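#!/bin/bash
# OpenVPN + EasyRSA 3.0.4 run-book (Ubuntu 18.04).
#
# These are commands run BY HAND on two different hosts:
#   CA          - the machine that holds the CA private key and signs requests
#   VPN server  - the machine that runs openvpn
# A VirtualBox shared folder (~/ca_shared) replaces the scp transfers of the
# original tutorial. Only certificate requests (*.req) and issued certificates
# (*.crt, ca.crt) ever cross the shared folder; private keys and ta.key stay on
# the host that generated them.
# Sections are marked "### CA ###" / "### VPN server ###"; this file is a
# run-book, not a script to execute top to bottom.
# Setup-specific names: VPN server "zed-ubuntu18", client "mac", local user
# "akb" - change them for your own setup.

### CA ###
# https://help.ubuntu.com/community/VirtualBox/SharedFolders
# The mount point is inside $HOME, so it does not need sudo to create (the
# original ran "sudo mkdir ca_shared" relative to the current directory, which
# did not match the ~/ca_shared mount target).
mkdir -p ~/ca_shared
sudo mount -t vboxsf ca_shared ~/ca_shared -o uid=akb,gid=akb
# need to specify the uid to your user and gid to your group, otherwise the mount device would belong to root:root
# That means you would have permission problem to access this shared folder
# When you import req from this root owned shared folder, you would see this error:
#   Note: using Easy-RSA configuration from: ./vars
#   Easy-RSA error:
#   The input file does not appear to be a certificate request. Aborting import.
#   Offending file: /home/akb/ca_shared/mac.req
# sudo umount ~/ca_shared

# Install OpenVPN and EasyRSA (on both hosts; the CA host only needs EasyRSA)
# sudo apt install openvpn
# The tarball is fetched over HTTPS but not otherwise verified: compare it with
# the checksum/signature published on the GitHub release page before unpacking.
# mkdir and tar must agree on the directory (the original created ./EasyRSA but
# extracted into ~/EasyRSA).
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz -O EasyRSA.tgz && \
  mkdir -p ~/EasyRSA && \
  tar xvf EasyRSA.tgz -C ~/EasyRSA --strip-components 1 && \
  rm EasyRSA.tgz

# Configuring the EasyRSA Variables and Building the CA
### CA ###
cd ~/EasyRSA
cp vars.example vars
# modify vars file (uncomment and fill in the set_var lines):
#set_var EASYRSA_REQ_COUNTRY "US"
#set_var EASYRSA_REQ_PROVINCE "California"
#set_var EASYRSA_REQ_CITY "San Francisco"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL "me@example.net"
#set_var EASYRSA_REQ_OU "My Organizational Unit"
cd ~/EasyRSA
./easyrsa init-pki
# build-ca prompts for a CA key passphrase; keep it - the CA key is the root of
# trust for every server and client certificate and never leaves this host.
./easyrsa build-ca

# Creating the Server Certificate, Key, and Encryption Files
### VPN server ###
cd ~/EasyRSA
./easyrsa init-pki
# This will create a private key for the server and a certificate request file called zed-ubuntu18.req.
# "nopass" leaves the server key unencrypted so the service can start
# unattended; it must therefore stay root-owned and mode 600 (install below).
./easyrsa gen-req zed-ubuntu18 nopass
# Copy the server key to the /etc/openvpn/ directory:
sudo install -m 600 -o root -g root ~/EasyRSA/pki/private/zed-ubuntu18.key /etc/openvpn/
# transfer the server req file to your CA machine (only the request, never the
# key). gen-req writes it to pki/reqs/, not to the EasyRSA directory itself.
cp ~/EasyRSA/pki/reqs/zed-ubuntu18.req ~/ca_shared/

### CA ###
# Using a secure method (like SCP, in our example below), transfer the server.req file to your CA machine:
# scp ~/EasyRSA/pki/reqs/server.req User@your_CA_ip:/mnt/ca_shared
cd ~/EasyRSA
# import request
./easyrsa import-req ~/ca_shared/zed-ubuntu18.req zed-ubuntu18
# sign request - check the request details shown before confirming; the
# "server" type marks the certificate for server use only.
./easyrsa sign-req server zed-ubuntu18
# Next, transfer the signed certificate back to your VPN server using a secure method:
# scp pki/issued/server.crt User@your_server_ip:/mnt/ca_shared
# Before logging out of your CA machine, transfer the ca.crt file to your server as well:
# scp pki/ca.crt User@your_server_ip:/mnt/ca_shared
# With the shared folder the two scp lines above become the copies below (the
# original had no copy step here, so ~/ca_shared never received the files).
cp ~/EasyRSA/pki/issued/zed-ubuntu18.crt ~/ca_shared/
cp ~/EasyRSA/pki/ca.crt ~/ca_shared/

### VPN server ###
# The certificate was issued as zed-ubuntu18.crt (see sign-req above and
# server.conf below), not server.crt as in the tutorial.
sudo cp ~/ca_shared/{zed-ubuntu18.crt,ca.crt} /etc/openvpn/
cd ~/EasyRSA
./easyrsa gen-dh
# ta.key is the shared HMAC key for tls-auth; treat it like a private key.
openvpn --genkey --secret ta.key
sudo install -m 600 -o root -g root ~/EasyRSA/ta.key /etc/openvpn/
sudo cp ~/EasyRSA/pki/dh.pem /etc/openvpn/

# Generating a Client Certificate and Key Pair
### VPN server ###
mkdir -p ~/client-configs/keys
# security: only the owner can enter or list the key directory
chmod -R 700 ~/client-configs
cd ~/EasyRSA
# "nopass" here means the client's private key (and the .ovpn built from it)
# is unencrypted: whoever obtains the .ovpn can connect as "mac".
./easyrsa gen-req mac nopass
cp ~/EasyRSA/pki/private/mac.key ~/client-configs/keys/
# Next, transfer the req file to your CA machine using a secure method:
cp ~/EasyRSA/pki/reqs/mac.req ~/ca_shared

### CA ###
cd ~/EasyRSA
./easyrsa import-req ~/ca_shared/mac.req mac
./easyrsa sign-req client mac
# Transfer crt file back to the server:
cp ~/EasyRSA/pki/issued/mac.crt ~/ca_shared

### VPN server ###
cp ~/ca_shared/mac.crt ~/client-configs/keys/
# Next, copy the ca.crt and ta.key files to the /client-configs/keys/ directory as well.
# sudo is needed because /etc/openvpn/ta.key is root-only; the copies are then
# handed back to the login user so make_config.sh can run without sudo.
sudo cp /etc/openvpn/ta.key ~/client-configs/keys/
sudo cp /etc/openvpn/ca.crt ~/client-configs/keys/
sudo chown "$USER:" ~/client-configs/keys/ta.key ~/client-configs/keys/ca.crt
chmod 600 ~/client-configs/keys/ta.key

# Configuring the OpenVPN Service
### VPN server ###
# copy a sample OpenVPN configuration file into the config directory and then extract it to use it as a basis for your setup:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
# modify config file
sudo vim /etc/openvpn/server.conf
# Directives to set in /etc/openvpn/server.conf (change the file names accordingly):
#   ca ca.crt
#   cert zed-ubuntu18.crt
#   key zed-ubuntu18.key  # This file should be kept secret
#   dh dh.pem
# https://stosb.com/blog/explaining-my-configs-openvpn/
# key-direction needs to be 0 for the server and 1 for the client, but the
# sample config already carries it as the second parameter of tls-auth:
#   tls-auth ta.key 0  # This file is secret
# ("The second parameter should be '0' on the server and '1' on the clients.")
# so a separate "key-direction 0" line is not needed.
#   cipher AES-256-CBC
# add an auth directive to select the HMAC message digest algorithm. For this, SHA256 is a good choice:
#   auth SHA256
# drop privileges after startup:
#   user nobody
#   group nogroup

# Adjusting the Server Networking Configuration
### VPN server ###
# vim /etc/sysctl.conf   ->   net.ipv4.ip_forward=1
# (the sed below with s/^/#/ does the opposite - it comments the line out - and
# is kept only as a reference)
# sudo sed -i '/net.ipv4.ip_forward=1/s/^/#/g' /etc/sysctl.conf
sudo sed -i '/net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
# sysctl -p writes kernel parameters, so it needs root; then confirm the value took
# (the sed above is a no-op if the line is missing from sysctl.conf).
sudo sysctl -p
sysctl net.ipv4.ip_forward

# Your public interface is the string found within this command's output that follows the word "dev"
# Take only the first default route (a host with several default routes would
# otherwise produce a multi-line value and a broken before.rules) and refuse to
# go on with an empty name.
interface=$(ip route show default | awk '{print $5; exit}')
: "${interface:?could not determine the default-route interface}"
export interface

# sudo vim /etc/ufw/before.rules
# The NAT block is inserted after line 10 of the stock before.rules, which is
# fragile if the file was edited before; the grep guard keeps a re-run from
# inserting it twice. The source range is the VPN subnet the sample
# server.conf hands out (server 10.8.0.0 255.255.255.0); the tutorial's
# 10.8.0.0/8 would also masquerade any other 10.x.x.x host that can route
# through this box. Adjust vpn_subnet if you changed the "server" directive.
vpn_subnet=10.8.0.0/24
sudo grep -q 'START OPENVPN RULES' /etc/ufw/before.rules || \
  sudo sed -i '10 a \
# START OPENVPN RULES \
# NAT table rules \
*nat \
:POSTROUTING ACCEPT [0:0] \
# Allow traffic from OpenVPN clients out through '"${interface}"' (the interface discovered above) \
-A POSTROUTING -s '"${vpn_subnet}"' -o '"${interface}"' -j MASQUERADE \
COMMIT' /etc/ufw/before.rules
# sudo vim /etc/default/ufw   ->   DEFAULT_FORWARD_POLICY="ACCEPT"
sudo sed -i '/DEFAULT_FORWARD_POLICY/s/DROP/ACCEPT/' /etc/default/ufw
sudo ufw allow 1194/udp
# keep SSH reachable before the firewall is restarted
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enable

# Starting and Enabling the OpenVPN Service
sudo systemctl start openvpn@server
sudo systemctl status openvpn@server --no-pager
ip addr show tun0
sudo systemctl enable openvpn@server

# Creating the Client Configuration Infrastructure
### VPN server ###
mkdir -p ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
# vim ~/client-configs/base.conf - settings to change in base.conf:
#   proto udp
#   remote your_server_ip 1194
#   user nobody
#   group nogroup
#   # ca ca.crt          <- comment these four out: make_config.sh embeds the
#   # cert client.crt       files inline instead
#   # key client.key
#   # tls-auth ta.key 1
#   key-direction 1
#   cipher AES-256-CBC
#   auth SHA256
# you only need to enable them for Linux clients that ship with an /etc/openvpn/update-resolv-conf file.
# This script uses the resolvconf utility to update DNS information for Linux clients.
#   # script-security 2
#   # up /etc/openvpn/update-resolv-conf
#   # down /etc/openvpn/update-resolv-conf

# vim ~/client-configs/make_config.sh - the script below is written verbatim
# (quoted heredoc: nothing is expanded here; $1 is the client name at run time).
cat > ~/client-configs/make_config.sh <<'EOF'
#!/bin/bash
# Build a single-file .ovpn for one client by inlining its certificate, its key,
# the CA certificate and ta.key into base.conf.
# First argument: Client identifier (must match the name used with gen-req)
set -euo pipefail

KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

client=${1:?usage: make_config.sh <client-name>}
# The name is used to build file paths, so restrict it to a plain identifier;
# otherwise a name containing "/" or ".." would read or overwrite files outside
# KEY_DIR / OUTPUT_DIR.
if [[ ! "$client" =~ ^[A-Za-z0-9_.-]+$ ]]; then
  printf 'invalid client name: %s\n' "$client" >&2
  exit 1
fi
# Fail before writing anything if an input is missing (cat would otherwise
# leave a half-built .ovpn behind).
for f in "${BASE_CONFIG}" "${KEY_DIR}/ca.crt" "${KEY_DIR}/${client}.crt" \
         "${KEY_DIR}/${client}.key" "${KEY_DIR}/ta.key"; do
  [[ -r "$f" ]] || { printf 'missing or unreadable: %s\n' "$f" >&2; exit 1; }
done

# The output embeds a private key: create it owner-readable only.
umask 077
cat "${BASE_CONFIG}" \
  <(printf '<ca>\n') \
  "${KEY_DIR}/ca.crt" \
  <(printf '</ca>\n<cert>\n') \
  "${KEY_DIR}/${client}.crt" \
  <(printf '</cert>\n<key>\n') \
  "${KEY_DIR}/${client}.key" \
  <(printf '</key>\n<tls-auth>\n') \
  "${KEY_DIR}/ta.key" \
  <(printf '</tls-auth>\n') \
  > "${OUTPUT_DIR}/${client}.ovpn"
EOF
chmod 700 ~/client-configs/make_config.sh

# Generating Client Configurations
cd ~/client-configs
# No sudo needed once the key copies above belong to the login user; running it
# under sudo makes the .ovpn root-owned and, depending on sudo's HOME handling,
# may resolve ~ to a different home directory.
./make_config.sh mac
# files/mac.ovpn contains the client's private key and ta.key: deliver it over
# an encrypted channel and remove the copy once the client has imported it.

# Troubleshooting notes (client side)
# activation of network connection failed
# sudo tail -f /var/log/syslog
# OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
# tls-cipher=DEFAULT:@SECLEVEL=0
#   NOTE: SECLEVEL=0 turns off OpenSSL's minimum key-size/digest checks for the
#   whole TLS handshake on that client; it silences the error but keeps the
#   weak CA digest in use. Re-issuing the CA and certificates with a SHA-256
#   digest fixes the cause rather than the symptom.
# sudo nmcli connection reload
# https://askubuntu.com/questions/1043899/openvpn-on-ubuntu-18-04
# https://forums.openvpn.net/viewtopic.php?t=23979
# https://bugzilla.redhat.com/show_bug.cgi?id=1498322
# can only connect vpn internet
# https://bbs.deepin.org/forum.php?mod=viewthread&tid=155262
# About DNS, ns-cert-type
# https://askubuntu.com/questions/1032476/ubuntu-18-04-no-dns-resolution-when-connected-to-openvpn/1036209#1036209
# https://matthewtift.com/openvpn-ubuntu-1804
# https://blog.csdn.net/blackzer0/article/details/79580761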