Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-03-14 14:43:13 +01:00
Code Issues Projects Releases Wiki Activity

Update openvpn-install.sh

Browse Source
This commit is contained in:
CarlosMarques420 2022-08-11 04:35:30 +01:00 committed by GitHub
parent deb5867979
commit f72f5e35fd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 141 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
openvpn-install.sh
View File

@ -1,13 +1,15 @@
#!/bin/bash #!/bin/bash
# shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009 # shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Oracle Linux 8, Arch Linux, Rocky Linux and AlmaLinux. #If you're using OpenWrt you'll probably need to install the coreutils-fold and bash packages. Don't forget to run this as "bash openvpn-install.sh"
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Oracle Linux 8, Arch Linux, Rocky Linux and AlmaLinux(and now OpenWrt!!).
# https://github.com/angristan/openvpn-install # https://github.com/angristan/openvpn-install
function isRoot() { function isRoot() {
if [ "$EUID" -ne 0 ]; then if [ "$EUID" -ne 0 ]; then
return 1 return 1
fi fi
} }
function tunAvailable() { function tunAvailable() {
@ -17,7 +19,13 @@ function tunAvailable() {
} }
function checkOS() { function checkOS() {
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/os-release ]]; then
source /etc/os-release
if [[ $ID == "openwrt" ]]; then
echo "Running on OpenWrt. Compatibility is still in beta phase. Please report any bug. Thank you"
OS="openwrt"
fi
elif [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
source /etc/os-release source /etc/os-release
@ -50,7 +58,7 @@ function checkOS() {
fi fi
fi fi
fi fi
elif [[ -e /etc/system-release ]]; then elif [[ -e /etc/system-release ]]; then
source /etc/os-release source /etc/os-release
if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then
OS="fedora" OS="fedora"
@ -84,10 +92,11 @@ function checkOS() {
exit 1 exit 1
fi fi
fi fi
elif [[ -e /etc/arch-release ]]; then elif [[ -e /etc/arch-release ]]; then
OS=arch OS=arch
else else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2, Oracle Linux 8 or Arch Linux system" echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2, Oracle Linux 8, Arch Linux or OpenWrt system"
exit 1 exit 1
fi fi
} }
@ -166,6 +175,32 @@ prefetch: yes' >>/etc/unbound/unbound.conf
hide-version: yes hide-version: yes
qname-minimisation: yes qname-minimisation: yes
prefetch: yes' >/etc/unbound/unbound.conf prefetch: yes' >/etc/unbound/unbound.conf
elif [[ $OS == "openwrt" ]]; then
opkg -V[0] install luci-app-unbound
if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
mv /etc/unbound/unbound.conf /etc/unbound/unbound.conf.old
fi
echo 'server:
use-syslog: yes
do-daemonize: no
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
root-hints: root.hints
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
port: 53
num-threads: 2
use-caps-for-id: yes
harden-glue: yes
hide-identity: yes
hide-version: yes
qname-minimisation: yes
prefetch: yes' >/etc/unbound/unbound.conf
fi fi
# IPv6 DNS for all OS # IPv6 DNS for all OS
@ -212,8 +247,15 @@ access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
fi fi
fi fi
systemctl enable unbound if [[ $OS == "openwrt" ]]; then
systemctl restart unbound /etc/init.d/unbound enable
/etc/init.d/unbound start
/etc/init.d/unbound restart
else
systemctl enable unbound
systemctl restart unbound
fi
} }
function installQuestions() { function installQuestions() {
@ -238,7 +280,7 @@ function installQuestions() {
if [[ $APPROVE_IP =~ n ]]; then if [[ $APPROVE_IP =~ n ]]; then
read -rp "IP address: " -e -i "$IP" IP read -rp "IP address: " -e -i "$IP" IP
fi fi
# If $IP is a private IP address, the server must be behind NAT # If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo "" echo ""
echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?" echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
@ -638,7 +680,7 @@ function installOpenVPN() {
installQuestions installQuestions
# Get the "public" interface from the default route # Get the "public" interface from the default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) NIC=$(ip -4 route | grep default | awk '{print $5}' | head -1) #removed ls option from ip command and switched from grep to awk to be compatible with openwrt
if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then
NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p')
fi fi
@ -686,6 +728,11 @@ function installOpenVPN() {
elif [[ $OS == 'arch' ]]; then elif [[ $OS == 'arch' ]]; then
# Install required dependencies and upgrade the system # Install required dependencies and upgrade the system
pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl
elif [[ $OS == 'openwrt' ]]; then
echo "Updating the repository..."
