Instalar o servidor OpenVPN no Ubuntu 18.04
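#!/bin/bash
# One-shot installer for an OpenVPN server plus an EasyRSA CA on Ubuntu 18.04,
# following the DigitalOcean tutorial linked below.
#
# Must run as root (uid 0 / gid 0): it writes under /root and /etc and
# restarts system services. It is meant to be run only once; any previous
# PKI, keys and server.conf from an earlier run are wiped first.
#
# Interactive inputs: first client name, the server's public IPv4, the UDP
# port clients connect to, and the egress interface (pre-filled from the
# default route). Each answer is later interpolated into sed expressions,
# file names and firewall rules, so each is validated against a strict
# character set before it is used.
set -x

IDU="$(id -u)"
IDG="$(id -g)"
if [ "0" != "$IDU" ] || [ "0" != "$IDG" ]
then
  echo "Utilizar usuário root"
  exit 1
fi

cd /root/ || exit 1
echo "Limpeza..."
# Cleanup deliberately runs before `set -e`: the unit may not exist yet and
# the files are absent on a fresh host. Paths are absolute so a stray $HOME
# cannot redirect the rm.
systemctl stop openvpn@server || true
rm -rf '/root/client-configs/' /root/EasyRSA* '/etc/openvpn/server.key' '/etc/openvpn/server.crt' '/etc/openvpn/ca.crt' '/etc/openvpn/ta.key' '/etc/openvpn/dh.pem' '/etc/openvpn/server.conf'
set -e

echo "This file should be run only once"
echo "Install EasyRSA and OpenVPN"
echo "https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04"
echo ""

# Client name becomes an EasyRSA common name and several file names.
name_re='^[A-Za-z0-9_.-]+$'
read -r -p "Digite o nome do primeiro usuário: " OPENVPN_USERNAME
if ! [[ "$OPENVPN_USERNAME" =~ $name_re ]]
then
  echo "Nome de usuário inválido: use apenas letras, números, '.', '_' ou '-'" >&2
  exit 1
fi

# Shape check only (four dotted numeric groups); octet range is not enforced.
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
read -r -p "Qual é o IPv4 público desse servidor? " OPENVPN_SERVER_IP
if ! [[ "$OPENVPN_SERVER_IP" =~ $ipv4_re ]]
then
  echo "IPv4 inválido: $OPENVPN_SERVER_IP" >&2
  exit 1
fi

# Port must be 1..65535; the 10# prefix prevents a leading zero from being
# read as octal inside (( )).
port_re='^[0-9]{1,5}$'
read -r -p "Digite a porta na qual os clientes irão se conectar: " OPENVPN_SERVER_PORT
if ! [[ "$OPENVPN_SERVER_PORT" =~ $port_re ]] || (( 10#$OPENVPN_SERVER_PORT < 1 || 10#$OPENVPN_SERVER_PORT > 65535 ))
then
  echo "Porta inválida: $OPENVPN_SERVER_PORT" >&2
  exit 1
fi
set +x

# Manual step: pick the egress interface from the default route. The name
# after "dev" is offered as the default; press Enter to accept it or type
# another interface name. The awk field assumes the "default via X dev Y"
# layout shown in the example below.
echo ""
ip route | grep default
echo ""
echo "O texto acima deve ser semelhante ao exemplo abaixo"
echo ""
echo "default via XXX.XXX.XXX.XXX dev eth0 proto dhcp src XXX.XXX.XXX.XXX metric XX"
echo " ^^^^"
echo " ||||"
echo ""
DEFAULT_INTERFACE="$(ip route show default | awk '/^default/ { print $5; exit }')"
echo "Interface detectada: ${DEFAULT_INTERFACE:-(nenhuma)}"
read -r -p "Digite a parte do primeiro texto que equivale a posição das setas acima: " INTERFACE
INTERFACE="${INTERFACE:-$DEFAULT_INTERFACE}"
# The value is spliced into an iptables MASQUERADE rule and a ufw rule.
iface_re='^[A-Za-z0-9_.:@-]+$'
if ! [[ "$INTERFACE" =~ $iface_re ]]
then
  echo "Nome de interface inválido: $INTERFACE" >&2
  exit 1
fi
set -x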
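# --- Packages and PKI --------------------------------------------------------
apt update
apt install -y openvpn

# EasyRSA is fetched from GitHub over HTTPS, outside apt's signature checks.
# The version is pinned; when EASYRSA_SHA256 is exported, the download is
# verified against it before unpacking (a mismatch aborts via set -e).
# NOTE(review): obtain the hash from the release page out of band; the
# script intentionally does not embed one. The vars.example edits below
# were written against the 3.0.4 layout, so bumping the version needs a
# re-check of those sed patterns.
readonly EASYRSA_VERSION="3.0.4"
readonly EASYRSA_TGZ="EasyRSA-${EASYRSA_VERSION}.tgz"
wget "https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/${EASYRSA_TGZ}"
if [ -n "${EASYRSA_SHA256:-}" ]
then
  echo "${EASYRSA_SHA256}  ${EASYRSA_TGZ}" | sha256sum -c -
fi
tar xvf "$EASYRSA_TGZ"

# Two independent EasyRSA trees: CA_DIR holds the CA and signs requests,
# SERVER_DIR generates the server and client requests.
CA_DIR="/root/EasyRSA-${EASYRSA_VERSION}"
SERVER_DIR="/root/EasyRSA-server-${EASYRSA_VERSION}"
cp -rf "$CA_DIR" "$SERVER_DIR"

# CA side. DN fields follow the tutorial; edit to taste. The CA private key
# is created without a passphrase (nopass) and stays on this host under
# $CA_DIR/pki/private/ — whoever reads it can sign new client certificates
# for this VPN. Keep that tree root-only, or host the CA elsewhere as the
# tutorial recommends.
cd "$CA_DIR"
cp vars.example vars
sed -ri 's/^#set_var EASYRSA_REQ_COUNTRY\s+"US"/set_var EASYRSA_REQ_COUNTRY "US"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_PROVINCE\s+"California"/set_var EASYRSA_REQ_PROVINCE "NewYork"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_CITY\s+"San Francisco"/set_var EASYRSA_REQ_CITY "New York City"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_ORG\s+"Copyleft Certificate Co"/set_var EASYRSA_REQ_ORG "DigitalOcean"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_EMAIL\s+"me@example.net"/set_var EASYRSA_REQ_EMAIL "admin@example.com"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_OU\s+"My Organizational Unit"/set_var EASYRSA_REQ_OU "Community"/' vars
./easyrsa init-pki
# Prompts to confirm the DN fields; press <Enter> on each.
./easyrsa build-ca nopass

# Server side: request in SERVER_DIR, signed by the CA in CA_DIR.
cd "$SERVER_DIR"
./easyrsa init-pki
# Prompts to confirm the DN fields; press <Enter> on each.
./easyrsa gen-req server nopass
cp pki/private/server.key /etc/openvpn/server.key
chmod 600 /etc/openvpn/server.key
cd "$CA_DIR"
./easyrsa import-req "$SERVER_DIR/pki/reqs/server.req" server
# Prompts for confirmation; type <yes> then <Enter>.
./easyrsa sign-req server server
cp "$CA_DIR/pki/issued/server.crt" /etc/openvpn/server.crt
cp "$CA_DIR/pki/ca.crt" /etc/openvpn/ca.crt

cd "$SERVER_DIR"
./easyrsa gen-dh
# tls-auth pre-shared key: a secret shared by the server and every client.
openvpn --genkey --secret ta.key
cp ta.key /etc/openvpn/ta.key
chmod 600 /etc/openvpn/ta.key
cp pki/dh.pem /etc/openvpn/dh.pem

# Root-only staging area for client certificates, keys and profiles.
cd /root/
mkdir -p client-configs/keys client-configs/files
chmod -R 700 client-configs

# First client certificate, same request/sign split as the server.
cd "$SERVER_DIR"
# Prompts to confirm the DN fields; press <Enter> on each.
./easyrsa gen-req "$OPENVPN_USERNAME" nopass
cp "pki/private/${OPENVPN_USERNAME}.key" "/root/client-configs/keys/${OPENVPN_USERNAME}.key"
cd "$CA_DIR"
./easyrsa import-req "$SERVER_DIR/pki/reqs/${OPENVPN_USERNAME}.req" "$OPENVPN_USERNAME"
# Prompts for confirmation; type <yes> then <Enter>.
./easyrsa sign-req client "$OPENVPN_USERNAME"
cd "$SERVER_DIR"
cp "$CA_DIR/pki/issued/${OPENVPN_USERNAME}.crt" "/root/client-configs/keys/${OPENVPN_USERNAME}.crt"
cp ta.key /root/client-configs/keys/ta.key
cp /etc/openvpn/ca.crt /root/client-configs/keys/ca.crt
# Private material lives here; make sure nothing is group/world readable.
chmod 600 /root/client-configs/keys/*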
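# --- Server configuration ----------------------------------------------------
# Start from the packaged sample and flip the options the tutorial does:
# SHA256 HMAC, our DH file, privilege drop to nobody/nogroup, full-tunnel
# redirect with OpenDNS resolvers pushed to clients, and the chosen port.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
cd /etc/openvpn/
sed -ri 's/^(cipher AES-256-CBC)/\1\nauth SHA256/' server.conf
sed -i 's/dh dh2048.pem/dh dh.pem/' server.conf
sed -i 's/;user nobody/user nobody/' server.conf
sed -i 's/;group nogroup/group nogroup/' server.conf
sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' server.conf
sed -i 's/;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/' server.conf
sed -i 's/;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/' server.conf
# OPENVPN_SERVER_PORT is expected to be a plain number (see the prompt);
# anything containing '/' would corrupt this sed expression.
sed -i "s/port 1194/port ${OPENVPN_SERVER_PORT}/" server.conf

# Kernel IP forwarding so client traffic can be routed out of $INTERFACE.
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# Expected to print "net.ipv4.ip_forward = 1".
sysctl -p

# --- Firewall (ufw) ----------------------------------------------------------
cd /etc/ufw/
# On a re-run, restore the pristine before.rules saved last time so the NAT
# block is not prepended twice.
if [ -e /etc/ufw/before.rules.old ]
then
  cp before.rules.old before.rules
fi
# Masquerade only the VPN subnet. The sample server.conf's
# `server 10.8.0.0 255.255.255.0` line is left as is, so /24 is the right
# mask; the tutorial's 10.8.0.0/8 is really 10.0.0.0/8 and would also NAT
# any other RFC1918 10/8 traffic that reaches this host.
cat > /etc/ufw/openvpn.rules <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out through $INTERFACE
-A POSTROUTING -s 10.8.0.0/24 -o $INTERFACE -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
cat openvpn.rules before.rules > before.rules.tmp
cp before.rules before.rules.old
cp before.rules.tmp before.rules
rm before.rules.tmp

# Keep ufw's default forward policy at DROP (also undoing an ACCEPT left by
# an earlier run of this script) and allow forwarding only from the tunnel
# to the egress interface. tun0 assumes the sample's `dev tun` yields the
# first tun device. NOTE(review): return traffic relies on ufw's stock
# RELATED,ESTABLISHED forward rule in before.rules; if replies are dropped
# on this host, check that rule is present.
sed -i 's/DEFAULT_FORWARD_POLICY="ACCEPT"/DEFAULT_FORWARD_POLICY="DROP"/' /etc/default/ufw
ufw route allow in on tun0 out on "$INTERFACE"
ufw allow "${OPENVPN_SERVER_PORT}/udp"
ufw allow OpenSSH
ufw disable
# Prompts for confirmation; type <y> then <Enter>.
ufw enable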
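# --- Client profile ----------------------------------------------------------
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /root/client-configs/base.conf
cd /root/
# Point the client at this server and drop privileges after connecting.
# Certificates and keys are inlined by make_config.sh below, so the
# file-based directives are commented out and key-direction 1 is set for
# the inlined tls-auth key (the server side uses direction 0).
sed -i "s/remote my-server-1 1194/remote ${OPENVPN_SERVER_IP} ${OPENVPN_SERVER_PORT}/" client-configs/base.conf
sed -i 's/;user nobody/user nobody/' client-configs/base.conf
sed -i 's/;group nogroup/group nogroup/' client-configs/base.conf
sed -i 's/ca ca.crt/#ca ca.crt/' client-configs/base.conf
sed -i 's/cert client.crt/#cert client.crt/' client-configs/base.conf
sed -i 's/key client.key/#key client.key/' client-configs/base.conf
sed -i 's/tls-auth ta.key 1/#tls-auth ta.key 1/' client-configs/base.conf
sed -ri 's/^(cipher AES-256-CBC)/\1\nauth SHA256/' client-configs/base.conf
echo 'key-direction 1' >> client-configs/base.conf
# script-security 2 lets the profile's up/down hooks run so pushed DNS is
# applied via update-resolv-conf on Linux clients. Because of it, a profile
# must only be accepted from a trusted source: its up/down lines execute on
# the client.
echo 'script-security 2' >> client-configs/base.conf
echo 'up /etc/openvpn/update-resolv-conf' >> client-configs/base.conf
echo 'down /etc/openvpn/update-resolv-conf' >> client-configs/base.conf

# Helper kept on the server for issuing further profiles later.
cat > client-configs/make_config.sh <<'EOF'
#!/bin/bash
# Build a single-file .ovpn for one client by inlining the CA certificate,
# the client certificate/key and the tls-auth key into base.conf.
# Usage: make_config.sh <client-identifier>
set -euo pipefail
client="${1:?usage: make_config.sh <client-identifier>}"
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
# Fail early on a missing input instead of writing a half-formed profile.
for f in "${KEY_DIR}/ca.crt" "${KEY_DIR}/${client}.crt" "${KEY_DIR}/${client}.key" "${KEY_DIR}/ta.key"
do
  if [ ! -r "$f" ]
  then
    echo "missing $f" >&2
    exit 1
  fi
done
# The output embeds a private key: create it owner-only.
umask 077
cat "${BASE_CONFIG}" \
  <(printf '<ca>\n') \
  "${KEY_DIR}/ca.crt" \
  <(printf '</ca>\n<cert>\n') \
  "${KEY_DIR}/${client}.crt" \
  <(printf '</cert>\n<key>\n') \
  "${KEY_DIR}/${client}.key" \
  <(printf '</key>\n<tls-auth>\n') \
  "${KEY_DIR}/ta.key" \
  <(printf '</tls-auth>\n') \
  > "${OUTPUT_DIR}/${client}.ovpn"
EOF
chmod 700 client-configs/make_config.sh
./client-configs/make_config.sh "$OPENVPN_USERNAME"
# Keep a commented copy for reference and strip comment/blank lines from the
# profile handed to the user. Both files contain the private key.
cp "client-configs/files/${OPENVPN_USERNAME}.ovpn" "client-configs/files/${OPENVPN_USERNAME}.comment.ovpn"
grep -v '^#' "client-configs/files/${OPENVPN_USERNAME}.comment.ovpn" | grep -v '^;' | grep -v '^$' > "client-configs/files/${OPENVPN_USERNAME}.ovpn"
chmod 600 client-configs/files/*

# Start OpenVPN now and on every boot.
systemctl enable openvpn@server
systemctl start openvpn@server
set +x
echo ""
echo "O texto abaixo representa as credenciais do usuário $OPENVPN_USERNAME"
echo "Você deve copiar esse texto e salvar em um arquivo $OPENVPN_USERNAME.ovpn para acesso ao servidor"
echo "com o comando abaixo"
echo ""
echo "sudo openvpn --config $OPENVPN_USERNAME.ovpn"
echo ""
read -r -p "Pression enter para ver..."
echo ""
# The profile embeds the client's private key and the shared tls-auth key.
# Printing it is the tutorial's hand-off method; treat terminal scrollback
# and session logs as sensitive afterwards, or copy
# /root/client-configs/files/<user>.ovpn with scp instead.
cat "client-configs/files/${OPENVPN_USERNAME}.ovpn"

# ---manage the server---
# systemctl start openvpn@server
# systemctl restart openvpn@server
# systemctl status openvpn@server
# systemctl stop openvpn@server
# systemctl enable openvpn@server
# ---server log---
# journalctl -u openvpn@server -f
# ---connect from a client---
# sudo openvpn --config dan.ovpn
# ---check the tunnel is in use---
# clear; curl -i wtfismyip.com/json; echo ''; curl -i ipv4.wtfismyip.com/json; echo ''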