Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-05-09 18:28:23 +02:00
Code Issues Projects Releases Wiki Activity

Merge ab8a97deec607b7b74ef629c31d87a1cb36fd411 into e2d4990ae194e37fd5162168a8aac5e2d89e0e8d

Browse Source
This commit is contained in:
Aleix Quintana Alsius 2025-01-14 21:40:11 -05:00 committed by GitHub
commit 9d66027470
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 170 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

284
openvpn-install.sh
View File

@ -16,6 +16,39 @@ function tunAvailable() {
fi fi
} }
function serverChoice() {
if [[ ! "$SERVER_ID" ]]; then
SERVER_ID="server"
echo "Server name not defined using default server name"
else
# prepend 'server.' to the server_id
SERVER_ID="server.$SERVER_ID"
fi
# Get the higher subnet second octet and start from there
if [[ ! "$SERVER_SUBNET" ]]; then
if [[ ! -e /etc/openvpn/$SERVER_ID.conf ]]; then
SERVER_SUBNET=$(($(cat /etc/openvpn/server.*.conf | grep server | sed -e "s|server ||g"| cut -d . -f 2 | sort -n | tail -1) + 1))
echo "Server not defined using next +1 subnet ($SERVER_SUBNET)"
else
SERVER_SUBNET=$(cat /etc/openvpn/$SERVER_ID.conf | grep server | sed -e "s|server ||g"| cut -d . -f 2 | sort -n | tail -1)
#Server defined using used subnet
fi
fi
inrange='\b(1?[0-9]{1,2}|2[0-4][0-9]|25[0-5])\b'
if ! [[ $SERVER_SUBNET =~ $inrange ]];then
echo "Subnet second octet cannot be $SERVER_SUBNET"
return 1
fi
# if server name is not defined get the higher port and define next there
#if [[ ! -e /etc/openvpn/$SERVER_ID/$SERVER_ID.conf ]]; then
# PORT=confs/*.conf | grep port | sed -e "s|port ||g"| sort -n | tail -1
#fi
}
function checkOS() { function checkOS() {
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
@ -101,6 +134,9 @@ function initialCheck() {
echo "TUN is not available" echo "TUN is not available"
exit 1 exit 1
fi fi
if ! serverChoice;then
exit 1;
fi
checkOS checkOS
} }
@ -267,7 +303,15 @@ function installQuestions() {
echo "Unless your server is behind NAT, it should be your public IPv4 address." echo "Unless your server is behind NAT, it should be your public IPv4 address."
# Detect public IPv4 address and pre-fill for the user # Detect public IPv4 address and pre-fill for the user
IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
# First detect not private IPS
IP=$(ip -4 addr show type veth| sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | grep -vE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)' | head -1)
# If no public ip found fallback to search all including privates
if [[ -z $IP ]]; then
IP=$(ip -4 addr show type veth| sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)
fi
if [[ -z $IP ]]; then if [[ -z $IP ]]; then
# Detect public IPv6 address # Detect public IPv6 address
@ -678,7 +722,7 @@ function installOpenVPN() {
# Get the "public" interface from the default route # Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\2/p')
fi fi
# $NIC can not be empty for script rm-openvpn-rules.sh # $NIC can not be empty for script rm-openvpn-rules.sh
@ -697,7 +741,7 @@ function installOpenVPN() {
# If OpenVPN isn't installed yet, install it. This script is more-or-less # If OpenVPN isn't installed yet, install it. This script is more-or-less
# idempotent on multiple runs, but will only install OpenVPN from upstream # idempotent on multiple runs, but will only install OpenVPN from upstream
# the first time. # the first time.
if [[ ! -e /etc/openvpn/server.conf ]]; then if [[ ! -e /etc/openvpn/$SERVER_ID.conf ]]; then
if [[ $OS =~ (debian|ubuntu) ]]; then if [[ $OS =~ (debian|ubuntu) ]]; then
apt-get update apt-get update
apt-get -y install ca-certificates gnupg apt-get -y install ca-certificates gnupg
@ -738,6 +782,9 @@ function installOpenVPN() {
NOGROUP=nobody NOGROUP=nobody
fi fi
# Create the specific openvpn server directory
mkdir /etc/openvpn/$SERVER_ID
# Install the latest version of easy-rsa from source, if not already installed. # Install the latest version of easy-rsa from source, if not already installed.
if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then
local version="3.1.2" local version="3.1.2"
@ -758,9 +805,9 @@ function installOpenVPN() {
esac esac
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_CN="cn_${SERVER_ID}_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_CN" >SERVER_CN_GENERATED echo "$SERVER_CN" >SERVER_CN_GENERATED
SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_${SERVER_ID}_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
echo "$SERVER_NAME" >SERVER_NAME_GENERATED echo "$SERVER_NAME" >SERVER_NAME_GENERATED
# Create the PKI, set up the CA, the DH params and the server certificate # Create the PKI, set up the CA, the DH params and the server certificate
@ -778,11 +825,11 @@ function installOpenVPN() {
case $TLS_SIG in case $TLS_SIG in
1) 1)
# Generate tls-crypt key # Generate tls-crypt key
openvpn --genkey --secret /etc/openvpn/tls-crypt.key openvpn --genkey --secret /etc/openvpn/$SERVER_ID/tls-crypt.key
;; ;;
2) 2)
# Generate tls-auth key # Generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key openvpn --genkey --secret /etc/openvpn/$SERVER_ID/tls-auth.key
;; ;;
esac esac
else else
@ -793,20 +840,20 @@ function installOpenVPN() {
fi fi
# Move all the generated files # Move all the generated files
cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/$SERVER_ID/
if [[ $DH_TYPE == "2" ]]; then if [[ $DH_TYPE == "2" ]]; then
cp dh.pem /etc/openvpn cp dh.pem /etc/openvpn/$SERVER_ID/
fi fi
# Make cert revocation list readable for non-root # Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/$SERVER_ID/crl.pem
# Generate server.conf # Generate server.conf
echo "port $PORT" >/etc/openvpn/server.conf echo "port $PORT" >/etc/openvpn/$SERVER_ID.conf
if [[ $IPV6_SUPPORT == 'n' ]]; then if [[ $IPV6_SUPPORT == 'n' ]]; then
echo "proto $PROTOCOL" >>/etc/openvpn/server.conf echo "proto $PROTOCOL" >>/etc/openvpn/$SERVER_ID.conf
elif [[ $IPV6_SUPPORT == 'y' ]]; then elif [[ $IPV6_SUPPORT == 'y' ]]; then
echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf echo "proto ${PROTOCOL}6" >>/etc/openvpn/$SERVER_ID.conf
fi fi
echo "dev tun echo "dev tun
@ -816,8 +863,8 @@ persist-key
persist-tun persist-tun
keepalive 10 120 keepalive 10 120
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.${SERVER_SUBNET}.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf ifconfig-pool-persist $SERVER_ID/ipp.txt" >>/etc/openvpn/$SERVER_ID.conf
# DNS resolvers # DNS resolvers
case $DNS in case $DNS in
@ -833,64 +880,64 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do
# Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter # Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter
if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then
echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/$SERVER_ID.conf
fi fi
done done
;; ;;
2) # Self-hosted DNS resolver (Unbound) 2) # Self-hosted DNS resolver (Unbound)
echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf echo "push \"dhcp-option DNS 10.${SERVER_SUBNET}.0.1\"" >>/etc/openvpn/$SERVER_ID.conf
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/$SERVER_ID.conf
fi fi
;; ;;
3) # Cloudflare 3) # Cloudflare
echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
4) # Quad9 4) # Quad9
echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
5) # Quad9 uncensored 5) # Quad9 uncensored
echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
6) # FDN 6) # FDN
echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
7) # DNS.WATCH 7) # DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
8) # OpenDNS 8) # OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
