201 lines
5.1 KiB
Bash
Executable File
201 lines
5.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Exit on error
|
|
set -e
|
|
|
|
# Check if running as root
|
|
if [ "$EUID" -ne 0 ]; then
|
|
echo "Please run as root"
|
|
exit 1
|
|
fi
|
|
|
|
# Clean up any existing installation
|
|
echo "Cleaning up any existing installation..."
|
|
systemctl stop openvpn@server || true
|
|
rm -rf /etc/openvpn/server/easy-rsa
|
|
rm -rf /etc/openvpn/server/pki
|
|
rm -f /etc/openvpn/server/*.crt
|
|
rm -f /etc/openvpn/server/*.key
|
|
rm -f /etc/openvpn/server/*.pem
|
|
rm -f /etc/openvpn/server/server.conf
|
|
rm -f /etc/openvpn/server/generate-client.sh
|
|
rm -rf /etc/openvpn/client/*
|
|
rm -f /etc/openvpn/server.conf
|
|
|
|
# Verify cleanup
|
|
if [ -d "/etc/openvpn/server/easy-rsa" ]; then
|
|
echo "Failed to remove easy-rsa directory. Please check permissions and try again."
|
|
exit 1
|
|
fi
|
|
|
|
# Update system
|
|
echo "Updating system..."
|
|
apt-get update
|
|
apt-get upgrade -y
|
|
|
|
# Install OpenVPN and required packages
|
|
echo "Installing OpenVPN and required packages..."
|
|
apt-get install -y openvpn easy-rsa ufw
|
|
|
|
# Create directory for OpenVPN
|
|
echo "Creating OpenVPN directory..."
|
|
mkdir -p /etc/openvpn/server/easy-rsa
|
|
mkdir -p /etc/openvpn/client
|
|
|
|
# Copy easy-rsa files
|
|
echo "Setting up easy-rsa..."
|
|
cp -r /usr/share/easy-rsa/* /etc/openvpn/server/easy-rsa/
|
|
cd /etc/openvpn/server/easy-rsa/
|
|
|
|
# Initialize PKI
|
|
echo "Initializing PKI..."
|
|
./easyrsa init-pki
|
|
|
|
# Build CA
|
|
echo "Building CA..."
|
|
./easyrsa build-ca nopass
|
|
|
|
# Generate server certificate and key
|
|
echo "Generating server certificate and key..."
|
|
./easyrsa gen-req server nopass
|
|
./easyrsa sign-req server server
|
|
|
|
# Generate Diffie-Hellman parameters
|
|
echo "Generating Diffie-Hellman parameters..."
|
|
./easyrsa gen-dh
|
|
|
|
# Copy server certificates and keys
|
|
echo "Copying server certificates and keys..."
|
|
cp pki/ca.crt /etc/openvpn/server/
|
|
cp pki/issued/server.crt /etc/openvpn/server/
|
|
cp pki/private/server.key /etc/openvpn/server/
|
|
cp pki/dh.pem /etc/openvpn/server/
|
|
|
|
# Create server configuration
|
|
echo "Creating server configuration..."
|
|
cat > /etc/openvpn/server/server.conf << EOF
|
|
port 1194
|
|
proto udp
|
|
dev tun
|
|
ca /etc/openvpn/server/ca.crt
|
|
cert /etc/openvpn/server/server.crt
|
|
key /etc/openvpn/server/server.key
|
|
dh /etc/openvpn/server/dh.pem
|
|
server 10.8.0.0 255.255.255.0
|
|
push "redirect-gateway def1 bypass-dhcp"
|
|
push "dhcp-option DNS 8.8.8.8"
|
|
push "dhcp-option DNS 8.8.4.4"
|
|
keepalive 10 120
|
|
cipher AES-256-CBC
|
|
user nobody
|
|
group nogroup
|
|
persist-key
|
|
persist-tun
|
|
status /var/log/openvpn/openvpn-status.log
|
|
log-append /var/log/openvpn/openvpn.log
|
|
verb 3
|
|
EOF
|
|
|
|
# Make sure log directory exists
|
|
echo "Creating log directory..."
|
|
mkdir -p /var/log/openvpn
|
|
|
|
# Copy server.conf to the correct location for systemd
|
|
echo "Copying server.conf to the correct location for systemd..."
|
|
cp /etc/openvpn/server/server.conf /etc/openvpn/server.conf
|
|
|
|
# Enable IP forwarding
|
|
echo "Enabling IP forwarding..."
|
|
echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/99-openvpn.conf
|
|
sysctl --system
|
|
|
|
# Configure firewall
|
|
echo "Configuring firewall..."
|
|
ufw allow 1194/udp
|
|
ufw allow OpenSSH
|
|
|
|
# Set up NAT for VPN clients
|
|
echo "Setting up NAT for VPN clients..."
|
|
# Get the primary network interface
|
|
PRIMARY_NIC=$(ip route | grep default | awk '{print $5}')
|
|
echo "Primary network interface: $PRIMARY_NIC"
|
|
|
|
# Add NAT rules
|
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $PRIMARY_NIC -j MASQUERADE
|
|
iptables -A FORWARD -s 10.8.0.0/24 -m state --state NEW -j ACCEPT
|
|
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
|
|
# Make NAT rules persistent
|
|
echo "Making NAT rules persistent..."
|
|
apt-get install -y iptables-persistent
|
|
echo "y" | netfilter-persistent save
|
|
|
|
echo "y" | ufw enable
|
|
|
|
# Start OpenVPN service
|
|
echo "Starting OpenVPN service..."
|
|
systemctl start openvpn@server
|
|
systemctl enable openvpn@server
|
|
|
|
# Create client certificate generation script
|
|
echo "Creating client certificate generation script..."
|
|
cat > /etc/openvpn/server/generate-client.sh << 'EOF'
|
|
#!/bin/bash
|
|
|
|
if [ -z "$1" ]; then
|
|
echo "Usage: $0 <client-name>"
|
|
exit 1
|
|
fi
|
|
|
|
CLIENT_NAME=$1
|
|
cd /etc/openvpn/server/easy-rsa
|
|
|
|
# Generate client certificate and key
|
|
./easyrsa gen-req $CLIENT_NAME nopass
|
|
./easyrsa sign-req client $CLIENT_NAME
|
|
|
|
# Make sure client directory exists
|
|
mkdir -p /etc/openvpn/client
|
|
|
|
# Create client configuration
|
|
cat > /etc/openvpn/client/$CLIENT_NAME.ovpn << EOL
|
|
client
|
|
proto udp
|
|
dev tun
|
|
explicit-exit-notify
|
|
remote $(curl -s ifconfig.me) 1194
|
|
resolv-retry infinite
|
|
nobind
|
|
persist-key
|
|
persist-tun
|
|
remote-cert-tls server
|
|
auth-user-pass auth.txt
|
|
cipher AES-256-CBC
|
|
verb 3
|
|
<ca>
|
|
$(cat /etc/openvpn/server/ca.crt)
|
|
</ca>
|
|
<cert>
|
|
$(cat /etc/openvpn/server/easy-rsa/pki/issued/$CLIENT_NAME.crt)
|
|
</cert>
|
|
<key>
|
|
$(cat /etc/openvpn/server/easy-rsa/pki/private/$CLIENT_NAME.key)
|
|
</key>
|
|
EOL
|
|
|
|
# Create auth.txt file
|
|
cat > /etc/openvpn/client/auth.txt << EOL
|
|
# Add your username and password here if needed
|
|
# username
|
|
# password
|
|
EOL
|
|
|
|
echo "Client configuration created: /etc/openvpn/client/$CLIENT_NAME.ovpn"
|
|
echo "Don't forget to configure auth.txt with your credentials if needed"
|
|
EOF
|
|
|
|
chmod +x /etc/openvpn/server/generate-client.sh
|
|
|
|
echo "OpenVPN server setup completed!"
|
|
echo "To generate a client certificate, run: /etc/openvpn/server/generate-client.sh <client-name>"
|
|
echo "The client configuration file will be created in /etc/openvpn/client/" |