Update OpenVPN installation script
This commit is contained in:
Johan
parent
3a2ffa191b
commit
c336788346
@ -1,9 +1,29 @@
|
||||
#!/bin/bash
|
||||
# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"
|
||||
|
||||
# Make sure script is ran as root
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
exec sudo /bin/bash "$0" "$@"
|
||||
fi
|
||||
# Helper functions
|
||||
add_iptables_rule() {
|
||||
local RULE="$1"
|
||||
local TABLE="filter" # Default table is filter
|
||||
if [[ "$RULE" =~ -t[[:space:]]+(nat|mangle|raw|filter) ]]; then
|
||||
TABLE="${BASH_REMATCH[1]}"
|
||||
RULE="${RULE/-t ${BASH_REMATCH[1]}/}" # Remove "-t <table>" from RULE
|
||||
fi
|
||||
local RULE_ACTION=$(echo "$RULE" | awk '{print $1}')
|
||||
local RULE_REST=$(echo "$RULE" | cut -d' ' -f2-)
|
||||
if iptables-save -t "$TABLE" | grep -Fq -- "$RULE_REST"; then
|
||||
echo "Rule already exists in table $TABLE, skipping: -t $TABLE $RULE"
|
||||
else
|
||||
echo "Adding iptables rule to table $TABLE: -t $TABLE $RULE"
|
||||
iptables -t "$TABLE" $RULE
|
||||
fi
|
||||
}
|
||||
|
||||
# Setup script
|
||||
read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
|
||||
read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
|
||||
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
|
||||
@ -44,6 +64,7 @@ fi
|
||||
if [ ! -f /etc/openvpn/myserver.conf ]; then
|
||||
tee /etc/openvpn/myserver.conf > /dev/null <<EOL
|
||||
|
||||
#public-host $VPN_PUBLIC_HOST
|
||||
port $VPN_PUBLIC_PORT
|
||||
proto udp
|
||||
dev tun
|
||||
@ -79,9 +100,86 @@ sudo sysctl -p /etc/sysctl.conf
|
||||
systemctl start openvpn@myserver
|
||||
|
||||
echo Settings up NAT rules...
|
||||
iptables -t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE
|
||||
iptables -A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT
|
||||
iptables -A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
add_iptables_rule "-t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE"
|
||||
add_iptables_rule "-A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT"
|
||||
add_iptables_rule "-A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
|
||||
apt install iptables-persistent -y
|
||||
netfilter-persistent save
|
||||
|
||||
# Settings up helper scripts using Heredoc 'EOF'
|
||||
cat << 'EOF' > /usr/local/bin/add-openvpn-client.sh
|
||||
#!/bin/bash
|
||||
# Make sure script is ran as root
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
exec sudo /bin/bash "$0" "$@"
|
||||
fi
|
||||
|
||||
DIR=$(pwd)
|
||||
for i in {1..255}; do
|
||||
CLIENT_NAME="client$i"
|
||||
if [ ! -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
|
||||
break
|
||||
fi
|
||||
done
|
||||
VPN_SUBNET=$(grep -E '^server ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||
VPN_PUBLIC_HOST=$(grep -E '^#public-host ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||
VPN_PUBLIC_PORT=$(grep -E '^port ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||
echo "Adding VPN client to $VPN_PUBLIC_HOST:$VPN_PUBLIC_PORT"
|
||||
read -e -p "Enter client name: " -i "$CLIENT_NAME" CLIENT_NAME
|
||||
if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
|
||||
echo Client $CLIENT_NAME already exists...
|
||||
exit 1
|
||||
fi
|
||||
read -e -p "Use static IP for this client? VPN subnet is $VPN_SUBNET (Leave empty for dynamic): " -i "" CLIENT_IP
|
||||
if [ ! -z "${CLIENT_IP}" ]; then
|
||||
echo Setting IP...
|
||||
cat > "/etc/openvpn/ccd/$CLIENT_NAME" <<EOL
|
||||
ifconfig-push $CLIENT_IP 255.255.255.0
|
||||
EOL
|
||||
fi
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
./easyrsa gen-req $CLIENT_NAME nopass
|
||||
./easyrsa sign-req client $CLIENT_NAME
|
||||
|
||||
CA_CERT=$(cat "/etc/openvpn/ca.crt")
|
||||
CLIENT_CERT=$(cat "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt")
|
||||
CLIENT_KEY=$(cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT_NAME.key")
|
||||
TA_KEY=$(cat "/etc/openvpn/ta.key")
|
||||
|
||||
cd "$DIR"
|
||||
cat > $CLIENT_NAME.conf <<EOL
|
||||
dev tun
|
||||
persist-tun
|
||||
persist-key
|
||||
cipher AES-256-CBC
|
||||
ncp-ciphers AES-256-GCM:AES-128-GCM
|
||||
auth SHA1
|
||||
# tls-client
|
||||
client
|
||||
resolv-retry infinite
|
||||
remote $VPN_PUBLIC_HOST $VPN_PUBLIC_PORT udp
|
||||
# remote-cert-tls server
|
||||
float
|
||||
verb 3
|
||||
|
||||
<ca>
|
||||
$CA_CERT
|
||||
</ca>
|
||||
<cert>
|
||||
$CLIENT_CERT
|
||||
</cert>
|
||||
<key>
|
||||
$CLIENT_KEY
|
||||
</key>
|
||||
key-direction 1
|
||||
<tls-auth>
|
||||
$TA_KEY
|
||||
</tls-auth>
|
||||
EOL
|
||||
EOF
|
||||
chmod +755 /usr/local/bin/add-openvpn-client.sh
|
||||
cat << 'EOF' > /usr/local/bin/remove-iptable-dups.sh
|
||||
#!/bin/bash
|
||||
iptables-save | awk '!seen[$0]++ || /^(\*|COMMIT)/' | iptables-restore
|
||||
EOF
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user