scripts/openvpn-server.sh

#!/bin/bash

USR=$(logname)
RSA_DIR="/home/${USR}/easy-rsa"

user=$(whoami)
if [ $user != root ]; then
    echo "You are using a non-privileged account"
    exit -1
fi

# install Easy-RSA & OpenVPN
apt update
apt install -y easy-rsa openvpn

if test -d $RSA_DIR; then
    echo "Script is meant to be run only once and it seems to have already been executed"
    exit -1
else
    echo "Creating a new dir for PKI: ${RSA_DIR}"
    mkdir $RSA_DIR
fi

cd $RSA_DIR
ln -s /usr/share/easy-rsa/* "${RSA_DIR}/"

# create Public Key Infrastructure (PKI)
cat <<EOF > vars
set_var EASYRSA_REQ_COUNTRY    "AS"
set_var EASYRSA_REQ_PROVINCE   "Maoputasi"
set_var EASYRSA_REQ_CITY       "Pago Pago"
set_var EASYRSA_REQ_ORG        "E Corp"
set_var EASYRSA_REQ_EMAIL      "admin@ecorp.com"
set_var EASYRSA_REQ_OU         "IT"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"
EOF
./easyrsa init-pki

# create root public and private pair
./easyrsa build-ca nopass

# create a signed server sertificate
./easyrsa gen-req server nopass
./easyrsa import-req "${RSA_DIR}/pki/reqs/server.req" server
./easyrsa sign-req server server

cp "${RSA_DIR}/pki/ca.crt" /etc/openvpn/server/
cp "${RSA_DIR}/pki/private/server.key" /etc/openvpn/server/
cp "${RSA_DIR}/pki/issued/server.crt" /etc/openvpn/server/

# additional security (tls-crypt pre-shared key)
openvpn --genkey --secret ta.key
cp "${RSA_DIR}/ta.key" /etc/openvpn/server/

chown -hR "${USR}:${USR}" "${RSA_DIR}"
chmod -R 700 $RSA_DIR


# for enabling IPv6:
# proto udp6 or tcp6?
# ifconfig-ipv6 fd00::1 fd00::2
#
# ip6tables -A FORWARD -i tun0 -o ens3 -s fd00::/64 -m state --state NEW -j ACCEPT
# ip6tables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ip6tables -A POSTROUTING -s fd00::/64  -o ens3 -t nat -j MASQUERADE

# make a config for the server
# example is here /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
cat <<EOF > /etc/openvpn/server/server.conf
port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
max-clients 16

ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none

verb 3
ifconfig-pool-persist /var/log/openvpn/ipp.txt
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log

user nobody
group nogroup

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 0
EOF

# enable IP forwarding for IPv4
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf

# enable IP forwarding for IPv6
# echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf

sysctl -p

# set up ufw
UFW_BEFORE='/etc/ufw/before.rules'
UFW_DEFAULT='/etc/default/ufw'

if grep -Fxq '# START OPENVPN RULES' $UFW_BEFORE; then
    echo "File ${UFW_BEFORE} has already been set up"
else
    line=$(grep -n "# Don't delete these required lines, otherwise there will be errors" "$UFW_BEFORE" | cut -f1 -d:)
    nic=$(ip route list default | grep -Eo "dev\s*[[:alnum:]]+" | sed 's/dev\s//g')

    sed -i "$((line+0)) i # START OPENVPN RULES" $UFW_BEFORE
    sed -i "$((line+1)) i # NAT table rules" $UFW_BEFORE
    sed -i "$((line+2)) i *nat" $UFW_BEFORE
    sed -i "$((line+3)) i :POSTROUTING ACCEPT [0:0]" $UFW_BEFORE
    sed -i "$((line+4)) i # Allow traffic from OpenVPN client to ${nic}" $UFW_BEFORE
    sed -i "$((line+5)) i -A POSTROUTING -s 10.8.0.0/8 -o ${nic} -j MASQUERADE" $UFW_BEFORE
    sed -i "$((line+6)) i COMMIT" $UFW_BEFORE
    sed -i "$((line+7)) i # END OPENVPN RULES\n" $UFW_BEFORE
fi

if grep -Fxq 'DEFAULT_FORWARD_POLICY="ACCEPT"' $UFW_DEFAULT; then
    echo "File ${UFW_DEFAULT} has already been set up"
else
    sed -i 's~DEFAULT_FORWARD_POLICY="DROP"~DEFAULT_FORWARD_POLICY="ACCEPT"~' $UFW_DEFAULT
fi

ufw disable
ufw allow 443/tcp
ufw allow OpenSSH
ufw enable

# start the OpenVPN service
systemctl -f enable openvpn-server@server.service
systemctl start openvpn-server@server.service
systemctl status openvpn-server@server.service
Add server and client sctipts for OpenVPN 2023-10-21 21:48:33 +00:00			`#!/bin/bash`

			`USR=$(logname)`
			`RSA_DIR="/home/${USR}/easy-rsa"`

			`user=$(whoami)`
			`if [ $user != root ]; then`
			`echo "You are using a non-privileged account"`
			`exit -1`
			`fi`

			`# install Easy-RSA & OpenVPN`
			`apt update`
			`apt install -y easy-rsa openvpn`

			`if test -d $RSA_DIR; then`
			`echo "Script is meant to be run only once and it seems to have already been executed"`
			`exit -1`
			`else`
			`echo "Creating a new dir for PKI: ${RSA_DIR}"`
			`mkdir $RSA_DIR`
			`fi`

