xiagw
parent
b50fd7cec6
commit
3cbefc8b1b
1 changed files with 85 additions and 107 deletions
|
|
@ -24,9 +24,9 @@ dir_openvpn='/etc/openvpn'
|
|||
dir_easy="${dir_openvpn}/easy-rsa"
|
||||
dir_pki="${dir_easy}/pki"
|
||||
bin_easy="${dir_easy}/easyrsa"
|
||||
conf_client_tpl="${dir_openvpn}/client-template.txt"
|
||||
conf_server="${dir_openvpn}/server.conf"
|
||||
conf_iptables='/etc/sysconfig/iptables.rules'
|
||||
file_client_tpl="${dir_openvpn}/client-template.txt"
|
||||
file_openvpn_conf="${dir_openvpn}/server.conf"
|
||||
file_iptables='/etc/sysconfig/iptables.rules'
|
||||
|
||||
## function: config the firewall
|
||||
set_firewall(){
|
||||
|
|
@ -46,7 +46,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
|
|||
# Set NAT for the VPN subnet
|
||||
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
|
||||
# Save persitent iptables rules
|
||||
iptables-save > $conf_iptables
|
||||
iptables-save > $file_iptables
|
||||
if pgrep firewalld; then
|
||||
# We don't use --add-service=openvpn because that would only work with
|
||||
# the default port. Using both permanent and not permanent rules to
|
||||
|
|
@ -64,7 +64,7 @@ if iptables -L -n | grep -qE 'REJECT|DROP'; then
|
|||
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
|
||||
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
# Save persitent OpenVPN rules
|
||||
iptables-save > $conf_iptables
|
||||
iptables-save > $file_iptables
|
||||
fi
|
||||
# If SELinux is enabled and a custom port was selected, we need this
|
||||
if hash sestatus 2>/dev/null; then
|
||||
|
|
@ -83,82 +83,42 @@ fi
|
|||
## function: generate the new client??.ovpn
|
||||
generate_newclient() {
|
||||
|
||||
echo ""
|
||||
echo "Tell me a name for the client cert"
|
||||
echo "Please, use one word only, no special characters"
|
||||
echo "Here are the files that already exist,do not repeat that"
|
||||
tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||
read -p "Client name: " -e -i client CLIENT
|
||||
cd ${dir_easy}
|
||||
${bin_easy} build-client-full $CLIENT nopass
|
||||
|
||||
# Generates the custom client.ovpn
|
||||
# Where to write the custom client.ovpn?
|
||||
if [ -e /home/$CLIENT ]; then # if $CLIENT is a user name
|
||||
homeDir="/home/$CLIENT"
|
||||
if [ -e /home/$1 ]; then # if $1 is a user name
|
||||
homeDir="/home/$1"
|
||||
elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER
|
||||
homeDir="/home/${SUDO_USER}"
|
||||
else # if not SUDO_USER, use /root
|
||||
homeDir="${dir_openvpn}"
|
||||
fi
|
||||
# Generates the custom client.ovpn
|
||||
file_client="$homeDir/$CLIENT.ovpn"
|
||||
cp ${conf_client_tpl} ${file_client}
|
||||
file_client="$homeDir/$1.ovpn"
|
||||
cp ${file_client_tpl} ${file_client}
|
||||
echo "<ca>" >> ${file_client}
|
||||
cat ${dir_pki}/ca.crt >> ${file_client}
|
||||
echo "</ca>" >> ${file_client}
|
||||
echo "<cert>" >> ${file_client}
|
||||
cat ${dir_pki}/issued/$CLIENT.crt >> ${file_client}
|
||||
cat ${dir_pki}/issued/$1.crt >> ${file_client}
|
||||
echo "</cert>" >> ${file_client}
|
||||
echo "<key>" >> ${file_client}
|
||||
cat ${dir_pki}/private/$CLIENT.key >> ${file_client}
|
||||
cat ${dir_pki}/private/$1.key >> ${file_client}
|
||||
echo "</key>" >> ${file_client}
|
||||
echo "key-direction 1" >> ${file_client}
|
||||
echo "<tls-auth>" >> ${file_client}
|
||||
cat ${dir_openvpn}/tls-auth.key >> ${file_client}
|
||||
echo "</tls-auth>" >> ${file_client}
|
||||
|
||||
echo ""
|
||||
echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
|
||||
|
||||
}
|
||||
|
||||
## function: revoke a exist client??.ovpn
|
||||
revoke_openvpn_client(){
|
||||
|
||||
NUMBEROFCLIENTS=$(tail -n +2 ${file_index} | grep -c "^V")
|
||||
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
|
||||
echo ""
|
||||
echo "You have no existing clients!"
