-#!/bin/bash -x
-# Copyright (C) 2016 Ian Kelling
+#!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
usage() {
cat <<'EOF'
-usage: ${0##*/} [-d|-h|--help] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]
-
--r Do not push default route
--d Do not push dns
--s Do not start openvpn
+usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS]
+
+-4 Prefix of range for ipv4, default 10.8.0
+-6 IP6_NETWORK Do ip6 nat for this network. ipv6 will work without nat,
+ but you may want it in certain circumstances.
+-d Do not push dns
+-i INTERFACE_NAME name of tun interface
+-n NAME default = server. 2 servers on the same host need different names.
+-p PORT default 1194
+-r Do not push default route
+-s Do not start openvpn
-h --help print help
+IPV6_ADDR/BITS Ipv6 address of the vpn interface.
+
Sets up a vpn server which pushes gateway route and dns server so all
traffic goes through the vpn. requires systemd, and might have some
debian specific paths.
For ipv6, we assume ipv6_addr routes to the server.
-You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
+You can save all the keys by storing /etc/openvpn/easy-rsa-NAME/keys, and
the script will not generate them if it sees they exist already.
For future updates to this script, this is a good place to
dns=true
route=true
start=true
-temp=$(getopt -l help drsh "$@") || usage 1
+ip4=10.8.0
+name=server
+temp=$(getopt -l help 4:6:di:n:p:rsh "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
+ -4) ip4=$2; shift 2 ;;
+ -6) ip6net=$2; shift 2 ;;
-d) dns=false; shift ;;
+ -i) ifname=$2; shift 2 ;;
+ -n) name=$2; shift 2 ;;
+ -p) port=$2; shift 2 ;;
-r) route=false; shift ;;
-s) start=false; shift ;;
-h|--help) usage ;;
read -r ip6 ip6route <<<"$@"
+source /a/bin/distro-functions/src/package-manager-abstractions
-apt-get update
-# suggests get's us openssl. policy-rc.d is to prevent install from starting services
-f=/usr/sbin/policy-rc.d;
-dd of=$f <<EOF
-#!/bin/sh
-exit 101
-EOF
-chmod +x $f;
-apt-get install --install-suggests -y openvpn
-rm $f
+pi-nostart openvpn openssl easy-rsa uuid-runtime
if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
- vpn_service=openvpn-server@server
+ vpn_service=openvpn-server@$name
else
- vpn_service=openvpn@server
+ vpn_service=openvpn@$name
fi
-apt-get install -y uuid-runtime easy-rsa
-mkdir -p /etc/openvpn/easy-rsa
-cd /etc/openvpn/easy-rsa
+rsadir=/etc/openvpn/easy-rsa-$name
+mkdir -p $rsadir
+cd $rsadir
cp -r /usr/share/easy-rsa/* .
if [[ -e openssl-1.0.0.cnf && ! -e openssl.cnf ]]; then
# there's a debian bug about this.
server_dir=/etc/openvpn/server
mkdir -p $server_dir
chmod 700 $server_dir
+conf=$server_dir/$name.conf
new=true
-keyfiles=(/etc/openvpn/easy-rsa/pki/{ca.crt,private/server.key,issued/server.crt})
+ca_origin=$rsadir/pki/ca.crt
+keyfiles=(
+ $rsadir/pki/private/$name.key
+ $rsadir/pki/issued/$name.crt
+)
if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
new=false
- keyfiles=(/etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key}})
+ ca_origin=$rsadir/ca.crt
+ keyfiles=(
+ $rsadir/keys/$name.key
+ $rsadir/keys/$name.crt
+ )
