create openvpn server
# a fully automated script to configure an openvpn server and create the config for one user
# tested only on ubuntu
# Configurar un Servidor OpenVPN en Ubuntu 16.04
# from https://www.digitalocean.com/community/tutorials/como-configurar-un-servidor-openvpn-en-ubuntu-16-04-es
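# Deployment parameters: CA/server name, first client, listening port/proto.
server_name="NY-DO"
client_1=mauricio
port=443
# Public address the clients will connect to. The lookup is bounded so an
# offline box fails fast (empty value) instead of stalling the whole install.
server_ip=$(dig +short +time=2 +tries=1 myip.opendns.com @resolver1.opendns.com)
# Interface carrying the default route. Only the first default route is taken
# so a multi-homed host cannot yield a multi-line value that breaks the
# firewall rule built from it later.
int=$(ip route | awk '/^default/ { print $5; exit }')
proto='udp'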
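#######################################
# Set (or append) one NAME=VALUE assignment in an easy-rsa vars file.
# Arguments: $1 - path of the vars file to edit in place
#            $2 - assignment in the form NAME=VALUE (VALUE may contain '=')
# Outputs:   one progress line on stdout
# Notes:     an existing "NAME=..." or "export NAME=..." line at the start of
#            a line is rewritten in place (an "export " prefix is kept);
#            otherwise NAME=VALUE is appended verbatim, without "export",
#            as the original did. Backslashes in VALUE are not escaped for
#            sed, so values containing them are not supported.
#######################################
cavars-change() {
  local filename=$1
  local change=$2
  # Split on the first '=' so a value containing '=' is not truncated.
  local varname=${change%%=*}
  local content=${change#*=}
  local replacement
  # Escape the characters that are special in sed replacement text.
  replacement=$(printf '%s' "$content" | sed -e 's/[\/&]/\\&/g')
  # Anchor on "NAME=" at line start so a comment mentioning NAME, or a
  # longer variable sharing the prefix, is neither matched nor rewritten.
  if grep -q -- "^\(export \)\{0,1\}${varname}=" "$filename"; then
    echo "changing cavar ${varname} with ${content}"
    sed -i 's/^\(export \)\{0,1\}'"${varname}"'=.*/\1'"${varname}"'='"${replacement}"'/' "$filename"
  else
    echo "Adding new var ${varname} with ${content}"
    # Append the raw value: the sed escaping above must not leak into the file.
    printf '\n\n%s=%s\n\n' "$varname" "$content" >> "$filename"
  fi
}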
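#######################################
# Write the CA identity fields to ./new-vars and apply each one to ./vars.
# Globals:   server_name (read)
# Outputs:   the new-vars file in the current directory; progress on stdout
# Notes:     must be run from the easy-rsa directory (~/openvpn-ca), which is
#            where the vars file this edits lives.
#######################################
cavar-changes() {
  cat <<VARS > new-vars
KEY_NAME="${server_name}"
KEY_COUNTRY="US"
KEY_PROVINCE="CA"
KEY_CITY="Muenster"
KEY_ORG="Niemand"
KEY_EMAIL="mauricioprado00@gmailcom"
KEY_OU="Mr.Robot"
VARS
  # Read line by line rather than word-splitting $(cat ...) so a value with
  # spaces stays one assignment; the "|| [[ -n ... ]]" keeps a final line that
  # lacks a trailing newline.
  local line
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -n "$line" ]] || continue
    cavars-change vars "$line"
  done < new-vars
}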
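#######################################
# Strip a leading comment marker from the lines of a file whose content
# starts with findstr, e.g. "#net.ipv4.ip_forward=1" -> "net.ipv4.ip_forward=1".
# Arguments: $1 - file to edit in place
#            $2 - single comment character ('#' or ';')
#            $3 - text (interpreted as a sed BRE) the setting starts with
# Notes:     only a marker at the start of a line is removed, and only when
#            findstr follows it (after optional whitespace); comment lines
#            that merely mention the setting are left alone. The sed
#            delimiter switches to '/' when the marker itself is '#'.
#######################################
uncomment() {
  local filename=$1
  local commentchar=$2
  local findstr=$3
  local wrapper='#'
  if [[ "$commentchar" == '#' ]]; then
    wrapper='/'
  fi
  sed -i 's'"${wrapper}"'^'"${commentchar}"'[[:space:]]*\('"${findstr}"'.*\)'"${wrapper}"'\1'"${wrapper}" "$filename"
}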
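# Keep pristine copies of the two system files this script rewrites. -n so a
# re-run does not overwrite the originals with already-modified versions.
cp -n /etc/sysctl.conf /etc/sysctl.conf.default
cp -n /etc/ufw/before.rules /etc/ufw/before.rules.default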
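# Paso 1 — Instalar OpenVPN
apt-get update
# Non-interactive frontend: no debconf prompt can stall an unattended run.
DEBIAN_FRONTEND=noninteractive apt-get install -y openvpn easy-rsa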
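# Paso 2 — Configurar el Directorio de CA
make-cadir ~/openvpn-ca
# Every later step assumes this directory; stop rather than run in $HOME.
cd ~/openvpn-ca || exit 1
# -n: a re-run must not replace the pristine copy with the edited vars.
cp -n vars vars.default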
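# Paso 3 — Configurar las Variables de CA
# cavar-changes edits ./vars, so it must run inside the easy-rsa directory.
cd ~/openvpn-ca || exit 1
cavar-changes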
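# Paso 4 — Construir el Certificado de Autoridad
cd ~/openvpn-ca || exit 1
# shellcheck disable=SC1091 — easy-rsa's vars exports the KEY_* settings
source vars
./clean-all
./pkitool --initca | tee ~/pkitool-initca.log
# tee's exit status would mask a pkitool failure; check the first stage.
[[ "${PIPESTATUS[0]}" -eq 0 ]] || exit 1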
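# Paso 5 — Crear los certificados del servidor, llaves y archivos cifrados
cd ~/openvpn-ca || exit 1
./pkitool --server "${server_name}" | tee ~/pkitool-server.log
# tee's exit status would mask a pkitool failure; check the first stage.
[[ "${PIPESTATUS[0]}" -eq 0 ]] || exit 1
./build-dh
# Shared HMAC key for tls-auth; copied to the server and embedded in every
# client profile later on.
openvpn --genkey --secret keys/ta.key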
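# Paso 6 — Generar un Certificado de Cliente y un Par de Llaves
cd ~/openvpn-ca || exit 1
# shellcheck disable=SC1091
source vars
./pkitool "${client_1}" | tee ~/pkitool-client
# tee's exit status would mask a pkitool failure; check the first stage.
[[ "${PIPESTATUS[0]}" -eq 0 ]] || exit 1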
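# Paso 7 — Configurar el Servicio OpenVPN
cd ~/openvpn-ca/keys || exit 1
cp ca.crt ca.key "${server_name}.crt" "${server_name}.key" ta.key dh2048.pem /etc/openvpn
# The rest of the script already runs as root; a plain redirect avoids the
# sudo prompt that would stall an unattended run.
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
# Ajuste la Configuración de OpenVPN
# Server side of tls-auth; the client profiles get key-direction 1.
sed -i 's#^;tls-auth.*#tls-auth ta.key 0\nkey-direction 0#g' /etc/openvpn/server.conf
# cipher/auth must match what is appended to the client base config later.
sed -i 's#^;*cipher AES-128-CBC#cipher AES-128-CBC\nauth SHA256#g' /etc/openvpn/server.conf
# Drop privileges after start-up (the sample config ships these commented).
sed -i 's#^;user#user#g' /etc/openvpn/server.conf
sed -i 's#^;group#group#g' /etc/openvpn/server.conf
sed -i 's#;\(.*redirect-gateway\)#\1#g' /etc/openvpn/server.conf
sed -i 's#;\(.*dhcp-option\)#\1#g' /etc/openvpn/server.conf
sed -i 's#^port.*#port '"${port}"'#g' /etc/openvpn/server.conf
if [[ "$proto" == 'tcp' ]]; then
  sed -i 's#^proto udp#;proto udp#g' /etc/openvpn/server.conf
  sed -i 's#^;proto tcp#proto tcp#g' /etc/openvpn/server.conf
fi
sed -i 's#^cert server.crt#cert '"${server_name}"'.crt#g' /etc/openvpn/server.conf
sed -i 's#^key server.key#key '"${server_name}"'.key#g' /etc/openvpn/server.conf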
# Paso 8 — Ajuste la Configuración de Red del Servidor
# Enable IPv4 forwarding persistently, then load it into the running kernel.
uncomment /etc/sysctl.conf '#' 'net.ipv4.ip_forward'
sysctl --load
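# Ajuste las Reglas UFW a las Conexiones del Cliente Masquerade
# Refuse to write a rule with an empty interface: "-o " would make the whole
# before.rules file unloadable.
: "${int:?could not determine the default-route interface}"
new_rules=$(mktemp) || exit 1
merged_rules=$(mktemp) || exit 1
# Masquerade only the VPN subnet (the sample server.conf hands out
# 10.8.0.0/24) and only on the default-route interface found above, instead
# of all of 10/8 on a hard-coded eth0.
cat <<NEW_RULES > "$new_rules"
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to ${int}
-A POSTROUTING -s 10.8.0.0/24 -o ${int} -j MASQUERADE
COMMIT
# END OPENVPN RULES
NEW_RULES
# Prepend the block once; a re-run must not stack duplicate NAT sections.
if ! grep -q 'START OPENVPN RULES' /etc/ufw/before.rules; then
  { cat "$new_rules"; printf '\n\n\n'; cat /etc/ufw/before.rules; } > "$merged_rules"
  # cat rather than mv so before.rules keeps its owner and mode.
  cat "$merged_rules" > /etc/ufw/before.rules
fi
rm -f -- "$new_rules" "$merged_rules"
sed -i 's#DEFAULT_FORWARD_POLICY.*#DEFAULT_FORWARD_POLICY="ACCEPT"#' /etc/default/ufw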
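# Abrir el Puerto OpenVPN y Habilitar los Cambios
ufw allow "${port}/${proto}"
# Keep SSH reachable before the firewall is (re)enabled.
ufw allow OpenSSH
# disable + enable reloads before.rules; --force replaces the "yes y" pipe
# and skips the interactive confirmation.
ufw disable
ufw --force enable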
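# Paso 9 — Iniciar y Habilitar el Servicio OpenVPN
# restart rather than start: on a re-run the service is already up and a
# plain start would leave the rewritten server.conf unapplied.
systemctl restart openvpn@server
systemctl enable openvpn@server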
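# Paso 10 — Crear Infraestructura de Configuración de Cliente
mkdir -p ~/client-configs/files
# The generated .ovpn files embed each client's private key: owner-only.
chmod 700 ~/client-configs/files
# Creando una Configuración Base
# Without a public address the "remote" line would be empty and every client
# profile useless, so fail here instead of producing broken configs.
: "${server_ip:?could not determine the public IP of this server}"
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
sed -i 's#^remote .*#remote '"${server_ip}"' '"${port}"'#g' ~/client-configs/base.conf
sed -i 's#^proto .*#proto '"${proto}"'#g' ~/client-configs/base.conf
sed -i 's#^;user#user#g' ~/client-configs/base.conf
sed -i 's#^;group#group#g' ~/client-configs/base.conf
# ca/cert/key are inlined into each profile by make_config.sh, so the
# file references are commented out.
sed -i 's#^ca #;ca #g' ~/client-configs/base.conf
sed -i 's#^cert #;cert #g' ~/client-configs/base.conf
sed -i 's#^key #;key #g' ~/client-configs/base.conf
# cipher/auth mirror server.conf; key-direction 1 is the client side of tls-auth.
cat << NEW_CONFIG >> ~/client-configs/base.conf
cipher AES-128-CBC
auth SHA256
key-direction 1
# uncomment this only for linux clients
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
NEW_CONFIG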
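# Creando un Script Generador de configuración
# Written in clear text instead of being decoded from a base64 blob, so the
# helper that handles the private keys can be read and audited in place. The
# quoted delimiter keeps every $ literal for the generated script.
cat <<'CONFIG_MAKER' > ~/client-configs/make_config.sh
#!/bin/bash

# First argument: Client identifier

: "${1:?usage: make_config.sh CLIENT_NAME}"

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

# Inline CA cert, client cert/key and the tls-auth key into one .ovpn file.
cat "${BASE_CONFIG}" \
    <(printf '<ca>\n') \
    "${KEY_DIR}/ca.crt" \
    <(printf '</ca>\n<cert>\n') \
    "${KEY_DIR}/${1}.crt" \
    <(printf '</cert>\n<key>\n') \
    "${KEY_DIR}/${1}.key" \
    <(printf '</key>\n<tls-auth>\n') \
    "${KEY_DIR}/ta.key" \
    <(printf '</tls-auth>\n') \
    > "${OUTPUT_DIR}/${1}.ovpn"
CONFIG_MAKER
chmod 700 ~/client-configs/make_config.sh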
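# Paso 11 — Generar Configuraciones de Cliente
cd ~/client-configs || exit 1
# Use the configured client name; the certificate built in step 6 carries
# that name, so a hard-coded one here would not match it.
./make_config.sh "${client_1}"
ls ~/client-configs/files # configuration para ovpn user
# Transferencia de Configuración a Dispositivos Cliente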