X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=blobdiff_plain;f=vpn-server-setup;h=dec98e91385a3cd9619ba218ff8580fa388822b0;hp=8d25c1f4c62918ade08c916ec35c2fa5a3918b51;hb=45b747be876918d04c2013b9ba519a2770b61cd0;hpb=e1e49f58b89db5ea637f2671bf8c1ce35af68e5f

diff --git a/vpn-server-setup b/vpn-server-setup
index 8d25c1f..dec98e9 100755
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -20,14 +20,15 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
 dns=true
+route=true
 case $1 in
-    -d)
-        dns=false
-        ;;
+    -r) route=false ;;
+    -d) dns=false ;;
     -h|--help|*)
         cat <<'EOF'
 usage: ${0##*/} [-d|-h|--help]
 
+-r  Do not push default route
 -d  Do not push dns
 -h --help print help
 
@@ -68,40 +69,55 @@ s/^dh dh1024.pem/dh dh2048.pem/
 /^comp-lzo.*/d
 EOF
 
-teeu() {
-    while read -r line; do
-        grep -xFq "$line" "$1" || echo "$line" | tee -a "$1"
-    done
-}
 
-teeu /etc/openvpn/server.conf <<'EOF'
+cat >>/etc/openvpn/server.conf <<'EOF'
 # not in example config, but openvpn outputs a warning about insecure
 # cipher without a setting like this (the default i can understand due
 # to compatibility issues, but not changing the example config... not
 # cool). exact cipher taken from config of vpn provider I trust. This
 # requires the same setting on the client side.
 cipher aes-256-cbc
+# just sets up the ability to have client specific configs
+client-config-dir /etc/openvpn/client-config
+# 30 days. default is 3600, 1 hour. we momentarily disconnect
+# after this time, and get a new tls key. The idea is that
+# if someone is working very hard to break our encryption,
+# they have less time to do it, and less time in the past
+# for it to be broken. online sources say that there is no
+# good objective idea about what a good value is here, since
+# we don't expect our encryption to be breakable, but 1 hour
+# seems very conservative. Since I want to support hosting
+# a server over the tunnel, having the server break up to once
+# an hour is very tough. I've seen a vpn service that seems
+# very on top of things set this to 5 days.
+reneg-sec 2592000
+EOF
+mkdir -p /etc/openvpn/client-config
+
+if $route; then
+    cat >>/etc/openvpn/server.conf <<'EOF'
 # Be the default gateway for clients.
 push "redirect-gateway def1"
 EOF
+fi
 
 if $dns; then
     # Be the dns server for clients
-    teeu /etc/openvpn/server.conf <<'EOF'
+    cat >>/etc/openvpn/server.conf <<'EOF'
 push "dhcp-option DNS 10.8.0.1"
 EOF
 fi
 
 echo "1" > /proc/sys/net/ipv4/ip_forward
 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
-teeu /etc/sysctl.conf <<'EOF'
+cat >>/etc/sysctl.conf <<'EOF'
 net.ipv4.ip_forward=1
 EOF
 
 
 gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
 
-sudo dd of=/etc/systemd/system/mynat.service <<EOF
+cat >/etc/systemd/system/vpnnat.service <<EOF
 [Unit]
 Description=Turns on nat iptables setting
 
@@ -112,10 +128,10 @@ ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERA
 ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=openvpn.service
 EOF
 systemctl daemon-reload # needed if the file was already there
-systemctl enable mynat.service
-systemctl start mynat.service
+systemctl enable vpnnat.service
+systemctl start vpnnat.service
 
 systemctl restart openvpn@server