Revert "merged from master"

This reverts commit 331e0c1d17.
2018-01-08 18:23:45 +08:00 · 2018-01-08 18:23:45 +08:00 · 3cbefc8b1b
commit 3cbefc8b1b
parent b50fd7cec6
1 changed files with 85 additions and 107 deletions
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -24,9 +24,9 @@ dir_openvpn='/etc/openvpn'
 dir_easy="${dir_openvpn}/easy-rsa"
 dir_pki="${dir_easy}/pki"
 bin_easy="${dir_easy}/easyrsa"
-conf_client_tpl="${dir_openvpn}/client-template.txt"
+file_client_tpl="${dir_openvpn}/client-template.txt"
-conf_server="${dir_openvpn}/server.conf"
+file_openvpn_conf="${dir_openvpn}/server.conf"
-conf_iptables='/etc/sysconfig/iptables.rules'
+file_iptables='/etc/sysconfig/iptables.rules'
 ## function: config the firewall
 set_firewall(){
@ -46,7 +46,7 @@ echo 1 > /proc/sys/net/ipv4/ip_forward
 # Set NAT for the VPN subnet
 iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
 # Save persitent iptables rules
-iptables-save > $conf_iptables
+iptables-save > $file_iptables
 if pgrep firewalld; then
 	# We don't use --add-service=openvpn because that would only work with
 	# the default port. Using both permanent and not permanent rules to
@ -64,7 +64,7 @@ if iptables -L -n | grep -qE 'REJECT|DROP'; then
 	iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
 	iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 	# Save persitent OpenVPN rules
-	iptables-save > $conf_iptables
+	iptables-save > $file_iptables
 fi
 # If SELinux is enabled and a custom port was selected, we need this
 if hash sestatus 2>/dev/null; then
@ -83,82 +83,42 @@ fi
 ## function: generate the new client??.ovpn
 generate_newclient() {
 echo ""
 echo "Tell me a name for the client cert"
 echo "Please, use one word only, no special characters"
 echo "Here are the files that already exist,do not repeat that"
 tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
 read -p "Client name: " -e -i client CLIENT
 cd ${dir_easy}
 ${bin_easy} build-client-full $CLIENT nopass
 # Generates the custom client.ovpn
 # Where to write the custom client.ovpn?
-if [ -e /home/$CLIENT ]; then  # if $CLIENT is a user name
+if [ -e /home/$1 ]; then  # if $1 is a user name
-	homeDir="/home/$CLIENT"
+	homeDir="/home/$1"
 elif [ ${SUDO_USER} ]; then   # if not, use SUDO_USER
 	homeDir="/home/${SUDO_USER}"
 else  # if not SUDO_USER, use /root
 	homeDir="${dir_openvpn}"
 fi
 # Generates the custom client.ovpn
-file_client="$homeDir/$CLIENT.ovpn"
+file_client="$homeDir/$1.ovpn"
-cp ${conf_client_tpl} ${file_client}
+cp ${file_client_tpl} ${file_client}
 echo "<ca>" >> ${file_client}
 cat ${dir_pki}/ca.crt >> ${file_client}
 echo "</ca>" >> ${file_client}
 echo "<cert>" >> ${file_client}
-cat ${dir_pki}/issued/$CLIENT.crt >> ${file_client}
+cat ${dir_pki}/issued/$1.crt >> ${file_client}
 echo "</cert>" >> ${file_client}
 echo "<key>" >> ${file_client}
-cat ${dir_pki}/private/$CLIENT.key >> ${file_client}
+cat ${dir_pki}/private/$1.key >> ${file_client}
 echo "</key>" >> ${file_client}
 echo "key-direction 1" >> ${file_client}
 echo "<tls-auth>" >> ${file_client}
 cat ${dir_openvpn}/tls-auth.key >> ${file_client}
 echo "</tls-auth>" >> ${file_client}
 echo ""
 echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
 }
 ## function: revoke a exist client??.ovpn
 revoke_openvpn_client(){
 NUMBEROFCLIENTS=$(tail -n +2 ${file_index} | grep -c "^V")
 if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
 	echo ""
 	echo "You have no existing clients!"
