mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-23 21:46:08 +03:00
Migrate to the new systemd service
OpenVPN 2.4 packages provide a new systemd service unit which uses a different directory structure. This commit drops support for Ubuntu 16.04 which has v2.3 packages.
This commit is contained in:
Nyr
parent
22f1fca4c1
commit
a46a23d84a
@ -5,6 +5,12 @@
|
||||
# Copyright (c) 2013 Nyr. Released under the MIT License.
|
||||
|
||||
|
||||
if grep -qs "Ubuntu 16.04" "/etc/os-release"; then
|
||||
echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
|
||||
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604'
|
||||
exit
|
||||
fi
|
||||
|
||||
# Detect Debian users running the script with "sh" instead of bash
|
||||
if readlink /proc/$$/exe | grep -q "dash"; then
|
||||
echo "This script needs to be run with bash, not sh"
|
||||
@ -35,22 +41,22 @@ fi
|
||||
|
||||
newclient () {
|
||||
# Generates the custom client.ovpn
|
||||
cp /etc/openvpn/client-common.txt ~/$1.ovpn
|
||||
cp /etc/openvpn/server/client-common.txt ~/$1.ovpn
|
||||
echo "<ca>" >> ~/$1.ovpn
|
||||
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
|
||||
cat /etc/openvpn/server/easy-rsa/pki/ca.crt >> ~/$1.ovpn
|
||||
echo "</ca>" >> ~/$1.ovpn
|
||||
echo "<cert>" >> ~/$1.ovpn
|
||||
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
|
||||
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
|
||||
echo "</cert>" >> ~/$1.ovpn
|
||||
echo "<key>" >> ~/$1.ovpn
|
||||
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
|
||||
cat /etc/openvpn/server/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
|
||||
echo "</key>" >> ~/$1.ovpn
|
||||
echo "<tls-auth>" >> ~/$1.ovpn
|
||||
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/ta.key >> ~/$1.ovpn
|
||||
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key >> ~/$1.ovpn
|
||||
echo "</tls-auth>" >> ~/$1.ovpn
|
||||
}
|
||||
|
||||
if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
if [[ -e /etc/openvpn/server/server.conf ]]; then
|
||||
while :
|
||||
do
|
||||
clear
|
||||
@ -68,7 +74,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
echo "Tell me a name for the client certificate."
|
||||
echo "Please, use one word only, no special characters."
|
||||
read -p "Client name: " -e CLIENT
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
cd /etc/openvpn/server/easy-rsa/
|
||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
|
||||
# Generates the custom client.ovpn
|
||||
newclient "$CLIENT"
|
||||
@ -79,7 +85,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
2)
|
||||
# This option could be documented a bit better and maybe even be simplified
|
||||
# ...but what can I say, I want some sleep too
|
||||
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
|
||||
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
|
||||
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
|
||||
echo
|
||||
echo "You have no existing clients!"
|
||||
@ -87,26 +93,26 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
fi
|
||||
echo
|
||||
echo "Select the existing client certificate you want to revoke:"
|
||||
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||
tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
|
||||
read -p "Select one client [1]: " CLIENTNUMBER
|
||||
else
|
||||
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
||||
fi
|
||||
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
|
||||
CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
|
||||
echo
|
||||
read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE
|
||||
if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
cd /etc/openvpn/server/easy-rsa/
|
||||
./easyrsa --batch revoke $CLIENT
|
||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||
rm -f pki/reqs/$CLIENT.req
|
||||
rm -f pki/private/$CLIENT.key
|
||||
rm -f pki/issued/$CLIENT.crt
|
||||
rm -f /etc/openvpn/crl.pem
|
||||
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
|
||||
rm -f /etc/openvpn/server/crl.pem
|
||||
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
|
||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
|
||||
chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
|
||||
echo
|
||||
echo "Certificate for client $CLIENT revoked!"
|
||||
else
|
||||
@ -119,8 +125,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
echo
|
||||
read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE
|
||||
if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then
|
||||
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
||||
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
||||
PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||
PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||
if pgrep firewalld; then
|
||||
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
|
||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||
@ -137,13 +143,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
||||
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
|
||||
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
|
||||
fi
|
||||
systemctl disable --now openvpn-server@server.service
|
||||
rm -rf /etc/openvpn/server
|
||||
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
||||
if [[ "$OS" = 'debian' ]]; then
|
||||
apt-get remove --purge -y openvpn
|
||||
else
|
||||
yum remove openvpn -y
|
||||
fi
|
||||
rm -rf /etc/openvpn
|
||||
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
||||
echo
|
||||
echo "OpenVPN removed!"
