Improved code (#243)

Sayem Chowdhury 2018-07-15 15:25:59 +06:00 committed by Angristan
parent 63ac18075d
commit 5501de73c8


@ -4,16 +4,19 @@
# https://github.com/Angristan/OpenVPN-install # https://github.com/Angristan/OpenVPN-install
# Verify root
if [[ "$EUID" -ne 0 ]]; then if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root" echo "Sorry, you need to run this as root"
exit 1 exit 1
fi fi
# Verify tun
if [[ ! -e /dev/net/tun ]]; then if [[ ! -e /dev/net/tun ]]; then
echo "TUN is not available" echo "TUN is not available"
exit 2 exit 2
fi fi
# Check if CentOS 5
if grep -qs "CentOS release 5" "/etc/redhat-release"; then if grep -qs "CentOS release 5" "/etc/redhat-release"; then
echo "CentOS 5 is too old and not supported" echo "CentOS 5 is too old and not supported"
exit 3 exit 3
@ -22,7 +25,7 @@ fi
if [[ -e /etc/debian_version ]]; then if [[ -e /etc/debian_version ]]; then
OS="debian" OS="debian"
# Getting the version number, to verify that a recent version of OpenVPN is available # Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") VERSION_ID=$(grep "VERSION_ID" /etc/os-release)
IPTABLES='/etc/iptables/iptables.rules' IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf' SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]]; then
@ -33,7 +36,7 @@ if [[ -e /etc/debian_version ]]; then
echo "then you can continue, a recent version of OpenVPN is available on these." echo "then you can continue, a recent version of OpenVPN is available on these."
echo "Keep in mind they are not supported, though." echo "Keep in mind they are not supported, though."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e CONTINUE read -rp "Continue ? [y/n]: " -e CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !" echo "Ok, bye !"
@ -59,28 +62,33 @@ fi
newclient () { newclient () {
# Where to write the custom client.ovpn? # Where to write the custom client.ovpn?
if [ -e /home/$1 ]; then # if $1 is a user name if [ -e "/home/$1" ]; then # if $1 is a user name
homeDir="/home/$1" homeDir="/home/$1"
elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER elif [ "${SUDO_USER}" ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}" homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root else # if not SUDO_USER, use /root
homeDir="/root" homeDir="/root"
fi fi
# Generates the custom client.ovpn # Generates the custom client.ovpn
cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn cp /etc/openvpn/client-template.txt "$homeDir/$1.ovpn"
echo "<ca>" >> $homeDir/$1.ovpn {
cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn echo "<ca>"
echo "</ca>" >> $homeDir/$1.ovpn cat "/etc/openvpn/easy-rsa/pki/ca.crt"
echo "<cert>" >> $homeDir/$1.ovpn echo "</ca>"
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
echo "</cert>" >> $homeDir/$1.ovpn echo "<cert>"
echo "<key>" >> $homeDir/$1.ovpn cat "/etc/openvpn/easy-rsa/pki/issued/$1.crt"
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn echo "</cert>"
echo "</key>" >> $homeDir/$1.ovpn
echo "key-direction 1" >> $homeDir/$1.ovpn echo "<key>"
echo "<tls-auth>" >> $homeDir/$1.ovpn cat "/etc/openvpn/easy-rsa/pki/private/$1.key"
cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn echo "</key>"
echo "</tls-auth>" >> $homeDir/$1.ovpn echo "key-direction 1"
echo "<tls-auth>"
cat "/etc/openvpn/tls-auth.key"
echo "</tls-auth>"
} >> "$homeDir/$1.ovpn"
} }
# Get Internet network interface with default route # Get Internet network interface with default route
@ -94,22 +102,27 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "" echo ""
echo "Looks like OpenVPN is already installed" echo "Looks like OpenVPN is already installed"
echo "" echo ""
echo "What do you want to do?" echo "What do you want to do?"
echo " 1) Add a cert for a new user" echo " 1) Add a cert for a new user"
echo " 2) Revoke existing user cert" echo " 2) Revoke existing user cert"
echo " 3) Remove OpenVPN" echo " 3) Remove OpenVPN"
echo " 4) Exit" echo " 4) Exit"
read -p "Select an option [1-4]: " option read -rp "Select an option [1-4]: " option
case $option in case $option in
1) 1)
echo "" echo ""
echo "Tell me a name for the client cert" echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i newclient CLIENT read -rp "Client name: " -e -i newclient CLIENT
cd /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa/ || return
./easyrsa build-client-full $CLIENT nopass ./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn # Generates the custom client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
echo "" echo ""
echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn" echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
exit exit
@ -121,16 +134,18 @@ if [[ -e /etc/openvpn/server.conf ]]; then
echo "You have no existing clients!" echo "You have no existing clients!"
