XMB5 revised this gist
Nov 4, 2018 · 1 changed file with 72 additions and 40 deletions.
@@ -1,52 +1,80 @@ #!/bin/bash #easy openvpn server setup for ubuntu read -p "port (1-65535): " PORT read -p "protocol (udp or tcp): " PROTOCOL read -p "encrypt (y or n): " ENCRYPT read -p "hmac (y or n): " HMAC read -p "xor scramble (y or n): " SCRAMBLE read -p "compress (y or n): " COMPRESS_YN read -p "network number (0-255): " NETWORK_NUM read -p "service name affix (no special chars): " SERVICE_AFFIX if [ "$COMPRESS_YN" == y ]; then COMPRESS=lz4 fi if [ "$ENCRYPT" == y ]; then CIPHER=aes-128-cbc else CIPHER=none fi if [ "$HMAC" == y ]; then AUTH=sha256 else AUTH=none fi if [ "$SCRAMBLE" == y ]; then SCRAMBLE_LINE="scramble xormask $(hexdump -n 8 -e '4/4 "%08x" 1 "\n"' /dev/urandom)" fi if [ -z "$(command -v openvpn)" ]; then OPENVPN_VERSION=2.4.6 echo "installing openvpn from source" sudo apt install -y gcc make libssl-dev liblz4-dev liblzo2-dev libpam-dev echo "download openvpn $OPENVPN_VERSION" wget --quiet "https://swupdate.openvpn.org/community/releases/openvpn-$OPENVPN_VERSION.tar.xz" -O- | tar xfJ - cd "openvpn-$OPENVPN_VERSION" for PATCH in 02-tunnelblick-openvpn_xorpatch-a 03-tunnelblick-openvpn_xorpatch-b 04-tunnelblick-openvpn_xorpatch-c 05-tunnelblick-openvpn_xorpatch-d 06-tunnelblick-openvpn_xorpatch-e; do echo "downloading patch $PATCH" wget --quiet "https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-${OPENVPN_VERSION}/patches/${PATCH}.diff" patch -Np1 -i "$PATCH.diff" done ./configure make sudo make install cd .. rm -rf "openvpn-$OPENVPN_VERSION" fi EASYRSA_VERSION=3.0.5 if [ ! -d "EasyRSA-$EASYRSA_VERSION" ]; then echo "downloading easyrsa" wget --quiet "https://github.com/OpenVPN/easy-rsa/releases/download/v$EASYRSA_VERSION/EasyRSA-nix-$EASYRSA_VERSION.tgz" -O- | tar xfz - fi if [ ! 
-d "pki" ]; then echo "generating keys" easyrsa="EasyRSA-$EASYRSA_VERSION/easyrsa" $easyrsa init-pki $easyrsa --batch build-ca nopass $easyrsa gen-dh EASYRSA_CERT_EXPIRE=3650 $easyrsa build-server-full server nopass EASYRSA_CERT_EXPIRE=3650 $easyrsa build-client-full client nopass EASYRSA_CRL_DAYS=3650 $easyrsa gen-crl openvpn --genkey --secret tc.key fi #network configuration cat > run-openvpn.sh << EOF #!/bin/bash echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null IP=\$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) if [ -z "\$(sudo iptables -t nat -L POSTROUTING -n | grep -F 10.$NETWORK_NUM.0.0/24)" ]; then echo "adding iptables rule" sudo iptables -t nat -A POSTROUTING -s 10.$NETWORK_NUM.0.0/24 ! -d 10.$NETWORK_NUM.0.0/24 -j SNAT --to \$IP fi EOF @@ -56,13 +84,14 @@ chmod +x run-openvpn.sh source run-openvpn.sh echo 'cd "$(dirname "$BASH_SOURCE")" exec sudo openvpn --config server.ovpn' >> run-openvpn.sh SERVICE_NAME="openvpn-server-$SERVICE_AFFIX" SERVICE_FILE="/etc/systemd/system/$SERVICE_NAME.service" if [ ! -f "$SERVICE_FILE" ]; then echo "installing systemd service" echo "[Unit] Description=$SERVICE_NAME After=network.target After=systemd-user-sessions.service After=network-online.target 
@@ -71,42 +100,44 @@ After=network-online.target ExecStart='$(readlink -f run-openvpn.sh)' [Install] WantedBy=multi-user.target" | sudo tee "$SERVICE_FILE" > /dev/null sudo systemctl daemon-reload echo "installed systemd service, run sudo systemctl start|enable $SERVICE_NAME to use" fi #generate server configuration echo "port $PORT proto $PROTOCOL sndbuf 0 rcvbuf 0 compress $COMPRESS dev tun ca pki/ca.crt cert pki/issued/server.crt key pki/private/server.key dh pki/dh.pem auth $AUTH tls-crypt tc.key topology subnet duplicate-cn server 10.$NETWORK_NUM.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push \"redirect-gateway def1 bypass-dhcp\" push \"dhcp-option DNS 128.52.130.209\" keepalive 10 60 cipher $CIPHER persist-key persist-tun status openvpn-status.log verb 3 crl-verify pki/crl.pem $SCRAMBLE_LINE" > server.ovpn #generate client.conf echo "finding public ip address" PUB_IP=`curl -s4 https://checkip.amazonaws.com/` echo "client compress $COMPRESS dev tun proto $PROTOCOL sndbuf 0 @@ -117,10 +148,9 @@ nobind persist-key persist-tun remote-cert-tls server auth $AUTH cipher $CIPHER setenv opt block-outside-dns verb 3 <ca> $(cat pki/ca.crt) @@ -131,7 +161,9 @@ $(cat pki/issued/client.crt) <key> $(cat pki/private/client.key) </key> <tls-crypt> $(cat tc.key) </tls-crypt> $SCRAMBLE_LINE" > client.ovpn echo "done - client config in client.ovpn" -
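Review bot: The new `encrypt`/`hmac` prompts let a run write `cipher none` and `auth none` into both server.ovpn and client.ovpn, so the data channel is neither encrypted nor integrity-protected (`tls-crypt` only covers the control channel), yet this same revision replaces the original `#do not use for security` header with `#easy openvpn server setup for ubuntu`. Keep a warning in the header and print one at the point the answer is read, e.g. `[ "$ENCRYPT" == y ] || echo "WARNING: cipher none - tunnel traffic is sent in cleartext" >&2` and the same for `$HMAC`. `SERVICE_AFFIX` and `NETWORK_NUM` are also used unvalidated: the former becomes part of a path under /etc/systemd/system written with `sudo tee`, the latter is spliced into the iptables SNAT rule and the `server` directive, so reject anything not matching `^[A-Za-z0-9_-]+$` and anything outside 0–255 before the first use. The OpenVPN tarball and the five Tunnelblick xor patches (fetched from a mutable `master` branch) are downloaded and built without any checksum or signature check; at minimum fetch and verify the release's `.asc` signature before `./configure`, and pin the patch URLs to a commit hash.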
XMB5 created this gist
Nov 3, 2018
@@ -0,0 +1,137 @@ #!/bin/bash #do not use for security read -p "port: " PORT read -p "protocol (udp or tcp): " PROTOCOL if [ -z "$(command -v openvpn)" ]; then OPENVPN_VERSION=2.4.6 echo "installing openvpn from source" sudo apt install -y libssl-dev liblz4-dev liblzo2-dev libpam-dev wget --quiet "https://swupdate.openvpn.org/community/releases/openvpn-${OPENVPN_VERSION}.tar.xz" -O- | tar xfJ - cd "openvpn-${OPENVPN_VERSION}" for PATCH in 02-tunnelblick-openvpn_xorpatch-a 03-tunnelblick-openvpn_xorpatch-b 04-tunnelblick-openvpn_xorpatch-c 05-tunnelblick-openvpn_xorpatch-d 06-tunnelblick-openvpn_xorpatch-e; do wget --quiet "https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-${OPENVPN_VERSION}/patches/${PATCH}.diff" patch -Np1 -i "${PATCH}.diff" done ./configure make sudo make install cd .. rm -rf "openvpn-${OPENVPN_VERSION}" fi EASYRSA_VERSION=3.0.5 if [ ! -d "EasyRSA-${EASYRSA_VERSION}" ]; then echo "downloading easyrsa" wget --quiet "https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/EasyRSA-nix-${EASYRSA_VERSION}.tgz" -O- | tar xfz - fi if [ ! -d "pki" ]; then echo "generating keys" easyrsa="EasyRSA-${EASYRSA_VERSION}/easyrsa" $easyrsa init-pki $easyrsa --batch build-ca nopass $easyrsa gen-dh EASYRSA_CERT_EXPIRE=3650 $easyrsa build-server-full server nopass EASYRSA_CERT_EXPIRE=3650 $easyrsa build-client-full client nopass EASYRSA_CRL_DAYS=3650 $easyrsa gen-crl openvpn --genkey --secret ta.key fi #network configuration cat > run-openvpn.sh << 'EOF' #!/bin/bash echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) if [ -z "$(sudo iptables -t nat -L POSTROUTING -n | grep -F 10.8.0.0/24)" ]; then echo "adding iptables rule" sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! 
-d 10.8.0.0/24 -j SNAT --to $IP fi EOF chmod +x run-openvpn.sh #run-openvpn only contains routing rules so far source run-openvpn.sh echo 'cd "$(dirname "$BASH_SOURCE")" sudo openvpn --config server.conf' >> run-openvpn.sh SERVICE_FILE="/etc/systemd/system/openvpn-server.service" if [ ! -f "$SERVICE_FILE" ]; then echo "installing systemd service" echo "[Unit] Description=OpenVPN Server After=network.target After=systemd-user-sessions.service After=network-online.target [Service] ExecStart='$(readlink -f run-openvpn.sh)' [Install] WantedBy=multi-user.target" | sudo tee /etc/systemd/system/openvpn-server.service > /dev/null sudo systemctl daemon-reload echo 'installed systemd service, run sudo systemctl start|enable openvpn-server to use' fi #generate server.conf echo "port $PORT proto $PROTOCOL compress lz4 dev tun sndbuf 0 rcvbuf 0 ca pki/ca.crt cert pki/issued/server.crt key pki/private/server.key dh pki/dh.pem auth SHA512 tls-auth ta.key 0 topology subnet duplicate-cn server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt" > server.conf echo 'push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 128.52.130.209"' >> server.conf echo "keepalive 10 120 cipher AES-256-CBC persist-key persist-tun status openvpn-status.log verb 3 crl-verify pki/crl.pem" >> server.conf #generate client.conf PUB_IP=`curl -s http://checkip.amazonaws.com/` echo "client compress lz4 dev tun proto $PROTOCOL sndbuf 0 rcvbuf 0 remote $PUB_IP $PORT resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA512 cipher AES-256-CBC setenv opt block-outside-dns key-direction 1 verb 3 <ca> $(cat pki/ca.crt) </ca> <cert> $(cat pki/issued/client.crt) </cert> <key> $(cat pki/private/client.key) </key> <tls-auth> $(cat ta.key) </tls-auth>" > client.conf
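Review bot: `$easyrsa --batch build-ca nopass` leaves the CA private key unencrypted in `pki/private/` on the same host that runs the VPN, next to the server key, so anyone who can read the working directory can mint new client certificates that `crl-verify` will never catch; after `build-client-full` the CA key should be passphrase-protected or moved off the server, and only `pki/ca.crt` and `pki/crl.pem` need to stay. The single `client` identity is issued with `nopass`, embedded in `client.conf`, and combined with `duplicate-cn`, which means one leaked client.conf can be used by any number of peers concurrently with no way to distinguish them in `openvpn-status.log` — consider dropping `duplicate-cn` and issuing one cert per device, or at least document the trade-off in the header. `wget ... | tar xfJ -` installs an OpenVPN built from an unverified tarball and unpinned Tunnelblick patches; verify the release signature before `./configure`. The script also runs without `set -euo pipefail`, so a failed `cd "openvpn-${OPENVPN_VERSION}"` would let `patch`, `make` and `sudo make install` proceed in the wrong directory; adding `set -euo pipefail` after the shebang (or `cd ... || exit 1`) closes that.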