mirror/openvpn-install
1
0
Fork 0
mirror of https://github.com/Nyr/openvpn-install.git synced 2024-11-23 21:46:08 +03:00
Code Issues Projects Releases Wiki Activity

Migrate to the new systemd service

Browse Source 
OpenVPN 2.4 packages provide a new systemd service unit which uses a different
directory structure. This commit drops support for Ubuntu 16.04 which has v2.3
packages.
This commit is contained in:
Nyr 2019-06-12 21:28:55 +02:00
parent 22f1fca4c1
commit a46a23d84a
1 changed files with 48 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
openvpn-install.sh
View File

@ -5,6 +5,12 @@
# Copyright (c) 2013 Nyr. Released under the MIT License. # Copyright (c) 2013 Nyr. Released under the MIT License.
if grep -qs "Ubuntu 16.04" "/etc/os-release"; then
echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604'
exit
fi
# Detect Debian users running the script with "sh" instead of bash # Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -q "dash"; then if readlink /proc/$$/exe | grep -q "dash"; then
echo "This script needs to be run with bash, not sh" echo "This script needs to be run with bash, not sh"
@ -35,22 +41,22 @@ fi
newclient () { newclient () {
# Generates the custom client.ovpn # Generates the custom client.ovpn
cp /etc/openvpn/client-common.txt ~/$1.ovpn cp /etc/openvpn/server/client-common.txt ~/$1.ovpn
echo "<ca>" >> ~/$1.ovpn echo "<ca>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn cat /etc/openvpn/server/easy-rsa/pki/ca.crt >> ~/$1.ovpn
echo "</ca>" >> ~/$1.ovpn echo "</ca>" >> ~/$1.ovpn
echo "<cert>" >> ~/$1.ovpn echo "<cert>" >> ~/$1.ovpn
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
echo "</cert>" >> ~/$1.ovpn echo "</cert>" >> ~/$1.ovpn
echo "<key>" >> ~/$1.ovpn echo "<key>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn cat /etc/openvpn/server/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
echo "</key>" >> ~/$1.ovpn echo "</key>" >> ~/$1.ovpn
echo "<tls-auth>" >> ~/$1.ovpn echo "<tls-auth>" >> ~/$1.ovpn
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/ta.key >> ~/$1.ovpn sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/ta.key >> ~/$1.ovpn
echo "</tls-auth>" >> ~/$1.ovpn echo "</tls-auth>" >> ~/$1.ovpn
} }
if [[ -e /etc/openvpn/server.conf ]]; then if [[ -e /etc/openvpn/server/server.conf ]]; then
while : while :
do do
clear clear
@ -68,7 +74,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "Tell me a name for the client certificate." echo "Tell me a name for the client certificate."
echo "Please, use one word only, no special characters." echo "Please, use one word only, no special characters."
read -p "Client name: " -e CLIENT read -p "Client name: " -e CLIENT
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/server/easy-rsa/
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
@ -79,7 +85,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
2) 2)
# This option could be documented a bit better and maybe even be simplified # This option could be documented a bit better and maybe even be simplified
# ...but what can I say, I want some sleep too # ...but what can I say, I want some sleep too
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V") NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo echo
echo "You have no existing clients!" echo "You have no existing clients!"
@ -87,26 +93,26 @@ if [[ -e /etc/openvpn/server.conf ]]; then
fi fi
echo echo
echo "Select the existing client certificate you want to revoke:" echo "Select the existing client certificate you want to revoke:"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER read -p "Select one client [1]: " CLIENTNUMBER
else else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) CLIENT=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
echo echo
read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE
if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/server/easy-rsa/
./easyrsa --batch revoke $CLIENT ./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -f pki/reqs/$CLIENT.req rm -f pki/reqs/$CLIENT.req
rm -f pki/private/$CLIENT.key rm -f pki/private/$CLIENT.key
rm -f pki/issued/$CLIENT.crt rm -f pki/issued/$CLIENT.crt
rm -f /etc/openvpn/crl.pem rm -f /etc/openvpn/server/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
# CRL is read with each client connection, when OpenVPN is dropped to nobody # CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:$GROUPNAME /etc/openvpn/crl.pem chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
echo echo
echo "Certificate for client $CLIENT revoked!" echo "Certificate for client $CLIENT revoked!"
else else
@ -119,8 +125,8 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo echo
read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE
if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) PROTOCOL=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
if pgrep firewalld; then if pgrep firewalld; then
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10) IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
# Using both permanent and not permanent rules to avoid a firewalld reload. # Using both permanent and not permanent rules to avoid a firewalld reload.
@ -137,13 +143,14 @@ if [[ -e /etc/openvpn/server.conf ]]; then
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
fi fi
systemctl disable --now openvpn-server@server.service
rm -rf /etc/openvpn/server
rm -f /etc/sysctl.d/30-openvpn-forward.conf
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
apt-get remove --purge -y openvpn apt-get remove --purge -y openvpn
else else
yum remove openvpn -y yum remove openvpn -y
fi fi
rm -rf /etc/openvpn
rm -f /etc/sysctl.d/30-openvpn-forward.conf
echo echo
echo "OpenVPN removed!" echo "OpenVPN removed!"
else else
@ -217,11 +224,11 @@ else
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz' EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
tar xzf ~/easyrsa.tgz -C ~/ tar xzf ~/easyrsa.tgz -C ~/
mv ~/EasyRSA-3.0.5/ /etc/openvpn/ mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
mv /etc/openvpn/EasyRSA-3.0.5/ /etc/openvpn/easy-rsa/ mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/server/easy-rsa/
rm -f ~/easyrsa.tgz rm -f ~/easyrsa.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/server/easy-rsa/
# Create the PKI, set up the CA and the server and client certificates # Create the PKI, set up the CA and the server and client certificates
./easyrsa init-pki ./easyrsa init-pki
./easyrsa --batch build-ca nopass ./easyrsa --batch build-ca nopass
@ -229,11 +236,11 @@ else
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Move the stuff we need # Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
# CRL is read with each client connection, when OpenVPN is dropped to nobody # CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:$GROUPNAME /etc/openvpn/crl.pem chown nobody:$GROUPNAME /etc/openvpn/server/crl.pem
# Generate key for tls-auth # Generate key for tls-auth
openvpn --genkey --secret /etc/openvpn/ta.key openvpn --genkey --secret /etc/openvpn/server/ta.key
# Create the DH parameters file using the predefined ffdhe2048 group # Create the DH parameters file using the predefined ffdhe2048 group
echo '-----BEGIN DH PARAMETERS----- echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
@ -242,7 +249,7 @@ MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/dh.pem -----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
# Generate server.conf # Generate server.conf
echo "port $PORT echo "port $PORT
proto $PROTOCOL proto $PROTOCOL
@ -257,8 +264,8 @@ auth SHA512
tls-auth ta.key 0 tls-auth ta.key 0
topology subnet topology subnet
server 10.8.0.0 255.255.255.0 server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
# DNS # DNS
case $DNS in case $DNS in
1) 1)
@ -271,24 +278,24 @@ ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
done done
;; ;;
2) 2)
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
;; ;;
3) 3)
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
;; ;;
4) 4)
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
;; ;;
5) 5)
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
;; ;;
esac esac
echo "keepalive 10 120 echo "keepalive 10 120
@ -299,7 +306,7 @@ persist-key
persist-tun persist-tun
status openvpn-status.log status openvpn-status.log
verb 3 verb 3
crl-verify crl.pem" >> /etc/openvpn/server.conf crl-verify crl.pem" >> /etc/openvpn/server/server.conf
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
# Enable without waiting for a reboot or service restart # Enable without waiting for a reboot or service restart
@ -343,11 +350,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
fi fi
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
fi fi
# And finally, restart OpenVPN # And finally, enable and start the OpenVPN service
systemctl restart openvpn@server.service systemctl enable --now openvpn-server@server.service
if [[ "$OS" = 'centos' ]]; then
systemctl enable openvpn@server.service
fi
# If the server is behind a NAT, use the correct IP address # If the server is behind a NAT, use the correct IP address
if [[ "$PUBLICIP" != "" ]]; then if [[ "$PUBLICIP" != "" ]]; then
IP=$PUBLICIP IP=$PUBLICIP
@ -368,7 +372,7 @@ auth SHA512
cipher AES-256-CBC cipher AES-256-CBC
setenv opt block-outside-dns setenv opt block-outside-dns
key-direction 1 key-direction 1
verb 3" > /etc/openvpn/client-common.txt verb 3" > /etc/openvpn/server/client-common.txt
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
echo echo