@hardyscc
Last active May 12, 2022 07:33
OpenVPN setup on Raspbian
# Raspbian PiVPN
## load os image
Install and start "Raspberry Pi Imager", then choose:
> Operating System > RASPBERRY PI OS LITE (32-BIT)
> Storage > Your SD Card
> Setting - Set hostname vpn.local
> Setting - Enable SSH
> Setting - Set username and password
> Click Write
## copy ssh public key to host
```sh
ssh-copy-id vpn.local
```
## setup
```sh
ssh vpn.local
sudo raspi-config
```
> 2 Network Options -> N1 Hostname (host)
> 4 Localisation Options -> Change Locale (en_US.UTF-8)
> 4 Localisation Options -> Change Timezone (Asia/Hong Kong)
## update locale
```sh
cat << EOF | sudo tee -a /etc/default/locale
LANGUAGE=en_US.UTF-8
LC_ALL=en_US.UTF-8
EOF
```
## update os
```sh
ssh vpn.local
sudo apt update
sudo apt -y upgrade
```
## install dnsmasq
```sh
sudo apt -y install dnsmasq
```
## setup dnsmasq
```sh
# answer DNS on loopback and on the OpenVPN tunnel address, and serve client names
cat << EOF | sudo tee -a /etc/dnsmasq.conf
listen-address=127.0.0.1,10.8.0.1
addn-hosts=/etc/hosts.openvpn-clients
EOF
# hosts file the learn-address hook will maintain (world-writable here;
# with the hook running as root, as configured below, 0644 is enough)
sudo touch /etc/hosts.openvpn-clients
sudo chmod a+w /etc/hosts.openvpn-clients
sudo systemctl restart dnsmasq
```
## install PiVPN
```sh
curl -L https://install.pivpn.io | bash
```
> Accept DHCP
> Select OpenVPN
> Yes for Customize
> TCP 7443
> Select PiVPN-is-local-DNS
> No for Custom Search Domain
> Select DNS Entry - vpn.domain.com
> Installation mode - Yes
> Use a 2048-bit
> Yes for not generating new DH parameters
> Yes for Unattended Upgrades
## remove block-outside-dns (so clients can still look up internal domains, e.g. *.home)
```sh
sudo sed -i '/block-outside-dns/d' /etc/openvpn/server.conf
```
## setup learn-address
```sh
# fetch the learn-address hook that maintains /etc/hosts.openvpn-clients for dnsmasq
curl -LO https://gist.githubusercontent.com/hardyscc/f7f4c20afad85d98792015f623dfb1f7/raw/learn-address.sh
chmod +x learn-address.sh
sudo mv learn-address.sh /etc/openvpn/learn-address.sh
# replace PiVPN's keepalive line with the one appended below
sudo sed -i '/^keepalive/d' /etc/openvpn/server.conf
# "user root" keeps the daemon privileged so the hook can write the hosts file;
# "script-security 2" permits OpenVPN to call external scripts
cat << EOF | sudo tee -a /etc/openvpn/server.conf
# learn vpn client ip address
user root
script-security 2
learn-address learn-address.sh
log-append /var/log/openvpn.log
keepalive 120 240
EOF
# widen the unit's capability bounding set for the root-running daemon
# (CAP_KILL lets the hook signal dnsmasq, which runs as another user)
sudo mkdir -p /etc/systemd/system/openvpn@server.service.d
cat << EOF | sudo tee -a /etc/systemd/system/openvpn@server.service.d/override.conf
[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_KILL
EOF
sudo systemctl daemon-reload
# switch from the legacy "openvpn" unit to the per-config openvpn@server instance
sudo systemctl stop openvpn
sudo systemctl disable openvpn
sudo systemctl start openvpn@server
sudo systemctl enable openvpn@server
```
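The learn-address.sh that the page downloads is not shown on the page. As an added example (not hardyscc's script), the hook below does what the configuration above expects of one: OpenVPN calls it on every `add`/`update`/`delete` with the client's address and common name, it rewrites `/etc/hosts.openvpn-clients` atomically for dnsmasq's `addn-hosts`, and it rejects common names that are not plain hostnames before they reach a file dnsmasq parses. The `.vpn` suffix and the SIGHUP reload of dnsmasq are my assumptions.

```sh
#!/bin/sh
# Added example (not hardyscc's learn-address.sh from the gist above): an OpenVPN
# learn-address hook that keeps the dnsmasq addn-hosts file in sync with clients.
# OpenVPN calls it as:  learn-address.sh <add|update|delete> <address> [common_name]
# (no common_name on delete). A non-zero exit makes OpenVPN reject the address.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts.openvpn-clients}"
VPN_DOMAIN="${VPN_DOMAIN:-vpn}"   # assumed suffix: client "laptop" resolves as laptop.vpn

# learn_address OP ADDR CN FILE  -> rewrites FILE so it holds one line per client
learn_address() {
    op=$1 addr=$2 cn=$3 file=$4
    # Only IPv4 addresses (optionally with /prefix for iroute subnets), as in this setup.
    case "$addr" in ''|*[!0-9./]*) return 1 ;; esac
    case "$op" in
        add|update)
            # The CN is written into a file dnsmasq parses: accept plain hostnames only.
            case "$cn" in ''|*[!A-Za-z0-9-]*) return 1 ;; esac ;;
        delete) cn='' ;;
        *) return 1 ;;
    esac
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Drop any stale line for this address or this client name (exact field match, no regex).
    awk -v a="$addr" -v c="$cn" '$1 != a && (c == "" || $3 != c)' "$file" > "$tmp"
    if [ "$op" != delete ]; then
        printf '%s %s.%s %s\n' "$addr" "$cn" "$VPN_DOMAIN" "$cn" >> "$tmp"
    fi
    # dnsmasq runs unprivileged and must still read the file; the page's chmod a+w is
    # not needed when this hook (run as root via "user root") is the only writer.
    chmod 0644 "$tmp" && mv -f "$tmp" "$file"
}

# dnsmasq re-reads /etc/hosts and every addn-hosts file on SIGHUP.
reload_dnsmasq() {
    pkill -HUP -x dnsmasq 2>/dev/null || true
}

# Entry point when invoked by OpenVPN; does nothing when the file is merely sourced.
if [ "$#" -ge 2 ]; then
    learn_address "$1" "$2" "${3:-}" "$HOSTS_FILE" || exit 1
    reload_dnsmasq
fi
```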
## create ovpn
```sh
# client profile "your-pc", valid 3650 days, key without passphrase (nopass)
pivpn add nopass -d 3650 -n your-pc
```