  1. #!/usr/bin/env bash
  2. # Installs OpenVPN server on CentOS 7
  3.  
  4. # Check yo' privilege
  5. [[ $(id -u) != 0 ]] && echo 'You must run this script as root!' && exit 1
  6.  
  7. ################################################################################
  8. ################################## VARIABLES ###################################
  9. ################################################################################
  10.  
  11. # User-modifiable variables
  12. ADDRESS=192.168.139.106
  13. PORT=1194
  14. DNS=192.168.139.104
  15. SUBNET=192.168.139.128
  16. MASK=255.255.255.128
  17. IFACE='eth0'
  18.  
  19. # Script static variables
  20. CLIENT_TAR='/tmp/openvpn-client.tar.gz'
  21. EASY_RSA='/etc/openvpn/.easy-rsa'
  22. KEYS_DIR='/etc/openvpn/keys'
  23.  
  24. ################################################################################
  25. ################################## UTILITIES ###################################
  26. ################################################################################
  27.  
  28. # Provides pretty colourful output with timestamps
  29. output() {
  30. local LABEL='OpenVPN'
  31. local TIMESTAMP=$(date +%H:%M)
  32. local COLOUR='\033[34m' # Blue
  33. local RESET='\033[0m' # Standard
  34. case $1 in
  35. ERROR) local COLOUR='\033[31m' ;; # Red
  36. SUCCESS) local COLOUR='\033[32m' ;; # Green
  37. WARN) local COLOUR='\033[33m' ;; # Yellow
  38. esac
  39. while read LINE; do
  40. echo -e "${COLOUR}${LABEL} [${TIMESTAMP}]${RESET} ${LINE}"
  41. done
  42. }
  43.  
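#######################################
# Prints its arguments as a single bold line (when the terminal supports it).
# Arguments: all arguments, joined with single spaces
# Outputs:   the text on STDOUT, wrapped in the terminal's bold/normal codes
#######################################
say() {
  local bold='' normal=''
  # tput fails (printing nothing) when TERM is unset or the terminal has no
  # bold attribute; fall back to plain text instead of leaking the error.
  bold=$(tput bold 2>/dev/null) || bold=''
  normal=$(tput sgr0 2>/dev/null) || normal=''
  # printf rather than echo: an argument such as "-n" must print literally.
  printf '%s\n' "${bold}$*${normal}"
}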
  50.  
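#######################################
# Creates a copy of $2 at $2.old when $2 exists. A failed copy is reported as
# a warning only, so the caller can still (re)create the file.
# Arguments: $1 - human-readable name used in messages
#            $2 - path of the file to back up
# Outputs:   progress and warnings via output()
# Returns:   1 when an argument is missing; 0 otherwise, even if the copy
#            failed (best-effort, as before)
#######################################
backup() {
  if [[ -z "$1" ]]; then
    echo 'backup() - No name variable set' | output ERROR
    return 1
  fi
  if [[ -z "$2" ]]; then
    echo 'backup() - No file variable set' | output ERROR
    return 1
  fi
  local name=$1
  local file=$2
  local result
  [[ -f "$file" ]] || return 0
  echo "Backing up previous ${name} file..." | output
  # Capture cp's diagnostics so they can be logged through output(); the
  # `--` protects against a path that starts with a dash.
  if result=$(cp -f -- "$file" "${file}.old" 2>&1); then
    echo "${name} backup created successfully" | output
  else
    echo "Failed to backup previous ${file} file!" | output WARN
    printf '%s\n' "$result" | output WARN
  fi
}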
  68.  
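#######################################
# Writes STDIN to a file (a pretty way of creating here documents), backing up
# any previous version first and aborting the script if the write fails.
# Arguments: $1 - human-readable name used in messages
#            $2 - path of the file to create
# Inputs:    file content on STDIN; lines are written exactly as read (no
#            word-splitting, globbing or backslash processing, so a line such
#            as `*nat` can never expand against the working directory)
# Outputs:   progress via output()
# Returns:   0 on success; exits the script with status 1 on a missing
#            argument or a failed write
#######################################
createfile() {
  if [[ -z "$1" ]]; then
    echo 'createfile() - No name variable set' | output ERROR
    exit 1
  fi
  if [[ -z "$2" ]]; then
    echo 'createfile() - No file variable set' | output ERROR
    exit 1
  fi
  local name=$1
  local file=$2
  local line content='' result
  backup "$name" "$file"
  echo "Creating ${name}..." | output
  # Collect STDIN verbatim; `|| [[ -n "$line" ]]` keeps a final line that has
  # no trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    content+="${line}"$'\n'
  done
  # Write in one go and capture the shell's diagnostic for the redirection
  # (e.g. permission denied) so it can be logged.
  if result=$( { printf '%s' "$content" > "$file"; } 2>&1 ); then
    echo "${name} file created successfully" | output
  else
    echo "Failed to create ${name} file!" | output ERROR
    printf '%s\n' "$result" | output ERROR
    exit 1
  fi
}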
  91.  
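#######################################
# Checks that the previous command exited correctly and quits the script if
# not, with a pretty error message. Optionally a second string can be provided
# to print on success. Must be the very first command after the one being
# checked, because $? is read on entry.
# NOTE: after `cmd | output`, $? is output()'s status, not cmd's — run
# `(exit "${PIPESTATUS[0]}")` before calling onfail in that case.
# Arguments: $1 - message to print on failure
#            $2 - optional message to print on success
# Outputs:   one of the messages via output()
# Returns:   0 on success; exits the script with status 1 on failure
#######################################
onfail() {
  local status=$?
  if (( status != 0 )); then
    printf '%s\n' "$1" | output ERROR
    exit 1
  elif [[ -n "$2" ]]; then
    printf '%s\n' "$2" | output
  fi
}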
  102.  
  103.  
  104. ################################################################################
  105. ################################# INSTALLATION #################################
  106. ################################################################################
  107.  
  108. say 'Installing RPM packages...' | output
  109. yum install -e 0 -y openvpn \
  110. easy-rsa \
  111. iptables \
  112. iptables-utils \
  113. iptables-services | output
  114. onfail 'Failed to install RPM packages!' 'RPM packages installed successfully'
  115.  
  116. say 'Setting up Easy-RSA...' | output
  117. mkdir -p $EASY_RSA
  118. onfail "Failed to create Easy-RSA directory at ${EASY_RSA}"
  119. cp -rf /usr/share/easy-rsa/2.0/* $EASY_RSA/
  120. onfail "Unable to copy Easy-RSA to $EASY_RSA"
  121. cp -f $EASY_RSA/openssl-1.0.0.cnf $EASY_RSA/openssl.cnf
  122. onfail "Unable to create $EASY_RSA/openssl.cnf to force the OpenSSL version"
  123. restorecon -R $EASY_RSA
  124. onfail "Unable to set SELinux context labels for ${EASY_RSA}"
  125.  
  126. ################################################################################
  127. ################################ CONFIGURATION #################################
  128. ################################################################################
  129.  
  130. say 'Generating configuration files...' | output
  131.  
  132. # This is the main configuration file for OpenVPN and provides the core
  133. # configuration parameters for running the service.
  134. createfile 'OpenVPN server configuration' '/etc/openvpn/server.conf' <<OPENVPN
  135. local $ADDRESS
  136. port $PORT
  137. proto udp
  138. dev tun
  139. comp-lzo
  140. topology subnet
  141. user nobody
  142. group nobody
  143. persist-key
  144. persist-tun
  145. ifconfig-pool-persist ipp.txt
  146. keepalive 10 120
  147. max-clients 100
  148. status openvpn-status.log
  149. log-append openvpn.log
  150. verb 3
  151. mute 20
  152.  
  153. ca ${KEYS_DIR}/ca.crt
  154. cert ${KEYS_DIR}/server.crt
  155. key ${KEYS_DIR}/server.key
  156. dh ${KEYS_DIR}/dh2048.pem
  157. cipher AES-256-CBC
  158. duplicate-cn
  159. plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
  160.  
  161. server ${SUBNET} ${MASK}
  162. push "route 192.168.139.0 255.255.255.128"
  163. push "dhcp-option DNS $DNS"
  164. OPENVPN
  165.  
  166. # The PAM configuration file permits access through the VPN to users with local
  167. # POSIX accounts. Additional configuration can be added to only permit certain
  168. # groups or users to authenticate using this method.
  169. createfile 'OpenVPN PAM security configuration' '/etc/pam.d/openvpn' <<PAM
  170. auth required pam_unix.so shadow nodelay
  171. account required pam_unix.so
  172. PAM
  173.  
  174. # This minimal firewall configuration permits only SSH and OpenVPN connections
  175. # as well as allowing SNAT connections through the VPN.
  176. createfile 'Firewall rules' '/etc/sysconfig/iptables' <<IPTABLES
  177. *nat
  178. :PREROUTING ACCEPT [0:0]
  179. :INPUT ACCEPT [0:0]
  180. :OUTPUT ACCEPT [0:0]
  181. :POSTROUTING ACCEPT [0:0]
  182.  
  183. -A POSTROUTING -o $IFACE -j SNAT --to-source $ADDRESS
  184. -A POSTROUTING -o $IFACE -j SNAT --to-source $ADDRESS
  185. COMMIT
  186.  
  187. *filter
  188. :INPUT ACCEPT [0:0]
  189. :FORWARD ACCEPT [0:0]
  190. :OUTPUT ACCEPT [0:0]
  191. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  192. -A INPUT -p icmp -j ACCEPT
  193. -A INPUT -i lo -j ACCEPT
  194. -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  195. -A INPUT -i $IFACE -p udp -m state --state NEW -m udp --dport $PORT -j ACCEPT
  196. -A INPUT -j REJECT --reject-with icmp-host-prohibited
  197. COMMIT
  198. IPTABLES
  199.  
  200. createfile 'Easy-RSA configuration' "${EASY_RSA}/vars" <<EASYRSA
  201. export EASY_RSA="$EASY_RSA"
  202. export OPENSSL="openssl"
  203. export PKCS11TOOL="pkcs11-tool"
  204. export GREP="grep"
  205. export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
  206. export KEY_DIR="$KEYS_DIR"
  207. export PKCS11_MODULE_PATH="dummy"
  208. export PKCS11_PIN="dummy"
  209. export KEY_SIZE=2048
  210. export CA_EXPIRE=3650
  211. export KEY_EXPIRE=3650
  212. export KEY_COUNTRY="GB"
  213. export KEY_PROVINCE="DEVON"
  214. export KEY_CITY="PLYMOUTH"
  215. export KEY_ORG="Land Registry"
  216. export KEY_EMAIL="webops@digital.landregistry.gov.uk"
  217. export KEY_OU="IT Operations"
  218. export KEY_NAME="server"
  219. export KEY_CN="$(hostname)"
  220. EASYRSA
  221.  
  222. createfile 'Client OpenVPN configuration' '/etc/openvpn/client.ovpn' <<CLIENT
  223. client
  224. dev tun
  225. proto udp
  226. remote $ADDRESS $PORT
  227. resolv-retry infinite
  228. remote-cert-tls server
  229. ns-cert-type server
  230. auth-nocache
  231. auth-user-pass
  232. nobind
  233. persist-key
  234. persist-tun
  235. comp-lzo
  236. verb 3
  237. ca ca.crt
  238. cert client.crt
  239. key client.key
  240. cipher AES-256-CBC
  241. CLIENT
  242.  
  243. say 'Configuring kernel parameters...' | output
  244. createfile 'Kernel parameters' '/etc/sysctl.d/openvpn' <<KERNEL
  245. net.ipv4.ip_forward = 1
  246. net.ipv4.conf.default.rp_filter = 0
  247. net.ipv4.conf.all.send_redirects = 0
  248. net.ipv4.conf.all.accept_redirects = 0
  249. net.ipv4.conf.default.send_redirects = 0
  250. net.ipv4.conf.default.accept_source_route = 0
  251. net.ipv4.icmp_ignore_bogus_error_responses = 1
  252. KERNEL
  253. sysctl -p
  254. onfail 'Unable to set runtime parameters' 'Runtime parameters set'
  255.  
  256. ################################################################################
  257. ################################### RUNTIME ####################################
  258. ################################################################################
  259.  
  260. say 'Creating authentication certificates...' | output
  261. source $EASY_RSA/vars
  262. onfail "Failed to load Easy-RSA variables from ${EASY_RSA}/vars!"
  263. bash $EASY_RSA/clean-all | output
  264. onfail "Failed to clean up ${KEYS_DIR}!"
  265.  
  266. echo 'Creating Diffie Hellman key... (this may take some time)' | output
  267. bash $EASY_RSA/build-dh 2>/dev/null | output
  268. onfail 'Failed to create Diffie Hellman key!'
  269.  
  270. echo 'Creating Certificate Authority...' | output
  271. bash $EASY_RSA/build-ca --batch 2>/dev/null | output
  272. onfail 'Failed to create Certificate Authority!'
  273. echo 'Creating server-side certificate...' | output
  274. bash $EASY_RSA/build-key-server --batch server 2>/dev/null | output
  275. onfail 'Failed to create server certificate!'
  276. echo 'Creating client-side certificate...' | output
  277. KEY_NAME="client" bash $EASY_RSA/build-key --batch client 2>/dev/null | output
  278. onfail 'Failed to create client certificate!'
  279.  
  280. restorecon -R ${KEYS_DIR}
  281. onfail "Unable to set SELinnux context labels for ${KEYS_DIR}"
  282.  
  283.  
  284. say 'Reconfiguring SystemD network services...' | output
  285. systemctl stop NetworkManager.service 2>&1 | output
  286. onfail 'Failed to stop NetworkManager.service!'
  287. systemctl stop firewalld.service 2>&1 | output
  288. onfail 'Failed to stop firewalld.service!'
  289. systemctl start iptables.service 2>&1 | output
  290. onfail 'Failed to start iptables.service'
  291. systemctl restart network.service 2>&1 | output
  292. onfail 'Failed to restart network.service'
  293. systemctl enable iptables.service >/dev/null 2>&1
  294. systemctl disable firewalld.service >/dev/null 2>&1
  295. systemctl disable NetworkManager.service >/dev/null 2>&1
  296.  
  297.  
  298. say 'Starting OpenVPN service...' | output
  299. systemctl stop openvpn@server.service 2>&1 | output
  300. systemctl start openvpn@server.service 2>&1 | output
  301. onfail 'Failed to start OpenVPN service'
  302. systemctl enable openvpn@server.service >/dev/null 2>&1
  303.  
  304.  
  305. say 'Packaging client configuration...' | output
  306. TMP_DIR="/tmp/$(openssl rand -hex 6)"
  307. mkdir -p $TMP_DIR
  308. onfail "Unable to create temporary directory at $TMP_DIR"
  309. cp $KEYS_DIR/{ca.crt,client.crt,client.key} $TMP_DIR
  310. onfail "Unable to copy necessary certificates to $TMP_DIR"
  311. cp /etc/openvpn/client.ovpn $TMP_DIR
  312. onfail "Unable to copy client configuration to $TMP_DIR"
  313. tar -C $TMP_DIR -caf $CLIENT_TAR .
  314. onfail "Unable to create compressed archive at $CLIENT_TAR"
  315. rm -rf $TMP_DIR
  316. echo "Client configuration can be found at $CLIENT_TAR" | output
  317. [[ -d '/vagrant' ]] && cp -f $CLIENT_TAR /vagrant
  318.  
  319. say 'Installation complete!' | output SUCCESS