 	exit 5
 fi
 echo ""
 echo "Select the existing client certificate you want to revoke"
 tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
 if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
 	read -p "Select one client [1]: " CLIENTNUMBER
 else
 	read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
 fi
 CLIENT=$(tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER:?empty-var}"p)
 cd ${dir_easy}
 ${bin_easy} --batch revoke $CLIENT
 EASYRSA_CRL_DAYS=3650 ${bin_easy} gen-crl
 rm -f ${dir_pki}/reqs/$CLIENT.req ${dir_pki}/private/$CLIENT.key ${dir_pki}/issued/$CLIENT.crt 
 #rm -f ${dir_openvpn}/crl.pem
 /bin/cp -f ${dir_pki}/crl.pem ${dir_openvpn}/crl.pem
 chmod 644 ${dir_openvpn}/crl.pem
 echo ""
 echo "Certificate for client $CLIENT revoked"
 echo "Exiting..."
 }
 ## function: install easyrsa 3.0.3
 install_easyrsa(){
 # An old version of easy-rsa was available by default in some openvpn packages
-rm -rf ${dir_easy}
+if [[ -d ${dir_easy}/ ]]; then
 	rm -rf ${dir_easy}/
 	mkdir -p ${dir_easy}
 else
 	mkdir -p ${dir_easy}
 fi
 # Get easy-rsa
 url_easy='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz'
 file_easy=${url_easy##*/}
@ -170,7 +130,7 @@ rm -rf ~/${file_easy}
 }
 ## function: install iptables for debian
-systemd_ipt_service(){
+install_ipt_service(){
 dir_ipt='/etc/iptables'
 file_ipt_svc='/etc/systemd/system/iptables.service'
@ -178,7 +138,7 @@ file_ipt_sh="${dir_ipt}/flush-iptables.sh"
 # Install iptables service
 if [[ ! -e ${file_ipt_svc} ]]; then
 	mkdir ${dir_ipt}
-	iptables-save > ${conf_iptables}
+	iptables-save > ${file_iptables}
 	echo "#!/bin/sh
 iptables -F
 iptables -X
@ -197,8 +157,8 @@ Before=network-pre.target
 Wants=network-pre.target
 [Service]
 Type=oneshot
-ExecStart=/sbin/iptables-restore ${conf_iptables}
+ExecStart=/sbin/iptables-restore ${file_iptables}
-ExecReload=/sbin/iptables-restore ${conf_iptables}
+ExecReload=/sbin/iptables-restore ${file_iptables}
 ExecStop=/etc/iptables/flush-iptables.sh
 RemainAfterExit=yes
 [Install]
@ -213,19 +173,6 @@ WantedBy=multi-user.target" > ${file_ipt_svc}
 fi
 }
 ##
 config_iptables(){
 	echo "Please manually set the firewall"
 	read -p "press any key continue..."
 }
 ##
 config_firewalld(){
 	echo "Please manually set the firewall"
 	read -p "press any key continue..."
