2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
18 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
20 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
24 usage: ${0##*/} [-d|-h|--help] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]
26 -r Do not push default route
28 -s Do not start openvpn
31 Sets up a vpn server which pushes gateway route and dns server so all
32 traffic goes through the vpn. requires systemd, and might have some
33 debian specific paths.
35 For ipv6, we assume ipv6_addr routes to the server.
37 You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
38 the script will not generate them if it sees they exist already.
40 For future updates to this script, this is a good place to
42 https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
44 Note: Uses GNU getopt options parsing style
52 temp
=$
(getopt
-l help drsh
"$@") || usage
1
56 -d) dns
=false
; shift ;;
57 -r) route
=false
; shift ;;
58 -s) start
=false
; shift ;;
61 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
65 read -r ip6 ip6route
<<<"$@"
69 # suggests get's us openssl. policy-rc.d is to prevent install from starting services
70 f
=/usr
/sbin
/policy-rc.d
;
76 apt-get
install --install-suggests -y openvpn
79 if [[ -e /lib
/systemd
/system
/openvpn-server@.service
]]; then
80 vpn_service
=openvpn-server@server
82 vpn_service
=openvpn@server
84 apt-get
install -y uuid-runtime easy-rsa
85 mkdir
-p /etc
/openvpn
/easy-rsa
86 cd /etc
/openvpn
/easy-rsa
87 cp -r /usr
/share
/easy-rsa
/* .
88 if [[ -e openssl-1.0
.0.cnf
&& ! -e openssl.cnf
]]; then
89 # there's a debian bug about this.
90 ln -s openssl-1.0
.0.cnf openssl.cnf
93 server_dir
=/etc
/openvpn
/server
99 keyfiles
=(/etc
/openvpn
/easy-rsa
/pki
/{ca.crt
,private
/server.key
,issued
/server.crt
})
100 if [[ -e /etc
/openvpn
/easy-rsa
/build-ca
]]; then
102 keyfiles
=(/etc
/openvpn
/easy-rsa
/keys
/{ca.crt
,server.
{crt
,key
}})
106 for f
in ${keyfiles[@]}; do
107 if [[ ! -e $f ]]; then
113 if ! $keys_exist; then
114 # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
115 openvpn
--genkey --secret $server_dir/ta.key
118 .
/easyrsa
--batch build-ca nopass
119 .
/easyrsa build-server-full server nopass
120 openssl dhparam
-out $server_dir/dh2048.pem
2048
122 # dun care about settning cert cn etc from the non-example values
124 # doesnt exist in buster
125 .
/clean-all
# note: removes and creates /etc/openvpn/easy-rsa/keys
126 # accept default prompts
127 echo -e '\n\n\n\n\n\n\n\n' | .
/build-ca
129 # This builds the server's key/cert. argument is the name of the file,
130 # but it also is the default common name of the cert.
131 # 'server' is the default name in our conf file for the name of the file
132 # and I've seen no reason to change it.
133 # Note, this is not idempotent.
134 { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | .
/build-key-server server
140 cp /usr
/share
/doc
/openvpn
/examples
/sample-config-files
/server.conf.gz
$server_dir
141 gzip -df $server_dir/server.conf.gz
144 cp ${keyfiles[@]} $server_dir
146 for f
in ${keyfiles[@]}; do
147 ln -sf server
/${f##*/} /etc
/openvpn
150 cat >>$server_dir/server.conf
<<'EOF'
152 # I cat an extra blank line to start because the example config does
153 # not have a final newline. ....
155 # not in example config, but openvpn outputs a warning about insecure
156 # cipher without a setting like this (the default i can understand due
157 # to compatibility issues, but not changing the example config... not
159 # requires the same setting on the client side.
161 # just sets up the ability to have client specific configs
162 client-config-dir /etc/openvpn/client-config
164 # duplicate in newer sample configs
165 tls-auth ta.key 0 # This file is secret
167 # depending on sample config, this may not be there, which means i can't
168 # talk to 10.8.0.1, there might be some other way, but stretch's
169 # sample config says:
170 # Should be subnet (addressing via IP)
171 # unless Windows clients v2.0.9 and lower have to
172 # be supported (then net30, i.e. a /30 per client)
173 # Defaults to net30 (not recommended)
178 # dh improve security,
179 # remove comp-lzo to increase perf
180 sed -i --follow-symlinks -f - $server_dir/server.conf
<<'EOF'
181 s/^dh dh1024.pem/dh dh2048.pem/
186 mkdir
-p /etc
/openvpn
/client-config
190 # Be the dns server for clients
191 cat >>$server_dir/server.conf
<<'EOF'
192 push "dhcp-option DNS 10.8.0.1"
197 cat >>$server_dir/server.conf
<<EOF
198 push tun-ipv6 # legacy option that flidas needs, has no harm.
199 ifconfig-ipv6 $ip6 $ip6_route
205 cat >>$server_dir/server.conf
<<'EOF'
206 # Be the default gateway for clients.
207 push "redirect-gateway def1"
210 cat >>$server_dir/server.conf
<<'EOF'
211 push "route-ipv6 2000::/3"
216 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc
/sysctl.conf
217 sed -i --follow-symlinks '/^ *net.ipv6.conf.all.forwarding=.*/d' /etc
/sysctl.conf
218 cat >>/etc
/sysctl.conf
<<'EOF'
219 net.ipv4.ip_forward=1
220 net.ipv6.conf.all.forwarding=1
222 sysctl
-p /etc
/sysctl.conf
224 gw
=$
(ip route |
sed -rn 's/^default via .* dev (\S+).*/\1/p')
226 cat >/etc
/systemd
/system
/vpnnat.service
<<EOF
228 Description=Turns on nat iptables setting
233 ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
234 ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
237 WantedBy=$vpn_service.service
239 systemctl daemon-reload
# needed if the file was already there
240 # note, no need to start it, the vpn_service does that.
241 systemctl
enable vpnnat
244 systemctl
enable $vpn_service
245 systemctl restart
$vpn_service