Update OpenVPN installation script
This commit is contained in:
parent
3a2ffa191b
commit
c336788346
@ -1,9 +1,29 @@
|
|||||||
|
#!/bin/bash
|
||||||
# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"
|
# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"
|
||||||
|
|
||||||
# Make sure script is ran as root
|
# Make sure script is ran as root
|
||||||
if [[ $EUID -ne 0 ]]; then
|
if [[ $EUID -ne 0 ]]; then
|
||||||
exec sudo /bin/bash "$0" "$@"
|
exec sudo /bin/bash "$0" "$@"
|
||||||
fi
|
fi
|
||||||
|
# Helper functions
|
||||||
|
add_iptables_rule() {
|
||||||
|
local RULE="$1"
|
||||||
|
local TABLE="filter" # Default table is filter
|
||||||
|
if [[ "$RULE" =~ -t[[:space:]]+(nat|mangle|raw|filter) ]]; then
|
||||||
|
TABLE="${BASH_REMATCH[1]}"
|
||||||
|
RULE="${RULE/-t ${BASH_REMATCH[1]}/}" # Remove "-t <table>" from RULE
|
||||||
|
fi
|
||||||
|
local RULE_ACTION=$(echo "$RULE" | awk '{print $1}')
|
||||||
|
local RULE_REST=$(echo "$RULE" | cut -d' ' -f2-)
|
||||||
|
if iptables-save -t "$TABLE" | grep -Fq -- "$RULE_REST"; then
|
||||||
|
echo "Rule already exists in table $TABLE, skipping: -t $TABLE $RULE"
|
||||||
|
else
|
||||||
|
echo "Adding iptables rule to table $TABLE: -t $TABLE $RULE"
|
||||||
|
iptables -t "$TABLE" $RULE
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Setup script
|
||||||
read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
|
read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
|
||||||
read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
|
read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
|
||||||
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
|
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
|
||||||
@ -44,6 +64,7 @@ fi
|
|||||||
if [ ! -f /etc/openvpn/myserver.conf ]; then
|
if [ ! -f /etc/openvpn/myserver.conf ]; then
|
||||||
tee /etc/openvpn/myserver.conf > /dev/null <<EOL
|
tee /etc/openvpn/myserver.conf > /dev/null <<EOL
|
||||||
|
|
||||||
|
#public-host $VPN_PUBLIC_HOST
|
||||||
port $VPN_PUBLIC_PORT
|
port $VPN_PUBLIC_PORT
|
||||||
proto udp
|
proto udp
|
||||||
dev tun
|
dev tun
|
||||||
@ -79,9 +100,86 @@ sudo sysctl -p /etc/sysctl.conf
|
|||||||
systemctl start openvpn@myserver
|
systemctl start openvpn@myserver
|
||||||
|
|
||||||
echo Settings up NAT rules...
|
echo Settings up NAT rules...
|
||||||
iptables -t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE
|
add_iptables_rule "-t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE"
|
||||||
iptables -A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT
|
add_iptables_rule "-A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT"
|
||||||
iptables -A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
add_iptables_rule "-A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT"
|
||||||
apt install iptables-persistent -y
|
apt install iptables-persistent -y
|
||||||
netfilter-persistent save
|
netfilter-persistent save
|
||||||
|
|
||||||
|
# Settings up helper scripts using Heredoc 'EOF'
|
||||||
|
cat << 'EOF' > /usr/local/bin/add-openvpn-client.sh
|
||||||
|
#!/bin/bash
|
||||||
|
# Make sure script is ran as root
|
||||||
|
if [[ $EUID -ne 0 ]]; then
|
||||||
|
exec sudo /bin/bash "$0" "$@"
|
||||||
|
fi
|
||||||
|
|
||||||
|
DIR=$(pwd)
|
||||||
|
for i in {1..255}; do
|
||||||
|
CLIENT_NAME="client$i"
|
||||||
|
if [ ! -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
VPN_SUBNET=$(grep -E '^server ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||||
|
VPN_PUBLIC_HOST=$(grep -E '^#public-host ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||||
|
VPN_PUBLIC_PORT=$(grep -E '^port ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||||
|
echo "Adding VPN client to $VPN_PUBLIC_HOST:$VPN_PUBLIC_PORT"
|
||||||
|
read -e -p "Enter client name: " -i "$CLIENT_NAME" CLIENT_NAME
|
||||||
|
if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
|
||||||
|
echo Client $CLIENT_NAME already exists...
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
read -e -p "Use static IP for this client? VPN subnet is $VPN_SUBNET (Leave empty for dynamic): " -i "" CLIENT_IP
|
||||||
|
if [ ! -z "${CLIENT_IP}" ]; then
|
||||||
|
echo Setting IP...
|
||||||
|
cat > "/etc/openvpn/ccd/$CLIENT_NAME" <<EOL
|
||||||
|
ifconfig-push $CLIENT_IP 255.255.255.0
|
||||||
|
EOL
|
||||||
|
fi
|
||||||
|
|
||||||
|
cd /etc/openvpn/easy-rsa
|
||||||
|
./easyrsa gen-req $CLIENT_NAME nopass
|
||||||
|
./easyrsa sign-req client $CLIENT_NAME
|
||||||
|
|
||||||
|
CA_CERT=$(cat "/etc/openvpn/ca.crt")
|
||||||
|
CLIENT_CERT=$(cat "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt")
|
||||||
|
CLIENT_KEY=$(cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT_NAME.key")
|
||||||
|
TA_KEY=$(cat "/etc/openvpn/ta.key")
|
||||||
|
|
||||||
|
cd "$DIR"
|
||||||
|
cat > $CLIENT_NAME.conf <<EOL
|
||||||
|
dev tun
|
||||||
|
persist-tun
|
||||||
|
persist-key
|
||||||
|
cipher AES-256-CBC
|
||||||
|
ncp-ciphers AES-256-GCM:AES-128-GCM
|
||||||
|
auth SHA1
|
||||||
|
# tls-client
|
||||||
|
client
|
||||||
|
resolv-retry infinite
|
||||||
|
remote $VPN_PUBLIC_HOST $VPN_PUBLIC_PORT udp
|
||||||
|
# remote-cert-tls server
|
||||||
|
float
|
||||||
|
verb 3
|
||||||
|
|
||||||
|
<ca>
|
||||||
|
$CA_CERT
|
||||||
|
</ca>
|
||||||
|
<cert>
|
||||||
|
$CLIENT_CERT
|
||||||
|
</cert>
|
||||||
|
<key>
|
||||||
|
$CLIENT_KEY
|
||||||
|
</key>
|
||||||
|
key-direction 1
|
||||||
|
<tls-auth>
|
||||||
|
$TA_KEY
|
||||||
|
</tls-auth>
|
||||||
|
EOL
|
||||||
|
EOF
|
||||||
|
chmod +755 /usr/local/bin/add-openvpn-client.sh
|
||||||
|
cat << 'EOF' > /usr/local/bin/remove-iptable-dups.sh
|
||||||
|
#!/bin/bash
|
||||||
|
iptables-save | awk '!seen[$0]++ || /^(\*|COMMIT)/' | iptables-restore
|
||||||
|
EOF
|
||||||
|
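Review bot: The client profile written by `cat > $CLIENT_NAME.conf <<EOL` inside the add-openvpn-client.sh heredoc (third hunk) embeds the client's private key and the tls-auth key but is created with the inherited umask, so with a typical root umask of 022 it lands world-readable in whatever directory the admin ran from; put `umask 077` before the redirect or add `chmod 600 "$CLIENT_NAME.conf"` right after the `EOL`, and quote `$CLIENT_NAME` there and in the two `./easyrsa` calls since it comes straight from `read`. In the same profile `# remote-cert-tls server` is left commented out, so the client never checks that the certificate it is offered was issued as a server certificate; unless there is a reason it cannot be enabled, uncomment it (the server certificate then has to be signed with easy-rsa's server type, which I cannot confirm from this hunk). In the first hunk, `add_iptables_rule` decides a rule already exists by grepping `iptables-save` text for the rule's own spelling, but iptables-save normalises several matches (the nft backend prints `-m state --state` as `-m conntrack --ctstate`, as far as I recall), so the two FORWARD rules are likely to be re-added on every run, which is presumably why remove-iptable-dups.sh exists; asking the kernel with the check flag is reliable: `if iptables -t "$TABLE" ${RULE/-A /-C } 2>/dev/null; then`, and the unused `RULE_ACTION`/`RULE_REST` assignments (which also mask the pipeline status behind `local`) can then go. Finally, remove-iptable-dups.sh is written but nothing in the hunk makes it executable, unlike the `chmod +755` given to add-openvpn-client.sh; the install script continues outside the hunk, so this may be handled later.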