Automatically install OpenVPN Gateway on Raspberry PI
#!/usr/bin/env bash
# Source: https://gist.github.com/Limych/35e83cb65ca8e48808c567984aee1ff8
#
# Usage:
# Place one or more OVPN files in a folder on the target machine.
# You may additionally place the VPN credentials in a file 'login.txt': 1st line — login, 2nd line — password.
# Then, from that folder, run this command:
# bash <(curl -sL https://gist.github.com/Limych/35e83cb65ca8e48808c567984aee1ff8/raw/rpi-vpn-gw-install.sh)
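set +e  # errexit stays off: a failing step does not abort the run, so critical
        # commands need their own "|| die" check
# Terminal colours used by the info/warn/die helpers, which write to stderr.
# They are only emitted when stderr is a terminal; when it is a pipe or log
# file (or TERM is unset) they stay empty, so no escape sequences and no
# "tput: No value for $TERM" noise end up in the captured output.
if [ -t 2 ]; then
  normal=$(tput sgr0 2>/dev/null)
  green=$(tput setaf 2 2>/dev/null)
  yellow=$(tput setaf 3 2>/dev/null)
  red=$(tput setaf 1 2>/dev/null)
else
  normal= green= yellow= red=
fi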
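#######################################
# Print an informational message in green to stderr.
# Arguments: message words, joined by a space; backslash escapes are
#            interpreted (printf %b, same as the former echo -e)
# Globals:   green, normal (read) - colour codes, may be empty
#######################################
info () {
  # printf rather than echo: a message that happens to start with "-n" or
  # "-e" (possible when the colour codes are empty) is printed, not eaten
  # as an echo option.
  printf '%b\n' "${green}$*${normal}" >&2
}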
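#######################################
# Print a warning in yellow to stderr, prefixed with "WARNING: ".
# Arguments: message words, joined by a space; backslash escapes are
#            interpreted (printf %b, same as the former echo -e)
# Globals:   yellow, normal (read) - colour codes, may be empty
#######################################
warn () {
  # printf keeps the diagnostics helpers consistent and free of echo's
  # option parsing quirks.
  printf '%b\n' "${yellow}WARNING: $*${normal}" >&2
}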
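#######################################
# Print an error in red to stderr, prefixed with "ERROR: ", and exit.
# Arguments: $1 - exit status (defaults to 1 when missing)
#            remaining words - the message
# Globals:   red, normal (read) - colour codes, may be empty
# Returns:   does not return; exits the script with $1
#######################################
die () {
  local rc=${1:-1}   # local: the former global "rc" leaked into the caller
  shift || true      # no message at all is tolerated
  printf '%b\n' "${red}ERROR: $*${normal}" >&2
  exit "$rc"
}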
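# Check for the presence of VPN configuration files.
# The parent directory is tried first, then the current one. ROOT is set
# without a trailing slash so that paths built as "$ROOT/..." stay clean.
# compgen -G is a builtin glob test (exit 1 when nothing matches) and avoids
# parsing ls output.
info "Checking presence of VPN configuration files"
if compgen -G '../*.ovpn' >/dev/null; then
  ROOT=..
elif compgen -G './*.ovpn' >/dev/null; then
  ROOT=.
else
  die 1 "No one of VPN configuration file found. (*.ovpn)"
fi
info "... VPN configuration files found at $ROOT"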
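# Install requirements.
# errexit is off, so without an explicit check a failed install would let the
# script carry on to the firewall lockdown without openvpn/iptables-persistent
# in place; make it fatal instead.
info "Installing requirements"
sudo DEBIAN_FRONTEND=noninteractive apt install openvpn iptables-persistent -yq \
  || die 1 "Failed to install openvpn and iptables-persistent"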
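# Copying VPN configurations to OpenVPN folder.
# The destination uses only the basename of each file: with ROOT pointing to
# the parent directory the former "${file/%.ovpn/.conf}" kept the "../"
# prefix, so the config landed in /etc/ instead of /etc/openvpn/.
info "Copying VPN configurations to OpenVPN folder..."
for file in "$ROOT"/*.ovpn; do
  [ -e "$file" ] || continue                # unmatched glob
  name=${file##*/}
  conf="/etc/openvpn/${name%.ovpn}.conf"
  sudo cp -- "$file" "$conf"
  # Point a bare "auth-user-pass" directive at login.txt; a directive that
  # already names a credentials file is left untouched. [[:space:]] also
  # absorbs the CR of CRLF configs.
  sudo sed -i -e 's/^auth-user-pass[[:space:]]*$/auth-user-pass login.txt/' "$conf"
done
sudo chmod 0600 /etc/openvpn/*.conf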
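# Obtain VPN credentials.
# The file is created with mode 0600 from the start (install / umask 077)
# instead of being written world-readable and chmod'ed afterwards.
info "Obtain VPN credentials"
if [ -f "$ROOT/login.txt" ]; then
  info "... Found login.txt file"
  sudo install -m 0600 -- "$ROOT/login.txt" /etc/openvpn/login.txt
else
  read -rp "VPN Username: " login
  read -rsp "VPN Password: " password   # -s: do not echo the secret
  printf '\n' >&2
  # %s writes the values verbatim; echo -e would interpret backslashes in
  # the password.
  printf '%s\n' "$login" "$password" \
    | sudo sh -c 'umask 077; cat > /etc/openvpn/login.txt'
  unset password
fi
sudo chmod 0600 /etc/openvpn/login.txt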
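# Obtain basic information about this host.
# ETH_DEV: the interface carrying the default route (the word after "dev",
#          wherever it sits in the route line).
# NET:     the on-link IPv4 prefix of that interface, e.g. 192.168.1.0/24,
#          used below to allow LAN traffic. Deriving it from ETH_DEV is more
#          robust than taking the second line of "ip r", which on a host
#          with several interfaces may belong to a different one.
ETH_DEV=$(ip -o -4 route show to default \
  | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
NET=$(ip -o -4 route show dev "$ETH_DEV" scope link | awk '{print $1; exit}')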
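# Obtain unique IP's of all VPN servers
#######################################
# Collect the VPN endpoints named by "remote <host> [port]" directives.
# Arguments: $1 - directory holding the *.ovpn files
# Globals:   HOSTS    (written) unique getent(1) lines for the hostnames,
#                     ready to be appended to /etc/hosts
#            IP_PORTS (written) unique "<ipv4> <port>" pairs for the firewall
# Notes:     the port defaults to 1194 when the directive omits it (the
#            former code produced an empty port); IP literals are used as-is
#            (no lookup, no hosts entry); a host resolving to several
#            addresses yields one pair per address; IPv6 answers are kept in
#            HOSTS but left out of IP_PORTS because the rules below are
#            written with iptables (IPv4).
#######################################
collect_vpn_endpoints() {
  local dir=$1 host port line ip
  local -a hosts=() ip_ports=()
  # grep -h: no filename prefix even with several files; the anchor skips
  # commented-out directives; tr strips the CR of CRLF configs.
  # IFS is given explicitly on each read so the function does not depend on
  # the script's global IFS.
  while IFS=$' \t' read -r _ host port _; do
    [ -n "$host" ] || continue
    port=${port:-1194}
    if [[ $host =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
      ip_ports+=("$host $port")
      continue
    fi
    while IFS= read -r line; do
      [ -n "$line" ] || continue
      hosts+=("$line")
      IFS=$' \t' read -r ip _ <<<"$line"
      [[ $ip == *:* ]] && continue
      ip_ports+=("$ip $port")
    done < <(getent hosts "$host")
  done < <(grep -h '^[[:space:]]*remote[[:space:]]' -- "$dir"/*.ovpn | tr -d '\r')
  HOSTS=()
  IP_PORTS=()
  if ((${#hosts[@]})); then
    mapfile -t HOSTS < <(printf '%s\n' "${hosts[@]}" | LC_ALL=C sort -u)
  fi
  if ((${#ip_ports[@]})); then
    mapfile -t IP_PORTS < <(printf '%s\n' "${ip_ports[@]}" | LC_ALL=C sort -u)
  fi
}
collect_vpn_endpoints "$ROOT"
# Later "${HOSTS[*]}" / "${IP_PORTS[*]}" expansions join on the first IFS
# character, so IFS stays newline from here on, as in the original layout.
IFS=$'\n'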
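# Update hosts file.
# One getent line per resolved hostname. Lines already present are not
# appended again, so re-running the script does not grow /etc/hosts, and an
# empty HOSTS no longer appends a blank line. %s writes the entries verbatim.
info "Update hosts file"
for entry in "${HOSTS[@]}"; do
  [ -n "$entry" ] || continue
  if ! grep -qxF -- "$entry" /etc/hosts; then
    printf '%s\n' "$entry" | sudo tee -a /etc/hosts >/dev/null
  fi
done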
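# Set up IP forwarding.
# Uncomment an existing "net.ipv4.ip_forward=1" line; if sysctl.conf has no
# such line at all, append one, otherwise forwarding would silently stay off.
info "Set up IP forwarding"
sudo sed -i '/net\.ipv4\.ip_forward=1/s/^# *//g' /etc/sysctl.conf
if ! grep -qE '^net\.ipv4\.ip_forward *= *1' /etc/sysctl.conf; then
  printf 'net.ipv4.ip_forward=1\n' | sudo tee -a /etc/sysctl.conf >/dev/null
fi
sudo sysctl -p /etc/sysctl.conf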
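# Firewall.
# Both the filter and the nat table are flushed so that re-running the
# script does not stack duplicate rules (the nat MASQUERADE rule used to be
# appended on every run). An empty ETH_DEV would make every "-o" rule fail
# and leave the lockdown incomplete, so it is checked first.
[ -n "$ETH_DEV" ] || die 1 "Could not determine the LAN interface (no default route)"
sudo iptables -F
sudo iptables -t nat -F
# Management access: SSH in, and its replies out.
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Gateway function: LAN clients are NATed out through the tunnel; forwarding
# is allowed only between the LAN interface and tun0.
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
sudo iptables -A FORWARD -i tun0 -o "$ETH_DEV" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i "$ETH_DEV" -o tun0 -j ACCEPT
# The host's own traffic: anything may leave via the tunnel; on the LAN
# interface only ICMP, the local subnet, OpenVPN (udp/1194), NTP and the
# resolved VPN endpoints are allowed, everything else is dropped below.
# NOTE(review): neither DNS (udp/53) nor DHCP (udp/67-68) is allowed on the
# LAN side, so name resolution relies on the /etc/hosts entries written above
# and DHCP lease renewals would be dropped — confirm this matches the host's
# network setup.
sudo iptables -A OUTPUT -o tun0 -m comment --comment "VPN" -j ACCEPT
sudo iptables -A OUTPUT -o "$ETH_DEV" -p icmp -m comment --comment "ICMP" -j ACCEPT
if [ -n "$NET" ]; then
  sudo iptables -A OUTPUT -d "$NET" -o "$ETH_DEV" -m comment --comment "LAN" -j ACCEPT
else
  warn "LAN subnet not detected; no LAN rule added to the OUTPUT chain"
fi
sudo iptables -A OUTPUT -o "$ETH_DEV" -p udp -m udp --dport 1194 -m comment --comment "Allow VPN traffic" -j ACCEPT
sudo iptables -A OUTPUT -o "$ETH_DEV" -p udp -m udp --dport 123 -m comment --comment "NTP" -j ACCEPT
for entry in "${IP_PORTS[@]}"; do
  IFS=' ' read -r vpn_ip vpn_port <<<"$entry"
  if [ -z "$vpn_ip" ] || [ -z "$vpn_port" ]; then
    warn "Skipping malformed VPN endpoint '$entry'"
    continue
  fi
  for proto in tcp udp; do
    sudo iptables -A OUTPUT -p "$proto" -d "$vpn_ip" --dport "$vpn_port" -m comment --comment "VPN IP" -j ACCEPT
  done
done
# Default deny for the host on the LAN side, and no forwarding that bypasses
# the tunnel (inserted at the top of FORWARD).
sudo iptables -A OUTPUT -o "$ETH_DEV" -j DROP
sudo iptables -I FORWARD -i "$ETH_DEV" ! -o tun0 -j DROP
# Persist for iptables-persistent.
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null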
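# Enabling OpenVPN service.
# Only enables the unit for boot; it is not started here. With errexit off
# the result is checked explicitly so a failure is not hidden behind "Done".
# NOTE(review): this relies on the generic "openvpn" unit picking up
# /etc/openvpn/*.conf; a distribution that only ships openvpn@<name>
# template units needs that unit name instead — confirm on the target.
info "Enabling OpenVPN service..."
sudo systemctl enable openvpn || die 1 "Failed to enable the OpenVPN service"
info "Done :)"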