├── LICENSE.txt
├── README.md
└── ezopenvpn.sh
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2013 Nyr
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
6 | this software and associated documentation files (the "Software"), to deal in
7 | the Software without restriction, including without limitation the rights to
8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ezopenvpn
2 | =========
3 |
4 | OpenVPN [road warrior](http://en.wikipedia.org/wiki/Road_warrior_%28computing%29) installer for Debian-based distros, based on Nyr's [openvpn-install](https://github.com/Nyr/openvpn-install) script
5 |
6 | This script will let you setup your own VPN server in no more than one minute, even if you haven't used OpenVPN before. It isn't bulletproof but it has been designed to be as unobtrusive and universal as possible.
7 |
8 | ### Installation
9 | Run the script and follow the assistant:
10 |
11 | `wget https://raw.github.com/cwaffles/ezopenvpn/master/ezopenvpn.sh --no-check-certificate -O ezopenvpn.sh; chmod +x ezopenvpn.sh; ./ezopenvpn.sh`
12 |
13 | Once it ends, you can run it again to add more users.
14 |
15 | ### New features
16 | - Automatic inline .ovpn file generation for Android devices
17 | - Google DNS servers
18 | - Port 53 enabled by default for captive portal bypass
19 |
20 | ### I want to run my own VPN but don't have a server for that
21 | There are reliable providers where you can get a little VPS for even less than one buck a month.
22 |
23 | - [Secure Dragon (Tampa, FL - Denver, CO - Los Angeles, CA - Chicago, IL)](https://securedragon.net/openvz.php)
24 | - [High Speed Web (Los Angeles, CA)](http://www.highspeedweb.net/)
25 | - [IperWeb (Dallas, TX)](http://my.iperweb.com/cart/)
26 | - [HTTP Zoom (Berkshire, UK)](http://httpzoom.com/)
27 |
28 | If you don't care about sharing an IP address with more people, you should check out the awesome [LowEndSpirit](http://lowendspirit.com/) project. They are providing IPv6-only VPS with NATed IPv4 for only 3€/year.
29 |
--------------------------------------------------------------------------------
/ezopenvpn.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # OpenVPN road warrior installer for Debian-based distros
3 |
4 | # This script will only work on Debian-based systems. It isn't bulletproof but
5 | # it will probably work if you simply want to setup a VPN on your Debian/Ubuntu
6 | # VPS. It has been designed to be as unobtrusive and universal as possible.
7 |
8 |
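# Must run as root: everything below writes under /etc and calls apt-get.
# $(id -u) is checked instead of $USER, which sudo/cron may leave unset
# (an unset $USER made the original unquoted test itself error out).
if [ "$(id -u)" -ne 0 ]; then
  echo "Sorry, you need to run this as root" >&2
  exit 1
fi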
13 |
14 |
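# OpenVPN cannot bring up its interface without the TUN/TAP device node.
# Exit non-zero so a caller (or a wrapper script) can tell this apart from success.
if [ ! -e /dev/net/tun ]; then
  echo "TUN/TAP is not available" >&2
  exit 1
fi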
19 |
20 |
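# The rest of the script relies on apt-get, /etc/init.d/openvpn and Debian's
# sample-config paths, so refuse to continue on anything else.
if [ ! -e /etc/debian_version ]; then
  echo "Looks like you aren't running this installer on a Debian-based system" >&2
  exit 1
fi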
25 |
26 |
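# Try to get our IP from the system and fall back to the Internet.
# iproute2 is tried first because ifconfig (net-tools) is not installed by
# default on newer Debian releases; the old ifconfig pipeline is kept as a
# second attempt. Loopback is skipped so NATed servers (lowendspirit.com)
# still get their private address, and only IPv4 is ever considered.
IP=""
if command -v ip >/dev/null 2>&1; then
  IP=$(ip -4 -o addr show scope global 2>/dev/null | awk '{ print $4 }' | cut -d/ -f1 | head -1)
fi
if [ -z "$IP" ] && command -v ifconfig >/dev/null 2>&1; then
  IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d: -f2 | awk '{ print $1}' | head -1)
fi
if [ -z "$IP" ]; then
  # Last resort: ask an external service. Fetched over TLS so the answer
  # cannot be altered in transit; the user is asked to confirm it later anyway.
  IP=$(wget -qO- https://ipv4.icanhazip.com)
fi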
34 |
35 |
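#######################################
# Print a message on stderr and abort the installer with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Check that a client name is a single "word". The name is interpolated
# into file paths, sed patterns and an rm -rf below, so anything outside
# [A-Za-z0-9_-] is rejected instead of being interpolated.
# Arguments: $1 - proposed client name
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_client_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Check for a dotted-quad IPv4 address. The listen address goes into
# iptables rules and into a sed script that edits /etc/rc.local.
# Arguments: $1 - candidate address
# Returns:   0 if it looks like a.b.c.d, 1 otherwise
#######################################
valid_ipv4() {
  [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
}

#######################################
# Check for a hostname or address that is safe to put in a "remote" line
# via sed (no sed delimiters, spaces or shell metacharacters).
# Arguments: $1 - candidate host
# Returns:   0 if it only contains [A-Za-z0-9.-], 1 otherwise
#######################################
valid_remote_host() {
  case "$1" in
    '' | *[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

#######################################
# Check for a port number.
# Arguments: $1 - candidate port
# Returns:   0 if it is an integer in 1..65535, 1 otherwise
#######################################
valid_port() {
  [[ "$1" =~ ^[0-9]+$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

#######################################
# Build the client certificate and key with easy-rsa's pkitool. Must be
# called from /etc/openvpn/easy-rsa/2.0 with ./vars already sourced.
# Globals:   CLIENT, USEPASS (read); KEY_CN, EASY_RSA (exported)
#######################################
build_client_key() {
  # pkitool refuses to run unless KEY_CN is set
  export KEY_CN="$CLIENT"
  export EASY_RSA="${EASY_RSA:-.}"
  if [ "$USEPASS" = 'y' ]; then
    "$EASY_RSA/pkitool" --pass "$CLIENT"
  else
    "$EASY_RSA/pkitool" "$CLIENT"
  fi
}

#######################################
# Assemble ~/ovpn-$CLIENT.zip from the sample client.conf and the client's
# ca/cert/key, plus an inline .ovpn that embeds the three PEM files
# (the variant the README describes for Android devices).
# Globals:   CLIENT (read)
# Outputs:   ~/ovpn-$CLIENT.zip, mode 0600 because it contains a private key
#######################################
build_client_bundle() {
  local keys=/etc/openvpn/easy-rsa/2.0/keys
  local workdir="$HOME/ovpn-$CLIENT"
  mkdir -p "$workdir" || die "Cannot create $workdir"
  cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "$workdir/$CLIENT.conf"
  cp "$keys/ca.crt" "$keys/$CLIENT.crt" "$keys/$CLIENT.key" "$workdir"
  cd "$workdir" || die "Cannot cd to $workdir"
  sed -i "s|cert client.crt|cert $CLIENT.crt|" "$CLIENT.conf"
  sed -i "s|key client.key|key $CLIENT.key|" "$CLIENT.conf"
  echo "remote-cert-tls server" >> "$CLIENT.conf"

  # The .ovpn variant swaps the file references for "[inline]" and then
  # appends the PEM material itself, in ca / cert / key order.
  cp "$CLIENT.conf" "$CLIENT.ovpn"
  sed -i "s|ca ca.crt|ca [inline]|" "$CLIENT.ovpn"
  sed -i "s|cert $CLIENT.crt|cert [inline]|" "$CLIENT.ovpn"
  sed -i "s|key $CLIENT.key|key [inline]|" "$CLIENT.ovpn"
  echo -e "keepalive 10 60\n" >> "$CLIENT.ovpn"
  {
    echo ""
    cat ca.crt
    echo -e "\n"
    echo ""
    # only the PEM block of the cert; the .crt may carry a text dump before it
    sed -n "/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p" "$CLIENT.crt"
    echo -e "\n"
    echo ""
    cat "$CLIENT.key"
    echo -e "\n"
  } >> "$CLIENT.ovpn"

  zip "../ovpn-$CLIENT.zip" "$CLIENT.conf" ca.crt "$CLIENT.crt" "$CLIENT.key" "$CLIENT.ovpn"
  # the archive holds the client's private key: readable by root only
  chmod 600 "../ovpn-$CLIENT.zip"
  cd ~/ || die "Cannot cd to $HOME"
  rm -rf "$workdir"
}

if [ -e /etc/openvpn/server.conf ]; then
  # Already installed: offer the maintenance menu until the user picks an
  # option that exits.
  while :; do
    clear
    echo "Looks like OpenVPN is already installed"
    echo "What do you want to do?"
    echo ""
    echo "1) Add a cert for a new user"
    echo "2) Revoke existing user cert"
    echo "3) Remove OpenVPN"
    echo "4) Exit"
    echo ""
    read -p "Select an option [1-4]:" option
    case "$option" in
      1)
        echo ""
        echo "Tell me a name for the client cert"
        echo "Please, use one word only, no special characters"
        read -p "Client name: " -e -i client CLIENT
        valid_client_name "$CLIENT" || die "Invalid client name: use letters, digits, '-' and '_' only"
        echo ""
        echo "Do you like secure ${CLIENT}'s private key with password?"
        read -p "Use password for private key [y/n]:" -e -i y USEPASS
        cd /etc/openvpn/easy-rsa/2.0/ || die "Cannot cd to /etc/openvpn/easy-rsa/2.0"
        . ./vars
        build_client_key
        build_client_bundle
        echo ""
        echo "Client $CLIENT added, certs available at ~/ovpn-$CLIENT.zip"
        exit
        ;;
      2)
        echo ""
        echo "Tell me the existing client name"
        read -p "Client name: " -e -i client CLIENT
        valid_client_name "$CLIENT" || die "Invalid client name: use letters, digits, '-' and '_' only"
        cd /etc/openvpn/easy-rsa/2.0/ || die "Cannot cd to /etc/openvpn/easy-rsa/2.0"
        . /etc/openvpn/easy-rsa/2.0/vars
        . /etc/openvpn/easy-rsa/2.0/revoke-full "$CLIENT"
        # The first revocation has to turn on CRL checking in server.conf
        # (and restart to pick it up); later ones only refresh crl.pem.
        if grep -q "crl-verify" "/etc/openvpn/server.conf"; then
          echo ""
          echo "Certificate for client $CLIENT revoked"
        else
          echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf"
          /etc/init.d/openvpn restart
          echo ""
          echo "Certificate for client $CLIENT revoked"
        fi
        exit
        ;;
      3)
        apt-get remove --purge -y openvpn openvpn-blacklist
        rm -rf /etc/openvpn
        rm -rf /usr/share/doc/openvpn
        # undo the two lines the installer appended to rc.local
        sed -i '/--dport 53 -j REDIRECT --to-port/d' /etc/rc.local
        sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local
        echo ""
        echo "OpenVPN removed!"
        exit
        ;;
      4)
        exit
        ;;
    esac
  done
else
  echo 'Welcome to this quick OpenVPN "road warrior" installer'
  echo ""
  # OpenVPN setup and first user creation
  echo "I need to ask you a few questions before starting the setup"
  echo "You can leave the default options and just press enter if you are ok with them"
  echo ""
  echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
  echo "listening to."
  # -i must be quoted: an empty $IP would otherwise turn "IP" into the default text
  read -p "IP address: " -e -i "$IP" IP
  valid_ipv4 "$IP" || die "Invalid IPv4 address: $IP"
  echo ""
  echo "What port do you want for OpenVPN?"
  read -p "Port: " -e -i 1194 PORT
  valid_port "$PORT" || die "Invalid port: $PORT"
  echo ""
  echo "Do you want OpenVPN to be available at port 53 too?"
  echo "This can be useful to connect under restrictive networks"
  read -p "Listen at port 53 [y/n]:" -e -i y ALTPORT
  echo ""
  echo "Finally, tell me your name for the client cert"
  echo "Please, use one word only, no special characters"
  read -p "Client name: " -e -i client CLIENT
  valid_client_name "$CLIENT" || die "Invalid client name: use letters, digits, '-' and '_' only"
  echo ""
  echo "Do you like secure ${CLIENT}'s private key with password?"
  read -p "Use password for private key [y/n]:" -e -i y USEPASS
  echo ""
  echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
  read -n1 -r -p "Press any key to continue..."
  apt-get update
  # ca-certificates is needed so wget can verify the easy-rsa download below
  apt-get install openvpn iptables openssl zip ca-certificates -y
  cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
  # easy-rsa isn't available by default for Debian Jessie and newer
  if [ ! -d /etc/openvpn/easy-rsa/2.0/ ]; then
    # This tarball becomes the PKI tooling for the whole server, so the TLS
    # certificate is verified (no --no-check-certificate) and a failed
    # download aborts instead of silently continuing with an empty file.
    # TODO: pin the release tarball's SHA-256 (<EASY_RSA_2_2_2_SHA256>) and check it here.
    wget -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz \
      || die "Could not download easy-rsa"
    tar xzf ~/easy-rsa.tar.gz -C ~/ || die "Could not unpack easy-rsa"
    mkdir -p /etc/openvpn/easy-rsa/2.0/
    cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
    rm -rf ~/easy-rsa-2.2.2
    rm -rf ~/easy-rsa.tar.gz
  fi
  cd /etc/openvpn/easy-rsa/2.0/ || die "Cannot cd to /etc/openvpn/easy-rsa/2.0"
  # Let's fix one thing first...
  cp -u -p openssl-1.0.0.cnf openssl.cnf
  # Bad NSA - 1024 bits was the default for Debian Wheezy and older
  sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars
  # Create the PKI
  . /etc/openvpn/easy-rsa/2.0/vars
  . /etc/openvpn/easy-rsa/2.0/clean-all
  # The following lines are from build-ca. I don't use that script directly
  # because it's interactive and we don't want that. Yes, this could break
  # the installation script if build-ca changes in the future.
  # (build-ca's "$*" is deliberately not forwarded: this installer's own
  # arguments have no business reaching pkitool.)
  export EASY_RSA="${EASY_RSA:-.}"
  "$EASY_RSA/pkitool" --initca
  # Same as the last time, we are going to run build-key-server
  "$EASY_RSA/pkitool" --server server
  # Now the first client key
  build_client_key
  # DH params
  . /etc/openvpn/easy-rsa/2.0/build-dh
  # Let's configure the server
  cd /usr/share/doc/openvpn/examples/sample-config-files || die "Cannot cd to sample-config-files"
  gunzip -d server.conf.gz
  cp server.conf /etc/openvpn/
  # The server only needs the CA *certificate*; ca.key stays in the easy-rsa
  # keys directory, which is where the add/revoke options work from.
  cd /etc/openvpn/easy-rsa/2.0/keys || die "Cannot cd to easy-rsa keys"
  cp ca.crt dh2048.pem server.crt server.key /etc/openvpn
  chmod 600 /etc/openvpn/server.key
  cd /etc/openvpn/ || die "Cannot cd to /etc/openvpn"
  # Set the server configuration
  sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
  sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
  sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 8.8.8.8"|' server.conf
  sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 8.8.4.4"|' server.conf
  sed -i "s|port 1194|port $PORT|" server.conf
  # Listen at port 53 too if user wants that ($IP/$PORT were validated above,
  # so they are safe inside the sed "a\" script)
  if [ "$ALTPORT" = 'y' ]; then
    iptables -t nat -A PREROUTING -p udp -d "$IP" --dport 53 -j REDIRECT --to-port "$PORT"
    sed -i "/# By default this script does nothing./a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local
  fi
  # Enable net.ipv4.ip_forward for the system
  sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
  # Avoid an unneeded reboot
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # Set iptables
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
  sed -i "/# By default this script does nothing./a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local
  # And finally, restart OpenVPN
  /etc/init.d/openvpn restart
  # Try to detect a NATed connection and ask about it to potential LowEndSpirit
  # users
  EXTERNALIP=$(wget -qO- https://ipv4.icanhazip.com)
  if [ "$IP" != "$EXTERNALIP" ]; then
    echo ""
    echo "Looks like your server is behind a NAT!"
    echo ""
    echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
    echo "If that's not the case, just ignore this and leave the next field blank"
    read -p "External IP: " -e USEREXTERNALIP
    # -n instead of an unquoted != "": an empty answer used to be a test error
    if [ -n "$USEREXTERNALIP" ]; then
      valid_remote_host "$USEREXTERNALIP" || die "Invalid external IP/hostname: $USEREXTERNALIP"
      IP=$USEREXTERNALIP
    fi
  fi
  # IP/port set on the default client.conf so we can add further users
  # without asking for them
  sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf
  build_client_bundle
  echo ""
  echo "Finished!"
  echo ""
  echo "Your client config is available at ~/ovpn-$CLIENT.zip"
  echo "If you want to add more clients, you simply need to run this script another time!"
fi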
288 |
--------------------------------------------------------------------------------