diff --git a/README.md b/README.md
index c577f5f..2f7d52d 100644
--- a/README.md
+++ b/README.md
@@ -1,24 +1,65 @@
-**New: [wireguard-install](https://github.com/Nyr/wireguard-install) is also available.**
-
 ## openvpn-install
-OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora.
 
-This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.
+OpenVPN Server installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS, and Fedora.
 
-### Installation
-Run the script and follow the assistant:
+This repo is originally a fork of https://github.com/Nyr/openvpn-install with some changes and added features.
 
-`wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh`
+### Instructions
+
+Download and execute the script:
+
+```
+wget https://raw.githubusercontent.com/davift/openvpn-install/master/openvpn-install.sh
+chmod +x openvpn-install.sh
+./openvpn-install.sh
+```
 
 Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.
 
-### I want to run my own VPN but don't have a server for that
-You can get a VPS from just 2€/month at [AlphaVPS](https://alphavps.com/clients/aff.php?aff=474&pid=422).
+### Automation
 
-### Donations
-If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [cryptocurrency](https://pastebin.com/raw/M2JJpQpC). Thanks!
+Download the CLI script:
 
-### Sponsors
-This project is proudly sponsored by our friends at [FrogeHost](https://froge.host/?utm_source=nyr).
+```
+wget https://raw.githubusercontent.com/davift/openvpn-install/master/openvpn-cli.sh
+chmod +x openvpn-cli.sh
+./openvpn-cli.sh
+```
 
-For a commercial VPN with strong anti-censorship capabilities (最强翻墙VPN) from $1/month, check out [Clever VPN](https://www.clever-vpn.net/?wg-referral=01LOULuQoi).
\ No newline at end of file
+The CLI script allows you to add and revoke users with a single command or for using with Ansible or Terraform.
+
+```
+See examples:
+
+ ./openvpn-cli.sh add username add a new client
+ ./openvpn-cli.sh revoke username revoke a client
+ ./openvpn-cli.sh add username@domain.com add a new client and send the configuration via email
+ ./openvpn-cli.sh revoke username@domain.com revoke client and send the configuration via email
+
+```
+
+### Optional
+
+If the new client account is a valid email address, the configuration file is automatically sent, as long as MSMTP is installed and configured.
+
+```
+sudo apt install msmtp msmtp-mta -y
+sudo nano /etc/msmtprc
+```
+
+MSMTP Configuration Example (for Gmail):
+
+```
+defaults
+auth on
+tls on
+tls_trust_file /etc/ssl/certs/ca-certificates.crt
+logfile ~/.msmtp.log
+account gmail
+host smtp.gmail.com
+port 587
+from username@gmail.com
+user username@gmail.com
+password password
+account default : gmail
+```
diff --git a/openvpn-cli.sh b/openvpn-cli.sh
new file mode 100644
index 0000000..68dfc58
--- /dev/null
+++ b/openvpn-cli.sh
@@ -0,0 +1,141 @@
+#!/bin/bash
+#
+# https://github.com/davift/openvpn-install
+# firked from https://github.com/Nyr/openvpn-install
+#
+# Released under the same MIT License.
+
+if [[ ! -e /etc/openvpn/server/server.conf ]]; then
+ echo 'OpenVPN server is not installed yet.'
+ echo 'Run the following command first:'
+ echo
+ echo ' ./openvpn-install.sh'
+ echo
+ exit
+fi
+
+# Detect Debian users running the script with "sh" instead of bash
+if readlink /proc/$$/exe | grep -q "dash"; then
+ echo 'This installer needs to be run with "bash", not "sh".'
+ exit
+fi
+
+# Discard stdin. Needed when running from an one-liner which includes a newline
+read -N 999999 -t 0.001
+
+# Detect environments where $PATH does not include the sbin directories
+if ! grep -q sbin <<< "$PATH"; then
+ echo '$PATH does not include sbin. Try using "su -" instead of "su".'
+ exit
+fi
+
+if [[ "$EUID" -ne 0 ]]; then
+ echo "This installer needs to be run with superuser privileges."
+ exit
+fi
+
+option=$1
+unsanitized_client=$2
+ client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@-\.]/_/g' <<< "$unsanitized_client")
+ if [[ -z "$option" || ( "$option" != "add" && "$option" != "revoke" ) ]]; then
+ echo 'Invalid option.'
+ elif [[ -z "$client" ]]; then
+ echo 'The client name cannto be empty.'
+ exit 1
+ fi
+
+case "$option" in
+ add)
+ if [[ -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt || -e /etc/openvpn/server/easy-rsa/pki/private/"$client".key ]]; then
+ echo 'The client already exist.'
+ exit 1
+ fi
+
+ # Adding
+ cd /etc/openvpn/server/easy-rsa/
+ if ./easyrsa --batch --days=3650 build-client-full "$client" nopass &>/dev/null; then
+ {
+ cat /etc/openvpn/server/client-common.txt
+ echo ""
+ cat /etc/openvpn/server/easy-rsa/pki/ca.crt
+ echo ""
+ echo ""
+ sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
+ echo ""
+ echo ""
+ cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key
+ echo ""
+ echo ""
+ sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
+ echo ""
+ } > /root/"$client".ovpn
+ echo "Client's configuration:" /root/"$client.ovpn"
+
+ # Regular expression for a basic email validation
+ regex="^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]{1,2}+\.[a-zA-Z]{2,10}$"
+ if [[ $client =~ $regex ]]; then
+ boundaystring=($(md5sum /root/$client.ovpn))
+ {
+ echo "From: davift-canada@gmail.com"
+ echo "To: $client"
+ echo "Subject: OpenVPN Client Configuration"
+ echo "MIME-Version: 1.0"
+ echo "Content-Type: multipart/mixed; boundary=\"$boundaystring\""
+ echo ""
+ echo "--$boundaystring"
+ echo "Content-Type: text/plain; charset=\"UTF-8\""
+ echo "Content-Transfer-Encoding: 7bit"
+ echo ""
+ echo "Please find attached your OpenVPN client configuration."
+ echo ""
+ echo "--$boundaystring"
+ echo "Content-Type: application/octet-stream; name=\"$client.ovpn\""
+ echo "Content-Transfer-Encoding: base64"
+ echo "Content-Disposition: attachment; filename=\"$client.ovpn\""
+ echo ""
+ cat /root/$client.ovpn | base64
+ echo "--$boundaystring--"
+ echo ""
+ } > /root/"$client".email
+ if [[ ! $(which msmtp) ]]; then
+ echo 'Email NOT sent! MSMTP was not found.'
+ elif msmtp -a default $client < /root/$client.email; then
+ echo 'Configuration send via email.'
+ else
+ echo 'Email NOT sent! MSMTP failed.'
+ fi
+ fi
+ else
+ echo 'Certificate conflict.'
+ exit 1
+ fi
+ ;;
+ revoke)
+ if [[ ! -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; then
+ echo 'The client does not exist.'
+ exit 1
+ fi
+ if ! tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | grep -q "$client"; then
+ echo 'The client does not exist.'
+ exit 1
+ fi
+
+ # Revoking
+ cd /etc/openvpn/server/easy-rsa/
+ rm pki/reqs/$client.req
+ ./easyrsa --batch revoke "$client" &>/dev/null
+ ./easyrsa --batch --days=3650 gen-crl &>/dev/null
+ cat /etc/openvpn/server/easy-rsa/pki/crl.pem > /etc/openvpn/server/crl.pem
+ exit
+ ;;
+ *)
+ echo 'See examples:'
+ echo ''
+ echo ' ./openvpn-cli.sh add username add a new client'
+ echo ' ./openvpn-cli.sh revoke username revoke a client'
+ echo ' ./openvpn-cli.sh add username@domain.com add a new client and send the configuration via email'
+ echo ' ./openvpn-cli.sh revoke username@domain.com revoke client and send the configuration via email'
+ echo ''
+ exit
+ ;;
+esac
diff --git a/openvpn-install.sh b/openvpn-install.sh
index e0785b8..1abcb8e 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -96,7 +96,7 @@ new_client () {
 echo ""
 sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
 echo ""
- } > ~/"$client".ovpn
+ } > /root/"$client".ovpn
 }
 
 if [[ ! -e /etc/openvpn/server/server.conf ]]; then
@@ -454,7 +454,7 @@ verb 3" > /etc/openvpn/server/client-common.txt
 echo
 echo "Finished!"
 echo
- echo "The client configuration is available in:" ~/"$client.ovpn"
+ echo "The client configuration is available in:" /root/"$client.ovpn"
 echo "New clients can be added by running this script again."
 else
 clear
@@ -482,11 +482,12 @@ else
 client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
 done
 cd /etc/openvpn/server/easy-rsa/
+ rm pki/reqs/$client.req
 ./easyrsa --batch --days=3650 build-client-full "$client" nopass
 # Generates the custom client.ovpn
 new_client
 echo
- echo "$client added. Configuration available in:" ~/"$client.ovpn"
+ echo "$client added. Configuration available in:" /root/"$client.ovpn"
 exit
 ;;
 2)
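Review bot: The sanitiser near the top of openvpn-cli.sh does not accept the character set it appears to intend: inside the bracket expression `_@-\.` the `@-\` part is parsed as a range (a backslash is literal in a POSIX bracket expression), so in the C locale `[` and `\` pass through unchanged while a literal `-` is rewritten to `_`; placing the hyphen last, `s/[^0-9a-zA-Z_@.-]/_/g`, fixes that. The resulting name is then expanded unquoted in `md5sum /root/$client.ovpn`, `msmtp -a default $client` and `rm pki/reqs/$client.req`, and used as an unanchored regex in `grep -q "$client"`, where `.` matches any character, so quote those expansions and make the revoke check exact with `grep -qxF -- "$client"`. In the revoke branch both `./easyrsa` calls send their output to `/dev/null` and their status is never tested, so a failed revocation most likely still exits 0 after the CRL copy; test each call and `exit 1` on failure so Ansible or Terraform runs notice. The add branch also leaves `/root/"$client".email`, a base64 copy of the `nopass` private key, on disk after sending; deleting it once `msmtp` returns keeps one fewer copy of the key around.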
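Review bot: The added `rm pki/reqs/$client.req` in the last openvpn-install.sh hunk runs just before `build-client-full`, and for a name that has never been issued there is presumably no request file yet, so the interactive add path would print an rm error every time; it also depends on the unchecked `cd` on the line above, so if that `cd` fails the relative path resolves against whatever directory the script was started from. `cd /etc/openvpn/server/easy-rsa/ || exit 1` followed by `rm -f -- "pki/reqs/$client.req"` covers both. The commit does not say why the request file is removed; a comment on that line naming the leftover it clears would help the next reader. The enclosing `case` branch starts and ends outside the hunk.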