Patch/openvpn-install
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Google Authenticator OTP added

Browse Source
This commit is contained in:
Gizem Gür 2018-04-19 22:08:02 +03:00 committed by GitHub
parent 00e824c86d
commit 4143f15105
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
openvpn-install.sh
View File

@ -57,6 +57,9 @@ newclient () {
echo "<tls-auth>" >> ~/$1.ovpn echo "<tls-auth>" >> ~/$1.ovpn
cat /etc/openvpn/ta.key >> ~/$1.ovpn cat /etc/openvpn/ta.key >> ~/$1.ovpn
echo "</tls-auth>" >> ~/$1.ovpn echo "</tls-auth>" >> ~/$1.ovpn
useradd $1
google-authenticator -t -d -r3 -R30 -f -l $1-vpn -s /etc/openvpn/google-authenticator/$1
chown gauth. /etc/openvpn/google-authenticator/$1
} }
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
@ -118,6 +121,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
rm -rf pki/private/$CLIENT.key rm -rf pki/private/$CLIENT.key
rm -rf pki/issued/$CLIENT.crt rm -rf pki/issued/$CLIENT.crt
rm -rf /etc/openvpn/crl.pem rm -rf /etc/openvpn/crl.pem
userdel $CLIENT
rm -rf /etc/openvpn/google-authenticator/$CLIENT
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
# CRL is read with each client connection, when OpenVPN is dropped to nobody # CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:$GROUPNAME /etc/openvpn/crl.pem chown nobody:$GROUPNAME /etc/openvpn/crl.pem
@ -161,7 +166,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
fi fi
fi fi
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get remove --purge -y openvpn apt-get remove --purge -y openvpn libpam-google-authenticator
else else
yum remove openvpn -y yum remove openvpn -y
fi fi
@ -222,6 +227,7 @@ else
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get update apt-get update
apt-get install openvpn iptables openssl ca-certificates -y apt-get install openvpn iptables openssl ca-certificates -y
apt-get install libqrencode3 libpam-google-authenticator -y
else else
# Else, the distro is CentOS # Else, the distro is CentOS
yum install epel-release -y yum install epel-release -y
@ -252,6 +258,12 @@ else
chown nobody:$GROUPNAME /etc/openvpn/crl.pem chown nobody:$GROUPNAME /etc/openvpn/crl.pem
# Generate key for tls-auth # Generate key for tls-auth
openvpn --genkey --secret /etc/openvpn/ta.key openvpn --genkey --secret /etc/openvpn/ta.key
# Create Google Authenticator
addgroup gauth
useradd -g gauth gauth
mkdir /etc/openvpn/google-authenticator
chown gauth:gauth /etc/openvpn/google-authenticator
chmod 0700 /etc/openvpn/google-authenticator
# Generate server.conf # Generate server.conf
echo "port $PORT echo "port $PORT
proto $PROTOCOL proto $PROTOCOL
@ -309,7 +321,9 @@ persist-key
persist-tun persist-tun
status openvpn-status.log status openvpn-status.log
verb 3 verb 3
crl-verify crl.pem" >> /etc/openvpn/server.conf crl-verify crl.pem
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn" >> /etc/openvpn/server.conf
echo "auth required /lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/\${USER} user=gauth forward_pass" > /etc/pam.d/openvpn
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
@ -410,7 +424,9 @@ cipher AES-256-CBC
comp-lzo comp-lzo
setenv opt block-outside-dns setenv opt block-outside-dns
key-direction 1 key-direction 1
verb 3" > /etc/openvpn/client-common.txt verb 3
ns-cert-type server
auth-user-pass" > /etc/openvpn/client-common.txt
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
echo "" echo ""
@ -418,4 +434,4 @@ verb 3" > /etc/openvpn/client-common.txt
echo "" echo ""
echo "Your client configuration is available at" ~/"$CLIENT.ovpn" echo "Your client configuration is available at" ~/"$CLIENT.ovpn"
echo "If you want to add more clients, you simply need to run this script again!" echo "If you want to add more clients, you simply need to run this script again!"
fi fi