Add OpenVPN installation scripts

BashScripts/add-openvpn-client.sh

@@ -0,0 +1,58 @@
+# Make sure script is ran as root
+if [[ $EUID -ne 0 ]]; then
+        exec sudo /bin/bash "$0" "$@"
+fi
+
+DIR=$(pwd)
+for i in {1..255}; do
+	CLIENT_NAME="client$i"
+	if [ ! -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
+		break
+	fi
+done
+read -e -p "Enter client name: " -i "$CLIENT_NAME" CLIENT_NAME
+if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
+	echo Client $CLIENT_NAME already exists...
+	exit 1
+fi
+
+cd /etc/openvpn/easy-rsa
+./easyrsa gen-req $CLIENT_NAME nopass
+./easyrsa sign-req client $CLIENT_NAME
+
+CA_CERT=$(cat "/etc/openvpn/ca.crt")
+CLIENT_CERT=$(cat "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt")
+CLIENT_KEY=$(cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT_NAME.key")
+TA_KEY=$(cat "/etc/openvpn/ta.key")
+
+cd "$DIR"
+cat > $CLIENT_NAME.conf <<EOL
+dev tun
+persist-tun
+persist-key
+cipher AES-256-CBC
+ncp-ciphers AES-256-GCM:AES-128-GCM
+auth SHA1
+# tls-client
+client
+resolv-retry infinite
+remote home.myspace.nu 1294 udp
+# remote-cert-tls server
+float
+verb 3
+
+<ca>
+$CA_CERT
+</ca>
+<cert>
+$CLIENT_CERT
+</cert>
+<key>
+$CLIENT_KEY
+</key>
+key-direction 1
+<tls-auth>
+$TA_KEY
+</tls-auth>
+EOL
+

BashScripts/install-openvpn-server.sh

@@ -0,0 +1,81 @@
+# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"
+
+# Make sure script is ran as root
+if [[ $EUID -ne 0 ]]; then
+	exec sudo /bin/bash "$0" "$@"
+fi
+read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
+read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
+read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
+read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
+read -e -p "Enter VPN public portnumber: " -i "1194" VPN_PUBLIC_PORT
+
+if [ $(dpkg-query -W -f='${Status}' openvpn 2>/dev/null | grep -c "ok installed") -eq 0 ]; then
+        echo "Installing OpenVPN..."
+        apt install openvpn easy-rsa -y
+fi
+if [ ! -d /etc/openvpn/easy-rsa ]; then
+        echo "Setting up Certificate Authority"
+        make-cadir /etc/openvpn/easy-rsa
+        cd /etc/openvpn/easy-rsa
+        ./easyrsa init-pki
+        ./easyrsa build-ca
+        ./easyrsa gen-req myservername nopass
+        ./easyrsa gen-dh
+        ./easyrsa sign-req server myservername
+		cp pki/dh.pem pki/ca.crt pki/issued/myservername.crt pki/private/myservername.key /etc/openvpn/
+fi
+if [ ! -d /var/log/openvpn ]; then
+	mkdir -p /var/log/openvpn
+fi
+if ufw status | grep -q "Status: active"; then
+	echo Adding firewall rules...
+	ufw allow $VPN_PUBLIC_PORT/udp
+	ufw allow OpenSSH
+	ufw enable
+	ufw status verbose
+	echo You might need to enable NAT / MASQUERADE forwarding in /etc/ufw/before.rules
+	systemctl restart ufw
+fi
+
+if [ ! -f /etc/openvpn/myserver.conf ]; then
+	tee /etc/openvpn/myserver.conf > /dev/null <<EOL
+
+port $VPN_PUBLIC_PORT
+proto udp
+dev tun
+
+ca ca.crt
+cert myservername.crt
+key myservername.key
+dh dh.pem
+
+server $VPN_SUBNET.0 255.255.255.0
+ifconfig-pool-persist /var/log/openvpn/ipp.txt
+push "route $LAN_SUBNET.0 255.255.255.0"
+
+keepalive 10 120
+tls-auth ta.key 0
+cipher AES-256-CBC
+persist-key
+persist-tun
+status /var/log/openvpn/openvpn-status.log
+verb 3
+explicit-exit-notify 1
+EOL
+fi
+if [ ! -f /etc/openvpn/ta.key ]; then
+	openvpn --genkey secret /etc/openvpn/ta.key
+fi
+
+sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
+sudo sysctl -p /etc/sysctl.conf
+systemctl start openvpn@myserver
+
+echo Settings up NAT rules...
+iptables -t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE
+iptables -A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT
+iptables -A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+apt install iptables-persistent -y
+netfilter-persistent save
+