Patch/openvpn-install
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into master

Browse Source
This commit is contained in:
Skipperro 2024-01-04 18:48:15 +01:00 committed by GitHub
commit 327648dd62
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 48 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@ -1,5 +1,5 @@
## openvpn-install ## openvpn-install
OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, CentOS and Fedora. OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora.
This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible. This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.
@ -11,3 +11,12 @@ Run the script and follow the assistant:
`wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh` `wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh`
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.
### I want to run my own VPN but don't have a server for that
You can get a VPS from just 2€/month at [AlphaVPS](https://alphavps.com/clients/aff.php?aff=474&pid=422).
### Donations
If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [cryptocurrency](https://pastebin.com/raw/M2JJpQpC). Thanks!
### Sponsor
This project is proudly sponsored by our friends at [FrogeHost](https://froge.host/?utm_source=nyr).

64
openvpn-install.sh
View File

@ -30,9 +30,9 @@ elif [[ -e /etc/debian_version ]]; then
os="debian" os="debian"
os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1) os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1)
group_name="nogroup" group_name="nogroup"
elif [[ -e /etc/centos-release ]]; then elif [[ -e /etc/almalinux-release || -e /etc/rocky-release || -e /etc/centos-release ]]; then
os="centos" os="centos"
os_version=$(grep -oE '[0-9]+' /etc/centos-release | head -1) os_version=$(grep -shoE '[0-9]+' /etc/almalinux-release /etc/rocky-release /etc/centos-release | head -1)
group_name="nobody" group_name="nobody"
elif [[ -e /etc/fedora-release ]]; then elif [[ -e /etc/fedora-release ]]; then
os="fedora" os="fedora"
@ -40,7 +40,7 @@ elif [[ -e /etc/fedora-release ]]; then
group_name="nobody" group_name="nobody"
else else
echo "This installer seems to be running on an unsupported distribution. echo "This installer seems to be running on an unsupported distribution.
Supported distributions are Ubuntu, Debian, CentOS, and Fedora." Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora."
exit exit
fi fi
@ -50,10 +50,16 @@ This version of Ubuntu is too old and unsupported."
exit exit
fi fi
if [[ "$os" == "debian" && "$os_version" -lt 9 ]]; then if [[ "$os" == "debian" ]]; then
echo "Debian 9 or higher is required to use this installer. if grep -q '/sid' /etc/debian_version; then
echo "Debian Testing and Debian Unstable are unsupported by this installer."
exit
fi
if [[ "$os_version" -lt 9 ]]; then
echo "Debian 9 or higher is required to use this installer.
This version of Debian is too old and unsupported." This version of Debian is too old and unsupported."
exit exit
fi
fi fi
if [[ "$os" == "centos" && "$os_version" -lt 7 ]]; then if [[ "$os" == "centos" && "$os_version" -lt 7 ]]; then
@ -99,6 +105,13 @@ new_client () {
} }
if [[ ! -e /etc/openvpn/server/server.conf ]]; then if [[ ! -e /etc/openvpn/server/server.conf ]]; then
# Detect some Debian minimal setups where neither wget nor curl are installed
if ! hash wget 2>/dev/null && ! hash curl 2>/dev/null; then
echo "Wget is required to use this installer."
read -n1 -r -p "Press any key to install Wget and continue..."
apt-get update
apt-get install -y wget
fi
clear clear
echo 'Welcome to this OpenVPN road warrior installer!' echo 'Welcome to this OpenVPN road warrior installer!'
# If system has a single IPv4, it is selected automatically. Else, ask the user # If system has a single IPv4, it is selected automatically. Else, ask the user
@ -195,7 +208,7 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
[[ -z "$client" ]] && client="client" [[ -z "$client" ]] && client="client"
echo echo
echo "OpenVPN installation is ready to begin." echo "OpenVPN installation is ready to begin."
# Install a firewall in the rare case where one is not already available # Install a firewall if firewalld or iptables are not already available
if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
if [[ "$os" == "centos" || "$os" == "fedora" ]]; then if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
firewall="firewalld" firewall="firewalld"
@ -216,7 +229,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
fi fi
if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
apt-get update apt-get update
apt-get install -y openvpn openssl ca-certificates $firewall apt-get install -y --no-install-recommends openvpn openssl ca-certificates $firewall
elif [[ "$os" = "centos" ]]; then elif [[ "$os" = "centos" ]]; then
yum install -y epel-release yum install -y epel-release
yum install -y openvpn openssl ca-certificates tar $firewall yum install -y openvpn openssl ca-certificates tar $firewall
@ -229,17 +242,17 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
systemctl enable --now firewalld.service systemctl enable --now firewalld.service
fi fi
# Get easy-rsa # Get easy-rsa
easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz' easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.7/EasyRSA-3.1.7.tgz'
