XMB5 · July 28, 2024 19:43 · umlumpa · Mar 10, 2023 · Depth-monster · Jul 28, 2024
diff --git a/openvpn-setup.sh b/openvpn-setup.sh
 #!/bin/bash
 #do not use for security

 read -p "port: " PORT
 read -p "protocol (udp or tcp): " PROTOCOL

 if [ -z "$(command -v openvpn)" ]; then
  OPENVPN_VERSION=2.4.6
  echo "installing openvpn from source"
  sudo apt install -y libssl-dev liblz4-dev liblzo2-dev libpam-dev
  wget --quiet "https://swupdate.openvpn.org/community/releases/openvpn-${OPENVPN_VERSION}.tar.xz" -O- | tar xfJ -
  cd "openvpn-${OPENVPN_VERSION}"
  for PATCH in 02-tunnelblick-openvpn_xorpatch-a 03-tunnelblick-openvpn_xorpatch-b 04-tunnelblick-openvpn_xorpatch-c 05-tunnelblick-openvpn_xorpatch-d 06-tunnelblick-openvpn_xorpatch-e; do
    wget --quiet "https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-${OPENVPN_VERSION}/patches/${PATCH}.diff"
    patch -Np1 -i "${PATCH}.diff"
  done
  ./configure
  make
  sudo make install
  cd ..
  rm -rf "openvpn-${OPENVPN_VERSION}"
 fi

 EASYRSA_VERSION=3.0.5
 if [ ! -d "EasyRSA-${EASYRSA_VERSION}" ]; then
  echo "downloading easyrsa"
  wget --quiet "https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/EasyRSA-nix-${EASYRSA_VERSION}.tgz" -O- | tar xfz -
 fi

 if [ ! -d "pki" ]; then
  echo "generating keys"
  easyrsa="EasyRSA-${EASYRSA_VERSION}/easyrsa"
  $easyrsa init-pki
  $easyrsa --batch build-ca nopass
  $easyrsa gen-dh
  EASYRSA_CERT_EXPIRE=3650 $easyrsa build-server-full server nopass
  EASYRSA_CERT_EXPIRE=3650 $easyrsa build-client-full client nopass
  EASYRSA_CRL_DAYS=3650 $easyrsa gen-crl
  openvpn --genkey --secret ta.key
 fi

 #network configuration
 cat > run-openvpn.sh << 'EOF'
 #!/bin/bash
 echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null
 IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
 if [ -z "$(sudo iptables -t nat -L POSTROUTING -n | grep -F 10.8.0.0/24)" ]; then
  echo "adding iptables rule"
  sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
 fi
 EOF

 chmod +x run-openvpn.sh

 #run-openvpn only contains routing rules so far
 source run-openvpn.sh

 echo 'cd "$(dirname "$BASH_SOURCE")"
 sudo openvpn --config server.conf' >> run-openvpn.sh

 SERVICE_FILE="/etc/systemd/system/openvpn-server.service"
 if [ ! -f "$SERVICE_FILE" ]; then
  echo "installing systemd service"
  echo "[Unit]
 Description=OpenVPN Server
 After=network.target
 After=systemd-user-sessions.service
 After=network-online.target

 [Service]
 ExecStart='$(readlink -f run-openvpn.sh)'

 [Install]
 WantedBy=multi-user.target" | sudo tee /etc/systemd/system/openvpn-server.service > /dev/null
  sudo systemctl daemon-reload
  echo 'installed systemd service, run sudo systemctl start|enable openvpn-server to use'
 fi

 #generate server.conf
 echo "port $PORT
 proto $PROTOCOL
 compress lz4
 dev tun
 sndbuf 0
 rcvbuf 0
 ca pki/ca.crt
 cert pki/issued/server.crt
 key pki/private/server.key
 dh pki/dh.pem
 auth SHA512
 tls-auth ta.key 0
 topology subnet
 duplicate-cn
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt" > server.conf
 echo 'push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 128.52.130.209"' >> server.conf
 echo "keepalive 10 120
 cipher AES-256-CBC
 persist-key
 persist-tun
 status openvpn-status.log
 verb 3
 crl-verify pki/crl.pem" >> server.conf

 #generate client.conf
 PUB_IP=`curl -s http://checkip.amazonaws.com/`
 echo "client
 compress lz4
 dev tun
 proto $PROTOCOL
 sndbuf 0
 rcvbuf 0
 remote $PUB_IP $PORT
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 remote-cert-tls server
 auth SHA512
 cipher AES-256-CBC
 setenv opt block-outside-dns
 key-direction 1
 verb 3
 <ca>
 $(cat pki/ca.crt)
 </ca>
 <cert>
 $(cat pki/issued/client.crt)
 </cert>
 <key>
 $(cat pki/private/client.key)
 </key>
 <tls-auth>
 $(cat ta.key)
 </tls-auth>" > client.conf
	#!/bin/bash
	#do not use for security

