first commit
This commit is contained in:
commit
c83dabc861
|
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
#Downloads the config file for the client.
|
||||
|
||||
eval `echo "${QUERY_STRING}"|tr '&' ';'`
|
||||
client=$(echo $client | tr -d '\r')
|
||||
echo "Content-type: text/plain"
|
||||
echo "Content-Disposition: attachment; filename=\"$client.ovpn\""
|
||||
echo ""
|
||||
while read c; do
|
||||
echo $c
|
||||
done </etc/openvpn/clients/$client.ovpn
|
||||
exit 0
|
Binary file not shown.
After Width: | Height: | Size: 8.6 KiB |
Binary file not shown.
After Width: | Height: | Size: 12 KiB |
Binary file not shown.
After Width: | Height: | Size: 18 KiB |
|
@ -0,0 +1,82 @@
|
|||
#!/bin/bash
|
||||
|
||||
#The admin interface for OpenVPN
|
||||
|
||||
echo "Content-type: text/html"
|
||||
echo ""
|
||||
echo "<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<title>Simple OpenVPN Server</title>
|
||||
</head>
|
||||
<body>"
|
||||
|
||||
echo "<h1>Simple OpenVPN Server</h1>"
|
||||
|
||||
eval `echo "${QUERY_STRING}"|tr '&' ';'`
|
||||
|
||||
IP=$(wget -4qO- "http://whatismyip.akamai.com/")
|
||||
|
||||
newclient () {
|
||||
# Generates the custom client.ovpn
|
||||
cp /etc/openvpn/client-common.txt /etc/openvpn/clients/$1.ovpn
|
||||
echo "<ca>" >> /etc/openvpn/clients/$1.ovpn
|
||||
cat /etc/openvpn/easy-rsa/pki/ca.crt >> /etc/openvpn/clients/$1.ovpn
|
||||
echo "</ca>" >> /etc/openvpn/clients/$1.ovpn
|
||||
echo "<cert>" >> /etc/openvpn/clients/$1.ovpn
|
||||
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> /etc/openvpn/clients/$1.ovpn
|
||||
echo "</cert>" >> /etc/openvpn/clients/$1.ovpn
|
||||
echo "<key>" >> /etc/openvpn/clients/$1.ovpn
|
||||
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> /etc/openvpn/clients/$1.ovpn
|
||||
echo "</key>" >> /etc/openvpn/clients/$1.ovpn
|
||||
echo "<tls-auth>" >> /etc/openvpn/clients/$1.ovpn
|
||||
cat /etc/openvpn/ta.key >> /etc/openvpn/clients/$1.ovpn
|
||||
echo "</tls-auth>" >> /etc/openvpn/clients/$1.ovpn
|
||||
}
|
||||
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
|
||||
case $option in
|
||||
"add") #Add a client
|
||||
./easyrsa build-client-full $client nopass
|
||||
# Generates the custom client.ovpn
|
||||
newclient "$client"
|
||||
echo "<h3>Certificate for client <span style='color:red'>$client</span> added.</h3>"
|
||||
;;
|
||||
"revoke") #Revoke a client
|
||||
echo "<span style='display:none'>"
|
||||
./easyrsa --batch revoke $client
|
||||
./easyrsa gen-crl
|
||||
echo "</span>"
|
||||
rm -rf pki/reqs/$client.req
|
||||
rm -rf pki/private/$client.key
|
||||
rm -rf pki/issued/$client.crt
|
||||
rm -rf /etc/openvpn/crl.pem
|
||||
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
|
||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||
echo "<h3>Certificate for client <span style='color:red'>$client</span> revoked.</h3>"
|
||||
;;
|
||||
esac
|
||||
|
||||
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
|
||||
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
|
||||
echo "<h3>You have no existing clients.<h3>"
|
||||
else
|
||||
while read c; do
|
||||
if [[ $(echo $c | grep -c "^V") = '1' ]]; then
|
||||
clientName=$(echo $c | cut -d '=' -f 2)
|
||||
echo "<p><a href='index.sh?option=revoke&client=$clientName'>Revoke</a> <a target='_blank' href='download.sh?client=$clientName'>Download</a> $clientName</p>"
|
||||
fi
|
||||
done </etc/openvpn/easy-rsa/pki/index.txt
|
||||
fi
|
||||
|
||||
echo "
|
||||
<form action='index.sh' method='get'>
|
||||
<input type='hidden' name='option' value='add'>
|
||||
New Client: <input type='text' name='client'><input type='submit' value='Add'>
|
||||
</form>
|
||||
"
|
||||
|
||||
echo "</body></html>"
|
||||
exit 0
|
|
@ -0,0 +1,21 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2017 Nyr, blaize
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
|
@ -0,0 +1,48 @@
|
|||
server.modules = (
|
||||
"mod_access",
|
||||
"mod_alias",
|
||||
"mod_compress",
|
||||
"mod_redirect",
|
||||
"mod_cgi",
|
||||
"mod_auth"
|
||||
)
