#!/bin/bash
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
# https://github.com/Angristan/OpenVPN-install
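# ---------------------------------------------------------------------------
# Preflight checks: root privileges, TUN device, supported distribution.
# Sets the globals the rest of the script relies on:
#   OS         "debian" or "centos"
#   VERSION_ID the full 'VERSION_ID="x"' line of /etc/os-release (Debian
#              family only; compared verbatim, quotes included, below and
#              later in the script)
#   RCLOCAL    path of the rc.local file that receives the firewall rules
# Exit codes: 1 not root, 2 no TUN, 3 CentOS 5, 4 unsupported/declined OS.
# ---------------------------------------------------------------------------
if [[ "$EUID" -ne 0 ]]; then
  echo "Sorry, you need to run this as root"
  exit 1
fi
if [[ ! -e /dev/net/tun ]]; then
  echo "TUN is not available"
  exit 2
fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
  echo "CentOS 5 is too old and not supported"
  exit 3
fi
if [[ -e /etc/debian_version ]]; then
  OS="debian"
  # Getting the version number, to verify that a recent version of OpenVPN is
  # available. Anchored on the key so that only the VERSION_ID line matches.
  VERSION_ID=$(grep '^VERSION_ID=' /etc/os-release)
  RCLOCAL='/etc/rc.local'
  case "$VERSION_ID" in
    'VERSION_ID="7"'|'VERSION_ID="8"'|'VERSION_ID="12.04"'|'VERSION_ID="14.04"'|'VERSION_ID="16.04"'|'VERSION_ID="16.10"')
      # Releases for which an OpenVPN 2.4 package is known to be available.
      ;;
    *)
      echo "Your version of Debian/Ubuntu is not supported."
      echo "I can't install OpenVPN 2.4 on your system."
      echo ""
      echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
      echo "then you can continue, this version of OpenVPN is available on these."
      echo "Keep in mind these releases are not supported, though."
      CONTINUE=""
      while [[ "$CONTINUE" != "y" && "$CONTINUE" != "n" ]]; do
        read -r -p "Continue ? [y/n]: " -e CONTINUE
      done
      if [[ "$CONTINUE" = "n" ]]; then
        echo "Ok, bye !"
        exit 4
      fi
      ;;
  esac
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
  OS=centos
  RCLOCAL='/etc/rc.d/rc.local'
  # Needed for CentOS 7
  chmod +x /etc/rc.d/rc.local
else
  echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system"
  exit 4
fi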
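#######################################
# Generates the custom client.ovpn: the client template followed by the CA
# certificate, the client certificate, the client private key and the
# tls-crypt key, separated by blank lines, written to ~/NAME.ovpn.
# Globals:   HOME (read)
#            OPENVPN_DIR (read, optional) - base directory, defaults to
#            /etc/openvpn so existing callers are unaffected
# Arguments: $1 - client name, one word without '/' or whitespace. It is
#            used as a file name both under the PKI and in $HOME, so a value
#            such as "../x" is refused instead of being written outside HOME.
# Outputs:   ~/NAME.ovpn, mode 600 because it embeds the client private key
# Returns:   0 on success, 1 on a bad name or an unreadable input file
#######################################
newclient () {
  local name=$1
  local base=${OPENVPN_DIR:-/etc/openvpn}
  local pki=$base/easy-rsa/pki
  local out=$HOME/$name.ovpn
  local part
  if [[ -z "$name" || "$name" == */* || "$name" == *[[:space:]]* ]]; then
    printf 'newclient: invalid client name: %s\n' "$name" >&2
    return 1
  fi
  # Fail before writing anything: a missing piece would otherwise yield a
  # silently broken profile.
  for part in "$base/client-template.txt" "$pki/ca.crt" \
              "$pki/issued/$name.crt" "$pki/private/$name.key" \
              "$base/tls-crypt.key"; do
    if [[ ! -r "$part" ]]; then
      printf 'newclient: cannot read %s\n' "$part" >&2
      return 1
    fi
  done
  # Same byte layout as the former cp/echo/cat sequence, in one redirection.
  {
    cat "$base/client-template.txt"
    echo ""
    cat "$pki/ca.crt"
    echo ""
    echo ""
    cat "$pki/issued/$name.crt"
    echo ""
    echo ""
    cat "$pki/private/$name.key"
    echo ""
    echo ""
    cat "$base/tls-crypt.key"
    echo ""
  } > "$out"
  chmod 600 "$out"
}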
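# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
# and to avoid getting an IPv6.
# First IPv4 address (without prefix length) on any interface that is not a
# loopback 127.x address; "ip -4 -o" puts the address in the 4th field.
IP=$(ip -4 -o addr | awk '$4 !~ /^127\./ { sub(/\/.*/, "", $4); print $4; exit }')
if [[ "$IP" = "" ]]; then
  # Remote answer over TLS; it is only the default offered at the
  # interactive "IP address" prompt below and can be edited there.
  IP=$(wget -qO- https://ipv4.icanhazip.com)
fi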
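# ---------------------------------------------------------------------------
# Helpers for the management menu and the installer below.
# ---------------------------------------------------------------------------

# Prints a message to stderr and aborts the script with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Sets "KEY=VALUE" in /etc/sysctl.conf: an existing assignment of KEY is
# replaced in place, otherwise the line is appended. The keys used here only
# contain letters, digits, '_' and '.', so '|' is a safe sed delimiter and an
# unescaped '.' merely matches itself.
set_sysctl() {
  local key=$1 value=$2
  if grep -q "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" /etc/sysctl.conf
  else
    echo "${key}=${value}" >> /etc/sysctl.conf
  fi
}

# Returns 0 when $1 is a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
  local ip=$1 octet
  local -a octets
  local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  [[ "$ip" =~ $re ]] || return 1
  IFS=. read -r -a octets <<< "$ip"
  for octet in "${octets[@]}"; do
    # 10# forces decimal so "08" is not rejected as a bad octal number
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

# Returns 0 when $1 is a port number in 1-65535.
is_port() {
  [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

# Returns 0 when $1 is an acceptable client name: one word made of letters,
# digits, '-' and '_'. The name becomes file names under the PKI and in the
# home directory and is passed to easyrsa, rm and sed, so path separators,
# whitespace and shell/regex metacharacters are refused.
is_client_name() {
  [[ "$1" =~ ^[A-Za-z0-9_-]+$ ]]
}

if [[ -e /etc/openvpn/server.conf ]]; then
  # -------------------------------------------------------------------------
  # Management menu for an existing installation.
  # -------------------------------------------------------------------------
  while :; do
    clear
    echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
    echo ""
    echo "Looks like OpenVPN is already installed"
    echo ""
    echo "What do you want to do?"
    echo " 1) Add a cert for a new user"
    echo " 2) Revoke existing user cert"
    echo " 3) Remove OpenVPN"
    echo " 4) Exit"
    read -r -p "Select an option [1-4]: " option
    case "$option" in
      1)
        echo ""
        echo "Tell me a name for the client cert"
        echo "Please, use one word only, no special characters"
        CLIENT=""
        until is_client_name "$CLIENT"; do
          read -r -p "Client name: " -e -i client CLIENT
        done
        # Do not touch an existing certificate/key pair of the same name.
        if [[ -e "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt" ]]; then
          die "A certificate named '$CLIENT' already exists"
        fi
        cd /etc/openvpn/easy-rsa/ || die "Cannot cd to /etc/openvpn/easy-rsa/"
        # A failed build must not be followed by writing a half-empty .ovpn
        ./easyrsa build-client-full "$CLIENT" nopass || die "easyrsa failed to build the client certificate"
        # Generates the custom client.ovpn
        newclient "$CLIENT"
        echo ""
        echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
        exit
        ;;
      2)
        INDEX=/etc/openvpn/easy-rsa/pki/index.txt
        NUMBEROFCLIENTS=$(tail -n +2 "$INDEX" | grep -c "^V")
        if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
          echo ""
          echo "You have no existing clients!"
          exit 5
        fi
        echo ""
        echo "Select the existing client certificate you want to revoke"
        tail -n +2 "$INDEX" | grep "^V" | cut -d '=' -f 2 | nl -s ') '
        # The answer is used as a sed line address: accept only an integer
        # inside [1, NUMBEROFCLIENTS], otherwise ask again.
        CLIENTNUMBER=""
        until [[ "$CLIENTNUMBER" =~ ^[0-9]+$ ]] && (( 10#$CLIENTNUMBER >= 1 && 10#$CLIENTNUMBER <= NUMBEROFCLIENTS )); do
          if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
            read -r -p "Select one client [1]: " CLIENTNUMBER
          else
            read -r -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
          fi
        done
        CLIENT=$(tail -n +2 "$INDEX" | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER}p")
        # index.txt is root-owned, but the name is still used to build paths
        # under pki/ for rm: refuse anything that could leave that directory.
        if [[ -z "$CLIENT" || "$CLIENT" == */* ]]; then
          die "Unexpected client name in $INDEX: '$CLIENT'"
        fi
        cd /etc/openvpn/easy-rsa/ || die "Cannot cd to /etc/openvpn/easy-rsa/"
        ./easyrsa --batch revoke "$CLIENT"
        ./easyrsa gen-crl
        rm -f -- "pki/reqs/$CLIENT.req" "pki/private/$CLIENT.key" "pki/issued/$CLIENT.crt"
        rm -f /etc/openvpn/crl.pem
        cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
        # The install step makes the CRL readable for the unprivileged openvpn
        # process; the regenerated one needs the same treatment or crl-verify
        # fails once the daemon drops privileges.
        chmod 644 /etc/openvpn/crl.pem
        echo ""
        echo "Certificate for client $CLIENT revoked"
        echo "Exiting..."
        exit
        ;;
      3)
        echo ""
        read -r -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
        if [[ "$REMOVE" = 'y' ]]; then
          PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
          is_port "$PORT" || die "Cannot read a valid port from /etc/openvpn/server.conf"
          # The install step writes "proto udp" or "proto tcp"; read it back
          # so a TCP install gets its firewall and SELinux entries removed
          # too (previously only the udp ones were ever removed).
          PROTO=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
          PROTO=${PROTO:-udp}
          if pgrep firewalld >/dev/null; then
            # Using both permanent and not permanent rules to avoid a firewalld reload.
            firewall-cmd --zone=public --remove-port="$PORT/$PROTO"
            firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
            firewall-cmd --permanent --zone=public --remove-port="$PORT/$PROTO"
            firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
          fi
          if iptables -L -n | grep -qE 'REJECT|DROP'; then
            sed -i "/iptables -I INPUT -p $PROTO --dport $PORT -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
          fi
          sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' "$RCLOCAL"
          # Remove ip6tables
          sed -i "/ip6tables -I FORWARD -i tun+ -j ACCEPT/d" "$RCLOCAL"
          sed -i "/ip6tables -I FORWARD -o tun+ -j ACCEPT/d" "$RCLOCAL"
          sed -i "/ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::\/64 -j SNAT --to /d" "$RCLOCAL"
          if hash sestatus 2>/dev/null; then
            if sestatus | grep "Current mode" | grep -qs "enforcing"; then
              if [[ "$PORT" != '1194' ]]; then
                semanage port -d -t openvpn_port_t -p "$PROTO" "$PORT"
              fi
            fi
          fi
          if [[ "$OS" = 'debian' ]]; then
            apt-get remove --purge -y openvpn openvpn-blacklist
            if [[ -e /etc/npd6.conf ]]; then
              dpkg -P npd6
              rm -f /etc/npd6.conf
            fi
          else
            yum remove openvpn -y
          fi
          rm -rf /etc/openvpn
          rm -rf /usr/share/doc/openvpn*
          echo ""
          echo "OpenVPN removed!"
        else
          echo ""
          echo "Removal aborted!"
        fi
        exit
        ;;
      4) exit;;
    esac
  done
else
  # -------------------------------------------------------------------------
  # Fresh installation: questions, packages, PKI, server.conf, firewall.
  # -------------------------------------------------------------------------
  clear
  echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
  echo ""
  # OpenVPN setup and first user creation
  echo "I need to ask you a few questions before starting the setup"
  echo "You can leave the default options and just press enter if you are ok with them"
  echo ""
  echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
  echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
  echo "Otherwise, it should be your public IPv4 address."
  # The address ends up in an iptables SNAT rule and in a sed edit of
  # rc.local, so only a dotted quad is accepted. The default is quoted: an
  # empty detection result would otherwise make "IP" the -i default text and
  # leave read without a target variable.
  DEFAULT_IP=$IP
  IP=""
  until is_ipv4 "$IP"; do
    read -r -p "IP address: " -e -i "$DEFAULT_IP" IP
  done
  # NOTE(review): the distribution guard that used to wrap this IPv6 menu
  # compared VERSION_ID with '!=' against two different values and was
  # therefore always true, so the menu was shown on every system. That
  # behaviour is kept; confirm whether it was meant to be Debian/Ubuntu-only.
  echo ""
  echo "I can add IPv6 support inside the tunnel but in order for it to work you need to have either:"
  echo ""
  echo " - At least 1 IPv6 address on main interface + a different subnet (/112 or bigger) routed to it."
  echo " OR"
  echo " - 1 subnet to use on the main interface. Needs to be bigger than /112 as OpenVPN needs at least a /112 for itself."
  echo " Does NOT work on Debian 7"
  echo " OR"
  echo " - At least 1 single IPv6 address on the main interface and ip6tables with NAT support."
  echo " Minimum kernel 3.9.0 and ip6tables 1.4.18 required."
  echo ""
  echo "Do you want to add IPv6 support?"
  echo " 1) Yes, i have a routed subnet."
  echo " 2) Yes, i have a subnet on the main interface."
  echo " 3) Yes, i have a single IPv6 and ip6tables with NAT."
  echo " 4) No, i dont want IPv6 support."
  IPv6TYPE=""
  while [[ "$IPv6TYPE" != "1" && "$IPv6TYPE" != "2" && "$IPv6TYPE" != "3" && "$IPv6TYPE" != "4" ]]; do
    read -r -p "IPv6 [1-4]: " -e -i 4 IPv6TYPE
    if [[ "$IPv6TYPE" = "2" && "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
      echo "This option does not work with Debian 7, we continue without IPv6 support..."
      IPv6TYPE="4"
      read -n1 -r -p "Press any key to continue..."
    fi
  done
  if [[ "$IPv6TYPE" != "4" ]]; then
    if [[ "$IPv6TYPE" = "1" || "$IPv6TYPE" = "2" ]]; then
      echo ""
      echo "What is the IPv6 subnet and netmask you want to use (between /64 and /112)?"
      echo "Needs to be in the format of eg. AAAA:BBBB:CCCC:DDDD::/64"
      # The value is written to server.conf and, for option 2, fed to npd6,
      # so require an address/prefix-length shape with the prefix length in
      # the 64-112 range the prompt asks for.
      IPv6=""
      re_subnet='^[0-9A-Fa-f:]+/[0-9]+$'
      until [[ "$IPv6" =~ $re_subnet ]] && (( 10#${IPv6##*/} >= 64 && 10#${IPv6##*/} <= 112 )); do
        read -r -p "IPv6 subnet: " -e IPv6
      done
    fi
    if [[ "$IPv6TYPE" = "3" ]]; then
      echo ""
      echo "What is your IPv6 address?"
      # Used as the SNAT target in an ip6tables rule and in a sed edit of
      # rc.local: accept hex groups and colons only.
      IPv6=""
      until [[ "$IPv6" =~ ^[0-9A-Fa-f:]+$ ]]; do
        read -r -p "IPv6 address: " -e IPv6
      done
    fi
    # We need an interface for ubuntu too not just for npd6
    # NOTE(review): as above, the original distribution guard here was always
    # true, so the interface is asked for whenever IPv6 support is enabled.
    echo ""
    echo "What is the main interface for IPv6 (eg. eth0)?"
    INTERFACE=$(ip -6 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)
    if [[ "$INTERFACE" != "" ]]; then
      echo ""
      echo "Autodetected: $INTERFACE"
      echo ""
    fi
    # The name is spliced into sysctl keys, /proc paths and a sed expression.
    DEFAULT_INTERFACE=$INTERFACE
    INTERFACE=""
    until [[ "$INTERFACE" =~ ^[A-Za-z0-9_.:@-]+$ ]]; do
      read -r -p "Interface to use: " -e -i "$DEFAULT_INTERFACE" INTERFACE
    done
  fi
  echo ""
  echo "What port do you want for OpenVPN?"
  # Goes into server.conf, iptables/firewalld, semanage and sed patterns.
  PORT=""
  until is_port "$PORT"; do
    read -r -p "Port: " -e -i 1194 PORT
  done
  echo ""
  echo "What protocol do you want for OpenVPN?"
  echo "Unless UDP is blocked, you should not use TCP (slower)"
  PROTOCOL=""
  while [[ "$PROTOCOL" != "UDP" && "$PROTOCOL" != "TCP" ]]; do
    read -r -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
  done
  # Lower-case form for config files and firewall tools ("udp" / "tcp").
  PROTO=${PROTOCOL,,}
  echo ""
  echo "What DNS do you want to use with the VPN?"
  echo " 1) Current system resolvers (/etc/resolv.conf)"
  echo " 2) FDN (France)"
  echo " 3) DNS.WATCH (Germany)"
  echo " 4) OpenDNS (Anycast: worldwide)"
  echo " 5) Google (Anycast: worldwide)"
  DNS=""
  while [[ "$DNS" != "1" && "$DNS" != "2" && "$DNS" != "3" && "$DNS" != "4" && "$DNS" != "5" ]]; do
    read -r -p "DNS [1-5]: " -e -i 2 DNS
  done
  echo ""
  echo "Finally, tell me a name for the client certificate and configuration"
  CLIENT=""
  until is_client_name "$CLIENT"; do
    echo "Please, use one word only, no special characters"
    read -r -p "Client name: " -e -i client CLIENT
  done
  echo ""
  echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
  read -n1 -r -p "Press any key to continue..."
  if [[ "$OS" = 'debian' ]]; then
    apt-get install ca-certificates -y
    # We add the OpenVPN repo to get the latest version.
    case "$VERSION_ID" in
      'VERSION_ID="7"')     CODENAME=wheezy ;;   # Debian 7
      'VERSION_ID="8"')     CODENAME=jessie ;;   # Debian 8
      'VERSION_ID="12.04"') CODENAME=precise ;;  # Ubuntu 12.04
      'VERSION_ID="14.04"') CODENAME=trusty ;;   # Ubuntu 14.04
      'VERSION_ID="16.04"') CODENAME=xenial ;;   # Ubuntu 16.04
      *)                    CODENAME= ;;         # e.g. 16.10 / testing: distro package
    esac
    if [[ -n "$CODENAME" ]]; then
      echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 $CODENAME main" > /etc/apt/sources.list.d/openvpn.list
      # The repository is served over plain http; APT checks its signatures
      # against this key, so a failed key import must be fatal rather than
      # ignored.
      wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - || die "Could not import the OpenVPN repository key"
      apt-get update
    fi
    # Then we install OpenVPN
    apt-get install openvpn iptables openssl wget ca-certificates curl -y
  else
    # Else, the distro is CentOS
    yum install epel-release -y
    yum install openvpn iptables openssl wget ca-certificates curl -y
  fi
  # Find out if the machine uses nogroup or nobody for the permissionless group
  if grep -qs "^nogroup:" /etc/group; then
    NOGROUP=nogroup
  else
    NOGROUP=nobody
  fi
  # An old version of easy-rsa was available by default in some openvpn packages
  if [[ -d /etc/openvpn/easy-rsa/ ]]; then
    rm -rf /etc/openvpn/easy-rsa/
  fi
  # Get easy-rsa
  # NOTE(review): the tarball is fetched over TLS but no checksum or signature
  # is verified; pinning a known digest here would close that gap. A failed or
  # partial download is at least made fatal so the PKI is never built from a
  # broken tree.
  wget -O "$HOME/EasyRSA-3.0.1.tgz" https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz || die "Could not download EasyRSA"
  tar xzf "$HOME/EasyRSA-3.0.1.tgz" -C "$HOME" || die "Could not extract EasyRSA"
  mv "$HOME/EasyRSA-3.0.1" /etc/openvpn/easy-rsa || die "Could not move EasyRSA into /etc/openvpn"
  chown -R root:root /etc/openvpn/easy-rsa/
  rm -f "$HOME/EasyRSA-3.0.1.tgz"
  cd /etc/openvpn/easy-rsa/ || die "Cannot cd to /etc/openvpn/easy-rsa/"
  echo 'set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE sect571r1
set_var EASYRSA_DIGEST "sha512"' > vars
  # Create the PKI, set up the CA, the DH params and the server + client certificates.
  # Each step is fatal on failure: server.conf below refers to all of them.
  ./easyrsa init-pki || die "easyrsa init-pki failed"
  ./easyrsa --batch build-ca nopass || die "easyrsa build-ca failed"
  ./easyrsa build-server-full server nopass || die "easyrsa build-server-full failed"
  ./easyrsa build-client-full "$CLIENT" nopass || die "easyrsa build-client-full failed"
  ./easyrsa gen-crl || die "easyrsa gen-crl failed"
  # Generate tls-crypt key
  openvpn --genkey --secret /etc/openvpn/tls-crypt.key || die "Could not generate the tls-crypt key"
  # Move all the generated files. The CA private key stays in the PKI only:
  # server.conf never references it and the running server does not need it.
  cp pki/ca.crt pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
  # Make cert revocation list readable for non-root
  chmod 644 /etc/openvpn/crl.pem
  # Generate server.conf
  echo "port $PORT" > /etc/openvpn/server.conf
  echo "proto $PROTO" >> /etc/openvpn/server.conf
  echo "dev tun
user nobody
group $NOGROUP
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
  # DNS resolvers
  case "$DNS" in
    1)
      # Obtain the resolvers from resolv.conf and use them for OpenVPN
      grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while IFS= read -r line; do
        echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
      done
      ;;
    2) #FDN
      echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
      ;;
    3) #DNS.WATCH
      echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
      ;;
    4) #OpenDNS
      echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
      ;;
    5) #Google
      echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
      ;;
  esac
  echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
  if [[ "$IPv6TYPE" != "4" ]]; then
    if [[ "$IPv6TYPE" = "1" || "$IPv6TYPE" = "2" ]]; then
      echo "server-ipv6 $IPv6" >> /etc/openvpn/server.conf
    fi
    if [[ "$IPv6TYPE" = "3" ]]; then
      echo "server-ipv6 fd42:42:42:42::/64" >> /etc/openvpn/server.conf
    fi
    echo 'push "redirect-gateway ipv6" '>> /etc/openvpn/server.conf
  fi
  echo "crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-crypt tls-crypt.key 0
dh none
ecdh-curve sect571r1
auth SHA512
cipher AES-256-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
status openvpn.log
verb 3" >> /etc/openvpn/server.conf
  # Create the sysctl configuration file if needed (mainly for Arch Linux)
  if [[ ! -e /etc/sysctl.conf ]]; then
    touch /etc/sysctl.conf
  fi
  # Enable net.ipv4.ip_forward for the system. (The former sed/grep pairs
  # here had garbled patterns, including an unbalanced quote; set_sysctl is
  # their intended replace-or-append behaviour.)
  set_sysctl net.ipv4.ip_forward 1
  # Avoid an unneeded reboot
  echo 1 > /proc/sys/net/ipv4/ip_forward
  if [[ "$IPv6TYPE" != "4" ]]; then
    # Enable net.ipv6.conf.all.forwarding
    set_sysctl net.ipv6.conf.all.forwarding 1
    if [[ "$IPv6TYPE" = "2" ]]; then
      set_sysctl net.ipv6.conf.all.proxy_ndp 1
      echo 1 > /proc/sys/net/ipv6/conf/all/proxy_ndp
      # Ubuntu is special and needs special stuff
      # NOTE(review): the original Ubuntu-only guard was always true, so these
      # accept_ra settings are applied unconditionally to keep that behaviour.
      set_sysctl net.ipv6.conf.all.accept_ra 2
      set_sysctl "net.ipv6.conf.$INTERFACE.accept_ra" 2
      echo 2 > "/proc/sys/net/ipv6/conf/$INTERFACE/accept_ra"
      echo 2 > /proc/sys/net/ipv6/conf/all/accept_ra
      # We need to install npd6 for this to work
      rm -f /etc/npd6.conf
      # npd6 wants the prefix without its trailing character, e.g.
      # AAAA:BBBB:CCCC:DDDD::/64 -> AAAA:BBBB:CCCC:DDDD:
      ADDR=${IPv6%%/*}
      PREFIX=${ADDR%?}
      echo "prefix=$PREFIX" >> /etc/npd6.conf
      echo "interface = $INTERFACE" >> /etc/npd6.conf
      # NOTE(review): only Debian-style .deb packages are available here;
      # on CentOS dpkg is absent and this step cannot succeed.
      PF=$(uname -m)
      if [[ "$PF" = "i686" ]]; then
        wget -O "$HOME/npd6_1.1.0_i386.deb" https://github.com/npd6/npd6/releases/download/1.1.0/npd6_1.1.0_i386.deb || die "Could not download npd6"
        dpkg -i "$HOME/npd6_1.1.0_i386.deb"
        rm -f "$HOME/npd6_1.1.0_i386.deb"
      elif [[ "$PF" = "x86_64" ]]; then
        wget -O "$HOME/npd6_1.1.0_amd64.deb" https://github.com/npd6/npd6/releases/download/1.1.0/npd6_1.1.0_amd64.deb || die "Could not download npd6"
        dpkg -i "$HOME/npd6_1.1.0_amd64.deb"
        rm -f "$HOME/npd6_1.1.0_amd64.deb"
      else
        echo "No npd6 package for architecture $PF, IPv6 option 2 will not work" >&2
      fi
    fi
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  fi
  # Set NAT for the VPN subnet
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
  sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
  if pgrep firewalld >/dev/null; then
    # We don't use --add-service=openvpn because that would only work with
    # the default port. Using both permanent and not permanent rules to
    # avoid a firewalld reload.
    firewall-cmd --zone=public --add-port="$PORT/$PROTO"
    firewall-cmd --permanent --zone=public --add-port="$PORT/$PROTO"
    firewall-cmd --zone=trusted --add-source=10.8.0.0/24
    firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
  fi
  if iptables -L -n | grep -qE 'REJECT|DROP'; then
    # If iptables has at least one REJECT rule, we asume this is needed.
    # Not the best approach but I can't think of other and this shouldn't
    # cause problems.
    iptables -I INPUT -p "$PROTO" --dport "$PORT" -j ACCEPT
    iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Same lines persisted in rc.local; the removal menu deletes them by
    # matching this exact text.
    sed -i "1 a\iptables -I INPUT -p $PROTO --dport $PORT -j ACCEPT" "$RCLOCAL"
    sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" "$RCLOCAL"
    sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
  fi
  # ip6tables rules
  if [[ "$IPv6TYPE" != "4" ]]; then
    ip6tables -I FORWARD -i tun+ -j ACCEPT
    ip6tables -I FORWARD -o tun+ -j ACCEPT
    sed -i "1 a\ip6tables -I FORWARD -i tun+ -j ACCEPT" "$RCLOCAL"
    sed -i "1 a\ip6tables -I FORWARD -o tun+ -j ACCEPT" "$RCLOCAL"
    if [[ "$IPv6TYPE" = "3" ]]; then
      ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/64 -j SNAT --to "$IPv6"
      sed -i "1 a\ip6tables -t nat -A POSTROUTING -s fd42:42:42:42::/64 -j SNAT --to $IPv6" "$RCLOCAL"
    fi
  fi
  # If SELinux is enabled and a custom port was selected, we need this
  if hash sestatus 2>/dev/null; then
    if sestatus | grep "Current mode" | grep -qs "enforcing"; then
      if [[ "$PORT" != '1194' ]]; then
        # semanage isn't available in CentOS 6 by default
        if ! hash semanage 2>/dev/null; then
          yum install policycoreutils-python -y
        fi
        semanage port -a -t openvpn_port_t -p "$PROTO" "$PORT"
      fi
    fi
  fi
  # And finally, restart OpenVPN
  if [[ "$OS" = 'debian' ]]; then
    # Little hack to check for systemd
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
      # Restart npd6 if option 2 was chosen
      if [[ "$IPv6TYPE" = "2" ]]; then
        systemctl restart npd6
      fi
    else
      /etc/init.d/openvpn restart
      # Restart npd6 if option 2 was chosen
      if [[ "$IPv6TYPE" = "2" ]]; then
        /etc/init.d/npd6 restart
      fi
    fi
  else
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
      systemctl enable openvpn@server.service
    else
      service openvpn restart
      chkconfig openvpn on
    fi
  fi
  # Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users.
  # The remote answer is only compared, never used as a value, and is fetched over TLS.
  EXTERNALIP=$(wget -qO- https://ipv4.icanhazip.com)
  if [[ "$IP" != "$EXTERNALIP" ]]; then
    echo ""
    echo "Looks like your server is behind a NAT!"
    echo ""
    echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
    echo "then I need to know the address that can be used to access it from outside."
    echo "If that's not the case, just ignore this and leave the next field blank"
    # Goes into the "remote" line of every client profile: accept an IPv4
    # address or a host name (letters, digits, '.' and '-'), or nothing.
    while :; do
      read -r -p "External IP or domain name: " -e USEREXTERNALIP
      [[ -z "$USEREXTERNALIP" || "$USEREXTERNALIP" =~ ^[A-Za-z0-9.-]+$ ]] && break
      echo "Please enter an IPv4 address or a host name, or leave the field blank"
    done
    if [[ "$USEREXTERNALIP" != "" ]]; then
      IP=$USEREXTERNALIP
    fi
  fi
  # client-template.txt is created so we have a template to add further users later
  echo "client" > /etc/openvpn/client-template.txt
  if [[ "$PROTOCOL" = 'UDP' ]]; then
    echo "proto udp" >> /etc/openvpn/client-template.txt
  elif [[ "$PROTOCOL" = 'TCP' ]]; then
    echo "proto tcp-client" >> /etc/openvpn/client-template.txt
  fi
  echo "remote $IP $PORT
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
setenv opt block-outside-dns
verb 3" >> /etc/openvpn/client-template.txt
  # Generate the custom client.ovpn
  newclient "$CLIENT"
  echo ""
  echo "Finished!"
  echo ""
  echo "Your client config is available at ~/$CLIENT.ovpn"
  echo "If you want to add more clients, you simply need to run this script another time!"
fi
exit 0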