#!/usr/bin/env bash script_dir="$(dirname $(realpath $0))" conf_file=${script_dir}/conf/install_openvpn.conf _needed_debian_packages="openvpn easy-rsa" # - Used if system does NOT support systemd # - init_script="/etc/init.d/openvpn" # - Used if systemd is supported # - service_name=openvpn openvpn_binary="/usr/sbin/openvpn" log_file="$(mktemp)" _date="$(date +%Y-%m-%d-%H%M)" #--------------------------------------- #----------------------------- # Base Function(s) #----------------------------- #--------------------------------------- clean_up() { # Perform program exit housekeeping rm $log_file exit $1 } trim() { local var="$*" var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters echo -n "$var" } # - Test of valid IPv4 Address # - # - Returns 0 if valid, > 0 otherwise # - is_valid_ipv4() { local -a octets=( ${1//\./ } ) local RETURNVALUE=0 # return an error if the IP doesn't have exactly 4 octets [[ ${#octets[@]} -ne 4 ]] && return 1 for octet in ${octets[@]} do if [[ ${octet} =~ ^[0-9]{1,3}$ ]] then # shift number by 8 bits, anything larger than 255 will be > 0 ((RETURNVALUE += octet>>8 )) else # octet wasn't numeric, return error return 1 fi done return ${RETURNVALUE} } # - Convert CIDR to netmask # - cidr2mask() { local i mask="" local full_octets=$(($1/8)) local partial_octet=$(($1%8)) for ((i=0;i<4;i+=1)); do if [ $i -lt $full_octets ]; then mask+=255 elif [ $i -eq $full_octets ]; then mask+=$((256 - 2**(8-$partial_octet))) else mask+=0 fi test $i -lt 3 && mask+=. done echo $mask } echononl(){ echo X\\c > /tmp/shprompt$$ if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then echo -e -n "$*\\c" 1>&2 else echo -e -n "$*" 1>&2 fi rm /tmp/shprompt$$ } fatal(){ echo "" echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*" echo "" echo -e "\t\033[37m\033[1mInstalllation will be interrupted\033[m\033[m" echo "" clean_up 1 exit 1 } error(){ echo "" echo -e "\t[ \033[31m\033[1mError\033[m ]: $*" echo "" } warn (){ echo "" echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*" echo "" } info (){ echo "" echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*" echo "" } echo_done() { echo -e "\033[80G[ \033[32mdone\033[m ]" } echo_ok() { echo -e "\033[80G[ \033[32mok\033[m ]" } echo_warning() { echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]" } echo_failed(){ echo -e "\033[80G[ \033[1;31mfailed\033[m ]" } echo_skipped() { echo -e "\033[80G[ \033[37mskipped\033[m ]" } trap clean_up SIGHUP SIGINT SIGTERM #--------------------------------------- #----------------------------- # Check some prerequisites #----------------------------- #--------------------------------------- # - Is 'systemd' supported on this system # - systemd=$(which systemd) systemctl=$(which systemctl) systemd_supported=false if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then systemd_supported=true else if [[ ! -x $init_script ]]; then fatal "$(basename $0): Missing OpenVPN Init-Script!" fi fi clear echo -e "\n\t\033[32mStart script for installation of OpenVPN on this Server..\033[m" #--------------------------------------- #----------------------------- # Setting Defaults #----------------------------- #--------------------------------------- DEFAULT_SERVER_PORT=1194 DEFAULT_CA_EXPIRE=11688 DEFAULT_KEY_EXPIRE=7305 DEFAULT_KEY_SIZE=4096 DEFAULT_KEY_COUNTRY="DE" DEFAULT_KEY_PROVINCE="Berlin" DEFAULT_KEY_CITY="Berlin" DEFAULT_KEY_EMAIL='argus@oopen.de' DEFAULT_KEY_ORG='o.open' DEFAULT_KEY_OU="Network Services" DEFAULT_SERVER_CIPHER="None" #DEFAULT_SERVER_CIPHER="AES-256-CBC" #--------------------------------------- #----------------------------- # Load default values from install_openvpn.conf # # Overwrites the settings above # #----------------------------- #--------------------------------------- echo "" echo "" echononl " Load Configuration File $(basename ${conf_file}).." if [[ ! -f "$conf_file" ]]; then echo_skipped else source "${conf_file}" > $log_file 2>&1 if [[ $? -eq 0 ]]; then echo_ok else echo_failed fatal "$(cat $log_file)" fi fi [[ -z "$DEFAULT_SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER='None' echo "" echo "" echo -e "\033[32m==========\033[m" echo "" echononl "Only create Configuration file (yes/no) [no]: " read OK echo "" if [[ "$(trim ${OK,,})" = "yes" ]] ; then _only_create_config_file=true else _only_create_config_file=false fi echo "" echo "" echo -e "\033[32m--\033[m" echo "Common parameters" echo -e "\033[32m--\033[m" echo "" echo "Insert IP-Address/Hostname of OpenVPN Server" echo "" OPENVPN_SERVER="" if [[ -n "$DEFAULT_SERVER" ]] ; then echononl "OpenVPN Server [${DEFAULT_SERVER}]: " read OPENVPN_SERVER if [[ "X$OPENVPN_SERVER" = "X" ]]; then OPENVPN_SERVER="$DEFAULT_SERVER" fi else echononl "OpenVPN Server: " read OPENVPN_SERVER while [ "X$OPENVPN_SERVER" = "X" ] ; do echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Server' is required!\033[m\n" echononl "OpenVPN Server: " read OPENVPN_SERVER done fi echo "" SERVER_PORT="" echononl "Server Port [${DEFAULT_SERVER_PORT}]: " while [[ "X${SERVER_PORT}" = "X" ]]; do read SERVER_PORT if [[ "X$SERVER_PORT" = "X" ]]; then SERVER_PORT="$DEFAULT_SERVER_PORT" fi done if $(grep -q -E "SERVER_PORT=$SERVER_PORT" ${script_dir}/conf/server-*.conf 2> /dev/null) ; then warn "Port '$SERVER_PORT' is already in use by an other OpenVPN Service on this Server" fi echo "" echo "Insert abbreviation (acronym) for the company or organisation" echo "" echo " Example: 'AKB' or 'FLR' or 'OPP' or.." echo "" ORG_ACRONYM="" echononl "Organisations acronym: " read ORG_ACRONYM while [ "X$ORG_ACRONYM" = "X" ] ; do echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Name' is required!\033[m\n" echononl "Organisations acronym: " read ORG_ACRONYM done DEFAULT_KEY_NAME="VPN $ORG_ACRONYM" DEFAULT_KEY_CN="VPN-$ORG_ACRONYM" DEFAULT_KEY_ALTNAMES="VPN $ORG_ACRONYM" echo "" echo "Insert Name of OpenVPN Service (i.e. so36, gw-ckubu, opferperspektive)" echo "" echo " Example: 'so36' or 'gw-ckubu' or 'opferperspektive' or.." echo "" OPENVPN_NAME="" echononl "OpenVPN Name: " read OPENVPN_NAME while [ "X$OPENVPN_NAME" = "X" ] ; do echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Name' is required!\033[m\n" echononl "OpenVPN Name: " read OPENVPN_NAME done DEFAULT_OPENVPN_BASE_DIR="/etc/openvpn/${OPENVPN_NAME}" echo "" echo "" echo "Insert OpenVPN Base Directory for Service '$OPENVPN_NAME'" echo "" if ! $_only_create_config_file ; then echo " Note: must be a subdirectory of '/etc/openvpn'" echo "" fi OPENVPN_BASE_DIR="" echononl "OpenVPN Base Directory [${DEFAULT_OPENVPN_BASE_DIR}]: " while [[ "X${OPENVPN_BASE_DIR}" = "X" ]]; do read OPENVPN_BASE_DIR if [[ "X$OPENVPN_BASE_DIR" = "X" ]]; then OPENVPN_BASE_DIR="$DEFAULT_OPENVPN_BASE_DIR" else if [[ ! "$(dirname ${OPENVPN_BASE_DIR})" = "/etc/openvpn" ]] && ! $_only_create_config_file ; then echo -e "\n\t\033[33m\033[1mGiven entry is NOT a subdirectory of '/etc/openvpn'. Retry..\033[m\n" echononl "OpenVPN Base Directory [${DEFAULT_OPENVPN_BASE_DIR}]: " OPENVPN_BASE_DIR="" fi fi done EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa" OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd/server-${OPENVPN_NAME}" echo "" echo -e "\033[32m--\033[m" echo "KEY generation parameters" echo -e "\033[32m--\033[m" echo "" echo "Insert expiration time for ROOT CA" echo "" echo " Example: (3*365+366)*8 = 11688 = 32 Jahre" echo " expiration time: 11688" echo "" CA_EXPIRE="" echononl "Expiration time ROOT CA [${DEFAULT_CA_EXPIRE}]: " while [[ "X${CA_EXPIRE}" = "X" ]]; do read CA_EXPIRE if [[ "X$CA_EXPIRE" = "X" ]]; then CA_EXPIRE="$DEFAULT_CA_EXPIRE" fi done echo "" echo "" echo "Insert expiration time for user/server certificates" echo "" echo " Example: (3*365+366)*5 = 7305 = 20 Jahre" echo " expiration time: 7305" echo "" KEY_EXPIRE="" echononl "Expiration time certificates [${DEFAULT_KEY_EXPIRE}]: " while [[ "X${KEY_EXPIRE}" = "X" ]]; do read KEY_EXPIRE if [[ "X$KEY_EXPIRE" = "X" ]]; then KEY_EXPIRE="$DEFAULT_KEY_EXPIRE" fi done echo "" echo "" echo "Insert key size for user/server keys" echo "" KEY_SIZE="" echononl "KEY_SIZE [${DEFAULT_KEY_SIZE}]: " while [[ "X${KEY_SIZE}" = "X" ]]; do read KEY_SIZE if [[ "X$KEY_SIZE" = "X" ]]; then KEY_SIZE="$DEFAULT_KEY_SIZE" fi done echo "" echo "" echo "Insert key meta-data" echo "" KEY_COUNTRY="" echononl "KEY_COUNTRY [${DEFAULT_KEY_COUNTRY}]: " read KEY_COUNTRY if [[ "X$KEY_COUNTRY" = "X" ]]; then KEY_COUNTRY="$DEFAULT_KEY_COUNTRY" fi KEY_PROVINCE="" echo "" echononl "KEY_PROVINCE [${DEFAULT_KEY_PROVINCE}]: " read KEY_PROVINCE if [[ "X$KEY_PROVINCE" = "X" ]]; then KEY_PROVINCE="$DEFAULT_KEY_PROVINCE" fi KEY_CITY="" echo "" echononl "KEY_CITY [${DEFAULT_KEY_CITY}]: " read KEY_CITY if [[ "X$KEY_CITY" = "X" ]]; then KEY_CITY="$DEFAULT_KEY_CITY" fi KEY_ORG="" echo "" echononl "KEY_ORG [${DEFAULT_KEY_ORG}]: " read KEY_ORG if [[ "X$KEY_ORG" = "X" ]]; then KEY_ORG="$DEFAULT_KEY_ORG" fi KEY_EMAIL="" echo "" echononl "KEY_EMAIL [${DEFAULT_KEY_EMAIL}]: " read KEY_EMAIL if [[ "X$KEY_EMAIL" = "X" ]]; then KEY_EMAIL="$DEFAULT_KEY_EMAIL" fi EMAIL_PREFIX="$(echo $KEY_EMAIL | cut -d '@' -f1)" EMAIL_DOMAIN="$(echo $KEY_EMAIL | cut -d '@' -f2)" KEY_OU="" echo "" echononl "KEY_OU [${DEFAULT_KEY_OU}]: " read KEY_OU if [[ "X$KEY_OU" = "X" ]]; then KEY_OU="$DEFAULT_KEY_OU" fi KEY_NAME= echo "" echononl "KEY_NAME [${DEFAULT_KEY_NAME}]: " read KEY_NAME if [[ "X$KEY_NAME" = "X" ]]; then KEY_NAME="$DEFAULT_KEY_NAME" else DEFAULT_KEY_CN="$KEY_NAME" DEFAULT_KEY_ALTNAMES="$KEY_NAME" fi KEY_CN="" echo "" echo "" echo -e " Type \"\033[33mNone\033[m\" if no CN Prefix should be used" echo "" echononl "KEY_CN [${DEFAULT_KEY_CN}]: " read KEY_CN if [[ "X$KEY_CN" = "X" ]]; then KEY_CN="$DEFAULT_KEY_CN" DEFAULT_KEY_ALTNAMES="$KEY_CN" else DEFAULT_KEY_ALTNAMES="$KEY_CN" if [[ "$(trim ${KEY_CN,,})" = 'none' ]] ; then KEY_CN="" fi fi KEY_ALTNAMES="" echo "" echononl "KEY_ALTNAMES [${DEFAULT_KEY_ALTNAMES}]: " read KEY_ALTNAMES if [[ "X$KEY_ALTNAMES" = "X" ]]; then KEY_ALTNAMES="$DEFAULT_KEY_ALTNAMES" fi if [[ "$(trim ${KEY_ALTNAMES,,})" = 'none' ]] ; then KEY_ALTNAMES="" fi echo "" echo -e "\033[32m--\033[m" echo "Parameters for Server Configurations" echo -e "\033[32m--\033[m" echo "" echo "Set server-side 'cryptographic cipher'." echo "" echo "Note: if setting this parameter at the server configuration, this parameter *must'" echo " also set this parameter at client configuration" echo "" echo " cipher BF-CBC # Blowfish (default)" echo " cipher AES-128-CBC # AES 128Bit" echo " cipher AES-256-CBC # AES 256Bit" echo " cipher DES-EDE3-CBC # Triple-DES" echo " ..." echo "" echo -e "Type \"\033[33mNone\033[m\" if no default cipher should be set." echo "" SERVER_CIPHER="" echononl "Server cryptographic cipher [${DEFAULT_SERVER_CIPHER}]: " read SERVER_CIPHER if [[ "X$SERVER_CIPHER" = "X" ]]; then SERVER_CIPHER="$DEFAULT_SERVER_CIPHER" fi if [[ "$(trim ${SERVER_CIPHER,,})" = none ]]; then SERVER_CIPHER="" fi echo "" echo "" echo "Enable LZO compression" echo "" echononl "Enable LZO compression (yes/no) [no]: " read OK echo "" if [[ "$(trim ${OK,,})" = "yes" ]] ; then LZO_COMPRESSION=true else LZO_COMPRESSION=false fi echo "" echo "Set OpenVPN Network used for the connection." echo "" OPENVPN_NETWORK="" echononl "OpenVPN Network: " read OPENVPN_NETWORK while [ "X$OPENVPN_NETWORK" = "X" ] ; do echo -e "\n\t\033[33m\033[1mSetting 'OpenVPN Server' is required!\033[m\n" echononl "OpenVPN Network: " read OPENVPN_NETWORK done OPENVPN_SERVER_IP="${OPENVPN_NETWORK%.*}.1" echo "" echo -e "\033[32m--\033[m" echo "" echo "" echo -e "\033[32m--\033[m" echo "" echo "" echo "Networks to push from OpenVPN server to the client" echo "" echo " - use CIDR notation" echo " - multiple networks are possible: use blank separated list of CIDR-networks" echo "" echo -e "Type \"\033[33mNone\033[m\" if no network should be pushed from OpenVPN server." echo "" REMOTE_NETWORKS="" declare -a REMOTE_NETWORK_ARR=() echononl "Networks to push from server: " while [[ "X$REMOTE_NETWORKS" = "X" ]] ; do read REMOTE_NETWORKS _to_lower_remote_networks="$(trim ${REMOTE_NETWORKS,,})" if [[ "$_to_lower_remote_networks" = "none" ]]; then REMOTE_NETWORKS="" break fi if [[ "X$REMOTE_NETWORKS" = "X" ]] ; then echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" echononl "Networks to push from server: " continue fi for _net in ${REMOTE_NETWORKS} ; do IFS='/' read -a _net_arr <<< "${_net}" if ! is_valid_ipv4 ${_net_arr[0]} ; then REMOTE_NETWORKS="" REMOTE_NETWORK_ARR=() echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n" echononl "Networks to push from server: " break fi REMOTE_NETWORK_ARR+=("$_net") done done echo "" echo -e "\033[32m--\033[m" echo "" echo "" echo "IP-Address of DNS server to push from OpenVPN server to the client." echo "" echo -e "Type \"\033[33mNone\033[m\" if no DNS Server should be pushed." echo "" DNS_SERVER="" echononl "DNS server to push to clients: " while [[ "X$DNS_SERVER" = "X" ]]; do read DNS_SERVER if [[ "X$DNS_SERVER" = "X" ]]; then echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" echononl "DNS server to pusch to clients" continue else _to_lower_dns_server="$(trim ${DNS_SERVER,,})" if [[ "$_to_lower_dns_server" = "none" ]]; then DNS_SERVER="" break; fi fi done echo "" echo -e "\033[32m--\033[m" echo "" echo "" echo "Default Domain to push from OpenVPN server to the client." echo "" echo -e "Type \"\033[33mNone\033[m\" if no default domain should be pushed." echo "" DEFAULT_DOMAIN="" echononl "Default Domain to push to clients: " while [[ "X$DEFAULT_DOMAIN" = "X" ]]; do read DEFAULT_DOMAIN if [[ "X$DEFAULT_DOMAIN" = "X" ]]; then echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" echononl "Default Domain to pusch to clients" continue else _to_lower_default_domain="$(trim ${DEFAULT_DOMAIN,,})" if [[ "$_to_lower_default_domain" = "none" ]]; then DEFAULT_DOMAIN="" break; fi fi done echo "" echo -e "\033[32m--\033[m" echo "" echo "" echo "Local networks to route through OpenVPN line" echo "" echo " - use CIDR notation" echo " - multiple networks are possible: use blank separated list of CIDR-networks" echo "" echo -e "Type \"\033[33mNone\033[m\" if no network should be pushed from OpenVPN server." echo "" LOCAL_NETWORKS="" declare -a LOCAL_NETWORK_ARR=() echononl "Local networks to route through OpenVPN line: " while [[ "X$LOCAL_NETWORKS" = "X" ]] ; do read LOCAL_NETWORKS _to_lower_local_networks="$(trim ${LOCAL_NETWORKS,,})" if [[ "$_to_lower_local_networks" = "none" ]]; then LOCAL_NETWORKS="" break fi if [[ "X$LOCAL_NETWORKS" = "X" ]] ; then echo -e "\n\t\033[33m\033[1mWrong Entry!\033[m\n" echononl "Local networks to route through OpenVPN line: " continue fi for _net in ${LOCAL_NETWORKS} ; do IFS='/' read -a _net_arr <<< "${_net}" if ! is_valid_ipv4 ${_net_arr[0]} ; then LOCAL_NETWORKS="" LOCAL_NETWORK_ARR=() echo -e "\n\t\033[33m\033[1mNo valid network(s) given!