exit 5 exit 5
fi fi
echo "" echo ""
echo "Select the existing client certificate you want to revoke" echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') ' tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER read -rp "Select one client [1]: " CLIENTNUMBER
else else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p) CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/ || return
./easyrsa --batch revoke $CLIENT ./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -f pki/reqs/$CLIENT.req rm -f pki/reqs/$CLIENT.req
@ -141,6 +156,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
chmod 644 /etc/openvpn/crl.pem chmod 644 /etc/openvpn/crl.pem
rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null rm -f $(find /home -maxdepth 2 | grep $CLIENT.ovpn) 2>/dev/null
rm -f /root/$CLIENT.ovpn 2>/dev/null rm -f /root/$CLIENT.ovpn 2>/dev/null
echo "" echo ""
echo "Certificate for client $CLIENT revoked" echo "Certificate for client $CLIENT revoked"
echo "Exiting..." echo "Exiting..."
@ -148,7 +164,7 @@ if [[ -e /etc/openvpn/server.conf ]]; then
;; ;;
3) 3)
echo "" echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then if pgrep firewalld; then
@ -206,6 +222,7 @@ else
clear clear
echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)" echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
echo "" echo ""
# OpenVPN setup and first user creation # OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup" echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them" echo "You can leave the default options and just press enter if you are ok with them"
@ -213,23 +230,25 @@ else
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to." echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)" echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
echo "Otherwise, it should be your public IPv4 address." echo "Otherwise, it should be your public IPv4 address."
# Autodetect IP address and pre-fill for the user # Autodetect IP address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
read -p "IP address: " -e -i $IP IP read -rp "IP address: " -e -i $IP IP
echo "" echo ""
echo "What port do you want for OpenVPN?" echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT read -rp "Port: " -e -i 1194 PORT
# If $IP is a private IP address, the server must be behind NAT # If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo "" echo ""
echo "This server is behind NAT. What is the public IPv4 address or hostname?" echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -p "Public IP address / hostname: " -e PUBLICIP read -rp "Public IP address / hostname: " -e PUBLICIP
fi fi
echo "" echo ""
echo "What protocol do you want for OpenVPN?" echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)" echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do until [[ "$PROTOCOL" == "UDP" || "$PROTOCOL" == "TCP" ]]; do
read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL read -rp "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
done done
echo "" echo ""
echo "What DNS do you want to use with the VPN?" echo "What DNS do you want to use with the VPN?"
@ -242,8 +261,8 @@ else
echo " 7) Google (Anycast: worldwide)" echo " 7) Google (Anycast: worldwide)"
echo " 8) Yandex Basic (Russia)" echo " 8) Yandex Basic (Russia)"
echo " 9) AdGuard DNS (Russia)" echo " 9) AdGuard DNS (Russia)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" && $DNS != "9" ]]; do until [[ "$DNS" =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 -a "$DNS" -le 9 ]; do
read -p "DNS [1-9]: " -e -i 1 DNS read -rp "DNS [1-9]: " -e -i 1 DNS
done done
echo "" echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about " echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
@ -261,8 +280,8 @@ else
echo " 5) CAMELLIA-192-CBC" echo " 5) CAMELLIA-192-CBC"
echo " 6) CAMELLIA-256-CBC" echo " 6) CAMELLIA-256-CBC"
echo " 7) SEED-CBC" echo " 7) SEED-CBC"
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do until [[ "$CIPHER" =~ ^[0-9]+$ ]] && [ "$CIPHER" -ge 1 -a "$CIPHER" -le 7 ]; do
read -p "Cipher [1-7]: " -e -i 1 CIPHER read -rp "Cipher [1-7]: " -e -i 1 CIPHER
done done
case $CIPHER in case $CIPHER in
1) 1)
@ -292,8 +311,8 @@ else
echo " 1) 2048 bits (fastest)" echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)" echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)" echo " 3) 4096 bits (most secure)"
while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do until [[ "$DH_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$DH_KEY_SIZE" -ge 1 -a "$DH_KEY_SIZE" -le 3 ]; do
read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE read -rp "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
done done
case $DH_KEY_SIZE in case $DH_KEY_SIZE in
1) 1)
@ -311,8 +330,8 @@ else
echo " 1) 2048 bits (fastest)" echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)" echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)" echo " 3) 4096 bits (most secure)"
while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do until [[ "$RSA_KEY_SIZE" =~ ^[0-9]+$ ]] && [ "$RSA_KEY_SIZE" -ge 1 -a "$RSA_KEY_SIZE" -le 3 ]; do
read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE read -rp "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
done done
case $RSA_KEY_SIZE in case $RSA_KEY_SIZE in
1) 1)
@ -329,7 +348,9 @@ else
echo "Finally, tell me a name for the client certificate and configuration" echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do while [[ $CLIENT = "" ]]; do
echo "Please, use one word only, no special characters" echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT read -rp "Client name: " -e -i client CLIENT
# Remove special characters
CLIENT=$(echo $CLIENT | tr -dc '[:alnum:]\n\r')
done done
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
@ -437,8 +458,8 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
echo "Not doing that could cause problems between dependencies, or missing files in repositories." echo "Not doing that could cause problems between dependencies, or missing files in repositories."
