create openvpn server
# a fully automated script to configure an openvpn server and create the config for one user
# tested only on ubuntu
# Configurar un Servidor OpenVPN en Ubuntu 16.04
# from https://www.digitalocean.com/community/tutorials/como-configurar-un-servidor-openvpn-en-ubuntu-16-04-es
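# ---- deployment parameters (edit these before running) ----
# Common name of the server certificate; also names the .crt/.key files
# that are copied into /etc/openvpn.
server_name="NY-DO"
# Common name of the first client certificate (and of the generated profile).
client_1=mauricio
# Port the server listens on and the client config connects to.
port=443
# Public address written into the client config's "remote" line. Looked up
# through the OpenDNS resolver, so it needs outbound DNS; a short timeout
# keeps the script from stalling for the default retry budget when offline.
# Empty if the lookup fails — later steps should check it before use.
server_ip=$(dig +short +time=3 +tries=1 myip.opendns.com @resolver1.opendns.com)
# Interface of the default route, used as the NAT egress device in the UFW
# rules. Only the first default route is taken so a multi-homed host does
# not produce two interface names joined by a newline.
int=$(ip route show default | awk '{print $5; exit}')
# 'udp' or 'tcp'; selects the proto lines in server.conf and the client base config.
proto='udp'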
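#######################################
# Set NAME=VALUE in an easy-rsa "vars" file: replace the existing assignment
# (an "export NAME=..." prefix is kept) or append a new one when absent.
# Arguments: $1 - path to the vars file (the original used $(unknown) here,
#                 which ran a nonexistent command instead of touching $1)
#            $2 - assignment of the form NAME=VALUE; VALUE is kept verbatim,
#                 including any surrounding quotes
# Outputs:   one progress line on stdout
# Returns:   sed/grep status of the last command
#######################################
function cavars-change() {
  local filename=$1
  local change=$2
  # Split at the first '=' so a value may itself contain '='.
  local varname=${change%%=*}
  local content=${change#*=}
  # Escape what is special on the right-hand side of a sed s///: '/', '&', '\'.
  local replacement
  replacement=$(printf '%s' "$content" | sed -e 's/[\/&\\]/\\&/g')
  # Match a real assignment only (optionally export-ed), not a comment that
  # mentions the name or a name that merely shares a prefix. varname is
  # assumed to be regex-safe (KEY_* identifiers).
  local assign_re="^\\(export[[:space:]]\\+\\)\\?${varname}="
  if ! grep -q -- "${assign_re}" "$filename"; then
    echo "Adding new var ${varname} with ${content}"
    # Append the unescaped value; the sed-escaped form is only for s///.
    printf '\n\n%s=%s\n\n' "${varname}" "${content}" >> "$filename"
  else
    echo "changing cavar ${varname} with ${content}"
    # \1 re-emits the "export " prefix when the line had one, else nothing.
    sed -i "s/${assign_re}.*/\\1${varname}=${replacement}/" "$filename"
  fi
}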
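#######################################
# Apply the CA identity settings to ./vars (easy-rsa 2 layout), one
# NAME=VALUE line at a time through cavars-change.
# Globals:   server_name (read) - becomes KEY_NAME
# Arguments: none
# Outputs:   progress lines from cavars-change on stdout
#######################################
function cavar-changes() {
  local assignment
  # Read the settings line by line straight from the here-doc: the original
  # wrote them to a "new-vars" file in the current directory and then
  # word-split "$(cat new-vars)", which would break any value with a space.
  while IFS= read -r assignment || [[ -n "$assignment" ]]; do
    cavars-change vars "$assignment"
  done <<VARS
KEY_NAME="${server_name}"
KEY_COUNTRY="US"
KEY_PROVINCE="CA"
KEY_CITY="Muenster"
KEY_ORG="Niemand"
KEY_EMAIL="mauricioprado00@gmailcom"
KEY_OU="Mr.Robot"
VARS
}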
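#######################################
# Remove the comment marker from the line(s) of a file that mention FINDSTR,
# e.g. "#net.ipv4.ip_forward=1" -> "net.ipv4.ip_forward=1".
# Arguments: $1 - file to edit in place (the original used $(unknown) here,
#                 which ran a nonexistent command instead of touching $1)
#            $2 - comment character, '#' or ';'
#            $3 - text identifying the line; used inside a sed regex, so a
#                 '.' in it matches any character
# Returns:   sed's exit status
#######################################
function uncomment() {
  local filename=$1
  local commentchar=$2
  local findstr=$3
  # The s/// delimiter must differ from the comment character being matched.
  local delim='#'
  if [[ "$commentchar" == '#' ]]; then
    delim='/'
  fi
  sed -i "s${delim}${commentchar}\\(.*${findstr}\\)${delim}\\1${delim}g" "$filename"
}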
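# Fail before touching the system if the auto-detected values came back
# empty: an empty ${int} produces a broken "-o" in the UFW rules and an
# empty ${server_ip} a broken "remote" line in every client profile.
: "${int:?could not determine the default-route interface}"
: "${server_ip:?could not determine the public IP (dig lookup failed)}"
# Keep pristine copies of the two system files this script rewrites.
cp /etc/sysctl.conf /etc/sysctl.conf.default
cp /etc/ufw/before.rules /etc/ufw/before.rules.default
# Paso 1 — Instalar OpenVPN
apt-get update
apt-get install -y openvpn easy-rsa
# Paso 2 — Configurar el Directorio de CA
make-cadir ~/openvpn-ca
cd ~/openvpn-ca || exit 1
cp vars vars.default
# Paso 3 — Configurar las Variables de CA
cavar-changes
# Paso 4 — Construir el Certificado de Autoridad
# vars exports the easy-rsa environment; sourcing it once is enough for the
# rest of this directory's commands.
source vars || exit 1
# clean-all empties keys/: re-running the script discards every certificate
# issued by a previous run, so clients must be re-issued afterwards.
./clean-all
./pkitool --initca | tee ~/pkitool-initca.log
# Paso 5 — Crear los certificados del servidor, llaves y archivos cifrados
./pkitool --server "${server_name}" | tee ~/pkitool-server.log
./build-dh
# Shared tls-auth secret: copied to the server below and embedded in clients.
openvpn --genkey --secret keys/ta.key
# Paso 6 — Generar un Certificado de Cliente y un Par de Llaves
./pkitool "${client_1}" | tee ~/pkitool-client
# Paso 7 — Configurar el Servicio OpenVPN
cd ~/openvpn-ca/keys || exit 1
# Only what server.conf references is copied. The original also copied
# ca.key; nothing in this script reads it from /etc/openvpn, and keeping the
# CA private key out of the service directory limits what a compromise of
# the running server exposes.
cp ca.crt "${server_name}.crt" "${server_name}.key" ta.key dh2048.pem /etc/openvpn
readonly server_conf=/etc/openvpn/server.conf
# The script already writes /etc directly everywhere else, so no sudo/tee here.
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > "$server_conf"
# Ajuste la Configuración de OpenVPN
sed -i 's#^;tls-auth.*#tls-auth ta.key 0\nkey-direction 0#g' "$server_conf"
# Cipher/auth as in the 2017 tutorial (CBC + HMAC-SHA256). Newer OpenVPN
# releases negotiate AEAD data ciphers on their own; review this pair
# against the installed version rather than assuming it is still the default.
sed -i 's#^;*cipher AES-128-CBC#cipher AES-128-CBC\nauth SHA256#g' "$server_conf"
# Drop privileges after startup.
sed -i 's#^;user#user#g' "$server_conf"
sed -i 's#^;group#group#g' "$server_conf"
# Push the default route and DNS through the tunnel.
sed -i 's#;\(.*redirect-gateway\)#\1#g' "$server_conf"
sed -i 's#;\(.*dhcp-option\)#\1#g' "$server_conf"
sed -i "s#^port.*#port ${port}#g" "$server_conf"
if [[ "${proto}" == 'tcp' ]]; then
  sed -i 's#^proto udp#;proto udp#g' "$server_conf"
  sed -i 's#^;proto tcp#proto tcp#g' "$server_conf"
fi
sed -i "s#^cert server.crt#cert ${server_name}.crt#g" "$server_conf"
sed -i "s#^key server.key#key ${server_name}.key#g" "$server_conf"
# Paso 8 — Ajuste la Configuración de Red del Servidor
uncomment /etc/sysctl.conf '#' "net.ipv4.ip_forward"
sysctl -p
# Ajuste las Reglas UFW a las Conexiones del Cliente Masquerade
# The NAT block goes in front of the existing before.rules. The egress
# interface is the one detected at the top of the script; the original
# hard-coded eth0 here while its own comment named ${int}.
new_rules=$(mktemp) || exit 1
cat <<NEW_RULES > "$new_rules"
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to ${int}
-A POSTROUTING -s 10.8.0.0/8 -o ${int} -j MASQUERADE
COMMIT
# END OPENVPN RULES
NEW_RULES
# Merge through a scratch file rather than echo -e "$(cat ...)", which
# interpreted backslash sequences in both files and dropped trailing newlines.
merged_rules=$(mktemp) || exit 1
cat "$new_rules" > "$merged_rules"
printf '\n\n\n' >> "$merged_rules"
cat /etc/ufw/before.rules >> "$merged_rules"
# Write back through cat so the mode and owner of before.rules are preserved.
cat "$merged_rules" > /etc/ufw/before.rules
rm -f -- "$new_rules" "$merged_rules"
sed -i 's#DEFAULT_FORWARD_POLICY.*#DEFAULT_FORWARD_POLICY="ACCEPT"#' /etc/default/ufw
# Abrir el Puerto OpenVPN y Habilitar los Cambios
ufw allow "${port}/${proto}"
# Keep SSH reachable before the firewall is reloaded below.
ufw allow OpenSSH
ufw disable
# Non-interactive equivalent of the original "yes y | ufw enable".
ufw --force enable
# Paso 9 — Iniciar y Habilitar el Servicio OpenVPN
systemctl start openvpn@server
systemctl enable openvpn@server
# Paso 10 — Crear Infraestructura de Configuración de Cliente
# files/ will hold per-client profiles with embedded private keys: owner-only.
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
# Creando una Configuración Base
base_conf=~/client-configs/base.conf
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "$base_conf"
sed -i "s#^remote .*#remote ${server_ip} ${port}#g" "$base_conf"
sed -i "s#^proto .*#proto ${proto}#g" "$base_conf"
sed -i 's#^;user#user#g' "$base_conf"
sed -i 's#^;group#group#g' "$base_conf"
# The ca/cert/key paths are commented out because the generator embeds the
# material inline in each profile.
sed -i 's#^ca #;ca #g' "$base_conf"
sed -i 's#^cert #;cert #g' "$base_conf"
sed -i 's#^key #;key #g' "$base_conf"
# key-direction 1 is the client side of the server's "tls-auth ta.key 0".
cat <<NEW_CONFIG >> "$base_conf"
cipher AES-128-CBC
auth SHA256
key-direction 1
# uncomment this only for linux clients
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
NEW_CONFIG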
cat << CONFIG_MAKER | base64 -d > ~/client-configs/make_config.sh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CONFIG_MAKER
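chmod 700 ~/client-configs/make_config.sh
# Paso 11 — Generar Configuraciones de Cliente
cd ~/client-configs || exit 1
# Build the profile for the client whose certificate was issued in step 6;
# the original hard-coded "mauricio" here instead of reusing ${client_1}.
./make_config.sh "${client_1}"
ls ~/client-configs/files # configuration para ovpn user
# Transferencia de Configuración a Dispositivos Cliente
# The generated profile is the client's credential; move it to the device
# over an authenticated channel (e.g. scp), not by mail or a shared folder.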