free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
freedomboneeee/src/freedombone-app-vpn

735 lines
27 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# VPN functions
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
# http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php
#
# License
# =======
#
# Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
VARIANTS='full full-vim'
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=0
OPENVPN_SERVER_NAME="server"
OPENVPN_KEY_FILENAME='client.ovpn'
VPN_COUNTRY_CODE="US"
VPN_AREA="Apparent Free Speech Zone"
VPN_LOCATION="Freedomville"
VPN_ORGANISATION="Freedombone"
VPN_UNIT="Freedombone Unit"
STUNNEL_PORT=3439
VPN_TLS_PORT=553
VPN_MESH_TLS_PORT=653
vpn_variables=(MY_EMAIL_ADDRESS
DEFAULT_DOMAIN_NAME
MY_USERNAME
VPN_COUNTRY_CODE
VPN_AREA
VPN_LOCATION
VPN_ORGANISATION
VPN_UNIT
VPN_TLS_PORT)
function logging_on_vpn {
if [ ! -f /etc/openvpn/server.conf ]; then
return
fi
sed -i 's|status .*|status /var/log/openvpn.log|g' /etc/openvpn/server.conf
systemctl restart openvpn
}
function logging_off_vpn {
if [ ! -f /etc/openvpn/server.conf ]; then
return
fi
sed -i 's|status .*|status /dev/null|g' /etc/openvpn/server.conf
systemctl restart openvpn
}
function install_interactive_vpn {
read_config_param VPN_TLS_PORT
if [ ! $VPN_TLS_PORT ]; then
VPN_TLS_PORT=553
fi
VPN_DETAILS_COMPLETE=
while [ ! $VPN_DETAILS_COMPLETE ]
do
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')
if [ $currtlsport ]; then
VPN_TLS_PORT=$currtlsport
fi
dialog --backtitle $"Freedombone Configuration" \
--title $"VPN Configuration" \
--form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
$"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \
2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
tlsport=$(cat $data | sed -n 1p)
if [ ${#tlsport} -gt 1 ]; then
if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then
VPN_TLS_PORT="$tlsport"
VPN_DETAILS_COMPLETE="yes"
write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
fi
fi
done
clear
APP_INSTALLED=1
}
function vpn_change_tls_port {
if ! grep -q "VPN-TLS" $FIREWALL_CONFIG; then
EXISTING_VPN_TLS_PORT=443
else
EXISTING_VPN_TLS_PORT=$(cat $FIREWALL_CONFIG | grep "VPN-TLS" | awk -F '=' '{print $2}')
fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"VPN Configuration" \
--backtitle $"Freedombone Control Panel" \
--inputbox $'Change TLS port' 10 50 $EXISTING_VPN_TLS_PORT 2>$data
sel=$?
case $sel in
0)
tlsport=$(<$data)
if [ ${#tlsport} -gt 0 ]; then
if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
clear
VPN_TLS_PORT=$tlsport
write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
sed -i "s|connect =.*|connect = :$VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/stunnel-client.conf ]; then
cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf
fi
done
if [ $VPN_TLS_PORT -eq 443 ]; then
if [[ "$PREVIOUS_VPN_TLS_PORT" != "443" ]]; then
firewall_remove VPN-TLS ${EXISTING_VPN_TLS_PORT}
fi
systemctl stop nginx
systemctl disable nginx
else
if [[ "$PREVIOUS_VPN_TLS_PORT" != "$VPN_TLS_PORT" ]]; then
firewall_remove VPN-TLS ${EXISTING_VPN_TLS_PORT}
firewall_add VPN-TLS ${VPN_TLS_PORT} tcp
fi
systemctl enable nginx
systemctl restart nginx
fi
systemctl restart stunnel
if [ $VPN_TLS_PORT -eq 443 ]; then
dialog --title $"VPN Configuration" \
--msgbox $"TLS port changed to ${VPN_TLS_PORT}. Forward this port from your internet router." 10 60
else
dialog --title $"VPN Configuration" \
--msgbox $"TLS port changed to ${VPN_TLS_PORT}. Forward this port from your internet router." 10 60
fi
fi
fi
;;
esac
}
function vpn_regenerate_client_keys {
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Regenerate VPN keys for a user" \
--backtitle $"Freedombone Control Panel" \
--inputbox $'username' 10 50 2>$data
sel=$?
