Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OpenVPN_against_censorship
#!/bin/sh
OVPNCFG=/etc/openvpn
RSADIR=/etc/openvpn/easy-rsa
IPV6PFX=fda5:e1a5:a801
if [ $# -ne 4 ]; then
echo "Usage: $0 VPNID FQDN NETNUM PORT" 1>&2
exit 1
fi
VPNID=$1
shift
FQDN=$1
shift
NETNUM=$1
shift
PORT=$1
if [ ${NETNUM} -lt 0 -o ${NETNUM} -gt 255 ]; then
echo "NETNUM can only be an integer 0..255" 1>&2
exit 1
fi
GWADDR=172.16.${NETNUM}.1
NETMASK=255.255.255.0
POOLSTART=172.16.${NETNUM}.50
POOLEND=172.16.${NETNUM}.100
TAPIF=tap${PORT}
for v in VPNID FQDN NETNUM PORT GWADDR NETMASK POOLSTART POOLEND; do
echo $v = `eval 'echo ${'$v'}'`
done
SERVER=${FQDN}
CLIENT=vpn${VPNID}.${FQDN}
SRV_CRT=${RSADIR}/keys/${SERVER}.crt
SRV_KEY=${RSADIR}/keys/${SERVER}.key
if [ ! -e ${SRV_CRT} ]; then
cd ${RSADIR}
. ./vars
./pkitool --server ${SERVER}
fi
if [ ! -f $SRV_CRT ]; then
echo "no such file: $SRV_CRT" 1>&2
exit
fi
if [ ! -f $SRV_KEY ]; then
echo "no such file: $SRV_KEY" 1>&2
exit
fi
CL_CRT=${RSADIR}/keys/${CLIENT}.crt
CL_KEY=${RSADIR}/keys/${CLIENT}.key
if [ ! -e ${CL_CRT} ]; then
cd ${RSADIR}
. ./vars
./pkitool ${CLIENT}
fi
if [ ! -f $CL_CRT ]; then
echo "no such file: $CL_CRT" 1>&2
exit
fi
if [ ! -f $CL_KEY ]; then
echo "no such file: $CL_KEY" 1>&2
exit
fi
cd ${OVPNCFG}
cat >${VPNID}_${SERVER}.conf <<EOF
port ${PORT}
proto udp
fragment 1400
dev ${TAPIF}
mode server
tls-server
verify-x509-name ${CLIENT} name
ifconfig ${GWADDR} ${NETMASK}
ifconfig-ipv6 ${IPV6PFX}:${NETNUM}::1/64 ${IPV6PFX}:${NETNUM}::2
ca ${RSADIR}/keys/ca.crt
cert ${SRV_CRT}
key ${SRV_KEY}
dh ${RSADIR}/keys/dh2048.pem
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn_${VPNID}_${SERVER}.status.log
verb 3
EOF
if [ ! -d client_configs ]; then mkdir client_configs; fi
CONF=client_configs/${CLIENT}.conf
cat >$CONF <<EOF
client
dev tap
proto udp
fragment 1400
remote ${SERVER} ${PORT}
nobind
script-security 2
up /etc/openvpn/addtobridge_br1
persist-key
persist-tun
verb 3
EOF
echo "<ca>" >> $CONF
cat ${RSADIR}/keys/ca.crt | \
grep -A 100 "BEGIN CERTIFICATE" | \
grep -B 100 "END CERTIFICATE" >> $CONF
echo "</ca>" >> $CONF
echo "<cert>" >> $CONF
cat $CL_CRT | \
grep -A 100 "BEGIN CERTIFICATE" | \
grep -B 100 "END CERTIFICATE" >> $CONF
echo "</cert>" >> $CONF
echo "<key>" >> $CONF
cat $CL_KEY | \
grep -A 100 "BEGIN PRIVATE KEY" | \
grep -B 100 "END PRIVATE KEY" >> $CONF
echo "</key>" >> $CONF
systemctl reenable openvpn
systemctl restart openvpn
cat >/etc/dnsmasq.d/${TAPIF} <<EOT
dhcp-range=::,constructor:${TAPIF},ra-stateless,slaac,1h
dhcp-range=${POOLSTART},${POOLEND},1h
EOT
systemctl restart dnsmasq
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.