-
-
Save cedriczirtacic/eb2ac58eaaff0922a32047570910fdd5 to your computer and use it in GitHub Desktop.
Installs OpenVPN
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # OpenVPN Installer | |
| # | |
| # This installer was designed to work with Ubuntu 14.04. It installs | |
| # an OpenVPN server, generates an associated OpenVPN client configuration file, | |
| # configures a firewall, and enables automatic security updates. | |
| # | |
| # Once the installer finishes, the `/root/$CLIENT.ovpn` file will have been generated. | |
| # Download this file to your local machine and open it in an OpenVPN client and you'll | |
| # be connected to your new private VPN server. | |
| # | |
| # OSX VPN Client: https://tunnelblick.net/ | |
| # Change me if you have personal DNS preferences | |
| DNS1=1.1.1.1 | |
| DNS2=1.0.0.1 | |
| IPADDR=$1 | |
| CLIENT=$2 | |
| if [ -z "$IPADDR" ] || [ -z "$CLIENT" ];then | |
| echo "usage: $0 <ipaddr> <client>" 1>&2 && exit 1 | |
| fi | |
| if [ $(id -u) != 0 ];then | |
| exit 2 | |
| fi | |
| # Make sure everything is up-to-date | |
| apt-get update | |
| apt-get upgrade -y | |
| apt-get install -y openvpn easy-rsa apparmor apparmor-utils | |
| echo ' | |
| APT::Periodic::Update-Package-Lists "1"; | |
| APT::Periodic::Download-Upgradeable-Packages "1"; | |
| APT::Periodic::AutocleanInterval "7"; | |
| APT::Periodic::Unattended-Upgrade "1"; | |
| ' > /etc/apt/apt.conf.d/10periodic | |
| # OpenVPN options | |
| gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf | |
| sed -ie 's/dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf | |
| sed -ie 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' /etc/openvpn/server.conf | |
| sed -ie 's/;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS '$DNS1'"/' /etc/openvpn/server.conf | |
| sed -ie 's/;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS '$DNS2'"/' /etc/openvpn/server.conf | |
| sed -ie 's/;user nobody/user nobody/' /etc/openvpn/server.conf | |
| sed -ie 's/;group nogroup/group nogroup/' /etc/openvpn/server.conf | |
| echo 1 > /proc/sys/net/ipv4/ip_forward | |
| sed -ie 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf | |
| # if ufw is enabled | |
| UFW_STATUS=$(ufw status | cut -d' ' -f2) | |
| if [[ $UFW_STATUS == "inactive" ]];then | |
| ufw allow ssh | |
| ufw allow 1194/udp | |
| sed -ie 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw | |
| sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to eth0\n\n-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules | |
| ufw --force enable | |
| else | |
| iptables -t nat -I POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE | |
| fi | |
| # EasyRSA part | |
| cp -r /usr/share/easy-rsa/ /etc/openvpn | |
| mkdir /etc/openvpn/easy-rsa/keys | |
| sed -ie 's/KEY_NAME="EasyRSA"/KEY_NAME="server"/' /etc/openvpn/easy-rsa/vars | |
| openssl dhparam -out /etc/openvpn/dh2048.pem 2048 | |
| cd /etc/openvpn/easy-rsa && . ./vars | |
| ./clean-all | |
| ./build-ca --batch | |
| ./build-key-server --batch server | |
| cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn | |
| cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn | |
| cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn | |
| systemctl enable openvpn | |
| systemctl start openvpn | |
| cd /etc/openvpn/easy-rsa && ./build-key --batch $CLIENT | |
| cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| sed -ie "s/my-server-1/$IPADDR/" /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| sed -ie 's/;user nobody/user nobody/' /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| sed -ie 's/;group nogroup/group nogroup/' /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| sed -ie 's/ca ca.crt//' /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| sed -ie 's/cert client.crt//' /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| sed -ie 's/key client.key//' /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| echo "<ca>" >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| echo "</ca>" >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| echo "<cert>" >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| openssl x509 -outform PEM -in /etc/openvpn/easy-rsa/keys/$CLIENT.crt >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| echo "</cert>" >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| echo "<key>" >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| cat /etc/openvpn/easy-rsa/keys/$CLIENT.key >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| echo "</key>" >> /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn | |
| cp /etc/openvpn/easy-rsa/keys/$CLIENT.ovpn /root/ | |
| cp /etc/openvpn/easy-rsa/keys/$CLIENT.crt /root/ | |
| cp /etc/openvpn/easy-rsa/keys/$CLIENT.key /root/ | |
| cp /etc/openvpn/easy-rsa/keys/ca.crt /root/ | |
| file /root/$CLIENT.ovpn | |
| cd /etc/apparmor.d && cat > usr.sbin.openvpn <<EOF | |
| #include <tunables/global> | |
| /usr/sbin/openvpn { | |
| #include <abstractions/base> | |
| #include <abstractions/nameservice> | |
| capability setuid, | |
| capability setgid, | |
| capability net_admin, | |
| network packet, | |
| network raw, | |
| # no ipv6 | |
| deny network inet6 stream, | |
| deny network inet6 dgram, | |
| @{PROC}/[0-9]*/net/ r, | |
| @{PROC}/[0-9]*/net/** r, | |
| /dev/net/tun rw, | |
| /bin/ip Pixrm, | |
| /etc/openvpn/ r, | |
| /etc/openvpn/** rw, | |
| /run/openvpn/ r, | |
| /run/openvpn/** rw, | |
| #include <local/usr.sbin.openvpn> | |
| } | |
| EOF | |
| touch local/usr.sbin.openvpn | |
| # Just complain, don't enforce. It the apparmor policy | |
| # works like it should then enforce. | |
| aa-complain usr.sbin.openvpn | |
| exit 0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment