-
Notifications
You must be signed in to change notification settings - Fork 7
/
build
209 lines (166 loc) · 8.69 KB
/
build
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
#!/bin/bash
###############################################################################################################
# author: milesgratz
# website: serveradventures.com
# purpose: script to automate OpenVPN configuration on a DigitalOcean Ubuntu/Debian droplet
# links: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04
# links: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
# links: http://www.serveradventures.com/the-adventures/setting-up-your-own-cloud-vpn-server-in-under-30-minutes
################################################################################################################
# define number of client certificates for totally automated script
certqty=''
# check if certificate quantity was already specified, otherwise specify it
if [ -z "$certqty" ];
then
read -p "How many client certificates will you need?: " certqty
if ! [[ "$certqty" =~ ^[0-9]+$ ]];
then
echo '===================================================='
echo 'Certificate quantity must be an integer. Exiting...'
echo '===================================================='
exit
fi
fi
# determine OS
dist=$(lsb_release -si)
ver=$(lsb_release -sr | cut -d. -f1)
# check if Ubuntu 14+ or Debian 8+
if ([ $dist == 'Ubuntu' ] && ( [ $ver == '14' ] || [ $ver == '15' ] || [ $ver = '16' ] )) || ( [ $dist == 'Debian' ] && [ $ver == '8' ] )
then
# detected compatible operating system
echo '===================================================='
echo 'Operating System: Ubuntu 14+ or Debian 8+'
echo
echo 'Starting installation...'
echo '===================================================='
# update and install openvpn easy-rsa ufw vnstat
apt-get update && apt-get -y install openvpn easy-rsa ufw vnstat
# extract default openvpn config files
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
# replace dh1024.pem with dh2048.pem in default openvpn config file
sed -i -e 's/dh1024.pem/dh2048.pem/g' /etc/openvpn/server.conf
# uncomment ;push "redirect-gateway def1 bypass-dhcp"
sed -i -e 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/g' /etc/openvpn/server.conf
# uncomment ;push "dhcp-option DNS 208.67.222.222"
# uncomment ;push "dhcp-option DNS 208.67.220.220"
sed -i -e 's/;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/g' /etc/openvpn/server.conf
sed -i -e 's/;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/g' /etc/openvpn/server.conf
# uncomment ;tls-auth ta.key 0 # This file is secret
sed -i -e 's/;tls-auth ta.key 0/tls-auth ta.key 0/g' /etc/openvpn/server.conf
# uncomment ;user nobody
# uncomment ;group nogroup
sed -i -e 's/;user nobody/user nobody/g' /etc/openvpn/server.conf
sed -i -e 's/;group nogroup/group nogroup/g' /etc/openvpn/server.conf
# enable packet forwarding during runtime
echo 1 > /proc/sys/net/ipv4/ip_forward
# enable packet forwarding permanently
sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
# configure ufw with ssh and openvpn (1194/udp)
ufw allow ssh
ufw allow 1194/udp
# replace ufw policy DEFAULT_FORWARD_POLICY="DROP" to "ACCEPT"
sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw
# split ufw rules into two files
head -n 9 /etc/ufw/before.rules > /etc/ufw/before.rules.topsplit
tail -n +10 /etc/ufw/before.rules > /etc/ufw/before.rules.bottomsplit
# add openvpn rules into ufw topsplit
echo "" >> /etc/ufw/before.rules.topsplit
echo "# START OPENVPN RULES" >> /etc/ufw/before.rules.topsplit
echo "# NAT table rules" >> /etc/ufw/before.rules.topsplit
echo "*nat" >> /etc/ufw/before.rules.topsplit
echo ":POSTROUTING ACCEPT [0:0]" >> /etc/ufw/before.rules.topsplit
echo "# Allow traffic from OpenVPN client to eth0" >> /etc/ufw/before.rules.topsplit
echo "-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE" >> /etc/ufw/before.rules.topsplit
echo "COMMIT" >> /etc/ufw/before.rules.topsplit
echo "# END OPENVPN RULES" >> /etc/ufw/before.rules.topsplit
echo "" >> /etc/ufw/before.rules.topsplit
# combine ufw split files and delete split files
cat /etc/ufw/before.rules.topsplit /etc/ufw/before.rules.bottomsplit > /etc/ufw/before.rules