	read -p "port: " PORT
	read -p "protocol (udp or tcp): " PROTOCOL

	if [ -z "$(command -v openvpn)" ]; then
	OPENVPN_VERSION=2.4.6
	echo "installing openvpn from source"
	sudo apt install -y libssl-dev liblz4-dev liblzo2-dev libpam-dev
	wget --quiet "https://swupdate.openvpn.org/community/releases/openvpn-${OPENVPN_VERSION}.tar.xz" -O- \| tar xfJ -
	cd "openvpn-${OPENVPN_VERSION}"
	for PATCH in 02-tunnelblick-openvpn_xorpatch-a 03-tunnelblick-openvpn_xorpatch-b 04-tunnelblick-openvpn_xorpatch-c 05-tunnelblick-openvpn_xorpatch-d 06-tunnelblick-openvpn_xorpatch-e; do
	wget --quiet "https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-${OPENVPN_VERSION}/patches/${PATCH}.diff"
	patch -Np1 -i "${PATCH}.diff"
	done
	./configure
	make
	sudo make install
	cd ..
	rm -rf "openvpn-${OPENVPN_VERSION}"
	fi

	EASYRSA_VERSION=3.0.5
	if [ ! -d "EasyRSA-${EASYRSA_VERSION}" ]; then
	echo "downloading easyrsa"
	wget --quiet "https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/EasyRSA-nix-${EASYRSA_VERSION}.tgz" -O- \| tar xfz -
	fi

	if [ ! -d "pki" ]; then
	echo "generating keys"
	easyrsa="EasyRSA-${EASYRSA_VERSION}/easyrsa"
	$easyrsa init-pki
	$easyrsa --batch build-ca nopass
	$easyrsa gen-dh
	EASYRSA_CERT_EXPIRE=3650 $easyrsa build-server-full server nopass
	EASYRSA_CERT_EXPIRE=3650 $easyrsa build-client-full client nopass
	EASYRSA_CRL_DAYS=3650 $easyrsa gen-crl
	openvpn --genkey --secret ta.key
	fi

	#network configuration
	cat > run-openvpn.sh << 'EOF'
	#!/bin/bash
	echo 1 \| sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null
	IP=$(ip addr \| grep 'inet' \| grep -v inet6 \| grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \| grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \| head -1)
	if [ -z "$(sudo iptables -t nat -L POSTROUTING -n \| grep -F 10.8.0.0/24)" ]; then
	echo "adding iptables rule"
	sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
	fi
	EOF

	chmod +x run-openvpn.sh

	#run-openvpn only contains routing rules so far
	source run-openvpn.sh

	echo 'cd "$(dirname "$BASH_SOURCE")"
	sudo openvpn --config server.conf' >> run-openvpn.sh

	SERVICE_FILE="/etc/systemd/system/openvpn-server.service"
	if [ ! -f "$SERVICE_FILE" ]; then
	echo "installing systemd service"
	echo "[Unit]
	Description=OpenVPN Server
	After=network.target
	After=systemd-user-sessions.service
	After=network-online.target

	[Service]
	ExecStart='$(readlink -f run-openvpn.sh)'

	[Install]
	WantedBy=multi-user.target" \| sudo tee /etc/systemd/system/openvpn-server.service > /dev/null
	sudo systemctl daemon-reload
	echo 'installed systemd service, run sudo systemctl start\|enable openvpn-server to use'
	fi

	#generate server.conf
	echo "port $PORT
	proto $PROTOCOL
	compress lz4
	dev tun
	sndbuf 0
	rcvbuf 0
	ca pki/ca.crt
	cert pki/issued/server.crt
	key pki/private/server.key
	dh pki/dh.pem
	auth SHA512
	tls-auth ta.key 0
	topology subnet
	duplicate-cn
	server 10.8.0.0 255.255.255.0
	ifconfig-pool-persist ipp.txt" > server.conf
	echo 'push "redirect-gateway def1 bypass-dhcp"
	push "dhcp-option DNS 128.52.130.209"' >> server.conf
	echo "keepalive 10 120
	cipher AES-256-CBC
	persist-key
	persist-tun
	status openvpn-status.log
	verb 3
	crl-verify pki/crl.pem" >> server.conf

	#generate client.conf
	PUB_IP=`curl -s http://checkip.amazonaws.com/`
	echo "client
	compress lz4
	dev tun
	proto $PROTOCOL
	sndbuf 0
	rcvbuf 0
	remote $PUB_IP $PORT
	resolv-retry infinite
	nobind
	persist-key
	persist-tun
	remote-cert-tls server
	auth SHA512
	cipher AES-256-CBC
	setenv opt block-outside-dns
	key-direction 1
	verb 3
	<ca>
	$(cat pki/ca.crt)
	</ca>
	<cert>
	$(cat pki/issued/client.crt)
	</cert>
	<key>
	$(cat pki/private/client.key)
	</key>
	<tls-auth>
	$(cat ta.key)
	</tls-auth>" > client.conf
No results found