update code
This commit is contained in:
parent
e3a675de0d
commit
45a01c0d32
25
README.md
25
README.md
@ -24,7 +24,22 @@ If you want to show your appreciation, you can donate via [PayPal](https://www.p
|
|||||||
|
|
||||||
`bash openvpn-install.sh`
|
`bash openvpn-install.sh`
|
||||||
|
|
||||||
|
|
||||||
|
### Make ccd and make a file named as the client username (change 10.10.0.101 to the ip you want to assgin to the client)
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo mkdir /etc/openvpn/ccd
|
||||||
|
|
||||||
|
sudo echo "ifconfig-push 10.10.0.101 255.255.255.0" >/etc/openvon/ccd/client
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
### Install client on ubuntu server
|
### Install client on ubuntu server
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
```
|
```
|
||||||
sudo apt update
|
sudo apt update
|
||||||
sudo apt install openvpn
|
sudo apt install openvpn
|
||||||
@ -36,7 +51,7 @@ Copy <USERNAME>.ovpn to the target machine
|
|||||||
sudo service openvpn@client start
|
sudo service openvpn@client start
|
||||||
```
|
```
|
||||||
|
|
||||||
### Some note
|
### Some change made in the code, no action needed below:
|
||||||
|
|
||||||
partial routing (if do not want redirect all traffic to the vpn server. If you have a machine that host public app e.g. website server, you will need this setting.)
|
partial routing (if do not want redirect all traffic to the vpn server. If you have a machine that host public app e.g. website server, you will need this setting.)
|
||||||
|
|
||||||
@ -45,7 +60,7 @@ add
|
|||||||
|
|
||||||
```
|
```
|
||||||
route-nopull
|
route-nopull
|
||||||
route 10.8.0.0 255.255.255.0
|
route 10.10.0.0 255.255.255.0
|
||||||
```
|
```
|
||||||
|
|
||||||
make a file
|
make a file
|
||||||
@ -54,7 +69,7 @@ make a file
|
|||||||
|
|
||||||
```
|
```
|
||||||
route-nopull
|
route-nopull
|
||||||
route 10.8.0.0 255.255.255.0
|
route 10.10.0.0 255.255.255.0
|
||||||
```
|
```
|
||||||
|
|
||||||
another file
|
another file
|
||||||
@ -80,6 +95,4 @@ client-config-dir /etc/openvpn/ccd
|
|||||||
client-to-client
|
client-to-client
|
||||||
```
|
```
|
||||||
|
|
||||||
Then go to /etc/openvpn/ccd to create file named as user name and put something like (in this example, the ip is set to 10.8.0.101 for the user)
|
T
|
||||||
|
|
||||||
`ifconfig-push 10.8.0.101 255.255.255.0`
|
|
||||||
|
|||||||
@ -236,7 +236,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
|
|||||||
systemctl enable --now firewalld.service
|
systemctl enable --now firewalld.service
|
||||||
fi
|
fi
|
||||||
# Get easy-rsa
|
# Get easy-rsa
|
||||||
easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz'
|
easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.3/EasyRSA-3.1.3.tgz'
|
||||||
mkdir -p /etc/openvpn/server/easy-rsa/
|
mkdir -p /etc/openvpn/server/easy-rsa/
|
||||||
{ wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
|
{ wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
|
||||||
chown -R root:root /etc/openvpn/server/easy-rsa/
|
chown -R root:root /etc/openvpn/server/easy-rsa/
|
||||||
@ -276,7 +276,9 @@ dh dh.pem
|
|||||||
auth SHA512
|
auth SHA512
|
||||||
tls-crypt tc.key
|
tls-crypt tc.key
|
||||||
topology subnet
|
topology subnet
|
||||||
server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
|
client-config-dir /etc/openvpn/ccd
|
||||||
|
client-to-client
|
||||||
|
server 10.10.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
|
||||||
# IPv6
|
# IPv6
|
||||||
if [[ -z "$ip6" ]]; then
|
if [[ -z "$ip6" ]]; then
|
||||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
|
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
|
||||||
@ -284,7 +286,7 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
|
|||||||
echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
|
echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
|
||||||
echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
|
echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
|
||||||
fi
|
fi
|
||||||
echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
|
# echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
|
||||||
# DNS
|
# DNS
|
||||||
case "$dns" in
|
case "$dns" in
|
||||||
1|"")
|
1|"")
|
||||||
@ -349,12 +351,12 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
|
|||||||
# We don't use --add-service=openvpn because that would only work with
|
# We don't use --add-service=openvpn because that would only work with
|
||||||
# the default port and protocol.
|
# the default port and protocol.
|
||||||
firewall-cmd --add-port="$port"/"$protocol"
|
firewall-cmd --add-port="$port"/"$protocol"
|
||||||
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
|
firewall-cmd --zone=trusted --add-source=10.10.0.0/24
|
||||||
firewall-cmd --permanent --add-port="$port"/"$protocol"
|
firewall-cmd --permanent --add-port="$port"/"$protocol"
|
||||||
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
|
firewall-cmd --permanent --zone=trusted --add-source=10.10.0.0/24
|
||||||
# Set NAT for the VPN subnet
|
# Set NAT for the VPN subnet
|
||||||
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
|
||||||
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
|
||||||
if [[ -n "$ip6" ]]; then
|
if [[ -n "$ip6" ]]; then
|
||||||
firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64
|
firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64
|
||||||
firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64
|
firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64
|
||||||
@ -375,13 +377,13 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
|
|||||||
Before=network.target
|
Before=network.target
|
||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
|
ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to $ip
|
||||||
ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
|
ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
|
||||||
ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
|
ExecStart=$iptables_path -I FORWARD -s 10.10.0.0/24 -j ACCEPT
|
||||||
ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||||
ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
|
ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to $ip
|
||||||
ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
|
ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
|
||||||
ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
|
ExecStop=$iptables_path -D FORWARD -s 10.10.0.0/24 -j ACCEPT
|
||||||
ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
|
ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
|
||||||
if [[ -n "$ip6" ]]; then
|
if [[ -n "$ip6" ]]; then
|
||||||
echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
|
echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
|
||||||
@ -425,6 +427,8 @@ remote-cert-tls server
|
|||||||
auth SHA512
|
auth SHA512
|
||||||
cipher AES-256-CBC
|
cipher AES-256-CBC
|
||||||
ignore-unknown-option block-outside-dns
|
ignore-unknown-option block-outside-dns
|
||||||
|
route-nopull
|
||||||
|
route 10.10.0.0 255.255.255.0
|
||||||
verb 3" > /etc/openvpn/server/client-common.txt
|
verb 3" > /etc/openvpn/server/client-common.txt
|
||||||
# Enable and start the OpenVPN service
|
# Enable and start the OpenVPN service
|
||||||
systemctl enable --now openvpn-server@server.service
|
systemctl enable --now openvpn-server@server.service
|
||||||
@ -519,14 +523,14 @@ else
|
|||||||
port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
if systemctl is-active --quiet firewalld.service; then
|
if systemctl is-active --quiet firewalld.service; then
|
||||||
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
|
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.10.0.0/24 '"'"'!'"'"' -d 10.10.0.0/24' | grep -oE '[^ ]+$')
|
||||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||||
firewall-cmd --remove-port="$port"/"$protocol"
|
firewall-cmd --remove-port="$port"/"$protocol"
|
||||||
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
|
firewall-cmd --zone=trusted --remove-source=10.10.0.0/24
|
||||||
firewall-cmd --permanent --remove-port="$port"/"$protocol"
|
firewall-cmd --permanent --remove-port="$port"/"$protocol"
|
||||||
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
|
firewall-cmd --permanent --zone=trusted --remove-source=10.10.0.0/24
|
||||||
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
|
||||||
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
|
||||||
if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then
|
if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then
|
||||||
ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$')
|
ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$')
|
||||||
firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64
|
firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64
|
||||||
|
|||||||
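Review bot: The `route-nopull` line added to the client template in the `@ -425,6 +427,8 @@` hunk makes every generated client discard what the server pushes, so the `push "redirect-gateway def1 bypass-dhcp"` lines kept in the `@ -276` and `@ -284` hunks and whatever the `case "$dns"` block pushes presumably never reach a client any more; either drop the unconditional `route-nopull` so the README's partial-routing recipe stays opt-in, or remove the now-dead redirect-gateway and DNS pushes from server.conf. The accompanying `route 10.10.0.0 255.255.255.0` covers only IPv4, so a client built with `server-ipv6` enabled gets no route to `fddd:1194:1194:1194::/64`. In the `@ -276` hunk, `client-to-client` lets VPN peers reach one another inside the OpenVPN process, so the FORWARD rules written in the `@ -375` hunk do not see that traffic; a comment such as `# client-to-client: peers reach each other directly, not filtered by the host firewall` and a prompt making it opt-in would document that choice. `client-config-dir /etc/openvpn/ccd` is never created by the script, so adding `mkdir -p /etc/openvpn/ccd` before the server.conf write would keep the per-client `ifconfig-push` files described in the README working without a manual step. The file header for this section is not shown on the page, so the path of the patched script is inferred from the README.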