Last active
June 25, 2020 01:18
-
-
Save wheelerlaw/bb78cfe4584e4215ddb4b39bd8557bec to your computer and use it in GitHub Desktop.
Automate script to provision a server to function as an OpenConnect VPN server using Vultr
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| sudo apt-get install -y ocserv software-properties-common | |
| sudo add-apt-repository -y ppa:certbot/certbot | |
| sudo apt-get update && sudo apt-get install -y certbot | |
| sudo certbot certonly --standalone --preferred-challenges http -n --agree-tos --email [email protected] -d vpn.steele.co | |
| (crontab -l 2>/dev/null; echo "@daily certbot renew --quiet && systemctl restart ocserv") | crontab - | |
| sudo iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE | |
| sudo ufw default deny | |
| sudo ufw allow --force ssh | |
| sudo ufw allow --force 443 | |
| sudo ufw enable | |
| echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.conf | |
| sudo sysctl -p | |
| echo \ | |
| 'auth = "plain[passwd=/etc/ocserv/ocpasswd]" | |
| tcp-port = 443 | |
| udp-port = 443 | |
| run-as-user = nobody | |
| run-as-group = daemon | |
| socket-file = /var/run/ocserv-socket | |
| server-cert = /etc/letsencrypt/live/vpn.steele.co/fullchain.pem | |
| server-key = /etc/letsencrypt/live/vpn.steele.co/privkey.pem | |
| ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem | |
| isolate-workers = true | |
| max-clients = 16 | |
| max-same-clients = 4 | |
| keepalive = 32400 | |
| dpd = 90 | |
| mobile-dpd = 1800 | |
| try-mtu-discovery = true | |
| cert-user-oid = 0.9.2342.19200300.100.1.1 | |
| tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" | |
| auth-timeout = 240 | |
| min-reauth-time = 3 | |
| max-ban-score = 50 | |
| ban-reset-time = 300 | |
| cookie-timeout = 300 | |
| deny-roaming = false | |
| rekey-time = 172800 | |
| rekey-method = ssl | |
| use-utmp = true | |
| use-occtl = true | |
| pid-file = /var/run/ocserv.pid | |
| device = vpns | |
| predictable-ips = true | |
| default-domain = vpn.steele.co | |
| ipv4-network = 192.168.42.0/24 | |
| ipv6-network = fda9:4efe:7e3b:03ea::/48 | |
| tunnel-all-dns = true | |
| dns = 2606:4700:4700::1111 | |
| dns = 2606:4700:4700::1001 | |
| dns = 1.1.1.1 | |
| dns = 1.0.0.1 | |
| ping-leases = false | |
| cisco-client-compat = true | |
| dtls-legacy = true | |
| ' > /etc/ocserv/ocserv.conf | |
| echo '-A POSTROUTING -o ens3 -j MASQUERADE' > /etc/iptables.save | |
| echo \ | |
| '[Unit] | |
| Description=Packet Filtering Framework | |
| Before=network-pre.target | |
| Wants=network-pre.target | |
| [Service] | |
| Type=oneshot | |
| ExecStart=/sbin/iptables-restore /etc/iptables.rules | |
| ExecReload=/sbin/iptables-restore /etc/iptables.rules | |
| RemainAfterExit=yes | |
| [Install] | |
| WantedBy=multi-user.target' > /etc/systemd/system/iptables-restore.service | |
| sudo systemctl daemon-reload | |
| sudo systemctl enable iptables-restore | |
| sudo ocpasswd -c /etc/ocserv/ocpasswd wheeler |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment