Last active
July 28, 2024 19:43
-
-
Save XMB5/611ab1ecd0af0f7c1e6ec9e781e26bec to your computer and use it in GitHub Desktop.
Easy automatic OpenVPN setup for Ubuntu Server
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #easy openvpn server setup for ubuntu | |
| read -p "port (1-65535): " PORT | |
| read -p "protocol (udp or tcp): " PROTOCOL | |
| read -p "encrypt (y or n): " ENCRYPT | |
| read -p "hmac (y or n): " HMAC | |
| read -p "xor scramble (y or n): " SCRAMBLE | |
| read -p "compress (y or n): " COMPRESS_YN | |
| read -p "network number (0-255): " NETWORK_NUM | |
| read -p "service name affix (no special chars): " SERVICE_AFFIX | |
| if [ "$COMPRESS_YN" == y ]; then | |
| COMPRESS=lz4 | |
| fi | |
| if [ "$ENCRYPT" == y ]; then | |
| CIPHER=aes-128-cbc | |
| else | |
| CIPHER=none | |
| fi | |
| if [ "$HMAC" == y ]; then | |
| AUTH=sha256 | |
| else | |
| AUTH=none | |
| fi | |
| if [ "$SCRAMBLE" == y ]; then | |
| SCRAMBLE_LINE="scramble xormask $(hexdump -n 8 -e '4/4 "%08x" 1 "\n"' /dev/urandom)" | |
| fi | |
| if [ -z "$(command -v openvpn)" ]; then | |
| OPENVPN_VERSION=2.4.6 | |
| echo "installing openvpn from source" | |
| sudo apt install -y gcc make libssl-dev liblz4-dev liblzo2-dev libpam-dev | |
| echo "download openvpn $OPENVPN_VERSION" | |
| wget --quiet "https://swupdate.openvpn.org/community/releases/openvpn-$OPENVPN_VERSION.tar.xz" -O- | tar xfJ - | |
| cd "openvpn-$OPENVPN_VERSION" | |
| for PATCH in 02-tunnelblick-openvpn_xorpatch-a 03-tunnelblick-openvpn_xorpatch-b 04-tunnelblick-openvpn_xorpatch-c 05-tunnelblick-openvpn_xorpatch-d 06-tunnelblick-openvpn_xorpatch-e; do | |
| echo "downloading patch $PATCH" | |
| wget --quiet "https://raw.githubusercontent.com/Tunnelblick/Tunnelblick/master/third_party/sources/openvpn/openvpn-${OPENVPN_VERSION}/patches/${PATCH}.diff" | |
| patch -Np1 -i "$PATCH.diff" | |
| done | |
| ./configure | |
| make | |
| sudo make install | |
| cd .. | |
| rm -rf "openvpn-$OPENVPN_VERSION" | |
| fi | |
| EASYRSA_VERSION=3.0.5 | |
| if [ ! -d "EasyRSA-$EASYRSA_VERSION" ]; then | |
| echo "downloading easyrsa" | |
| wget --quiet "https://github.com/OpenVPN/easy-rsa/releases/download/v$EASYRSA_VERSION/EasyRSA-nix-$EASYRSA_VERSION.tgz" -O- | tar xfz - | |
| fi | |
| if [ ! -d "pki" ]; then | |
| echo "generating keys" | |
| easyrsa="EasyRSA-$EASYRSA_VERSION/easyrsa" | |
| $easyrsa init-pki | |
| $easyrsa --batch build-ca nopass | |
| $easyrsa gen-dh | |
| EASYRSA_CERT_EXPIRE=3650 $easyrsa build-server-full server nopass | |
| EASYRSA_CERT_EXPIRE=3650 $easyrsa build-client-full client nopass | |
| EASYRSA_CRL_DAYS=3650 $easyrsa gen-crl | |
| openvpn --genkey --secret tc.key | |
| fi | |
| #network configuration | |
| cat > run-openvpn.sh << EOF | |
| #!/bin/bash | |
| echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward > /dev/null | |
| IP=\$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) | |
| if [ -z "\$(sudo iptables -t nat -L POSTROUTING -n | grep -F 10.$NETWORK_NUM.0.0/24)" ]; then | |
| echo "adding iptables rule" | |
| sudo iptables -t nat -A POSTROUTING -s 10.$NETWORK_NUM.0.0/24 ! -d 10.$NETWORK_NUM.0.0/24 -j SNAT --to \$IP | |
| fi | |
| EOF | |
| chmod +x run-openvpn.sh | |
| #run-openvpn only contains routing rules so far | |
| source run-openvpn.sh | |
| echo 'cd "$(dirname "$BASH_SOURCE")" | |
| exec sudo openvpn --config server.ovpn' >> run-openvpn.sh | |
| SERVICE_NAME="openvpn-server-$SERVICE_AFFIX" | |
| SERVICE_FILE="/etc/systemd/system/$SERVICE_NAME.service" | |
| if [ ! -f "$SERVICE_FILE" ]; then | |
| echo "installing systemd service" | |
| echo "[Unit] | |
| Description=$SERVICE_NAME | |
| After=network.target | |
| After=systemd-user-sessions.service | |
| After=network-online.target | |
| [Service] | |
| ExecStart='$(readlink -f run-openvpn.sh)' | |
| [Install] | |
| WantedBy=multi-user.target" | sudo tee "$SERVICE_FILE" > /dev/null | |
| sudo systemctl daemon-reload | |
| echo "installed systemd service, run sudo systemctl start|enable $SERVICE_NAME to use" | |
| fi | |
| #generate server configuration | |
| echo "port $PORT | |
| proto $PROTOCOL | |
| sndbuf 0 | |
| rcvbuf 0 | |
| compress $COMPRESS | |
| dev tun | |
| ca pki/ca.crt | |
| cert pki/issued/server.crt | |
| key pki/private/server.key | |
| dh pki/dh.pem | |
| auth $AUTH | |
| tls-crypt tc.key | |
| topology subnet | |
| duplicate-cn | |
| server 10.$NETWORK_NUM.0.0 255.255.255.0 | |
| ifconfig-pool-persist ipp.txt | |
| push \"redirect-gateway def1 bypass-dhcp\" | |
| push \"dhcp-option DNS 128.52.130.209\" | |
| keepalive 10 60 | |
| cipher $CIPHER | |
| persist-key | |
| persist-tun | |
| status openvpn-status.log | |
| verb 3 | |
| crl-verify pki/crl.pem | |
| $SCRAMBLE_LINE" > server.ovpn | |
| #generate client.conf | |
| echo "finding public ip address" | |
| PUB_IP=`curl -s4 https://checkip.amazonaws.com/` | |
| echo "client | |
| compress $COMPRESS | |
| dev tun | |
| proto $PROTOCOL | |
| sndbuf 0 | |
| rcvbuf 0 | |
| remote $PUB_IP $PORT | |
| resolv-retry infinite | |
| nobind | |
| persist-key | |
| persist-tun | |
| remote-cert-tls server | |
| auth $AUTH | |
| cipher $CIPHER | |
| setenv opt block-outside-dns | |
| verb 3 | |
| <ca> | |
| $(cat pki/ca.crt) | |
| </ca> | |
| <cert> | |
| $(cat pki/issued/client.crt) | |
| </cert> | |
| <key> | |
| $(cat pki/private/client.key) | |
| </key> | |
| <tls-crypt> | |
| $(cat tc.key) | |
| </tls-crypt> | |
| $SCRAMBLE_LINE" > client.ovpn | |
| echo "done - client config in client.ovpn" |
really doesnt work on ubuntu 22. on which version should i try this?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Not working can you fix?