\033[m\n" echononl "Local networks to route through OpenVPN line: " break fi LOCAL_NETWORK_ARR+=("$_net") done done echo "" echo "" if $_only_create_config_file ; then echo -e "\033[1;32mCreate Configuration file for OpenVPN service \033[1;37m$OPENVPN_NAME\033[m " else echo -e "\033[1;32mSettings for installation of \033[1;37mOpenVPN\033[m" fi echo "" echo -e "\tOpenVPN IP-Address/Hostname.........: $OPENVPN_SERVER" echo -e "\tOpenVPN Server.Port.................: $SERVER_PORT" echo "" echo -e "\tOpenVPN Servive Name................: $OPENVPN_NAME" echo -e "\tOpenVPN Base Directory..............: $OPENVPN_BASE_DIR" echo -e "\tOpenVPN 'easy-rsa' Directory........: $EASY_RSA_DIR" echo -e "\tOpenVPN 'ccd' Directory.............: $OPENVPN_CCD_DIR" echo "" echo -e "\tExpiration time ROOT CA.............: $CA_EXPIRE" echo -e "\tExpiration time certificates........: $KEY_EXPIRE" echo -e "\tKey size............................: $KEY_SIZE" echo "" echo -e "\tKEY_COUNTRY.........................: $KEY_COUNTRY" echo -e "\tKEY_PROVINCE........................: $KEY_PROVINCE" echo -e "\tKEY_CITY............................: $KEY_CITY" echo -e "\tKEY_ORG.............................: $KEY_ORG" echo -e "\tKEY_EMAIL...........................: $KEY_EMAIL" echo -e "\tKEY_OU..............................: $KEY_OU" echo "" echo -e "\tKEY_NAME............................: $KEY_NAME" if [[ -n "$KEY_CN" ]] ; then echo -e "\tKEY_CN (Prefix).....................: $KEY_CN" else echo -e "\tKEY_CN (Prefix).....................: \033[33mNone\033[m" fi echo "" if [[ -n "$KEY_ALTNAMES" ]] ; then echo -e "\tKEY_ALTNAMES (Prefix)...............: $KEY_ALTNAMES" else echo -e "\tKEY_ALTNAMES (Prefix)...............: \033[33mNone\033[m" fi echo "" echo -e "\tOpenVPN Network.....................: $OPENVPN_NETWORK" echo -e "\tOpenVPN Server IP-Address...........: $OPENVPN_SERVER_IP" echo "" if [[ -n "$SERVER_CIPHER" ]] ; then echo -e "\tServer cipher setting...............: $SERVER_CIPHER" else echo -e "\tServer cipher setting...............: \033[33mNone\033[m" fi echo -e "\tLZO compression.....................: $LZO_COMPRESSION" echo "" if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then echo -e "\tRemote networks to push to cliente..: ${REMOTE_NETWORK_ARR[@]}" else echo -e "\tRemote networks to push to cliente..: \033[33mNone\033[m" fi if [[ -n "$DNS_SERVER" ]]; then echo -e "\tDNS Server (push from server).......: $DNS_SERVER" else echo -e "\tDNS Server (push from server).......: \033[33mNone\033[m" fi if [[ -n "$DEFAULT_DOMAIN" ]]; then echo -e "\tDefault Domain (push from server)...: $DEFAULT_DOMAIN" else echo -e "\tDefault Domain (push from server)...: \033[33mNone\033[m" fi echo "" if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then echo -e "\tLocal networks to route through VPN.: ${LOCAL_NETWORK_ARR[@]}" else echo -e "\tLocal networks to route through VPN.: \033[33mNone\033[m" fi echo "" if $_only_create_config_file ; then info "Create configuration file for OpenVPN Service \033[37m\033[1m${OPENVPN_NAME}\033[m.." else info "Starting Installation of OpenVPN Service \033[37m\033[1m${OPENVPN_NAME}\033[m.." fi echo -n "To continue type uppercase 'YES': " read OK echo "" if [[ "$OK" != "YES" ]] ; then fatal "Abort by user request - Answer as not 'YES'" fi #--------------------------------------- #----------------------------- # Write Configuration for $OPENVPN_NAME #----------------------------- #--------------------------------------- _openvpn_name_conf_file="${script_dir}/conf/server-${OPENVPN_NAME}.conf" echononl " Write Configuration for OpenVPN Service '$OPENVPN_NAME'" cat << EOF > $_openvpn_name_conf_file 2> $log_file ## - Configuration/Initialization OpenVPN ## - # ==================== # - Some Parameter Settings # ==================== # --- # - Common parameters # --- OPENVPN_SERVER="$OPENVPN_SERVER" SERVER_PORT=$SERVER_PORT OPENVPN_NAME="$OPENVPN_NAME" OPENVPN_BASE_DIR="$OPENVPN_BASE_DIR" # --- # - Parameters OpenVPN Configuration / KEY Creation # --- # - Example: (3*365+366)*8 = 11688 = 32 Jahre # - CA_EXPIRE=11688 # - CA_EXPIRE=$CA_EXPIRE # - Example: (3*365+366)*5 = 7305 = 20 Jahre # - KEY_EXPIRE=7305 # - KEY_EXPIRE=$KEY_EXPIRE KEY_SIZE=$KEY_SIZE KEY_COUNTRY="$KEY_COUNTRY" KEY_PROVINCE="$KEY_PROVINCE" KEY_CITY="$KEY_CITY" KEY_ORG="$KEY_ORG" KEY_EMAIL="${EMAIL_PREFIX}\\@${EMAIL_DOMAIN}" KEY_OU="$KEY_OU" KEY_NAME="$KEY_NAME" EOF if [[ -n "$KEY_CN" ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file KEY_CN="$KEY_CN" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file KEY_CN="none" EOF fi if [[ -n "$KEY_ALTNAMES" ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file KEY_ALTNAMES="$KEY_ALTNAMES" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file KEY_ALTNAMES="none" EOF fi cat << EOF >> $_openvpn_name_conf_file 2> $log_file # --- # - Parameters for Server Configurations # --- EOF if $LZO_COMPRESSION ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file LZO_COMPRESSION="yes" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file LZO_COMPRESSION="no" EOF fi if [[ -n "$SERVER_CIPHER" ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file SERVER_CIPHER="$SERVER_CIPHER" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file SERVER_CIPHER="none" EOF fi cat << EOF >> $_openvpn_name_conf_file 2> $log_file OPENVPN_NETWORK="$OPENVPN_NETWORK" EOF if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file