mkdir -p /etc/openvpn/server/easy-rsa/ mkdir -p /etc/openvpn/server/easy-rsa/
{ wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1 { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
chown -R root:root /etc/openvpn/server/easy-rsa/ chown -R root:root /etc/openvpn/server/easy-rsa/
cd /etc/openvpn/server/easy-rsa/ cd /etc/openvpn/server/easy-rsa/
# Create the PKI, set up the CA and the server and client certificates # Create the PKI, set up the CA and the server and client certificates
./easyrsa init-pki ./easyrsa --batch init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass ./easyrsa --batch --days=3650 build-server-full server nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass ./easyrsa --batch --days=3650 build-client-full "$client" nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl ./easyrsa --batch --days=3650 gen-crl
# Move the stuff we need # Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
# CRL is read with each client connection, while OpenVPN is dropped to nobody # CRL is read with each client connection, while OpenVPN is dropped to nobody
@ -283,13 +296,13 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
1|"") 1|"")
# Locate the proper resolv.conf # Locate the proper resolv.conf
# Needed for systems running systemd-resolved # Needed for systems running systemd-resolved
if grep -q '^nameserver 127.0.0.53' "/etc/resolv.conf"; then if grep '^nameserver' "/etc/resolv.conf" | grep -qv '127.0.0.53' ; then
resolv_conf="/run/systemd/resolve/resolv.conf"
else
resolv_conf="/etc/resolv.conf" resolv_conf="/etc/resolv.conf"
else
resolv_conf="/run/systemd/resolve/resolv.conf"
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -v '127.0.0.53' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
done done
;; ;;
@ -314,8 +327,8 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf
;; ;;
esac esac
echo 'push "block-outside-dns"' >> /etc/openvpn/server/server.conf
echo "keepalive 10 120 echo "keepalive 10 120
cipher AES-256-CBC
user nobody user nobody
group $group_name group $group_name
persist-key persist-key
@ -326,12 +339,12 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
fi fi
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-openvpn-forward.conf
# Enable without waiting for a reboot or service restart # Enable without waiting for a reboot or service restart
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
if [[ -n "$ip6" ]]; then if [[ -n "$ip6" ]]; then
# Enable net.ipv6.conf.all.forwarding for the system # Enable net.ipv6.conf.all.forwarding for the system
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/30-openvpn-forward.conf echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/99-openvpn-forward.conf
# Enable without waiting for a reboot or service restart # Enable without waiting for a reboot or service restart
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
fi fi
@ -415,9 +428,7 @@ persist-key
persist-tun persist-tun
remote-cert-tls server remote-cert-tls server
auth SHA512 auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns ignore-unknown-option block-outside-dns
block-outside-dns
verb 3" > /etc/openvpn/server/client-common.txt verb 3" > /etc/openvpn/server/client-common.txt
# Enable and start the OpenVPN service # Enable and start the OpenVPN service
systemctl enable --now openvpn-server@server.service systemctl enable --now openvpn-server@server.service
@ -454,7 +465,7 @@ else
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client") client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
done done
cd /etc/openvpn/server/easy-rsa/ cd /etc/openvpn/server/easy-rsa/
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass ./easyrsa --batch --days=3650 build-client-full "$client" nopass
# Generates the custom client.ovpn # Generates the custom client.ovpn
new_client new_client
echo echo
@ -488,7 +499,7 @@ else
if [[ "$revoke" =~ ^[yY]$ ]]; then if [[ "$revoke" =~ ^[yY]$ ]]; then
cd /etc/openvpn/server/easy-rsa/ cd /etc/openvpn/server/easy-rsa/
./easyrsa --batch revoke "$client" ./easyrsa --batch revoke "$client"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl ./easyrsa --batch --days=3650 gen-crl
rm -f /etc/openvpn/server/crl.pem rm -f /etc/openvpn/server/crl.pem
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
# CRL is read with each client connection, when OpenVPN is dropped to nobody # CRL is read with each client connection, when OpenVPN is dropped to nobody
@ -535,14 +546,15 @@ else
semanage port -d -t openvpn_port_t -p "$protocol" "$port" semanage port -d -t openvpn_port_t -p "$protocol" "$port"
fi fi
systemctl disable --now openvpn-server@server.service systemctl disable --now openvpn-server@server.service
rm -rf /etc/openvpn/server
rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
rm -f /etc/sysctl.d/30-openvpn-forward.conf rm -f /etc/sysctl.d/99-openvpn-forward.conf
if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
rm -rf /etc/openvpn/server
apt-get remove --purge -y openvpn apt-get remove --purge -y openvpn
else else
# Else, OS must be CentOS or Fedora # Else, OS must be CentOS or Fedora
yum remove -y openvpn yum remove -y openvpn
rm -rf /etc/openvpn/server
fi fi
echo echo
echo "OpenVPN removed!" echo "OpenVPN removed!"