1
0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-11-28 07:56:07 +03:00
openvpn-install/openvpn-install.sh

447 lines
16 KiB
Bash
Raw Normal View History

2013-05-14 16:04:19 +04:00
#!/bin/bash
2015-02-11 21:51:19 +03:00
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS
2013-05-14 16:04:19 +04:00
2015-02-11 21:51:19 +03:00
# This script will work on Debian, Ubuntu, CentOS and probably other distros
# of the same families, although no support is offered for them. It isn't
# bulletproof but it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
# universal as possible.
2013-05-14 16:04:19 +04:00
2015-11-15 13:34:19 +03:00
if [[ "$EUID" -ne 0 ]]; then
2013-05-14 16:04:19 +04:00
echo "Sorry, you need to run this as root"
2015-11-15 13:34:34 +03:00
exit 1
2013-05-14 16:04:19 +04:00
fi
if [[ ! -e /dev/net/tun ]]; then
2016-03-14 23:22:08 +03:00
echo "TUN is not available"
2015-11-15 13:34:34 +03:00
exit 2
fi
2015-06-29 10:23:44 +03:00
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
2015-02-11 21:51:19 +03:00
echo "CentOS 5 is too old and not supported"
2015-11-15 13:34:34 +03:00
exit 3
2015-02-11 21:51:19 +03:00
fi
if [[ -e /etc/debian_version ]]; then
OS="debian"
#We get the version number, to verify we can get a recent version of OpenVPN
VERSION_ID=$(cat /etc/*-release | grep "VERSION_ID")
2015-02-11 21:51:19 +03:00
RCLOCAL='/etc/rc.local'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="15.10"' ]]; then
echo "Your version of Debian/Ubuntu is not supported. Please look at the documentation."
exit 4
fi
2015-02-11 21:51:19 +03:00
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos
RCLOCAL='/etc/rc.d/rc.local'
# Needed for CentOS 7
chmod +x /etc/rc.d/rc.local
else
echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system"
2015-11-15 13:34:34 +03:00
exit 4
2013-05-14 16:04:19 +04:00
fi
2014-10-23 02:19:08 +04:00
newclient () {
# Generates the custom client.ovpn
cp /etc/openvpn/client-common.txt ~/$1.ovpn
2014-10-23 05:16:09 +04:00
echo "<ca>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
2014-10-23 05:16:09 +04:00
echo "</ca>" >> ~/$1.ovpn
echo "<cert>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
2014-10-23 05:16:09 +04:00
echo "</cert>" >> ~/$1.ovpn
echo "<key>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
2014-10-23 05:16:09 +04:00
echo "</key>" >> ~/$1.ovpn
2014-10-23 02:19:08 +04:00
}
2013-05-14 16:04:19 +04:00
# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
2013-05-14 16:04:19 +04:00
# and to avoid getting an IPv6.
2015-02-11 21:51:19 +03:00
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com)
2013-05-14 16:04:19 +04:00
fi
if [[ -e /etc/openvpn/server.conf ]]; then
2013-05-14 16:04:19 +04:00
while :
do
clear
echo "Looks like OpenVPN is already installed"
echo ""
echo "What do you want to do?"
echo " 1) Add a cert for a new user"
echo " 2) Revoke existing user cert"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -p "Select an option [1-4]: " option
2013-05-14 16:04:19 +04:00
case $option in
1)
echo ""
echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn
2014-10-23 02:19:08 +04:00
newclient "$CLIENT"
2013-05-14 16:04:19 +04:00
echo ""
2014-10-23 05:16:09 +04:00
echo "Client $CLIENT added, certs available at ~/$CLIENT.ovpn"
2013-05-14 16:04:19 +04:00
exit
;;
2)
# This option could be documented a bit better and maybe even be simplimplified
# ...but what can I say, I want some sleep too
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo ""
echo "You have no existing clients!"
