2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
# On any failing command, report script name, line, the command text and its
# exit status on stderr (ERR trap; the rest of the script is not aborted here).
trap 'printf "%s:%s:error: \"%s\" returned %s\n" "$0" "$LINENO" "$BASH_COMMAND" "$?" >&2' ERR
# Everything below writes under /etc and talks to systemd, so re-exec this
# script through sudo (keeping the caller's environment) unless already root.
if (( EUID != 0 )); then
  exec sudo -E "$BASH_SOURCE" "$@"
fi
29 usage: ${0##*/} [-d|-h|--help]
34 Sets up a vpn server which pushes gateway route and dns server
35 so all traffic goes through the vpn. requires systemd,
36 and might have some debian specific paths.
# Installing openvpn's "suggested" packages pulls in openssl and easy-rsa,
# which the CA/key generation below relies on.
apt-get install -y --install-suggests openvpn
# uuid-runtime is needed as well.
apt-get install -y uuid-runtime
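# Keep a private copy of easy-rsa under /etc/openvpn so its vars file and the
# generated keys live next to the rest of the openvpn configuration.
mkdir -p /etc/openvpn/easy-rsa/keys
# Everything that follows (source vars, ./build-*) assumes we are inside this
# directory, so do not carry on in the wrong one if the cd fails.
cd /etc/openvpn/easy-rsa || exit 1
# The glob is intentionally unquoted: copy the whole easy-rsa tree here.
cp -r /usr/share/easy-rsa/* .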
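# The easy-rsa scripts below take their settings (cert CN etc.) from the
# environment set up by ./vars; the example values are fine for our purposes.
# The explicit ./ keeps bash from looking for a "vars" file on PATH first.
source ./vars
# build-ca prompts for each certificate field; feed it blank lines so every
# prompt takes its default. printf is used instead of echo -e for portability.
printf '\n\n\n\n\n\n\n\n\n' | ./build-ca
# This builds the server's key/cert. The argument names the output file but is
# also the default common name of the cert. 'server' is the default name in our
# conf file for the file name and I've seen no reason to change it.
# The sleep presumably gives the script time to consume the blank answers
# before the two y/n confirmations arrive.
# Note: this is not idempotent.
{ printf '\n\n\n\n\n\n\n\n\n\n\n'; sleep 1; printf 'y\ny\n\n'; } | ./build-key-server server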
# Start from the stock example server.conf, which openvpn ships gzipped, and
# unpack it in place (-f overwrites a server.conf left over from a previous run).
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -df /etc/openvpn/server.conf.gz
# Put the CA cert, the server key pair and the DH parameters alongside
# server.conf, which refers to them by bare file name.
(cd /etc/openvpn/easy-rsa/keys && cp ca.crt server.crt server.key dh2048.pem /etc/openvpn)
# dh improves security,
65 # remove comp-lzo to increase perf
66 sed -i --follow-symlinks -f - /etc
/openvpn
/server.conf
<<'EOF'
67 s/^dh dh1024.pem/dh dh2048.pem/
72 while read -r line
; do
73 grep -xFq "$line" "$1" ||
echo "$line" |
tee -a "$1"
77 teeu
/etc
/openvpn
/server.conf
<<'EOF'
78 # not in example config, but openvpn outputs a warning about insecure
79 # cipher without a setting like this (the default i can understand due
80 # to compatibility issues, but not changing the example config... not
81 # cool). exact cipher taken from config of vpn provider I trust. This
82 # requires the same setting on the client side.
84 # Be the default gateway for clients.
85 push "redirect-gateway def1"
86 # just sets up the ability to have client specific configs
87 client-config-dir /etc/openvpn/client-config
# Directory that client-config-dir (set in server.conf above) points at;
# per-client config files go here.
mkdir -p -- /etc/openvpn/client-config
93 # Be the dns server for clients
94 teeu
/etc
/openvpn
/server.conf
<<'EOF'
95 push "dhcp-option DNS 10.8.0.1"
# Enable IPv4 forwarding for the running kernel right away ...
printf '%s\n' 1 > /proc/sys/net/ipv4/ip_forward
# ... and remove any existing ip_forward line from sysctl.conf so that the
# value appended below is the only one present.
sed -i --follow-symlinks -e '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
101 teeu
/etc
/sysctl.conf
<<'EOF'
102 net.ipv4.ip_forward=1
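# Interface carrying the default route; the NAT rule in vpnnat.service
# masquerades VPN client traffic out of it. Relies on GNU sed (-r, \S).
gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
# An empty value would produce an iptables rule with an empty -o argument in
# the unit file written below, so stop here with a message instead.
: "${gw:?could not determine the default-route interface}"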
108 sudo
dd of
=/etc
/systemd
/system
/vpnnat.service
<<EOF
110 Description=Turns on nat iptables setting
115 ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
116 ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
119 WantedBy=openvpn.service
# Make systemd pick up the unit file (required when it already existed).
systemctl daemon-reload
# Enable the NAT unit at boot and bring it up now.
systemctl enable vpnnat.service
systemctl start vpnnat.service
# Restart the server instance so it reads the updated server.conf.
systemctl restart openvpn@server