Refactor update

This commit is contained in:
randomshell 2018-09-14 15:15:05 +02:00
parent 3f377de681
commit e8352c40a4


@ -39,6 +39,7 @@ function checkOS () {
echo "However, if you're using Debian unstable/testing, or Ubuntu beta," echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
echo "then you can continue, a recent version of OpenVPN is available on these." echo "then you can continue, a recent version of OpenVPN is available on these."
echo "Keep in mind they are not supported, though." echo "Keep in mind they are not supported, though."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -rp "Continue ? [y/n]: " -e local CONTINUE read -rp "Continue ? [y/n]: " -e local CONTINUE
done done
@ -70,6 +71,7 @@ function initialCheck () {
echo "Sorry, you need to run this as root" echo "Sorry, you need to run this as root"
exit 1 exit 1
fi fi
if ! tunAvailable; then if ! tunAvailable; then
echo "TUN is not available" echo "TUN is not available"
exit 1 exit 1
@ -91,7 +93,7 @@ function installEasyRsa () {
rm -f ~/EasyRSA-3.0.4.tgz rm -f ~/EasyRSA-3.0.4.tgz
} }
function newclient () { function newClient () {
echo "" echo ""
echo "Do you want to protect the configuration file with a password?" echo "Do you want to protect the configuration file with a password?"
echo "(e.g. encrypt the private key with a password)" echo "(e.g. encrypt the private key with a password)"
@ -129,6 +131,7 @@ function newclient () {
else # if not SUDO_USER, use /root else # if not SUDO_USER, use /root
homeDir="/root" homeDir="/root"
fi fi
# Generates the custom client.ovpn # Generates the custom client.ovpn
cp /etc/openvpn/client-template.txt "$homeDir/$client.ovpn" cp /etc/openvpn/client-template.txt "$homeDir/$client.ovpn"
{ {
@ -155,6 +158,108 @@ function newclient () {
exit exit
} }
function revokeClient() {
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 5
fi
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER
else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -f pki/reqs/$CLIENT.req
rm -f pki/private/$CLIENT.key
rm -f pki/issued/$CLIENT.crt
rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
rm -f /root/$CLIENT.ovpn 2>/dev/null
echo ""
echo "Certificate for client $CLIENT revoked"
echo "Exiting..."
exit
}
function removeOpenVPN() {
echo ""
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then
# Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --zone=public --remove-port=$PORT/udp
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then
if [[ "$PROTOCOL" = 'udp' ]]; then
iptables -D INPUT -p udp --dport $PORT -j ACCEPT
else
iptables -D INPUT -p tcp --dport $PORT -j ACCEPT
fi
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables-save > $IPTABLES
fi
iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
iptables-save > $IPTABLES
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp $PORT
fi
fi
fi
if [[ "$OS" = 'debian' ]]; then
apt-get autoremove --purge -y openvpn
elif [[ "$OS" = 'arch' ]]; then
pacman -R openvpn --noconfirm
else
yum remove openvpn -y
fi
# Remove generated ovpn profiles from home directory
OVPNS=$(ls /etc/openvpn/easy-rsa/pki/issued | awk -F "." {'print $1'})
for ovpn in $OVPNS
do
rm $(find /home -maxdepth 2 | grep $ovpn.ovpn) 2>/dev/null
rm /root/$ovpn.ovpn 2>/dev/null
done
rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn*
echo ""
echo "OpenVPN removed!"
else
echo ""
echo "Removal aborted!"
fi
exit
}
########################################## ##########################################
############### MAIN ############### ############### MAIN ###############
########################################## ##########################################
@ -182,99 +287,24 @@ if [[ -e /etc/openvpn/server.conf ]]; then
case $option in case $option in
1) 1)
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient newClient
;; ;;
2) 2)
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") # Revokes existing certificate
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then revokeClient
echo ""
echo "You have no existing clients!"
exit 5
fi
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -rp "Select one client [1]: " CLIENTNUMBER
else
read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -f pki/reqs/$CLIENT.req
rm -f pki/private/$CLIENT.key
rm -f pki/issued/$CLIENT.crt
rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
rm -f /root/$CLIENT.ovpn 2>/dev/null
echo ""
echo "Certificate for client $CLIENT revoked"
echo "Exiting..."
exit
;; ;;
3) 3)
echo "" # Remove OpenVPN
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE removeOpenVPN
if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) ;;
if pgrep firewalld; then 4)
# Using both permanent and not permanent rules to avoid a firewalld reload. exit
firewall-cmd --zone=public --remove-port=$PORT/udp
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then
if [[ "$PROTOCOL" = 'udp' ]]; then
iptables -D INPUT -p udp --dport $PORT -j ACCEPT
else
iptables -D INPUT -p tcp --dport $PORT -j ACCEPT
fi
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables-save > $IPTABLES
fi
iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
iptables-save > $IPTABLES
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp $PORT
fi
fi
fi
if [[ "$OS" = 'debian' ]]; then
apt-get autoremove --purge -y openvpn
elif [[ "$OS" = 'arch' ]]; then
pacman -R openvpn --noconfirm
else
yum remove openvpn -y
fi
OVPNS=$(ls /etc/openvpn/easy-rsa/pki/issued | awk -F "." {'print $1'})
for i in $OVPNS
do
rm $(find /home -maxdepth 2 | grep $i.ovpn) 2>/dev/null
rm /root/$i.ovpn 2>/dev/null
done
rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn*
echo ""
echo "OpenVPN removed!"
else
echo ""
echo "Removal aborted!"
fi
exit
;; ;;
4) exit;;
esac esac
done done
else else
@ -298,22 +328,27 @@ else
echo " 1) Default: 1194" echo " 1) Default: 1194"
echo " 2) Custom" echo " 2) Custom"
echo " 3) Random [49152-65535]" echo " 3) Random [49152-65535]"
until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do until [[ "$PORT_CHOICE" =~ ^[1-3]$ ]]; do
read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE read -p "Port choice [1-3]: " -e -i 1 PORT_CHOICE
done done
case $PORT_CHOICE in case $PORT_CHOICE in
1) 1)
PORT="1194" PORT="1194"
;; ;;
2) 2)
until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do until [[ "$PORT" =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 -a "$PORT" -le 65535 ]; do
read -p "Custom port [1-65535]: " -e -i 1194 PORT read -p "Custom port [1-65535]: " -e -i 1194 PORT
done done
;; ;;
3) 3)
# Generate random number within private ports range # Generate random number within private ports range
PORT=$(shuf -i49152-65535 -n1) PORT=$(shuf -i49152-65535 -n1)
echo "Random Port: $PORT" echo "Random Port: $PORT"
;; ;;
esac esac
@ -323,12 +358,15 @@ else
echo "This server is behind NAT. What is the public IPv4 address or hostname?" echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -rp "Public IP address / hostname: " -e PUBLICIP read -rp "Public IP address / hostname: " -e PUBLICIP
fi fi
echo "" echo ""
echo "What protocol do you want for OpenVPN?" echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do
read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
done done
echo "" echo ""
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers (from /etc/resolv.conf)" echo " 1) Current system resolvers (from /etc/resolv.conf)"
@ -340,9 +378,11 @@ else
echo " 7) Google (Anycast: worldwide)" echo " 7) Google (Anycast: worldwide)"
echo " 8) Yandex Basic (Russia)" echo " 8) Yandex Basic (Russia)"
echo " 9) AdGuard DNS (Russia)" echo " 9) AdGuard DNS (Russia)"
until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do
read -rp "DNS [1-9]: " -e -i 1 DNS read -rp "DNS [1-9]: " -e -i 1 DNS
done done
echo "" echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
echo "the encryption in OpenVPN and the choices I made in this script." echo "the encryption in OpenVPN and the choices I made in this script."
@ -359,90 +399,117 @@ else
echo " 5) CAMELLIA-192-CBC" echo " 5) CAMELLIA-192-CBC"
echo " 6) CAMELLIA-256-CBC" echo " 6) CAMELLIA-256-CBC"
echo " 7) SEED-CBC" echo " 7) SEED-CBC"
until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do
read -rp "Cipher [1-7]: " -e -i 1 CIPHER read -rp "Cipher [1-7]: " -e -i 1 CIPHER
done done
case $CIPHER in case $CIPHER in
1) 1)
CIPHER="cipher AES-128-CBC" CIPHER="cipher AES-128-CBC"
;; ;;
2) 2)
CIPHER="cipher AES-192-CBC" CIPHER="cipher AES-192-CBC"
;; ;;
3) 3)
CIPHER="cipher AES-256-CBC" CIPHER="cipher AES-256-CBC"
;; ;;
4) 4)
CIPHER="cipher CAMELLIA-128-CBC" CIPHER="cipher CAMELLIA-128-CBC"
;; ;;
5) 5)
CIPHER="cipher CAMELLIA-192-CBC" CIPHER="cipher CAMELLIA-192-CBC"
;; ;;
6) 6)
CIPHER="cipher CAMELLIA-256-CBC" CIPHER="cipher CAMELLIA-256-CBC"
;; ;;
7) 7)
CIPHER="cipher SEED-CBC" CIPHER="cipher SEED-CBC"
;; ;;
esac esac
echo "" echo ""
echo "Choose what size of Diffie-Hellman key you want to use:" echo "Choose what size of Diffie-Hellman key you want to use:"
echo " 1) 2048 bits (fastest)" echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)" echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)" echo " 3) 4096 bits (most secure)"
until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do
read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
done done
case $DH_KEY_SIZE in case $DH_KEY_SIZE in
1) 1)
DH_KEY_SIZE="2048" DH_KEY_SIZE="2048"
;; ;;
2) 2)
DH_KEY_SIZE="3072" DH_KEY_SIZE="3072"
;; ;;
3) 3)
DH_KEY_SIZE="4096" DH_KEY_SIZE="4096"
;; ;;
esac esac
echo "" echo ""
echo "Choose what size of RSA key you want to use:" echo "Choose what size of RSA key you want to use:"
echo " 1) 2048 bits (fastest)" echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)" echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)" echo " 3) 4096 bits (most secure)"
until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do
read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
done done
case $RSA_KEY_SIZE in case $RSA_KEY_SIZE in
1) 1)
RSA_KEY_SIZE="2048" RSA_KEY_SIZE="2048"
;; ;;
2) 2)
RSA_KEY_SIZE="3072" RSA_KEY_SIZE="3072"
;; ;;
3) 3)
RSA_KEY_SIZE="4096" RSA_KEY_SIZE="4096"
;; ;;
esac esac
echo "" echo ""
echo "Do you want to protect the configuration file with a password?" echo "Do you want to protect the configuration file with a password?"
echo "(e.g. encrypt the private key with a password)" echo "(e.g. encrypt the private key with a password)"
echo " 1) Add a passwordless client" echo " 1) Add a passwordless client"
echo " 2) Use a password for the client" echo " 2) Use a password for the client"
until [[ "$pass" =~ ^[1-2]$ ]]; do until [[ "$pass" =~ ^[1-2]$ ]]; do
read -rp "Select an option [1-2]: " -e -i 1 pass read -rp "Select an option [1-2]: " -e -i 1 pass
done done
echo "" echo ""
echo "Finally, tell me a name for the client certificate and configuration" echo "Finally, tell me a name for the client certificate and configuration"
echo "Use one word only, no special characters" echo "Use one word only, no special characters"
until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do until [[ "$CLIENT" =~ ^[a-zA-Z0-9_]+$ ]]; do
read -rp "Client name: " -e -i client CLIENT read -rp "Client name: " -e -i client CLIENT
done done
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates gnupg -y apt-get install ca-certificates gnupg -y
# We add the OpenVPN repo to get the latest version. # We add the OpenVPN repo to get the latest version.
# Debian 7 # Debian 7
if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
@ -450,25 +517,31 @@ else
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
# Debian 8 # Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update apt update
fi fi
# Ubuntu 14.04 # Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update apt-get update
fi fi
# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository. # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
# The we install OpenVPN
# Then we install OpenVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y apt-get install openvpn iptables openssl wget ca-certificates curl -y
# Install iptables service # Install iptables service
if [[ ! -e /etc/systemd/system/iptables.service ]]; then if [[ ! -e /etc/systemd/system/iptables.service ]]; then
mkdir /etc/iptables mkdir /etc/iptables
iptables-save > /etc/iptables/iptables.rules iptables-save > /etc/iptables/iptables.rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -F iptables -F
iptables -X iptables -X
@ -479,7 +552,9 @@ iptables -t mangle -X
iptables -P INPUT ACCEPT iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
chmod +x /etc/iptables/flush-iptables.sh chmod +x /etc/iptables/flush-iptables.sh
echo "[Unit] echo "[Unit]
Description=Packet Filtering Framework Description=Packet Filtering Framework
DefaultDependencies=no DefaultDependencies=no
@ -493,18 +568,23 @@ ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables.service systemctl enable iptables.service
fi fi
elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then
if [[ "$OS" = 'centos' ]]; then if [[ "$OS" = 'centos' ]]; then
yum install epel-release -y yum install epel-release -y
fi fi
yum install openvpn iptables openssl wget ca-certificates curl -y yum install openvpn iptables openssl wget ca-certificates curl -y
# Install iptables service # Install iptables service
if [[ ! -e /etc/systemd/system/iptables.service ]]; then if [[ ! -e /etc/systemd/system/iptables.service ]]; then
mkdir /etc/iptables mkdir /etc/iptables
iptables-save > /etc/iptables/iptables.rules iptables-save > /etc/iptables/iptables.rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -F iptables -F
iptables -X iptables -X
@ -515,7 +595,9 @@ iptables -t mangle -X
iptables -P INPUT ACCEPT iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
chmod +x /etc/iptables/flush-iptables.sh chmod +x /etc/iptables/flush-iptables.sh
echo "[Unit] echo "[Unit]
Description=Packet Filtering Framework Description=Packet Filtering Framework
DefaultDependencies=no DefaultDependencies=no
@ -529,8 +611,10 @@ ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables.service systemctl enable iptables.service
# Disable firewalld to allow iptables to start upon reboot # Disable firewalld to allow iptables to start upon reboot
systemctl disable firewalld systemctl disable firewalld
systemctl mask firewalld systemctl mask firewalld
@ -543,9 +627,11 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
echo "Not doing that could cause problems between dependencies, or missing files in repositories." echo "Not doing that could cause problems between dependencies, or missing files in repositories."
echo "" echo ""
echo "Continuing will update your installed packages and install needed ones." echo "Continuing will update your installed packages and install needed ones."
until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do
read -rp "Continue ? [y/n]: " -e -i y CONTINUE read -rp "Continue ? [y/n]: " -e -i y CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !" echo "Ok, bye !"
exit 4 exit 4
@ -555,11 +641,13 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
# Install dependencies # Install dependencies
pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables systemctl enable iptables
systemctl start iptables systemctl start iptables
fi fi
fi fi
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup NOGROUP=nogroup
@ -571,34 +659,44 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/ rm -rf /etc/openvpn/easy-rsa/
fi fi
# Install easy-rsa # Install easy-rsa
installEasyRsa installEasyRsa
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)" SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates # Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
openssl dhparam -out dh.pem $DH_KEY_SIZE openssl dhparam -out dh.pem $DH_KEY_SIZE
./easyrsa build-server-full $SERVER_NAME nopass ./easyrsa build-server-full $SERVER_NAME nopass
case $pass in case $pass in
1) 1)
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
;; ;;
2) 2)
echo "⚠️ You will be asked for the client password below ⚠️" echo "⚠️ You will be asked for the client password below ⚠️"
./easyrsa build-client-full $CLIENT ./easyrsa build-client-full $CLIENT
;; ;;
esac esac
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# generate tls-auth key # generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/tls-auth.key
# Move all the generated files # Move all the generated files
cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
# Make cert revocation list readable for non-root # Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
@ -614,52 +712,64 @@ keepalive 10 120
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
# DNS resolvers # DNS resolvers
case $DNS in case $DNS in
1) 1)
# Locate the proper resolv.conf # Locate the proper resolv.conf
# Needed for systems running systemd-resolved # Needed for systems running systemd-resolved
if grep -q "127.0.0.53" "/etc/resolv.conf"; then if grep -q "127.0.0.53" "/etc/resolv.conf"; then
RESOLVCONF='/run/systemd/resolve/resolv.conf' RESOLVCONF='/run/systemd/resolve/resolv.conf'
else else
RESOLVCONF='/etc/resolv.conf' RESOLVCONF='/etc/resolv.conf'
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do # Obtain the resolvers from resolv.conf and use them for OpenVPN
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
done while read -r line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done
;; ;;
2) # Cloudflare 2) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
;; ;;
3) # Quad9 3) # Quad9
echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server.conf
;; ;;
4) # FDN 4) # FDN
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
;; ;;
5) # DNS.WATCH 5) # DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
;; ;;
6) # OpenDNS 6) # OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;; ;;
7) # Google 7) # Google
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;; ;;
8) # Yandex Basic 8) # Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
;; ;;
9) # AdGuard DNS 9) # AdGuard DNS
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;; ;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf
@ -723,6 +833,7 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save persitent OpenVPN rules # Save persitent OpenVPN rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
@ -735,6 +846,7 @@ verb 3" >> /etc/openvpn/server.conf
if ! hash semanage 2>/dev/null; then if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y yum install policycoreutils-python -y
fi fi
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = 'UDP' ]]; then
semanage port -a -t openvpn_port_t -p udp $PORT semanage port -a -t openvpn_port_t -p udp $PORT
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = 'TCP' ]]; then
@ -784,11 +896,13 @@ verb 3" >> /etc/openvpn/server.conf
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt echo "proto udp" >> /etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt echo "proto tcp-client" >> /etc/openvpn/client-template.txt
fi fi
echo "remote $IP $PORT echo "remote $IP $PORT
dev tun dev tun
resolv-retry infinite resolv-retry infinite
@ -807,7 +921,7 @@ setenv opt block-outside-dns
verb 3" >> /etc/openvpn/client-template.txt verb 3" >> /etc/openvpn/client-template.txt
# Generate the custom client.ovpn # Generate the custom client.ovpn
newclient newClient
echo "If you want to add more clients, you simply need to run this script another time!" echo "If you want to add more clients, you simply need to run this script another time!"
fi fi
exit 0; exit 0
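Review bot: In the new `revokeClient` function (hunk `@ -155,6 +158,108 @@`), `CLIENTNUMBER` is read once and fed straight into `sed -n "$CLIENTNUMBER"p` without validation, while every other prompt in this script loops `until` the answer matches a pattern; an empty answer makes `sed` print every line so `CLIENT` becomes multi-line, and an out-of-range answer leaves `CLIENT` empty, after which the unquoted `./easyrsa --batch revoke $CLIENT` and `rm -f pki/private/$CLIENT.key` act on the wrong name or on `pki/private/.key`. Re-prompt until the number is a digit string within `1..$NUMBEROFCLIENTS`, quote `$CLIENT` in the revoke and `rm` lines, and replace `rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn)` with a `find -name` match so paths are never word-split. The same unquoted `$ovpn`, `$PORT` and `$IPTABLES` expansions are carried into `removeOpenVPN` in the same hunk and deserve the same quoting.
```shell
# … unchanged: NUMBEROFCLIENTS count, empty-list check and nl listing …
until [[ "$CLIENTNUMBER" =~ ^[0-9]+$ ]] && (( CLIENTNUMBER >= 1 && CLIENTNUMBER <= NUMBEROFCLIENTS )); do
  if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
    read -rp "Select one client [1]: " CLIENTNUMBER
  else
    read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
  fi
done
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER}p")
cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke "$CLIENT"
# … unchanged: gen-crl …
rm -f "pki/reqs/$CLIENT.req" "pki/private/$CLIENT.key" "pki/issued/$CLIENT.crt"
# … unchanged: crl.pem copy and chmod …
find /home -maxdepth 2 -name "$CLIENT.ovpn" -exec rm -f -- {} + 2>/dev/null
rm -f "/root/$CLIENT.ovpn" 2>/dev/null
```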