Continue refactoring, backport stuff

2018-09-19 14:30:44 +02:00 · 2018-09-19 14:30:44 +02:00 · ea83bbed76
commit ea83bbed76
parent 3fc3fa42ab
1 changed files with 221 additions and 211 deletions
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -22,7 +22,6 @@ function checkOS () {
 		OS="debian"
 		# Getting the version number, to verify that a recent version of OpenVPN is available
 		VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
-		IPTABLES='/etc/iptables/iptables.rules'
 		if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
 			echo "Your version of Debian/Ubuntu is not supported."
 			echo "I can't install a recent version of OpenVPN on your system."
@ -40,7 +39,6 @@ function checkOS () {
 		fi
 	elif [[ -e /etc/fedora-release ]]; then
 		OS=fedora
-		IPTABLES='/etc/iptables/iptables.rules'
 	elif [[ -e /etc/centos-release ]]; then
 		if ! grep -qs "^CentOS Linux release 7" /etc/centos-release; then
 			echo "Your version of CentOS is not supported."
@ -56,7 +54,6 @@ function checkOS () {
 			fi
 		fi
 		OS=centos
-		IPTABLES='/etc/iptables/iptables.rules'
 	else
 		echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora or CentOS system"
 		exit 4
@ -80,6 +77,11 @@ function getNIC () {
 }

 function installEasyRsa () {
+	# An old version of easy-rsa was available by default in some openvpn packages
+	if [[ -d /etc/openvpn/easy-rsa/ ]]; then
+		rm -rf /etc/openvpn/easy-rsa/
+	fi
+
 	local version="3.0.4"
 	wget -O ~/EasyRSA-${version}.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
 	tar xzf ~/EasyRSA-${version}.tgz -C ~/
@ -108,6 +110,10 @@ function newClient () {
 		read -rp "Client name: " -e local client
 	done

+	generateClient
+}
+
+function generateClient () {
 	cd /etc/openvpn/easy-rsa/ || return
 	case $pass in
 		1)
@ -228,35 +234,7 @@ private-address: ::ffff:0:0/96' > /etc/unbound/openvpn.conf
 	fi
 }

-# Main
-
-initialCheck
-
-# Get Internet network interface with default route
-NIC=$(getNIC)
-
-if [[ -e /etc/openvpn/server.conf ]]; then
-	while :
-	do
-	clear
-		echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
-		echo ""
-		echo "Looks like OpenVPN is already installed"
-		echo ""
-
-		echo "What do you want to do?"
-		echo "   1) Add a cert for a new user"
-		echo "   2) Revoke existing user cert"
-		echo "   3) Remove OpenVPN"
-		echo "   4) Exit"
-		read -rp "Select an option [1-4]: " option
-
-		case $option in
-			1)
-				# Generates the custom client.ovpn
-				newclient
-			;;
-			2)
+function revokeClient () {
 	NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
 	if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
 		echo ""
@ -290,8 +268,9 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 	echo "Certificate for client $CLIENT revoked"
 	echo "Exiting..."
 	exit
-			;;
-			3)
+}
+
+function removeOpenVPN () {
 	echo ""
 	read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 	if [[ "$REMOVE" = 'y' ]]; then
@ -362,14 +341,40 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 		echo "Removal aborted!"
 	fi
 	exit
+}
+
+function manageMenu () {
+	clear
+	echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
+	echo ""
+	echo "Looks like OpenVPN is already installed"
+	echo ""
+
+	echo "What do you want to do?"
+	echo "   1) Add a cert for a new user"
+	echo "   2) Revoke existing user cert"
+	echo "   3) Remove OpenVPN"
+	echo "   4) Exit"
+	read -rp "Select an option [1-4]: " option
+
+	case $option in
+		1)
+			# Generates the custom client.ovpn
+			newclient
+		;;
+		2)
+			revokeClient
+		;;
+		3)
+			removeOpenVPN
 		;;
 		4)
 			exit
 		;;
 	esac
-	done
-else
-	clear
+}
+
+function installQuestions () {
 	echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
 	echo ""

@ -560,68 +565,50 @@ else
 	echo ""
 	echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
 	read -n1 -r -p "Press any key to continue..."
+}

-	if [[ "$OS" = 'debian' ]]; then
-		apt-get update
-		apt-get install ca-certificates gnupg -y
-		# We add the OpenVPN repo to get the latest version.
-		# Debian 8
-		if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
-			echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
-			wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
-			apt-get update
-		fi
-		# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
-		# The we install OpenVPN
-		apt-get install openvpn iptables openssl wget ca-certificates curl -y
-	elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then
-		if [[ "$OS" = 'centos' ]]; then
-			yum install epel-release -y
-		fi
-		yum install openvpn iptables openssl wget ca-certificates curl -y
-	fi
-
+function configureIptables () {
 	# Install iptables service
 	mkdir /etc/iptables

 	# Script to add rules
 	echo "#!/bin/sh
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
 iptables -A INPUT -i tun0 -j ACCEPT
-iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
-iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh
+iptables -A FORWARD -i $NIC -o tun0 -j ACCEPT
+iptables -A FORWARD -i tun0 -o $NIC -j ACCEPT" > /etc/iptables/add-openvpn-rules.sh

 	if [[ "$PROTOCOL" = 'UDP' ]]; then
-		echo "iptables -A INPUT -i eth0 -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+		echo "iptables -A INPUT -i $NIC -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
 	elif [[ "$PROTOCOL" = 'TCP' ]]; then
-		echo "iptables -A INPUT -i eth0 -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+		echo "iptables -A INPUT -i $NIC -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
 	fi

 	if [[ "$IPV6" = 'y' ]]; then
-		echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o eth0 -j MASQUERADE
+		echo "ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -A INPUT -i tun0 -j ACCEPT
-ip6tables -A FORWARD -i eth0 -o tun0 -j ACCEPT
-ip6tables -A FORWARD -i tun0 -o eth0 -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
+ip6tables -A FORWARD -i $NIC -o tun0 -j ACCEPT
+ip6tables -A FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/add-openvpn-rules.sh
 	fi