opkg -V[0] update
echo "Installing the necessary packages..."
opkg -V[0] install openvpn-openssl iptables wget ca-certificates curl coreutils-fold
fi fi
# An old version of easy-rsa was available by default in some openvpn packages # An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then if [[ -d /etc/openvpn/easy-rsa/ ]]; then
@ -701,11 +748,17 @@ function installOpenVPN() {
fi fi
# Install the latest version of easy-rsa from source, if not already installed. # Install the latest version of easy-rsa from source, if not already installed.
if [[ ! -d /etc/openvpn/easy-rsa/ ]]; then if [[ ! -f /etc/openvpn/easy-rsa/easyrsa ]]; then
local version="3.0.7" local version="3.0.7"
wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz
mkdir -p /etc/openvpn/easy-rsa mkdir -p /etc/openvpn/easy-rsa
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa if [[ $OS == 'openwrt' ]]; then
tar xzf ~/easy-rsa.tgz
mv ~/EasyRSA-${version}/* /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-${version}
else
tar xzf ~/easy-rsa.tgz --strip-components=1 --directory /etc/openvpn/easy-rsa
fi
rm -f ~/easy-rsa.tgz rm -f ~/easy-rsa.tgz
cd /etc/openvpn/easy-rsa/ || return cd /etc/openvpn/easy-rsa/ || return
@ -910,7 +963,11 @@ verb 3" >>/etc/openvpn/server.conf
echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf
fi fi
# Apply sysctl rules # Apply sysctl rules
sysctl --system if [[ $OS == "openwrt" ]]; then
sysctl -w
else
sysctl --system
fi
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
@ -939,6 +996,10 @@ verb 3" >>/etc/openvpn/server.conf
# This package uses a sysvinit service # This package uses a sysvinit service
systemctl enable openvpn systemctl enable openvpn
systemctl start openvpn systemctl start openvpn
elif [[ $OS == "openwrt" ]]; then
/etc/init.d/openvpn enable
/etc/init.d/openvpn restart
/etc/init.d/openvpn start
else else
# Don't modify package-provided service # Don't modify package-provided service
cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service
@ -957,10 +1018,26 @@ verb 3" >>/etc/openvpn/server.conf
installUnbound installUnbound
fi fi
# Script to add rules
if [[ $OS == "openwrt" ]]; then
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.device="tun+"
uci add_list firewall.lan.device="tun+"
uci set firewall.ovpn="rule"
uci set firewall.ovpn.name="Allow-OpenVPN"
uci set firewall.ovpn.src="wan"
uci set firewall.ovpn.dest_port="${PORT}"
uci set firewall.ovpn.proto="${PROTOCOL}"
uci set firewall.ovpn.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
else
# Add iptables rules in two scripts # Add iptables rules in two scripts
mkdir -p /etc/iptables mkdir -p /etc/iptables
# Script to add rules
echo "#!/bin/sh echo "#!/bin/sh
iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT iptables -I INPUT 1 -i tun0 -j ACCEPT
@ -1009,11 +1086,19 @@ RemainAfterExit=yes
[Install] [Install]
WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service
fi
# Enable service and apply rules # Enable service and apply rules
systemctl daemon-reload if [[ $OS == "openwrt" ]]; then
systemctl enable iptables-openvpn fw3 reload
systemctl start iptables-openvpn /etc/init.d/firewall enable
/etc/init.d/firewall start
else
systemctl daemon-reload
systemctl enable iptables-openvpn
systemctl start iptables-openvpn
fi
# If the server is behind a NAT, use the correct IP address for the clients to connect to # If the server is behind a NAT, use the correct IP address for the clients to connect to
if [[ $ENDPOINT != "" ]]; then if [[ $ENDPOINT != "" ]]; then
@ -1200,17 +1285,22 @@ function removeUnbound() {
done done
if [[ $REMOVE_UNBOUND == 'y' ]]; then if [[ $REMOVE_UNBOUND == 'y' ]]; then
# Stop Unbound
systemctl stop unbound
if [[ $OS =~ (debian|ubuntu) ]]; then # Stop Unbound
apt-get remove --purge -y unbound if [[ $OS == 'openwrt' ]]; then
elif [[ $OS == 'arch' ]]; then /etc/init.d/unbound stop
pacman --noconfirm -R unbound opkg -V[0] remove unbound
elif [[ $OS =~ (centos|amzn|oracle) ]]; then else
yum remove -y unbound systemctl stop unbound
elif [[ $OS == 'fedora' ]]; then if [[ $OS =~ (debian|ubuntu) ]]; then
dnf remove -y unbound apt-get remove --purge -y unbound
elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R unbound
elif [[ $OS =~ (centos|amzn|oracle) ]]; then
yum remove -y unbound
elif [[ $OS == 'fedora' ]]; then
dnf remove -y unbound
fi
fi fi
rm -rf /etc/unbound/ rm -rf /etc/unbound/
@ -1218,7 +1308,7 @@ function removeUnbound() {
echo "" echo ""
echo "Unbound removed!" echo "Unbound removed!"
else else
systemctl restart unbound
echo "" echo ""
echo "Unbound wasn't removed." echo "Unbound wasn't removed."
fi fi
@ -1241,6 +1331,9 @@ function removeOpenVPN() {
elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
systemctl disable openvpn systemctl disable openvpn
systemctl stop openvpn systemctl stop openvpn
elif [[ $OS == "openwrt" ]]; then
/etc/init.d/openvpn disable
/etc/init.d/openvpn stop
else else
systemctl disable openvpn@server systemctl disable openvpn@server
systemctl stop openvpn@server systemctl stop openvpn@server
@ -1249,13 +1342,21 @@ function removeOpenVPN() {
fi fi
# Remove the iptables rules related to the script # Remove the iptables rules related to the script
systemctl stop iptables-openvpn if [[ $OS == "openwrt" ]]; then
# Cleanup uci delete firewall.ovpn
systemctl disable iptables-openvpn uci commit firewall
rm /etc/systemd/system/iptables-openvpn.service fw3 reload
systemctl daemon-reload /etc/init.d/firewall restart
rm /etc/iptables/add-openvpn-rules.sh
rm /etc/iptables/rm-openvpn-rules.sh else
systemctl stop iptables-openvpn
# Cleanup
systemctl disable iptables-openvpn
rm /etc/systemd/system/iptables-openvpn.service
systemctl daemon-reload
rm /etc/iptables/add-openvpn-rules.sh
rm /etc/iptables/rm-openvpn-rules.sh
fi
# SELinux # SELinux
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
@ -1272,6 +1373,8 @@ function removeOpenVPN() {
rm /etc/apt/sources.list.d/openvpn.list rm /etc/apt/sources.list.d/openvpn.list
apt-get update apt-get update
fi fi
elif [[ $OS == 'openwrt' ]]; then
opkg -V[0] remove openvpn-openssl
elif [[ $OS == 'arch' ]]; then elif [[ $OS == 'arch' ]]; then
pacman --noconfirm -R openvpn pacman --noconfirm -R openvpn
elif [[ $OS =~ (centos|amzn|oracle) ]]; then elif [[ $OS =~ (centos|amzn|oracle) ]]; then
@ -1281,8 +1384,9 @@ function removeOpenVPN() {
fi fi
# Cleanup # Cleanup
find /home/ -maxdepth 2 -name "*.ovpn" -delete #slight change to the find commando for it to be compatible with openwrt
find /root/ -maxdepth 1 -name "*.ovpn" -delete find /home/ -maxdepth 2 -name "*.ovpn" -exec rm -rf {} \;
find /root/ -maxdepth 1 -name "*.ovpn" -exec rm -rf {} \;
rm -rf /etc/openvpn rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn* rm -rf /usr/share/doc/openvpn*
rm -f /etc/sysctl.d/99-openvpn.conf rm -f /etc/sysctl.d/99-openvpn.conf