From e1e49f58b89db5ea637f2671bf8c1ce35af68e5f Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Mon, 23 Jan 2017 21:37:58 -0800 Subject: [PATCH] update settings --- vpn-mk-client-cert | 78 +++++++++++++++++++++++++++++++++++----------- vpn-server-setup | 32 +++++++++++++++---- 2 files changed, 85 insertions(+), 25 deletions(-) diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert index 306cb22..4e41bac 100755 --- a/vpn-mk-client-cert +++ b/vpn-mk-client-cert 
@@ -25,7 +25,10 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR usage() { cat <= 1)) || usage 1 - -host=$1 shell="bash -c" -if [[ $2 ]]; then - shell="ssh $2" -fi +name=client + +temp=$(getopt -l help hc:n: "$@") || usage 1 +eval set -- "$temp" +while true; do + case $1 in + -c) shell="ssh $2"; shift 2 ;; + -n) name="$2"; shift 2 ;; + -h|--help) usage ;; + --) shift; break ;; + *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; + esac +done +host=$1 +[[ $host ]] || usage 1 # bash or else we get motd spam. note sleep 2, sleep 1 failed. -ssh $host bash </dev/null # uuidgen because common name must be unique -{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key client &>/dev/null +{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null d=\$(mktemp -d) -cp /etc/openvpn/easy-rsa/keys/ca.crt \ - /etc/openvpn/update-resolv-conf \ - /usr/share/doc/openvpn/examples/sample-config-files/client.conf \$d -mv /etc/openvpn/easy-rsa/keys/client.{crt,key} \$d - -sed -i --follow-symlinks "s/^remote .*/remote $host 1194/" \$d/client.conf +cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt +mv /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d tar cz -C \$d . rm -rf \$d EOF + +cat > /etc/openvpn/client/$name.conf <&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +dns=true case $1 in + -d) + dns=false + ;; -h|--help|*) cat <<'EOF' -usage: ${0##*/} +usage: ${0##*/} [-d|-h|--help] + +-d Do not push dns +-h --help print help Sets up a vpn server which pushes gateway route and dns server so all traffic goes through the vpn. requires systemd, and might have some debian specific paths. EOF + exit ;; esac - apt-get update # suggests get's us openssl & easy rsa apt-get install --install-suggests -y openvpn 
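Review bot: The new `name` value from `-n` is interpolated unquoted into the remote script — the `ssh $host bash <<EOF` heredoc is unquoted (the `\$d` and `\$(mktemp -d)` escapes show local expansion happens first) — so a value with spaces, globs or shell metacharacters is executed by the remote shell, and also breaks `./build-key $name` and `mv .../$name.{crt,key}`. Since the same value also becomes the local filename `/etc/openvpn/client/$name.conf` and the certificate's key name, restrict it before the remote script is built, next to the existing host check: `[[ $name =~ ^[A-Za-z0-9_.-]+$ ]] || usage 1`. The heredoc bodies (usage text, remote script, generated client config) are not visible on this page, so the client config itself could not be reviewed.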
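Review bot: With the new `exit` after the usage text, running vpn-server-setup with no arguments no longer sets anything up: an empty `$1` falls into the `-h|--help|*)` arm, so the usage is printed and the script exits, leaving `-d` as the only invocation that reaches `apt-get` and the rest of the install. Add an empty-argument arm ahead of it, `'') ;;`, or match `-h|--help)` explicitly and reserve `*)` for unknown options. Note also that `${0##*/}` in the new `usage:` line is inside a quoted `<<'EOF'` heredoc and is printed literally rather than as the script name. The `@@` header of this hunk is missing from the page, so where it begins is inferred from the surrounding context.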
@@ -54,7 +61,12 @@ echo -e '\n\n\n\n\n\n\n\n' | ./build-ca cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn gzip -df /etc/openvpn/server.conf.gz -sed -i --follow-symlinks 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf +# dh improve security, +# remove comp-lzo to increase perf +sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF' +s/^dh dh1024.pem/dh dh2048.pem/ +/^comp-lzo.*/d +EOF teeu() { while read -r line; do @@ -62,15 +74,23 @@ teeu() { done } -# Be the default gateway for clients. teeu /etc/openvpn/server.conf <<'EOF' +# not in example config, but openvpn outputs a warning about insecure +# cipher without a setting like this (the default i can understand due +# to compatibility issues, but not changing the example config... not +# cool). exact cipher taken from config of vpn provider I trust. This +# requires the same setting on the client side. +cipher aes-256-cbc +# Be the default gateway for clients. push "redirect-gateway def1" EOF -# Be the dns server for clients -teeu /etc/openvpn/server.conf <<'EOF' +if $dns; then + # Be the dns server for clients + teeu /etc/openvpn/server.conf <<'EOF' push "dhcp-option DNS 10.8.0.1" EOF +fi echo "1" > /proc/sys/net/ipv4/ip_forward sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf -- 2.30.2
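Review bot: The two new comments `# dh improve security,` and `# remove comp-lzo to increase perf` do not say what a reader needs: why `dh1024.pem` is being replaced and what dropping compression implies for clients. Suggested wording: `# sample config ships dh1024; use the 2048-bit params copied above` and `# drop comp-lzo: compression costs CPU and is a known compression-oracle risk on VPN links`. Deleting `comp-lzo` only on the server also means the client config written by vpn-mk-client-cert must not enable it, or the two sides disagree on framing; that file's contents are not visible in this patch, so please confirm.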
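Review bot: `cipher aes-256-cbc` by itself leaves the data-channel HMAC at OpenVPN's default (`auth SHA1`); pin it alongside, `auth SHA256`, and consider `tls-version-min 1.2` — and if the installed openvpn is 2.4 or newer, `cipher AES-256-GCM` is the stronger choice (the version is not determinable from this diff). As the new comment itself says, the client config generated by vpn-mk-client-cert must carry identical `cipher`/`auth` lines; that file's contents are not visible here. Separately, `if $dns; then` runs the variable's value as a command; `if [[ $dns == true ]]; then` expresses the boolean without that hazard. The hunk ends at the sysctl edit and the rest of the script is outside this view.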