-#!/bin/bash
+#!/bin/bash -x
# Copyright (C) 2016 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
-dns=true
-route=true
-case $1 in
- -r) route=false ;;
- -d) dns=false ;;
- -h|--help|*)
- cat <<'EOF'
+usage() {
+ cat <<'EOF'
usage: ${0##*/} [-d|-h|--help]
-r Do not push default route
-d Do not push dns
+-s Do not start openvpn
-h --help print help
-Sets up a vpn server which pushes gateway route and dns server
-so all traffic goes through the vpn. requires systemd,
-and might have some debian specific paths.
+Sets up a vpn server which pushes gateway route and dns server so all
+traffic goes through the vpn. requires systemd, and might have some
+debian specific paths.
+
+You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
+the script will not generate them if it sees they exist already.
+
+Note: Uses GNU getopt options parsing style
EOF
- exit
- ;;
-esac
+ exit $1
+}
+
+dns=true
+route=true
+start=true
+temp=$(getopt -l help drsh "$@") || usage 1
+eval set -- "$temp"
+while true; do
+ case $1 in
+ -d) dns=false; shift ;;
+ -r) route=false; shift ;;
+ -s) start=false; shift ;;
+ -h|--help) usage ;;
+ --) shift; break ;;
+ *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+ esac
+done
apt-get update
-# suggests get's us openssl & easy rsa
+# suggests get's us openssl
apt-get install --install-suggests -y openvpn
-apt-get install -y uuid-runtime
-mkdir -p /etc/openvpn/easy-rsa/keys
+if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+ vpn_service=openvpn-server@server
+else
+ vpn_service=openvpn@server
+fi
+apt-get install -y uuid-runtime easy-rsa
+mkdir -p /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* .
-source vars # dun care about setting cert cn etc from the non-example values
-./clean-all
-# accept default prompts
-echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
-
-# This builds the server's key/cert. argument is the name of the file,
-# but it also is the default common name of the cert.
-# 'server' is the default name in our conf file for the name of the file
-# and I've seen no reason to change it.
-# Note, this is not idempotent.
-{ echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
-./build-dh
-cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
-cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn
-gzip -df /etc/openvpn/server.conf.gz
-# dh improve security,
-# remove comp-lzo to increase perf
-sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF'
-s/^dh dh1024.pem/dh dh2048.pem/
-/^comp-lzo.*/d
-EOF
+if [[ -e openssl-1.0.0.cnf && ! -e openssl.cnf ]]; then
+ # there's a debian bug about this.
+ ln -s openssl-1.0.0.cnf openssl.cnf
+fi
+
+keys_exist=true
+keyfiles=(/etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key})
+for f in ${keyfiles[@]}; do
+ if [[ ! -e $f ]]; then
+ keys_exist=false
+ break
+ fi
+done
+
+if ! $keys_exist; then
+ source vars # dun care about setting cert cn etc from the non-example values
+ ./clean-all # note: removes and creates /etc/openvpn/easy-rsa/keys
+ # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
+ openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
+ # accept default prompts
+ echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
+
+ # This builds the server's key/cert. argument is the name of the file,
+ # but it also is the default common name of the cert.
+ # 'server' is the default name in our conf file for the name of the file
+ # and I've seen no reason to change it.
+ # Note, this is not idempotent.
+ { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
+ ./build-dh
+fi
+
+server_dir=/etc/openvpn/server
+mkdir -p $server_dir
+chmod 700 $server_dir
+
+cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz $server_dir
+gzip -df $server_dir/server.conf.gz
+
+
+cp ${keyfiles[@]} $server_dir
+# for legacy systems
+for f in ${keyfiles[@]}; do
+ ln -sf server/${f##*/} /etc/openvpn
+done
+
+cat >>$server_dir/server.conf <<'EOF'
+# I cat an extra blank line to start because the example config does
+# not have a final newline. ....
-cat >>/etc/openvpn/server.conf <<'EOF'
# not in example config, but openvpn outputs a warning about insecure
# cipher without a setting like this (the default i can understand due
# to compatibility issues, but not changing the example config... not
-# cool). exact cipher taken from config of vpn provider I trust. This
+# cool).
# requires the same setting on the client side.
-cipher aes-256-cbc
+cipher AES-256-CBC
# just sets up the ability to have client specific configs
client-config-dir /etc/openvpn/client-config
-# 30 days. default is 3600, 1 hour. we momentarily disconnect
-# after this time, and get a new tls key. The idea is that
-# if someone is working very hard to break our encryption,
-# they have less time to do it, and less time in the past
-# for it to be broken. online sources say that there is no
-# good objective idea about what a good value is here, since
-# we don't expect our encryption to be breakable, but 1 hour
-# seems very conservative. Since I want to support hosting
-# a server over the tunnel, having the server break up to once
-# an hour is very tough. I've seen a vpn service that seems
-# very on top of things set this to 5 days.
-reneg-sec 2592000
+
+# duplicate in newer sample configs
+tls-auth ta.key 0 # This file is secret
+
+# depending on sample config, this may not be there, which means i can't
+# talk to 10.8.0.1, there might be some other way, but stretch's
+# sample config says:
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+topology subnet
EOF
-mkdir -p /etc/openvpn/client-config
-if $route; then
- cat >>/etc/openvpn/server.conf <<'EOF'
-# Be the default gateway for clients.
-push "redirect-gateway def1"
+
+# dh improve security,
+# remove comp-lzo to increase perf
+sed -i --follow-symlinks -f - $server_dir/server.conf <<'EOF'
+s/^dh dh1024.pem/dh dh2048.pem/
+/^comp-lzo.*/d
EOF
-fi
+
+
+mkdir -p /etc/openvpn/client-config
+
if $dns; then
# Be the dns server for clients
- cat >>/etc/openvpn/server.conf <<'EOF'
+ cat >>$server_dir/server.conf <<'EOF'
push "dhcp-option DNS 10.8.0.1"
EOF
fi
-echo "1" > /proc/sys/net/ipv4/ip_forward
-sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
-cat >>/etc/sysctl.conf <<'EOF'
+if $route; then
+ cat >>$server_dir/server.conf <<'EOF'
+# Be the default gateway for clients.
+push "redirect-gateway def1"
+EOF
+ echo "1" > /proc/sys/net/ipv4/ip_forward
+ sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
+ cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward=1
EOF
-gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
+ gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
-cat >/etc/systemd/system/vpnnat.service <<EOF
+ cat >/etc/systemd/system/vpnnat.service <<EOF
[Unit]
Description=Turns on nat iptables setting
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
[Install]
-WantedBy=openvpn.service
+WantedBy=$vpn_service
EOF
-systemctl daemon-reload # needed if the file was already there
-systemctl enable vpnnat.service
-systemctl start vpnnat.service
+ systemctl daemon-reload # needed if the file was already there
+ # note, no need to start it, the vpn_service does that.
+fi
-systemctl restart openvpn@server
+if $start; then
+ systemctl enable $vpn_service
+ systemctl restart $vpn_service
+fi