Continue refactoring, backport stuff

This commit is contained in:
angristan 2018-09-19 14:30:44 +02:00
parent 3fc3fa42ab
commit ea83bbed76


@ -22,7 +22,6 @@ function checkOS () {
OS="debian" OS="debian"
# Getting the version number, to verify that a recent version of OpenVPN is available # Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(grep "VERSION_ID" /etc/os-release) VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
IPTABLES='/etc/iptables/iptables.rules'
if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported." echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system." echo "I can't install a recent version of OpenVPN on your system."
@ -40,7 +39,6 @@ function checkOS () {
fi fi
elif [[ -e /etc/fedora-release ]]; then elif [[ -e /etc/fedora-release ]]; then
OS=fedora OS=fedora
IPTABLES='/etc/iptables/iptables.rules'
elif [[ -e /etc/centos-release ]]; then elif [[ -e /etc/centos-release ]]; then
if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then
echo "Your version of CentOS is not supported." echo "Your version of CentOS is not supported."
@ -56,7 +54,6 @@ function checkOS () {
fi fi
fi fi
OS=centos OS=centos
IPTABLES='/etc/iptables/iptables.rules'
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora or CentOS system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora or CentOS system"
exit 4 exit 4
@ -80,6 +77,11 @@ function getNIC () {
} }
function installEasyRsa () { function installEasyRsa () {
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
local version="3.0.4" local version="3.0.4"
wget -O ~/EasyRSA-${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz wget -O ~/EasyRSA-${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
tar xzf ~/EasyRSA-${version}.tgz -C ~/ tar xzf ~/EasyRSA-${version}.tgz -C ~/
@ -108,6 +110,10 @@ function newClient () {
read -rp "Client name: " -e local client read -rp "Client name: " -e local client
done done
generateClient
}
function generateClient () {
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
case $pass in case $pass in
1) 1)
@ -228,35 +234,7 @@ private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
fi fi
} }
# Main function revokeClient () {
initialCheck
# Get Internet network interface with default route
NIC=$(getNIC)
if [[ -e /etc/openvpn/server.conf ]]; then
while :
do
clear
echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
echo ""
echo "Looks like OpenVPN is already installed"
echo ""
echo "What do you want to do?"
echo " 1) Add a cert for a new user"
echo " 2) Revoke existing user cert"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -rp "Select an option [1-4]: " option
case $option in
1)
# Generates the custom client.ovpn
newclient
;;
2)
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo "" echo ""
@ -290,8 +268,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "Certificate for client $CLIENT revoked" echo "Certificate for client $CLIENT revoked"
echo "Exiting..." echo "Exiting..."
exit exit
;; }
3)
function removeOpenVPN () {
echo "" echo ""
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [[ "$REMOVE" = 'y' ]]; then
@ -362,14 +341,40 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "Removal aborted!" echo "Removal aborted!"
fi fi
exit exit
}
function manageMenu () {
clear
echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
echo ""
echo "Looks like OpenVPN is already installed"
echo ""
echo "What do you want to do?"
echo " 1) Add a cert for a new user"
echo " 2) Revoke existing user cert"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -rp "Select an option [1-4]: " option
case $option in
1)
# Generates the custom client.ovpn
newclient
;;
2)
revokeClient
;;
3)
removeOpenVPN
;; ;;
4) 4)
exit exit
;; ;;
esac esac
done }
else
clear function installQuestions () {
echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)" echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
echo "" echo ""
@ -560,68 +565,50 @@ else
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
}
if [[ "$OS" = 'debian' ]]; then function configureIptables () {
apt-get update
apt-get install ca-certificates gnupg -y
# We add the OpenVPN repo to get the latest version.
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
# The we install OpenVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y
elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then
if [[ "$OS" = 'centos' ]]; then
yum install epel-release -y
fi
yum install openvpn iptables openssl wget ca-certificates curl -y
fi
# Install iptables service # Install iptables service
mkdir /etc/iptables mkdir /etc/iptables
# Script to add rules # Script to add rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -A INPUT -i tun0 -j ACCEPT iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "iptables -A INPUT -i eth0 -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh echo "iptables -A INPUT -i $NIC -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "iptables -A INPUT -i eth0 -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh echo "iptables -A INPUT -i $NIC -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
fi fi
if [[ "$IPV6" = 'y' ]]; then if [[ "$IPV6" = 'y' ]]; then
echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o eth0 -j MASQUERADE echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -A INPUT -i tun0 -j ACCEPT ip6tables -A INPUT -i tun0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o tun0 -j ACCEPT ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -A FORWARD -i tun0 -o eth0 -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
fi fi
# Script to remove rules # Script to remove rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "iptables -D INPUT -i eth0 -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh echo "iptables -D INPUT -i $NIC -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
elif [[ "$PROTOCOL" = 'TCP' ]]; then elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "iptables -D INPUT -i eth0 -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh echo "iptables -D INPUT -i $NIC -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
fi fi
if [[ "$IPV6" = 'y' ]]; then if [[ "$IPV6" = 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o eth0 -j MASQUERADE echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i eth0 -o tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -D FORWARD -i tun0 -o eth0 -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
fi fi
chmod +x /etc/iptables/add-openvpn-rules.sh chmod +x /etc/iptables/add-openvpn-rules.sh
@ -646,6 +633,30 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables-openvpn systemctl enable iptables-openvpn
systemctl start iptables-openvpn systemctl start iptables-openvpn
}
function installOpenVPN () {
installQuestions
if [[ "$OS" = 'debian' ]]; then
apt-get update
apt-get install ca-certificates gnupg -y
# We add the OpenVPN repo to get the latest version.
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
# The we install OpenVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y
elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then
if [[ "$OS" = 'centos' ]]; then
yum install epel-release -y
fi
yum install openvpn iptables openssl wget ca-certificates curl -y
fi
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
@ -654,12 +665,9 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
NOGROUP=nobody NOGROUP=nobody
fi fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
# Install easy-rsa # Install easy-rsa
installEasyRsa installEasyRsa
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
@ -818,39 +826,27 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
fi fi
# And finally, restart OpenVPN # Finally, restart and enable OpenVPN
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'fedora' ]]; then
# Little hack to check for systemd # Workaround to fix OpenVPN service on OpenVZ
if pgrep systemd-journal; then sed -i 's|LimitNPROC|#LimitNPROC|' /usr/lib/systemd/system/openvpn-server@.service
# Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
systemctl daemon-reload
systemctl restart openvpn-server@server
systemctl enable openvpn-server@server
else
# Workaround to fix OpenVPN service on OpenVZ # Workaround to fix OpenVPN service on OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn\@.service sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn\@.service
# Another workaround to keep using /etc/openvpn/
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn\@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn\@.service
sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn\@.service
systemctl daemon-reload systemctl daemon-reload
systemctl restart openvpn systemctl restart openvpn@server
systemctl enable openvpn systemctl enable openvpn@server
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
if [[ "$OS" = 'fedora' ]]; then
# Workaround to avoid rewriting the entire script for Fedora
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
systemctl daemon-reload
systemctl restart openvpn-server@openvpn.service
systemctl enable openvpn-server@openvpn.service
else
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
fi
else
service openvpn restart
chkconfig openvpn on
fi
fi fi
configureIptables
# If the server is behind a NAT, use the correct IP address # If the server is behind a NAT, use the correct IP address
if [[ "$PUBLICIP" != "" ]]; then if [[ "$PUBLICIP" != "" ]]; then
IP=$PUBLICIP IP=$PUBLICIP
@ -883,5 +879,19 @@ verb 3" >> /etc/openvpn/client-template.txt
# Generate the custom client.ovpn # Generate the custom client.ovpn
newclient newclient
echo "If you want to add more clients, you simply need to run this script another time!" echo "If you want to add more clients, you simply need to run this script another time!"
}
# Main
initialCheck
# Get Internet network interface with default route
NIC=$(getNIC)
if [[ -e /etc/openvpn/server.conf ]]; then
manageMenu
else
installOpenVPN
fi fi
exit 0 exit 0
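Review bot: The new `manageMenu` (option 1) calls `newclient`, and the last step of `installOpenVPN` still calls `newclient`, but the function the hunk at `@ -108,6 +110,10 @@` belongs to is named `newClient`; bash function names are case-sensitive, so unless a lowercase `newclient` is still defined somewhere outside these hunks both paths end with "command not found" and no client config is generated right after a successful install. Change both calls to `newClient` (or rename the definition) so the name matches in one place. A second, smaller point in `manageMenu`: the old `while :` loop that re-displayed the menu was dropped, so an answer outside 1-4 now falls through the `case` with no arm and the script reaches `exit 0` silently; a default arm such as `*) echo "Invalid option"; exit 1 ;;` (or re-prompting with an `until` loop as `newClient` already does for the client name) would make that path explicit. The body of `installOpenVPN` starts and continues outside the visible hunks, so the calls around `configureIptables` could not be checked in full.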