fix arg processing
#!/bin/bash
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


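set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

# Everything below writes under /etc and drives apt/systemctl, so re-exec
# through sudo when not already root. -E keeps the caller's environment.
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

#######################################
# Print the usage text. The heredoc is unquoted so ${0##*/} expands to
# the script name; nothing else in the text is an expansion.
# Outputs: usage text to stdout
#######################################
usage() {
  cat <<EOF
usage: ${0##*/}

Sets up a vpn server which pushes gateway route and dns server
so all traffic goes through the vpn. requires systemd,
and might have some debian specific paths.
EOF
}

# The script takes no arguments. Only an explicit help flag prints the
# usage, and it exits there instead of falling through to the install
# (the old `-h|--help|*)` arm printed usage on every run and kept going).
# ${1-} stays safe if set -u is ever enabled.
case ${1-} in
  -h|--help)
    usage
    exit 0
    ;;
esac

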
# openvpn's suggested packages are what pull in openssl and easy-rsa.
apt-get update
apt-get install --install-suggests -y openvpn
apt-get install -y uuid-runtime

# Work on a private copy of the easy-rsa scripts under /etc/openvpn.
easyrsa_dir=/etc/openvpn/easy-rsa
mkdir -p "$easyrsa_dir"/keys
cd "$easyrsa_dir"
cp -r /usr/share/easy-rsa/* .
# The shipped example vars are used as-is; cert CN and friends stay at
# their defaults.
source vars
./clean-all

# Feed blank answers so every prompt takes its default.
printf '\n\n\n\n\n\n\n\n\n' | ./build-ca

# Server key/cert. The argument names the output files and doubles as the
# cert's default common name; "server" is what the sample server.conf
# expects, so there is no reason to change it.
# Note: this step is not idempotent.
# The sleep presumably lets the script reach its y/n confirmations
# before the two "y" answers arrive.
{
  printf '\n\n\n\n\n\n\n\n\n\n\n'
  sleep 1
  printf 'y\ny\n\n'
} | ./build-key-server server
./build-dh

# Install the sample config and the generated material into /etc/openvpn.
# NOTE(review): the dh2048.pem name assumes the example vars keep
# KEY_SIZE=2048 — confirm. Also confirm server.key ends up readable by
# root only once copied.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cp "$easyrsa_dir"/keys/ca.crt "$easyrsa_dir"/keys/server.crt \
  "$easyrsa_dir"/keys/server.key "$easyrsa_dir"/keys/dh2048.pem /etc/openvpn
gzip -df /etc/openvpn/server.conf.gz
sed -i --follow-symlinks 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf

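#######################################
# Append each stdin line to a file unless the file already contains it
# as a whole line. Lines that get appended are also echoed by tee.
# Arguments: $1 - file to append to
# Inputs:    lines on stdin
# Outputs:   newly appended lines to stdout
#######################################
teeu() {
  local file=$1 line
  # IFS= keeps leading/trailing whitespace; `|| [[ -n $line ]]` still
  # processes a final line that lacks a trailing newline.
  while IFS= read -r line || [[ -n $line ]]; do
    # `--` stops grep/tee from treating a line such as "-n" as an option,
    # and printf (unlike echo) emits such a line verbatim.
    grep -xFq -- "$line" "$file" || printf '%s\n' "$line" | tee -a -- "$file"
  done
}
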
# Both lines go into server.conf (teeu skips any already present):
#  - redirect-gateway: clients send all IPv4 traffic through the vpn
#  - dhcp-option DNS: clients resolve via 10.8.0.1, presumably the
#    server's tunnel address
# NOTE(review): nothing in this script installs or configures a resolver
# listening on 10.8.0.1 — confirm one exists, or clients lose DNS.
teeu /etc/openvpn/server.conf <<'EOF'
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
EOF

# Enable forwarding now and persist it: drop any existing (uncommented)
# setting from sysctl.conf, then append the line once.
printf '1\n' >/proc/sys/net/ipv4/ip_forward
sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
teeu /etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward=1
EOF


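# Interface carrying the default route; vpn clients are NATed out of it.
# If several default routes exist, the first one `ip route` prints is
# used — previously every match was pasted into the unit's -o argument.
gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
gw=${gw%%$'\n'*}
if [[ -z $gw ]]; then
  echo "$0: could not determine the default-route interface; not writing mynat.service" >&2
  exit 1
fi

# Oneshot unit so the NAT rule comes back on boot and is removed on stop.
# We are already root here (sudo re-exec at the top), so no sudo; cat
# instead of dd keeps dd's transfer statistics off stderr.
# NOTE(review): 10.8.0.0/24 is assumed to be the subnet the sample
# server.conf hands out — confirm against /etc/openvpn/server.conf.
# NOTE(review): this rule and the redirect-gateway push are IPv4-only;
# confirm that client IPv6 traffic bypassing the vpn is acceptable.
cat >/etc/systemd/system/mynat.service <<EOF
[Unit]
Description=Turns on nat iptables setting

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE

[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload # needed if the file was already there
systemctl enable mynat.service
systemctl start mynat.service

# Pick up the new server.conf pushes and the copied keys/certs.
systemctl restart openvpn@server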