X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=blobdiff_plain;f=vpn-server-setup;h=dec98e91385a3cd9619ba218ff8580fa388822b0;hp=5c21d4ea250f281756f2697bcfa85c6d90ada81e;hb=45b747be876918d04c2013b9ba519a2770b61cd0;hpb=727a80d387c2cdd395e77e5bfcd1fbf04bf34e3f diff --git a/vpn-server-setup b/vpn-server-setup index 5c21d4e..dec98e9 100755 --- a/vpn-server-setup +++ b/vpn-server-setup @@ -19,19 +19,27 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +dns=true +route=true case $1 in + -r) route=false ;; + -d) dns=false ;; -h|--help|*) cat <<'EOF' -usage: ${0##*/} +usage: ${0##*/} [-d|-h|--help] + +-r Do not push default route +-d Do not push dns +-h --help print help Sets up a vpn server which pushes gateway route and dns server so all traffic goes through the vpn. requires systemd, and might have some debian specific paths. EOF + exit ;; esac - apt-get update # suggests get's us openssl & easy rsa apt-get install --install-suggests -y openvpn @@ -54,34 +62,62 @@ echo -e '\n\n\n\n\n\n\n\n' | ./build-ca cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/ cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn gzip -df /etc/openvpn/server.conf.gz -sed -i --follow-symlinks 's/^dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf +# dh improve security, +# remove comp-lzo to increase perf +sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF' +s/^dh dh1024.pem/dh dh2048.pem/ +/^comp-lzo.*/d +EOF -teeu() { - while read -r line; do - grep -xFq "$line" "$1" || echo "$line" | tee -a "$1" - done -} +cat >>/etc/openvpn/server.conf <<'EOF' +# not in example config, but openvpn outputs a warning about insecure +# cipher without a setting like this (the default i can understand due +# to compatibility issues, but not changing the example config... not +# cool). exact cipher taken from config of vpn provider I trust. This +# requires the same setting on the client side. +cipher aes-256-cbc +# just sets up the ability to have client specific configs +client-config-dir /etc/openvpn/client-config +# 30 days. default is 3600, 1 hour. we momentarily disconnect +# after this time, and get a new tls key. The idea is that +# if someone is working very hard to break our encryption, +# they have less time to do it, and less time in the past +# for it to be broken. online sources say that there is no +# good objective idea about what a good value is here, since +# we don't expect our encryption to be breakable, but 1 hour +# seems very conservative. Since I want to support hosting +# a server over the tunnel, having the server break up to once +# an hour is very tough. I've seen a vpn service that seems +# very on top of things set this to 5 days. +reneg-sec 2592000 +EOF +mkdir -p /etc/openvpn/client-config + +if $route; then + cat >>/etc/openvpn/server.conf <<'EOF' # Be the default gateway for clients. -teeu /etc/openvpn/server.conf <<'EOF' push "redirect-gateway def1" EOF +fi -# Be the dns server for clients -teeu /etc/openvpn/server.conf <<'EOF' +if $dns; then + # Be the dns server for clients + cat >>/etc/openvpn/server.conf <<'EOF' push "dhcp-option DNS 10.8.0.1" EOF +fi echo "1" > /proc/sys/net/ipv4/ip_forward sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf -teeu /etc/sysctl.conf <<'EOF' +cat >>/etc/sysctl.conf <<'EOF' net.ipv4.ip_forward=1 EOF gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') -sudo dd of=/etc/systemd/system/mynat.service </etc/systemd/system/vpnnat.service <