Skip to content

Instantly share code, notes, and snippets.

@lookingcloudy

lookingcloudy/base.conf

Last active July 8, 2019 21:53
Show Gist options
  • Save lookingcloudy/237cde0f66c82a4af65d1f6605429e55 to your computer and use it in GitHub Desktop.
Save lookingcloudy/237cde0f66c82a4af65d1f6605429e55 to your computer and use it in GitHub Desktop.
Download ZIP
OpenVPN
Raw
base.conf
client
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto tcp
remote x.x.x.x 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA256
key-direction 1
#compress lz4
comp-lzo
verb 3
Raw
base_mfa.conf
client
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
proto tcp
remote x.x.x.x 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
#for google authenticator
ns-cert-type server
auth-user-pass
cipher AES-128-CBC
auth SHA256
key-direction 1
#compress lz4
comp-lzo
verb 3
Raw
make_config.sh
#!/bin/bash
# First argument: Client identifier
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn
Raw
make_config_with_mfa.sh
#!/bin/bash
# goes into ~/client_configs
# OpenVPN configuration Directory
OPENVPN_CFG_DIR=/etc/openvpn
# Directory where EasyRSA outputs the client keys and certificates
KEY_DIR=~/openvpn-ca/keys
# Where this script should create the OpenVPN client config files
OUTPUT_DIR=~/client-configs/files
# Base configuration for the client
BASE_CONFIG=~/client-configs/base-mfa.conf
# MFA Label
MFA_LABEL='OpenVPN Server'
# MFA User
MFA_USER=gauth
# MFA Directory
MFA_DIR=/etc/openvpn/google-authenticator
# ##############################################################################
function send_mail() {
attachment=$1
which mutt 2>&1 >/dev/null
if [ $? -ne 0 ]; then
echo "INFO: mail program not found, an email will not be sent to the user"
else
echo -en "Please, provide the e-mail of the user\n> "
read email
echo "INFO: Sending email"
echo "Here is your OpenVPN client configuration" | mutt -s "Your OpenVPN configuration" -a "$attachment" -- "$email"
fi
}
function generate_mfa() {
user_id=$1
if [ "$user_id" == "" ]; then
echo "ERROR: No user id provided to generate MFA token"
exit 1
fi
echo "INFO: Creating user ${user_id}"
sudo useradd -s /bin/nologin "$user_id"
# echo "> Please provide a password for the user"
# passwd "$user_id"
echo "INFO: Generating MFA Token"
su -c "google-authenticator -t -d -r3 -w3 -R30 -f -l \"${MFA_LABEL}-${user_id}\" -s $MFA_DIR/${user_id}" - $MFA_USER
}
function main() {
user_id=$1
if [ "$user_id" == "" ]; then
echo "ERROR: No user id provided"
exit 1
fi
if [ ! -f ${KEY_DIR}/ca.crt ]; then
echo "ERROR: CA certificate not found"
exit 1
fi
if [ ! -f ${KEY_DIR}/${user_id}.crt ]; then
echo "ERROR: User certificate not found"
exit 1
fi
if [ ! -f ${KEY_DIR}/${user_id}.key ]; then
echo "ERROR: User private key not found"
exit 1
fi
if [ ! -f ${OPENVPN_CFG_DIR}/ta.key ]; then
echo "ERROR: TLS Auth key not found"
exit 1
fi
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${user_id}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${user_id}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${user_id}-mfa.ovpn
echo "INFO: Key created in ${OUTPUT_DIR}/${user_id}.ovpn"
generate_mfa $user_id
# send_mail "${OUTPUT_DIR}/${user_id}.ovpn"
exit 0
}
# ##############################################################################
main $1
Raw
server.conf
#uncomment last line for MFA
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
keepalive 10 120
tls-auth ta.key 0
key-direction 0
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
auth SHA256
;compress lz4
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
#plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment