Init

2025-03-19 19:27:42 -05:00
commit 135626f4a0
2 changed files with 224 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,80 @@
+# OpenVPN Server Setup Script
+
+This script automates the process of setting up an OpenVPN server on a VPS running Ubuntu/Debian. It handles the installation, certificate generation, and configuration of OpenVPN.
+
+## Prerequisites
+
+- A VPS running Ubuntu/Debian
+- Root access to the server
+- OpenSSH access to the server
+
+## Installation
+
+1. Copy the `setup_openvpn.sh` script to your server
+2. Make the script executable:
+   ```bash
+   chmod +x setup_openvpn.sh
+   ```
+3. Run the script as root:
+   ```bash
+   sudo ./setup_openvpn.sh
+   ```
+
+## What the Script Does
+
+1. Updates the system
+2. Installs OpenVPN and required packages
+3. Sets up the PKI (Public Key Infrastructure)
+4. Generates server certificates and keys
+5. Configures the OpenVPN server
+6. Sets up firewall rules
+7. Creates a client certificate generation script
+
+## Generating Client Certificates
+
+After the server is set up, you can generate client certificates using the provided script:
+
+```bash
+sudo /etc/openvpn/server/generate-client.sh <client-name>
+```
+
+This will create a client configuration file in `/etc/openvpn/client/<client-name>.ovpn`
+
+## Connecting to the VPN
+
+1. Copy the generated `.ovpn` file from `/etc/openvpn/client/` to your local machine
+2. Install OpenVPN client on your local machine
+3. Import the `.ovpn` file into your OpenVPN client
+4. Connect to the VPN
+
+## Security Notes
+
+- The script uses UDP port 1194 (default OpenVPN port)
+- AES-256-CBC encryption is used
+- The server uses Google DNS (8.8.8.8 and 8.8.4.4)
+- The VPN subnet is set to 10.8.0.0/24
+- The script enables IP forwarding and configures the firewall
+
+## Troubleshooting
+
+If you encounter any issues:
+
+1. Check the OpenVPN server logs:
+   ```bash
+   sudo journalctl -u openvpn@server
+   ```
+2. Verify the firewall rules:
+   ```bash
+   sudo ufw status
+   ```
+3. Check if the OpenVPN service is running:
+   ```bash
+   sudo systemctl status openvpn@server
+   ```
+
+## Important Files
+
+- Server configuration: `/etc/openvpn/server/server.conf`
+- Client configurations: `/etc/openvpn/client/`
+- Server certificates: `/etc/openvpn/server/`
+- Client certificate generation script: `/etc/openvpn/server/generate-client.sh` 
--- a/setup_openvpn.sh
+++ b/setup_openvpn.sh
@ -0,0 +1,144 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then 
+    echo "Please run as root"
+    exit 1
+fi
+
+# Update system
+echo "Updating system..."
+apt-get update
+apt-get upgrade -y
+
+# Install OpenVPN and required packages
+echo "Installing OpenVPN and required packages..."
+apt-get install -y openvpn easy-rsa ufw
+
+# Create directory for OpenVPN
+echo "Creating OpenVPN directory..."
+mkdir -p /etc/openvpn/server
+mkdir -p /etc/openvpn/client
+
+# Copy easy-rsa files
+echo "Setting up easy-rsa..."
+cp -r /usr/share/easy-rsa/* /etc/openvpn/server/easy-rsa/
+cd /etc/openvpn/server/easy-rsa/
+
+# Initialize PKI
+echo "Initializing PKI..."
+./easyrsa init-pki
+
+# Build CA
+echo "Building CA..."
+./easyrsa build-ca nopass
+
+# Generate server certificate and key
+echo "Generating server certificate and key..."
+./easyrsa gen-req server nopass
+./easyrsa sign-req server server
+
+# Generate Diffie-Hellman parameters
+echo "Generating Diffie-Hellman parameters..."
+./easyrsa gen-dh
+
+# Copy server certificates and keys
+echo "Copying server certificates and keys..."
+cp pki/ca.crt /etc/openvpn/server/
+cp pki/issued/server.crt /etc/openvpn/server/
+cp pki/private/server.key /etc/openvpn/server/
+cp pki/dh.pem /etc/openvpn/server/
+
+# Create server configuration
+echo "Creating server configuration..."
+cat > /etc/openvpn/server/server.conf << EOF
+port 1194
+proto udp
+dev tun
+ca ca.crt
+cert server.crt
+key server.key
+dh dh.pem
+server 10.8.0.0 255.255.255.0
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+keepalive 10 120
+cipher AES-256-CBC
+user nobody
+group nogroup
+persist-key
+persist-tun
+status openvpn-status.log
+verb 3
+EOF
+
+# Enable IP forwarding
+echo "Enabling IP forwarding..."
+echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-openvpn.conf
+sysctl --system
+
+# Configure firewall
+echo "Configuring firewall..."
+ufw allow 1194/udp
+ufw allow OpenSSH
+echo "y" | ufw enable
+
+# Start OpenVPN service
+echo "Starting OpenVPN service..."
+systemctl start openvpn@server
+systemctl enable openvpn@server
+
+# Create client certificate generation script
+echo "Creating client certificate generation script..."
+cat > /etc/openvpn/server/generate-client.sh << 'EOF'
+#!/bin/bash
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <client-name>"
+    exit 1
+fi
+
+CLIENT_NAME=$1
+cd /etc/openvpn/server/easy-rsa
+
+# Generate client certificate and key
+./easyrsa gen-req $CLIENT_NAME nopass
+./easyrsa sign-req client $CLIENT_NAME
+
+# Create client configuration
+cat > /etc/openvpn/client/$CLIENT_NAME.ovpn << EOL
+client
+proto udp
+explicit-exit-notify
+remote $(curl -s ifconfig.me) 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+auth-user-pass auth.txt
+cipher AES-256-CBC
+verb 3
+<ca>
+$(cat /etc/openvpn/server/ca.crt)
+</ca>
+<cert>
+$(cat /etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt)
+</cert>
+<key>
+$(cat /etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key)
+</key>
+EOL
+
+echo "Client configuration created: /etc/openvpn/client/$CLIENT_NAME.ovpn"
+EOF
+
+chmod +x /etc/openvpn/server/generate-client.sh
+
+echo "OpenVPN server setup completed!"
+echo "To generate a client certificate, run: /etc/openvpn/server/generate-client.sh <client-name>"
+echo "The client configuration file will be created in /etc/openvpn/client/"