 }
 ## function: install openvpn server
 install_openvpn(){
@ -390,17 +337,19 @@ if [[ "$OS" = 'debian' ]]; then
 	# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
 	## The we install OpenVPN
 	apt-get install openvpn iptables openssl wget ca-certificates curl -y
-	systemd_ipt_service ## call function
+	install_ipt_service ## call function
-elif [[ "$OS" = 'centos6' || "$OS" = 'centos7' || "$OS" = 'fedora' ]]; then
+elif [[ "$OS" = 'centos7' || "$OS" = 'fedora' ]]; then
-	if [[ "$OS" != 'fedora' ]]; then
+	if [[ "$OS" = 'centos7'  ]]; then
 		yum install epel-release -y
 	fi
 	yum --enablerepo=epel install openvpn iptables openssl wget ca-certificates curl -y
-	if [[ "$OS" = 'centos6' ]]; then 
+	# install_ipt_service ## call function
-		config_iptables ## call function
+	read -p "Please manually set the firewall,press anykey continue"
-	else
+elif [[ "$OS" = 'centos6' ]]; then
-		config_firewalld ## call function
+	yum install epel-release -y
-	fi
+	yum --enablerepo=epel install openvpn iptables openssl wget ca-certificates curl -y
 	# install_ipt_service ## call function
 	read -p "Please manually set the firewall,press anykey continue"
 else
 	# Else, the distro is ArchLinux
 	echo ""
@ -420,14 +369,13 @@ else
 	if [[ "$OS" = 'arch' ]]; then
 		# Install dependencies
 		pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
-		iptables-save > ${conf_iptables} # iptables won't start if this file does not exist
+		iptables-save > ${file_iptables} # iptables won't start if this file does not exist
 		systemctl daemon-reload
 		systemctl enable iptables
 		systemctl start iptables
 	fi
 fi
 # Find out if the machine uses nogroup or nobody for the permissionless group
 if grep -qs "^nogroup:" /etc/group; then
 	NOGROUP=nogroup
@ -466,7 +414,7 @@ topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 #client-config-dir ccd
-#route 10.8.0.0 255.255.255.252" >> ${conf_server}
+#route 10.8.0.0 255.255.255.252" >> ${file_openvpn_conf}
 # DNS resolvers
 case $DNS in
 	1)
@ -502,8 +450,8 @@ case $DNS in
 	echo 'push "dhcp-option DNS 176.103.130.130"'
 	echo 'push "dhcp-option DNS 176.103.130.131"'
 	;;
-esac >> ${conf_server}
+esac >> ${file_openvpn_conf}
-echo 'push "redirect-gateway def1 bypass-dhcp" '>> ${conf_server}
+echo 'push "redirect-gateway def1 bypass-dhcp" '>> ${file_openvpn_conf}
 echo "client-to-client
 crl-verify crl.pem
 ca ca.crt
@ -519,7 +467,7 @@ tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
 status openvpn-status.log
 log openvpn.log
 log-append openvpn.log
-verb 3" >> ${conf_server}
+verb 3" >> ${file_openvpn_conf}
 set_firewall ## call function
@ -572,11 +520,11 @@ if [[ "$IP" != "$EXTERNALIP" ]]; then
 fi
 # client-template.txt is created so we have a template to add further users later
-echo "client" > ${conf_client_tpl}
+echo "client" > ${file_client_tpl}
 if [[ "$PROTOCOL" = 'udp' ]]; then
-	echo "proto ${PROTOCOL}" >> ${conf_client_tpl}
+	echo "proto ${PROTOCOL}" >> ${file_client_tpl}
 elif [[ "$PROTOCOL" = 'tcp' ]]; then
-	echo "proto ${PROTOCOL}-client" >> ${conf_client_tpl}
+	echo "proto ${PROTOCOL}-client" >> ${file_client_tpl}
 fi
 echo "remote $IP $PORT
 dev tun
@ -592,7 +540,7 @@ tls-client
 tls-version-min 1.2
 tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
 setenv opt block-outside-dns
-verb 3" >> ${conf_client_tpl}
+verb 3" >> ${file_client_tpl}
 # call function Generate the custom client.ovpn
 generate_newclient "$CLIENT"
@ -609,8 +557,8 @@ remove_openvpn(){
 echo ""
 read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 if [[ 'y' = "$REMOVE" ]]; then
-	PORT=$(grep '^port ' ${conf_server} | cut -d " " -f 2)
+	PORT=$(grep '^port ' ${file_openvpn_conf} | cut -d " " -f 2)
-	PROTOCOL=$(grep '^proto ' ${conf_server} | cut -d " " -f 2)
+	PROTOCOL=$(grep '^proto ' ${file_openvpn_conf} | cut -d " " -f 2)
