From 7cdd35b28fe4f931d44ade11d414bb007332874b Mon Sep 17 00:00:00 2001
From: bedefaced
Date: Fri, 14 Apr 2017 19:35:14 +0300
Subject: [PATCH] openvpn

---
openvpn/dns.sh | 25 ++
openvpn/env.sh | 20 ++
openvpn/install.sh | 137 ++++++++++++++++++++++
openvpn/iptables-setup.sh | 88 ++++++++++++++
openvpn/openvpn-server-embedded.ovpn.dist | 12 ++
openvpn/openvpn-server.conf.dist | 25 ++
openvpn/openvpn-server.ovpn.dist | 16 +++
openvpn/sysctl.sh | 33 ++++++
8 files changed, 356 insertions(+)
create mode 100755 openvpn/dns.sh
create mode 100755 openvpn/env.sh
create mode 100755 openvpn/install.sh
create mode 100755 openvpn/iptables-setup.sh
create mode 100644 openvpn/openvpn-server-embedded.ovpn.dist
create mode 100644 openvpn/openvpn-server.conf.dist
create mode 100644 openvpn/openvpn-server.ovpn.dist
create mode 100755 openvpn/sysctl.sh
diff --git a/openvpn/dns.sh b/openvpn/dns.sh
new file mode 100755
index 0000000..882a878
--- /dev/null
+++ b/openvpn/dns.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ ! -e $OPENVPNCONFIG ]] || [[ ! -r $OPENVPNCONFIG ]] || [[ ! -w $OPENVPNCONFIG ]]; then
+ echo "$PPPCONFIG is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+DEFAULTDNS1="8.8.8.8"
+DEFAULTDNS2="8.8.4.4"
+
+read -p "Preffered DNS resolver #1: " -e -i $DEFAULTDNS1 DNS1
+: ${DNS1:=$DEFAULTDNS1}
+
+read -p "Preffered DNS resolver #2: " -e -i $DEFAULTDNS2 DNS2
+: ${DNS2:=$DEFAULTDNS2}
+
+sed -i -e "/dhcp-option DNS/d" $OPENVPNCONFIG
+
+echo "push \"dhcp-option DNS $DNS1\"" >> $OPENVPNCONFIG
+echo "push \"dhcp-option DNS $DNS2\"" >> $OPENVPNCONFIG
+
+echo "$OPENVPNCONFIG updated!"
diff --git a/openvpn/env.sh b/openvpn/env.sh
new file mode 100755
index 0000000..938b578
--- /dev/null
+++ b/openvpn/env.sh
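Review bot: The failure message in the access check of dns.sh names `$PPPCONFIG`, a variable this script never sets, so a non-root run prints ` is not exist or not accessible` with an empty path; it should read `echo "$OPENVPNCONFIG is not exist or not accessible (are you root?)" >&2`. The two resolver values are then written into the server config with `echo` after nothing more than an empty-default substitution, so a stray quote or extra text typed at the prompt lands in openvpn-server.conf as additional directives. Since root is the one typing this is a robustness rather than an exposure problem, but a shape check such as `[[ "$DNS1" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "not an IPv4 address: $DNS1" >&2; exit 1; }` (and the same for DNS2) keeps the generated config loadable. `read -r` is also preferable so backslashes in the answer are not interpreted.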
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+SYSCTLCONFIG=/etc/sysctl.conf
+OPENVPNDIR=/etc/openvpn
+OPENVPNCONFIG=$OPENVPNDIR/openvpn-server.conf
+CADIR=$OPENVPNDIR/easy-rsa
+IPTABLES=/etc/iptables.rules
+RCLOCAL=/etc/rc.local
+NOBODYGROUP=nogroup
+
+LOCALPREFIX="172.20"
+LOCALIP="$LOCALPREFIX.0.0"
+LOCALMASK="/24"
+
+LOCALIPMASK="$LOCALIP$LOCALMASK"
+
+IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
+if [[ "$IP" = "" ]]; then
+ IP=$(wget -4qO- "http://whatismyip.akamai.com/")
+fi
diff --git a/openvpn/install.sh b/openvpn/install.sh
new file mode 100755
index 0000000..adcb15a
--- /dev/null
+++ b/openvpn/install.sh
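Review bot: `IP` is taken from the first non-loopback `inet` match in `ip addr` and otherwise from a plaintext HTTP fetch of whatismyip.akamai.com, and nothing checks that the result looks like an address before the sibling scripts splice it into an iptables `SNAT --to-source` argument, the server's `local` directive and every client's `remote` line. Whatever comes back over HTTP, or whichever interface happens to be listed first (on a re-run that may be the VPN's own 172.20.0.1, or a container bridge), is trusted verbatim, so a manipulated response would end up inside commands run as root. Add a shape check after the fallback, e.g. `[[ "$IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "could not determine an IPv4 address" >&2; exit 1; }`, and use an HTTPS lookup for the fallback if one is available. The later "Is this IP static?" prompt shows the value but gives the operator no way to correct it; offering that choice there would cover multi-homed hosts.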
@@ -0,0 +1,137 @@
+#!/usr/bin/env bash
+
+STARTDIR=$(pwd)
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ "$EUID" -ne 0 ]]; then
+ echo "Sorry, you need to run this as root"
+ exit 1
+fi
+
+echo
+echo "Installing OpenVPN..."
+apt-get install openvpn easy-rsa
+
+echo
+echo "Configuring routing..."
+$DIR/sysctl.sh
+
+echo
+echo "Installing configuration files..."
+yes | cp -rf $DIR/openvpn-server.conf.dist $OPENVPNCONFIG
+
+sed -i -e "s@CADIR@$CADIR@g" $OPENVPNCONFIG
+sed -i -e "s@LOCALPREFIX@$LOCALPREFIX@g" $OPENVPNCONFIG
+sed -i -e "s@NOBODYGROUP@$NOBODYGROUP@g" $OPENVPNCONFIG
+
+echo
+echo "Configuring iptables firewall..."
+$DIR/iptables-setup.sh
+
+echo
+echo "Do you want to create routing or bridging OpenVPN mode? "
+echo "More information at: https://community.openvpn.net/openvpn/wiki/309-what-is-the-difference-between-bridging-and-routing"
+echo " 1) routing"
+echo " 2) bridging"
+echo
+read -p "Your choice [1 or 2]: " -e -i 1 MODE
+case $MODE in
+ 1)
+ DEVICE="tun"
+ sed -i -e "s/DEVICE/tun/g" $OPENVPNCONFIG
+ sed -i -e "/server-bridge/d" $OPENVPNCONFIG
+ ;;
+ 2)
+ DEVICE="tap"
+ sed -i -e "s/DEVICE/tap/g" $OPENVPNCONFIG
+ sed -i -e "/server /d" $OPENVPNCONFIG
+ ;;
+ *)
+ echo "Hm... Strange answer..."
+ exit
+ ;;
+esac
+
+echo
+echo "Configuring DNS parameters..."
+$DIR/dns.sh
+
+echo
+echo "Creating server keys..."
+make-cadir $CADIR
+cd $CADIR
+source ./vars
+./clean-all
+./build-ca
+./build-key-server --batch openvpn-server
+./build-dh
+openvpn --genkey --secret ta.key
+
+ADDUSER="no"
+ANSUSER="yes"
+
+echo
+echo "Configuring VPN users..."
+while [ "$ANSUSER" != "$ADDUSER" ];
+do
+ while [[ -z "$LOGIN" ]];
+ do
+ read -p "Enter name: " LOGIN
+ done
+
+ ./build-key --batch $LOGIN
+
+ if [ $? -eq 0 ]; then
+
+ # copy files and OVPN config
+ mkdir "$STARTDIR/$LOGIN"
+ cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$STARTDIR/$LOGIN/"
+
+ DIST="$STARTDIR/$LOGIN/openvpn-server.ovpn"
+ cp $DIR/openvpn-server.ovpn.dist $DIST
+ sed -i -e "s@LOGIN@$LOGIN@g" $DIST
+ sed -i -e "s@IP@$IP@g" $DIST
+ sed -i -e "s@DEVICE@$DEVICE@g" $DIST
+
+ SRC="$STARTDIR/$LOGIN"
+ DIST="$STARTDIR/$LOGIN/openvpn-server-embedded.ovpn"
+ cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
+ sed -i -e "s@IP@$IP@g" $DIST
+ sed -i -e "s@DEVICE@$DEVICE@g" $DIST
+
+ echo "" >> $DIST
+ cat $SRC/ca.crt >> $DIST
+ echo "" >> $DIST
+
+ echo "" >> $DIST
+ cat $SRC/$LOGIN.crt >> $DIST
+ echo "" >> $DIST
+
+ echo "" >> $DIST
+ cat $SRC/$LOGIN.key >> $DIST
+ echo "" >> $DIST
+
+ echo "" >> $DIST
+ cat $SRC/ta.key >> $DIST
+ echo "" >> $DIST
+
+ echo
+ echo "Created directory $STARTDIR/$LOGIN with necessary files."
+ chown -R ${USER:=$(/usr/bin/id -run)}:$USER $STARTDIR/$LOGIN/
+
+ fi
+
+ read -p "Would you want add another user? [no] " ANSUSER
+ : ${ANSUSER:=$ADDUSER}
+done
+
+echo
+echo "Starting OpenVPN..."
+systemctl enable openvpn
+service openvpn restart
+
+echo
+echo "Installation script completed!"
+
diff --git a/openvpn/iptables-setup.sh b/openvpn/iptables-setup.sh
new file mode 100755
index 0000000..f3e6dd0
--- /dev/null
+++ b/openvpn/iptables-setup.sh
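Review bot: `LOGIN` is never cleared between iterations of the user loop in install.sh, so once the first client exists the inner `while [[ -z "$LOGIN" ]]` prompt is skipped and answering "yes" to add another user re-runs `./build-key --batch` for the same name instead of asking for a new one. The name is also used unvalidated as a path component (`mkdir "$STARTDIR/$LOGIN"`, `chown -R ... $STARTDIR/$LOGIN/`), as a sed replacement with `@` as the delimiter and as an unquoted easy-rsa argument, so a value like `../x` or one containing spaces or `@` escapes the output directory or breaks the substitutions. Separately, the copied `$LOGIN.key` and the embedded profile that inlines it are created under the caller's default umask and then handed to `$USER`, which under sudo is typically still root, so the private key can end up group/world readable; a `umask 077` before the copy avoids that. Reset and validate the name at the top of each iteration as below; the rest of the loop body is unchanged.
```shell
while [ "$ANSUSER" != "$ADDUSER" ];
do
  LOGIN=""
  # the name becomes a path component, a sed replacement and an easy-rsa
  # argument, so only allow a conservative character set
  while [[ ! "$LOGIN" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]];
  do
    read -r -p "Enter name: " LOGIN
  done

  umask 077   # client key material written below must not be group/world readable
  ./build-key --batch "$LOGIN"
  # … unchanged: copy keys, render the two .ovpn profiles, chown, prompt …
done
```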
@@ -0,0 +1,88 @@
+#!/usr/bin/env bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+source $DIR/env.sh
+
+if [[ ! -e $IPTABLES ]]; then
+ touch $IPTABLES
+fi
+
+if [[ ! -e $IPTABLES ]] || [[ ! -r $IPTABLES ]] || [[ ! -w $IPTABLES ]]; then
+ echo "$IPTABLES is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+# backup and remove rules with $LOCALIP
+iptables-save > $IPTABLES.backup
+
+IFS=$'\n'
+
+iptablesclear=$(iptables -S -t nat | sed -n -e '/$LOCALPREFIX/p' | sed -e 's/-A/-D/g')
+for line in $iptablesclear
+do
+ cmd="iptables -t nat $line"
+ eval $cmd
+done
+
+# detect default gateway interface
+echo "Found next network interfaces:"
+ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d'
+echo
+GATE=$(route | grep '^default' | grep -o '[^ ]*$')
+read -p "Enter your external network interface: " -i $GATE -e GATE
+
+STATIC="yes"
+read -p "Your external IP is $IP. Is this IP static? [yes] " ANSIP
+: ${ANSIP:=$STATIC}
+
+if [ "$STATIC" == "$ANSIP" ]; then
+ # SNAT
+ sed -i -e "s@PUBLICIP@$IP@g" $OPENVPNCONFIG
+ iptables -t nat -A POSTROUTING -s $LOCALIPMASK -o $GATE -j SNAT --to-source $IP
+else
+ # MASQUERADE
+ sed -i -e "/PUBLICIP/d" $OPENVPNCONFIG
+ iptables -t nat -A POSTROUTING -o $GATE -j MASQUERADE
+fi
+
+DROP="yes"
+read -p "Would you want to disable client-to-client routing? [yes] " ANSDROP
+: ${ANSDROP:=$DROP}
+
+if [ "$DROP" == "$ANSDROP" ]; then
+ # disable forwarding
+ sed -i -e "/client-to-client/d" $OPENVPNCONFIG
+ iptables -I FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ iptables -A FORWARD -i tun+ -o tun+ -j DROP
+ iptables -A FORWARD -i tap+ -o tap+ -j DROP
+else
+ echo "Deleting DROP rules if exists..."
+ iptables -D FORWARD -s $LOCALIPMASK -d $LOCALIPMASK -j DROP
+ iptables -D FORWARD -i tap+ -o tap+ -j DROP
+ iptables -D FORWARD -i tun+ -o tun+ -j DROP
+fi
+
+# MSS Clamping
+iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+
+# TUN/TAP
+iptables -A INPUT -i tun+ -j ACCEPT
+iptables -A INPUT -i tap+ -j ACCEPT
+iptables -A OUTPUT -o tun+ -j ACCEPT
+iptables -A OUTPUT -o tap+ -j ACCEPT
+
+# OpenVPN
+iptables -A INPUT -p udp --dport 1194 -j ACCEPT
+
+iptables-save | awk '($0 !~ /^-A/)||!($0 in a) {a[$0];print}' > $IPTABLES
+
+RESTORPRESENTS=$(grep iptables-restore $RCLOCAL)
+if [ $? -ne 0 ]; then
+ sed -i -e "/exit 0/d" $RCLOCAL
+ echo "iptables-restore < $IPTABLES" >> $RCLOCAL
+ echo "exit 0" >> $RCLOCAL
+fi
+
+iptables -F
+iptables-restore < $IPTABLES
+
diff --git a/openvpn/openvpn-server-embedded.ovpn.dist b/openvpn/openvpn-server-embedded.ovpn.dist
new file mode 100644
index 0000000..ed995b3
--- /dev/null
+++ b/openvpn/openvpn-server-embedded.ovpn.dist
@@ -0,0 +1,12 @@
+client
+dev DEVICE
+persist-key
+persist-tun
+tls-client
+cipher DES-EDE3-CBC
+remote IP
+port 1194
+proto udp
+resolv-retry infinite
+redirect-gateway
+key-direction 1
diff --git a/openvpn/openvpn-server.conf.dist b/openvpn/openvpn-server.conf.dist
new file mode 100644
index 0000000..c9f401c
--- /dev/null
+++ b/openvpn/openvpn-server.conf.dist
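Review bot: The stale-rule cleanup at the top of iptables-setup.sh does not work: `sed -n -e '/$LOCALPREFIX/p'` is single-quoted, so sed searches for the literal text `$LOCALPREFIX` and `iptablesclear` is always empty. Every re-run therefore appends a fresh POSTROUTING rule, and because the later awk pass only drops byte-identical lines, an old `SNAT --to-source` carrying a previous address survives in /etc/iptables.rules ahead of the new one. Rewriting the loop without `eval` (below) fixes the expansion and stops rule text being re-parsed by the shell; the `IFS=$'\n'` line is then unnecessary. Note also that `-A INPUT -i tun+ -j ACCEPT` lets every VPN client reach every service listening on the host, not only the tunnel, and no chain policy is set anywhere, so this script only ever opens ports; that may be intended, but it deserves a comment next to those rules.
```shell
# backup and remove rules with $LOCALIP
iptables-save > "$IPTABLES.backup"

# iptables -S prints rules as "-A CHAIN ..."; flip -A to -D to delete them.
iptables -S -t nat | grep -F -- "$LOCALPREFIX" | sed -e 's/^-A/-D/' |
while IFS= read -r line; do
  IFS=' ' read -r -a words <<<"$line"
  iptables -t nat "${words[@]}"
done
# … unchanged: gateway detection, SNAT/MASQUERADE and client-to-client prompts …
```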
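Review bot: `cipher DES-EDE3-CBC` in openvpn-server-embedded.ovpn.dist selects 3DES, a 64-bit-block cipher for which OpenVPN sessions are a documented target of the Sweet32 birthday attack once enough traffic flows under one key; nothing here requires it, so `cipher AES-256-CBC` with a matching `auth SHA256` is the straightforward replacement, and the same line must change in openvpn-server.conf.dist and openvpn-server.ovpn.dist or clients will fail to negotiate. The profile also lacks `remote-cert-tls server`, so this client accepts any certificate signed by the easy-rsa CA as the server, including the certificate of any other VPN user that install.sh issues; adding that line makes the client demand the server extendedKeyUsage that easy-rsa's `build-key-server` sets by default. Since the CA, certificate, key and tls-auth material appear to be appended by install.sh, the template is not usable on its own and should say so at its top: `# rendered by install.sh: IP/DEVICE are substituted and the inline ca/cert/key/tls-auth blocks are appended`.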
@@ -0,0 +1,25 @@
+mode server
+port 1194
+proto udp
+dev DEVICE
+ca CADIR/keys/ca.crt
+cert CADIR/keys/openvpn-server.crt
+key CADIR/keys/openvpn-server.key
+dh CADIR/keys/dh2048.pem
+tls-server
+tls-auth CADIR/ta.key 0
+server LOCALPREFIX.0.0 255.255.255.0
+server-bridge LOCALPREFIX.0.1 255.255.255.0 LOCALPREFIX.0.10 LOCALPREFIX.0.100
+local PUBLICIP
+client-to-client
+cipher DES-EDE3-CBC
+user nobody
+group NOBODYGROUP
+max-clients 100
+keepalive 10 120
+persist-key
+persist-tun
+push "route-gateway dhcp"
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
diff --git a/openvpn/openvpn-server.ovpn.dist b/openvpn/openvpn-server.ovpn.dist
new file mode 100644
index 0000000..6f63ccd
--- /dev/null
+++ b/openvpn/openvpn-server.ovpn.dist
@@ -0,0 +1,16 @@
+client
+dev DEVICE
+persist-key
+persist-tun
+cipher DES-EDE3-CBC
+remote IP
+port 1194
+proto udp
+resolv-retry infinite
+redirect-gateway
+tls-client
+tls-auth ta.key 1
+ca ca.crt
+cert LOGIN.crt
+key LOGIN.key
+
diff --git a/openvpn/sysctl.sh b/openvpn/sysctl.sh
new file mode 100755
index 0000000..440118a
--- /dev/null
+++ b/openvpn/sysctl.sh
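Review bot: The server template pins the same 64-bit-block cipher, `cipher DES-EDE3-CBC`, and sets no `auth` and no minimum TLS version, so the data channel runs 3DES with the default SHA1 HMAC and a client may negotiate TLS 1.0; replace with `cipher AES-256-CBC`, `auth SHA256` and `tls-version-min 1.2`, keeping the two client templates in step. There is no `crl-verify` line and install.sh offers no revocation step, so once a client's `.ovpn` (which embeds its private key) leaks there is no way to lock that user out short of rebuilding the CA; a comment above the `ca` line recording that limitation would help the operator. `client-to-client` is present by default and only removed when the operator answers "yes" in iptables-setup.sh, which is worth noting here since the template reads as if isolation were not available. `remote-cert-tls client` would additionally stop a server-side peer from accepting the server's own certificate presented by a client.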
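Review bot: The file-based profile openvpn-server.ovpn.dist has no `remote-cert-tls server`, so any certificate signed by the easy-rsa CA is accepted as the server; since every VPN user holds such a certificate, one user positioned on the path can impersonate the server to another. Add `remote-cert-tls server` after `tls-client`; `build-key-server` in install.sh issues the server certificate with the server extendedKeyUsage this check requires. The `cipher DES-EDE3-CBC` line carries the same 64-bit-block (Sweet32) weakness as the other templates and should move to `cipher AES-256-CBC` together with them. `ca ca.crt`, `cert LOGIN.crt` and `key LOGIN.key` are relative, so the profile only works from the directory install.sh creates; a comment saying so, `# paths are relative to the directory holding this file`, would save a support question.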
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ ! -e $SYSCTLCONFIG ]] || [[ ! -r $SYSCTLCONFIG ]] || [[ ! -w $SYSCTLCONFIG ]]; then
+ echo "$SYSCTLCONFIG is not exist or not accessible (are you root?)"
+ exit 1
+fi
+
+sed -i -e "/net.ipv4.ip_forward/d" $SYSCTLCONFIG
+echo "net.ipv4.ip_forward=1" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.accept_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.accept_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.all.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.all.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.rp_filter/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.rp_filter=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.accept_source_route/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.accept_source_route=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.conf.default.send_redirects/d" $SYSCTLCONFIG
+echo "net.ipv4.conf.default.send_redirects=0" >> $SYSCTLCONFIG
+
+sed -i -e "/net.ipv4.icmp_ignore_bogus_error_responses/d" $SYSCTLCONFIG
+echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> $SYSCTLCONFIG
+
+sysctl -p
+service procps restart
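Review bot: `net.ipv4.conf.default.rp_filter=0` switches reverse-path filtering off for every interface created after this runs, which includes the tun/tap device, so the kernel's anti-spoofing check on packets arriving from VPN clients is gone; loose mode `net.ipv4.conf.default.rp_filter=2` copes with the asymmetric routing a redirect-gateway VPN produces while still dropping sources with no route at all. The script sets `default.*` keys for rp_filter and accept_source_route but `all.*` for the redirect knobs, so existing interfaces keep their old rp_filter value while redirects change everywhere; adding `net.ipv4.conf.all.rp_filter=2` makes the policy consistent. The unanchored `sed -i -e "/net.ipv4.ip_forward/d"` also deletes any line that merely contains that text, for example an existing `net.ipv4.ip_forward_use_pmtu` setting; `/^#\?net\.ipv4\.ip_forward=/d` removes only the active or commented line for the key itself, and the same anchoring applies to the other six patterns. `service procps restart` after `sysctl -p` re-applies the same file and can be dropped.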