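├── README.md
├── create_openvpn_server_centos8_v0_3.sh
└── ubuntu20+_openvpn-install.sh
/README.md:
--------------------------------------------------------------------------------
# About
There are two scripts in this repository. The first is create_openvpn_server_centos8_v0_3.sh. This script installs an OpenVPN server on the RHEL family. This script was written by me.
The second script is ubuntu20+_openvpn-install.sh. I took it from https://github.com/angristan/openvpn-install. It is here so that I do not forget about it.

# INSTALL
To install either script, fork the repository, then make the script executable
```
sudo chmod +x ./create_openvpn_server_centos8_v0_3.sh
```
and run it
```
sudo ./create_openvpn_server_centos8_v0_3.sh
```
--------------------------------------------------------------------------------
/create_openvpn_server_centos8_v0_3.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Builds an OpenVPN server on CentOS/RHEL 8 from scratch: service account,
# EasyRSA PKI, server.conf, SELinux port label, firewalld/NAT rules and N
# ready-to-use client profiles in /home/openvpn/ready_conf.
# Run as root (sudo). Every prompt has a default; press Enter to accept it.
# Optional env: EASYRSA_SHA256 - expected sha256 of the EasyRSA tarball. When
# set, the download is verified against it before extraction.

# Print a message to stderr and exit. Used for steps nothing below can
# recover from (downloads, PKI generation, service start).
die() {
  printf 'Ошибка: %s\n' "$*" >&2
  exit 1
}

[[ $EUID -eq 0 ]] || die "скрипт нужно запускать от root (sudo)"

echo "Этот скрипт создаст OpenVPN сервер с нуля, от вас потребуется указать количество клиентов и минимальные настройки"
echo "К каждому пункту будет пояснение"
echo "Для начала создадим пользователя openvpn"

username=openvpn    # login account that owns /etc/openvpn and the client profiles
client_name=client  # prefix of client profile names: client1.ovpn, client2.ovpn, ...
easyrsa_version=3.0.8
easyrsa_dir="/etc/openvpn/EasyRSA-${easyrsa_version}"
easyrsa="${easyrsa_dir}/easyrsa"
easyrsa_sha256="${EASYRSA_SHA256:-}" # empty = skip the tarball integrity check
# VPN subnet; the same value feeds server.conf and the firewalld/NAT rules.
vpn_net=172.31.1.0
vpn_mask=255.255.255.0
vpn_cidr=172.31.1.0/24
ready_dir="/home/${username}/ready_conf"
template="/home/${username}/temp_conf_client.txt"

# Create the account only once so the script can be re-run.
# NOTE: wheel membership is not used by anything in this script; it gives the
# account sudo rights, so a leaked password for it is a root compromise. It is
# kept because the script advertises an "admin" user - drop the usermod line
# if the account only needs to own the PKI and the profiles.
if grep -q "^${username}:" /etc/passwd; then
  echo "Пользователь уже создан в системе"
else
  adduser "$username" || die "не удалось создать пользователя $username"
  usermod -aG wheel "$username"
  passwd "$username"
  echo "Пользователь создан"
fi

# Number of client profiles to generate. Loop until a non-negative integer is
# entered; re-executing $0 (the old approach) left the parent script running
# with a non-numeric value.
quantity_client=""
while true; do
  echo "Укажите количество клиентов по умолчанию."
  echo "Потом можно добавить еще по необходимости"
  read -r quantity_client
  [[ $quantity_client =~ ^[0-9]+$ ]] && break
  echo "введённый символ не является числом, попробуйте снова"
  echo "Попробовать снова? (y/n/e)"
  read -r answer
  case $answer in
    y) ;;
    n)
      echo "bye"
      exit 0
      ;;
    e) exit 0 ;;
    *)
      echo "error"
      exit 1
      ;;
  esac
done
echo "Будут создано $quantity_client клиентских конфигураций с именами ${client_name}[X].ovpn"

echo 'Установим утилиты необходимые для дальнейшей работы'
dnf install -y wget tar zip
# EPEL must be enabled in its own transaction before openvpn can be resolved.
dnf install -y epel-release
dnf install -y openvpn || die "не удалось установить openvpn"

# An existing /etc/openvpn holds the CA and every issued key. Move it aside
# with a timestamp instead of deleting it, then start from an empty tree.
if [[ -e /etc/openvpn ]]; then
  backup="/etc/openvpn.bak.$(date +%Y%m%d%H%M%S)"
  mv /etc/openvpn "$backup" || die "не удалось переместить /etc/openvpn в $backup"
  echo "Старая директория openvpn перемещена в $backup, создана новая"
else
  echo "создана новая дирктория openvpn"
fi
mkdir -p /etc/openvpn/keys
# NOTE: the openvpn login account becomes the owner of /etc/openvpn itself, so
# it can rename or replace the pki/ and keys/ subtrees even though the key
# files created below are root-owned.
chown -R "${username}:${username}" /etc/openvpn

# Fetch EasyRSA. The download is pinned to a version; the sha256 check runs
# only when EASYRSA_SHA256 is provided (see the header).
tarball="/etc/openvpn/EasyRSA-${easyrsa_version}.tgz"
wget -O "$tarball" "https://github.com/OpenVPN/easy-rsa/releases/download/v${easyrsa_version}/EasyRSA-${easyrsa_version}.tgz" \
  || die "не удалось скачать EasyRSA"
if [[ -n $easyrsa_sha256 ]]; then
  echo "${easyrsa_sha256}  ${tarball}" | sha256sum -c - \
    || die "контрольная сумма EasyRSA не совпала"
fi
tar -xzf "$tarball" -C /etc/openvpn || die "не удалось распаковать EasyRSA"
rm -f "$tarball"

# Certificate subject fields for the vars file; Enter keeps the default.
echo "Укажите основные настройки создания сертификатов"
echo "Для каждого пункта есть настройки по умолчанию, их можно оставить"
echo "Страна(по умолчанию RH):"; read -r country
country=${country:-RH}
echo "Размер ключа(по умолчанию 2048):"; read -r key_size
if [[ $key_size =~ ^[0-9]+$ ]]; then
  echo "Установлен размер ключа:" "$key_size"
else
  key_size=2048; echo "Значение ключа установлено по умолчанию"
fi
echo "Укажите область\край(по умолчанию Tegucigalpa"; read -r province
province=${province:-Tegucigalpa}
echo "Город(по умолчанию Tegucigalpa)"; read -r city
city=${city:-Tegucigalpa}
echo "email(по умолчанию temp@mass.hn)"; read -r mail
mail=${mail:-temp@mass.hn}
echo "срок действия сертификата, дней(по умолчанию 3650/10 лет): "; read -r expire
if [[ $expire =~ ^[0-9]+$ ]]; then
  echo "Срок действия сертификата" "$expire" "дней"
else
  expire=3650
fi
# O and OU were previously taken from $domain_name, which nothing ever set,
# so the subject came out with empty fields. Ask for it explicitly.
echo "Организация(по умолчанию $username)"; read -r domain_name
domain_name=${domain_name:-$username}

# EasyRSA sources vars as shell, so free-text values are quoted to survive
# spaces.
cat <<EOF >"${easyrsa_dir}/vars"
set_var EASYRSA_REQ_COUNTRY "$country"
set_var EASYRSA_KEY_SIZE $key_size
set_var EASYRSA_REQ_PROVINCE "$province"
set_var EASYRSA_REQ_CITY "$city"
set_var EASYRSA_REQ_ORG "$domain_name"
set_var EASYRSA_REQ_EMAIL "$mail"
set_var EASYRSA_REQ_OU "$domain_name"
set_var EASYRSA_REQ_CN changeme
set_var EASYRSA_CERT_EXPIRE $expire
set_var EASYRSA_DH_KEY_SIZE $key_size
EOF

# Build the PKI in /etc/openvpn/pki. "nopass" leaves the CA private key
# unencrypted on this host: whoever can read pki/private/ca.key can issue
# valid client certificates.
cd /etc/openvpn/ || die "нет доступа к /etc/openvpn"
"$easyrsa" init-pki || die "init-pki завершился с ошибкой"
"$easyrsa" build-ca nopass || die "build-ca завершился с ошибкой"
"$easyrsa" build-server-full server_cert nopass || die "не удалось выпустить сертификат сервера"
"$easyrsa" gen-dh || die "gen-dh завершился с ошибкой"
# CRL lets the server reject revoked client certificates.
"$easyrsa" gen-crl || die "gen-crl завершился с ошибкой"
cp /etc/openvpn/pki/ca.crt /etc/openvpn/pki/crl.pem /etc/openvpn/pki/dh.pem /etc/openvpn/keys/
cp /etc/openvpn/pki/issued/server_cert.crt /etc/openvpn/keys/
cp /etc/openvpn/pki/private/server_cert.key /etc/openvpn/keys/
chmod 600 /etc/openvpn/keys/server_cert.key

# server.conf settings.
echo "Сейчас соберем информацию для файла конфигурации сервера."
echo "Порт(по умолчанию 1194):"; read -r port_num
if [[ $port_num =~ ^[0-9]+$ ]] && ((port_num >= 1 && port_num <= 65535)); then
  echo "Установлен порт:" "$port_num"
else
  port_num=1194; echo "Номер порта установлен по умолчанию"
fi
# Asked unconditionally: this prompt used to sit inside the "invalid port"
# branch, so entering a valid port silently skipped the protocol question.
echo "Протокол(по умолчанию udp)для установки tcp введите 1"; read -r protocol
if [[ $protocol == "1" ]]; then
  protocol="tcp"
  echo "Выбран протокол tcp"
else
  protocol="udp"
  echo "Выбран протокол udp"
fi

# Log directory and files.
mkdir -p /var/log/openvpn
touch /var/log/openvpn/{openvpn-status,openvpn}.log
chown -R "${username}:${username}" /var/log/openvpn

# Enable IPv4 forwarding; append only once so re-runs don't duplicate the line.
grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf || echo net.ipv4.ip_forward=1 >>/etc/sysctl.conf
sysctl -p /etc/sysctl.conf

# SELinux: label the chosen port for openvpn. "semanage port -a" errors out
# when the port is already labelled (e.g. the default 1194), so check first.
dnf install -y policycoreutils-python-utils setroubleshoot
if ! semanage port -l | grep -E "^openvpn_port_t +${protocol} " | grep -qw -- "$port_num"; then
  semanage port -a -t openvpn_port_t -p "$protocol" "$port_num"
fi
/sbin/restorecon -v /var/log/openvpn/openvpn.log
/sbin/restorecon -v /var/log/openvpn/openvpn-status.log

# firewalld: open the port, NAT the VPN subnet.
# NOTE: the VPN subnet is placed in the "trusted" zone, i.e. every VPN client
# may reach every local service on this host, not only forwarded traffic.
# Narrow the zone if that is not intended.
firewall-cmd --add-port="${port_num}/${protocol}"
firewall-cmd --zone=trusted --add-source="$vpn_cidr"
firewall-cmd --permanent --add-port="${port_num}/${protocol}"
firewall-cmd --permanent --zone=trusted --add-source="$vpn_cidr"
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s "$vpn_cidr" -j MASQUERADE
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s "$vpn_cidr" -j MASQUERADE
systemctl restart firewalld

# server.conf for the openvpn-server@server unit.
mkdir -p /etc/openvpn/server
cat <<EOF >/etc/openvpn/server/server.conf
port $port_num
proto $protocol
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server_cert.crt
key /etc/openvpn/keys/server_cert.key
dh /etc/openvpn/keys/dh.pem
crl-verify /etc/openvpn/keys/crl.pem
topology subnet
server $vpn_net $vpn_mask
route $vpn_net $vpn_mask
push "route $vpn_net $vpn_mask"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 2
mute 20
daemon
mode server
user nobody
group nobody
EOF

echo "Добавим сервер в автозагрузку и запустим"
systemctl enable openvpn-server@server
systemctl start openvpn-server@server || die "сервер не запустился, смотрите /var/log/openvpn/openvpn.log"
systemctl status --no-pager openvpn-server@server

# Client profiles.
mkdir -p "$ready_dir"
echo "IP к которому необходимо подключаться клиентам в формате 111.111.111.111"; read -r ip_adress
[[ -n $ip_adress ]] || die "адрес сервера не указан"
# Template every profile starts from; the inline CA/cert/key are appended per
# client. remote-cert-tls makes the client require the server certificate's
# server extension, so another client's certificate cannot pose as the server.
cat <<EOF >"$template"
client
dev tun
proto $protocol
remote $ip_adress $port_num
remote-cert-tls server
persist-key
persist-tun
verb 3
route-method exe
route-delay 2
EOF

#######################################
# Issue a client certificate and write a self-contained .ovpn profile.
# Globals:   easyrsa, template, ready_dir, username (read)
# Arguments: $1 - client name, e.g. client3
# Outputs:   $ready_dir/<name>.ovpn, mode 600 (it embeds the private key)
# Returns:   non-zero if EasyRSA fails to issue the certificate
#######################################
create_client() {
  local name=$1
  local profile="${ready_dir}/${name}.ovpn"
  cd /etc/openvpn/ || return 1
  "$easyrsa" build-client-full "$name" nopass || return 1
  cp "$template" "$profile"
  # The issued .crt carries a text dump before the PEM block; awk keeps only
  # BEGIN..END. DH parameters are a server-side option and are not embedded.
  {
    echo "<ca>"; cat /etc/openvpn/pki/ca.crt; echo "</ca>"
    echo "<cert>"; awk '/BEGIN/,/END/' "/etc/openvpn/pki/issued/${name}.crt"; echo "</cert>"
    echo "<key>"; cat "/etc/openvpn/pki/private/${name}.key"; echo "</key>"
  } >>"$profile"
  chmod 600 "$profile"
  chown "${username}:${username}" "$profile"
}

# Profiles are numbered down from the requested count (clientN ... client1),
# matching the original naming.
for ((i = quantity_client; i > 0; i--)); do
  create_client "${client_name}${i}" || die "не удалось создать клиента ${client_name}${i}"
done
"$easyrsa" gen-crl                                 # refresh the CRL after issuing
cp /etc/openvpn/pki/crl.pem /etc/openvpn/keys/     # into the directory the server reads
systemctl restart openvpn-server@server            # pick up the new CRL
cd "$ready_dir" || exit 1
ls -alh ./
echo "сейчас вы в директории с готовыми файлами конфигураций, их уже можно использовать"
echo "скрипт завершен успешно"
exec bash

--------------------------------------------------------------------------------
/ubuntu20+_openvpn-install.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# shellcheck disable=SC1091,SC2164,SC2034,SC1072,SC1073,SC1009

# Secure OpenVPN server installer for Debian, Ubuntu, CentOS, Amazon Linux 2, Fedora, Oracle Linux 8, Arch Linux, Rocky Linux and AlmaLinux.
# https://github.com/angristan/openvpn-install

# Returns 1 unless the effective uid is 0.
function isRoot() {
  if [ "$EUID" -ne 0 ]; then
    return 1
  fi
}

# Returns 1 unless the TUN device node exists.
function tunAvailable() {
  if [ ! -e /dev/net/tun ]; then
    return 1
  fi
}

# Sets the OS global from the distribution files; exits on unsupported ones.
function checkOS() {
  if [[ -e /etc/debian_version ]]; then
    OS="debian"
    source /etc/os-release

    if [[ $ID == "debian" || $ID == "raspbian" ]]; then
      if [[ $VERSION_ID -lt 9 ]]; then
        echo "⚠️ Your version of Debian is not supported."
        echo ""
        echo "However, if you're using Debian >= 9 or unstable/testing then you can continue, at your own risk."
        echo ""
        until [[ $CONTINUE =~ (y|n) ]]; do
          read -rp "Continue? 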
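[y/n]: " -e CONTINUE
        done
        if [[ $CONTINUE == "n" ]]; then
          exit 1
        fi
      fi
    elif [[ $ID == "ubuntu" ]]; then
      OS="ubuntu"
      MAJOR_UBUNTU_VERSION=$(echo "$VERSION_ID" | cut -d '.' -f1)
      if [[ $MAJOR_UBUNTU_VERSION -lt 16 ]]; then
        echo "⚠️ Your version of Ubuntu is not supported."
        echo ""
        echo "However, if you're using Ubuntu >= 16.04 or beta, then you can continue, at your own risk."
        echo ""
        until [[ $CONTINUE =~ (y|n) ]]; do
          read -rp "Continue? [y/n]: " -e CONTINUE
        done
        if [[ $CONTINUE == "n" ]]; then
          exit 1
        fi
      fi
    fi
  elif [[ -e /etc/system-release ]]; then
    source /etc/os-release
    if [[ $ID == "fedora" || $ID_LIKE == "fedora" ]]; then
      OS="fedora"
    fi
    if [[ $ID == "centos" || $ID == "rocky" || $ID == "almalinux" ]]; then
      OS="centos"
      if [[ $VERSION_ID -lt 7 ]]; then
        echo "⚠️ Your version of CentOS is not supported."
        echo ""
        echo "The script only support CentOS 7 and CentOS 8."
        echo ""
        exit 1
      fi
    fi
    if [[ $ID == "ol" ]]; then
      OS="oracle"
      if [[ ! $VERSION_ID =~ (8) ]]; then
        echo "Your version of Oracle Linux is not supported."
        echo ""
        echo "The script only support Oracle Linux 8."
        exit 1
      fi
    fi
    if [[ $ID == "amzn" ]]; then
      OS="amzn"
      if [[ $VERSION_ID != "2" ]]; then
        echo "⚠️ Your version of Amazon Linux is not supported."
        echo ""
        echo "The script only support Amazon Linux 2."
        echo ""
        exit 1
      fi
    fi
  elif [[ -e /etc/arch-release ]]; then
    OS=arch
  else
    echo "Looks like you aren't running this installer on a Debian, Ubuntu, Fedora, CentOS, Amazon Linux 2, Oracle Linux 8 or Arch Linux system"
    exit 1
  fi
}

# Stop unless we are root on a host with a TUN device, then detect the distro
# (sets the OS global used by the installers below).
function initialCheck() {
  if ! isRoot; then
    echo "Sorry, you need to run this as root"
    exit 1
  fi
  if ! tunAvailable; then
    echo "TUN is not available"
    exit 1
  fi
  checkOS
}

#######################################
# Install Unbound when it is absent and make it answer on the OpenVPN subnet
# (10.8.0.1/24); when it is already present, leave its own config alone and
# add a separate server stanza through an include.
# Globals:  OS, IPV6_SUPPORT (read)
# Outputs:  writes /etc/unbound/unbound.conf or /etc/unbound/openvpn.conf,
#           enables and restarts unbound
#######################################
function installUnbound() {
  local conf=/etc/unbound/unbound.conf
  # If Unbound isn't installed, install it
  if [[ ! -e $conf ]]; then

    if [[ $OS =~ (debian|ubuntu) ]]; then
      apt-get install -y unbound

      # Configuration
      echo 'interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes' >>"$conf"

    elif [[ $OS =~ (centos|amzn|oracle) ]]; then
      yum install -y unbound

      # Configuration: one sed pass over the distro's commented defaults
      sed -i \
        -e 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' \
        -e 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' \
        -e 's|# hide-identity: no|hide-identity: yes|' \
        -e 's|# hide-version: no|hide-version: yes|' \
        -e 's|use-caps-for-id: no|use-caps-for-id: yes|' "$conf"

    elif [[ $OS == "fedora" ]]; then
      dnf install -y unbound

      # Configuration (Fedora ships use-caps-for-id commented out, unlike EL)
      sed -i \
        -e 's|# interface: 0.0.0.0$|interface: 10.8.0.1|' \
        -e 's|# access-control: 127.0.0.0/8 allow|access-control: 10.8.0.1/24 allow|' \
        -e 's|# hide-identity: no|hide-identity: yes|' \
        -e 's|# hide-version: no|hide-version: yes|' \
        -e 's|# use-caps-for-id: no|use-caps-for-id: yes|' "$conf"

    elif [[ $OS == "arch" ]]; then
      pacman -Syu --noconfirm unbound

      # Get root servers list. -f makes curl fail on an HTTP error instead of
      # saving the error page as root.hints, which Unbound would then fail to
      # parse at startup.
      curl -f -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache

      if [[ ! -f /etc/unbound/unbound.conf.old ]]; then
        mv "$conf" /etc/unbound/unbound.conf.old
      fi

      echo 'server:
use-syslog: yes
do-daemonize: no
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
root-hints: root.hints
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
port: 53
num-threads: 2
use-caps-for-id: yes
harden-glue: yes
hide-identity: yes
hide-version: yes
qname-minimisation: yes
prefetch: yes' >"$conf"
    fi

    # IPv6 DNS for all OS
    if [[ $IPV6_SUPPORT == 'y' ]]; then
      echo 'interface: fd42:42:42:42::1
access-control: fd42:42:42:42::/112 allow' >>"$conf"
    fi

    if [[ ! $OS =~ (fedora|centos|amzn|oracle) ]]; then
      # DNS Rebinding fix
      echo "private-address: 10.0.0.0/8
private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96" >>"$conf"
    fi
  else # Unbound is already installed
    # Guarded so that re-running the installer does not duplicate the include.
    grep -q '^include: /etc/unbound/openvpn.conf' "$conf" \
      || echo 'include: /etc/unbound/openvpn.conf' >>"$conf"

    # Add Unbound 'server' for the OpenVPN subnet
    echo 'server:
interface: 10.8.0.1
access-control: 10.8.0.1/24 allow
hide-identity: yes
hide-version: yes
use-caps-for-id: yes
prefetch: yes
private-address: 10.0.0.0/8
private-address: fd42:42:42:42::/112
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::ffff:0:0/96' >/etc/unbound/openvpn.conf
    if [[ $IPV6_SUPPORT == 'y' ]]; then
      echo 'interface: fd42:42:42:42::1
access-control: fd42:42:42:42::/112 allow' >>/etc/unbound/openvpn.conf
    fi
  fi

  systemctl enable unbound
  systemctl restart unbound
}

# Interactive setup questions; fills the globals the installer reads
# (IP, ENDPOINT, IPV6_SUPPORT, PORT, PROTOCOL, DNS, cipher choices, ...).
function installQuestions() {
  echo "Welcome to the OpenVPN installer!"
  echo "The git repository is available at: https://github.com/angristan/openvpn-install"
  echo ""

  echo "I need to ask you a few questions before starting the setup."
  echo "You can leave the default options and just press enter if you are ok with them."
  echo ""
  echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
  echo "Unless your server is behind NAT, it should be your public IPv4 address."

  # Detect public IPv4 address and pre-fill for the user
  IP=$(ip -4 addr | sed -ne 's|^.* inet \([^/]*\)/.* scope global.*$|\1|p' | head -1)

  if [[ -z $IP ]]; then
    # Detect public IPv6 address
    IP=$(ip -6 addr | sed -ne 's|^.* inet6 \([^/]*\)/.* scope global.*$|\1|p' | head -1)
  fi
  APPROVE_IP=${APPROVE_IP:-n}
  if [[ $APPROVE_IP =~ n ]]; then
    read -rp "IP address: " -e -i "$IP" IP
  fi
  # If $IP is a private IP address, the server must be behind NAT
  if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
    echo ""
    echo "It seems this server is behind NAT. What is its public IPv4 address or hostname?"
    echo "We need it for the clients to connect to the server."

    # Third-party lookup only pre-fills the prompt; the operator confirms it.
    PUBLICIP=$(curl -s https://api.ipify.org)
    until [[ $ENDPOINT != "" ]]; do
      read -rp "Public IPv4 address or hostname: " -e -i "$PUBLICIP" ENDPOINT
    done
  fi

  echo ""
  echo "Checking for IPv6 connectivity..."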
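  echo ""
  # "ping6" and "ping -6" availability varies depending on the distribution.
  # The eval'ed string is a fixed command; no user input reaches it.
  if type ping6 >/dev/null 2>&1; then
    PING6="ping6 -c3 ipv6.google.com > /dev/null 2>&1"
  else
    PING6="ping -6 -c3 ipv6.google.com > /dev/null 2>&1"
  fi
  if eval "$PING6"; then
    echo "Your host appears to have IPv6 connectivity."
    SUGGESTION="y"
  else
    echo "Your host does not appear to have IPv6 connectivity."
    SUGGESTION="n"
  fi
  echo ""
  # Ask the user if they want to enable IPv6 regardless its availability.
  until [[ $IPV6_SUPPORT =~ (y|n) ]]; do
    read -rp "Do you want to enable IPv6 support (NAT)? [y/n]: " -e -i "$SUGGESTION" IPV6_SUPPORT
  done
  echo ""
  echo "What port do you want OpenVPN to listen to?"
  echo " 1) Default: 1194"
  echo " 2) Custom"
  echo " 3) Random [49152-65535]"
  until [[ $PORT_CHOICE =~ ^[1-3]$ ]]; do
    read -rp "Port choice [1-3]: " -e -i 1 PORT_CHOICE
  done
  case $PORT_CHOICE in
    1) PORT="1194" ;;
    2)
      until [[ $PORT =~ ^[0-9]+$ ]] && [ "$PORT" -ge 1 ] && [ "$PORT" -le 65535 ]; do
        read -rp "Custom port [1-65535]: " -e -i 1194 PORT
      done
      ;;
    3)
      # Generate random number within private ports range
      PORT=$(shuf -i49152-65535 -n1)
      echo "Random Port: $PORT"
      ;;
  esac
  echo ""
  echo "What protocol do you want OpenVPN to use?"
  echo "UDP is faster. Unless it is not available, you shouldn't use TCP."
  echo " 1) UDP"
  echo " 2) TCP"
  until [[ $PROTOCOL_CHOICE =~ ^[1-2]$ ]]; do
    read -rp "Protocol [1-2]: " -e -i 1 PROTOCOL_CHOICE
  done
  case $PROTOCOL_CHOICE in
    1) PROTOCOL="udp" ;;
    2) PROTOCOL="tcp" ;;
  esac
  echo ""
  echo "What DNS resolvers do you want to use with the VPN?"
  echo " 1) Current system resolvers (from /etc/resolv.conf)"
  echo " 2) Self-hosted DNS Resolver (Unbound)"
  echo " 3) Cloudflare (Anycast: worldwide)"
  echo " 4) Quad9 (Anycast: worldwide)"
  echo " 5) Quad9 uncensored (Anycast: worldwide)"
  echo " 6) FDN (France)"
  echo " 7) DNS.WATCH (Germany)"
  echo " 8) OpenDNS (Anycast: worldwide)"
  echo " 9) Google (Anycast: worldwide)"
  echo " 10) Yandex Basic (Russia)"
  echo " 11) AdGuard DNS (Anycast: worldwide)"
  echo " 12) NextDNS (Anycast: worldwide)"
  echo " 13) Custom"
  until [[ $DNS =~ ^[0-9]+$ ]] && [ "$DNS" -ge 1 ] && [ "$DNS" -le 13 ]; do
    # Prompt range matches the 13 options listed above (it used to say 1-12).
    read -rp "DNS [1-13]: " -e -i 11 DNS
    if [[ $DNS == 2 ]] && [[ -e /etc/unbound/unbound.conf ]]; then
      echo ""
      echo "Unbound is already installed."
      echo "You can allow the script to configure it in order to use it from your OpenVPN clients"
      echo "We will simply add a second server to /etc/unbound/unbound.conf for the OpenVPN subnet."
      echo "No changes are made to the current configuration."
      echo ""

      until [[ $CONTINUE =~ (y|n) ]]; do
        read -rp "Apply configuration changes to Unbound? [y/n]: " -e CONTINUE
      done
      if [[ $CONTINUE == "n" ]]; then
        # Break the loop and cleanup
        unset DNS
        unset CONTINUE
      fi
    elif [[ $DNS == "13" ]]; then
      until [[ $DNS1 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
        read -rp "Primary DNS: " -e DNS1
      done
      until [[ $DNS2 =~ ^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ ]]; do
        read -rp "Secondary DNS (optional): " -e DNS2
        if [[ $DNS2 == "" ]]; then
          break
        fi
      done
    fi
  done
  echo ""
  echo "Do you want to use compression? It is not recommended since the VORACLE attack makes use of it."
  until [[ $COMPRESSION_ENABLED =~ (y|n) ]]; do
    read -rp "Enable compression? [y/n]: " -e -i n COMPRESSION_ENABLED
  done
  if [[ $COMPRESSION_ENABLED == "y" ]]; then
    echo "Choose which compression algorithm you want to use: (they are ordered by efficiency)"
    echo " 1) LZ4-v2"
    echo " 2) LZ4"
    echo " 3) LZ0"
    until [[ $COMPRESSION_CHOICE =~ ^[1-3]$ ]]; do
      read -rp "Compression algorithm [1-3]: " -e -i 1 COMPRESSION_CHOICE
    done
    case $COMPRESSION_CHOICE in
      1) COMPRESSION_ALG="lz4-v2" ;;
      2) COMPRESSION_ALG="lz4" ;;
      3) COMPRESSION_ALG="lzo" ;;
    esac
  fi
  echo ""
  echo "Do you want to customize encryption settings?"
  echo "Unless you know what you're doing, you should stick with the default parameters provided by the script."
  echo "Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)"
  echo "See https://github.com/angristan/openvpn-install#security-and-encryption to learn more."
  echo ""
  until [[ $CUSTOMIZE_ENC =~ (y|n) ]]; do
    read -rp "Customize encryption settings? [y/n]: " -e -i n CUSTOMIZE_ENC
  done
  if [[ $CUSTOMIZE_ENC == "n" ]]; then
    # Use default, sane and fast parameters
    CIPHER="AES-128-GCM"
    CERT_TYPE="1" # ECDSA
    CERT_CURVE="prime256v1"
    CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
    DH_TYPE="1" # ECDH
    DH_CURVE="prime256v1"
    HMAC_ALG="SHA256"
    TLS_SIG="1" # tls-crypt
  else
    echo ""
    echo "Choose which cipher you want to use for the data channel:"
    echo " 1) AES-128-GCM (recommended)"
    echo " 2) AES-192-GCM"
    echo " 3) AES-256-GCM"
    echo " 4) AES-128-CBC"
    echo " 5) AES-192-CBC"
    echo " 6) AES-256-CBC"
    until [[ $CIPHER_CHOICE =~ ^[1-6]$ ]]; do
      read -rp "Cipher [1-6]: " -e -i 1 CIPHER_CHOICE
    done
    case $CIPHER_CHOICE in
      1) CIPHER="AES-128-GCM" ;;
      2) CIPHER="AES-192-GCM" ;;
      3) CIPHER="AES-256-GCM" ;;
      4) CIPHER="AES-128-CBC" ;;
      5) CIPHER="AES-192-CBC" ;;
      6) CIPHER="AES-256-CBC" ;;
    esac
    echo ""
    echo "Choose what kind of certificate you want to use:"
    echo " 1) ECDSA (recommended)"
    echo " 2) RSA"
    until [[ $CERT_TYPE =~ ^[1-2]$ ]]; do
      read -rp "Certificate key type [1-2]: " -e -i 1 CERT_TYPE
    done
    case $CERT_TYPE in
      1)
        echo ""
        echo "Choose which curve you want to use for the certificate's key:"
        echo " 1) prime256v1 (recommended)"
        echo " 2) secp384r1"
        echo " 3) secp521r1"
        until [[ $CERT_CURVE_CHOICE =~ ^[1-3]$ ]]; do
          read -rp "Curve [1-3]: " -e -i 1 CERT_CURVE_CHOICE
        done
        case $CERT_CURVE_CHOICE in
          1) CERT_CURVE="prime256v1" ;;
          2) CERT_CURVE="secp384r1" ;;
          3) CERT_CURVE="secp521r1" ;;
        esac
        ;;
      2)
        echo ""
        echo "Choose which size you want to use for the certificate's RSA key:"
        echo " 1) 2048 bits (recommended)"
        echo " 2) 3072 bits"
        echo " 3) 4096 bits"
        until [[ $RSA_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
          read -rp "RSA key size [1-3]: " -e -i 1 RSA_KEY_SIZE_CHOICE
        done
        case $RSA_KEY_SIZE_CHOICE in
          1) RSA_KEY_SIZE="2048" ;;
          2) RSA_KEY_SIZE="3072" ;;
          3) RSA_KEY_SIZE="4096" ;;
        esac
        ;;
    esac
    echo ""
    echo "Choose which cipher you want to use for the control channel:"
    case $CERT_TYPE in
      1)
        echo " 1) ECDHE-ECDSA-AES-128-GCM-SHA256 (recommended)"
        echo " 2) ECDHE-ECDSA-AES-256-GCM-SHA384"
        until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
          read -rp "Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
        done
        case $CC_CIPHER_CHOICE in
          1) CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256" ;;
          2) CC_CIPHER="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384" ;;
        esac
        ;;
      2)
        echo " 1) ECDHE-RSA-AES-128-GCM-SHA256 (recommended)"
        echo " 2) ECDHE-RSA-AES-256-GCM-SHA384"
        until [[ $CC_CIPHER_CHOICE =~ ^[1-2]$ ]]; do
          read -rp "Control channel cipher [1-2]: " -e -i 1 CC_CIPHER_CHOICE
        done
        case $CC_CIPHER_CHOICE in
          1) CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256" ;;
          2) CC_CIPHER="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384" ;;
        esac
        ;;
    esac
    echo ""
    echo "Choose what kind of Diffie-Hellman key you want to use:"
    echo " 1) ECDH (recommended)"
    echo " 2) DH"
    # Anchored: the unanchored [1-2] accepted e.g. "12", which then matched no
    # case arm and left DH_CURVE/DH_KEY_SIZE unset.
    until [[ $DH_TYPE =~ ^[1-2]$ ]]; do
      read -rp "DH key type [1-2]: " -e -i 1 DH_TYPE
    done
    case $DH_TYPE in
      1)
        echo ""
        echo "Choose which curve you want to use for the ECDH key:"
        echo " 1) prime256v1 (recommended)"
        echo " 2) secp384r1"
        echo " 3) secp521r1"
        while [[ $DH_CURVE_CHOICE != "1" && $DH_CURVE_CHOICE != "2" && $DH_CURVE_CHOICE != "3" ]]; do
          read -rp "Curve [1-3]: " -e -i 1 DH_CURVE_CHOICE
        done
        case $DH_CURVE_CHOICE in
          1) DH_CURVE="prime256v1" ;;
          2) DH_CURVE="secp384r1" ;;
          3) DH_CURVE="secp521r1" ;;
        esac
        ;;
      2)
        echo ""
        echo "Choose what size of Diffie-Hellman key you want to use:"
        echo " 1) 2048 bits (recommended)"
        echo " 2) 3072 bits"
        echo " 3) 4096 bits"
        until [[ $DH_KEY_SIZE_CHOICE =~ ^[1-3]$ ]]; do
          read -rp "DH key size [1-3]: " -e -i 1 DH_KEY_SIZE_CHOICE
        done
        case $DH_KEY_SIZE_CHOICE in
          1) DH_KEY_SIZE="2048" ;;
          2) DH_KEY_SIZE="3072" ;;
          3) DH_KEY_SIZE="4096" ;;
        esac
        ;;
    esac
    echo ""
    # The "auth" options behaves differently with AEAD ciphers
    if [[ $CIPHER =~ CBC$ ]]; then
      echo "The digest algorithm authenticates data channel packets and tls-auth packets from the control channel."
    elif [[ $CIPHER =~ GCM$ ]]; then
      echo "The digest algorithm authenticates tls-auth packets from the control channel."
    fi
    echo "Which digest algorithm do you want to use for HMAC?"
    echo " 1) SHA-256 (recommended)"
    echo " 2) SHA-384"
    echo " 3) SHA-512"
    until [[ $HMAC_ALG_CHOICE =~ ^[1-3]$ ]]; do
      read -rp "Digest algorithm [1-3]: " -e -i 1 HMAC_ALG_CHOICE
    done
    case $HMAC_ALG_CHOICE in
      1) HMAC_ALG="SHA256" ;;
      2) HMAC_ALG="SHA384" ;;
      3) HMAC_ALG="SHA512" ;;
    esac
    echo ""
    echo "You can add an additional layer of security to the control channel with tls-auth and tls-crypt"
    echo "tls-auth authenticates the packets, while tls-crypt authenticate and encrypt them."
    echo " 1) tls-crypt (recommended)"
    echo " 2) tls-auth"
    # Anchored for the same reason as DH_TYPE above.
    until [[ $TLS_SIG =~ ^[1-2]$ ]]; do
      read -rp "Control channel additional security mechanism [1-2]: " -e -i 1 TLS_SIG
    done
  fi
  echo ""
  echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now."
  echo "You will be able to generate a client at the end of the installation."
  APPROVE_INSTALL=${APPROVE_INSTALL:-n}
  if [[ $APPROVE_INSTALL =~ n ]]; then
    read -n1 -r -p "Press any key to continue..."
  fi
}

function installOpenVPN() {
  if [[ $AUTO_INSTALL == "y" ]]; then
    # Set default choices so that no questions will be asked.
    APPROVE_INSTALL=${APPROVE_INSTALL:-y}
    APPROVE_IP=${APPROVE_IP:-y}
    IPV6_SUPPORT=${IPV6_SUPPORT:-n}
    PORT_CHOICE=${PORT_CHOICE:-1}
    PROTOCOL_CHOICE=${PROTOCOL_CHOICE:-1}
    DNS=${DNS:-1}
    COMPRESSION_ENABLED=${COMPRESSION_ENABLED:-n}
    CUSTOMIZE_ENC=${CUSTOMIZE_ENC:-n}
    CLIENT=${CLIENT:-client}
    PASS=${PASS:-1}
    CONTINUE=${CONTINUE:-y}

    # Behind NAT, we'll default to the publicly reachable IPv4/IPv6.
    if [[ $IPV6_SUPPORT == "y" ]]; then
      if ! PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused https://ip.seeip.org); then
        PUBLIC_IP=$(dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"')
      fi
    else
      if ! 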
PUBLIC_IP=$(curl -f --retry 5 --retry-connrefused -4 https://ip.seeip.org); then 635 | PUBLIC_IP=$(dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | tr -d '"') 636 | fi 637 | fi 638 | ENDPOINT=${ENDPOINT:-$PUBLIC_IP} 639 | fi 640 | 641 | # Run setup questions first, and set other variables if auto-install 642 | installQuestions 643 | 644 | # Get the "public" interface from the default route 645 | NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1) 646 | if [[ -z $NIC ]] && [[ $IPV6_SUPPORT == 'y' ]]; then 647 | NIC=$(ip -6 route show default | sed -ne 's/^default .* dev \([^ ]*\) .*$/\1/p') 648 | fi 649 | 650 | # $NIC can not be empty for script rm-openvpn-rules.sh 651 | if [[ -z $NIC ]]; then 652 | echo 653 | echo "Can not detect public interface." 654 | echo "This needs for setup MASQUERADE." 655 | until [[ $CONTINUE =~ (y|n) ]]; do 656 | read -rp "Continue? [y/n]: " -e CONTINUE 657 | done 658 | if [[ $CONTINUE == "n" ]]; then 659 | exit 1 660 | fi 661 | fi 662 | 663 | # If OpenVPN isn't installed yet, install it. This script is more-or-less 664 | # idempotent on multiple runs, but will only install OpenVPN from upstream 665 | # the first time. 666 | if [[ ! -e /etc/openvpn/server.conf ]]; then 667 | if [[ $OS =~ (debian|ubuntu) ]]; then 668 | apt-get update 669 | apt-get -y install ca-certificates gnupg 670 | # We add the OpenVPN repo to get the latest version. 671 | if [[ $VERSION_ID == "16.04" ]]; then 672 | echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list 673 | wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - 674 | apt-get update 675 | fi 676 | # Ubuntu > 16.04 and Debian > 8 have OpenVPN >= 2.4 without the need of a third party repository. 
677 | apt-get install -y openvpn iptables openssl wget ca-certificates curl 678 | elif [[ $OS == 'centos' ]]; then 679 | yum install -y epel-release 680 | yum install -y openvpn iptables openssl wget ca-certificates curl tar 'policycoreutils-python*' 681 | elif [[ $OS == 'oracle' ]]; then 682 | yum install -y oracle-epel-release-el8 683 | yum-config-manager --enable ol8_developer_EPEL 684 | yum install -y openvpn iptables openssl wget ca-certificates curl tar policycoreutils-python-utils 685 | elif [[ $OS == 'amzn' ]]; then 686 | amazon-linux-extras install -y epel 687 | yum install -y openvpn iptables openssl wget ca-certificates curl 688 | elif [[ $OS == 'fedora' ]]; then 689 | dnf install -y openvpn iptables openssl wget ca-certificates curl policycoreutils-python-utils 690 | elif [[ $OS == 'arch' ]]; then 691 | # Install required dependencies and upgrade the system 692 | pacman --needed --noconfirm -Syu openvpn iptables openssl wget ca-certificates curl 693 | fi 694 | # An old version of easy-rsa was available by default in some openvpn packages 695 | if [[ -d /etc/openvpn/easy-rsa/ ]]; then 696 | rm -rf /etc/openvpn/easy-rsa/ 697 | fi 698 | fi 699 | 700 | # Find out if the machine uses nogroup or nobody for the permissionless group 701 | if grep -qs "^nogroup:" /etc/group; then 702 | NOGROUP=nogroup 703 | else 704 | NOGROUP=nobody 705 | fi 706 | 707 | # Install the latest version of easy-rsa from source, if not already installed. 708 | if [[ ! 
-d /etc/openvpn/easy-rsa/ ]]; then 709 | local version="3.1.2" 710 | wget -O ~/easy-rsa.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v${version}/EasyRSA-${version}.tgz 711 | mkdir -p /etc/openvpn/easy-rsa 712 | tar xzf ~/easy-rsa.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/easy-rsa 713 | rm -f ~/easy-rsa.tgz 714 | 715 | cd /etc/openvpn/easy-rsa/ || return 716 | case $CERT_TYPE in 717 | 1) 718 | echo "set_var EASYRSA_ALGO ec" >vars 719 | echo "set_var EASYRSA_CURVE $CERT_CURVE" >>vars 720 | ;; 721 | 2) 722 | echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" >vars 723 | ;; 724 | esac 725 | 726 | # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name 727 | SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" 728 | echo "$SERVER_CN" >SERVER_CN_GENERATED 729 | SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" 730 | echo "$SERVER_NAME" >SERVER_NAME_GENERATED 731 | 732 | # Create the PKI, set up the CA, the DH params and the server certificate 733 | ./easyrsa init-pki 734 | ./easyrsa --batch --req-cn="$SERVER_CN" build-ca nopass 735 | 736 | if [[ $DH_TYPE == "2" ]]; then 737 | # ECDH keys are generated on-the-fly so we don't need to generate them beforehand 738 | openssl dhparam -out dh.pem $DH_KEY_SIZE 739 | fi 740 | 741 | ./easyrsa --batch build-server-full "$SERVER_NAME" nopass 742 | EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl 743 | 744 | case $TLS_SIG in 745 | 1) 746 | # Generate tls-crypt key 747 | openvpn --genkey --secret /etc/openvpn/tls-crypt.key 748 | ;; 749 | 2) 750 | # Generate tls-auth key 751 | openvpn --genkey --secret /etc/openvpn/tls-auth.key 752 | ;; 753 | esac 754 | else 755 | # If easy-rsa is already installed, grab the generated SERVER_NAME 756 | # for client configs 757 | cd /etc/openvpn/easy-rsa/ || return 758 | SERVER_NAME=$(cat SERVER_NAME_GENERATED) 759 | fi 760 | 761 | # Move all the generated files 762 | cp 
pki/ca.crt pki/private/ca.key "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn 763 | if [[ $DH_TYPE == "2" ]]; then 764 | cp dh.pem /etc/openvpn 765 | fi 766 | 767 | # Make cert revocation list readable for non-root 768 | chmod 644 /etc/openvpn/crl.pem 769 | 770 | # Generate server.conf 771 | echo "port $PORT" >/etc/openvpn/server.conf 772 | if [[ $IPV6_SUPPORT == 'n' ]]; then 773 | echo "proto $PROTOCOL" >>/etc/openvpn/server.conf 774 | elif [[ $IPV6_SUPPORT == 'y' ]]; then 775 | echo "proto ${PROTOCOL}6" >>/etc/openvpn/server.conf 776 | fi 777 | 778 | echo "dev tun 779 | user nobody 780 | group $NOGROUP 781 | persist-key 782 | persist-tun 783 | keepalive 10 120 784 | topology subnet 785 | server 10.8.0.0 255.255.255.0 786 | ifconfig-pool-persist ipp.txt" >>/etc/openvpn/server.conf 787 | 788 | # DNS resolvers 789 | case $DNS in 790 | 1) # Current system resolvers 791 | # Locate the proper resolv.conf 792 | # Needed for systems running systemd-resolved 793 | if grep -q "127.0.0.53" "/etc/resolv.conf"; then 794 | RESOLVCONF='/run/systemd/resolve/resolv.conf' 795 | else 796 | RESOLVCONF='/etc/resolv.conf' 797 | fi 798 | # Obtain the resolvers from resolv.conf and use them for OpenVPN 799 | sed -ne 's/^nameserver[[:space:]]\+\([^[:space:]]\+\).*$/\1/p' $RESOLVCONF | while read -r line; do 800 | # Copy, if it's a IPv4 |or| if IPv6 is enabled, IPv4/IPv6 does not matter 801 | if [[ $line =~ ^[0-9.]*$ ]] || [[ $IPV6_SUPPORT == 'y' ]]; then 802 | echo "push \"dhcp-option DNS $line\"" >>/etc/openvpn/server.conf 803 | fi 804 | done 805 | ;; 806 | 2) # Self-hosted DNS resolver (Unbound) 807 | echo 'push "dhcp-option DNS 10.8.0.1"' >>/etc/openvpn/server.conf 808 | if [[ $IPV6_SUPPORT == 'y' ]]; then 809 | echo 'push "dhcp-option DNS fd42:42:42:42::1"' >>/etc/openvpn/server.conf 810 | fi 811 | ;; 812 | 3) # Cloudflare 813 | echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf 814 | echo 'push "dhcp-option 
DNS 1.1.1.1"' >>/etc/openvpn/server.conf 815 | ;; 816 | 4) # Quad9 817 | echo 'push "dhcp-option DNS 9.9.9.9"' >>/etc/openvpn/server.conf 818 | echo 'push "dhcp-option DNS 149.112.112.112"' >>/etc/openvpn/server.conf 819 | ;; 820 | 5) # Quad9 uncensored 821 | echo 'push "dhcp-option DNS 9.9.9.10"' >>/etc/openvpn/server.conf 822 | echo 'push "dhcp-option DNS 149.112.112.10"' >>/etc/openvpn/server.conf 823 | ;; 824 | 6) # FDN 825 | echo 'push "dhcp-option DNS 80.67.169.40"' >>/etc/openvpn/server.conf 826 | echo 'push "dhcp-option DNS 80.67.169.12"' >>/etc/openvpn/server.conf 827 | ;; 828 | 7) # DNS.WATCH 829 | echo 'push "dhcp-option DNS 84.200.69.80"' >>/etc/openvpn/server.conf 830 | echo 'push "dhcp-option DNS 84.200.70.40"' >>/etc/openvpn/server.conf 831 | ;; 832 | 8) # OpenDNS 833 | echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf 834 | echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf 835 | ;; 836 | 9) # Google 837 | echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf 838 | echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf 839 | ;; 840 | 10) # Yandex Basic 841 | echo 'push "dhcp-option DNS 77.88.8.8"' >>/etc/openvpn/server.conf 842 | echo 'push "dhcp-option DNS 77.88.8.1"' >>/etc/openvpn/server.conf 843 | ;; 844 | 11) # AdGuard DNS 845 | echo 'push "dhcp-option DNS 94.140.14.14"' >>/etc/openvpn/server.conf 846 | echo 'push "dhcp-option DNS 94.140.15.15"' >>/etc/openvpn/server.conf 847 | ;; 848 | 12) # NextDNS 849 | echo 'push "dhcp-option DNS 45.90.28.167"' >>/etc/openvpn/server.conf 850 | echo 'push "dhcp-option DNS 45.90.30.167"' >>/etc/openvpn/server.conf 851 | ;; 852 | 13) # Custom DNS 853 | echo "push \"dhcp-option DNS $DNS1\"" >>/etc/openvpn/server.conf 854 | if [[ $DNS2 != "" ]]; then 855 | echo "push \"dhcp-option DNS $DNS2\"" >>/etc/openvpn/server.conf 856 | fi 857 | ;; 858 | esac 859 | echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf 860 | 861 | # IPv6 
network settings if needed 862 | if [[ $IPV6_SUPPORT == 'y' ]]; then 863 | echo 'server-ipv6 fd42:42:42:42::/112 864 | tun-ipv6 865 | push tun-ipv6 866 | push "route-ipv6 2000::/3" 867 | push "redirect-gateway ipv6"' >>/etc/openvpn/server.conf 868 | fi 869 | 870 | if [[ $COMPRESSION_ENABLED == "y" ]]; then 871 | echo "compress $COMPRESSION_ALG" >>/etc/openvpn/server.conf 872 | fi 873 | 874 | if [[ $DH_TYPE == "1" ]]; then 875 | echo "dh none" >>/etc/openvpn/server.conf 876 | echo "ecdh-curve $DH_CURVE" >>/etc/openvpn/server.conf 877 | elif [[ $DH_TYPE == "2" ]]; then 878 | echo "dh dh.pem" >>/etc/openvpn/server.conf 879 | fi 880 | 881 | case $TLS_SIG in 882 | 1) 883 | echo "tls-crypt tls-crypt.key" >>/etc/openvpn/server.conf 884 | ;; 885 | 2) 886 | echo "tls-auth tls-auth.key 0" >>/etc/openvpn/server.conf 887 | ;; 888 | esac 889 | 890 | echo "crl-verify crl.pem 891 | ca ca.crt 892 | cert $SERVER_NAME.crt 893 | key $SERVER_NAME.key 894 | auth $HMAC_ALG 895 | cipher $CIPHER 896 | ncp-ciphers $CIPHER 897 | tls-server 898 | tls-version-min 1.2 899 | tls-cipher $CC_CIPHER 900 | client-config-dir /etc/openvpn/ccd 901 | status /var/log/openvpn/status.log 902 | verb 3" >>/etc/openvpn/server.conf 903 | 904 | # Create client-config-dir dir 905 | mkdir -p /etc/openvpn/ccd 906 | # Create log dir 907 | mkdir -p /var/log/openvpn 908 | 909 | # Enable routing 910 | echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-openvpn.conf 911 | if [[ $IPV6_SUPPORT == 'y' ]]; then 912 | echo 'net.ipv6.conf.all.forwarding=1' >>/etc/sysctl.d/99-openvpn.conf 913 | fi 914 | # Apply sysctl rules 915 | sysctl --system 916 | 917 | # If SELinux is enabled and a custom port was selected, we need this 918 | if hash sestatus 2>/dev/null; then 919 | if sestatus | grep "Current mode" | grep -qs "enforcing"; then 920 | if [[ $PORT != '1194' ]]; then 921 | semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT" 922 | fi 923 | fi 924 | fi 925 | 926 | # Finally, restart and enable OpenVPN 927 | if [[ $OS == 
'arch' || $OS == 'fedora' || $OS == 'centos' || $OS == 'oracle' ]]; then 928 | # Don't modify package-provided service 929 | cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service 930 | 931 | # Workaround to fix OpenVPN service on OpenVZ 932 | sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn-server@.service 933 | # Another workaround to keep using /etc/openvpn/ 934 | sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn-server@.service 935 | 936 | systemctl daemon-reload 937 | systemctl enable openvpn-server@server 938 | systemctl restart openvpn-server@server 939 | elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then 940 | # On Ubuntu 16.04, we use the package from the OpenVPN repo 941 | # This package uses a sysvinit service 942 | systemctl enable openvpn 943 | systemctl start openvpn 944 | else 945 | # Don't modify package-provided service 946 | cp /lib/systemd/system/openvpn\@.service /etc/systemd/system/openvpn\@.service 947 | 948 | # Workaround to fix OpenVPN service on OpenVZ 949 | sed -i 's|LimitNPROC|#LimitNPROC|' /etc/systemd/system/openvpn\@.service 950 | # Another workaround to keep using /etc/openvpn/ 951 | sed -i 's|/etc/openvpn/server|/etc/openvpn|' /etc/systemd/system/openvpn\@.service 952 | 953 | systemctl daemon-reload 954 | systemctl enable openvpn@server 955 | systemctl restart openvpn@server 956 | fi 957 | 958 | if [[ $DNS == 2 ]]; then 959 | installUnbound 960 | fi 961 | 962 | # Add iptables rules in two scripts 963 | mkdir -p /etc/iptables 964 | 965 | # Script to add rules 966 | echo "#!/bin/sh 967 | iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o $NIC -j MASQUERADE 968 | iptables -I INPUT 1 -i tun0 -j ACCEPT 969 | iptables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT 970 | iptables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT 971 | iptables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/add-openvpn-rules.sh 972 | 973 | if [[ $IPV6_SUPPORT == 
'y' ]]; then 974 | echo "ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE 975 | ip6tables -I INPUT 1 -i tun0 -j ACCEPT 976 | ip6tables -I FORWARD 1 -i $NIC -o tun0 -j ACCEPT 977 | ip6tables -I FORWARD 1 -i tun0 -o $NIC -j ACCEPT 978 | ip6tables -I INPUT 1 -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/add-openvpn-rules.sh 979 | fi 980 | 981 | # Script to remove rules 982 | echo "#!/bin/sh 983 | iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE 984 | iptables -D INPUT -i tun0 -j ACCEPT 985 | iptables -D FORWARD -i $NIC -o tun0 -j ACCEPT 986 | iptables -D FORWARD -i tun0 -o $NIC -j ACCEPT 987 | iptables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >/etc/iptables/rm-openvpn-rules.sh 988 | 989 | if [[ $IPV6_SUPPORT == 'y' ]]; then 990 | echo "ip6tables -t nat -D POSTROUTING -s fd42:42:42:42::/112 -o $NIC -j MASQUERADE 991 | ip6tables -D INPUT -i tun0 -j ACCEPT 992 | ip6tables -D FORWARD -i $NIC -o tun0 -j ACCEPT 993 | ip6tables -D FORWARD -i tun0 -o $NIC -j ACCEPT 994 | ip6tables -D INPUT -i $NIC -p $PROTOCOL --dport $PORT -j ACCEPT" >>/etc/iptables/rm-openvpn-rules.sh 995 | fi 996 | 997 | chmod +x /etc/iptables/add-openvpn-rules.sh 998 | chmod +x /etc/iptables/rm-openvpn-rules.sh 999 | 1000 | # Handle the rules via a systemd script 1001 | echo "[Unit] 1002 | Description=iptables rules for OpenVPN 1003 | Before=network-online.target 1004 | Wants=network-online.target 1005 | 1006 | [Service] 1007 | Type=oneshot 1008 | ExecStart=/etc/iptables/add-openvpn-rules.sh 1009 | ExecStop=/etc/iptables/rm-openvpn-rules.sh 1010 | RemainAfterExit=yes 1011 | 1012 | [Install] 1013 | WantedBy=multi-user.target" >/etc/systemd/system/iptables-openvpn.service 1014 | 1015 | # Enable service and apply rules 1016 | systemctl daemon-reload 1017 | systemctl enable iptables-openvpn 1018 | systemctl start iptables-openvpn 1019 | 1020 | # If the server is behind a NAT, use the correct IP address for the clients to connect to 
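# (end of installOpenVPN; its start is above this chunk)
# ENDPOINT (explicit or auto-detected) overrides the local IP in client profiles.
if [[ $ENDPOINT != "" ]]; then
	IP=$ENDPOINT
fi

# client-template.txt is created so we have a template to add further users later
echo "client" >/etc/openvpn/client-template.txt
if [[ $PROTOCOL == 'udp' ]]; then
	echo "proto udp" >>/etc/openvpn/client-template.txt
	echo "explicit-exit-notify" >>/etc/openvpn/client-template.txt
elif [[ $PROTOCOL == 'tcp' ]]; then
	echo "proto tcp-client" >>/etc/openvpn/client-template.txt
fi
# Continuation lines stay at column 0 on purpose: they are file content.
echo "remote $IP $PORT
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name $SERVER_NAME name
auth $HMAC_ALG
auth-nocache
cipher $CIPHER
tls-client
tls-version-min 1.2
tls-cipher $CC_CIPHER
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3" >>/etc/openvpn/client-template.txt

if [[ $COMPRESSION_ENABLED == "y" ]]; then
	echo "compress $COMPRESSION_ALG" >>/etc/openvpn/client-template.txt
fi

# Generate the custom client.ovpn
newClient
echo "If you want to add more clients, you simply need to run this script another time!"
}

#######################################
# Issues a client certificate with easy-rsa and writes a self-contained .ovpn
# profile (template + CA cert + client cert/key + tls-crypt/tls-auth key).
# Globals (read):  CLIENT, PASS (both may be preset for unattended runs), SUDO_USER.
# Globals (written): CLIENT, PASS, CLIENTEXISTS, TLS_SIG, homeDir.
# Outputs: $homeDir/$CLIENT.ovpn, mode 0600, owned by the account whose home
#   directory it is written to (root otherwise). The file holds private key
#   material, so it is never left world-readable.
# Returns: exit 0 on success, exit 1 if the CN already exists in the PKI
#   index; `cd ... || return` if the easy-rsa directory is missing.
#######################################
function newClient() {
	echo ""
	echo "Tell me a name for the client."
	echo "The name must consist of alphanumeric character. It may also include an underscore or a dash."

	# The CN is interpolated into a grep regex and into file names below, so
	# the accepted character set is deliberately tight.
	until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
		read -rp "Client name: " -e CLIENT
	done

	echo ""
	echo "Do you want to protect the configuration file with a password?"
	echo "(e.g. encrypt the private key with a password)"
	echo " 1) Add a passwordless client"
	echo " 2) Use a password for the client"

	until [[ $PASS =~ ^[1-2]$ ]]; do
		read -rp "Select an option [1-2]: " -e -i 1 PASS
	done

	# index.txt lists every issued certificate; line 1 is the header.
	CLIENTEXISTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=$CLIENT\$")
	if [[ $CLIENTEXISTS == '1' ]]; then
		echo ""
		echo "The specified client CN was already found in easy-rsa, please choose another name."
		# Non-zero status so unattended callers can tell nothing was issued.
		exit 1
	else
		cd /etc/openvpn/easy-rsa/ || return
		case $PASS in
		1)
			./easyrsa --batch build-client-full "$CLIENT" nopass
			;;
		2)
			echo "⚠️ You will be asked for the client password below ⚠️"
			./easyrsa --batch build-client-full "$CLIENT"
			;;
		esac
		echo "Client $CLIENT added."
	fi

	# Home directory of the user, where the client configuration will be written.
	# owner: the account that should be able to read the profile; empty means
	# it stays root-owned.
	local owner=""
	if [ -e "/home/${CLIENT}" ]; then
		# if $1 is a user name
		homeDir="/home/${CLIENT}"
		# Only hand the file over when such an account actually exists.
		if id -u -- "${CLIENT}" >/dev/null 2>&1; then
			owner="${CLIENT}"
		fi
	elif [ "${SUDO_USER}" ]; then
		# if not, use SUDO_USER
		if [ "${SUDO_USER}" == "root" ]; then
			# If running sudo as root
			homeDir="/root"
		else
			homeDir="/home/${SUDO_USER}"
			owner="${SUDO_USER}"
		fi
	else
		# if not SUDO_USER, use /root
		homeDir="/root"
	fi

	# Determine if we use tls-auth or tls-crypt
	if grep -qs "^tls-crypt" /etc/openvpn/server.conf; then
		TLS_SIG="1"
	elif grep -qs "^tls-auth" /etc/openvpn/server.conf; then
		TLS_SIG="2"
	fi

	# Generates the custom client.ovpn
	# A plain cp inherits the template's mode (world-readable under the usual
	# umask); the profile is about to receive the client's private key and the
	# shared control-channel key, so restrict it before anything secret is
	# appended. The template itself contains nothing sensitive.
	cp /etc/openvpn/client-template.txt "$homeDir/$CLIENT.ovpn"
	chmod 600 "$homeDir/$CLIENT.ovpn"
	# Inline blocks need OpenVPN's <tag>/</tag> markers to be parsed at all.
	{
		echo "<ca>"
		cat "/etc/openvpn/easy-rsa/pki/ca.crt"
		echo "</ca>"

		echo "<cert>"
		# issued/*.crt also carries a textual dump; keep only the PEM body.
		awk '/BEGIN/,/END CERTIFICATE/' "/etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt"
		echo "</cert>"

		echo "<key>"
		cat "/etc/openvpn/easy-rsa/pki/private/$CLIENT.key"
		echo "</key>"

		case $TLS_SIG in
		1)
			echo "<tls-crypt>"
			cat /etc/openvpn/tls-crypt.key
			echo "</tls-crypt>"
			;;
		2)
			# The server uses direction 0; the client must use 1.
			echo "key-direction 1"
			echo "<tls-auth>"
			cat /etc/openvpn/tls-auth.key
			echo "</tls-auth>"
			;;
		esac
	} >>"$homeDir/$CLIENT.ovpn"
	if [[ -n $owner ]]; then
		# Let the account the profile was written for read it (mode stays 0600).
		chown -- "$owner" "$homeDir/$CLIENT.ovpn"
	fi

	echo ""
	echo "The configuration file has been written to $homeDir/$CLIENT.ovpn."
	echo "Download the .ovpn file and import it in your OpenVPN client."

	exit 0
}

#######################################
# Revokes one currently valid client certificate, refreshes the CRL and
# removes the client's profile and address-pool entry.
# Globals (read):  CLIENTNUMBER (may be preset).
# Globals (written): NUMBEROFCLIENTS, CLIENTNUMBER, CLIENT.
# Side effects: updates pki/index.txt (and keeps a .bk copy), rewrites
#   /etc/openvpn/crl.pem, deletes $CLIENT.ovpn under /home/* and /root,
#   drops the client's line from ipp.txt.
# Returns: exit 1 when no valid client exists; `cd ... || return` if the
#   easy-rsa directory is missing. (Closing brace is on the next chunk.)
#######################################
function revokeClient() {
	# "V" marks valid (non-revoked, non-expired) entries in index.txt.
	NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
	if [[ $NUMBEROFCLIENTS == '0' ]]; then
		echo ""
		echo "You have no existing clients!"
		exit 1
	fi

	echo ""
	echo "Select the existing client certificate you want to revoke"
	tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
	# Numeric-only input is enforced by the range test; the prompt only
	# differs when there is a single client to pick from.
	until [[ $CLIENTNUMBER -ge 1 && $CLIENTNUMBER -le $NUMBEROFCLIENTS ]]; do
		if [[ $NUMBEROFCLIENTS == '1' ]]; then
			read -rp "Select one client [1]: " CLIENTNUMBER
		else
			read -rp "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
		fi
	done
	# Same listing as above, so the Nth line is the chosen CN.
	CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
	cd /etc/openvpn/easy-rsa/ || return
	./easyrsa --batch revoke "$CLIENT"
	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
	# Replace the CRL the running server checks (crl-verify) and keep it
	# readable for the unprivileged daemon user.
	rm -f /etc/openvpn/crl.pem
	cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
	chmod 644 /etc/openvpn/crl.pem
	find /home/ -maxdepth 2 -name "$CLIENT.ovpn" -delete
	rm -f "/root/$CLIENT.ovpn"
	sed -i "/^$CLIENT,.*/d" /etc/openvpn/ipp.txt
	cp /etc/openvpn/easy-rsa/pki/index.txt{,.bk}

	echo ""
	echo "Certificate for client $CLIENT revoked."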
}

#######################################
# Drops the OpenVPN-specific Unbound configuration and, on request, removes
# Unbound itself.
# Globals (read):  REMOVE_UNBOUND (may be preset), OS.
# Globals (written): REMOVE_UNBOUND.
# Side effects: edits /etc/unbound/unbound.conf, deletes
#   /etc/unbound/openvpn.conf; with "y" stops and uninstalls unbound and
#   removes /etc/unbound/, otherwise restarts unbound.
#######################################
function removeUnbound() {
	# Remove OpenVPN-related config
	sed -i '/include: \/etc\/unbound\/openvpn.conf/d' /etc/unbound/unbound.conf
	rm /etc/unbound/openvpn.conf

	until [[ $REMOVE_UNBOUND =~ (y|n) ]]; do
		echo ""
		echo "If you were already using Unbound before installing OpenVPN, I removed the configuration related to OpenVPN."
		read -rp "Do you want to completely remove Unbound? [y/n]: " -e REMOVE_UNBOUND
	done

	if [[ $REMOVE_UNBOUND == 'y' ]]; then
		# Stop Unbound
		systemctl stop unbound

		if [[ $OS =~ (debian|ubuntu) ]]; then
			apt-get remove --purge -y unbound
		elif [[ $OS == 'arch' ]]; then
			pacman --noconfirm -R unbound
		elif [[ $OS =~ (centos|amzn|oracle) ]]; then
			yum remove -y unbound
		elif [[ $OS == 'fedora' ]]; then
			dnf remove -y unbound
		fi

		rm -rf /etc/unbound/

		echo ""
		echo "Unbound removed!"
	else
		# Pick up the edited unbound.conf.
		systemctl restart unbound
		echo ""
		echo "Unbound wasn't removed."
	fi
}

#######################################
# Uninstalls OpenVPN and everything this script set up, after confirmation.
# Globals (read):  OS, VERSION_ID.
# Globals (written): REMOVE, PORT, PROTOCOL (re-read from server.conf).
# Side effects: disables/stops the OpenVPN and iptables-openvpn units and
#   deletes them, removes the SELinux port mapping for a custom port, purges
#   the openvpn package, deletes /etc/openvpn, logs, sysctl drop-in and every
#   *.ovpn under /home/*/ and /root/, then hands off to removeUnbound if the
#   Unbound drop-in exists.
#######################################
function removeOpenVPN() {
	echo ""
	read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
	if [[ $REMOVE == 'y' ]]; then
		# Get OpenVPN port from the configuration
		PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
		PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)

		# Stop OpenVPN
		if [[ $OS =~ (fedora|arch|centos|oracle) ]]; then
			systemctl disable openvpn-server@server
			systemctl stop openvpn-server@server
			# Remove customised service
			rm /etc/systemd/system/openvpn-server@.service
		elif [[ $OS == "ubuntu" ]] && [[ $VERSION_ID == "16.04" ]]; then
			systemctl disable openvpn
			systemctl stop openvpn
		else
			systemctl disable openvpn@server
			systemctl stop openvpn@server
			# Remove customised service
			rm /etc/systemd/system/openvpn\@.service
		fi

		# Remove the iptables rules related to the script
		# (stopping the unit runs its ExecStop, i.e. rm-openvpn-rules.sh).
		systemctl stop iptables-openvpn
		# Cleanup
		systemctl disable iptables-openvpn
		rm /etc/systemd/system/iptables-openvpn.service
		systemctl daemon-reload
		rm /etc/iptables/add-openvpn-rules.sh
		rm /etc/iptables/rm-openvpn-rules.sh

		# SELinux
		# NOTE(review): when IPv6 was enabled, server.conf carries "proto udp6"
		# or "tcp6", so PROTOCOL may not be the plain udp/tcp value semanage
		# presumably expects — verify on an SELinux host with IPv6 enabled.
		if hash sestatus 2>/dev/null; then
			if sestatus | grep "Current mode" | grep -qs "enforcing"; then
				if [[ $PORT != '1194' ]]; then
					semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
				fi
			fi
		fi

		if [[ $OS =~ (debian|ubuntu) ]]; then
			apt-get remove --purge -y openvpn
			if [[ -e /etc/apt/sources.list.d/openvpn.list ]]; then
				rm /etc/apt/sources.list.d/openvpn.list
				apt-get update
			fi
		elif [[ $OS == 'arch' ]]; then
			pacman --noconfirm -R openvpn
		elif [[ $OS =~ (centos|amzn|oracle) ]]; then
			yum remove -y openvpn
		elif [[ $OS == 'fedora' ]]; then
			dnf remove -y openvpn
		fi

		# Cleanup
		# NOTE(review): this deletes every *.ovpn directly under each home
		# directory and /root, not only profiles this script generated.
		find /home/ -maxdepth 2 -name "*.ovpn" -delete
		find /root/ -maxdepth 1 -name "*.ovpn" -delete
		rm -rf /etc/openvpn
		rm -rf /usr/share/doc/openvpn*
		rm -f /etc/sysctl.d/99-openvpn.conf
		rm -rf /var/log/openvpn

		# Unbound
		if [[ -e /etc/unbound/openvpn.conf ]]; then
			removeUnbound
		fi
		echo ""
		echo "OpenVPN removed!"
	else
		echo ""
		echo "Removal aborted!"
	fi
}

#######################################
# Interactive menu shown when server.conf already exists.
# Globals (read):  MENU_OPTION (may be preset).
# Globals (written): MENU_OPTION.
# Dispatches to newClient, revokeClient or removeOpenVPN; option 4 exits 0.
#######################################
function manageMenu() {
	echo "Welcome to OpenVPN-install!"
	echo "The git repository is available at: https://github.com/angristan/openvpn-install"
	echo ""
	echo "It looks like OpenVPN is already installed."
	echo ""
	echo "What do you want to do?"
	echo " 1) Add a new user"
	echo " 2) Revoke existing user"
	echo " 3) Remove OpenVPN"
	echo " 4) Exit"
	until [[ $MENU_OPTION =~ ^[1-4]$ ]]; do
		read -rp "Select an option [1-4]: " MENU_OPTION
	done

	case $MENU_OPTION in
	1)
		newClient
		;;
	2)
		revokeClient
		;;
	3)
		removeOpenVPN
		;;
	4)
		exit 0
		;;
	esac
}

# Check for root, TUN, OS...
initialCheck

# Check if OpenVPN is already installed
# AUTO_INSTALL=y bypasses the menu and re-runs the installer even when
# server.conf exists (the package install itself is skipped in that case).
if [[ -e /etc/openvpn/server.conf && $AUTO_INSTALL != "y" ]]; then
	manageMenu
else
	installOpenVPN
fi