 	# Script to remove rules
 	echo "#!/bin/sh
-iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
 iptables -D INPUT -i tun0 -j ACCEPT
-iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
-iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh
+iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
+iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT" > /etc/iptables/rm-openvpn-rules.sh

 	if [[ "$PROTOCOL" = 'UDP' ]]; then
-		echo "iptables -D INPUT -i eth0 -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+		echo "iptables -D INPUT -i $NIC -p udp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
 	elif [[ "$PROTOCOL" = 'TCP' ]]; then
-		echo "iptables -D INPUT -i eth0 -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+		echo "iptables -D INPUT -i $NIC -p tcp --dport $PORT -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
 	fi

 	if [[ "$IPV6" = 'y' ]]; then
-		echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o eth0 -j MASQUERADE
+		echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
 ip6tables -D INPUT -i tun0 -j ACCEPT
-ip6tables -D FORWARD -i eth0 -o tun0 -j ACCEPT
-ip6tables -D FORWARD -i tun0 -o eth0 -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
+ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
+ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT" >> /etc/iptables/rm-openvpn-rules.sh
 	fi

 	chmod +x /etc/iptables/add-openvpn-rules.sh
@ -646,6 +633,30 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
 	systemctl daemon-reload
 	systemctl enable iptables-openvpn
 	systemctl start iptables-openvpn
+}
+
+function installOpenVPN () {
+	installQuestions
+
+	if [[ "$OS" = 'debian' ]]; then
+		apt-get update
+		apt-get install ca-certificates gnupg -y
+		# We add the OpenVPN repo to get the latest version.
+		# Debian 8
+		if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
+			echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
+			wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
+			apt-get update
+		fi
+		# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
+		# The we install OpenVPN
+		apt-get install openvpn iptables openssl wget ca-certificates curl -y
+	elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then
+		if [[ "$OS" = 'centos' ]]; then
+			yum install epel-release -y
+		fi
+		yum install openvpn iptables openssl wget ca-certificates curl -y
+	fi

 	# Find out if the machine uses nogroup or nobody for the permissionless group
 	if grep -qs "^nogroup:" /etc/group; then
@ -654,12 +665,9 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
 		NOGROUP=nobody
 	fi

-	# An old version of easy-rsa was available by default in some openvpn packages
-	if [[ -d /etc/openvpn/easy-rsa/ ]]; then
-		rm -rf /etc/openvpn/easy-rsa/
-	fi
 	# Install easy-rsa
 	installEasyRsa
+
 	cd /etc/openvpn/easy-rsa/
 	# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
 	SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
@ -818,39 +826,27 @@ verb 3" >> /etc/openvpn/server.conf
 		fi
 	fi

-	# And finally, restart OpenVPN
-	if [[ "$OS" = 'debian' ]]; then
-		# Little hack to check for systemd
-		if pgrep systemd-journal; then
+	# Finally, restart and enable OpenVPN
+	if [[ "$OS" = 'fedora' ]]; then
+		# Workaround to fix OpenVPN service on OpenVZ
+		sed -i 's|LimitNPROC|#LimitNPROC|' /usr/lib/systemd/system/openvpn-server@.service
+		# Another workaround to keep using /etc/openvpn/
+		sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
+		systemctl daemon-reload
+		systemctl restart openvpn-server@server
+		systemctl enable openvpn-server@server
+	else
 		# Workaround to fix OpenVPN service on OpenVZ
 		sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn\@.service
+		# Another workaround to keep using /etc/openvpn/
 		sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn\@.service
-				sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn\@.service
 		systemctl daemon-reload
-				systemctl restart openvpn
-				systemctl enable openvpn
-		else
-			/etc/init.d/openvpn restart
-		fi
-	else
-		if pgrep systemd-journal; then
-			if [[ "$OS" = 'fedora' ]]; then
-				# Workaround to avoid rewriting the entire script for Fedora
-				sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
-				sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
-				systemctl daemon-reload
-				systemctl restart openvpn-server@openvpn.service
-				systemctl enable openvpn-server@openvpn.service
-			else
-				systemctl restart openvpn@server.service
-				systemctl enable openvpn@server.service
-			fi
-		else
-			service openvpn restart
-			chkconfig openvpn on
-		fi
+		systemctl restart openvpn@server
+		systemctl enable openvpn@server
 	fi

+	configureIptables
+
 	# If the server is behind a NAT, use the correct IP address
 	if [[ "$PUBLICIP" != "" ]]; then
 		IP=$PUBLICIP
@ -883,5 +879,19 @@ verb 3" >> /etc/openvpn/client-template.txt
 	# Generate the custom client.ovpn
 	newclient
 	echo "If you want to add more clients, you simply need to run this script another time!"
+}
+
+# Main
+
+initialCheck
+
+# Get Internet network interface with default route
+NIC=$(getNIC)
+
+if [[ -e /etc/openvpn/server.conf ]]; then
+	manageMenu
+else
+	installOpenVPN
 fi
+
 exit 0