9) # Google 9) # Google
echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
10) # Yandex Basic 10) # Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
11) # AdGuard DNS 11) # AdGuard DNS
echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
12) # NextDNS 12) # NextDNS
echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/$SERVER_ID.conf
echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/$SERVER_ID.conf
;; ;;
13) # Custom DNS 13) # Custom DNS
echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/$SERVER_ID.conf
if [[ $DNS2 != "" ]]; then if [[ $DNS2 != "" ]]; then
echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/$SERVER_ID.conf
fi fi
;; ;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/$SERVER_ID.conf
# IPv6 network settings if needed # IPv6 network settings if needed
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
@ -898,33 +945,33 @@ ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf
tun-ipv6 tun-ipv6
push tun-ipv6 push tun-ipv6
push "route-ipv6 2000::/3" push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf push "redirect-gateway ipv6"' >>/etc/openvpn/$SERVER_ID.conf
fi fi
if [[ $COMPRESSION_ENABLED == "y" ]]; then if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf echo "compress $COMPRESSION_ALG" >>/etc/openvpn/$SERVER_ID.conf
fi fi
if [[ $DH_TYPE == "1" ]]; then if [[ $DH_TYPE == "1" ]]; then
echo "dh none" >>/etc/openvpn/server.conf echo "dh none" >>/etc/openvpn/$SERVER_ID.conf
echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/$SERVER_ID.conf
elif [[ $DH_TYPE == "2" ]]; then elif [[ $DH_TYPE == "2" ]]; then
echo "dh dh.pem" >>/etc/openvpn/server.conf echo "dh $SERVER_ID/dh.pem" >>/etc/openvpn/$SERVER_ID.conf
fi fi
case $TLS_SIG in case $TLS_SIG in
1) 1)
echo "tls-crypt tls-crypt.key" >>/etc/openvpn/server.conf echo "tls-crypt $SERVER_ID/tls-crypt.key" >>/etc/openvpn/$SERVER_ID.conf
;; ;;
2) 2)
echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf echo "tls-auth $SERVER_ID/tls-auth.key 0" >>/etc/openvpn/$SERVER_ID.conf
;; ;;
esac esac
echo "crl-verify crl.pem echo "crl-verify $SERVER_ID/crl.pem
ca ca.crt ca $SERVER_ID/ca.crt
cert $SERVER_NAME.crt cert $SERVER_ID/$SERVER_NAME.crt
key $SERVER_NAME.key key $SERVER_ID/$SERVER_NAME.key
auth $HMAC_ALG auth $HMAC_ALG
cipher $CIPHER cipher $CIPHER
ncp-ciphers $CIPHER ncp-ciphers $CIPHER
@ -932,8 +979,8 @@ tls-server
tls-version-min 1.2 tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
client-config-dir /etc/openvpn/ccd client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log status /var/log/openvpn/$SERVER_ID.status.log
verb 3" >>/etc/openvpn/server.conf verb 3" >>/etc/openvpn/$SERVER_ID.conf
# Create client-config-dir dir # Create client-config-dir dir
mkdir -p /etc/openvpn/ccd mkdir -p /etc/openvpn/ccd
@ -968,8 +1015,8 @@ verb 3" >>/etc/openvpn/server.conf
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable openvpn-server@server systemctl enable openvpn-server@$SERVER_ID
systemctl restart openvpn-server@server systemctl restart openvpn-server@$SERVER_ID
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
# On Ubuntu 16.04, we use the package from the OpenVPN repo # On Ubuntu 16.04, we use the package from the OpenVPN repo
# This package uses a sysvinit service # This package uses a sysvinit service
@ -985,8 +1032,8 @@ verb 3" >>/etc/openvpn/server.conf
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable openvpn@server systemctl enable openvpn@$SERVER_ID
systemctl restart openvpn@server systemctl restart openvpn@$SERVER_ID
fi fi
if [[ $DNS == 2 ]]; then if [[ $DNS == 2 ]]; then
@ -998,58 +1045,58 @@ verb 3" >>/etc/openvpn/server.conf
# Script to add rules # Script to add rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -t nat -I POSTROUTING 1 -s 10.${SERVER_SUBNET}.0.0/24 -o $NIC -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules-$SERVER_ID.sh
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT
ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules-$SERVER_ID.sh
fi fi
# Script to remove rules # Script to remove rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -t nat -D POSTROUTING -s 10.${SERVER_SUBNET}.0.0/24 -o $NIC -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT
iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules-$SERVER_ID.sh
if [[ $IPV6_SUPPORT == 'y' ]]; then if [[ $IPV6_SUPPORT == 'y' ]]; then
echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE
ip6tables -D INPUT -i tun0 -j ACCEPT ip6tables -D INPUT -i tun0 -j ACCEPT
ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT
ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT
ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules-$SERVER_ID.sh
fi fi
chmod +x /etc/iptables/add-openvpn-rules.sh chmod +x /etc/iptables/add-openvpn-rules-$SERVER_ID.sh
chmod +x /etc/iptables/rm-openvpn-rules.sh chmod +x /etc/iptables/rm-openvpn-rules-$SERVER_ID.sh
# Handle the rules via a systemd script # Handle the rules via a systemd script
echo "[Unit] echo "[Unit]
Description=iptables rules for OpenVPN Description=iptables rules for $SERVER_ID OpenVPN
Before=network-online.target Before=network-online.target
Wants=network-online.target Wants=network-online.target
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/etc/iptables/add-openvpn-rules.sh ExecStart=/etc/iptables/add-openvpn-rules-$SERVER_ID.sh
ExecStop=/etc/iptables/rm-openvpn-rules.sh ExecStop=/etc/iptables/rm-openvpn-rules-$SERVER_ID.sh
RemainAfterExit=yes RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn-$SERVER_ID.service
# Enable service and apply rules # Enable service and apply rules
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables-openvpn systemctl enable iptables-openvpn-$SERVER_ID
systemctl start iptables-openvpn systemctl start iptables-openvpn-$SERVER_ID
# If the server is behind a NAT, use the correct IP address for the clients to connect to # If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ $ENDPOINT != "" ]]; then if [[ $ENDPOINT != "" ]]; then
@ -1057,12 +1104,12 @@ WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
fi fi
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" >/etc/openvpn/client-template.txt echo "client" >/etc/openvpn/$SERVER_ID/client-template.txt
if [[ $PROTOCOL == 'udp' ]]; then if [[ $PROTOCOL == 'udp' ]]; then
echo "proto udp" >>/etc/openvpn/client-template.txt echo "proto udp" >>/etc/openvpn/$SERVER_ID/client-template.txt
echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt echo "explicit-exit-notify" >>/etc/openvpn/$SERVER_ID/client-template.txt
elif [[ $PROTOCOL == 'tcp' ]]; then elif [[ $PROTOCOL == 'tcp' ]]; then
echo "proto tcp-client" >>/etc/openvpn/client-template.txt echo "proto tcp-client" >>/etc/openvpn/$SERVER_ID/client-template.txt
fi fi
echo "remote $IP $PORT echo "remote $IP $PORT
dev tun dev tun
@ -1080,10 +1127,10 @@ tls-version-min 1.2
tls-cipher $CC_CIPHER tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >>/etc/openvpn/client-template.txt verb 3" >>/etc/openvpn/$SERVER_ID/client-template.txt
if [[ $COMPRESSION_ENABLED == "y" ]]; then if [[ $COMPRESSION_ENABLED == "y" ]]; then
echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt echo "compress $COMPRESSION_ALG" >>/etc/openvpn/$SERVER_ID/client-template.txt
fi fi
# Generate the custom client.ovpn # Generate the custom client.ovpn
@ -1147,14 +1194,14 @@ function newClient() {
fi fi
# Determine if we use tls-auth or tls-crypt # Determine if we use tls-auth or tls-crypt
if grep -qs "^tls-crypt" /etc/openvpn/server.conf; then if grep -qs "^tls-crypt" /etc/openvpn/$SERVER_ID.conf; then
TLS_SIG="1" TLS_SIG="1"
elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then elif grep -qs "^tls-auth" /etc/openvpn/$SERVER_ID.conf; then
TLS_SIG="2" TLS_SIG="2"
fi fi
# Generates the custom client.ovpn # Generates the custom client.ovpn
cp /etc/openvpn/client-template.txt "$homeDir/$CLIENT.ovpn" cp /etc/openvpn/$SERVER_ID/client-template.txt "$homeDir/$CLIENT.ovpn"
{ {
echo "<ca>" echo "<ca>"
cat "/etc/openvpn/easy-rsa/pki/ca.crt" cat "/etc/openvpn/easy-rsa/pki/ca.crt"
@ -1171,13 +1218,13 @@ function newClient() {
case $TLS_SIG in case $TLS_SIG in
1) 1)
echo "<tls-crypt>" echo "<tls-crypt>"
cat /etc/openvpn/tls-crypt.key cat /etc/openvpn/$SERVER_ID/tls-crypt.key
echo "</tls-crypt>" echo "</tls-crypt>"
;; ;;
2) 2)
echo "key-direction 1" echo "key-direction 1"
echo "<tls-auth>" echo "<tls-auth>"
cat /etc/openvpn/tls-auth.key cat /etc/openvpn/$SERVER_ID/tls-auth.key
echo "</tls-auth>" echo "</tls-auth>"
;; ;;
esac esac
@ -1212,12 +1259,12 @@ function revokeClient() {
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke "$CLIENT" ./easyrsa --batch revoke "$CLIENT"
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -f /etc/openvpn/crl.pem rm -f /etc/openvpn/$SERVER_ID/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/$SERVER_ID/crl.pem
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/$SERVER_ID/crl.pem
find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
rm -f "/root/$CLIENT.ovpn" rm -f "/root/$CLIENT.ovpn"
sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt sed -i "/^$CLIENT,.*/d" /etc/openvpn/$SERVER_ID/ipp.txt
cp /etc/openvpn/easy-rsa/pki/index.txt{,.bk} cp /etc/openvpn/easy-rsa/pki/index.txt{,.bk}
echo "" echo ""
@ -1265,33 +1312,35 @@ function removeOpenVPN() {
read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ $REMOVE == 'y' ]]; then if [[ $REMOVE == 'y' ]]; then
# Get OpenVPN port from the configuration # Get OpenVPN port from the configuration
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' /etc/openvpn/${SERVER_ID}.conf | cut -d " " -f 2)
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) PROTOCOL=$(grep '^proto ' /etc/openvpn/${SERVER_ID}.conf | cut -d " " -f 2)
OTHER_SERVER_CONFS=$(ls /etc/openvpn/*.conf | grep -v $SERVER_ID.conf | wc -l)
[[ $OTHER_SERVER_CONFS -lt 1 ]] && LAST_SERVER=1
# Stop OpenVPN # Stop OpenVPN
if [[ $OS =~ (fedora|arch|centos|oracle) ]]; then if [[ $OS =~ (fedora|arch|centos|oracle) ]]; then
systemctl disable openvpn-server@server systemctl disable openvpn-server@${SERVER_ID}
systemctl stop openvpn-server@server systemctl stop openvpn-server@${SERVER_ID}
# Remove customised service # Remove customised service
rm /etc/systemd/system/openvpn-server@.service test $LAST_SERVER && rm /etc/systemd/system/openvpn-server@.service
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
systemctl disable openvpn test $LAST_SERVER && systemctl disable openvpn
systemctl stop openvpn test $LAST_SERVER && systemctl stop openvpn
else else
systemctl disable openvpn@server systemctl disable openvpn@$SERVER_ID
systemctl stop openvpn@server systemctl stop openvpn@$SERVER_ID
# Remove customised service # Remove customised service
rm /etc/systemd/system/openvpn\@.service test $LAST_SERVER && rm /etc/systemd/system/openvpn\@.service