rm /etc/ufw/before.rules.*split
# enable ufw without confirmation
ufw --force enable
# copy easy-rsa generation scripts
cp -r /usr/share/easy-rsa/ /etc/openvpn
# make storage directory for keys
mkdir /etc/openvpn/easy-rsa/keys
# prepare for certificate generation based on $HOSTNAME
sed -i -e "s|export\ KEY\_EMAIL\=\"me\@myhost\.mydomain\"|export\ KEY\_EMAIL\=\"$(hostname)\@digitalocean.com\"|g" /etc/openvpn/easy-rsa/vars
sed -i -e "s/MyOrganizationalUnit/$(hostname)/g" /etc/openvpn/easy-rsa/vars
sed -i -e "s/EasyRSA/$(hostname)/g" /etc/openvpn/easy-rsa/vars
# generate Diffie-Hellman parameters
openssl dhparam -out /etc/openvpn/dh2048.pem 2048
# build CA and server certificates
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
./build-ca --batch ca
./build-key-server --batch server
# copy certificates to /etc/openvpn
cp /etc/openvpn/easy-rsa/keys/{server.crt,server.key,ca.crt} /etc/openvpn
# create tls-auth key
openvpn --genkey --secret /etc/openvpn/ta.key
# start openvpn service
service openvpn start
# define IP address of server
ip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
# loop to generate client certificates (based on $certqty)
i=1
while [ $i -le $certqty ]; do
# define $client variable with iteration of certificate
client=client$i
# build client certificates
cd /etc/openvpn/easy-rsa
./build-key --batch $client
# create ovpn config file from template
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/$client.ovpn
# replace my-server-1 in client1.ovpn to server IP address
sed -i -e "s/my-server-1/${ip}/g" /etc/openvpn/easy-rsa/keys/$client.ovpn
#uncomment 'user nobody' and 'group nogroup' from client1.ovpn
sed -i -e 's/#user nobody/user nobody/g' /etc/openvpn/easy-rsa/keys/$client.ovpn
sed -i -e 's/#group nogroup/group nogroup/g' /etc/openvpn/easy-rsa/keys/$client.ovpn
# recomment ca.crt, client.crt, and client.key
sed -i -e 's/ca ca.crt/#ca ca.crt/g' /etc/openvpn/easy-rsa/keys/$client.ovpn
sed -i -e 's/cert client.crt/#cert client.crt/g' /etc/openvpn/easy-rsa/keys/$client.ovpn
sed -i -e 's/key client.key/#key client.key/g' /etc/openvpn/easy-rsa/keys/$client.ovpn
# turn on key-direction
echo 'key-direction 1' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
# paste actual certificates into $client.ovpn
echo '<ca>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/$client.ovpn
echo '</ca>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
echo '<cert>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
cat /etc/openvpn/easy-rsa/keys/$client.crt >> /etc/openvpn/easy-rsa/keys/$client.ovpn
echo '</cert>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
echo '<key>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
cat /etc/openvpn/easy-rsa/keys/$client.key >> /etc/openvpn/easy-rsa/keys/$client.ovpn
echo '</key>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
echo '<tls-auth>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
cat /etc/openvpn/ta.key >> /etc/openvpn/easy-rsa/keys/$client.ovpn
echo '</tls-auth>' >> /etc/openvpn/easy-rsa/keys/$client.ovpn
# copy client1.ovpn to /root
cp /etc/openvpn/easy-rsa/keys/$client.ovpn /root/$client.ovpn
# increment $client loop by 1
i=$(($i + 1))
# complete client certificate generation loop
done
# script is finished
echo '========================================================================'
echo 'Completed.'
echo
echo 'Your client configuration file is in /etc/openvpn/easy-rsa/keys'
echo 'It is called "client.ovpn"'
echo
echo 'Download FileZilla, SCP, or comparable SFTP software to retrieve file'
echo
echo ' -------------------------------------------'
echo ' Rebooting in 1 minute to complete configuration...'
echo ' -------------------------------------------'
echo
echo '========================================================================'
shutdown -r +1
else
# could not find compatible operating system
echo '========================================================================'
echo 'ERROR. Could not detect compatible operating system...'
echo '========================================================================'
fi