From 2d06663a3ca5dbd0d3b876af4e29f66a693c233e Mon Sep 17 00:00:00 2001
From: Johan
Date: Wed, 19 Mar 2025 14:03:04 +0100
Subject: [PATCH] Add OpenVPN installation scripts

---
 BashScripts/add-openvpn-client.sh | 58 +++++++++++++++++++
 BashScripts/install-openvpn-server.sh | 81 +++++++++++++++++++++++++++
 2 files changed, 139 insertions(+)
 create mode 100644 BashScripts/add-openvpn-client.sh
 create mode 100644 BashScripts/install-openvpn-server.sh

diff --git a/BashScripts/add-openvpn-client.sh b/BashScripts/add-openvpn-client.sh
new file mode 100644
index 0000000..8cb6948
--- /dev/null
+++ b/BashScripts/add-openvpn-client.sh
@@ -0,0 +1,58 @@
+# Make sure script is ran as root
+if [[ $EUID -ne 0 ]]; then
+ exec sudo /bin/bash "$0" "$@"
+fi
+
+DIR=$(pwd)
+for i in {1..255}; do
+ CLIENT_NAME="client$i"
+ if [ ! -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
+ break
+ fi
+done
+read -e -p "Enter client name: " -i "$CLIENT_NAME" CLIENT_NAME
+if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
+ echo Client $CLIENT_NAME already exists...
+ exit 1
+fi
+
+cd /etc/openvpn/easy-rsa
+./easyrsa gen-req $CLIENT_NAME nopass
+./easyrsa sign-req client $CLIENT_NAME
+
+CA_CERT=$(cat "/etc/openvpn/ca.crt")
+CLIENT_CERT=$(cat "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt")
+CLIENT_KEY=$(cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT_NAME.key")
+TA_KEY=$(cat "/etc/openvpn/ta.key")
+
+cd "$DIR"
+cat > $CLIENT_NAME.conf <
+$CA_CERT
+
+
+$CLIENT_CERT
+
+
+$CLIENT_KEY
+
+key-direction 1
+
+$TA_KEY
+
+EOL
+
diff --git a/BashScripts/install-openvpn-server.sh b/BashScripts/install-openvpn-server.sh
new file mode 100644
index 0000000..7f0d8f4
--- /dev/null
+++ b/BashScripts/install-openvpn-server.sh
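Review bot: The profile written by `cat > $CLIENT_NAME.conf` embeds the client's unencrypted private key (`nopass`) together with `ta.key`, yet it is created by root (the script re-execs itself under sudo) with whatever umask the caller has, so in the common case the file ends up world-readable in the caller's directory; add `umask 077` before the write, quote the target as `"$CLIENT_NAME.conf"`, and consider `chmod 600` plus a `chown` to the invoking user. `CLIENT_NAME` comes from `read` without `-r` and is then used unquoted in both `./easyrsa` calls and in the output path, so a value containing whitespace, `/` or `..` changes the easyrsa arguments or writes the profile outside the current directory; a guard such as `[[ "$CLIENT_NAME" =~ ^[A-Za-z0-9_-]+$ ]] || exit 1` placed before `cd /etc/openvpn/easy-rsa` would reject that. Because the file has no shebang and no `set -euo pipefail`, a failing `cd`, `gen-req` or `sign-req` does not stop the script, and the four `$(cat …)` lines then quietly produce a profile with empty certificate and key sections. The heredoc body between the `cat >` line and `EOL` appears to have lost its inline tag lines in this copy of the patch, so that part of the generated profile could not be reviewed here.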
@@ -0,0 +1,81 @@
+# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"
+
+# Make sure script is ran as root
+if [[ $EUID -ne 0 ]]; then
+ exec sudo /bin/bash "$0" "$@"
+fi
+read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
+read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
+read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
+read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
+read -e -p "Enter VPN public portnumber: " -i "1194" VPN_PUBLIC_PORT
+
+if [ $(dpkg-query -W -f='${Status}' openvpn 2>/dev/null | grep -c "ok installed") -eq 0 ]; then
+ echo "Installing OpenVPN..."
+ apt install openvpn easy-rsa -y
+fi
+if [ ! -d /etc/openvpn/easy-rsa ]; then
+ echo "Setting up Certificate Authority"
+ make-cadir /etc/openvpn/easy-rsa
+ cd /etc/openvpn/easy-rsa
+ ./easyrsa init-pki
+ ./easyrsa build-ca
+ ./easyrsa gen-req myservername nopass
+ ./easyrsa gen-dh
+ ./easyrsa sign-req server myservername
+ cp pki/dh.pem pki/ca.crt pki/issued/myservername.crt pki/private/myservername.key /etc/openvpn/
+fi
+if [ ! -d /var/log/openvpn ]; then
+ mkdir -p /var/log/openvpn
+fi
+if ufw status | grep -q "Status: active"; then
+ echo Adding firewall rules...
+ ufw allow $VPN_PUBLIC_PORT/udp
+ ufw allow OpenSSH
+ ufw enable
+ ufw status verbose
+ echo You might need to enable NAT / MASQUERADE forwarding in /etc/ufw/before.rules
+ systemctl restart ufw
+fi
+
+if [ ! -f /etc/openvpn/myserver.conf ]; then
+ tee /etc/openvpn/myserver.conf > /dev/null <