2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
20 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
29 usage: ${0##*/} [-d|-h|--help]
31 -r Do not push default route
35 Sets up a vpn server which pushes gateway route and dns server
36 so all traffic goes through the vpn. requires systemd,
37 and might have some debian specific paths.
44 # suggests get's us openssl & easy rsa
45 apt-get
install --install-suggests -y openvpn
46 apt-get
install -y uuid-runtime
47 mkdir
-p /etc
/openvpn
/easy-rsa
/keys
48 cd /etc
/openvpn
/easy-rsa
49 cp -r /usr
/share
/easy-rsa
/* .
50 source vars
# dun care about setting cert cn etc from the non-example values
52 # accept default prompts
53 echo -e '\n\n\n\n\n\n\n\n' | .
/build-ca
55 # This builds the server's key/cert. argument is the name of the file,
56 # but it also is the default common name of the cert.
57 # 'server' is the default name in our conf file for the name of the file
58 # and I've seen no reason to change it.
59 # Note, this is not idempotent.
60 { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | .
/build-key-server server
62 cp /usr
/share
/doc
/openvpn
/examples
/sample-config-files
/server.conf.gz
/etc
/openvpn
/
63 cp /etc
/openvpn
/easy-rsa
/keys
/{ca.crt
,server.
{crt
,key
},dh2048.pem
} /etc
/openvpn
64 gzip -df /etc
/openvpn
/server.conf.gz
65 # dh improve security,
66 # remove comp-lzo to increase perf
67 sed -i --follow-symlinks -f - /etc
/openvpn
/server.conf
<<'EOF'
68 s/^dh dh1024.pem/dh dh2048.pem/
73 cat >>/etc
/openvpn
/server.conf
<<'EOF'
74 # not in example config, but openvpn outputs a warning about insecure
75 # cipher without a setting like this (the default i can understand due
76 # to compatibility issues, but not changing the example config... not
77 # cool). exact cipher taken from config of vpn provider I trust. This
78 # requires the same setting on the client side.
80 # just sets up the ability to have client specific configs
81 client-config-dir /etc/openvpn/client-config
82 # 30 days. default is 3600, 1 hour. we momentarily disconnect
83 # after this time, and get a new tls key. The idea is that
84 # if someone is working very hard to break our encryption,
85 # they have less time to do it, and less time in the past
86 # for it to be broken. online sources say that there is no
87 # good objective idea about what a good value is here, since
88 # we don't expect our encryption to be breakable, but 1 hour
89 # seems very conservative. Since I want to support hosting
90 # a server over the tunnel, having the server break up to once
91 # an hour is very tough. I've seen a vpn service that seems
92 # very on top of things set this to 5 days.
95 mkdir
-p /etc
/openvpn
/client-config
98 cat >>/etc
/openvpn
/server.conf
<<'EOF'
99 # Be the default gateway for clients.
100 push "redirect-gateway def1"
105 # Be the dns server for clients
106 cat >>/etc
/openvpn
/server.conf
<<'EOF'
107 push "dhcp-option DNS 10.8.0.1"
111 echo "1" > /proc
/sys
/net
/ipv
4/ip_forward
112 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc
/sysctl.conf
113 cat >>/etc
/sysctl.conf
<<'EOF'
114 net.ipv4.ip_forward=1
118 gw
=$
(ip route |
sed -rn 's/^default via .* dev (\S+).*/\1/p')
120 cat >/etc
/systemd
/system
/vpnnat.service
<<EOF
122 Description=Turns on nat iptables setting
127 ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
128 ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
131 WantedBy=openvpn.service
133 systemctl daemon-reload
# needed if the file was already there
134 systemctl
enable vpnnat.service
135 systemctl start vpnnat.service
137 systemctl restart openvpn@server