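#!/bin/bash
# openvpn_server.sh — one-shot OpenVPN server bootstrap for a Debian-style host
# (a Raspberry Pi in the author's setup): builds an easy-rsa 2.x PKI, writes
# /etc/openvpn/server.conf, enables IPv4 forwarding plus a SNAT rule, rewrites
# /etc/network/interfaces and installs a client .ovpn generator. Must run as root.
#
# Settings read by the rest of the script:
#   ROUTER  LAN default gateway; also pushed to VPN clients as their DNS server
#   IP      first address reported by `hostname -I`; used as the OpenVPN listen
#           address, the static interface address and the SNAT source. On a
#           host with several addresses (wlan + eth) this may not be the one
#           you want — check it.
#   IFACE   first link `ip -o link show` lists with field 9 equal to UP
#   DOMAIN  public name the client profile connects to
ROUTER="192.168.1.1"
IP=$(hostname -I | cut -d ' ' -f 1)
IF="/sbin/ip"
# Field 9 of `ip -o link show` is expected to be the link state column. Several
# links can be UP at once (bridges, veth, wlan); keep only the first so the
# interfaces file written later, which describes a single link, stays valid.
IFACE=$($IF -o link show | awk '{print $2,$9}' | grep "UP" | cut -d ":" -f 1 | head -n 1)
DOMAIN="vpn.waaromzomoeilijk.nl"
# Check if root (uid 0, rather than the name whoami resolves)
if [ "$(id -u)" -ne 0 ]; then
  printf '\n'
  printf '%b\n' "\e[31mSorry, you are not root.\n\e[0mYou must type: \e[36msudo \e[0mbash openvpn_server.sh"
  printf '\n'
  exit 1
fi
# Every later step embeds these two values in config files; stop here rather
# than write files with empty addresses or interface names.
if [ -z "$IP" ] || [ -z "$IFACE" ]; then
  printf 'Could not determine host IP (%s) or an UP interface (%s); aborting.\n' "$IP" "$IFACE" >&2
  exit 1
fi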
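# Packages: openvpn itself, git for the easy-rsa clone below and ethtool for the
# pre-up lines written into /etc/network/interfaces later. The script already
# requires root, so sudo is not needed. Abort if the install fails — nothing
# below makes sense without these.
apt-get install -y openvpn git ethtool || exit 1
# Clone into a throw-away directory instead of the caller's cwd. The 2.2.2 tag
# still ships the easy-rsa/2.0 scripts (build-ca, build-key-server, ...) this
# script drives. A tag is a movable ref; for a reproducible install pin the
# commit hash behind it (<EASYRSA_COMMIT_PLACEHOLDER>) and check that out.
WORKDIR=$(mktemp -d) || exit 1
trap 'rm -rf -- "$WORKDIR"' EXIT
git clone https://github.com/OpenVPN/easy-rsa.git "$WORKDIR/easy-rsa" || exit 1
cd "$WORKDIR/easy-rsa" || exit 1
git checkout 2.2.2 || exit 1
# Copy the *contents* of 2.0/ so a rerun against an existing
# /etc/openvpn/easy-rsa does not nest a 2.0/ subdirectory inside it.
mkdir -p /etc/openvpn/easy-rsa || exit 1
cp -r easy-rsa/2.0/. /etc/openvpn/easy-rsa/ || exit 1
cd /etc/openvpn/easy-rsa || exit 1
# vars derives its paths from `pwd`; hard-wire them so the scripts work
# regardless of the cwd they are later run from.
sed -i 's|`pwd`|/etc/openvpn/easy-rsa|g' /etc/openvpn/easy-rsa/vars
source ./vars
# clean-all empties keys/: this is a fresh-install script, and rerunning it
# discards the existing CA and every certificate issued from it.
./clean-all
# The next three steps prompt interactively for certificate fields/passphrases.
./build-ca
./build-key-server Pi          # CN "Pi": server.conf references Pi.crt / Pi.key
./build-key-pass User1         # first client, key protected by a passphrase
cd keys || exit 1
# Re-wrap the client key as User1.3des.key, the file name MakeOVPN.sh looks for
# first. -des3 is openssl's legacy PEM wrapping; -aes256 is a stronger option
# if your clients are confirmed to read it.
openssl rsa -in User1.key -des3 -out User1.3des.key
cd ..
./build-dh                     # expected to yield dh2048.pem (server.conf references it)
# Shared HMAC key for tls-auth: server.conf uses direction 0, clients use 1.
openvpn --genkey --secret keys/ta.key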
# Server configuration. The heredoc is deliberately unquoted: $IP and $ROUTER
# are substituted by this shell, so the written file holds fixed addresses.
# Review before deploying:
#  - `push "route $IP 255.255.255.0"` sends clients the host address with a
#    /24 mask; the LAN network address (host bits zeroed) is presumably what is
#    meant, and the mask assumes a /24 LAN — confirm both.
#  - `duplicate-cn` lets several clients share one certificate, which removes
#    per-device revocation and makes the status log ambiguous.
#  - `comp-lzo` compresses traffic inside the tunnel; compression of
#    attacker-influenced data next to secrets is a known weakness, and upstream
#    OpenVPN recommends leaving it off.
#  - tls-auth direction 0 here pairs with `key-direction 1` in the client file.
cat > "/etc/openvpn/server.conf" <<CONF
local $IP # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Pi.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Pi.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route $IP 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS $ROUTER" # This should match your router's IP address.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
CONF
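# IPv4 forwarding: uncomment Debian's stock line and, when the file has no such
# line at all, append one, so the setting persists across reboots in either
# case. `sysctl -p` applies it immediately.
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf \
  || printf 'net.ipv4.ip_forward=1\n' >> /etc/sysctl.conf
sysctl -p
# NAT helper run from the interfaces file on every pre-up. `-C` tests for an
# identical existing rule so ifdown/ifup cycles do not stack duplicate SNAT
# entries. $IFACE and $IP are expanded now; the file holds fixed values.
cat <<RULES > /etc/firewall-openvpn-rules.sh
#!/bin/sh
if ! iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o $IFACE -j SNAT --to-source $IP 2>/dev/null; then
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $IFACE -j SNAT --to-source $IP
fi
RULES
chmod 700 /etc/firewall-openvpn-rules.sh
chown root /etc/firewall-openvpn-rules.sh
# Replace the interfaces file with a static configuration for $IFACE. Keep a
# timestamped copy of the original instead of deleting it, so the previous
# setup can be restored if the generated one is wrong (the netmask below is
# hard-coded to /24). The pre-up lines turn TCP/generic segmentation offload
# off and load the NAT rule; ifupdown treats a failing pre-up as a failed ifup,
# so /sbin/ethtool (package ethtool) must be present or the link stays down.
if [ -f /etc/network/interfaces ]; then
  cp -p /etc/network/interfaces "/etc/network/interfaces.bak.$(date +%Y%m%d%H%M%S)"
fi
cat <<-CONF1 > "/etc/network/interfaces"
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto $IFACE
allow-hotplug $IFACE
iface $IFACE inet static
pre-up /sbin/ethtool -K $IFACE tso off
pre-up /sbin/ethtool -K $IFACE gso off
pre-up /etc/firewall-openvpn-rules.sh
address $IP
netmask 255.255.255.0
gateway $ROUTER
dns-nameservers 8.8.8.8 8.8.4.4
CONF1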
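# Client profile template; $DOMAIN is substituted now, MakeOVPN.sh later
# appends the certificates and keys to a copy of it.
# `ns-cert-type server` was deprecated in OpenVPN 2.4 and dropped in later
# releases; newer clients need `remote-cert-tls server`, which in turn requires
# the server certificate to carry the serverAuth EKU — confirm what easy-rsa
# issued before switching.
cat <<-CONF2 > "/etc/openvpn/easy-rsa/keys/Default.txt"
client
dev tun
proto udp
remote $DOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
CONF2
# Generator for per-client .ovpn bundles. The delimiter is quoted so every
# $VAR and ${1} below is written literally and evaluated when MakeOVPN.sh runs.
# With the unquoted delimiter this shell expanded them at install time — to
# empty strings, since none of those names exist here — and the installed
# script was broken.
cat <<'CONF3' > "/etc/openvpn/easy-rsa/keys/MakeOVPN.sh"
#!/bin/bash
# Build <client>.ovpn from Default.txt plus the CA certificate, the client's
# certificate and private key, and the tls-auth key. Every file is looked up
# relative to the current directory, so run this from the easy-rsa keys/ dir.
# Usage: MakeOVPN.sh [client-name]   (prompts for the name when omitted)
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
NODES_KEY=".key"
CA="ca.crt"
TA="ta.key"
NAME="${1}"
if [ -z "${NAME}" ]; then
  # Ask for a Client name
  echo "Please enter an existing Client Name:"
  read -r NAME
fi
#1st Verify that client's Public Key Exists
if [ ! -f "$NAME$CRT" ]; then
  echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
  exit 1
fi
echo "Client's cert found: $NAME$CRT"
#Then, verify that there is a private key for that client: prefer the
#passphrase-protected .3des.key and fall back to the plain .key
if [ ! -f "$NAME$KEY" ]; then
  echo "[INFO]: Client 3des Private Key not found: $NAME$KEY"
  KEY="${NODES_KEY}"
fi
if [ ! -f "$NAME$KEY" ]; then
  echo "[ERROR]: Client Private Key not found: $NAME$KEY"
  exit 1
fi
echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists
if [ ! -f "$CA" ]; then
  echo "[ERROR]: CA Public Key not found: $CA"
  exit 1
fi
echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then
  echo "[ERROR]: tls-auth Key not found: $TA"
  exit 1
fi
echo "tls-auth Private Key found: $TA"
#Ready to make a new .ovpn file - Start by populating with the default file.
#The bundle embeds a private key, so create it readable by the owner only.
umask 077
cat "$DEFAULT" > "$NAME$FILEEXT"
#Now, append the CA Public Cert
echo "<ca>" >> "$NAME$FILEEXT"
cat "$CA" >> "$NAME$FILEEXT"
echo "</ca>" >> "$NAME$FILEEXT"
#Next append the client Public Cert (only the PEM block; the .crt may carry a
#text dump ahead of it)
echo "<cert>" >> "$NAME$FILEEXT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$NAME$CRT" >> "$NAME$FILEEXT"
echo "</cert>" >> "$NAME$FILEEXT"
#Then, append the client Private Key
echo "<key>" >> "$NAME$FILEEXT"
cat "$NAME$KEY" >> "$NAME$FILEEXT"
echo "</key>" >> "$NAME$FILEEXT"
#Finally, append the TA Private Key
echo "<tls-auth>" >> "$NAME$FILEEXT"
cat "$TA" >> "$NAME$FILEEXT"
echo "</tls-auth>" >> "$NAME$FILEEXT"
echo "Done! $NAME$FILEEXT Successfully Created."
#Script written by Eric Jodoin
CONF3
chmod 700 /etc/openvpn/easy-rsa/keys/MakeOVPN.sh
# MakeOVPN.sh resolves Default.txt, ca.crt, ta.key and the client files against
# its cwd, which at this point is /etc/openvpn/easy-rsa, not keys/. Run it from
# keys/ in a subshell so the caller's directory is untouched.
(cd /etc/openvpn/easy-rsa/keys && bash MakeOVPN.sh)
exit 0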