn/server.conf
  299.     # Enable net.ipv4.ip_forward for the system
  300.     sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
  301.     if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
  302.         echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  303.     fi
  304.     # Avoid an unneeded reboot
  305.     echo 1 > /proc/sys/net/ipv4/ip_forward
  306.     if pgrep firewalld; then
  307.         # Using both permanent and not permanent rules to avoid a firewalld
  308.         # reload.
  309.         # We don't use --add-service=openvpn because that would only work with
  310.         # the default port and protocol.
  311.         firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
  312.         firewall-cmd --zone=trusted --add-source=10.8.0.0/24
  313.         firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
  314.         firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
  315.         # Set NAT for the VPN subnet
  316.         firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
  317.         firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
  318.     else
  319.         # Needed to use rc.local with some systemd distros
  320.         if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
  321.             echo '#!/bin/sh -e
  322. exit 0' > $RCLOCAL
  323.         fi
  324.         chmod +x $RCLOCAL
  325.         # Set NAT for the VPN subnet
  326.         iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
  327.         sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
  328.         if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
  329.             # If iptables has at least one REJECT rule, we asume this is needed.
  330.             # Not the best approach but I can't think of other and this shouldn't
  331.             # cause problems.
  332.             iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
  333.             iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
  334.             iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  335.             sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
  336.             sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
  337.             sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
  338.         fi
  339.     fi
  340.     # If SELinux is enabled and a custom port was selected, we need this
  341.     if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
  342.         # Install semanage if not already present
  343.         if ! hash semanage 2>/dev/null; then
  344.             yum install policycoreutils-python -y
  345.         fi
  346.         semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
  347.     fi
  348.     # And finally, restart OpenVPN
  349.     if [[ "$OS" = 'debian' ]]; then
  350.         # Little hack to check for systemd
  351.         if pgrep systemd-journal; then
  352.             systemctl restart openvpn@server.service
  353.         else
  354.             /etc/init.d/openvpn restart
  355.         fi
  356.     else
  357.         if pgrep systemd-journal; then
  358.             systemctl restart openvpn@server.service
  359.             systemctl enable openvpn@server.service
  360.         else
  361.             service openvpn restart
  362.             chkconfig openvpn on
  363.         fi
  364.     fi
  365.     # If the serrver is behind a NAT, use the correct IP address
  366.     if [[ "$PUBLICIP" != "" ]]; then
  367.         IP=$PUBLICIP
  368.     fi
  369.     # client-common.txt is created so we have a template to add further users later
  370.     echo "client
  371. dev tun
  372. proto $PROTOCOL
  373. sndbuf 0
  374. rcvbuf 0
  375. remote $IP $PORT
  376. resolv-retry infinite
  377. nobind
  378. persist-key
  379. persist-tun
  380. remote-cert-tls server
  381. auth SHA512
  382. cipher AES-256-CBC
  383. comp-lzo
  384. setenv opt block-outside-dns
  385. key-direction 1
  386. verb 3" > /etc/openvpn/client-common.txt
  387.     # Generates the custom client.ovpn
  388.     newclient "$CLIENT"
  389.     echo
  390.     echo "Finished!"
  391.     echo
  392.     echo "Your client configuration is available at:" ~/"$CLIENT.ovpn"
  393.     echo "If you want to add more clients, you simply need to run this script again!"
  394. fi
RAW Paste Data