From d23d28a2cc24792204df86161711a942877c2c67 Mon Sep 17 00:00:00 2001
From: tar
Date: Sat, 21 Oct 2023 23:48:33 +0200
Subject: [PATCH] Add server and client sctipts for OpenVPN

---
 openvpn-client.sh | 109 +++++++++++++++++++++++++++++++++
 openvpn-server.sh | 153 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 262 insertions(+)
 create mode 100755 openvpn-client.sh
 create mode 100755 openvpn-server.sh

diff --git a/openvpn-client.sh b/openvpn-client.sh
new file mode 100755
index 0000000..9228ffa
--- /dev/null
+++ b/openvpn-client.sh
@@ -0,0 +1,109 @@
+#!/bin/bash
+
+# this script is to be run on server after the server script!
+# tested on Oracle cloud with Ubuntu 20.04 (IPv6 was not configured there, traffic goes through IPv4)
+# to connect on Linux:
+# sudo openvpn --config ovpnc01.ovpn
+
+SERVER='vpn_domain_name_goes_here.com'
+PORT=443
+PROTOCOL='tcp'
+
+USR=$(logname)
+RSA_DIR="/home/${USR}/easy-rsa"
+CLIENT_DIR="/home/${USR}/client-configs"
+KEY_DIR="${CLIENT_DIR}/keys"
+FILES_DIR="${CLIENT_DIR}/files"
+
+user=$(whoami)
+if [ $user != root ]; then
+ echo "You are using a non-privileged account"
+ exit -1
+fi
+
+if ! test -d $RSA_DIR; then
+ echo 'Run the server script first!'
+ exit -1
+fi
+
+if [[ ! ${1+x} ]]; then
+ echo 'Provide a client name as an argument to this script!'
+ exit -1
+else
+ CLIENT=$1
+fi
+
+if ! test -d $CLIENT_DIR; then
+ mkdir $CLIENT_DIR
+ mkdir $KEY_DIR
+ mkdir $FILES_DIR
+ cp /etc/openvpn/server/ta.key "${KEY_DIR}/"
+ cp /etc/openvpn/server/ca.crt "${KEY_DIR}/"
+else
+ echo 'Well, hello friend!'
+fi
+
+# create a request and get a signed certificate out of it
+cd $RSA_DIR
+./easyrsa gen-req $CLIENT nopass
+./easyrsa import-req "${RSA_DIR}/pki/reqs/${CLIENT}.req" $CLIENT
+./easyrsa sign-req client $CLIENT
+
+cp "${RSA_DIR}/pki/private/${CLIENT}.key" "${KEY_DIR}/"
+cp "${RSA_DIR}/pki/issued/${CLIENT}.crt" "${KEY_DIR}/"
+
+# create a config file for the client
+cd $FILES_DIR
+CFG=$(cat <') \
+ ${KEY_DIR}/ca.crt \
+ <(echo -e '\n') \
+ ${KEY_DIR}/${CLIENT}.crt \
+ <(echo -e '\n') \
+ ${KEY_DIR}/${CLIENT}.key \
+ <(echo -e '\n') \
+ ${KEY_DIR}/ta.key \
+ <(echo -e '') \
+ > ${CLIENT}.ovpn
+
+chown -hR "${USR}:${USR}" "${CLIENT_DIR}"
+chmod -R 700 $CLIENT_DIR
+
diff --git a/openvpn-server.sh b/openvpn-server.sh
new file mode 100755
index 0000000..05b42ba
--- /dev/null
+++ b/openvpn-server.sh
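Review bot: The client name taken from `$1` is used unvalidated and unquoted as the easyrsa request name, inside the `pki/reqs`, `pki/private` and `pki/issued` paths and as the `${CLIENT}.ovpn` output name, so a name containing spaces, `/` or `..` word-splits or writes outside the intended directories; restrict it to a safe character set before use and quote `"$CLIENT"` in the easyrsa and cp lines. The script also runs without `set -euo pipefail`, so a failed `gen-req` or `sign-req` is not fatal and the later `cp` and config assembly still produce an incomplete `.ovpn` that gets `chown`ed to the user. `exit -1` is not a valid status (bash reports it as 255); use `exit 1`. The span from `CFG=$(cat <` to `') \` appears garbled in this rendering of the patch, so the client-config template itself is not reviewable here.
```bash
#!/bin/bash
set -euo pipefail
# … unchanged: SERVER/PORT/PROTOCOL and directory variables, root and RSA_DIR checks …
if [[ $# -lt 1 || -z "$1" ]]; then
  echo 'Provide a client name as an argument to this script!' >&2
  exit 1
fi
CLIENT=$1
# The name becomes a file name under pki/ and the .ovpn output path, so limit it to a safe character set.
if [[ ! "$CLIENT" =~ ^[A-Za-z0-9._-]+$ ]]; then
  echo "Invalid client name: ${CLIENT}" >&2
  exit 1
fi
# … unchanged: directory creation, easyrsa calls (quote "$CLIENT" there), config assembly, chown/chmod …
```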
@@ -0,0 +1,153 @@
+#!/bin/bash
+
+USR=$(logname)
+RSA_DIR="/home/${USR}/easy-rsa"
+
+user=$(whoami)
+if [ $user != root ]; then
+ echo "You are using a non-privileged account"
+ exit -1
+fi
+
+# install Easy-RSA & OpenVPN
+apt update
+apt install -y easy-rsa openvpn
+
+if test -d $RSA_DIR; then
+ echo "Script is meant to be run only once and it seems to have already been executed"
+ exit -1
+else
+ echo "Creating a new dir for PKI: ${RSA_DIR}"
+ mkdir $RSA_DIR
+fi
+
+cd $RSA_DIR
+ln -s /usr/share/easy-rsa/* "${RSA_DIR}/"
+
+# create Public Key Infrastructure (PKI)
+cat < vars
+set_var EASYRSA_REQ_COUNTRY "AS"
+set_var EASYRSA_REQ_PROVINCE "Maoputasi"
+set_var EASYRSA_REQ_CITY "Pago Pago"
+set_var EASYRSA_REQ_ORG "E Corp"
+set_var EASYRSA_REQ_EMAIL "admin@ecorp.com"
+set_var EASYRSA_REQ_OU "IT"
+set_var EASYRSA_ALGO "ec"
+set_var EASYRSA_DIGEST "sha512"
+EOF
+./easyrsa init-pki
+
+# create root public and private pair
+./easyrsa build-ca nopass
+
+# create a signed server sertificate
+./easyrsa gen-req server nopass
+./easyrsa import-req "${RSA_DIR}/pki/reqs/server.req" server
+./easyrsa sign-req server server
+
+cp "${RSA_DIR}/pki/ca.crt" /etc/openvpn/server/
+cp "${RSA_DIR}/pki/private/server.key" /etc/openvpn/server/
+cp "${RSA_DIR}/pki/issued/server.crt" /etc/openvpn/server/
+
+# additional security (tls-crypt pre-shared key)
+openvpn --genkey --secret ta.key
+cp "${RSA_DIR}/ta.key" /etc/openvpn/server/
+
+chown -hR "${USR}:${USR}" "${RSA_DIR}"
+chmod -R 700 $RSA_DIR
+
+
+# for enabling IPv6:
+# proto udp6 or tcp6?
+# ifconfig-ipv6 fd00::1 fd00::2
+#
+# ip6tables -A FORWARD -i tun0 -o ens3 -s fd00::/64 -m state --state NEW -j ACCEPT
+# ip6tables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+# ip6tables -A POSTROUTING -s fd00::/64 -o ens3 -t nat -j MASQUERADE
+
+# make a config for the server
+# example is here /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
+cat < /etc/openvpn/server/server.conf
+port 443
+proto tcp
+dev tun
+server 10.8.0.0 255.255.255.0
+client-to-client
+max-clients 16
+
+ca ca.crt
+cert server.crt
+key server.key
+tls-crypt ta.key
+cipher AES-256-GCM
+auth SHA256
+dh none
+
+verb 3
+ifconfig-pool-persist /var/log/openvpn/ipp.txt
+status /var/log/openvpn/openvpn-status.log
+log /var/log/openvpn/openvpn.log
+
+user nobody
+group nogroup
+
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 208.67.222.222"
+push "dhcp-option DNS 208.67.220.220"
+
+persist-key
+persist-tun
+keepalive 10 120
+explicit-exit-notify 0
+EOF
+
+# enable IP forwarding for IPv4
+echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
+
+# enable IP forwarding for IPv6
+# echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
+
+sysctl -p
+
+# set up ufw
+UFW_BEFORE='/etc/ufw/before.rules'
+UFW_DEFAULT='/etc/default/ufw'
+
+if grep -Fxq '# START OPENVPN RULES' $UFW_BEFORE; then
+ echo "File ${UFW_BEFORE} has already been set up"
+else
+ line=$(grep -n "# Don't delete these required lines, otherwise there will be errors" "$UFW_BEFORE" | cut -f1 -d:)
+ nic=$(ip route list default | grep -Eo "dev\s*[[:alnum:]]+" | sed 's/dev\s//g')
+
+ sed -i "$((line+0)) i # START OPENVPN RULES" $UFW_BEFORE
+ sed -i "$((line+1)) i # NAT table rules" $UFW_BEFORE
+ sed -i "$((line+2)) i *nat" $UFW_BEFORE
+ sed -i "$((line+3)) i :POSTROUTING ACCEPT [0:0]" $UFW_BEFORE
+ sed -i "$((line+4)) i # Allow traffic from OpenVPN client to ${nic}" $UFW_BEFORE
+ sed -i "$((line+5)) i -A POSTROUTING -s 10.8.0.0/8 -o ${nic} -j MASQUERADE" $UFW_BEFORE
+ sed -i "$((line+6)) i COMMIT" $UFW_BEFORE
+ sed -i "$((line+7)) i # END OPENVPN RULES\n" $UFW_BEFORE
+fi
+
+if grep -Fxq 'DEFAULT_FORWARD_POLICY="ACCEPT"' $UFW_DEFAULT; then
+ echo "File ${UFW_DEFAULT} has already been set up"
+else
+ sed -i 's~DEFAULT_FORWARD_POLICY="DROP"~DEFAULT_FORWARD_POLICY="ACCEPT"~' $UFW_DEFAULT
+fi
+
+ufw disable
+ufw allow 443/tcp
+ufw allow OpenSSH
+ufw enable
+
+# start the OpenVPN service
+systemctl -f enable openvpn-server@server.service
+systemctl start openvpn-server@server.service
+systemctl status openvpn-server@server.service
+
+
+
+
+
+
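Review bot: In the ufw block, `line` and `nic` come from grep/ip pipelines whose results are never checked before `sed -i "$((line+0)) i ..."` runs; if the marker comment is absent `line` is empty and `$((line+0))` becomes 0 (an address GNU sed rejects for `i`), and if the default route carries no `dev` field `nic` is empty, yet the script still goes on to `ufw enable` and starts the service without the MASQUERADE rule. Add `[[ -n "$line" && -n "$nic" ]] || { echo "cannot find ufw marker line or default interface" >&2; exit 1; }` right after the `nic=` assignment. The inserted rule masquerades `10.8.0.0/8` while `server.conf` defines the tunnel as `server 10.8.0.0 255.255.255.0`; `-s 10.8.0.0/24` keeps NAT scoped to the VPN subnet rather than the whole 10.x range. `USR=$(logname)` is likewise unchecked before it builds `RSA_DIR` and the `chown` target, so `: "${USR:?logname failed}"` after it would stop the run instead of creating and chowning `/home//easy-rsa`. Since `chown -hR "${USR}:${USR}" "${RSA_DIR}"` hands the whole PKI, CA key included, to the unprivileged login user, a comment stating that this is intended would help the next reader.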