case $sel in
0)
USERNAME=$(<$data)
if [ ${#USERNAME} -gt 0 ]; then
if [ -d /home/$USERNAME ]; then
clear
create_user_vpn_key $USERNAME
dialog --title $"Regenerate VPN keys for a user" \
--msgbox $"VPN keys were regenerated for $USERNAME" 6 60
fi
fi
;;
esac
}
function configure_interactive_vpn {
read_config_param VPN_TLS_PORT
while true
do
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Control Panel" \
--title $"VPN Configuration" \
--radiolist $"Choose an operation:" 13 70 3 \
1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
2 $"Regenerate keys for a user" off \
3 $"Exit" on 2> $data
sel=$?
case $sel in
1) return;;
255) return;;
esac
case $(cat $data) in
1) vpn_change_tls_port;;
2) vpn_regenerate_client_keys;;
3) break;;
esac
done
}
function reconfigure_vpn {
echo -n ''
}
function upgrade_vpn {
echo -n ''
}
function backup_local_vpn {
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
fi
done
function_check backup_directory_to_usb
backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn
backup_directory_to_usb /etc/stunnel vpnstunnel
}
function restore_local_vpn {
temp_restore_dir=/root/tempvpn
restore_directory_from_usb $temp_restore_dir vpn
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
cp -r ${temp_restore_dir}/dh* /etc/openvpn/
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
fi
done
fi
temp_restore_dir=/root/tempvpnstunnel
restore_directory_from_usb $temp_restore_dir vpnstunnel
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/stunnel
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/stunnel.pem ]; then
cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
fi
if [ -f /home/$USERNAME/stunnel.p12 ]; then
cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
fi
done
fi
}
function backup_remote_vpn {
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
fi
done
function_check backup_directory_to_friend
backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
backup_directory_to_friend /etc/stunnel vpnstunnel
}
function restore_remote_vpn {
temp_restore_dir=/root/tempvpn
restore_directory_from_friend $temp_restore_dir vpn
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
cp -r ${temp_restore_dir}/dh* /etc/openvpn/
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
fi
done
fi
temp_restore_dir=/root/tempvpnstunnel
restore_directory_from_friend $temp_restore_dir vpnstunnel
if [ -d ${temp_restore_dir} ]; then
cp -r ${temp_restore_dir}/* /etc/stunnel
rm -rf ${temp_restore_dir}
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/stunnel.pem ]; then
cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
fi
if [ -f /home/$USERNAME/stunnel.p12 ]; then
cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
fi
done
fi
}
function remove_vpn {
systemctl stop stunnel
systemctl disable stunnel
rm /etc/systemd/system/stunnel.service
systemctl stop openvpn
if [ $VPN_TLS_PORT -ne 443 ]; then
firewall_remove VPN-TLS $VPN_TLS_PORT
else
systemctl enable nginx
systemctl restart nginx
fi
apt-get -yq remove --purge fastd openvpn easy-rsa
apt-get -yq remove stunnel4
if [ -d /etc/openvpn ]; then
rm -rf /etc/openvpn
fi
firewall_disable_vpn
echo 0 > /proc/sys/net/ipv4/ip_forward
sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
remove_completion_param install_vpn
# remove any client keys
for d in /home/*/ ; do
USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME
fi
rm /home/$USERNAME/stunnel*
done
userdel -f vpn
groupdel -f vpn
if [ -d /etc/stunnel ]; then
rm -rf /etc/stunnel
fi
}
function create_user_vpn_key {
username=$1
if [ ! -d /home/$username ]; then
return
fi
echo $"Creating VPN key for $username"
cd /etc/openvpn/easy-rsa
if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
rm /etc/openvpn/easy-rsa/keys/$username.crt
