scripts/openvpn-server.sh

#!/bin/bash

USR=$(logname)
RSA_DIR="/home/${USR}/easy-rsa"

user=$(whoami)
if [ $user != root ]; then
    echo "You are using a non-privileged account"
    exit -1
fi

# install Easy-RSA & OpenVPN
apt update
apt install -y easy-rsa openvpn

if test -d $RSA_DIR; then
    echo "Script is meant to be run only once and it seems to have already been executed"
    exit -1
else
    echo "Creating a new dir for PKI: ${RSA_DIR}"
    mkdir $RSA_DIR
fi

cd $RSA_DIR
ln -s /usr/share/easy-rsa/* "${RSA_DIR}/"

# create Public Key Infrastructure (PKI)
cat <<EOF > vars
set_var EASYRSA_REQ_COUNTRY    "AS"
set_var EASYRSA_REQ_PROVINCE   "Maoputasi"
set_var EASYRSA_REQ_CITY       "Pago Pago"
set_var EASYRSA_REQ_ORG        "E Corp"
set_var EASYRSA_REQ_EMAIL      "admin@ecorp.com"
set_var EASYRSA_REQ_OU         "IT"
set_var EASYRSA_ALGO           "ec"
set_var EASYRSA_DIGEST         "sha512"
EOF
./easyrsa init-pki

# create root public and private pair
./easyrsa build-ca nopass

# create a signed server sertificate
./easyrsa gen-req server nopass
./easyrsa import-req "${RSA_DIR}/pki/reqs/server.req" server
./easyrsa sign-req server server

cp "${RSA_DIR}/pki/ca.crt" /etc/openvpn/server/
cp "${RSA_DIR}/pki/private/server.key" /etc/openvpn/server/
cp "${RSA_DIR}/pki/issued/server.crt" /etc/openvpn/server/

# additional security (tls-crypt pre-shared key)
openvpn --genkey --secret ta.key
cp "${RSA_DIR}/ta.key" /etc/openvpn/server/

chown -hR "${USR}:${USR}" "${RSA_DIR}"
chmod -R 700 $RSA_DIR


# for enabling IPv6:
# proto udp6 or tcp6?
# ifconfig-ipv6 fd00::1 fd00::2
#
# ip6tables -A FORWARD -i tun0 -o ens3 -s fd00::/64 -m state --state NEW -j ACCEPT
# ip6tables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ip6tables -A POSTROUTING -s fd00::/64  -o ens3 -t nat -j MASQUERADE

# make a config for the server
# example is here /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
cat <<EOF > /etc/openvpn/server/server.conf
port 443
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
max-clients 16

ca ca.crt
cert server.crt
key server.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
dh none

verb 3
ifconfig-pool-persist /var/log/openvpn/ipp.txt
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log

user nobody
group nogroup

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 0
EOF

# enable IP forwarding for IPv4
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf

# enable IP forwarding for IPv6
# echo 'net.ipv6.conf.all.forwarding=1' >> /etc/sysctl.conf

sysctl -p

# set up ufw
UFW_BEFORE='/etc/ufw/before.rules'
UFW_DEFAULT='/etc/default/ufw'

if grep -Fxq '# START OPENVPN RULES' $UFW_BEFORE; then
    echo "File ${UFW_BEFORE} has already been set up"
else
    line=$(grep -n "# Don't delete these required lines, otherwise there will be errors" "$UFW_BEFORE" | cut -f1 -d:)
    nic=$(ip route list default | grep -Eo "dev\s*[[:alnum:]]+" | sed 's/dev\s//g')

    sed -i "$((line+0)) i # START OPENVPN RULES" $UFW_BEFORE
    sed -i "$((line+1)) i # NAT table rules" $UFW_BEFORE
    sed -i "$((line+2)) i *nat" $UFW_BEFORE
    sed -i "$((line+3)) i :POSTROUTING ACCEPT [0:0]" $UFW_BEFORE
    sed -i "$((line+4)) i # Allow traffic from OpenVPN client to ${nic}" $UFW_BEFORE
    sed -i "$((line+5)) i -A POSTROUTING -s 10.8.0.0/8 -o ${nic} -j MASQUERADE" $UFW_BEFORE
    sed -i "$((line+6)) i COMMIT" $UFW_BEFORE
    sed -i "$((line+7)) i # END OPENVPN RULES\n" $UFW_BEFORE
fi

if grep -Fxq 'DEFAULT_FORWARD_POLICY="ACCEPT"' $UFW_DEFAULT; then
    echo "File ${UFW_DEFAULT} has already been set up"
else
    sed -i 's~DEFAULT_FORWARD_POLICY="DROP"~DEFAULT_FORWARD_POLICY="ACCEPT"~' $UFW_DEFAULT
fi

ufw disable
ufw allow 443/tcp
ufw allow OpenSSH
ufw enable

# start the OpenVPN service
systemctl -f enable openvpn-server@server.service
systemctl start openvpn-server@server.service
systemctl status openvpn-server@server.service