Remove installing ufw

generate-client.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then 
+    echo "Please run as root"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <client-name>"
+    exit 1
+fi
+
+CLIENT_NAME=$1
+cd /etc/openvpn/server/easy-rsa
+
+# Generate client certificate and key
+./easyrsa gen-req $CLIENT_NAME nopass
+./easyrsa sign-req client $CLIENT_NAME
+
+# Make sure client directory exists
+mkdir -p /etc/openvpn/client
+
+# Create client configuration
+cat > /etc/openvpn/client/$CLIENT_NAME.ovpn << EOL
+client
+dev tun
+proto udp4
+remote $(curl -s -4 ifconfig.me) 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+remote-cert-tls server
+cipher AES-256-GCM
+data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:CHACHA20-POLY1305
+block-outside-dns
+verb 3
+dhcp-option DNS 1.1.1.1
+dhcp-option DNS 1.0.0.1
+<ca>
+$(cat /etc/openvpn/server/ca.crt)
+</ca>
+<cert>
+$(cat /etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt)
+</cert>
+<key>
+$(cat /etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key)
+</key>
+EOL
+
+# Copy the configuration file to the current working directory
+WORKING_DIR=$(pwd)
+cp /etc/openvpn/client/$CLIENT_NAME.ovpn $WORKING_DIR/
+chmod 644 $WORKING_DIR/$CLIENT_NAME.ovpn
+
+echo "Client configuration created: /etc/openvpn/client/$CLIENT_NAME.ovpn"
+echo "A copy has also been saved to: $WORKING_DIR/$CLIENT_NAME.ovpn" 

setup_openvpn.sh

@@ -11,6 +11,7 @@ fi
 
 # Clean up any existing installation
 echo "Cleaning up any existing installation..."
+systemctl stop openvpn@server || true
 rm -rf /etc/openvpn/server/easy-rsa
 rm -rf /etc/openvpn/server/pki
 rm -f /etc/openvpn/server/*.crt
@@ -18,6 +19,14 @@ rm -f /etc/openvpn/server/*.key
 rm -f /etc/openvpn/server/*.pem
 rm -f /etc/openvpn/server/server.conf
 rm -f /etc/openvpn/server/generate-client.sh
+rm -rf /etc/openvpn/client/*
+rm -f /etc/openvpn/server.conf
+
+# Verify cleanup
+if [ -d "/etc/openvpn/server/easy-rsa" ]; then
+    echo "Failed to remove easy-rsa directory. Please check permissions and try again."
+    exit 1
+fi
 
 # Update system
 echo "Updating system..."
@@ -26,7 +35,7 @@ apt-get upgrade -y
 
 # Install OpenVPN and required packages
 echo "Installing OpenVPN and required packages..."
-apt-get install -y openvpn easy-rsa ufw
+apt-get install -y openvpn easy-rsa
 
 # Create directory for OpenVPN
 echo "Creating OpenVPN directory..."
@@ -35,7 +44,7 @@ mkdir -p /etc/openvpn/client
 
 # Copy easy-rsa files
 echo "Setting up easy-rsa..."
-make-cadir /etc/openvpn/server/easy-rsa
+cp -r /usr/share/easy-rsa/* /etc/openvpn/server/easy-rsa/
 cd /etc/openvpn/server/easy-rsa/
 
 # Initialize PKI
@@ -66,26 +75,36 @@ cp pki/dh.pem /etc/openvpn/server/
 echo "Creating server configuration..."
 cat > /etc/openvpn/server/server.conf << EOF
 port 1194
-proto udp
+proto udp4
 dev tun
-ca ca.crt
+ca /etc/openvpn/server/ca.crt
-cert server.crt
+cert /etc/openvpn/server/server.crt
-key server.key
+key /etc/openvpn/server/server.key
-dh dh.pem
+dh /etc/openvpn/server/dh.pem
 server 10.8.0.0 255.255.255.0
 push "redirect-gateway def1 bypass-dhcp"
-push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 1.1.1.1"
-push "dhcp-option DNS 8.8.4.4"
+push "dhcp-option DNS 1.0.0.1"
+push "block-outside-dns"
 keepalive 10 120
-cipher AES-256-CBC
+cipher AES-256-GCM
 user nobody
 group nogroup
 persist-key
 persist-tun
-status openvpn-status.log
+status /var/log/openvpn/openvpn-status.log
+log-append /var/log/openvpn/openvpn.log
 verb 3
 EOF
 