|
||||
exit 5
|
||||
fi
|
||||
echo ""
|
||||
echo "Select the existing client certificate you want to revoke"
|
||||
tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
|
||||
read -p "Select one client [1]: " CLIENTNUMBER
|
||||
else
|
||||
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
||||
fi
|
||||
CLIENT=$(tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER:?empty-var}"p)
|
||||
cd ${dir_easy}
|
||||
${bin_easy} --batch revoke $CLIENT
|
||||
EASYRSA_CRL_DAYS=3650 ${bin_easy} gen-crl
|
||||
rm -f ${dir_pki}/reqs/$CLIENT.req ${dir_pki}/private/$CLIENT.key ${dir_pki}/issued/$CLIENT.crt
|
||||
#rm -f ${dir_openvpn}/crl.pem
|
||||
/bin/cp -f ${dir_pki}/crl.pem ${dir_openvpn}/crl.pem
|
||||
chmod 644 ${dir_openvpn}/crl.pem
|
||||
echo ""
|
||||
echo "Certificate for client $CLIENT revoked"
|
||||
echo "Exiting..."
|
||||
}
|
||||
|
||||
## function: install easyrsa 3.0.3
|
||||
install_easyrsa(){
|
||||
|
||||
# An old version of easy-rsa was available by default in some openvpn packages
|
||||
rm -rf ${dir_easy}
|
||||
mkdir -p ${dir_easy}
|
||||
if [[ -d ${dir_easy}/ ]]; then
|
||||
rm -rf ${dir_easy}/
|
||||
mkdir -p ${dir_easy}
|
||||
else
|
||||
mkdir -p ${dir_easy}
|
||||
fi
|
||||
# Get easy-rsa
|
||||
url_easy='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz'
|
||||
file_easy=${url_easy##*/}
|
||||
|
|
@ -170,7 +130,7 @@ rm -rf ~/${file_easy}
|
|||
}
|
||||
|
||||
## function: install iptables for debian
|
||||
systemd_ipt_service(){
|
||||
install_ipt_service(){
|
||||
|
||||
dir_ipt='/etc/iptables'
|
||||
file_ipt_svc='/etc/systemd/system/iptables.service'
|
||||
|
|
@ -178,7 +138,7 @@ file_ipt_sh="${dir_ipt}/flush-iptables.sh"
|
|||
# Install iptables service
|
||||
if [[ ! -e ${file_ipt_svc} ]]; then
|
||||
mkdir ${dir_ipt}
|
||||
iptables-save > ${conf_iptables}
|
||||
iptables-save > ${file_iptables}
|
||||
echo "#!/bin/sh
|
||||
iptables -F
|
||||
iptables -X
|
||||
|
|
@ -197,8 +157,8 @@ Before=network-pre.target
|
|||
Wants=network-pre.target
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/sbin/iptables-restore ${conf_iptables}
|
||||
ExecReload=/sbin/iptables-restore ${conf_iptables}
|
||||
ExecStart=/sbin/iptables-restore ${file_iptables}
|
||||
ExecReload=/sbin/iptables-restore ${file_iptables}
|
||||
ExecStop=/etc/iptables/flush-iptables.sh
|
||||
RemainAfterExit=yes
|
||||
[Install]
|
||||
|
|
@ -213,19 +173,6 @@ WantedBy=multi-user.target" > ${file_ipt_svc}
|
|||
fi
|
||||
}
|
||||
|
||||
##
|
||||
config_iptables(){
|
||||
echo "Please manually set the firewall"
|
||||
read -p "press any key continue..."
|
||||
}
|
||||
|
||||
##
|
||||
config_firewalld(){
|
||||
echo "Please manually set the firewall"
|
||||
read -p "press any key continue..."
