mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-27 15:36:07 +03:00
Migrate to the new systemd service
OpenVPN 2.4 packages provide a new systemd service unit which uses a different directory structure. This commit drops support for Ubuntu 16.04 which has v2.3 packages.
This commit is contained in:
parent
22f1fca4c1
commit
a46a23d84a
@ -5,6 +5,12 @@
|
|||||||
# Copyright (c) 2013 Nyr. Released under the MIT License.
|
# Copyright (c) 2013 Nyr. Released under the MIT License.
|
||||||
|
|
||||||
|
|
||||||
|
if grep -qs "Ubuntu 16.04" "/etc/os-release"; then
|
||||||
|
echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
|
||||||
|
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604'
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
# Detect Debian users running the script with "sh" instead of bash
|
# Detect Debian users running the script with "sh" instead of bash
|
||||||
if readlink /proc/$$/exe | grep -q "dash"; then
|
if readlink /proc/$$/exe | grep -q "dash"; then
|
||||||
echo "This script needs to be run with bash, not sh"
|
echo "This script needs to be run with bash, not sh"
|
||||||
@ -35,22 +41,22 @@ fi
|
|||||||
|
|
||||||
newclient () {
|
newclient () {
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
cp /etc/openvpn/client-common.txt ~/$1.ovpn
|
cp /etc/openvpn/server/client-common.txt ~/$1.ovpn
|
||||||
echo "<ca>" >> ~/$1.ovpn
|
echo "<ca>" >> ~/$1.ovpn
|
||||||
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
|
cat /etc/openvpn/server/easy-rsa/pki/ca.crt >> ~/$1.ovpn
|
||||||
echo "</ca>" >> ~/$1.ovpn
|
echo "</ca>" >> ~/$1.ovpn
|
||||||
echo "<cert>" >> ~/$1.ovpn
|
echo "<cert>" >> ~/$1.ovpn
|
||||||
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
|
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
|
||||||
echo "</cert>" >> ~/$1.ovpn
|
echo "</cert>" >> ~/$1.ovpn
|
||||||
echo "<key>" >> ~/$1.ovpn
|
echo "<key>" >> ~/$1.ovpn
|
||||||
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
|
cat /etc/openvpn/server/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
|
||||||
echo "</key>" >> ~/$1.ovpn
|
echo "</key>" >> ~/$1.ovpn
|
||||||
echo "<tls-auth>" >> ~/$1.ovpn
|
echo "<tls-auth>" >> ~/$1.ovpn
|
||||||
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/ta.key >> ~/$1.ovpn
|
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key >> ~/$1.ovpn
|
||||||
echo "</tls-auth>" >> ~/$1.ovpn
|
echo "</tls-auth>" >> ~/$1.ovpn
|
||||||
}
|
}
|
||||||
|
|
||||||
if [[ -e /etc/openvpn/server.conf ]]; then
|
if [[ -e /etc/openvpn/server/server.conf ]]; then
|
||||||
while :
|
while :
|
||||||
do
|
do
|
||||||
clear
|
clear
|
||||||
@ -68,7 +74,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
echo "Tell me a name for the client certificate."
|
echo "Tell me a name for the client certificate."
|
||||||
echo "Please, use one word only, no special characters."
|
echo "Please, use one word only, no special characters."
|
||||||
read -p "Client name: " -e CLIENT
|
read -p "Client name: " -e CLIENT
|
||||||
cd /etc/openvpn/easy-rsa/
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
|
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
newclient "$CLIENT"
|
newclient "$CLIENT"
|
||||||
@ -79,7 +85,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
2)
|
2)
|
||||||
# This option could be documented a bit better and maybe even be simplified
|
# This option could be documented a bit better and maybe even be simplified
|
||||||
# ...but what can I say, I want some sleep too
|
# ...but what can I say, I want some sleep too
|
||||||
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
|
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
|
||||||
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
|
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
|
||||||
echo
|
echo
|
||||||
echo "You have no existing clients!"
|
echo "You have no existing clients!"
|
||||||
@ -87,26 +93,26 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
fi
|
fi
|
||||||
echo
|
echo
|
||||||
echo "Select the existing client certificate you want to revoke:"
|
echo "Select the existing client certificate you want to revoke:"
|
||||||
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
|
||||||
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
|
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
|
||||||
read -p "Select one client [1]: " CLIENTNUMBER
|
read -p "Select one client [1]: " CLIENTNUMBER
|
||||||
else
|
else
|
||||||
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
||||||
fi
|
fi
|
||||||
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
|
CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
|
||||||
echo
|
echo
|
||||||
read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE
|
read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE
|
||||||
if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then
|
if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then
|
||||||
cd /etc/openvpn/easy-rsa/
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
./easyrsa --batch revoke $CLIENT
|
./easyrsa --batch revoke $CLIENT
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
rm -f pki/reqs/$CLIENT.req
|
rm -f pki/reqs/$CLIENT.req
|
||||||
rm -f pki/private/$CLIENT.key
|
rm -f pki/private/$CLIENT.key
|
||||||
rm -f pki/issued/$CLIENT.crt
|
rm -f pki/issued/$CLIENT.crt
|
||||||
rm -f /etc/openvpn/crl.pem
|
rm -f /etc/openvpn/server/crl.pem
|
||||||
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
|
cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
|
||||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||||
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
|
chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
|
||||||
echo
|
echo
|
||||||
echo "Certificate for client $CLIENT revoked!"
|
echo "Certificate for client $CLIENT revoked!"
|
||||||
else
|
else
|
||||||
@ -119,8 +125,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
echo
|
echo
|
||||||
read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE
|
read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE
|
||||||
if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then
|
if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then
|
||||||
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
|
PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
|
||||||
if pgrep firewalld; then
|
if pgrep firewalld; then
|
||||||
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
|
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
|
||||||
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
# Using both permanent and not permanent rules to avoid a firewalld reload.
|
||||||
@ -137,13 +143,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
|
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
|
||||||
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
|
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
|
||||||
fi
|
fi
|
||||||
|
systemctl disable --now openvpn-server@server.service
|
||||||
|
rm -rf /etc/openvpn/server
|
||||||
|
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
||||||
if [[ "$OS" = 'debian' ]]; then
|
if [[ "$OS" = 'debian' ]]; then
|
||||||
apt-get remove --purge -y openvpn
|
apt-get remove --purge -y openvpn
|
||||||
else
|
else
|
||||||
yum remove openvpn -y
|
yum remove openvpn -y
|
||||||
fi
|
fi
|
||||||
rm -rf /etc/openvpn
|
|
||||||
rm -f /etc/sysctl.d/30-openvpn-forward.conf
|
|
||||||
echo
|
echo
|
||||||
echo "OpenVPN removed!"
|
echo "OpenVPN removed!"
|
||||||
else
|
else
|
||||||
@ -217,11 +224,11 @@ else
|
|||||||
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
|
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
|
||||||
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
|
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
|
||||||
tar xzf ~/easyrsa.tgz -C ~/
|
tar xzf ~/easyrsa.tgz -C ~/
|
||||||
mv ~/EasyRSA-3.0.5/ /etc/openvpn/
|
mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
|
||||||
mv /etc/openvpn/EasyRSA-3.0.5/ /etc/openvpn/easy-rsa/
|
mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
|
||||||
chown -R root:root /etc/openvpn/easy-rsa/
|
chown -R root:root /etc/openvpn/server/easy-rsa/
|
||||||
rm -f ~/easyrsa.tgz
|
rm -f ~/easyrsa.tgz
|
||||||
cd /etc/openvpn/easy-rsa/
|
cd /etc/openvpn/server/easy-rsa/
|
||||||
# Create the PKI, set up the CA and the server and client certificates
|
# Create the PKI, set up the CA and the server and client certificates
|
||||||
./easyrsa init-pki
|
./easyrsa init-pki
|
||||||
./easyrsa --batch build-ca nopass
|
./easyrsa --batch build-ca nopass
|
||||||
