scripts/openvpn-server.sh

154 lines
4.0 KiB
Bash
Raw Normal View History

#!/bin/bash
USR=$(logname)
RSA_DIR="/home/${USR}/easy-rsa"
user=$(whoami)
if [ $user != root ]; then
echo "You are using a non-privileged account"
exit -1
fi
# install Easy-RSA & OpenVPN
apt update
apt install -y easy-rsa openvpn
if test -d $RSA_DIR; then
echo "Script is meant to be run only once and it seems to have already been executed"
exit -1
else
echo "Creating a new dir for PKI: ${RSA_DIR}"
mkdir $RSA_DIR
fi
cd $RSA_DIR
ln -s /usr/share/easy-rsa/* "${RSA_DIR}/"
# create Public Key Infrastructure (PKI)
cat <<EOF > vars
set_var EASYRSA_REQ_COUNTRY "AS"
set_var EASYRSA_REQ_PROVINCE "Maoputasi"
set_var EASYRSA_REQ_CITY "Pago Pago"
set_var EASYRSA_REQ_ORG "E Corp"
set_var EASYRSA_REQ_EMAIL "admin@ecorp.com"
set_var EASYRSA_REQ_OU "IT"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
EOF
./easyrsa init-pki
# create root public and private pair
./easyrsa build-ca nopass
# create a signed server sertificate
./easyrsa gen-req server nopass
./easyrsa import-req "${RSA_DIR}/pki/reqs/server.req" server
./easyrsa sign-req server server
cp "${RSA_DIR}/pki/ca.crt" /etc/openvpn/server/
cp "${RSA_DIR}/pki/private/server.key" /etc/openvpn/server/
cp "${RSA_DIR}/pki/issued/server.crt" /etc/openvpn/server/
# additional security (tls-crypt pre-shared key)
openvpn --genkey --secret ta.key
cp "${RSA_DIR}/ta.key" /etc/openvpn/server/
chown -hR "${USR}:${USR}" "${RSA_DIR}"
chmod -R 700 $RSA_DIR
# for enabling IPv6:
# proto udp6 or tcp6?
# ifconfig-ipv6 fd00::1 fd00::2
#
# ip6tables -A FORWARD -i tun0 -o ens3 -s fd00::/64 -m state --state NEW -j ACCEPT
# ip6tables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ip6tables -A POSTROUTING -s fd00::/64 -o ens3 -t nat -j MASQUERADE
# make a config for the server
# example is here /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
cat <<EOF > /etc/openvpn/server/server.conf
port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
max-clients 16
ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none
verb 3
ifconfig-pool-persist /var/log/openvpn/ipp.txt
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 0
EOF
# enable IP forwarding for IPv4
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
# enable IP forwarding for IPv6
# echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
# set up ufw
UFW_BEFORE='/etc/ufw/before.rules'
UFW_DEFAULT='/etc/default/ufw'
if grep -Fxq '# START OPENVPN RULES' $UFW_BEFORE; then
echo "File ${UFW_BEFORE} has already been set up"
else
line=$(grep -n "# Don't delete these required lines, otherwise there will be errors" "$UFW_BEFORE" | cut -f1 -d:)
nic=$(ip route list default | grep -Eo "dev\s*[[:alnum:]]+" | sed 's/dev\s//g')
sed -i "$((line+0)) i # START OPENVPN RULES" $UFW_BEFORE
sed -i "$((line+1)) i # NAT table rules" $UFW_BEFORE
sed -i "$((line+2)) i *nat" $UFW_BEFORE
sed -i "$((line+3)) i :POSTROUTING ACCEPT [0:0]" $UFW_BEFORE
sed -i "$((line+4)) i # Allow traffic from OpenVPN client to ${nic}" $UFW_BEFORE
sed -i "$((line+5)) i -A POSTROUTING -s 10.8.0.0/8 -o ${nic} -j MASQUERADE" $UFW_BEFORE
sed -i "$((line+6)) i COMMIT" $UFW_BEFORE
sed -i "$((line+7)) i # END OPENVPN RULES\n" $UFW_BEFORE
fi
if grep -Fxq 'DEFAULT_FORWARD_POLICY="ACCEPT"' $UFW_DEFAULT; then
echo "File ${UFW_DEFAULT} has already been set up"
else
sed -i 's~DEFAULT_FORWARD_POLICY="DROP"~DEFAULT_FORWARD_POLICY="ACCEPT"~' $UFW_DEFAULT
fi
ufw disable
ufw allow 443/tcp
ufw allow OpenSSH
ufw enable
# start the OpenVPN service
systemctl -f enable openvpn-server@server.service
systemctl start openvpn-server@server.service
systemctl status openvpn-server@server.service