OpenVPN_against_censorship
#!/bin/sh | |
OVPNCFG=/etc/openvpn | |
RSADIR=/etc/openvpn/easy-rsa | |
IPV6PFX=fda5:e1a5:a801 | |
if [ $# -ne 4 ]; then | |
echo "Usage: $0 VPNID FQDN NETNUM PORT" 1>&2 | |
exit 1 | |
fi | |
VPNID=$1 | |
shift | |
FQDN=$1 | |
shift | |
NETNUM=$1 | |
shift | |
PORT=$1 | |
if [ ${NETNUM} -lt 0 -o ${NETNUM} -gt 255 ]; then | |
echo "NETNUM can only be an integer 0..255" 1>&2 | |
exit 1 | |
fi | |
GWADDR=172.16.${NETNUM}.1 | |
NETMASK=255.255.255.0 | |
POOLSTART=172.16.${NETNUM}.50 | |
POOLEND=172.16.${NETNUM}.100 | |
TAPIF=tap${PORT} | |
for v in VPNID FQDN NETNUM PORT GWADDR NETMASK POOLSTART POOLEND; do | |
echo $v = `eval 'echo ${'$v'}'` | |
done | |
SERVER=${FQDN} | |
CLIENT=vpn${VPNID}.${FQDN} | |
SRV_CRT=${RSADIR}/keys/${SERVER}.crt | |
SRV_KEY=${RSADIR}/keys/${SERVER}.key | |
if [ ! -e ${SRV_CRT} ]; then | |
cd ${RSADIR} | |
. ./vars | |
./pkitool --server ${SERVER} | |
fi | |
if [ ! -f $SRV_CRT ]; then | |
echo "no such file: $SRV_CRT" 1>&2 | |
exit | |
fi | |
if [ ! -f $SRV_KEY ]; then | |
echo "no such file: $SRV_KEY" 1>&2 | |
exit | |
fi | |
CL_CRT=${RSADIR}/keys/${CLIENT}.crt | |
CL_KEY=${RSADIR}/keys/${CLIENT}.key | |
if [ ! -e ${CL_CRT} ]; then | |
cd ${RSADIR} | |
. ./vars | |
./pkitool ${CLIENT} | |
fi | |
if [ ! -f $CL_CRT ]; then | |
echo "no such file: $CL_CRT" 1>&2 | |
exit | |
fi | |
if [ ! -f $CL_KEY ]; then | |
echo "no such file: $CL_KEY" 1>&2 | |
exit | |
fi | |
cd ${OVPNCFG} | |
cat >${VPNID}_${SERVER}.conf <<EOF | |
port ${PORT} | |
proto udp | |
fragment 1400 | |
dev ${TAPIF} | |
mode server | |
tls-server | |
verify-x509-name ${CLIENT} name | |
ifconfig ${GWADDR} ${NETMASK} | |
ifconfig-ipv6 ${IPV6PFX}:${NETNUM}::1/64 ${IPV6PFX}:${NETNUM}::2 | |
ca ${RSADIR}/keys/ca.crt | |
cert ${SRV_CRT} | |
key ${SRV_KEY} | |
dh ${RSADIR}/keys/dh2048.pem | |
keepalive 10 120 | |
persist-key | |
persist-tun | |
status /var/log/openvpn_${VPNID}_${SERVER}.status.log | |
verb 3 | |
EOF | |
if [ ! -d client_configs ]; then mkdir client_configs; fi | |
CONF=client_configs/${CLIENT}.conf | |
cat >$CONF <<EOF | |
client | |
dev tap | |
proto udp | |
fragment 1400 | |
remote ${SERVER} ${PORT} | |
nobind | |
script-security 2 | |
up /etc/openvpn/addtobridge_br1 | |
persist-key | |
persist-tun | |
verb 3 | |
EOF | |
echo "<ca>" >> $CONF | |
cat ${RSADIR}/keys/ca.crt | \ | |
grep -A 100 "BEGIN CERTIFICATE" | \ | |
grep -B 100 "END CERTIFICATE" >> $CONF | |
echo "</ca>" >> $CONF | |
echo "<cert>" >> $CONF | |
cat $CL_CRT | \ | |
grep -A 100 "BEGIN CERTIFICATE" | \ | |
grep -B 100 "END CERTIFICATE" >> $CONF | |
echo "</cert>" >> $CONF | |
echo "<key>" >> $CONF | |
cat $CL_KEY | \ | |
grep -A 100 "BEGIN PRIVATE KEY" | \ | |
grep -B 100 "END PRIVATE KEY" >> $CONF | |
echo "</key>" >> $CONF | |
systemctl reenable openvpn | |
systemctl restart openvpn | |
cat >/etc/dnsmasq.d/${TAPIF} <<EOT | |
dhcp-range=::,constructor:${TAPIF},ra-stateless,slaac,1h | |
dhcp-range=${POOLSTART},${POOLEND},1h | |
EOT | |
systemctl restart dnsmasq |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment