meepak · September 8, 2024 05:15
diff --git a/setup-openvpn b/setup-openvpn
 #!/bin/bash

 # Function to exit on error
 exit_on_error() {
    echo "Error: $1"
    exit 1
 }

 # Update system
 sudo apt update || exit_on_error "Failed to update package list"

 # Install OpenVPN and Easy-RSA
 sudo apt install -y openvpn easy-rsa || exit_on_error "Failed to install OpenVPN and Easy-RSA"

 # Check if ~/openvpn-ca exists, if so, abort
 if [ -d ~/openvpn-ca ]; then
    echo "~/openvpn-ca already exists. Aborting."
    exit 1
 fi

 # Setup Easy-RSA environment
 make-cadir ~/openvpn-ca || exit_on_error "Failed to create the CA directory"
 cd ~/openvpn-ca || exit_on_error "Failed to change directory to ~/openvpn-ca"

 # Initialize Easy-RSA
 ./easyrsa init-pki || exit_on_error "Failed to initialize the PKI"

 # Build the CA (No need to source vars anymore)
 ./easyrsa build-ca nopass || exit_on_error "Failed to build the CA"

 # Generate the server key and certificate
 ./easyrsa gen-req server nopass || exit_on_error "Failed to generate server request"
 ./easyrsa sign-req server server || exit_on_error "Failed to sign the server certificate"

 # Generate Diffie-Hellman parameters
 ./easyrsa gen-dh || exit_on_error "Failed to generate Diffie-Hellman parameters"

 # Generate the HMAC key
 openvpn --genkey --secret ta.key || exit_on_error "Failed to generate HMAC key"

 # Generate the client key and certificate
 ./easyrsa gen-req client1 nopass || exit_on_error "Failed to generate client request"
 ./easyrsa sign-req client client1 || exit_on_error "Failed to sign client certificate"

 # Move the necessary keys and certificates to OpenVPN directory
 sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn/

 # Create the OpenVPN server configuration file
 sudo bash -c 'cat > /etc/openvpn/server.conf <<EOF
 port 1194
 proto udp
 dev tun
 ca ca.crt
 cert server.crt
 key server.key
 dh dh.pem
 auth SHA256
 tls-auth ta.key 0
 topology subnet
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 8.8.4.4"
 keepalive 10 120
 cipher AES-256-CBC
 compress lz4
 persist-key
 persist-tun
 status openvpn-status.log
 log-append /var/log/openvpn.log
 verb 3
 EOF'

 # Enable IP forwarding
 sudo sysctl -w net.ipv4.ip_forward=1 || exit_on_error "Failed to enable IP forwarding"

 # Apply IP forwarding permanently
 sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

 # Configure firewall (replace eth0 with your network interface if different)
 sudo ufw allow 1194/udp
 sudo ufw allow OpenSSH
 sudo ufw disable
 sudo ufw enable

 # Start and enable OpenVPN service
 sudo systemctl start openvpn@server
 sudo systemctl enable openvpn@server

 # Generate client .ovpn file
 CLIENT_CONFIG="client
 dev tun
 proto udp
 remote $(curl -s ifconfig.me) 1194
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 remote-cert-tls server
 auth SHA256
 cipher AES-256-CBC
 compress lz4
 key-direction 1
 verb 3

 <ca>
 $(cat ~/openvpn-ca/pki/ca.crt)
 </ca>
 <cert>
 $(cat ~/openvpn-ca/pki/issued/client1.crt)
 </cert>
 <key>
 $(cat ~/openvpn-ca/pki/private/client1.key)
 </key>
 <tls-auth>
 $(cat ~/openvpn-ca/ta.key)
 </tls-auth>"

 echo "$CLIENT_CONFIG" > ~/client1.ovpn

 echo "OpenVPN setup is complete. Client .ovpn file is located at ~/client1.ovpn"
	#!/bin/bash

