
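#!/bin/bash
#
# setup_openvpn.sh — unattended OpenVPN server bootstrap for Debian/Ubuntu.
#
# Must run as root. Steps:
#   1. Remove any previous install under /etc/openvpn/server and /etc/openvpn/client.
#   2. Install openvpn, easy-rsa, ufw and curl via apt-get.
#   3. Build a fresh Easy-RSA PKI (CA, server cert/key, DH params) in batch mode.
#   4. Write /etc/openvpn/server/server.conf, enable IP forwarding, open the
#      firewall and start the openvpn-server@server systemd unit.
#   5. Install /etc/openvpn/server/generate-client.sh, which issues a client
#      certificate and writes an inline .ovpn profile to /etc/openvpn/client/.
#
# Every step is non-interactive; any failing command aborts the script.
set -euo pipefail

readonly server_dir=/etc/openvpn/server
readonly client_dir=/etc/openvpn/client
readonly easyrsa_dir="${server_dir}/easy-rsa"
# Debian/Ubuntu ship two unit templates: openvpn@.service reads
# /etc/openvpn/<name>.conf, while openvpn-server@.service reads
# /etc/openvpn/server/<name>.conf (and runs with that directory as its working
# directory). This script writes the latter file, so it must manage the latter
# unit, otherwise the service never finds server.conf.
readonly service=openvpn-server@server

# Print an error to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Check if running as root
if [[ "$EUID" -ne 0 ]]; then
  die "Please run as root"
fi

# Clean up any existing installation
echo "Cleaning up any existing installation..."
# Stop both unit names; the legacy openvpn@server is included in case an
# earlier run started it. A unit that is not running is not an error here.
systemctl stop "$service" openvpn@server || true
rm -rf -- "$easyrsa_dir" "${server_dir}/pki"
rm -f -- "${server_dir}"/*.crt "${server_dir}"/*.key "${server_dir}"/*.pem
rm -f -- "${server_dir}/server.conf" "${server_dir}/generate-client.sh"
# ${var:?} aborts rather than expanding to "/*" if the variable were ever empty.
rm -rf -- "${client_dir:?}"/*
# Verify cleanup
if [[ -d "$easyrsa_dir" ]]; then
  die "Failed to remove ${easyrsa_dir}. Please check permissions and try again."
fi

# Update system
echo "Updating system..."
export DEBIAN_FRONTEND=noninteractive   # no dpkg prompts during an unattended run
apt-get update
apt-get upgrade -y

# Install OpenVPN and required packages (curl is used by generate-client.sh)
echo "Installing OpenVPN and required packages..."
apt-get install -y openvpn easy-rsa ufw curl

# Create directories for OpenVPN. Client profiles embed private keys, so the
# client directory is kept root-only.
echo "Creating OpenVPN directory..."
mkdir -p -- "$easyrsa_dir" "$client_dir"
chmod 700 -- "$client_dir"

# Copy easy-rsa files
echo "Setting up easy-rsa..."
cp -a /usr/share/easy-rsa/. "${easyrsa_dir}/"
cd -- "$easyrsa_dir" || die "cannot cd to ${easyrsa_dir}"

# Initialize PKI. --batch suppresses the interactive Common Name and "yes"
# confirmation prompts that would otherwise block an unattended run; the CA and
# server names fall back to Easy-RSA's defaults.
echo "Initializing PKI..."
./easyrsa --batch init-pki
# Build CA
echo "Building CA..."
./easyrsa --batch build-ca nopass
# Generate server certificate and key
echo "Generating server certificate and key..."
./easyrsa --batch gen-req server nopass
./easyrsa --batch sign-req server server
# Generate Diffie-Hellman parameters (slow; the group size follows Easy-RSA's
# default key size)
echo "Generating Diffie-Hellman parameters..."
./easyrsa --batch gen-dh

# Copy server certificates and keys; the private key stays root-only.
echo "Copying server certificates and keys..."
cp -- pki/ca.crt pki/issued/server.crt pki/dh.pem "${server_dir}/"
cp -- pki/private/server.key "${server_dir}/"
chmod 600 -- "${server_dir}/server.key"

# Create server configuration. File paths are relative to /etc/openvpn/server,
# which is the working directory of openvpn-server@.service.
# 'auth SHA256' replaces the SHA1 HMAC OpenVPN would otherwise default to for
# a CBC cipher; the client profile written below carries the same two lines.
# NOTE: 'cipher' is the legacy directive; on OpenVPN 2.5+ the negotiated data
# cipher is governed by data-ciphers, and AES-256-CBC remains the fallback.
echo "Creating server configuration..."
cat > "${server_dir}/server.conf" << 'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF

# Enable IP forwarding
echo "Enabling IP forwarding..."
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-openvpn.conf
sysctl --system

# Configure firewall
# NOTE: only inbound rules are added here. Nothing in this script configures
# NAT (masquerade) or a forward policy for the 10.8.0.0/24 tunnel, so traffic
# that clients send through the pushed redirect-gateway is not routed onward
# until that is set up separately.
echo "Configuring firewall..."
ufw allow 1194/udp
ufw allow OpenSSH
ufw --force enable   # equivalent to answering "y" at the enable prompt

# Start OpenVPN service (enable --now = enable at boot and start immediately)
echo "Starting OpenVPN service..."
systemctl enable --now "$service"

# Create client certificate generation script. The outer here-doc delimiter is
# quoted, so nothing inside expands now; expansions happen when the generated
# script runs.
echo "Creating client certificate generation script..."
cat > "${server_dir}/generate-client.sh" << 'EOF'
#!/bin/bash
# generate-client.sh <client-name>
#
# Issues a client certificate from the Easy-RSA PKI under /etc/openvpn/server
# and writes a self-contained profile to /etc/openvpn/client/<client-name>.ovpn.
# The profile embeds the client's private key, so it is created mode 600.
set -euo pipefail
umask 077

# Print an error to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

if [[ $# -ne 1 || -z "$1" ]]; then
  echo "Usage: $0 <client-name>" >&2
  exit 1
fi
CLIENT_NAME=$1
# The name becomes a file name and an easyrsa argument: restrict it to a safe
# character set so it cannot traverse directories or be parsed as an option.
if [[ ! "$CLIENT_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]]; then
  die "client name must match [A-Za-z0-9][A-Za-z0-9_.-]*"
fi
cd /etc/openvpn/server/easy-rsa || die "cannot cd to /etc/openvpn/server/easy-rsa"
if [[ -e "pki/issued/${CLIENT_NAME}.crt" ]]; then
  die "a certificate for '${CLIENT_NAME}' already exists; revoke it or choose another name"
fi

# Resolve the server's public address once, over TLS, and refuse to write a
# profile with an empty 'remote' line if the lookup fails.
SERVER_IP=$(curl -fsS https://ifconfig.me) || die "could not determine public IP (curl failed)"
[[ -n "$SERVER_IP" ]] || die "could not determine public IP (empty response)"

# Generate client certificate and key (batch mode: no confirmation prompt)
./easyrsa --batch gen-req "$CLIENT_NAME" nopass
./easyrsa --batch sign-req client "$CLIENT_NAME"

# Create client configuration. 'cipher' and 'auth' must match server.conf.
# No 'auth-user-pass' line: server.conf performs no username/password
# verification and no credentials file is ever written, so a profile
# referencing one would fail to start; the server enforces certificate auth only.
OVPN="/etc/openvpn/client/${CLIENT_NAME}.ovpn"
cat > "$OVPN" << EOL
client
proto udp
explicit-exit-notify
remote ${SERVER_IP} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
$(cat /etc/openvpn/server/ca.crt)
</ca>
<cert>
$(cat "/etc/openvpn/server/easy-rsa/pki/issued/${CLIENT_NAME}.crt")
</cert>
<key>
$(cat "/etc/openvpn/server/easy-rsa/pki/private/${CLIENT_NAME}.key")
</key>
EOL
chmod 600 -- "$OVPN"
echo "Client configuration created: ${OVPN}"
EOF
chmod +x -- "${server_dir}/generate-client.sh"

echo "OpenVPN server setup completed!"
echo "To generate a client certificate, run: ${server_dir}/generate-client.sh <client-name>"
echo "The client configuration file will be created in ${client_dir}/"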