Patch/openvpn-install
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge 6e6f5c3f7b into e58addc2c5

Browse Source
This commit is contained in:
Julien Reichardt 2015-12-13 10:58:44 +00:00
commit 1b9593460d
2 changed files with 105 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -6,7 +6,7 @@ This script will let you setup your own VPN server in no more than a minute, eve
###Installation ###Installation
Run the script and follow the assistant: Run the script and follow the assistant:
`wget git.io/vpn --no-check-certificate -O openvpn-install.sh && bash openvpn-install.sh` `wget git.io/vpn --no-check-certificate -O openvpn-install.sh && sh openvpn-install.sh`
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.

174
openvpn-install.sh
View File

@ -1,34 +1,40 @@
#!/bin/bash #!/bin/sh
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS # OpenVPN road warrior installer for Debian, Ubuntu and CentOS
# This script will work on Debian, Ubuntu, CentOS and probably other distros # This script is implemented as POSIX-compliant.
# of the same families, although no support is offered for them. It isn't # It should work on sh, dash, bash, ksh, zsh on Debian, Ubuntu, CentOS
# bulletproof but it will probably work if you simply want to setup a VPN on # and probably other distros of the same families,
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and # although no support is offered for them. It isn't bulletproof but
# universal as possible. # it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be
# as unobtrusive and universal as possible.
if [[ "$EUID" -ne 0 ]]; then if [ "$(id -u)" != "0" ]
then
echo "Sorry, you need to run this as root" echo "Sorry, you need to run this as root"
exit 1 exit 1
fi fi
if [ ! -e /dev/net/tun ]
if [[ ! -e /dev/net/tun ]]; then then
echo "TUN/TAP is not available" echo "TUN/TAP is not available"
exit 2 exit 2
fi fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then if grep -qs "CentOS release 5" "/etc/redhat-release"
then
echo "CentOS 5 is too old and not supported" echo "CentOS 5 is too old and not supported"
exit 3 exit 3
fi fi
if [[ -e /etc/debian_version ]]; then if [ -e /etc/debian_version ]
then
OS=debian OS=debian
RCLOCAL='/etc/rc.local' RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then elif [ -e /etc/centos-release || -e /etc/redhat-release ]
then
OS=centos OS=centos
RCLOCAL='/etc/rc.d/rc.local' RCLOCAL='/etc/rc.d/rc.local'
# Needed for CentOS 7 # Needed for CentOS 7
@ -38,7 +44,18 @@ else
exit 4 exit 4
fi fi
newclient () { # Detect the init system
# Return the PID of systemd if running
pidof /sbin/init && INITSYS=sysvinit
# Return the PID of systemd if running
pidof systemd && INITSYS=systemd
if [ "$INITSYS" = "" ]
then
echo "Your init system isn't supported"
exit 5
fi
newclient() {
# Generates the custom client.ovpn # Generates the custom client.ovpn
cp /etc/openvpn/client-common.txt ~/$1.ovpn cp /etc/openvpn/client-common.txt ~/$1.ovpn
echo "<ca>" >> ~/$1.ovpn echo "<ca>" >> ~/$1.ovpn
@ -52,17 +69,16 @@ newclient () {
echo "</key>" >> ~/$1.ovpn echo "</key>" >> ~/$1.ovpn
} }
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com) # I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6. # and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then if [ "$IP" = "" ]
IP=$(wget -qO- ipv4.icanhazip.com) then IP=$(wget -qO- ipv4.icanhazip.com)
fi fi
if [ -e /etc/openvpn/server.conf ]
if [[ -e /etc/openvpn/server.conf ]]; then then
while : while :
do do
clear clear
@ -79,20 +95,21 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Tell me a name for the client cert" echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: client " CLIENT
CLIENT=${CLIENT:-client}
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
echo "" echo ""
echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn" echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
exit exit;;
;;
2) 2)
# This option could be documented a bit better and maybe even be simplimplified # This option could be documented a bit better and maybe even be simplimplified
# ...but what can I say, I want some sleep too # ...but what can I say, I want some sleep too
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then if [ "$NUMBEROFCLIENTS" = 0 ]
then
echo "" echo ""
echo "You have no existing clients!" echo "You have no existing clients!"
exit 5 exit 5
@ -100,8 +117,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Select the existing client certificate you want to revoke" echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then if [ "$NUMBEROFCLIENTS" = 1 ]
read -p "Select one client [1]: " CLIENTNUMBER then read -p "Select one client [1]: " CLIENTNUMBER
else else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi fi
@ -110,39 +127,35 @@ if [[ -e /etc/openvpn/server.conf ]]; then
./easyrsa --batch revoke $CLIENT ./easyrsa --batch revoke $CLIENT
./easyrsa gen-crl ./easyrsa gen-crl
# And restart # And restart
if pgrep systemd-journal; then if [ $INITSYS = systemd ]
systemctl restart openvpn@server.service then systemctl restart openvpn@server.service
else
if [[ "$OS" = 'debian' ]]; then
/etc/init.d/openvpn restart
else else
service openvpn restart service openvpn restart
fi fi
fi
echo "" echo ""
echo "Certificate for client $CLIENT revoked" echo "Certificate for client $CLIENT revoked"
exit exit;;
;;
3) 3)
echo "" echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -p "Do you really want to remove OpenVPN? [N/y]: " REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [ $REMOVE = y ]
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then if pgrep firewalld
# Using both permanent and not permanent rules to avoid a firewalld reload. then # Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --zone=public --remove-port=$PORT/udp firewall-cmd --zone=public --remove-port=$PORT/udp
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi fi
if iptables -L | grep -qE 'REJECT|DROP'; then if iptables -L | grep -qE 'REJECT|DROP'
then
sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi fi
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
if [[ "$OS" = 'debian' ]]; then if [ $OS = debian ]