2015-11-15 13:34:34 +03:00
exit 5
fi
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER
else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/
./easyrsa --batch revoke $CLIENT
./easyrsa gen-crl
rm -rf pki/reqs/$CLIENT.req
rm -rf pki/private/$CLIENT.key
rm -rf pki/issued/$CLIENT.crt
2016-02-27 12:52:51 +03:00
rm -rf /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
2015-02-11 21:51:19 +03:00
echo ""
echo "Certificate for client $CLIENT revoked"
exit
;;
3)
2013-05-14 16:04:19 +04:00
echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then
# Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --zone=public --remove-port=$PORT/udp
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi
2015-10-07 20:57:04 +03:00
if iptables -L | grep -qE 'REJECT|DROP'; then
sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
if hash sestatus 2>/dev/null; then
2016-02-27 12:52:51 +03:00
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp $PORT
fi
fi
fi
2015-02-11 21:51:19 +03:00
if [[ "$OS" = 'debian' ]]; then
apt-get remove --purge -y openvpn openvpn-blacklist
else
yum remove openvpn -y
fi
rm -rf /etc/openvpn
2015-02-11 21:51:19 +03:00
rm -rf /usr/share/doc/openvpn*
echo ""
echo "OpenVPN removed!"
2015-01-25 22:45:07 +03:00
else
echo ""
echo "Removal aborted!"
fi
2013-05-14 16:04:19 +04:00
exit
;;
4) exit;;
2013-05-14 16:04:19 +04:00
esac
done
else
clear
2013-05-14 16:04:19 +04:00
echo 'Welcome to this quick OpenVPN "road warrior" installer'
echo ""
# OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them"
echo ""
2016-03-15 21:11:35 +03:00
echo "First, choose which variant of the script you want to use."
echo '"Fast" is secure, but "slow" is the best encryption you can get, at the cost of speed (not that slow though)'
echo " 1) Fast (2048 bits RSA and DH, 128 bits AES)"
echo " 2) Slow (4096 bits RSA and DH, 256 bits AES)"
while [[ $VARIANT != "1" && $VARIANT != "2" ]]; do
read -p "Variant [1-2]: " -e -i 1 VARIANT
done
2016-03-15 21:11:35 +03:00
echo ""
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If you server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP adress as it is. (10.x.x.x)"
echo "Otherwise, it sould be your public IPv4 address."
2013-05-14 16:04:19 +04:00
read -p "IP address: " -e -i $IP IP
echo ""
echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT
echo ""
echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers"
2016-03-09 01:53:30 +03:00
echo " 2) FDN (recommended)"
echo " 3) OpenNIC (nearest servers)"
echo " 4) OpenDNS"
2016-03-09 01:53:30 +03:00
echo " 5) Google"
2016-03-13 17:13:46 +03:00
read -p "DNS [1-6]: " -e -i 2 DNS
echo ""
2013-05-14 16:04:19 +04:00
echo "Finally, tell me your name for the client cert"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..."
2016-03-15 21:11:35 +03:00
if [[ "$OS" = 'debian' ]]; then
2016-03-20 00:51:00 +03:00
apt-get install ca-certificates -y
# We add the OpenVPN repo to get the latest version.
# Debian 7
if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
echo "deb http://swupdate.openvpn.net/apt wheezy main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://swupdate.openvpn.net/apt jessie main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
fi
# Ubuntu 12.04
if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
echo "deb http://swupdate.openvpn.net/apt precise main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://swupdate.openvpn.net/apt trusty main" > /etc/apt/sources.list.d/swupdate-openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# The repo, is not available for Ubuntu 15.10, but it has OpenVPN > 2.3.3, so we do nothing.
