2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
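trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
# The ERR trap only *reports*. Also abort on the first failure (-e), let the
# trap fire inside functions and subshells (-E) and fail pipelines on any
# stage (pipefail), so a half-built PKI or a missing key file is never
# followed by "systemctl restart openvpn@server" against a broken config.
set -eE -o pipefail

# Everything below writes to /etc and /proc: re-exec as root if needed.
# -E keeps the invoking user's environment for the re-exec'd copy.
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"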
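# Sets up a vpn server which pushes gateway route and dns server
# so all traffic goes through the vpn. requires systemd,
# and might have some debian specific paths.
#
# Things to know before running this on a machine you care about:
#  - It expects the easy-rsa 2.x layout (/usr/share/easy-rsa with vars,
#    build-ca, build-key-server, build-dh); the scripted prompt answers
#    below are written for those scripts.
#  - It is not idempotent: re-running regenerates the CA and server cert,
#    which invalidates every client cert issued so far.

# --install-suggests gets us openssl & easy-rsa alongside openvpn.
apt-get install --install-suggests -y openvpn
apt-get install -y uuid-runtime

# Build our own CA and the server key/cert with easy-rsa 2 under /etc/openvpn.
mkdir -p /etc/openvpn/easy-rsa/keys
cd /etc/openvpn/easy-rsa
cp -r -- /usr/share/easy-rsa/* .
# vars exports the KEY_* defaults (country, org, key size, ...) and KEY_DIR.
# We don't care about setting the cert CN etc to anything but the example
# values, so the prompts below are all answered with the default.
source vars

# accept default prompts: each newline answers one openssl subject field.
echo -e '\n\n\n\n\n\n\n\n' | ./build-ca

# This builds the server's key/cert. argument is the name of the file,
# but it also is the default common name of the cert.
# 'server' is the default name in our conf file for the name of the file
# and I've seen no reason to change it.
# Note, this is not idempotent. The sleep gives openssl time to reach the
# "Sign the certificate?" and "commit?" prompts before the two 'y' answers
# are fed in; a faster/slower box may need this adjusted.
{ echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server

# The config installed next references dh2048.pem, so the DH parameters
# have to exist. build-dh writes keys/dh${KEY_SIZE}.pem; KEY_SIZE comes from
# vars and must be 2048 for the copy below to find the file. This step takes
# minutes on small machines.
./build-dh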
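# Start from the packaged sample server config and drop the PKI material
# next to it (ca.crt, server.crt, server.key and dh2048.pem are the names
# the sample config uses).
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn
# The server's private key is the one secret here: whatever mode cp carried
# over from keys/, make sure only root can read the installed copy.
chmod 600 /etc/openvpn/server.key
gzip -df /etc/openvpn/server.conf.gz
# The sample config points at 1024-bit DH params; use the 2048-bit ones we
# generated. --follow-symlinks keeps a symlinked server.conf a symlink.
sed -i --follow-symlinks 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf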
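# teeu FILE
#   "tee unique": append every line read from stdin to FILE unless an
#   identical line (exact, whole-line, fixed-string match) is already there.
#   Lines that do get appended are also echoed to stdout, like tee. This is
#   what makes the config edits below safe to re-run.
#   The trailing `|| [[ -n $line ]]` keeps a final line that lacks a newline.
teeu() {
  local file=$1 line
  while IFS= read -r line || [[ -n $line ]]; do
    # `--` so a line starting with '-' is a pattern/filename, not an option;
    # printf instead of echo so a line such as "-n" is written verbatim.
    grep -xFq -- "$line" "$file" || printf '%s\n' "$line" | tee -a -- "$file"
  done
}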
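# Be the default gateway for clients.
# This redirects IPv4 only (the sample config has no IPv6 pool). A dual-stack
# client keeps sending IPv6 over its own uplink unless the client blocks IPv6
# or the server is also given an IPv6 pool and 'redirect-gateway ipv6'.
teeu /etc/openvpn/server.conf <<'EOF'
push "redirect-gateway def1"
EOF

# Be the dns server for clients
# 10.8.0.1 is the server's tun address under the sample config's default
# 'server 10.8.0.0 255.255.255.0'. Nothing in this script installs a resolver
# listening there; one is assumed to exist, otherwise clients that honour the
# pushed option have no DNS while connected. Note that clients only apply
# dhcp-option DNS if they have a hook for it (Windows does natively, Linux
# needs e.g. update-resolv-conf).
teeu /etc/openvpn/server.conf <<'EOF'
push "dhcp-option DNS 10.8.0.1"
EOF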
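# Clients' traffic has to be forwarded by this host: enable IPv4 forwarding
# now, and persist it in sysctl.conf. The sed removes any existing
# net.ipv4.ip_forward line (enabled or not) so exactly one, ours, remains.
# This turns on forwarding for *all* interfaces, and nothing here adds
# FORWARD-chain rules; if the host has other networks attached, restrict
# forwarding to tun0 <-> the uplink with iptables.
echo "1" > /proc/sys/net/ipv4/ip_forward
sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
teeu /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward=1
EOF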
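# NAT the VPN subnet out of the interface carrying the default route.
# If several default routes exist the sed prints one interface per line;
# take the first rather than splicing all of them into the -o argument.
gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
gw=${gw%%$'\n'*}
if [[ -z $gw ]]; then
  echo "$0: no default route found, cannot choose an interface for MASQUERADE" >&2
  exit 1
fi

# We are already root here (re-exec at the top), so no sudo needed.
# The interface name is baked into the unit at install time; if it changes,
# re-run this step. Type=oneshot + RemainAfterExit keeps the unit "active"
# after ExecStart, so ExecStop is only run on an actual stop and removes
# exactly the rule ExecStart added. The rule is scoped to 10.8.0.0/24, the
# sample config's client pool.
cat > /etc/systemd/system/mynat.service <<EOF
[Unit]
Description=Turns on nat iptables setting

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload # needed if the file was already there
systemctl enable mynat.service
systemctl start mynat.service

systemctl restart openvpn@server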