#!/bin/sh
# Setup Simple OpenVPN server for Amazon Linux, Centos, Ubuntu and Debian
# Copyright (C) 2012-2013 Viljo Viitanen <[email protected]>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# 2012-12-11: initial version, tested only on amazon linux
# 2012-12-12: added centos 6.3 compatibility
# 2013-03-30: amazon linux 2013.03 - service iptables is missing, use rc.local
# whatismyip automation has stopped working, use ipchicken.com
# change from embedded tar gz to repo zip download
# 2013-10-02: add debian squeeze&wheezy and ubuntu 12.04 compatibility
# workaround for amazon ec2 rhel 6.4 image bug https://bugzilla.redhat.com/show_bug.cgi?id=956531
# use http://ipecho.net/plain - http://ipecho.net/developers.html
# 2013-10-06: add port, protocol and server name as optional parameters
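# Directory the server configuration and the easy-rsa PKI are written to.
# Keep it a plain path: it is substituted into commands and messages below.
OPENVPN='/etc/openvpn'

# Optional positional arguments: [port] [protocol] [servername].
# All three are validated before use because they end up inside sed
# expressions, file names and the generated client configuration.
if [ "x$1" = "x-h" ] || [ "x$1" = "x--help" ]
then
  echo "Usage: $0 [port] [protocol] [servername]"
  echo "Default: port 1194, protocol udp, servername simpleopenvpn."
  echo "The server name is just for your convinience, it does not"
  echo "have to be related to the dns name of the server."
  exit 0
fi

# EXIT collects validation failures so every problem is reported before
# the script gives up.
EXIT=0

# Port: digits only. The range check only runs on a numeric value, so a
# non-numeric argument no longer produces a stray expr/test error.
PORT=${1:-1194}
case "$PORT" in
  *[!0-9]*|"")
    echo "Port must be a number."
    EXIT=1
    ;;
  *)
    # expr normalises the value so something like 007 becomes a plain 7
    PORT=$(expr 0 + "$PORT")
    if [ "$PORT" -lt 1 ] || [ "$PORT" -gt 65535 ]
    then
      echo "Port must be between 1 and 65535."
      EXIT=1
    fi
    ;;
esac

# Protocol: exactly one of the two values openvpn accepts here.
PROTO=${2:-udp}
case "$PROTO" in
  udp|tcp) ;;
  *)
    echo "Unknown protocol, must be udp or tcp."
    EXIT=1
    ;;
esac

# Server name: letters only and shorter than 64 characters, because it is
# used in certificate and configuration file names and in sed expressions.
ME=${3:-simpleopenvpn}
case "$3" in
  *[!a-zA-Z]*)
    echo "Server name must only contain letters a-z."
    EXIT=1
    ;;
esac
if [ "${#3}" -ge 64 ]
then
  echo "Server name must be less than 64 characters."
  EXIT=1
fi

if [ "$EXIT" = "1" ]
then
  exit 1
fi

# Binding the VPN to the SSH port/protocol is allowed but easy to regret;
# give the operator a chance to abort.
if [ "$PORT" -eq 22 ] && [ "$PROTO" = "tcp" ]
then
  echo "NOTE: you are using the SSH port and protocol."
  echo "Sleeping for 10 seconds, press control-C to abort."
  sleep 10
fi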
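# Preflight checks. Each failure ends the script with a non-zero status so
# a wrapper (or a user reading $?) can tell a refused run from a finished one.
if [ -d "$OPENVPN" ]
then
  echo "$OPENVPN exists, aborting!"
  exit 1
fi
# template-client-config ships next to this script in the repository zip.
if [ ! -f template-client-config ]
then
  echo "Necessary files missing. Run script from same directory where you unzipped the zip file?"
  exit 1
fi
# Everything from here on installs packages and writes under /etc.
if [ "$(id -u)" -ne 0 ]
then
  echo "Need root, try with sudo"
  # was exit 0, which made a refused run look like success
  exit 1
fi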
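# Install openvpn, zip and their dependencies with whichever package
# manager is present. Only the probe's exit status matters, so its output
# (the resolved path) is discarded instead of being printed to stdout.
if command -v apt-get >/dev/null 2>&1
then
  apt-get -y install openvpn zip || {
    echo "============================================================"
    echo "Could not install openvpn and zip with apt-get. Huh?"
    echo "============================================================"
    exit 1
  }
elif command -v yum >/dev/null 2>&1
then
  yum -y install openvpn zip || {
    echo "============================================================"
    echo "Could not install openvpn and zip with yum."
    echo "Enable EPEL repository?"
    echo "See http://fedoraproject.org/wiki/EPEL"
    echo "============================================================"
    exit 1
  }
else
  echo "============================================================"
  echo "Cannot find apt-get or yum. Can't continue."
  echo "============================================================"
  exit 1
fi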
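mkdir -p "$OPENVPN" || { echo "Cannot mkdir $OPENVPN, aborting!"; exit 1; }

# Server configuration and the easy-rsa tool shipped with this script.
# PROTO (udp|tcp) and PORT (1-65535) were validated above, so they are safe
# inside the sed expressions.
cp -r easy-rsa "$OPENVPN"/
cp template-server-config "$OPENVPN"/openvpn.conf
sed -i -e "s/VPN_PROTO/$PROTO/" -e "s/VPN_PORT/$PORT/" "$OPENVPN"/openvpn.conf

# Workaround for the Amazon EC2 RHEL 6.4 image bug (see the header). The
# file is only probed where it exists; Debian/Ubuntu have no rc.d/rc.local
# and grep would otherwise print an error for it.
if [ -f /etc/rc.d/rc.local ] && grep -q "cat <<EOL >> /etc/ssh/sshd_config" /etc/rc.d/rc.local
then
  echo "Note: working around a bug in Amazon EC2 RHEL 6.4 image"
  sed -i.bak 19,21d /etc/rc.d/rc.local
fi

# Ubuntu ends rc.local with "exit 0"; drop it so the rules appended below
# actually run. --follow-symlinks keeps /etc/rc.local a symlink where it is
# one (e.g. to rc.d/rc.local); plain "sed -i" would replace the link with a
# regular file.
sed -i --follow-symlinks '/^exit 0/d' /etc/rc.local

# Forwarding and NAT for the VPN, applied at every boot. The VPN subnet and
# the outbound interface are fixed here: the subnet is presumably the one
# in template-server-config and eth0 the instance's primary interface —
# verify both on hosts that differ.
cat >> /etc/rc.local << END
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -I INPUT -p $PROTO --dport $PORT -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -o eth0 -j MASQUERADE
#default firewall in centos forbids these
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
#not sure if these are really necessary, they probably are the default.
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
END
# Apply the rules now rather than waiting for the next boot.
sh /etc/rc.local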
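# Build the PKI with easy-rsa: CA, DH parameters, the server certificate
# and one client certificate. The work runs in a subshell so the cd does
# not leak; its status is checked afterwards because an "exit 1" inside the
# parentheses only ends the subshell, not the script, and the old code
# carried on to package non-existent keys.
(
  cd "$OPENVPN/easy-rsa" || { echo "Cannot cd into $OPENVPN/easy-rsa, aborting!"; exit 1; }
  [ -d keys ] && { echo "easy-rsa/keys directory already exists, aborting!"; exit 1; }
  cp vars myvars
  # ME is letters only (validated above), so it is safe in the sed
  # expression. Double quotes are needed: in single quotes "$ME" was written
  # into myvars literally instead of the server name.
  sed -i -e "s/Fort-Funston/$ME/" -e 's/SanFrancisco/Simple OpenVPN server/' myvars
  . ./myvars
  ./clean-all || exit 1
  ./build-dh || exit 1
  ./pkitool --initca || exit 1
  ./pkitool --server myserver || exit 1
  ./pkitool "client1-$ME" || exit 1
) || { echo "Key generation failed, aborting!"; exit 1; }
#for more client certificates:
# cd easy-rsa
# . ./myvars
# ./pkitool [unique-client-name]
#by default this server allows multiple connections per client certificate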
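#generate the client config file
# First find out the server's external address. The answer is cached for
# 5 minutes so repeated test runs do not hit the lookup service's limits.
IP=""
if [ -n "$(find "$HOME/.my.ip" -mmin -5 2>/dev/null)" ]
then
  IP=$(tr -cd '0-9.' < "$HOME/.my.ip")
  echo "Using cached external ip address"
else
  echo "Detecting external ip address"
  # The lookup is plain HTTP and unauthenticated, so the reply is untrusted
  # input: it is written into the .ovpn file and into a file name below.
  # Anything that is not digits and dots is discarded (and not cached), which
  # routes the run into the UNKNOWN-ADDRESS path instead of embedding it.
  IP=$(wget -q -O - http://ipecho.net/plain)
  case "$IP" in
    *[!0-9.]*|"") IP="" ;;
    *) echo "$IP" > "$HOME/.my.ip" ;;
  esac
fi
if [ "x$IP" = "x" ]
then
  IP="UNKNOWN-ADDRESS"
  echo "============================================================"
  echo " !!! COULD NOT DETECT SERVER EXTERNAL IP ADDRESS !!!"
  echo "============================================================"
  echo "Make sure you edit the $ME.ovpn file before trying to use it"
  echo "Search 'UNKNOWN-ADDRESS' and replace it with the correct ip address"
else
  echo "============================================================"
  echo "Detected your server external ip address: $IP"
  echo "============================================================"
  echo "Make sure it is correct before using the client configuration files!"
fi
sleep 2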
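# Bundle the client configuration with its key material in a fresh
# directory under the current one (mktemp picks an unpredictable name).
TMPDIR=$(mktemp -d --tmpdir=. openvpn.XXX) || { echo "Cannot make temporary directory, aborting!"; exit 1; }
cp template-client-config "$TMPDIR/$ME.ovpn"
cd "$TMPDIR" || { echo "Cannot cd into a temporary directory, aborting!"; exit 1; }
cp "$OPENVPN/easy-rsa/keys/ca.crt" "ca-$ME.crt"
cp "$OPENVPN/easy-rsa/keys/client1-$ME.key" "$OPENVPN/easy-rsa/keys/client1-$ME.crt" .
# IP, ME, PROTO and PORT were all validated above, so they are safe inside
# the sed expressions.
sed -i -e "s/VPN_SERVER_ADDRESS/$IP/" -e "s/client1/client1-$ME/" -e "s/^ca ca.crt/ca ca-$ME.crt/" "$ME.ovpn"
sed -i -e "s/VPN_PROTO/$PROTO/" -e "s/VPN_PORT/$PORT/" "$ME.ovpn"
zip "$ME-$IP.zip" "$ME.ovpn" "ca-$ME.crt" "client1-$ME.key" "client1-$ME.crt"
# The bundle contains a client private key. Hand it to the user who invoked
# sudo instead of making it readable by every account on the host (the old
# "chmod -R a+rX" did the latter).
if [ -n "$SUDO_USER" ] && [ "$SUDO_USER" != "root" ]
then
  chown -R "$SUDO_USER" .
fi
chmod -R u+rwX,go-rwx .
echo "----"
echo "Generated configuration files are in $TMPDIR/ !"
echo "----"
echo "The server '$ME' uses port $PORT protocol $PROTO."
echo "Make sure they are open in an external firewall if there is one."
# Enable openvpn at boot and start the server. chkconfig is only used where
# yum is present; how the apt based distributions enable the service at boot
# is not handled here — verify on those hosts.
if command -v yum >/dev/null 2>&1
then
  chkconfig openvpn on
fi
service openvpn start || { echo "Could not start openvpn, check the service log."; exit 1; }
exit 0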