|
||||
|
||||
cgi.assign = ( ".sh" => "/bin/bash" )
|
||||
|
||||
server.document-root = "/var/www/html"
|
||||
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
|
||||
server.errorlog = "/var/log/lighttpd/error.log"
|
||||
server.pid-file = "/var/run/lighttpd.pid"
|
||||
server.username = "www-data"
|
||||
server.groupname = "www-data"
|
||||
server.port = 443
|
||||
|
||||
ssl.engine = "enable"
|
||||
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"
|
||||
|
||||
|
||||
index-file.names = ("index.sh", "index.php", "index.html", "index.lighttpd.html" )
|
||||
url.access-deny = ( "~", ".inc" )
|
||||
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
|
||||
|
||||
compress.cache-dir = "/var/cache/lighttpd/compress/"
|
||||
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
|
||||
|
||||
# default listening port for IPv6 falls back to the IPv4 port
|
||||
## Use ipv6 if available
|
||||
#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
|
||||
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
|
||||
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"
|
||||
|
||||
auth.debug = 2
|
||||
auth.backend = "plain"
|
||||
auth.backend.plain.userfile = "/etc/lighttpd/.lighttpdpassword"
|
||||
|
||||
auth.require = ( "/" =>
|
||||
(
|
||||
"method" => "basic",
|
||||
"realm" => "Password protected area",
|
||||
"require" => "user=admin"
|
||||
)
|
||||
)
|
||||
|
|
@ -0,0 +1,234 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"adminUsername": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Username for the Virtual Machine."
|
||||
}
|
||||
},
|
||||
"adminPassword": {
|
||||
"type": "securestring",
|
||||
"metadata": {
|
||||
"description": "Password for the Virtual Machine."
|
||||
}
|
||||
},
|
||||
"dnsNameForPublicIP": {
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Unique DNS Name for the Public IP used to access the Virtual Machine."
|
||||
}
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"storageAccountName": "[concat(uniquestring(resourceGroup().id),'storage')]",
|
||||
"imagePublisher": "Canonical",
|
||||
"imageOffer": "UbuntuServer",
|
||||
"OSDiskName": "openvpn-vhd",
|
||||
"imageSKU": "16.04.0-LTS",
|
||||
"nicName": "openvpnNic",
|
||||
"addressPrefix": "10.0.0.0/16",
|
||||
"subnetName": "openvpnSubnet",
|
||||
"subnetPrefix": "10.0.0.0/24",
|
||||
"storageAccountType": "Standard_LRS",
|
||||
"publicIPAddressName": "openvpnPublicIP",
|
||||
"publicIPAddressType": "Dynamic",
|
||||
"vmStorageAccountContainerName": "vhds",
|
||||
"vmName": "openvpnVM",
|
||||
"vmSize": "Basic_A0",
|
||||
"virtualNetworkName": "openvpnVNET",
|
||||
"vnetID": "[resourceId('Microsoft.Network/virtualNetworks',variables('virtualNetworkName'))]",
|
||||
"subnetRef": "[concat(variables('vnetID'),'/subnets/',variables('subnetName'))]",
|
||||
"apiVersion": "2015-06-15"
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"type": "Microsoft.Storage/storageAccounts",
|
||||
"name": "[variables('storageAccountName')]",
|
||||
"apiVersion": "[variables('apiVersion')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"accountType": "[variables('storageAccountType')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"apiVersion": "[variables('apiVersion')]",
|
||||
"type": "Microsoft.Network/publicIPAddresses",
|
||||
"name": "[variables('publicIPAddressName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"publicIPAllocationMethod": "[variables('publicIPAddressType')]",
|
||||
"dnsSettings": {
|
||||
"domainNameLabel": "[parameters('dnsNameForPublicIP')]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"apiVersion": "[variables('apiVersion')]",
|
||||
"type": "Microsoft.Network/virtualNetworks",
|
||||
"name": "[variables('virtualNetworkName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"addressSpace": {
|
||||
"addressPrefixes": [
|
||||
"[variables('addressPrefix')]"
|
||||
]
|
||||
},
|
||||
"subnets": [
|
||||
{
|
||||
"name": "[variables('subnetName')]",
|
||||
"properties": {
|
||||