|
||||
else
|
||||
@ -217,11 +224,11 @@ else
|
||||
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
|
||||
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
|
||||
tar xzf ~/easyrsa.tgz -C ~/
|
||||
mv ~/EasyRSA-3.0.5/ /etc/openvpn/
|
||||
mv /etc/openvpn/EasyRSA-3.0.5/ /etc/openvpn/easy-rsa/
|
||||
chown -R root:root /etc/openvpn/easy-rsa/
|
||||
mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
|
||||
mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
|
||||
chown -R root:root /etc/openvpn/server/easy-rsa/
|
||||
rm -f ~/easyrsa.tgz
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
cd /etc/openvpn/server/easy-rsa/
|
||||
# Create the PKI, set up the CA and the server and client certificates
|
||||
./easyrsa init-pki
|
||||
./easyrsa --batch build-ca nopass
|
||||
@ -229,11 +236,11 @@ else
|
||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
|
||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||
# Move the stuff we need
|
||||
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
|
||||
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
|
||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
|
||||
chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
|
||||
# Generate key for tls-auth
|
||||
openvpn --genkey --secret /etc/openvpn/ta.key
|
||||
openvpn --genkey --secret /etc/openvpn/server/ta.key
|
||||
# Create the DH parameters file using the predefined ffdhe2048 group
|
||||
echo '-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
@ -242,7 +249,7 @@ MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----' > /etc/openvpn/dh.pem
|
||||
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
|
||||
# Generate server.conf
|
||||
echo "port $PORT
|
||||
proto $PROTOCOL
|
||||
@ -257,8 +264,8 @@ auth SHA512
|
||||
tls-auth ta.key 0
|
||||
topology subnet
|
||||
server 10.8.0.0 255.255.255.0
|
||||
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
|
||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
|
||||
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
|
||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
|
||||
# DNS
|
||||
case $DNS in
|
||||
1)
|
||||
@ -271,24 +278,24 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
|
||||
fi
|
||||
# Obtain the resolvers from resolv.conf and use them for OpenVPN
|
||||
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
|
||||
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
|
||||
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
|
||||
done
|
||||
;;
|
||||
2)
|
||||
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
|
||||
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
|
||||
;;
|
||||
3)
|
||||
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
|
||||
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
|
||||
;;
|
||||
4)
|
||||
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
|
||||
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
|
||||
;;
|
||||
5)
|
||||
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
|
||||
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
|
||||
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
|
||||
;;
|
||||
esac
|
||||
echo "keepalive 10 120
|
||||
@ -299,7 +306,7 @@ persist-key
|
||||
persist-tun
|
||||
status openvpn-status.log
|
||||
verb 3
|
||||
crl-verify crl.pem" >> /etc/openvpn/server.conf
|
||||
crl-verify crl.pem" >> /etc/openvpn/server/server.conf
|
||||
# Enable net.ipv4.ip_forward for the system
|
||||
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
|
||||
# Enable without waiting for a reboot or service restart
|
||||
@ -343,11 +350,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
|
||||
fi
|
||||
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
|
||||
fi
|
||||
# And finally, restart OpenVPN
|
||||
systemctl restart openvpn@server.service
|
||||
if [[ "$OS" = 'centos' ]]; then
|
||||
systemctl enable openvpn@server.service
|
||||
fi
|
||||
# And finally, enable and start the OpenVPN service
|
||||
systemctl enable --now openvpn-server@server.service
|
||||
# If the server is behind a NAT, use the correct IP address
|
||||
if [[ "$PUBLICIP" != "" ]]; then
|
||||
IP=$PUBLICIP
|
||||
@ -368,7 +372,7 @@ auth SHA512
|
||||
cipher AES-256-CBC
|
||||
setenv opt block-outside-dns
|
||||
key-direction 1
|
||||
verb 3" > /etc/openvpn/client-common.txt
|
||||
verb 3" > /etc/openvpn/server/client-common.txt
|
||||
# Generates the custom client.ovpn
|
||||
newclient "$CLIENT"
|
||||
echo
|
||||
|
||||
Loading…
Reference in New Issue
Block a user