@ -229,11 +236,11 @@ else
|
|||||||
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
|
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
# Move the stuff we need
|
# Move the stuff we need
|
||||||
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
|
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
|
||||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||||
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
|
chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
|
||||||
# Generate key for tls-auth
|
# Generate key for tls-auth
|
||||||
openvpn --genkey --secret /etc/openvpn/ta.key
|
openvpn --genkey --secret /etc/openvpn/server/ta.key
|
||||||
# Create the DH parameters file using the predefined ffdhe2048 group
|
# Create the DH parameters file using the predefined ffdhe2048 group
|
||||||
echo '-----BEGIN DH PARAMETERS-----
|
echo '-----BEGIN DH PARAMETERS-----
|
||||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||||
@ -242,7 +249,7 @@ MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
|||||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||||
-----END DH PARAMETERS-----' > /etc/openvpn/dh.pem
|
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
|
||||||
# Generate server.conf
|
# Generate server.conf
|
||||||
echo "port $PORT
|
echo "port $PORT
|
||||||
proto $PROTOCOL
|
proto $PROTOCOL
|
||||||
@ -257,8 +264,8 @@ auth SHA512
|
|||||||
tls-auth ta.key 0
|
tls-auth ta.key 0
|
||||||
topology subnet
|
topology subnet
|
||||||
server 10.8.0.0 255.255.255.0
|
server 10.8.0.0 255.255.255.0
|
||||||
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
|
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
|
||||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
|
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
|
||||||
# DNS
|
# DNS
|
||||||
case $DNS in
|
case $DNS in
|
||||||
1)
|
1)
|
||||||
@ -271,24 +278,24 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
|
|||||||
fi
|
fi
|
||||||
# Obtain the resolvers from resolv.conf and use them for OpenVPN
|
# Obtain the resolvers from resolv.conf and use them for OpenVPN
|
||||||
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
|
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
|
||||||
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
|
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
|
||||||
done
|
done
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
3)
|
3)
|
||||||
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
4)
|
4)
|
||||||
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
5)
|
5)
|
||||||
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
|
||||||
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
|
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
echo "keepalive 10 120
|
echo "keepalive 10 120
|
||||||
@ -299,7 +306,7 @@ persist-key
|
|||||||
persist-tun
|
persist-tun
|
||||||
status openvpn-status.log
|
status openvpn-status.log
|
||||||
verb 3
|
verb 3
|
||||||
crl-verify crl.pem" >> /etc/openvpn/server.conf
|
crl-verify crl.pem" >> /etc/openvpn/server/server.conf
|
||||||
# Enable net.ipv4.ip_forward for the system
|
# Enable net.ipv4.ip_forward for the system
|
||||||
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
|
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
|
||||||
# Enable without waiting for a reboot or service restart
|
# Enable without waiting for a reboot or service restart
|
||||||
@ -343,11 +350,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
|
|||||||
fi
|
fi
|
||||||
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
|
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
|
||||||
fi
|
fi
|
||||||
# And finally, restart OpenVPN
|
# And finally, enable and start the OpenVPN service
|
||||||
systemctl restart openvpn@server.service
|
systemctl enable --now openvpn-server@server.service
|
||||||
if [[ "$OS" = 'centos' ]]; then
|
|
||||||
systemctl enable openvpn@server.service
|
|
||||||
fi
|
|
||||||
# If the server is behind a NAT, use the correct IP address
|
# If the server is behind a NAT, use the correct IP address
|
||||||
if [[ "$PUBLICIP" != "" ]]; then
|
if [[ "$PUBLICIP" != "" ]]; then
|
||||||
IP=$PUBLICIP
|
IP=$PUBLICIP
|
||||||
@ -368,7 +372,7 @@ auth SHA512
|
|||||||
cipher AES-256-CBC
|
cipher AES-256-CBC
|
||||||
setenv opt block-outside-dns
|
setenv opt block-outside-dns
|
||||||
key-direction 1
|
key-direction 1
|
||||||
verb 3" > /etc/openvpn/client-common.txt
|
verb 3" > /etc/openvpn/server/client-common.txt
|
||||||
# Generates the custom client.ovpn
|
# Generates the custom client.ovpn
|
||||||
newclient "$CLIENT"
|
newclient "$CLIENT"
|
||||||
echo
|
echo
|
||||||
|
Loading…
Reference in New Issue
Block a user