[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+dns=true
+route=true
case $1 in
+ -r) route=false ;;
+ -d) dns=false ;;
-h|--help|*)
cat <<'EOF'
-usage: ${0##*/}
+usage: ${0##*/} [-d|-h|--help]
+
+-r Do not push default route
+-d Do not push dns
+-h --help print help
Sets up a vpn server which pushes gateway route and dns server
so all traffic goes through the vpn. requires systemd,
and might have some debian specific paths.
EOF
+ exit
;;
esac
-
apt-get update
# suggests get's us openssl & easy rsa
apt-get install --install-suggests -y openvpn
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn
gzip -df /etc/openvpn/server.conf.gz
-sed -i --follow-symlinks 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf
+# dh improve security,
+# remove comp-lzo to increase perf
+sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF'
+s/^dh dh1024.pem/dh dh2048.pem/
+/^comp-lzo.*/d
+EOF
-teeu() {
- while read -r line; do
- grep -xFq "$line" "$1" || echo "$line" | tee -a "$1"
- done
-}
+cat >>/etc/openvpn/server.conf <<'EOF'
+# not in example config, but openvpn outputs a warning about insecure
+# cipher without a setting like this (the default i can understand due
+# to compatibility issues, but not changing the example config... not
+# cool). exact cipher taken from config of vpn provider I trust. This
+# requires the same setting on the client side.
+cipher aes-256-cbc
+# just sets up the ability to have client specific configs
+client-config-dir /etc/openvpn/client-config
+# 30 days. default is 3600, 1 hour. we momentarily disconnect
+# after this time, and get a new tls key. The idea is that
+# if someone is working very hard to break our encryption,
+# they have less time to do it, and less time in the past
+# for it to be broken. online sources say that there is no
+# good objective idea about what a good value is here, since
+# we don't expect our encryption to be breakable, but 1 hour
+# seems very conservative. Since I want to support hosting
+# a server over the tunnel, having the server break up to once
+# an hour is very tough. I've seen a vpn service that seems
+# very on top of things set this to 5 days.
+reneg-sec 2592000
+EOF
+mkdir -p /etc/openvpn/client-config
+
+if $route; then
+ cat >>/etc/openvpn/server.conf <<'EOF'
# Be the default gateway for clients.
-teeu /etc/openvpn/server.conf <<'EOF'
push "redirect-gateway def1"
EOF
+fi
-# Be the dns server for clients
-teeu /etc/openvpn/server.conf <<'EOF'
+if $dns; then
+ # Be the dns server for clients
+ cat >>/etc/openvpn/server.conf <<'EOF'
push "dhcp-option DNS 10.8.0.1"
EOF
+fi
echo "1" > /proc/sys/net/ipv4/ip_forward
sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
-teeu /etc/sysctl.conf <<'EOF'
+cat >>/etc/sysctl.conf <<'EOF'
net.ipv4.ip_forward=1
EOF
gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
-sudo dd of=/etc/systemd/system/mynat.service <<EOF
+cat >/etc/systemd/system/vpnnat.service <<EOF
[Unit]
Description=Turns on nat iptables setting
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
[Install]
-WantedBy=multi-user.target
+WantedBy=openvpn.service
EOF
systemctl daemon-reload # needed if the file was already there
-systemctl enable mynat.service
-systemctl start mynat.service
+systemctl enable vpnnat.service
+systemctl start vpnnat.service
systemctl restart openvpn@server
iankelling.org / git / vpn-setup / blobdiff