OpenVPN-easy-setup/openvpnsetup.sh

504 lines (433 sloc)  13.1 KB

 

#! /bin/bash
#
# Express setup of OpenVPN server
# for CentOS 7.x and Ubuntu Server 16.x / 17.x
# by xl-tech https://github.com/xl-tech
#
# Version 0.1 12 August 2017
#
# Use only on fresh installed machine! It can rewrite your firewall rules
# or your current OpenVPN config (if you have it before).
#
# Script is licensed under the GNU General Public License v3.0
#
# Usage: just run openvpnsetup.sh 🙂
#
#check for root
IAM=$(whoami)
if [ ${IAM} != root ]; then
echo You must be root to use this script
exit 1
fi
#check for tun/tap
if [ -c /dev/net/tun ]; then
echo TUN/TAP is enabled
else
echo TUN/TAP is disabled. Contact your VPS provider to enable it
exit 1
fi
#enable IPv4 forwarding
if sysctl net.ipv4.ip_forward |grep 0; then
sysctl -w net.ipv4.ip_forward=1
echo net.ipv4.ip_forward = 1 >> /etc/sysctl.conf
else
echo IPv4 forwarding is already enabled
fi
#package install
yum_packages=openssl openvpn easy-rsa iptables iptables-services curl
deb_packages=openssl openvpn easy-rsa iptables netfilter-persistent iptables-persistent curl
if cat /etc/*release | grep ^NAME | grep CentOS; then
yum -y install epel-release
yum -y install $yum_packages
systemctl disable firewalld & systemctl stop firewalld
elif cat /etc/*release | grep ^NAME | grep Ubuntu; then
apt-get install -y $deb_packages
ufw disable
else
echo Unsupported distro, sorry
exit 1;
fi
#server settings
#internal IP
IIP=`hostname -I`
#external IP
EIP=`curl -s checkip.dyndns.org | sed -e s/.*Current IP Address: // -e s/<.*$//`
#internal IPv6 with mask
IIPv6=`ip -6 addr|grep inet6|grep fe80|awk -F [ \t]+| {print $3}`
echo Select server IP to listen on (only used for IPv4):
1) Internal IP – $IIP (in case you are behind NAT)
2) External IP – $EIP
read n
case $n in
1) IP=$IIP;;
2) IP=$EIP;;
*) invalid option;;
esac
echo Select server PORT to listen on:
1) tcp 443 (recommended)
2) udp 1194 (default)
3) Enter manually (proto (lowercase!) port)
read n
case $n in
1) PORT=tcp 443;;
2) PORT=udp 1194;;
3) echo -n Enter proto and port (like tcp 80 or udp 53): & read -e PORT;;
*) invalid option;;
esac
PORTN=`echo $PORT|grep -o [0-9]*`
PORTL=`echo $PORT|grep -o [a-z,A-Z]*`
PORTL6=$PORTL6
echo Select server cipher:
1) AES-256-GCM (default for OpenVPN 2.4.x, not supported by Ubuntu Server 16.x)
2) AES-256-CBC
3) AES-128-CBC (default for OpenVPN 2.3.x)
4) BF-CBC (insecure)
read n
case $n in
1) CIPHER=AES-256-GCM;;
2) CIPHER=AES-256-CBC;;
3) CIPHER=AES-128-CBC;;
4) CIPHER=BF-CBC;;
*) invalid option;;
esac
echo Enable IPv6? (ensure that your machine have IPv6 support):
1) Yes
2) No
read n
case $n in
1) IPV6E=1;;
2) IPV6E=0;;
*) invalid option;;
esac
echo Check your selection
echo Server will listen on $IP
echo Server will listen on $PORT
echo Server will use $CIPHER cipher
echo IPv6 – $IPV6E (1 is enabled, 0 is disabled)
read -rsp $’Press enter to continue…\n
#create dirs and files
mkdir /etc/openvpn/easy-rsa
mkdir /etc/openvpn/easy-rsa/keys
mkdir /etc/openvpn/logs
mkdir /etc/openvpn/bundles
mkdir /etc/openvpn/ccd
touch /etc/openvpn/easy-rsa/keys/index.txt
touch /etc/openvpn/easy-rsa/keys/serial
