openvpn-bash-setup-script/server.sh at master · actuallymentor/openvpn-bash-setup-script · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
# Checks
if [[ "$EUID" -ne 0 ]]; then
	echo "Sorry, you need to run this as root"
	exit 1
fi

if [[ ! -e /dev/net/tun ]]; then
	echo "TUN is not available"
	exit 2
fi
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
	IP=$(wget -qO- ipv4.icanhazip.com)
fi

# Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
SUBNET=$(od -A n -t d -N 1 /dev/urandom |tr -d ' ')

# Ask for user input, used for inspiration: https://github.com/Angristan/OpenVPN-install/blob/master/openvpn-install.sh
echo "This should be your public IPv4 address."
read -p "IP address: " -e -i $IP IP


echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT


echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
while [[ $PROTOCOL != "udp" && $PROTOCOL != "tcp" ]]; do
	read -p "Protocol [udp/tcp]: " -e -i udp PROTOCOL
done

echo "What DNS do you want to use with the VPN?"
echo "   1) Current system resolvers (in /etc/resolv.conf)"
echo "   2) FDN (France)"
echo "   3) DNS.WATCH (Germany)"
echo "   4) OpenDNS (Anycast: worldwide)"
echo "   5) Google (Anycast: worldwide)"
echo "   6) Yandex Basic (Russia)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" ]]; do
	read -p "DNS [1-5]: " -e -i 1 DNS
done

echo "Choose what size of Diffie-Hellman key you want to use:"
echo "   1) 2048 bits (fastest)"
echo "   2) 3072 bits (recommended, best compromise)"
echo "   3) 4096 bits (most secure)"
while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
	read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
done
case $DH_KEY_SIZE in
	1)
	DH_KEY_SIZE="2048"
	;;
	2)
	DH_KEY_SIZE="3072"
	;;
	3)
	DH_KEY_SIZE="4096"
	;;
esac

echo "Choose what size of RSA key you want to use:"
echo "   1) 2048 bits (fastest)"
echo "   2) 3072 bits (recommended, best compromise)"
echo "   3) 4096 bits (most secure)"
while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
	read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE
done
case $RSA_KEY_SIZE in
	1)
	RSA_KEY_SIZE="2048"
	;;
	2)
	RSA_KEY_SIZE="3072"
	;;
	3)
	RSA_KEY_SIZE="4096"
	;;
esac

echo "Choose which cipher you want to use for the data channel:"
echo "   1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)"
echo "   2) AES-192-CBC"
echo "   3) AES-256-CBC"
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" ]]; do
	read -p "Cipher [1-3]: " -e -i 1 CIPHER
done
case $CIPHER in
	1)
	CIPHER="AES-128-CBC"
	;;
	2)
	CIPHER="AES-192-CBC"
	;;
	3)
	CIPHER="AES-256-CBC"
	;;
esac

while [[ ${SERVER} = "" ]]; do
	echo "Please, use one word only, no special characters"
	read -p "Server name: " -e -i server SERVER
done

# Make certificate authority
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
# Build CA
cd ~/openvpn-ca
source vars
# Override any variables from ~/openvpn-ca/vars
export KEY_NAME="${SERVER}server"
export KEY_SIZE=$RSA_KEY_SIZE
# Clean up and product keys
echo "Building CA with RSA key size ${KEY_SIZE}"
./clean-all
./build-ca --batch $SERVER nopass

# Build keys
./build-key-server --batch "${SERVER}server" nopass

# Build dh
if [ -d $KEY_DIR ] && [ $DH_KEY_SIZE ]; then
    $OPENSSL dhparam -out ${KEY_DIR}/${SERVER}dh${DH_KEY_SIZE}.pem ${DH_KEY_SIZE}
else
    echo 'Please source the vars script first (i.e. "source ./vars")'
    echo 'Make sure you have edited it to reflect your configuration.'
fi

# ta handshake key
openvpn --genkey --secret "keys/${SERVER}ta.key"

# Copy keys to openvpn folder & sae to vars
cp ~/openvpn-ca/keys/{"ca.crt","ca.key","${SERVER}server.crt","${SERVER}server.key","${SERVER}ta.key","${SERVER}dh$DH_KEY_SIZE.pem"} /etc/openvpn
# Rename CA key and crt
mv /etc/openvpn/ca.key /etc/openvpn/${SERVER}ca.key
mv /etc/openvpn/ca.crt /etc/openvpn/${SERVER}ca.crt
TA="keys/${SERVER}ta.key"
KEY="${SERVER}ca.key"
CA="${SERVER}ca.crt"
CRT="${SERVER}server.crt"
DH="${SERVER}dh$DH_KEY_SIZE.pem"

# Make server config
touch /etc/openvpn/$SERVER.conf
echo "
	port ${PORT}
	proto ${PROTOCOL}
	dh ${SERVER}dh${DH_KEY_SIZE}.pem
	cipher ${CIPHER}
	ca ${SERVER}ca.crt
	cert ${SERVER}server.crt
	key ${SERVER}server.key
	tls-auth ${SERVER}ta.key 0
	persist-key
	persist-tun
	user nobody
	group nogroup
	server 10.8.${SUBNET}.0 255.255.255.0
	ifconfig-pool-persist ipp.txt
	keepalive 10 120
	dev tun${RANDOM}
	key-direction 0
	auth SHA256
	verb 0
"  >> /etc/openvpn/$SERVER.conf
# Reroute all traffic over vpn
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/$SERVER.conf

# DNS resolvers
case $DNS in
	1)
	# Obtain the resolvers from resolv.conf and use them for OpenVPN
	grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
		echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/$SERVER.conf
	done
	;;
	2) #FDN
	echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/$SERVER.conf
	echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/$SERVER.conf
	;;
	3) #DNS.WATCH
	echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/$SERVER.conf
	echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/$SERVER.conf
	;;
	4) #OpenDNS
	echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/$SERVER.conf
	echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/$SERVER.conf
	;;
	5) #Google
	echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/$SERVER.conf
	echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/$SERVER.conf
	;;
	6) #Yandex Basic
	echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/$SERVER.conf
	echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/$SERVER.conf
	;;
esac

# Save the parameters
echo "
	export SERVER=${SERVER}
	export IP=${IP}
	export NIC=${NIC}
	export PORT=${PORT}
	export PROTOCOL=${PROTOCOL}
	export DNS=${DNS}
	export DH_KEY_SIZE=${DH_KEY_SIZE}
	export RSA_KEY_SIZE=${RSA_KEY_SIZE}
	export CIPHER=${CIPHER}
	export CA=${CA}
	export CRT=${CRT}
	export KEY=${KEY}
	export TA=${TA}
	export DH=${DH}
" >> /etc/openvpn/${SERVER}.server


# Set up firewall
ufw allow "${PORT}/${PROTOCOL}"
systemctl start openvpn@$SERVER