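#!/usr/bin/env bash
# gwopenvpn.bash — bootstrap an OpenVPN "flightconnector" hub on a
# CentOS/RHEL host: install packages, build an Easy-RSA 3 PKI, write the
# server config, a PAM stack and the per-client ccd entry, then enable
# and start the systemd unit.
#
# Must run as root. Re-running the script wipes and regenerates the PKI
# (init-pki runs in batch mode), so previously issued client certificates
# and the tls-auth key stop working.
set -euo pipefail

# One set of names for both the PKI commands and the server config. The
# original built "cluster0" in the PKI but pointed the config at hub.crt /
# hub.key, which are never created.
readonly SERVER_NAME=cluster0
readonly CLIENT_NAME=clusterX
readonly OVPN_DIR=/etc/openvpn
readonly EASYRSA_DIR="$OVPN_DIR/easyrsa"

yum -y install epel-release
yum -y install openvpn easy-rsa bind-utils

# easy-rsa ships a versioned directory; 3.0.7 is the version this script
# was written against — adjust if the package moves on.
cp -pav /usr/share/easy-rsa/3.0.7 "$EASYRSA_DIR"
cd "$EASYRSA_DIR" || { printf 'cannot cd to %s\n' "$EASYRSA_DIR" >&2; exit 1; }

# Quoted delimiter: nothing is expanded by this shell; easyrsa evaluates
# $PWD, $EASYRSA and friends itself when it reads the file.
cat <<'EOF' > "$EASYRSA_DIR/vars"
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA "$PWD"
set_var EASYRSA_OPENSSL "openssl"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "UK"
set_var EASYRSA_REQ_PROVINCE "Oxfordshire"
set_var EASYRSA_REQ_CITY "Oxford"
set_var EASYRSA_REQ_ORG "Alces Flight Ltd"
set_var EASYRSA_REQ_EMAIL "ssl@alces-flight.com"
set_var EASYRSA_REQ_OU "Infrastructure"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
set_var EASYRSA_BATCH "true"
EOF

# init-pki once is enough; the original ran it twice, and in batch mode the
# second run just wipes what the first created.
./easyrsa init-pki
# build-ca runs with nopass, so the CA key sits unencrypted on this host —
# the root of trust for every client is whatever can read pki/private/ca.key.
./easyrsa --req-cn="$SERVER_NAME" build-ca nopass
./easyrsa --req-cn="$SERVER_NAME" gen-req "$SERVER_NAME" nopass
./easyrsa sign-req server "$SERVER_NAME"
./easyrsa --req-cn="$CLIENT_NAME" gen-req "$CLIENT_NAME" nopass
./easyrsa sign-req client "$CLIENT_NAME"
./easyrsa gen-dh
./easyrsa gen-crl

# Generate the tls-auth key exactly once, at the path the server config
# references. The original generated it twice, the second time after the
# service had already started with the first key, so a running server and
# any client configured from the final file would disagree.
openvpn --genkey --secret "$EASYRSA_DIR/ta.key"

# Server config. The per-client directory must exist before the service
# starts because ccd-exclusive rejects any client without a ccd entry.
mkdir -p "$OVPN_DIR/ccd-clusters"
cat <<EOF > "$OVPN_DIR/flightconnector.conf"
mode server
tls-server
port 443
proto tcp-server
dev tun0
ca $EASYRSA_DIR/pki/ca.crt
cert $EASYRSA_DIR/pki/issued/$SERVER_NAME.crt
key $EASYRSA_DIR/pki/private/$SERVER_NAME.key
dh $EASYRSA_DIR/pki/dh.pem
crl-verify $EASYRSA_DIR/pki/crl.pem
# ccd file names must match the client certificate CN ($CLIENT_NAME below).
client-config-dir ccd-clusters
ccd-exclusive
client-to-client
ifconfig 10.115.0.1 255.255.255.0
topology subnet
#Cluster X routes (10.115.0.2 is the tunnel address pushed to $CLIENT_NAME)
route 10.10.0.0 255.255.0.0 10.115.0.2
route 10.11.0.0 255.255.0.0 10.115.0.2
keepalive 10 120
# NOTE(review): compression over TLS is a known plaintext-recovery risk
# (VORACLE class) and is deprecated upstream; kept for client compatibility.
comp-lzo adaptive
tls-auth $EASYRSA_DIR/ta.key 0
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn-fc.log
log-append /var/log/openvpn-fc.log
verb 3
EOF

# PAM stack for username/password auth. NOTE(review): the server config
# above has no `plugin ... openvpn-plugin-auth-pam.so openvpn-flightconnector`
# line, so this service is written but not used, and the allow-list file
# /etc/openvpn/flightconnector.users that pam_listfile reads is never
# created (onerr=fail means a missing file denies everyone).
cat <<'EOF' > /etc/pam.d/openvpn-flightconnector
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/openvpn/flightconnector.users
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
EOF

# Per-client entry. The pushed tunnel address must lie inside the server's
# 10.115.0.0/24 subnet and match the gateway used by the server-side
# `route` lines (10.115.0.2); the original pushed 10.110.0.2, which is
# outside the tunnel subnet.
cat <<EOF > "$OVPN_DIR/ccd-clusters/$CLIENT_NAME"
ifconfig-push 10.115.0.2 255.255.255.0
#CLUSTER 0 ROUTE PUSH
push "route 10.110.0.0 255.255.0.0 10.115.0.1"
#CLUSTER X ROUTE PULL
iroute 10.10.0.0 255.255.0.0
iroute 10.11.0.0 255.255.0.0
EOF

# Start only after every file the config references exists.
systemctl enable openvpn@flightconnector
systemctl restart openvpn@flightconnector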