echo 00 >> /etc/openvpn/easy-rsa/keys/serial
#copy easy-rsa
if cat /etc/*release | grep ^NAME | grep CentOS; then
cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
elif cat /etc/*release | grep ^NAME | grep Ubuntu; then
cp /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
fi
#vars for certs
export EASY_RSA=/etc/openvpn/easy-rsa
export OPENSSL=openssl
export PKCS11TOOL=pkcs11-tool
export GREP=grep
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR=$EASY_RSA/keys
export PKCS11_MODULE_PATH=dummy
export PKCS11_PIN=dummy
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=1825
export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=SanFrancisco
export KEY_ORG=Fort-Funston
export KEY_EMAIL=my@vpn.net
export KEY_OU=MyVPN
export KEY_NAME=EasyRSA
#issue certs and keys
#ca
export EASY_RSA=${EASY_RSA:-.}
$EASY_RSA/pkitool –batch –initca $*
#server
export EASY_RSA=${EASY_RSA:-.}
$EASY_RSA/pkitool –batch –server server-cert
#dh
$OPENSSL dhparam -out ${KEY_DIR}/dh.pem ${KEY_SIZE}
#ta
openvpn –genkey –secret ${KEY_DIR}/ta.key
#issue and revoke client cert to generate list of revoked certs
$EASY_RSA/pkitool –batch revoked
$EASY_RSA/revoke-full revoked
echo Error 23 indicates that revoke is successful
#generate server config
#ipv6 part
if (($IPV6E== 1 )); then
#enable IPv6 forwarding
if sysctl net.ipv6.conf.all.forwarding |grep 0; then
sysctl -w net.ipv6.conf.all.forwarding=1
echo net.ipv6.conf.all.forwarding = 1 >> /etc/sysctl.conf
else
echo IPv6 forwarding is already enabled
fi
echo -e #IPv6 config
server-ipv6 fd6c:62d9:eb8c::/112
proto $PORTL6
tun-ipv6
push tun-ipv6
push \042route-ipv6 2000::/3\042
push \042redirect-gateway ipv6\042
> /etc/openvpn/server.conf
else
echo local $IP > /etc/openvpn/server.conf
fi
#main part
echo -e port $PORTN
proto $PORTL
dev tun
#for cert revoke check
crl-verify /etc/openvpn/easy-rsa/keys/crl.pem
server 10.1.0.0 255.255.255.0
topology subnet
push \042redirect-gateway def1 bypass-dhcp\042
#duplicate-cn
push \042dhcp-option DNS 8.8.8.8\042
push \042dhcp-option DNS 8.8.4.4\042
comp-lzo adaptive
push \042comp-lzo adaptive\042
mssfix 0
push \042mssfix 0\042
#management 0.0.0.0 7000 /etc/openvpn/management-password
#duplicate-cn
keepalive 10 120
tls-timeout 160
hand-window 160
cipher $CIPHER
auth SHA256
#uncomment for 2.4.x feature to disable automatically negotiate in AES-256-GCM
#ncp-disable
#max-clients 300
#user nobody
#group nobody
persist-key
persist-tun
status /etc/openvpn/logs/openvpn-status.log
log-append /etc/openvpn/logs/openvpn.log
verb 2
#reneg-sec 864000
mute 3
tls-server
#script-security 3
#buffers
sndbuf 393216
rcvbuf 393216
push \042sndbuf 393216\042
push \042rcvbuf 393216\042
>> /etc/openvpn/server.conf
echo <ca> >> /etc/openvpn/server.conf
cat $KEY_DIR/ca.crt >> /etc/openvpn/server.conf
echo </ca> >> /etc/openvpn/server.conf
echo <cert> >> /etc/openvpn/server.conf
cat $KEY_DIR/server-cert.crt >> /etc/openvpn/server.conf
echo </cert> >> /etc/openvpn/server.conf
echo <key> >> /etc/openvpn/server.conf
cat $KEY_DIR/server-cert.key >> /etc/openvpn/server.conf
echo </key> >> /etc/openvpn/server.conf
if openvpn –version | grep 2.3; then
