mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-23 21:46:08 +03:00
Small style improvements
This commit is contained in:
parent
5229459f99
commit
6f9daf49f5
@ -73,137 +73,9 @@ new_client () {
|
|||||||
} > ~/"$1".ovpn
|
} > ~/"$1".ovpn
|
||||||
}
|
}
|
||||||
|
|
||||||
if [[ -e /etc/openvpn/server/server.conf ]]; then
|
if [[ ! -e /etc/openvpn/server/server.conf ]]; then
|
||||||
while :
|
|
||||||
do
|
|
||||||
clear
|
clear
|
||||||
echo "Looks like OpenVPN is already installed."
|
echo 'Welcome to this OpenVPN road warrior installer!'
|
||||||
echo
|
|
||||||
echo "What do you want to do?"
|
|
||||||
echo " 1) Add a new user"
|
|
||||||
echo " 2) Revoke an existing user"
|
|
||||||
echo " 3) Remove OpenVPN"
|
|
||||||
echo " 4) Exit"
|
|
||||||
read -p "Select an option: " option
|
|
||||||
until [[ "$option" =~ ^[1-4]$ ]]; do
|
|
||||||
echo "$option: invalid selection."
|
|
||||||
read -p "Select an option: " option
|
|
||||||
done
|
|
||||||
case "$option" in
|
|
||||||
1)
|
|
||||||
echo
|
|
||||||
echo "Tell me a name for the client certificate."
|
|
||||||
read -p "Client name: " unsanitized_client
|
|
||||||
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
|
||||||
while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
|
|
||||||
echo "$client: invalid client name."
|
|
||||||
read -p "Client name: " unsanitized_client
|
|
||||||
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
|
||||||
done
|
|
||||||
cd /etc/openvpn/server/easy-rsa/
|
|
||||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
|
|
||||||
# Generates the custom client.ovpn
|
|
||||||
new_client "$client"
|
|
||||||
echo
|
|
||||||
echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
|
|
||||||
exit
|
|
||||||
;;
|
|
||||||
2)
|
|
||||||
# This option could be documented a bit better and maybe even be simplified
|
|
||||||
# ...but what can I say, I want some sleep too
|
|
||||||
number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
|
|
||||||
if [[ "$number_of_clients" = 0 ]]; then
|
|
||||||
echo
|
|
||||||
echo "You have no existing clients!"
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
echo
|
|
||||||
echo "Select the existing client certificate you want to revoke:"
|
|
||||||
tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
|
||||||
read -p "Select one client: " client_number
|
|
||||||
until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do
|
|
||||||
echo "$client_number: invalid selection."
|
|
||||||
read -p "Select one client: " client_number
|
|
||||||
done
|
|
||||||
client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
|
|
||||||
echo
|
|
||||||
read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
|
|
||||||
until [[ "$revoke" =~ ^[yYnN]*$ ]]; do
|
|
||||||
echo "$revoke: invalid selection."
|
|
||||||
read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
|
|
||||||
done
|
|
||||||
if [[ "$revoke" =~ ^[yY]$ ]]; then
|
|
||||||
cd /etc/openvpn/server/easy-rsa/
|
|
||||||
./easyrsa --batch revoke "$client"
|
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
|
||||||
rm -f /etc/openvpn/server/crl.pem
|
|
||||||
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
|
|
||||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
|
||||||
chown nobody:"$group_name" /etc/openvpn/server/crl.pem
|
|
||||||
echo
|
|
||||||
echo "Certificate for client $client revoked!"
|
|
||||||
else
|
|
||||||
echo
|
|
||||||
echo "Certificate revocation for client $client aborted!"
|
|
||||||
fi
|
|
||||||
exit
|
|
||||||
;;
|
|
||||||
3)
|
|
||||||
echo
|
|
||||||
read -p "Do you really want to remove OpenVPN? [y/N]: " remove
|
|
||||||
until [[ "$remove" =~ ^[yYnN]*$ ]]; do
|
|
||||||
echo "$remove: invalid selection."
