Last active
July 8, 2019 21:53
-
-
Save lookingcloudy/237cde0f66c82a4af65d1f6605429e55 to your computer and use it in GitHub Desktop.
OpenVPN
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| client | |
| dev tun | |
| # Windows needs the TAP-Win32 adapter name | |
| # from the Network Connections panel | |
| # if you have more than one. On XP SP2, | |
| # you may need to disable the firewall | |
| # for the TAP adapter. | |
| ;dev-node MyTap | |
| proto tcp | |
| remote x.x.x.x 443 | |
| resolv-retry infinite | |
| nobind | |
| persist-key | |
| persist-tun | |
| remote-cert-tls server | |
| cipher AES-128-CBC | |
| auth SHA256 | |
| key-direction 1 | |
| #compress lz4 | |
| comp-lzo | |
| verb 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| client | |
| dev tun | |
| # Windows needs the TAP-Win32 adapter name | |
| # from the Network Connections panel | |
| # if you have more than one. On XP SP2, | |
| # you may need to disable the firewall | |
| # for the TAP adapter. | |
| ;dev-node MyTap | |
| proto tcp | |
| remote x.x.x.x 443 | |
| resolv-retry infinite | |
| nobind | |
| persist-key | |
| persist-tun | |
| remote-cert-tls server | |
| #for google authenticator | |
| ns-cert-type server | |
| auth-user-pass | |
| cipher AES-128-CBC | |
| auth SHA256 | |
| key-direction 1 | |
| #compress lz4 | |
| comp-lzo | |
| verb 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # First argument: Client identifier | |
| KEY_DIR=~/openvpn-ca/keys | |
| OUTPUT_DIR=~/client-configs/files | |
| BASE_CONFIG=~/client-configs/base.conf | |
| cat ${BASE_CONFIG} \ | |
| <(echo -e '<ca>') \ | |
| ${KEY_DIR}/ca.crt \ | |
| <(echo -e '</ca>\n<cert>') \ | |
| ${KEY_DIR}/${1}.crt \ | |
| <(echo -e '</cert>\n<key>') \ | |
| ${KEY_DIR}/${1}.key \ | |
| <(echo -e '</key>\n<tls-auth>') \ | |
| ${KEY_DIR}/ta.key \ | |
| <(echo -e '</tls-auth>') \ | |
| > ${OUTPUT_DIR}/${1}.ovpn |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # goes into ~/client_configs | |
| # OpenVPN configuration Directory | |
| OPENVPN_CFG_DIR=/etc/openvpn | |
| # Directory where EasyRSA outputs the client keys and certificates | |
| KEY_DIR=~/openvpn-ca/keys | |
| # Where this script should create the OpenVPN client config files | |
| OUTPUT_DIR=~/client-configs/files | |
| # Base configuration for the client | |
| BASE_CONFIG=~/client-configs/base-mfa.conf | |
| # MFA Label | |
| MFA_LABEL='OpenVPN Server' | |
| # MFA User | |
| MFA_USER=gauth | |
| # MFA Directory | |
| MFA_DIR=/etc/openvpn/google-authenticator | |
| # ############################################################################## | |
| function send_mail() { | |
| attachment=$1 | |
| which mutt 2>&1 >/dev/null | |
| if [ $? -ne 0 ]; then | |
| echo "INFO: mail program not found, an email will not be sent to the user" | |
| else | |
| echo -en "Please, provide the e-mail of the user\n> " | |
| read email | |
| echo "INFO: Sending email" | |
| echo "Here is your OpenVPN client configuration" | mutt -s "Your OpenVPN configuration" -a "$attachment" -- "$email" | |
| fi | |
| } | |
| function generate_mfa() { | |
| user_id=$1 | |
| if [ "$user_id" == "" ]; then | |
| echo "ERROR: No user id provided to generate MFA token" | |
| exit 1 | |
| fi | |
| echo "INFO: Creating user ${user_id}" | |
| sudo useradd -s /bin/nologin "$user_id" | |
| # echo "> Please provide a password for the user" | |
| # passwd "$user_id" | |