# ta tls auth OpenVPN 2.3.x
echo key-direction 0 >> /etc/openvpn/server.conf
echo <tls-auth> >> /etc/openvpn/server.conf
cat $KEY_DIR/ta.key >> /etc/openvpn/server.conf
echo </tls-auth> >> /etc/openvpn/server.conf
else
# ta tls crypt OpenVPN 2.4.x
echo <tls-crypt> >> /etc/openvpn/server.conf
cat $KEY_DIR/ta.key >> /etc/openvpn/server.conf
echo </tls-crypt> >> /etc/openvpn/server.conf
fi
echo <dh> >> /etc/openvpn/server.conf
cat $KEY_DIR/dh.pem >> /etc/openvpn/server.conf
echo </dh> >> /etc/openvpn/server.conf
#create iptables file
echo *filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:XL-Firewall-1-INPUT – [0:0]
-A INPUT -j XL-Firewall-1-INPUT
-A FORWARD -j XL-Firewall-1-INPUT
-A XL-Firewall-1-INPUT -p icmp –icmp-type any -s localhost -j ACCEPT
-A XL-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A XL-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A XL-Firewall-1-INPUT -m state –state NEW -m $PORTL -p $PORTL –dport $PORTN -j ACCEPT
-A XL-Firewall-1-INPUT -i tun+ -j ACCEPT
-A XL-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.1.0.0/24 -j MASQUERADE
COMMIT > /tmp/iptables
#create ip6tables file
echo *filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:XL-Firewall-1-INPUT – [0:0]
-A INPUT -j XL-Firewall-1-INPUT
-A FORWARD -j XL-Firewall-1-INPUT
-A XL-Firewall-1-INPUT -i lo -j ACCEPT
-A XL-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A XL-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A XL-Firewall-1-INPUT -m state –state NEW -m $PORTL -p $PORTL –dport $PORTN -j ACCEPT
-A XL-Firewall-1-INPUT -i tun+ -j ACCEPT
-A XL-Firewall-1-INPUT -j REJECT –reject-with icmp6-adm-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s fd6c:62d9:eb8c::/112 -j MASQUERADE
COMMIT > /tmp/ip6tables
#start services
if cat /etc/*release | grep ^NAME | grep CentOS; then
cp /tmp/ip6tables /etc/sysconfig/ip6tables
cp /tmp/iptables /etc/sysconfig/iptables
systemctl enable iptables & systemctl start iptables
systemctl enable ip6tables & systemctl start ip6tables
systemctl enable openvpn@server & systemctl start openvpn@server
systemctl restart iptables & systemctl restart ip6tables
elif cat /etc/*release | grep ^NAME | grep Ubuntu; then
cp /tmp/ip6tables /etc/iptables/rules.v6
cp /tmp/iptables /etc/iptables/rules.v4
systemctl enable netfilter-persistent & systemctl start netfilter-persistent
systemctl enable openvpn@server & systemctl start openvpn@server
systemctl restart netfilter-persistent
fi
#generate client config
echo -e client
dev tun
dev-type tun
#bind to interface if needed
#dev-node \042Ethernet 4\042
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
#block local dns
setenv opt block-outside-dns
nobind
remote $EIP $PORTN $PORTL
cipher $CIPHER
auth SHA256
resolv-retry infinite
persist-key
persist-tun
comp-lzo
mssfix 0
verb 3
ping 10
tls-client
float >> /etc/openvpn/client.ovpn
#generate bash script to create one-file config for clients
echo -e #! /bin/bash
# Script to automate creating new OpenVPN clients
#
# H Cooper – 05/02/11
# Y Frolov – 08/06/16 – bundle config added (unified format)
# Usage: newclient.sh <common-name>
echo \042Script to generate unified config for Windows App\042
echo \042sage: newclient.sh <common-name>\042
