-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathopensetup
executable file
·246 lines (221 loc) · 6.87 KB
/
opensetup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
#!/bin/bash
set -e
echo -e "\n\033[1m --------- \033[0m"
echo -e "\n\033[1m || OPENSETUP || \033[0m\n"
echo -e "\033[1m --------- \033[0m\n"
#Defaults
PORT="443"
PROTO="tcp"
SERVER_NAME="openserver"
PACKAGES="openvpn easy-rsa"
OPENSETUP_DIR="$HOME/.opensetup"
CA_DIR="$OPENSETUP_DIR/ca"
CLIENT_CONF_DIR="$OPENSETUP_DIR/client"
if [ -z "$1" ];
then
CLIENT_NAME="openclient"
echo -e "CLIENT_NAME is set to default: openclient\n"
else
CLIENT_NAME=$1
fi
function create_home_dir() {
echo -e "Creating opensetup directory...\n"
if [ ! -d "$OPENSETUP_DIR" ]; then
mkdir -p $CA_DIR/keys
chmod -R 700 $OPENSETUP_DIR
cp /usr/share/easy-rsa/* $CA_DIR
cp $CA_DIR/openssl-1.0.0.cnf $CA_DIR/openssl.cnf
echo -e "Created new opensetup directory: $OPENSETUP_DIR\n"
fi
}
function set_key_variables() {
echo -e "Exporting key variables...\n"
export EASY_RSA="$CA_DIR"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="[email protected]"
export KEY_OU="MyVPN"
export KEY_NAME="$SERVER_NAME"
}
function clean_key_dir() {
echo -e "Removing existing keys...\n"
if [ "$KEY_DIR" ]; then
rm -rf "$KEY_DIR"
mkdir "$KEY_DIR" && chmod go-rwx "$KEY_DIR" && touch "$KEY_DIR/index.txt" && echo 01 >"$KEY_DIR/serial"
fi
}
function build_certificate_authority() {
echo -e "Building ca.cert...\n"
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --batch --initca $*
}
function build_server_key() {
echo -e "Building server key for $SERVER_NAME...\n"
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --batch --server $SERVER_NAME
}
function build_diffie_helman() {
echo -e "Building diffie helman pem...\n"
if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
$OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
fi
}
function generate_client_cert() {
echo -e "Generating client certificates...\n"
export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" --batch $CLIENT_NAME
}
function generate_server_conf_for_openvpn() {
echo -e "Generating server configuration files for openvpn...\n"
echo -e "port $PORT
proto $PROTO
dev tun
ca ca.crt
cert $SERVER_NAME.crt
key $SERVER_NAME.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push \042redirect-gateway def1 bypass-dhcp\042
push \042dhcp-option DNS 8.8.8.8\042
push \042dhcp-option DNS 8.8.4.4\042
keepalive 10 120
tls-auth ta.key 0
key-direction 0
cipher AES-128-CBC
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
# no logging
verb 0
" > /etc/openvpn/$SERVER_NAME.conf
}
function allow_ipv4_forwarding() {
echo -e "Enabling ipv4 forwarding...\n"
if sysctl net.ipv4.ip_forward | grep 0; then
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl -p
fi
}
function set_firewall() {
echo -e "Setting firewall rules...\n"
echo -e "*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/8 -o $(ip route | grep default | grep -Po '(?<=dev )(\S+)') -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
COMMIT" > /etc/ufw/before.rules
sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
ufw allow OpenSSH
ufw allow $PORT/$PROTO
ufw disable
ufw --force enable
}
function create_client_conf() {
echo -e "Creating client configuration(.ovpn) for client: $CLIENT_NAME...\n"
OVPN_OUTPUT_DIR=$CLIENT_CONF_DIR/files
CLIENT_BASE_CONFIG=$CLIENT_CONF_DIR/client.conf
mkdir -p $OVPN_OUTPUT_DIR
chmod -R 700 $CLIENT_CONF_DIR
echo -e "client
dev tun
proto $PROTO
remote $(curl -s checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//') $PORT
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
cipher AES-128-CBC
auth SHA256
key-direction 1
remote-cert-tls server
comp-lzo
verb 3
# UPDATE RESOLVE CONF (UBUNTU)
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf" > $CLIENT_BASE_CONFIG
cat ${CLIENT_BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${CLIENT_NAME}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${CLIENT_NAME}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OVPN_OUTPUT_DIR}/${CLIENT_NAME}.ovpn
}
IAM=$(whoami)
if [ ${IAM} != "root" ]; then
echo -e "\033[0;31m\033[1m Only root is allowed to use this! \033[0m\n"
exit 1
fi
apt-get update
apt-get install -y $PACKAGES
create_home_dir
set_key_variables
clean_key_dir
build_certificate_authority
build_server_key
build_diffie_helman
openvpn --genkey --secret $CA_DIR/keys/ta.key
generate_client_cert
cd $CA_DIR/keys
cp ca.crt $SERVER_NAME.crt $SERVER_NAME.key ta.key dh2048.pem /etc/openvpn
generate_server_conf_for_openvpn
allow_ipv4_forwarding
set_firewall
create_client_conf
systemctl start openvpn@$SERVER_NAME
systemctl enable openvpn@$SERVER_NAME
echo -e "\n\nSetup completed successfully. Get ${OVPN_OUTPUT_DIR}/${CLIENT_NAME}.ovpn via sftp\n"