diff --git a/build_key-pass.sh b/build_key-pass.sh
new file mode 100755
index 0000000..1e9e226
--- /dev/null
+++ b/build_key-pass.sh
@@ -0,0 +1,303 @@ +#!/usr/bin/env bash + +script_dir="$(dirname $(realpath $0))" +conf_file=${script_dir}/conf/install_openvpn.conf + +log_file="$(mktemp)" +_date="$(date +%Y-%m-%d-%H%M)" + +#--------------------------------------- +#----------------------------- +# Base Function(s) +#----------------------------- +#--------------------------------------- + +echononl(){ + echo X\\c > /tmp/shprompt$$ + if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then + echo -e -n "$*\\c" 1>&2 + else + echo -e -n "$*" 1>&2 + fi + rm /tmp/shprompt$$ +} + +fatal(){ + echo "" + echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*" + echo "" + echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m" + echo "" + exit 1 +} + +error(){ + echo "" + echo -e "\t[ \033[31m\033[1mError\033[m ]: $*" + echo "" +} + +warn (){ + echo "" + echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" + echo "" +} + +info (){ + echo "" + echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" + echo "" +} + +echo_done() { + echo -e "\033[80G[ \033[32mdone\033[m ]" +} +echo_ok() { + echo -e "\033[80G[ \033[32mok\033[m ]" +} +echo_warning() { + echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]" +} +echo_failed(){ + echo -e "\033[80G[ \033[1;31mfailed\033[m ]" +} +echo_skipped() { + echo -e "\033[80G[ \033[37mskipped\033[m ]" +} + +clear +echo "" +echo -e "\033[32m--\033[m" +echo "" +NEW_KEY_NAME="" +if [ -z "$NEW_KEY_NAME" ]; then + echo "Insert key name." 
+ echo "" + echo "" + echononl "key name: " + read NEW_KEY_NAME + while [ "X$NEW_KEY_NAME" = "X" ] ; do + echo -e "\n\t\033[33m\033[1mKey name is required!\033[m\n" + echononl "key name: " + read NEW_KEY_NAME + done +fi + +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Enter a password for the new key" +echo "" +_KEY_PW_1="X" +_KEY_PW_2="Y" +while [ "$_KEY_PW_1" != "$_KEY_PW_2" ] +do + echononl "Password: " + read -s _KEY_PW_1 + echo + if [ "X$_KEY_PW_1" = "X" ]; then + echo -e "\n\t\033[33m\033[1mA password is required!\033[m\n" + continue + fi + echononl "Repeat the password: " + read -s _KEY_PW_2 + echo + if [ "$_KEY_PW_1" != "$_KEY_PW_2" ];then + echo -e "\n\t\033[33m\033[1mpassword entries are NOT identical!\033[m\n" + else + KEY_PW=$_KEY_PW_1 + fi +done + +info "Going to create key \033[37m\033[1m${NEW_KEY_NAME}.key\033[m.." +echo -n "To continue type uppercase 'YES': " +read OK +echo "" +if [[ "$OK" != "YES" ]] ; then + fatal "Abort by user request - Answer as not 'YES'" +fi + + + +#--------------------------------------- +#----------------------------- +# Read Configurations from $conf_file +#----------------------------- +#--------------------------------------- + +echononl " Load configuration file.." +if [[ ! -f "$conf_file" ]]; then + echo_failed + fatal "Configuration file \033[37m\033[1m$(basename ${conf_file})\033[m not found!" +else + source "${conf_file}" + if [[ $? -eq 0 ]]; then + echo_ok + else + echo_failed + fatal "$(cat $log_file)" + fi +fi + + +#--------------------------------------- +#----------------------------- +# Create Certificate +#----------------------------- +#--------------------------------------- + +echo "" + +# - source file vars +# - +echononl " Load configuration '${EASY_RSA_DIR}/vars'.." +source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 +if [[ $? 
-eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + + +# --- +# - Create Keys and Certs +# --- +echo "" +echo -e "\033[32m--\033[m" +echo "Create Keys and Certs .." +echo -e "\033[32m--\033[m" +echo "" + +# - Build Key +# - +echo -e " \033[32mNow create the key \033[37m${NEW_KEY_NAME}.key\033[32m. This is an interactive procedure.\033[m" +echo "" +echo -e " Enter \033[37m\033[1m${KEY_PW}\033[m for Password" +echo -e " Enter \033[37m\033[1m${KEY_CN}-${NEW_KEY_NAME}\033[m as commonName" +echo "" +echo " For all other entries simply type or confirm with 'y'" +echo "" +echononl "Type to continue: " +read ok +echo "" + +${EASY_RSA_DIR}/build-key-pass ${NEW_KEY_NAME} +if [[ $? -eq 0 ]] ; then + info "Building key '${NEW_KEY_NAME}.key' was successfully." +else + error "Building key '${NEW_KEY_NAME}.key' failed!" +fi + +echo "" +echononl "Type to continue: " +read ok +echo "" + +echononl " Add new key credentials to file ${OPENVPN_BASE_DIR}/keys-created.txt" +cat << EOF >> ${OPENVPN_BASE_DIR}/keys-created.txt + +key...............: ${NEW_KEY_NAME}.key +common name.......: ${KEY_CN}-${NEW_KEY_NAME} +password..........: ${KEY_PW} +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + + + +echo "" +echo -e "\033[32m--\033[m" +echo "" +echo "Do you want me to copy the created key material into the home directory " +echo "of a specified user?" +echo "" +echo -e " Specify a username or type \033[33mNone\033[m to ommit this step." 
+echo "" +if [[ -n "$DEFAULT_USER_TO_COPY_CREDENTIALS" ]] ; then + echo -e " Defaults to user '${DEFAULT_USER_TO_COPY_CREDENTIALS}'" + echo "" +fi +user_name="" +if [[ -n "$DEFAULT_USER_TO_COPY_CREDENTIALS" ]] ; then + echononl "Username: [${DEFAULT_USER_TO_COPY_CREDENTIALS}]: " + read user_name + if [[ "X$user_name" = "X" ]]; then + user_name="${DEFAULT_USER_TO_COPY_CREDENTIALS}" + _copy_to_user_home_dir=true + elif [[ "$(echo "${user_name,,}")" = "none" ]]; then + _copy_to_user_home_dir=false + else + _copy_to_user_home_dir=true + fi +else + while [[ "X$user_name" = "X" ]]; do + echononl "Username: " + read user_name + if [[ "X$user_name" = "X" ]]; then + echo + echo -e " Give a Username or type \033[33mNone\033[m" + echo + continue + elif [[ "$(echo "${user_name,,}")" = "none" ]]; then + _copy_to_user_home_dir=false + else + _copy_to_user_home_dir=true + fi + done +fi + +if $_copy_to_user_home_dir ; then + _home_dir=$(eval echo "~$user_name") + _failed=false + echo "" + echononl " Copy key material into dir '${_home_dir}/${KEY_CN}-${NEW_KEY_NAME}'.." + mkdir -p "${_home_dir}/VPN/${KEY_CN}-${NEW_KEY_NAME}" > $log_file 2>&1 + if [[ $? -ne 0 ]] ; then + _failed=true + fi + cp -a ${OPENVPN_BASE_DIR}/keys/${NEW_KEY_NAME}.key "${_home_dir}/VPN/${KEY_CN}-${NEW_KEY_NAME}" >> $log_file 2>&1 + if [[ $? -ne 0 ]] ; then + _failed=true + fi + cp -a -a ${OPENVPN_BASE_DIR}/keys/${NEW_KEY_NAME}.crt "${_home_dir}/VPN/${KEY_CN}-${NEW_KEY_NAME}" >> $log_file 2>&1 + if [[ $? -ne 0 ]] ; then + _failed=true + fi + cp -a -a ${OPENVPN_BASE_DIR}/keys/ca.crt "${_home_dir}/VPN/${KEY_CN}-${NEW_KEY_NAME}" >> $log_file 2>&1 + if [[ $? -ne 0 ]] ; then + _failed=true + fi + cp -a -a ${OPENVPN_BASE_DIR}/keys/ta.key "${_home_dir}/VPN/${KEY_CN}-${NEW_KEY_NAME}" >> $log_file 2>&1 + if [[ $? 
-ne 0 ]] ; then + _failed=true + fi + cat << EOF > "${_home_dir}/VPN/${KEY_CN}-${NEW_KEY_NAME}/passwd.txt" + key...............: ${NEW_KEY_NAME}.key + common name.......: ${KEY_CN}-${NEW_KEY_NAME} + password..........: ${KEY_PW} +EOF + if [[ $? -ne 0 ]] ; then + _failed=true + fi + chown -R ${user_name}:$user_name "${_home_dir}/VPN" >> $log_file 2>&1 + if [[ $? -ne 0 ]] ; then + _failed=true + fi + if $_failed ; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi +fi + + + +rm -f $log_file +echo "" +exit 0 diff --git a/install_openvpn.txt b/install_openvpn.sh old mode 100644 new mode 100755 similarity index 57% rename from install_openvpn.txt rename to install_openvpn.sh index ce87e06..edf160c --- a/install_openvpn.txt +++ b/install_openvpn.sh 
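Review bot: The passphrase of the new client key is stored in clear text twice — appended with the key name to `${OPENVPN_BASE_DIR}/keys-created.txt`, and, when a user is given, written into `passwd.txt` right beside the copied `${NEW_KEY_NAME}.key`, `ca.crt` and the shared `ta.key` in that user's home — so whoever can read that directory gets the key and the secret that was supposed to protect it (the passphrase is also echoed to the terminal by the `Enter ${KEY_PW} for Password` line). Both files and the `VPN/` directory are created with the caller's umask and then only `chown -R`'d, never `chmod`'d, so with a usual 022 umask they end up world-readable; `umask 077` near the top of the script (before the first append to `keys-created.txt`) fixes that for every file it creates, and I would drop `passwd.txt` entirely unless the operator really needs it. The home directory is resolved by `_home_dir=$(eval echo "~$user_name")` from a name typed at the prompt while the script runs as root, so a name containing `;`, `$(…)` or backticks is executed; `getent passwd "$user_name" | cut -d: -f6` gives the same result without eval and doubles as an existence check. A sketch of the copy section with those changes follows.
```shell
if $_copy_to_user_home_dir ; then
  # Resolve the home directory without eval: the name was typed interactively
  _home_dir="$(getent passwd "$user_name" | cut -d: -f6)"
  if [[ -z "$_home_dir" ]] ; then
    fatal "User '${user_name}' does not exist - key material not copied."
  fi
  # The private key, ta.key and passwd.txt must not be group/world readable
  umask 077
  _failed=false
  # … unchanged: mkdir, cp of .key/.crt/ca.crt/ta.key, passwd.txt heredoc, chown -R …
fi
```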
@@ -1,235 +1,632 @@ -## - Configuration/Initialization OpenVPN -## - +#!/usr/bin/env bash -# ==================== -# - Some Parameter Settings for using this installation howto -# ==================== +script_dir="$(dirname $(realpath $0))" +conf_file=${script_dir}/conf/install_openvpn.conf -# --- -# - Parameters OpenVPN Configuration / KEY Creation -# --- +_needed_debian_packages="openvpn easy-rsa" -OPENVPN_BASE_DIR=/etc/openvpn -EASY_RSA_DIR=${OPENVPN_BASE_DIR}/easy-rsa - -# - (3*365+366)*8 = 11688 = 32 Jahre -CA_EXPIRE=11688 -# - (3*365+366)*5 = 7305 = 20 Jahre -KEY_EXPIRE=7305 - -KEY_COUNTRY="DE" -KEY_PROVINCE="Berlin" -KEY_CITY="Berlin" -KEY_ORG="O.OPEN" -KEY_EMAIL="ckubu-adm\@oopen.de" -KEY_OU="Network Services" - -KEY_NAME="VPN 123Comics" -KEY_CN="VPN-123Comics" - -KEY_ALTNAMES="VPN 123Comics" - - -# --- -# - Parameters for Server Configurations ( server-home.conf / server-gw-ckubu.conf) -# --- - -SERVER_PORT_HOME=1194 -OPENVPN_NETWORK_HOME="10.0.142.0" -CCD_HOME="/etc/openvpn/ccd/server-home" - -SERVER_PORT_GW_CKUBU=1195 -OPENVPN_NETWORK_GW_CKUBU="10.1.142.0" -IPV4_OPENVPN_GW_CKUBU="10.1.142.1" -CCD_GW_CKUBU="/etc/openvpn/ccd/server-gw-ckubu" - -MAIN_NETWORK=192.168.142.0 -DNS_SERVER=192.168.142.1 -DOMAIN=123.netz - - - -# ==================== -# - Base Installation OpenVPN -# ==================== - - -## - Package "easy-rsa" contains shell based helper scripts for building -## - certs/keys OpenVPN service and clients. 
-## - -## - Use the package included scripts for building the keys -## - -apt-get install openvpn easy-rsa - - -## - Make the package included scripts available in directory -## - "/etc/openvpn/easy-rsa" -## - -if [ -d "$EASY_RSA_DIR" ]; then - mv $EASY_RSA_DIR ${EASY_RSA_DIR}.`date +%Y%m%d-%H%M` -fi -/usr/bin/make-cadir $EASY_RSA_DIR - -## - Create key directory -## - -if [ -d "${OPENVPN_BASE_DIR}/keys" ]; then - mv ${OPENVPN_BASE_DIR}/keys ${OPENVPN_BASE_DIR}/keys.`date +%Y%m%d-%H%M` -fi -mkdir ${OPENVPN_BASE_DIR}/keys - - -## - Adjust /etc/default/openvpn -## - -## - AUTOSTART="all" -## - -perl -i -n -p -e "s/^(\s*#\s*AUTOSTART=\"all\".*)/##\1\nAUTOSTART=\"all\"/" /etc/default/openvpn - - -## - Adjust /etc/openvpn/easy-rsa/vars -## - -## - add: -## - export BASE_DIR=$OPENVPN_BASE_DIR -## - -## - replace: -## - export EASY_RSA=\$BASE_DIR/easy_rsa -## - export KEY_DIR=\$BASE_DIR/keys -## - -## - # root CA expires in 30 years (= 10950 days) -## - export CA_EXPIRE=$CA_EXPIRE -## - -## - # certificates expires in 20 years (=7300 days) -## - export KEY_EXPIRE=$KEY_EXPIRE -## - -## - export KEY_COUNTRY="$KEY_COUNTRY" -## - export KEY_PROVINCE="$KEY_PROVINCE" -## - export KEY_CITY="$KEY_CITY" -## - export KEY_ORG="$KEY_ORG" -## - export KEY_EMAIL="$KEY_EMAIL" -## - export KEY_OU="$KEY_OU" -## - -## - export KEY_NAME="$KEY_NAME" -## - -## - #export KEY_CN="$KEY_CN" -## - - -perl -i.ORIG -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"\\\$BASE_DIR/keys\"&" ${EASY_RSA_DIR}/vars - -perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EXPIRE=.*)/##\1\nexport KEY_EXPIRE=$KEY_EXPIRE/" ${EASY_RSA_DIR}/vars - -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport 
KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${KEY_EMAIL}\"/" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars - -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars - -echo -e "\nexport KEY_ALTNAMES=\"$KEY_ALTNAMES\"" >> ${EASY_RSA_DIR}/vars - - -## - Ceate file "serial" in key-directory -## - -echo "01" > $OPENVPN_BASE_DIR/keys/serial - -## - Create empty file index.txt at key-directory -## - -touch $OPENVPN_BASE_DIR/keys/index.txt - - - -# ==================== -# - Initial Setup OpenVPN (Root ca / Server key /..) -# ==================== - -cd $EASY_RSA_DIR - -## - source file vars -## - -. vars - - -## - Create Root CA -## - -./build-ca - - -## - Build Diffie-Hellman parameters for the server side -## - of an SSL/TLS connection. -## . -./build-dh - - -## - Build Sever Key -## - -## - As CommonName choose: -## - AK-VPN-server -## - -./build-key-server server - - -## - For extra security beyond that provided -## - by SSL/TLS, create an "HMAC firewall" -## - to help block DoS attacks and UDP port flooding. 
-## - -## - Generate with: -## - openvpn --genkey --secret ta.key -openvpn --genkey --secret $OPENVPN_BASE_DIR/keys/ta.key - - -## - Create empty CRL (Certificate Revokation List) -## - -#openssl ca -gencrl -out /etc/openvpn/keys/crl.pem -config $KEY_CONFIG -openssl ca -gencrl -out /etc/openvpn/crl.pem -config $KEY_CONFIG -ln -s ../crl.pem /etc/openvpn/keys/crl.pem - -cd $OPENVPN_BASE_DIR -ln -s keys/crl.pem - - - -# ==================== -# - Generate Client Keys / Certs -# ==================== - -cd $EASY_RSA_DIR - -## - Build clent key with passphrase included -## - -## - As CommonName choose: -## - ${KEY_CN}- -## - -## - Example: -## - VPN-123Comics.chris -## - -./build-key-pass ## for example ./build-key-pass axel - ## results in axel.key, axel.crt - -./build-key-pass chris - - - -# ==================== -# - Setup OpenVPN Services -# ==================== - -# - Create Log Directorie +# - Used if system does NOT support systemd # - -mkdir /var/log/openvpn +init_script="/etc/init.d/openvpn" + +# - Used if systemd is supported +# - +service_name=openvpn + +openvpn_binary="/usr/sbin/openvpn" + +log_file="$(mktemp)" +_date="$(date +%Y-%m-%d-%H%M)" + +#--------------------------------------- +#----------------------------- +# Base Function(s) +#----------------------------- +#--------------------------------------- +clean_up() { + + # Perform program exit housekeeping + rm $log_file + exit $1 +} + +echononl(){ + echo X\\c > /tmp/shprompt$$ + if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then + echo -e -n "$*\\c" 1>&2 + else + echo -e -n "$*" 1>&2 + fi + rm /tmp/shprompt$$ +} + +fatal(){ + echo "" + echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*" + echo "" + echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m" + echo "" + clean_up 1 + exit 1 +} + +error(){ + echo "" + echo -e "\t[ \033[31m\033[1mError\033[m ]: $*" + echo "" +} + +warn (){ + echo "" + echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" + echo "" +} + +info (){ + echo "" + 
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" + echo "" +} + +echo_done() { + echo -e "\033[80G[ \033[32mdone\033[m ]" +} +echo_ok() { + echo -e "\033[80G[ \033[32mok\033[m ]" +} +echo_warning() { + echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]" +} +echo_failed(){ + echo -e "\033[80G[ \033[1;31mfailed\033[m ]" +} +echo_skipped() { + echo -e "\033[80G[ \033[37mskipped\033[m ]" +} + +trap clean_up SIGHUP SIGINT SIGTERM + +#--------------------------------------- +#----------------------------- +# Check some prerequisites +#----------------------------- +#--------------------------------------- + +# - Is 'systemd' supported on this system +# - +systemd=$(which systemd) +systemctl=$(which systemctl) + +systemd_supported=false +if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then + systemd_supported=true +else + if [[ ! -x $init_script ]]; then + fatal "$(basename $0): Missing OpenVPN Init-Script!" + fi +fi + + + +echo "" + +#--------------------------------------- +#----------------------------- +# Read Configurations from $conf_file +#----------------------------- +#--------------------------------------- + +echononl " Load configuration file.." +if [[ ! -f "$conf_file" ]]; then + echo_failed + fatal "Configuration file \033[37m\033[1m$(basename ${conf_file})\033[m not found!" +else + source "${conf_file}" + if [[ $? 
-eq 0 ]]; then + echo_ok + else + echo_failed + fatal "$(cat $log_file)" + fi +fi + + +#--------------------------------------- +#----------------------------- +# Start Installation +#----------------------------- +#--------------------------------------- + +check_string_ps="" +check_string_ps_plus="" +if [[ -f "$openvpn_binary" ]] ; then + check_string_ps="$openvpn_binary" + check_string_ps_plus="--daemon" +fi + + +if [[ -n "$check_string_ps" ]]; then + echononl " Stopping OpenVPN Daemon" + PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}') + if [[ "X${PID}" = "X" ]]; then + echo_skipped + else + if $systemd_supported ; then + $systemctl stop $service_name > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi + else + $init_script stop > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi + fi + fi +fi + + +# - Install needed debian packages +# - +echononl " Install needed debian packages.." +needed_debian_packages="" +for _pkg in $_needed_debian_packages ; do + if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then + continue + else + needed_debian_packages="$needed_debian_packages $_pkg" + fi +done +if [[ -n "$needed_debian_packages" ]]; then + DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_debian_packages > /dev/null 2> "$log_file" + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + fatal "$(cat $log_file)" + fi +else + echo_skipped +fi + +# - Make the package included scripts available in directory +# - "/etc/openvpn/easy-rsa" +# - +echononl " Backup directory '/etc/openvpn/easy-rsa'.." +if [[ -d "$EASY_RSA_DIR" ]]; then + mv $EASY_RSA_DIR ${EASY_RSA_DIR}.$_date > "$log_file" 2>&1 + if [[ $? 
-eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi +echononl " Create directory '/etc/openvpn/easy-rsa'.." +/usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Create key directory +# - +echononl " Backup key directory '${OPENVPN_BASE_DIR}/keys'.." +if [[ -d "${OPENVPN_BASE_DIR}/keys" ]]; then + mv ${OPENVPN_BASE_DIR}/keys ${OPENVPN_BASE_DIR}/keys.$_date > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi +echononl " Create key directory '${OPENVPN_BASE_DIR}/keys'.." +mkdir ${OPENVPN_BASE_DIR}/keys > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi +echononl " Change permissions (700) in directory '${OPENVPN_BASE_DIR}/keys'.." +chmod 700 "${OPENVPN_BASE_DIR}/keys" > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Create Log Directory +# - +openvpn_log_dir="/var/log/openvpn" +echononl " Create log directoy '${openvpn_log_dir}'" +if [[ -d "${openvpn_log_dir}" ]] ; then + echo_skipped +else + mkdir /var/log/openvpn > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +fi + + +# - Backup existing 'ccd' directory +# - +echononl " Backup directory '${OPENVPN_BASE_DIR}/ccd'.." +if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]] ; then + mv "${OPENVPN_BASE_DIR}/ccd" "${OPENVPN_BASE_DIR}/ccd.${_date}" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi + +# - Create Directory 'ccd' +# - +echononl " Create log directoy '${OPENVPN_BASE_DIR}/ccd'" +if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]] ; then + echo_skipped +else + mkdir "${OPENVPN_BASE_DIR}/ccd" > "$log_file" 2>&1 + if [[ $? 
-eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +fi + +# - Backup file keys-created.txt +# - +echononl " Backup file '${OPENVPN_BASE_DIR}/keys-created.txt" +if [[ -f "${OPENVPN_BASE_DIR}/keys-created.txt" ]]; then + mv "${OPENVPN_BASE_DIR}/keys-created.txt" "${OPENVPN_BASE_DIR}/keys-created.txt.${_date}" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi + + +# - Adjust /etc/default/openvpn +# - +# - AUTOSTART="all" +# - +_file="/etc/default/openvpn" +echononl " Adjust '/etc/default/openvpn'. Set AUTOSTART=\"all\"" +if ! grep -i -q -E "^\s*AUTOSTART=\"all\"" ${_file} ; then + if grep -i -q -E "^\s*#\s*AUTOSTART=\"all\"" ${_file} ; then + perl -i -n -p -e "s/^(\s*#\s*AUTOSTART=\"all\".*)/##\1\nAUTOSTART=\"all\"/" ${_file} > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + else + echo "" >> ${_file} + echo "AUTOSTART=\"all\"" >> ${_file} + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + fi +else + echo_skipped +fi + +# - Adjust /etc/openvpn/easy-rsa/vars +# - +# - add: +# - export BASE_DIR=$OPENVPN_BASE_DIR +# - +# - replace: +# - export EASY_RSA=\$BASE_DIR/easy_rsa +# - export KEY_DIR=\$BASE_DIR/keys +# - +# - # root CA expires in 30 years (= 10950 days) +# - export CA_EXPIRE=$CA_EXPIRE +# - +# - # certificates expires in 20 years (=7300 days) +# - export KEY_EXPIRE=$KEY_EXPIRE +# - +# - export KEY_COUNTRY="$KEY_COUNTRY" +# - export KEY_PROVINCE="$KEY_PROVINCE" +# - export KEY_CITY="$KEY_CITY" +# - export KEY_ORG="$KEY_ORG" +# - export KEY_EMAIL="$KEY_EMAIL" +# - export KEY_OU="$KEY_OU" +# - +# - export KEY_NAME="$KEY_NAME" +# - +# - #export KEY_CN="$KEY_CN" +# - +_failed=false +echononl " Adjust '${EASY_RSA_DIR}/vars'.." 
+perl -i.$_date -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"\\\$BASE_DIR/keys\"&" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi + +perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EXPIRE=.*)/##\1\nexport KEY_EXPIRE=$KEY_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi + +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${KEY_EMAIL}\"/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? 
-ne 0 ]]; then + _failed=true +fi +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars > "$log_file" +2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi + +perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 +if [[ $? -ne 0 ]]; then + _failed=true +fi + +echo -e "\nexport KEY_ALTNAMES=\"$KEY_ALTNAMES\"" >> ${EASY_RSA_DIR}/vars 2> "$log_file" +if [[ $? -ne 0 ]]; then + _failed=true +fi + +if $_failed ; then + echo_failed + error "$(cat $log_file)" +else + echo_ok +fi + + +#--------------------------------------- +#----------------------------- +# Initial Setup OpenVPN (Root ca / Server key /..) +#----------------------------- +#--------------------------------------- + +echo "" + +# - source file vars +# - +echononl " Load configuration '${EASY_RSA_DIR}/vars'.." +source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi -# - Create (base) Client Directory -mkdir /etc/openvpn/ccd # --- -# - Service server-home +# - Create Keys and Certs # --- +echo "" +echo -e "\033[32m--\033[m" +echo "Create Keys and Certs .." +echo -e "\033[32m--\033[m" +echo "" -mkdir $CCD_HOME +# - Create file 'serial' with value '01' - the serial for the next +# - created certificate +# - +echononl " Create '${OPENVPN_BASE_DIR}/keys/serial'.." +echo "01" > "${OPENVPN_BASE_DIR}/keys/serial" 2> "$log_file" +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi -cat < /etc/openvpn/server-home.conf +# - Create empty file index.txt at key-directory +# - +echononl " Create empty file '${OPENVPN_BASE_DIR}/keys/index.txt'.." +touch $OPENVPN_BASE_DIR/keys/index.txt +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Create Root CA +# - +echononl " Create Root CA.." 
+printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Build Diffie-Hellman parameters for the server side +# - of an SSL/TLS connection. +# . +echononl " Build Diffie-Hellman parameter (dh key).." +${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Build Sever Key +# - +#echononl " Create Sever Key" +echo "" +echo -e " \033[32mNow create the server key. Tis procedure works interactive.\033[m" +echo -e " Use \033[37m\033[1m${KEY_CN}-server\033[m as commonName" +echo "" +echononl "Type to continue: " +read ok +echo "" + +${EASY_RSA_DIR}/build-key-server server +if [[ $? -eq 0 ]] ; then + info "Building server key was successfully." +else + error "Building server key failed!" +fi + +echo "" +echononl "Type to continue: " +read ok +echo "" +#printf "\n\n\n\n\n${KEY_CN}-server\n\n\n\ny\ny\n" | ${EASY_RSA_DIR}/build-key-server server + +# - For extra security beyond that provided +# - by SSL/TLS, create an "HMAC firewall" +# - to help block DoS attacks and UDP port flooding. +# - +echononl " Create 'ta.key' for additional security" +openvpn --genkey --secret $OPENVPN_BASE_DIR/keys/ta.key > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Create empty CRL (Certificate Revokation List) +# - +echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.." +openssl ca -gencrl -out /etc/openvpn/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echononl " Create symlink for '${OPENVPN_BASE_DIR}/keys/crl.pem'.." +ln -s ../crl.pem /etc/openvpn/keys/crl.pem > "$log_file" 2>&1 +if [[ $? 
-eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + + +# ---- +# - Create server configurations +# ---- + +echo "" +echo -e "\033[32m--\033[m" +echo "Server configurations .." +echo -e "\033[32m--\033[m" +echo "" + +echononl " Backup Client configuration directory '$CCD_HOME'" +if [[ -d "$CCD_HOME" ]]; then + mv "$CCD_HOME" "${CCD_HOME}.$_date" + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi + + +echononl " Create Client configuration directory '$CCD_HOME'" +mkdir "$CCD_HOME" > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echononl " Backup file ${OPENVPN_BASE_DIR}/server-home.conf" +if [[ -f "${OPENVPN_BASE_DIR}/server-home.conf" ]] ; then + mv "${OPENVPN_BASE_DIR}/server-home.conf" "${OPENVPN_BASE_DIR}/server-home.conf.$_date" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi + +echononl " Create configuration '${OPENVPN_BASE_DIR}/server-home.conf" +cat < ${OPENVPN_BASE_DIR}/server-home.conf 2> "$log_file" ################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # @@ -318,7 +715,7 @@ key keys/server.key # This file should be kept secret # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using -# 2048 bit keys. +# 2048 bit keys. dh keys/dh2048.pem # Configure server mode and supply a VPN subnet @@ -515,7 +912,6 @@ persist-remote-ip # current connections, truncated # and rewritten every minute. status /var/log/openvpn/status-server-home.log - # By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the "\Program Files\OpenVPN\log" directory). 
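Review bot: In the "Adjust vars" section, ten of the eleven perl edits show their `2>&1` on a line of its own (`+2>&1` directly after `> "$log_file"`), unlike the KEY_CN edit where it stays on the perl line; a bare redirection is a valid empty command in bash that exits 0, so each following `if [[ $? -ne 0 ]]` tests that empty command, `_failed` can never be set by those edits, and perl's errors go to the terminal instead of `$log_file`. If that is the real file content and not a rendering artefact, join each redirection back onto its command, `… ${EASY_RSA_DIR}/vars > "$log_file" 2>&1`, or better test the command directly with `if ! perl … ; then _failed=true; fi` so `$?` cannot be confused. This matters because `build-ca` is then fed only newlines and takes every default from `vars`, so a silently failed edit gets baked into the root CA's subject for the 32-year `CA_EXPIRE` configured here. The hunk ends inside the `server-home.conf` heredoc, so that part is not reviewed here.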
@@ -544,15 +940,53 @@ verb 4 crl-verify /etc/openvpn/crl.pem EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +echo "" + +echononl " Backup Client configuration directory '$CCD_GW_CKUBU'" +if [[ -d "$CCD_GW_CKUBU" ]]; then + mv "$CCD_GW_CKUBU" "${CCD_GW_CKUBU}.$_date" + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi -# --- -# - Service server-gw-ckubu -# --- +echononl " Create Client configuration directory '$CCD_HOME'" +mkdir "$CCD_GW_CKUBU" > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi -mkdir $CCD_GW_CKUBU +echononl " Backup file ${OPENVPN_BASE_DIR}/server-gw-ckubu.conf" +if [[ -f "${OPENVPN_BASE_DIR}/server-gw-ckubu.conf" ]]; then + mv "${OPENVPN_BASE_DIR}/server-gw-ckubu.conf" "${OPENVPN_BASE_DIR}/server-gw-ckubu.conf.$_date" > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi -cat < /etc/openvpn/server-gw-ckubu.conf +echononl " Create configuration '${OPENVPN_BASE_DIR}/erver-gw-ckubu.conf" +cat < ${OPENVPN_BASE_DIR}/server-gw-ckubu.conf 2> "$log_file" ################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # @@ -641,7 +1075,7 @@ key keys/server.key # This file should be kept secret # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using -# 2048 bit keys. +# 2048 bit keys. dh keys/dh2048.pem # Configure server mode and supply a VPN subnet 
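Review bot: The progress line for the gateway client-config directory names the wrong path — `echononl " Create Client configuration directory '$CCD_HOME'"` precedes `mkdir "$CCD_GW_CKUBU"`, so a failure there is reported against the home directory that was created earlier; it should read `echononl " Create Client configuration directory '$CCD_GW_CKUBU'"`. The `mv "$CCD_GW_CKUBU" "${CCD_GW_CKUBU}.$_date"` backup just above has no `> "$log_file" 2>&1`, so on failure `error "$(cat $log_file)"` prints whatever the previous step left in the log rather than mv's own message; add the redirection as the other backup steps do. The displayed filename in the config-creation line also has a typo (`'erver-gw-ckubu.conf`).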
@@ -871,83 +1305,48 @@ verb 4 #crl-verify /etc/openvpn/keys/crl.pem crl-verify /etc/openvpn/crl.pem EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi - -# ==================== -# - Start OpenVPN Services -# ==================== - -# ---- -# - Notice 1: +# - Start OpenVPN Service # - -# - !!! -# - -# - On "systemd" systems, after Creating a new server configuration, you have -# - to reenable openvpn: -# - systemctl reenable openvpn -# - Alternatively restart the system. -# - -# - After Creating a new server configuration, you have to restart the -# - whole server. Restarting (only) the OpenVPN service does not work. -# - !!! -# --- +echononl " Start OpenVPN Service" +if $systemd_supported ; then + $systemctl start $service_name > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi +else + $init_script start > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi +fi -# --- -# - Notice 2: -# - -# - Add IP Forwarding -# - -# - this works immediately: -# - -# - echo "1" > /proc/sys/net/ipv4/ip_forward -# - -# - to make that persistent against rebooting, -# - adjust /etc/sysctl.conf -# - -# - net.ipv4.ip_forward = 1 -# --- -#service openvpn start -systemctl reenable openvpn -systemctl start openvpn +# - See if OpenVPN Service is running/has started +# +check_string_ps="$openvpn_binary" +check_string_ps_plus="--daemon" +sleep 2 +PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}') +if [[ "X${PID}" = "X" ]]; then + warn "\033[37m\033[1mOpenVPN Service is NOT running.\033[m\n Maybe you have to restart the machine in order to start openvpn daemon." 
+fi -## - ------------------------------------------------------------------ -## - ------------------------------------------------------------------ -## - ------------------------------------------------------------------ - - -## - Create /etc/openvpn/server-home.conf -## - -## - #local 192.168.0.25 -## - port $SERVER_PORT_HOME -## - proto udp -## - dev tun -## - ca keys/ca.crt -## - cert keys/server.crt -## - key keys/server.key -## - dh keys/dh2048.pem -## - server $OPENVPN_NETWORK_HOME 255.255.255.0 -## - ifconfig-pool-persist /etc/openvpn/ipp.txt -## - push "route $MAIN_NETWORK 255.255.255.0" -## - client-config-dir ccd -## - push "dhcp-option DOMAIN $DOMAIN" -## - push "dhcp-option DNS $" -## - client-to-client -## - keepalive 10 120 -## - tls-auth /etc/openvpn/keys/ta.key 0 -## - comp-lzo -## - user nobody -## - group nobody -## - persist-key -## - persist-tun -## - persist-local-ip -## - persist-remote-ip -## - status /var/log/openvpn/status-server-home.log -## - log /var/log/openvpn/server-home.log -## - verb 4 -## - crl-verify /etc/openvpn/keys/crl.pem -## - +echo "" +clean_up
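Review bot: The start step at the end only runs `$systemctl start $service_name`, while the notice this hunk removes said that a newly created server configuration needs `systemctl reenable openvpn` (or a reboot) to be picked up on systemd hosts, and the new fallback warning ("Maybe you have to restart the machine") suggests that is still the case; if so, run `$systemctl reenable $service_name > "$log_file" 2>&1` before the start in the systemd branch instead of leaving the operator to reboot. The removed notice about `net.ipv4.ip_forward` has no replacement either, although the removed reference config pushes `route $MAIN_NETWORK` to clients, which cannot work without forwarding — at least print that requirement at the end of the run. The liveness check via `ps -e f | grep … | grep -v grep` after a fixed `sleep 2` is a race rather than a check; `$systemctl is-active --quiet $service_name` (or `pgrep -f -- "$openvpn_binary"` on the init-script path) answers the question directly. The script appears to end at the `+clean_up` line; if more follows, the above covers only the visible part.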