fi
if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
rm /etc/openvpn/easy-rsa/keys/$username.key
fi
if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
rm /etc/openvpn/easy-rsa/keys/$username.csr
fi
sed -i 's| --interact||g' build-key
./build-key "$username"
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
echo $'VPN user cert not generated'
exit 783528
fi
user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
if [ ${#user_cert} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/$username.crt
echo $'User cert generation failed'
exit 634659
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
echo $'VPN user key not generated'
exit 682523
fi
user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
if [ ${#user_key} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/$username.key
echo $'User key generation failed'
exit 285838
fi
user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
echo 'client' > $user_vpn_cert_file
echo 'dev tun' >> $user_vpn_cert_file
echo 'proto tcp' >> $user_vpn_cert_file
echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
echo 'resolv-retry infinite' >> $user_vpn_cert_file
echo 'nobind' >> $user_vpn_cert_file
echo 'tun-mtu 1500' >> $user_vpn_cert_file
echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
echo 'mssfix 1450' >> $user_vpn_cert_file
echo 'persist-key' >> $user_vpn_cert_file
echo 'persist-tun' >> $user_vpn_cert_file
echo 'auth-nocache' >> $user_vpn_cert_file
echo 'remote-cert-tls server' >> $user_vpn_cert_file
echo 'comp-lzo' >> $user_vpn_cert_file
echo 'verb 3' >> $user_vpn_cert_file
echo '' >> $user_vpn_cert_file
echo '<ca>' >> $user_vpn_cert_file
cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
echo '</ca>' >> $user_vpn_cert_file
echo '<cert>' >> $user_vpn_cert_file
cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
echo '</cert>' >> $user_vpn_cert_file
echo '<key>' >> $user_vpn_cert_file
cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
echo '</key>' >> $user_vpn_cert_file
chown $username:$username $user_vpn_cert_file
# keep a backup
cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
#rm /etc/openvpn/easy-rsa/keys/$username.crt
#rm /etc/openvpn/easy-rsa/keys/$username.csr
shred -zu /etc/openvpn/easy-rsa/keys/$username.key
echo $"VPN key created at $user_vpn_cert_file"
}
function add_user_vpn {
new_username="$1"
new_user_password="$2"
create_user_vpn_key $new_username
if [ -f /etc/stunnel/stunnel.pem ]; then
cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem
chown $new_username:$new_username /home/$new_username/stunnel.pem
fi
if [ -f /etc/stunnel/stunnel.p12 ]; then
cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12
chown $new_username:$new_username /home/$new_username/stunnel.p12
fi
cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf
chown $new_username:$new_username /home/$new_username/stunnel-client.conf
}
function remove_user_vpn {
new_username="$1"
}
function mesh_setup_vpn {
vpn_generate_keys
if [ -d /home/fbone ]; then
cp /etc/stunnel/stunnel-client.conf /home/fbone/stunnel-client.conf
chown fbone:fbone /home/fbone/stunnel*
fi
generate_stunnel_keys
systemctl restart openvpn
}
function generate_stunnel_keys {
openssl req -x509 -nodes -days 3650 -sha256 \
-subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
-newkey rsa:2048 -keyout /etc/stunnel/key.pem \
-out /etc/stunnel/cert.pem
if [ ! -f /etc/stunnel/key.pem ]; then
echo $'stunnel key not created'
exit 793530
fi
if [ ! -f /etc/stunnel/cert.pem ]; then
echo $'stunnel cert not created'
exit 204587
fi
chmod 400 /etc/stunnel/key.pem
chmod 640 /etc/stunnel/cert.pem
cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
chmod 640 /etc/stunnel/stunnel.pem
openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
