
新增
author Pluto <meokcin@gmail.com>
date Sun, 01 Sep 2024 16:38:41 +0800
parents
children
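#!/bin/bash
#
# https://github.com/Nyr/openvpn-install
#
# Copyright (c) 2013 Nyr. Released under the MIT License.
#
# Pre-flight checks. Every refusal below terminates with a non-zero status so
# that wrappers and automation ("curl ... | bash && ...", CI) can distinguish
# a refused run from a completed one; a bare "exit" would report success.


# Detect Debian users running the script with "sh" instead of bash
# (on Debian-family systems /bin/sh is typically dash, and this script relies
# on bash-only syntax such as [[ ]] and read -N).
if readlink /proc/$$/exe | grep -q "dash"; then
	echo 'This installer needs to be run with "bash", not "sh".'
	exit 1
fi

# Discard stdin. Needed when running from an one-liner which includes a newline
# (otherwise that stray newline would be consumed by the first interactive prompt).
read -N 999999 -t 0.001

# Detect OS
# $os_version variables aren't always in use, but are kept here for convenience.
# $group_name is the unprivileged group written to server.conf ("group ...")
# and used for the CRL ownership; it differs between Debian-family ("nogroup")
# and RHEL-family/Fedora ("nobody").
if grep -qs "ubuntu" /etc/os-release; then
	# Substring match on the whole file: a derivative whose os-release merely
	# mentions "ubuntu" is treated as Ubuntu here.
	os="ubuntu"
	# VERSION_ID="22.04" -> 2204, so the numeric floor check below works.
	os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.')
	group_name="nogroup"
elif [[ -e /etc/debian_version ]]; then
	os="debian"
	# First integer in /etc/debian_version, e.g. "12.5" -> 12.
	os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1)
	group_name="nogroup"
elif [[ -e /etc/almalinux-release || -e /etc/rocky-release || -e /etc/centos-release ]]; then
	# AlmaLinux, Rocky Linux and CentOS are all handled as "centos".
	os="centos"
	os_version=$(grep -shoE '[0-9]+' /etc/almalinux-release /etc/rocky-release /etc/centos-release | head -1)
	group_name="nobody"
elif [[ -e /etc/fedora-release ]]; then
	os="fedora"
	os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1)
	group_name="nobody"
else
	echo "This installer seems to be running on an unsupported distribution.
Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora."
	exit 1
fi

# Minimum supported release per distribution; the messages state the floor.
if [[ "$os" == "ubuntu" && "$os_version" -lt 2204 ]]; then
	echo "Ubuntu 22.04 or higher is required to use this installer.
This version of Ubuntu is too old and unsupported."
	exit 1
fi

if [[ "$os" == "debian" ]]; then
	# Testing/Unstable report e.g. "trixie/sid" instead of a version number.
	if grep -q '/sid' /etc/debian_version; then
		echo "Debian Testing and Debian Unstable are unsupported by this installer."
		exit 1
	fi
	if [[ "$os_version" -lt 11 ]]; then
		echo "Debian 11 or higher is required to use this installer.
This version of Debian is too old and unsupported."
		exit 1
	fi
fi

if [[ "$os" == "centos" && "$os_version" -lt 9 ]]; then
	# Use the distribution's own name ("AlmaLinux", "Rocky Linux", ...) in the
	# message rather than the generic "centos" label.
	os_name=$(sed 's/ release.*//' /etc/almalinux-release /etc/rocky-release /etc/centos-release 2>/dev/null | head -1)
	echo "$os_name 9 or higher is required to use this installer.
This version of $os_name is too old and unsupported."
	exit 1
fi

# Detect environments where $PATH does not include the sbin directories
# (a plain "su" keeps the caller's PATH, so ip/firewall tooling may be missing).
if ! grep -q sbin <<< "$PATH"; then
	echo '$PATH does not include sbin. Try using "su -" instead of "su".'
	exit 1
fi

# Everything after this point writes under /etc and manipulates the firewall.
if [[ "$EUID" -ne 0 ]]; then
	echo "This installer needs to be run with superuser privileges."
	exit 1
fi

# The device node may exist but still be unusable (e.g. in some container
# setups), so actually try to open it read/write in a throwaway subshell.
if [[ ! -e /dev/net/tun ]] || ! ( exec 7<>/dev/net/tun ) 2>/dev/null; then
	echo "The system does not have the TUN device available.
TUN needs to be enabled before running this installer."
	exit 1
fi
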
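new_client () {
	# Generates the custom client.ovpn for "$client" (a global set by the
	# caller) in the invoking user's home directory.
	#
	# The profile embeds the client's private key and the server's tls-crypt
	# key, so it must not be created under the default umask (typically 022,
	# which would leave it world-readable). Create/truncate it under a
	# restrictive umask and then force mode 0600 -- the chmod also covers a
	# pre-existing file whose mode the umask alone would not change -- before
	# any key material is written. Returns 1 if the file cannot be prepared.
	local ovpn=~/"$client".ovpn
	( umask 077 && : > "$ovpn" ) && chmod 600 "$ovpn" || return 1
	{
		cat /etc/openvpn/server/client-common.txt
		echo "<ca>"
		cat /etc/openvpn/server/easy-rsa/pki/ca.crt
		echo "</ca>"
		echo "<cert>"
		# Only the PEM block: drop anything easy-rsa writes above it.
		sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
		echo "</cert>"
		echo "<key>"
		cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key
		echo "</key>"
		echo "<tls-crypt>"
		# Only the key block: drop the header "openvpn --genkey" writes above it.
		sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
		echo "</tls-crypt>"
	} > "$ovpn"
}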
102 if [[ ! -e /etc/openvpn/server/server.conf ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
103 # Detect some Debian minimal setups where neither wget nor curl are installed
Pluto <meokcin@gmail.com>
parents:
diff changeset
104 if ! hash wget 2>/dev/null && ! hash curl 2>/dev/null; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
105 echo "Wget is required to use this installer."
Pluto <meokcin@gmail.com>
parents:
diff changeset
106 read -n1 -r -p "Press any key to install Wget and continue..."
Pluto <meokcin@gmail.com>
parents:
diff changeset
107 apt-get update
Pluto <meokcin@gmail.com>
parents:
diff changeset
108 apt-get install -y wget
Pluto <meokcin@gmail.com>
parents:
diff changeset
109 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
110 clear
Pluto <meokcin@gmail.com>
parents:
diff changeset
111 echo 'Welcome to this OpenVPN road warrior installer!'
Pluto <meokcin@gmail.com>
parents:
diff changeset
112 # If system has a single IPv4, it is selected automatically. Else, ask the user
Pluto <meokcin@gmail.com>
parents:
diff changeset
113 if [[ $(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}') -eq 1 ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
114 ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}')
Pluto <meokcin@gmail.com>
parents:
diff changeset
115 else
Pluto <meokcin@gmail.com>
parents:
diff changeset
116 number_of_ip=$(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}')
Pluto <meokcin@gmail.com>
parents:
diff changeset
117 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
118 echo "Which IPv4 address should be used?"
Pluto <meokcin@gmail.com>
parents:
diff changeset
119 ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | nl -s ') '
Pluto <meokcin@gmail.com>
parents:
diff changeset
120 read -p "IPv4 address [1]: " ip_number
Pluto <meokcin@gmail.com>
parents:
diff changeset
121 until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ip" ]]; do
Pluto <meokcin@gmail.com>
parents:
diff changeset
122 echo "$ip_number: invalid selection."
Pluto <meokcin@gmail.com>
parents:
diff changeset
123 read -p "IPv4 address [1]: " ip_number
Pluto <meokcin@gmail.com>
parents:
diff changeset
124 done
Pluto <meokcin@gmail.com>
parents:
diff changeset
125 [[ -z "$ip_number" ]] && ip_number="1"
Pluto <meokcin@gmail.com>
parents:
diff changeset
126 ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
Pluto <meokcin@gmail.com>
parents:
diff changeset
127 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
128 # If $ip is a private IP address, the server must be behind NAT
Pluto <meokcin@gmail.com>
parents:
diff changeset
129 if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
130 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
131 echo "This server is behind NAT. What is the public IPv4 address or hostname?"
Pluto <meokcin@gmail.com>
parents:
diff changeset
132 # Get public IP and sanitize with grep
Pluto <meokcin@gmail.com>
parents:
diff changeset
133 get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")")
Pluto <meokcin@gmail.com>
parents:
diff changeset
134 read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
Pluto <meokcin@gmail.com>
parents:
diff changeset
135 # If the checkip service is unavailable and user didn't provide input, ask again
Pluto <meokcin@gmail.com>
parents:
diff changeset
136 until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do
Pluto <meokcin@gmail.com>
parents:
diff changeset
137 echo "Invalid input."
Pluto <meokcin@gmail.com>
parents:
diff changeset
138 read -p "Public IPv4 address / hostname: " public_ip
Pluto <meokcin@gmail.com>
parents:
diff changeset
139 done
Pluto <meokcin@gmail.com>
parents:
diff changeset
140 [[ -z "$public_ip" ]] && public_ip="$get_public_ip"
Pluto <meokcin@gmail.com>
parents:
diff changeset
141 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
142 # If system has a single IPv6, it is selected automatically
Pluto <meokcin@gmail.com>
parents:
diff changeset
143 if [[ $(ip -6 addr | grep -c 'inet6 [23]') -eq 1 ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
144 ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}')
Pluto <meokcin@gmail.com>
parents:
diff changeset
145 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
146 # If system has multiple IPv6, ask the user to select one
Pluto <meokcin@gmail.com>
parents:
diff changeset
147 if [[ $(ip -6 addr | grep -c 'inet6 [23]') -gt 1 ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
148 number_of_ip6=$(ip -6 addr | grep -c 'inet6 [23]')
Pluto <meokcin@gmail.com>
parents:
diff changeset
149 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
150 echo "Which IPv6 address should be used?"
Pluto <meokcin@gmail.com>
parents:
diff changeset
151 ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | nl -s ') '
Pluto <meokcin@gmail.com>
parents:
diff changeset
152 read -p "IPv6 address [1]: " ip6_number
Pluto <meokcin@gmail.com>
parents:
diff changeset
153 until [[ -z "$ip6_number" || "$ip6_number" =~ ^[0-9]+$ && "$ip6_number" -le "$number_of_ip6" ]]; do
Pluto <meokcin@gmail.com>
parents:
diff changeset
154 echo "$ip6_number: invalid selection."
Pluto <meokcin@gmail.com>
parents:
diff changeset
155 read -p "IPv6 address [1]: " ip6_number
Pluto <meokcin@gmail.com>
parents:
diff changeset
156 done
Pluto <meokcin@gmail.com>
parents:
diff changeset
157 [[ -z "$ip6_number" ]] && ip6_number="1"
Pluto <meokcin@gmail.com>
parents:
diff changeset
158 ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
Pluto <meokcin@gmail.com>
parents:
diff changeset
159 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
160 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
161 echo "Which protocol should OpenVPN use?"
Pluto <meokcin@gmail.com>
parents:
diff changeset
162 echo " 1) UDP (recommended)"
Pluto <meokcin@gmail.com>
parents:
diff changeset
163 echo " 2) TCP"
Pluto <meokcin@gmail.com>
parents:
diff changeset
164 read -p "Protocol [1]: " protocol
Pluto <meokcin@gmail.com>
parents:
diff changeset
165 until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do
Pluto <meokcin@gmail.com>
parents:
diff changeset
166 echo "$protocol: invalid selection."
Pluto <meokcin@gmail.com>
parents:
diff changeset
167 read -p "Protocol [1]: " protocol
Pluto <meokcin@gmail.com>
parents:
diff changeset
168 done
Pluto <meokcin@gmail.com>
parents:
diff changeset
169 case "$protocol" in
Pluto <meokcin@gmail.com>
parents:
diff changeset
170 1|"")
Pluto <meokcin@gmail.com>
parents:
diff changeset
171 protocol=udp
Pluto <meokcin@gmail.com>
parents:
diff changeset
172 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
173 2)
Pluto <meokcin@gmail.com>
parents:
diff changeset
174 protocol=tcp
Pluto <meokcin@gmail.com>
parents:
diff changeset
175 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
176 esac
Pluto <meokcin@gmail.com>
parents:
diff changeset
177 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
178 echo "What port should OpenVPN listen to?"
Pluto <meokcin@gmail.com>
parents:
diff changeset
179 read -p "Port [1194]: " port
Pluto <meokcin@gmail.com>
parents:
diff changeset
180 until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do
Pluto <meokcin@gmail.com>
parents:
diff changeset
181 echo "$port: invalid port."
Pluto <meokcin@gmail.com>
parents:
diff changeset
182 read -p "Port [1194]: " port
Pluto <meokcin@gmail.com>
parents:
diff changeset
183 done
Pluto <meokcin@gmail.com>
parents:
diff changeset
184 [[ -z "$port" ]] && port="1194"
Pluto <meokcin@gmail.com>
parents:
diff changeset
185 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
186 echo "Select a DNS server for the clients:"
Pluto <meokcin@gmail.com>
parents:
diff changeset
187 echo " 1) Current system resolvers"
Pluto <meokcin@gmail.com>
parents:
diff changeset
188 echo " 2) Google"
Pluto <meokcin@gmail.com>
parents:
diff changeset
189 echo " 3) 1.1.1.1"
Pluto <meokcin@gmail.com>
parents:
diff changeset
190 echo " 4) OpenDNS"
Pluto <meokcin@gmail.com>
parents:
diff changeset
191 echo " 5) Quad9"
Pluto <meokcin@gmail.com>
parents:
diff changeset
192 echo " 6) AdGuard"
Pluto <meokcin@gmail.com>
parents:
diff changeset
193 read -p "DNS server [1]: " dns
Pluto <meokcin@gmail.com>
parents:
diff changeset
194 until [[ -z "$dns" || "$dns" =~ ^[1-6]$ ]]; do
Pluto <meokcin@gmail.com>
parents:
diff changeset
195 echo "$dns: invalid selection."
Pluto <meokcin@gmail.com>
parents:
diff changeset
196 read -p "DNS server [1]: " dns
Pluto <meokcin@gmail.com>
parents:
diff changeset
197 done
Pluto <meokcin@gmail.com>
parents:
diff changeset
198 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
199 echo "Enter a name for the first client:"
Pluto <meokcin@gmail.com>
parents:
diff changeset
200 read -p "Name [client]: " unsanitized_client
Pluto <meokcin@gmail.com>
parents:
diff changeset
201 # Allow a limited set of characters to avoid conflicts
Pluto <meokcin@gmail.com>
parents:
diff changeset
202 client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
Pluto <meokcin@gmail.com>
parents:
diff changeset
203 [[ -z "$client" ]] && client="client"
Pluto <meokcin@gmail.com>
parents:
diff changeset
204 echo
Pluto <meokcin@gmail.com>
parents:
diff changeset
205 echo "OpenVPN installation is ready to begin."
Pluto <meokcin@gmail.com>
parents:
diff changeset
206 # Install a firewall if firewalld or iptables are not already available
Pluto <meokcin@gmail.com>
parents:
diff changeset
207 if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
208 if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
209 firewall="firewalld"
Pluto <meokcin@gmail.com>
parents:
diff changeset
210 # We don't want to silently enable firewalld, so we give a subtle warning
Pluto <meokcin@gmail.com>
parents:
diff changeset
211 # If the user continues, firewalld will be installed and enabled during setup
Pluto <meokcin@gmail.com>
parents:
diff changeset
212 echo "firewalld, which is required to manage routing tables, will also be installed."
Pluto <meokcin@gmail.com>
parents:
diff changeset
213 elif [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
214 # iptables is way less invasive than firewalld so no warning is given
Pluto <meokcin@gmail.com>
parents:
diff changeset
215 firewall="iptables"
Pluto <meokcin@gmail.com>
parents:
diff changeset
216 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
217 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
218 read -n1 -r -p "Press any key to continue..."
Pluto <meokcin@gmail.com>
parents:
diff changeset
219 # If running inside a container, disable LimitNPROC to prevent conflicts
Pluto <meokcin@gmail.com>
parents:
diff changeset
220 if systemd-detect-virt -cq; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
221 mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null
Pluto <meokcin@gmail.com>
parents:
diff changeset
222 echo "[Service]
Pluto <meokcin@gmail.com>
parents:
diff changeset
223 LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
224 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
225 if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
226 apt-get update
Pluto <meokcin@gmail.com>
parents:
diff changeset
227 apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall
Pluto <meokcin@gmail.com>
parents:
diff changeset
228 elif [[ "$os" = "centos" ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
229 dnf install -y epel-release
Pluto <meokcin@gmail.com>
parents:
diff changeset
230 dnf install -y openvpn openssl ca-certificates tar $firewall
Pluto <meokcin@gmail.com>
parents:
diff changeset
231 else
Pluto <meokcin@gmail.com>
parents:
diff changeset
232 # Else, OS must be Fedora
Pluto <meokcin@gmail.com>
parents:
diff changeset
233 dnf install -y openvpn openssl ca-certificates tar $firewall
Pluto <meokcin@gmail.com>
parents:
diff changeset
234 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
235 # If firewalld was just installed, enable it
Pluto <meokcin@gmail.com>
parents:
diff changeset
236 if [[ "$firewall" == "firewalld" ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
237 systemctl enable --now firewalld.service
Pluto <meokcin@gmail.com>
parents:
diff changeset
238 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
239 # Get easy-rsa
Pluto <meokcin@gmail.com>
parents:
diff changeset
240 easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.0/EasyRSA-3.2.0.tgz'
Pluto <meokcin@gmail.com>
parents:
diff changeset
241 mkdir -p /etc/openvpn/server/easy-rsa/
Pluto <meokcin@gmail.com>
parents:
diff changeset
242 { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
Pluto <meokcin@gmail.com>
parents:
diff changeset
243 chown -R root:root /etc/openvpn/server/easy-rsa/
Pluto <meokcin@gmail.com>
parents:
diff changeset
244 cd /etc/openvpn/server/easy-rsa/
Pluto <meokcin@gmail.com>
parents:
diff changeset
245 # Create the PKI, set up the CA and the server and client certificates
Pluto <meokcin@gmail.com>
parents:
diff changeset
246 ./easyrsa --batch init-pki
Pluto <meokcin@gmail.com>
parents:
diff changeset
247 ./easyrsa --batch build-ca nopass
Pluto <meokcin@gmail.com>
parents:
diff changeset
248 ./easyrsa --batch --days=3650 build-server-full server nopass
Pluto <meokcin@gmail.com>
parents:
diff changeset
249 ./easyrsa --batch --days=3650 build-client-full "$client" nopass
Pluto <meokcin@gmail.com>
parents:
diff changeset
250 ./easyrsa --batch --days=3650 gen-crl
Pluto <meokcin@gmail.com>
parents:
diff changeset
251 # Move the stuff we need
Pluto <meokcin@gmail.com>
parents:
diff changeset
252 cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
Pluto <meokcin@gmail.com>
parents:
diff changeset
253 # CRL is read with each client connection, while OpenVPN is dropped to nobody
Pluto <meokcin@gmail.com>
parents:
diff changeset
254 chown nobody:"$group_name" /etc/openvpn/server/crl.pem
Pluto <meokcin@gmail.com>
parents:
diff changeset
255 # Without +x in the directory, OpenVPN can't run a stat() on the CRL file
Pluto <meokcin@gmail.com>
parents:
diff changeset
256 chmod o+x /etc/openvpn/server/
Pluto <meokcin@gmail.com>
parents:
diff changeset
257 # Generate key for tls-crypt
Pluto <meokcin@gmail.com>
parents:
diff changeset
258 openvpn --genkey secret /etc/openvpn/server/tc.key
Pluto <meokcin@gmail.com>
parents:
diff changeset
259 # Create the DH parameters file using the predefined ffdhe2048 group
Pluto <meokcin@gmail.com>
parents:
diff changeset
260 echo '-----BEGIN DH PARAMETERS-----
Pluto <meokcin@gmail.com>
parents:
diff changeset
261 MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
Pluto <meokcin@gmail.com>
parents:
diff changeset
262 +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
Pluto <meokcin@gmail.com>
parents:
diff changeset
263 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
Pluto <meokcin@gmail.com>
parents:
diff changeset
264 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
Pluto <meokcin@gmail.com>
parents:
diff changeset
265 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
Pluto <meokcin@gmail.com>
parents:
diff changeset
266 ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
Pluto <meokcin@gmail.com>
parents:
diff changeset
267 -----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
Pluto <meokcin@gmail.com>
parents:
diff changeset
268 # Generate server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
269 echo "local $ip
Pluto <meokcin@gmail.com>
parents:
diff changeset
270 port $port
Pluto <meokcin@gmail.com>
parents:
diff changeset
271 proto $protocol
Pluto <meokcin@gmail.com>
parents:
diff changeset
272 dev tun
Pluto <meokcin@gmail.com>
parents:
diff changeset
273 ca ca.crt
Pluto <meokcin@gmail.com>
parents:
diff changeset
274 cert server.crt
Pluto <meokcin@gmail.com>
parents:
diff changeset
275 key server.key
Pluto <meokcin@gmail.com>
parents:
diff changeset
276 dh dh.pem
Pluto <meokcin@gmail.com>
parents:
diff changeset
277 auth SHA512
Pluto <meokcin@gmail.com>
parents:
diff changeset
278 tls-crypt tc.key
Pluto <meokcin@gmail.com>
parents:
diff changeset
279 topology subnet
Pluto <meokcin@gmail.com>
parents:
diff changeset
280 server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
281 # IPv6
Pluto <meokcin@gmail.com>
parents:
diff changeset
282 if [[ -z "$ip6" ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
283 echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
284 else
Pluto <meokcin@gmail.com>
parents:
diff changeset
285 echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
286 echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
287 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
288 echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
289 # DNS
Pluto <meokcin@gmail.com>
parents:
diff changeset
290 case "$dns" in
Pluto <meokcin@gmail.com>
parents:
diff changeset
291 1|"")
Pluto <meokcin@gmail.com>
parents:
diff changeset
292 # Locate the proper resolv.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
293 # Needed for systems running systemd-resolved
Pluto <meokcin@gmail.com>
parents:
diff changeset
294 if grep '^nameserver' "/etc/resolv.conf" | grep -qv '127.0.0.53' ; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
295 resolv_conf="/etc/resolv.conf"
Pluto <meokcin@gmail.com>
parents:
diff changeset
296 else
Pluto <meokcin@gmail.com>
parents:
diff changeset
297 resolv_conf="/run/systemd/resolve/resolv.conf"
Pluto <meokcin@gmail.com>
parents:
diff changeset
298 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
299 # Obtain the resolvers from resolv.conf and use them for OpenVPN
Pluto <meokcin@gmail.com>
parents:
diff changeset
300 grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -v '127.0.0.53' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do
Pluto <meokcin@gmail.com>
parents:
diff changeset
301 echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
302 done
Pluto <meokcin@gmail.com>
parents:
diff changeset
303 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
304 2)
Pluto <meokcin@gmail.com>
parents:
diff changeset
305 echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
306 echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
307 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
308 3)
Pluto <meokcin@gmail.com>
parents:
diff changeset
309 echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
310 echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
311 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
312 4)
Pluto <meokcin@gmail.com>
parents:
diff changeset
313 echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
314 echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
315 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
316 5)
Pluto <meokcin@gmail.com>
parents:
diff changeset
317 echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
318 echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
319 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
320 6)
Pluto <meokcin@gmail.com>
parents:
diff changeset
321 echo 'push "dhcp-option DNS 94.140.14.14"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
322 echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
323 ;;
Pluto <meokcin@gmail.com>
parents:
diff changeset
324 esac
Pluto <meokcin@gmail.com>
parents:
diff changeset
325 echo 'push "block-outside-dns"' >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
326 echo "keepalive 10 120
Pluto <meokcin@gmail.com>
parents:
diff changeset
327 user nobody
Pluto <meokcin@gmail.com>
parents:
diff changeset
328 group $group_name
Pluto <meokcin@gmail.com>
parents:
diff changeset
329 persist-key
Pluto <meokcin@gmail.com>
parents:
diff changeset
330 persist-tun
Pluto <meokcin@gmail.com>
parents:
diff changeset
331 verb 3
Pluto <meokcin@gmail.com>
parents:
diff changeset
332 crl-verify crl.pem" >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
333 if [[ "$protocol" = "udp" ]]; then
Pluto <meokcin@gmail.com>
parents:
diff changeset
334 echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
Pluto <meokcin@gmail.com>
parents:
diff changeset
335 fi
Pluto <meokcin@gmail.com>
parents:
diff changeset
# Let the kernel route packets between the tunnel and the uplink. The
# sysctl.d drop-in makes the setting survive reboots; writing /proc applies
# it to the running kernel right away.
# NOTE(review): forwarding is enabled host-wide, not per interface. In the
# iptables path further down the rules only ACCEPT traffic from the VPN
# subnet and set no policy on the FORWARD chain, so whether this host will
# also route between its other interfaces depends on the firewall policy it
# already has.
printf '%s\n' 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-openvpn-forward.conf
printf '1\n' > /proc/sys/net/ipv4/ip_forward
if [[ -n "$ip6" ]]; then
    # Same for IPv6 when an IPv6 address ($ip6) was selected for the server
    printf '%s\n' 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.d/99-openvpn-forward.conf
    printf '1\n' > /proc/sys/net/ipv6/conf/all/forwarding
fi
if systemctl is-active --quiet firewalld.service; then
    # Using both permanent and not permanent rules to avoid a firewalld
    # reload.
    # We don't use --add-service=openvpn because that would only work with
    # the default port and protocol.
    firewall-cmd --add-port="$port"/"$protocol"
    # NOTE(review): the "trusted" zone accepts everything, so connected
    # clients can reach every service listening on this host, not only the
    # routed internet; pick a narrower zone if that is not intended.
    firewall-cmd --zone=trusted --add-source=10.8.0.0/24
    firewall-cmd --permanent --add-port="$port"/"$protocol"
    firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
    # Set NAT for the VPN subnet: client traffic leaving the tunnel is
    # rewritten to the server address; traffic between VPN clients is excluded
    firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
    firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
    if [[ -n "$ip6" ]]; then
        # Same zone membership and NAT for the IPv6 tunnel prefix
        firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64
        firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64
        firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
        firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
    fi
else
    # Create a service to set up persistent iptables rules
    iptables_path=$(command -v iptables)
    ip6tables_path=$(command -v ip6tables)
    # nf_tables is not available as standard in OVZ kernels. So use iptables-legacy
    # if we are in OVZ, with a nf_tables backend and iptables-legacy is available.
    if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f "$(command -v iptables)" | grep -q "nft" && hash iptables-legacy 2>/dev/null; then
        iptables_path=$(command -v iptables-legacy)
        ip6tables_path=$(command -v ip6tables-legacy)
    fi
    # Oneshot unit that inserts the rules at boot (ordered before
    # network.target) and deletes the very same rules on stop. The resolved
    # tool path is baked in. Rules, top to bottom: SNAT for traffic leaving
    # the tunnel, open the OpenVPN listening port, allow forwarding from the
    # VPN subnet, allow reply traffic back in. All of them are ACCEPTs inserted
    # at the head of their chain; chain policies are not changed.
    echo "[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
    if [[ -n "$ip6" ]]; then
        # Equivalent NAT and forwarding rules for the IPv6 tunnel prefix.
        # There is no IPv6 INPUT rule: clients dial the IPv4 address written
        # into client-common.txt, IPv6 is only carried inside the tunnel.
        echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
ExecStop=$ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service
    fi
    # RemainAfterExit keeps the oneshot "active" so ExecStop runs on stop/disable
    echo "RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service
    systemctl enable --now openvpn-iptables.service
fi
# SELinux in enforcing mode only lets openvpn bind ports labelled
# openvpn_port_t. 1194 already carries that label; any other port has to be
# labelled here. semanage comes from policycoreutils-python-utils (the script
# assumes an enforcing SELinux host is a dnf-based distro).
if [[ "$port" != 1194 ]] && sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing"; then
    hash semanage 2>/dev/null || dnf install -y policycoreutils-python-utils
    semanage port -a -t openvpn_port_t -p "$protocol" "$port"
fi
# Behind NAT the clients must dial the public address rather than the one
# bound locally; $public_ip is only set in that case
ip="${public_ip:-$ip}"
# Template shared by every generated .ovpn; new_client (defined earlier in
# the script) turns it into a per-client file. remote-cert-tls server makes
# clients refuse a peer certificate without the server role, so a leaked
# client certificate cannot be used to impersonate the server.
cat > /etc/openvpn/server/client-common.txt <<EOF
client
dev tun
proto $protocol
remote $ip $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
EOF
# Enable and start the OpenVPN service
systemctl enable --now openvpn-server@server.service
# Build the first client's .ovpn
new_client
printf '\nFinished!\n\n'
# NOTE(review): the .ovpn presumably embeds the client's private key; hand it
# over through a secure channel and do not leave copies around.
printf '%s %s\n' "The client configuration is available in:" ~/"$client.ovpn"
echo "New clients can be added by running this script again."
431 else
# Management menu shown when server.conf already exists. Keep asking until
# the answer is a single digit 1-4; the case below dispatches on it.
clear
printf '%s\n' "OpenVPN is already installed." "" "Select an option:" \
    " 1) Add a new client" " 2) Revoke an existing client" " 3) Remove OpenVPN" " 4) Exit"
read -p "Option: " option
while ! [[ "$option" =~ ^[1-4]$ ]]; do
    echo "$option: invalid selection."
    read -p "Option: " option
done
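case "$option" in
    1)
        # Issue a certificate for a new client and build its .ovpn
        echo
        echo "Provide a name for the client:"
        read -rp "Name: " unsanitized_client
        # The name becomes a certificate CN, PKI file names and a file name in
        # $HOME, so only [0-9A-Za-z_-] is kept and every other byte becomes "_"
        # (the class is spelled out to stay locale independent). read -r keeps
        # backslashes literal so they are sanitized like any other byte.
        client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
        # Reject an empty result and names that already have a certificate
        while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
            echo "$client: invalid name."
            read -rp "Name: " unsanitized_client
            client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
        done
        cd /etc/openvpn/server/easy-rsa/ || exit 1
        # Ten-year certificate with an unencrypted key (nopass): anyone holding
        # the resulting .ovpn can connect until the client is revoked here.
        ./easyrsa --batch --days=3650 build-client-full "$client" nopass
        # Generates the custom client.ovpn
        new_client
        echo
        echo "$client added. Configuration available in:" ~/"$client.ovpn"
        exit
        ;;
    2)
        # Revoke a client and publish the new CRL to the running server.
        # index.txt has one line per certificate: status in the first column
        # ("V" = valid) and the subject ("/CN=<name>") last; only valid
        # certificates are offered.
        number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
        if [[ "$number_of_clients" = 0 ]]; then
            echo
            echo "There are no existing clients!"
            exit
        fi
        echo
        echo "Select the client to revoke:"
        tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
        read -rp "Client: " client_number
        # The list is numbered from 1. A plain [0-9]+ check accepted "0", which
        # makes the sed line address below invalid and selects an empty name,
        # so the first digit must be non-zero.
        until [[ "$client_number" =~ ^[1-9][0-9]*$ && "$client_number" -le "$number_of_clients" ]]; do
            echo "$client_number: invalid selection."
            read -rp "Client: " client_number
        done
        client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
        echo
        read -rp "Confirm $client revocation? [y/N]: " revoke
        # Empty answer defaults to "no"; anything but a single y/n letter is re-asked
        until [[ "$revoke" =~ ^[yYnN]?$ ]]; do
            echo "$revoke: invalid selection."
            read -rp "Confirm $client revocation? [y/N]: " revoke
        done
        if [[ "$revoke" =~ ^[yY]$ ]]; then
            cd /etc/openvpn/server/easy-rsa/ || exit 1
            ./easyrsa --batch revoke "$client"
            ./easyrsa --batch --days=3650 gen-crl
            # Publish the CRL atomically: stage the copy next to the live file,
            # give it the ownership the server needs (the CRL is read on every
            # client connection, after OpenVPN has dropped to nobody), then
            # rename it into place so there is never a moment without a
            # readable crl.pem. A failure leaves the previous CRL in service and
            # is reported, instead of silently deleting crl.pem first.
            if cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem.new \
                && chown nobody:"$group_name" /etc/openvpn/server/crl.pem.new \
                && mv -f /etc/openvpn/server/crl.pem.new /etc/openvpn/server/crl.pem; then
                echo
                echo "$client revoked!"
                # NOTE(review): the CRL is checked at TLS handshake time, so a
                # client that is connected right now keeps its session until its
                # next renegotiation; restart openvpn-server@server.service to
                # drop it immediately.
            else
                rm -f /etc/openvpn/server/crl.pem.new
                echo
                echo "$client was revoked in the PKI, but the CRL could not be installed; the server still uses the previous CRL." >&2
                exit 1
            fi
        else
            echo
            echo "$client revocation aborted!"
        fi
        exit
        ;;
    3)
        echo
        read -rp "Confirm OpenVPN removal? [y/N]: " remove
        until [[ "$remove" =~ ^[yYnN]?$ ]]; do
            echo "$remove: invalid selection."
            read -rp "Confirm OpenVPN removal? [y/N]: " remove
        done
        if [[ "$remove" =~ ^[yY]$ ]]; then
            # Read port and protocol back from the live config so the matching
            # firewall and SELinux entries created at install time are removed
            port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
            protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
            if systemctl is-active --quiet firewalld.service; then
                # The SNAT target is the last field of the direct rule installed
                # at setup; recover it from firewalld rather than re-detecting it
                ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
                # Using both permanent and not permanent rules to avoid a firewalld reload.
                firewall-cmd --remove-port="$port"/"$protocol"
                firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
                firewall-cmd --permanent --remove-port="$port"/"$protocol"
                firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
                firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
                if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then
                    ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$')
                    firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64
                    firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64
                    firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
                    firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
                fi
            else
                # Stopping the unit runs its ExecStop lines, which delete the rules
                systemctl disable --now openvpn-iptables.service
                rm -f /etc/systemd/system/openvpn-iptables.service
            fi
            if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
                semanage port -d -t openvpn_port_t -p "$protocol" "$port"
            fi
            systemctl disable --now openvpn-server@server.service
            rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
            # NOTE(review): only the persistent sysctl is removed; IP forwarding
            # stays on in the running kernel until reboot. It is not switched
            # off here because other software on the host may rely on it.
            rm -f /etc/sysctl.d/99-openvpn-forward.conf
            # /etc/openvpn/server holds the easy-rsa PKI (CA plus every client
            # certificate and key), so this is irreversible and invalidates all
            # .ovpn files issued so far. Those files, written to $HOME by
            # new_client, are not removed here. $os was detected at the top.
            if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
                rm -rf /etc/openvpn/server
                apt-get remove --purge -y openvpn
            else
                # Else, OS must be CentOS or Fedora
                dnf remove -y openvpn
                rm -rf /etc/openvpn/server
            fi
            echo
            echo "OpenVPN removed!"
        else
            echo
            echo "OpenVPN removal aborted!"
        fi
        exit
        ;;
    4)
        exit
        ;;
esac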
560 fi