X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=blobdiff_plain;f=vpn-server-setup;h=0710dc801072e749df602364226a5fbd216d082b;hp=dec98e91385a3cd9619ba218ff8580fa388822b0;hb=1b488c8053cff1f09d025a20dc765a2079417eff;hpb=45b747be876918d04c2013b9ba519a2770b61cd0 diff --git a/vpn-server-setup b/vpn-server-setup index dec98e9..0710dc8 100755 --- a/vpn-server-setup +++ b/vpn-server-setup @@ -19,103 +19,246 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" -dns=true -route=true -case $1 in - -r) route=false ;; - -d) dns=false ;; - -h|--help|*) - cat <<'EOF' -usage: ${0##*/} [-d|-h|--help] +usage() { + cat <<'EOF' +usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE] --r Do not push default route +-4 I prefix of range for ipv4, default 10.8.0 -d Do not push dns +-n Name. default = server. 2 servers on the same host need different names. +-p Port. default 1194 +-r Do not push default route +-s Do not start openvpn -h --help print help -Sets up a vpn server which pushes gateway route and dns server -so all traffic goes through the vpn. requires systemd, -and might have some debian specific paths. +Sets up a vpn server which pushes gateway route and dns server so all +traffic goes through the vpn. requires systemd, and might have some +debian specific paths. + +For ipv6, we assume ipv6_addr routes to the server. + +You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and +the script will not generate them if it sees they exist already. + +For future updates to this script, this is a good place to +take inspiration. +https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh + +Note: Uses GNU getopt options parsing style EOF - exit - ;; -esac - -apt-get update -# suggests get's us openssl & easy rsa -apt-get install --install-suggests -y openvpn -apt-get install -y uuid-runtime -mkdir -p /etc/openvpn/easy-rsa/keys -cd /etc/openvpn/easy-rsa + exit $1 +} + +dns=true +route=true +start=true +ip4=10.8.0 +name=server +temp=$(getopt -l help 4:dn:p:rsh "$@") || usage 1 +eval set -- "$temp" +while true; do + case $1 in + -4) ip4=$2; shift 2 ;; + -d) dns=false; shift ;; + -n) name=$2; shift 2 ;; + -p) port=$2; shift 2 ;; + -r) route=false; shift ;; + -s) start=false; shift ;; + -h|--help) usage ;; + --) shift; break ;; + *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; + esac +done + +read -r ip6 ip6route <<<"$@" + +source /a/bin/distro-functions/src/package-manager-abstractions + +pi-nostart openvpn openssl resolvconf easy-rsa uuid-runtime + +if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then + vpn_service=openvpn-server@$name +else + vpn_service=openvpn@$name +fi +rsadir=/etc/openvpn/easy-rsa-$name +mkdir -p $rsadir +cd $rsadir cp -r /usr/share/easy-rsa/* . -source vars # dun care about setting cert cn etc from the non-example values -./clean-all -# accept default prompts -echo -e '\n\n\n\n\n\n\n\n' | ./build-ca - -# This builds the server's key/cert. argument is the name of the file, -# but it also is the default common name of the cert. -# 'server' is the default name in our conf file for the name of the file -# and I've seen no reason to change it. -# Note, this is not idempotent. -{ echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server -./build-dh -cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ -cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn -gzip -df /etc/openvpn/server.conf.gz -# dh improve security, -# remove comp-lzo to increase perf -sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF' -s/^dh dh1024.pem/dh dh2048.pem/ -/^comp-lzo.*/d -EOF +if [[ -e openssl-1.0.0.cnf && ! -e openssl.cnf ]]; then + # there's a debian bug about this. + ln -s openssl-1.0.0.cnf openssl.cnf +fi + +server_dir=/etc/openvpn/server +mkdir -p $server_dir +chmod 700 $server_dir +conf=$server_dir/$name.conf + + +new=true +ca_origin=$rsadir/pki/ca.crt +keyfiles=( + $rsadir/pki/private/$name.key + $rsadir/pki/issued/$name.crt +) +if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then + new=false + ca_origin=$rsadir/ca.crt + keyfiles=( + $rsadir/keys/$name.key + $rsadir/keys/$name.crt + ) +fi + +keys_exist=true +for f in ${keyfiles[@]}; do + if [[ ! -e $f ]]; then + keys_exist=false + break + fi +done + +f=$server_dir/dh2048.pem +if [[ ! -e $f ]]; then + openssl dhparam -out $f 