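#!/bin/bash
#
# One-shot OpenVPN server bootstrap for Debian/Ubuntu hosts:
#   1. installs easy-rsa and openvpn,
#   2. builds a local PKI (CA + server certificate) under /home/<user>/easy-rsa,
#   3. writes /etc/openvpn/server/server.conf,
#   4. enables IPv4 forwarding and adds NAT rules to ufw,
#   5. enables and starts openvpn-server@server.
#
# Must be run as root (typically via sudo). The script refuses to run twice:
# the easy-rsa directory is used as the "already executed" marker.
# build-ca / sign-req are interactive (easyrsa prompts for CN and confirmation).
set -euo pipefail

readonly OPENVPN_DIR='/etc/openvpn/server'
readonly UFW_BEFORE='/etc/ufw/before.rules'
readonly UFW_DEFAULT='/etc/default/ufw'
# Listening port/protocol; used both in server.conf and in the ufw allow rule.
readonly VPN_PORT=443
# Tunnel network. The 'server' line in server.conf and the MASQUERADE rule
# inserted into ufw must describe the same subnet.
readonly VPN_NET='10.8.0.0'
readonly VPN_MASK='255.255.255.0'
readonly VPN_CIDR='10.8.0.0/24'

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running with root privileges.
#######################################
require_root() {
  (( EUID == 0 )) || die "You are using a non-privileged account"
}

#######################################
# Print the login name of the user who invoked the script; that user becomes
# the owner of the easy-rsa directory. SUDO_USER is preferred because
# logname(1) fails when there is no controlling terminal.
# Outputs: user name on stdout
# Returns: non-zero if neither source is available
#######################################
invoking_user() {
  if [[ -n "${SUDO_USER:-}" ]]; then
    printf '%s\n' "$SUDO_USER"
  else
    logname
  fi
}

#######################################
# Install Easy-RSA and OpenVPN (apt-get has a stable CLI for scripts).
#######################################
install_packages() {
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y easy-rsa openvpn
}

#######################################
# Create the PKI, the server certificate and the tls-crypt key, then copy the
# material OpenVPN needs into OPENVPN_DIR. Changes the working directory to
# the PKI directory.
# Arguments: $1 - PKI directory (must not exist yet)
#            $2 - user that will own the PKI directory
#######################################
build_pki() {
  local rsa_dir=$1 owner=$2

  if [[ -d "$rsa_dir" ]]; then
    die "Script is meant to be run only once and it seems to have already been executed"
  fi
  printf 'Creating a new dir for PKI: %s\n' "$rsa_dir"
  mkdir -- "$rsa_dir"
  cd -- "$rsa_dir" || die "cannot cd to ${rsa_dir}"
  ln -s /usr/share/easy-rsa/* "${rsa_dir}/"

  # Subject defaults read by easyrsa from ./vars; quoted delimiter => no expansion.
  cat > vars <<'EOF'
set_var EASYRSA_REQ_COUNTRY "AS"
set_var EASYRSA_REQ_PROVINCE "Maoputasi"
set_var EASYRSA_REQ_CITY "Pago Pago"
set_var EASYRSA_REQ_ORG "E Corp"
set_var EASYRSA_REQ_EMAIL "admin@ecorp.com"
set_var EASYRSA_REQ_OU "IT"
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
EOF

  ./easyrsa init-pki
  # Root CA key pair. 'nopass' leaves the CA key unencrypted on disk; the
  # 700 permissions applied below are its only protection.
  ./easyrsa build-ca nopass
  # Server key + CSR. gen-req already stores the CSR as pki/reqs/server.req,
  # so import-req (meant for CSRs produced on another host) is not needed.
  ./easyrsa gen-req server nopass
  ./easyrsa sign-req server server

  # tls-crypt pre-shared key: authenticates and encrypts the control channel
  openvpn --genkey --secret ta.key

  # Explicit modes/ownership rather than relying on cp inheriting source modes.
  install -m 0644 -o root -g root -- pki/ca.crt pki/issued/server.crt "${OPENVPN_DIR}/"
  install -m 0600 -o root -g root -- pki/private/server.key ta.key "${OPENVPN_DIR}/"

  chown -hR "${owner}:${owner}" -- "$rsa_dir"
  chmod -R 700 -- "$rsa_dir"
}

#######################################
# Write the OpenVPN server configuration.
# Reference: /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
# IPv6 is not enabled; the original notes for doing so were:
#   proto udp6 or tcp6
#   ifconfig-ipv6 fd00::1 fd00::2
#   ip6tables -A FORWARD -i tun0 -o ens3 -s fd00::/64 -m state --state NEW -j ACCEPT
#   ip6tables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#   ip6tables -A POSTROUTING -s fd00::/64 -o ens3 -t nat -j MASQUERADE
#######################################
write_server_config() {
  cat > "${OPENVPN_DIR}/server.conf" <<EOF
port ${VPN_PORT}
proto tcp
dev tun
server ${VPN_NET} ${VPN_MASK}
client-to-client
max-clients 16
ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none
verb 3
ifconfig-pool-persist /var/log/openvpn/ipp.txt
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 0
EOF
}

#######################################
# Enable IPv4 forwarding persistently. The append is idempotent; 'sysctl -p'
# only reloads /etc/sysctl.conf, hence that file rather than sysctl.d.
#######################################
enable_ip_forwarding() {
  grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf \
    || printf 'net.ipv4.ip_forward=1\n' >> /etc/sysctl.conf
  # IPv6 forwarding (not enabled): net.ipv6.conf.all.forwarding=1
  sysctl -p
}

#######################################
# Print the interface of the first default route (empty if none).
#######################################
default_nic() {
  ip -o route show default \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

#######################################
# Insert NAT rules for the tunnel subnet into before.rules, allow forwarding
# in /etc/default/ufw, open the VPN port and SSH, and (re)enable ufw.
# Globals: UFW_BEFORE, UFW_DEFAULT, VPN_PORT, VPN_CIDR
#######################################
configure_ufw() {
  local anchor="# Don't delete these required lines, otherwise there will be errors"
  local line nic

  if grep -Fxq '# START OPENVPN RULES' "$UFW_BEFORE"; then
    printf 'File %s has already been set up\n' "$UFW_BEFORE"
  else
    # First occurrence only; a missing anchor would otherwise produce an
    # invalid sed address.
    line=$(grep -m1 -n -F -- "$anchor" "$UFW_BEFORE" | cut -d: -f1) || line=''
    [[ -n "$line" ]] || die "anchor comment not found in ${UFW_BEFORE}"
    nic=$(default_nic)
    [[ -n "$nic" ]] || die "cannot determine the default network interface"
    # Masquerade only the tunnel subnet (VPN_CIDR); a /8 here would have
    # NATed all of 10.0.0.0/8. Inserted before the anchor line.
    sed -i "${line}i\\
# START OPENVPN RULES\\
# NAT table rules\\
*nat\\
:POSTROUTING ACCEPT [0:0]\\
# Allow traffic from OpenVPN client to ${nic}\\
-A POSTROUTING -s ${VPN_CIDR} -o ${nic} -j MASQUERADE\\
COMMIT\\
# END OPENVPN RULES" "$UFW_BEFORE"
  fi

  if grep -Fxq 'DEFAULT_FORWARD_POLICY="ACCEPT"' "$UFW_DEFAULT"; then
    printf 'File %s has already been set up\n' "$UFW_DEFAULT"
  else
    sed -i 's~DEFAULT_FORWARD_POLICY="DROP"~DEFAULT_FORWARD_POLICY="ACCEPT"~' "$UFW_DEFAULT"
  fi

  # disable/enable cycle reloads before.rules; --force skips the
  # "may disrupt existing ssh connections" prompt
  ufw disable
  ufw allow "${VPN_PORT}/tcp"
  ufw allow OpenSSH
  ufw --force enable
}

#######################################
# Enable the unit at boot, start it, and show its status (non-zero exit if
# the service is not running).
#######################################
start_service() {
  systemctl -f enable openvpn-server@server.service
  systemctl start openvpn-server@server.service
  systemctl --no-pager status openvpn-server@server.service
}

main() {
  local owner rsa_dir

  require_root
  owner=$(invoking_user) || die "cannot determine the invoking user"
  rsa_dir="/home/${owner}/easy-rsa"

  install_packages
  build_pki "$rsa_dir" "$owner"
  write_server_config
  enable_ip_forwarding
  configure_ufw
  start_service
}

main "$@"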