MySpace/Docs
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add OpenVPN installation scripts

Browse Source
This commit is contained in:
Johan 2025-03-19 14:03:04 +01:00
parent 3aae380de4
commit 2d06663a3c
2 changed files with 139 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
BashScripts/add-openvpn-client.sh Normal file
View File

@ -0,0 +1,58 @@
# Make sure script is ran as root
if [[ $EUID -ne 0 ]]; then
exec sudo /bin/bash "$0" "$@"
fi
DIR=$(pwd)
for i in {1..255}; do
CLIENT_NAME="client$i"
if [ ! -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
break
fi
done
read -e -p "Enter client name: " -i "$CLIENT_NAME" CLIENT_NAME
if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
echo Client $CLIENT_NAME already exists...
exit 1
fi
cd /etc/openvpn/easy-rsa
./easyrsa gen-req $CLIENT_NAME nopass
./easyrsa sign-req client $CLIENT_NAME
CA_CERT=$(cat "/etc/openvpn/ca.crt")
CLIENT_CERT=$(cat "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt")
CLIENT_KEY=$(cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT_NAME.key")
TA_KEY=$(cat "/etc/openvpn/ta.key")
cd "$DIR"
cat > $CLIENT_NAME.conf <<EOL
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
# tls-client
client
resolv-retry infinite
remote home.myspace.nu 1294 udp
# remote-cert-tls server
float
verb 3
<ca>
$CA_CERT
</ca>
<cert>
$CLIENT_CERT
</cert>
<key>
$CLIENT_KEY
</key>
key-direction 1
<tls-auth>
$TA_KEY
</tls-auth>
EOL

81
BashScripts/install-openvpn-server.sh Normal file
View File

@ -0,0 +1,81 @@
# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"
# Make sure script is ran as root
if [[ $EUID -ne 0 ]]; then
exec sudo /bin/bash "$0" "$@"
fi
read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
read -e -p "Enter VPN public portnumber: " -i "1194" VPN_PUBLIC_PORT
if [ $(dpkg-query -W -f='${Status}' openvpn 2>/dev/null | grep -c "ok installed") -eq 0 ]; then
echo "Installing OpenVPN..."
apt install openvpn easy-rsa -y
fi
if [ ! -d /etc/openvpn/easy-rsa ]; then
echo "Setting up Certificate Authority"
make-cadir /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req myservername nopass
./easyrsa gen-dh
./easyrsa sign-req server myservername
cp pki/dh.pem pki/ca.crt pki/issued/myservername.crt pki/private/myservername.key /etc/openvpn/
fi
if [ ! -d /var/log/openvpn ]; then
mkdir -p /var/log/openvpn
fi
if ufw status | grep -q "Status: active"; then
echo Adding firewall rules...
ufw allow $VPN_PUBLIC_PORT/udp
ufw allow OpenSSH
ufw enable
ufw status verbose
echo You might need to enable NAT / MASQUERADE forwarding in /etc/ufw/before.rules
systemctl restart ufw
fi
if [ ! -f /etc/openvpn/myserver.conf ]; then
tee /etc/openvpn/myserver.conf > /dev/null <<EOL
port $VPN_PUBLIC_PORT
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh.pem
server $VPN_SUBNET.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route $LAN_SUBNET.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
EOL
fi
if [ ! -f /etc/openvpn/ta.key ]; then
openvpn --genkey secret /etc/openvpn/ta.key
fi
sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
systemctl start openvpn@myserver
echo Settings up NAT rules...
iptables -t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE
iptables -A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT
iptables -A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
apt install iptables-persistent -y
netfilter-persistent save