			`cd $RSA_DIR`
			`ln -s /usr/share/easy-rsa/* "${RSA_DIR}/"`

			`# create Public Key Infrastructure (PKI)`
			`cat <<EOF > vars`
			`set_var EASYRSA_REQ_COUNTRY "AS"`
			`set_var EASYRSA_REQ_PROVINCE "Maoputasi"`
			`set_var EASYRSA_REQ_CITY "Pago Pago"`
			`set_var EASYRSA_REQ_ORG "E Corp"`
			`set_var EASYRSA_REQ_EMAIL "admin@ecorp.com"`
			`set_var EASYRSA_REQ_OU "IT"`
			`set_var EASYRSA_ALGO "ec"`
			`set_var EASYRSA_DIGEST "sha512"`
			`EOF`
			`./easyrsa init-pki`

			`# create root public and private pair`
			`./easyrsa build-ca nopass`

			`# create a signed server sertificate`
			`./easyrsa gen-req server nopass`
			`./easyrsa import-req "${RSA_DIR}/pki/reqs/server.req" server`
			`./easyrsa sign-req server server`

			`cp "${RSA_DIR}/pki/ca.crt" /etc/openvpn/server/`
			`cp "${RSA_DIR}/pki/private/server.key" /etc/openvpn/server/`
			`cp "${RSA_DIR}/pki/issued/server.crt" /etc/openvpn/server/`

			`# additional security (tls-crypt pre-shared key)`
			`openvpn --genkey --secret ta.key`
			`cp "${RSA_DIR}/ta.key" /etc/openvpn/server/`

			`chown -hR "${USR}:${USR}" "${RSA_DIR}"`
			`chmod -R 700 $RSA_DIR`


			`# for enabling IPv6:`
			`# proto udp6 or tcp6?`
			`# ifconfig-ipv6 fd00::1 fd00::2`
			`#`
			`# ip6tables -A FORWARD -i tun0 -o ens3 -s fd00::/64 -m state --state NEW -j ACCEPT`
			`# ip6tables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT`
			`# ip6tables -A POSTROUTING -s fd00::/64 -o ens3 -t nat -j MASQUERADE`

			`# make a config for the server`
			`# example is here /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz`
			`cat <<EOF > /etc/openvpn/server/server.conf`
			`port 443`
			`proto tcp`
			`dev tun`
			`server 10.8.0.0 255.255.255.0`
			`client-to-client`
			`max-clients 16`

			`ca ca.crt`
			`cert server.crt`
			`key server.key`
			`tls-crypt ta.key`
			`cipher AES-256-GCM`
			`auth SHA256`
			`dh none`

			`verb 3`
			`ifconfig-pool-persist /var/log/openvpn/ipp.txt`
			`status /var/log/openvpn/openvpn-status.log`
			`log /var/log/openvpn/openvpn.log`

			`user nobody`
			`group nogroup`

			`push "redirect-gateway def1 bypass-dhcp"`
			`push "dhcp-option DNS 208.67.222.222"`
			`push "dhcp-option DNS 208.67.220.220"`

			`persist-key`
			`persist-tun`
			`keepalive 10 120`
			`explicit-exit-notify 0`
			`EOF`

			`# enable IP forwarding for IPv4`
			`echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf`

			`# enable IP forwarding for IPv6`
			`# echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf`

			`sysctl -p`

			`# set up ufw`
			`UFW_BEFORE='/etc/ufw/before.rules'`
			`UFW_DEFAULT='/etc/default/ufw'`

			`if grep -Fxq '# START OPENVPN RULES' $UFW_BEFORE; then`
			`echo "File ${UFW_BEFORE} has already been set up"`
			`else`
			`line=$(grep -n "# Don't delete these required lines, otherwise there will be errors" "$UFW_BEFORE" \| cut -f1 -d:)`
			`nic=$(ip route list default \| grep -Eo "dev\s*[[:alnum:]]+" \| sed 's/dev\s//g')`

			`sed -i "$((line+0)) i # START OPENVPN RULES" $UFW_BEFORE`
			`sed -i "$((line+1)) i # NAT table rules" $UFW_BEFORE`
			`sed -i "$((line+2)) i *nat" $UFW_BEFORE`
			`sed -i "$((line+3)) i :POSTROUTING ACCEPT [0:0]" $UFW_BEFORE`
			`sed -i "$((line+4)) i # Allow traffic from OpenVPN client to ${nic}" $UFW_BEFORE`
			`sed -i "$((line+5)) i -A POSTROUTING -s 10.8.0.0/8 -o ${nic} -j MASQUERADE" $UFW_BEFORE`
			`sed -i "$((line+6)) i COMMIT" $UFW_BEFORE`
			`sed -i "$((line+7)) i # END OPENVPN RULES\n" $UFW_BEFORE`
			`fi`

			`if grep -Fxq 'DEFAULT_FORWARD_POLICY="ACCEPT"' $UFW_DEFAULT; then`
			`echo "File ${UFW_DEFAULT} has already been set up"`
			`else`
			`sed -i 's~DEFAULT_FORWARD_POLICY="DROP"~DEFAULT_FORWARD_POLICY="ACCEPT"~' $UFW_DEFAULT`
			`fi`

			`ufw disable`
			`ufw allow 443/tcp`
			`ufw allow OpenSSH`
			`ufw enable`

			`# start the OpenVPN service`
			`systemctl -f enable openvpn-server@server.service`
			`systemctl start openvpn-server@server.service`
			`systemctl status openvpn-server@server.service`