2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
# Report the failing command, its exit status and the line it was on. Like
# every other diagnostic in this script, this goes to stderr.
report_err() {
  printf '%s:%s:error: "%s" returned %s\n' "$0" "$2" "$3" "$1" >&2
}
trap 'report_err "$?" "$LINENO" "$BASH_COMMAND"' ERR
# Everything below writes under /etc and talks to systemd, so re-run ourselves
# through sudo when not already root. NOTE(review): -E hands the caller's
# environment to the root re-exec; nothing visible here needs it, so confirm
# that is intended.
if (( EUID != 0 )); then
  exec sudo -E "${BASH_SOURCE[0]}" "$@"
fi
24 usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS]
26 -4 Prefix of range for ipv4, default 10.8.0
27 -6 IP6_NETWORK Do ip6 nat for this network. ipv6 will work without nat,
28 but you may want it in certain circumstances.
30 -n NAME default = server. 2 servers on the same host need different names.
32 -r Do not push default route
33 -s Do not start openvpn
36 IPV6_ADDR/BITS Ipv6 address of the vpn interface.
38 Sets up a vpn server which pushes gateway route and dns server so all
39 traffic goes through the vpn. requires systemd, and might have some
40 debian specific paths.
42 For ipv6, we assume ipv6_addr routes to the server.
44 You can save all the keys by storing /etc/openvpn/easy-rsa-NAME/keys, and
45 the script will not generate them if it sees they exist already.
47 For future updates to this script, this is a good place to
49 https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
51 Note: Uses GNU getopt options parsing style
# GNU getopt normalises the command line (the long --help plus the short
# options listed) into the canonical form the option loop below consumes. An
# unknown option makes getopt fail, which prints usage and exits non-zero.
temp=$(getopt -o 4:6:dn:p:rsh -l help -- "$@") || usage 1
65 -4) ip4
=$2; shift 2 ;;
66 -6) ip6net
=$2; shift 2 ;;
67 -d) dns
=false
; shift ;;
68 -n) name
=$2; shift 2 ;;
69 -p) port
=$2; shift 2 ;;
70 -r) route
=false
; shift ;;
71 -s) start
=false
; shift ;;
74 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
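# What is left after option parsing is the positional IPV6_ADDR/BITS, with any
# second word landing in ip6route. A here-string is one word regardless, so
# "$@" there only hid the join (ShellCheck SC2145); "$*" states it.
read -r ip6 ip6route <<<"$*"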
# Site-local helpers, not from any package. pi-nostart is defined in that file
# and presumably installs packages without starting their default service (the
# named instance is started explicitly at the end) -- confirm there.
. /a/bin/distro-functions/src/package-manager-abstractions
pi-nostart openvpn openssl easy-rsa uuid-runtime
# Pick the systemd unit template this distro ships: newer openvpn packages
# provide openvpn-server@, older ones only openvpn@.
vpn_service=openvpn@$name
if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
  vpn_service=openvpn-server@$name
fi
# Per-instance easy-rsa working tree, so two servers on one host keep
# separate PKIs.
rsadir=/etc/openvpn/easy-rsa-${name}
# Start from the packaged easy-rsa scripts. NOTE(review): this copies into the
# current directory, presumably $rsadir; the cd is not visible in this excerpt,
# so confirm it happens before this line.
cp -r -- /usr/share/easy-rsa/* .
# Debian's easy-rsa ships openssl-1.0.0.cnf only (there's a debian bug about
# this); provide the openssl.cnf name the scripts presumably look for, once.
if [[ -e openssl-1.0.0.cnf ]] && [[ ! -e openssl.cnf ]]; then
  ln -s openssl-1.0.0.cnf openssl.cnf
fi
# Everything the running server reads lives here. Mode 700 because the
# server's private key and the tls-auth secret are copied in further down and
# must not be readable by other local users.
server_dir=/etc/openvpn/server
chmod 700 -- "$server_dir"
conf=$server_dir/${name}.conf
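# Where easy-rsa put the CA cert and the server's key/cert. easy-rsa 3 keeps a
# pki/ tree; the old easy-rsa 2 scripts (recognisable by their build-ca
# helper) used keys/. Elements are quoted so a name with unusual characters
# cannot be split or globbed when the array is expanded.
if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
  ca_origin=$rsadir/ca.crt
  keyfiles=(
    "$rsadir/keys/$name.key"
    "$rsadir/keys/$name.crt"
  )
else
  ca_origin=$rsadir/pki/ca.crt
  keyfiles=(
    "$rsadir/pki/private/$name.key"
    "$rsadir/pki/issued/$name.crt"
  )
fi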
120 for f
in ${keyfiles[@]}; do
121 if [[ ! -e $f ]]; then
# DH parameters for the tls handshake. Generating 2048 bits is slow, so an
# existing file is kept.
f=$server_dir/dh2048.pem
[[ -e $f ]] || openssl dhparam -out "$f" 2048
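# tls-auth pre-shared key (openvpn's HMAC check on control-channel packets).
# An existing key is reused so clients that already hold it keep working; the
# generate step now uses $f like the dh block above instead of re-spelling the
# path.
f=$server_dir/ta-$name.key
if [[ ! -e $f ]]; then
  openvpn --genkey --secret "$f"
fi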
138 if ! $keys_exist; then
139 # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
# easy-rsa 3 reads its settings from ./vars. NS_SUPPORT keeps the deprecated
# netscape extensions in issued certs, presumably for older clients that still
# check them -- confirm any remaining client needs it.
printf '%s\n' 'set_var EASYRSA_NS_SUPPORT "yes"' >vars
# easy-rsa 3: create the CA, then the server's key and cert. nopass leaves the
# CA key unencrypted so this can run unattended, which makes $rsadir as
# sensitive as the server key itself. NOTE(review): build-ca runs --batch but
# build-server-full does not; check that your easy-rsa version does not stop
# at a CN or sign-confirmation prompt here.
./easyrsa --batch build-ca nopass
./easyrsa build-server-full "$name" nopass
# Legacy easy-rsa 2 scripts (no longer present in buster). We don't care about
# setting the cert cn etc to anything but the example values, so the prompts
# are simply fed newlines. NOTE(review): these scripts normally need ./vars
# sourced first; that is not visible in this excerpt -- confirm.
./clean-all # note: removes and creates /etc/openvpn/easy-rsa/keys
# accept default prompts
printf '\n%.0s' {1..9} | ./build-ca
# This builds the server's key/cert. argument is the name of the file,
# but it also is the default common name of the cert.
# 'server' is the default name in our conf file for the name of the file
# and I've seen no reason to change it.
# Note, this is not idempotent.
{ printf '\n%.0s' {1..11}; sleep 1; printf 'y\ny\n\n'; } | ./build-key-server "$name"
# Start the instance config from the packaged sample server.conf; it is
# adjusted further down.
gunzip -c -- /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >"$conf"
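# Collect the CA cert, server key and server cert under $server_dir, named
# per instance so two servers on one host don't collide. Expansions are quoted
# (the originals were not) so a name containing spaces or glob characters
# cannot turn into extra cp arguments.
cafile=$server_dir/ca-$name.crt
cp -- "$ca_origin" "$cafile"
cp -- "${keyfiles[@]}" "$server_dir"
# Also expose the same files in /etc/openvpn as symlinks into server/,
# presumably for the older openvpn@ unit that looks there -- confirm. The link
# targets stay inside the mode-700 directory, so their access is governed by
# that directory's permissions.
for f in "${keyfiles[@]}" "$cafile"; do
  ln -sf "server/${f##*/}" /etc/openvpn
done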
176 # I cat an extra blank line to start because the example config does
177 # not have a final newline. ....
179 # not in example config, but openvpn outputs a warning about insecure
180 # cipher without a setting like this (the default i can understand due
181 # to compatibility issues, but not changing the example config... not
183 # requires the same setting on the client side.
185 # just sets up the ability to have client specific configs
186 client-config-dir /etc/openvpn/client-config
188 # duplicate in newer sample configs
189 tls-auth ta-$name.key 0 # This file is secret
191 # depending on sample config, this may not be there, which means i can't
192 # talk to $ip4.1, there might be some other way, but stretch's
193 # sample config says:
194 # Should be subnet (addressing via IP)
195 # unless Windows clients v2.0.9 and lower have to
196 # be supported (then net30, i.e. a /30 per client)
197 # Defaults to net30 (not recommended)
200 status /var/log/openvpn/openvpn-status-$name.log
201 ifconfig-pool-persist /var/log/openvpn/ipp-$name.txt
205 client-config-dir /etc/openvpn/client-config-$name
206 server $ip4.0 255.255.255.0
# Per-client override files (client-config-dir in the instance config) go
# here.
mkdir -p -- "/etc/openvpn/client-config-${name}"
210 # dh improve security,
211 # remove comp-lzo to increase perf
212 sed -i --follow-symlinks -f - $conf <<'EOF'
213 s/^dh dh1024.pem/dh dh2048.pem/
219 # Be the dns server for clients
221 push "dhcp-option DNS $ip4.1"
227 push tun-ipv6 # legacy option that flidas needs, has no harm.
228 # the ::1 is not used, i just put a short valid address there
229 ifconfig-ipv6 $ip6 ::1
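# Forward ipv6 for vpn clients: drop any existing setting of this key from
# sysctl.conf and append ours. The dots are escaped (as the ipv4 pattern below
# already does) so the pattern only matches this exact key.
sed -i --follow-symlinks '/^ *net\.ipv6\.conf\.all\.forwarding=.*/d' /etc/sysctl.conf
cat >>/etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.forwarding=1
EOF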
242 # Be the default gateway for clients.
243 push "redirect-gateway def1"
247 push "route-ipv6 2000::/3"
# Forward ipv4 for vpn clients: replace any existing ip_forward line in
# sysctl.conf with ours and apply it now. This turns the whole host into a
# router: the systemd drop-in written below only adds NAT, it does not filter
# what gets forwarded, so that is left to whatever host firewall exists.
sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
printf '%s\n' 'net.ipv4.ip_forward=1' >>/etc/sysctl.conf
sysctl -p /etc/sysctl.conf
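# Interface carrying the default route; the NAT rules in the drop-in below
# masquerade vpn traffic out of it. With no default route $gw would be empty,
# the iptables lines would get a bare -o and the service would fail to start,
# so stop here with a clear message instead.
gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p' | head -n1)
if [[ -z $gw ]]; then
  echo "$0: error: no default route found, cannot pick the NAT interface" >&2
  exit 1
fi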
# systemd drop-in directory for this instance's unit; the NAT rules are
# written there as ExecStartPre/ExecStopPost hooks.
d=/etc/systemd/system/${vpn_service}.service.d
271 ExecStartPre=/sbin/iptables -t nat -A POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
272 ExecStopPost=/sbin/iptables -t nat -D POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
274 if [[ $ip6net ]]; then
276 ExecStartPre=/sbin/ip6tables -t nat -A POSTROUTING -s $ip6net -o $gw -j MASQUERADE
277 ExecStopPost=/sbin/ip6tables -t nat -D POSTROUTING -s $ip6net -o $gw -j MASQUERADE
# Needed if the drop-in file was already there, so systemd picks up the new
# content rather than its cached copy.
systemctl daemon-reload
# Enable the instance at boot and (re)start it with the new config.
# NOTE(review): the -s option sets start=false, but the guard consulting it is
# not visible in this excerpt -- confirm the restart is skipped in that case.
systemctl enable "$vpn_service"
systemctl restart "$vpn_service"