Adjust indents + change iptables.service

This commit is contained in:
DrXala 2017-07-20 17:12:40 +02:00
parent 8f28593112
commit b5c624eb76


@ -23,7 +23,7 @@ if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
# Getting the version number, to verify that a recent version of OpenVPN is available # Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
IPTABLES='/etc/iptables/iptables.rules' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported." echo "Your version of Debian/Ubuntu is not supported."
@ -42,11 +42,11 @@ if [[ -e /etc/debian_version ]]; then
fi fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos OS=centos
IPTABLES='/etc/iptables/iptables.rules' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
elif [[ -e /etc/arch-release ]]; then elif [[ -e /etc/arch-release ]]; then
OS=arch OS=arch
IPTABLES='/etc/iptables/iptables.rules' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.d/openvpn.conf' SYSCTL='/etc/sysctl.d/openvpn.conf'
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
@ -152,16 +152,16 @@ if [[ -e /etc/openvpn/server.conf ]]; then
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then if iptables -L -n | grep -qE 'REJECT|DROP'; then
if [[ "$PROTOCOL" = 'udp' ]]; then if [[ "$PROTOCOL" = 'udp' ]]; then
iptables -D INPUT -p udp --dport $PORT -j ACCEPT iptables -D INPUT -p udp --dport $PORT -j ACCEPT
else else
iptables -D INPUT -p tcp --dport $PORT -j ACCEPT iptables -D INPUT -p tcp --dport $PORT -j ACCEPT
fi fi
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
iptables-save > $IPTABLES iptables-save > $IPTABLES
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then if [[ "$PORT" != '1194' ]]; then
@ -341,11 +341,11 @@ else
# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository. # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
# The we install OpenVPN # The we install OpenVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y apt-get install openvpn iptables openssl wget ca-certificates curl -y
# Install iptables service # Install iptables service
if [[ ! -e /etc/systemd/system/iptables.service ]]; then if [[ ! -e /etc/systemd/system/iptables.service ]]; then
mkdir /etc/iptables mkdir /etc/iptables
iptables-save > /etc/iptables/iptables.rules iptables-save > /etc/iptables/iptables.rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -F iptables -F
iptables -X iptables -X
iptables -t nat -F iptables -t nat -F
@ -355,12 +355,12 @@ iptables -t mangle -X
iptables -P INPUT ACCEPT iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
chmod +x /etc/iptables/flush-iptables.sh chmod +x /etc/iptables/flush-iptables.sh
echo "[Unit] echo "[Unit]
Description=Packet Filtering Framework Description=Packet Filtering Framework
DefaultDependencies=no DefaultDependencies=no
After=systemd-sysctl.service Before=network-pre.target
Before=sysinit.target Wants=network-pre.target
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
@ -369,17 +369,17 @@ ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables.service systemctl enable iptables.service
fi fi
elif [[ "$OS" = 'centos' ]]; then elif [[ "$OS" = 'centos' ]]; then
yum install epel-release -y yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y yum install openvpn iptables openssl wget ca-certificates curl -y
# Install iptables service # Install iptables service
if [[ ! -e /etc/systemd/system/iptables.service ]]; then if [[ ! -e /etc/systemd/system/iptables.service ]]; then
mkdir /etc/iptables mkdir /etc/iptables
iptables-save > /etc/iptables/iptables.rules iptables-save > /etc/iptables/iptables.rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -F iptables -F
iptables -X iptables -X
iptables -t nat -F iptables -t nat -F
@ -389,12 +389,12 @@ iptables -t mangle -X
iptables -P INPUT ACCEPT iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
chmod +x /etc/iptables/flush-iptables.sh chmod +x /etc/iptables/flush-iptables.sh
echo "[Unit] echo "[Unit]
Description=Packet Filtering Framework Description=Packet Filtering Framework
DefaultDependencies=no DefaultDependencies=no
After=systemd-sysctl.service Before=network-pre.target
Before=sysinit.target Wants=network-pre.target
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
@ -403,9 +403,9 @@ ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables.service systemctl enable iptables.service
fi fi
else else
# Else, the distro is ArchLinux # Else, the distro is ArchLinux
echo "" echo ""
@ -423,19 +423,19 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
fi fi
if [[ "$OS" = 'arch' ]]; then if [[ "$OS" = 'arch' ]]; then
# Install dependencies # Install dependencies
pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist
systemctl daemon-reload systemctl daemon-reload
systemctl enable iptables systemctl enable iptables
systemctl start iptables systemctl start iptables
fi fi
fi fi
# Find out if the machine uses nogroup or nobody for the permissionless group # Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup NOGROUP=nogroup
else else
NOGROUP=nobody NOGROUP=nobody
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
@ -539,8 +539,8 @@ verb 3" >> /etc/openvpn/server.conf
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
# Save persitent iptables rules # Save persitent iptables rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
if pgrep firewalld; then if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with # We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to # the default port. Using both permanent and not permanent rules to
@ -566,8 +566,8 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save persitent OpenVPN rules # Save persitent OpenVPN rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
@ -627,10 +627,10 @@ verb 3" >> /etc/openvpn/server.conf
echo "" echo ""
echo "Looks like your server is behind a NAT!" echo "Looks like your server is behind a NAT!"
echo "" echo ""
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router)," echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
echo "then I need to know the address that can be used to access it from outside." echo "then I need to know the address that can be used to access it from outside."
echo "If that's not the case, just ignore this and leave the next field blank" echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP or domain name: " -e USEREXTERNALIP read -p "External IP or domain name: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP IP=$USEREXTERNALIP
fi fi
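Review bot: The iptables.service unit text is written twice, once in the Debian/Ubuntu branch (hunk at -355,12) and once in the CentOS branch (hunk at -389,12), and this commit has to apply the identical two-line ordering change to both copies; a single function that emits the flush script and the unit via one quoted heredoc would remove the duplication and stop the two firewall units from drifting apart on the next edit. The new `Before=network-pre.target` / `Wants=network-pre.target` pair is the documented way to get rules restored before interfaces come up, which is the right ordering for a firewall unit, and it relies on the `DefaultDependencies=no` line just above it, so a short comment there, e.g. `# DefaultDependencies=no is required for Before=network-pre.target to take effect`, would stop someone removing it later. The `ExecStop=/etc/iptables/flush-iptables.sh` line at the head of the following hunk means any `systemctl stop iptables` flushes every table and resets the policies to ACCEPT, leaving the host unfiltered until the next start; that is presumably intended for a VPN box but is worth stating in a comment next to the `ExecStop=` line so it is not mistaken for a no-op. The enclosing `if [[ ! -e /etc/systemd/system/iptables.service ]]` block starts and ends outside the hunk.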