|
||||
}
|
||||
|
||||
|
||||
## function: install openvpn server
|
||||
install_openvpn(){
|
||||
|
||||
|
|
@ -390,17 +337,19 @@ if [[ "$OS" = 'debian' ]]; then
|
|||
# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
|
||||
## The we install OpenVPN
|
||||
apt-get install openvpn iptables openssl wget ca-certificates curl -y
|
||||
systemd_ipt_service ## call function
|
||||
elif [[ "$OS" = 'centos6' || "$OS" = 'centos7' || "$OS" = 'fedora' ]]; then
|
||||
if [[ "$OS" != 'fedora' ]]; then
|
||||
install_ipt_service ## call function
|
||||
elif [[ "$OS" = 'centos7' || "$OS" = 'fedora' ]]; then
|
||||
if [[ "$OS" = 'centos7' ]]; then
|
||||
yum install epel-release -y
|
||||
fi
|
||||
yum --enablerepo=epel install openvpn iptables openssl wget ca-certificates curl -y
|
||||
if [[ "$OS" = 'centos6' ]]; then
|
||||
config_iptables ## call function
|
||||
else
|
||||
config_firewalld ## call function
|
||||
fi
|
||||
# install_ipt_service ## call function
|
||||
read -p "Please manually set the firewall,press anykey continue"
|
||||
elif [[ "$OS" = 'centos6' ]]; then
|
||||
yum install epel-release -y
|
||||
yum --enablerepo=epel install openvpn iptables openssl wget ca-certificates curl -y
|
||||
# install_ipt_service ## call function
|
||||
read -p "Please manually set the firewall,press anykey continue"
|
||||
else
|
||||
# Else, the distro is ArchLinux
|
||||
echo ""
|
||||
|
|
@ -420,14 +369,13 @@ else
|
|||
if [[ "$OS" = 'arch' ]]; then
|
||||
# Install dependencies
|
||||
pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
|
||||
iptables-save > ${conf_iptables} # iptables won't start if this file does not exist
|
||||
iptables-save > ${file_iptables} # iptables won't start if this file does not exist
|
||||
systemctl daemon-reload
|
||||
systemctl enable iptables
|
||||
systemctl start iptables
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
# Find out if the machine uses nogroup or nobody for the permissionless group
|
||||
if grep -qs "^nogroup:" /etc/group; then
|
||||
NOGROUP=nogroup
|
||||
|
|
@ -466,7 +414,7 @@ topology subnet
|
|||
server 10.8.0.0 255.255.255.0
|
||||
ifconfig-pool-persist ipp.txt
|
||||
#client-config-dir ccd
|
||||
#route 10.8.0.0 255.255.255.252" >> ${conf_server}
|
||||
#route 10.8.0.0 255.255.255.252" >> ${file_openvpn_conf}
|
||||
# DNS resolvers
|
||||
case $DNS in
|
||||
1)
|
||||
|
|
@ -502,8 +450,8 @@ case $DNS in
|
|||
echo 'push "dhcp-option DNS 176.103.130.130"'
|
||||
echo 'push "dhcp-option DNS 176.103.130.131"'
|
||||
;;
|
||||
esac >> ${conf_server}
|
||||
echo 'push "redirect-gateway def1 bypass-dhcp" '>> ${conf_server}
|
||||
esac >> ${file_openvpn_conf}
|
||||
echo 'push "redirect-gateway def1 bypass-dhcp" '>> ${file_openvpn_conf}
|
||||
echo "client-to-client
|
||||
crl-verify crl.pem
|
||||
ca ca.crt
|
||||
|
|
@ -519,7 +467,7 @@ tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
|||
status openvpn-status.log
|
||||
log openvpn.log
|
||||
log-append openvpn.log
|
||||
verb 3" >> ${conf_server}
|
||||
verb 3" >> ${file_openvpn_conf}
|
||||
|
||||
set_firewall ## call function
|
||||
|
||||
|
|
@ -572,11 +520,11 @@ if [[ "$IP" != "$EXTERNALIP" ]]; then
|
|||
fi
|
||||
|
||||
# client-template.txt is created so we have a template to add further users later
|
||||
echo "client" > ${conf_client_tpl}
|
||||
echo "client" > ${file_client_tpl}
|
||||
if [[ "$PROTOCOL" = 'udp' ]]; then
|
||||
echo "proto ${PROTOCOL}" >> ${conf_client_tpl}
|
||||
echo "proto ${PROTOCOL}" >> ${file_client_tpl}
|
||||
elif [[ "$PROTOCOL" = 'tcp' ]]; then
|
||||
echo "proto ${PROTOCOL}-client" >> ${conf_client_tpl}
|
||||
echo "proto ${PROTOCOL}-client" >> ${file_client_tpl}
|
||||
fi
|
||||
echo "remote $IP $PORT
|
||||
dev tun
|
||||
|
|
@ -592,7 +540,7 @@ tls-client
|
|||
tls-version-min 1.2
|
||||
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
|
||||
setenv opt block-outside-dns
|
||||
verb 3" >> ${conf_client_tpl}
|
||||
verb 3" >> ${file_client_tpl}
|
||||
|
||||
# call function Generate the custom client.ovpn
|
||||
generate_newclient "$CLIENT"
|
||||
|
|
@ -609,8 +557,8 @@ remove_openvpn(){
|
|||
echo ""
|
||||
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
|
||||
