
@toodooleedoo
Created April 12, 2017 13:08

Openvpn Safe start

This script accepts an OpenVPN config file as an input parameter and injects your username and password into the .ovpn file (by pointing auth-user-pass at a credentials file) so you can log in without having to type a password. Additionally, you can configure a default .ovpn file by naming the file default.ovpn.

It will also use iptables to allow outbound connections on eth+ ONLY to the server IP in the .ovpn file. This prevents leaks if the VPN drops, because all other connections are not allowed.

#!/bin/bash
############################
#
# Title: Allow passwordless login and prevent leaks.
# Requirements: Linux with a working OpenVPN using ovpn files
# @Author: Eric Soukenka
# @Date: April 6th 2017
#
#######################
if [ "$EUID" -ne 0 ]; then
echo "Please run with sudo or as root"
exit 1
fi
# Base directory with .ovpn files
CONFIG_BASEDIR=/etc/openvpn/configs
# Setup passwordless login for vpn. Note password will be left behind in ovpn file!
## Example:
### echo "[email protected]" > /etc/openvpn/userpass
### echo "mypassword" >> /etc/openvpn/userpass
PASSWORDFILE=/etc/openvpn/userpass
#Waits this many seconds for determining external ip
WAITTIME=15
#Place daemon will log to
OPENVPNLOGFILE=/var/log/openvpn.log
# Pick the config: the first argument, or default.ovpn when none is given
if [ -z "${1}" ]; then
if [ -f "${CONFIG_BASEDIR}/default.ovpn" ]; then
CONFIG_FILE="default.ovpn";
else
echo "${CONFIG_BASEDIR}/default.ovpn does not exist and no config file name passed in";
exit 1;
fi
else
CONFIG_FILE="${1}"
fi
# Take the host from the first "remote" line. OpenVPN allows several remote lines;
# grepping all of them would join the hosts with newlines and fail the check below.
VPNIP=$(awk '$1 == "remote" {print $2; exit}' "${CONFIG_BASEDIR}/${CONFIG_FILE}")
# Let's make sure we have a valid IP address (the DROP rule further down needs an IP, not a hostname)
if [[ ${VPNIP} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "SUCCESS: FOUND IP ${VPNIP} in ${CONFIG_BASEDIR}/${CONFIG_FILE}";
else
echo "FAILURE: IP \"${VPNIP}\" doesn't seem valid from ${CONFIG_BASEDIR}/${CONFIG_FILE}";
exit 1;
fi
# Staging passwordless login
# https://forums.openvpn.net/viewtopic.php?t=11342
if [ -f "${PASSWORDFILE}" ]; then
# Point auth-user-pass at the credentials file; '|' as the sed delimiter so the path needs no escaping
sed -i "s|^auth-user-pass.*|auth-user-pass ${PASSWORDFILE}|" "${CONFIG_BASEDIR}/${CONFIG_FILE}";
else
echo "WARNING: ${PASSWORDFILE} not found, skipping adding credentials to conf file";
fi
# Prevent IP leaks. Disconnects will immediately cut all internet traffic
## Flush the filter table (policies back to ACCEPT) and the nat table, then add ONLY VPNIP.
## Resetting nat as well keeps the MASQUERADE rule below from being duplicated on every run.
iptables-restore <<'EOF'
# Empty the entire filter table
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Empty the entire nat table
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #allow loopback access
iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 255.255.255.255 -j ACCEPT #make sure you can communicate with any DHCP server
iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT #make sure that you can communicate within your own network (adjust if your LAN is not 192.168.x.x)
iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i eth+ -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth+ -j ACCEPT # make sure that eth+ and tun+ can communicate
iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE # in the POSTROUTING chain of the NAT table, map the tun+ interface outgoing packet IP address, cease examining rules and let the header be modified, so that we don't have to worry about ports or any other issue - please check this rule with care if you have already a NAT table in your chain
iptables -A OUTPUT -o eth+ ! -d "${VPNIP}" -j DROP # if destination for outgoing packet on eth+ is NOT a.b.c.d, drop the packet, so that nothing leaks if VPN disconnects (note: only eth+ is covered, adapt this for wlan+ etc.)
echo "SUCCESS: Set iptables for allowing only ${VPNIP}";
pkill -f "openvpn --config";
sleep 5;
openvpn --config "${CONFIG_BASEDIR}/${CONFIG_FILE}" --daemon --log "${OPENVPNLOGFILE}";
echo "SUCCESS: Starting OPENVPN in daemon mode. Check ${OPENVPNLOGFILE} for details";
sleep 5
echo "NOTICE: Running curl to determine your external IP with max wait of ${WAITTIME} seconds";
EXTERNALIP="$(curl -m "${WAITTIME}" -s http://whatismijnip.nl | cut -d ' ' -f 5)";
# NOTE: this only matches when the server's exit IP equals the entry IP in the .ovpn;
# some providers use a different egress address, in which case FAILURE is a false alarm.
if [ "${EXTERNALIP}" = "${VPNIP}" ]; then
echo "SUCCESS: External IP - ${EXTERNALIP}";
else
echo "FAILURE: External IP: ${EXTERNALIP}";
fi
echo "NOTICE: You can stop the daemon anytime by running pkill -f openvpn";
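The kill-switch part of the gist, reworked as an added example that is not part of the original script: it reads every "remote" line of an .ovpn (the gist only handles a single dotted-quad remote), resolves hostnames before the rules go in, and renders an iptables-restore ruleset whose OUTPUT policy is DROP so the allow-list covers every physical interface rather than just eth+. The interface name eth0, the sample config (RFC 5737 documentation addresses) and the use of getent (glibc) are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not part of the original gist: a parametrised kill-switch
# ruleset generator. Interface name and the sample config are constructed
# assumptions for the demo; review the output before loading it.

# Print "host port proto" for each "remote" directive in config file $1.
# Defaults follow OpenVPN: port 1194, proto udp. "tcp-client", "udp4" etc.
# are normalised to the protocol name iptables expects.
ovpn_remotes() {
    awk '$1 == "remote" {
            port  = ($3 != "") ? $3 : "1194"
            proto = ($4 != "") ? $4 : "udp"
            sub(/-client$/, "", proto)   # tcp-client -> tcp
            sub(/[46]$/, "", proto)      # udp4 / tcp6 -> udp / tcp
            print $2, port, proto
        }' "$1"
}

# Resolve a remote host to IPv4 addresses, one per line. Dotted quads pass
# straight through (so this works offline); names go through getent, which
# must happen BEFORE the rules are loaded, because afterwards DNS to anything
# outside the LAN is blocked by design.
resolve_v4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" | awk '{print $1}' | sort -u ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# Expand "host port proto" into one "ip port proto" line per resolved address.
resolved_remotes() {
    ovpn_remotes "$1" | while read -r host port proto; do
        resolve_v4 "$host" | while read -r ip; do
            printf '%s %s %s\n' "$ip" "$port" "$proto"
        done
    done
}

# Read "ip port proto" lines on stdin and emit an iptables-restore ruleset on
# stdout. $1 is the physical interface (e.g. eth0). Loopback, the tunnel,
# DHCP broadcast and the local 192.168/16 LAN stay open; everything else is
# dropped unless it goes to one of the VPN endpoints on the right port/proto.
render_rules() {
    iface=$1
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT DROP [0:0]' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -o tun+ -j ACCEPT' \
        '-A OUTPUT -d 255.255.255.255 -p udp --dport 67 -j ACCEPT' \
        '-A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT'
    while read -r ip port proto; do
        [ -n "$ip" ] || continue
        printf '%s\n' "-A OUTPUT -o $iface -d $ip -p $proto --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample config (RFC 5737 documentation addresses), written to a
# temp file so the functions above can be exercised without a real VPN.
SAMPLE_OVPN=$(mktemp)
trap 'rm -f "$SAMPLE_OVPN"' EXIT
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
remote 203.0.113.10 1194 udp
remote 203.0.113.11 443 tcp-client
remote 203.0.113.12
auth-user-pass /etc/openvpn/userpass
EOF

# Stand-alone run: show the ruleset that would be fed to iptables-restore.
resolved_remotes "$SAMPLE_OVPN" | render_rules eth0
```

To use it for real, run `resolved_remotes /etc/openvpn/configs/default.ovpn | render_rules eth0 > /tmp/killswitch.rules`, inspect the file, then load it with `iptables-restore < /tmp/killswitch.rules`. Because the policy is DROP rather than a single appended rule, a laptop on wlan0 gets the same protection as a box on eth0, and a provider whose exit IP differs from the entry IP is still handled correctly since only the entry endpoints need to be listed.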