From 135626f4a0dd0e49d08e6ea8fbc247d697f50e11 Mon Sep 17 00:00:00 2001
From: master
Date: Wed, 19 Mar 2025 19:27:42 -0500
Subject: [PATCH] Init
---
 README.md | 80 ++++++++++++++++++++++++++
 setup_openvpn.sh | 144 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 224 insertions(+)
 create mode 100644 README.md
 create mode 100644 setup_openvpn.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f88fcff
--- /dev/null
+++ b/README.md
@@ -0,0 +1,80 @@
+# OpenVPN Server Setup Script
+
+This script automates the process of setting up an OpenVPN server on a VPS running Ubuntu/Debian. It handles the installation, certificate generation, and configuration of OpenVPN.
+
+## Prerequisites
+
+- A VPS running Ubuntu/Debian
+- Root access to the server
+- OpenSSH access to the server
+
+## Installation
+
+1. Copy the `setup_openvpn.sh` script to your server
+2. Make the script executable:
+ ```bash
+ chmod +x setup_openvpn.sh
+ ```
+3. Run the script as root:
+ ```bash
+ sudo ./setup_openvpn.sh
+ ```
+
+## What the Script Does
+
+1. Updates the system
+2. Installs OpenVPN and required packages
+3. Sets up the PKI (Public Key Infrastructure)
+4. Generates server certificates and keys
+5. Configures the OpenVPN server
+6. Sets up firewall rules
+7. Creates a client certificate generation script
+
+## Generating Client Certificates
+
+After the server is set up, you can generate client certificates using the provided script:
+
+```bash
+sudo /etc/openvpn/server/generate-client.sh
+```
+
+This will create a client configuration file in `/etc/openvpn/client/.ovpn`
+
+## Connecting to the VPN
+
+1. Copy the generated `.ovpn` file from `/etc/openvpn/client/` to your local machine
+2. Install OpenVPN client on your local machine
+3. Import the `.ovpn` file into your OpenVPN client
+4. Connect to the VPN
+
+## Security Notes
+
+- The script uses UDP port 1194 (default OpenVPN port)
+- AES-256-CBC encryption is used
+- The server uses Google DNS (8.8.8.8 and 8.8.4.4)
+- The VPN subnet is set to 10.8.0.0/24
+- The script enables IP forwarding and configures the firewall
+
+## Troubleshooting
+
+If you encounter any issues:
+
+1. Check the OpenVPN server logs:
+ ```bash
+ sudo journalctl -u openvpn@server
+ ```
+2. Verify the firewall rules:
+ ```bash
+ sudo ufw status
+ ```
+3. Check if the OpenVPN service is running:
+ ```bash
+ sudo systemctl status openvpn@server
+ ```
+
+## Important Files
+
+- Server configuration: `/etc/openvpn/server/server.conf`
+- Client configurations: `/etc/openvpn/client/`
+- Server certificates: `/etc/openvpn/server/`
+- Client certificate generation script: `/etc/openvpn/server/generate-client.sh`
\ No newline at end of file
diff --git a/setup_openvpn.sh b/setup_openvpn.sh
new file mode 100644
index 0000000..74de992
--- /dev/null
+++ b/setup_openvpn.sh
@@ -0,0 +1,144 @@
+#!/bin/bash
+
+# Exit on error
+set -e
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+ echo "Please run as root"
+ exit 1
+fi
+
+# Update system
+echo "Updating system..."
+apt-get update
+apt-get upgrade -y
+
+# Install OpenVPN and required packages
+echo "Installing OpenVPN and required packages..."
+apt-get install -y openvpn easy-rsa ufw
+
+# Create directory for OpenVPN
+echo "Creating OpenVPN directory..."
+mkdir -p /etc/openvpn/server
+mkdir -p /etc/openvpn/client
+
+# Copy easy-rsa files
+echo "Setting up easy-rsa..."
+cp -r /usr/share/easy-rsa/* /etc/openvpn/server/easy-rsa/
+cd /etc/openvpn/server/easy-rsa/
+
+# Initialize PKI
+echo "Initializing PKI..."
+./easyrsa init-pki
+
+# Build CA
+echo "Building CA..."
+./easyrsa build-ca nopass
+
+# Generate server certificate and key
+echo "Generating server certificate and key..."
+./easyrsa gen-req server nopass
+./easyrsa sign-req server server
+
+# Generate Diffie-Hellman parameters
+echo "Generating Diffie-Hellman parameters..."
+./easyrsa gen-dh
+
+# Copy server certificates and keys
+echo "Copying server certificates and keys..."
+cp pki/ca.crt /etc/openvpn/server/
+cp pki/issued/server.crt /etc/openvpn/server/
+cp pki/private/server.key /etc/openvpn/server/
+cp pki/dh.pem /etc/openvpn/server/
+
+# Create server configuration
+echo "Creating server configuration..."
+cat > /etc/openvpn/server/server.conf << EOF
+port 1194
+proto udp
+dev tun
+ca ca.crt
+cert server.crt
+key server.key
+dh dh.pem
+server 10.8.0.0 255.255.255.0
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+keepalive 10 120
+cipher AES-256-CBC
+user nobody
+group nogroup
+persist-key
+persist-tun
+status openvpn-status.log
+verb 3
+EOF
+
+# Enable IP forwarding
+echo "Enabling IP forwarding..."
+echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-openvpn.conf
+sysctl --system
+
+# Configure firewall
+echo "Configuring firewall..."
+ufw allow 1194/udp
+ufw allow OpenSSH
+echo "y" | ufw enable
+
+# Start OpenVPN service
+echo "Starting OpenVPN service..."
+systemctl start openvpn@server
+systemctl enable openvpn@server
+
+# Create client certificate generation script
+echo "Creating client certificate generation script..."
+cat > /etc/openvpn/server/generate-client.sh << 'EOF'
+#!/bin/bash
+
+if [ -z "$1" ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+CLIENT_NAME=$1
+cd /etc/openvpn/server/easy-rsa
+
+# Generate client certificate and key
+./easyrsa gen-req $CLIENT_NAME nopass
+./easyrsa sign-req client $CLIENT_NAME
+
+# Create client configuration
+cat > /etc/openvpn/client/$CLIENT_NAME.ovpn << EOL
+client
+proto udp
+explicit-exit-notify
+remote $(curl -s ifconfig.me) 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+auth-user-pass auth.txt
+cipher AES-256-CBC
+verb 3
+
+$(cat /etc/openvpn/server/ca.crt)
+
+
+$(cat /etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt)
+
+
+$(cat /etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key)
+
+EOL
+
+echo "Client configuration created: /etc/openvpn/client/$CLIENT_NAME.ovpn"
+EOF
+
+chmod +x /etc/openvpn/server/generate-client.sh
+
+echo "OpenVPN server setup completed!"
+echo "To generate a client certificate, run: /etc/openvpn/server/generate-client.sh "
+echo "The client configuration file will be created in /etc/openvpn/client/"
\ No newline at end of file
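Review bot: `cp -r /usr/share/easy-rsa/* /etc/openvpn/server/easy-rsa/` targets a directory nothing has created (only `/etc/openvpn/server` and `/etc/openvpn/client` get a `mkdir -p`), so with several source entries cp fails with "target is not a directory" and `set -e` stops the script before the PKI is built; add `mkdir -p /etc/openvpn/server/easy-rsa` before the copy. In `generate-client.sh`, the `.ovpn` written by the `cat > /etc/openvpn/client/$CLIENT_NAME.ovpn` here-doc embeds the client's private key but is created with whatever umask the caller has, so put `umask 077` at the top of that script (or `chmod 600` the file after the here-doc) and quote `"$CLIENT_NAME"` in the easyrsa and path arguments. The client profile also sets `auth-user-pass auth.txt` although `server.conf` configures no user/password verification and no `auth.txt` is ever created, so that line should be removed or backed by a server-side auth plugin, and `cipher AES-256-CBC` on both sides should become `data-ciphers AES-256-GCM` on OpenVPN 2.5+ where the CBC data-channel cipher is deprecated. `push "redirect-gateway def1 bypass-dhcp"` routes all client traffic through the server, yet the firewall block only opens 1194/udp and SSH with no forward-accept or masquerade rule for 10.8.0.0/24, so connected clients will have no outbound connectivity until a NAT rule is added to `/etc/ufw/before.rules` and `DEFAULT_FORWARD_POLICY` is set to ACCEPT in `/etc/default/ufw`. The inline ca/cert/key tags around the embedded PEM blocks and the argument placeholder in the usage string appear to have been stripped by this rendering, so I have not counted them as defects.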