bridging removed (too many manual actions on client systems and configuration tuning)

2017-04-19 17:13:54 +03:00 · 2017-04-19 17:13:54 +03:00 · b90c750763
commit b90c750763
parent ea106239ef
6 changed files with 80 additions and 91 deletions
--- a/openvpn/adduser.sh
+++ b/openvpn/adduser.sh
@ -0,0 +1,70 @@
 #!/usr/bin/env bash
 STARTDIR=$(pwd)
 DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
 source $DIR/env.sh
 if [[ "$EUID" -ne 0 ]]; then
 	echo "Sorry, you need to run this as root"
 	exit 1
 fi
 cd $CADIR
 source ./vars
 ADDUSER="no"
 ANSUSER="yes"
 while [ "$ANSUSER" != "$ADDUSER" ]; 
 do
 	while [[ -z "$LOGIN" ]];
 	do
 	    read -p "Enter name: " LOGIN
 	done
 	./build-key --batch $LOGIN
 	if [ $? -eq 0 ]; then
 		# copy files and OVPN config
 		mkdir "$STARTDIR/$LOGIN"
 		cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$STARTDIR/$LOGIN/"
 		DIST="$STARTDIR/$LOGIN/openvpn-server.ovpn"
 		cp $DIR/openvpn-server.ovpn.dist $DIST
 		sed -i -e "s@LOGIN@$LOGIN@g" $DIST
 		sed -i -e "s@IP@$IP@g" $DIST
 		SRC="$STARTDIR/$LOGIN"
 		DIST="$STARTDIR/$LOGIN/openvpn-server-embedded.ovpn"
 		cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
 		sed -i -e "s@IP@$IP@g" $DIST
 		echo "<ca>" >> $DIST
 		cat $SRC/ca.crt >> $DIST
 		echo "</ca>" >> $DIST
 		echo "<cert>" >> $DIST
 		cat $SRC/$LOGIN.crt >> $DIST
 		echo "</cert>" >> $DIST
 		echo "<key>" >> $DIST
 		cat $SRC/$LOGIN.key >> $DIST
 		echo "</key>" >> $DIST
 		echo "<tls-auth>" >> $DIST
 		cat $SRC/ta.key >> $DIST
 		echo "</tls-auth>" >> $DIST
 		echo
 		echo "Created directory $STARTDIR/$LOGIN with necessary files."
 		USERNAME=${SUDO_USER:-$USER}
 		chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
 	fi
 	read -p "Would you want add another user? [no] " ANSUSER
 	: ${ANSUSER:=$ADDUSER}
 done
--- a/openvpn/install.sh
+++ b/openvpn/install.sh
@ -12,7 +12,7 @@ fi
 echo
 echo "Installing OpenVPN..."
-apt-get install openvpn easy-rsa
+apt-get install openvpn easy-rsa bridge-utils
 echo
 echo "Configuring routing..."
@ -30,30 +30,6 @@ echo
 echo "Configuring iptables firewall..."
 $DIR/iptables-setup.sh
 echo
 echo "Do you want to create routing or bridging OpenVPN mode? "
 echo "More information at: https://community.openvpn.net/openvpn/wiki/309-what-is-the-difference-between-bridging-and-routing"
 echo "    1) routing"
 echo "    2) bridging"
 echo
 read -p "Your choice [1 or 2]: " -e -i 1 MODE
 case $MODE in
 	1)
 	DEVICE="tun"
 	sed -i -e "s/DEVICE/tun/g" $OPENVPNCONFIG
 	sed -i -e "/server-bridge/d" $OPENVPNCONFIG
 	;;
 	2)
 	DEVICE="tap"
 	sed -i -e "s/DEVICE/tap/g" $OPENVPNCONFIG
 	sed -i -e "/server /d" $OPENVPNCONFIG
 	;;
 	*)
 	echo "Hm... Strange answer..."
 	exit
 	;;
 esac
 echo
 echo "Configuring DNS parameters..."
 $DIR/dns.sh
@ -69,64 +45,9 @@ source ./vars
 ./build-dh
 openvpn --genkey --secret ta.key
 ADDUSER="no"
 ANSUSER="yes"
 echo
 echo "Configuring VPN users..."