|
|
||||||
read -p "Do you really want to remove OpenVPN? [y/N]: " remove
|
|
||||||
done
|
|
||||||
if [[ "$remove" =~ ^[yY]$ ]]; then
|
|
||||||
port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
|
||||||
protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
|
||||||
if pgrep firewalld; then
|
|
||||||
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
|
|
||||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
|
||||||
firewall-cmd --remove-port="$port"/"$protocol"
|
|
||||||
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
|
|
||||||
firewall-cmd --permanent --remove-port="$port"/"$protocol"
|
|
||||||
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
|
|
||||||
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
|
||||||
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
|
||||||
if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then
|
|
||||||
ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$')
|
|
||||||
firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64
|
|
||||||
firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64
|
|
||||||
firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
|
|
||||||
firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
|
|
||||||
fi
|
|
||||||
else
|
|
||||||
systemctl disable --now openvpn-iptables.service
|
|
||||||
rm -f /etc/systemd/system/openvpn-iptables.service
|
|
||||||
fi
|
|
||||||
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
|
|
||||||
semanage port -d -t openvpn_port_t -p "$protocol" "$port"
|
|
||||||
fi
|
|
||||||
systemctl disable --now openvpn-server@server.service
|
|
||||||
rm -rf /etc/openvpn/server
|
|
||||||
rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
|
|
||||||
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
|
||||||
if [[ "$os" = "debian" ]]; then
|
|
||||||
apt-get remove --purge -y openvpn
|
|
||||||
else
|
|
||||||
yum remove openvpn -y
|
|
||||||
fi
|
|
||||||
echo
|
|
||||||
echo "OpenVPN removed!"
|
|
||||||
else
|
|
||||||
echo
|
|
||||||
echo "Removal aborted!"
|
|
||||||
fi
|
|
||||||
exit
|
|
||||||
;;
|
|
||||||
4) exit;;
|
|
||||||
esac
|
|
||||||
done
|
|
||||||
else
|
|
||||||
clear
|
|
||||||
echo "Welcome to this OpenVPN "road warrior" installer!"
|
|
||||||
echo
|
echo
|
||||||
echo "I need to ask you a few questions before starting setup."
|
echo "I need to ask you a few questions before starting setup."
|
||||||
echo "You can use the default options and just press enter if you are ok with them."
|
echo "You can use the default options and just press enter if you are ok with them."
|
||||||
@ -229,7 +101,7 @@ else
|
|||||||
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
|
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
|
||||||
get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
|
get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
|
||||||
read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
|
read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
|
||||||
[ -z "$public_ip" ] && public_ip="$get_public_ip"
|
[[ -z "$public_ip" ]] && public_ip="$get_public_ip"
|
||||||
fi
|
fi
|
||||||
# If system has a single IPv6, it is selected automatically
|
# If system has a single IPv6, it is selected automatically
|
||||||
if [[ $(ip -6 addr | grep -c 'inet6 [23]') -eq 1 ]]; then
|
if [[ $(ip -6 addr | grep -c 'inet6 [23]') -eq 1 ]]; then
|
||||||
@ -471,10 +343,8 @@ WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service
|
|||||||
fi
|
fi
|
||||||
semanage port -a -t openvpn_port_t -p "$protocol" "$port"
|
semanage port -a -t openvpn_port_t -p "$protocol" "$port"
|
||||||
fi
|
fi
|
||||||
# If the server is behind a NAT, use the correct IP address
|
# If the server is behind NAT, use the correct IP address
|
||||||
if [[ "$public_ip" != "" ]]; then
|
[[ ! -z "$public_ip" ]] && ip="$public_ip"
|
||||||
ip="$public_ip"
|
|
||||||
fi
|
|
||||||
# client-common.txt is created so we have a template to add further users later
|
# client-common.txt is created so we have a template to add further users later
|
||||||
echo "client
|
echo "client
|
||||||
dev tun
|
dev tun
|
||||||
@ -499,4 +369,131 @@ verb 3" > /etc/openvpn/server/client-common.txt
|
|||||||
echo
|
echo
|
||||||
echo "Your client configuration is available at:" ~/"$client.ovpn"
|
echo "Your client configuration is available at:" ~/"$client.ovpn"
|
||||||
echo "If you want to add more clients, just run this script again!"
|
echo "If you want to add more clients, just run this script again!"
|
||||||
|
else
|
||||||
|
clear
|
||||||
|
echo "Looks like OpenVPN is already installed."
|
||||||
|
echo
|
||||||
|
echo "What do you want to do?"
|
||||||
|
echo " 1) Add a new user"
|
||||||
|
echo " 2) Revoke an existing user"
|
||||||
|
echo " 3) Remove OpenVPN"
|
||||||
|
echo " 4) Exit"
|
||||||
|
read -p "Select an option: " option
|
||||||
|
until [[ "$option" =~ ^[1-4]$ ]]; do
|
||||||
|
echo "$option: invalid selection."
