install script and config files for openvpn server with password auth on ubuntu 16.04

README.md

Openvpn Server install and config files

These scripts and config files are expected to be used as a cloudconfig and will install Openvpn server from the default Ubuntu 16.04 repository.
It is setup with certificates to prevent MITM attacks however uses username/password for client authentication.

The following is a generic client config.

client
dev tun
<connection>
remote 77.40.156.9 1194 udp
</connection>
<connection>
remote 77.40.156.9 53 udp
</connection>
<connection>
remote 77.40.156.9 443 tcp
</connection>
persist-key
persist-tun
mute-replay-warnings
<ca>
$(cat /etc/openvpn/etc/ca.crt)
</ca>
auth-user-pass
setenv CLIENT_CERT 0
ns-cert-type server
verb 3

This has not been security checked and is by far from production ready

auth

#!/bin/bash
#- /etc/openvpn/bin/auth

[ -f "$1" ] || exit 1
mapfile -t args < "$1"
user="${args[0]}"
[ "${user}" != "" ] || exit 1
pass="${args[1]}"
[ "${pass}" != "" ] || exit 1
file="/etc/openvpn/etc/${user}.password"
[ -f "${file}" ] || exit 1
save="$(<${file})"
[ "${save}" != "" ] || exit 1
[ "${save}" = "${pass}" ] && exit 0
exit 1

cloudconfig.yml

## Put this in Ubuntu's cloudconfig
runcmd:
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/install_p1.sh | bash
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/server-common.conf -o /etc/openvpn/server-common.conf
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/server-1194-udp.conf -o /etc/openvpn/server-1194-udp.conf
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/server-443-tcp.conf -o /etc/openvpn/server-443-tcp.conf
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/auth -o /etc/openvpn/bin/auth
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/event -o /etc/openvpn/bin/event
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/easy_rsa_vars -o /etc/openvpn/etc/easy_rsa_vars
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/install_p2.sh | bash
  - chmod +x /etc/openvpn/bin/auth
  - chmod +x /etc/openvpn/bin/event
  - echo 'AUTOSTART="server-1194-udp server-443-tcp"' > /etc/default/openvpn
  - systemctl daemon-reload
  - service openvpn@server-1194-udp start
  - service openvpn@server-443-tcp start
  - curl --silent https://gist.githubusercontent.com/aussielunix/407618e1746f5af4dbba4c988c09f524/raw/networking.sh | bash

easy_rsa_vars

# easy-rsa parameter settings
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=365
# In how many days should certificates expire?
export KEY_EXPIRE=365

export KEY_COUNTRY="AU"
export KEY_PROVINCE="ACT"
export KEY_CITY="Canberra"
export KEY_ORG="Aussielunix"
export KEY_EMAIL="vpns@example.com"
export KEY_OU="Example"

# -------- #
export EASY_RSA="/usr/share/easy-rsa"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/etc/openvpn/etc/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# X509 Subject Field
export KEY_NAME="EasyRSA"

event

#!/bin/bash

# /etc/openvpn/bin/event
echo "$(date): ${common_name} ${script_type} ${trusted_ip}" >> /etc/openvpn/tmp/openvpn.event.log

install_p1.sh

#!/bin/bash

set -e

# Install openvpn
apt-get update
apt-get install openvpn iptables openssl ca-certificates easy-rsa -y
# remove default openvpn config
rm -Rf /etc/openvpn/*
# Create user, group and folders
mkdir /etc/openvpn/{bin,etc,tmp,user}
groupadd openvpn
useradd -d / -g openvpn openvpn
chmod 0755 /etc/openvpn/{bin,etc,user}
chown openvpn:openvpn /etc/openvpn/tmp
chmod 1777 /etc/openvpn/tmp

install_p2.sh

#!/bin/bash

set -e
echo "install_p2.sh start"

# Setup Easy-RSA environments
source /etc/openvpn/etc/easy_rsa_vars
/usr/share/easy-rsa/clean-all
echo "pkitooll --initca"
/usr/share/easy-rsa/pkitool --initca
echo "pkitool --server server"
/usr/share/easy-rsa/pkitool --server server
echo "openssl dhparam..."
openssl dhparam -out /etc/openvpn/etc/dh2048.pem 2048

echo "install_p2.sh finished"

networking.sh

#!/bin/bash
#
# Setup various IPTABLES / NAT rules for OpenVPN Clients
set -e

iptables -I FORWARD --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables -A FORWARD -p tcp -s 172.17.3.0/24  -j ACCEPT
iptables -A FORWARD -p tcp -s 172.17.4.0/24  -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.17.3.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.17.4.0/24 -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

server-1194-udp.conf

config /etc/openvpn/server-common.conf
port 1194
proto udp
server 172.17.3.0 255.255.255.0

server-443-tcp.conf

config /etc/openvpn/server-common.conf
port 443
proto tcp
server 172.17.4.0 255.255.255.0

server-common.conf

# OpenVPN Server Common
local 0.0.0.0
dev tun
float
keepalive 10 120
ca /etc/openvpn/etc/keys/ca.crt
cert /etc/openvpn/etc/keys/server.crt
key /etc/openvpn/etc/keys/server.key
dh /etc/openvpn/etc/dh2048.pem
topology subnet
client-config-dir /etc/openvpn/user
ccd-exclusive
client-cert-not-required
username-as-common-name
tmp-dir /etc/openvpn/tmp
user openvpn
group openvpn
persist-key
persist-tun
verb 3
mute 20
script-security 2
client-connect /etc/openvpn/bin/event
client-disconnect /etc/openvpn/bin/event
auth-user-pass-verify /etc/openvpn/bin/auth via-file