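#!/bin/bash
#
# https://github.com/Nyr/openvpn-install
#
# Copyright (c) 2013 Nyr. Released under the MIT License.
#
# OpenVPN "road warrior" installer. Must be run as root on Debian/Ubuntu or
# CentOS/RHEL. On a first run it installs and configures the server and
# writes a first client profile; on later runs (server.conf already present)
# it offers a small menu to add/revoke clients or remove OpenVPN.
#
# Preflight checks: every failure below exits non-zero so that a wrapper or
# automation can tell a refused run from a completed one.


# Detect Debian users running the script with "sh" instead of bash:
# /bin/sh is dash there and the [[ ]] tests used throughout would not parse.
if readlink /proc/$$/exe | grep -q "dash"; then
	echo "This script needs to be run with bash, not sh" >&2
	exit 1
fi

# Everything that follows writes to /etc/openvpn, the firewall and the
# package manager, so a non-root run cannot do anything useful.
if [[ "$EUID" -ne 0 ]]; then
	echo "Sorry, you need to run this as root" >&2
	exit 1
fi

# The server config uses "dev tun"; containers and some VPS images ship
# without the TUN device, and OpenVPN cannot start without it.
if [[ ! -e /dev/net/tun ]]; then
	echo "The TUN device is not available
You need to enable TUN before running this script" >&2
	exit 1
fi

# Distribution detection.
#   GROUPNAME - unprivileged group OpenVPN drops to ("group" in server.conf);
#               it also owns crl.pem, which the daemon re-reads per connection.
#   RCLOCAL   - where iptables rules are persisted when firewalld is not used.
if [[ -e /etc/debian_version ]]; then
	OS=debian
	GROUPNAME=nogroup
	RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
	OS=centos
	GROUPNAME=nobody
	RCLOCAL='/etc/rc.d/rc.local'
else
	echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS" >&2
	exit 1
fi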
  37.  
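# newclient NAME
# Assembles ~/NAME.ovpn from the shared client template plus, inline, the CA
# certificate, the client's certificate and private key, and the tls-auth key.
#
# Reads:   /etc/openvpn/client-common.txt, /etc/openvpn/ta.key and
#          /etc/openvpn/easy-rsa/pki/{ca.crt,issued/NAME.crt,private/NAME.key}
# Writes:  ~/NAME.ovpn, recreated with mode 0600.
# Returns: non-zero (with a message on stderr) if the client's cert or key is
#          missing or the template cannot be copied.
newclient () {
	local name=$1
	local out="$HOME/$name.ovpn"
	local pki=/etc/openvpn/easy-rsa/pki

	# Fail loudly instead of emitting a profile with empty <cert>/<key> blocks.
	if [[ ! -r "$pki/issued/$name.crt" || ! -r "$pki/private/$name.key" ]]; then
		echo "No certificate/key found for client '$name' in $pki" >&2
		return 1
	fi

	# The profile embeds an unencrypted private key and the tls-auth secret,
	# so it is created 0600 up front rather than inheriting the umask.
	install -m 600 /etc/openvpn/client-common.txt "$out" || return 1
	{
		echo "<ca>"
		cat "$pki/ca.crt"
		echo "</ca>"
		echo "<cert>"
		cat "$pki/issued/$name.crt"
		echo "</cert>"
		echo "<key>"
		cat "$pki/private/$name.key"
		echo "</key>"
		echo "<tls-auth>"
		cat /etc/openvpn/ta.key
		echo "</tls-auth>"
	} >> "$out"
}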
  54.  
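# ---------------------------------------------------------------------------
# Input validation helpers. Every answer read below ends up unquoted in a
# config file, an easy-rsa command line, a sed expression or a firewall rule,
# so the script enforces a tight whitelist instead of trusting the
# "one word only, no special characters" hint in the prompt.
# ---------------------------------------------------------------------------

# valid_client_name NAME - true if NAME is safe as an easy-rsa commonName and
# as a path component: letters, digits, '-' and '_' only.
valid_client_name () {
	[[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

# valid_port PORT - true for a decimal integer in 1..65535.
valid_port () {
	[[ "$1" =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# valid_ipv4 ADDR - true for a dotted quad whose octets are all in 0..255.
valid_ipv4 () {
	local octet
	[[ "$1" =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
	for octet in "${BASH_REMATCH[@]:1}"; do
		(( 10#$octet <= 255 )) || return 1
	done
	return 0
}

if [[ -e /etc/openvpn/server.conf ]]; then
	# ----- Management menu: the server is already installed -----
	while :
	do
		clear
		echo "Looks like OpenVPN is already installed."
		echo
		echo "What do you want to do?"
		echo " 1) Add a new user"
		echo " 2) Revoke an existing user"
		echo " 3) Remove OpenVPN"
		echo " 4) Exit"
		read -r -p "Select an option [1-4]: " option
		case "$option" in
			1)
				echo
				echo "Tell me a name for the client certificate."
				echo "Please, use one word only, no special characters."
				# Keep asking until the name is safe: it becomes the certificate
				# CN, an easy-rsa argument and part of several file paths.
				while :; do
					read -r -p "Client name: " -e CLIENT
					valid_client_name "$CLIENT" && break
					echo "Invalid name: use only letters, digits, '-' and '_'." >&2
				done
				cd /etc/openvpn/easy-rsa/ || exit 1
				# 10-year client certificate. "nopass" leaves the key unencrypted
				# inside the .ovpn, so the profile itself must be treated as a secret.
				if ! EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$CLIENT" nopass; then
					echo "Certificate generation for '$CLIENT' failed (does it already exist?)" >&2
					exit 1
				fi
				# Generates the custom client.ovpn
				newclient "$CLIENT"
				echo
				echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn"
				exit
			;;
			2)
				# Revocation: list the valid ("V") entries of the easy-rsa index
				# (skipping the first, the server certificate), let the user pick
				# one by number, revoke it and republish the CRL.
				INDEX=/etc/openvpn/easy-rsa/pki/index.txt
				NUMBEROFCLIENTS=$(tail -n +2 "$INDEX" | grep -c "^V")
				if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
					echo
					echo "You have no existing clients!"
					exit
				fi
				echo
				echo "Select the existing client certificate you want to revoke:"
				tail -n +2 "$INDEX" | grep "^V" | cut -d '=' -f 2 | nl -s ') '
				# The selection is spliced into a sed address, so it must be a
				# plain integer within range; keep asking until it is.
				while :; do
					if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
						read -r -p "Select one client [1]: " CLIENTNUMBER
					else
						read -r -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
					fi
					if [[ "$CLIENTNUMBER" =~ ^[0-9]{1,9}$ ]] && (( 10#$CLIENTNUMBER >= 1 && 10#$CLIENTNUMBER <= NUMBEROFCLIENTS )); then
						CLIENTNUMBER=$((10#$CLIENTNUMBER))
						break
					fi
					echo "Please enter a number between 1 and $NUMBEROFCLIENTS." >&2
				done
				CLIENT=$(tail -n +2 "$INDEX" | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER}p")
				echo
				read -r -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE
				if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then
					cd /etc/openvpn/easy-rsa/ || exit 1
					# Stop here if easy-rsa refuses: continuing would delete the
					# files and report a revocation that never reached the CRL.
					./easyrsa --batch revoke "$CLIENT" || exit 1
					# The CRL is what the running server checks (crl-verify), so
					# regenerating and installing it is what actually cuts the
					# client off; removing the files is only cleanup.
					EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl || exit 1
					rm -f -- "pki/reqs/$CLIENT.req"
					rm -f -- "pki/private/$CLIENT.key"
					rm -f -- "pki/issued/$CLIENT.crt"
					rm -f /etc/openvpn/crl.pem
					cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
					# CRL is read with each client connection, when OpenVPN is dropped to nobody
					chown nobody:"$GROUPNAME" /etc/openvpn/crl.pem
					echo
					echo "Certificate for client $CLIENT revoked!"
				else
					echo
					echo "Certificate revocation for client $CLIENT aborted!"
				fi
				exit
			;;
			3)
				echo
				read -r -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE
				if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then
					# Recover port, protocol and NAT address from what the install
					# wrote, so the matching firewall rules can be deleted.
					PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
					PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
					if pgrep firewalld >/dev/null; then
						IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
						# Using both permanent and not permanent rules to avoid a firewalld reload.
						firewall-cmd --zone=public --remove-port="$PORT/$PROTOCOL"
						firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
						firewall-cmd --permanent --zone=public --remove-port="$PORT/$PROTOCOL"
						firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
						firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
						firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
					else
						IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' "$RCLOCAL" | cut -d " " -f 14)
						iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
						sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' "$RCLOCAL"
						if iptables -L -n | grep -qE '^ACCEPT'; then
							iptables -D INPUT -p "$PROTOCOL" --dport "$PORT" -j ACCEPT
							iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
							iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
							sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" "$RCLOCAL"
							sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
							sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
						fi
					fi
					if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
						semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
					fi
					if [[ "$OS" = 'debian' ]]; then
						apt-get remove --purge -y openvpn
					else
						yum remove openvpn -y
					fi
					# This also destroys the CA under easy-rsa/pki: no certificate
					# issued by this server can be revoked or re-issued afterwards.
					rm -rf /etc/openvpn
					rm -f /etc/sysctl.d/30-openvpn-forward.conf
					echo
					echo "OpenVPN removed!"
				else
					echo
					echo "Removal aborted!"
				fi
				exit
			;;
			4) exit;;
		esac
	done
else
	# ----- First run: install and configure the server -----
	clear
	echo 'Welcome to this OpenVPN "road warrior" installer!'
	echo
	# OpenVPN setup and first user creation
	echo "I need to ask you a few questions before starting the setup."
	echo "You can leave the default options and just press enter if you are ok with them."
	echo
	echo "First, provide the IPv4 address of the network interface you want OpenVPN"
	echo "listening to."
	# Autodetect IP address and pre-fill for the user
	IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
	# The address is spliced into SNAT rules and into rc.local via sed, so it
	# must be a real dotted quad. ("$IP" is quoted so an empty autodetect does
	# not swallow the variable name as read's -i argument.)
	while :; do
		read -r -p "IP address: " -e -i "$IP" IP
		valid_ipv4 "$IP" && break
		echo "Please enter a valid IPv4 address." >&2
	done
	# If $IP is a private IP address, the server must be behind NAT
	PUBLICIP=
	if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
		echo
		echo "This server is behind NAT. What is the public IPv4 address or hostname?"
		# Goes verbatim into the client's "remote" line: restrict to hostname
		# and IPv4 characters.
		while :; do
			read -r -p "Public IP address / hostname: " -e PUBLICIP
			[[ "$PUBLICIP" =~ ^[A-Za-z0-9.-]+$ ]] && break
			echo "Please enter an IPv4 address or a hostname." >&2
		done
	fi
	echo
	echo "Which protocol do you want for OpenVPN connections?"
	echo " 1) UDP (recommended)"
	echo " 2) TCP"
	read -r -p "Protocol [1-2]: " -e -i 1 PROTOCOL
	# Anything other than an explicit "2" falls back to the recommended
	# default instead of writing the raw answer into server.conf.
	case "$PROTOCOL" in
		2) PROTOCOL=tcp ;;
		*) PROTOCOL=udp ;;
	esac
	echo
	echo "What port do you want OpenVPN listening to?"
	while :; do
		read -r -p "Port: " -e -i 1194 PORT
		valid_port "$PORT" && break
		echo "Please enter a port number between 1 and 65535." >&2
	done
	echo
	echo "Which DNS do you want to use with the VPN?"
	echo " 1) Current system resolvers"
	echo " 2) 1.1.1.1"
	echo " 3) Google"
	echo " 4) OpenDNS"
	echo " 5) Verisign"
	read -r -p "DNS [1-5]: " -e -i 1 DNS
	# An unrecognised answer would otherwise push no resolver at all.
	[[ "$DNS" =~ ^[1-5]$ ]] || DNS=1
	echo
	echo "Finally, tell me your name for the client certificate."
	echo "Please, use one word only, no special characters."
	while :; do
		read -r -p "Client name: " -e -i client CLIENT
		valid_client_name "$CLIENT" && break
		echo "Invalid name: use only letters, digits, '-' and '_'." >&2
	done
	echo
	echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
	read -n1 -r -p "Press any key to continue..."
	if [[ "$OS" = 'debian' ]]; then
		apt-get update
		apt-get install openvpn iptables openssl ca-certificates -y
	else
		# Else, the distro is CentOS
		yum install epel-release -y
		yum install openvpn iptables openssl ca-certificates -y
	fi
	# Get easy-rsa.
	# NOTE(review): the tarball is fetched over HTTPS but nothing verifies its
	# integrity (no signature check, no pinned digest), so the CA tooling is
	# trusted on the strength of the TLS connection alone. A SHA-256 of the
	# release should be pinned and checked here once confirmed.
	EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
	if ! wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null && ! curl -Lo ~/easyrsa.tgz "$EASYRSAURL"; then
		echo "Could not download easy-rsa from $EASYRSAURL" >&2
		rm -f ~/easyrsa.tgz
		exit 1
	fi
	tar xzf ~/easyrsa.tgz -C ~/ || exit 1
	mv ~/EasyRSA-3.0.5/ /etc/openvpn/
	mv /etc/openvpn/EasyRSA-3.0.5/ /etc/openvpn/easy-rsa/
	chown -R root:root /etc/openvpn/easy-rsa/
	rm -f ~/easyrsa.tgz
	cd /etc/openvpn/easy-rsa/ || exit 1
	# Create the PKI, set up the CA and the server and client certificates.
	# "nopass" leaves the CA and server keys unencrypted on disk (root-owned
	# under easy-rsa/pki/private); each step aborts the install if it fails
	# rather than producing a half-built PKI.
	./easyrsa init-pki || exit 1
	./easyrsa --batch build-ca nopass || exit 1
	EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass || exit 1
	EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$CLIENT" nopass || exit 1
	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl || exit 1
	# Move the stuff we need. Only the CA certificate is copied, not ca.key:
	# server.conf references ca.crt alone and newclient reads the PKI
	# directory directly, so the daemon's directory never needs the CA key.
	cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
	# CRL is read with each client connection, when OpenVPN is dropped to nobody
	chown nobody:"$GROUPNAME" /etc/openvpn/crl.pem
	# Generate key for tls-auth (HMAC on the control channel; shared with every
	# client profile via newclient).
	openvpn --genkey --secret /etc/openvpn/ta.key || exit 1
	# Create the DH parameters file using the predefined ffdhe2048 group
	echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/dh.pem
	# Generate server.conf
	cat > /etc/openvpn/server.conf <<EOF
port $PORT
proto $PROTOCOL
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
EOF
	# DNS
	case "$DNS" in
		1)
			# Locate the proper resolv.conf
			# Needed for systems running systemd-resolved
			if grep -q "127.0.0.53" "/etc/resolv.conf"; then
				RESOLVCONF='/run/systemd/resolve/resolv.conf'
			else
				RESOLVCONF='/etc/resolv.conf'
			fi
			# Obtain the resolvers from resolv.conf and use them for OpenVPN
			grep -v '#' "$RESOLVCONF" | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
				echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
			done
		;;
		2)
			echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
			echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
		;;
		3)
			echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
			echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
		;;
		4)
			echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
			echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
		;;
		5)
			echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
			echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
		;;
	esac
	# The daemon drops to nobody:$GROUPNAME after start-up; crl-verify makes
	# every connection check the CRL that the revoke menu republishes.
	cat >> /etc/openvpn/server.conf <<EOF
keepalive 10 120
cipher AES-256-CBC
user nobody
group $GROUPNAME
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
EOF
	# Enable net.ipv4.ip_forward for the system
	echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
	# Enable without waiting for a reboot or service restart
	echo 1 > /proc/sys/net/ipv4/ip_forward
	if pgrep firewalld >/dev/null; then
		# Using both permanent and not permanent rules to avoid a firewalld
		# reload.
		# We don't use --add-service=openvpn because that would only work with
		# the default port and protocol.
		firewall-cmd --zone=public --add-port="$PORT/$PROTOCOL"
		firewall-cmd --zone=trusted --add-source=10.8.0.0/24
		firewall-cmd --permanent --zone=public --add-port="$PORT/$PROTOCOL"
		firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
		# Set NAT for the VPN subnet
		firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
		firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
	else
		# Needed to use rc.local with some systemd distros
		if [[ "$OS" = 'debian' && ! -e "$RCLOCAL" ]]; then
			echo '#!/bin/sh -e
exit 0' > "$RCLOCAL"
		fi
		chmod +x "$RCLOCAL"
		# Set NAT for the VPN subnet (applied now and persisted in rc.local;
		# $IP was validated as a dotted quad before being spliced into sed).
		iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
		sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
		if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
			# If iptables has at least one REJECT rule, we asume this is needed.
			# Not the best approach but I can't think of other and this shouldn't
			# cause problems.
			iptables -I INPUT -p "$PROTOCOL" --dport "$PORT" -j ACCEPT
			iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
			iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
			sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" "$RCLOCAL"
			sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" "$RCLOCAL"
			sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
		fi
	fi
	# If SELinux is enabled and a custom port was selected, we need this
	if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
		# Install semanage if not already present
		if ! hash semanage 2>/dev/null; then
			yum install policycoreutils-python -y
		fi
		semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
	fi
	# And finally, restart OpenVPN
	if [[ "$OS" = 'debian' ]]; then
		# Little hack to check for systemd
		if pgrep systemd-journal >/dev/null; then
			systemctl restart openvpn@server.service
		else
			/etc/init.d/openvpn restart
		fi
	else
		if pgrep systemd-journal >/dev/null; then
			systemctl restart openvpn@server.service
			systemctl enable openvpn@server.service
		else
			service openvpn restart
			chkconfig openvpn on
		fi
	fi
	# If the server is behind a NAT, use the correct IP address
	if [[ "$PUBLICIP" != "" ]]; then
		IP=$PUBLICIP
	fi
	# client-common.txt is created so we have a template to add further users later
	cat > /etc/openvpn/client-common.txt <<EOF
client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
setenv opt block-outside-dns
key-direction 1
verb 3
EOF
	# Generates the custom client.ovpn
	newclient "$CLIENT"
	echo
	echo "Finished!"
	echo
	echo "Your client configuration is available at:" ~/"$CLIENT.ovpn"
	echo "If you want to add more clients, you simply need to run this script again!"
fi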