"addressPrefix": "[variables('subnetPrefix')]"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"apiVersion": "[variables('apiVersion')]",
|
||||
"type": "Microsoft.Network/networkInterfaces",
|
||||
"name": "[variables('nicName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.Network/publicIPAddresses/', variables('publicIPAddressName'))]",
|
||||
"[concat('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]",
|
||||
"[concat('Microsoft.Network/networkSecurityGroups/', 'openvpn-nsg')]"
|
||||
],
|
||||
"properties": {
|
||||
"ipConfigurations": [
|
||||
{
|
||||
"name": "ipconfig1",
|
||||
"properties": {
|
||||
"privateIPAllocationMethod": "Dynamic",
|
||||
"publicIPAddress": {
|
||||
"id": "[resourceId('Microsoft.Network/publicIPAddresses',variables('publicIPAddressName'))]"
|
||||
},
|
||||
"subnet": {
|
||||
"id": "[variables('subnetRef')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "['openvpn-nsg']",
|
||||
"type": "Microsoft.Network/networkSecurityGroups",
|
||||
"apiVersion": "2016-09-01",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"securityRules": [
|
||||
{
|
||||
"name": "default-allow-ssh",
|
||||
"properties": {
|
||||
"priority": 1000,
|
||||
"sourceAddressPrefix": "*",
|
||||
"protocol": "TCP",
|
||||
"destinationPortRange": "22",
|
||||
"access": "Allow",
|
||||
"direction": "Inbound",
|
||||
"sourcePortRange": "*",
|
||||
"destinationAddressPrefix": "*"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "default-allow-openvpn",
|
||||
"properties": {
|
||||
"priority": 1100,
|
||||
"sourceAddressPrefix": "*",
|
||||
"protocol": "UDP",
|
||||
"destinationPortRange": "1194",
|
||||
"access": "Allow",
|
||||
"direction": "Inbound",
|
||||
"sourcePortRange": "*",
|
||||
"destinationAddressPrefix": "*"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "default-allow-https",
|
||||
"properties": {
|
||||
"priority": 1200,
|
||||
"sourceAddressPrefix": "*",
|
||||
"protocol": "UDP",
|
||||
"destinationPortRange": "443",
|
||||
"access": "Allow",
|
||||
"direction": "Inbound",
|
||||
"sourcePortRange": "*",
|
||||
"destinationAddressPrefix": "*"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Compute/virtualMachines/extensions",
|
||||
"name": "[concat(variables('vmName'),'/', 'openvpn-setup')]",
|
||||
"apiVersion": "['2015-06-15']",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"publisher": "Microsoft.Azure.Extensions",
|
||||
"type": "CustomScript",
|
||||
"typeHandlerVersion": "2.0",
|
||||
"autoUpgradeMinorVersion": true,
|
||||
"settings": {
|
||||
"fileUris": "[split('https://raw.githubusercontent.com/theonemule/simple-openvpn-server/master/openvpn.sh', ' ')]",
|
||||
"commandToExecute": "[concat('bash openvpn.sh --host=', parameters('dnsNameForPublicIP'), '.', resourceGroup().location, '.cloudapp.azure.com --adminpassword=', parameters('adminPassword'))]"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"apiVersion": "2016-04-30-preview",
|
||||
"type": "Microsoft.Compute/virtualMachines",
|
||||
"name": "[variables('vmName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"dependsOn": [
|
||||
"[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]",
|
||||
"[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"hardwareProfile": {
|
||||
"vmSize": "[variables('vmSize')]"
|
||||
},
|
||||
"osProfile": {
|
||||
"computerName": "[variables('vmName')]",
|
||||
"adminUsername": "[parameters('adminUsername')]",
|
||||
"adminPassword": "[parameters('adminPassword')]"
|
||||
},
|
||||
"storageProfile": {
|
||||
"imageReference": {
|
||||
"publisher": "[variables('imagePublisher')]",
|
||||
"offer": "[variables('imageOffer')]",
|
||||
"sku": "[variables('imageSKU')]",
|
||||
"version": "latest"
|
||||
},
|
||||
"osDisk": {
|
||||
"createOption": "FromImage"
|
||||
}
|
||||
},
|
||||
"networkProfile": {
|
||||
"networkInterfaces": [
|
||||
{
|
||||
"id": "[resourceId('Microsoft.Network/networkInterfaces',variables('nicName'))]"
|
||||
}
|
||||
]
|
||||
},
|
||||
"diagnosticsProfile": {
|
||||
"bootDiagnostics": {
|
||||
"enabled": "true",
|
||||
