88 lines
2.6 KiB
Bash
88 lines
2.6 KiB
Bash
# Install using: sudo su -c "bash <(wget -qO- /url/to/install-openvpn-server.sh)"
|
|
|
|
# Make sure script is ran as root
|
|
if [[ $EUID -ne 0 ]]; then
|
|
exec sudo /bin/bash "$0" "$@"
|
|
fi
|
|
read -e -p "Enter lan NIC: " -i $(ip route | grep default | sed -e 's/^.*dev.//' -e 's/.proto.*//') NIC_NAME
|
|
read -e -p "Enter VPN subnet: " -i "172.19.100" VPN_SUBNET
|
|
read -e -p "Enter LAN subnet: " -i "192.168.0" LAN_SUBNET
|
|
read -e -p "Enter VPN public hostname: " -i "home.myspace.nu" VPN_PUBLIC_HOST
|
|
read -e -p "Enter VPN public portnumber: " -i "1194" VPN_PUBLIC_PORT
|
|
|
|
if [ $(dpkg-query -W -f='${Status}' openvpn 2>/dev/null | grep -c "ok installed") -eq 0 ]; then
|
|
echo "Installing OpenVPN..."
|
|
apt install openvpn easy-rsa -y
|
|
fi
|
|
if [ ! -d /etc/openvpn/easy-rsa ]; then
|
|
echo "Setting up Certificate Authority"
|
|
make-cadir /etc/openvpn/easy-rsa
|
|
cd /etc/openvpn/easy-rsa
|
|
./easyrsa init-pki
|
|
./easyrsa build-ca
|
|
./easyrsa gen-req myservername nopass
|
|
./easyrsa gen-dh
|
|
./easyrsa sign-req server myservername
|
|
cp pki/dh.pem pki/ca.crt pki/issued/myservername.crt pki/private/myservername.key /etc/openvpn/
|
|
fi
|
|
if [ ! -d /var/log/openvpn ]; then
|
|
mkdir -p /var/log/openvpn
|
|
fi
|
|
if [ ! -d /etc/openvpn/ccd ]; then
|
|
mkdir -p /etc/openvpn/ccd
|
|
fi
|
|
if ufw status | grep -q "Status: active"; then
|
|
echo Adding firewall rules...
|
|
ufw allow $VPN_PUBLIC_PORT/udp
|
|
ufw allow OpenSSH
|
|
ufw enable
|
|
ufw status verbose
|
|
echo You might need to enable NAT / MASQUERADE forwarding in /etc/ufw/before.rules
|
|
systemctl restart ufw
|
|
fi
|
|
|
|
if [ ! -f /etc/openvpn/myserver.conf ]; then
|
|
tee /etc/openvpn/myserver.conf > /dev/null <<EOL
|
|
|
|
port $VPN_PUBLIC_PORT
|
|
proto udp
|
|
dev tun
|
|
|
|
ca ca.crt
|
|
cert myservername.crt
|
|
key myservername.key
|
|
dh dh.pem
|
|
|
|
server $VPN_SUBNET.0 255.255.255.0
|
|
ifconfig-pool-persist /var/log/openvpn/ipp.txt
|
|
client-config-dir /etc/openvpn/ccd
|
|
topology subnet
|
|
ifconfig-pool $VPN_SUBNET.2 $VPN_SUBNET.126
|
|
push "route $LAN_SUBNET.0 255.255.255.0"
|
|
|
|
keepalive 10 120
|
|
tls-auth ta.key 0
|
|
cipher AES-256-CBC
|
|
persist-key
|
|
persist-tun
|
|
status /var/log/openvpn/openvpn-status.log
|
|
verb 3
|
|
explicit-exit-notify 1
|
|
EOL
|
|
fi
|
|
if [ ! -f /etc/openvpn/ta.key ]; then
|
|
openvpn --genkey secret /etc/openvpn/ta.key
|
|
fi
|
|
|
|
sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
|
|
sudo sysctl -p /etc/sysctl.conf
|
|
systemctl start openvpn@myserver
|
|
|
|
echo Settings up NAT rules...
|
|
iptables -t nat -A POSTROUTING -s $VPN_SUBNET.0/24 -o $NIC_NAME -j MASQUERADE
|
|
iptables -A FORWARD -i tun0 -o $NIC_NAME -j ACCEPT
|
|
iptables -A FORWARD -i $NIC_NAME -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
apt install iptables-persistent -y
|
|
netfilter-persistent save
|
|
|