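#!/bin/bash
# One-shot OpenVPN server bootstrap for a Raspberry Pi (Debian/Raspbian):
# builds an easy-rsa 2.x PKI, writes server.conf, enables NAT forwarding,
# rewrites /etc/network/interfaces with a static address and emits a client
# .ovpn via the generated MakeOVPN.sh helper.  Must be run as root.
#
# Site-specific settings - adjust before running.
ROUTER="192.168.1.1"            # LAN gateway; also pushed to clients as their DNS
IF="/sbin/ip"                   # iproute2 binary used for interface discovery
# First address the host reports.  The static /24 written to
# /etc/network/interfaces later reuses it, so it must be the LAN address.
IP=$(hostname -I | cut -d ' ' -f 1)
# First interface whose link state is UP (lo reports UNKNOWN and is skipped).
# Exactly one name is taken: a multi-line value here would corrupt the
# interfaces file and the NAT rule written later.  Matching the state field
# exactly avoids false hits on interface names that merely contain "UP".
IFACE=$("$IF" -o link show | awk '$9 == "UP" { sub(/:$/, "", $2); print $2; exit }')
DOMAIN="vpn.waaromzomoeilijk.nl" # public name clients connect to ("remote" in the profile)
# Refuse to continue with empty discovery results rather than writing broken
# config files that would take the box off the network on the next boot.
if [ -z "$IP" ] || [ -z "$IFACE" ]; then
    echo "Could not determine the LAN address/interface (IP='$IP', IFACE='$IFACE')." >&2
    exit 1
fi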
# Everything below writes under /etc and installs packages: insist on
# effective uid 0 (same check as comparing whoami against "root").
if (( EUID != 0 )); then
    printf '\n\e[31mSorry, you are not root.\n\e[0mYou must type: \e[36msudo \e[0mbash openvpn_server.sh\n\n'
    exit 1
fi
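# --- Packages and easy-rsa 2.x PKI -------------------------------------------
# git is needed for the clone below and is not guaranteed on a fresh image.
# (Already root at this point, so no sudo.)
apt-get install -y openvpn git || exit 1
# Clone into a private scratch directory instead of whatever the current
# working directory happens to be.  The checkout is pinned to a version tag;
# pinning a commit hash would be stronger (tags can be moved) if one is known.
EASYRSA_SRC=$(mktemp -d) || exit 1
git clone https://github.com/OpenVPN/easy-rsa.git "$EASYRSA_SRC/easy-rsa" || exit 1
( cd "$EASYRSA_SRC/easy-rsa" && git checkout 2.2.2 ) || exit 1
mkdir -p /etc/openvpn/easy-rsa
cp -r "$EASYRSA_SRC/easy-rsa/easy-rsa/2.0/." /etc/openvpn/easy-rsa || exit 1
rm -rf -- "$EASYRSA_SRC"
cd /etc/openvpn/easy-rsa || exit 1
# vars derives EASY_RSA from `pwd`; hard-wire it so the scripts work from any cwd.
sed -i 's|`pwd`|/etc/openvpn/easy-rsa|g' vars
# server.conf references dh2048.pem; make build-dh produce exactly that file
# regardless of the KEY_SIZE shipped in this easy-rsa release.
sed -i 's|^export KEY_SIZE=.*|export KEY_SIZE=2048|' vars
source ./vars
./clean-all
./build-ca                      # interactive: CA DN; this CA signs everything below
./build-key-server Pi           # server cert, issued with the "server" extension profile
./build-key-pass User1          # first client cert; its key is passphrase-protected
# Re-encrypt the client key for embedding in the .ovpn.  3DES is OpenSSL's
# legacy PEM cipher and weak by today's standards; `-aes256` is preferable,
# but MakeOVPN.sh looks for the ".3des.key" name first, so rename consistently
# if you change it.  The passphrase is the only thing protecting this key once
# it sits inside a client profile on a phone or laptop.
openssl rsa -in keys/User1.key -des3 -out keys/User1.3des.key
./build-dh
# Shared HMAC key for tls-auth (server uses direction 0, clients direction 1).
openvpn --genkey --secret keys/ta.key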
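# --- Server configuration ----------------------------------------------------
# The Pi is configured with a /24 netmask, so the LAN route pushed to clients
# must be the network address, not the Pi's host address: a route destination
# with host bits set is rejected when a Linux client tries to add it.
LAN_NET="${IP%.*}.0"
# Options below worth a conscious decision before exposing this to the Internet:
#  - duplicate-cn lets several devices share the single client cert, so one
#    revocation cuts them all off and per-device accountability is lost.
#  - client-to-client lets VPN clients reach each other directly.
#  - comp-lzo: compressing traffic before encryption is what the VORACLE attack
#    exploits and compression is deprecated in OpenVPN; dropping it here means
#    dropping it from the client profile too (both sides must agree).
#  - cipher AES-128-CBC must match the client profile; AES-256-GCM and
#    tls-version-min 1.2 are the modern choices once all clients run 2.4+.
cat <<CONF > "/etc/openvpn/server.conf"
local $IP # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Pi.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/Pi.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet (network address of the Pi's /24)
push "route $LAN_NET 255.255.255.0"
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS $ROUTER" # This should match your router's IP address.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
CONF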
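# --- IPv4 forwarding and NAT for the VPN subnet ------------------------------
# Persist forwarding in sysctl.conf (uncomment the stock line, or append one if
# the file has no such line) and switch it on in the running kernel as well,
# so the VPN forwards traffic before the next reboot whatever sysctl.conf held.
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf \
    || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
sysctl -w net.ipv4.ip_forward=1 >/dev/null
# NAT script run from the interfaces file's pre-up hook on every ifup.  The -C
# probe keeps it idempotent: repeated ifup/ifdown cycles would otherwise stack
# identical POSTROUTING rules.  $IFACE and $IP are expanded now, at install time.
cat > /etc/firewall-openvpn-rules.sh <<RULES
#!/bin/sh
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o $IFACE -j SNAT --to-source $IP 2>/dev/null || iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $IFACE -j SNAT --to-source $IP
RULES
# Executed as root at boot: nobody else may read or edit it.
chmod 700 /etc/firewall-openvpn-rules.sh
chown root:root /etc/firewall-openvpn-rules.sh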
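# --- Static LAN address for the Pi -------------------------------------------
# The interfaces file is replaced wholesale (any wlan or other stanzas are
# lost); keep a timestamped copy so the previous setup can be restored.
if [ -f /etc/network/interfaces ]; then
    cp -a /etc/network/interfaces "/etc/network/interfaces.bak.$(date +%Y%m%d%H%M%S)"
fi
# The pre-up ethtool calls disable TSO/GSO offloading.  If ethtool is missing
# that pre-up step fails and ifup refuses to bring the interface up - fatal on
# a headless box.  Warn now, while the old configuration is still in place.
if ! command -v ethtool >/dev/null 2>&1; then
    echo "WARNING: ethtool not found; install it before rebooting or $IFACE will not come up." >&2
fi
# Written with the /24 netmask assumed throughout this script; ROUTER is the
# default gateway, and the public resolvers serve the Pi itself (VPN clients
# are pointed at ROUTER by server.conf).  Redirection truncates, so the old
# file does not need to be removed first.
cat <<CONF1 > "/etc/network/interfaces"
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto $IFACE
allow-hotplug $IFACE
iface $IFACE inet static
pre-up /sbin/ethtool -K $IFACE tso off
pre-up /sbin/ethtool -K $IFACE gso off
pre-up /etc/firewall-openvpn-rules.sh
address $IP
netmask 255.255.255.0
gateway $ROUTER
dns-nameservers 8.8.8.8 8.8.4.4
CONF1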
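# --- Client profile template -------------------------------------------------
# Default.txt is the head of every generated .ovpn; MakeOVPN.sh appends the
# inline <ca>/<cert>/<key>/<tls-auth> blocks.  Options the server also sets
# (proto, cipher, comp-lzo, tls-auth direction) must stay in agreement.
# `remote-cert-tls server` replaces the deprecated `ns-cert-type server`
# (removed in OpenVPN 2.5).  It verifies the server certificate's
# extendedKeyUsage=serverAuth, which easy-rsa 2.x's "server" profile sets -
# confirm with `openssl x509 -in keys/Pi.crt -noout -text` if the PKI build
# changes.  Either way the client rejects a peer presenting an ordinary client
# certificate, which is the man-in-the-middle protection this option exists for.
cat <<CONF2 > "/etc/openvpn/easy-rsa/keys/Default.txt"
client
dev tun
proto udp
remote $DOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
remote-cert-tls server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
CONF2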
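# --- Client profile generator ------------------------------------------------
# Written verbatim: the delimiter is quoted so nothing is expanded at install
# time - every $VAR below belongs to MakeOVPN.sh itself and must survive into
# the file (an unquoted heredoc would write empty strings for all of them and
# produce a helper that cannot run).  The helper bundles Default.txt with the
# CA cert, one client's cert and key, and ta.key into a single inline .ovpn,
# and resolves every input relative to the current directory.
cat > "/etc/openvpn/easy-rsa/keys/MakeOVPN.sh" <<'CONF3'
#!/bin/bash
# Build an inline <name>.ovpn from the files in the current (keys) directory.
# Usage: MakeOVPN.sh [client-name]   (prompts for the name when none is given)
# Exits non-zero when any required input is missing or the output cannot be
# written.  The profile embeds the client's private key and the tls-auth key,
# so it is created readable by the owner only.
umask 077
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
NODES_KEY=".key"
CA="ca.crt"
TA="ta.key"
NAME="${1}"
if [ -z "${NAME}" ]; then
    # Ask for a Client name
    echo "Please enter an existing Client Name:"
    read -r NAME
fi
if [ -z "${NAME}" ]; then
    echo "[ERROR]: No client name given" >&2
    exit 1
fi
#1st Verify that client's Public Key Exists
if [ ! -f "${NAME}${CRT}" ]; then
    echo "[ERROR]: Client Public Key Certificate not found: ${NAME}${CRT}" >&2
    exit 1
fi
echo "Client's cert found: ${NAME}${CRT}"
#Then, verify that there is a private key for that client
# Prefer the passphrase-protected 3DES copy; fall back to the plain key.
if [ ! -f "${NAME}${KEY}" ]; then
    echo "[INFO]: Client 3des Private Key not found: ${NAME}${KEY}"
    KEY="${NODES_KEY}"
fi
if [ ! -f "${NAME}${KEY}" ]; then
    echo "[ERROR]: Client Private Key not found: ${NAME}${KEY}" >&2
    exit 1
fi
echo "Client's Private Key found: ${NAME}${KEY}"
#Confirm the CA public key exists
if [ ! -f "${CA}" ]; then
    echo "[ERROR]: CA Public Key not found: ${CA}" >&2
    exit 1
fi
echo "CA public Key found: ${CA}"
#Confirm the tls-auth ta key file exists
if [ ! -f "${TA}" ]; then
    echo "[ERROR]: tls-auth Key not found: ${TA}" >&2
    exit 1
fi
echo "tls-auth Private Key found: ${TA}"
OUT="${NAME}${FILEEXT}"
# Assemble the profile in one redirection group: template first, then the
# inline blocks OpenVPN recognises.  Only the PEM body of the certificate is
# copied - easy-rsa writes a human-readable dump above it.
{
    cat "${DEFAULT}"
    echo "<ca>"
    cat "${CA}"
    echo "</ca>"
    echo "<cert>"
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${NAME}${CRT}"
    echo "</cert>"
    echo "<key>"
    cat "${NAME}${KEY}"
    echo "</key>"
    echo "<tls-auth>"
    cat "${TA}"
    echo "</tls-auth>"
} > "${OUT}" || { echo "[ERROR]: could not write ${OUT}" >&2; exit 1; }
echo "Done! ${OUT} Successfully Created."
#Script written by Eric Jodoin
CONF3
# Owner-only: the helper holds no secrets itself, but it is run as root inside
# a directory full of private keys.
chmod 700 /etc/openvpn/easy-rsa/keys/MakeOVPN.sh
# The helper looks for ca.crt, ta.key and <name>.crt/.key in its current
# directory, so run it from the keys directory (the PKI build left the shell
# one level higher, where it would find nothing).
( cd /etc/openvpn/easy-rsa/keys && bash ./MakeOVPN.sh ) || exit 1
exit 0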