Add server and client sctipts for OpenVPN

This commit is contained in:
tar 2023-10-21 23:48:33 +02:00
parent c02ee5f187
commit d23d28a2cc
2 changed files with 262 additions and 0 deletions

109
openvpn-client.sh Executable file
View File

@ -0,0 +1,109 @@
#!/bin/bash
# this script is to be run on server after the server script!
# tested on Oracle cloud with Ubuntu 20.04 (IPv6 was not configured there, traffic goes through IPv4)
# to connect on Linux:
# sudo openvpn --config ovpnc01.ovpn
SERVER='vpn_domain_name_goes_here.com'
PORT=443
PROTOCOL='tcp'
USR=$(logname)
RSA_DIR="/home/${USR}/easy-rsa"
CLIENT_DIR="/home/${USR}/client-configs"
KEY_DIR="${CLIENT_DIR}/keys"
FILES_DIR="${CLIENT_DIR}/files"
user=$(whoami)
if [ $user != root ]; then
echo "You are using a non-privileged account"
exit -1
fi
if ! test -d $RSA_DIR; then
echo 'Run the server script first!'
exit -1
fi
if [[ ! ${1+x} ]]; then
echo 'Provide a client name as an argument to this script!'
exit -1
else
CLIENT=$1
fi
if ! test -d $CLIENT_DIR; then
mkdir $CLIENT_DIR
mkdir $KEY_DIR
mkdir $FILES_DIR
cp /etc/openvpn/server/ta.key "${KEY_DIR}/"
cp /etc/openvpn/server/ca.crt "${KEY_DIR}/"
else
echo 'Well, hello friend!'
fi
# create a request and get a signed certificate out of it
cd $RSA_DIR
./easyrsa gen-req $CLIENT nopass
./easyrsa import-req "${RSA_DIR}/pki/reqs/${CLIENT}.req" $CLIENT
./easyrsa sign-req client $CLIENT
cp "${RSA_DIR}/pki/private/${CLIENT}.key" "${KEY_DIR}/"
cp "${RSA_DIR}/pki/issued/${CLIENT}.crt" "${KEY_DIR}/"
# create a config file for the client
cd $FILES_DIR
CFG=$(cat <<EOF
client
dev tun
proto ${PROTOCOL}
remote ${SERVER} ${PORT}
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
verb 3
mute-replay-warnings
cipher AES-256-GCM
auth SHA256
key-direction 1
# ipv6 params, basically it breaks IPv6 stuff so traffic only goes though IPv4
ifconfig-ipv6 fd00::2 fd00::1
redirect-gateway ipv6 def1
# for linux clients that do not use systemd-resolved to manage DNS
; script-security 2
; up /etc/openvpn/update-resolv-conf
; down /etc/openvpn/update-resolv-conf
# for linux clients that use systemd-resolved
; script-security 2
; up /etc/openvpn/update-systemd-resolved
; down /etc/openvpn/update-systemd-resolved
; down-pre
; dhcp-option DOMAIN-ROUTE .
# keys:
EOF
)
cat <(echo "$CFG") \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${CLIENT}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${CLIENT}.key \
<(echo -e '</key>\n<tls-crypt>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-crypt>') \
> ${CLIENT}.ovpn
chown -hR "${USR}:${USR}" "${CLIENT_DIR}"
chmod -R 700 $CLIENT_DIR