+# Make sure log directory exists
+echo "Creating log directory..."
+mkdir -p /var/log/openvpn
+
+# Copy server.conf to the correct location for systemd
+echo "Copying server.conf to the correct location for systemd..."
+cp /etc/openvpn/server/server.conf /etc/openvpn/server.conf
+
 # Enable IP forwarding
 echo "Enabling IP forwarding..."
 echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-openvpn.conf
@@ -93,18 +112,44 @@ sysctl --system
 
 # Configure firewall
 echo "Configuring firewall..."
-ufw allow 1194/udp
+# Allow OpenVPN and SSH traffic
-ufw allow OpenSSH
+iptables -A INPUT -p udp --dport 1194 -j ACCEPT
-echo "y" | ufw enable
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+# Allow established connections
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Allow loopback interface
+iptables -A INPUT -i lo -j ACCEPT
 
-# Start OpenVPN service
+# Set up NAT for VPN clients
-echo "Starting OpenVPN service..."
+echo "Setting up NAT for VPN clients..."
-systemctl start openvpn@server
+# Get the primary network interface
+PRIMARY_NIC=$(ip route | grep default | awk '{print $5}')
+echo "Primary network interface: $PRIMARY_NIC"
+
+# Add NAT rules
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $PRIMARY_NIC -j MASQUERADE
+iptables -A FORWARD -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Make NAT rules persistent
+echo "Making NAT rules persistent..."
+apt-get install -y iptables-persistent
+echo "y" | netfilter-persistent save
+
+# Start and enable OpenVPN service
+echo "Starting and enabling OpenVPN service..."
+systemctl daemon-reload
 systemctl enable openvpn@server
+systemctl restart openvpn@server
+sleep 2
+
+# Verify the service is running
+echo "Verifying OpenVPN service status..."
+systemctl status openvpn@server || true
 
 # Create client certificate generation script
 echo "Creating client certificate generation script..."
-cat > /etc/openvpn/server/generate-client.sh << 'EOF'
+cat > /etc/openvpn/server/generate-client.sh << 'ENDOFFILE'
 #!/bin/bash
 
 if [ -z "$1" ]; then
@@ -119,33 +164,45 @@ cd /etc/openvpn/server/easy-rsa
 ./easyrsa gen-req $CLIENT_NAME nopass
 ./easyrsa sign-req client $CLIENT_NAME
 
+# Make sure client directory exists
+mkdir -p /etc/openvpn/client
+
 # Create client configuration
 cat > /etc/openvpn/client/$CLIENT_NAME.ovpn << EOL
 client
-proto udp
+dev tun
-explicit-exit-notify
+proto udp4
-remote $(curl -s ifconfig.me) 1194
+remote \$(curl -s -4 ifconfig.me) 1194
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 remote-cert-tls server
-auth-user-pass auth.txt
+cipher AES-256-GCM
-cipher AES-256-CBC
+data-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:CHACHA20-POLY1305
+block-outside-dns
 verb 3
+dhcp-option DNS 1.1.1.1
+dhcp-option DNS 1.0.0.1
 <ca>
-$(cat /etc/openvpn/server/ca.crt)
+\$(cat /etc/openvpn/server/ca.crt)
 </ca>
 <cert>
-$(cat /etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt)
+\$(cat /etc/openvpn/server/easy-rsa/pki/issued/\$CLIENT_NAME.crt)
 </cert>
 <key>
-$(cat /etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key)
+\$(cat /etc/openvpn/server/easy-rsa/pki/private/\$CLIENT_NAME.key)
 </key>
 EOL
 
-echo "Client configuration created: /etc/openvpn/client/$CLIENT_NAME.ovpn"
+# Copy the configuration file to the current working directory
-EOF
+WORKING_DIR=\$(dirname \$(readlink -f \$0))
+cp /etc/openvpn/client/\$CLIENT_NAME.ovpn \$WORKING_DIR/
+chmod 644 \$WORKING_DIR/\$CLIENT_NAME.ovpn
+
+echo "Client configuration created: /etc/openvpn/client/\$CLIENT_NAME.ovpn"
+echo "A copy has also been saved to: \$WORKING_DIR/\$CLIENT_NAME.ovpn"
+ENDOFFILE
 
 chmod +x /etc/openvpn/server/generate-client.sh