# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"

# Make sure script is ran as root
if [[ $EUID -ne 0 ]]; then
	exec sudo /bin/bash "$0" "$@"
fi
read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
read -e -p "Enter VPN public portnumber: " -i "1194" VPN_PUBLIC_PORT

if [ $(dpkg-query -W -f='${Status}' openvpn 2>/dev/null | grep -c "ok installed") -eq 0 ]; then
        echo "Installing OpenVPN..."
        apt install openvpn easy-rsa -y
fi
if [ ! -d /etc/openvpn/easy-rsa ]; then
        echo "Setting up Certificate Authority"
        make-cadir /etc/openvpn/easy-rsa
        cd /etc/openvpn/easy-rsa
        ./easyrsa init-pki
        ./easyrsa build-ca
        ./easyrsa gen-req myservername nopass
        ./easyrsa gen-dh
        ./easyrsa sign-req server myservername
		cp pki/dh.pem pki/ca.crt pki/issued/myservername.crt pki/private/myservername.key /etc/openvpn/
fi
if [ ! -d /var/log/openvpn ]; then
	mkdir -p /var/log/openvpn
fi
if ufw status | grep -q "Status: active"; then
	echo Adding firewall rules...
	ufw allow $VPN_PUBLIC_PORT/udp
	ufw allow OpenSSH
	ufw enable
	ufw status verbose
	echo You might need to enable NAT / MASQUERADE forwarding in /etc/ufw/before.rules
	systemctl restart ufw
fi

if [ ! -f /etc/openvpn/myserver.conf ]; then
	tee /etc/openvpn/myserver.conf > /dev/null <<EOL

port $VPN_PUBLIC_PORT
proto udp
dev tun

ca ca.crt
cert myservername.crt
key myservername.key
dh dh.pem

server $VPN_SUBNET.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route $LAN_SUBNET.0 255.255.255.0"

keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
EOL
fi
if [ ! -f /etc/openvpn/ta.key ]; then
	openvpn --genkey secret /etc/openvpn/ta.key
fi

sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
systemctl start openvpn@myserver

echo Settings up NAT rules...
iptables -t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE
iptables -A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT
iptables -A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
apt install iptables-persistent -y
netfilter-persistent save