mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-24 05:56:08 +03:00
Added CLI Script for Managing Clients
This commit is contained in:
commit
6e63867b6b
69
README.md
@ -1,24 +1,65 @@
|
|||||||
**New: [wireguard-install](https://github.com/Nyr/wireguard-install) is also available.**
|
|
||||||
|
|
||||||
## openvpn-install
|
## openvpn-install
|
||||||
OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora.
|
|
||||||
|
|
||||||
This script will let you set up your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It has been designed to be as unobtrusive and universal as possible.
|
OpenVPN Server installer for Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS, and Fedora.
|
||||||
|
|
||||||
### Installation
|
This repo is originally a fork of https://github.com/Nyr/openvpn-install with some changes and added features.
|
||||||
Run the script and follow the assistant:
|
|
||||||
|
|
||||||
`wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh`
|
### Instructions
|
||||||
|
|
||||||
|
Download and execute the script:
|
||||||
|
|
||||||
|
```
|
||||||
|
wget https://raw.githubusercontent.com/davift/openvpn-install/master/openvpn-install.sh
|
||||||
|
chmod +x openvpn-install.sh
|
||||||
|
./openvpn-install.sh
|
||||||
|
```
|
||||||
|
|
||||||
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.
|
Once it ends, you can run it again to add more users, remove some of them or even completely uninstall OpenVPN.
|
||||||
|
|
||||||
### I want to run my own VPN but don't have a server for that
|
### Automation
|
||||||
You can get a VPS from just 2€/month at [AlphaVPS](https://alphavps.com/clients/aff.php?aff=474&pid=422).
|
|
||||||
|
|
||||||
### Donations
|
Download the CLI script:
|
||||||
If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [cryptocurrency](https://pastebin.com/raw/M2JJpQpC). Thanks!
|
|
||||||
|
|
||||||
### Sponsors
|
```
|
||||||
This project is proudly sponsored by our friends at [FrogeHost](https://froge.host/?utm_source=nyr).
|
wget https://raw.githubusercontent.com/davift/openvpn-install/master/openvpn-cli.sh
|
||||||
|
chmod +x openvpn-cli.sh
|
||||||
|
./openvpn-cli.sh
|
||||||
|
```
|
||||||
|
|
||||||
For a commercial VPN with strong anti-censorship capabilities (最强翻墙VPN) from $1/month, check out [Clever VPN](https://www.clever-vpn.net/?wg-referral=01LOULuQoi).
|
The CLI script allows you to add and revoke users with a single command or for using with Ansible or Terraform.
|
||||||
|
|
||||||
|
```
|
||||||
|
See examples:
|
||||||
|
|
||||||
|
./openvpn-cli.sh add username add a new client
|
||||||
|
./openvpn-cli.sh revoke username revoke a client
|
||||||
|
./openvpn-cli.sh add username@domain.com add a new client and send the configuration via email
|
||||||
|
./openvpn-cli.sh revoke username@domain.com revoke client and send the configuration via email
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### Optional
|
||||||
|
|
||||||
|
If the new client account is a valid email address, the configuration file is automatically sent, as long as MSMTP is installed and configured.
|
||||||
|
|
||||||
|
```
|
||||||
|
sudo apt install msmtp msmtp-mta -y
|
||||||
|
sudo nano /etc/msmtprc
|
||||||
|
```
|
||||||
|
|
||||||
|
MSMTP Configuration Example (for Gmail):
|
||||||
|
|
||||||
|
```
|
||||||
|
defaults
|
||||||
|
auth on
|
||||||
|
tls on
|
||||||
|
tls_trust_file /etc/ssl/certs/ca-certificates.crt
|
||||||
|
logfile ~/.msmtp.log
|
||||||
|
account gmail
|
||||||
|
host smtp.gmail.com
|
||||||
|
port 587
|
||||||
|
from username@gmail.com
|
||||||
|
user username@gmail.com
|
||||||
|
password password
|
||||||
|
account default : gmail
|
||||||
|
```
|
||||||
|
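Review bot: the new "Automation" examples (and the matching `*)` usage text in openvpn-cli.sh) say that `revoke username@domain.com` will "revoke client and send the configuration via email", but the `revoke` branch added in this commit only deletes the request, runs `easyrsa revoke` and regenerates the CRL; it never composes or sends a message, so either drop that wording or state that only `add` mails the profile. The MSMTP example stores a Gmail password in clear text in `/etc/msmtprc` without mentioning permissions; at minimum tell readers to `chmod 600 /etc/msmtprc`, to use an app-specific password, and that msmtp's `passwordeval` keeps the secret out of the file. The "Optional" section should also say plainly that the mailed `.ovpn` embeds the client's private key, so the recipient mailbox and every relay in between become holders of the VPN credential. Minor: the `sudo apt install` lines only apply to Debian/Ubuntu although the README still lists AlmaLinux, Rocky Linux, CentOS and Fedora.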
141
openvpn-cli.sh
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# https://github.com/davift/openvpn-install
|
||||||
|
# firked from https://github.com/Nyr/openvpn-install
|
||||||
|
#
|
||||||
|
# Released under the same MIT License.
|
||||||
|
|
||||||
|
if [[ ! -e /etc/openvpn/server/server.conf ]]; then
|
||||||
|
echo 'OpenVPN server is not installed yet.'
|
||||||
|
echo 'Run the following command first:'
|
||||||
|
echo
|
||||||
|
echo ' ./openvpn-install.sh'
|
||||||
|
echo
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Detect Debian users running the script with "sh" instead of bash
|
||||||
|
if readlink /proc/$$/exe | grep -q "dash"; then
|
||||||
|
echo 'This installer needs to be run with "bash", not "sh".'
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Discard stdin. Needed when running from an one-liner which includes a newline
|
||||||
|
read -N 999999 -t 0.001
|
||||||
|
|
||||||
|
# Detect environments where $PATH does not include the sbin directories
|
||||||
|
if ! grep -q sbin <<< "$PATH"; then
|
||||||
|
echo '$PATH does not include sbin. Try using "su -" instead of "su".'
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "$EUID" -ne 0 ]]; then
|
||||||
|
echo "This installer needs to be run with superuser privileges."
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
option=$1
|
||||||
|
unsanitized_client=$2
|
||||||
|
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_@-\.]/_/g' <<< "$unsanitized_client")
|
||||||
|
if [[ -z "$option" || ( "$option" != "add" && "$option" != "revoke" ) ]]; then
|
||||||
|
echo 'Invalid option.'
|
||||||
|
elif [[ -z "$client" ]]; then
|
||||||
|
echo 'The client name cannto be empty.'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
case "$option" in
|
||||||
|
add)
|
||||||
|
if [[ -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt || -e /etc/openvpn/server/easy-rsa/pki/private/"$client".key ]]; then
|
||||||
|
echo 'The client already exist.'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Adding
|
||||||
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
|
if ./easyrsa --batch --days=3650 build-client-full "$client" nopass &>/dev/null; then
|
||||||
|
{
|
||||||
|
cat /etc/openvpn/server/client-common.txt
|
||||||
|
echo "<ca>"
|
||||||
|
cat /etc/openvpn/server/easy-rsa/pki/ca.crt
|
||||||
|
echo "</ca>"
|
||||||
|
echo "<cert>"
|
||||||
|
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
|
||||||
|
echo "</cert>"
|
||||||
|
echo "<key>"
|
||||||
|
cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key
|
||||||
|
echo "</key>"
|
||||||
|
echo "<tls-crypt>"
|
||||||
|
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
|
||||||
|
echo "</tls-crypt>"
|
||||||
|
} > /root/"$client".ovpn
|
||||||
|
echo "Client's configuration:" /root/"$client.ovpn"
|
||||||
|
|
||||||
|
# Regular expression for a basic email validation
|
||||||
|
regex="^[a-zA-Z0-9._-]+@[a-zA-Z0-9._-]{1,2}+\.[a-zA-Z]{2,10}$"
|
||||||
|
if [[ $client =~ $regex ]]; then
|
||||||
|
boundaystring=($(md5sum /root/$client.ovpn))
|
||||||
|
{
|
||||||
|
echo "From: davift-canada@gmail.com"
|
||||||
|
echo "To: $client"
|
||||||
|
echo "Subject: OpenVPN Client Configuration"
|
||||||
|
echo "MIME-Version: 1.0"
|
||||||
|
echo "Content-Type: multipart/mixed; boundary=\"$boundaystring\""
|
||||||
|
echo ""
|
||||||
|
echo "--$boundaystring"
|
||||||
|
echo "Content-Type: text/plain; charset=\"UTF-8\""
|
||||||
|
echo "Content-Transfer-Encoding: 7bit"
|
||||||
|
echo ""
|
||||||
|
echo "Please find attached your OpenVPN client configuration."
|
||||||
|
echo ""
|
||||||
|
echo "--$boundaystring"
|
||||||
|
echo "Content-Type: application/octet-stream; name=\"$client.ovpn\""
|
||||||
|
echo "Content-Transfer-Encoding: base64"
|
||||||
|
echo "Content-Disposition: attachment; filename=\"$client.ovpn\""
|
||||||
|
echo ""
|
||||||
|
cat /root/$client.ovpn | base64
|
||||||
|
echo "--$boundaystring--"
|
||||||
|
echo ""
|
||||||
|
} > /root/"$client".email
|
||||||
|
if [[ ! $(which msmtp) ]]; then
|
||||||
|
echo 'Email NOT sent! MSMTP was not found.'
|
||||||
|
elif msmtp -a default $client < /root/$client.email; then
|
||||||
|
echo 'Configuration send via email.'
|
||||||
|
else
|
||||||
|
echo 'Email NOT sent! MSMTP failed.'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo 'Certificate conflict.'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
revoke)
|
||||||
|
if [[ ! -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; then
|
||||||
|
echo 'The client does not exist.'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if ! tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | grep -q "$client"; then
|
||||||
|
echo 'The client does not exist.'
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Revoking
|
||||||
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
|
rm pki/reqs/$client.req
|
||||||
|
./easyrsa --batch revoke "$client" &>/dev/null
|
||||||
|
./easyrsa --batch --days=3650 gen-crl &>/dev/null
|
||||||
|
cat /etc/openvpn/server/easy-rsa/pki/crl.pem > /etc/openvpn/server/crl.pem
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo 'See examples:'
|
||||||
|
echo ''
|
||||||
|
echo ' ./openvpn-cli.sh add username add a new client'
|
||||||
|
echo ' ./openvpn-cli.sh revoke username revoke a client'
|
||||||
|
echo ' ./openvpn-cli.sh add username@domain.com add a new client and send the configuration via email'
|
||||||
|
echo ' ./openvpn-cli.sh revoke username@domain.com revoke client and send the configuration via email'
|
||||||
|
echo ''
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
esac
|
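Review bot: in the `add` branch, `/root/"$client".email` embeds the complete `.ovpn`, including the `<key>` block of a `nopass` private key, and that file is left on disk after `msmtp` runs while only the `.ovpn` path is reported; delete it with `rm -f /root/"$client".email` once the mail is sent, and be explicit in the README that the key leaves the host base64-encoded, not encrypted. The sanitising `sed` class `[^0123456789...XYZ_@-\.]` is not what the original `[^..._-]` did: inside brackets `@-\` is a range from `@` to `\`, so `[` and `\` are now accepted (and `$client` is later expanded unquoted in `rm pki/reqs/$client.req` and `md5sum /root/$client.ovpn`) while a literal hyphen is no longer allowed, so `user@my-host.com` becomes `user@my_host.com` and the mail fails or goes elsewhere; write the class as `[^0-9A-Za-z_@.-]` with the hyphen last. The email `regex` stacks `{1,2}+`, which POSIX ERE leaves undefined; `[a-zA-Z0-9._-]+` is evidently the intent. For a script advertised for Ansible/Terraform use, the failure paths should return non-zero: "not installed", the `dash` check, the sbin check and the `Email NOT sent!` branches all `exit` 0, and `Invalid option.` is printed without exiting so control falls through to the `*)` usage text, which also exits 0. Style: "firked", "cannto", "already exist", "Configuration send"; `which msmtp` would be `command -v msmtp`; the hard-coded `From: davift-canada@gmail.com` should come from a variable or the msmtp `from` setting rather than a personal address.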
@ -96,7 +96,7 @@ new_client () {
|
|||||||
echo "<tls-crypt>"
|
echo "<tls-crypt>"
|
||||||
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
|
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
|
||||||
echo "</tls-crypt>"
|
echo "</tls-crypt>"
|
||||||
} > ~/"$client".ovpn
|
} > /root/"$client".ovpn
|
||||||
}
|
}
|
||||||
|
|
||||||
if [[ ! -e /etc/openvpn/server/server.conf ]]; then
|
if [[ ! -e /etc/openvpn/server/server.conf ]]; then
|
||||||
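Review bot: replacing `~` with the literal `/root` in `new_client` ties the installer to root's home being `/root`, which holds on every distribution the README lists and makes the path agree with the one the new openvpn-cli.sh writes to, but the same literal now appears in several places across the two scripts; define it once in a variable (e.g. `OVPN_DIR=/root`, an assumed name) and reuse it so the installer and CLI output locations cannot drift apart again.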
@ -454,7 +454,7 @@ verb 3" > /etc/openvpn/server/client-common.txt
|
|||||||
echo
|
echo
|
||||||
echo "Finished!"
|
echo "Finished!"
|
||||||
echo
|
echo
|
||||||
echo "The client configuration is available in:" ~/"$client.ovpn"
|
echo "The client configuration is available in:" /root/"$client.ovpn"
|
||||||
echo "New clients can be added by running this script again."
|
echo "New clients can be added by running this script again."
|
||||||
else
|
else
|
||||||
clear
|
clear
|
||||||
@ -482,11 +482,12 @@ else
|
|||||||
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
||||||
done
|
done
|
||||||
cd /etc/openvpn/server/easy-rsa/
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
|
rm pki/reqs/$client.req
|
||||||
./easyrsa --batch --days=3650 build-client-full "$client" nopass
|
./easyrsa --batch --days=3650 build-client-full "$client" nopass
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
new_client
|
new_client
|
||||||
echo
|
echo
|
||||||
echo "$client added. Configuration available in:" ~/"$client.ovpn"
|
echo "$client added. Configuration available in:" /root/"$client.ovpn"
|
||||||
exit
|
exit
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
|
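Review bot: the new `rm pki/reqs/$client.req` runs unconditionally before `build-client-full`, yet for a genuinely new client no request file exists, so every ordinary add now prints `rm: cannot remove ...: No such file or directory` on stderr; use `rm -f` and quote `"$client"` as the surrounding lines do. A short comment stating why a stale request is removed here (presumably to allow re-adding a name that was revoked earlier) would help the next reader, since deleting a `.req` with no explanation looks accidental.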