From 3f3d8449dd388391a3398bf183afa1e3bfa449dd Mon Sep 17 00:00:00 2001
From: Christoph
Date: Mon, 10 Jan 2022 01:12:37 +0100
Subject: [PATCH] Can't recognize changes - hopefuly they are useful.

---
OLD/install_openvpn.sh | 2988 ++++++++++++++++++++++++++++++++++++++++
build_key-pass.sh | 30 +-
install_openvpn.sh | 127 +-
revoke_key.sh | 33 +-
4 files changed, 3163 insertions(+), 15 deletions(-)
create mode 100755 OLD/install_openvpn.sh

diff --git a/OLD/install_openvpn.sh b/OLD/install_openvpn.sh
new file mode 100755
index 0000000..feb5626
--- /dev/null
+++ b/OLD/install_openvpn.sh
@@ -0,0 +1,2988 @@
+#!/usr/bin/env bash
+
+script_dir="$(dirname $(realpath $0))"
+conf_file=${script_dir}/conf/install_openvpn.conf
+
+_needed_debian_packages="openvpn easy-rsa"
+
+# - Used if system does NOT support systemd
+# -
+init_script="/etc/init.d/openvpn"
+
+# - Used if systemd is supported
+# -
+service_name=openvpn
+
+openvpn_binary="/usr/sbin/openvpn"
+
+log_file="$(mktemp)"
+_date="$(date +%Y-%m-%d-%H%M)"
+
+#---------------------------------------
+#-----------------------------
+# Base Function(s)
+#-----------------------------
+#---------------------------------------
+clean_up() {
+
+ # Perform program exit housekeeping
+ rm $log_file
+ blank_line
+ exit $1
+}
+
+trim() {
+ local var="$*"
+ var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
+ var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
+ echo -n "$var"
+}
+
+
+blank_line() {
+ if $terminal ; then
+ echo ""
+ fi
+}
+
+is_number() {
+
+ return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
+
+ # - also possible
+ # -
+ #[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
+ #return $([[ ! -z "${1##*[!0-9]*}" ]])
+}
+
+is_int() {
+ return $(test "$@" -eq "$@" > /dev/null 2>&1);
+}
+
+
+
+# - Test of valid IPv4 Address
+# -
+# - Returns 0 if valid, > 0 otherwise
+# -
+is_valid_ipv4() {
+ local -a octets=( ${1//\./ } )
+ local RETURNVALUE=0
+
+ # return an error if the IP doesn't have exactly 4 octets
+ [[ ${#octets[@]} -ne 4 ]] && return 1
+
+ for octet in ${octets[@]}
+ do
+ if [[ ${octet} =~ ^[0-9]{1,3}$ ]]
+ then # shift number by 8 bits, anything larger than 255 will be > 0
+ ((RETURNVALUE += octet>>8 ))
+ else # octet wasn't numeric, return error
+ return 1
+ fi
+ done
+ return ${RETURNVALUE}
+}
+
+# - Convert CIDR to netmask
+# -
+cidr2mask() {
+ local i mask=""
+ local full_octets=$(($1/8))
+ local partial_octet=$(($1%8))
+
+ for ((i=0;i<4;i+=1)); do
+ if [ $i -lt $full_octets ]; then
+ mask+=255
+ elif [ $i -eq $full_octets ]; then
+ mask+=$((256 - 2**(8-$partial_octet)))
+ else
+ mask+=0
+ fi
+ test $i -lt 3 && mask+=.
+ done
+
+ echo $mask
+}
+
+echononl(){
+ echo X\\c > /tmp/shprompt$$
+ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
+ echo -e -n "$*\\c" 1>&2
+ else
+ echo -e -n "$*" 1>&2
+ fi
+ rm /tmp/shprompt$$
+}
+
+fatal(){
+ echo ""
+ echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
+ echo ""
+ echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m"
+ echo ""
+ clean_up 1
+ exit 1
+}
+
+error(){
+ echo ""
+ echo -e "\t[ \033[31m\033[1mError\033[m ]: $*"
+ echo ""
+}
+
+warn (){
+ echo ""
+ echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
+ echo ""
+}
+
+info (){
+ echo ""
+ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
+ echo ""
+}
+
+echo_done() {
+ echo -e "\033[80G[ \033[32mdone\033[m ]"
+}
+echo_ok() {
+ echo -e "\033[80G[ \033[32mok\033[m ]"
+}
+echo_warning() {
+ echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
+}
+echo_failed(){
+ echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
+}
+echo_skipped() {
+ echo -e "\033[80G[ \033[37mskipped\033[m ]"
+}
+
+detect_os_1 () {
+
+ if $(which lsb_release > /dev/null 2>&1) ; then
+
+ os_dist="$(lsb_release -i | awk '{print tolower($3)}')"
+ os_version="$(lsb_release -r | awk '{print tolower($2)}')"
+ os_codename="$(lsb_release -c | awk '{print tolower($2)}')"
+
+ if [[ "$os_dist" = "debian" ]]; then
+ if $(echo "$os_version" | grep -q '\.') ; then
+ os_version=$(echo "$os_version" | cut --delimiter='.' -f1)
+ fi
+ fi
+
+ elif [[ -e "/etc/os-release" ]]; then
+
+ . /etc/os-release
+
+ os_dist=$ID
+ os_version=${os_version_ID}
+
+ fi
+
+ # remove whitespace from os_dist and os_version
+ os_dist="${os_dist// /}"
+ os_version="${os_version// /}"
+
+}
+
+
+trap clean_up SIGHUP SIGINT SIGTERM
+
+#---------------------------------------
+#-----------------------------
+# Check some prerequisites
+#-----------------------------
+#---------------------------------------
+
+# - Is 'systemd' supported on this system
+# -
+systemd=$(which systemd)
+systemctl=$(which systemctl)
+
+systemd_supported=false
+if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
+ systemd_supported=true
+else
+ if [[ ! -x $init_script ]]; then
+ fatal "$(basename $0): Missing OpenVPN Init-Script!"
+ fi
+fi
+
+# - Set variable
+# - os_dist
+# - os_version
+# - os_codename
+# -
+detect_os_1
+
+
+clear
+echo -e "\n\t\033[32mStart script for installation of OpenVPN on this Server..\033[m"
+
+#---------------------------------------
+#-----------------------------
+# Setting Defaults
+#-----------------------------
+#---------------------------------------
+
+DEFAULT_SERVER_PORT="1194 1195"
+DEFAULT_OPENVPN_NAME="home gw-ckubu"
+
+DEFAULT_CA_EXPIRE=11688
+DEFAULT_CERT_EXPIRE=7305
+
+DEFAULT_KEY_SIZE=4096
+
+DEFAULT_KEY_COUNTRY="DE"
+DEFAULT_KEY_PROVINCE="Berlin"
+DEFAULT_KEY_CITY="Berlin"
+DEFAULT_KEY_EMAIL='argus@oopen.de'
+DEFAULT_KEY_ORG='o.open'
+DEFAULT_KEY_OU="Network Services"
+
+DEFAULT_SERVER_CIPHER="AES-256-CBC"
+
+
+#---------------------------------------
+#-----------------------------
+# Load default values from install_openvpn.conf
+#
+# Overwrites the settings above
+#
+#-----------------------------
+#---------------------------------------
+
+echo ""
+echo ""
+echononl " Load Configuration File $(basename ${conf_file}).."
+if [[ ! -f "$conf_file" ]]; then
+ echo_skipped
+else
+ source "${conf_file}" > $log_file 2>&1
+ if [[ $? -eq 0 ]]; then
+ echo_ok
+ else
+ echo_failed
+ fatal "$(cat $log_file)"
+ fi
+fi
+[[ -z "$DEFAULT_SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER='None'
+
+[[ -n "$OPENVPN_SERVER" ]] && DEFAULT_SERVER="$(trim "$OPENVPN_SERVER")"
+
+#[[ -n "$SERVER_PORT" ]] && DEFAULT_SERVER_PORT="$( trim "$SERVER_PORT")"
+
+declare -a DEFAULT_SERVER_PORT_ARR=()
+if [[ -n "$SERVER_PORT" ]] ; then
+ for _port in $SERVER_PORT ; do
+ DEFAULT_SERVER_PORT_ARR+=("$_port")
+ done
+else
+ for _port in $DEFAULT_SERVER_PORT ; do
+ DEFAULT_SERVER_PORT_ARR+=("$_port")
+ done
+fi
+
+[[ -n "$ORG_SHORTCUT" ]] && DEFAULT_ORG_SHORTCUT="$(trim "$ORG_SHORTCUT")"
+
+declare -a DEFAULT_OPENVPN_NAME_ARR=()
+if [[ -n "$OPENVPN_NAME" ]] ; then
+ for _name in $OPENVPN_NAME ; do
+ DEFAULT_OPENVPN_NAME_ARR+=("$_name")
+ done
+else
+ for _name in $DEFAULT_OPENVPN_NAME ; do
+ DEFAULT_OPENVPN_NAME_ARR+=("$_name")
+ done
+fi
+
+[[ -n "$OPENVPN_BASE_DIR" ]] && DEFAULT_OPENVPN_BASE_DIR="$OPENVPN_BASE_DIR"
+
+[[ -n "$CA_EXPIRE" ]] && DEFAULT_CERT_EXPIRE="$(trim "$CA_EXPIRE")"
+[[ -n "$KEY_PROVINCE" ]] && DEFAULT_KEY_PROVINCE="$(trim "$KEY_PROVINCE")"
+[[ -n "$KEY_CITY" ]] && DEFAULT_KEY_CITY="$(trim "$KEY_CITY")"
+[[ -n "$KEY_ORG" ]] && DEFAULT_KEY_ORG="$(trim "$KEY_ORG")"
+[[ -n "$KEY_EMAIL" ]] && DEFAULT_KEY_EMAIL="$(trim "$KEY_EMAIL")"
+[[ -n "$KEY_OU" ]] && DEFAULT_KEY_OU="$(trim "$KEY_OU")"
+
+[[ -n "$LZO_COMPRESSION" ]] && DEFAULT_LZO_COMPRESSION="$(trim "$LZO_COMPRESSION")"
+[[ -n "$SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER="$(trim "$SERVER_CIPHER")"
+#[[ -n "$" ]] && DEFAULT_="$(trim "$")"
+
+declare -a DEFAULT_OPENVPN_NETWORK=()
+if [[ -n "$OPENVPN_NETWORK" ]] ; then
+ for _net in $OPENVPN_NETWORK ; do
+ DEFAULT_OPENVPN_NETWORK_ARR+=("$_net")
+ done
+fi
+
+[[ -n "$REMOTE_NETWORKS" ]] && DEFAULT_REMOTE_NETWORKS="$(trim "$REMOTE_NETWORKS")"
+[[ -n "$DNS_SERVER" ]] && DEFAULT_DNS_SERVER="$(trim "$DNS_SERVER")"
+[[ -n "$SEARCH_DOMAINS" ]] && DEFAULT_SEARCH_DOMAINS="$(trim "$SEARCH_DOMAINS")"
+[[ -n "$LOCAL_NETWORKS" ]] && DEFAULT_LOCAL_NETWORKS="$(trim "$LOCAL_NETWORKS")"
+
+
+
+echo ""
+echo ""
+echo -e "\033[32m==========\033[m"
+echo ""
+echononl "Only create Configuration file (yes/no) [no]: "
+read OK
+echo ""
+if [[ "$(trim ${OK,,})" = "yes" ]] ; then
+ _only_create_config_file=true
+else
+ _only_create_config_file=false
+fi
+
+echo ""
+echo ""
+echo -e "\033[32m--\033[m"
+echo "Common parameters"
+echo -e "\033[32m--\033[m"
+
+echo ""
+echo "Insert IP-Address/Hostname of OpenVPN Server"
+echo ""
+OPENVPN_SERVER=""
+if [[ -n "$DEFAULT_SERVER" ]] ; then
+ echononl "OpenVPN Server [${DEFAULT_SERVER}]: "
+ read OPENVPN_SERVER
+ if [[ "X$OPENVPN_SERVER" = "X" ]]; then
+ OPENVPN_SERVER="$DEFAULT_SERVER"
+ fi
+else
+ echononl "OpenVPN Server: "
+ read OPENVPN_SERVER
+ while [ "X$OPENVPN_SERVER" = "X" ] ; do
+ echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Server' is required!\033[m\n"
+ echononl "OpenVPN Server: "
+ read OPENVPN_SERVER
+ done
+fi
+
+
+echo ""
+SERVER_PORT=""
+
+#echononl "Server Port [${DEFAULT_SERVER_PORT}]: "
+#while [[ "X${SERVER_PORT}" = "X" ]]; do
+# read SERVER_PORT
+# if [[ "X$SERVER_PORT" = "X" ]]; then
+# SERVER_PORT="$DEFAULT_SERVER_PORT"
+# fi
+#done
+
+declare -i i=0
+echo ""
+echo "Which Server Port should be used:"
+echo ""
+for _port in "${DEFAULT_SERVER_PORT_ARR[@]}" ; do
+ echo " [${i}] ${DEFAULT_SERVER_PORT_ARR[${i}]}"
+ (( i++ ))
+done
+echo ""
+echo " [${i}] other"
+_OK=false
+echo ""
+echononl "Eingabe: "
+while ! $_OK ; do
+ read _IN
+ if is_number "$_IN" && [[ -n ${DEFAULT_SERVER_PORT_ARR[$_IN]} ]]; then
+ SERVER_PORT="${DEFAULT_SERVER_PORT_ARR[$_IN]}"
+ _OK=true
+ elif is_number "$_IN" && [[ $_IN -eq $i ]]; then
+ echo ""
+ echononl "Server Port: "
+ read SERVER_PORT
+ while [[ "X${SERVER_PORT}" = "X" ]]; do
+ echo -e "\n\t\033[33m\033[1mSetting 'Server Port' is required!\033[m\n"
+ echononl "Server Port: "
+ read SERVER_PORT
+ done
+ _OK=true
+ else
+ echo ""
+ echo -e "\tFalsche Eingabe !"
+ echo "" + echononl "Eingabe: " + fi +done + + +if $(grep -q -E "SERVER_PORT=$SERVER_PORT" ${script_dir}/conf/server-*.conf 2> /dev/null) ; then + warn "Port '$SERVER_PORT' is already in use by an other OpenVPN Service on this Server" +fi + +echo "" +echo "Insert shortcut (acronym) for the company or organisation" +echo "" +echo " Example: 'AKB' or 'FLR' or 'OPP' or.." +echo "" + +ORG_SHORTCUT="" +echononl "Organisations shortcut: " +if [[ -n "$DEFAULT_ORG_SHORTCUT" ]] ; then + echononl "Organisations shortcut [${DEFAULT_ORG_SHORTCUT}]: " + read ORG_SHORTCUT + if [[ "X$ORG_SHORTCUT" = "X" ]]; then + ORG_SHORTCUT="$DEFAULT_ORG_SHORTCUT" + fi +else + echononl "Organisations shortcut: " + read ORG_SHORTCUT + while [ "X$ORG_SHORTCUT" = "X" ] ; do + echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Name' is required!\033[m\n" + echononl "Organisations shortcut: " + read ORG_SHORTCUT + done +fi + +DEFAULT_KEY_NAME="VPN $ORG_SHORTCUT" +DEFAULT_KEY_CN="VPN-$ORG_SHORTCUT" +DEFAULT_KEY_ALTNAMES="VPN $ORG_SHORTCUT" + + +#echo "" +#echo "Insert Name of OpenVPN Service (i.e. so36, gw-ckubu, opferperspektive)" +#echo "" +#echo " Example: 'so36' or 'gw-ckubu' or 'opferperspektive' or.." +#echo "" +#OPENVPN_NAME="" +#echononl "OpenVPN Name: " +#read OPENVPN_NAME +#while [ "X$OPENVPN_NAME" = "X" ] ; do +# echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Name' is required!\033[m\n" +# echononl "OpenVPN Name: " +# read OPENVPN_NAME +#done + + + +OPENVPN_NAME="" +declare -i i=0 +echo "" +echo "Select Name of OpenVPN Service" +echo "" +for _port in "${DEFAULT_OPENVPN_NAME_ARR[@]}" ; do + echo " [${i}] ${DEFAULT_OPENVPN_NAME_ARR[${i}]}" + (( i++ )) +done +echo "" +echo " [${i}] other" +_OK=false +echo "" +echononl "Eingabe: " +while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ -n ${DEFAULT_OPENVPN_NAME_ARR[$_IN]} ]]; then + OPENVPN_NAME="${DEFAULT_OPENVPN_NAME_ARR[$_IN]}" + _OK=true + elif is_number "$_IN" && [[ $_IN -eq $i ]]; then + echo "" + echo "Give Name of OpenVPN Service (i.e. 
home, so36, gw-ckubu, opferperspektive, opp)" + echo "" + echononl "Name of OpenVPN Service: " + read OPENVPN_NAME + while [[ "X${OPENVPN_NAME}" = "X" ]]; do + echo -e "\n\t\033[33m\033[1mSetting 'Name of OpenVPN Service' is required!\033[m\n" + echononl "Name of OpenVPN Service: " + read OPENVPN_NAME + done + _OK=true + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi +done + + + + +[[ -z "$DEFAULT_OPENVPN_BASE_DIR" ]] && DEFAULT_OPENVPN_BASE_DIR="/etc/openvpn/server/${OPENVPN_NAME}" + + +echo "" +echo "" +echo "Insert OpenVPN Base Directory for Service '$OPENVPN_NAME'" +echo "" +if ! $_only_create_config_file ; then + echo " Note: must be a subdirectory of '/etc/openvpn'" + echo "" +fi +OPENVPN_BASE_DIR="" + +echononl "OpenVPN Base Directory [${DEFAULT_OPENVPN_BASE_DIR}]: " +while [[ "X${OPENVPN_BASE_DIR}" = "X" ]]; do + read OPENVPN_BASE_DIR + if [[ "X$OPENVPN_BASE_DIR" = "X" ]]; then + OPENVPN_BASE_DIR="$DEFAULT_OPENVPN_BASE_DIR" + else + if [[ ! "$(dirname ${OPENVPN_BASE_DIR})" = "/etc/openvpn" ]] && ! $_only_create_config_file ; then + echo -e "\n\t\033[33m\033[1mGiven entry is NOT a subdirectory of '/etc/openvpn'. 
Retry..\033[m\n" + echononl "OpenVPN Base Directory [${DEFAULT_OPENVPN_BASE_DIR}]: " + OPENVPN_BASE_DIR="" + fi + fi +done + +EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa" +if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then + OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/pki" + OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd" +else + OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/keys" + OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd/server-${OPENVPN_NAME}" +fi + +echo "" +echo -e "\033[32m--\033[m" +echo "KEY generation parameters" +echo -e "\033[32m--\033[m" + +echo "" +echo "Insert expiration time for ROOT CA" +echo "" +echo " Example: (3*365+366)*8 = 11688 = 32 Jahre" +echo " expiration time: 11688" +echo "" +CA_EXPIRE="" + +echononl "Expiration time ROOT CA [${DEFAULT_CA_EXPIRE}]: " +while [[ "X${CA_EXPIRE}" = "X" ]]; do + read CA_EXPIRE + if [[ "X$CA_EXPIRE" = "X" ]]; then + CA_EXPIRE="$DEFAULT_CA_EXPIRE" + fi +done + +echo "" +echo "" +echo "Insert expiration time for user/server certificates" +echo "" +echo " Example: (3*365+366)*5 = 7305 = 20 Jahre" +echo " expiration time: 7305" +echo "" +CERT_EXPIRE="" + +echononl "Expiration time certificates [${DEFAULT_CERT_EXPIRE}]: " +while [[ "X${CERT_EXPIRE}" = "X" ]]; do + read CERT_EXPIRE + if [[ "X$CERT_EXPIRE" = "X" ]]; then + CERT_EXPIRE="$DEFAULT_CERT_EXPIRE" + fi +done + +echo "" +echo "" +echo "Insert key size for user/server keys" +echo "" +KEY_SIZE="" + +echononl "KEY_SIZE [${DEFAULT_KEY_SIZE}]: " +while [[ "X${KEY_SIZE}" = "X" ]]; do + read KEY_SIZE + if [[ "X$KEY_SIZE" = "X" ]]; then + KEY_SIZE="$DEFAULT_KEY_SIZE" + fi +done + +echo "" +echo "" +echo "Insert key meta-data" +echo "" +KEY_COUNTRY="" +echononl "KEY_COUNTRY [${DEFAULT_KEY_COUNTRY}]: " +read KEY_COUNTRY +if [[ "X$KEY_COUNTRY" = "X" ]]; then + KEY_COUNTRY="$DEFAULT_KEY_COUNTRY" +fi + +KEY_PROVINCE="" +echo "" +echononl "KEY_PROVINCE [${DEFAULT_KEY_PROVINCE}]: " +read KEY_PROVINCE +if [[ "X$KEY_PROVINCE" = "X" ]]; then + KEY_PROVINCE="$DEFAULT_KEY_PROVINCE" +fi + 
+KEY_CITY="" +echo "" +echononl "KEY_CITY [${DEFAULT_KEY_CITY}]: " +read KEY_CITY +if [[ "X$KEY_CITY" = "X" ]]; then + KEY_CITY="$DEFAULT_KEY_CITY" +fi + +KEY_ORG="" +echo "" +echononl "KEY_ORG [${DEFAULT_KEY_ORG}]: " +read KEY_ORG +if [[ "X$KEY_ORG" = "X" ]]; then + KEY_ORG="$DEFAULT_KEY_ORG" +fi + +KEY_EMAIL="" +echo "" +echononl "KEY_EMAIL [${DEFAULT_KEY_EMAIL}]: " +read KEY_EMAIL +if [[ "X$KEY_EMAIL" = "X" ]]; then + KEY_EMAIL="$DEFAULT_KEY_EMAIL" +fi +EMAIL_PREFIX="$(echo $KEY_EMAIL | cut -d '@' -f1)" +EMAIL_DOMAIN="$(echo $KEY_EMAIL | cut -d '@' -f2)" + +KEY_OU="" +echo "" +echononl "KEY_OU [${DEFAULT_KEY_OU}]: " +read KEY_OU +if [[ "X$KEY_OU" = "X" ]]; then + KEY_OU="$DEFAULT_KEY_OU" +fi + +KEY_NAME= +echo "" +echononl "KEY_NAME [${DEFAULT_KEY_NAME}]: " +read KEY_NAME +if [[ "X$KEY_NAME" = "X" ]]; then + KEY_NAME="$DEFAULT_KEY_NAME" +else + DEFAULT_KEY_CN="$KEY_NAME" + DEFAULT_KEY_ALTNAMES="$KEY_NAME" +fi + +KEY_CN="" +echo "" +echo "" +echo -e " Type \"\033[33mNone\033[m\" if no CN Prefix should be used" +echo "" +echononl "KEY_CN [${DEFAULT_KEY_CN}]: " +read KEY_CN +if [[ "X$KEY_CN" = "X" ]]; then + KEY_CN="$DEFAULT_KEY_CN" + DEFAULT_KEY_ALTNAMES="$KEY_CN" +else + DEFAULT_KEY_ALTNAMES="$KEY_CN" + if [[ "$(trim ${KEY_CN,,})" = 'none' ]] ; then + KEY_CN="" + fi +fi + +KEY_ALTNAMES="" +echo "" +echononl "KEY_ALTNAMES [${DEFAULT_KEY_ALTNAMES}]: " +read KEY_ALTNAMES +if [[ "X$KEY_ALTNAMES" = "X" ]]; then + KEY_ALTNAMES="$DEFAULT_KEY_ALTNAMES" +fi +if [[ "$(trim ${KEY_ALTNAMES,,})" = 'none' ]] ; then + KEY_ALTNAMES="" +fi + +echo "" +echo -e "\033[32m--\033[m" +echo "Parameters for Server Configurations" +echo -e "\033[32m--\033[m" + +echo "" +echo "Set server-side 'cryptographic cipher'." 
+echo "" +echo "Note: if setting this parameter at the server configuration, this parameter *must'" +echo " also set this parameter at client configuration" +echo "" +echo " cipher BF-CBC # Blowfish (default)" +echo " cipher AES-128-CBC # AES 128Bit" +echo " cipher AES-256-CBC # AES 256Bit" +echo " cipher DES-EDE3-CBC # Triple-DES" +echo " ..." +echo "" +echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set." +echo "" +SERVER_CIPHER="" +echononl "Server cryptographic cipher [${DEFAULT_SERVER_CIPHER}]: " +read SERVER_CIPHER +if [[ "X$SERVER_CIPHER" = "X" ]]; then + SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" +fi +if [[ "$(trim ${SERVER_CIPHER,,})" = none ]]; then + SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" +fi + +echo "" +echo "" +echononl "Enable LZO compression (yes/no) [no]: " +read OK +echo "" +if [[ "$(trim ${OK,,})" = "yes" ]] ; then + LZO_COMPRESSION=true +else + LZO_COMPRESSION=false +fi + +#echo "" +#echo "Set OpenVPN Network used for the connection." +#echo "" +#OPENVPN_NETWORK="" +#echononl "OpenVPN Network: " +#read OPENVPN_NETWORK +#while [ "X$OPENVPN_NETWORK" = "X" ] ; do +# echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Server' is required!\033[m\n" +# echononl "OpenVPN Network: " +# read OPENVPN_NETWORK +#done +#OPENVPN_SERVER_IP="${OPENVPN_NETWORK%.*}.1" + + +OPENVPN_NETWORK="" +declare -i i=0 +echo "" +echo "Select OpenVPN Network used for the connection." +echo "" +for _port in "${DEFAULT_OPENVPN_NETWORK_ARR[@]}" ; do + echo " [${i}] ${DEFAULT_OPENVPN_NETWORK_ARR[${i}]}" + (( i++ )) +done + +if [[ $i -eq 0 ]] ; then + echononl "OpenVPN Network: " + read OPENVPN_NETWORK + while [ "X$OPENVPN_NETWORK" = "X" ] ; do + echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Server' is required!\033[m\n" + echononl "OpenVPN Network: " + read OPENVPN_NETWORK + done +else + echo "" + echo " [${i}] other" + _OK=false + echo "" + echononl "Eingabe: " + while ! 
$_OK ; do + read _IN + if is_number "$_IN" && [[ -n ${DEFAULT_OPENVPN_NETWORK_ARR[$_IN]} ]]; then + OPENVPN_NETWORK="${DEFAULT_OPENVPN_NETWORK_ARR[$_IN]}" + _OK=true + elif is_number "$_IN" && [[ $_IN -eq $i ]]; then + echo "" + echo "Give Name of OpenVPN Service (i.e. home, so36, gw-ckubu, opferperspektive, opp)" + echo "" + echononl "Name of OpenVPN Service: " + read OPENVPN_NETWORK + while [[ "X${OPENVPN_NETWORK}" = "X" ]]; do + echo -e "\n\t\033[33m\033[1mSetting 'Name of OpenVPN Service' is required!\033[m\n" + echononl "Name of OpenVPN Service: " + read OPENVPN_NETWORK + done + _OK=true + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi + done +fi +OPENVPN_SERVER_IP="${OPENVPN_NETWORK%.*}.1" + + +echo "" +echo -e "\033[32m--\033[m" +echo "" + +echo "" +echo "Networks to push from OpenVPN server to the client" +echo "" + + +declare -i i=0 +REMOTE_NETWORKS="" +declare -a REMOTE_NETWORK_ARR=() + +if [[ -z "$DEFAULT_REMOTE_NETWORKS" ]] || [[ "$(trim ${DEFAULT_REMOTE_NETWORKS,,})" = none ]]; then + echo -e "[${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e "[${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + if [[ $_IN -eq 0 ]] ; then + REMOTE_NETWORKS="" + _OK=true + else + + echo "" + echo "Networks to push from OpenVPN server to the client" + echo "" + echo " - use CIDR notation" + echo " - multiple networks are possible: use blank separated list of CIDR-networks" + echo -e " - \"\033[33mNone\033[m\" if no network should be pushed from OpenVPN server." 
+ echo "" + + echononl "Networks to push from server: " + while [[ "X$REMOTE_NETWORKS" = "X" ]] ; do + read REMOTE_NETWORKS + _to_lower_remote_networks="$(trim ${REMOTE_NETWORKS,,})" + if [[ "$_to_lower_remote_networks" = "none" ]]; then + REMOTE_NETWORKS="" + break + fi + if [[ "X$REMOTE_NETWORKS" = "X" ]] ; then + echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" + echononl "Networks to push from server: " + continue + fi + + for _net in ${REMOTE_NETWORKS} ; do + IFS='/' read -a _net_arr <<< "${_net}" + if ! is_valid_ipv4 ${_net_arr[0]} ; then + REMOTE_NETWORKS="" + REMOTE_NETWORK_ARR=() + echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n" + echononl "Networks to push from server: " + break + fi + REMOTE_NETWORK_ARR+=("$_net") + done + done + _OK=true + + fi + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi + done + +else + echo -e "[${i}] $DEFAULT_REMOTE_NETWORKS" + (( i++ )) + echo -e "[${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e "[${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 3 ]]; then + if [[ $_IN -eq 0 ]] ; then + + REMOTE_NETWORKS="$DEFAULT_REMOTE_NETWORKS" + for _net in ${REMOTE_NETWORKS} ; do + IFS='/' read -a _net_arr <<< "${_net}" + if ! is_valid_ipv4 ${_net_arr[0]} ; then + REMOTE_NETWORKS="" + REMOTE_NETWORK_ARR=() + echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n" + echononl "Networks to push from server: " + break + fi + REMOTE_NETWORK_ARR+=("$_net") + done + _OK=true + + elif [[ $_IN -eq 1 ]] ; then + + REMOTE_NETWORKS="" + _OK=true + + else + + echo "" + echo "Networks to push from OpenVPN server to the client" + echo "" + echo " - use CIDR notation" + echo " - multiple networks are possible: use blank separated list of CIDR-networks" + echo -e " - \"\033[33mNone\033[m\" if no network should be pushed from OpenVPN server." 
+ echo "" + + echononl "Networks to push from server: " + while [[ "X$REMOTE_NETWORKS" = "X" ]] ; do + read REMOTE_NETWORKS + _to_lower_remote_networks="$(trim ${REMOTE_NETWORKS,,})" + if [[ "$_to_lower_remote_networks" = "none" ]]; then + REMOTE_NETWORKS="" + break + fi + if [[ "X$REMOTE_NETWORKS" = "X" ]] ; then + echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" + echononl "Networks to push from server: " + continue + fi + + for _net in ${REMOTE_NETWORKS} ; do + IFS='/' read -a _net_arr <<< "${_net}" + if ! is_valid_ipv4 ${_net_arr[0]} ; then + REMOTE_NETWORKS="" + REMOTE_NETWORK_ARR=() + echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n" + echononl "Networks to push from server: " + break + fi + REMOTE_NETWORK_ARR+=("$_net") + done + done + _OK=true + + fi # if [[ $_IN -eq 0 ]] ; then + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi # if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + + done + +fi + +#REMOTE_NETWORKS="" +#declare -a REMOTE_NETWORK_ARR=() +#echononl "Networks to push from server: " +#while [[ "X$REMOTE_NETWORKS" = "X" ]] ; do +# read REMOTE_NETWORKS +# _to_lower_remote_networks="$(trim ${REMOTE_NETWORKS,,})" +# if [[ "$_to_lower_remote_networks" = "none" ]]; then +# REMOTE_NETWORKS="" +# break +# fi +# if [[ "X$REMOTE_NETWORKS" = "X" ]] ; then +# echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" +# echononl "Networks to push from server: " +# continue +# fi +# +# for _net in ${REMOTE_NETWORKS} ; do +# IFS='/' read -a _net_arr <<< "${_net}" +# if ! is_valid_ipv4 ${_net_arr[0]} ; then +# REMOTE_NETWORKS="" +# REMOTE_NETWORK_ARR=() +# echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n" +# echononl "Networks to push from server: " +# break +# fi +# REMOTE_NETWORK_ARR+=("$_net") +# done +#done + +echo "" +echo -e "\033[32m--\033[m" +echo "" + +declare -i i=0 +echo "" +echo "IP-Address of DNS server to push from OpenVPN server to the client." 
+echo "" +if [[ -z "$DEFAULT_DNS_SERVER" ]] || [[ "$(trim ${DEFAULT_DNS_SERVER,,})" = "none" ]]; then + + echo -e " [${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e " [${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + if [[ $_IN -eq 0 ]] ; then + DNS_SERVER="" + _OK=true + else + + echo "IP-Address of DNS server to push from OpenVPN server to the client." + echo "" + echo -e "Type \"\033[33mNone\033[m\" if no DNS Server should be pushed." + echo "" + DNS_SERVER="" + echononl "DNS server to push to clients: " + while [[ "X$DNS_SERVER" = "X" ]]; do + read DNS_SERVER + if [[ "X$DNS_SERVER" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" + echononl "DNS server to pusch to clients" + continue + else + _to_lower_dns_server="$(trim ${DNS_SERVER,,})" + if [[ "$_to_lower_dns_server" = "none" ]]; then + DNS_SERVER="" + break; + fi + fi + done + _OK=true + + fi # if [[ $_IN -eq 0 ]] ; then + + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi # if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + + done # while ! $_OK ; do + + +else + + echo -e " [${i}] $DEFAULT_DNS_SERVER" + (( i++ )) + echo -e " [${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e " [${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 3 ]]; then + if [[ $_IN -eq 0 ]] ; then + DNS_SERVER="$DEFAULT_DNS_SERVER" + _OK=true + elif [[ $_IN -eq 1 ]] ; then + DNS_SERVER="" + _OK=true + else + + echo "IP-Address of DNS server to push from OpenVPN server to the client." + echo "" + echo -e "Type \"\033[33mNone\033[m\" if no DNS Server should be pushed." 
+ echo "" + DNS_SERVER="" + echononl "DNS server to push to clients: " + while [[ "X$DNS_SERVER" = "X" ]]; do + read DNS_SERVER + if [[ "X$DNS_SERVER" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" + echononl "DNS server to pusch to clients" + continue + else + _to_lower_dns_server="$(trim ${DNS_SERVER,,})" + if [[ "$_to_lower_dns_server" = "none" ]]; then + DNS_SERVER="" + break; + fi + fi + done + _OK=true + + fi # if [[ $_IN -eq 0 ]] ; then + + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi # if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + + done # while ! $_OK ; do + +fi # if [[ -z "$DEFAULT_DNS_SERVER" ]] || [[ "$(trim ${DNS_SERVER,,})" = "none" ]]; then + + + +#echo "IP-Address of DNS server to push from OpenVPN server to the client." +#echo "" +#echo -e "Type \"\033[33mNone\033[m\" if no DNS Server should be pushed." +#echo "" +#DNS_SERVER="" +#echononl "DNS server to push to clients: " +#while [[ "X$DNS_SERVER" = "X" ]]; do +# read DNS_SERVER +# if [[ "X$DNS_SERVER" = "X" ]]; then +# echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" +# echononl "DNS server to pusch to clients" +# continue +# else +# _to_lower_dns_server="$(trim ${DNS_SERVER,,})" +# if [[ "$_to_lower_dns_server" = "none" ]]; then +# DNS_SERVER="" +# break; +# fi +# fi +#done + +echo "" +echo -e "\033[32m--\033[m" +echo "" + + +declare -i i=0 +SEARCH_DOMAINS="" +echo "" +echo "Select Search Domain(s) to push from OpenVPN server to the client." +echo "" + +if [[ -z "$DEFAULT_SEARCH_DOMAINS" ]] || [[ "$(trim ${DEFAULT_SEARCH_DOMAINS,,})" = "none" ]]; then + + echo -e " [${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e " [${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! 
$_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + if [[ $_IN -eq 0 ]] ; then + SEARCH_DOMAINS="" + _OK=true + else + + SEARCH_DOMAINS="" + echononl "Default Domain to push to clients: " + while [[ "X$SEARCH_DOMAINS" = "X" ]]; do + read SEARCH_DOMAINS + if [[ "X$SEARCH_DOMAINS" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" + echononl "Search Domain(s) to pusch to clients" + continue + else + _to_lower_search_domains="$(trim ${SEARCH_DOMAINS,,})" + if [[ "$_to_lower_search_domains" = "none" ]]; then + SEARCH_DOMAINS="" + break; + fi + fi + done + _OK=true + +echo "" +echo "SEARCH_DOMAINS: $SEARCH_DOMAINS" +echo "" + + fi # if [[ $_IN -eq 0 ]] ; then + + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi # if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + + done #while ! $_OK ; do + +else + echo -e " [${i}] $DEFAULT_SEARCH_DOMAINS" + (( i++ )) + echo -e " [${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e " [${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 3 ]]; then + if [[ $_IN -eq 0 ]] ; then + SEARCH_DOMAINS="$DEFAULT_SEARCH_DOMAINS" + _OK=true + elif [[ $_IN -eq 1 ]] ; then + SEARCH_DOMAINS="" + _OK=true + else + + echo "" + echo "Search Domain(s) to push from OpenVPN server to the client." + echo "" + echo " - multiple domains are possible: use blank separated list of search domains" + echo -e " - Type \"\033[33mNone\033[m\" if no default domain should be pushed." 
+ echo "" + + SEARCH_DOMAINS="" + echononl "Default Domain to push to clients: " + while [[ "X$SEARCH_DOMAINS" = "X" ]]; do + read SEARCH_DOMAINS + if [[ "X$SEARCH_DOMAINS" = "X" ]]; then + echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" + echononl "Search Domain(s) to pusch to clients" + continue + else + _to_lower_search_domains="$(trim ${SEARCH_DOMAINS,,})" + if [[ "$_to_lower_search_domains" = "none" ]]; then + SEARCH_DOMAINS="" + break; + fi + fi + done + _OK=true + + fi # if [[ $_IN -eq 0 ]] ; then + + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi # if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + + done #while ! $_OK ; do + +fi # if [[ -z "$DEFAULT_SEARCH_DOMAINS" ]] || [[ "$(trim ${SEARCH_DOMAINS,,})" = none ]] + +for _domain in ${SEARCH_DOMAINS} ; do + SEARCH_DOMAINS_ARR+=("$_domain") +done + + +#SEARCH_DOMAINS="" +#echononl "Default Domain to push to clients: " +#while [[ "X$SEARCH_DOMAINS" = "X" ]]; do +# read SEARCH_DOMAINS +# if [[ "X$SEARCH_DOMAINS" = "X" ]]; then +# echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" +# echononl "Search Domain(s) to pusch to clients" +# continue +# else +# _to_lower_search_domains="$(trim ${SEARCH_DOMAINS,,})" +# if [[ "$_to_lower_search_domains" = "none" ]]; then +# SEARCH_DOMAINS="" +# break; +# fi +# fi +#done +#declare -a SEARCH_DOMAINS_ARR=() +#for _domain in ${SEARCH_DOMAINS} ; do +# SEARCH_DOMAINS_ARR+=("$_domain") +#done + +echo "" +echo -e "\033[32m--\033[m" +echo "" + +echo "" +echo "Local client networks to route through OpenVPN line." +echo "" + + +declare -i i=0 +LOCAL_NETWORKS="" +declare -a LOCAL_NETWORK_ARR=() + +if [[ -z "$DEFAULT_LOCAL_NETWORKS" ]] || [[ "$(trim ${DEFAULT_LOCAL_NETWORKS,,})" = none ]]; then + echo -e " [${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e " [${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! 
$_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 2 ]]; then + if [[ $_IN -eq 0 ]] ; then + LOCAL_NETWORKS="" + _OK=true + else + + echo "" + echo "Give client networks to route through OpenVPN line." + echo "" + echo " - use CIDR notation" + echo " - multiple networks are possible: use blank separated list of CIDR-networks" + echo -e " - \"\033[33mNone\033[m\" if no local client network should routed through OpenVPN line." + echo "" + + echononl "Client Networks routed through VPN line: " + while [[ "X$LOCAL_NETWORKS" = "X" ]] ; do + read LOCAL_NETWORKS + _to_lower_local_networks="$(trim ${LOCAL_NETWORKS,,})" + if [[ "$_to_lower_local_networks" = "none" ]]; then + LOCAL_NETWORKS="" + break + fi + if [[ "X$LOCAL_NETWORKS" = "X" ]] ; then + echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" + echononl "Client Networks routed through VPN line: " + continue + fi + + for _net in ${LOCAL_NETWORKS} ; do + IFS='/' read -a _net_arr <<< "${_net}" + if ! is_valid_ipv4 ${_net_arr[0]} ; then + LOCAL_NETWORKS="" + LOCAL_NETWORK_ARR=() + echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n" + echononl "Client Networks routed through VPN line: " + break + fi + LOCAL_NETWORK_ARR+=("$_net") + done + done + _OK=true + + fi + else + echo "" + echo -e "\tFalsche Eingabe !" + echo "" + echononl "Eingabe: " + fi + done + +else + echo -e " [${i}] $DEFAULT_LOCAL_NETWORKS" + (( i++ )) + echo -e " [${i}] \033[33mNone\033[m" + (( i++ )) + echo "" + echo -e " [${i}] other" + + _OK=false + echo "" + echononl "Eingabe: " + + while ! $_OK ; do + read _IN + if is_number "$_IN" && [[ $_IN -lt 3 ]]; then + if [[ $_IN -eq 0 ]] ; then + + LOCAL_NETWORKS="$DEFAULT_LOCAL_NETWORKS" + for _net in ${LOCAL_NETWORKS} ; do + IFS='/' read -a _net_arr <<< "${_net}" + if ! 
is_valid_ipv4 ${_net_arr[0]} ; then
+ LOCAL_NETWORKS=""
+ LOCAL_NETWORK_ARR=()
+ echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n"
+ echononl "Client Networks routed through VPN line: "
+ break
+ fi
+ LOCAL_NETWORK_ARR+=("$_net")
+ done
+ _OK=true
+
+ elif [[ $_IN -eq 1 ]] ; then
+
+ LOCAL_NETWORKS=""
+ _OK=true
+
+ else
+
+ echo ""
+ echo "Give client networks to route through OpenVPN line."
+ echo ""
+ echo " - use CIDR notation"
+ echo " - multiple networks are possible: use blank separated list of CIDR-networks"
+ echo -e " - \"\033[33mNone\033[m\" if no local client network should routed through OpenVPN line."
+ echo ""
+
+ echononl "Client Networks routed through VPN line: "
+ while [[ "X$LOCAL_NETWORKS" = "X" ]] ; do
+ read LOCAL_NETWORKS
+ _to_lower_local_networks="$(trim ${LOCAL_NETWORKS,,})"
+ if [[ "$_to_lower_local_networks" = "none" ]]; then
+ LOCAL_NETWORKS=""
+ break
+ fi
+ if [[ "X$LOCAL_NETWORKS" = "X" ]] ; then
+ echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n"
+ echononl "Client Networks routed through VPN line: "
+ continue
+ fi
+
+ for _net in ${LOCAL_NETWORKS} ; do
+ IFS='/' read -a _net_arr <<< "${_net}"
+ if ! is_valid_ipv4 ${_net_arr[0]} ; then
+ LOCAL_NETWORKS=""
+ LOCAL_NETWORK_ARR=()
+ echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n"
+ echononl "Client Networks routed through VPN line: "
+ break
+ fi
+ LOCAL_NETWORK_ARR+=("$_net")
+ done
+ done
+ _OK=true
+
+ fi # if [[ $_IN -eq 0 ]] ; then
+ else
+ echo ""
+ echo -e "\tFalsche Eingabe !" 
+ echo ""
+ echononl "Eingabe: "
+ fi # if is_number "$_IN" && [[ $_IN -lt 2 ]]; then
+
+ done
+
+fi
+
+
+
+
+#LOCAL_NETWORKS=""
+#declare -a LOCAL_NETWORK_ARR=()
+#echononl "Local networks to route through OpenVPN line: "
+#while [[ "X$LOCAL_NETWORKS" = "X" ]] ; do
+# read LOCAL_NETWORKS
+# _to_lower_local_networks="$(trim ${LOCAL_NETWORKS,,})"
+# if [[ "$_to_lower_local_networks" = "none" ]]; then
+# LOCAL_NETWORKS=""
+# break
+# fi
+# if [[ "X$LOCAL_NETWORKS" = "X" ]] ; then
+# echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n"
+# echononl "Local networks to route through OpenVPN line: "
+# continue
+# fi
+#
+# for _net in ${LOCAL_NETWORKS} ; do
+# IFS='/' read -a _net_arr <<< "${_net}"
+# if ! is_valid_ipv4 ${_net_arr[0]} ; then
+# LOCAL_NETWORKS=""
+# LOCAL_NETWORK_ARR=()
+# echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n"
+# echononl "Local networks to route through OpenVPN line: "
+# break
+# fi
+# LOCAL_NETWORK_ARR+=("$_net")
+# done
+#done
+
+
+echo ""
+echo ""
+if $_only_create_config_file ; then
+ echo -e "\033[1;32mCreate Configuration file for OpenVPN service \033[1;37m$OPENVPN_NAME\033[m "
+else
+ echo -e "\033[1;32mSettings for installation of \033[1;37mOpenVPN\033[m"
+fi
+echo ""
+echo -e "\tOpenVPN IP-Address/Hostname.........: $OPENVPN_SERVER"
+echo -e "\tOpenVPN Server.Port.................: $SERVER_PORT"
+echo ""
+echo -e "\tOrganisation shortcut...............: $ORG_SHORTCUT"
+echo ""
+echo -e "\tOpenVPN Service Name................: $OPENVPN_NAME"
+echo -e "\tOpenVPN Base Directory..............: $OPENVPN_BASE_DIR"
+echo -e "\tOpenVPN 'easy-rsa' Directory........: $EASY_RSA_DIR"
+echo -e "\tOpenVPN 'key' Directory.............: $OPENVPN_KEY_DIR"
+echo -e "\tOpenVPN 'ccd' Directory.............: $OPENVPN_CCD_DIR"
+echo ""
+echo -e "\tExpiration time ROOT CA.............: $CA_EXPIRE"
+echo -e "\tExpiration time certificates........: $CERT_EXPIRE"
+echo -e "\tKey size............................: $KEY_SIZE"
+echo ""
+echo -e 
"\tKEY_COUNTRY.........................: $KEY_COUNTRY" +echo -e "\tKEY_PROVINCE........................: $KEY_PROVINCE" +echo -e "\tKEY_CITY............................: $KEY_CITY" +echo -e "\tKEY_ORG.............................: $KEY_ORG" +echo -e "\tKEY_EMAIL...........................: $KEY_EMAIL" +echo -e "\tKEY_OU..............................: $KEY_OU" +echo "" +echo -e "\tKEY_NAME............................: $KEY_NAME" +if [[ -n "$KEY_CN" ]] ; then + echo -e "\tKEY_CN (Prefix).....................: $KEY_CN" +else + echo -e "\tKEY_CN (Prefix).....................: \033[33mNone\033[m" +fi +echo "" +if [[ -n "$KEY_ALTNAMES" ]] ; then + echo -e "\tKEY_ALTNAMES (Prefix)...............: $KEY_ALTNAMES" +else + echo -e "\tKEY_ALTNAMES (Prefix)...............: \033[33mNone\033[m" +fi +echo "" +echo -e "\tOpenVPN Network.....................: $OPENVPN_NETWORK" +echo -e "\tOpenVPN Server IP-Address...........: $OPENVPN_SERVER_IP" +echo "" +if [[ -n "$SERVER_CIPHER" ]] ; then + echo -e "\tServer cipher setting...............: $SERVER_CIPHER" +else + echo -e "\tServer cipher setting...............: \033[33mNone\033[m" +fi +echo -e "\tLZO compression.....................: $LZO_COMPRESSION" +echo "" +if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then + echo -e "\tRemote networks to push to cliente..: ${REMOTE_NETWORK_ARR[@]}" +else + echo -e "\tRemote networks to push to cliente..: \033[33mNone\033[m" +fi +if [[ -n "$DNS_SERVER" ]]; then + echo -e "\tDNS Server (push from server).......: $DNS_SERVER" +else + echo -e "\tDNS Server (push from server).......: \033[33mNone\033[m" +fi +if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]]; then + echo -e "\tDefault Domain (push from server)...: ${SEARCH_DOMAINS_ARR[@]}" +else + echo -e "\tDefault Domain (push from server)...: \033[33mNone\033[m" +fi +echo "" +if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then + echo -e "\tLocal networks to route through VPN.: ${LOCAL_NETWORK_ARR[@]}" +else + echo -e "\tLocal networks to route through VPN.: 
\033[33mNone\033[m"
+fi
+
+
+echo ""
+if $_only_create_config_file ; then
+ info "Create configuration file for OpenVPN Service \033[37m\033[1m${OPENVPN_NAME}\033[m.."
+else
+ info "Starting Installation of OpenVPN Service \033[37m\033[1m${OPENVPN_NAME}\033[m.."
+fi
+echo -n "To continue type uppercase 'YES': "
+read OK
+echo ""
+if [[ "$OK" != "YES" ]] ; then
+ fatal "Abort by user request - Answer as not 'YES'"
+fi
+
+
+
+#---------------------------------------
+#-----------------------------
+# Write Configuration for $OPENVPN_NAME
+#-----------------------------
+#---------------------------------------
+
+
+_openvpn_name_conf_file="${script_dir}/conf/server-${OPENVPN_NAME}.conf"
+
+echononl " Write Configuration for OpenVPN Service '$OPENVPN_NAME'"
+cat << EOF > $_openvpn_name_conf_file 2> $log_file
+## - Configuration/Initialization OpenVPN
+## -
+
+# ====================
+# - Some Parameter Settings
+# ====================
+
+# ---
+# - Common parameters
+# ---
+
+OPENVPN_SERVER="$OPENVPN_SERVER"
+SERVER_PORT=$SERVER_PORT
+
+ORG_SHORTCUT="$ORG_SHORTCUT"
+
+OPENVPN_NAME="$OPENVPN_NAME"
+
+OPENVPN_BASE_DIR="$OPENVPN_BASE_DIR"
+
+OPENVPN_KEY_DIR="$OPENVPN_KEY_DIR"
+
+OPENVPN_CCD_DIR="$OPENVPN_CCD_DIR"
+
+# ---
+# - Parameters OpenVPN Configuration / KEY Creation
+# ---
+
+# - Example: (3*365+366)*8 = 11688 = 32 Jahre
+# - CA_EXPIRE=11688
+# -
+CA_EXPIRE=$CA_EXPIRE
+
+# - Example: (3*365+366)*5 = 7305 = 20 Jahre
+# - CERT_EXPIRE=7305
+# -
+CERT_EXPIRE=$CERT_EXPIRE
+
+KEY_SIZE=$KEY_SIZE
+
+KEY_COUNTRY="$KEY_COUNTRY"
+KEY_PROVINCE="$KEY_PROVINCE"
+KEY_CITY="$KEY_CITY"
+KEY_ORG="$KEY_ORG"
+KEY_EMAIL="${EMAIL_PREFIX}\\@${EMAIL_DOMAIN}"
+KEY_OU="$KEY_OU"
+
+KEY_NAME="$KEY_NAME"
+EOF
+if [[ -n "$KEY_CN" ]] ; then
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+KEY_CN="$KEY_CN"
+EOF
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+KEY_CN="none"
+
+EOF
+fi
+
+if [[ -n "$KEY_ALTNAMES" ]] ; then
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file 
+KEY_ALTNAMES="$KEY_ALTNAMES"
+EOF
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+KEY_ALTNAMES="none"
+EOF
+fi
+
+cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+
+
+# ---
+# - Parameters for Server Configurations
+# ---
+
+EOF
+if $LZO_COMPRESSION ; then
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+LZO_COMPRESSION="yes"
+
+EOF
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+LZO_COMPRESSION="no"
+
+EOF
+fi
+
+if [[ -n "$SERVER_CIPHER" ]] ; then
+ if [[ "${SERVER_CIPHER,,}" = "none" ]]; then
+ cat <> "$_client_conf_file" 2>> "$log_file"
+cipher BF-CBC
+
+EOF
+ else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+SERVER_CIPHER="$SERVER_CIPHER"
+
+EOF
+ fi
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
+
+EOF
+fi
+
+cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+OPENVPN_NETWORK="$OPENVPN_NETWORK"
+
+EOF
+
+if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]] ; then
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+REMOTE_NETWORKS="${REMOTE_NETWORK_ARR[@]}"
+EOF
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+REMOTE_NETWORKS="none"
+EOF
+fi
+
+if [[ -n "$DNS_SERVER" ]] ; then
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+DNS_SERVER="$DNS_SERVER"
+EOF
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+DNS_SERVER="none"
+EOF
+fi
+
+if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]] ; then
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+SEARCH_DOMAINS="${SEARCH_DOMAINS_ARR[@]}"
+
+EOF
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+SEARCH_DOMAINS="none"
+
+EOF
+fi
+
+if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+LOCAL_NETWORKS="${LOCAL_NETWORK_ARR[@]}"
+EOF
+else
+ cat << EOF >> $_openvpn_name_conf_file 2> $log_file
+LOCAL_NETWORKS="none"
+EOF
+fi
+if [[ $? 
-eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ fatal "$(cat $log_file)"
+fi
+
+
+if $_only_create_config_file ; then
+ info "Configuration filr for OpenVPN Service \033[1;37m$OPENVPN_NAME\033[m was written \n to file \033[1;37m$_openvpn_name_conf_file\033[m."
+ clean_up 0
+fi
+
+
+
+#---------------------------------------
+#-----------------------------
+# Start Installation
+#-----------------------------
+#---------------------------------------
+
+check_string_ps=""
+check_string_ps_plus=""
+if [[ -f "$openvpn_binary" ]] ; then
+ check_string_ps="$openvpn_binary"
+ check_string_ps_plus="--daemon"
+fi
+
+
+if [[ -n "$check_string_ps" ]]; then
+ echononl " Stopping OpenVPN Daemon"
+ PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}')
+ if [[ "X${PID}" = "X" ]]; then
+ echo_skipped
+ else
+ if $systemd_supported ; then
+ $systemctl stop $service_name > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+ else
+ $init_script stop > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+ fi
+ fi
+fi
+
+
+# - Install needed debian packages
+# -
+echononl " Install needed debian packages.."
+needed_debian_packages=""
+for _pkg in $_needed_debian_packages ; do
+ if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then
+ continue
+ else
+ needed_debian_packages="$needed_debian_packages $_pkg"
+ fi
+done
+if [[ -n "$needed_debian_packages" ]]; then
+ DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_debian_packages > /dev/null 2> "$log_file"
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ fatal "$(cat $log_file)"
+ fi
+else
+ echo_skipped
+fi
+
+echononl " Backup directory '${OPENVPN_BASE_DIR}'.."
+if [[ -d "$OPENVPN_BASE_DIR" ]]; then
+ mv $OPENVPN_BASE_DIR ${OPENVPN_BASE_DIR}.$_date > "$log_file" 2>&1
+ if [[ $? 
-eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+else
+ echo_skipped
+fi
+
+# - Make the package included scripts available in directory
+# - "/etc/openvpn/easy-rsa"
+# -
+echononl " Create directory '${EASY_RSA_DIR}'.."
+/usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+# - Create Key Directory
+# -
+# - Note:
+# - Not needed on debian 10 or up. 'easyrsa init-pki' does the job.
+# -
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+ echononl " Create key directory '${OPENVPN_BASE_DIR}/keys'.."
+ mkdir ${OPENVPN_BASE_DIR}/keys > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+ echononl " Change permissions (700) in directory '${OPENVPN_BASE_DIR}/keys'.."
+ chmod 700 "${OPENVPN_BASE_DIR}/keys" > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+fi
+
+# - Create Log Directory
+# -
+openvpn_log_dir="/var/log/openvpn"
+echononl " Create log directoy '${openvpn_log_dir}'"
+if [[ -d "${openvpn_log_dir}" ]] ; then
+ echo_skipped
+else
+ mkdir /var/log/openvpn > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+fi
+
+# - Create client configuration directory
+# -
+echononl " Create Client configuration directory '$OPENVPN_CCD_DIR'"
+if [[ -d "${OPENVPN_CCD_DIR}" ]] ; then
+ echo_skipped
+else
+ mkdir -p "${OPENVPN_CCD_DIR}" > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+fi
+
+# - Backup file keys-created.txt
+# -
+echononl " Backup file '${OPENVPN_BASE_DIR}/keys-created.txt"
+if [[ -f "${OPENVPN_BASE_DIR}/keys-created.txt" ]]; then
+ mv "${OPENVPN_BASE_DIR}/keys-created.txt" "${OPENVPN_BASE_DIR}/keys-created.txt.${_date}" > "$log_file" 2>&1
+ if [[ $? 
-eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+else
+ echo_skipped
+fi
+
+
+# - Adjust /etc/default/openvpn
+# -
+# - AUTOSTART="all"
+# -
+_file="/etc/default/openvpn"
+echononl " Adjust '/etc/default/openvpn'. Set AUTOSTART=\"all\""
+if ! grep -i -q -E "^\s*AUTOSTART=\"all\"" ${_file} ; then
+ if grep -i -q -E "^\s*#\s*AUTOSTART=\"all\"" ${_file} ; then
+ perl -i -n -p -e "s/^(\s*#\s*AUTOSTART=\"all\".*)/##\1\nAUTOSTART=\"all\"/" ${_file} > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+ else
+ echo "" >> ${_file}
+ echo "AUTOSTART=\"all\"" >> ${_file}
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+ fi
+else
+ echo_skipped
+fi
+
+# - Adjust /etc/openvpn/easy-rsa/vars
+# -
+# - Debian Version <= 9
+# - add:
+# - export BASE_DIR=$OPENVPN_BASE_DIR
+# -
+# - replace:
+# - export EASY_RSA=\$BASE_DIR/easy_rsa
+# - export KEY_DIR=\$OPENVPN_KEY_DIR
+# -
+# - export KEY_SIZE=$KEY_SIZE
+# -
+# - # root CA expires in 30 years (= 10950 days)
+# - export CA_EXPIRE=$CA_EXPIRE
+# -
+# - # certificates expires in 20 years (=7300 days)
+# - export CERT_EXPIRE=$CERT_EXPIRE
+# -
+# - export KEY_COUNTRY="$KEY_COUNTRY"
+# - export KEY_PROVINCE="$KEY_PROVINCE"
+# - export KEY_CITY="$KEY_CITY"
+# - export KEY_ORG="$KEY_ORG"
+# - export KEY_EMAIL="$KEY_EMAIL"
+# - export KEY_OU="$KEY_OU"
+# -
+# - export KEY_NAME="$KEY_NAME"
+# -
+# - #export KEY_CN="$KEY_CN"
+# -
+# - Debiab Version >= 10
+# - set_var EASYRSA "${0%/*}"
+# - set_var EASYRSA_OPENSSL "openssl"
+# - set_var EASYRSA_PKI "$OPENVPN_KEY_DIR"
+# - set_var EASYRSA_ALGO rsa
+# - set_var EASYRSA_DN "org"
+
+# - set_var EASYRSA_REQ_COUNTRY "$KEY_COUNTRY"
+# - set_var EASYRSA_REQ_PROVINCE "$KEY_PROVINCE"
+# - set_var EASYRSA_REQ_CITY "$KEY_CITY"
+# - set_var EASYRSA_REQ_ORG "$KEY_ORG"
+# - set_var EASYRSA_REQ_EMAIL "$KEY_EMAIL"
+# - set_var EASYRSA_REQ_OU "$KEY_OU"
+# -
+# - set:var EASYRSA_REQ_CN 
"$KEY_CN" +# - +# - set_var EASYRSA_CA_EXPIRE "$CA_EXPIRE" +# - set_var EASYRSA_CERT_EXPIRE "$CERT_EXPIRE" +# - +# - set_var EASYRSA_CRL_DAYS "$CERT_EXPIRE" +# - set_var EASYRSA_CERT_RENEW "365" +# - +_failed=false +echononl " Adjust '${EASY_RSA_DIR}/vars'.." +if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then + + #perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"\\\${0%/*}\"&" ${EASY_RSA_DIR}/vars > "$log_file" + + perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"${OPENVPN_BASE_DIR}/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_OPENSSL" + _val="openssl" + perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_PKI" + _val="${OPENVPN_KEY_DIR}" + perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + # EASYRSA_KEY_SIZE + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + # EASYRSA_ALGO + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_ALGO\s+.*)&##\1\nset_var EASYRSA_ALGO\t\t rsa&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + # EASYRSA_KEY_SIZE + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_DN" + _val=""org + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_DN\s+.*)&##\1\nset_var EASYRSA_DN\t\t \"org\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? 
-ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_REQ_COUNTRY"
+ _val="$KEY_COUNTRY"
+ perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_REQ_PROVINCE"
+ _val="$KEY_PROVINCE"
+ perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_REQ_CITY"
+ _val="$KEY_CITY"
+ perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_REQ_ORG"
+ _val="$KEY_ORG"
+ perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_REQ_EMAIL"
+ _val="$KEY_EMAIL"
+ perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_REQ_OU"
+ _val="$KEY_OU"
+ perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_REQ_CN"
+ _val="$KEY_CN"
+ perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ _key="EASYRSA_CA_EXPIRE"
+ _val="$CA_EXPIRE"
+ perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? 
-ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_CERT_EXPIRE" + _val="$CERT_EXPIRE" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_CRL_DAYS" + _val="$CERT_EXPIRE" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_CERT_RENEW" + _val="365" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_CN" + _val="$KEY_CN" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_BATCH" + _val="1" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + +else + perl -i.$_date -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"${OPENVPN_KEY_DIR}\"&" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? 
-ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+CERT_EXPIRE=.*)/##\1\nexport CERT_EXPIRE=$CERT_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${EMAIL_PREFIX}\@${EMAIL_DOMAIN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi +fi + +echo -e "\nexport KEY_ALTNAMES=\"$KEY_ALTNAMES\"" >> ${EASY_RSA_DIR}/vars 2> "$log_file" +if [[ $? 
-ne 0 ]]; then
+ _failed=true
+fi
+
+if $_failed ; then
+ echo_failed
+ error "$(cat $log_file)"
+else
+ echo_ok
+fi
+
+#---------------------------------------
+#-----------------------------
+# Initial Setup OpenVPN (Root ca / Server key /..)
+#-----------------------------
+#---------------------------------------
+
+echo ""
+
+# - source file vars
+# -
+# - Note:
+# - since debian buster, sourcing an Easy-RSA 'vars' file is no longer
+# - necessary and is disallowed. The vars file is automatically read when
+# - you call easyrsa commands.
+# -
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+ echononl " Load configuration '${EASY_RSA_DIR}/vars'.."
+ source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+
+ if [[ ! -f "$KEY_CONFIG" ]] ; then
+ echononl " Create Symlink '$(basename $KEY_CONFIG)'.."
+ if [[ -f "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" ]]; then
+ ln -s "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" "$KEY_CONFIG"
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ error "Cannot create symlink '$KEY_CONFIG'!"
+
+ echononl "continue anyway [yes/no]: "
+ read OK
+ OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+ while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
+ echononl "Wrong entry! - repeat [yes/nno]: "
+ read OK
+ done
+ [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+ fi
+ else
+ echo_failed
+ error "No OpenSSL configuration file present!"
+
+ echononl "continue anyway [yes/no]: "
+ read OK
+ OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+ while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
+ echononl "Wrong entry! - repeat [yes/nno]: "
+ read OK
+ done
+ [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+ fi
+ fi
+
+ _failed=false
+ OPENSSL_CONFIG_FILE="$(realpath "$KEY_CONFIG")"
+ echononl " Adjust '$OPENSSL_CONFIG_FILE'.." 
+ perl -i.ORIG -n -p -e "s/^(\s*default_days\s*=.*)/#\1\ndefault_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+ perl -i -n -p -e "s/^(\s*default_crl_days\s*=.*)/#\1\ndefault_crl_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ _failed=true
+ fi
+
+ if $_failed ; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+
+fi
+
+
+
+# ---
+# - Create Keys and Certs
+# ---
+echo ""
+echo -e "\033[32m--\033[m"
+echo "Create Keys and Certs .."
+echo -e "\033[32m--\033[m"
+
+# - Initialise key directory
+# -
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+
+ # - Create file 'serial' with value '01' - the serial for the next
+ # - created certificate
+ # -
+ echononl " Create '${OPENVPN_KEY_DIR}/serial'.."
+ echo "01" > "${OPENVPN_KEY_DIR}/serial" 2> "$log_file"
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+
+ # - Create empty file index.txt at key-directory
+ # -
+ echononl " Create empty file '${OPENVPN_KEY_DIR}/index.txt'.."
+ touch ${OPENVPN_KEY_DIR}/index.txt
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+
+else
+
+ # - Removes & re-initializes the PKI dir for a clean PKI
+ # -
+ echononl " Initialise PKI Directory"
+ ${EASY_RSA_DIR}/easyrsa init-pki > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+
+fi
+
+
+# - Create Root CA
+# -
+echononl " Create Root CA.."
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+ printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1
+else
+ printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa build-ca nopass > "$log_file" 2>&1
+fi
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+
+# - Generate Diffie-Hellman parameters for the server side
+# - of an SSL/TLS connection. 
+# -
+echononl " Generates DH (Diffie-Hellman) parameters (dh key).."
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+ if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then
+ #cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem" > "$log_file" 2>&1
+ openssl dhparam -dsaparam -out "${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem" ${KEY_SIZE} > "$log_file" 2>&1
+ else
+ ${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1
+ fi
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+ _DH_KEY=${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem
+else
+ if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then
+ cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_KEY_DIR}/dh.pem" > "$log_file" 2>&1
+ else
+ #${EASY_RSA_DIR}/easyrsa gen-dh > "$log_file" 2>&1
+ openssl dhparam -dsaparam -out "${OPENVPN_KEY_DIR}/dh.pem" ${KEY_SIZE} > "$log_file" 2>&1
+ fi
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+ _DH_KEY="${OPENVPN_KEY_DIR}/dh.pem"
+fi
+
+
+# - Generate Sever Key
+# -
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+
+ echo ""
+ echo -e " \033[32mNow create the server key. Tis procedure works interactive.\033[m"
+ echo -e " Use \033[37m\033[1m${KEY_CN}-server\033[m as 'commonName'"
+ echo ""
+ echononl "Type to continue: "
+ read ok
+ echo ""
+
+ ${EASY_RSA_DIR}/build-key-server server
+ if [[ $? -eq 0 ]] ; then
+ info "Building server key was successfully."
+ else
+ error "Building server key failed!"
+ fi
+
+ echo ""
+ echononl "Type to continue: "
+ read ok
+ echo ""
+ _SERVER_KEY="${OPENVPN_KEY_DIR}/server.key"
+ _SERVER_CERT="${OPENVPN_KEY_DIR}/server.crt"
+
+else
+
+ # - Generate server keypair
+ # -
+ # - build-server-full [ cmd-opts ]
+ # - Generate a keypair and sign locally for a client and/or server
+ # -
+ # - This mode uses the as the X509 CN. 
+ # -
+ # - cmd-opts is an optional set of command options from this list:
+ # - nopass - do not encrypt the private key (default is encrypted)
+ # -
+ echononl " Generate server keypair '${KEY_CN}-server'.."
+ ${EASY_RSA_DIR}/easyrsa build-server-full "${KEY_CN}-server" nopass > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+ _SERVER_KEY="${OPENVPN_KEY_DIR}/private/${KEY_CN}-server.key"
+ _SERVER_CERT="${OPENVPN_KEY_DIR}/issued//${KEY_CN}-server.crt"
+
+fi
+
+
+# - For extra security beyond that provided
+# - by SSL/TLS, create an "HMAC firewall"
+# - to help block DoS attacks and UDP port flooding.
+# -
+echononl " Create 'ta.key' for additional security"
+openvpn --genkey --secret ${OPENVPN_KEY_DIR}/ta.key > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+# - Create empty CRL (Certificate Revokation List)
+# -
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then
+ echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.."
+ openssl ca -gencrl -out ${OPENVPN_KEY_DIR}/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+else
+ echononl " Create CRL (Certificate Revokation List) '${OPENVPN_KEY_DIR}/crl.pem'.."
+ ${EASY_RSA_DIR}/easyrsa gen-crl > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+fi
+
+
+echononl " Change permissions (750) for '${OPENVPN_KEY_DIR}'.."
+chmod 750 "${OPENVPN_KEY_DIR}" > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+echononl " Change group (to nogroup) for '${OPENVPN_KEY_DIR}'.."
+chgrp nogroup "${OPENVPN_KEY_DIR}" > "$log_file" 2>&1
+if [[ $? 
-eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+echononl " Change group (to nogroup) for '${OPENVPN_KEY_DIR}/crl.pem'.."
+chgrp nogroup "${OPENVPN_KEY_DIR}/crl.pem" > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+echononl " Change permissions (640) for ${OPENVPN_KEY_DIR}/crl.pem"
+chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+
+# ----
+# - Create server configurations
+# ----
+
+echo ""
+echo -e "\033[32m--\033[m"
+echo "Server configurations .."
+echo -e "\033[32m--\033[m"
+
+
+#---------------------------------------
+#-----------------------------
+# Write Server Configuration for $OPENVPN_NAME
+#-----------------------------
+#---------------------------------------
+_server_conf_file="/etc/openvpn/server-${OPENVPN_NAME}.conf"
+
+echononl " Backup file $_server_conf_file"
+if [[ -f "$_server_conf_file" ]] ; then
+ mv "$_server_conf_file" "${_server_conf_file}.$_date" > "$log_file" 2>&1
+ if [[ $? -eq 0 ]] ; then
+ echo_ok
+ else
+ echo_failed
+ error "$(cat $log_file)"
+ fi
+else
+ echo_skipped
+fi
+
+echononl " Create configuration '${_server_conf_file}"
+cat < ${_server_conf_file} 2> "$log_file"
+#################################################
+# Sample OpenVPN 2.0 config file for #
+# multi-client server. #
+# #
+# This file is for the server side #
+# of a many-clients <-> one-server #
+# OpenVPN configuration. #
+# #
+# OpenVPN also supports #
+# single-machine <-> single-machine #
+# configurations (See the Examples page #
+# on the web site for more info). #
+# #
+# This config should work on Windows #
+# or Linux/BSD systems. 
Remember on # +# Windows to quote pathnames and use # +# double backslashes, e.g.: # +# "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key" # +# # +# Comments are preceded with '#' or ';' # +################################################# + +# Which local IP address should OpenVPN +# listen on? (optional) +;local a.b.c.d + +# Which TCP/UDP port should OpenVPN listen on? +# If you want to run multiple OpenVPN instances +# on the same machine, use a different port +# number for each one. You will need to +# open up this port on your firewall. +port $SERVER_PORT + +# TCP or UDP server? +;proto tcp +proto udp + +topology subnet +EOF + +if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then + for _local_network in ${LOCAL_NETWORK_ARR[@]} ; do + IFS='/' read -a _net_arr <<< "${_local_network}" + if [[ -n ${_net_arr[1]} ]]; then + _netmask=$(cidr2mask ${_net_arr[1]}) + else + _netmask="255.255.255.0" + fi + cat <> ${_server_conf_file} 2>> "$log_file" +route ${_net_arr[0]} $_netmask $OPENVPN_SERVER_IP +EOF + done +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# "dev tun" will create a routed IP tunnel, +# "dev tap" will create an ethernet tunnel. +# Use "dev tap" if you are ethernet bridging. +# If you want to control access policies +# over the VPN, you must create firewall +# rules for the the TUN/TAP interface. +# On non-Windows systems, you can give +# an explicit unit number, such as tun0. +# On Windows, use "dev-node" for this. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Enable TUN IPv6 module +;tun-ipv6 + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel if you +# have more than one. On XP SP2 or higher, +# you may need to selectively disable the +# Windows firewall for the TAP adapter. +# Non-Windows systems usually don't need this. 
+;dev-node MyTap + +# SSL/TLS root certificate (ca), certificate +# (cert), and private key (key). Each client +# and the server must have their own cert and +# key file. The server and all clients will +# use the same ca file. +# +# See the "easy-rsa" directory for a series +# of scripts for generating RSA certificates +# and private keys. Remember to use +# a unique Common Name for the server +# and each of the client certificates. +# +# Any X509 key management system can be used. +# OpenVPN can also use a PKCS #12 formatted key file +# (see "pkcs12" directive in man page). +ca ${OPENVPN_KEY_DIR}/ca.crt +cert $_SERVER_CERT +key $_SERVER_KEY # This file should be kept secret + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh1024.pem 1024 +# Substitute 2048 for 1024 if you are using +# 2048 bit keys. +dh $_DH_KEY + +# Configure server mode and supply a VPN subnet +# for OpenVPN to draw client addresses from. +# The server will take 10.8.0.1 for itself, +# the rest will be made available to clients. +# Each client will be able to reach the server +# on 10.8.0.1. Comment this line out if you are +# ethernet bridging. See the man page for more info. +;server 10.8.0.0 255.255.255.0 +;server-ipv6 2a01:30:1fff:fd00::/64 +server $OPENVPN_NETWORK 255.255.255.0 + +# Maintain a record of client <-> virtual IP address +# associations in this file. If OpenVPN goes down or +# is restarted, reconnecting clients can be assigned +# the same virtual IP address from the pool that was +# previously assigned. +ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt + +# Configure server mode for ethernet bridging. +# You must first use your OS's bridging capability +# to bridge the TAP interface with the ethernet +# NIC interface. Then you must manually set the +# IP/netmask on the bridge interface, here we +# assume 10.8.0.4/255.255.255.0. 
Finally we +# must set aside an IP range in this subnet +# (start=10.8.0.50 end=10.8.0.100) to allocate +# to connecting clients. Leave this line commented +# out unless you are ethernet bridging. +;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 + +# Push routes to the client to allow it +# to reach other private subnets behind +# the server. Remember that these +# private subnets will also need +# to know to route the OpenVPN client +# address pool (10.8.0.0/255.255.255.0) +# back to the OpenVPN server. +;push "route 10.8.0.0 255.255.255.0" +EOF +if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then + for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do + IFS='/' read -a _net_arr <<< "${_remote_network}" + if [[ -n ${_net_arr[1]} ]]; then + _netmask=$(cidr2mask ${_net_arr[1]}) + else + _netmask="255.255.255.0" + fi + cat <> ${_server_conf_file} 2>> "$log_file" +push "route ${_net_arr[0]} $_netmask" +EOF + done +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# To assign specific IP addresses to specific +# clients or if a connecting client has a private +# subnet behind it that should also have VPN access, +# use the subdirectory "ccd" for client-specific +# configuration files (see man page for more info). +client-config-dir $OPENVPN_CCD_DIR + +# --- +# EXAMPLE: Suppose the client +# having the certificate common name "Thelonious" +# also has a small subnet behind his connecting +# machine, such as 192.168.40.128/255.255.255.248. +# First, uncomment out these lines: +;client-config-dir /etc/openvpn/ccd +;route 192.168.40.128 255.255.255.248 + +# Then create a file ccd/Thelonious with this line: +# iroute 192.168.40.128 255.255.255.248 +# This will allow Thelonious' private subnet to +# access the VPN. This example will only work +# if you are routing, not bridging, i.e. you are +# using "dev tun" and "server" directives. +# --- + +# --- +# EXAMPLE: Suppose you want to give +# Thelonious a fixed VPN IP address of 10.9.0.1. 
+# First uncomment out these lines: +;client-config-dir ccd +;route 10.9.0.0 255.255.255.252 + +# Then add this line to ccd/Thelonious: +# ifconfig-push 10.9.0.1 10.9.0.2 +# --- + +# --- +# Suppose that you want to enable different +# firewall access policies for different groups +# of clients. There are two methods: +# (1) Run multiple OpenVPN daemons, one for each +# group, and firewall the TUN/TAP interface +# for each group/daemon appropriately. +# (2) (Advanced) Create a script to dynamically +# modify the firewall in response to access +# from different clients. See man +# page for more info on learn-address script. +;learn-address ./script +# --- + +# If enabled, this directive will configure +# all clients to redirect their default +# network gateway through the VPN, causing +# all IP traffic such as web browsing and +# and DNS lookups to go through the VPN +# (The OpenVPN server machine may need to NAT +# the TUN/TAP interface to the internet in +# order for this to work properly). +# CAVEAT: May break client's network config if +# client's local DHCP server packets get routed +# through the tunnel. Solution: make sure +# client's local DHCP server is reachable via +# a more specific route than the default route +# of 0.0.0.0/0.0.0.0. +;push "redirect-gateway" + +# Certain Windows-specific network settings +# can be pushed to clients, such as DNS +# or WINS server addresses. CAVEAT: +# http://openvpn.net/faq.html#dhcpcaveats +;push "dhcp-option WINS 10.8.0.1" +EOF +if [[ -n "$DNS_SERVER" ]]; then + cat <> ${_server_conf_file} 2>> "$log_file" +push "dhcp-option DNS ${DNS_SERVER}" +EOF +fi + +if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]]; then + for _domain in ${SEARCH_DOMAINS_ARR[@]} ; do + cat <> ${_server_conf_file} 2>> "$log_file" +push "dhcp-option DOMAIN ${_domain}" +EOF + done +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# Uncomment this directive to allow different +# clients to be able to "see" each other. 
+# By default, clients will only see the server. +# To force clients to only see the server, you +# will also need to appropriately firewall the +# server's TUN/TAP interface. +client-to-client + +# Uncomment this directive if multiple clients +# might connect with the same certificate/key +# files or common names. This is recommended +# only for testing purposes. For production use, +# each client should have its own certificate/key +# pair. +# +# IF YOU HAVE NOT GENERATED INDIVIDUAL +# CERTIFICATE/KEY PAIRS FOR EACH CLIENT, +# EACH HAVING ITS OWN UNIQUE "COMMON NAME", +# UNCOMMENT THIS LINE OUT. +;duplicate-cn + +# The keepalive directive causes ping-like +# messages to be sent back and forth over +# the link so that each side knows when +# the other side has gone down. +# Ping every 10 seconds, assume that remote +# peer is down if no ping received during +# a 120 second time period. +keepalive 10 120 + +# For extra security beyond that provided +# by SSL/TLS, create an "HMAC firewall" +# to help block DoS attacks and UDP port flooding. +# +# Generate with: +# openvpn --genkey --secret ta.key +# +# The server and each client must have +# a copy of this key. +# The second parameter should be '0' +# on the server and '1' on the clients. +;tls-auth ta.key 0 # This file is secret +tls-auth ${OPENVPN_KEY_DIR}/ta.key 0 + +# Select a cryptographic cipher. +# This config item must be copied to +# the client config file as well. +;cipher BF-CBC # Blowfish (default) +;cipher AES-128-CBC # AES +;cipher DES-EDE3-CBC # Triple-DES +EOF + +if [[ -n "$SERVER_CIPHER" ]]; then + cat <> ${_server_conf_file} 2>> "$log_file" +cipher $SERVER_CIPHER +EOF + +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# Enable compression on the VPN link. +# If you enable it here, you must also +# enable it in the client config file. 
+;comp-lzo +EOF + +if $LZO_COMPRESSION ; then + cat <> ${_server_conf_file} 2>> "$log_file" +comp-lzo +EOF +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# The maximum number of concurrently connected +# clients we want to allow. +;max-clients 100 + +# It's a good idea to reduce the OpenVPN +# daemon's privileges after initialization. +# +# You can uncomment this out on +# non-Windows systems. +user nobody +group nogroup + +# The persist options will try to avoid +# accessing certain resources on restart +# that may no longer be accessible because +# of the privilege downgrade. +persist-key +persist-tun +persist-local-ip +persist-remote-ip + +# Output a short status file showing +# current connections, truncated +# and rewritten every minute. +;status openvpn-status.log +status /var/log/openvpn/status-server-${OPENVPN_NAME}.log + +# By default, log messages will go to the syslog (or +# on Windows, if running as a service, they will go to +# the "\Program Files\OpenVPN\log" directory). +# Use log or log-append to override this default. +# "log" will truncate the log file on OpenVPN startup, +# while "log-append" will append to it. Use one +# or the other (but not both). +;log-append openvpn.log +;log openvpn.log +log /var/log/openvpn/server-${OPENVPN_NAME}.log + +# Set the appropriate level of log +# file verbosity. +# +# 0 is silent, except for fatal errors +# 4 is reasonable for general usage +# 5 and 6 can help to debug connection problems +# 9 is extremely verbose +verb 1 + +# Silence repeating messages. At most 20 +# sequential messages of the same message +# category will be output to the log. 
+;mute 20
+EOF
+
+if [[ -h "${OPENVPN_BASE_DIR}/crl.pem" ]] ; then
+ cat <> ${_server_conf_file} 2>> "$log_file"
+
+# CRL (certificate revocation list) verification
+crl-verify ${OPENVPN_BASE_DIR}/crl.pem
+EOF
+elif [[ -f "${OPENVPN_KEY_DIR}/crl.pem" ]]; then
+ cat <> ${_server_conf_file} 2>> "$log_file"
+
+# CRL (certificate revocation list) verification
+crl-verify ${OPENVPN_KEY_DIR}/crl.pem
+EOF
+fi
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+echo ""
+
+
+# - Start OpenVPN Service
+# -
+echononl " Start OpenVPN Service"
+if $systemd_supported ; then
+ $systemctl start $service_name > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+else
+ $init_script start > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+fi
+
+
+# - See if OpenVPN Service is running/has started
+#
+check_string_ps="$openvpn_binary"
+check_string_ps_plus="--daemon"
+sleep 2
+PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}')
+if [[ "X${PID}" = "X" ]]; then
+ warn "\033[37m\033[1mOpenVPN Service is NOT running.\033[m\n Maybe you have to restart the machine in order to start openvpn daemon."
+fi
+
+
+echo ""
+clean_up 0
diff --git a/build_key-pass.sh b/build_key-pass.sh
index 56af24f..c117b66 100755
--- a/build_key-pass.sh
+++ b/build_key-pass.sh
@@ -78,6 +78,12 @@ info (){
 echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
 echo ""
 }
+
+print_command () {
+ echo ""
+ echo -e "\t\033[33m\033[1mCommand was\033[m: $*"
+ echo ""
+}
 echo_done() {
 echo -e "\033[80G[ \033[32mdone\033[m ]"
 }
@@ -397,7 +403,7 @@
 read ok
 echo ""
 if $EASYRSA_LAYOUT_NEW ; then
- ${EASY_RSA_DIR}/easyrsa build-client-full ${_CLIENT_CN}
+ ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-client-full ${_CLIENT_CN}
 else
 ${EASY_RSA_DIR}/build-key-pass ${NEW_KEY_NAME}
 fi
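Review bot: `print_command` hands its arguments to `echo -e`, so a backslash sequence inside a command argument (a CN or path containing `\t`, `\n`, `\0`) is interpreted instead of shown, and the helper exists precisely to show the exact command that failed; print the data verbatim with `printf '\t\033[33m\033[1mCommand was\033[m: %s\n' "$*"`. The same function is added byte-for-byte to install_openvpn.sh (@@ -143) and revoke_key.sh (@@ -83), so a shared file sourced by all three scripts would keep them from drifting. A one-line header a reader would want: `# print_command CMD...: show the command line that just failed so the operator can re-run it by hand`.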
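Review bot: The rewritten line still passes `${_CLIENT_CN}` unquoted although the CN is operator input, so a CN containing a space or a glob character is split into several easyrsa arguments; quote it while touching the line, `${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-client-full "${_CLIENT_CN}"`. The literal `--vars="${EASY_RSA_DIR}/vars"` is now repeated in every easyrsa call across the three scripts (install_openvpn.sh @@ -1559, -2348, -2380, -2432, -2471 and revoke_key.sh @@ -312); one `easyrsa_vars="${EASY_RSA_DIR}/vars"` set once per script, or easy-rsa's `EASYRSA_VARS_FILE` environment variable, would keep them in step.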
@@ -405,12 +411,23 @@ if [[ $? -eq 0 ]] ; then info "Building key '${NEW_KEY_NAME}.key' was successfully." else error "Building key '${NEW_KEY_NAME}.key' failed!" + + print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" init-pki" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" fi -echo "" -echononl "Type to continue: " -read ok -echo "" +#echo "" +#echononl "Type to continue: " +#read ok +#echo "" echononl " Add new key credentials to file ${OPENVPN_BASE_DIR}/keys-created.txt" cat << EOF >> ${OPENVPN_BASE_DIR}/keys-created.txt @@ -723,7 +740,8 @@ else fi done fi - + +blank_line if $_copy_to_user_home_dir ; then _home_dir=$(eval echo "~$user_name") _target_dir="${_home_dir}/VPN/${_CLIENT_CN}" diff --git a/install_openvpn.sh b/install_openvpn.sh index feb5626..180c9c8 100755 --- a/install_openvpn.sh +++ b/install_openvpn.sh @@ -143,6 +143,12 @@ info (){ echo "" } +print_command () { + echo "" + echo -e "\t\033[33m\033[1mCommand was\033[m: $*" + echo "" +} + echo_done() { echo -e "\033[80G[ \033[32mdone\033[m ]" } @@ -1559,7 +1565,50 @@ if [[ "$OK" != "YES" ]] ; then fatal "Abort by user request - Answer as not 'YES'" fi - +#cat < "$log_file" 2>&1 + ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" init-pki > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" + + print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" init-pki" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" fi fi 
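Review bot: The `print_command` in the failure branch shows `init-pki`, but the command that just failed is `build-client-full ${_CLIENT_CN}` (or `build-key-pass` when `EASYRSA_LAYOUT_NEW` is false), so the operator is told to re-run the wrong command; it should read `print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" build-client-full ${_CLIENT_CN}"`. The yes/no prompt that follows is pasted verbatim into six further hunks (install_openvpn.sh @@ -1559, -2348, -2388, -2432, -2471 and revoke_key.sh @@ -312), each carrying the same `[yes/nno]` typo, a `read` without `-r`, an unquoted `$OK` in the final test, and the German `Abbruch durch User` where every other message is English, so one helper next to `print_command` fixes all of them in one place. Continuing after a failed PKI step also means every later step runs against missing CA, key or CRL files, which the prompt should say. The commented-out `Type to continue` block is dead code and can be deleted rather than kept as comments.
```shell
# ask_continue: after a failed PKI step, ask whether to go on; returns 0 on
# "yes" and aborts the script on "no".
ask_continue () {
   local answer
   warn "Later steps will run against an incomplete PKI if you continue."
   echononl "continue anyway [yes/no]: "
   read -r answer
   answer="$(echo "$answer" | tr '[:upper:]' '[:lower:]')"
   while [[ "$answer" != "yes" ]] && [[ "$answer" != "no" ]] ; do
      echononl "Wrong entry! - repeat [yes/no]: "
      read -r answer
   done
   [[ "$answer" = "yes" ]] || fatal "Abort by user request"
}
# … unchanged: key build and its status check … then in the failure branch:
   print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" build-client-full ${_CLIENT_CN}"
   ask_continue
```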
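Review bot: The hunk header announces 50 new lines but only the `init-pki` call and its failure branch are visible, and the `#cat <` fragment suggests a heredoc was cut by the rendering, so the middle of this hunk could not be reviewed and should be re-checked in the raw patch. In what is visible, `OK` is the same variable the preceding confirmation reads in upper case (`if [[ "$OK" != "YES" ]]`), and the new prompt overwrites it with a lower-cased answer; using a separate name, e.g. `read -r continue_answer`, keeps the two conventions from being confused by a later reader. The enclosing `if`/`fi` that the hunk closes with `fi fi` starts outside the hunk.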
@@ -2348,13 +2408,25 @@ echononl " Create Root CA.." if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 else - printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa build-ca nopass > "$log_file" 2>&1 + printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-ca nopass > "$log_file" 2>&1 fi if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" + + print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" build-ca nopass" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi @@ -2380,7 +2452,7 @@ else if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_KEY_DIR}/dh.pem" > "$log_file" 2>&1 else - #${EASY_RSA_DIR}/easyrsa gen-dh > "$log_file" 2>&1 + #${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars gen-dh > "$log_file" 2>&1 openssl dhparam -dsaparam -out "${OPENVPN_KEY_DIR}/dh.pem" ${KEY_SIZE} > "$log_file" 2>&1 fi if [[ $? -eq 0 ]] ; then @@ -2388,6 +2460,18 @@ else else echo_failed error "$(cat $log_file)" + + print_command "openssl dhparam -dsaparam -out \"${OPENVPN_KEY_DIR}/dh.pem\" ${KEY_SIZE}" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi _DH_KEY="${OPENVPN_KEY_DIR}/dh.pem" fi 
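Review bot: Offering `continue anyway` after `build-ca` fails lets the run proceed without a CA, and every later step (`build-server-full`, `gen-crl`, the `ca ${OPENVPN_KEY_DIR}/ca.crt` line written into the server configuration) depends on that file, so the result is a server that cannot start and an operator who answered a harmless-looking prompt. For this step the failure branch should stay fatal, `fatal "Root CA could not be created"`, or at least verify `[[ -f "${OPENVPN_KEY_DIR}/ca.crt" ]]` before going on; the same applies to `init-pki` in @@ -1559 and to the DH parameter step in @@ -2388, where `_DH_KEY` is assigned regardless of the outcome.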
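Review bot: The rewritten comment line `#${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars gen-dh > "$log_file" 2>&1` lost the closing quote after `vars`, so whoever uncomments it later gets an unterminated quote instead of a working alternative to `openssl dhparam`. Write it as `#${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" gen-dh > "$log_file" 2>&1`, or drop the dead line since the live path is the `openssl dhparam -dsaparam` call below it.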
@@ -2432,12 +2516,24 @@ else
 # - nopass - do not encrypt the private key (default is encrypted)
 # -
 echononl " Generate server keypair '${KEY_CN}-server'.."
- ${EASY_RSA_DIR}/easyrsa build-server-full "${KEY_CN}-server" nopass > "$log_file" 2>&1
+ ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" build-server-full "${KEY_CN}-server" nopass > "$log_file" 2>&1
 if [[ $? -eq 0 ]] ; then
 echo_ok
 else
 echo_failed
 error "$(cat $log_file)"
+
+ print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" build-server-full \"${KEY_CN}-server\" nopass"
+
+ echononl "continue anyway [yes/no]: "
+ read OK
+ OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')"
+ while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do
+ echononl "Wrong entry! - repeat [yes/nno]: "
+ read OK
+ done
+ [[ $OK = "yes" ]] || fatal "Abbruch durch User"
+
 fi
 _SERVER_KEY="${OPENVPN_KEY_DIR}/private/${KEY_CN}-server.key"
 _SERVER_CERT="${OPENVPN_KEY_DIR}/issued//${KEY_CN}-server.crt"
@@ -2450,7 +2546,12 @@ fi
 # - to help block DoS attacks and UDP port flooding.
 # -
 echononl " Create 'ta.key' for additional security"
-openvpn --genkey --secret ${OPENVPN_KEY_DIR}/ta.key > "$log_file" 2>&1
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 11 ]] ; then
+ openvpn --genkey --secret ${OPENVPN_KEY_DIR}/ta.key > "$log_file" 2>&1
+else
+ openvpn --genkey secret ${OPENVPN_KEY_DIR}/ta.key > "$log_file" 2>&1
+fi
+
 if [[ $? -eq 0 ]] ; then
 echo_ok
 else
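Review bot: After the operator answers `yes` to the new prompt, `_SERVER_KEY` and `_SERVER_CERT` are still assigned from the paths easyrsa would have produced, and (as the OLD/ copy of this script shows) those values are later written into the server configuration as `cert` and `key`, so the service start at the end fails on files that do not exist. Either guard the assignments with the easyrsa status or check the files after the `fi`, e.g. `[[ -f "$_SERVER_KEY" && -f "$_SERVER_CERT" ]] || warn "Server key/cert missing - the generated server config will not start"`. The enclosing `if`/`else` on the easy-rsa layout starts outside the hunk.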
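Review bot: The choice between `--genkey --secret` and `--genkey secret` is keyed on the Debian release (`os_version -lt 11`) as a stand-in for the installed OpenVPN version, so any non-Debian `os_dist` gets the new syntax unconditionally and a Debian 10 host with a newer OpenVPN gets the old one. Deriving the syntax from the binary itself is more robust, e.g. `openvpn_version="$(openvpn --version | awk 'NR==1 {print $2}')"` compared against the release that introduced the new form, with a comment naming that release. The `$? -eq 0` after the `fi` does report the status of whichever `openvpn` call ran, but capturing `rc=$?` inside each branch would make that obvious to the next reader; and unless `openvpn --genkey` already creates the file mode 0600, a `chmod 600 "${OPENVPN_KEY_DIR}/ta.key"` on success would keep the shared secret from inheriting the umask.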
@@ -2471,12 +2572,23 @@ if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then fi else echononl " Create CRL (Certificate Revokation List) '${OPENVPN_KEY_DIR}/crl.pem'.." - ${EASY_RSA_DIR}/easyrsa gen-crl > "$log_file" 2>&1 + ${EASY_RSA_DIR}/easyrsa --vars="${EASY_RSA_DIR}/vars" gen-crl > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" + + print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" "gen-crl + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" fi fi @@ -2896,6 +3008,7 @@ persist-tun persist-local-ip persist-remote-ip + # Output a short status file showing # current connections, truncated # and rewritten every minute. diff --git a/revoke_key.sh b/revoke_key.sh index e79c4e1..d3e7173 100755 --- a/revoke_key.sh +++ b/revoke_key.sh @@ -83,6 +83,11 @@ info (){ echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" echo "" } +print_command () { + echo "" + echo -e "\t\033[33m\033[1mCommand was\033[m: $*" + echo "" +} echo_done() { echo -e "\033[80G[ \033[32mdone\033[m ]" } 
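Review bot: In the failure branch the closing quote is misplaced, `print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" "gen-crl` ends the string before `gen-crl`; bash still glues the unquoted word onto the same argument, so it happens to print correctly today, but the next edit that adds a space or a second argument breaks it. Write it as the sibling hunks do: `print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" gen-crl"`. The two `fi` that close the hunk belong to the Debian-version `if`/`else` that starts outside it.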
@@ -312,24 +317,48 @@ if $EASYRSA_LAYOUT_NEW ; then # - Revoke Key # --- echononl "Revoke key '$(basename "$_CLIENT_KEY")'.." - $EASY_RSA_DIR/easyrsa revoke "$_CLIENT_CN" > "$log_file" 2>&1 + $EASY_RSA_DIR/easyrsa --vars="${EASY_RSA_DIR}/vars" revoke "$_CLIENT_CN" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" + + print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" revoke \"$_CLIENT_CN\"" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi # --- # - Generate new crl.pem # --- echononl "Generate new CRL (Certificate Revokation List) 'crl.pem'.." - $EASY_RSA_DIR/easyrsa gen-crl > "$log_file" 2>&1 + $EASY_RSA_DIR/easyrsa --vars="${EASY_RSA_DIR}/vars" gen-crl > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" + + print_command "${EASY_RSA_DIR}/easyrsa --vars=\"${EASY_RSA_DIR}/vars\" gen-crl" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi else
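Review bot: Answering `yes` after `easyrsa revoke` fails lets the script fall through to `gen-crl`, which then publishes a CRL that does not contain the certificate while the console reports the key as handled, so an operator can walk away believing the client is locked out when it can still connect. For this step the failure should stay fatal, or the `gen-crl` block and what follows it should be skipped with an explicit `warn "Certificate '$_CLIENT_CN' is NOT revoked - the client can still connect"` so the state of the PKI is never misreported. The enclosing `if $EASYRSA_LAYOUT_NEW` block starts outside the hunk, and the hunk's trailing context appears to end at the `else` on its last line.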