# Set vars
OPENVPN_DIR=/etc/openvpn
OPENVPN_RSA_DIR=/etc/openvpn/easy-rsa
OPENVPN_KEYS=\044OPENVPN_RSA_DIR/keys
BUNDLE_DIR=/etc/openvpn/bundles
# Either read the CN from \0441 or prompt for it
if [ -z \042\0441\042 ]
then echo -n \042Enter new client common name (CN): \042
read -e CN
else
CN=\u00241
fi
# Ensure CN isn’t blank
if [ -z \042\044CN\042 ]
then echo \042You must provide a CN.\042
exit
fi
# Check the CN doesn’t already exist
if [ -f \044OPENVPN_KEYS/\044CN.crt ]
then echo \042Error: certificate with the CN \044CN alread exists!\042
echo \042 \044OPENVPN_KEYS/\044CN.crt\042
exit
fi
# Establish the default variables
export EASY_RSA=\042/etc/openvpn/easy-rsa\042
export OPENSSL=\042openssl\042
export PKCS11TOOL=\042pkcs11-tool\042
export GREP=\042grep\042
export KEY_CONFIG=\x60\044EASY_RSA/whichopensslcnf \044EASY_RSA\x60
export KEY_DIR=\042\044EASY_RSA/keys\042
export PKCS11_MODULE_PATH=\042dummy\042
export PKCS11_PIN=\042dummy\042
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=1825
export KEY_COUNTRY=\042US\042
export KEY_PROVINCE=\042CA\042
export KEY_CITY=\042SanFrancisco\042
export KEY_ORG=\042Fort-Funston\042
export KEY_EMAIL=\042my@vpn.net\042
export KEY_OU=\042MyVPN\042
export KEY_NAME=\042EasyRSA\042
# Copied from build-key script (to ensure it works!)
export EASY_RSA=\042\044{EASY_RSA:-.}\042
\042\044EASY_RSA/pkitool\042 –batch \044CN
# Add all certs to unified client config file
# Default config for client
cp \044OPENVPN_DIR/client.ovpn \044BUNDLE_DIR/\044CN.ovpn
# CA
echo \042<ca>\042 >> \044BUNDLE_DIR/\044CN.ovpn
cat \044OPENVPN_KEYS/ca.crt >> \044BUNDLE_DIR/\044CN.ovpn
echo \042</ca>\042 >> \044BUNDLE_DIR/\044CN.ovpn
# Client cert
echo \042<cert>\042 >> \044BUNDLE_DIR/\044CN.ovpn
cat \044OPENVPN_KEYS/\044CN.crt >> \044BUNDLE_DIR/\044CN.ovpn
echo \042</cert>\042 >> \044BUNDLE_DIR/\044CN.ovpn
# Client key
echo \042<key>\042 >> \044BUNDLE_DIR/\044CN.ovpn
cat \044OPENVPN_KEYS/\044CN.key >> \044BUNDLE_DIR/\044CN.ovpn
echo \042</key>\042 >> \044BUNDLE_DIR/\044CN.ovpn
if openvpn –version | grep 2.3; then
# ta tls auth OpenVPN 2.3.x
echo \042key-direction 1\042 >> \044BUNDLE_DIR/\044CN.ovpn
echo \042<tls-auth>\042 >> \044BUNDLE_DIR/\044CN.ovpn
cat \044OPENVPN_KEYS/ta.key >> \044BUNDLE_DIR/\044CN.ovpn
echo \042</tls-auth>\042 >> \044BUNDLE_DIR/\044CN.ovpn
else
# ta tls crypt OpenVPN 2.4.x
echo \042<tls-crypt>\042 >> \044BUNDLE_DIR/\044CN.ovpn
cat \044OPENVPN_KEYS/ta.key >> \044BUNDLE_DIR/\044CN.ovpn
echo \042</tls-crypt>\042 >> \044BUNDLE_DIR/\044CN.ovpn
fi
# DH key
echo \042<dh>\042 >> \044BUNDLE_DIR/\044CN.ovpn
cat \044OPENVPN_KEYS/dh.pem >> \044BUNDLE_DIR/\044CN.ovpn
echo \042</dh>\042 >> \044BUNDLE_DIR/\044CN.ovpn
#echo \042\042
echo \042COMPLETE! Copy the new unified config from here: /etc/openvpn/bundles/\044CN.ovpn\042 > /etc/openvpn/newclient.sh
chmod +x /etc/openvpn/newclient.sh
echo Setup is complete. Happy VPNing!
echo Use /etc/openvpn/newclient.sh to generate client config
exit 1

 

https://github.com/xl-tech/OpenVPN-easy-setup/blob/master/openvpnsetup.sh

Leave a Comment

Your email address will not be published. Required fields are marked *

Shares