153
openvpn-server.sh Executable file
View File

@ -0,0 +1,153 @@
#!/bin/bash
USR=$(logname)
RSA_DIR="/home/${USR}/easy-rsa"
user=$(whoami)
if [ $user != root ]; then
echo "You are using a non-privileged account"
exit -1
fi
# install Easy-RSA & OpenVPN
apt update
apt install -y easy-rsa openvpn
if test -d $RSA_DIR; then
echo "Script is meant to be run only once and it seems to have already been executed"
exit -1
else
echo "Creating a new dir for PKI: ${RSA_DIR}"
mkdir $RSA_DIR
fi
cd $RSA_DIR
ln -s /usr/share/easy-rsa/* "${RSA_DIR}/"
# create Public Key Infrastructure (PKI)
cat <<EOF > vars
set_var EASYRSA_REQ_COUNTRY "AS"
set_var EASYRSA_REQ_PROVINCE "Maoputasi"
set_var EASYRSA_REQ_CITY "Pago Pago"
set_var EASYRSA_REQ_ORG "E Corp"
set_var EASYRSA_REQ_EMAIL "admin@ecorp.com"
set_var EASYRSA_REQ_OU "IT"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
EOF
./easyrsa init-pki
# create root public and private pair
./easyrsa build-ca nopass
# create a signed server sertificate
./easyrsa gen-req server nopass
./easyrsa import-req "${RSA_DIR}/pki/reqs/server.req" server
./easyrsa sign-req server server
cp "${RSA_DIR}/pki/ca.crt" /etc/openvpn/server/
cp "${RSA_DIR}/pki/private/server.key" /etc/openvpn/server/
cp "${RSA_DIR}/pki/issued/server.crt" /etc/openvpn/server/
# additional security (tls-crypt pre-shared key)
openvpn --genkey --secret ta.key
cp "${RSA_DIR}/ta.key" /etc/openvpn/server/
chown -hR "${USR}:${USR}" "${RSA_DIR}"
chmod -R 700 $RSA_DIR
# for enabling IPv6:
# proto udp6 or tcp6?
# ifconfig-ipv6 fd00::1 fd00::2
#
# ip6tables -A FORWARD -i tun0 -o ens3 -s fd00::/64 -m state --state NEW -j ACCEPT
# ip6tables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ip6tables -A POSTROUTING -s fd00::/64 -o ens3 -t nat -j MASQUERADE
# make a config for the server
# example is here /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
cat <<EOF > /etc/openvpn/server/server.conf
port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
max-clients 16
ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none
verb 3
ifconfig-pool-persist /var/log/openvpn/ipp.txt
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 0
EOF
# enable IP forwarding for IPv4
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
# enable IP forwarding for IPv6
# echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf
sysctl -p
# set up ufw
UFW_BEFORE='/etc/ufw/before.rules'
UFW_DEFAULT='/etc/default/ufw'
if grep -Fxq '# START OPENVPN RULES' $UFW_BEFORE; then
echo "File ${UFW_BEFORE} has already been set up"
else
line=$(grep -n "# Don't delete these required lines, otherwise there will be errors" "$UFW_BEFORE" | cut -f1 -d:)
nic=$(ip route list default | grep -Eo "dev\s*[[:alnum:]]+" | sed 's/dev\s//g')
sed -i "$((line+0)) i # START OPENVPN RULES" $UFW_BEFORE
sed -i "$((line+1)) i # NAT table rules" $UFW_BEFORE
sed -i "$((line+2)) i *nat" $UFW_BEFORE
sed -i "$((line+3)) i :POSTROUTING ACCEPT [0:0]" $UFW_BEFORE
sed -i "$((line+4)) i # Allow traffic from OpenVPN client to ${nic}" $UFW_BEFORE
sed -i "$((line+5)) i -A POSTROUTING -s 10.8.0.0/8 -o ${nic} -j MASQUERADE" $UFW_BEFORE
sed -i "$((line+6)) i COMMIT" $UFW_BEFORE
sed -i "$((line+7)) i # END OPENVPN RULES\n" $UFW_BEFORE
fi
if grep -Fxq 'DEFAULT_FORWARD_POLICY="ACCEPT"' $UFW_DEFAULT; then
echo "File ${UFW_DEFAULT} has already been set up"
else
sed -i 's~DEFAULT_FORWARD_POLICY="DROP"~DEFAULT_FORWARD_POLICY="ACCEPT"~' $UFW_DEFAULT
fi
ufw disable
ufw allow 443/tcp
ufw allow OpenSSH
ufw enable
# start the OpenVPN service
systemctl -f enable openvpn-server@server.service
systemctl start openvpn-server@server.service
systemctl status openvpn-server@server.service