@tomgidden
Last active April 10, 2018 19:54
OpenVPN client configuration with client-side NAT (so other machines on your home network can use the VPN)

client.conf
## OpenVPN client configuration with client-side NAT
## (so other machines on your home network can use the VPN)
##
# Put all of this in /etc/openvpn, and install:
# ln -s common.sh up.sh
# ln -s common.sh down.sh
# chmod 755 common.sh
# openssl dhparam -out dh2048.pem 2048
# chmod 600 client.conf *.crt *.key *.pem
# and add your ca.crt and your VPN client .crt and .key files
# (user.crt and user.key below), along with the ta.key that you
# really should be using.
# The encryption and authentication stuff
ca ca.crt
cert user.crt
key user.key
# (dh is only required for --tls-server; it does no harm on a client)
dh dh2048.pem
tls-auth ta.key 1
# Or use tls-crypt if both server and client are on OpenVPN 2.4.
# Mine aren't, unfortunately :(
# Check you're talking to the right server. This checks
# the fingerprint of the CA that signed your VPN's certificate.
#
# openssl x509 -in ca.crt -fingerprint -noout
#
# (If a different CA signed the server's cert, run that command
# against that CA's certificate instead.)
verify-hash AB:CD:EF:01:02:03:65:F4:B4:48:38:CE:97:7E:94:30:F8:EC:91:4A
# Alternatively (or additionally) verify the remote cert name
# or subject:
verify-x509-name 'CN=VPN server on 20150306-131553' subject
# VPN parameters
remote vpn-host.example.com 443 tcp-client
dev tun
ping 10
persist-tun
persist-key
persist-local-ip
persist-remote-ip
pull
tls-client
remote-cert-tls server
cipher AES-256-CBC
# SNAT and forwarding to allow this VPN client to
# act as a gateway for other machines on your home
# network
script-security 2
up up.sh
down down.sh
# Logging
verb 3
mute 20
status /var/log/openvpn-client-status.log
log-append /var/log/openvpn-client.log
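The pin in `verify-hash` is easy to get wrong when copied by hand, and OpenVPN only reports the mismatch at connect time. The following is an added example, not part of the gist: a small bash helper that reads the pin from client.conf and compares it with the fingerprint `openssl x509 -fingerprint` prints for the CA file, after normalising case and the `SHA1 Fingerprint=` prefix. The file paths in the usage line are assumptions; `-sha1` matches the 20-byte SHA1 pin used in the config above (OpenVPN 2.4 also accepts a SHA256 pin, in which case use `-sha256`).

```shell
#!/bin/bash
# Added example (not the gist's code): check that the CA fingerprint
# pinned with "verify-hash" in client.conf matches the CA certificate
# on disk, before OpenVPN refuses the connection for you.

# Normalise a fingerprint: accept either the bare "AB:CD:..." form used
# in client.conf or the "SHA1 Fingerprint=ab:cd:..." line openssl prints.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' | tr -d ' \t\r' | tr 'a-f' 'A-F'
}

# The pinned value from a config file (first verify-hash line, if any).
pinned_fp() {
    awk '$1 == "verify-hash" { print $2; exit }' "$1"
}

# 0 if the two fingerprints are equal after normalisation.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Full check against a real CA file (needs openssl on the box).
check_pin() {
    conf=$1
    ca=$2
    pin=$(pinned_fp "$conf")
    if [ -z "$pin" ]; then
        echo "no verify-hash line in $conf" >&2
        return 1
    fi
    actual=$(openssl x509 -in "$ca" -fingerprint -sha1 -noout) || return 1
    if fp_matches "$pin" "$actual"; then
        echo "verify-hash in $conf matches $ca"
    else
        echo "MISMATCH: $conf pins $pin but $ca is $(normalize_fp "$actual")" >&2
        return 1
    fi
}

# Usage (paths are assumptions for this example):
# check_pin /etc/openvpn/client.conf /etc/openvpn/ca.crt
```

Run it after editing client.conf or rotating the CA; a non-zero exit means the pin and the certificate disagree and the client will fail TLS verification.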
common.sh
#!/bin/bash
# This script adds or removes Source NAT (masquerade) rules for packets
# going out through the VPN, and arranges for this server to forward
# those packets as well.
#
# You will need to set sysctl net.ipv4.ip_forward = 1 as well.
#
# This script will need to be symlinked or copied as `up.sh` and
# `down.sh`: it uses the script's filename to determine whether to
# add or delete, as unfortunately, OpenVPN doesn't tell the script.

# OpenVPN passes: tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
IF=$1   # the tun device, e.g. tun0
IP=$4   # our address on the tunnel (unused here, kept for reference)

# Add a rule only if it is not already present (-C checks for it), so
# repeated "up" events don't stack duplicate rules.
function add_rule {
    /sbin/iptables -C "$@" 2>/dev/null || { echo "Adding $*"; /sbin/iptables -A "$@"; }
}

# Delete a rule only if it is present, so "down" never errors on a
# rule that was already gone.
function del_rule {
    /sbin/iptables -C "$@" 2>/dev/null && { echo "Deleting $*"; /sbin/iptables -D "$@"; }
}

if [[ $0 = *"up.sh" ]]; then
    FN=add_rule
elif [[ $0 = *"down.sh" ]]; then
    FN=del_rule
else
    echo "$0: must be invoked as up.sh or down.sh" >&2
    exit 1
fi

# iptables accepts "-t table" anywhere on the command line, so it can
# stay at the end without being mistaken for the -C/-A/-D chain argument.
$FN FORWARD -o "$IF" -j ACCEPT -t filter
$FN FORWARD -i "$IF" -j ACCEPT -t filter
$FN POSTROUTING -o "$IF" -j MASQUERADE -t nat
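The gist's two FORWARD rules accept all traffic in both directions through the tunnel, so once ip_forward is on, packets arriving from the VPN side that are addressed to LAN hosts get forwarded into the home network as well. As an added example (not the gist's common.sh), here is a variant of the up/down script that NATs only one LAN subnet out through the VPN and lets traffic from the VPN back into the LAN only when it belongs to a connection the LAN side started (`-m conntrack --ctstate RELATED,ESTABLISHED`). The rule list lives in one function so that add and delete always use the same set and the set can be printed without root for review. `LAN_NET` and the iptables path are assumptions to set for your network.

```shell
#!/bin/bash
# Added example, not the gist's common.sh: up/down script with tighter
# forwarding. Only the home LAN (LAN_NET) is NATed out through the VPN,
# and traffic arriving from the VPN is forwarded into the LAN only when
# it belongs to a connection the LAN side initiated.
# LAN_NET and IPTABLES are assumptions; adjust them for your network.
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPTABLES=${IPTABLES:-/sbin/iptables}

# Emit the managed rules, one per line, as "<table> <chain> <rule spec>"
# for the VPN interface named in $1. A single list keeps add and delete
# in step, and it can be printed without root to review what gets applied.
rule_lines() {
    vpn_if=$1
    cat <<EOF
filter FORWARD -s $LAN_NET -o $vpn_if -j ACCEPT
filter FORWARD -i $vpn_if -d $LAN_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
nat POSTROUTING -s $LAN_NET -o $vpn_if -j MASQUERADE
EOF
}

# Number of rules managed for an interface (handy for a post-up check).
rule_count() {
    rule_lines "$1" | wc -l | tr -d ' '
}

# Apply "add" or "del" idempotently: -C tests whether the rule exists,
# so repeated up events never stack duplicates and delete never errors.
apply_rules() {
    action=$1
    vpn_if=$2
    rule_lines "$vpn_if" | while read -r table chain rest; do
        # word-splitting the rule spec into iptables arguments is intended
        set -- $rest
        if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
            if [ "$action" = del ]; then
                echo "Deleting $table $chain $*"
                "$IPTABLES" -t "$table" -D "$chain" "$@"
            fi
        else
            if [ "$action" = add ]; then
                echo "Adding $table $chain $*"
                "$IPTABLES" -t "$table" -A "$chain" "$@"
            fi
        fi
    done
}

# The rules do nothing unless forwarding is on; 0 if it is enabled.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# OpenVPN runs this as up.sh or down.sh (symlinks, as in the gist),
# with the tun device as $1.
case $0 in
    *up.sh)
        forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
        apply_rules add "$1"
        ;;
    *down.sh)
        apply_rules del "$1"
        ;;
esac
```

`rule_lines tun0` prints the three rules that would be installed, which is a convenient thing to diff against `iptables-save` after an "up" event; `IPTABLES` can be pointed at a wrapper for a dry run.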