	# Function to exit on error
	exit_on_error() {
	echo "Error: $1"
	exit 1
	}

	# Update system
	sudo apt update \|\| exit_on_error "Failed to update package list"

	# Install OpenVPN and Easy-RSA
	sudo apt install -y openvpn easy-rsa \|\| exit_on_error "Failed to install OpenVPN and Easy-RSA"

	# Check if ~/openvpn-ca exists, if so, abort
	if [ -d ~/openvpn-ca ]; then
	echo "~/openvpn-ca already exists. Aborting."
	exit 1
	fi

	# Setup Easy-RSA environment
	make-cadir ~/openvpn-ca \|\| exit_on_error "Failed to create the CA directory"
	cd ~/openvpn-ca \|\| exit_on_error "Failed to change directory to ~/openvpn-ca"

	# Initialize Easy-RSA
	./easyrsa init-pki \|\| exit_on_error "Failed to initialize the PKI"

	# Build the CA (No need to source vars anymore)
	./easyrsa build-ca nopass \|\| exit_on_error "Failed to build the CA"

	# Generate the server key and certificate
	./easyrsa gen-req server nopass \|\| exit_on_error "Failed to generate server request"
	./easyrsa sign-req server server \|\| exit_on_error "Failed to sign the server certificate"

	# Generate Diffie-Hellman parameters
	./easyrsa gen-dh \|\| exit_on_error "Failed to generate Diffie-Hellman parameters"

	# Generate the HMAC key
	openvpn --genkey --secret ta.key \|\| exit_on_error "Failed to generate HMAC key"

	# Generate the client key and certificate
	./easyrsa gen-req client1 nopass \|\| exit_on_error "Failed to generate client request"
	./easyrsa sign-req client client1 \|\| exit_on_error "Failed to sign client certificate"

	# Move the necessary keys and certificates to OpenVPN directory
	sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key /etc/openvpn/

	# Create the OpenVPN server configuration file
	sudo bash -c 'cat > /etc/openvpn/server.conf <<EOF
	port 1194
	proto udp
	dev tun
	ca ca.crt
	cert server.crt
	key server.key
	dh dh.pem
	auth SHA256
	tls-auth ta.key 0
	topology subnet
	server 10.8.0.0 255.255.255.0
	ifconfig-pool-persist ipp.txt
	push "redirect-gateway def1 bypass-dhcp"
	push "dhcp-option DNS 8.8.8.8"
	push "dhcp-option DNS 8.8.4.4"
	keepalive 10 120
	cipher AES-256-CBC
	compress lz4
	persist-key
	persist-tun
	status openvpn-status.log
	log-append /var/log/openvpn.log
	verb 3
	EOF'

	# Enable IP forwarding
	sudo sysctl -w net.ipv4.ip_forward=1 \|\| exit_on_error "Failed to enable IP forwarding"

	# Apply IP forwarding permanently
	sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

	# Configure firewall (replace eth0 with your network interface if different)
	sudo ufw allow 1194/udp
	sudo ufw allow OpenSSH
	sudo ufw disable
	sudo ufw enable

	# Start and enable OpenVPN service
	sudo systemctl start openvpn@server
	sudo systemctl enable openvpn@server

	# Generate client .ovpn file
	CLIENT_CONFIG="client
	dev tun
	proto udp
	remote $(curl -s ifconfig.me) 1194
	resolv-retry infinite
	nobind
	persist-key
	persist-tun
	remote-cert-tls server
	auth SHA256
	cipher AES-256-CBC
	compress lz4
	key-direction 1
	verb 3

	<ca>
	$(cat ~/openvpn-ca/pki/ca.crt)
	</ca>
	<cert>
	$(cat ~/openvpn-ca/pki/issued/client1.crt)
	</cert>
	<key>
	$(cat ~/openvpn-ca/pki/private/client1.key)
	</key>
	<tls-auth>
	$(cat ~/openvpn-ca/ta.key)
	</tls-auth>"

	echo "$CLIENT_CONFIG" > ~/client1.ovpn

	echo "OpenVPN setup is complete. Client .ovpn file is located at ~/client1.ovpn"