Hoang Huynh 2014-03-12 17:58:09 +00:00
commit 43f55aa56b
2 changed files with 78 additions and 59 deletions


@ -6,16 +6,12 @@ This script will let you setup your own VPN server in no more than one minute, e
###Installation ###Installation
Run the script and follow the assistant: Run the script and follow the assistant:
`wget http://git.io/vpn --no-check-certificate -O openvpn-install.sh; chmod +x openvpn-install.sh; ./openvpn-install.sh` `wget http://git.io/ovpn --no-check-certificate -O openvpn-install.sh; chmod +x openvpn-install.sh; sudo ./openvpn-install.sh`
Once it ends, you can run it again to add more users. Once it ends, you can run it again to add more users.
###I want to run my own VPN but don't have a server for that ###I want to run my own VPN but don't have a server for that
There are reliable providers where you can get a little VPS for even less than one buck a month. There are reliable providers where you can get a little VPS for even less than one buck a month.
- [Secure Dragon (Tampa, FL - Denver, CO - Los Angeles, CA - Chicago, IL)](https://securedragon.net/openvz.php) - [Low End Box](http://lowendbox.com/)
- [High Speed Web (Los Angeles, CA)](http://www.highspeedweb.net/) - [Digital Ocean (Hourly charged, instant VPS creation and deletion)](https://www.digitalocean.com/)
- [IperWeb (Dallas, TX)](http://my.iperweb.com/cart/)
- [HTTP Zoom (Berkshire, UK)](http://httpzoom.com/)
If you don't care about sharing an IP address with more people, you should check out the awesome [LowEndSpirit](http://lowendspirit.com/) project. They are providing IPv6-only VPS with NATed IPv4 for only 3€/year.


@ -1,32 +1,36 @@
#!/bin/bash #!/bin/bash
# OpenVPN road warrior installer for Debian-based distros # OpenVPN road warrior installer for Debian-based distros
# This script will only work on Debian-based systems. It isn't bulletproof but # Check for Debian-based distro
# it will probably work if you simply want to setup a VPN on your Debian/Ubuntu if [ ! -e /etc/debian_version ]; then
# VPS. It has been designed to be as unobtrusive and universal as possible. echo "Sorry, you need to be on a Debian-based OS to run this"
exit 1
fi
# Check for root
if [ $USER != 'root' ]; then if [ $USER != 'root' ]; then
echo "Sorry, you need to run this as root" echo "Sorry, you need to run this as root"
exit exit 1
fi fi
# check for tun/tap
if [ ! -e /dev/net/tun ]; then if [ ! -e /dev/net/tun ]; then
echo "TUN/TAP is not available" echo "TUN/TAP is not available, please enable it first (contact your provider if you don't know how)"
exit exit 1
fi fi
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com) # I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6. # and to avoid getting an IPv6.
IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d: -f2 | awk '{ print $1}' | head -1) IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d: -f2 | awk '{ print $1}' | head -1)
if [ "$IP" = "" ]; then if [ "$IP" = "" ]; then
IP=$(wget -qO- ipv4.icanhazip.com) IP=$(wget -qO- ipv4.icanhazip.com)
fi fi
# Get the machine host name
HOSTNAME=$(hostname)
# If OpenVPN is already installed
if [ -e /etc/openvpn/server.conf ]; then if [ -e /etc/openvpn/server.conf ]; then
while : while :
do do
@ -39,42 +43,46 @@ if [ -e /etc/openvpn/server.conf ]; then
echo "3) Remove OpenVPN" echo "3) Remove OpenVPN"
echo "4) Exit" echo "4) Exit"
echo "" echo ""
read -p "Select an option [1-4]:" option read -p "Select an option [1-4]: " option
case $option in case $option in
1) 1)
echo "" echo ""
echo "Tell me a name for the client cert" echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use words and spaces only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: " -e -i $(id -un) CLIENT
cd /etc/openvpn/easy-rsa/2.0/ cd /etc/openvpn/easy-rsa/2.0/
source ./vars source ./vars
# build-key for the client # build-key for the client
export KEY_CN="$CLIENT" export KEY_CN="$CLIENT"
export EASY_RSA="${EASY_RSA:-.}" export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" $CLIENT "$EASY_RSA/pkitool" "$CLIENT"
# Let's generate the client config # Let's generate the client config
mkdir ~/ovpn-$CLIENT mkdir ~/ovpn-"$CLIENT"
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-$CLIENT/$CLIENT.conf # add server IP to the file names to prevent duplication on client configs
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-$CLIENT cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.conf
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.crt ~/ovpn-$CLIENT cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-"$CLIENT"/ca@$HOSTNAME.crt
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.key ~/ovpn-$CLIENT cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".crt ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.crt
cd ~/ovpn-$CLIENT cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".key ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.key
sed -i "s|cert client.crt|cert $CLIENT.crt|" $CLIENT.conf cd ~/ovpn-"$CLIENT"
sed -i "s|key client.key|key $CLIENT.key|" $CLIENT.conf sed -i "s|ca ca.crt|ca ca@$HOSTNAME.crt|" "$CLIENT"@$HOSTNAME.conf
tar -czf ../ovpn-$CLIENT.tar.gz $CLIENT.conf ca.crt $CLIENT.crt $CLIENT.key sed -i "s|cert client.crt|cert \"$CLIENT@$HOSTNAME.crt\"|" "$CLIENT"@$HOSTNAME.conf
sed -i "s|key client.key|key \"$CLIENT@$HOSTNAME.key\"|" "$CLIENT"@$HOSTNAME.conf
# add an .ovpn file which is essentially the .conf file for client-side openvpn GUI tool on Windows
cp "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn
tar -czf ../ovpn-"$CLIENT".tar.gz "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn ca@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.key
cd ~/ cd ~/
rm -rf ovpn-$CLIENT rm -rf ovpn-"$CLIENT"
echo "" echo ""
echo "Client $CLIENT added, certs available at ~/ovpn-$CLIENT.tar.gz" echo "Client $CLIENT added, certs available at `pwd`/ovpn-$CLIENT.tar.gz"
exit exit 0
;; ;;
2) 2)
echo "" echo ""
echo "Tell me the existing client name" echo "Tell me the existing client name"
read -p "Client name: " -e -i client CLIENT read -p "Client name: " -e CLIENT
cd /etc/openvpn/easy-rsa/2.0/ cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars . /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT . /etc/openvpn/easy-rsa/2.0/revoke-full "$CLIENT"
# If it's the first time revoking a cert, we need to add the crl-verify line # If it's the first time revoking a cert, we need to add the crl-verify line
if grep -q "crl-verify" "/etc/openvpn/server.conf"; then if grep -q "crl-verify" "/etc/openvpn/server.conf"; then
echo "" echo ""
@ -85,24 +93,28 @@ if [ -e /etc/openvpn/server.conf ]; then
echo "" echo ""
echo "Certificate for client $CLIENT revoked" echo "Certificate for client $CLIENT revoked"
fi fi
exit exit 0
;; ;;
3) 3)
apt-get remove --purge -y openvpn openvpn-blacklist apt-get remove --purge -y openvpn openvpn-blacklist
rm -rf /etc/openvpn rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn rm -rf /usr/share/doc/openvpn
sed -i '/--dport 53 -j REDIRECT --to-port 1194/d' /etc/rc.local sed -i '/--dport 53 -j REDIRECT --to-port/d' /etc/rc.local
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local
echo "" echo ""
echo "OpenVPN removed!" echo "OpenVPN removed!"
exit exit 0
;; ;;
4) exit;; 4) exit 0;;
esac esac
done done
else else
echo 'Welcome to this quick OpenVPN "road warrior" installer' echo 'Welcome to this quick OpenVPN "road warrior" installer'
echo "" echo ""
echo "This script will only work on Debian-based systems. It isn't bulletproof but"
echo "it will probably work if you simply want to setup a VPN on your Debian/Ubuntu"
echo "VPS. It has been designed to be as unobtrusive and universal as possible."
echo ""
# OpenVPN setup and first user creation # OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup" echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them" echo "You can leave the default options and just press enter if you are ok with them"
@ -116,11 +128,15 @@ else
echo "" echo ""
echo "Do you want OpenVPN to be available at port 53 too?" echo "Do you want OpenVPN to be available at port 53 too?"
echo "This can be useful to connect under restrictive networks" echo "This can be useful to connect under restrictive networks"
read -p "Listen at port 53 [y/n]:" -e -i n ALTPORT read -p "Listen at port 53 [y/n]: " -e -i n ALTPORT
echo ""
echo "Do you want to allow multiple clients to connect with the same"
echo "certificate/key files? This is recommended only for trusted clients."
read -p "Duplicate certificate [y/n]: " -e -i n DUPLICATECN
echo "" echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me your name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use words and spaces only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: " -e -i $(id -un) CLIENT
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
@ -155,7 +171,7 @@ else
# Now the client keys. We need to set KEY_CN or the stupid pkitool will cry # Now the client keys. We need to set KEY_CN or the stupid pkitool will cry
export KEY_CN="$CLIENT" export KEY_CN="$CLIENT"
export EASY_RSA="${EASY_RSA:-.}" export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" $CLIENT "$EASY_RSA/pkitool" "$CLIENT"
# DH params # DH params
. /etc/openvpn/easy-rsa/2.0/build-dh . /etc/openvpn/easy-rsa/2.0/build-dh
# Let's configure the server # Let's configure the server
@ -168,13 +184,17 @@ else
# Set the server configuration # Set the server configuration
sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 129.250.35.250"|' server.conf sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 8.8.8.8"|' server.conf
sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 74.82.42.42"|' server.conf sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 74.82.42.42"|' server.conf
sed -i "s|port 1194|port $PORT|" server.conf sed -i "s|port 1194|port $PORT|" server.conf
# Listen at port 53 too if user wants that # Listen at port 53 too if user wants that
if [ $ALTPORT = 'y' ]; then if [ $ALTPORT = 'y' ]; then
iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port 1194 iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT
sed -i "/# By default this script does nothing./a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port 1194" /etc/rc.local sed -i "/# By default this script does nothing./a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local
fi
# Allow duplicate certificate/key files if user wants that
if [ $DUPLICATECN = 'y' ]; then
sed -i 's|;duplicate-cn|duplicate-cn|' server.conf
fi fi
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
@ -186,7 +206,7 @@ else
# And finally, restart OpenVPN # And finally, restart OpenVPN
/etc/init.d/openvpn restart /etc/init.d/openvpn restart
# Let's generate the client config # Let's generate the client config
mkdir ~/ovpn-$CLIENT mkdir ~/ovpn-"$CLIENT"
# Try to detect a NATed connection and ask about it to potential LowEndSpirit # Try to detect a NATed connection and ask about it to potential LowEndSpirit
# users # users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com) EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
@ -204,19 +224,22 @@ else
# IP/port set on the default client.conf so we can add further users # IP/port set on the default client.conf so we can add further users
# without asking for them # without asking for them
sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-$CLIENT/$CLIENT.conf cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.conf
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-$CLIENT cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-"$CLIENT"/ca@$HOSTNAME.crt
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.crt ~/ovpn-$CLIENT cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".crt ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.crt
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.key ~/ovpn-$CLIENT cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".key ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.key
cd ~/ovpn-$CLIENT cd ~/ovpn-"$CLIENT"
sed -i "s|cert client.crt|cert $CLIENT.crt|" $CLIENT.conf sed -i "s|ca ca.crt|ca ca@$HOSTNAME.crt|" "$CLIENT"@$HOSTNAME.conf
sed -i "s|key client.key|key $CLIENT.key|" $CLIENT.conf sed -i "s|cert client.crt|cert \"$CLIENT@$HOSTNAME.crt\"|" "$CLIENT"@$HOSTNAME.conf
tar -czf ../ovpn-$CLIENT.tar.gz $CLIENT.conf ca.crt $CLIENT.crt $CLIENT.key sed -i "s|key client.key|key \"$CLIENT@$HOSTNAME.key\"|" "$CLIENT"@$HOSTNAME.conf
cp "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn
tar -czf ../ovpn-"$CLIENT".tar.gz "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn ca@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.key
cd ~/ cd ~/
rm -rf ovpn-$CLIENT rm -rf ovpn-"$CLIENT"
echo "" echo ""
echo "Finished!" echo "Finished!"
echo "" echo ""
echo "Your client config is available at ~/ovpn-$CLIENT.tar.gz" echo "Your client config is available at `pwd`/ovpn-$CLIENT.tar.gz"
echo "If you want to add more clients, you simply need to run this script another time!" echo "If you want to add more clients, you simply need to run this script another time!"
exit 0
fi fi
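Review bot: The reworded prompt now invites "words and spaces" for the client name, but nothing validates `CLIENT` before it is spliced into the `sed -i "s|cert client.crt|cert \"$CLIENT@$HOSTNAME.crt\"|"` expressions of the last hunk (and the identical lines in the option-1 hunk of the menu), so a name containing `|`, `&`, `\` or `/` silently corrupts or breaks the generated config, and a name with spaces is also handed to `"$EASY_RSA/pkitool"` as a file-name stem, which I have not confirmed easy-rsa 2.0 accepts. A whitelist right after each `read` of `CLIENT` closes both: `[[ "$CLIENT" =~ ^[A-Za-z0-9._\ -]+$ ]] || { echo "Client name may only contain letters, digits, dots, dashes and spaces"; exit 1; }`. The new `if [ $DUPLICATECN = 'y' ]; then` should quote the variable, `if [ "$DUPLICATECN" = 'y' ]; then`, because an empty answer (the user erasing the `n` default) makes `[` fail with "unary operator expected" instead of taking the no branch. `$HOSTNAME` is likewise unquoted in every new file name and in the `tar` argument list; `"$HOSTNAME"` is the safe form if the host name ever contains whitespace.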