 	if pgrep firewalld; then
 		# Using both permanent and not permanent rules to avoid a firewalld reload.
 		firewall-cmd --zone=public --remove-port=$PORT/${PROTOCOL}
@ -621,10 +569,10 @@ if [[ 'y' = "$REMOVE" ]]; then
 	if iptables -L -n | grep -qE 'REJECT|DROP'; then
 		iptables -D INPUT -p ${PROTOCOL} --dport $PORT -j ACCEPT
 		iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
-		iptables-save > $conf_iptables
+		iptables-save > $file_iptables
 	fi
 	iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
-	iptables-save > $conf_iptables
+	iptables-save > $file_iptables
 	if hash sestatus 2>/dev/null; then
 		if sestatus | grep "Current mode" | grep -qs "enforcing"; then
 			if [[ "$PORT" != '1194' ]]; then
@ -648,13 +596,6 @@ else
 fi
 }
 config_openvpn_server(){
 :
 }
 config_openvpn_client(){
 :
 }
 config_openvpn(){
@ -662,7 +603,7 @@ while :
 do
 	clear
 	cat <<EOF
-OpenVPN-install (github.com/xiagw/OpenVPN-install)
+OpenVPN-install (github.com/Angristan/OpenVPN-install)
 Looks like OpenVPN is already installed
@ -676,11 +617,46 @@ EOF
 	read -p 'Select an option [1-4]: ' option
 	case $option in
 		1)
-		generate_newclient
+		echo ""
 		echo "Tell me a name for the client cert"
 		echo "Please, use one word only, no special characters"
 		echo "Here are the files that already exist,do not repeat that"
 		tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
 		read -p "Client name: " -e -i client CLIENT
 		cd ${dir_easy}
 		${bin_easy} build-client-full $CLIENT nopass
 		# Generates the custom client.ovpn
 		generate_newclient "$CLIENT"
 		echo ""
 		echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
 		exit
 		;;
 		2)
-		revoke_openvpn_client
+		NUMBEROFCLIENTS=$(tail -n +2 ${file_index} | grep -c "^V")
 		if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
 			echo ""
 			echo "You have no existing clients!"
 			exit 5
 		fi
 		echo ""
 		echo "Select the existing client certificate you want to revoke"
 		tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | nl -s ') '
 		if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
 			read -p "Select one client [1]: " CLIENTNUMBER
 		else
 			read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
 		fi
 		CLIENT=$(tail -n +2 ${file_index} | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER:?empty-var}"p)
 		cd ${dir_easy}
 		${bin_easy} --batch revoke $CLIENT
 		EASYRSA_CRL_DAYS=3650 ${bin_easy} gen-crl
 		rm -f ${dir_pki}/reqs/$CLIENT.req ${dir_pki}/private/$CLIENT.key ${dir_pki}/issued/$CLIENT.crt 
 		#rm -f ${dir_openvpn}/crl.pem
 		/bin/cp -f ${dir_pki}/crl.pem ${dir_openvpn}/crl.pem
 		chmod 644 ${dir_openvpn}/crl.pem
 		echo ""
 		echo "Certificate for client $CLIENT revoked"
 		echo "Exiting..."
 		exit
 		;;
 		3)
@ -702,6 +678,8 @@ if [[ -e /etc/debian_version ]]; then
 	# VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
 	source /etc/os-release
 	SYSCTL='/etc/sysctl.conf'
 	# if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
 	# if [[ "$VERSION_ID" != [789] && "$VERSION_ID" != '12.04' && "$VERSION_ID" != '14.04' && "$VERSION_ID" != '16.04' && "$VERSION_ID" != '16.10' && "$VERSION_ID" != '17.04' ]]; then
 	case "$VERSION_ID" in 
 	7|8|9|12.04|14.04|16.04|16.10|17.04)
 		:
@ -759,7 +737,7 @@ detect_os_ver ## call function
 detect_IP_NIC ## call function
 ## OpenVPN setup and first user creation
-if [[ -e ${conf_server} ]]; then
+if [[ -e ${file_openvpn_conf} ]]; then
 	config_openvpn ## call function
 else
 	install_openvpn ## call function