Make the script POSIX-compliant

JulR 2015-12-12 22:03:09 +01:00
parent e58addc2c5
commit b943ff314d
2 changed files with 96 additions and 98 deletions


@ -6,7 +6,7 @@ This script will let you setup your own VPN server in no more than a minute, eve
###Installation ###Installation
Run the script and follow the assistant: Run the script and follow the assistant:
`wget git.io/vpn --no-check-certificate -O openvpn-install.sh && bash openvpn-install.sh` `wget git.io/vpn --no-check-certificate -O openvpn-install.sh && sh openvpn-install.sh`
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN. Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.


@ -1,4 +1,4 @@
#!/bin/bash #!/bin/sh
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS # OpenVPN road warrior installer for Debian, Ubuntu and CentOS
# This script will work on Debian, Ubuntu, CentOS and probably other distros # This script will work on Debian, Ubuntu, CentOS and probably other distros
@ -8,27 +8,30 @@
# universal as possible. # universal as possible.
if [[ "$EUID" -ne 0 ]]; then if [ "$(id -u)" != "0" ]
then
echo "Sorry, you need to run this as root" echo "Sorry, you need to run this as root"
exit 1 exit 1
fi fi
if [ ! -e /dev/net/tun ]
if [[ ! -e /dev/net/tun ]]; then then
echo "TUN/TAP is not available" echo "TUN/TAP is not available"
exit 2 exit 2
fi fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then if grep -qs "CentOS release 5" "/etc/redhat-release"
echo "CentOS 5 is too old and not supported" then echo "CentOS 5 is too old and not supported"
exit 3 exit 3
fi fi
if [[ -e /etc/debian_version ]]; then if [ -e /etc/debian_version ]
then
OS=debian OS=debian
RCLOCAL='/etc/rc.local' RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then elif [ -e /etc/centos-release || -e /etc/redhat-release ]
then
OS=centos OS=centos
RCLOCAL='/etc/rc.d/rc.local' RCLOCAL='/etc/rc.d/rc.local'
# Needed for CentOS 7 # Needed for CentOS 7
@ -38,7 +41,7 @@ else
exit 4 exit 4
fi fi
newclient () { newclient() {
# Generates the custom client.ovpn # Generates the custom client.ovpn
cp /etc/openvpn/client-common.txt ~/$1.ovpn cp /etc/openvpn/client-common.txt ~/$1.ovpn
echo "<ca>" >> ~/$1.ovpn echo "<ca>" >> ~/$1.ovpn
@ -52,17 +55,16 @@ newclient () {
echo "</key>" >> ~/$1.ovpn echo "</key>" >> ~/$1.ovpn
} }
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com) # I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6. # and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then if [ "$IP" = "" ]
IP=$(wget -qO- ipv4.icanhazip.com) then IP=$(wget -qO- ipv4.icanhazip.com)
fi fi
if [ -e /etc/openvpn/server.conf ]
if [[ -e /etc/openvpn/server.conf ]]; then then
while : while :
do do
clear clear
@ -79,20 +81,21 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Tell me a name for the client cert" echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: client " CLIENT
CLIENT=${CLIENT:-client}
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
echo "" echo ""
echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn" echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
exit exit;;
;;
2) 2)
# This option could be documented a bit better and maybe even be simplimplified # This option could be documented a bit better and maybe even be simplimplified
# ...but what can I say, I want some sleep too # ...but what can I say, I want some sleep too
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then if [ "$NUMBEROFCLIENTS" = 0 ]
then
echo "" echo ""
echo "You have no existing clients!" echo "You have no existing clients!"
exit 5 exit 5
@ -100,8 +103,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Select the existing client certificate you want to revoke" echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then if [ "$NUMBEROFCLIENTS" = 1 ]
read -p "Select one client [1]: " CLIENTNUMBER then read -p "Select one client [1]: " CLIENTNUMBER
else else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi fi
@ -110,39 +113,37 @@ if [[ -e /etc/openvpn/server.conf ]]; then
./easyrsa --batch revoke $CLIENT ./easyrsa --batch revoke $CLIENT
./easyrsa gen-crl ./easyrsa gen-crl
# And restart # And restart
if pgrep systemd-journal; then if pgrep systemd-journal
systemctl restart openvpn@server.service then systemctl restart openvpn@server.service
else elif [ $OS = debian ]
if [[ "$OS" = 'debian' ]]; then then /etc/init.d/openvpn restart
/etc/init.d/openvpn restart
else else
service openvpn restart service openvpn restart
fi fi
fi
echo "" echo ""
echo "Certificate for client $CLIENT revoked" echo "Certificate for client $CLIENT revoked"
exit exit;;
;;
3) 3)
echo "" echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -p "Do you really want to remove OpenVPN? [N/y]: " REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [ $REMOVE = y ]
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then if pgrep firewalld
# Using both permanent and not permanent rules to avoid a firewalld reload. then # Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --zone=public --remove-port=$PORT/udp firewall-cmd --zone=public --remove-port=$PORT/udp
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi fi
if iptables -L | grep -qE 'REJECT|DROP'; then if iptables -L | grep -qE 'REJECT|DROP'
then
sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi fi
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
if [[ "$OS" = 'debian' ]]; then if [ $OS = debian ]
apt-get remove --purge -y openvpn openvpn-blacklist then apt-get remove --purge -y openvpn openvpn-blacklist
else else
yum remove openvpn -y yum remove openvpn -y
fi fi
@ -154,8 +155,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Removal aborted!" echo "Removal aborted!"
fi fi
exit exit;;
;;
4) exit;; 4) exit;;
esac esac
done done
@ -169,10 +169,12 @@ else
echo "" echo ""
echo "First I need to know the IPv4 address of the network interface you want OpenVPN" echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
echo "listening to." echo "listening to."
read -p "IP address: " -e -i $IP IP read -p "IP address: $IP " IP
IP=${IP:-$IP}
echo "" echo ""
echo "What port do you want for OpenVPN?" echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT read -p "Port: 1194 " PORT
PORT=${PORT:-1194}
echo "" echo ""
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers" echo " 1) Current system resolvers"
@ -181,15 +183,19 @@ else
echo " 4) NTT" echo " 4) NTT"
echo " 5) Hurricane Electric" echo " 5) Hurricane Electric"
echo " 6) Google" echo " 6) Google"
read -p "DNS [1-6]: " -e -i 1 DNS read -p "DNS [1-6]: 1 " DNS
DNS=${DNS:-1}
echo "" echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me your name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -p "Client name: client " CLIENT
CLIENT=${CLIENT:-client}
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." echo "Press [ENTER] to continue... \c"
if [[ "$OS" = 'debian' ]]; then read
if [ $OS = debian ]
then
apt-get update apt-get update
apt-get install openvpn iptables openssl ca-certificates -y apt-get install openvpn iptables openssl ca-certificates -y
else else
@ -198,8 +204,8 @@ else
yum install openvpn iptables openssl wget ca-certificates -y yum install openvpn iptables openssl wget ca-certificates -y
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [ -d /etc/openvpn/easy-rsa/ ]
rm -rf /etc/openvpn/easy-rsa/ then rm -rf /etc/openvpn/easy-rsa/
fi fi
# Get easy-rsa # Get easy-rsa
wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
@ -236,29 +242,24 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
case $DNS in case $DNS in
1) 1)
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line
do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done done;;
;;
2) 2)
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf;;
;;
3) 3)
echo 'push "dhcp-option DNS 4.2.2.2"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 4.2.2.2"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 4.2.2.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 4.2.2.4"' >> /etc/openvpn/server.conf;;
;;
4) 4)
echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf;;
;;
5) 5)
echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf;;
;;
6) 6)
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf;;
;;
esac esac
echo "keepalive 10 120 echo "keepalive 10 120
comp-lzo comp-lzo
@ -268,14 +269,14 @@ status openvpn-status.log
verb 3 verb 3
crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
if [[ "$OS" = 'debian' ]]; then if [ $OS = debian ]
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf then sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
else else
# CentOS 5 and 6 # CentOS 5 and 6
sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
# CentOS 7 # CentOS 7
if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"; then if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf then echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi fi
fi fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
@ -283,7 +284,8 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
if pgrep firewalld; then if pgrep firewalld
then
# We don't use --add-service=openvpn because that would only work with # We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to # the default port. Using both permanent and not permanent rules to
# avoid a firewalld reload. # avoid a firewalld reload.
@ -292,7 +294,8 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
firewall-cmd --permanent --zone=public --add-port=$PORT/udp firewall-cmd --permanent --zone=public --add-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi fi
if iptables -L | grep -qE 'REJECT|DROP'; then if iptables -L | grep -qE 'REJECT|DROP'
then
# If iptables has at least one REJECT rule, we asume this is needed. # If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't # Not the best approach but I can't think of other and this shouldn't
# cause problems. # cause problems.
@ -304,33 +307,28 @@ crl-verify /etc/openvpn/easy-rsa/pki/crl.pem" >> /etc/openvpn/server.conf
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
fi fi
# And finally, restart OpenVPN # And finally, restart OpenVPN
if [[ "$OS" = 'debian' ]]; then if pgrep systemd-journal
# Little hack to check for systemd then # Little hack to check for systemd
if pgrep systemd-journal; then
systemctl restart openvpn@server.service
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
systemctl restart openvpn@server.service systemctl restart openvpn@server.service
systemctl enable openvpn@server.service systemctl enable openvpn@server.service
elif [ $OS = debian ]
then /etc/init.d/openvpn restart
else else
service openvpn restart service openvpn restart
chkconfig openvpn on chkconfig openvpn on
fi fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit users # Try to detect a NATed connection and ask about it to potential LowEndSpirit users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com) EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
if [[ "$IP" != "$EXTERNALIP" ]]; then if [ $IP != "$EXTERNALIP" ]
then
echo "" echo ""
echo "Looks like your server is behind a NAT!" echo "Looks like your server is behind a NAT!"
echo "" echo ""
echo "If your server is NATed (LowEndSpirit), I need to know the external IP" echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
echo "If that's not the case, just ignore this and leave the next field blank" echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP: " -e USEREXTERNALIP read -p "External IP: " USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then if [ "$USEREXTERNALIP" != "" ]
IP=$USEREXTERNALIP then echo IP=$USEREXTERNALIP
fi fi
fi fi
# client-common.txt is created so we have a template to add further users later # client-common.txt is created so we have a template to add further users later
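Review bot: `then echo IP=$USEREXTERNALIP` on the new side of the last hunk prints the literal text `IP=…` instead of assigning it, so an external IP typed by the user is never stored in `IP`, and the client template whose creation the closing comment announces (generated after this hunk, presumably from `$IP`) will still carry the internal address; restore the assignment, `then IP=$USEREXTERNALIP`. In the same hunk `[ $IP != "$EXTERNALIP" ]` leaves `$IP` unquoted, and the earlier rewrite `read -p "IP address: $IP " IP; IP=${IP:-$IP}` discards the detected default whenever the user just presses Enter (the variable is already overwritten before the `:-` fallback runs), so `$IP` can be empty here and `[` aborts with a syntax error; read into a scratch variable, `read -r ANSWER; IP=${ANSWER:-$IP}`, and quote `"$IP"` (the same pattern breaks the `PORT`, `DNS` and `CLIENT` defaults). Note also that `read -p` and `[ -e /etc/centos-release || -e /etc/redhat-release ]` are not POSIX — dash rejects `-p`, and `||` cannot appear inside a single `[ … ]` test, so CentOS detection falls through to the "unsupported" exit — which means the script still does not run under `/bin/sh` despite the commit's stated goal; use `printf '%s' "IP address [$IP]: "; read -r ANSWER` and `elif [ -e /etc/centos-release ] || [ -e /etc/redhat-release ]`. Every `read` should additionally take `-r` so backslashes in client names are not interpreted, and `[ $REMOVE = y ]` needs `"$REMOVE"` quoted since the prompt's default is to leave it empty.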