CentOS support and other improvements

This commit is contained in:
Nyr 2015-02-11 19:51:19 +01:00
parent a256194ecb
commit fad088013c
2 changed files with 89 additions and 40 deletions


@ -1,7 +1,7 @@
##openvpn-install ##openvpn-install
OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian-based distros. OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian, Ubuntu and CentOS.
This script will let you setup your own VPN server in no more than one minute, even if you haven't used OpenVPN before. It isn't bulletproof but it has been designed to be as unobtrusive and universal as possible. This script will let you setup your own VPN server in no more than a minute, even if you haven't used OpenVPN before. It isn't bulletproof but has been designed to be as unobtrusive and universal as possible.
###Installation ###Installation
Run the script and follow the assistant: Run the script and follow the assistant:
@ -17,4 +17,4 @@ If you don't care about sharing an IP address with more people, check out the aw
###Donations ###Donations
If you want to show your appreciation for the time saved, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [Bitcoin](https://www.coinbase.com/Nyr). Thanks! If you want to show your appreciation, you can donate via [PayPal](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=VBAYDL34Z7J6L) or [Bitcoin](https://www.coinbase.com/Nyr). Thanks!


@ -1,9 +1,11 @@
#!/bin/bash #!/bin/bash
# OpenVPN road warrior installer for Debian-based distros # OpenVPN road warrior installer for Debian, Ubuntu and CentOS
# This script will only work on Debian-based systems. It isn't bulletproof but # This script will work on Debian, Ubuntu, CentOS and probably other distros
# it will probably work if you simply want to setup a VPN on your Debian/Ubuntu # of the same families, although no support is offered for them. It isn't
# VPS. It has been designed to be as unobtrusive and universal as possible. # bulletproof but it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
# universal as possible.
if [[ "$USER" != 'root' ]]; then if [[ "$USER" != 'root' ]]; then
@ -18,14 +20,27 @@ if [[ ! -e /dev/net/tun ]]; then
fi fi
if [[ ! -e /etc/debian_version ]]; then if grep -q "CentOS release 5" "/etc/redhat-release"; then
echo "Looks like you aren't running this installer on a Debian-based system" echo "CentOS 5 is too old and not supported"
exit
fi
if [[ -e /etc/debian_version ]]; then
OS=debian
RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos
RCLOCAL='/etc/rc.d/rc.local'
# Needed for CentOS 7
chmod +x /etc/rc.d/rc.local
else
echo "Looks like you aren't running this installer on a Debian, Ubuntu or CentOS system"
exit exit
fi fi
newclient () { newclient () {
# Generates the client.ovpn # Generates the client.ovpn
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/$1.ovpn cp /usr/share/doc/openvpn*/*ample*/sample-config-files/client.conf ~/$1.ovpn
sed -i "/ca ca.crt/d" ~/$1.ovpn sed -i "/ca ca.crt/d" ~/$1.ovpn
sed -i "/cert client.crt/d" ~/$1.ovpn sed -i "/cert client.crt/d" ~/$1.ovpn
sed -i "/key client.key/d" ~/$1.ovpn sed -i "/key client.key/d" ~/$1.ovpn
@ -40,11 +55,20 @@ newclient () {
echo "</key>" >> ~/$1.ovpn echo "</key>" >> ~/$1.ovpn
} }
geteasyrsa () {
wget --no-check-certificate -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
tar xzf ~/easy-rsa.tar.gz -C ~/
mkdir -p /etc/openvpn/easy-rsa/2.0/
cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
rm -rf ~/easy-rsa-2.2.2
rm -rf ~/easy-rsa.tar.gz
}
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com) # I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6. # and to avoid getting an IPv6.
IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d: -f2 | awk '{ print $1}' | head -1) IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com) IP=$(wget -qO- ipv4.icanhazip.com)
fi fi
@ -89,26 +113,27 @@ if [[ -e /etc/openvpn/server.conf ]]; then
. /etc/openvpn/easy-rsa/2.0/vars . /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT . /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT
# If it's the first time revoking a cert, we need to add the crl-verify line # If it's the first time revoking a cert, we need to add the crl-verify line
if grep -q "crl-verify" "/etc/openvpn/server.conf"; then if ! grep -q "crl-verify" "/etc/openvpn/server.conf"; then
echo ""
echo "Certificate for client $CLIENT revoked"
else
echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf" echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf"
/etc/init.d/openvpn restart /etc/init.d/openvpn restart
echo ""
echo "Certificate for client $CLIENT revoked"
fi fi
echo ""
echo "Certificate for client $CLIENT revoked"
exit exit
;; ;;
3) 3)
echo "" echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then if [[ "$REMOVE" = 'y' ]]; then
apt-get remove --purge -y openvpn openvpn-blacklist if [[ "$OS" = 'debian' ]]; then
apt-get remove --purge -y openvpn openvpn-blacklist
else
yum remove openvpn -y
fi
rm -rf /etc/openvpn rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn rm -rf /usr/share/doc/openvpn*
sed -i '/--dport 53 -j REDIRECT --to-port/d' /etc/rc.local sed -i '/--dport 53 -j REDIRECT --to-port/d' $RCLOCAL
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' $RCLOCAL
echo "" echo ""
echo "OpenVPN removed!" echo "OpenVPN removed!"
else else
@ -158,17 +183,19 @@ else
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
apt-get update if [[ "$OS" = 'debian' ]]; then
apt-get install openvpn iptables openssl -y apt-get update
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn apt-get install openvpn iptables openssl -y
# easy-rsa isn't available by default for Debian Jessie and newer cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
if [[ ! -d /etc/openvpn/easy-rsa/2.0/ ]]; then # easy-rsa isn't available by default for Debian Jessie and newer
wget --no-check-certificate -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz if [[ ! -d /etc/openvpn/easy-rsa/2.0/ ]]; then
tar xzf ~/easy-rsa.tar.gz -C ~/ geteasyrsa
mkdir -p /etc/openvpn/easy-rsa/2.0/ fi
cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/ else
rm -rf ~/easy-rsa-2.2.2 # Else, the distro is CentOS
rm -rf ~/easy-rsa.tar.gz yum install epel-release -y
yum install openvpn iptables openssl wget -y
geteasyrsa
fi fi
cd /etc/openvpn/easy-rsa/2.0/ cd /etc/openvpn/easy-rsa/2.0/
# Let's fix one thing first... # Let's fix one thing first...
@ -193,8 +220,10 @@ else
# DH params # DH params
. /etc/openvpn/easy-rsa/2.0/build-dh . /etc/openvpn/easy-rsa/2.0/build-dh
# Let's configure the server # Let's configure the server
cd /usr/share/doc/openvpn/examples/sample-config-files cd /usr/share/doc/openvpn*/*ample*/sample-config-files
gunzip -d server.conf.gz if [[ "$OS" = 'debian' ]]; then
gunzip -d server.conf.gz
fi
cp server.conf /etc/openvpn/ cp server.conf /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/keys cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn
@ -234,22 +263,42 @@ else
# Listen at port 53 too if user wants that # Listen at port 53 too if user wants that
if [[ "$ALTPORT" = 'y' ]]; then if [[ "$ALTPORT" = 'y' ]]; then
iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT
sed -i "1 a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local sed -i "1 a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" $RCLOCAL
fi fi
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf if [[ "$OS" = 'debian' ]]; then
sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
else
# CentOS 5 and 6
sed -i 's|net.ipv4.ip_forward = 0|net.ipv4.ip_forward = 1|' /etc/sysctl.conf
# CentOS 7
if ! grep -q "net.ipv4.ip_forward=1" "/etc/sysctl.conf"; then
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi
fi
# Avoid an unneeded reboot # Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
# Set iptables # Set iptables
if [[ "$INTERNALNETWORK" = 'y' ]]; then if [[ "$INTERNALNETWORK" = 'y' ]]; then
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
else else
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
fi fi
# And finally, restart OpenVPN # And finally, restart OpenVPN
/etc/init.d/openvpn restart if [[ "$OS" = 'debian' ]]; then
/etc/init.d/openvpn restart
else
# Little hack to check for systemd
if pidof systemd; then
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
else
service openvpn restart
chkconfig openvpn on
fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit # Try to detect a NATed connection and ask about it to potential LowEndSpirit
# users # users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com) EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
@ -266,7 +315,7 @@ else
fi fi
# IP/port set on the default client.conf so we can add further users # IP/port set on the default client.conf so we can add further users
# without asking for them # without asking for them
sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn*/*ample*/sample-config-files/client.conf
# Generate the client.ovpn # Generate the client.ovpn
newclient "$CLIENT" newclient "$CLIENT"
echo "" echo ""
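Review bot: The new geteasyrsa function fetches the easy-rsa 2.2.2 tarball with `--no-check-certificate`, so the archive that goes on to generate the CA key and sign every server and client certificate is accepted from anyone who can answer for github.com on the path, and neither wget's exit status nor the archive's content is checked before it is unpacked and copied into /etc/openvpn/easy-rsa/2.0/. Unless there is a known reason the system CA bundle cannot validate github.com, the flag can simply be dropped and the download checked: `wget -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz || exit 1`. Because the version is fixed at 2.2.2, pinning the content is cheap: `echo "<sha256-of-easy-rsa-2.2.2-tar.gz>  $HOME/easy-rsa.tar.gz" | sha256sum -c - || exit 1` placed before the `tar xzf`, with the digest kept as a readonly constant at the top of the script. This retrieval existed in the Debian-only branch before the commit; moving it into a function that CentOS now also relies on is the natural point to harden it, since a tampered tarball here compromises the whole PKI rather than a single install step.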