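#!/usr/bin/env bash
#
# Install OpenVPN and easy-rsa on a Debian host, bootstrap a private CA
# below ${OPENVPN_BASE_DIR}/keys and write two server instances.
#
# Settings come from conf/install_openvpn.conf next to this script.  That
# file is *sourced*, i.e. executed as shell code with this script's (root)
# privileges - keep it writable by root only.
#
# Assumes easy-rsa 2.x: make-cadir, build-ca, build-dh, build-key-server
# and a vars file made of "export KEY_*=" lines are all relied on below.

script_dir="$(dirname "$(realpath "$0")")"
conf_file="${script_dir}/conf/install_openvpn.conf"

_needed_debian_packages="openvpn easy-rsa"

# - Used if system does NOT support systemd
# -
init_script="/etc/init.d/openvpn"

# - Used if systemd is supported
# -
service_name=openvpn

openvpn_binary="/usr/sbin/openvpn"

# Per-step capture of stdout/stderr; dumped on failure, deleted on exit.
log_file="$(mktemp)"

# Suffix for every backup this run makes (<path>.YYYY-MM-DD-HHMM).
_date="$(date +%Y-%m-%d-%H%M)"


#---------------------------------------
#-----------------------------
# Base Function(s)
#-----------------------------
#---------------------------------------

# Remove the scratch log and exit with $1 (0 when omitted).
clean_up() {
  rm -f -- "$log_file"
  exit "${1:-0}"
}

# Print $* to stderr without a trailing newline, honouring backslash
# escapes like `echo -e -n` did.  printf does this portably, so the former
# probe file /tmp/shprompt$$ is gone: a predictable name under /tmp that
# root truncates is a classic symlink-attack target.
echononl() {
  printf '%b' "$*" 1>&2
}

# Report an unrecoverable error and stop the installation (exit 1).
fatal() {
  echo ""
  echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
  echo ""
  echo -e "\t\033[37m\033[1mInstallation will be interrupted\033[m\033[m"
  echo ""
  clean_up 1
}

# Report a failed step; the installation carries on.
error() {
  echo ""
  echo -e "\t[ \033[31m\033[1mError\033[m ]: $*"
  echo ""
}

warn() {
  echo ""
  echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
  echo ""
}

info() {
  echo ""
  echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
  echo ""
}

# Status markers, placed in column 80 of the line echononl started.
echo_done() {
  echo -e "\033[80G[ \033[32mdone\033[m ]"
}

echo_ok() {
  echo -e "\033[80G[ \033[32mok\033[m ]"
}

echo_warning() {
  echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
}

echo_failed() {
  echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
}

echo_skipped() {
  echo -e "\033[80G[ \033[37mskipped\033[m ]"
}

# An interrupted run must still remove the scratch log, and exit non-zero.
trap 'clean_up 1' SIGHUP SIGINT SIGTERM


#---------------------------------------
#-----------------------------
# Check some prerequisites
#-----------------------------
#---------------------------------------

# Everything below installs packages and rewrites /etc - fail now rather
# than half-way through with the easy-rsa directory already moved aside.
if [[ "$(id -u)" -ne 0 ]]; then
  fatal "$(basename "$0") must be run as root."
fi

# - Is 'systemd' supported on this system
# -
# A systemd binary on PATH does not prove systemd is PID 1 (chroots,
# sysvinit hosts with the package installed); /run/systemd/system exists
# only on a systemd-booted system (sd_booted(3)).
systemctl="$(command -v systemctl || true)"
systemd_supported=false
if [[ -n "$systemctl" && -d /run/systemd/system ]]; then
  systemd_supported=true
elif [[ ! -x "$init_script" ]]; then
  fatal "$(basename "$0"): Missing OpenVPN Init-Script!"
fi

echo ""


#---------------------------------------
#-----------------------------
# Read Configurations from $conf_file
#-----------------------------
#---------------------------------------

echononl " Load configuration file.."
if [[ ! -f "$conf_file" ]]; then
  echo_failed
  fatal "Configuration file \033[37m\033[1m$(basename "$conf_file")\033[m not found!"
fi

# The conf file is executed, not parsed.  Refuse one that other local
# users can modify: sourcing it would hand them root in this run.
_conf_mode="$(stat -c '%a' "$conf_file" 2>/dev/null || echo 0)"
if (( 8#${_conf_mode} & 2 )); then
  echo_failed
  fatal "Configuration file $(basename "$conf_file") is world-writable - refusing to source it."
fi

# shellcheck disable=SC1090
if source "$conf_file" > "$log_file" 2>&1; then
  echo_ok
else
  echo_failed
  fatal "$(cat "$log_file")"
fi

# Paths this script moves and recreates must be set: with an empty
# OPENVPN_BASE_DIR the steps below would operate on "/keys", "/ccd", ...
for _var in OPENVPN_BASE_DIR EASY_RSA_DIR CCD_HOME CCD_GW_CKUBU; do
  if [[ -z "${!_var}" ]]; then
    fatal "'${_var}' is not set in $(basename "$conf_file")."
  fi
done


#---------------------------------------
#-----------------------------
# Start Installation
#-----------------------------
#---------------------------------------

# - Stop a running daemon first (only possible if openvpn is installed)
# -
if [[ -x "$openvpn_binary" ]]; then
  echononl " Stopping OpenVPN Daemon"
  # Debian starts the daemon as "<binary> --daemon ..."; pgrep -f matches
  # the full command line and never reports itself.
  PID="$(pgrep -f -- "^${openvpn_binary} .*--daemon" || true)"
  if [[ -z "$PID" ]]; then
    echo_skipped
  else
    if $systemd_supported; then
      "$systemctl" stop "$service_name" > "$log_file" 2>&1
      _rc=$?
    else
      "$init_script" stop > "$log_file" 2>&1
      _rc=$?
    fi
    if [[ $_rc -eq 0 ]]; then
      echo_ok
    else
      echo_failed
      error "$(cat "$log_file")"
    fi
  fi
fi

# - Install needed debian packages
# -
echononl " Install needed debian packages.."
needed_debian_packages=""
for _pkg in $_needed_debian_packages; do
  # dpkg-query is part of the base system; aptitude need not be installed.
  if dpkg-query -W -f='${Status}' "$_pkg" 2>/dev/null | grep -q "install ok installed"; then
    continue
  fi
  needed_debian_packages="$needed_debian_packages $_pkg"
done

if [[ -n "$needed_debian_packages" ]]; then
  # shellcheck disable=SC2086 -- the package list is meant to word-split
  if DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_debian_packages > /dev/null 2> "$log_file"; then
    echo_ok
  else
    echo_failed
    fatal "$(cat "$log_file")"
  fi
else
  echo_skipped
fi

# - Make the package included scripts available in directory
# - "/etc/openvpn/easy-rsa"
# -
echononl " Backup directory '${EASY_RSA_DIR}'.."
if [[ -d "$EASY_RSA_DIR" ]]; then
  if mv -- "$EASY_RSA_DIR" "${EASY_RSA_DIR}.${_date}" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
else
  echo_skipped
fi

echononl " Create directory '${EASY_RSA_DIR}'.."
if /usr/bin/make-cadir "$EASY_RSA_DIR" > "$log_file" 2>&1; then
  echo_ok
else
  echo_failed
  error "$(cat "$log_file")"
fi

# - Create key directory
# -
# NOTE(review): the moved-aside keys.<date> directory still holds the
# previous CA and server private keys.  Archive it offline or shred it
# once the new PKI is in use.
echononl " Backup key directory '${OPENVPN_BASE_DIR}/keys'.."
if [[ -d "${OPENVPN_BASE_DIR}/keys" ]]; then
  if mv -- "${OPENVPN_BASE_DIR}/keys" "${OPENVPN_BASE_DIR}/keys.${_date}" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
else
  echo_skipped
fi

echononl " Create key directory '${OPENVPN_BASE_DIR}/keys' (mode 0700).."
# -m sets the mode at creation: no window in which the directory carries
# the umask default before a separate chmod runs.
if mkdir -m 0700 -- "${OPENVPN_BASE_DIR}/keys" > "$log_file" 2>&1; then
  echo_ok
else
  echo_failed
  error "$(cat "$log_file")"
fi

# - Create Log Directory
# -
openvpn_log_dir="/var/log/openvpn"
echononl " Create log directory '${openvpn_log_dir}'"
if [[ -d "$openvpn_log_dir" ]]; then
  echo_skipped
else
  if mkdir -- "$openvpn_log_dir" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
fi

# - Backup existing 'ccd' directory
# -
echononl " Backup directory '${OPENVPN_BASE_DIR}/ccd'.."
if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]]; then
  if mv -- "${OPENVPN_BASE_DIR}/ccd" "${OPENVPN_BASE_DIR}/ccd.${_date}" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
else
  echo_skipped
fi

# - Create Directory 'ccd'
# -
echononl " Create directory '${OPENVPN_BASE_DIR}/ccd'"
if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]]; then
  echo_skipped
else
  if mkdir -- "${OPENVPN_BASE_DIR}/ccd" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
fi

# - Backup file keys-created.txt
# -
echononl " Backup file '${OPENVPN_BASE_DIR}/keys-created.txt'"
if [[ -f "${OPENVPN_BASE_DIR}/keys-created.txt" ]]; then
  if mv -- "${OPENVPN_BASE_DIR}/keys-created.txt" "${OPENVPN_BASE_DIR}/keys-created.txt.${_date}" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
else
  echo_skipped
fi

# - Adjust /etc/default/openvpn
# -
# - AUTOSTART="all"
# -
# NOTE(review): "all" starts every *.conf found in ${OPENVPN_BASE_DIR},
# not only the two written by this script.
_file="/etc/default/openvpn"
echononl " Adjust '${_file}'. Set AUTOSTART=\"all\""
if grep -i -q -E '^\s*AUTOSTART="all"' "$_file"; then
  echo_skipped
elif grep -i -q -E '^\s*#\s*AUTOSTART="all"' "$_file"; then
  if perl -i -p -e 's/^(\s*#\s*AUTOSTART="all".*)/##$1\nAUTOSTART="all"/' "$_file" > "$log_file" 2>&1; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
else
  if { echo ""; echo 'AUTOSTART="all"'; } >> "$_file" 2> "$log_file"; then
    echo_ok
  else
    echo_failed
    error "$(cat "$log_file")"
  fi
fi

# Rewrite one "export NAME=..." entry of easy-rsa's vars file: the line
# that matches (commented or not) is kept, prefixed with $3 (default "##"),
# and the text in $2 is written on the line(s) after it.
# NAME and the new text reach perl through the environment instead of
# being spliced into the perl program: a conf value containing "/", "$",
# "@" or a quote would otherwise break the substitution or run as code.
#   $1  variable name to match after "export"
#   $2  replacement line(s), e.g. 'export KEY_ORG="Example"'
#   $3  prefix put in front of the matched line (optional)
# Returns perl's exit status (0 also when nothing matched, as before).
_set_vars_entry() {
  local name="$1" lines="$2" prefix="${3:-##}"
  VARS_NAME="$name" VARS_LINES="$lines" VARS_PREFIX="$prefix" \
    perl -i -p -e 's/^(\s*#*\s*export\s+$ENV{VARS_NAME}=.*)/$ENV{VARS_PREFIX}$1\n$ENV{VARS_LINES}/' \
    "${EASY_RSA_DIR}/vars" > "$log_file" 2>&1
}

# - Adjust ${EASY_RSA_DIR}/vars
# -
# - adds     export BASE_DIR=$OPENVPN_BASE_DIR
# - rewrites export EASY_RSA, KEY_DIR, KEY_SIZE, CA_EXPIRE, KEY_EXPIRE,
# -          KEY_COUNTRY .. KEY_NAME, KEY_CN from the conf file
# - appends  export KEY_ALTNAMES
# - The replaced lines stay in the file, commented out.
# -
_failed=false
echononl " Adjust '${EASY_RSA_DIR}/vars'.."
# One backup of the pristine file (what the former perl -i.$_date produced).
cp -p -- "${EASY_RSA_DIR}/vars" "${EASY_RSA_DIR}/vars.${_date}" > "$log_file" 2>&1 || _failed=true
# "$BASE_DIR" is written literally; the vars file resolves it when sourced.
_set_vars_entry EASY_RSA "export BASE_DIR=\"${OPENVPN_BASE_DIR}\""$'\n'"export EASY_RSA=\"\$BASE_DIR/easy-rsa\"" || _failed=true
_set_vars_entry KEY_DIR "export KEY_DIR=\"\$BASE_DIR/keys\"" || _failed=true
_set_vars_entry KEY_SIZE "export KEY_SIZE=${KEY_SIZE}" || _failed=true
# root CA expires in 30 years (= 10950 days), certificates in 20 years
# (= 7300 days) - whatever the conf file says.
_set_vars_entry CA_EXPIRE "export CA_EXPIRE=${CA_EXPIRE}" || _failed=true
_set_vars_entry KEY_EXPIRE "export KEY_EXPIRE=${KEY_EXPIRE}" || _failed=true
for _key in KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL KEY_OU KEY_NAME; do
  _set_vars_entry "$_key" "export ${_key}=\"${!_key}\"" || _failed=true
done
# KEY_CN keeps the single "#" prefix on the replaced line, as before.
_set_vars_entry KEY_CN "export KEY_CN=\"${KEY_CN}\"" "#" || _failed=true
# printf '%s' writes the value verbatim; echo -e would expand escapes in it.
printf '\nexport KEY_ALTNAMES="%s"\n' "$KEY_ALTNAMES" >> "${EASY_RSA_DIR}/vars" 2> "$log_file" || _failed=true

if $_failed; then
  echo_failed
  error "$(cat "$log_file")"
else
  echo_ok
fi


#---------------------------------------
#-----------------------------
# Initial Setup OpenVPN (Root ca / Server key /..)
#-----------------------------
#---------------------------------------

echo ""

# - source file vars
# -
echononl " Load configuration '${EASY_RSA_DIR}/vars'.."
# shellcheck disable=SC1090
if source "${EASY_RSA_DIR}/vars" > "$log_file" 2>&1; then
  echo_ok
else
  echo_failed
  error "$(cat "$log_file")"
fi

# ---
# - Create Keys and Certs
# ---
echo ""
echo -e "\033[32m--\033[m"
echo "Create Keys and Certs .."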
echo -e "\033[32m--\033[m" echo "" # - Create file 'serial' with value '01' - the serial for the next # - created certificate # - echononl " Create '${OPENVPN_BASE_DIR}/keys/serial'.." echo "01" > "${OPENVPN_BASE_DIR}/keys/serial" 2> "$log_file" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create empty file index.txt at key-directory # - echononl " Create empty file '${OPENVPN_BASE_DIR}/keys/index.txt'.." touch $OPENVPN_BASE_DIR/keys/index.txt if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create Root CA # - echononl " Create Root CA.." printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Build Diffie-Hellman parameters for the server side # - of an SSL/TLS connection. # . echononl " Build Diffie-Hellman parameter (dh key).." ${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Build Sever Key # - #echononl " Create Sever Key" echo "" echo -e " \033[32mNow create the server key. Tis procedure works interactive.\033[m" echo -e " Use \033[37m\033[1m${KEY_CN}-server\033[m as commonName" echo "" echononl "Type to continue: " read ok echo "" ${EASY_RSA_DIR}/build-key-server server if [[ $? -eq 0 ]] ; then info "Building server key was successfully." else error "Building server key failed!" fi echo "" echononl "Type to continue: " read ok echo "" #printf "\n\n\n\n\n${KEY_CN}-server\n\n\n\ny\ny\n" | ${EASY_RSA_DIR}/build-key-server server # - For extra security beyond that provided # - by SSL/TLS, create an "HMAC firewall" # - to help block DoS attacks and UDP port flooding. # - echononl " Create 'ta.key' for additional security" openvpn --genkey --secret ${OPENVPN_BASE_DIR}/keys/ta.key > "$log_file" 2>&1 if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create empty CRL (Certificate Revokation List) # - echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.." openssl ca -gencrl -out /etc/openvpn/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Create symlink for '${OPENVPN_BASE_DIR}/keys/crl.pem'.." ln -s ../crl.pem /etc/openvpn/keys/crl.pem > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # ---- # - Create server configurations # ---- echo "" echo -e "\033[32m--\033[m" echo "Server configurations .." echo -e "\033[32m--\033[m" echo "" echononl " Backup Client configuration directory '$CCD_HOME'" if [[ -d "$CCD_HOME" ]]; then mv "$CCD_HOME" "${CCD_HOME}.$_date" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create Client configuration directory '$CCD_HOME'" mkdir "$CCD_HOME" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Backup file ${OPENVPN_BASE_DIR}/server-home.conf" if [[ -f "${OPENVPN_BASE_DIR}/server-home.conf" ]] ; then mv "${OPENVPN_BASE_DIR}/server-home.conf" "${OPENVPN_BASE_DIR}/server-home.conf.$_date" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create configuration '${OPENVPN_BASE_DIR}/server-home.conf" cat < ${OPENVPN_BASE_DIR}/server-home.conf 2> "$log_file" ################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # # # # This file is for the server side # # of a many-clients <-> one-server # # OpenVPN configuration. # # # # OpenVPN also supports # # single-machine <-> single-machine # # configurations (See the Examples page # # on the web site for more info). 
# # # # This config should work on Windows # # or Linux/BSD systems. Remember on # # Windows to quote pathnames and use # # double backslashes, e.g.: # # "C:\\Program Files\\OpenVPN\\config\\foo.key" # # # # Comments are preceded with '#' or ';' # ################################################# # Which local IP address should OpenVPN # listen on? (optional) ;local a.b.c.d # Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. port $SERVER_PORT_HOME # TCP or UDP server? ;proto tcp proto udp topology subnet #route 192.168.63.0 255.255.255.0 10.1.72.1 #route 192.168.64.0 255.255.255.0 10.1.72.1 # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap" if you are ethernet bridging. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. 
# # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ${OPENVPN_BASE_DIR}/keys/ca.crt cert ${OPENVPN_BASE_DIR}/keys/server.crt key ${OPENVPN_BASE_DIR}/keys/server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. dh ${OPENVPN_BASE_DIR}/keys/dh2048.pem # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. server $OPENVPN_NETWORK_HOME 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist /etc/openvpn/ipp.txt # Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. 
;push "route 10.8.0.0 255.255.255.0" push "route $MAIN_NETWORK 255.255.255.0" # To assign specific IP addresses to specific # clients or if a connecting client has a private # subnet behind it that should also have VPN access, # use the subdirectory "ccd" for client-specific # configuration files (see man page for more info). client-config-dir $CCD_HOME # --- # EXAMPLE: Suppose the client # having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: ;client-config-dir /etc/openvpn/ccd ;route 192.168.40.128 255.255.255.248 # Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using "dev tun" and "server" directives. # --- # --- # EXAMPLE: Suppose you want to give # Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 # Then add this line to ccd/Thelonious: # ifconfig-push 10.9.0.1 10.9.0.2 # --- # --- # Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods: # (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. ;learn-address ./script # --- # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT # the TUN/TAP interface to the internet in # order for this to work properly). 
# CAVEAT: May break client's network config if # client's local DHCP server packets get routed # through the tunnel. Solution: make sure # client's local DHCP server is reachable via # a more specific route than the default route # of 0.0.0.0/0.0.0.0. ;push "redirect-gateway" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats ;push "dhcp-option WINS 10.8.0.1" push "dhcp-option DNS ${DNS_SERVER}" push "dhcp-option DOMAIN ${DOMAIN}" # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. client-to-client # Uncomment this directive if multiple clients # might connect with the same certificate/key # files or common names. This is recommended # only for testing purposes. For production use, # each client should have its own certificate/key # pair. # # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. ;duplicate-cn # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. ;tls-auth ta.key 0 # This file is secret tls-auth ${OPENVPN_BASE_DIR}/keys/ta.key 0 # Select a cryptographic cipher. 
# This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES cipher AES-256-CBC # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo # The maximum number of concurrently connected # clients we want to allow. ;max-clients 100 # It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # # You can uncomment this out on # non-Windows systems. user nobody group nogroup # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun persist-local-ip persist-remote-ip # Output a short status file showing # current connections, truncated # and rewritten every minute. status /var/log/openvpn/status-server-home.log # By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the "\Program Files\OpenVPN\log" directory). # Use log or log-append to override this default. # "log" will truncate the log file on OpenVPN startup, # while "log-append" will append to it. Use one # or the other (but not both). log /var/log/openvpn/server-home.log ;log-append openvpn.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20 # CRL (certificate revocation list) verification crl-verify ${OPENVPN_BASE_DIR}/crl.pem EOF if [[ $? 
-eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echo "" echononl " Backup Client configuration directory '$CCD_GW_CKUBU'" if [[ -d "$CCD_GW_CKUBU" ]]; then mv "$CCD_GW_CKUBU" "${CCD_GW_CKUBU}.$_date" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create Client configuration directory '$CCD_HOME'" mkdir "$CCD_GW_CKUBU" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Backup file ${OPENVPN_BASE_DIR}/server-gw-ckubu.conf" if [[ -f "${OPENVPN_BASE_DIR}/server-gw-ckubu.conf" ]]; then mv "${OPENVPN_BASE_DIR}/server-gw-ckubu.conf" "${OPENVPN_BASE_DIR}/server-gw-ckubu.conf.$_date" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create configuration '${OPENVPN_BASE_DIR}/erver-gw-ckubu.conf" cat < ${OPENVPN_BASE_DIR}/server-gw-ckubu.conf 2> "$log_file" ################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # # # # This file is for the server side # # of a many-clients <-> one-server # # OpenVPN configuration. # # # # OpenVPN also supports # # single-machine <-> single-machine # # configurations (See the Examples page # # on the web site for more info). # # # # This config should work on Windows # # or Linux/BSD systems. Remember on # # Windows to quote pathnames and use # # double backslashes, e.g.: # # "C:\\Program Files\\OpenVPN\\config\\foo.key" # # # # Comments are preceded with '#' or ';' # ################################################# # Which local IP address should OpenVPN # listen on? (optional) ;local a.b.c.d # Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. port $SERVER_PORT_GW_CKUBU # TCP or UDP server? 
;proto tcp proto udp topology subnet route 192.168.63.0 255.255.255.0 $IPV4_OPENVPN_GW_CKUBU route 192.168.64.0 255.255.255.0 $IPV4_OPENVPN_GW_CKUBU # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap" if you are ethernet bridging. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca keys/ca.crt cert keys/server.crt key keys/server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. dh keys/dh2048.pem # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. 
Comment this line out if you are # ethernet bridging. See the man page for more info. server $OPENVPN_NETWORK_GW_CKUBU 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist /etc/openvpn/ipp.txt # Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. ;push "route 10.8.0.0 255.255.255.0" push "route $MAIN_NETWORK 255.255.255.0" # To assign specific IP addresses to specific # clients or if a connecting client has a private # subnet behind it that should also have VPN access, # use the subdirectory "ccd" for client-specific # configuration files (see man page for more info). client-config-dir $CCD_GW_CKUBU # --- # EXAMPLE: Suppose the client # having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. 
# First, uncomment out these lines: ;client-config-dir /etc/openvpn/ccd ;route 192.168.40.128 255.255.255.248 # Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using "dev tun" and "server" directives. # --- # --- # EXAMPLE: Suppose you want to give # Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 # Then add this line to ccd/Thelonious: # ifconfig-push 10.9.0.1 10.9.0.2 # --- # --- # Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods: # (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. ;learn-address ./script # --- # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT # the TUN/TAP interface to the internet in # order for this to work properly). # CAVEAT: May break client's network config if # client's local DHCP server packets get routed # through the tunnel. Solution: make sure # client's local DHCP server is reachable via # a more specific route than the default route # of 0.0.0.0/0.0.0.0. ;push "redirect-gateway" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats ;push "dhcp-option WINS 10.8.0.1" # - Do NOT push DNS settings in THIS configuration. 
We use # - this VPN tunnel as a static line, and the remote host # - should user his own dns settings. # - ;push "dhcp-option DNS ${DNS_SERVER}" ;push "dhcp-option DOMAIN ${DOMAIN}" # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. client-to-client # Uncomment this directive if multiple clients # might connect with the same certificate/key # files or common names. This is recommended # only for testing purposes. For production use, # each client should have its own certificate/key # pair. # # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. ;duplicate-cn # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. ;tls-auth ta.key 0 # This file is secret tls-auth keys/ta.key 0 # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES cipher AES-256-CBC # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo # The maximum number of concurrently connected # clients we want to allow. 
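;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
persist-local-ip
persist-remote-ip

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/status-server-gw-ckubu.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
log /var/log/openvpn/server-gw-ckubu.log
;log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

#crl-verify /etc/openvpn/keys/crl.pem
crl-verify /etc/openvpn/crl.pem
EOF
# $? is the exit status of the here-document write whose opener sits
# above this block; report it exactly like the other installer steps.
if [[ $? -eq 0 ]] ; then
  echo_ok
else
  echo_failed
  error "$(cat "$log_file")"
fi

# NOTE(review): the server config written above still enables "comp-lzo".
# Link compression is deprecated in current OpenVPN releases and is best
# left off on TLS-protected links; consider removing it from the template.
# The "tls-auth keys/ta.key 0" line is a relative path — presumably resolved
# against OpenVPN's working directory (/etc/openvpn); verify on the target.

# - Start OpenVPN Service
# -
# Use systemd when available, otherwise the legacy init script. Both
# branches log to $log_file and share one exit-status check below.
echononl " Start OpenVPN Service"
if $systemd_supported ; then
  "$systemctl" start "$service_name" > "$log_file" 2>&1
else
  "$init_script" start > "$log_file" 2>&1
fi
# The exit status of a compound 'if' is that of the last command it ran,
# i.e. the systemctl/init-script invocation above.
if [[ $? -ne 0 ]]; then
  echo_failed
  error "$(cat "$log_file")"
else
  echo_ok
fi

# - See if OpenVPN Service is running/has started
# -
# Match the daemon's full command line: the binary at the start of the
# line and "--daemon" as a separate argument (followed by a space or the
# end of the line). pgrep never reports itself, so no "grep -v grep" is
# needed, and PID now really holds the PID(s) rather than the TTY column
# the old "ps ... | awk '{print $2}'" chain extracted.
check_string_ps="$openvpn_binary"
check_string_ps_plus="--daemon"
sleep 2
PID=$(pgrep -f -- "^${check_string_ps}( .*)? ${check_string_ps_plus}( |$)")
if [[ -z "$PID" ]]; then
  warn "\033[37m\033[1mOpenVPN Service is NOT running.\033[m\n Maybe you have to restart the machine in order to start openvpn daemon."
fi

echo ""
# Explicit success status; a bare clean_up would exit with rm's status.
clean_up 0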