REMOTE_NETWORKS="${REMOTE_NETWORK_ARR[@]}" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file REMOTE_NETWORKS="none" EOF fi if [[ -n "$DNS_SERVER" ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file DNS_SERVER="$DNS_SERVER" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file DNS_SERVER="none" EOF fi if [[ -n "$DEFAULT_DOMAIN" ]] ; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file DEFAULT_DOMAIN="$DEFAULT_DOMAIN" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file DEFAULT_DOMAIN="none" EOF fi if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then cat << EOF >> $_openvpn_name_conf_file 2> $log_file LOCAL_NETWORKS="${LOCAL_NETWORK_ARR[@]}" EOF else cat << EOF >> $_openvpn_name_conf_file 2> $log_file LOCAL_NETWORKS="none" EOF fi if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fatal "$(cat $log_file)" fi if $_only_create_config_file ; then info "Configuration filr for OpenVPN Service \033[1;37m$OPENVPN_NAME\033[m was written \n to file \033[1;37m$_openvpn_name_conf_file\033[m." clean_up 0 fi #--------------------------------------- #----------------------------- # Start Installation #----------------------------- #--------------------------------------- check_string_ps="" check_string_ps_plus="" if [[ -f "$openvpn_binary" ]] ; then check_string_ps="$openvpn_binary" check_string_ps_plus="--daemon" fi if [[ -n "$check_string_ps" ]]; then echononl " Stopping OpenVPN Daemon" PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}') if [[ "X${PID}" = "X" ]]; then echo_skipped else if $systemd_supported ; then $systemctl stop $service_name > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat $log_file)" else echo_ok fi else $init_script stop > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat $log_file)" else echo_ok fi fi fi fi # - Install needed debian packages # - echononl " Install needed debian packages.." needed_debian_packages="" for _pkg in $_needed_debian_packages ; do if aptitude search "$_pkg" | grep " $_pkg " | grep -e "^i" > /dev/null 2>&1 ; then continue else needed_debian_packages="$needed_debian_packages $_pkg" fi done if [[ -n "$needed_debian_packages" ]]; then DEBIAN_FRONTEND=noninteractive apt-get -y install $needed_debian_packages > /dev/null 2> "$log_file" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed fatal "$(cat $log_file)" fi else echo_skipped fi # - Make the package included scripts available in directory # - "/etc/openvpn/easy-rsa" # - echononl " Backup directory '${EASY_RSA_DIR}'.." if [[ -d "$EASY_RSA_DIR" ]]; then mv $EASY_RSA_DIR ${EASY_RSA_DIR}.$_date > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create directory '${EASY_RSA_DIR}'.." /usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create key directory # - echononl " Backup key directory '${OPENVPN_BASE_DIR}/keys'.." if [[ -d "${OPENVPN_BASE_DIR}/keys" ]]; then mv ${OPENVPN_BASE_DIR}/keys ${OPENVPN_BASE_DIR}/keys.$_date > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create key directory '${OPENVPN_BASE_DIR}/keys'.." mkdir ${OPENVPN_BASE_DIR}/keys > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Change permissions (700) in directory '${OPENVPN_BASE_DIR}/keys'.." chmod 700 "${OPENVPN_BASE_DIR}/keys" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create Log Directory # - openvpn_log_dir="/var/log/openvpn" echononl " Create log directoy '${openvpn_log_dir}'" if [[ -d "${openvpn_log_dir}" ]] ; then echo_skipped else mkdir /var/log/openvpn > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi # - Backup existing 'ccd' directory # - echononl " Backup directory '${OPENVPN_BASE_DIR}/ccd'.." if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]] ; then mv "${OPENVPN_BASE_DIR}/ccd" "${OPENVPN_BASE_DIR}/ccd.${_date}" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi # - Create Directory 'ccd' # - echononl " Create log directoy '${OPENVPN_BASE_DIR}/ccd'" if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]] ; then echo_skipped else mkdir "${OPENVPN_BASE_DIR}/ccd" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi # - Backup file keys-created.txt # - echononl " Backup file '${OPENVPN_BASE_DIR}/keys-created.txt" if [[ -f "${OPENVPN_BASE_DIR}/keys-created.txt" ]]; then mv "${OPENVPN_BASE_DIR}/keys-created.txt" "${OPENVPN_BASE_DIR}/keys-created.txt.${_date}" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi # - Adjust /etc/default/openvpn # - # - AUTOSTART="all" # - _file="/etc/default/openvpn" echononl " Adjust '/etc/default/openvpn'. Set AUTOSTART=\"all\"" if ! grep -i -q -E "^\s*AUTOSTART=\"all\"" ${_file} ; then if grep -i -q -E "^\s*#\s*AUTOSTART=\"all\"" ${_file} ; then perl -i -n -p -e "s/^(\s*#\s*AUTOSTART=\"all\".