|
||||||
|
read -p "Select an option: " option
|
||||||
|
done
|
||||||
|
case "$option" in
|
||||||
|
1)
|
||||||
|
echo
|
||||||
|
echo "Tell me a name for the client certificate."
|
||||||
|
read -p "Client name: " unsanitized_client
|
||||||
|
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
||||||
|
while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
|
||||||
|
echo "$client: invalid client name."
|
||||||
|
read -p "Client name: " unsanitized_client
|
||||||
|
client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
|
||||||
|
done
|
||||||
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
|
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
|
||||||
|
# Generates the custom client.ovpn
|
||||||
|
new_client "$client"
|
||||||
|
echo
|
||||||
|
echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
2)
|
||||||
|
# This option could be documented a bit better and maybe even be simplified
|
||||||
|
# ...but what can I say, I want some sleep too
|
||||||
|
number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
|
||||||
|
if [[ "$number_of_clients" = 0 ]]; then
|
||||||
|
echo
|
||||||
|
echo "You have no existing clients!"
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
echo "Select the existing client certificate you want to revoke:"
|
||||||
|
tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||||
|
read -p "Select one client: " client_number
|
||||||
|
until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do
|
||||||
|
echo "$client_number: invalid selection."
|
||||||
|
read -p "Select one client: " client_number
|
||||||
|
done
|
||||||
|
client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
|
||||||
|
echo
|
||||||
|
read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
|
||||||
|
until [[ "$revoke" =~ ^[yYnN]*$ ]]; do
|
||||||
|
echo "$revoke: invalid selection."
|
||||||
|
read -p "Do you really want to revoke access for client $client? [y/N]: " revoke
|
||||||
|
done
|
||||||
|
if [[ "$revoke" =~ ^[yY]$ ]]; then
|
||||||
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
|
./easyrsa --batch revoke "$client"
|
||||||
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
|
rm -f /etc/openvpn/server/crl.pem
|
||||||
|
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
|
||||||
|
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||||
|
chown nobody:"$group_name" /etc/openvpn/server/crl.pem
|
||||||
|
echo
|
||||||
|
echo "Certificate for client $client revoked!"
|
||||||
|
else
|
||||||
|
echo
|
||||||
|
echo "Certificate revocation for client $client aborted!"
|
||||||
|
fi
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
3)
|
||||||
|
echo
|
||||||
|
read -p "Do you really want to remove OpenVPN? [y/N]: " remove
|
||||||
|
until [[ "$remove" =~ ^[yYnN]*$ ]]; do
|
||||||
|
echo "$remove: invalid selection."
|
||||||
|
read -p "Do you really want to remove OpenVPN? [y/N]: " remove
|
||||||
|
done
|
||||||
|
if [[ "$remove" =~ ^[yY]$ ]]; then
|
||||||
|
port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
|
protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
|
if pgrep firewalld; then
|
||||||
|
ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
|
||||||
|
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||||
|
firewall-cmd --remove-port="$port"/"$protocol"
|
||||||
|
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
|
||||||
|
firewall-cmd --permanent --remove-port="$port"/"$protocol"
|
||||||
|
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
|
||||||
|
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
||||||
|
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
|
||||||
|
if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then
|
||||||
|
ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$')
|
||||||
|
firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64
|
||||||
|
firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64
|
||||||
|
firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
|
||||||
|
firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
systemctl disable --now openvpn-iptables.service
|
||||||
|
rm -f /etc/systemd/system/openvpn-iptables.service
|
||||||
|
fi
|
||||||
|
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
|
||||||
|
semanage port -d -t openvpn_port_t -p "$protocol" "$port"
|
||||||
|
fi
|
||||||
|
systemctl disable --now openvpn-server@server.service
|
||||||
|
rm -rf /etc/openvpn/server
|
||||||
|
rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
|
||||||
|
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
||||||
|
if [[ "$os" = "debian" ]]; then
|
||||||
|
apt-get remove --purge -y openvpn
|
||||||
|
else
|
||||||
|
yum remove openvpn -y
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
echo "OpenVPN removed!"
|
||||||
|
else
|
||||||
|
echo
|
||||||
|
echo "Removal aborted!"
|
||||||
|
fi
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
4)
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
esac
|
||||||
fi
|
fi
|
||||||
|
Loading…
Reference in New Issue
Block a user