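#!/bin/bash
# Copyright (C) 2016 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Provisions an OpenVPN server (Debian-style paths): installs openvpn and
# easy-rsa, builds a CA, server cert and DH parameters, writes server.conf
# and, unless disabled with -r / -d, pushes a default route and a DNS
# server to clients. Must run as root; re-execs itself under sudo otherwise.
#
# usage: $0 [-r|-d|-h|--help]   (only the first argument is inspected)

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

# Re-exec as root; -E preserves the caller's environment across sudo.
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

dns=true
route=true
# -r and -d are mutually exclusive: only $1 is examined.
case $1 in
  -r) route=false ;;
  -d) dns=false ;;
  -h|--help|*)
    # Unquoted delimiter so ${0##*/} expands to the script name; with
    # <<'EOF' the usage text printed the literal string "${0##*/}".
    # The synopsis now also lists -r, which the case above accepts.
    cat <<EOF
usage: ${0##*/} [-r|-d|-h|--help]
-r          Do not push default route
-d          Do not push dns
-h --help   print help

Sets up a vpn server which pushes gateway route and dns server so all
traffic goes through the vpn.

requires systemd, and might have some debian specific paths.
EOF
    exit
    ;;
esac

apt-get update
# suggests get's us openssl & easy rsa
apt-get install --install-suggests -y openvpn
apt-get install -y uuid-runtime

mkdir -p /etc/openvpn/easy-rsa/keys
cd /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* .
# easy-rsa 2 command set (vars / clean-all / build-ca). The example values
# in vars are used unchanged: cert CN etc. are not customised.
source vars
# clean-all empties the keys directory, so any previously built CA/certs
# under /etc/openvpn/easy-rsa/keys are discarded.
./clean-all
# accept default prompts
echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
# This builds the server's key/cert. argument is the name of the file,
# but it also is the default common name of the cert.
# 'server' is the default name in our conf file for the name of the file
# and I've seen no reason to change it.
# Note, this is not idempotent.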
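# Feed the interactive prompts: defaults for the cert fields, then the two
# y/n confirmations. The sleep presumably lets the prompt sequence catch up
# before the confirmations arrive — not idempotent either (see above).
{ echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
./build-dh
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# server.key (the private key) is copied next to the public material. cp
# keeps the source mode, so it stays as restrictive as easy-rsa created it
# (presumably 0600 — verify on the target after the run).
cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn
gzip -df /etc/openvpn/server.conf.gz

# dh improve security,
# remove comp-lzo to increase perf (dropping tunnel compression also removes
# the compression-oracle class of attacks on encrypted traffic).
# The sed script is read from stdin via -f -.
sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF'
s/^dh dh1024.pem/dh dh2048.pem/
/^comp-lzo.*/d
EOF

# NOTE(review): aes-256-cbc is a non-AEAD (CBC) cipher; OpenVPN also
# supports AES-256-GCM, and nothing below enables tls-auth/tls-crypt for
# the control channel or sets tls-version-min. Any such change has to be
# mirrored in every client config, so it is left as a follow-up.
# NOTE(review): reneg-sec 2592000 keeps a data-channel key for 30 days,
# which widens the window that a single compromised session key covers.
cat >>/etc/openvpn/server.conf <<'EOF'
# not in example config, but openvpn outputs a warning about insecure
# cipher without a setting like this (the default i can understand due
# to compatibility issues, but not changing the example config... not
# cool). exact cipher taken from config of vpn provider I trust. This
# requires the same setting on the client side.
cipher aes-256-cbc
# just sets up the ability to have client specific configs
client-config-dir /etc/openvpn/client-config
# 30 days. default is 3600, 1 hour. we momentarily disconnect
# after this time, and get a new tls key. The idea is that
# if someone is working very hard to break our encryption,
# they have less time to do it, and less time in the past
# for it to be broken. online sources say that there is no
# good objective idea about what a good value is here, since
# we don't expect our encryption to be breakable, but 1 hour
# seems very conservative. Since I want to support hosting
# a server over the tunnel, having the server break up to once
# an hour is very tough. I've seen a vpn service that seems
# very on top of things set this to 5 days.
reneg-sec 2592000
EOF
mkdir -p /etc/openvpn/client-config

if $route; then
  cat >>/etc/openvpn/server.conf <<'EOF'
# Be the default gateway for clients.
push "redirect-gateway def1"
EOF
fi

if $dns; then
  # Be the dns server for clients. 10.8.0.1 is the server's tunnel address
  # under the sample config's default server subnet; a resolver listening
  # there is not configured in this part of the script — confirm elsewhere.
  cat >>/etc/openvpn/server.conf <<'EOF'
push "dhcp-option DNS 10.8.0.1"
EOF
fi

# Enable forwarding now and persist it. Existing ip_forward lines are removed
# first so the appended one is unambiguous (last setting wins in sysctl.conf).
echo "1" > /proc/sys/net/ipv4/ip_forward
sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward=1
EOF

# Interface of the default route (despite the name, this is the device, not
# the gateway address); presumably used as the uplink in the vpnnat unit
# written next — confirm against the unit template.
gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
# With several default routes sed prints one device per line; keep the first
# (preferred) one rather than embedding a multi-line value in the unit file.
gw=${gw%%$'\n'*}
# Without a default route the unit would be written with an empty interface
# name and fail later in a far less obvious way; stop here instead.
[[ -n $gw ]] || { echo "$0: no default route found, cannot determine the uplink interface" >&2; exit 1; }
cat >/etc/systemd/system/vpnnat.service <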