if [[ 'y' = "$REMOVE" ]]; then
|
||||
PORT=$(grep '^port ' ${conf_server} | cut -d " " -f 2)
|
||||
PROTOCOL=$(grep '^proto ' ${conf_server} | cut -d " " -f 2)
|
||||
PORT=$(grep '^port ' ${file_openvpn_conf} | cut -d " " -f 2)
|
||||
PROTOCOL=$(grep '^proto ' ${file_openvpn_conf} | cut -d " " -f 2)
|
||||
if pgrep firewalld; then
|
||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||
firewall-cmd --zone=public --remove-port=$PORT/${PROTOCOL}
|
||||
|
|
@ -621,10 +569,10 @@ if [[ 'y' = "$REMOVE" ]]; then
|
|||
if iptables -L -n | grep -qE 'REJECT|DROP'; then
|
||||
iptables -D INPUT -p ${PROTOCOL} --dport $PORT -j ACCEPT
|
||||
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
|
||||
iptables-save > $conf_iptables
|
||||
iptables-save > $file_iptables
|
||||
fi
|
||||
iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
|
||||
iptables-save > $conf_iptables
|
||||
iptables-save > $file_iptables
|
||||
if hash sestatus 2>/dev/null; then
|
||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||
if [[ "$PORT" != '1194' ]]; then
|
||||
|
|
@ -648,13 +596,6 @@ else
|
|||
fi
|
||||
}
|
||||
|
||||
config_openvpn_server(){
|
||||
:
|
||||
}
|
||||
|
||||
config_openvpn_client(){
|
||||
:
|
||||
}
|
||||
|
||||
config_openvpn(){
|
||||
|
||||
|
|
@ -662,7 +603,7 @@ while :
|
|||
do
|
||||
clear
|
||||
cat <<EOF
|
||||
OpenVPN-install (github.com/xiagw/OpenVPN-install)
|
||||
OpenVPN-install (github.com/Angristan/OpenVPN-install)
|
||||
|
||||
Looks like OpenVPN is already installed
|
||||
|
||||
|
|
@ -676,11 +617,46 @@ EOF
|
|||
read -p 'Select an option [1-4]: ' option
|
||||
case $option in
|
||||
1)
|
||||
generate_newclient
|
||||
echo ""
|
||||
echo "Tell me a name for the client cert"
|
||||
echo "Please, use one word only, no special characters"
|
||||
echo "Here are the files that already exist,do not repeat that"
|
||||
tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||
read -p "Client name: " -e -i client CLIENT
|
||||
cd ${dir_easy}
|
||||
${bin_easy} build-client-full $CLIENT nopass
|
||||
# Generates the custom client.ovpn
|
||||
generate_newclient "$CLIENT"
|
||||
echo ""
|
||||
echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
|
||||
exit
|
||||
;;
|
||||
2)
|
||||
revoke_openvpn_client
|
||||
NUMBEROFCLIENTS=$(tail -n +2 ${file_index} | grep -c "^V")
|
||||
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
|
||||
echo ""
|
||||
echo "You have no existing clients!"
|
||||
exit 5
|
||||
fi
|
||||
echo ""
|
||||
echo "Select the existing client certificate you want to revoke"
|
||||
tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
|
||||
read -p "Select one client [1]: " CLIENTNUMBER
|
||||
else
|
||||
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
||||
fi
|
||||
CLIENT=$(tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER:?empty-var}"p)
|
||||
cd ${dir_easy}
|
||||
${bin_easy} --batch revoke $CLIENT
|
||||
EASYRSA_CRL_DAYS=3650 ${bin_easy} gen-crl
|
||||
rm -f ${dir_pki}/reqs/$CLIENT.req ${dir_pki}/private/$CLIENT.key ${dir_pki}/issued/$CLIENT.crt
|
||||
#rm -f ${dir_openvpn}/crl.pem
|
||||
/bin/cp -f ${dir_pki}/crl.pem ${dir_openvpn}/crl.pem
|
||||
chmod 644 ${dir_openvpn}/crl.pem
|
||||
echo ""
|
||||
echo "Certificate for client $CLIENT revoked"
|
||||
echo "Exiting..."
|
||||
exit
|
||||
;;
|
||||
3)
|
||||
|
|
@ -702,6 +678,8 @@ if [[ -e /etc/debian_version ]]; then
|
|||
# VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
|
||||
source /etc/os-release
|
||||
SYSCTL='/etc/sysctl.conf'
|
||||
# if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
|
||||
# if [[ "$VERSION_ID" != [789] && "$VERSION_ID" != '12.04' && "$VERSION_ID" != '14.04' && "$VERSION_ID" != '16.04' && "$VERSION_ID" != '16.10' && "$VERSION_ID" != '17.04' ]]; then
|
||||
case "$VERSION_ID" in
|
||||
7|8|9|12.04|14.04|16.04|16.10|17.04)
|
||||
:
|
||||
|
|
@ -759,7 +737,7 @@ detect_os_ver ## call function
|
|||
detect_IP_NIC ## call function
|
||||
|
||||
## OpenVPN setup and first user creation
|
||||
if [[ -e ${conf_server} ]]; then
|
||||
if [[ -e ${file_openvpn_conf} ]]; then
|
||||
config_openvpn ## call function
|
||||
else
|
||||
install_openvpn ## call function
|
||||
|
|
|
|||
Loading…
Reference in a new issue