
.conf

a guest
Feb 21st, 2020
  1. #!/bin/bash
  2. #
  3. # https://github.com/Nyr/openvpn-install
  4. #
  5. # Copyright (c) 2013 Nyr. Released under the MIT License.
  6.  
  7.  
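  # Preflight checks: refuse to run on unsupported releases, under the wrong
  # shell, without root, or without the kernel features the installer needs.
  # Every failed check prints its reason on stderr and exits non-zero, so a
  # provisioning tool wrapping this script can tell that nothing was installed
  # (a bare "exit" after echo would report success).

  if grep -qs "14.04" /etc/os-release; then
    echo "Ubuntu 14.04 is too old and not supported" >&2
    exit 1
  fi

  if grep -qs "jessie" /etc/os-release; then
    echo "Debian 8 is too old and not supported" >&2
    exit 1
  fi

  if grep -qs "CentOS release 6" /etc/redhat-release; then
    echo "CentOS 6 is too old and not supported" >&2
    exit 1
  fi

  if grep -qs "Ubuntu 16.04" /etc/os-release; then
    echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604' >&2
    exit 1
  fi

  # Detect Debian users running the script with "sh" instead of bash
  if readlink /proc/$$/exe | grep -q "dash"; then
    echo "This script needs to be run with bash, not sh" >&2
    exit 1
  fi

  # Everything below writes under /etc and changes firewall state.
  if [[ "$EUID" -ne 0 ]]; then
    echo "Sorry, you need to run this as root" >&2
    exit 1
  fi

  if [[ ! -e /dev/net/tun ]]; then
    echo "The TUN device is not available
You need to enable TUN before running this script" >&2
    exit 1
  fi

  # Listing the NAT table is used as a probe that netfilter NAT is usable.
  if ! iptables -t nat -nL &>/dev/null; then
    echo "Unable to initialize the iptables/netfilter NAT table, setup can't continue.
Make sure that your system has iptables/netfilter available.
If using OpenVZ, ask your provider to enable full netfilter support." >&2
    exit 1
  fi

  # $os selects the package manager later on; $group_name is the unprivileged
  # group OpenVPN drops to and the group that owns the CRL.
  if [[ -e /etc/debian_version ]]; then
    os="debian"
    group_name="nogroup"
  elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
    os="centos"
    group_name="nobody"
  else
    echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS" >&2
    exit 1
  fi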
  63.  
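  new_client () {
    # Generates the custom client.ovpn
    #
    # Arguments: $1 - client name (callers pass the sanitized name)
    # Outputs:   writes ~/<name>.ovpn containing the common client settings,
    #            the CA certificate, the client's certificate and private key,
    #            and the shared tls-crypt key, each inlined in its own block.
    # Returns:   status of the final chmod.
    local client_name=$1
    local profile
    profile=~/"$client_name".ovpn
    # The profile embeds the client's private key and the tls-crypt key, so it
    # is created with a restrictive umask instead of the caller's default. The
    # subshell keeps the umask change from leaking into the rest of the script.
    (
      umask 077
      {
        cat /etc/openvpn/server/client-common.txt
        echo "<ca>"
        cat /etc/openvpn/server/easy-rsa/pki/ca.crt
        echo "</ca>"
        echo "<cert>"
        sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client_name".crt
        echo "</cert>"
        echo "<key>"
        cat /etc/openvpn/server/easy-rsa/pki/private/"$client_name".key
        echo "</key>"
        echo "<tls-crypt>"
        sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
        echo "</tls-crypt>"
      } > "$profile"
    )
    # umask only affects newly created files; tighten a pre-existing profile too.
    chmod 600 "$profile"
  }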
  82.  
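  # Main flow. When a server configuration already exists the script acts as a
  # management menu (add a client, revoke a client, uninstall); otherwise it
  # runs the interactive installer. Uses $os, $group_name and new_client, which
  # are set up earlier in the script.
  if [[ -e /etc/openvpn/server/server.conf ]]; then
    while :
    do
      clear
      echo "Looks like OpenVPN is already installed."
      echo
      echo "What do you want to do?"
      echo " 1) Add a new user"
      echo " 2) Revoke an existing user"
      echo " 3) Remove OpenVPN"
      echo " 4) Exit"
      read -r -p "Select an option: " option
      until [[ "$option" =~ ^[1-4]$ ]]; do
        echo "$option: invalid selection."
        read -r -p "Select an option: " option
      done
      case "$option" in
        1)
          echo
          echo "Tell me a name for the client certificate."
          read -r -p "Client name: " unsanitized_client
          # The name ends up in file paths and in the certificate, so every
          # character outside [0-9a-zA-Z_-] is replaced with "_".
          client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
          # Reject empty names and names that already have an issued certificate.
          while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
            echo "$client: invalid client name."
            read -r -p "Client name: " unsanitized_client
            client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
          done
          # ./easyrsa is invoked by relative path; stop if the PKI directory is gone.
          cd /etc/openvpn/server/easy-rsa/ || exit 1
          # "nopass" leaves the client key unencrypted; the certificate is valid
          # for 3650 days.
          EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
          # Generates the custom client.ovpn
          new_client "$client"
          echo
          echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
          exit
          ;;
        2)
          # Entries marked valid ("V") in the easy-rsa index are the candidates.
          # The first line of index.txt is skipped; presumably that is the
          # server certificate, which the installer issues first.
          number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
          if [[ "$number_of_clients" = 0 ]]; then
            echo
            echo "You have no existing clients!"
            exit
          fi
          echo
          echo "Select the existing client certificate you want to revoke:"
          tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
          read -r -p "Select one client: " client_number
          # Only 1..number_of_clients is accepted. The value is spliced into a
          # sed expression below, so it must be strictly numeric, and 0 (or a
          # leading zero) must not slip through: it would select no entry and
          # leave $client empty.
          until [[ "$client_number" =~ ^[1-9][0-9]*$ && "$client_number" -le "$number_of_clients" ]]; do
            echo "$client_number: invalid selection."
            read -r -p "Select one client: " client_number
          done
          client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
          echo
          read -r -p "Do you really want to revoke access for client $client? [y/N]: " revoke
          until [[ "$revoke" =~ ^[yYnN]*$ ]]; do
            echo "$revoke: invalid selection."
            read -r -p "Do you really want to revoke access for client $client? [y/N]: " revoke
          done
          if [[ "$revoke" =~ ^[yY]$ ]]; then
            # The rm calls below use relative paths; never run them elsewhere.
            cd /etc/openvpn/server/easy-rsa/ || exit 1
            # Do not report success, or delete the client's files, unless the
            # certificate was really revoked and a new CRL was generated.
            ./easyrsa --batch revoke "$client" || {
              echo "Revoking the certificate for client $client failed, nothing was changed." >&2
              exit 1
            }
            EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl || {
              echo "Generating the new CRL failed, client $client can still connect." >&2
              exit 1
            }
            rm -f pki/reqs/"$client".req
            rm -f pki/private/"$client".key
            rm -f pki/issued/"$client".crt
            rm -f /etc/openvpn/server/crl.pem
            cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
            # CRL is read with each client connection, when OpenVPN is dropped to nobody
            chown nobody:"$group_name" /etc/openvpn/server/crl.pem
            echo
            echo "Certificate for client $client revoked!"
          else
            echo
            echo "Certificate revocation for client $client aborted!"
          fi
          exit
          ;;
        3)
          echo
          read -r -p "Do you really want to remove OpenVPN? [y/N]: " remove
          until [[ "$remove" =~ ^[yYnN]*$ ]]; do
            echo "$remove: invalid selection."
            read -r -p "Do you really want to remove OpenVPN? [y/N]: " remove
          done
          if [[ "$remove" =~ ^[yY]$ ]]; then
            # Recover the port and protocol chosen at install time so the
            # matching firewall and SELinux entries can be removed.
            port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
            protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
            if pgrep firewalld; then
              # Read back the SNAT target address from the installed direct rule.
              ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
              # Using both permanent and not permanent rules to avoid a firewalld reload.
              firewall-cmd --remove-port="$port"/"$protocol"
              firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
              firewall-cmd --permanent --remove-port="$port"/"$protocol"
              firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
              firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
              firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
            else
              systemctl disable --now openvpn-iptables.service
              rm -f /etc/systemd/system/openvpn-iptables.service
            fi
            if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
              semanage port -d -t openvpn_port_t -p "$protocol" "$port"
            fi
            systemctl disable --now openvpn-server@server.service
            # This also deletes the whole PKI, including the CA key.
            rm -rf /etc/openvpn/server
            rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
            rm -f /etc/sysctl.d/30-openvpn-forward.conf
            if [[ "$os" = "debian" ]]; then
              apt-get remove --purge -y openvpn
            else
              yum remove openvpn -y
            fi
            echo
            echo "OpenVPN removed!"
          else
            echo
            echo "Removal aborted!"
          fi
          exit
          ;;
        4) exit;;
      esac
    done
  else
    clear
    # Single quotes so the inner double quotes are printed instead of ending
    # the string.
    echo 'Welcome to this OpenVPN "road warrior" installer!'
    echo
    echo "I need to ask you a few questions before starting setup."
    echo "You can use the default options and just press enter if you are ok with them."
    # If system has a single IPv4, it is selected automatically. Else, ask the user
    if [[ $(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then
      ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
    else
      number_of_ips=$(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
      echo
      echo "What IPv4 address should the OpenVPN server bind to?"
      ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') '
      read -r -p "IPv4 address [1]: " ip_number
      # Empty input means the default; otherwise only 1..number_of_ips is
      # valid (0 would select nothing and leave $ip empty).
      until [[ -z "$ip_number" || "$ip_number" =~ ^[1-9][0-9]*$ && "$ip_number" -le "$number_of_ips" ]]; do
        echo "$ip_number: invalid selection."
        read -r -p "IPv4 address [1]: " ip_number
      done
      [[ -z "$ip_number" ]] && ip_number="1"
      ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p)
    fi
    # If $IP is a private IP address, the server must be behind NAT
    if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
      echo
      echo "This server is behind NAT. What is the public IPv4 address or hostname?"
      # NOTE(review): this lookup goes over cleartext HTTP, so the answer can be
      # altered in transit. It is only offered as the default below, but the
      # accepted value becomes the "remote" address in every client profile, so
      # check it at the prompt.
      get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
      read -r -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
      [ -z "$public_ip" ] && public_ip="$get_public_ip"
    fi
    echo
    echo "Which protocol do you want for OpenVPN connections?"
    echo " 1) UDP (recommended)"
    echo " 2) TCP"
    read -r -p "Protocol [1]: " protocol
    until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do
      echo "$protocol: invalid selection."
      read -r -p "Protocol [1]: " protocol
    done
    case "$protocol" in
      1|"")
        protocol=udp
        ;;
      2)
        protocol=tcp
        ;;
    esac
    echo
    echo "What port do you want OpenVPN listening to?"
    read -r -p "Port [1194]: " port
    # Valid ports are 1-65535; the digit limit keeps the numeric comparison
    # from being fed an arbitrarily long number, and port 0 is rejected.
    until [[ -z "$port" || "$port" =~ ^[1-9][0-9]{0,4}$ && "$port" -le 65535 ]]; do
      echo "$port: invalid selection."
      read -r -p "Port [1194]: " port
    done
    [[ -z "$port" ]] && port="1194"
    echo
    echo "Which DNS do you want to use with the VPN?"
    echo " 1) Current system resolvers"
    echo " 2) 1.1.1.1"
    echo " 3) Google"
    echo " 4) OpenDNS"
    echo " 5) Verisign"
    read -r -p "DNS [1]: " dns
    until [[ -z "$dns" || "$dns" =~ ^[1-5]$ ]]; do
      echo "$dns: invalid selection."
      read -r -p "DNS [1]: " dns
    done
    echo
    echo "Finally, tell me a name for the client certificate."
    read -r -p "Client name [client]: " unsanitized_client
    # Allow a limited set of characters to avoid conflicts
    client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
    [[ -z "$client" ]] && client="client"
    echo
    echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
    read -n1 -r -p "Press any key to continue..."
    # If running inside a container, disable LimitNPROC to prevent conflicts
    if systemd-detect-virt -cq; then
      mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null
      echo "[Service]
LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
    fi
    if [[ "$os" = "debian" ]]; then
      apt-get update
      apt-get install openvpn iptables openssl ca-certificates -y
    else
      # Else, the distro is CentOS
      yum install epel-release -y
      yum install openvpn iptables openssl ca-certificates -y
    fi
    # Get easy-rsa
    easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
    # NOTE(review): the archive is fetched over HTTPS but is not checked against
    # a pinned digest or signature before its scripts run as root and create the
    # CA. Pin the SHA-256 of this release (the value is not on this page) and
    # verify it here, e.g. with sha256sum -c, before extracting.
    # curl -f makes an HTTP error a failure instead of saving the error page.
    if ! { wget -O ~/easyrsa.tgz "$easy_rsa_url" 2>/dev/null || curl -fLo ~/easyrsa.tgz "$easy_rsa_url"; }; then
      echo "Unable to download easy-rsa, setup can't continue." >&2
      exit 1
    fi
    if ! tar xzf ~/easyrsa.tgz -C ~/; then
      echo "Unable to extract easy-rsa, setup can't continue." >&2
      rm -f ~/easyrsa.tgz
      exit 1
    fi
    mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
    mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
    chown -R root:root /etc/openvpn/server/easy-rsa/
    rm -f ~/easyrsa.tgz
    # Everything below uses ./easyrsa and pki/ relative paths.
    cd /etc/openvpn/server/easy-rsa/ || exit 1
    # Create the PKI, set up the CA and the server and client certificates
    # "nopass" leaves every private key, including the CA key, unencrypted on
    # this host; certificates and the CRL are valid for 3650 days.
    ./easyrsa init-pki
    ./easyrsa --batch build-ca nopass
    EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
    EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
    EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
    # Move the stuff we need
    # NOTE(review): this puts a second copy of the unencrypted CA key next to
    # the server config; server.conf below references only ca.crt, server.crt,
    # server.key and crl.pem from this list — confirm the copy is needed.
    cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
    # CRL is read with each client connection, when OpenVPN is dropped to nobody
    chown nobody:"$group_name" /etc/openvpn/server/crl.pem
    # Generate key for tls-crypt
    openvpn --genkey --secret /etc/openvpn/server/tc.key
    # Create the DH parameters file using the predefined ffdhe2048 group
    echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
    # Generate server.conf
    echo "local $ip
port $port
proto $protocol
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
    echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
    # DNS
    case "$dns" in
      1|"")
        # Locate the proper resolv.conf
        # Needed for systems running systemd-resolved
        if grep -q "127.0.0.53" "/etc/resolv.conf"; then
          resolv_conf="/run/systemd/resolve/resolv.conf"
        else
          resolv_conf="/etc/resolv.conf"
        fi
        # Obtain the resolvers from resolv.conf and use them for OpenVPN
        # Only dotted-quad matches are kept, so nothing else from the file can
        # reach server.conf.
        grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
          echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
        done
        ;;
      2)
        echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
        ;;
      3)
        echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
        ;;
      4)
        echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
        ;;
      5)
        echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
        ;;
    esac
    # The daemon drops to nobody:$group_name after start-up and checks every
    # connecting client against crl.pem.
    echo "keepalive 10 120
cipher AES-256-CBC
user nobody
group $group_name
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server/server.conf
    if [[ "$protocol" = "udp" ]]; then
      echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
    fi
    # Enable net.ipv4.ip_forward for the system
    echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
    # Enable without waiting for a reboot or service restart
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if pgrep firewalld; then
      # Using both permanent and not permanent rules to avoid a firewalld
      # reload.
      # We don't use --add-service=openvpn because that would only work with
      # the default port and protocol.
      firewall-cmd --add-port="$port"/"$protocol"
      firewall-cmd --zone=trusted --add-source=10.8.0.0/24
      firewall-cmd --permanent --add-port="$port"/"$protocol"
      firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
      # Set NAT for the VPN subnet
      firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
      firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
    else
      # Create a service to set up persistent iptables rules
      # The FORWARD rule accepts all traffic sourced from the VPN subnet, so
      # clients can reach whatever this host can route to.
      echo "[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStart=/sbin/iptables -I INPUT -p $protocol --dport $port -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
      systemctl enable --now openvpn-iptables.service
    fi
    # If SELinux is enabled and a custom port was selected, we need this
    if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
      # Install semanage if not already present
      if ! hash semanage 2>/dev/null; then
        if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then
          yum install policycoreutils-python -y
        else
          yum install policycoreutils-python-utils -y
        fi
      fi
      semanage port -a -t openvpn_port_t -p "$protocol" "$port"
    fi
    # If the server is behind a NAT, use the correct IP address
    if [[ "$public_ip" != "" ]]; then
      ip="$public_ip"
    fi
    # client-common.txt is created so we have a template to add further users later
    # remote-cert-tls server makes clients refuse a peer whose certificate is
    # not a server certificate.
    echo "client
dev tun
proto $protocol
remote $ip $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3" > /etc/openvpn/server/client-common.txt
    # Enable and start the OpenVPN service
    systemctl enable --now openvpn-server@server.service
    # Generates the custom client.ovpn
    new_client "$client"
    echo
    echo "Finished!"
    echo
    echo "Your client configuration is available at:" ~/"$client.ovpn"
    echo "If you want to add more clients, just run this script again!"
  fi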