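#!/usr/bin/env bash
#
# Interactive installation of an OpenVPN server instance.
#
# Asks for the connection, PKI and routing parameters (defaults may come from
# conf/install_openvpn.conf), writes conf/server-<name>.conf and, unless only
# the configuration file was requested, installs the service.
#
# Requires bash 4 (${var,,} case conversion, arrays).

script_dir="$(dirname "$(realpath "$0")")"
conf_file="${script_dir}/conf/install_openvpn.conf"

_needed_debian_packages="openvpn easy-rsa"

# - Used if system does NOT support systemd
# -
# - NOTE(review): this assignment is commented out, so on a host without
# - systemd the prerequisite check below sees an empty path and aborts.
# - init_script="/etc/init.d/openvpn"

# - Used if systemd is supported
# -
# - service_name=openvpn

openvpn_binary="/usr/sbin/openvpn"

# scratch file for command output; removed again by clean_up
log_file="$(mktemp)"
_date="$(date +%Y-%m-%d-%H%M)"

#---------------------------------------
#-----------------------------
# Base Function(s)
#-----------------------------
#---------------------------------------

#######################################
# Exit housekeeping: remove the temporary log file and terminate.
# Globals:   log_file (read)
# Arguments: $1 - exit status (optional, default 0; the signal trap passes none)
#######################################
clean_up() {
  rm -f -- "$log_file"
  blank_line
  exit "${1:-0}"
}

#######################################
# Strip leading and trailing whitespace.
# Arguments: $* - text to trim
# Outputs:   the trimmed text on stdout, without a trailing newline
#######################################
trim() {
  local text="$*"
  text="${text#"${text%%[![:space:]]*}"}"   # drop leading whitespace
  text="${text%"${text##*[![:space:]]}"}"   # drop trailing whitespace
  printf '%s' "$text"
}

#######################################
# Print an empty line when running on a terminal.
# Globals:   terminal (read) - not assigned anywhere in this script; an unset
#            value used to expand to an empty command, which succeeds, so the
#            default keeps that behaviour.  TODO(review): confirm where it is
#            meant to be set.
#######################################
blank_line() {
  if "${terminal:-true}"; then
    echo ""
  fi
}

#######################################
# Test whether the argument is a non-empty string of decimal digits.
# Arguments: $1 - candidate
# Returns:   0 if it is, 1 otherwise
#######################################
is_number() {
  [[ "$1" =~ ^[0-9]+$ ]]
}

#######################################
# Test whether the argument is an integer as understood by test(1)
# (optional sign, surrounding whitespace tolerated).
# Arguments: $1 - candidate
# Returns:   0 if it is, non-zero otherwise
#######################################
is_int() {
  test "$@" -eq "$@" > /dev/null 2>&1
}

#######################################
# Test for a valid dotted-quad IPv4 address.
# Arguments: $1 - candidate address
# Returns:   0 if valid, 1 otherwise
#######################################
is_valid_ipv4() {
  local -a octets
  local octet
  # split on dots; exactly four fields are required
  read -r -a octets <<< "${1//./ }"
  [[ ${#octets[@]} -eq 4 ]] || return 1
  for octet in "${octets[@]}"; do
    # one to three digits ...
    [[ "$octet" =~ ^[0-9]{1,3}$ ]] || return 1
    # ... not above 255; 10# forces decimal so "08" is not read as octal
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Convert a CIDR prefix length to a dotted-quad netmask.
# Arguments: $1 - prefix length, 0..32
# Outputs:   the netmask on stdout (e.g. 24 -> 255.255.255.0)
# Returns:   0 on success, 1 (no output) if $1 is not a number in 0..32
#######################################
cidr2mask() {
  local prefix="$1"
  local -i idx full_octets partial_octet
  local mask=""
  if ! is_number "$prefix" || (( 10#$prefix > 32 )); then
    return 1
  fi
  full_octets=$(( 10#$prefix / 8 ))
  partial_octet=$(( 10#$prefix % 8 ))
  for (( idx = 0; idx < 4; idx++ )); do
    if (( idx < full_octets )); then
      mask+=255
    elif (( idx == full_octets )); then
      # the boundary octet has its top 'partial_octet' bits set
      mask+=$(( 256 - 2 ** (8 - partial_octet) ))
    else
      mask+=0
    fi
    (( idx < 3 )) && mask+=.
  done
  echo "$mask"
}

#######################################
# Print the arguments on stderr without a trailing newline, interpreting
# backslash escapes like 'echo -e'.  Replaces the former probe through a
# predictable /tmp/shprompt$$ file, which is not needed with printf.
# Arguments: $* - text to print
#######################################
echononl() {
  printf '%b' "$*" >&2
}

#######################################
# Print a fatal error and abort with exit status 1 (via clean_up).
# Arguments: $* - message
#######################################
fatal() {
  echo ""
  echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
  echo ""
  echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m"
  echo ""
  clean_up 1
}

# Print an error message (does not exit).
error() {
  echo ""
  echo -e "\t[ \033[31m\033[1mError\033[m ]: $*"
  echo ""
}

# Print a warning message.
warn() {
  echo ""
  echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
  echo ""
}

# Print an informational message.
info() {
  echo ""
  echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
  echo ""
}

# Status markers, written at column 80 of the current line.
echo_done() {
  echo -e "\033[80G[ \033[32mdone\033[m ]"
}

echo_ok() {
  echo -e "\033[80G[ \033[32mok\033[m ]"
}

echo_warning() {
  echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}

echo_failed() {
  echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}

echo_skipped() {
  echo -e "\033[80G[ \033[37mskipped\033[m ]"
}

#######################################
# Detect the distribution via lsb_release, falling back to /etc/os-release.
# Globals:   os_dist, os_version, os_codename (written; lower case, whitespace
#            removed; on Debian os_version is reduced to the major number
#            because only that is compared later)
#######################################
detect_os_1() {
  if command -v lsb_release > /dev/null 2>&1; then
    os_dist="$(lsb_release -i | awk '{print tolower($3)}')"
    os_version="$(lsb_release -r | awk '{print tolower($2)}')"
    os_codename="$(lsb_release -c | awk '{print tolower($2)}')"
  elif [[ -e "/etc/os-release" ]]; then
    # sourcing puts ID, VERSION_ID, ... into this shell
    . /etc/os-release
    os_dist="$ID"
    # was ${os_version_ID}, a variable that is never set
    os_version="$VERSION_ID"
    os_codename="${VERSION_CODENAME:-}"
  fi
  # remove whitespace from os_dist and os_version
  os_dist="${os_dist// /}"
  os_version="${os_version// /}"
  if [[ "$os_dist" = "debian" && "$os_version" == *.* ]]; then
    os_version="${os_version%%.*}"
  fi
}

trap clean_up SIGHUP SIGINT SIGTERM

#---------------------------------------
#-----------------------------
# Check some prerequisites
#-----------------------------
#---------------------------------------

# - Is 'systemd' supported on this system
# -
systemd="$(command -v systemd)"
systemctl="$(command -v systemctl)"
systemd_supported=false
if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]]; then
  systemd_supported=true
else
  # without systemd the sysvinit script must exist (see init_script above)
  if [[ ! -x "$init_script" ]]; then
    fatal "$(basename "$0"): Missing OpenVPN Init-Script!"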
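fi
fi

# - Set variable
# -   os_dist
# -   os_version
# -   os_codename
# -
detect_os_1

clear
echo -e "\n\t\033[32mStart script for installation of OpenVPN on this Server..\033[m"

#---------------------------------------
#-----------------------------
# Setting Defaults
#-----------------------------
#---------------------------------------
DEFAULT_SERVER_PORT="1194 1195"
DEFAULT_OPENVPN_NAME="home gw-ckubu"
DEFAULT_CA_EXPIRE=11688
DEFAULT_CERT_EXPIRE=7305
DEFAULT_KEY_SIZE=4096
DEFAULT_KEY_COUNTRY="DE"
DEFAULT_KEY_PROVINCE="Berlin"
DEFAULT_KEY_CITY="Berlin"
DEFAULT_KEY_EMAIL='argus@oopen.de'
DEFAULT_KEY_ORG='o.open'
DEFAULT_KEY_OU="Network Services"
DEFAULT_SERVER_CIPHER="AES-256-CBC"

#---------------------------------------
#-----------------------------
# Load default values from install_openvpn.conf
#
# Overwrites the settings above
#
#-----------------------------
#---------------------------------------
echo ""
echo ""
echononl " Load Configuration File $(basename "${conf_file}").."
if [[ ! -f "$conf_file" ]]; then
  echo_skipped
else
  # the file is executed as shell code and must therefore be as trustworthy
  # (owner, permissions) as this script itself
  if source "${conf_file}" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    fatal "$(cat "$log_file")"
  fi
fi

[[ -z "$DEFAULT_SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER='None'

[[ -n "$OPENVPN_SERVER" ]] && DEFAULT_SERVER="$(trim "$OPENVPN_SERVER")"

# blank separated lists from the configuration become arrays
declare -a DEFAULT_SERVER_PORT_ARR=()
read -r -a DEFAULT_SERVER_PORT_ARR <<< "${SERVER_PORT:-$DEFAULT_SERVER_PORT}"

[[ -n "$ORG_SHORTCUT" ]] && DEFAULT_ORG_SHORTCUT="$(trim "$ORG_SHORTCUT")"

declare -a DEFAULT_OPENVPN_NAME_ARR=()
read -r -a DEFAULT_OPENVPN_NAME_ARR <<< "${OPENVPN_NAME:-$DEFAULT_OPENVPN_NAME}"

[[ -n "$OPENVPN_BASE_DIR" ]] && DEFAULT_OPENVPN_BASE_DIR="$OPENVPN_BASE_DIR"

# CA_EXPIRE used to overwrite DEFAULT_CERT_EXPIRE; CERT_EXPIRE, KEY_SIZE and
# KEY_COUNTRY from the configuration were ignored altogether
[[ -n "$CA_EXPIRE" ]] && DEFAULT_CA_EXPIRE="$(trim "$CA_EXPIRE")"
[[ -n "$CERT_EXPIRE" ]] && DEFAULT_CERT_EXPIRE="$(trim "$CERT_EXPIRE")"
[[ -n "$KEY_SIZE" ]] && DEFAULT_KEY_SIZE="$(trim "$KEY_SIZE")"
[[ -n "$KEY_COUNTRY" ]] && DEFAULT_KEY_COUNTRY="$(trim "$KEY_COUNTRY")"
[[ -n "$KEY_PROVINCE" ]] && DEFAULT_KEY_PROVINCE="$(trim "$KEY_PROVINCE")"
[[ -n "$KEY_CITY" ]] && DEFAULT_KEY_CITY="$(trim "$KEY_CITY")"
[[ -n "$KEY_ORG" ]] && DEFAULT_KEY_ORG="$(trim "$KEY_ORG")"
[[ -n "$KEY_EMAIL" ]] && DEFAULT_KEY_EMAIL="$(trim "$KEY_EMAIL")"
[[ -n "$KEY_OU" ]] && DEFAULT_KEY_OU="$(trim "$KEY_OU")"
[[ -n "$LZO_COMPRESSION" ]] && DEFAULT_LZO_COMPRESSION="$(trim "$LZO_COMPRESSION")"
[[ -n "$SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER="$(trim "$SERVER_CIPHER")"

# was declared as DEFAULT_OPENVPN_NETWORK while the loop filled ..._ARR
declare -a DEFAULT_OPENVPN_NETWORK_ARR=()
[[ -n "$OPENVPN_NETWORK" ]] && read -r -a DEFAULT_OPENVPN_NETWORK_ARR <<< "$OPENVPN_NETWORK"

[[ -n "$REMOTE_NETWORKS" ]] && DEFAULT_REMOTE_NETWORKS="$(trim "$REMOTE_NETWORKS")"
[[ -n "$DNS_SERVER" ]] && DEFAULT_DNS_SERVER="$(trim "$DNS_SERVER")"
[[ -n "$SEARCH_DOMAINS" ]] && DEFAULT_SEARCH_DOMAINS="$(trim "$SEARCH_DOMAINS")"
[[ -n "$LOCAL_NETWORKS" ]] && DEFAULT_LOCAL_NETWORKS="$(trim "$LOCAL_NETWORKS")"

#---------------------------------------
#-----------------------------
# Prompt helpers
#-----------------------------
#---------------------------------------

#######################################
# Prompt for a value that has a default; an empty answer keeps the default.
# Arguments: $1 - prompt label (printed as "label [default]: ")
#            $2 - default value
# Globals:   _ANSWER (written)
#######################################
ask_with_default() {
  local label="$1" default_value="$2"
  echononl "${label} [${default_value}]: "
  read -r _ANSWER
  [[ -n "$_ANSWER" ]] || _ANSWER="$default_value"
}

#######################################
# Prompt for a value that must not be empty; asks again until one is given.
# Arguments: $1 - prompt text
#            $2 - setting name used in the "is required" message
# Globals:   _ANSWER (written)
#######################################
ask_required() {
  local prompt="$1" setting="$2"
  echononl "$prompt"
  read -r _ANSWER
  while [[ -z "$_ANSWER" ]]; do
    echo -e "\n\t\033[33m\033[1mSetting '${setting}' is required!\033[m\n"
    echononl "$prompt"
    read -r _ANSWER
  done
}

#######################################
# Show a numbered menu of preset values plus an "other" entry and read the
# choice; "other" asks for a free (non-empty) value.
# Arguments: $1 - prompt used for the free value
#            $2 - setting name used in the "is required" message
#            $3 - hint printed before the free prompt (may be empty)
#            $4.. - preset values
# Globals:   _ANSWER (written)
#######################################
select_from_presets() {
  local prompt="$1" setting="$2" hint="$3"
  shift 3
  local -a presets=("$@")
  local -i n=0
  local preset choice
  echo ""
  for preset in "${presets[@]}"; do
    echo " [${n}] ${preset}"
    (( n++ ))
  done
  echo ""
  echo " [${n}] other"
  echo ""
  echononl "Eingabe: "
  _ANSWER=""
  while true; do
    read -r choice
    # 10# forces decimal so a leading zero is not read as octal
    if is_number "$choice" && (( 10#$choice < n )); then
      _ANSWER="${presets[10#$choice]}"
      return 0
    elif is_number "$choice" && (( 10#$choice == n )); then
      echo ""
      if [[ -n "$hint" ]]; then
        echo "$hint"
        echo ""
      fi
      ask_required "$prompt" "$setting"
      return 0
    fi
    echo ""
    echo -e "\tFalsche Eingabe !"
    echo ""
    echononl "Eingabe: "
  done
}

#---------------------------------------
#-----------------------------
# Common parameters
#-----------------------------
#---------------------------------------
echo ""
echo ""
echo -e "\033[32m==========\033[m"
echo ""
echononl "Only create Configuration file (yes/no) [no]: "
read -r OK
echo ""
if [[ "$(trim "${OK,,}")" = "yes" ]]; then
  _only_create_config_file=true
else
  _only_create_config_file=false
fi

echo ""
echo ""
echo -e "\033[32m--\033[m"
echo "Common parameters"
echo -e "\033[32m--\033[m"
echo ""

echo "Insert IP-Address/Hostname of OpenVPN Server"
echo ""
OPENVPN_SERVER=""
if [[ -n "$DEFAULT_SERVER" ]]; then
  ask_with_default "OpenVPN Server" "$DEFAULT_SERVER"
else
  ask_required "OpenVPN Server: " "OpenVPN Server"
fi
OPENVPN_SERVER="$_ANSWER"

echo ""
SERVER_PORT=""
echo ""
echo "Which Server Port should be used:"
select_from_presets "Server Port: " "Server Port" "" "${DEFAULT_SERVER_PORT_ARR[@]}"
SERVER_PORT="$_ANSWER"

# the port is compared against every server-*.conf written by this script
# (a re-run for the same service name therefore warns about itself)
if grep -q -F -x -- "SERVER_PORT=${SERVER_PORT}" "${script_dir}"/conf/server-*.conf 2> /dev/null; then
  warn "Port '$SERVER_PORT' is already in use by an other OpenVPN Service on this Server"
fi

echo ""
echo "Insert shortcut (acronym) for the company or organisation"
echo ""
echo " Example: 'AKB' or 'FLR' or 'OPP' or.."
echo ""
ORG_SHORTCUT=""
if [[ -n "$DEFAULT_ORG_SHORTCUT" ]]; then
  ask_with_default "Organisations shortcut" "$DEFAULT_ORG_SHORTCUT"
else
  ask_required "Organisations shortcut: " "Organisations shortcut"
fi
ORG_SHORTCUT="$_ANSWER"

# proposed names for the PKI, derived from the shortcut
DEFAULT_KEY_NAME="VPN $ORG_SHORTCUT"
DEFAULT_KEY_CN="VPN-$ORG_SHORTCUT"
DEFAULT_KEY_ALTNAMES="VPN $ORG_SHORTCUT"

OPENVPN_NAME=""
echo ""
echo "Select Name of OpenVPN Service"
select_from_presets "Name of OpenVPN Service: " "Name of OpenVPN Service" \
  "Give Name of OpenVPN Service (i.e. home, so36, gw-ckubu, opferperspektive, opp)" \
  "${DEFAULT_OPENVPN_NAME_ARR[@]}"
OPENVPN_NAME="$_ANSWER"

[[ -z "$DEFAULT_OPENVPN_BASE_DIR" ]] && DEFAULT_OPENVPN_BASE_DIR="/etc/openvpn/server/${OPENVPN_NAME}"

echo ""
echo ""
echo "Insert OpenVPN Base Directory for Service '$OPENVPN_NAME'"
echo ""
if ! $_only_create_config_file; then
  echo " Note: must be a subdirectory of '/etc/openvpn'"
  echo ""
fi
OPENVPN_BASE_DIR=""
while [[ -z "$OPENVPN_BASE_DIR" ]]; do
  echononl "OpenVPN Base Directory [${DEFAULT_OPENVPN_BASE_DIR}]: "
  read -r OPENVPN_BASE_DIR
  if [[ -z "$OPENVPN_BASE_DIR" ]]; then
    OPENVPN_BASE_DIR="$DEFAULT_OPENVPN_BASE_DIR"
  elif ! $_only_create_config_file && [[ "$(dirname "${OPENVPN_BASE_DIR}")" != "/etc/openvpn" ]]; then
    # only a typed path is checked; the proposed default is accepted as it is
    echo -e "\n\t\033[33m\033[1mGiven entry is NOT a subdirectory of '/etc/openvpn'. Retry..\033[m\n"
    OPENVPN_BASE_DIR=""
  fi
done

EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa"
# directory layout depends on the Debian release (presumably the 'pki' layout
# of newer easy-rsa versus the older 'keys' layout - TODO(review): confirm)
if [[ "$os_dist" = "debian" ]] && [[ "${os_version:-0}" -gt 9 ]]; then
  OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/pki"
  OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd"
else
  OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/keys"
  OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd/server-${OPENVPN_NAME}"
fi

#---------------------------------------
#-----------------------------
# KEY generation parameters
#-----------------------------
#---------------------------------------
echo ""
echo -e "\033[32m--\033[m"
echo "KEY generation parameters"
echo -e "\033[32m--\033[m"
echo ""

echo "Insert expiration time for ROOT CA"
echo ""
echo " Example: (3*365+366)*8 = 11688 = 32 Jahre"
echo " expiration time: 11688"
echo ""
# expiry times and key size must be numbers; anything else is asked again
CA_EXPIRE=""
while ! is_number "$CA_EXPIRE"; do
  ask_with_default "Expiration time ROOT CA" "$DEFAULT_CA_EXPIRE"
  CA_EXPIRE="$_ANSWER"
  is_number "$CA_EXPIRE" || echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n"
done

echo ""
echo ""
echo "Insert expiration time for user/server certificates"
echo ""
echo " Example: (3*365+366)*5 = 7305 = 20 Jahre"
echo " expiration time: 7305"
echo ""
CERT_EXPIRE=""
while ! is_number "$CERT_EXPIRE"; do
  ask_with_default "Expiration time certificates" "$DEFAULT_CERT_EXPIRE"
  CERT_EXPIRE="$_ANSWER"
  is_number "$CERT_EXPIRE" || echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n"
done

echo ""
echo ""
echo "Insert key size for user/server keys"
echo ""
KEY_SIZE=""
while ! is_number "$KEY_SIZE"; do
  ask_with_default "KEY_SIZE" "$DEFAULT_KEY_SIZE"
  KEY_SIZE="$_ANSWER"
  is_number "$KEY_SIZE" || echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n"
done

echo ""
echo ""
echo "Insert key meta-data"
echo ""
ask_with_default "KEY_COUNTRY" "$DEFAULT_KEY_COUNTRY"
KEY_COUNTRY="$_ANSWER"

echo ""
ask_with_default "KEY_PROVINCE" "$DEFAULT_KEY_PROVINCE"
KEY_PROVINCE="$_ANSWER"

echo ""
ask_with_default "KEY_CITY" "$DEFAULT_KEY_CITY"
KEY_CITY="$_ANSWER"

echo ""
ask_with_default "KEY_ORG" "$DEFAULT_KEY_ORG"
KEY_ORG="$_ANSWER"

echo ""
ask_with_default "KEY_EMAIL" "$DEFAULT_KEY_EMAIL"
KEY_EMAIL="$_ANSWER"
# local part and domain, split at the first '@' (both hold the whole
# address when there is none - same as the former 'cut' calls)
EMAIL_PREFIX="${KEY_EMAIL%%@*}"
EMAIL_DOMAIN="${KEY_EMAIL#*@}"

echo ""
ask_with_default "KEY_OU" "$DEFAULT_KEY_OU"
KEY_OU="$_ANSWER"

KEY_NAME=""
echo ""
echononl "KEY_NAME [${DEFAULT_KEY_NAME}]: "
read -r KEY_NAME
if [[ -z "$KEY_NAME" ]]; then
  KEY_NAME="$DEFAULT_KEY_NAME"
else
  # an explicit name also becomes the proposed CN and altname
  DEFAULT_KEY_CN="$KEY_NAME"
  DEFAULT_KEY_ALTNAMES="$KEY_NAME"
fi

KEY_CN=""
echo ""
echo ""
echo -e " Type \"\033[33mNone\033[m\" if no CN Prefix should be used"
echo ""
echononl "KEY_CN [${DEFAULT_KEY_CN}]: "
read -r KEY_CN
[[ -n "$KEY_CN" ]] || KEY_CN="$DEFAULT_KEY_CN"
DEFAULT_KEY_ALTNAMES="$KEY_CN"
# "None" (any case) means: no CN prefix
[[ "$(trim "${KEY_CN,,}")" = 'none' ]] && KEY_CN=""

KEY_ALTNAMES=""
echo ""
echononl "KEY_ALTNAMES [${DEFAULT_KEY_ALTNAMES}]: "
read -r KEY_ALTNAMES
[[ -n "$KEY_ALTNAMES" ]] || KEY_ALTNAMES="$DEFAULT_KEY_ALTNAMES"
[[ "$(trim "${KEY_ALTNAMES,,}")" = 'none' ]] && KEY_ALTNAMES=""

echo ""
echo -e "\033[32m--\033[m"
echo "Parameters for Server Configurations"
echo -e "\033[32m--\033[m"
echo ""

echo "Set server-side 'cryptographic cipher'."
echo ""
echo "Note: if setting this parameter at the server configuration, this parameter *must'"
echo " also set this parameter at client configuration"
echo ""
# NOTE(review): BF-CBC and DES-EDE3-CBC are 64-bit block ciphers; the AES
# entries (and the AES-256-CBC default above) are the ones to recommend.
echo " cipher BF-CBC # Blowfish (default)"
echo " cipher AES-128-CBC # AES 128Bit"
echo " cipher AES-256-CBC # AES 256Bit"
echo " cipher DES-EDE3-CBC # Triple-DES"
echo " ..."
echo ""
echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set."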
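echo ""
SERVER_CIPHER=""
echononl "Server cryptographic cipher [${DEFAULT_SERVER_CIPHER}]: "
read -r SERVER_CIPHER
[[ -n "$SERVER_CIPHER" ]] || SERVER_CIPHER="$DEFAULT_SERVER_CIPHER"
# "None" means "do not pin a cipher": leave it empty, as for KEY_CN and
# KEY_ALTNAMES.  (It used to be reset to the default here, contradicting the
# prompt and the summary below, which prints "None" for an empty value.)
[[ "$(trim "${SERVER_CIPHER,,}")" = none ]] && SERVER_CIPHER=""

echo ""
echo ""
# NOTE(review): compression on a VPN link is a known side channel; the
# default stays "no".
echononl "Enable LZO compression (yes/no) [no]: "
read -r OK
echo ""
if [[ "$(trim "${OK,,}")" = "yes" ]]; then
  LZO_COMPRESSION=true
else
  LZO_COMPRESSION=false
fi

#---------------------------------------
#-----------------------------
# Helpers for the "default / None / other" questions
#-----------------------------
#---------------------------------------

#######################################
# Show a "[0] <default>  [1] None  [2] other" menu (without the first entry
# when there is no usable default) and read the choice.
# Arguments: $1 - default value; empty or "none" (any case) means no default
# Globals:   _IN (written, the raw choice)
# Returns:   0 - use the default, 1 - None, 2 - ask for another value
#######################################
select_default_none_other() {
  local default_value="$1"
  local -i n=0
  local have_default=true
  if [[ -z "$default_value" ]] || [[ "$(trim "${default_value,,}")" = "none" ]]; then
    have_default=false
  fi
  if $have_default; then
    echo -e " [${n}] $default_value"
    (( n++ ))
  fi
  echo -e " [${n}] \033[33mNone\033[m"
  (( n++ ))
  echo ""
  echo -e " [${n}] other"
  echo ""
  echononl "Eingabe: "
  while true; do
    read -r _IN
    # 10# forces decimal so a leading zero is not read as octal
    if is_number "$_IN" && (( 10#$_IN <= n )); then
      break
    fi
    echo ""
    echo -e "\tFalsche Eingabe !"
    echo ""
    echononl "Eingabe: "
  done
  if $have_default; then
    return $(( 10#$_IN ))
  fi
  # menu without default: 0 is "None", 1 is "other"
  return $(( 10#$_IN + 1 ))
}

#######################################
# Split a blank separated list of CIDR networks into _NETLIST_ARR, checking
# the address part of every entry with is_valid_ipv4 (the prefix length is
# not checked, as before).
# Arguments: $1 - the list
# Globals:   _NETLIST_ARR (written; empty when an entry is invalid)
# Returns:   0 when every entry is valid, 1 otherwise
#######################################
parse_network_list() {
  local entry
  local -a parts
  _NETLIST_ARR=()
  for entry in $1; do
    IFS='/' read -r -a parts <<< "$entry"
    if ! is_valid_ipv4 "${parts[0]}"; then
      _NETLIST_ARR=()
      return 1
    fi
    _NETLIST_ARR+=("$entry")
  done
  return 0
}

#######################################
# Ask for a blank separated list of CIDR networks until a valid list or
# "None" is given.
# Arguments: $1 - prompt text
# Globals:   _NETLIST (written; the raw list, empty for "None")
#            _NETLIST_ARR (written; one element per network)
#######################################
read_network_list() {
  local prompt="$1"
  _NETLIST=""
  _NETLIST_ARR=()
  echononl "$prompt"
  while [[ -z "$_NETLIST" ]]; do
    read -r _NETLIST
    if [[ "$(trim "${_NETLIST,,}")" = "none" ]]; then
      _NETLIST=""
      break
    fi
    if [[ -z "$_NETLIST" ]]; then
      echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n"
      echononl "$prompt"
      continue
    fi
    if ! parse_network_list "$_NETLIST"; then
      _NETLIST=""
      echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n"
      echononl "$prompt"
    fi
  done
}

#######################################
# Ask for a free value; "None" (any case) yields the empty string.
# Arguments: $1 - prompt text
# Globals:   _ANSWER (written)
#######################################
read_value_or_none() {
  local prompt="$1"
  _ANSWER=""
  echononl "$prompt"
  while [[ -z "$_ANSWER" ]]; do
    read -r _ANSWER
    if [[ -z "$_ANSWER" ]]; then
      echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n"
      echononl "$prompt"
      continue
    fi
    if [[ "$(trim "${_ANSWER,,}")" = "none" ]]; then
      _ANSWER=""
      break
    fi
  done
}

#---------------------------------------
#-----------------------------
# OpenVPN network
#-----------------------------
#---------------------------------------
OPENVPN_NETWORK=""
declare -i i=0
echo ""
echo "Select OpenVPN Network used for the connection."
echo ""
if [[ ${#DEFAULT_OPENVPN_NETWORK_ARR[@]} -eq 0 ]]; then
  # no presets configured: the network has to be typed
  echononl "OpenVPN Network: "
  read -r OPENVPN_NETWORK
  while [[ -z "$OPENVPN_NETWORK" ]]; do
    echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Network' is required!\033[m\n"
    echononl "OpenVPN Network: "
    read -r OPENVPN_NETWORK
  done
else
  for _net in "${DEFAULT_OPENVPN_NETWORK_ARR[@]}"; do
    echo " [${i}] ${_net}"
    (( i++ ))
  done
  echo ""
  echo " [${i}] other"
  _OK=false
  echo ""
  echononl "Eingabe: "
  while ! $_OK; do
    read -r _IN
    if is_number "$_IN" && (( 10#$_IN < i )); then
      OPENVPN_NETWORK="${DEFAULT_OPENVPN_NETWORK_ARR[10#$_IN]}"
      _OK=true
    elif is_number "$_IN" && (( 10#$_IN == i )); then
      # the former prompts here asked for the service name (copy/paste)
      echo ""
      echononl "OpenVPN Network: "
      read -r OPENVPN_NETWORK
      while [[ -z "$OPENVPN_NETWORK" ]]; do
        echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Network' is required!\033[m\n"
        echononl "OpenVPN Network: "
        read -r OPENVPN_NETWORK
      done
      _OK=true
    else
      echo ""
      echo -e "\tFalsche Eingabe !"
      echo ""
      echononl "Eingabe: "
    fi
  done
fi
# the server takes the first host address of the network
OPENVPN_SERVER_IP="${OPENVPN_NETWORK%.*}.1"

#---------------------------------------
#-----------------------------
# Networks to push to the clients
#-----------------------------
#---------------------------------------
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo ""
echo "Networks to push from OpenVPN server to the client"
echo ""
REMOTE_NETWORKS=""
declare -a REMOTE_NETWORK_ARR=()
select_default_none_other "$DEFAULT_REMOTE_NETWORKS"
case $? in
  0)
    # a configured default is validated like a typed answer; an invalid one
    # becomes "None" (as before)
    REMOTE_NETWORKS="$DEFAULT_REMOTE_NETWORKS"
    if parse_network_list "$REMOTE_NETWORKS"; then
      REMOTE_NETWORK_ARR=("${_NETLIST_ARR[@]}")
    else
      REMOTE_NETWORKS=""
      echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n"
    fi
    ;;
  1)
    REMOTE_NETWORKS=""
    ;;
  *)
    echo ""
    echo "Networks to push from OpenVPN server to the client"
    echo ""
    echo " - use CIDR notation"
    echo " - multiple networks are possible: use blank separated list of CIDR-networks"
    echo -e " - \"\033[33mNone\033[m\" if no network should be pushed from OpenVPN server."
    echo ""
    read_network_list "Networks to push from server: "
    REMOTE_NETWORKS="$_NETLIST"
    REMOTE_NETWORK_ARR=("${_NETLIST_ARR[@]}")
    ;;
esac

#---------------------------------------
#-----------------------------
# DNS server to push to the clients
#-----------------------------
#---------------------------------------
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo ""
echo "IP-Address of DNS server to push from OpenVPN server to the client."
echo ""
DNS_SERVER=""
select_default_none_other "$DEFAULT_DNS_SERVER"
case $? in
  0)
    DNS_SERVER="$DEFAULT_DNS_SERVER"
    ;;
  1)
    DNS_SERVER=""
    ;;
  *)
    echo "IP-Address of DNS server to push from OpenVPN server to the client."
    echo ""
    echo -e "Type \"\033[33mNone\033[m\" if no DNS Server should be pushed."
    echo ""
    read_value_or_none "DNS server to push to clients: "
    DNS_SERVER="$_ANSWER"
    ;;
esac

#---------------------------------------
#-----------------------------
# Search domain(s) to push to the clients
#-----------------------------
#---------------------------------------
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo ""
echo "Select Search Domain(s) to push from OpenVPN server to the client."
echo ""
SEARCH_DOMAINS=""
declare -a SEARCH_DOMAINS_ARR=()
select_default_none_other "$DEFAULT_SEARCH_DOMAINS"
case $? in
  0)
    SEARCH_DOMAINS="$DEFAULT_SEARCH_DOMAINS"
    ;;
  1)
    SEARCH_DOMAINS=""
    ;;
  *)
    echo ""
    echo "Search Domain(s) to push from OpenVPN server to the client."
    echo ""
    echo " - multiple domains are possible: use blank separated list of search domains"
    echo -e " - Type \"\033[33mNone\033[m\" if no default domain should be pushed."
    echo ""
    read_value_or_none "Default Domain to push to clients: "
    SEARCH_DOMAINS="$_ANSWER"
    ;;
esac
# one array element per domain (empty list for "None")
read -r -a SEARCH_DOMAINS_ARR <<< "$SEARCH_DOMAINS"

#---------------------------------------
#-----------------------------
# Local client networks routed through the tunnel
#-----------------------------
#---------------------------------------
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo ""
echo "Local client networks to route through OpenVPN line."
echo ""
LOCAL_NETWORKS=""
declare -a LOCAL_NETWORK_ARR=()
select_default_none_other "$DEFAULT_LOCAL_NETWORKS"
case $? in
  0)
    LOCAL_NETWORKS="$DEFAULT_LOCAL_NETWORKS"
    if parse_network_list "$LOCAL_NETWORKS"; then
      LOCAL_NETWORK_ARR=("${_NETLIST_ARR[@]}")
    else
      LOCAL_NETWORKS=""
      echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n"
    fi
    ;;
  1)
    LOCAL_NETWORKS=""
    ;;
  *)
    echo ""
    echo "Give client networks to route through OpenVPN line."
    echo ""
    echo " - use CIDR notation"
    echo " - multiple networks are possible: use blank separated list of CIDR-networks"
    echo -e " - \"\033[33mNone\033[m\" if no local client network should routed through OpenVPN line."
    echo ""
    read_network_list "Client Networks routed through VPN line: "
    LOCAL_NETWORKS="$_NETLIST"
    LOCAL_NETWORK_ARR=("${_NETLIST_ARR[@]}")
    ;;
esac

#---------------------------------------
#-----------------------------
# Summary and confirmation
#-----------------------------
#---------------------------------------
echo ""
echo ""
if $_only_create_config_file; then
  echo -e "\033[1;32mCreate Configuration file for OpenVPN service \033[1;37m$OPENVPN_NAME\033[m "
else
  echo -e "\033[1;32mSettings for installation of \033[1;37mOpenVPN\033[m"
fi
echo ""
echo -e "\tOpenVPN IP-Address/Hostname.........: $OPENVPN_SERVER"
echo -e "\tOpenVPN Server.Port.................: $SERVER_PORT"
ech
echo -e "\tOrganisation shortcut...............: $ORG_SHORTCUT"
echo ""
echo -e "\tOpenVPN Service Name................: $OPENVPN_NAME"
echo -e "\tOpenVPN Base Directory..............: $OPENVPN_BASE_DIR"
echo -e "\tOpenVPN 'easy-rsa' Directory........: $EASY_RSA_DIR"
echo -e "\tOpenVPN 'key' Directory.............: $OPENVPN_KEY_DIR"
echo -e "\tOpenVPN 'ccd' Directory.............: $OPENVPN_CCD_DIR"
echo ""
echo -e "\tExpiration time ROOT CA.............: $CA_EXPIRE"
echo -e "\tExpiration time certificates........: $CERT_EXPIRE"
echo -e "\tKey size............................: $KEY_SIZE"
echo ""
echo -e "\tKEY_COUNTRY.........................: $KEY_COUNTRY"
echo -e "\tKEY_PROVINCE........................: $KEY_PROVINCE"
echo -e "\tKEY_CITY............................: $KEY_CITY"
echo -e "\tKEY_ORG.............................: $KEY_ORG"
echo -e "\tKEY_EMAIL...........................: $KEY_EMAIL"
echo -e "\tKEY_OU..............................: $KEY_OU"
echo ""
echo -e "\tKEY_NAME............................: $KEY_NAME"
echo -e "\tKEY_CN (Prefix).....................: ${KEY_CN:-\033[33mNone\033[m}"
echo ""
echo -e "\tKEY_ALTNAMES (Prefix)...............: ${KEY_ALTNAMES:-\033[33mNone\033[m}"
echo ""
echo -e "\tOpenVPN Network.....................: $OPENVPN_NETWORK"
echo -e "\tOpenVPN Server IP-Address...........: $OPENVPN_SERVER_IP"
echo ""
echo -e "\tServer cipher setting...............: ${SERVER_CIPHER:-\033[33mNone\033[m}"
echo -e "\tLZO compression.....................: $LZO_COMPRESSION"
echo ""
if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then
  echo -e "\tRemote networks to push to cliente..: ${REMOTE_NETWORK_ARR[*]}"
else
  echo -e "\tRemote networks to push to cliente..: \033[33mNone\033[m"
fi
echo -e "\tDNS Server (push from server).......: ${DNS_SERVER:-\033[33mNone\033[m}"
if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]]; then
  echo -e "\tDefault Domain (push from server)...: ${SEARCH_DOMAINS_ARR[*]}"
else
  echo -e "\tDefault Domain (push from server)...: \033[33mNone\033[m"
fi
echo ""
if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then
  echo -e "\tLocal networks to route through VPN.: ${LOCAL_NETWORK_ARR[*]}"
else
  echo -e "\tLocal networks to route through VPN.: \033[33mNone\033[m"
fi
echo ""

if $_only_create_config_file; then
  info "Create configuration file for OpenVPN Service \033[37m\033[1m${OPENVPN_NAME}\033[m.."
else
  info "Starting Installation of OpenVPN Service \033[37m\033[1m${OPENVPN_NAME}\033[m.."
fi

echo -n "To continue type uppercase 'YES': "
read -r OK
echo ""
if [[ "$OK" != "YES" ]]; then
  fatal "Abort by user request - Answer as not 'YES'"
fi

#---------------------------------------
#-----------------------------
# Write Configuration for $OPENVPN_NAME
#-----------------------------
#---------------------------------------
_openvpn_name_conf_file="${script_dir}/conf/server-${OPENVPN_NAME}.conf"

echononl " Write Configuration for OpenVPN Service '$OPENVPN_NAME'"
# The file is shell syntax and is sourced later on.  Values are written as
# typed (not escaped): a double quote or '$' in an answer would break it.
cat << EOF > "$_openvpn_name_conf_file" 2> "$log_file"
## - Configuration/Initialization OpenVPN
## -

# ====================
# - Some Parameter Settings
# ====================

# ---
# - Common parameters
# ---
OPENVPN_SERVER="$OPENVPN_SERVER"
SERVER_PORT=$SERVER_PORT
ORG_SHORTCUT="$ORG_SHORTCUT"
OPENVPN_NAME="$OPENVPN_NAME"
OPENVPN_BASE_DIR="$OPENVPN_BASE_DIR"
OPENVPN_KEY_DIR="$OPENVPN_KEY_DIR"
OPENVPN_CCD_DIR="$OPENVPN_CCD_DIR"

# ---
# - Parameters OpenVPN Configuration / KEY Creation
# ---

# - Example: (3*365+366)*8 = 11688 = 32 Jahre
# - CA_EXPIRE=11688
# -
CA_EXPIRE=$CA_EXPIRE

# - Example: (3*365+366)*5 = 7305 = 20 Jahre
# - CERT_EXPIRE=7305
# -
CERT_EXPIRE=$CERT_EXPIRE

KEY_SIZE=$KEY_SIZE
KEY_COUNTRY="$KEY_COUNTRY"
KEY_PROVINCE="$KEY_PROVINCE"
KEY_CITY="$KEY_CITY"
KEY_ORG="$KEY_ORG"
KEY_EMAIL="${EMAIL_PREFIX}\\@${EMAIL_DOMAIN}"
KEY_OU="$KEY_OU"
KEY_NAME="$KEY_NAME"
EOF

# an empty prefix is stored as the literal "none"
printf 'KEY_CN="%s"\n' "${KEY_CN:-none}" >> "$_openvpn_name_conf_file" 2> "$log_file"
printf 'KEY_ALTNAMES="%s"\n' "${KEY_ALTNAMES:-none}" >> "$_openvpn_name_conf_file" 2> "$log_file"

cat << EOF >> "$_openvpn_name_conf_file" 2> "$log_file"

# ---
# - Parameters for Server Configurations
# ---
EOF

if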
$LZO_COMPRESSION ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file LZO_COMPRESSION="yes" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file LZO_COMPRESSION="no" EOF fi if [[ -n "$SERVER_CIPHER" ]] ; then if [[ "${SERVER_CIPHER,,}" = "none" ]]; then cat <> "$_client_conf_file" 2>> "$log_file" cipher BF-CBC EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file SERVER_CIPHER="$SERVER_CIPHER" EOF fi else cat << EOF >> $_openvpn_name_conf_file 2> $log_file SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" EOF fi cat << EOF >> $_openvpn_name_conf_file 2> $log_file OPENVPN_NETWORK="$OPENVPN_NETWORK" EOF if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file REMOTE_NETWORKS="${REMOTE_NETWORK_ARR[@]}" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file REMOTE_NETWORKS="none" EOF fi if [[ -n "$DNS_SERVER" ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file DNS_SERVER="$DNS_SERVER" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file DNS_SERVER="none" EOF fi if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file SEARCH_DOMAINS="${SEARCH_DOMAINS_ARR[@]}" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file SEARCH_DOMAINS="none" EOF fi if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file LOCAL_NETWORKS="${LOCAL_NETWORK_ARR[@]}" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file LOCAL_NETWORKS="none" EOF fi if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fatal "$(cat $log_file)" fi if $_only_create_config_file ; then info "Configuration filr for OpenVPN Service \033[1;37m$OPENVPN_NAME\033[m was written \n to file \033[1;37m$_openvpn_name_conf_file\033[m." 
clean_up 0 fi #--------------------------------------- #----------------------------- # Start Installation #----------------------------- #--------------------------------------- check_string_ps="" check_string_ps_plus="" if [[ -f "$openvpn_binary" ]] ; then check_string_ps="$openvpn_binary" check_string_ps_plus="--daemon" fi if [[ -n "$check_string_ps" ]]; then echononl " Stopping OpenVPN Daemon" PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}') if [[ "X${PID}" = "X" ]]; then echo_skipped else if $systemd_supported ; then $systemctl stop $service_name > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat $log_file)" else echo_ok fi else $init_script stop > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat $log_file)" else echo_ok fi fi fi fi # - Install needed debian packages # - echononl " Install needed debian packages.." needed_debian_packages="" for _pkg in $_needed_debian_packages ; do if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then continue else needed_debian_packages="$needed_debian_packages $_pkg" fi done if [[ -n "$needed_debian_packages" ]]; then DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_debian_packages > /dev/null 2> "$log_file" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fatal "$(cat $log_file)" fi else echo_skipped fi echononl " Backup directory '${OPENVPN_BASE_DIR}'.." if [[ -d "$OPENVPN_BASE_DIR" ]]; then mv $OPENVPN_BASE_DIR ${OPENVPN_BASE_DIR}.$_date > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi # - Make the package included scripts available in directory # - "/etc/openvpn/easy-rsa" # - echononl " Create directory '${EASY_RSA_DIR}'.." /usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1 if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create Key Directory # - # - Note: # - Not needed on debian 10 or up. 'easyrsa init-pki' does the job. # - if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then echononl " Create key directory '${OPENVPN_BASE_DIR}/keys'.." mkdir ${OPENVPN_BASE_DIR}/keys > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Change permissions (700) in directory '${OPENVPN_BASE_DIR}/keys'.." chmod 700 "${OPENVPN_BASE_DIR}/keys" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi # - Create Log Directory # - openvpn_log_dir="/var/log/openvpn" echononl " Create log directoy '${openvpn_log_dir}'" if [[ -d "${openvpn_log_dir}" ]] ; then echo_skipped else mkdir /var/log/openvpn > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi # - Create client configuration directory # - echononl " Create Client configuration directory '$OPENVPN_CCD_DIR'" if [[ -d "${OPENVPN_CCD_DIR}" ]] ; then echo_skipped else mkdir -p "${OPENVPN_CCD_DIR}" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi # - Backup file keys-created.txt # - echononl " Backup file '${OPENVPN_BASE_DIR}/keys-created.txt" if [[ -f "${OPENVPN_BASE_DIR}/keys-created.txt" ]]; then mv "${OPENVPN_BASE_DIR}/keys-created.txt" "${OPENVPN_BASE_DIR}/keys-created.txt.${_date}" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi # - Adjust /etc/default/openvpn # - # - AUTOSTART="all" # - _file="/etc/default/openvpn" echononl " Adjust '/etc/default/openvpn'. Set AUTOSTART=\"all\"" if ! 
grep -i -q -E "^\s*AUTOSTART=\"all\"" ${_file} ; then if grep -i -q -E "^\s*#\s*AUTOSTART=\"all\"" ${_file} ; then perl -i -n -p -e "s/^(\s*#\s*AUTOSTART=\"all\".*)/##\1\nAUTOSTART=\"all\"/" ${_file} > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo "" >> ${_file} echo "AUTOSTART=\"all\"" >> ${_file} if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi else echo_skipped fi # - Adjust /etc/openvpn/easy-rsa/vars # - # - Debian Version <= 9 # - add: # - export BASE_DIR=$OPENVPN_BASE_DIR # - # - replace: # - export EASY_RSA=\$BASE_DIR/easy_rsa # - export KEY_DIR=\$OPENVPN_KEY_DIR # - # - export KEY_SIZE=$KEY_SIZE # - # - # root CA expires in 30 years (= 10950 days) # - export CA_EXPIRE=$CA_EXPIRE # - # - # certificates expires in 20 years (=7300 days) # - export CERT_EXPIRE=$CERT_EXPIRE # - # - export KEY_COUNTRY="$KEY_COUNTRY" # - export KEY_PROVINCE="$KEY_PROVINCE" # - export KEY_CITY="$KEY_CITY" # - export KEY_ORG="$KEY_ORG" # - export KEY_EMAIL="$KEY_EMAIL" # - export KEY_OU="$KEY_OU" # - # - export KEY_NAME="$KEY_NAME" # - # - #export KEY_CN="$KEY_CN" # - # - Debiab Version >= 10 # - set_var EASYRSA "${0%/*}" # - set_var EASYRSA_OPENSSL "openssl" # - set_var EASYRSA_PKI "$OPENVPN_KEY_DIR" # - set_var EASYRSA_ALGO rsa # - set_var EASYRSA_DN "org" # - set_var EASYRSA_REQ_COUNTRY "$KEY_COUNTRY" # - set_var EASYRSA_REQ_PROVINCE "$KEY_PROVINCE" # - set_var EASYRSA_REQ_CITY "$KEY_CITY" # - set_var EASYRSA_REQ_ORG "$KEY_ORG" # - set_var EASYRSA_REQ_EMAIL "$KEY_EMAIL" # - set_var EASYRSA_REQ_OU "$KEY_OU" # - # - set:var EASYRSA_REQ_CN "$KEY_CN" # - # - set_var EASYRSA_CA_EXPIRE "$CA_EXPIRE" # - set_var EASYRSA_CERT_EXPIRE "$CERT_EXPIRE" # - # - set_var EASYRSA_CRL_DAYS "$CERT_EXPIRE" # - set_var EASYRSA_CERT_RENEW "365" # - _failed=false echononl " Adjust '${EASY_RSA_DIR}/vars'.." 
if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then #perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"\\\${0%/*}\"&" ${EASY_RSA_DIR}/vars > "$log_file" perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"${OPENVPN_BASE_DIR}/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_OPENSSL" _val="openssl" perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_PKI" _val="${OPENVPN_KEY_DIR}" perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi # EASYRSA_KEY_SIZE perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi # EASYRSA_ALGO perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_ALGO\s+.*)&##\1\nset_var EASYRSA_ALGO\t\t rsa&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi # EASYRSA_KEY_SIZE perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_DN" _val=""org perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_DN\s+.*)&##\1\nset_var EASYRSA_DN\t\t \"org\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_COUNTRY" _val="$KEY_COUNTRY" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? 
-ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_PROVINCE" _val="$KEY_PROVINCE" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_CITY" _val="$KEY_CITY" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_ORG" _val="$KEY_ORG" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_EMAIL" _val="$KEY_EMAIL" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_OU" _val="$KEY_OU" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_CN" _val="$KEY_CN" perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_CA_EXPIRE" _val="$CA_EXPIRE" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_CERT_EXPIRE" _val="$CERT_EXPIRE" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_CRL_DAYS" _val="$CERT_EXPIRE" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? 
-ne 0 ]]; then _failed=true fi _key="EASYRSA_CERT_RENEW" _val="365" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_REQ_CN" _val="$KEY_CN" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi _key="EASYRSA_BATCH" _val="1" perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi else perl -i.$_date -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"${OPENVPN_KEY_DIR}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+CERT_EXPIRE=.*)/##\1\nexport CERT_EXPIRE=$CERT_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? 
-ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${EMAIL_PREFIX}\@${EMAIL_DOMAIN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi fi echo -e "\nexport KEY_ALTNAMES=\"$KEY_ALTNAMES\"" >> ${EASY_RSA_DIR}/vars 2> "$log_file" if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat $log_file)" else echo_ok fi #--------------------------------------- #----------------------------- # Initial Setup OpenVPN (Root ca / Server key /..) #----------------------------- #--------------------------------------- echo "" # - source file vars # - # - Note: # - since debian buster, sourcing an Easy-RSA 'vars' file is no longer # - necessary and is disallowed. The vars file is automatically read when # - you call easyrsa commands. # - if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then echononl " Load configuration '${EASY_RSA_DIR}/vars'.." source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi if [[ ! 
-f "$KEY_CONFIG" ]] ; then echononl " Create Symlink '$(basename $KEY_CONFIG)'.." if [[ -f "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" ]]; then ln -s "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" "$KEY_CONFIG" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" error "Cannot create symlink '$KEY_CONFIG'!" echononl "continue anyway [yes/no]: " read OK OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do echononl "Wrong entry! - repeat [yes/nno]: " read OK done [[ $OK = "yes" ]] || fatal "Abbruch durch User" fi else echo_failed error "No OpenSSL configuration file present!" echononl "continue anyway [yes/no]: " read OK OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do echononl "Wrong entry! - repeat [yes/nno]: " read OK done [[ $OK = "yes" ]] || fatal "Abbruch durch User" fi fi _failed=false OPENSSL_CONFIG_FILE="$(realpath "$KEY_CONFIG")" echononl " Adjust '$OPENSSL_CONFIG_FILE'.." perl -i.ORIG -n -p -e "s/^(\s*default_days\s*=.*)/#\1\ndefault_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*default_crl_days\s*=.*)/#\1\ndefault_crl_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat $log_file)" else echo_ok fi fi # --- # - Create Keys and Certs # --- echo "" echo -e "\033[32m--\033[m" echo "Create Keys and Certs .." echo -e "\033[32m--\033[m" # - Initialise key directory # - if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then # - Create file 'serial' with value '01' - the serial for the next # - created certificate # - echononl " Create '${OPENVPN_KEY_DIR}/serial'.." echo "01" > "${OPENVPN_KEY_DIR}/serial" 2> "$log_file" if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create empty file index.txt at key-directory # - echononl " Create empty file '${OPENVPN_KEY_DIR}/index.txt'.." touch ${OPENVPN_KEY_DIR}/index.txt if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else # - Removes & re-initializes the PKI dir for a clean PKI # - echononl " Initialise PKI Directory" ${EASY_RSA_DIR}/easyrsa init-pki > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi # - Create Root CA # - echononl " Create Root CA.." if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 else printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa build-ca nopass > "$log_file" 2>&1 fi if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Generate Diffie-Hellman parameters for the server side # - of an SSL/TLS connection. # - echononl " Generates DH (Diffie-Hellman) parameters (dh key).." if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then #cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem" > "$log_file" 2>&1 openssl dhparam -dsaparam -out "${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem" ${KEY_SIZE} > "$log_file" 2>&1 else ${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1 fi if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi _DH_KEY=${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem else if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_KEY_DIR}/dh.pem" > "$log_file" 2>&1 else #${EASY_RSA_DIR}/easyrsa gen-dh > "$log_file" 2>&1 openssl dhparam -dsaparam -out "${OPENVPN_KEY_DIR}/dh.pem" ${KEY_SIZE} > "$log_file" 2>&1 fi if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi _DH_KEY="${OPENVPN_KEY_DIR}/dh.pem" fi # - Generate Sever Key # - if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then echo "" echo -e " \033[32mNow create the server key. Tis procedure works interactive.\033[m" echo -e " Use \033[37m\033[1m${KEY_CN}-server\033[m as 'commonName'" echo "" echononl "Type to continue: " read ok echo "" ${EASY_RSA_DIR}/build-key-server server if [[ $? -eq 0 ]] ; then info "Building server key was successfully." else error "Building server key failed!" fi echo "" echononl "Type to continue: " read ok echo "" _SERVER_KEY="${OPENVPN_KEY_DIR}/server.key" _SERVER_CERT="${OPENVPN_KEY_DIR}/server.crt" else # - Generate server keypair # - # - build-server-full [ cmd-opts ] # - Generate a keypair and sign locally for a client and/or server # - # - This mode uses the as the X509 CN. # - # - cmd-opts is an optional set of command options from this list: # - nopass - do not encrypt the private key (default is encrypted) # - echononl " Generate server keypair '${KEY_CN}-server'.." ${EASY_RSA_DIR}/easyrsa build-server-full "${KEY_CN}-server" nopass > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi _SERVER_KEY="${OPENVPN_KEY_DIR}/private/${KEY_CN}-server.key" _SERVER_CERT="${OPENVPN_KEY_DIR}/issued//${KEY_CN}-server.crt" fi # - For extra security beyond that provided # - by SSL/TLS, create an "HMAC firewall" # - to help block DoS attacks and UDP port flooding. # - echononl " Create 'ta.key' for additional security" openvpn --genkey --secret ${OPENVPN_KEY_DIR}/ta.key > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create empty CRL (Certificate Revokation List) # - if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.." 
openssl ca -gencrl -out ${OPENVPN_KEY_DIR}/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echononl " Create CRL (Certificate Revokation List) '${OPENVPN_KEY_DIR}/crl.pem'.." ${EASY_RSA_DIR}/easyrsa gen-crl > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi echononl " Change permissions (750) for '${OPENVPN_KEY_DIR}'.." chmod 750 "${OPENVPN_KEY_DIR}" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Change group (to nogroup) for '${OPENVPN_KEY_DIR}'.." chgrp nogroup "${OPENVPN_KEY_DIR}" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Change group (to nogroup) for '${OPENVPN_KEY_DIR}/crl.pem'.." chgrp nogroup "${OPENVPN_KEY_DIR}/crl.pem" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Change permissions (640) for ${OPENVPN_KEY_DIR}/crl.pem" chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # ---- # - Create server configurations # ---- echo "" echo -e "\033[32m--\033[m" echo "Server configurations .." echo -e "\033[32m--\033[m" #--------------------------------------- #----------------------------- # Write Server Configuration for $OPENVPN_NAME #----------------------------- #--------------------------------------- _server_conf_file="/etc/openvpn/server-${OPENVPN_NAME}.conf" echononl " Backup file $_server_conf_file" if [[ -f "$_server_conf_file" ]] ; then mv "$_server_conf_file" "${_server_conf_file}.$_date" > "$log_file" 2>&1 if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create configuration '${_server_conf_file}" cat < ${_server_conf_file} 2> "$log_file" ################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # # # # This file is for the server side # # of a many-clients <-> one-server # # OpenVPN configuration. # # # # OpenVPN also supports # # single-machine <-> single-machine # # configurations (See the Examples page # # on the web site for more info). # # # # This config should work on Windows # # or Linux/BSD systems. Remember on # # Windows to quote pathnames and use # # double backslashes, e.g.: # # "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key" # # # # Comments are preceded with '#' or ';' # ################################################# # Which local IP address should OpenVPN # listen on? (optional) ;local a.b.c.d # Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. port $SERVER_PORT # TCP or UDP server? ;proto tcp proto udp topology subnet EOF if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then for _local_network in ${LOCAL_NETWORK_ARR[@]} ; do IFS='/' read -a _net_arr <<< "${_local_network}" if [[ -n ${_net_arr[1]} ]]; then _netmask=$(cidr2mask ${_net_arr[1]}) else _netmask="255.255.255.0" fi cat <> ${_server_conf_file} 2>> "$log_file" route ${_net_arr[0]} $_netmask $OPENVPN_SERVER_IP EOF done fi cat <> ${_server_conf_file} 2>> "$log_file" # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap" if you are ethernet bridging. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. 
# On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Enable TUN IPv6 module ;tun-ipv6 # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ${OPENVPN_KEY_DIR}/ca.crt cert $_SERVER_CERT key $_SERVER_KEY # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. dh $_DH_KEY # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. ;server 10.8.0.0 255.255.255.0 ;server-ipv6 2a01:30:1fff:fd00::/64 server $OPENVPN_NETWORK 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. 
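ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 10.8.0.0 255.255.255.0"
EOF

# Every following fragment of the server configuration is appended through
# this helper so that a failed write is remembered. The previous code reported
# only the exit status of the very last command before the summary, which was
# the '[[ -f .../crl.pem ]]' test whenever no CRL existed -> "failed" shown
# although every write succeeded (and a failed earlier write went unnoticed).
_conf_write_failed=false
_append_server_conf() {
  # Append stdin to the server config; stderr of cat goes to the run log.
  cat >> "${_server_conf_file}" 2>> "$log_file" || _conf_write_failed=true
}

# - Routes to networks behind the server that clients should reach.
#   Entries are "network[/prefix]"; a missing prefix defaults to /24.
# -
if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then
  for _remote_network in "${REMOTE_NETWORK_ARR[@]}" ; do
    IFS='/' read -r -a _net_arr <<< "${_remote_network}"
    if ! is_valid_ipv4 "${_net_arr[0]}" ; then
      # A malformed entry would otherwise be pushed verbatim to every client.
      warn "Ignoring remote network '${_remote_network}': '${_net_arr[0]}' is not a valid IPv4 address."
      continue
    fi
    if [[ -n "${_net_arr[1]}" ]]; then
      # cidr2mask only makes sense for a prefix length of 0..32.
      if ! is_number "${_net_arr[1]}" || [[ ${_net_arr[1]} -gt 32 ]]; then
        warn "Ignoring remote network '${_remote_network}': invalid prefix length '${_net_arr[1]}'."
        continue
      fi
      _netmask=$(cidr2mask "${_net_arr[1]}")
    else
      _netmask="255.255.255.0"
    fi
    _append_server_conf <<EOF
push "route ${_net_arr[0]} $_netmask"
EOF
  done
fi

_append_server_conf <<EOF
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
client-config-dir $OPENVPN_CCD_DIR

# ---
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir /etc/openvpn/ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# ---

# ---
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# ---

# ---
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# ---

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel. Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option WINS 10.8.0.1"
EOF

# - DNS server and search domains pushed to the clients (from the conf file).
# -
if [[ -n "$DNS_SERVER" ]]; then
  _append_server_conf <<EOF
push "dhcp-option DNS ${DNS_SERVER}"
EOF
fi
if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]]; then
  for _domain in "${SEARCH_DOMAINS_ARR[@]}" ; do
    _append_server_conf <<EOF
push "dhcp-option DOMAIN ${_domain}"
EOF
  done
fi

# NOTE: 'client-to-client' is written unconditionally below, so every VPN
# client can reach every other client through the server. If client isolation
# is wanted, drop that directive (or firewall the server's TUN interface).
_append_server_conf <<EOF
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
tls-auth ${OPENVPN_KEY_DIR}/ta.key 0

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
EOF

# - Data-channel cipher: only the value from the conf file is written; the
#   sample lines above stay commented out. With SERVER_CIPHER empty OpenVPN
#   falls back to its built-in default, which on older releases is the 64-bit
#   block cipher BF-CBC — prefer setting an AES cipher in the conf file.
# -
if [[ -n "$SERVER_CIPHER" ]]; then
  _append_server_conf <<EOF
cipher $SERVER_CIPHER
EOF
fi

_append_server_conf <<EOF
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
EOF
if $LZO_COMPRESSION ; then
  _append_server_conf <<EOF
comp-lzo
EOF
fi

_append_server_conf <<EOF
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
;status openvpn-status.log
status /var/log/openvpn/status-server-${OPENVPN_NAME}.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log-append openvpn.log
;log openvpn.log
log /var/log/openvpn/server-${OPENVPN_NAME}.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 1

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
EOF

# - Certificate revocation list. A symlink in the base directory wins over a
#   plain file in the key directory. NOTE: when neither exists nothing is
#   written, and revoked client certificates keep being accepted.
# -
if [[ -h "${OPENVPN_BASE_DIR}/crl.pem" ]] ; then
  _append_server_conf <<EOF
# CRL (certificate revocation list) verification
crl-verify ${OPENVPN_BASE_DIR}/crl.pem
EOF
elif [[ -f "${OPENVPN_KEY_DIR}/crl.pem" ]]; then
  _append_server_conf <<EOF
# CRL (certificate revocation list) verification
crl-verify ${OPENVPN_KEY_DIR}/crl.pem
EOF
fi

# Summary of all config writes done through _append_server_conf.
if $_conf_write_failed ; then
  echo_failed
  error "$(cat "$log_file")"
else
  echo_ok
fi
echo ""

# - Start OpenVPN Service
# -
echononl " Start OpenVPN Service"
if $systemd_supported ; then
  _start_cmd=("$systemctl" start "$service_name")
else
  _start_cmd=("$init_script" start)
fi
# Both start paths share the same reporting; the command's output is kept in
# the run log and shown on failure.
if "${_start_cmd[@]}" > "$log_file" 2>&1 ; then
  echo_ok
else
  echo_failed
  error "$(cat "$log_file")"
fi

# - See if OpenVPN Service is running/has started
#
check_string_ps="$openvpn_binary"
check_string_ps_plus="--daemon"
sleep 2
# 'ps -e f' prints "PID TTY STAT TIME COMMAND", so the PID is field 1 (the
# old awk printed field 2, the TTY; it only "worked" because PID is merely
# tested for emptiness).
# NOTE(review): a service unit that runs openvpn in the foreground (no
# '--daemon' on its command line) will not match the second grep and trips
# the warning even though the service is up — confirm on the target distro.
PID=$(ps -e f \
  | grep -E "[[:digit:]]\ ${check_string_ps}" \
  | grep "\ ${check_string_ps_plus}\ " \
  | grep -v grep \
  | awk '{print $1}')
if [[ -z "${PID}" ]]; then
  warn "\033[37m\033[1mOpenVPN Service is NOT running.\033[m\n Maybe you have to restart the machine in order to start openvpn daemon."
fi
echo ""

clean_up 0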