if [ ! -f /etc/stunnel/stunnel.p12 ]; then
echo $'stunnel pkcs12 not created'
exit 639353
fi
chmod 640 /etc/stunnel/stunnel.p12
cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
}
function install_stunnel {
prefix=
prefixchroot=
if [ $rootdir ]; then
prefix=$rootdir
prefixchroot="chroot $rootdir"
VPN_TLS_PORT=$VPN_MESH_TLS_PORT
fi
$prefixchroot apt-get -yq install stunnel4
if [ ! $prefix ]; then
cd /etc/stunnel
generate_stunnel_keys
fi
echo 'chroot = /var/lib/stunnel4' > $prefix/etc/stunnel/stunnel.conf
echo 'pid = /stunnel4.pid' >> $prefix/etc/stunnel/stunnel.conf
echo 'setuid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf
echo 'setgid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf
echo 'socket = l:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf
echo 'socket = r:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf
echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf
echo '[openvpn]' >> $prefix/etc/stunnel/stunnel.conf
echo "accept = $VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel.conf
echo 'connect = localhost:1194' >> $prefix/etc/stunnel/stunnel.conf
echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf
echo 'protocol = socks' >> $prefix/etc/stunnel/stunnel.conf
sed -i 's|ENABLED=.*|ENABLED=1|g' $prefix/etc/default/stunnel4
echo '[openvpn]' > $prefix/etc/stunnel/stunnel-client.conf
echo 'client = yes' >> $prefix/etc/stunnel/stunnel-client.conf
echo "accept = $STUNNEL_PORT" >> $prefix/etc/stunnel/stunnel-client.conf
echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel-client.conf
echo 'cert = stunnel.pem' >> $prefix/etc/stunnel/stunnel-client.conf
echo 'protocol = socks' >> $prefix/etc/stunnel/stunnel-client.conf
echo '[Unit]' > $prefix/etc/systemd/system/stunnel.service
echo 'Description=SSL tunnel for network daemons' >> $prefix/etc/systemd/system/stunnel.service
echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> $prefix/etc/systemd/system/stunnel.service
echo 'DefaultDependencies=no' >> $prefix/etc/systemd/system/stunnel.service
echo 'After=network.target' >> $prefix/etc/systemd/system/stunnel.service
echo 'After=syslog.target' >> $prefix/etc/systemd/system/stunnel.service
echo '' >> $prefix/etc/systemd/system/stunnel.service
echo '[Install]' >> $prefix/etc/systemd/system/stunnel.service
echo 'WantedBy=multi-user.target' >> $prefix/etc/systemd/system/stunnel.service
echo 'Alias=stunnel.target' >> $prefix/etc/systemd/system/stunnel.service
echo '' >> $prefix/etc/systemd/system/stunnel.service
echo '[Service]' >> $prefix/etc/systemd/system/stunnel.service
echo 'Type=forking' >> $prefix/etc/systemd/system/stunnel.service
echo 'RuntimeDirectory=stunnel' >> $prefix/etc/systemd/system/stunnel.service
echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service
echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service
echo 'ExecStop=/usr/bin/killall -9 stunnel' >> $prefix/etc/systemd/system/stunnel.service
echo 'RemainAfterExit=yes' >> $prefix/etc/systemd/system/stunnel.service
if [ ! $prefix ]; then
if [ $VPN_TLS_PORT -eq 443 ]; then
systemctl stop nginx
systemctl disable nginx
else
systemctl enable nginx
systemctl restart nginx
fi
systemctl enable stunnel
systemctl daemon-reload
systemctl start stunnel
cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
fi
}
function vpn_generate_keys {
# generate host keys
if [ ! -f /etc/openvpn/dh2048.pem ]; then
${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
fi
if [ ! -f /etc/openvpn/dh2048.pem ]; then
echo $'vpn dhparams were not generated'
exit 73724523
fi
cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
vpn_openssl_version='1.0.0'
if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
echo $"openssl-${vpn_openssl_version}.cnf was not found"
exit 7392353
fi
cp openssl-${vpn_openssl_version}.cnf openssl.cnf
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
fi
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
fi
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
fi
sed -i 's| --interact||g' build-key-server
sed -i 's| --interact||g' build-ca
./build-ca
./build-key-server ${OPENVPN_SERVER_NAME}
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
echo $'OpenVPN crt not found'
exit 7823352
fi
server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
if [ ${#server_cert} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
echo $'Server cert generation failed'
exit 3284682
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
echo $'OpenVPN key not found'
exit 6839436
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
echo $'OpenVPN ca not found'
exit 7935203
fi
cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
create_user_vpn_key ${MY_USERNAME}
}
function install_vpn {
prefix=
prefixchroot=
if [ $rootdir ]; then
prefix=$rootdir
prefixchroot="chroot $rootdir"
VPN_TLS_PORT=$VPN_MESH_TLS_PORT
fi
$prefixchroot apt-get -yq install fastd openvpn easy-rsa
$prefixchroot groupadd vpn
$prefixchroot useradd -r -s /bin/false -g vpn vpn
# server configuration
echo 'port 1194' > $prefix/etc/openvpn/server.conf
echo 'proto tcp' >> $prefix/etc/openvpn/server.conf
echo 'dev tun' >> $prefix/etc/openvpn/server.conf
echo 'tun-mtu 1500' >> $prefix/etc/openvpn/server.conf
echo 'tun-mtu-extra 32' >> $prefix/etc/openvpn/server.conf
echo 'mssfix 1450' >> $prefix/etc/openvpn/server.conf
echo 'ca /etc/openvpn/ca.crt' >> $prefix/etc/openvpn/server.conf
echo 'cert /etc/openvpn/server.crt' >> $prefix/etc/openvpn/server.conf
echo 'key /etc/openvpn/server.key' >> $prefix/etc/openvpn/server.conf
echo 'dh /etc/openvpn/dh2048.pem' >> $prefix/etc/openvpn/server.conf
echo 'server 10.8.0.0 255.255.255.0' >> $prefix/etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> $prefix/etc/openvpn/server.conf
echo "push \"dhcp-option DNS 85.214.73.63\"" >> $prefix/etc/openvpn/server.conf
echo "push \"dhcp-option DNS 213.73.91.35\"" >> $prefix/etc/openvpn/server.conf
echo 'keepalive 5 30' >> $prefix/etc/openvpn/server.conf
echo 'comp-lzo' >> $prefix/etc/openvpn/server.conf
echo 'persist-key' >> $prefix/etc/openvpn/server.conf
echo 'persist-tun' >> $prefix/etc/openvpn/server.conf
echo 'status /dev/null' >> $prefix/etc/openvpn/server.conf
echo 'verb 3' >> $prefix/etc/openvpn/server.conf
echo '' >> $prefix/etc/openvpn/server.conf
if [ ! $prefix ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
fi
sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf
sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf
sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' $prefix/etc/sysctl.conf
cp -r $prefix/usr/share/easy-rsa/ $prefix/etc/openvpn
if [ ! -d $prefix/etc/openvpn/easy-rsa/keys ]; then
mkdir $prefix/etc/openvpn/easy-rsa/keys
fi
# keys configuration
sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" $prefix/etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" $prefix/etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" $prefix/etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" $prefix/etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" $prefix/etc/openvpn/easy-rsa/vars
sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars
if [ ! $prefix ]; then
vpn_generate_keys
firewall_enable_vpn
if [ ${VPN_TLS_PORT} -ne 443 ]; then
firewall_add VPN-TLS ${VPN_TLS_PORT} tcp
fi
systemctl start openvpn
fi
install_stunnel
if [ ! $prefix ]; then
systemctl restart openvpn
fi
APP_INSTALLED=1
}
# NOTE: deliberately there is no "exit 0"
Reference in New Issue View Git Blame Copy Permalink