toodooleedoo/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Openvpn Safe start

This script accepts an openvpn file as an input parameter and will inject you're username and password into the ovpn file
to allow login without having to type a password.  Additionally you can configure a default ovpn file by naming the file default.ovpn.
It will also use iptables to ONLY allow connections to the IP in the .ovpn file.  This prevents any leaks from a VPN drop as
all other connections will not be allowed.

  
## openvpn-safe-start.sh
#!/bin/bash
############################
#
# Title: Allow passwordless login and prevent leaks.
# Requirements:  Linux with a working OpenVPN using ovpn files
# @Author: Eric Soukenka
# @Date: April 6th 2017
#
#######################


if [ "$EUID" -ne 0 ]
  then echo "Please run with sudo or as root"
  exit
fi

# Base directory with .ovpn files
CONFIG_BASEDIR=/etc/openvpn/configs
# Setup passwordless login for vpn.  Note password will be left behind in ovpn file!
## Example:
### echo "myusername@vpn.com" > /etc/openvpn/userpass
### echo "mypassword" >> /etc/openvpn/userpass
PASSWORDFILE=/etc/openvpn/userpass
#Waits this many seconds for determining external ip
WAITTIME=15
#Place daemon will log to
OPENVPNLOGFILE=/var/log/openvpn.log

if [ -z "${1}" ]; then
	if [ -f "${CONFIG_BASEDIR}/default.ovpn" ]; then
		CONFIG_FILE="default.ovpn";
	else
		echo "${CONFIG_BASEDIR}/default.ovpn does not exist and no config file name passed in";
		exit;
	fi
else
	CONFIG_FILE="${1}"
fi

VPNIP=`cat ${CONFIG_BASEDIR}/${CONFIG_FILE} |grep "remote " |awk '{print $2}'`

# Let's make sure we have a valid IP Address
if [[ ${VPNIP} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	echo "SUCCESS: FOUND IP ${VPNIP} in ${CONFIG_BASEDIR}/${CONFIG_FILE}";
else
	echo "FAILURE: IP \"${VPNIP}\" doesn't seem valid from ${CONFIG_BASEDIR}/${CONFIG_FILE}";
	exit;
fi

# Staging passwordless login
# https://forums.openvpn.net/viewtopic.php?t=11342
if [ -f ${PASSWORDFILE} ]; then
	sed -i 's/auth-user-pass.*/auth-user-pass \/etc\/openvpn\/userpass/g' ${CONFIG_BASEDIR}/${CONFIG_FILE};
else
	echo "WARNING: Skipping adding credentials to conf file";
fi

# Prevent IP leaks.  Disconnects will immediatly cut all internet traffic
## Flush all IP rules then add ONLY VPNIP.
echo "# Empty the entire filter table'" > clear-all-rules
echo "*filter" >> clear-all-rules
echo ":INPUT ACCEPT [0:0]" >> clear-all-rules
echo ":FORWARD ACCEPT [0:0]" >> clear-all-rules
echo ":OUTPUT ACCEPT [0:0]" >> clear-all-rules
echo "COMMIT" >> clear-all-rules
iptables-restore < clear-all-rules
rm clear-all-rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j  ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT #make sure that you can communicate within your own network
iptables -A OUTPUT -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d ${VPNIP} -j DROP  # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects


echo "SUCCESS: Set iptables for allowing only ${VPNIP}";
pkill -f "openvpn --config";
sleep 5;
openvpn --config ${CONFIG_BASEDIR}/${CONFIG_FILE} --daemon --log ${OPENVPNLOGFILE};
echo "SUCCESS: Starting OPENVPN in daemon mode.  Check ${OPENVPNLOGFILE} for details";
sleep 5
echo "NOTICE: Running curl to determine your external IP with max wait of ${WAITTIME} seconds";
EXTERNALIP="`curl -m ${WAITTIME} -s http://whatismijnip.nl |cut -d ' ' -f 5`";
if [ "${EXTERNALIP}" = ${VPNIP} ]; then
	echo "SUCCESS: External IP - ${EXTERNALIP}";
else
	echo "FAILURE: External IP: ${EXTERNALIP}";
fi
echo "NOTICE: You can stop the daemon anytime by running pkill -f openvpn";
	#!/bin/bash
	############################
	#
	# Title: Allow passwordless login and prevent leaks.
	# Requirements: Linux with a working OpenVPN using ovpn files
	# @Author: Eric Soukenka
	# @Date: April 6th 2017
	#
	#######################


	if [ "$EUID" -ne 0 ]
	then echo "Please run with sudo or as root"
	exit
	fi

	# Base directory with .ovpn files
	CONFIG_BASEDIR=/etc/openvpn/configs
	# Setup passwordless login for vpn. Note password will be left behind in ovpn file!
	## Example:
	### echo "myusername@vpn.com" > /etc/openvpn/userpass
	### echo "mypassword" >> /etc/openvpn/userpass
	PASSWORDFILE=/etc/openvpn/userpass
	#Waits this many seconds for determining external ip
	WAITTIME=15
	#Place daemon will log to
	OPENVPNLOGFILE=/var/log/openvpn.log

	if [ -z "${1}" ]; then
	if [ -f "${CONFIG_BASEDIR}/default.ovpn" ]; then
	CONFIG_FILE="default.ovpn";
	else
	echo "${CONFIG_BASEDIR}/default.ovpn does not exist and no config file name passed in";
	exit;
	fi
	else
	CONFIG_FILE="${1}"
	fi

	VPNIP=`cat ${CONFIG_BASEDIR}/${CONFIG_FILE} \|grep "remote " \|awk '{print $2}'`

	# Let's make sure we have a valid IP Address
	if [[ ${VPNIP} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
	echo "SUCCESS: FOUND IP ${VPNIP} in ${CONFIG_BASEDIR}/${CONFIG_FILE}";
	else
	echo "FAILURE: IP \"${VPNIP}\" doesn't seem valid from ${CONFIG_BASEDIR}/${CONFIG_FILE}";
	exit;
	fi

	# Staging passwordless login
	# https://forums.openvpn.net/viewtopic.php?t=11342
	if [ -f ${PASSWORDFILE} ]; then
	sed -i 's/auth-user-pass.*/auth-user-pass \/etc\/openvpn\/userpass/g' ${CONFIG_BASEDIR}/${CONFIG_FILE};
	else
	echo "WARNING: Skipping adding credentials to conf file";
	fi

	# Prevent IP leaks. Disconnects will immediatly cut all internet traffic
	## Flush all IP rules then add ONLY VPNIP.
	echo "# Empty the entire filter table'" > clear-all-rules
	echo "*filter" >> clear-all-rules
	echo ":INPUT ACCEPT [0:0]" >> clear-all-rules
	echo ":FORWARD ACCEPT [0:0]" >> clear-all-rules
	echo ":OUTPUT ACCEPT [0:0]" >> clear-all-rules
	echo "COMMIT" >> clear-all-rules
	iptables-restore < clear-all-rules
	rm clear-all-rules
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
	iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
	iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
	iptables -A INPUT -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT #make sure that you can communicate within your own network
	iptables -A OUTPUT -s 192.168.1.0/16 -d 192.168.1.0/16 -j ACCEPT
	iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
	iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
	iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
	iptables -A OUTPUT -o eth+ ! -d ${VPNIP} -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects


	echo "SUCCESS: Set iptables for allowing only ${VPNIP}";
	pkill -f "openvpn --config";
	sleep 5;
	openvpn --config ${CONFIG_BASEDIR}/${CONFIG_FILE} --daemon --log ${OPENVPNLOGFILE};
	echo "SUCCESS: Starting OPENVPN in daemon mode. Check ${OPENVPNLOGFILE} for details";
	sleep 5
	echo "NOTICE: Running curl to determine your external IP with max wait of ${WAITTIME} seconds";
	EXTERNALIP="`curl -m ${WAITTIME} -s http://whatismijnip.nl \|cut -d ' ' -f 5`";
	if [ "${EXTERNALIP}" = ${VPNIP} ]; then
	echo "SUCCESS: External IP - ${EXTERNALIP}";
	else
	echo "FAILURE: External IP: ${EXTERNALIP}";
	fi
	echo "NOTICE: You can stop the daemon anytime by running pkill -f openvpn";