You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
106 lines
3.0 KiB
106 lines
3.0 KiB
#!/bin/bash
|
|
#
|
|
|
|
BORDER=">>>>>>>>>>>>>>"
|
|
printf "$BORDER Installing openvpn and EasyRSA $BORDER \n\n"
|
|
|
|
sudo apt-get update -y
|
|
sudo apt-get install openvpn easy-rsa -y
|
|
|
|
|
|
printf "$BORDER Setting default openvpn vars $BORDER \n\n"
|
|
|
|
make-cadir ~/openvpn-ca
|
|
cd ~/openvpn-ca
|
|
|
|
|
|
sed -i "s/KEY_PROVINCE=\"CA\"/KEY_PROVINCE=\"NM\"/g" vars
|
|
sed -i "s/KEY_CITY=\"SanFrancisco\"/KEY_CITY=\"Albuquerque\"/g" vars
|
|
sed -i "s/KEY_ORG=\"Fort-Funston\"/KEY_ORG=\"BreakpointingBad\"/g" vars
|
|
sed -i "s/KEY_NAME=\"EasyRSA\"/KEY_NAME=\"server\"/g" vars
|
|
|
|
|
|
|
|
cd ~/openvpn-ca
|
|
source vars
|
|
|
|
|
|
printf "$BORDER Building the certificate authority $BORDER \n\n"
|
|
|
|
./clean-all
|
|
./build-ca
|
|
|
|
printf "$BORDER Creating the server certificate $BORDER \n\n"
|
|
|
|
./build-key-server server
|
|
|
|
printf "$BORDER Generating Diffie-Hellman keys to use during key exchange $BORDER \n\n"
|
|
|
|
./build-dh
|
|
|
|
printf "$BORDER Generating HMAC signature to strengthen the server’s TLS integrity verification"
|
|
|
|
openvpn --genkey --secret keys/ta.key
|
|
|
|
|
|
printf "$BORDER Generating client certificate and key pair $BORDER \n\n"
|
|
cd ~/openvpn-ca
|
|
source vars
|
|
./build-key client1
|
|
|
|
|
|
printf "$BORDER Configuring the openvpn service using generated keys + certs $BORDER \n\n"
|
|
|
|
cd ~/openvpn-ca/keys
|
|
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
|
|
|
|
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
|
|
|
|
|
|
sudo sed -i "s/;tls-auth ta.key 0/tls-auth ta.key 0/g" /etc/openvpn/server.conf
|
|
sudo sed -i "s/;cipher AES-128-CBC/cipher AES-128-CBC/g" /etc/openvpn/server.conf
|
|
|
|
sudo sed -i "s/;user nobody/user nobody/g" /etc/openvpn/server.conf
|
|
sudo sed -i "s/;group nogroup/group nogroup/g" /etc/openvpn/server.conf
|
|
|
|
#sudo sed -i "s/;push \"redirect-gateway def1 bypass-dhcp\"/push \"redirect-gateway def1 bypass-dhcp\"/g" /etc/openvpn/server.conf
|
|
#sudo sed -i "s/;push \"dhcp-option DNS 208.67.222.222\"/push \"dhcp-option DNS 208.67.222.222\"/g" /etc/openvpn/server.conf
|
|
#sudo sed -i "s/;push \"dhcp-option DNS 208.67.220.220\"/push \"dhcp-option DNS 208.67.220.220\"/g" /etc/openvpn/server.conf
|
|
|
|
sudo bash -c 'cat >> /etc/openvpn/server.conf << EOF
|
|
auth SHA256
|
|
EOF'
|
|
|
|
sudo sed -i "s/port 1194/port 443/g" /etc/openvpn/server.conf
|
|
sudo sed -i "s/proto udp/proto tcp/g" /etc/openvpn/server.conf
|
|
|
|
|
|
printf "$BORDER Adjusting the servers network config to allow for vpn things $BORDER \n\n"
|
|
|
|
sudo sed -i "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g" /etc/sysctl.conf
|
|
sudo sysctl -p
|
|
|
|
|
|
sudo bash -c 'cat >> /etc/ufw/before.rules << EOF
|
|
# START OPENVPN RULES
|
|
# NAT table rules
|
|
*nat
|
|
:POSTROUTING ACCEPT [0:0]
|
|
# Allow traffic from OpenVPN client to enp0s8
|
|
-A POSTROUTING -s 10.8.0.0/8 -o enp0s8 -j MASQUERADE
|
|
COMMIT
|
|
# END OPENVPN RULES
|
|
EOF'
|
|
|
|
|
|
sudo sed -i "s/DEFAULT_FORWARD_POLICY=\"DROP\"/DEFAULT_FORWARD_POLICY=\"ACCEPT\"/g" /etc/default/ufw
|
|
sudo ufw allow 443/tcp
|
|
sudo ufw allow OpenSSH
|
|
|
|
sudo ufw disable
|
|
sudo ufw enable
|
|
|
|
printf "$BORDER Enabling the openvpn service $BORDER \n\n"
|
|
|
|
sudo systemctl start openvpn@server
|
|
sudo systemctl enable openvpn@server
|