From 50a29b33506900a8bc5d87e67ea0d3fd9bd69369 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sun, 11 Aug 2019 19:47:56 -0400 Subject: [PATCH] support buster --- README | 4 ++ client-cert-helper | 58 +++++++++++++++++++++++ vpn-mk-client-cert | 88 +++++++++++++---------------------- vpn-server-setup | 112 ++++++++++++++++++++++++++++----------------- 4 files changed, 165 insertions(+), 97 deletions(-) create mode 100755 client-cert-helper diff --git a/README b/README index 82f1d8a..8d0b24e 100644 --- a/README +++ b/README @@ -1,5 +1,9 @@ Setup openvpn client & server +For a general purpose script, I would recommend +https://github.com/Angristan/openvpn-install instead of this, but this +should still work for other people if they want to try. + The main documentation is availiable via --help and near the top of the bash script files which sit next to this file. diff --git a/client-cert-helper b/client-cert-helper new file mode 100755 index 0000000..aedc4cd --- /dev/null +++ b/client-cert-helper 
@@ -0,0 +1,58 @@
+#!/bin/bash
+set -eE -o pipefail
+
+rm -f /tmp/vpn-mk-client-cert.log
+exec 2>/tmp/vpn-mk-client-cert.log
+
+name=$1
+common_name=$2
+
+echo common_name=$common_name >&2
+
+server_dir=/etc/openvpn
+if [[ -e /etc/openvpn/server ]]; then
+ server_dir=/etc/openvpn/server
+fi
+
+cafile=$server_dir/ca.crt
+
+new=true
+keyfiles=(/etc/openvpn/easy-rsa/pki/{issued/$common_name.crt,private/$common_name.key})
+if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
+ new=false
+ keyfiles=(/etc/openvpn/easy-rsa/keys/$name.{crt,key})
+fi
+
+if [[ ! -e $cafile ]]; then
+ echo: error no cafile found at $cafile >/tmp/errors
+ exit 1
+fi
+
+exists=true
+for x in ${keyfiles[@]}; do
+ if [[ ! -e $x ]]; then
+ exists=false
+ break
+ fi
+done
+
+
+if ! $exists; then
+ cd /etc/openvpn/easy-rsa
+ if $new; then
+ ./easyrsa build-client-full $common_name nopass >/dev/null
+ else
+ source vars >/dev/null
+
+ { echo -e '\n\n\n\n\n'$common_name'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name >/dev/null
+ fi
+fi
+
+d=$(mktemp -d)
+cp $cafile $d/$name-ca.crt
+cp ${keyfiles[@]} $d
+
+cp $server_dir/ta.key $d/$name-ta.key
+
+tar cz -C $d .
+rm -rf $d
diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index 440cfe9..b094c92 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
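Review bot: The error branch `echo: error no cafile found at $cafile >/tmp/errors` runs a command named `echo:`, which does not exist, so the redirection creates an empty /tmp/errors and `set -eE` then aborts the script with exit 127 on "command not found" instead of writing the message; it should read `echo "error: no cafile found at $cafile" >/tmp/errors` (or go to stderr, which the `exec 2>` line already captures). Both /tmp/errors and /tmp/vpn-mk-client-cert.log are fixed names in a world-writable directory that this root-run script removes and re-creates, which is a symlink race between the `rm -f` and the `exec 2>` redirection; a `mktemp`-created file or a root-owned directory such as /run would close it, with the caller reading whichever path is chosen. The expansions `${keyfiles[@]}`, `$common_name`, `$name` and `$d` are unquoted throughout (for example `for x in ${keyfiles[@]}` and `cp ${keyfiles[@]} $d`), so a name containing whitespace or glob characters splits or globs; quote them as `"${keyfiles[@]}"`, `"$name"` and `"$d"`. The legacy build-key branch feeds `$common_name` into an interactive prompt through `echo -e` with a fixed `sleep 2`, which is timing-dependent and deserves a comment such as `# answers the easy-rsa 2 build-key prompts in order; the sleep lets the second prompt appear before 'y' is sent`.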
@@ -18,9 +18,11 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}" + usage() { - cat </dev/null - - { echo -e '\n\n\n\n\n'$common_name'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null -fi - -d=\$(mktemp -d) -cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt -cp /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d - -cp \$server_dir/ta.key \$d/$name-ta.key - -tar cz -C \$d . -rm -rf \$d -EOF f=/etc/openvpn/client/$name.crt if ! $shell "test -s $f"; then - # if common name is not unique, you get empty file. and if we didn't silence - # build-key, you'd see an error "TXT_DB error number 2" - echo "$0: error: $f is empty or otherwise bad. is this common name unique?" - exit 1 + # if common name is not unique, you get empty file. and if we didn't silence + # build-key, you'd see an error "TXT_DB error number 2" + echo "$0: error: $f is empty or otherwise bad. is this common name unique?" + exit 1 fi $shell "dd of=/etc/openvpn/client/$name.conf" <&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" usage() { - cat <<'EOF' + cat <<'EOF' usage: ${0##*/} [-d|-h|--help] -r Do not push default route @@ -37,7 +37,7 @@ the script will not generate them if it sees they exist already. Note: Uses GNU getopt options parsing style EOF - exit $1 + exit $1 } dns=true 
@@ -46,47 +46,74 @@ start=true temp=$(getopt -l help drsh "$@") || usage 1 eval set -- "$temp" while true; do - case $1 in - -d) dns=false; shift ;; - -r) route=false; shift ;; - -s) start=false; shift ;; - -h|--help) usage ;; - --) shift; break ;; - *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; - esac + case $1 in + -d) dns=false; shift ;; + -r) route=false; shift ;; + -s) start=false; shift ;; + -h|--help) usage ;; + --) shift; break ;; + *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; + esac done apt-get update -# suggests get's us openssl +# suggests get's us openssl. policy-rc.d is to prevent install from starting services +f=/usr/sbin/policy-rc.d; +dd of=$f <>$server_dir/server.conf <<'EOF' @@ -153,27 +178,30 @@ mkdir -p /etc/openvpn/client-config if $dns; then - # Be the dns server for clients - cat >>$server_dir/server.conf <<'EOF' + # Be the dns server for clients + cat >>$server_dir/server.conf <<'EOF' push "dhcp-option DNS 10.8.0.1" EOF fi if $route; then - cat >>$server_dir/server.conf <<'EOF' + cat >>$server_dir/server.conf <<'EOF' # Be the default gateway for clients. push "redirect-gateway def1" EOF - echo "1" > /proc/sys/net/ipv4/ip_forward - sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf - cat >>/etc/sysctl.conf <<'EOF' +fi + +sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf +sed -i --follow-symlinks '/^ *net.ipv6.conf.all.forwarding=.*/d' /etc/sysctl.conf +cat >>/etc/sysctl.conf <<'EOF' net.ipv4.ip_forward=1 +net.ipv6.conf.all.forwarding=1 EOF +sysctl -p /etc/sysctl.conf +gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') - gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') - - cat >/etc/systemd/system/vpnnat.service </etc/systemd/system/vpnnat.service <