2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
20 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
24 usage: ${0##*/} [-d|-h|--help] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]
26 -r Do not push default route
28 -s Do not start openvpn
31 Sets up a vpn server which pushes gateway route and dns server so all
32 traffic goes through the vpn. requires systemd, and might have some
33 debian specific paths.
35 For ipv6, we assume ipv6_addr routes to the server.
37 You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
38 the script will not generate them if it sees they exist already.
40 Note: Uses GNU getopt options parsing style
48 temp
=$
(getopt
-l help drsh
"$@") || usage
1
52 -d) dns
=false
; shift ;;
53 -r) route
=false
; shift ;;
54 -s) start
=false
; shift ;;
57 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
61 read -r ip6 ip6route
<<<"$@"
65 # suggests get's us openssl. policy-rc.d is to prevent install from starting services
66 f
=/usr
/sbin
/policy-rc.d
;
72 apt-get
install --install-suggests -y openvpn
75 if [[ -e /lib
/systemd
/system
/openvpn-server@.service
]]; then
76 vpn_service
=openvpn-server@server
78 vpn_service
=openvpn@server
80 apt-get
install -y uuid-runtime easy-rsa
81 mkdir
-p /etc
/openvpn
/easy-rsa
82 cd /etc
/openvpn
/easy-rsa
83 cp -r /usr
/share
/easy-rsa
/* .
84 if [[ -e openssl-1.0
.0.cnf
&& ! -e openssl.cnf
]]; then
85 # there's a debian bug about this.
86 ln -s openssl-1.0
.0.cnf openssl.cnf
89 server_dir
=/etc
/openvpn
/server
95 keyfiles
=(/etc
/openvpn
/easy-rsa
/pki
/{ca.crt
,private
/server.key
,issued
/server.crt
})
96 if [[ -e /etc
/openvpn
/easy-rsa
/build-ca
]]; then
98 keyfiles
=(/etc
/openvpn
/easy-rsa
/keys
/{ca.crt
,server.
{crt
,key
}})
102 for f
in ${keyfiles[@]}; do
103 if [[ ! -e $f ]]; then
109 if ! $keys_exist; then
110 # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
111 openvpn
--genkey --secret $server_dir/ta.key
114 .
/easyrsa
--batch build-ca nopass
115 .
/easyrsa build-server-full server nopass
116 openssl dhparam
-out $server_dir/dh2048.pem
2048
118 # dun care about settning cert cn etc from the non-example values
120 # doesnt exist in buster
121 .
/clean-all
# note: removes and creates /etc/openvpn/easy-rsa/keys
122 # accept default prompts
123 echo -e '\n\n\n\n\n\n\n\n' | .
/build-ca
125 # This builds the server's key/cert. argument is the name of the file,
126 # but it also is the default common name of the cert.
127 # 'server' is the default name in our conf file for the name of the file
128 # and I've seen no reason to change it.
129 # Note, this is not idempotent.
130 { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | .
/build-key-server server
136 cp /usr
/share
/doc
/openvpn
/examples
/sample-config-files
/server.conf.gz
$server_dir
137 gzip -df $server_dir/server.conf.gz
140 cp ${keyfiles[@]} $server_dir
142 for f
in ${keyfiles[@]}; do
143 ln -sf server
/${f##*/} /etc
/openvpn
146 cat >>$server_dir/server.conf
<<'EOF'
148 # I cat an extra blank line to start because the example config does
149 # not have a final newline. ....
151 # not in example config, but openvpn outputs a warning about insecure
152 # cipher without a setting like this (the default i can understand due
153 # to compatibility issues, but not changing the example config... not
155 # requires the same setting on the client side.
157 # just sets up the ability to have client specific configs
158 client-config-dir /etc/openvpn/client-config
160 # duplicate in newer sample configs
161 tls-auth ta.key 0 # This file is secret
163 # depending on sample config, this may not be there, which means i can't
164 # talk to 10.8.0.1, there might be some other way, but stretch's
165 # sample config says:
166 # Should be subnet (addressing via IP)
167 # unless Windows clients v2.0.9 and lower have to
168 # be supported (then net30, i.e. a /30 per client)
169 # Defaults to net30 (not recommended)
174 # dh improve security,
175 # remove comp-lzo to increase perf
176 sed -i --follow-symlinks -f - $server_dir/server.conf
<<'EOF'
177 s/^dh dh1024.pem/dh dh2048.pem/
182 mkdir
-p /etc
/openvpn
/client-config
186 # Be the dns server for clients
187 cat >>$server_dir/server.conf
<<'EOF'
188 push "dhcp-option DNS 10.8.0.1"
193 cat >>$server_dir/server.conf
<<EOF
194 push tun-ipv6 # legacy option that flidas needs, has no harm.
195 ifconfig-ipv6 $ip6 $ip6_route
201 cat >>$server_dir/server.conf
<<'EOF'
202 # Be the default gateway for clients.
203 push "redirect-gateway def1"
206 cat >>$server_dir/server.conf
<<'EOF'
207 push "route-ipv6 2000::/3"
212 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc
/sysctl.conf
213 sed -i --follow-symlinks '/^ *net.ipv6.conf.all.forwarding=.*/d' /etc
/sysctl.conf
214 cat >>/etc
/sysctl.conf
<<'EOF'
215 net.ipv4.ip_forward=1
216 net.ipv6.conf.all.forwarding=1
218 sysctl
-p /etc
/sysctl.conf
220 gw
=$
(ip route |
sed -rn 's/^default via .* dev (\S+).*/\1/p')
222 cat >/etc
/systemd
/system
/vpnnat.service
<<EOF
224 Description=Turns on nat iptables setting
229 ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
230 ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
233 WantedBy=$vpn_service.service
235 systemctl daemon-reload
# needed if the file was already there
236 # note, no need to start it, the vpn_service does that.
237 systemctl
enable vpnnat
240 systemctl
enable $vpn_service
241 systemctl restart
$vpn_service