Creates an OpenVPN server config (plus CA, server and client keys) for a DD-WRT router, with routing that exposes LAN-subnet resources to VPN-subnet clients [as an OSX/macOS bash script]
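#!/usr/bin/env bash
# Build an OpenVPN PKI with easy-rsa 3 on macOS (CA + server cert/key + one
# client cert/key), write a client .ovpn, and print the settings to paste into
# DD-WRT's "OpenVPN Server/Daemon" page so VPN clients can reach the LAN
# subnet behind the router.
#
# Runs from the current directory; everything lands under ./easy-rsa/easyrsa3/
# (client/keys/, server/keys/, pki/). Adjust the constants below before running.
#
# Security notes (review):
#   - CA, server and client keys are generated WITHOUT a passphrase (nopass) so
#     the run is unattended. pki/private/ca.key can mint certificates that every
#     client trusts -- keep it off the router and off shared machines, or rebuild
#     with a passphrase if this PKI outlives a home-lab setup.
#   - The server private key is printed to the terminal at the end (the DD-WRT
#     GUI workflow pastes it in). Clear scrollback afterwards and avoid running
#     under a session recorder.
#   - No tls-auth/tls-crypt key is generated, so the UDP port answers TLS
#     handshakes from anyone; add one (openvpn --genkey) on both sides if the
#     port faces the whole internet.
set -euo pipefail
umask 077   # keys, certs and the .ovpn written below are owner-only

# Public address clients will dial. Fetched over HTTPS (a plain-HTTP lookup
# could be altered on the path) and confirmed interactively below; an empty
# value here just means "no default".
PUBLIC_IP=$(curl -s https://ipecho.net/plain || true)
COUNTRY="US"
PROVINCE="California"
CITY="San Francisco"
ORG="Copyleft Certificate Co"
EMAIL="me@example.com"
OU="My Organizational Unit"
CN="."
CLIENT_NAME="client1"
PORT=1194
VPN_SUBNET=192.168.2.0   # /24 the router hands to VPN clients
LAN_SUBNET=192.168.1.0   # /24 behind the router that clients should reach

# Let the user confirm or override the detected address; it is written
# verbatim into the client's "remote" line, so reject anything that is not a
# plain hostname/IP token.
echo "What is your IP? (default: $PUBLIC_IP)"
read -r || true              # EOF on stdin keeps the default
PUBLIC_IP=${REPLY:-$PUBLIC_IP}
if [[ ! "$PUBLIC_IP" =~ ^[A-Za-z0-9.:-]+$ ]]; then
  echo "error: '$PUBLIC_IP' is not a usable hostname/IP for the client 'remote' line" >&2
  exit 1
fi

# Useful flowchart: http://www.ircpimps.org/serverlan.png
# easy-rsa shells out to an openssl binary.
if command -v brew >/dev/null 2>&1; then
  brew install openssl || true   # probably already installed, tbh; non-fatal
fi

# Pulled from:
# https://secure.sparklabs.com/support/kb/article/creating-certificates-and-keys-for-your-openvpn-server/
# Supply-chain note: this clones the moving tip of easy-rsa; pin a release tag
# (git clone --branch vX.Y.Z ...) if you want a reproducible toolchain.
# A clone left by an earlier run is reused rather than failing the script.
if [[ ! -d easy-rsa ]]; then
  git clone https://github.com/OpenVPN/easy-rsa.git
fi
cd easy-rsa/easyrsa3
mkdir -p client/keys server/keys
cp vars.example vars

# set_req NAME VALUE: uncomment and set one EASYRSA_REQ_* line in ./vars.
# Uses the BSD/macOS `sed -i` form (backup suffix as a separate word).
# VALUE is spliced straight into the sed replacement, so it must not contain
# '/' or '&' -- these are script constants, not user input.
set_req() {
  sed -i .bak "s/#set_var $1.*$/set_var $1 \"$2\"/" vars
}
set_req EASYRSA_REQ_COUNTRY  "$COUNTRY"
set_req EASYRSA_REQ_PROVINCE "$PROVINCE"
set_req EASYRSA_REQ_CITY     "$CITY"
set_req EASYRSA_REQ_ORG      "$ORG"
set_req EASYRSA_REQ_EMAIL    "$EMAIL"
set_req EASYRSA_REQ_OU       "$OU"
set_req EASYRSA_REQ_CN       "$CN"

# --- Server credentials -------------------------------------------------------
# Start from a fresh PKI; a previous one is kept as a timestamped backup (it
# still holds the old CA key, so dispose of it deliberately).
if [[ -e pki ]]; then
  mv pki "pki.$(date +%s).bak"
fi
./easyrsa init-pki
./easyrsa --batch build-ca nopass      # nopass: see security notes at the top
./easyrsa gen-dh
./easyrsa build-server-full server nopass
cp pki/ca.crt             server/keys/ca.crt
cp pki/issued/server.crt  server/keys/server.crt
cp pki/private/server.key server/keys/server.key
cp pki/dh.pem             server/keys/dh2048.pem

# --- Client credentials -------------------------------------------------------
./easyrsa build-client-full "$CLIENT_NAME" nopass
cp "pki/issued/$CLIENT_NAME.crt"  "client/keys/$CLIENT_NAME.crt"
cp "pki/private/$CLIENT_NAME.key" "client/keys/$CLIENT_NAME.key"
cp pki/ca.crt                     client/keys/ca.crt

# --- Client profile -----------------------------------------------------------
# ca/cert/key are relative paths: import the .ovpn together with the three
# files next to it (e.g. as one Tunnelblick bundle).
# remote-cert-tls server: only accept a peer whose certificate carries the
# serverAuth usage that build-server-full issues, so another holder of a
# client certificate from this CA cannot pose as the server to this client.
# comp-lzo: tunnel compression is a known plaintext-recovery vector (VORACLE);
# drop it here and on the DD-WRT side if you do not need it.
# float: lets the server's source address change mid-session; harmless behind
# a static WAN IP, remove it if you want the stricter check.
cat > "client/keys/$CLIENT_NAME.ovpn" <<EOF
client
dev tun0
proto udp
remote $PUBLIC_IP $PORT
nobind
persist-key
persist-tun
verb 5
float
ca ca.crt
cert $CLIENT_NAME.crt
key $CLIENT_NAME.key
remote-cert-tls server
comp-lzo yes
tun-mtu 1500
auth SHA256
cipher AES-256-CBC
EOF

# --- DD-WRT instructions ------------------------------------------------------
# ref: https://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/
echo "NOTE: the server's PRIVATE key is printed below; clear your terminal scrollback when done." >&2
echo "TO ENABLE OPENVPN SERVER:"
echo " PUT THESE SETTINGS IN DD-WRT > SERVICES > VPN > 'OpenVPN Server/Daemon'"
echo "---"
cat <<EOF

OpenVPN: Enable
Start Type: WAN Up
Config as: Server
Server Mode: TUN
Network: $VPN_SUBNET
Netmask: 255.255.255.0
Port: $PORT
Tunnel Protocol: UDP
Encryption Cipher: AES-256 CBC
Hash Algorithm: SHA256
Advanced Options: Disabled
Public Server Cert:
$(cat server/keys/server.crt)
CA Cert:
$(cat server/keys/ca.crt)
Private Server Key:
$(cat server/keys/server.key)
DH PEM:
$(cat server/keys/dh2048.pem)

EOF
echo "---"
echo
echo "THEN:"
echo " PUT THESE SETTINGS IN \"Additional Config\""
echo "---"
# dev tun0 must match the interface named in the firewall rules below.
cat <<EOF

push "route $LAN_SUBNET 255.255.255.0"
dev tun0
verb 5

EOF
echo "---"
echo
echo "TO ENABLE REMOTE LAN ACCESS:"
echo " PUT THESE RULES IN DD-WRT > ADMINISTRATION > COMMANDS. SAVE AS 'FIREWALL RULES'"
echo "---"
# The option is "--dport" (two ASCII hyphens); an en dash here makes iptables
# reject the rule silently from the GUI.
cat <<EOF

# These rules take a few moments to take hold after restarting VPN server for
# whatever reason..
# In DDWRT Admin Commands:
iptables -I INPUT 1 -p udp --dport $PORT -j ACCEPT
# Adds rule to accept routing across subnets -- only for packets that really
# arrived on the tunnel, so a LAN host spoofing the VPN range does not match
iptables -I FORWARD 1 -i tun0 --source $VPN_SUBNET/24 -j ACCEPT
# probably unnecessary, but advised here:
# ref: https://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B#The_Server_Firewall_Script
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

EOF
echo "---"
cd -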