2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
20 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
24 usage: ${0##*/} [-d|-h|--help]
26 -r Do not push default route
28 -s Do not start openvpn
31 Sets up a vpn server which pushes gateway route and dns server so all
32 traffic goes through the vpn. requires systemd, and might have some
33 debian specific paths.
35 You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
36 the script will not generate them if it sees they exist already.
38 Note: Uses GNU getopt options parsing style
46 temp
=$
(getopt
-l help drsh
"$@") || usage
1
50 -d) dns
=false
; shift ;;
51 -r) route
=false
; shift ;;
52 -s) start
=false
; shift ;;
55 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
60 # suggests get's us openssl
61 apt-get
install --install-suggests -y openvpn
62 if [[ -e /lib
/systemd
/system
/openvpn-server@.service
]]; then
63 vpn_service
=openvpn-server@server
65 vpn_service
=openvpn@server
67 apt-get
install -y uuid-runtime easy-rsa
68 mkdir
-p /etc
/openvpn
/easy-rsa
69 cd /etc
/openvpn
/easy-rsa
70 cp -r /usr
/share
/easy-rsa
/* .
71 if [[ -e openssl-1.0
.0.cnf
&& ! -e openssl.cnf
]]; then
72 # there's a debian bug about this.
73 ln -s openssl-1.0
.0.cnf openssl.cnf
77 keyfiles
=(/etc
/openvpn
/easy-rsa
/keys
/{ca.crt
,server.
{crt
,key
},dh2048.pem
,ta.key
})
78 for f
in ${keyfiles[@]}; do
79 if [[ ! -e $f ]]; then
85 if ! $keys_exist; then
86 source vars
# dun care about setting cert cn etc from the non-example values
87 .
/clean-all
# note: removes and creates /etc/openvpn/easy-rsa/keys
88 # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
89 openvpn
--genkey --secret /etc
/openvpn
/easy-rsa
/keys
/ta.key
90 # accept default prompts
91 echo -e '\n\n\n\n\n\n\n\n' | .
/build-ca
93 # This builds the server's key/cert. argument is the name of the file,
94 # but it also is the default common name of the cert.
95 # 'server' is the default name in our conf file for the name of the file
96 # and I've seen no reason to change it.
97 # Note, this is not idempotent.
98 { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | .
/build-key-server server
102 server_dir
=/etc
/openvpn
/server
104 chmod 700 $server_dir
106 cp /usr
/share
/doc
/openvpn
/examples
/sample-config-files
/server.conf.gz
$server_dir
107 gzip -df $server_dir/server.conf.gz
110 cp ${keyfiles[@]} $server_dir
112 for f
in ${keyfiles[@]}; do
113 ln -sf server
/${f##*/} /etc
/openvpn
116 cat >>$server_dir/server.conf
<<'EOF'
118 # I cat an extra blank line to start because the example config does
119 # not have a final newline. ....
121 # not in example config, but openvpn outputs a warning about insecure
122 # cipher without a setting like this (the default i can understand due
123 # to compatibility issues, but not changing the example config... not
125 # requires the same setting on the client side.
127 # just sets up the ability to have client specific configs
128 client-config-dir /etc/openvpn/client-config
130 # duplicate in newer sample configs
131 tls-auth ta.key 0 # This file is secret
133 # depending on sample config, this may not be there, which means i can't
134 # talk to 10.8.0.1, there might be some other way, but stretch's
135 # sample config says:
136 # Should be subnet (addressing via IP)
137 # unless Windows clients v2.0.9 and lower have to
138 # be supported (then net30, i.e. a /30 per client)
139 # Defaults to net30 (not recommended)
144 # dh improve security,
145 # remove comp-lzo to increase perf
146 sed -i --follow-symlinks -f - $server_dir/server.conf
<<'EOF'
147 s/^dh dh1024.pem/dh dh2048.pem/
152 mkdir
-p /etc
/openvpn
/client-config
156 # Be the dns server for clients
157 cat >>$server_dir/server.conf
<<'EOF'
158 push "dhcp-option DNS 10.8.0.1"
163 cat >>$server_dir/server.conf
<<'EOF'
164 # Be the default gateway for clients.
165 push "redirect-gateway def1"
167 echo "1" > /proc
/sys
/net
/ipv
4/ip_forward
168 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc
/sysctl.conf
169 cat >>/etc
/sysctl.conf
<<'EOF'
170 net.ipv4.ip_forward=1
174 gw
=$
(ip route |
sed -rn 's/^default via .* dev (\S+).*/\1/p')
176 cat >/etc
/systemd
/system
/vpnnat.service
<<EOF
178 Description=Turns on nat iptables setting
183 ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
184 ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
187 WantedBy=$vpn_service
189 systemctl daemon-reload
# needed if the file was already there
190 # note, no need to start it, the vpn_service does that.
194 systemctl
enable $vpn_service
195 systemctl restart
$vpn_service