2048 +fi + +f=$server_dir/ta-$name.key +if [[ ! -e $f ]]; then + openvpn --genkey --secret $server_dir/ta-$name.key +fi + + +if ! $keys_exist; then + # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses + if $new; then + echo 'set_var EASYRSA_NS_SUPPORT "yes"' >vars + ./easyrsa init-pki + ./easyrsa --batch build-ca nopass + ./easyrsa build-server-full $name nopass + else + # dun care about settning cert cn etc from the non-example values + source vars + # doesnt exist in buster + ./clean-all # note: removes and creates /etc/openvpn/easy-rsa/keys + # accept default prompts + echo -e '\n\n\n\n\n\n\n\n' | ./build-ca + + # This builds the server's key/cert. argument is the name of the file, + # but it also is the default common name of the cert. + # 'server' is the default name in our conf file for the name of the file + # and I've seen no reason to change it. + # Note, this is not idempotent. + { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server $name + ./build-dh + fi +fi + + +gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >$conf + +cafile=$server_dir/ca-$name.crt +cp $ca_origin $cafile +cp ${keyfiles[@]} $server_dir +# for legacy systems +for f in ${keyfiles[@]} $cafile; do + ln -sf server/${f##*/} /etc/openvpn +done + +cat >>$conf <>/etc/openvpn/server.conf <<'EOF' # not in example config, but openvpn outputs a warning about insecure # cipher without a setting like this (the default i can understand due # to compatibility issues, but not changing the example config... not -# cool). exact cipher taken from config of vpn provider I trust. This +# cool). # requires the same setting on the client side. -cipher aes-256-cbc +cipher AES-256-CBC # just sets up the ability to have client specific configs client-config-dir /etc/openvpn/client-config -# 30 days. default is 3600, 1 hour. we momentarily disconnect -# after this time, and get a new tls key. The idea is that -# if someone is working very hard to break our encryption, -# they have less time to do it, and less time in the past -# for it to be broken. online sources say that there is no -# good objective idea about what a good value is here, since -# we don't expect our encryption to be breakable, but 1 hour -# seems very conservative. Since I want to support hosting -# a server over the tunnel, having the server break up to once -# an hour is very tough. I've seen a vpn service that seems -# very on top of things set this to 5 days. -reneg-sec 2592000 + +# duplicate in newer sample configs +tls-auth ta-$name.key 0 # This file is secret + +# depending on sample config, this may not be there, which means i can't +# talk to $ip4.1, there might be some other way, but stretch's +# sample config says: +# Should be subnet (addressing via IP) +# unless Windows clients v2.0.9 and lower have to +# be supported (then net30, i.e. a /30 per client) +# Defaults to net30 (not recommended) +topology subnet + +status /var/log/openvpn/openvpn-status-$name.log +ifconfig-pool-persist /var/log/openvpn/ipp-$name.txt +ca ca-$name.crt +cert $name.crt +key $name.key +client-config-dir /etc/openvpn/client-config-$name +server $ip4.0 255.255.255.0 EOF +mkdir -p /etc/openvpn/client-config-$name + +# dh improve security, +# remove comp-lzo to increase perf +sed -i --follow-symlinks -f - $conf <<'EOF' +s/^dh dh1024.pem/dh dh2048.pem/ +/^comp-lzo.*/d +EOF + + mkdir -p /etc/openvpn/client-config + +if $dns; then + # Be the dns server for clients + cat >>$conf <>$conf <>/etc/sysctl.conf <<'EOF' +net.ipv6.conf.all.forwarding=1 +EOF + +fi + + if $route; then - cat >>/etc/openvpn/server.conf <<'EOF' + cat >>$conf <<'EOF' # Be the default gateway for clients. push "redirect-gateway def1" EOF + if [[ $ip6 ]]; then + cat >>$conf <<'EOF' +push "route-ipv6 2000::/3" +EOF + fi fi - -if $dns; then - # Be the dns server for clients - cat >>/etc/openvpn/server.conf <<'EOF' -push "dhcp-option DNS 10.8.0.1" +if [[ $port ]]; then + cat >>$conf < /proc/sys/net/ipv4/ip_forward + sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf cat >>/etc/sysctl.conf <<'EOF' net.ipv4.ip_forward=1 EOF +sysctl -p /etc/sysctl.conf - -gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') +gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p' | head -n1) cat >/etc/systemd/system/vpnnat.service <