#!/bin/bash
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
# Freedom in the Cloud
#
# VPN functions
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
# http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php
#
# License
# =======
#
# Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Freedombone app metadata: which install variants carry this app, whether it
# is part of the default install and whether it is listed on the "about" page.
VARIANTS='full full-vim'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=0

# easy-rsa name of the server certificate (keys/server.crt, keys/server.key)
OPENVPN_SERVER_NAME="server"
# per-user client profile written to /home/<user>; it embeds the user's
# private key, so treat it as a secret
OPENVPN_KEY_FILENAME='client.ovpn'

# Subject fields for the self-signed stunnel certificate (generate_stunnel_keys).
# Deliberately generic so the certificate does not identify the operator.
VPN_COUNTRY_CODE="US"
VPN_AREA="Apparent Free Speech Zone"
VPN_LOCATION="Freedomville"
VPN_ORGANISATION="Freedombone"
VPN_UNIT="Freedombone Unit"
# local port the client-side stunnel listens on; the OpenVPN client connects here
STUNNEL_PORT=3439
# public TCP port the server-side stunnel accepts TLS on (443 also works but
# takes the port away from nginx); overridden by the stored config value
VPN_TLS_PORT=553
# TLS port used when building a mesh image instead of a normal install
VPN_MESH_TLS_PORT=653

# config parameters this app reads from the Freedombone config file
vpn_variables=(MY_EMAIL_ADDRESS
               DEFAULT_DOMAIN_NAME
               MY_USERNAME
               VPN_COUNTRY_CODE
               VPN_AREA
               VPN_LOCATION
               VPN_ORGANISATION
               VPN_UNIT
               VPN_TLS_PORT)
function logging_on_vpn {
    # Enable OpenVPN status logging: point the "status" directive at
    # /var/log/openvpn.log and restart the service. Does nothing when the
    # server configuration has not been installed yet.
    local server_conf=/etc/openvpn/server.conf
    [ -f "$server_conf" ] || return 0
    sed -i 's|status .*|status /var/log/openvpn.log|g' "$server_conf"
    systemctl restart openvpn
}
function logging_off_vpn {
    # Disable OpenVPN status logging by sending the "status" output to
    # /dev/null, then restart the service. No-op without a server config.
    local server_conf=/etc/openvpn/server.conf
    [ -f "$server_conf" ] || return 0
    sed -i 's|status .*|status /dev/null|g' "$server_conf"
    systemctl restart openvpn
}
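function install_interactive_vpn {
    # Interactive installer step: ask for the public TLS port stunnel will
    # listen on. 443 blends in with HTTPS (censorship resistance) but takes
    # the port away from nginx, so all web apps are disabled in that case.
    # Loops until a valid port is entered; stores VPN_TLS_PORT in the
    # config and sets APP_INSTALLED=1. Cancel/ESC exits the script.
    read_config_param VPN_TLS_PORT
    if [ ! "$VPN_TLS_PORT" ]; then
        VPN_TLS_PORT=553
    fi

    VPN_DETAILS_COMPLETE=
    while [ ! $VPN_DETAILS_COMPLETE ]
    do
        data=$(mktemp 2>/dev/null)
        # temp.cfg is the installer's scratch config in the current
        # directory; a value there takes precedence over the stored one
        currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')
        if [ "$currtlsport" ]; then
            VPN_TLS_PORT=$currtlsport
        fi
        dialog --backtitle $"Freedombone Configuration" \
               --title $"VPN Configuration" \
               --form $"\\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
               $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \
               2> "$data"
        sel=$?
        case $sel in
            1) rm -f "$data"
               exit 1;;
            255) rm -f "$data"
                 exit 1;;
        esac
        tlsport=$(sed -n 1p < "$data")
        rm -f "$data"
        # Accept only a plain decimal port in range. The value is later
        # interpolated into sed expressions and firewall rules and used in
        # numeric comparisons, so anything else is both a broken config
        # and an injection risk (the old check only rejected spaces/dots).
        if [[ "$tlsport" =~ ^[0-9]{1,5}$ ]] && [ "$tlsport" -ge 1 ] && [ "$tlsport" -le 65535 ]; then
            VPN_TLS_PORT="$tlsport"
            VPN_DETAILS_COMPLETE="yes"
            write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
        fi
    done
    clear
    APP_INSTALLED=1
}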
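function vpn_change_tls_port {
    # Control panel action: move the stunnel TLS listener to another port.
    # Updates the stored config, the stunnel server config, the client
    # config (and every user's copy of it), the VPN-TLS firewall entry and
    # nginx, which has to give up port 443 when the VPN takes it.
    # The previous port is recovered from the firewall config; no VPN-TLS
    # entry is written for 443 (see install_vpn), so "no entry" means 443.
    if ! grep -q "VPN-TLS" "$FIREWALL_CONFIG"; then
        EXISTING_VPN_TLS_PORT=443
    else
        EXISTING_VPN_TLS_PORT=$(grep "VPN-TLS" "$FIREWALL_CONFIG" | awk -F '=' '{print $2}')
    fi

    data=$(mktemp 2>/dev/null)
    dialog --title $"VPN Configuration" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $'Change TLS port' 10 50 "$EXISTING_VPN_TLS_PORT" 2>"$data"
    sel=$?
    case $sel in
        0)
            tlsport=$(<"$data")
            # Only a plain in-range decimal port is accepted: it goes straight
            # into sed expressions, firewall rules and "-eq" below, so any
            # other input would break the configs or error out half-way.
            if [[ "$tlsport" =~ ^[0-9]{1,5}$ ]] && [ "$tlsport" -ge 1 ] && [ "$tlsport" -le 65535 ] \
               && [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
                clear
                VPN_TLS_PORT=$tlsport
                write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
                sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
                # The client's connect line is "host:port" (install_stunnel);
                # rewrite it with the host kept, otherwise clients would be
                # told to connect to ":port" with no host at all.
                if [ ! "$DEFAULT_DOMAIN_NAME" ]; then
                    read_config_param DEFAULT_DOMAIN_NAME
                fi
                sed -i "s|connect =.*|connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
                for d in /home/*/ ; do
                    USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
                    if [ -f "/home/$USERNAME/stunnel-client.conf" ]; then
                        cp "/etc/stunnel/stunnel-client.conf" "/home/$USERNAME/stunnel-client.conf"
                        chown "$USERNAME":"$USERNAME" "/home/$USERNAME/stunnel-client.conf"
                    fi
                done
                # a firewall entry only exists for non-443 ports
                if [[ "$EXISTING_VPN_TLS_PORT" != "443" ]]; then
                    firewall_remove VPN-TLS "${EXISTING_VPN_TLS_PORT}"
                fi
                if [ "$VPN_TLS_PORT" -eq 443 ]; then
                    # stunnel now owns the HTTPS port
                    systemctl stop nginx
                    systemctl disable nginx
                else
                    firewall_add VPN-TLS "${VPN_TLS_PORT}" tcp
                    systemctl enable nginx
                    systemctl restart nginx
                fi
                systemctl restart stunnel
                dialog --title $"VPN Configuration" \
                       --msgbox $"TLS port changed to ${VPN_TLS_PORT}. Forward this port from your internet router." 10 60
            fi
            ;;
    esac
    rm -f "$data"
}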
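function vpn_regenerate_client_keys {
    # Control panel action: prompt for a username and issue that user a
    # fresh client certificate and profile via create_user_vpn_key.
    # NOTE: the previous certificate is not revoked (no CRL is maintained),
    # so a copy of the old profile keeps working until the CA is rebuilt.
    data=$(mktemp 2>/dev/null)
    dialog --title $"Regenerate VPN keys for a user" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $'username' 10 50 2>"$data"
    sel=$?
    case $sel in
        0)
            USERNAME=$(<"$data")
            # The name is spliced into paths under /home and easy-rsa/keys.
            # Require a plain account name: "-d /home/../x" is true for
            # "../x", so the directory test alone would let the name escape
            # both trees (and delete/overwrite files there).
            if [[ "$USERNAME" =~ ^[a-z_][a-z0-9_-]*$ ]] && [ -d "/home/$USERNAME" ]; then
                clear
                create_user_vpn_key "$USERNAME"
                dialog --title $"Regenerate VPN keys for a user" \
                       --msgbox $"VPN keys were regenerated for $USERNAME" 6 60
            fi
            ;;
    esac
    rm -f "$data"
}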
function configure_interactive_vpn {
    # Administrator control panel menu for the VPN. Shows the current TLS
    # port and loops until ESC/cancel, dispatching to the port-change and
    # key-regeneration actions.
    read_config_param VPN_TLS_PORT
    while true; do
        W=(1 $"Change TLS port (currently $VPN_TLS_PORT)"
           2 $"Regenerate keys for a user")
        # shellcheck disable=SC2068
        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"VPN" --menu $"Choose an operation, or ESC to exit:" 10 60 2 "${W[@]}" 3>&2 2>&1 1>&3)
        [ "$selection" ] || break
        case $selection in
            1) vpn_change_tls_port;;
            2) vpn_regenerate_client_keys;;
        esac
    done
}
function reconfigure_vpn {
    # App hook required by the framework; the VPN has nothing to
    # reconfigure, so this is intentionally a no-op with status 0.
    :
}
function upgrade_vpn {
    # App hook required by the framework; upgrades are handled by the
    # package manager, so this is intentionally a no-op with status 0.
    :
}
function backup_local_vpn {
    # Back up the VPN to USB. Every user's client profile (which embeds
    # that user's private key) is first staged into the easy-rsa keys
    # directory as <user>_client.ovpn; then the keys directory (including
    # the CA key) and the stunnel directory are copied out.
    local home_dir profile
    for home_dir in /home/*/ ; do
        USERNAME=$(basename "$home_dir")
        profile="/home/$USERNAME/$OPENVPN_KEY_FILENAME"
        [ -f "$profile" ] || continue
        cp "$profile" "/etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}"
    done
    function_check backup_directory_to_usb
    backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn
    backup_directory_to_usb /etc/stunnel vpnstunnel
}
function restore_local_vpn {
    # Restore from USB what backup_local_vpn saved: the easy-rsa keys
    # directory (server cert/key and dh params are also copied up to
    # /etc/openvpn) and the stunnel directory. A user gets client.ovpn back
    # when a staged <user>_client.ovpn exists, and stunnel.pem/stunnel.p12
    # back only when a file of that name is already in their home.
    local home_dir staged stunnel_file
    temp_restore_dir=/root/tempvpn
    restore_directory_from_usb $temp_restore_dir vpn
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
        cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
        cp -r ${temp_restore_dir}/dh* /etc/openvpn/
        rm -rf ${temp_restore_dir}
        for home_dir in /home/*/ ; do
            USERNAME=$(basename "$home_dir")
            staged="/etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}"
            [ -f "$staged" ] || continue
            cp "$staged" "/home/$USERNAME/$OPENVPN_KEY_FILENAME"
            chown "$USERNAME":"$USERNAME" "/home/$USERNAME/$OPENVPN_KEY_FILENAME"
        done
    fi

    temp_restore_dir=/root/tempvpnstunnel
    restore_directory_from_usb $temp_restore_dir vpnstunnel
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/stunnel
        rm -rf ${temp_restore_dir}
        for home_dir in /home/*/ ; do
            USERNAME=$(basename "$home_dir")
            for stunnel_file in stunnel.pem stunnel.p12; do
                if [ -f "/home/$USERNAME/$stunnel_file" ]; then
                    cp "/etc/stunnel/$stunnel_file" "/home/$USERNAME/$stunnel_file"
                    chown "$USERNAME":"$USERNAME" "/home/$USERNAME/$stunnel_file"
                fi
            done
        done
    fi
}
function backup_remote_vpn {
    # Back up the VPN to a friend's server. Same staging as
    # backup_local_vpn: each user's client profile (private key inside) is
    # copied into the easy-rsa keys directory, then that directory and
    # /etc/stunnel are sent.
    local home_dir profile
    for home_dir in /home/*/ ; do
        USERNAME=$(basename "$home_dir")
        profile="/home/$USERNAME/$OPENVPN_KEY_FILENAME"
        [ -f "$profile" ] || continue
        cp "$profile" "/etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}"
    done
    function_check backup_directory_to_friend
    backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
    backup_directory_to_friend /etc/stunnel vpnstunnel
}
function restore_remote_vpn {
    # Restore from a friend's server what backup_remote_vpn saved; mirrors
    # restore_local_vpn. The easy-rsa keys directory comes back first (with
    # server cert/key and dh params copied up to /etc/openvpn), then
    # /etc/stunnel. Per-user files are handed back on the same conditions
    # as restore_local_vpn.
    local home_dir staged stunnel_file
    temp_restore_dir=/root/tempvpn
    restore_directory_from_friend $temp_restore_dir vpn
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
        cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
        cp -r ${temp_restore_dir}/dh* /etc/openvpn/
        rm -rf ${temp_restore_dir}
        for home_dir in /home/*/ ; do
            USERNAME=$(basename "$home_dir")
            staged="/etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}"
            [ -f "$staged" ] || continue
            cp "$staged" "/home/$USERNAME/$OPENVPN_KEY_FILENAME"
            chown "$USERNAME":"$USERNAME" "/home/$USERNAME/$OPENVPN_KEY_FILENAME"
        done
    fi

    temp_restore_dir=/root/tempvpnstunnel
    restore_directory_from_friend $temp_restore_dir vpnstunnel
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/stunnel
        rm -rf ${temp_restore_dir}
        for home_dir in /home/*/ ; do
            USERNAME=$(basename "$home_dir")
            for stunnel_file in stunnel.pem stunnel.p12; do
                if [ -f "/home/$USERNAME/$stunnel_file" ]; then
                    cp "/etc/stunnel/$stunnel_file" "/home/$USERNAME/$stunnel_file"
                    chown "$USERNAME":"$USERNAME" "/home/$USERNAME/$stunnel_file"
                fi
            done
        done
    fi
}
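function remove_vpn {
    # Uninstall the VPN: stop and remove stunnel and OpenVPN, close the
    # TLS firewall port (or hand 443 back to nginx), switch IP forwarding
    # off again, delete all server and client key material and the vpn
    # system account.
    systemctl stop stunnel
    systemctl disable stunnel
    rm -f /etc/systemd/system/stunnel.service
    systemctl stop openvpn
    # Use the configured port, not the file-level default: it decides which
    # firewall entry to drop and whether nginx must be re-enabled on 443
    read_config_param VPN_TLS_PORT
    if [ ! "$VPN_TLS_PORT" ]; then
        VPN_TLS_PORT=553
    fi
    if [ "$VPN_TLS_PORT" -ne 443 ]; then
        firewall_remove VPN-TLS "$VPN_TLS_PORT"
    else
        systemctl enable nginx
        systemctl restart nginx
    fi
    apt-get -yq remove --purge fastd openvpn easy-rsa
    apt-get -yq remove stunnel4
    if [ -d /etc/openvpn ]; then
        rm -rf /etc/openvpn
    fi
    firewall_disable_vpn
    echo 0 > /proc/sys/net/ipv4/ip_forward
    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
    remove_completion_param install_vpn
    # Remove every user's client profile and stunnel key/cert copies: they
    # contain private keys and must not outlive the uninstall. The glob
    # has to stay outside the quotes - a quoted "stunnel*" is a literal
    # filename and removes nothing.
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        rm -f "/home/$USERNAME/$OPENVPN_KEY_FILENAME"
        rm -f "/home/$USERNAME"/stunnel*
    done
    userdel -f vpn
    groupdel -f vpn
    if [ -d /etc/stunnel ]; then
        rm -rf /etc/stunnel
    fi
}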
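function create_user_vpn_key {
    # Issue a client certificate for user $1 with easy-rsa and write a
    # self-contained OpenVPN profile (CA cert, client cert and private key
    # inline) to /home/$1/client.ovpn, plus a root-only copy under
    # easy-rsa/keys. Any existing cert/key/csr for the user is discarded
    # first; the old certificate is NOT revoked (no CRL is maintained).
    # Returns silently if the user has no home directory; exits the script
    # on any generation failure.
    username=$1
    if [ ! -d "/home/$username" ]; then
        return
    fi
    echo $"Creating VPN key for $username"
    cd /etc/openvpn/easy-rsa || exit 4728468246

    # build-key (pkitool) needs the KEY_* exports from vars. They are only
    # in the environment when this runs inside vpn_generate_keys, so source
    # them here as well (harmless if already sourced).
    # shellcheck disable=SC1091
    . ./vars

    local keys_dir=/etc/openvpn/easy-rsa/keys
    rm -f "$keys_dir/$username.crt" "$keys_dir/$username.key" "$keys_dir/$username.csr"

    sed -i 's| --interact||g' build-key
    ./build-key "$username"

    if [ ! -f "$keys_dir/$username.crt" ]; then
        echo $'VPN user cert not generated'
        exit 783528
    fi
    user_cert=$(cat "$keys_dir/$username.crt")
    if [ ${#user_cert} -lt 10 ]; then
        cat "$keys_dir/$username.crt"
        echo $'User cert generation failed'
        exit 634659
    fi
    if [ ! -f "$keys_dir/$username.key" ]; then
        echo $'VPN user key not generated'
        exit 682523
    fi
    user_key=$(cat "$keys_dir/$username.key")
    if [ ${#user_key} -lt 10 ]; then
        cat "$keys_dir/$username.key"
        echo $'User key generation failed'
        exit 285838
    fi

    user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME

    # The profile embeds a private key: create it unreadable to other local
    # users before any content goes in (home directories are commonly 755)
    rm -f "$user_vpn_cert_file"
    (umask 077; : > "$user_vpn_cert_file")
    {
        echo 'client'
        echo 'dev tun'
        echo 'proto tcp'
        # the OpenVPN client talks to the local stunnel, which carries the
        # session to $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT inside TLS
        echo "remote localhost $STUNNEL_PORT"
        # keep the route to the server itself outside the tunnel
        echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway"
        echo 'resolv-retry infinite'
        echo 'nobind'
        echo 'tun-mtu 1500'
        echo 'tun-mtu-extra 32'
        echo 'mssfix 1450'
        echo 'persist-key'
        echo 'persist-tun'
        echo 'auth-nocache'
        # only accept a peer certificate issued for server use
        echo 'remote-cert-tls server'
        echo 'comp-lzo'
        echo 'verb 3'
        echo ''
        echo '<ca>'
        cat /etc/openvpn/ca.crt
        echo '</ca>'
        echo '<cert>'
        # the paths end at .crt/.key - previously a ';' had slipped inside
        # the quotes, so cat failed and profiles shipped without cert or key
        cat "$keys_dir/$username.crt"
        echo '</cert>'
        echo '<key>'
        cat "$keys_dir/$username.key"
        echo '</key>'
    } >> "$user_vpn_cert_file"
    # Never hand out (or delete the key for) a profile missing its key
    if ! grep -q -- '-----END .*PRIVATE KEY-----' "$user_vpn_cert_file"; then
        echo $'User key was not embedded in the VPN profile'
        exit 285839
    fi
    chown "$username":"$username" "$user_vpn_cert_file"
    chmod 600 "$user_vpn_cert_file"

    # keep a root-only backup (also used by the backup/restore functions)
    cp "$user_vpn_cert_file" "$keys_dir/$username.ovpn"
    chmod 600 "$keys_dir/$username.ovpn"

    # the standalone key now only lives inside the profile
    rm "$keys_dir/$username.key"
    echo $"VPN key created at $user_vpn_cert_file"
}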
function add_user_vpn {
    # Hook run when a user account is created: issue the user a client
    # certificate/profile and give them copies of the stunnel certificate
    # bundle (.pem and .p12, when present) and the stunnel client config.
    # $2 (the password) is accepted for interface compatibility but unused.
    new_username="$1"
    # new_user_password="$2"

    create_user_vpn_key "$new_username"

    local home_dir="/home/$new_username"
    local bundle
    for bundle in stunnel.pem stunnel.p12; do
        if [ -f "/etc/stunnel/$bundle" ]; then
            cp "/etc/stunnel/$bundle" "$home_dir/$bundle"
            chown "$new_username":"$new_username" "$home_dir/$bundle"
        fi
    done
    cp /etc/stunnel/stunnel-client.conf "$home_dir/stunnel-client.conf"
    chown "$new_username":"$new_username" "$home_dir/stunnel-client.conf"
}
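function remove_user_vpn {
    # Hook run when a user account is deleted. Revokes the user's client
    # certificate with easy-rsa's revoke-full (which regenerates
    # keys/crl.pem) and removes the root-side copies of their profile and
    # certificate material. Previously this did nothing, so a removed
    # user's profile stayed valid indefinitely.
    # NOTE(review): server.conf carries no "crl-verify" directive, so the
    # CRL produced here is not yet enforced by OpenVPN; adding
    # "crl-verify /etc/openvpn/crl.pem" to the server config (with the file
    # present) is what makes the revocation take effect.
    new_username="$1"
    # the name is spliced into paths: require a plain account name
    if [[ ! "$new_username" =~ ^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$ ]] || [ ! -d /etc/openvpn/easy-rsa ]; then
        return 0
    fi
    local keys_dir=/etc/openvpn/easy-rsa/keys
    (
        cd /etc/openvpn/easy-rsa || exit 0
        # shellcheck disable=SC1091
        . ./vars
        if [ -x ./revoke-full ] && [ -f "$keys_dir/$new_username.crt" ]; then
            ./revoke-full "$new_username"
        fi
    )
    if [ -f "$keys_dir/crl.pem" ]; then
        cp "$keys_dir/crl.pem" /etc/openvpn/crl.pem
        chmod 644 /etc/openvpn/crl.pem
    fi
    rm -f "$keys_dir/$new_username.ovpn" \
          "$keys_dir/${new_username}_${OPENVPN_KEY_FILENAME}" \
          "$keys_dir/$new_username.crt" \
          "$keys_dir/$new_username.csr" \
          "$keys_dir/$new_username.key"
}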
function mesh_setup_vpn {
    # First-boot setup on a mesh image: the PKI could not be generated
    # while the image was built in a chroot, so create the OpenVPN keys
    # now, hand the fbone user the stunnel client config, then create the
    # stunnel certificate and restart OpenVPN.
    vpn_generate_keys
    local mesh_home=/home/fbone
    if [ -d "$mesh_home" ]; then
        cp /etc/stunnel/stunnel-client.conf "$mesh_home/stunnel-client.conf"
        chown fbone:fbone "$mesh_home"/stunnel*
    fi
    generate_stunnel_keys
    systemctl restart openvpn
}
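function generate_stunnel_keys {
    # Create the self-signed certificate stunnel presents on the TLS port,
    # in the forms the clients need: key.pem/cert.pem, the combined
    # stunnel.pem and a PKCS#12 bundle. Copies of the combined file and the
    # bundle are placed in the admin user's home. Exits the script if any
    # file is not produced.
    # NOTE(review): the same key+cert is used on both ends (the client
    # config says "cert = stunnel.pem"), so every VPN user holds the
    # server's private key and could impersonate the stunnel endpoint to
    # other clients; only the OpenVPN certificates protect the tunnel.
    openssl req -x509 -nodes -days 3650 -sha256 \
            -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
            -newkey rsa:2048 -keyout /etc/stunnel/key.pem \
            -out /etc/stunnel/cert.pem
    if [ ! -f /etc/stunnel/key.pem ]; then
        echo $'stunnel key not created'
        exit 793530
    fi
    if [ ! -f /etc/stunnel/cert.pem ]; then
        echo $'stunnel cert not created'
        exit 204587
    fi
    chmod 400 /etc/stunnel/key.pem
    chmod 640 /etc/stunnel/cert.pem

    # Overwrite rather than append: on regeneration an appended file would
    # accumulate every previous key and certificate. Create it with a
    # restrictive umask so the key is never world-readable, even briefly.
    (umask 077; cat /etc/stunnel/key.pem /etc/stunnel/cert.pem > /etc/stunnel/stunnel.pem)
    chmod 640 /etc/stunnel/stunnel.pem

    # empty export password: file permissions are the bundle's only
    # protection (presumably chosen for easy import on client devices)
    openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
    if [ ! -f /etc/stunnel/stunnel.p12 ]; then
        echo $'stunnel pkcs12 not created'
        exit 639353
    fi
    chmod 640 /etc/stunnel/stunnel.p12

    cp /etc/stunnel/stunnel.pem "/home/$MY_USERNAME/stunnel.pem"
    cp /etc/stunnel/stunnel.p12 "/home/$MY_USERNAME/stunnel.p12"
    # name the files explicitly: a quoted "stunnel*" is a literal, not a
    # glob, and the copies were left owned by root
    chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/stunnel.pem" "/home/$MY_USERNAME/stunnel.p12"
}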
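function install_stunnel {
    # Install stunnel4 and write: the server config (TLS on VPN_TLS_PORT,
    # forwarding to OpenVPN on localhost:1194), the client config users
    # run on their own machines (local STUNNEL_PORT -> server:VPN_TLS_PORT),
    # and a systemd unit. With $rootdir set (mesh image build) everything is
    # written into the chroot, no keys are generated and nothing is started.
    # On a normal install, taking port 443 disables nginx.
    prefix=
    prefixchroot=
    # shellcheck disable=SC2154
    if [ "$rootdir" ]; then
        prefix=$rootdir
        prefixchroot="chroot $rootdir"
        VPN_TLS_PORT=$VPN_MESH_TLS_PORT
    fi
    $prefixchroot apt-get -yq install stunnel4

    if [ ! "$prefix" ]; then
        cd /etc/stunnel || exit 46284624
        generate_stunnel_keys
    fi

    # Server side. The certificate is loaded before stunnel chroots and
    # drops to stunnel4, so it may stay root-readable only. No client
    # certificate verification is configured: any TLS client may reach
    # OpenVPN, which then does its own certificate authentication.
    # NOTE(review): "protocol = socks" is documented by stunnel as a
    # server-only SOCKS mode that ignores "connect"; confirm this setting is
    # actually wanted on both sides rather than a plain TLS forward.
    { echo 'chroot = /var/lib/stunnel4';
      echo 'pid = /stunnel4.pid';
      echo 'setuid = stunnel4';
      echo 'setgid = stunnel4';
      echo 'socket = l:TCP_NODELAY=1';
      echo 'socket = r:TCP_NODELAY=1';
      echo 'cert = /etc/stunnel/stunnel.pem';
      echo '[openvpn]';
      echo "accept = $VPN_TLS_PORT";
      echo 'connect = localhost:1194';
      echo 'cert = /etc/stunnel/stunnel.pem';
      echo 'protocol = socks'; } > "$prefix/etc/stunnel/stunnel.conf"
    sed -i 's|ENABLED=.*|ENABLED=1|g' "$prefix/etc/default/stunnel4"
    # Client side; "cert = stunnel.pem" is relative to where the user runs it
    { echo '[openvpn]';
      echo 'client = yes';
      echo "accept = $STUNNEL_PORT";
      echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT";
      echo 'cert = stunnel.pem';
      echo 'protocol = socks'; } > "$prefix/etc/stunnel/stunnel-client.conf"
    # NOTE: ExecStop uses SIGKILL; a plain "killall stunnel" (SIGTERM) would
    # let stunnel shut down cleanly and remove its pid file
    { echo '[Unit]';
      echo 'Description=SSL tunnel for network daemons';
      echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html';
      echo 'DefaultDependencies=no';
      echo 'After=network.target';
      echo 'After=syslog.target';
      echo '';
      echo '[Install]';
      echo 'WantedBy=multi-user.target';
      echo 'Alias=stunnel.target';
      echo '';
      echo '[Service]';
      echo 'Type=forking';
      echo 'RuntimeDirectory=stunnel';
      echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf';
      echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf';
      echo 'ExecStop=/usr/bin/killall -9 stunnel';
      echo 'RemainAfterExit=yes'; } > "$prefix/etc/systemd/system/stunnel.service"
    if [ ! "$prefix" ]; then
        if [ "$VPN_TLS_PORT" -eq 443 ]; then
            # stunnel owns the HTTPS port; web apps are unavailable
            systemctl stop nginx
            systemctl disable nginx
        else
            systemctl enable nginx
            systemctl restart nginx
        fi
        systemctl enable stunnel
        systemctl daemon-reload
        systemctl start stunnel

        cp /etc/stunnel/stunnel-client.conf "/home/$MY_USERNAME/stunnel-client.conf"
        # a quoted "stunnel*" is a literal filename, not a glob; name the
        # file so the copy does not stay owned by root
        chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/stunnel-client.conf"
    fi
}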
function vpn_generate_keys {
    # Build the OpenVPN PKI from scratch: DH parameters (via the project's
    # dhparam helper), a new CA, the server certificate, and finally the
    # admin user's client profile. Exits the script on any failure.
    # WARNING: ./clean-all empties /etc/openvpn/easy-rsa/keys, so every
    # previously issued client certificate stops working and all users
    # need new profiles after this runs. The CA private key (keys/ca.key)
    # remains in that directory, which backup_local_vpn/backup_remote_vpn
    # copy out - the backups therefore contain the CA key.
    # generate host keys
    if [ ! -f /etc/openvpn/dh2048.pem ]; then
        "${PROJECT_NAME}-dhparam" -o /etc/openvpn/dh2048.pem
    fi
    if [ ! -f /etc/openvpn/dh2048.pem ]; then
        echo $'vpn dhparams were not generated'
        exit 73724523
    fi
    cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
    cd /etc/openvpn/easy-rsa || exit 5628756256
    # vars exports the KEY_* settings written by install_vpn
    # shellcheck disable=SC1091
    . ./vars
    ./clean-all
    # easy-rsa 2 ships versioned openssl config templates; this one is
    # hard-wired and must exist for build-ca/build-key-server
    vpn_openssl_version='1.0.0'
    if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
        echo $"openssl-${vpn_openssl_version}.cnf was not found"
        exit 7392353
    fi
    cp openssl-${vpn_openssl_version}.cnf openssl.cnf
    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
    fi
    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
    fi
    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
    fi
    # strip the interactive prompts so the scripts run unattended
    sed -i 's| --interact||g' build-key-server
    sed -i 's| --interact||g' build-ca
    ./build-ca
    ./build-key-server ${OPENVPN_SERVER_NAME}
    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
        echo $'OpenVPN crt not found'
        exit 7823352
    fi
    # an empty/near-empty file means openssl failed without removing it
    server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
    if [ ${#server_cert} -lt 10 ]; then
        cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
        echo $'Server cert generation failed'
        exit 3284682
    fi
    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
        echo $'OpenVPN key not found'
        exit 6839436
    fi
    if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
        echo $'OpenVPN ca not found'
        exit 7935203
    fi
    # the server config (install_vpn) expects these three under /etc/openvpn
    cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
    create_user_vpn_key "${MY_USERNAME}"
}
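function install_vpn {
    # Install OpenVPN (TCP on 1194, reached only through the stunnel TLS
    # wrapper set up by install_stunnel) and easy-rsa, generate the
    # CA/server/admin keys, open the firewall and enable IP forwarding.
    # With $rootdir set (mesh image build) packages and config go into the
    # chroot, no keys are generated, nothing is started and the mesh TLS
    # port is used.
    prefix=
    prefixchroot=
    if [ "$rootdir" ]; then
        prefix=$rootdir
        prefixchroot="chroot $rootdir"
        VPN_TLS_PORT=$VPN_MESH_TLS_PORT
    fi
    $prefixchroot apt-get -yq install fastd openvpn easy-rsa

    # unprivileged account the OpenVPN daemon drops to after start-up
    $prefixchroot groupadd vpn
    $prefixchroot useradd -r -s /bin/false -g vpn vpn
    # server configuration
    # NOTE(review): no "cipher"/"auth" directive is set, so both sides use
    # the defaults of the installed OpenVPN version, and "comp-lzo" turns
    # on compression, which is generally advised against for VPNs because
    # it can leak tunnelled secrets. Either change must be mirrored in the
    # client profile written by create_user_vpn_key.
    { echo 'port 1194';
      echo 'proto tcp';
      echo 'dev tun';
      echo 'tun-mtu 1500';
      echo 'tun-mtu-extra 32';
      echo 'mssfix 1450';
      echo 'ca /etc/openvpn/ca.crt';
      echo 'cert /etc/openvpn/server.crt';
      echo 'key /etc/openvpn/server.key';
      echo 'dh /etc/openvpn/dh2048.pem';
      echo 'server 10.8.0.0 255.255.255.0';
      echo 'push "redirect-gateway def1 bypass-dhcp"';
      # clients are pointed at these third-party resolvers while connected
      echo "push \"dhcp-option DNS 91.239.100.100\"";
      echo "push \"dhcp-option DNS 89.233.43.71\"";
      echo 'keepalive 5 30';
      echo 'comp-lzo';
      # persist-key/persist-tun keep key and tun device across restarts
      # once privileges have been dropped to the vpn account created above
      echo 'persist-key';
      echo 'persist-tun';
      echo 'user vpn';
      echo 'group vpn';
      echo 'status /dev/null';
      echo 'verb 3';
      echo ''; } > "$prefix/etc/openvpn/server.conf"
    if [ ! "$prefix" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' "$prefix/etc/sysctl.conf"
    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' "$prefix/etc/sysctl.conf"
    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' "$prefix/etc/sysctl.conf"

    cp -r "$prefix/usr/share/easy-rsa/" "$prefix/etc/openvpn"
    if [ ! -d "$prefix/etc/openvpn/easy-rsa/keys" ]; then
        mkdir "$prefix/etc/openvpn/easy-rsa/keys"
    fi
    # keys configuration: subject fields for the OpenVPN CA and certs
    # (fixed placeholders; the VPN_* variables at the top of the file only
    # feed the stunnel certificate)
    sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" "$prefix/etc/openvpn/easy-rsa/vars"
    sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" "$prefix/etc/openvpn/easy-rsa/vars"
    sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" "$prefix/etc/openvpn/easy-rsa/vars"
    sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" "$prefix/etc/openvpn/easy-rsa/vars"
    sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" "$prefix/etc/openvpn/easy-rsa/vars"
    sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" "$prefix/etc/openvpn/easy-rsa/vars"
    sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" "$prefix/etc/openvpn/easy-rsa/vars"
    if [ ! "$prefix" ]; then
        vpn_generate_keys
        firewall_enable_vpn
        # 443 is already open for the web server; only other ports get an entry
        if [ "${VPN_TLS_PORT}" -ne 443 ]; then
            firewall_add VPN-TLS "${VPN_TLS_PORT}" tcp
        fi
        systemctl start openvpn
    fi

    install_stunnel
    if [ ! "$prefix" ]; then
        systemctl restart openvpn
    fi
    APP_INSTALLED=1
}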
# NOTE: deliberately there is no "exit 0"