*)/##\1\nAUTOSTART=\"all\"/" ${_file} > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo "" >> ${_file} echo "AUTOSTART=\"all\"" >> ${_file} if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi fi else echo_skipped fi # - Adjust /etc/openvpn/easy-rsa/vars # - # - add: # - export BASE_DIR=$OPENVPN_BASE_DIR # - # - replace: # - export EASY_RSA=\$BASE_DIR/easy_rsa # - export KEY_DIR=\$BASE_DIR/keys # - # - export KEY_SIZE=$KEY_SIZE # - # - # root CA expires in 30 years (= 10950 days) # - export CA_EXPIRE=$CA_EXPIRE # - # - # certificates expires in 20 years (=7300 days) # - export KEY_EXPIRE=$KEY_EXPIRE # - # - export KEY_COUNTRY="$KEY_COUNTRY" # - export KEY_PROVINCE="$KEY_PROVINCE" # - export KEY_CITY="$KEY_CITY" # - export KEY_ORG="$KEY_ORG" # - export KEY_EMAIL="$KEY_EMAIL" # - export KEY_OU="$KEY_OU" # - # - export KEY_NAME="$KEY_NAME" # - # - #export KEY_CN="$KEY_CN" # - _failed=false echononl " Adjust '${EASY_RSA_DIR}/vars'.." perl -i.$_date -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"\\\$BASE_DIR/keys\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EXPIRE=.*)/##\1\nexport KEY_EXPIRE=$KEY_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${EMAIL_PREFIX}\@${EMAIL_DOMAIN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi echo -e "\nexport KEY_ALTNAMES=\"$KEY_ALTNAMES\"" >> ${EASY_RSA_DIR}/vars 2> "$log_file" if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat $log_file)" else echo_ok fi #--------------------------------------- #----------------------------- # Initial Setup OpenVPN (Root ca / Server key /..) #----------------------------- #--------------------------------------- echo "" # - source file vars # - echononl " Load configuration '${EASY_RSA_DIR}/vars'.." source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi if [[ ! -f "$KEY_CONFIG" ]] ; then echononl " Create Symlink '$(basename $KEY_CONFIG)'.." if [[ -f "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" ]]; then ln -s "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" "$KEY_CONFIG" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fatal "No OpenSSL configuration file present!" fi else fatal "No OpenSSL configuration file present!" fi fi _failed=false OPENSSL_CONFIG_FILE="$(realpath "$KEY_CONFIG")" echononl " Adjust '$OPENSSL_CONFIG_FILE'.." perl -i.ORIG -n -p -e "s/^(\s*default_days\s*=.*)/#\1\ndefault_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi perl -i -n -p -e "s/^(\s*default_crl_days\s*=.*)/#\1\ndefault_crl_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then _failed=true fi if $_failed ; then echo_failed error "$(cat $log_file)" else echo_ok fi # --- # - Create Keys and Certs # --- echo "" echo -e "\033[32m--\033[m" echo "Create Keys and Certs .." echo -e "\033[32m--\033[m" echo "" # - Create file 'serial' with value '01' - the serial for the next # - created certificate # - echononl " Create '${OPENVPN_BASE_DIR}/keys/serial'.." echo "01" > "${OPENVPN_BASE_DIR}/keys/serial" 2> "$log_file" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create empty file index.txt at key-directory # - echononl " Create empty file '${OPENVPN_BASE_DIR}/keys/index.txt'.." touch $OPENVPN_BASE_DIR/keys/index.txt if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create Root CA # - echononl " Create Root CA.." printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Build Diffie-Hellman parameters for the server side # - of an SSL/TLS connection. # . echononl " Build Diffie-Hellman parameter (dh key).." #${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1 cp /home/chris/dh4096.pem $OPENVPN_BASE_DIR/keys/ > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Build Sever Key # - #echononl " Create Sever Key" echo "" echo -e " \033[32mNow create the server key. Tis procedure works interactive.\033[m" echo -e " Use \033[37m\033[1m${KEY_CN}-server\033[m as 'commonName'" echo "" echononl "Type to continue: " read ok echo "" ${EASY_RSA_DIR}/build-key-server server if [[ $? -eq 0 ]] ; then info "Building server key was successfully." else error "Building server key failed!" fi echo "" echononl "Type to continue: " read ok echo "" #printf "\n\n\n\n\n${KEY_CN}-server\n\n\n\ny\ny\n" | ${EASY_RSA_DIR}/build-key-server server # - For extra security beyond that provided # - by SSL/TLS, create an "HMAC firewall" # - to help block DoS attacks and UDP port flooding. # - echononl " Create 'ta.key' for additional security" openvpn --genkey --secret ${OPENVPN_BASE_DIR}/keys/ta.key > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # - Create empty CRL (Certificate Revokation List) # - echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.." openssl ca -gencrl -out ${OPENVPN_BASE_DIR}/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echononl " Create symlink for '${OPENVPN_BASE_DIR}/keys/crl.pem'.." ln -s ../crl.pem ${OPENVPN_BASE_DIR}/keys/crl.pem > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi # ---- # - Create server configurations # ---- echo "" echo -e "\033[32m--\033[m" echo "Server configurations .." echo -e "\033[32m--\033[m" echo "" echononl " Backup Client configuration directory '$OPENVPN_CCD_DIR'" if [[ -d "$OPENVPN_CCD_DIR" ]]; then mv "$OPENVPN_CCD_DIR" "${OPENVPN_CCD_DIR}.$_date" if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create Client configuration directory '$OPENVPN_CCD_DIR'" mkdir "$OPENVPN_CCD_DIR" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi #--------------------------------------- #----------------------------- # Write Server Configuration for $OPENVPN_NAME #----------------------------- #--------------------------------------- _server_conf_file="/etc/openvpn/server-${OPENVPN_NAME}.conf" echononl " Backup file $_server_conf_file" if [[ -f "$_server_conf_file" ]] ; then mv "$_server_conf_file" "${_server_conf_file}.