OpenVPN – Script de instalación automático


sergio | Scripts | 13/03/2018
In a previous article we already explained, step by step, how to install and configure an OpenVPN server. Today I present a bash script that automates the whole process: you can have your own secure VPN server configured in just a few minutes.
The installation script works on the following operating systems and architectures:
Debian 7 (i386, amd64)
Debian 8 (i386, amd64)
Debian 9 (i386, amd64, armhf, arm64)
Ubuntu 14.04 LTS (i386, amd64)
Ubuntu 16.04 LTS (i386, amd64)
Ubuntu 17.10 (i386, amd64, armhf, arm64)
Fedora 25 (amd64)
Fedora 26 (amd64)
Fedora 27 (amd64)
CentOS 6 (i386, amd64)
CentOS 7 (i386, amd64, arm64)
Arch Linux (i686, amd64, arm64)

In case you are one of those who prefer to package your own script, here is the code. If you prefer a more automated method (recommended), you will find it further down, at the end of the article.

Keep in mind that, whichever method you use, you must have the TUN module (a kernel module) enabled; otherwise OpenVPN will not work.

I should warn you that not all VPS providers offer it; in any case, if it is not available the script will tell you.

The code:

Shell
#!/bin/bash

# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux

if [[ "$EUID" -ne 0 ]]; then
    echo "Sorry, you need to run this as root"
    exit 1
fi

# The TUN device must exist (kernel module loaded and exposed to this host/container)
if [[ ! -e /dev/net/tun ]]; then
    echo "TUN is not available"
    exit 2
fi

if grep -qs "CentOS release 5" "/etc/redhat-release"; then
    echo "CentOS 5 is too old and not supported"
    exit 3
fi

if [[ -e /etc/debian_version ]]; then
    OS="debian"
    # Getting the version number, to verify that a recent version of OpenVPN is available
    VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
    IPTABLES='/etc/iptables/iptables.rules'
    SYSCTL='/etc/sysctl.conf'
    # Supported releases: Debian 7/8/9 and Ubuntu 14.04/16.04/17.10
    if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]]; then
        echo "Your version of Debian/Ubuntu is not supported."
        echo "I can't install a recent version of OpenVPN on your system."
        echo ""
        echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
        echo "then you can continue, a recent version of OpenVPN is available on these."
        echo "Keep in mind they are not supported, though."
        while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
            read -p "Continue ? [y/n]: " -e CONTINUE
        done
        if [[ "$CONTINUE" = "n" ]]; then
            echo "Ok, bye !"
            exit 4
        fi
    fi
elif [[ -e /etc/fedora-release ]]; then
    OS=fedora
    IPTABLES='/etc/iptables/iptables.rules'
    SYSCTL='/etc/sysctl.d/openvpn.conf'
elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/system-release ]]; then
    OS=centos
    IPTABLES='/etc/iptables/iptables.rules'
    SYSCTL='/etc/sysctl.conf'
elif [[ -e /etc/arch-release ]]; then
    OS=arch
    IPTABLES='/etc/iptables/iptables.rules'
    SYSCTL='/etc/sysctl.d/openvpn.conf'
else
    echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
    exit 4
fi

newclient () {
    # Where to write the custom client.ovpn?
    if [ -e /home/$1 ]; then # if $1 is a user name
        homeDir="/home/$1"
    elif [ -n "${SUDO_USER}" ]; then # if not, use SUDO_USER
        homeDir="/home/${SUDO_USER}"
    else # if not SUDO_USER, use /root
        homeDir="/root"
    fi
    # Generates the custom client.ovpn (inline CA, client cert, client key and tls-auth key)
    cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
    echo "<ca>" >> $homeDir/$1.ovpn
    cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
    echo "</ca>" >> $homeDir/$1.ovpn
    echo "<cert>" >> $homeDir/$1.ovpn
    cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
    echo "</cert>" >> $homeDir/$1.ovpn
    echo "<key>" >> $homeDir/$1.ovpn
    cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
    echo "</key>" >> $homeDir/$1.ovpn
    echo "key-direction 1" >> $homeDir/$1.ovpn
    echo "<tls-auth>" >> $homeDir/$1.ovpn
    cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
    echo "</tls-auth>" >> $homeDir/$1.ovpn
}

# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
# and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
    IP=$(wget -qO- ipv4.icanhazip.com)
fi
# Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)

if [[ -e /etc/openvpn/server.conf ]]; then
    while :
    do
        clear
        echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
        echo ""
        echo "Looks like OpenVPN is already installed"
        echo ""
        echo "What do you want to do?"
        echo " 1) Add a cert for a new user"
        echo " 2) Revoke existing user cert"
        echo " 3) Remove OpenVPN"
        echo " 4) Exit"
        read -p "Select an option [1-4]: " option
        case $option in
            1)
                echo ""
                echo "Tell me a name for the client cert"
                echo "Please, use one word only, no special characters"
                read -p "Client name: " -e -i newclient CLIENT
                cd /etc/openvpn/easy-rsa/
                ./easyrsa build-client-full $CLIENT nopass
                # Generates the custom client.ovpn
                newclient "$CLIENT"
                echo ""
                echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
                exit
                ;;
            2)
                # Count the valid (not revoked) certificates in the easy-rsa index
                NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
                if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
                    echo ""
                    echo "You have no existing clients!"
                    exit 5
                fi
                echo ""
                echo "Select the existing client certificate you want to revoke"
                tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
                if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
                    read -p "Select one client [1]: " CLIENTNUMBER
                else
                    read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
                fi
                CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
                cd /etc/openvpn/easy-rsa/
                ./easyrsa --batch revoke $CLIENT
                EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
                rm -rf pki/reqs/$CLIENT.req
                rm -rf pki/private/$CLIENT.key
                rm -rf pki/issued/$CLIENT.crt
                rm -rf /etc/openvpn/crl.pem
                # Publish the regenerated CRL so the server rejects the revoked cert
                cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
                chmod 644 /etc/openvpn/crl.pem
                echo ""
                echo "Certificate for client $CLIENT revoked"
                echo "Exiting..."
                exit
                ;;
            3)
                echo ""
                read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
                if [[ "$REMOVE" = 'y' ]]; then
                    PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
                    # Read the protocol back from server.conf so the matching firewall rule is removed
                    PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
                    if pgrep firewalld; then
                        # Using both permanent and not permanent rules to avoid a firewalld reload.
                        firewall-cmd --zone=public --remove-port=$PORT/udp
                        firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
                        firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
                        firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
                    fi
                    if iptables -L -n | grep -qE 'REJECT|DROP'; then
                        if [[ "$PROTOCOL" = 'udp' ]]; then
                            iptables -D INPUT -p udp --dport $PORT -j ACCEPT
                        else
                            iptables -D INPUT -p tcp --dport $PORT -j ACCEPT
                        fi
                        iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
                        iptables-save > $IPTABLES
                    fi
                    iptables -t nat -D POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
                    iptables-save > $IPTABLES
                    if hash sestatus 2>/dev/null; then
                        if sestatus | grep "Current mode" | grep -qs "enforcing"; then
                            if [[ "$PORT" != '1194' ]]; then
                                semanage port -d -t openvpn_port_t -p udp $PORT
                            fi
                        fi
                    fi
                    if [[ "$OS" = 'debian' ]]; then
                        apt-get autoremove --purge -y openvpn
                    elif [[ "$OS" = 'arch' ]]; then
                        pacman -R openvpn --noconfirm
                    else
                        yum remove openvpn -y
                    fi
                    rm -rf /etc/openvpn
                    rm -rf /usr/share/doc/openvpn*
                    echo ""
                    echo "OpenVPN removed!"
                else
                    echo ""
                    echo "Removal aborted!"
                fi
                exit
                ;;
            4) exit;;
        esac
    done
else
    clear
    echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
    echo ""
    # OpenVPN setup and first user creation
    echo "I need to ask you a few questions before starting the setup"
    echo "You can leave the default options and just press enter if you are ok with them"
    echo ""
    echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
    echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
    echo "Otherwise, it should be your public IPv4 address."
    read -p "IP address: " -e -i $IP IP
    echo ""
    echo "What port do you want for OpenVPN?"
    read -p "Port: " -e -i 1194 PORT
    echo ""
    echo "What protocol do you want for OpenVPN?"
    echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
    while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
        read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
    done
    echo ""
    echo "What DNS do you want to use with the VPN?"
    echo " 1) Current system resolvers (from /etc/resolv.conf)"
    echo " 2) Quad9 (Anycast: worldwide)"
    echo " 3) FDN (France)"
    echo " 4) DNS.WATCH (Germany)"
    echo " 5) OpenDNS (Anycast: worldwide)"
    echo " 6) Google (Anycast: worldwide)"
    echo " 7) Yandex Basic (Russia)"
    echo " 8) AdGuard DNS (Russia)"
    while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" && $DNS != "8" ]]; do
        read -p "DNS [1-8]: " -e -i 1 DNS
    done
    echo ""
    echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
    echo "the encryption in OpenVPN and the choices I made in this script."
    echo "Please note that all the choices proposed are secure (to a different degree)"
    echo "and are still viable to date, unlike some default OpenVPN options"
    echo ''
    echo "Choose which cipher you want to use for the data channel:"
    echo " 1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)"
    echo " 2) AES-192-CBC"
    echo " 3) AES-256-CBC"
    echo "Alternatives to AES, use them only if you know what you're doing."
    echo "They are relatively slower but as secure as AES."
    echo " 4) CAMELLIA-128-CBC"
    echo " 5) CAMELLIA-192-CBC"
    echo " 6) CAMELLIA-256-CBC"
    echo " 7) SEED-CBC"
    while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
        read -p "Cipher [1-7]: " -e -i 1 CIPHER
    done
    case $CIPHER in
        1)
            CIPHER="cipher AES-128-CBC"
            ;;
        2)
            CIPHER="cipher AES-192-CBC"
            ;;
        3)
            CIPHER="cipher AES-256-CBC"
            ;;
        4)
            CIPHER="cipher CAMELLIA-128-CBC"
            ;;
        5)
            CIPHER="cipher CAMELLIA-192-CBC"
            ;;
        6)
            CIPHER="cipher CAMELLIA-256-CBC"
            ;;
        7)
            CIPHER="cipher SEED-CBC"
            ;;
    esac
    echo ""
    echo "Choose what size of Diffie-Hellman key you want to use:"
    echo " 1) 2048 bits (fastest)"
    echo " 2) 3072 bits (recommended, best compromise)"
    echo " 3) 4096 bits (most secure)"
    while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
        read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
    done
    case $DH_KEY_SIZE in
        1)
            DH_KEY_SIZE="2048"
            ;;
        2)
            DH_KEY_SIZE="3072"
            ;;
        3)
            DH_KEY_SIZE="4096"
            ;;
    esac
    echo ""
    echo "Choose what size of RSA key you want to use:"
    echo " 1) 2048 bits (fastest)"
    echo " 2) 3072 bits (recommended, best compromise)"
    echo " 3) 4096 bits (most secure)"
    while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
        read -p "RSA key size [1-3]: " -e -i 2 RSA_KEY_SIZE
    done
    case $RSA_KEY_SIZE in
        1)
            RSA_KEY_SIZE="2048"
            ;;
        2)
            RSA_KEY_SIZE="3072"
            ;;
        3)
            RSA_KEY_SIZE="4096"
            ;;
    esac
    echo ""
    echo "Finally, tell me a name for the client certificate and configuration"
    while [[ $CLIENT = "" ]]; do
        echo "Please, use one word only, no special characters"
        read -p "Client name: " -e -i client CLIENT
    done
    echo ""
    echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
    read -n1 -r -p "Press any key to continue..."

    if [[ "$OS" = 'debian' ]]; then
        apt-get install ca-certificates gpg -y
        # We add the OpenVPN repo to get the latest version.
        # Debian 7
        if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
            echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list
            wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
            apt-get update
        fi
        # Debian 8
        if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
            echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
            wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
            apt update
        fi
        # Ubuntu 14.04
        if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
            echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
            wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
            apt-get update
        fi
        # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
        # Then we install OpenVPN
        apt-get install openvpn iptables openssl wget ca-certificates curl -y
        # Install iptables service
        if [[ ! -e /etc/systemd/system/iptables.service ]]; then
            mkdir /etc/iptables
            iptables-save > /etc/iptables/iptables.rules
            echo "#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
            chmod +x /etc/iptables/flush-iptables.sh
            echo "[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
            systemctl daemon-reload
            systemctl enable iptables.service
        fi
    elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then
        if [[ "$OS" = 'centos' ]]; then
            yum install epel-release -y
        fi
        yum install openvpn iptables openssl wget ca-certificates curl -y
        # Install iptables service
        if [[ ! -e /etc/systemd/system/iptables.service ]]; then
            mkdir /etc/iptables
            iptables-save > /etc/iptables/iptables.rules
            echo "#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT" > /etc/iptables/flush-iptables.sh
            chmod +x /etc/iptables/flush-iptables.sh
            echo "[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
            systemctl daemon-reload
            systemctl enable iptables.service
            # Disable firewalld to allow iptables to start upon reboot
            systemctl disable firewalld
            systemctl mask firewalld
        fi
    else
        # Else, the distro is ArchLinux
        echo ""
        echo ""
        echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
        echo "Not doing that could cause problems between dependencies, or missing files in repositories."
        echo ""
        echo "Continuing will update your installed packages and install needed ones."
        while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
            read -p "Continue ? [y/n]: " -e -i y CONTINUE
        done
        if [[ "$CONTINUE" = "n" ]]; then
            echo "Ok, bye !"
            exit 4
        fi

        if [[ "$OS" = 'arch' ]]; then
            # Install dependencies
            pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
            iptables-save > /etc/iptables/iptables.rules # iptables won't start if this file does not exist
            systemctl daemon-reload
            systemctl enable iptables
            systemctl start iptables
        fi
    fi
    # Find out if the machine uses nogroup or nobody for the permissionless group
    if grep -qs "^nogroup:" /etc/group; then
        NOGROUP=nogroup
    else
        NOGROUP=nobody
    fi

    # An old version of easy-rsa was available by default in some openvpn packages
    if [[ -d /etc/openvpn/easy-rsa/ ]]; then
        rm -rf /etc/openvpn/easy-rsa/
    fi
    # Get easy-rsa
    wget -O ~/EasyRSA-3.0.4.tgz https://github.com/OpenVPN/easy-rsa/releases/download/3.0.4/EasyRSA-3.0.4.tgz
    tar xzf ~/EasyRSA-3.0.4.tgz -C ~/
    mv ~/EasyRSA-3.0.4/ /etc/openvpn/
    mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
    chown -R root:root /etc/openvpn/easy-rsa/
    rm -rf ~/EasyRSA-3.0.4.tgz
    cd /etc/openvpn/easy-rsa/
    # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
    SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
    SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
    echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
    echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
    # Create the PKI, set up the CA, the DH params and the server + client certificates
    ./easyrsa init-pki
    ./easyrsa --batch build-ca nopass
    openssl dhparam -out dh.pem $DH_KEY_SIZE
    ./easyrsa build-server-full $SERVER_NAME nopass
    ./easyrsa build-client-full $CLIENT nopass
    EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
    # generate tls-auth key
    openvpn --genkey --secret /etc/openvpn/tls-auth.key
    # Move all the generated files
    cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
    # Make cert revocation list readable for non-root
    chmod 644 /etc/openvpn/crl.pem

    # Generate server.conf
    echo "port $PORT" > /etc/openvpn/server.conf
    if [[ "$PROTOCOL" = 'UDP' ]]; then
        echo "proto udp" >> /etc/openvpn/server.conf
    elif [[ "$PROTOCOL" = 'TCP' ]]; then
        echo "proto tcp" >> /etc/openvpn/server.conf
    fi
    echo "dev tun
user nobody
group $NOGROUP
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
    # DNS resolvers
    case $DNS in
        1)
            # Obtain the resolvers from resolv.conf and use them for OpenVPN
            grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
                echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
            done
            ;;
        2) #Quad9
            echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server.conf
            ;;
        3) #FDN
            echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
            echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
            ;;
        4) #DNS.WATCH
            echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
            echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
            ;;
        5) #OpenDNS
            echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
            echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
            ;;
        6) #Google
            echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
            echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
            ;;
        7) #Yandex Basic
            echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
            echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
            ;;
        8) #AdGuard DNS
            echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
            echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
            ;;
    esac
    echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
    echo "crl-verify crl.pem
ca ca.crt
cert $SERVER_NAME.crt
key $SERVER_NAME.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
$CIPHER
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 3" >> /etc/openvpn/server.conf

    # Create the sysctl configuration file if needed (mainly for Arch Linux)
    if [[ ! -e $SYSCTL ]]; then
        touch $SYSCTL
    fi

    # Enable net.ipv4.ip_forward for the system
    sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' $SYSCTL
    if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
        echo 'net.ipv4.ip_forward=1' >> $SYSCTL
    fi
    # Avoid an unneeded reboot
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Set NAT for the VPN subnet
    iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
    # Save persistent iptables rules
    iptables-save > $IPTABLES
    if pgrep firewalld; then
        # We don't use --add-service=openvpn because that would only work with
        # the default port. Using both permanent and not permanent rules to
        # avoid a firewalld reload.
        if [[ "$PROTOCOL" = 'UDP' ]]; then
            firewall-cmd --zone=public --add-port=$PORT/udp
            firewall-cmd --permanent --zone=public --add-port=$PORT/udp
        elif [[ "$PROTOCOL" = 'TCP' ]]; then
            firewall-cmd --zone=public --add-port=$PORT/tcp
            firewall-cmd --permanent --zone=public --add-port=$PORT/tcp
        fi
        firewall-cmd --zone=trusted --add-source=10.8.0.0/24
        firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
    fi
    if iptables -L -n | grep -qE 'REJECT|DROP'; then
        # If iptables has at least one REJECT rule, we assume this is needed.
        # Not the best approach but I can't think of other and this shouldn't
        # cause problems.
        if [[ "$PROTOCOL" = 'UDP' ]]; then
            iptables -I INPUT -p udp --dport $PORT -j ACCEPT
        elif [[ "$PROTOCOL" = 'TCP' ]]; then
            iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
        fi
        iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
        iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        # Save persistent OpenVPN rules
        iptables-save > $IPTABLES
    fi
    # If SELinux is enabled and a custom port was selected, we need this
    if hash sestatus 2>/dev/null; then
        if sestatus | grep "Current mode" | grep -qs "enforcing"; then
            if [[ "$PORT" != '1194' ]]; then
                # semanage isn't available in CentOS 6 by default
                if ! hash semanage 2>/dev/null; then
                    yum install policycoreutils-python -y
                fi
                if [[ "$PROTOCOL" = 'UDP' ]]; then
                    semanage port -a -t openvpn_port_t -p udp $PORT
                elif [[ "$PROTOCOL" = 'TCP' ]]; then
                    semanage port -a -t openvpn_port_t -p tcp $PORT
                fi
            fi
        fi
    fi
    # And finally, restart OpenVPN
    if [[ "$OS" = 'debian' ]]; then
        # Little hack to check for systemd
        if pgrep systemd-journal; then
            #Workaround to fix OpenVPN service on OpenVZ
            sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn\@.service
            sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn\@.service
            sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn\@.service
            systemctl daemon-reload
            systemctl restart openvpn
            systemctl enable openvpn
        else
            /etc/init.d/openvpn restart
        fi
    else
        if pgrep systemd-journal; then
            if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
                #Workaround to avoid rewriting the entire script for Arch & Fedora
                sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
                sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
                systemctl daemon-reload
                systemctl restart openvpn-server@openvpn.service
                systemctl enable openvpn-server@openvpn.service
            else
                systemctl restart openvpn@server.service
                systemctl enable openvpn@server.service
            fi
        else
            service openvpn restart
            chkconfig openvpn on
        fi
    fi
    # Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
    EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
    if [[ "$IP" != "$EXTERNALIP" ]]; then
        echo ""
        echo "Looks like your server is behind a NAT!"
        echo ""
        echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
        echo "then I need to know the address that can be used to access it from outside."
        echo "If that's not the case, just ignore this and leave the next field blank"
        read -p "External IP or domain name: " -e USEREXTERNALIP
        if [[ "$USEREXTERNALIP" != "" ]]; then
            IP=$USEREXTERNALIP
        fi
    fi
    # client-template.txt is created so we have a template to add further users later
    echo "client" > /etc/openvpn/client-template.txt
    if [[ "$PROTOCOL" = 'UDP' ]]; then
        echo "proto udp" >> /etc/openvpn/client-template.txt
    elif [[ "$PROTOCOL" = 'TCP' ]]; then
        echo "proto tcp-client" >> /etc/openvpn/client-template.txt
    fi
    echo "remote $IP $PORT
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name $SERVER_NAME name
auth SHA256
auth-nocache
$CIPHER
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3" >> /etc/openvpn/client-template.txt

    # Generate the custom client.ovpn
    newclient "$CLIENT"
    echo ""
    echo "Finished!"
    echo ""
    echo "Your client config is available at $homeDir/$CLIENT.ovpn"
    echo "If you want to add more clients, you simply need to run this script another time!"
fi
exit 0;

Save the code and run it as a *.sh file.
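Two defensive checks worth bolting onto the installer, added here as an example (this is not code from the original post or from Angristan's script): a validator for the client name the script asks for but never enforces (the name is spliced into paths such as /home/$1 and pki/issued/$1.crt and into easyrsa arguments), and an audit that a generated server.conf still carries the hardening directives the script writes. The sample config files are constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not part of the original post or of Angristan's installer.

# Returns 0 when NAME is safe to use as a certificate CN and as a file name:
# non-empty, at most 64 characters, letters/digits/underscore/hyphen only.
valid_client_name() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 64 ] \
        && printf '%s' "$name" | grep -qE '^[A-Za-z0-9_-]+$'
}

# Returns 0 when every required directive is present in the server.conf given
# as $1; prints each missing directive and returns 1 otherwise.
audit_server_conf() {
    conf="$1"
    status=0
    # Directives the installer writes into server.conf (see the script above);
    # the last pattern accepts any of the seven data-channel ciphers it offers.
    required='^user nobody$
^crl-verify crl\.pem$
^tls-auth tls-auth\.key 0$
^auth SHA256$
^tls-version-min 1\.2$
^tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256$
^cipher ((AES|CAMELLIA)-(128|192|256)-CBC|SEED-CBC)$'
    while IFS= read -r pattern; do
        if ! grep -qE "$pattern" "$conf"; then
            echo "missing in $conf: $pattern"
            status=1
        fi
    done <<EOF
$required
EOF
    return "$status"
}

# Constructed sample configs for a stand-alone run. good.conf mirrors what the
# installer produces; weak.conf is what is left after someone strips the TLS
# hardening by hand and falls back to a legacy cipher.
write_samples() {
    SAMPLE_DIR="$(mktemp -d)"
    cat >"$SAMPLE_DIR/good.conf" <<'EOF'
port 1194
proto udp
dev tun
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
crl-verify crl.pem
ca ca.crt
cert server_EXAMPLE.crt
key server_EXAMPLE.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
cipher AES-128-CBC
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
EOF
    cat >"$SAMPLE_DIR/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server_EXAMPLE.crt
key server_EXAMPLE.key
dh dh.pem
cipher BF-CBC
EOF
}

# Stand-alone demonstration on the constructed samples.
write_samples
audit_server_conf "$SAMPLE_DIR/good.conf" && echo "good.conf: all hardening directives present"
audit_server_conf "$SAMPLE_DIR/weak.conf" || echo "weak.conf: audit failed as expected"
rm -rf "$SAMPLE_DIR"
```

To audit a live server, call `audit_server_conf /etc/openvpn/server.conf`; a non-zero exit lists exactly which directives drifted.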


As I mentioned earlier… you can install it from its official GitHub repository with a few simple lines.

From your console / terminal:

wget https://raw.githubusercontent.com/Angristan/OpenVPN-install/master/openvpn-install.sh

give it execute permission.

chmod +x openvpn-install.sh

install…

./openvpn-install.sh

answer the questions it asks you in order to configure it correctly.

Once the installation has finished, you must reboot the server.

To add clients, remove clients or uninstall OpenVPN, run the script again.

The following options will appear…

Modify them according to your needs.

Your brand-new OpenVPN server is now ready for production.

Copyright © 2018 Linux para todos