echo "" echo ""
echo "Continuing will update your installed packages and install needed ones." echo "Continuing will update your installed packages and install needed ones."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do until [[ $CONTINUE == "y" || $CONTINUE == "n" ]]; do
read -p "Continue ? [y/n]: " -e -i y CONTINUE read -rp "Continue ? [y/n]: " -e -i y CONTINUE
done done
if [[ "$CONTINUE" = "n" ]]; then if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !" echo "Ok, bye !"
@ -472,10 +493,10 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/
rm -f ~/EasyRSA-3.0.4.tgz rm -f ~/EasyRSA-3.0.4.tgz
cd /etc/openvpn/easy-rsa/ cd /etc/openvpn/easy-rsa/ || return
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_CN="cn_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" SERVER_NAME="server_$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 16 | head -n 1)"
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates # Create the PKI, set up the CA, the DH params and the server + client certificates
@ -494,11 +515,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
# Generate server.conf # Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf echo "port $PORT" > /etc/openvpn/server.conf
if [[ "$PROTOCOL" = 'UDP' ]]; then echo "proto $(echo $PROTOCOL | tr '[:upper:]' '[:lower:]')" >> /etc/openvpn/server.conf
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf
fi
echo "dev tun echo "dev tun
user nobody user nobody
group $NOGROUP group $NOGROUP
@ -519,7 +536,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
RESOLVCONF='/etc/resolv.conf' RESOLVCONF='/etc/resolv.conf'
fi fi
# Obtain the resolvers from resolv.conf and use them for OpenVPN # Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done done
;; ;;
@ -556,7 +573,7 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;; ;;
esac esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp" ' >> /etc/openvpn/server.conf
echo "crl-verify crl.pem echo "crl-verify crl.pem
ca ca.crt ca ca.crt
cert $SERVER_NAME.crt cert $SERVER_NAME.crt
@ -581,12 +598,16 @@ verb 3" >> /etc/openvpn/server.conf
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL echo 'net.ipv4.ip_forward=1' >> $SYSCTL
fi fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
# Set NAT for the VPN subnet # Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
# Save persitent iptables rules # Save persitent iptables rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
if pgrep firewalld; then if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with # We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to # the default port. Using both permanent and not permanent rules to
@ -601,6 +622,7 @@ verb 3" >> /etc/openvpn/server.conf
firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then if iptables -L -n | grep -qE 'REJECT|DROP'; then
# If iptables has at least one REJECT rule, we asume this is needed. # If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't # Not the best approach but I can't think of other and this shouldn't
@ -615,6 +637,7 @@ verb 3" >> /etc/openvpn/server.conf
# Save persitent OpenVPN rules # Save persitent OpenVPN rules
iptables-save > $IPTABLES iptables-save > $IPTABLES
fi fi
# If SELinux is enabled and a custom port was selected, we need this # If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then
@ -631,6 +654,7 @@ verb 3" >> /etc/openvpn/server.conf
fi fi
fi fi
fi fi
# And finally, restart OpenVPN # And finally, restart OpenVPN
if [[ "$OS" = 'debian' ]]; then if [[ "$OS" = 'debian' ]]; then
# Little hack to check for systemd # Little hack to check for systemd
@ -663,10 +687,12 @@ verb 3" >> /etc/openvpn/server.conf
chkconfig openvpn on chkconfig openvpn on
fi fi
fi fi
# If the server is behind a NAT, use the correct IP address # If the server is behind a NAT, use the correct IP address
if [[ "$PUBLICIP" != "" ]]; then if [[ "$PUBLICIP" != "" ]]; then
IP=$PUBLICIP IP=$PUBLICIP
fi fi
# client-template.txt is created so we have a template to add further users later # client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'UDP' ]]; then if [[ "$PROTOCOL" = 'UDP' ]]; then