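#!/bin/bash
# openvpn_server.sh — turn a Debian-based Raspberry Pi into an OpenVPN server.
#
# Steps, in order:
#   1. install openvpn (plus git/ethtool, which later steps call)
#   2. fetch easy-rsa 2.2.2 and build a PKI under /etc/openvpn/easy-rsa
#      (build-ca / build-key-server / build-key-pass are interactive)
#   3. write /etc/openvpn/server.conf
#   4. enable IPv4 forwarding and install a SNAT rule script
#   5. rewrite /etc/network/interfaces with a static address (old file is
#      backed up first)
#   6. write Default.txt + MakeOVPN.sh in the keys dir and build User1.ovpn
#
# Usage: sudo bash openvpn_server.sh
# Must run as root. Edit ROUTER and DOMAIN for your network before running.
set -euo pipefail

readonly ROUTER="192.168.1.1"              # LAN gateway; also pushed to clients as DNS
readonly IF="/sbin/ip"
readonly DOMAIN="vpn.waaromzomoeilijk.nl"  # public name clients connect to
readonly EASYRSA_DIR="/etc/openvpn/easy-rsa"
readonly KEYS_DIR="${EASYRSA_DIR}/keys"

# First address reported for this host. Every generated config below assumes
# the LAN is a /24 (netmask 255.255.255.0 is hardcoded in them).
IP=$(hostname -I | cut -d ' ' -f 1)
# First interface whose operational state is UP (loopback reports UNKNOWN).
# Match on the "state UP" token rather than a fixed field number, because
# `ip -o link` inserts extra fields (e.g. "master br0") for some interfaces.
IFACE=$("$IF" -o link show | awk '/ state UP / { sub(/:$/, "", $2); print $2; exit }')
# Network address of the LAN for the route pushed to clients. The original
# pushed the host IP with a /24 mask, which OpenVPN reports as a
# network/netmask mismatch.
LAN_NET="${IP%.*}.0"
readonly IP IFACE LAN_NET

# Check if root
if [[ "$(id -u)" -ne 0 ]]; then
  printf '\n\e[31mSorry, you are not root.\n\e[0mYou must type: \e[36msudo \e[0mbash openvpn_server.sh\n\n' >&2
  exit 1
fi

# Fail early instead of writing empty values into server.conf / interfaces.
: "${IP:?could not determine the host IP address (hostname -I)}"
: "${IFACE:?could not find a network interface in state UP}"

# git is needed for the clone below, ethtool by the pre-up lines written to
# /etc/network/interfaces (without it the interface would fail to come up).
apt-get install -y openvpn git ethtool

# --- PKI ---------------------------------------------------------------------
# Clone into a scratch directory that is removed on exit instead of leaving a
# checkout wherever the script happened to be started.
workdir=$(mktemp -d)
trap 'rm -rf -- "$workdir"' EXIT
git clone https://github.com/OpenVPN/easy-rsa.git "$workdir/easy-rsa"
git -C "$workdir/easy-rsa" checkout 2.2.2
# The 2.2.2 tag ships the legacy scripts under easy-rsa/2.0/. Copying "dir/."
# works whether or not the destination already exists.
mkdir -p "$EASYRSA_DIR"
cp -r "$workdir/easy-rsa/easy-rsa/2.0/." "$EASYRSA_DIR"

cd "$EASYRSA_DIR"
# vars derives EASY_RSA from `pwd`; pin it so the scripts work from any cwd.
sed -i 's|`pwd`|/etc/openvpn/easy-rsa|g' "${EASYRSA_DIR}/vars"
# shellcheck disable=SC1091 -- shipped by easy-rsa, not part of this repo
source ./vars
./clean-all
./build-ca
./build-key-server Pi
./build-key-pass User1
# Password-protected copy of the client key; this is what MakeOVPN.sh embeds
# when present. Prompts for the passphrase chosen in build-key-pass.
openssl rsa -in "${KEYS_DIR}/User1.key" -des3 -out "${KEYS_DIR}/User1.3des.key"
./build-dh
openvpn --genkey --secret "${KEYS_DIR}/ta.key"

# --- server.conf -------------------------------------------------------------
# Written straight to /etc/openvpn/server.conf (the old target was the literal
# file name "nano /etc/openvpn/server.conf" in the current directory).
cat > /etc/openvpn/server.conf <<CONF
local $IP
dev tun
proto udp
#Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca ${KEYS_DIR}/ca.crt
cert ${KEYS_DIR}/Pi.crt
key ${KEYS_DIR}/Pi.key
dh ${KEYS_DIR}/dh2048.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet (network address of the /24 this host lives in)
push "route $LAN_NET 255.255.255.0"
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS $ROUTER"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ${KEYS_DIR}/ta.key 0
cipher AES-128-CBC
# comp-lzo is deprecated in OpenVPN 2.4+; it is kept here because the
# generated client profile (Default.txt) expects it.
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
CONF

# --- forwarding + NAT --------------------------------------------------------
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|g' /etc/sysctl.conf
sysctl -p

# The -C probe stops a duplicate SNAT rule being appended every time the
# interface is brought up (the script runs from a pre-up line below).
cat > /etc/firewall-openvpn-rules.sh <<RULES
#!/bin/sh
iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o $IFACE -j SNAT --to-source $IP 2>/dev/null ||
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $IFACE -j SNAT --to-source $IP
RULES
chmod 700 /etc/firewall-openvpn-rules.sh
chown root:root /etc/firewall-openvpn-rules.sh

# --- static network config ---------------------------------------------------
# Keep a copy of the existing file; the original script deleted it outright.
if [[ -f /etc/network/interfaces ]]; then
  cp -p /etc/network/interfaces "/etc/network/interfaces.bak.$(date +%Y%m%d%H%M%S)"
fi
cat > /etc/network/interfaces <<CONF1
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto $IFACE
allow-hotplug $IFACE
iface $IFACE inet static
    pre-up /sbin/ethtool -K $IFACE tso off
    pre-up /sbin/ethtool -K $IFACE gso off
    pre-up /etc/firewall-openvpn-rules.sh
    address $IP
    netmask 255.255.255.0
    gateway $ROUTER
    dns-nameservers 8.8.8.8 8.8.4.4
CONF1

# --- client profile template -------------------------------------------------
cat > "${KEYS_DIR}/Default.txt" <<CONF2
client
dev tun
proto udp
remote $DOMAIN 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
# ns-cert-type was deprecated in OpenVPN 2.4 and removed in 2.5; newer
# clients should use "remote-cert-tls server" instead.
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
CONF2

# --- MakeOVPN.sh -------------------------------------------------------------
# Quoted delimiter: this heredoc is a script of its own, so its $NAME, $CRT,
# ... must reach the file untouched instead of being expanded (to empty
# strings) while this installer runs.
cat > "${KEYS_DIR}/MakeOVPN.sh" <<'CONF3'
#!/bin/bash
# MakeOVPN.sh [client-name]
# Builds an inline .ovpn profile from Default.txt plus the CA cert, the
# client's cert and private key, and the tls-auth key. All paths are
# relative, so run it from the easy-rsa keys directory. Prompts for the
# client name when none is given on the command line.
# Script written by Eric Jodoin
set -euo pipefail

# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".3des.key"
NODES_KEY=".key"
CA="ca.crt"
TA="ta.key"

NAME="${1:-}"
if [ -z "${NAME}" ]; then
  # Ask for a Client name
  echo "Please enter an existing Client Name:"
  read -r NAME
fi

#1st Verify that client's Public Key Exists
if [ ! -f "${NAME}${CRT}" ]; then
  echo "[ERROR]: Client Public Key Certificate not found: ${NAME}${CRT}" >&2
  exit 1
fi
echo "Client's cert found: ${NAME}${CRT}"

#Then, verify that there is a private key for that client
# Prefer the passphrase-protected 3des key; fall back to the plain key.
if [ ! -f "${NAME}${KEY}" ]; then
  echo "[INFO]: Client 3des Private Key not found: ${NAME}${KEY}"
  KEY="${NODES_KEY}"
fi
if [ ! -f "${NAME}${KEY}" ]; then
  echo "[ERROR]: Client Private Key not found: ${NAME}${KEY}" >&2
  exit 1
fi
echo "Client's Private Key found: ${NAME}${KEY}"

#Confirm the CA public key exists
if [ ! -f "${CA}" ]; then
  echo "[ERROR]: CA Public Key not found: ${CA}" >&2
  exit 1
fi
echo "CA public Key found: ${CA}"

#Confirm the tls-auth ta key file exists
if [ ! -f "${TA}" ]; then
  echo "[ERROR]: tls-auth Key not found: ${TA}" >&2
  exit 1
fi
echo "tls-auth Private Key found: ${TA}"

# Wrap a file in OpenVPN's inline <tag>...</tag> block. The profile carries a
# private key, so it is created with owner-only permissions.
inline_block() {
  printf '<%s>\n' "$1"
  cat -- "$2"
  printf '</%s>\n' "$1"
}

OUT="${NAME}${FILEEXT}"
umask 077
#Ready to make a new .opvn file - Start by populating with the default file
{
  cat -- "${DEFAULT}"
  #Now, append the CA Public Cert
  inline_block ca "${CA}"
  #Next append the client Public Cert (only the PEM block, not the text dump)
  printf '<cert>\n'
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' -- "${NAME}${CRT}"
  printf '</cert>\n'
  #Then, append the client Private Key
  inline_block key "${NAME}${KEY}"
  #Finally, append the TA Private Key
  inline_block tls-auth "${TA}"
} > "${OUT}"
chmod 600 -- "${OUT}"
echo "Done! ${OUT} Successfully Created."
CONF3
chmod 700 "${KEYS_DIR}/MakeOVPN.sh"

# MakeOVPN.sh uses relative file names, so it has to run inside the keys dir
# (the original invoked it from /etc/openvpn/easy-rsa and could not find ca.crt).
cd "$KEYS_DIR"
bash ./MakeOVPN.sh User1
exit 0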