#!/bin/bash
#######################################
# Print the usage text to stdout.
# Globals:   none (only $0 for the program name)
# Arguments: none
# Outputs:   usage text, followed by a blank line
#######################################
help_menu() {
  cat <<EOF
Usage:
${0##*/} [-h][-d CA_DIR][-p SERVERPORT][-v][-s]
Options:
-h, --help
display this help and exit
-d, --ca-dir=DIRECTORY
ca_dir
-p, --server-port=PORT
server_port
-s, --skip-update
skip update
-v, --verbose
enable output

EOF
}
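# Defaults; overridable from the command line (see parse_args below).
server_port=1194
ca_dir=$HOME
skip_update=false
verbose=false

#######################################
# Parse command-line options into the globals above.
# Accepts both "--opt=value" and "--opt value" forms, and both the
# hyphenated long names documented in help_menu (--server-port,
# --skip-update) and the older spellings (--server_port, --skipupdate).
# Globals:   server_port, ca_dir, skip_update, verbose (written)
# Arguments: the script's positional parameters
# Outputs:   error text on stderr for bad input
# Returns:   0; exits 1 on an unknown option, a missing value or an
#            invalid port; exits 0 after printing help for -h
#######################################
parse_args() {
  local arg param value
  while [ $# -gt 0 ]; do
    arg=$1
    shift
    param=${arg%%=*}
    case "$param" in
      -h | --help)
        help_menu
        exit
        ;;
      -d | --ca-dir | -p | --server-port | --server_port)
        if [ "$arg" != "$param" ]; then
          value=${arg#*=}            # "--opt=value"
        elif [ $# -gt 0 ]; then
          value=$1                   # "--opt value"
          shift
        else
          printf 'ERROR: option "%s" requires a value\n' "$param" >&2
          help_menu
          exit 1
        fi
        if [ "$param" = -d ] || [ "$param" = --ca-dir ]; then
          ca_dir=$value
        else
          server_port=$value
        fi
        ;;
      -s | --skip-update | --skipupdate)
        skip_update=true
        ;;
      -v | --verbose)
        verbose=true
        ;;
      *)
        echo "ERROR: unknown parameter \"$param\"" >&2
        help_menu
        exit 1
        ;;
    esac
  done

  # The port ends up in a "ufw allow" rule; only accept a plain port number.
  case "$server_port" in
    '' | *[!0-9]*)
      printf 'ERROR: server port must be a number, got "%s"\n' "$server_port" >&2
      exit 1
      ;;
  esac
  if [ "$server_port" -lt 1 ] || [ "$server_port" -gt 65535 ]; then
    printf 'ERROR: server port out of range (1-65535): %s\n' "$server_port" >&2
    exit 1
  fi

  # The rest of the script builds paths as "${ca_dir}openvpn-ca", so the
  # directory must end in "/" (with the bare $HOME default it previously
  # produced e.g. /home/userопenvpn-ca). An explicitly empty -d keeps the
  # old relative-path behaviour.
  if [ -n "$ca_dir" ]; then
    ca_dir=${ca_dir%/}/
  fi
}
parse_args "$@"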
#######################################
# Test whether every given name resolves to a command in PATH.
# Arguments: one or more command names
# Returns:   0 when all are found, non-zero otherwise; prints nothing
#######################################
command_exists() {
  local name
  for name in "$@"; do
    command -v "$name" >/dev/null 2>&1 || return 1
  done
  return 0
}
#######################################
# Step 2: create the easy-rsa CA directory and change into it.
# Globals:   ca_dir (read); the caller's working directory is changed
# Returns:   status of the failing step, or of the final cd
#######################################
set_up_ca_dir() {
  local ca_path="${ca_dir}openvpn-ca"
  verbose_out "Step 2: Set Up the CA Directory" || return
  make-cadir "$ca_path" || return
  cd "$ca_path"
}
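#######################################
# Step 3: ask for the CA identity fields and record them in ./vars.
# Each value is appended as "export NAME=value"; because vars is later
# sourced (see build_ca), a later export overrides the template default,
# so no in-place editing of the template is needed. Values are written
# with printf %q, so whatever the user types is stored as a literal and
# can never be interpreted as shell syntax when vars is sourced.
# Globals:   none; writes ./vars in the current (CA) directory
# Returns:   non-zero if a prompt fails or vars cannot be written
#######################################
configure_ca_vars() {
  echo ' '
  verbose_out "Step 3: Configure the CA Variables"
  _prompt_ca_var KEY_COUNTRY "KEY_COUNTRY(eg: US): " &&
  _prompt_ca_var KEY_PROVINCE "KEY_PROVINCE (eg: NY): " &&
  _prompt_ca_var KEY_CITY "KEY_CITY (eg: New York City): " &&
  _prompt_ca_var KEY_ORG "KEY_ORG (eg: WhitehatBlog): " &&
  _prompt_ca_var KEY_EMAIL "KEY_EMAIL (eg: [email protected]): " &&
  _prompt_ca_var KEY_OU "KEY_OU (eg: community): " &&
  _prompt_ca_var KEY_NAME "KEY_NAME (eg: server): "
}

#######################################
# Prompt for one value and append it to ./vars as a quoted export.
# vars lives in the directory make-cadir created as the invoking user,
# so no sudo is required to write it.
# Arguments: $1 - variable name, $2 - prompt text
# Returns:   non-zero if stdin is exhausted or the append fails
#######################################
_prompt_ca_var() {
  local name=$1 prompt=$2 value
  printf '%s' "$prompt"
  read -r value || return
  printf 'export %s=%q\n' "$name" "$value" >>vars
}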
#######################################
# Step 4: build the Certificate Authority with easy-rsa.
# NOTE(review): clean-all is expected to reset the keys directory, so
# re-running this on an existing CA would discard it — confirm before
# relying on re-runs.
# Globals:   ca_dir (read); changes the working directory
# Returns:   status of the first failing step, else of ./build-ca
#######################################
build_ca() {
  local ca_path="${ca_dir}openvpn-ca"
  verbose_out "Step 4: Build the Certificate Authority" || return
  cd "$ca_path" || return
  # shellcheck disable=SC1091 — vars is generated by make-cadir at runtime
  source ./vars || return
  ./clean-all || return
  ./build-ca
}
#######################################
# Step 5: issue the server certificate/key, the DH parameters and the
# tls-auth shared secret (keys/ta.key).
# Globals:   ca_dir (read); changes the working directory
# Returns:   status of the first failing step, else of openvpn --genkey
#######################################
create_server_cert_key_enc_files() {
  local ca_path="${ca_dir}openvpn-ca"
  verbose_out "Step 5: Create the Server Certificate, Key, and Encryption Files"
  cd "$ca_path" || return
  ./build-key-server server || return
  ./build-dh || return
  openvpn --genkey --secret keys/ta.key
}
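#######################################
# Step 6: issue a client certificate and key pair.
# The client name becomes a file name under keys/, so it is restricted to
# a conservative character set (no "/" or leading "-") before it is passed
# to ./build-key.
# Globals:   ca_dir (read), CLIENT_KEY_NAME (written); changes the
#            working directory
# Returns:   1 on an invalid name, otherwise the status of ./build-key
#######################################
generate_client_cert_key_pair() {
  local ca_path="${ca_dir}openvpn-ca"
  verbose_out "Step 6: Generate a Client Certificate and Key Pair"
  cd "$ca_path" || return
  # shellcheck disable=SC1091 — vars is generated by make-cadir at runtime
  source vars || return
  printf "CLIENT_KEY_NAME (eg: client1): "
  read -r CLIENT_KEY_NAME || return
  case "$CLIENT_KEY_NAME" in
    '' | -* | *[!A-Za-z0-9._-]*)
      printf 'ERROR: invalid client name "%s" (use letters, digits, ".", "_" or "-"; must not start with "-")\n' \
        "$CLIENT_KEY_NAME" >&2
      return 1
      ;;
  esac
  ./build-key "$CLIENT_KEY_NAME"
}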
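#######################################
# Step 7: install the PKI material and a server.conf derived from the
# packaged sample into /etc/openvpn.
# Globals:   ca_dir (read); changes the working directory
# Returns:   status of the first failing step
#######################################
configure_openvpn_service() {
  local keys_path="${ca_dir}openvpn-ca/keys"
  local conf=/etc/openvpn/server.conf
  local sample=/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
  verbose_out "Step 7: Configure the OpenVPN Service"
  cd "$keys_path" || return
  sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn || return
  # Private material must not be readable by other local users once it
  # lives under /etc/openvpn, whatever mode cp happened to give it.
  sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key || return
  verbose_out "Step 7.1: Unzipping server.conf.gz to /etc/openvpn/server.conf"
  # cp + gunzip -f instead of "gunzip | tee": the decompression status is
  # checked, and the whole config is no longer echoed to the terminal.
  sudo cp "$sample" "$conf.gz" || return
  sudo gunzip -f "$conf.gz" || return
  # Insert the hardening directives after the sample's matching lines
  # (key-direction for ta.key, explicit cipher/auth, drop privileges).
  sudo sed -i 's/This file is secret/&\nkey-direction 0/' "$conf" || return
  sudo sed -i 's/cipher AES-128-CBC/&\ncipher AES-128-CBC\nauth SHA256/' "$conf" || return
  sudo sed -i 's/user nobody/&\nuser nobody/' "$conf" || return
  sudo sed -i 's/group nogroup/&\ngroup nogroup/' "$conf"
}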
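#######################################
# Step 8: enable IP forwarding, add the OpenVPN NAT rules to ufw and
# open the VPN port. Safe to re-run: the sysctl line and the NAT block
# are only added when absent.
# Globals:   server_port (read)
# Returns:   status of the first failing step
#######################################
adjust_server_network_configuration() {
  verbose_out "Step 8: Adjust the Server Networking Configuration"
  verbose_out "Step 8.1: Allow IP Forwarding"
  _enable_ip_forwarding || return
  sudo sysctl -p || return
  verbose_out "Step 8.2: Adjust the UFW Rules to Masquerade Client Connections"
  local def_int
  def_int=$(ip route | awk '/^default/ { print $5; exit }') || return
  if [ -z "$def_int" ]; then
    printf 'ERROR: could not detect the default network interface\n' >&2
    return 1
  fi
  verbose_out "Step 8.2: Detected default interface :$def_int"
  if sudo grep -q '^# START OPENVPN RULES' /etc/ufw/before.rules; then
    verbose_out "Step 8.2: OpenVPN NAT rules already present in /etc/ufw/before.rules, skipping"
  else
    _prepend_openvpn_nat_rules "$def_int" || return
  fi
  verbose_out "Step 8.3: Adjusting UFW Rules for OpenVPN"
  # Note: this accepts all forwarded traffic host-wide, not only traffic
  # from the VPN interface; a per-interface "ufw route" rule is narrower.
  sudo sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw || return
  sudo ufw allow "$server_port/udp" || return
  # Keep SSH reachable across the disable/enable cycle below.
  sudo ufw allow OpenSSH || return
  verbose_out "Step 8.4: Reloading UFW with new Rules"
  sudo ufw disable || return
  sudo ufw enable
}

#######################################
# Append net.ipv4.ip_forward=1 to /etc/sysctl.conf unless an active
# (uncommented) setting is already present.
# Returns:   0 if already set, else the status of the append
#######################################
_enable_ip_forwarding() {
  if sudo grep -qE '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' /etc/sysctl.conf; then
    return 0
  fi
  printf 'net.ipv4.ip_forward=1\n' | sudo tee -a /etc/sysctl.conf >/dev/null
}

#######################################
# Prepend the OpenVPN NAT block to /etc/ufw/before.rules, staging the new
# file in a private mktemp file rather than a predictable /tmp name.
# Arguments: $1 - name of the default (egress) interface
# Returns:   status of the staging/copy; the temp file is always removed
#######################################
_prepend_openvpn_nat_rules() {
  local def_int=$1 tmp rc
  tmp=$(mktemp) || return
  {
    # 10.8.0.0/24 is the subnet of the sample server.conf's
    # "server 10.8.0.0 255.255.255.0" directive; widen it if you change
    # that directive. (The original script had a malformed address here.)
    cat <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to ${def_int}
-A POSTROUTING -s 10.8.0.0/24 -o ${def_int} -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
    sudo cat /etc/ufw/before.rules
  } >"$tmp" && sudo cp -- "$tmp" /etc/ufw/before.rules
  rc=$?
  rm -f -- "$tmp"
  return "$rc"
}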
#######################################
# Step 9: start the openvpn@server unit, show its status and the tun0
# address, then enable it at boot.
# Returns:   status of the first failing step, else of systemctl enable
#######################################
start_enable_openvpn_service() {
  local unit=openvpn@server
  verbose_out "Step 9: Start and Enable the OpenVPN Service"
  sudo systemctl start "$unit" || return
  # status is non-zero when the unit is not running, which stops the chain
  sudo systemctl status "$unit" || return
  verbose_out "Checking whether tun0 interface is ready" || return
  sudo ip addr show tun0 || return
  verbose_out "Step 9.2 enabling openvpnserver to start on boot" || return
  sudo systemctl enable "$unit"
}
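#######################################
# Print a message to stdout only when -v/--verbose was given.
# Uses printf so that a message starting with "-n"/"-e" is printed
# literally, and tolerates $verbose being unset.
# Globals:   verbose (read)
# Arguments: the message words
# Returns:   0 in all cases
#######################################
verbose_out() {
  [ "${verbose:-}" = true ] || return 0
  printf '%s\n' "$*"
}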
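#######################################
# Main flow: refresh apt, make sure openvpn and easy-rsa are installed,
# enter (or create) the CA directory and run steps 3-9.
# (Note: this function shadows the install(1) utility for the rest of
# the script.)
# Globals:   skip_update, ca_dir (read); changes the working directory
# Returns:   status of the first failing step
#######################################
install() {
  local ca_path="${ca_dir}openvpn-ca"
  if [ "$skip_update" = false ]; then
    verbose_out "Updating : command : sudo apt-get update -y "
    sudo apt-get update -y || return
  else
    verbose_out "Skipping update"
  fi
  verbose_out 'Checking if openvpn exists : '
  _ensure_package openvpn openvpn || return
  # The easy-rsa package provides make-cadir (used by set_up_ca_dir); there
  # is no "easy-rsa" executable, so probe the command actually needed.
  _ensure_package make-cadir easy-rsa || return
  verbose_out 'Setting up CA Directory'
  if [ -d "$ca_path" ]; then
    verbose_out "Skipping creating openvpn-ca directory. Already exists : $ca_path"
    cd -- "$ca_path" || return
  else
    set_up_ca_dir || return
  fi
  # build_ca sources ./vars from here; fail loudly instead of silently
  # skipping the remaining steps when we are not in a CA directory.
  if [ ! -f vars ]; then
    printf 'ERROR: no easy-rsa "vars" file in %s; refusing to continue\n' "$PWD" >&2
    return 1
  fi
  configure_ca_vars &&
  build_ca &&
  create_server_cert_key_enc_files &&
  generate_client_cert_key_pair &&
  configure_openvpn_service &&
  adjust_server_network_configuration &&
  start_enable_openvpn_service
}

#######################################
# Install an apt package when the command it provides is missing.
# Arguments: $1 - command to look for, $2 - package that provides it
# Returns:   0 if present or installed, else the apt-get status
#######################################
_ensure_package() {
  local cmd=$1 pkg=$2
  if command_exists "$cmd"; then
    verbose_out "Found $pkg.. Continuing"
    return 0
  fi
  verbose_out "$pkg not found , installing "
  sudo apt-get install -y "$pkg" || return
  verbose_out "$pkg has been installed successfully"
}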
# Entry point: run the whole provisioning flow (the install function above, not install(1)).
install