-while [ "$ANSUSER" != "$ADDUSER" ]; 
+$DIR/adduser.sh
 do
 	while [[ -z "$LOGIN" ]];
 	do
 	    read -p "Enter name: " LOGIN
 	done
 	./build-key --batch $LOGIN
 	if [ $? -eq 0 ]; then
 		# copy files and OVPN config
 		mkdir "$STARTDIR/$LOGIN"
 		cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$STARTDIR/$LOGIN/"
 		DIST="$STARTDIR/$LOGIN/openvpn-server.ovpn"
 		cp $DIR/openvpn-server.ovpn.dist $DIST
 		sed -i -e "s@LOGIN@$LOGIN@g" $DIST
 		sed -i -e "s@IP@$IP@g" $DIST
 		sed -i -e "s@DEVICE@$DEVICE@g" $DIST
 		SRC="$STARTDIR/$LOGIN"
 		DIST="$STARTDIR/$LOGIN/openvpn-server-embedded.ovpn"
 		cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
 		sed -i -e "s@IP@$IP@g" $DIST
 		sed -i -e "s@DEVICE@$DEVICE@g" $DIST
 		echo "<ca>" >> $DIST
 		cat $SRC/ca.crt >> $DIST
 		echo "</ca>" >> $DIST
 		echo "<cert>" >> $DIST
 		cat $SRC/$LOGIN.crt >> $DIST
 		echo "</cert>" >> $DIST
 		echo "<key>" >> $DIST
 		cat $SRC/$LOGIN.key >> $DIST
 		echo "</key>" >> $DIST
 		echo "<tls-auth>" >> $DIST
 		cat $SRC/ta.key >> $DIST
 		echo "</tls-auth>" >> $DIST
 		echo
 		echo "Created directory $STARTDIR/$LOGIN with necessary files."
 		USERNAME=${SUDO_USER:-$USER}
 		chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
 	fi
 	read -p "Would you want add another user? [no] " ANSUSER
 	: ${ANSUSER:=$ADDUSER}
 done
 echo
 echo "Starting OpenVPN..."
--- a/openvpn/iptables-setup.sh
+++ b/openvpn/iptables-setup.sh
@ -67,9 +67,7 @@ iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS  -
 # TUN/TAP
 iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A INPUT -i tap+ -j ACCEPT
 iptables -A OUTPUT -o tun+ -j ACCEPT
 iptables -A OUTPUT -o tap+ -j ACCEPT
 # OpenVPN
 iptables -A INPUT -p udp --dport 1194 -j ACCEPT
@ -85,4 +83,3 @@ fi
 iptables -F
 iptables-restore < $IPTABLES
--- a/openvpn/openvpn-server-embedded.ovpn.dist
+++ b/openvpn/openvpn-server-embedded.ovpn.dist
@ -1,10 +1,10 @@
 client
-dev DEVICE
+dev tun
 persist-key
 persist-tun
 tls-client
 remote-cert-tls server
-cipher DES-EDE3-CBC
+cipher AES-256-CBC
 remote IP
 port 1194
 proto udp
--- a/openvpn/openvpn-server.conf.dist
+++ b/openvpn/openvpn-server.conf.dist
@ -1,7 +1,7 @@
 mode server
 port 1194
 proto udp
-dev DEVICE
+dev tun
 ca CADIR/keys/ca.crt
 cert CADIR/keys/openvpn-server.crt
 key CADIR/keys/openvpn-server.key
@ -9,16 +9,17 @@ dh CADIR/keys/dh2048.pem
 tls-server
 tls-auth CADIR/ta.key 0
 server LOCALPREFIX.0.0 255.255.255.0
-server-bridge LOCALPREFIX.0.1 255.255.255.0 LOCALPREFIX.0.10 LOCALPREFIX.0.100
+topology subnet
 local PUBLICIP
 client-to-client
-cipher DES-EDE3-CBC
+cipher AES-256-CBC
 user nobody
 group NOBODYGROUP
 max-clients 100
 keepalive 10 120
 persist-key
 persist-tun
 mssfix
 push "route-gateway dhcp"
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"
--- a/openvpn/openvpn-server.ovpn.dist
+++ b/openvpn/openvpn-server.ovpn.dist
@ -1,8 +1,8 @@
 client
-dev DEVICE
+dev tun
 persist-key
 persist-tun
-cipher DES-EDE3-CBC
+cipher AES-256-CBC
 remote IP
 port 1194
 proto udp