apt-get remove --purge -y openvpn openvpn-blacklist then apt-get remove --purge -y openvpn openvpn-blacklist
else else
yum remove openvpn -y yum remove openvpn -y
fi fi
@ -154,8 +167,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Removal aborted!" echo "Removal aborted!"
fi fi
exit exit;;
;;
4) exit;; 4) exit;;
esac esac
done done
@ -169,10 +181,12 @@ else
echo "" echo ""
echo "First I need to know the IPv4 address of the network interface you want OpenVPN" echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
echo "listening to." echo "listening to."
read -p "IP address: " -e -i $IP IP read -p "IP address: $IP " IP
IP=${IP:-$IP}
echo "" echo ""
echo "What port do you want for OpenVPN?" echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT read -p "Port: 1194 " PORT
PORT=${PORT:-1194}
echo "" echo ""
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers" echo " 1) Current system resolvers"
@ -181,15 +195,19 @@ else
echo " 4) NTT" echo " 4) NTT"
echo " 5) Hurricane Electric" echo " 5) Hurricane Electric"
echo " 6) Google" echo " 6) Google"
read -p "DNS [1-6]: " -e -i 1 DNS read -p "DNS [1-6]: 1 " DNS
DNS=${DNS:-1}
echo "" echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me your name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: client " CLIENT
CLIENT=${CLIENT:-client}
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." echo "Press [ENTER] to continue... \c "
if [[ "$OS" = 'debian' ]]; then read
if [ $OS = debian ]
then
apt-get update apt-get update
apt-get install openvpn iptables openssl ca-certificates -y apt-get install openvpn iptables openssl ca-certificates -y
else else
@ -198,8 +216,8 @@ else
yum install openvpn iptables openssl wget ca-certificates -y yum install openvpn iptables openssl wget ca-certificates -y
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [ -d /etc/openvpn/easy-rsa/ ]
rm -rf /etc/openvpn/easy-rsa/ then rm -rf /etc/openvpn/easy-rsa/
fi fi
# Get easy-rsa # Get easy-rsa
wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
@ -236,29 +254,24 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
case $DNS in case $DNS in
1) 1)
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line
do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done done;;
;;
2) 2)
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf;;
;;
3) 3)
echo 'push "dhcp-option DNS 4.2.2.2"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 4.2.2.2"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 4.2.2.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 4.2.2.4"' >> /etc/openvpn/server.conf;;
;;
4) 4)
echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf;;
;;
5) 5)
echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf;;
;;
6) 6)
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf;;
;;
esac esac
echo "keepalive 10 120 echo "keepalive 10 120
comp-lzo comp-lzo
@ -268,14 +281,14 @@ status openvpn-status.log
verb 3 verb 3
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
if [[ "$OS" = 'debian' ]]; then if [ $OS = debian ]
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf then sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
else else
# CentOS 5 and 6 # CentOS 5 and 6
sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
# CentOS 7 # CentOS 7
if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"; then if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf then echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi fi
fi fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
@ -283,7 +296,8 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
if pgrep firewalld; then if pgrep firewalld
then
# We don't use --add-service=openvpn because that would only work with # We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to # the default port. Using both permanent and not permanent rules to
# avoid a firewalld reload. # avoid a firewalld reload.
@ -292,7 +306,8 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
firewall-cmd --permanent --zone=public --add-port=$PORT/udp firewall-cmd --permanent --zone=public --add-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi fi
if iptables -L | grep -qE 'REJECT|DROP'; then if iptables -L | grep -qE 'REJECT|DROP'
then
# If iptables has at least one REJECT rule, we asume this is needed. # If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't # Not the best approach but I can't think of other and this shouldn't
# cause problems. # cause problems.
@ -304,33 +319,26 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
fi fi
# And finally, restart OpenVPN # And finally, restart OpenVPN
if [[ "$OS" = 'debian' ]]; then if [ $INITSYS = systemd ]
# Little hack to check for systemd then
if pgrep systemd-journal; then
systemctl restart openvpn@server.service
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
systemctl restart openvpn@server.service systemctl restart openvpn@server.service
systemctl enable openvpn@server.service systemctl enable openvpn@server.service
else else
service openvpn restart service openvpn restart
chkconfig openvpn on chkconfig openvpn on
fi fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit users # Try to detect a NATed connection and ask about it to potential LowEndSpirit users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com) EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
if [[ "$IP" != "$EXTERNALIP" ]]; then if [ $IP != "$EXTERNALIP" ]
then
echo "" echo ""
echo "Looks like your server is behind a NAT!" echo "Looks like your server is behind a NAT!"
echo "" echo ""
echo "If your server is NATed (LowEndSpirit), I need to know the external IP" echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
echo "If that's not the case, just ignore this and leave the next field blank" echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP: " -e USEREXTERNALIP read -p "External IP: " USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then if [ "$USEREXTERNALIP" != "" ]
IP=$USEREXTERNALIP then echo IP=$USEREXTERNALIP
fi fi
fi fi
# client-common.txt is created so we have a template to add further users later # client-common.txt is created so we have a template to add further users later