fi
keys_exist=true
fi
done
+f=$server_dir/dh2048.pem
+if [[ ! -e $f ]]; then
+ openssl dhparam -out $f 2048
+fi
+
+f=$server_dir/ta-$name.key
+if [[ ! -e $f ]]; then
+ openvpn --genkey --secret $server_dir/ta-$name.key
+fi
+
+
if ! $keys_exist; then
# newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
- openvpn --genkey --secret $server_dir/ta.key
if $new; then
+ echo 'set_var EASYRSA_NS_SUPPORT "yes"' >vars
./easyrsa init-pki
./easyrsa --batch build-ca nopass
- ./easyrsa build-server-full server nopass
- openssl dhparam -out $server_dir/dh2048.pem 2048
+ ./easyrsa --days=3650 build-server-full $name nopass
else
# dun care about settning cert cn etc from the non-example values
source vars
# 'server' is the default name in our conf file for the name of the file
# and I've seen no reason to change it.
# Note, this is not idempotent.
- { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
+ { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server $name
./build-dh
fi
fi
+if [[ -e /usr/share/doc/openvpn/examples/sample-config-files/server.conf ]]; then
+ cat /usr/share/doc/openvpn/examples/sample-config-files/server.conf >$conf
+else
+ # pre-bullsye name
+ gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >$conf
+fi
-cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz $server_dir
-gzip -df $server_dir/server.conf.gz
-
-
+cafile=$server_dir/ca-$name.crt
+cp $ca_origin $cafile
cp ${keyfiles[@]} $server_dir
# for legacy systems
-for f in ${keyfiles[@]}; do
+for f in ${keyfiles[@]} $cafile; do
ln -sf server/${f##*/} /etc/openvpn
done
-cat >>$server_dir/server.conf <<'EOF'
+cat >>$conf <<EOF
# I cat an extra blank line to start because the example config does
# not have a final newline. ....
client-config-dir /etc/openvpn/client-config
# duplicate in newer sample configs
-tls-auth ta.key 0 # This file is secret
+tls-auth ta-$name.key 0 # This file is secret
# depending on sample config, this may not be there, which means i can't
-# talk to 10.8.0.1, there might be some other way, but stretch's
+# talk to $ip4.1, there might be some other way, but stretch's
# sample config says:
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
-EOF
+status /var/log/openvpn/openvpn-status-$name.log
+ifconfig-pool-persist /var/log/openvpn/ipp-$name.txt
+ca ca-$name.crt
+cert $name.crt
+key $name.key
+client-config-dir /etc/openvpn/client-config-$name
+server $ip4.0 255.255.255.0
+EOF
+mkdir -p /etc/openvpn/client-config-$name
# dh improve security,
# remove comp-lzo to increase perf
-sed -i --follow-symlinks -f - $server_dir/server.conf <<'EOF'
+sed -i --follow-symlinks -f - $conf <<'EOF'
s/^dh dh1024.pem/dh dh2048.pem/
/^comp-lzo.*/d
EOF
-mkdir -p /etc/openvpn/client-config
-
-
if $dns; then
# Be the dns server for clients
- cat >>$server_dir/server.conf <<'EOF'
-push "dhcp-option DNS 10.8.0.1"
+ cat >>$conf <<EOF
+push "dhcp-option DNS $ip4.1"
+EOF
+fi
+
+if [[ $ifname ]]; then
+ cat >>$conf <<EOF
+dev $ifname
EOF
fi
-if $ip6; then
- cat >>$server_dir/server.conf <<EOF
+if [[ $ip6 ]]; then
+ cat >>$conf <<EOF
push tun-ipv6 # legacy option that flidas needs, has no harm.
-ifconfig-ipv6 $ip6 $ip6_route
+# the ::1 is not used, i just put a short valid address there
+ifconfig-ipv6 $ip6 ::1
EOF
+
+ sed -i --follow-symlinks '/^ *net.ipv6.conf.all.forwarding=.*/d' /etc/sysctl.conf
+ cat >>/etc/sysctl.conf <<'EOF'
+net.ipv6.conf.all.forwarding=1
+EOF
+
fi
if $route; then
- cat >>$server_dir/server.conf <<'EOF'
+ cat >>$conf <<'EOF'
# Be the default gateway for clients.
push "redirect-gateway def1"
EOF
- if $ip6; then
- cat >>$server_dir/server.conf <<'EOF'
+ if [[ $ip6 ]]; then
+ cat >>$conf <<'EOF'
push "route-ipv6 2000::/3"
EOF
fi
fi
+if [[ $port ]]; then
+ cat >>$conf <<EOF
+port $port
+EOF
+fi
+
sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
-sed -i --follow-symlinks '/^ *net.ipv6.conf.all.forwarding=.*/d' /etc/sysctl.conf
cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward=1
-net.ipv6.conf.all.forwarding=1
EOF
sysctl -p /etc/sysctl.conf
-gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
-
-cat >/etc/systemd/system/vpnnat.service <<EOF
-[Unit]
-Description=Turns on nat iptables setting
+gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p' | head -n1)
+d=/etc/systemd/system/$vpn_service.service.d
+mkdir -p $d
+f=$d/nat.conf
+cat >$f <<EOF
[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
-
-[Install]
-WantedBy=$vpn_service.service
+ExecStartPre=/sbin/iptables -t nat -A POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
+ExecStopPost=/sbin/iptables -t nat -D POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
EOF
-systemctl daemon-reload # needed if the file was already there
-# note, no need to start it, the vpn_service does that.
-systemctl enable vpnnat
+if [[ $ip6net ]]; then
+ cat >>$f <<EOF
+ExecStartPre=/sbin/ip6tables -t nat -A POSTROUTING -s $ip6net -o $gw -j MASQUERADE
+ExecStopPost=/sbin/ip6tables -t nat -D POSTROUTING -s $ip6net -o $gw -j MASQUERADE
+EOF
+ systemctl daemon-reload # needed if the file was already there
-if $start; then
- systemctl enable $vpn_service
- systemctl restart $vpn_service
+ if $start; then
+ systemctl enable $vpn_service
+ systemctl restart $vpn_service
+ fi
fi