# The we install OpnVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y
2015-02-11 21:51:19 +03:00
else
# Else, the distro is CentOS
yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y
fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
# Get easy-rsa
wget -O ~/EasyRSA-3.0.1.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
2015-11-21 17:35:51 +03:00
tar xzf ~/EasyRSA-3.0.1.tgz -C ~/
mv ~/EasyRSA-3.0.1/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.1/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
2015-11-21 17:35:51 +03:00
rm -rf ~/EasyRSA-3.0.1.tgz
cd /etc/openvpn/easy-rsa/
# If the user selected the fast, less hardened version
if [[ "$VARIANT" = '1' ]]; then
echo "set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_DIGEST "sha256"" > vars
fi
# If the user selected the relatively slow, ultra hardened version
if [[ "$VARIANT" = '2' ]]; then
echo "set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_DIGEST "sha384"" > vars
fi
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass
./easyrsa gen-crl
# Move the stuff we need
2016-02-27 12:52:51 +03:00
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
# Generate server.conf
echo "port $PORT
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2" > /etc/openvpn/server.conf
if [[ "$VARIANT" = '1' ]]; then
# If the user selected the fast, less hardened version
# Or if the user selected a non-existant variant, we fallback to fast
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/server.conf
elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/server.conf
2016-03-15 21:11:35 +03:00
fi
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
# DNS
case $DNS in
1)
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done
;;
2) #FDN
2016-03-09 01:53:30 +03:00
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
2016-02-27 12:52:51 +03:00
;;
3) #OpenNIC
#Getting the nearest OpenNIC servers using the geoip API
read ns1 ns2 <<< $(curl -s https://api.opennicproject.org/geoip/ | head -2 | awk '{print $1}')
echo -e "nameserver $ns1
nameserver $ns2" >> /etc/resolv.conf #Set the DNS servers
echo "push "dhcp-option DNS $ns1"" >> /etc/openvpn/server.conf
echo "push "dhcp-option DNS $ns2"" >> /etc/openvpn/server.conf
;;
4) #OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;;
5) #Google
2016-03-09 01:53:30 +03:00
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
2016-02-29 19:47:01 +03:00
;;
esac
echo "keepalive 10 120
##comp-lzo
persist-key
persist-tun
2016-02-27 12:52:51 +03:00
crl-verify crl.pem" >> /etc/openvpn/server.conf
2013-05-14 16:04:19 +04:00
# Enable net.ipv4.ip_forward for the system
2015-02-11 21:51:19 +03:00
if [[ "$OS" = 'debian' ]]; then
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
else
# CentOS 5 and 6
sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
# CentOS 7
if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"; then
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi
fi
2013-05-14 16:04:19 +04:00
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to
# avoid a firewalld reload.
firewall-cmd --zone=public --add-port=$PORT/udp
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --add-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi
2015-10-07 20:57:04 +03:00
if iptables -L | grep -qE 'REJECT|DROP'; then
# If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't
# cause problems.
iptables -I INPUT -p udp --dport $PORT -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
fi
2016-02-27 12:52:51 +03:00
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
2016-02-27 12:52:51 +03:00
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
# semanage isn't available in CentOS 6 by default
if ! hash semanage 2>/dev/null; then
2016-02-27 12:52:51 +03:00
yum install policycoreutils-python -y
fi
semanage port -a -t openvpn_port_t -p udp $PORT
fi
fi
fi
2013-05-14 16:04:19 +04:00
# And finally, restart OpenVPN
2015-02-11 21:51:19 +03:00
if [[ "$OS" = 'debian' ]]; then
# Little hack to check for systemd
if pgrep systemd-journal; then
systemctl restart openvpn@server.service
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
2015-02-11 21:51:19 +03:00
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
else
service openvpn restart
chkconfig openvpn on
fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
if [[ "$IP" != "$EXTERNALIP" ]]; then
echo ""
echo "Looks like your server is behind a NAT!"
echo ""
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway), I need to know the external IP"
echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP
fi
fi
# client-common.txt is created so we have a template to add further users later
echo "client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2" > /etc/openvpn/client-common.txt
if [[ "$VARIANT" = '1' ]]; then
# If the user selected the fast, less hardened version
# Or if the user selected a non-existant variant, we fallback to fast
echo "tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256" >> /etc/openvpn/client-common.txt
elif [[ "$VARIANT" = '2' ]]; then
# If the user selected the relatively slow, ultra hardened version
echo "tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384" >> /etc/openvpn/client-common.txt
2016-03-15 21:11:35 +03:00
fi
# Generates the custom client.ovpn
2014-10-23 02:19:08 +04:00
newclient "$CLIENT"
2013-05-14 16:04:19 +04:00
echo ""
echo "Finished!"
echo ""
2014-10-23 05:16:09 +04:00
echo "Your client config is available at ~/$CLIENT.ovpn"
2013-05-14 16:04:19 +04:00
echo "If you want to add more clients, you simply need to run this script another time!"
2013-08-05 02:58:43 +04:00
fi