$_date" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi else echo_skipped fi echononl " Create configuration '${_server_conf_file}" cat < ${_server_conf_file} 2> "$log_file" ################################################# # Sample OpenVPN 2.0 config file for # # multi-client server. # # # # This file is for the server side # # of a many-clients <-> one-server # # OpenVPN configuration. # # # # OpenVPN also supports # # single-machine <-> single-machine # # configurations (See the Examples page # # on the web site for more info). # # # # This config should work on Windows # # or Linux/BSD systems. Remember on # # Windows to quote pathnames and use # # double backslashes, e.g.: # # "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key" # # # # Comments are preceded with '#' or ';' # ################################################# # Which local IP address should OpenVPN # listen on? (optional) ;local a.b.c.d # Which TCP/UDP port should OpenVPN listen on? # If you want to run multiple OpenVPN instances # on the same machine, use a different port # number for each one. You will need to # open up this port on your firewall. port $SERVER_PORT # TCP or UDP server? ;proto tcp proto udp topology subnet EOF if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then for _local_network in ${LOCAL_NETWORK_ARR[@]} ; do IFS='/' read -a _net_arr <<< "${_local_network}" if [[ -n ${_net_arr[1]} ]]; then _netmask=$(cidr2mask ${_net_arr[1]}) else _netmask="255.255.255.0" fi cat <> ${_server_conf_file} 2>> "$log_file" route ${_net_arr[0]} $_netmask $OPENVPN_SERVER_IP EOF done fi cat <> ${_server_conf_file} 2>> "$log_file" # "dev tun" will create a routed IP tunnel, # "dev tap" will create an ethernet tunnel. # Use "dev tap" if you are ethernet bridging. # If you want to control access policies # over the VPN, you must create firewall # rules for the the TUN/TAP interface. # On non-Windows systems, you can give # an explicit unit number, such as tun0. # On Windows, use "dev-node" for this. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun # Enable TUN IPv6 module ;tun-ipv6 # Windows needs the TAP-Win32 adapter name # from the Network Connections panel if you # have more than one. On XP SP2 or higher, # you may need to selectively disable the # Windows firewall for the TAP adapter. # Non-Windows systems usually don't need this. ;dev-node MyTap # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca ${OPENVPN_BASE_DIR}/keys/ca.crt cert ${OPENVPN_BASE_DIR}/keys/server.crt key ${OPENVPN_BASE_DIR}/keys/server.key # This file should be kept secret # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 # Substitute 2048 for 1024 if you are using # 2048 bit keys. dh ${OPENVPN_BASE_DIR}/keys/dh${KEY_SIZE}.pem # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 10.8.0.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 10.8.0.1. Comment this line out if you are # ethernet bridging. See the man page for more info. ;server 10.8.0.0 255.255.255.0 ;server-ipv6 2a01:30:1fff:fd00::/64 server $OPENVPN_NETWORK 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt # Configure server mode for ethernet bridging. # You must first use your OS's bridging capability # to bridge the TAP interface with the ethernet # NIC interface. Then you must manually set the # IP/netmask on the bridge interface, here we # assume 10.8.0.4/255.255.255.0. Finally we # must set aside an IP range in this subnet # (start=10.8.0.50 end=10.8.0.100) to allocate # to connecting clients. Leave this line commented # out unless you are ethernet bridging. ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. ;push "route 10.8.0.0 255.255.255.0" EOF if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do IFS='/' read -a _net_arr <<< "${_remote_network}" if [[ -n ${_net_arr[1]} ]]; then _netmask=$(cidr2mask ${_net_arr[1]}) else _netmask="255.255.255.0" fi cat <> ${_server_conf_file} 2>> "$log_file" push "route ${_net_arr[0]} $_netmask" EOF done fi cat <> ${_server_conf_file} 2>> "$log_file" # To assign specific IP addresses to specific # clients or if a connecting client has a private # subnet behind it that should also have VPN access, # use the subdirectory "ccd" for client-specific # configuration files (see man page for more info). client-config-dir $OPENVPN_CCD_DIR # --- # EXAMPLE: Suppose the client # having the certificate common name "Thelonious" # also has a small subnet behind his connecting # machine, such as 192.168.40.128/255.255.255.248. # First, uncomment out these lines: ;client-config-dir /etc/openvpn/ccd ;route 192.168.40.128 255.255.255.248 # Then create a file ccd/Thelonious with this line: # iroute 192.168.40.128 255.255.255.248 # This will allow Thelonious' private subnet to # access the VPN. This example will only work # if you are routing, not