fi fi
# Remove the iptables rules related to the script # Remove the iptables rules related to the script
systemctl stop iptables-openvpn systemctl stop iptables-openvpn-$SERVER_ID
# Cleanup # Cleanup
systemctl disable iptables-openvpn systemctl disable iptables-openvpn-$SERVER_ID
rm /etc/systemd/system/iptables-openvpn.service rm /etc/systemd/system/iptables-openvpn-$SERVER_ID.service
systemctl daemon-reload systemctl daemon-reload
rm /etc/iptables/add-openvpn-rules.sh rm /etc/iptables/add-openvpn-rules-$SERVER_ID.sh
rm /etc/iptables/rm-openvpn-rules.sh rm /etc/iptables/rm-openvpn-rules-$SERVER_ID.sh
# SELinux # SELinux
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
@ -1302,34 +1351,37 @@ function removeOpenVPN() {
fi fi
fi fi
if [[ $OS =~ (debian|ubuntu) ]]; then if [[ $OS =~ (debian|ubuntu) && $LAST_SERVER ]]; then
apt-get remove --purge -y openvpn apt-get remove --purge -y openvpn
if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
rm /etc/apt/sources.list.d/openvpn.list rm /etc/apt/sources.list.d/openvpn.list
apt-get update apt-get update
fi fi
elif [[ $OS == 'arch' ]]; then elif [[ $OS == 'arch' && $LAST_SERVER ]]; then
pacman --noconfirm -R openvpn pacman --noconfirm -R openvpn
elif [[ $OS =~ (centos|amzn|oracle) ]]; then elif [[ $OS =~ (centos|amzn|oracle) && $LAST_SERVER ]]; then
yum remove -y openvpn yum remove -y openvpn
elif [[ $OS == 'fedora' ]]; then elif [[ $OS == 'fedora' && $LAST_SERVER ]]; then
dnf remove -y openvpn dnf remove -y openvpn
fi fi
# Cleanup # Cleanup
find /home/ -maxdepth 2 -name "*.ovpn" -delete find /home/ -maxdepth 2 -name "*.ovpn" -delete
find /root/ -maxdepth 1 -name "*.ovpn" -delete find /root/ -maxdepth 1 -name "*.ovpn" -delete
rm -rf /etc/openvpn rm /etc/openvpn/$SERVER_ID.conf
rm -rf /usr/share/doc/openvpn* rm -rf /etc/openvpn/$SERVER_ID
rm -f /etc/sysctl.d/99-openvpn.conf test $LAST_SERVER && rm -rf /etc/openvpn
rm -rf /var/log/openvpn test $LAST_SERVER && rm -rf /usr/share/doc/openvpn*
test $LAST_SERVER && rm -f /etc/sysctl.d/99-openvpn.conf
test $LAST_SERVER && rm -rf /var/log/openvpn
# Unbound # Unbound
if [[ -e /etc/unbound/openvpn.conf ]]; then if [[ -e /etc/unbound/openvpn.conf ]]; then
removeUnbound test $LAST_SERVER && removeUnbound
fi fi
echo "" echo ""
echo "OpenVPN removed!" echo "OpenVPN $SERVER_ID removed!"
test $LAST_SERVER || echo "There are others openvpn servers configured so not cleaning all openvpn yet"
else else
echo "" echo ""
echo "Removal aborted!" echo "Removal aborted!"
@ -1340,7 +1392,10 @@ function manageMenu() {
echo "Welcome to OpenVPN-install!" echo "Welcome to OpenVPN-install!"
echo "The git repository is available at: https://github.com/angristan/openvpn-install" echo "The git repository is available at: https://github.com/angristan/openvpn-install"
echo "" echo ""
echo "It looks like OpenVPN is already installed." echo "It looks like OpenVPN $SERVER_ID is already installed."
echo ""
echo "(if you want to add or administer another server add \$SERVER_ID to your"
echo "environment)"
echo "" echo ""
echo "What do you want to do?" echo "What do you want to do?"
echo " 1) Add a new user" echo " 1) Add a new user"
@ -1367,11 +1422,12 @@ function manageMenu() {
esac esac
} }
# Check for root, TUN, OS... # Check for root, TUN, OS...
initialCheck initialCheck
# Check if OpenVPN is already installed # Check if OpenVPN is already installed
if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then if [[ -e /etc/openvpn/$SERVER_ID.conf && $AUTO_INSTALL != "y" ]]; then
manageMenu manageMenu
else else
installOpenVPN installOpenVPN