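#!/bin/bash
#
# Unattended OpenVPN server installer for apt-based systems (Debian/Ubuntu).
# Must run as root.
#
# Steps:
#   1. Remove any previous PKI/config under /etc/openvpn (see CAUTION).
#   2. Install openvpn, easy-rsa, ufw and curl.
#   3. Build a CA, server certificate, DH parameters and a tls-crypt key with
#      easy-rsa 3 in batch (non-interactive) mode.
#   4. Write /etc/openvpn/server/server.conf (plus the /etc/openvpn/server.conf
#      copy read by openvpn@server), enable IPv4 forwarding, configure ufw
#      (1194/udp, OpenSSH, forwarding + NAT for 10.8.0.0/24) and start the
#      service.
#   5. Install /etc/openvpn/server/generate-client.sh, which issues a client
#      certificate and writes a self-contained .ovpn to /etc/openvpn/client/.
#
# CAUTION: the cleanup step deletes the existing CA. Every client profile issued
# by the old CA stops working and must be regenerated.
#
# Security notes:
#   * The CA private key is stored unencrypted (build-ca nopass) on the VPN
#     server so the script and generate-client.sh can run unattended: anyone
#     with root on this host can issue VPN client certificates.
#   * Client private keys are generated here and embedded in the .ovpn. The
#     file is created 0600, but it still has to reach the user over a trusted
#     channel and should be deleted from this host afterwards.
#   * No certificate revocation is set up (no CRL). Use `easyrsa revoke` +
#     `easyrsa gen-crl` and add `crl-verify` to server.conf if you need it.

set -euo pipefail
export DEBIAN_FRONTEND=noninteractive

readonly OVPN_DIR=/etc/openvpn
readonly SERVER_DIR="${OVPN_DIR}/server"
readonly CLIENT_DIR="${OVPN_DIR}/client"
readonly EASYRSA_DIR="${SERVER_DIR}/easy-rsa"
readonly VPN_PORT=1194
readonly VPN_NET=10.8.0.0
readonly VPN_MASK=255.255.255.0
readonly VPN_CIDR=10.8.0.0/24

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

if (( EUID != 0 )); then
  echo "Please run as root" >&2
  exit 1
fi

# --- Clean up any existing installation ------------------------------------
echo "Cleaning up any existing installation..."
systemctl stop openvpn@server 2>/dev/null || true   # unit absent/stopped is fine
rm -rf -- "${EASYRSA_DIR}" "${SERVER_DIR}/pki"
rm -f -- "${SERVER_DIR}"/*.crt "${SERVER_DIR}"/*.key "${SERVER_DIR}"/*.pem
rm -f -- "${SERVER_DIR}/server.conf" "${SERVER_DIR}/generate-client.sh"
rm -rf -- "${CLIENT_DIR:?}"/*
rm -f -- "${OVPN_DIR}/server.conf"
if [[ -d "${EASYRSA_DIR}" ]]; then
  die "Failed to remove ${EASYRSA_DIR}. Please check permissions and try again."
fi

# --- Packages ---------------------------------------------------------------
echo "Updating system..."
apt-get update
apt-get upgrade -y
echo "Installing OpenVPN and required packages..."
apt-get install -y openvpn easy-rsa ufw curl

# --- PKI --------------------------------------------------------------------
echo "Setting up easy-rsa..."
mkdir -p "${EASYRSA_DIR}" "${CLIENT_DIR}"
cp -r /usr/share/easy-rsa/* "${EASYRSA_DIR}/"
cd "${EASYRSA_DIR}" || die "cannot cd to ${EASYRSA_DIR}"

# Batch mode suppresses easy-rsa's interactive "type yes to confirm" prompts
# (sign-req asks for one) so the script runs unattended.
export EASYRSA_BATCH=1

echo "Initializing PKI..."
./easyrsa init-pki
echo "Building CA..."
./easyrsa build-ca nopass
echo "Generating server certificate and key..."
./easyrsa gen-req server nopass
./easyrsa sign-req server server
echo "Generating Diffie-Hellman parameters..."
./easyrsa gen-dh

echo "Copying server certificates and keys..."
install -m 0644 pki/ca.crt "${SERVER_DIR}/ca.crt"
install -m 0644 pki/issued/server.crt "${SERVER_DIR}/server.crt"
install -m 0600 pki/private/server.key "${SERVER_DIR}/server.key"
install -m 0644 pki/dh.pem "${SERVER_DIR}/dh.pem"

echo "Generating tls-crypt key..."
# tls-crypt authenticates and encrypts the TLS control channel with a
# pre-shared key, so peers without it cannot even begin a handshake.
# OpenVPN 2.5+ spells this `--genkey secret FILE`; 2.4 needs `--genkey --secret`.
openvpn --genkey secret "${SERVER_DIR}/tc.key" 2>/dev/null \
  || openvpn --genkey --secret "${SERVER_DIR}/tc.key"
chmod 0600 "${SERVER_DIR}/tc.key"

# --- Server configuration ---------------------------------------------------
echo "Creating server configuration..."
cat > "${SERVER_DIR}/server.conf" <<EOF
port ${VPN_PORT}
proto udp
dev tun
ca ${SERVER_DIR}/ca.crt
cert ${SERVER_DIR}/server.crt
key ${SERVER_DIR}/server.key
dh ${SERVER_DIR}/dh.pem
# Pre-shared key protecting the control channel; inlined into every client profile.
tls-crypt ${SERVER_DIR}/tc.key
tls-version-min 1.2
server ${VPN_NET} ${VPN_MASK}
# Route all client traffic through the tunnel. DNS is Google Public DNS;
# change it if you run your own resolver.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
# Fallback data-channel cipher for peers that cannot negotiate one (OpenVPN
# 2.4+ peers normally negotiate AES-GCM instead). `auth SHA256` replaces the
# SHA1 default HMAC used with the CBC fallback; it must match the client profile.
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
EOF

echo "Creating log directory..."
mkdir -p /var/log/openvpn

# openvpn@server reads /etc/openvpn/server.conf; keep that copy in sync.
echo "Copying server.conf to the correct location for systemd..."
cp "${SERVER_DIR}/server.conf" "${OVPN_DIR}/server.conf"

# --- IP forwarding ----------------------------------------------------------
echo "Enabling IP forwarding..."
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-openvpn.conf
sysctl --system

# --- Firewall / NAT ---------------------------------------------------------
echo "Configuring firewall..."
# Interface of the default route. Field position of "dev" varies
# ("default via X dev Y" vs "default dev Y"), so search for it instead of
# assuming column 5; take only the first default route if there are several.
primary_nic=$(ip -4 route show default \
  | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
[[ -n "${primary_nic}" ]] || die "Could not determine the default-route interface"
echo "Primary network interface: ${primary_nic}"

ufw allow "${VPN_PORT}/udp"
ufw allow OpenSSH
# Forward tunnel traffic to the uplink (tun0 = first `dev tun`); return
# traffic is matched by ufw's own established/related rule.
ufw route allow in on tun0 out on "${primary_nic}"

# NAT is kept in ufw's before.rules rather than added with a bare `iptables`
# call: rules added outside ufw do not survive a ufw reload or a reboot,
# whereas ufw re-applies this file every time it starts.
if ! grep -q '^# BEGIN OPENVPN NAT' /etc/ufw/before.rules; then
  cat >> /etc/ufw/before.rules <<EOF

# BEGIN OPENVPN NAT (managed by the OpenVPN setup script)
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${VPN_CIDR} -o ${primary_nic} -j MASQUERADE
COMMIT
# END OPENVPN NAT
EOF
fi

ufw --force enable
ufw reload   # make sure the before.rules change is loaded even if ufw was already active

# --- Service ----------------------------------------------------------------
echo "Starting OpenVPN service..."
systemctl enable --now openvpn@server

# --- Client profile generator ----------------------------------------------
echo "Creating client certificate generation script..."
cat > "${SERVER_DIR}/generate-client.sh" <<'EOF'
#!/bin/bash
#
# generate-client.sh <client-name>
#
# Issues a client certificate from the local easy-rsa CA and writes a
# self-contained /etc/openvpn/client/<client-name>.ovpn (CA, certificate,
# private key and tls-crypt key inlined). Run as root on the VPN server.
#
# The server address written into the profile is $OPENVPN_SERVER_ADDR when
# set; otherwise the host's public IP is looked up via https://ifconfig.me.
# Set the variable when the server is behind NAT or reachable by DNS name.
#
# No username/password authentication is configured on the server, so the
# profile carries none; the client certificate is the only credential.
set -euo pipefail

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

if [[ $# -ne 1 || -z "$1" ]]; then
  echo "Usage: $0 <client-name>" >&2
  exit 1
fi
CLIENT_NAME=$1
# The name becomes a file name and an easy-rsa argument: restrict it to a
# safe character set so a crafted value cannot escape the output directory
# or be parsed as an option.
if [[ ! "${CLIENT_NAME}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
  die "client name may contain only letters, digits, '_', '-' and '.' and must not start with '.' or '-'"
fi

readonly SERVER_DIR=/etc/openvpn/server
readonly CLIENT_DIR=/etc/openvpn/client
readonly PKI_DIR="${SERVER_DIR}/easy-rsa/pki"
readonly OUT="${CLIENT_DIR}/${CLIENT_NAME}.ovpn"

# The profile contains a private key: create it readable by root only.
umask 077
mkdir -p "${CLIENT_DIR}"
if [[ -e "${OUT}" ]]; then
  die "${OUT} already exists; remove it (and revoke the old certificate) first"
fi

cd "${SERVER_DIR}/easy-rsa" || die "cannot cd to ${SERVER_DIR}/easy-rsa"
export EASYRSA_BATCH=1   # no interactive confirmation prompt on sign-req
./easyrsa gen-req "${CLIENT_NAME}" nopass
./easyrsa sign-req client "${CLIENT_NAME}"

server_addr=${OPENVPN_SERVER_ADDR:-}
if [[ -z "${server_addr}" ]]; then
  # HTTPS so an on-path attacker cannot substitute the address every client
  # will connect to; -f turns an HTTP error into a failure instead of writing
  # an error page into the profile.
  server_addr=$(curl -fsS https://ifconfig.me) \
    || die "public IP lookup failed; set OPENVPN_SERVER_ADDR and retry"
fi
if [[ ! "${server_addr}" =~ ^[A-Za-z0-9.:-]+$ ]]; then
  die "unexpected server address '${server_addr}'; set OPENVPN_SERVER_ADDR explicitly"
fi

# easy-rsa's issued .crt contains a text dump before the PEM block; extract
# the bare PEM so the inline <cert> block holds only what OpenVPN needs.
ca_pem=$(openssl x509 -in "${SERVER_DIR}/ca.crt")
cert_pem=$(openssl x509 -in "${PKI_DIR}/issued/${CLIENT_NAME}.crt")
key_pem=$(cat "${PKI_DIR}/private/${CLIENT_NAME}.key")
tc_pem=$(cat "${SERVER_DIR}/tc.key")

cat > "${OUT}" <<EOL
client
proto udp
dev tun
explicit-exit-notify
remote ${server_addr} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Refuse a peer whose certificate is not marked for server use (blocks a
# MITM holding only another client certificate).
remote-cert-tls server
tls-version-min 1.2
# Must match server.conf.
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
${ca_pem}
</ca>
<cert>
${cert_pem}
</cert>
<key>
${key_pem}
</key>
<tls-crypt>
${tc_pem}
</tls-crypt>
EOL

echo "Client configuration created: ${OUT}"
echo "Deliver it to the user over a secure channel and delete it from this host afterwards."
EOF
chmod 0755 "${SERVER_DIR}/generate-client.sh"

echo "OpenVPN server setup completed!"
echo "To generate a client certificate, run: ${SERVER_DIR}/generate-client.sh <client-name>"
echo "The client configuration file will be created in ${CLIENT_DIR}/"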