bridging, i.e. you are # using "dev tun" and "server" directives. # --- # --- # EXAMPLE: Suppose you want to give # Thelonious a fixed VPN IP address of 10.9.0.1. # First uncomment out these lines: ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 # Then add this line to ccd/Thelonious: # ifconfig-push 10.9.0.1 10.9.0.2 # --- # --- # Suppose that you want to enable different # firewall access policies for different groups # of clients. There are two methods: # (1) Run multiple OpenVPN daemons, one for each # group, and firewall the TUN/TAP interface # for each group/daemon appropriately. # (2) (Advanced) Create a script to dynamically # modify the firewall in response to access # from different clients. See man # page for more info on learn-address script. ;learn-address ./script # --- # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN # (The OpenVPN server machine may need to NAT # the TUN/TAP interface to the internet in # order for this to work properly). # CAVEAT: May break client's network config if # client's local DHCP server packets get routed # through the tunnel. Solution: make sure # client's local DHCP server is reachable via # a more specific route than the default route # of 0.0.0.0/0.0.0.0. ;push "redirect-gateway" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. CAVEAT: # http://openvpn.net/faq.html#dhcpcaveats ;push "dhcp-option WINS 10.8.0.1" EOF if [[ -n "$DNS_SERVER" ]]; then cat <> ${_server_conf_file} 2>> "$log_file" push "dhcp-option DNS ${DNS_SERVER}" EOF fi if [[ -n "$DEFAULT_DOMAIN" ]]; then cat <> ${_server_conf_file} 2>> "$log_file" push "dhcp-option DOMAIN ${DEFAULT_DOMAIN}" EOF fi cat <> ${_server_conf_file} 2>> "$log_file" # Uncomment this directive to allow different # clients to be able to "see" each other. # By default, clients will only see the server. # To force clients to only see the server, you # will also need to appropriately firewall the # server's TUN/TAP interface. client-to-client # Uncomment this directive if multiple clients # might connect with the same certificate/key # files or common names. This is recommended # only for testing purposes. For production use, # each client should have its own certificate/key # pair. # # IF YOU HAVE NOT GENERATED INDIVIDUAL # CERTIFICATE/KEY PAIRS FOR EACH CLIENT, # EACH HAVING ITS OWN UNIQUE "COMMON NAME", # UNCOMMENT THIS LINE OUT. ;duplicate-cn # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an "HMAC firewall" # to help block DoS attacks and UDP port flooding. # # Generate with: # openvpn --genkey --secret ta.key # # The server and each client must have # a copy of this key. # The second parameter should be '0' # on the server and '1' on the clients. ;tls-auth ta.key 0 # This file is secret tls-auth ${OPENVPN_BASE_DIR}/keys/ta.key 0 # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES EOF if [[ -n "$SERVER_CIPHER" ]]; then cat <> ${_server_conf_file} 2>> "$log_file" cipher $SERVER_CIPHER EOF fi cat <> ${_server_conf_file} 2>> "$log_file" # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. ;comp-lzo EOF if $LZO_COMPRESSION ; then cat <> ${_server_conf_file} 2>> "$log_file" comp-lzo EOF fi cat <> ${_server_conf_file} 2>> "$log_file" # The maximum number of concurrently connected # clients we want to allow. ;max-clients 100 # It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # # You can uncomment this out on # non-Windows systems. user nobody group nogroup # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun persist-local-ip persist-remote-ip # Output a short status file showing # current connections, truncated # and rewritten every minute. ;status openvpn-status.log status /var/log/openvpn/status-server-${OPENVPN_NAME}.log # By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the "\Program Files\OpenVPN\log" directory). # Use log or log-append to override this default. # "log" will truncate the log file on OpenVPN startup, # while "log-append" will append to it. Use one # or the other (but not both). ;log-append openvpn.log ;log openvpn.log log /var/log/openvpn/server-${OPENVPN_NAME}.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 1 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. ;mute 20 # CRL (certificate revocation list) verification crl-verify ${OPENVPN_BASE_DIR}/crl.pem EOF if [[ $? -eq 0 ]] ; then echo_ok else echo_failed error "$(cat $log_file)" fi echo "" # - Start OpenVPN Service # - echononl " Start OpenVPN Service" if $systemd_supported ; then $systemctl start $service_name > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat $log_file)" else echo_ok fi else $init_script start > "$log_file" 2>&1 if [[ $? -ne 0 ]]; then echo_failed error "$(cat $log_file)" else echo_ok fi fi # - See if OpenVPN Service is running/has started # check_string_ps="$openvpn_binary" check_string_ps_plus="--daemon" sleep 2 PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}') if [[ "X${PID}" = "X" ]]; then warn "\033[37m\033[1mOpenVPN Service is NOT running.\033[m\n Maybe you have to restart the machine in order to start openvpn daemon." fi echo "" clean_up 0