@JasonGhent
Last active April 4, 2017 21:01
Creates OpenVPN server config (and server/client keys) with routing for LAN subnet resources to VPN subnet clients [as OSX/macOS bash script]
PUBLIC_IP=$(curl -s ipecho.net/plain)
COUNTRY="US"
PROVINCE="California"
CITY="San Francisco"
ORG="Copyleft Certificate Co"
EMAIL="me@example.com"
OU="My Organizational Unit"
CN="."
CLIENT_NAME="client1"
PORT=1194
VPN_SUBNET=192.168.2.0
LAN_SUBNET=192.168.1.0
# Ask for the server's public IP (defaults to the address detected above)
echo "What is your IP? (default: $PUBLIC_IP)"
read -r
PUBLIC_IP=${REPLY:-$PUBLIC_IP}
# Useful flowchart: http://www.ircpimps.org/serverlan.png
brew install openssl # probably already installed, tbh
#Pulled from:
# https://secure.sparklabs.com/support/kb/article/creating-certificates-and-keys-for-your-openvpn-server/
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3
mkdir -p client/keys
mkdir -p server/keys
cp vars.example vars
# Set Certificate Information (BSD sed on macOS: -i takes a backup suffix, hence .bak)
sed -i .bak "s/#set_var EASYRSA_REQ_COUNTRY.*$/set_var EASYRSA_REQ_COUNTRY \"$COUNTRY\"/" vars
sed -i .bak "s/#set_var EASYRSA_REQ_PROVINCE.*$/set_var EASYRSA_REQ_PROVINCE \"$PROVINCE\"/" vars
sed -i .bak "s/#set_var EASYRSA_REQ_CITY.*$/set_var EASYRSA_REQ_CITY \"$CITY\"/" vars
sed -i .bak "s/#set_var EASYRSA_REQ_ORG.*$/set_var EASYRSA_REQ_ORG \"$ORG\"/" vars
sed -i .bak "s/#set_var EASYRSA_REQ_EMAIL.*$/set_var EASYRSA_REQ_EMAIL \"$EMAIL\"/" vars
sed -i .bak "s/#set_var EASYRSA_REQ_OU.*$/set_var EASYRSA_REQ_OU \"$OU\"/" vars
sed -i .bak "s/#set_var EASYRSA_REQ_CN.*$/set_var EASYRSA_REQ_CN \"$CN\"/" vars
# Generating the Server Credentials
# create Certificate Authority
[ -d pki ] && mv pki pki.$(date +%s).bak # keep any previous PKI instead of clobbering it
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass
cp pki/ca.crt server/keys/ca.crt
# creating certificates for your OpenVPN server
cp pki/issued/server.crt server/keys/server.crt
cp pki/private/server.key server/keys/server.key
cp pki/dh.pem server/keys/dh2048.pem
# Generating the Client Credentials
./easyrsa build-client-full $CLIENT_NAME nopass
cp pki/issued/$CLIENT_NAME.crt client/keys/$CLIENT_NAME.crt
cp pki/private/$CLIENT_NAME.key client/keys/$CLIENT_NAME.key
cp pki/ca.crt client/keys/ca.crt
# Create OVPN file for use by client
echo "
client
dev tun0
proto udp
remote $PUBLIC_IP $PORT
nobind
persist-key
persist-tun
verb 5
float
ca ca.crt
cert $CLIENT_NAME.crt
key $CLIENT_NAME.key
comp-lzo yes
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
" > client/keys/$CLIENT_NAME.ovpn
# ref: https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/
echo "TO ENABLE OPENVPN SERVER:"
echo " PUT THESE SETTINGS IN DD-WRT > SERVICES > VPN > 'OpenVPN Server/Daemon'"
echo "---"
echo "
OpenVPN: Enable
Start Type: WAN Up
Config as: Server
Server Mode: TUN
Network: $VPN_SUBNET
Netmask: 255.255.255.0
Port: $PORT
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA256
Advanced Options: Disabled
Public Server Cert:
$(cat server/keys/server.crt)
CA Cert:
$(cat server/keys/ca.crt)
Private Server Key:
$(cat server/keys/server.key)
DH PEM:
$(cat server/keys/dh2048.pem)
"
echo "---"
echo
echo "THEN:"
echo " PUT THESE SETTINGS IN \"Additional Config\""
echo "---"
echo "
push \"route $LAN_SUBNET 255.255.255.0\"
dev tun0
verb 5
"
echo "---"
echo
echo "TO ENABLE REMOTE LAN ACCESS:"
echo " PUT THESE RULES IN DD-WRT > ADMINISTRATION > COMMANDS. SAVE AS 'FIREWALL RULES'"
echo "---"
echo "
# These rules take a few moments to take hold after restarting VPN server for
# whatever reason..
# In DDWRT Admin Commands:
iptables -I INPUT 1 -p udp --dport $PORT -j ACCEPT
# Adds rule to accept routing across subnets
iptables -I FORWARD 1 --source $VPN_SUBNET/24 -j ACCEPT
# probably unnecessary, but advised here:
# ref: https://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B#The_Server_Firewall_Script
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
"
cd -
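A check for the client profile the script writes, as an added example that is not part of the gist: it parses the `client1.ovpn` text, confirms the client's `cipher` and `auth` match the values the DD-WRT instructions above tell you to set on the server, and reports the standard hardening directives the generated profile does not carry. `SAMPLE_OVPN` is a constructed copy of the script's output with a placeholder IP; `parse_ovpn` and `lint_ovpn` are hypothetical helpers.

```python
# Added example, not from the gist. SAMPLE_OVPN is a constructed copy of the client1.ovpn the script writes.
SERVER_CIPHER = "AES-256-CBC"  # DD-WRT "Encryption Cipher: AES-256 CBC"
SERVER_AUTH = "SHA256"         # DD-WRT "Hash Algorithm: SHA256"
SAMPLE_OVPN = """
client
dev tun0
proto udp
remote 203.0.113.10 1194
nobind
persist-key
persist-tun
verb 5
float
ca ca.crt
cert client1.crt
key client1.key
comp-lzo yes
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
"""

def parse_ovpn(text):
    # Map each directive to its argument list, ignoring blanks and # comments.
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def lint_ovpn(text, server_cipher=SERVER_CIPHER, server_auth=SERVER_AUTH):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_ovpn(text)
    first = lambda name: (d.get(name) or [None])[0]
    findings = []
    # Data-channel cipher and HMAC must match the server or the tunnel fails.
    if first("cipher") != server_cipher:
        findings.append(f"cipher mismatch: {first('cipher')} vs server {server_cipher}")
    if first("auth") != server_auth:
        findings.append(f"auth mismatch: {first('auth')} vs server {server_auth}")
    # Without this, any cert the same CA issued (e.g. another client's) passes as the server's.
    if d.get("remote-cert-tls") != ["server"]:
        findings.append("missing 'remote-cert-tls server'")
    # tls-auth/tls-crypt authenticate control-channel packets with a shared key.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt key")
    if "comp-lzo" in d:
        findings.append("compression enabled (comp-lzo)")
    return findings
```

Run `lint_ovpn(open("client/keys/client1.ovpn").read())` against the real file; the profile from this script yields three findings, and a profile that adds `remote-cert-tls server` and a `tls-crypt` key and drops `comp-lzo` yields none.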