Last active
November 10, 2018 15:51
-
-
Save peewpw/a1a367f1ab68e9262a19b13d33357596 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| cd /opt | |
| # Install openvpn | |
| apt-get update | |
| apt-get install openvpn easy-rsa -y | |
| # force vpn server to use amazon's DNS (not dhcp options set) | |
| echo "supersede domain-name-servers 10.0.0.2" >> /etc/dhcp/dhclient.conf | |
| # make a directory for our stuffs | |
| make-cadir certificates && cd certificates | |
| # generate server things | |
| sed -i 's/export KEY_CONFIG.*/export KEY_CONFIG="\$EASY_RSA\/openssl-1.0.0.cnf"/g' vars | |
| source vars | |
| ./clean-all | |
| touch keys/index.txt.attr | |
| ./pkitool --initca | |
| ./pkitool --server server | |
| ./build-dh | |
| openvpn --genkey --secret keys/ta.key | |
| cd /opt/certificates/keys | |
| cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn | |
| cd /opt/certificates | |
| echo "port 1194 | |
| proto udp | |
| dev tun | |
| ca ca.crt | |
| cert server.crt | |
| key server.key | |
| dh dh2048.pem | |
| server 10.8.0.0 255.255.255.0 | |
| push \"route 10.0.0.0 255.255.0.0\" | |
| client-to-client | |
| duplicate-cn | |
| keepalive 10 120 | |
| tls-auth ta.key 0 | |
| key-direction 0 | |
| cipher AES-256-CBC | |
| auth SHA256 | |
| user nobody | |
| group nogroup | |
| persist-key | |
| persist-tun | |
| comp-lzo | |
| status /var/log/openvpn/openvpn-status.log | |
| verb 3 | |
| explicit-exit-notify 1" > /etc/openvpn/server.conf | |
| IFS=', ' read -r -a domnames <<< "$1" | |
| for element in "${domnames[@]}" | |
| do | |
| echo "push \"dhcp-option DOMAIN $element\"" >> /etc/openvpn/server.conf | |
| done | |
| IFS=', ' read -r -a dnsnames <<< "$2" | |
| for element in "${dnsnames[@]}" | |
| do | |
| echo "push \"dhcp-option DNS $element\"" >> /etc/openvpn/server.conf | |
| done | |
| # allow ip forwarding | |
| sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf | |
| sysctl -p | |
| iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | |
| echo "@reboot root iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" >> /etc/crontab | |
| # generate client things | |
| ./pkitool client | |
| myip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) | |
| mkdir /opt/client-configs/ && cd /opt/client-configs/ | |
| echo "remote $myip 1194 | |
| client | |
| dev tun | |
| proto udp | |
| resolv-retry infinite | |
| nobind | |
| persist-key | |
| persist-tun | |
| remote-cert-tls server | |
| cipher AES-256-CBC | |
| auth SHA256 | |
| key-direction 1 | |
| comp-lzo | |
| verb 3 | |
| mute 20 | |
| user nobody | |
| group nogroup | |
| script-security 2 | |
| up /etc/openvpn/update-resolv-conf | |
| down /etc/openvpn/update-resolv-conf" > template.ovpn | |
| cp template.ovpn client.ovpn | |
| echo "<ca>" >> client.ovpn | |
| cat /etc/openvpn/ca.crt >> client.ovpn | |
| echo "</ca> | |
| <cert>" >> client.ovpn | |
| cat /opt/certificates/keys/client.crt >> client.ovpn | |
| echo "</cert> | |
| <key>" >> client.ovpn | |
| cat /opt/certificates/keys/client.key >> client.ovpn | |
| echo "</key> | |
| <tls-auth>" >> client.ovpn | |
| cat /etc/openvpn/ta.key >> client.ovpn | |
| echo "</tls-auth>" >> client.ovpn | |
| # start openvpn | |
| sudo systemctl start openvpn@server |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment