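#!/bin/bash
# Bootstrap a single OpenVPN server on an EC2 instance using the easy-rsa 2.x
# tooling: install packages, build a CA + server cert + one shared client cert
# under /opt/certificates, write /etc/openvpn/server.conf, NAT VPN traffic into
# the VPC, and emit a self-contained client profile in /opt/client-configs.
#
# Usage (as root):  ./setup-openvpn.sh "<search domains>" "<dns servers>"
#   $1  comma- or space-separated DNS search domains pushed to clients (optional)
#   $2  comma- or space-separated DNS server addresses pushed to clients (optional)
#
# Environment overrides (defaults reproduce the previously hard-coded values):
#   VPC_NET / VPC_MASK  route pushed to clients            (10.0.0.0 / 255.255.0.0)
#   VPC_DNS             resolver forced on the server      (10.0.0.2)
#   WAN_IF              interface that masquerades VPN traffic (eth0; newer
#                       instance types name it ens5 -- check `ip route`)
#   OVPN_PORT           UDP port the server listens on     (1194)
#
# Security caveats to be aware of before using this beyond a lab:
#   * duplicate-cn plus a single shared "client" cert gives every user the same
#     identity: one user cannot be revoked without rotating everyone, and no
#     crl-verify is configured. Issue one cert per user for real deployments.
#   * comp-lzo turns on VPN compression, which is the VORACLE attack surface;
#     drop it on both sides unless clients genuinely need it.
#   * tls-auth only authenticates the control channel; tls-crypt (OpenVPN >= 2.4)
#     also encrypts it. AES-256-GCM is preferable to CBC where clients allow it.
#   * client.ovpn embeds a private key; keep it 0600 and hand it out over a
#     secure channel, never by e-mail or a shared bucket.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "this script must run as root (it installs packages and writes /etc)"

search_domains=${1-}
dns_servers=${2-}
vpc_net=${VPC_NET:-10.0.0.0}
vpc_mask=${VPC_MASK:-255.255.0.0}
vpc_dns=${VPC_DNS:-10.0.0.2}
wan_if=${WAN_IF:-eth0}
ovpn_port=${OVPN_PORT:-1194}

cd /opt

# Install openvpn, the easy-rsa 2.x scripts (make-cadir, pkitool, build-dh) and
# curl, which is needed below to query instance metadata.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y openvpn easy-rsa curl

# Force the server itself to resolve through the VPC resolver rather than
# whatever DHCP hands out. dhclient.conf statements must end with ';' -- the
# original line omitted it, which dhclient rejects as a parse error.
echo "supersede domain-name-servers ${vpc_dns};" >> /etc/dhcp/dhclient.conf

# Fresh easy-rsa working tree and PKI. Two separate commands (not `&&`) so a
# failure of either aborts under set -e instead of silently continuing in /opt.
make-cadir certificates
cd certificates

# easy-rsa 2.x's whichopensslcnf does not recognise newer OpenSSL releases, so
# pin the 1.0.0-style config it ships with (same behaviour as before).
sed -i 's/export KEY_CONFIG.*/export KEY_CONFIG="\$EASY_RSA\/openssl-1.0.0.cnf"/g' vars
# vars is a third-party file; relax -u while sourcing it in case a future
# version references a variable it does not set.
set +u
# shellcheck disable=SC1091
source vars
set -u

./clean-all
# clean-all only creates index.txt and serial; some openssl versions complain
# when index.txt.attr is missing, so create it up front.
touch keys/index.txt.attr
./pkitool --initca
./pkitool --server server
./build-dh
openvpn --genkey --secret keys/ta.key

# build-dh names its output after KEY_SIZE from vars (2048 in the stock file).
dh_file="dh${KEY_SIZE:-2048}.pem"

# Server-side material. Keys are root-only: openvpn reads them before dropping
# to nobody/nogroup and persist-key keeps them in memory across restarts.
cp keys/ca.crt keys/server.crt keys/server.key keys/ta.key "keys/${dh_file}" /etc/openvpn
chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key

# The status file's directory is not guaranteed to exist on every package
# version; openvpn refuses to start if it cannot open the status file.
mkdir -p /var/log/openvpn

cat > /etc/openvpn/server.conf <<EOF
port ${ovpn_port}
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh ${dh_file}
server 10.8.0.0 255.255.255.0
push "route ${vpc_net} ${vpc_mask}"
client-to-client
# duplicate-cn: several clients may connect with the same certificate (see script header)
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
# comp-lzo: compression oracle risk (VORACLE); remove on both sides if not required
comp-lzo
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
EOF

#######################################
# Append one `push "dhcp-option KIND VALUE"` line per list item to server.conf.
# The values come from the command line and land inside a double-quoted config
# directive, so restrict them to hostname/IP characters: a stray quote or
# newline would otherwise inject arbitrary directives into server.conf.
# Arguments: $1 - DOMAIN or DNS; $2 - comma/space-separated list (may be empty)
#######################################
push_dhcp_options() {
  local kind=$1 raw=$2 item items
  IFS=', ' read -r -a items <<< "$raw"
  # ${items[@]+...} keeps an empty list from tripping set -u on bash < 4.4
  for item in ${items[@]+"${items[@]}"}; do
    [[ "$item" =~ ^[A-Za-z0-9.:-]+$ ]] || die "invalid ${kind} value: '${item}'"
    printf 'push "dhcp-option %s %s"\n' "$kind" "$item" >> /etc/openvpn/server.conf
  done
}
push_dhcp_options DOMAIN "$search_domains"
push_dhcp_options DNS "$dns_servers"

# Let the box route client traffic into the VPC (persisted in sysctl.conf, and
# appended if the stock commented-out line is absent) and NAT it out of WAN_IF.
sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
nat_rule=(iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE)
"${nat_rule[@]}"
# Re-apply the rule after reboot; guard so re-running this script does not stack
# duplicate crontab entries (each one would add another identical rule).
cron_line="@reboot root ${nat_rule[*]}"
grep -qF -- "$cron_line" /etc/crontab || echo "$cron_line" >> /etc/crontab

# Client material: one shared certificate (see script header).
./pkitool client

# Public IP from instance metadata. Ask for an IMDSv2 token first -- instances
# launched with HttpTokens=required reject unauthenticated (v1) requests -- and
# fall back to v1 only when no token is issued.
imds=http://169.254.169.254/latest
imds_token=$(curl -sf -X PUT "${imds}/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || imds_token=""
if [[ -n "$imds_token" ]]; then
  myip=$(curl -sf -H "X-aws-ec2-metadata-token: ${imds_token}" "${imds}/meta-data/public-ipv4") || myip=""
else
  myip=$(curl -sf "${imds}/meta-data/public-ipv4") || myip=""
fi
# Without this check the profile would carry `remote  1194` and never connect.
[[ -n "$myip" ]] || die "could not read public-ipv4 from instance metadata"

mkdir -p /opt/client-configs
chmod 700 /opt/client-configs
cd /opt/client-configs

# Linux-oriented client template: user/group drop and the update-resolv-conf
# up/down hooks only apply on Linux clients; other platforms ignore or warn.
cat > template.ovpn <<EOF
remote ${myip} ${ovpn_port}
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
mute 20
user nobody
group nogroup
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF

# Inline the CA, client cert/key and TLS-auth key so the profile is one file.
# Created under umask 077 so the private key is never world-readable, not even
# briefly before a chmod.
(
  umask 077
  {
    cat template.ovpn
    echo "<ca>";       cat /etc/openvpn/ca.crt;                echo "</ca>"
    echo "<cert>";     cat /opt/certificates/keys/client.crt;  echo "</cert>"
    echo "<key>";      cat /opt/certificates/keys/client.key;  echo "</key>"
    echo "<tls-auth>"; cat /etc/openvpn/ta.key;                echo "</tls-auth>"
  } > client.ovpn
)
chmod 600 client.ovpn

# Start now and on every boot. No sudo: the script already runs as root.
systemctl enable openvpn@server
systemctl start openvpn@server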