ubuntu simple openvpn server and client

setup_openvpn.sh

#!/bin/bash

# Check if running as root
if [ "$EUID" -ne 0 ]; then 
    echo "Please run as root or with sudo"
    exit 1
fi

# Exit on error
set -e

# Store the starting directory
STARTDIR=$(pwd)

echo "Starting OpenVPN setup..."

# Install required packages
echo "Installing required packages..."
apt update
apt install -y openvpn easy-rsa net-tools ufw

# Set up the PKI directory
echo "Setting up PKI infrastructure..."
mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa

# Initialize the PKI
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key

# Copy the necessary files to OpenVPN directory
echo "Copying certificates and keys..."
mkdir -p /etc/openvpn/server
cp pki/ca.crt /etc/openvpn/server/
cp pki/issued/server.crt /etc/openvpn/server/
cp pki/private/server.key /etc/openvpn/server/
cp pki/dh.pem /etc/openvpn/server/
cp ta.key /etc/openvpn/server/

# Create server configuration
cat << 'EOF' > /etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
EOF

# Enable IP forwarding
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-openvpn.conf
sysctl --system

# Configure firewall
echo "Configuring firewall..."
ufw allow OpenSSH
ufw allow 1194/udp
ufw --force enable

# Configure NAT
NIC=$(ip route get 8.8.8.8 | awk '{print $5;exit}')
ufw route allow in on tun0 out on $NIC
ufw route allow in on $NIC out on tun0
ufw reload

# Add iptables NAT rule and make it persistent
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE

# Start and enable OpenVPN
systemctl enable --now openvpn-server@server

# Generate client certificate
echo "Generating client certificates..."
cd /etc/openvpn/easy-rsa
./easyrsa gen-req client1 nopass
./easyrsa sign-req client client1

# Create client config directory
mkdir -p /etc/openvpn/client

# Create base client configuration
cat << EOF > /etc/openvpn/client/base.conf
client
dev tun
proto udp
remote $(curl -s ifconfig.me) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
verb 3
EOF

# Function to generate client configuration
generate_client_config() {
    CLIENT=$1
    OUTPUT_DIR="/etc/openvpn/client"
    cat ${OUTPUT_DIR}/base.conf > ${OUTPUT_DIR}/${CLIENT}.ovpn
    echo -e "<ca>\n$(cat pki/ca.crt)\n</ca>" >> ${OUTPUT_DIR}/${CLIENT}.ovpn
    echo -e "<cert>\n$(cat pki/issued/${CLIENT}.crt)\n</cert>" >> ${OUTPUT_DIR}/${CLIENT}.ovpn
    echo -e "<key>\n$(cat pki/private/${CLIENT}.key)\n</key>" >> ${OUTPUT_DIR}/${CLIENT}.ovpn
    echo -e "<tls-auth>\n$(cat ta.key)\n</tls-auth>" >> ${OUTPUT_DIR}/${CLIENT}.ovpn
}

# Generate config for first client
generate_client_config "client1"

echo "OpenVPN setup completed!"
echo "Client configuration is available at: /etc/openvpn/client/client1.ovpn"
echo ""
echo "To generate additional client certificates, use:"
echo "cd /etc/openvpn/easy-rsa"
echo "./easyrsa gen-req CLIENT_NAME nopass"
echo "./easyrsa sign-req client CLIENT_NAME"