| echo "INFO: Generating MFA Token" | |
| su -c "google-authenticator -t -d -r3 -w3 -R30 -f -l \"${MFA_LABEL}-${user_id}\" -s $MFA_DIR/${user_id}" - $MFA_USER | |
| } | |
| function main() { | |
| user_id=$1 | |
| if [ "$user_id" == "" ]; then | |
| echo "ERROR: No user id provided" | |
| exit 1 | |
| fi | |
| if [ ! -f ${KEY_DIR}/ca.crt ]; then | |
| echo "ERROR: CA certificate not found" | |
| exit 1 | |
| fi | |
| if [ ! -f ${KEY_DIR}/${user_id}.crt ]; then | |
| echo "ERROR: User certificate not found" | |
| exit 1 | |
| fi | |
| if [ ! -f ${KEY_DIR}/${user_id}.key ]; then | |
| echo "ERROR: User private key not found" | |
| exit 1 | |
| fi | |
| if [ ! -f ${OPENVPN_CFG_DIR}/ta.key ]; then | |
| echo "ERROR: TLS Auth key not found" | |
| exit 1 | |
| fi | |
| cat ${BASE_CONFIG} \ | |
| <(echo -e '<ca>') \ | |
| ${KEY_DIR}/ca.crt \ | |
| <(echo -e '</ca>\n<cert>') \ | |
| ${KEY_DIR}/${user_id}.crt \ | |
| <(echo -e '</cert>\n<key>') \ | |
| ${KEY_DIR}/${user_id}.key \ | |
| <(echo -e '</key>\n<tls-auth>') \ | |
| ${KEY_DIR}/ta.key \ | |
| <(echo -e '</tls-auth>') \ | |
| > ${OUTPUT_DIR}/${user_id}-mfa.ovpn | |
| echo "INFO: Key created in ${OUTPUT_DIR}/${user_id}.ovpn" | |
| generate_mfa $user_id | |
| # send_mail "${OUTPUT_DIR}/${user_id}.ovpn" | |
| exit 0 | |
| } | |
| # ############################################################################## | |
| main $1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #uncomment last line for MFA | |
| port 443 | |
| proto tcp | |
| dev tun | |
| ca ca.crt | |
| cert server.crt | |
| key server.key | |
| dh dh2048.pem | |
| topology subnet | |
| server 10.8.0.0 255.255.255.0 | |
| ifconfig-pool-persist ipp.txt | |
| # Push routes to the client to allow it | |
| # to reach other private subnets behind | |
| # the server. Remember that these | |
| # private subnets will also need | |
| # to know to route the OpenVPN client | |
| # address pool (10.8.0.0/255.255.255.0) | |
| # back to the OpenVPN server. | |
| ;push "route 192.168.10.0 255.255.255.0" | |
| ;push "route 192.168.20.0 255.255.255.0" | |
| push "redirect-gateway def1 bypass-dhcp" | |
| push "dhcp-option DNS 208.67.222.222" | |
| push "dhcp-option DNS 208.67.220.220" | |
| # IF YOU HAVE NOT GENERATED INDIVIDUAL | |
| # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, | |
| # EACH HAVING ITS OWN UNIQUE "COMMON NAME", | |
| # UNCOMMENT THIS LINE OUT. | |
| ;duplicate-cn | |
| keepalive 10 120 | |
| tls-auth ta.key 0 | |
| key-direction 0 | |
| # the client config file as well. | |
| ;cipher BF-CBC # Blowfish (default) | |
| cipher AES-128-CBC # AES | |
| ;cipher DES-EDE3-CBC # Triple-DES | |
| auth SHA256 | |
| ;compress lz4 | |
| comp-lzo | |
| # The maximum number of concurrently connected | |
| # clients we want to allow. | |
| ;max-clients 100 | |
| user nobody | |
| group nogroup | |
| persist-key | |
| persist-tun | |
| status openvpn-status.log | |
| ;log openvpn.log | |
| ;log-append openvpn.log | |
| # Set the appropriate level of log | |
| # file verbosity. | |
| # | |
| # 0 is silent, except for fatal errors | |
| # 4 is reasonable for general usage | |
| # 5 and 6 can help to debug connection problems | |
| # 9 is extremely verbose | |
| verb 5 | |
| # Silence repeating messages. At most 20 | |
| # sequential messages of the same message | |
| # category will be output to the log. | |
| ;mute 20 | |
| #plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment