#!/bin/bash
#

BORDER=">>>>>>>>>>>>>>"
printf "$BORDER Installing openvpn and EasyRSA $BORDER \n\n"

sudo apt-get update -y
sudo apt-get install openvpn easy-rsa -y


printf "$BORDER Setting default openvpn vars $BORDER \n\n"

make-cadir ~/openvpn-ca
cd ~/openvpn-ca


sed -i "s/KEY_PROVINCE=\"CA\"/KEY_PROVINCE=\"NM\"/g" vars
sed -i "s/KEY_CITY=\"SanFrancisco\"/KEY_CITY=\"Albuquerque\"/g" vars
sed -i "s/KEY_ORG=\"Fort-Funston\"/KEY_ORG=\"BreakpointingBad\"/g" vars
sed -i "s/KEY_NAME=\"EasyRSA\"/KEY_NAME=\"server\"/g" vars



sed -i 's/--interact//' build-ca
sed -i 's/--interact//' build-key-server
sed -i 's/--interact//' build-dh
sed -i 's/--interact//' build-key

cd ~/openvpn-ca
source vars


printf "$BORDER Building the certificate authority $BORDER \n\n"

./clean-all
./build-ca

printf "$BORDER Creating the server certificate $BORDER \n\n"

./build-key-server server

printf "$BORDER Generating Diffie-Hellman keys to use during key exchange $BORDER \n\n"

./build-dh

printf "$BORDER Generating HMAC signature to strengthen the server’s TLS integrity verification"

openvpn --genkey --secret keys/ta.key


printf "$BORDER Generating client certificate and key pair $BORDER \n\n"
cd ~/openvpn-ca
source vars
./build-key client1


printf "$BORDER Configuring the openvpn service using generated keys + certs $BORDER \n\n"

cd ~/openvpn-ca/keys
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf


sudo sed -i "s/;tls-auth ta.key 0/tls-auth ta.key 0/g"  /etc/openvpn/server.conf
sudo sed -i "s/;cipher AES-128-CBC/cipher AES-128-CBC/g"  /etc/openvpn/server.conf

sudo sed -i "s/;user nobody/user nobody/g"  /etc/openvpn/server.conf
sudo sed -i "s/;group nogroup/group nogroup/g"  /etc/openvpn/server.conf

#sudo sed -i "s/;push \"redirect-gateway def1 bypass-dhcp\"/push \"redirect-gateway def1 bypass-dhcp\"/g"  /etc/openvpn/server.conf
#sudo sed -i "s/;push \"dhcp-option DNS 208.67.222.222\"/push \"dhcp-option DNS 208.67.222.222\"/g"  /etc/openvpn/server.conf
#sudo sed -i "s/;push \"dhcp-option DNS 208.67.220.220\"/push \"dhcp-option DNS 208.67.220.220\"/g"  /etc/openvpn/server.conf

sudo bash -c 'cat >> /etc/openvpn/server.conf << EOF
auth SHA256
EOF'

sudo sed -i "s/port 1194/port 443/g"  /etc/openvpn/server.conf
sudo sed -i "s/proto udp/proto tcp/g"  /etc/openvpn/server.conf


printf "$BORDER Adjusting the servers network config to allow for vpn things $BORDER \n\n"

sudo sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g"  /etc/sysctl.conf
sudo sysctl -p


sudo bash -c 'cat >> /etc/ufw/before.rules << EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to enp0s8
-A POSTROUTING -s 10.8.0.0/8 -o enp0s8 -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF'


sudo sed -i "s/DEFAULT_FORWARD_POLICY=\"DROP\"/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g" /etc/default/ufw
sudo ufw allow 443/tcp
sudo ufw allow OpenSSH

sudo ufw disable
sudo ufw --force enable

printf "$BORDER Enabling the openvpn service $BORDER \n\n"

sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server











BORDER=">>>>>>>>>>>>>>>>"

printf "$BORDER Setting up base client config file\n\n"

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files


cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf


sed -i "s/my-server-1 1194/192.168.2.2 443/g" ~/client-configs/base.conf
sed -i "s/proto udp/proto tcp/g" ~/client-configs/base.conf

sed -i "s/;user nobody/user nobody/g" ~/client-configs/base.conf
sed -i "s/;group nobody/group nobody/g" ~/client-configs/base.conf

sed -i "s/ca ca.crt/# ca ca.crt/g" ~/client-configs/base.conf
sed -i "s/cert client.crt/# cert client.crt/g" ~/client-configs/base.conf
sed -i "s/key client.key/# key client.key/g" ~/client-configs/base.conf


cat >> ~/client-configs/base.conf << EOF
cipher AES-128-CBC
auth SHA256
key-direction 1
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
EOF


printf "$BORDER Creating make client config script..\n\n"

touch ~/client-configs/make_config.sh

cat >> ~/client-configs/make_config.sh << EOF

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

cat \${BASE_CONFIG} <(echo -e '<ca>') \${KEY_DIR}/ca.crt <(echo -e '</ca>\n<cert>') \${KEY_DIR}/\${1}.crt <(echo -e '</cert>\n<key>') \${KEY_DIR}/\${1}.key <(echo -e '</key>\n<tls-auth>') \${KEY_DIR}/ta.key <(echo -e '</tls-auth>') > \${OUTPUT_DIR}/\${1}.ovpn
EOF

chmod 700 ~/client-configs/make_config.sh


printf "$BORDER Making client config file for client1\n\n"

cd ~/client-configs
./make_config.sh client1
ls ~/client-configs/files