Instalar o servidor OpenVPN no Ubuntu 18.04
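#!/bin/bash
#
# One-shot OpenVPN server install for Ubuntu 18.04, following the DigitalOcean
# tutorial printed below: builds a CA and a server certificate with EasyRSA
# 3.0.4, writes /etc/openvpn/server.conf from the packaged sample, enables
# IPv4 forwarding, prepends the NAT rule to /etc/ufw/before.rules and issues
# the first client profile (<user>.ovpn) under /root/client-configs/files.
#
# Must run as root and is interactive: it asks for the first client name, the
# server's public IPv4, the UDP port and the egress interface, and EasyRSA
# itself prompts during build-ca / sign-req (see the comments at each step).
# Re-running wipes the previous PKI and every client profile (cleanup below),
# so profiles issued by an earlier run stop working.
#
# Optional env: EASYRSA_SHA256 — expected SHA-256 of the EasyRSA tarball; when
# set, the download is verified against it before extraction.
#
# Tracing (set -x) is kept from the original so every step is visible; it only
# prints command lines, never the contents of the generated keys. It is turned
# off around the interactive prompts.

set -euo pipefail
set -x

readonly EASYRSA_VERSION="3.0.4"
readonly EASYRSA_TGZ="EasyRSA-${EASYRSA_VERSION}.tgz"
readonly EASYRSA_URL="https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/${EASYRSA_TGZ}"
readonly EASYRSA_CA_DIR="/root/EasyRSA-${EASYRSA_VERSION}"         # PKI that holds the CA and signs
readonly EASYRSA_SRV_DIR="/root/EasyRSA-server-${EASYRSA_VERSION}" # PKI that generates server/client requests
readonly CLIENT_DIR="/root/client-configs"

#######################################
# Print a message on stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Prompt until the answer matches a regex, then store it in a named variable.
# The answers are later used as file names, sed replacement text and firewall
# rule fields, so they are validated here instead of being trusted downstream.
# Arguments: $1 - variable name to set
#            $2 - prompt text
#            $3 - extended regex the answer must match
#######################################
ask() {
  local var=$1 prompt=$2 pattern=$3 answer
  while true; do
    read -r -p "$prompt" answer
    if [[ "$answer" =~ $pattern ]]; then
      printf -v "$var" '%s' "$answer"
      return 0
    fi
    printf 'Valor inválido, tente novamente.\n' >&2
  done
}

if [[ "$(id -u)" != "0" || "$(id -g)" != "0" ]]; then
  echo "Utilizar usuário root"
  exit 1
fi

# Everything below shells out to these; fail early rather than half-way through.
for tool in wget tar gzip sed awk ufw systemctl ip sha256sum; do
  command -v "$tool" >/dev/null || die "Comando necessário não encontrado: $tool"
done

cd /root/
echo "Limpeza..."
# The unit does not exist yet on a fresh machine; a failed stop is expected.
systemctl stop openvpn@server || true
rm -rf "${CLIENT_DIR}/" /root/EasyRSA* \
  /etc/openvpn/server.key /etc/openvpn/server.crt /etc/openvpn/ca.crt \
  /etc/openvpn/ta.key /etc/openvpn/dh.pem /etc/openvpn/server.conf

echo "This file should be run only once"
echo "Install EasyRSA and OpenVPN"
echo "https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04"
echo ""

set +x # keep the prompts readable
# Client name: becomes the certificate CN and part of several file names.
ask OPENVPN_USERNAME "Digite o nome do primeiro usuário: " '^[A-Za-z0-9][A-Za-z0-9_.-]*$'
ask OPENVPN_SERVER_IP "Qual é o IPv4 público desse servidor? " '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
ask OPENVPN_SERVER_PORT "Digite a porta na qual os clientes irão se conectar: " '^[0-9]{1,5}$'
# 10# forces decimal so a leading zero is not read as octal; the assignment
# also normalises the value that is written into server.conf and base.conf.
(( 10#$OPENVPN_SERVER_PORT >= 1 && 10#$OPENVPN_SERVER_PORT <= 65535 )) \
  || die "Porta inválida: $OPENVPN_SERVER_PORT"
OPENVPN_SERVER_PORT=$(( 10#$OPENVPN_SERVER_PORT ))

# Manual step: the egress interface is taken from the default route. The
# device detected below is offered as the default answer.
echo ""
ip route show default
echo ""
echo "O texto acima deve ser semelhante ao exemplo abaixo"
echo ""
echo "default via XXX.XXX.XXX.XXX dev eth0 proto dhcp src XXX.XXX.XXX.XXX metric XX"
echo "                                ^^^^"
echo "                                ||||"
echo ""
default_iface=$(ip -4 route show default \
  | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
read -r -p "Digite a parte do primeiro texto que equivale a posição das setas acima [${default_iface}]: " INTERFACE
INTERFACE=${INTERFACE:-$default_iface}
[[ "$INTERFACE" =~ ^[A-Za-z0-9_.-]+$ ]] || die "Nome de interface inválido: $INTERFACE"
# The name is written verbatim into an iptables-restore rule, so it must be a
# real device and nothing else.
ip link show dev "$INTERFACE" >/dev/null || die "Interface não encontrada: $INTERFACE"
set -x

apt update
apt install -y openvpn

cd /root/
wget -O "$EASYRSA_TGZ" "$EASYRSA_URL"
# Optional supply-chain check against the digest published with the release.
if [[ -n "${EASYRSA_SHA256:-}" ]]; then
  printf '%s  %s\n' "$EASYRSA_SHA256" "$EASYRSA_TGZ" | sha256sum -c - \
    || die "Checksum do ${EASYRSA_TGZ} não confere"
fi
tar xvf "$EASYRSA_TGZ"
cp -rf "$EASYRSA_CA_DIR" "$EASYRSA_SRV_DIR"

cd "$EASYRSA_CA_DIR"
cp vars.example vars
sed -ri 's/^#set_var EASYRSA_REQ_COUNTRY\s+"US"/set_var EASYRSA_REQ_COUNTRY "US"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_PROVINCE\s+"California"/set_var EASYRSA_REQ_PROVINCE "NewYork"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_CITY\s+"San Francisco"/set_var EASYRSA_REQ_CITY "New York City"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_ORG\s+"Copyleft Certificate Co"/set_var EASYRSA_REQ_ORG "DigitalOcean"/' vars
# NOTE(review): the "[email protected]" pattern below is a bracket expression,
# not an address, and probably never matches — EASYRSA_REQ_EMAIL then keeps
# EasyRSA's default, which is harmless. Fix the pattern if the field matters.
sed -ri 's/^#set_var EASYRSA_REQ_EMAIL\s+"[email protected]"/set_var EASYRSA_REQ_EMAIL "[email protected]"/' vars
sed -ri 's/^#set_var EASYRSA_REQ_OU\s+"My Organizational Unit"/set_var EASYRSA_REQ_OU "Community"/' vars

./easyrsa init-pki
# Interactive: EasyRSA asks to confirm the DN fields — <Enter> accepts each.
./easyrsa build-ca nopass

cd "$EASYRSA_SRV_DIR"
./easyrsa init-pki
# Interactive: <Enter> on every field.
./easyrsa gen-req server nopass
cp pki/private/server.key /etc/openvpn/server.key

cd "$EASYRSA_CA_DIR"
./easyrsa import-req "${EASYRSA_SRV_DIR}/pki/reqs/server.req" server
# Interactive: type <yes> then <Enter> to confirm signing.
./easyrsa sign-req server server
cp "${EASYRSA_CA_DIR}/pki/issued/server.crt" /etc/openvpn/server.crt
cp "${EASYRSA_CA_DIR}/pki/ca.crt" /etc/openvpn/ca.crt

cd "$EASYRSA_SRV_DIR"
./easyrsa gen-dh
openvpn --genkey --secret ta.key
cp ta.key /etc/openvpn/ta.key
cp pki/dh.pem /etc/openvpn/dh.pem
# Private material is root-only regardless of the umask in effect.
chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key

cd /root/
mkdir -p "${CLIENT_DIR}/keys" "${CLIENT_DIR}/files"
chmod -R 700 "$CLIENT_DIR"
cd "$EASYRSA_SRV_DIR"
# Interactive: <Enter> on every field.
./easyrsa gen-req "$OPENVPN_USERNAME" nopass
cp "pki/private/${OPENVPN_USERNAME}.key" "${CLIENT_DIR}/keys/${OPENVPN_USERNAME}.key"
cd "$EASYRSA_CA_DIR"
./easyrsa import-req "${EASYRSA_SRV_DIR}/pki/reqs/${OPENVPN_USERNAME}.req" "$OPENVPN_USERNAME"
# Interactive: type <yes> then <Enter>.
./easyrsa sign-req client "$OPENVPN_USERNAME"
cd "$EASYRSA_SRV_DIR"
cp "${EASYRSA_CA_DIR}/pki/issued/${OPENVPN_USERNAME}.crt" "${CLIENT_DIR}/keys/${OPENVPN_USERNAME}.crt"
cp ta.key "${CLIENT_DIR}/keys/ta.key"
cp /etc/openvpn/ca.crt "${CLIENT_DIR}/keys/ca.crt"

# OpenVPN service configuration, derived from the packaged sample.
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gzip -d /etc/openvpn/server.conf.gz
cd /etc/openvpn/
sed -ri 's/^(cipher AES-256-CBC)/\1\nauth SHA256/' server.conf
sed -i 's/dh dh2048.pem/dh dh.pem/' server.conf
sed -i 's/;user nobody/user nobody/' server.conf
sed -i 's/;group nogroup/group nogroup/' server.conf
sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' server.conf
sed -i 's/;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/' server.conf
sed -i 's/;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/' server.conf
# Port was validated as a plain integer above, so it is safe inside the sed script.
sed -i "s/port 1194/port ${OPENVPN_SERVER_PORT}/" server.conf

sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# Expected to print: net.ipv4.ip_forward = 1
sysctl -p

cd /etc/ufw/
# On a re-run start from the pristine before.rules saved previously so the
# NAT block is not prepended a second time.
if [[ -e /etc/ufw/before.rules.old ]]; then
  cp before.rules.old before.rules
fi
# $INTERFACE was validated above (name pattern + existing device) before being
# interpolated into this iptables-restore block. The source range matches the
# sample server.conf's "server 10.8.0.0 255.255.255.0"; the tutorial's /8
# would also masquerade unrelated 10.x traffic.
cat > /etc/ufw/openvpn.rules <<EOF
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN clients out via $INTERFACE
-A POSTROUTING -s 10.8.0.0/24 -o $INTERFACE -j MASQUERADE
COMMIT
# END OPENVPN RULES
EOF
cat openvpn.rules before.rules > before.rules.tmp
cp before.rules before.rules.old
mv before.rules.tmp before.rules
sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
ufw allow "${OPENVPN_SERVER_PORT}/udp"
ufw allow OpenSSH
ufw disable
# --force skips the "may disrupt existing ssh connections" prompt; OpenSSH was
# allowed just above, so the current session survives.
ufw --force enable

# First client profile.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "${CLIENT_DIR}/base.conf"
# IP and port were validated above; neither contains sed metacharacters that
# matter on the replacement side.
sed -i "s/remote my-server-1 1194/remote ${OPENVPN_SERVER_IP} ${OPENVPN_SERVER_PORT}/" "${CLIENT_DIR}/base.conf"
sed -i 's/;user nobody/user nobody/' "${CLIENT_DIR}/base.conf"
sed -i 's/;group nogroup/group nogroup/' "${CLIENT_DIR}/base.conf"
sed -i 's/ca ca.crt/#ca ca.crt/' "${CLIENT_DIR}/base.conf"
sed -i 's/cert client.crt/#cert client.crt/' "${CLIENT_DIR}/base.conf"
sed -i 's/key client.key/#key client.key/' "${CLIENT_DIR}/base.conf"
sed -i 's/tls-auth ta.key 1/#tls-auth ta.key 1/' "${CLIENT_DIR}/base.conf"
sed -ri 's/^(cipher AES-256-CBC)/\1\nauth SHA256/' "${CLIENT_DIR}/base.conf"
{
  echo 'key-direction 1'
  echo 'script-security 2'
  echo 'up /etc/openvpn/update-resolv-conf'
  echo 'down /etc/openvpn/update-resolv-conf'
} >> "${CLIENT_DIR}/base.conf"

# Helper kept for issuing further profiles later: inlines CA, cert, key and
# ta.key into a single .ovpn. The profile embeds a private key, hence umask 077.
cat > "${CLIENT_DIR}/make_config.sh" <<'EOF'
#!/bin/bash
# First argument: Client identifier
set -euo pipefail
umask 077
KEY_DIR=~/client-configs/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
client=${1:?client identifier required}
cat "${BASE_CONFIG}" \
  <(printf '<ca>\n') \
  "${KEY_DIR}/ca.crt" \
  <(printf '</ca>\n<cert>\n') \
  "${KEY_DIR}/${client}.crt" \
  <(printf '</cert>\n<key>\n') \
  "${KEY_DIR}/${client}.key" \
  <(printf '</key>\n<tls-auth>\n') \
  "${KEY_DIR}/ta.key" \
  <(printf '</tls-auth>\n') \
  > "${OUTPUT_DIR}/${client}.ovpn"
EOF
chmod 700 "${CLIENT_DIR}/make_config.sh"
"${CLIENT_DIR}/make_config.sh" "$OPENVPN_USERNAME"
profile="${CLIENT_DIR}/files/${OPENVPN_USERNAME}.ovpn"
# Keep the commented sample as a reference; hand out a version without
# comments and blank lines.
cp "$profile" "${CLIENT_DIR}/files/${OPENVPN_USERNAME}.comment.ovpn"
grep -v -e '^#' -e '^;' -e '^$' "${CLIENT_DIR}/files/${OPENVPN_USERNAME}.comment.ovpn" > "$profile"

# Start OpenVPN now and on every boot.
systemctl enable openvpn@server
systemctl start openvpn@server

set +x
echo ""
echo "O texto abaixo representa as credenciais do usuário $OPENVPN_USERNAME"
echo "Você deve copiar esse texto e salvar em um arquivo $OPENVPN_USERNAME.ovpn para acesso ao servidor"
echo "com o comando abaixo"
echo ""
echo "sudo openvpn --config $OPENVPN_USERNAME.ovpn"
echo ""
read -r -p "Pression enter para ver..."
echo ""
# The profile contains the client's private key; it is only ever printed to
# the root terminal that ran this script.
cat "$profile"

# ---start server---
# systemctl start openvpn@server
# systemctl restart openvpn@server
# systemctl status openvpn@server
# systemctl stop openvpn@server
# systemctl enable openvpn@server
# ---log server---
# journalctl -u openvpn@server -f
# ---connect to server---
# sudo openvpn --config dan.ovpn
# ---test connection---
# clear; curl -i wtfismyip.com/json; echo ''; curl -i ipv4.wtfismyip.com/json; echo ''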