"storageUri": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), variables('apiVersion')).primaryEndpoints.blob)]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {
|
||||
"httpSite": {
|
||||
"type": "string",
|
||||
"value": "[concat('Browse to: ', parameters('dnsNameForPublicIP'), '.', resourceGroup().location, '.cloudapp.azure.com and logon with u:admin p:', parameters('adminPassword'))]"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,281 @@
|
|||
#!/bin/bash
|
||||
|
||||
|
||||
ADMINPASSWORD="password"
|
||||
DNS1="8.8.8.8"
|
||||
DNS2="8.8.4.4"
|
||||
PROTOCOL=udp
|
||||
PORT=1194
|
||||
HOST=$(wget -4qO- "http://whatismyip.akamai.com/")
|
||||
|
||||
|
||||
for i in "$@"
|
||||
do
|
||||
case $i in
|
||||
--adminpassword=*)
|
||||
ADMINPASSWORD="${i#*=}"
|
||||
;;
|
||||
--dns1=*)
|
||||
DNS1="${i#*=}"
|
||||
;;
|
||||
--dns2=*)
|
||||
DNS2="${i#*=}"
|
||||
;;
|
||||
--vpnport=*)
|
||||
PORT="${i#*=}"
|
||||
;;
|
||||
--protocol=*)
|
||||
PROTOCOL="${i#*=}"
|
||||
;;
|
||||
--host=*)
|
||||
HOST="${i#*=}"
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
|
||||
# Detect Debian users running the script with "sh" instead of bash
|
||||
if readlink /proc/$$/exe | grep -qs "dash"; then
|
||||
echo "This script needs to be run with bash, not sh"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ "$EUID" -ne 0 ]]; then
|
||||
echo "Sorry, you need to run this as root"
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [[ ! -e /dev/net/tun ]]; then
|
||||
echo "The TUN device is not available. You need to enable TUN before running this script."
|
||||
exit 3
|
||||
fi
|
||||
|
||||
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
|
||||
echo "CentOS 5 is too old and not supported"
|
||||
exit 4
|
||||
fi
|
||||
|
||||
if [[ -e /etc/debian_version ]]; then
|
||||
OS=debian
|
||||
GROUPNAME=nogroup
|
||||
RCLOCAL='/etc/rc.local'
|
||||
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
|
||||
OS=centos
|
||||
GROUPNAME=nobody
|
||||
RCLOCAL='/etc/rc.d/rc.local'
|
||||
else
|
||||
echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
|
||||
exit 5
|
||||
fi
|
||||
|
||||
# Try to get our IP from the system and fallback to the Internet.
|
||||
|
||||
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
|
||||
if [[ "$IP" = "" ]]; then
|
||||
IP=$(wget -4qO- "http://whatismyip.akamai.com/")
|
||||
fi
|
||||
|
||||
|
||||
|
||||
if [[ "$OS" = 'debian' ]]; then
|
||||
apt-get update
|
||||
apt-get install openvpn iptables openssl ca-certificates lighttpd -y
|
||||
else
|
||||
# Else, the distro is CentOS
|
||||
yum install epel-release -y
|
||||
yum install openvpn iptables openssl wget ca-certificates lighttpd -y
|
||||
fi
|
||||
|
||||
# An old version of easy-rsa was available by default in some openvpn packages
|
||||
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
|
||||
rm -rf /etc/openvpn/easy-rsa/
|
||||
fi
|
||||
# Get easy-rsa
|
||||
|
||||
wget -O ~/EasyRSA-3.0.1.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz"
|
||||
tar xzf ~/EasyRSA-3.0.1.tgz -C ~/
|
||||
mv ~/EasyRSA-3.0.1/ /etc/openvpn/
|
||||
mv /etc/openvpn/EasyRSA-3.0.1/ /etc/openvpn/easy-rsa/
|
||||
chown -R root:root /etc/openvpn/easy-rsa/
|
||||
rm -rf ~/EasyRSA-3.0.1.tgz
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
|
||||
# Create the PKI, set up the CA, the DH params and the server + client certificates
|
||||
./easyrsa init-pki
|
||||
./easyrsa --batch build-ca nopass
|
||||
./easyrsa gen-dh
|
||||
./easyrsa build-server-full server nopass
|
||||
|
||||
# ./easyrsa build-client-full $CLIENT nopass
|
||||
./easyrsa gen-crl
|
||||
|
||||
# Move the stuff we need
|
||||
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
||||
|
||||
# CRL is read with each client connection, when OpenVPN is dropped to nobody
|
||||
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
|
||||
|
||||
# Generate key for tls-auth
|
||||
openvpn --genkey --secret /etc/openvpn/ta.key
|
||||
|
||||
# Generate server.conf
|
||||
echo "port $PORT
|
||||
proto $PROTOCOL
|
||||
dev tun
|
||||
sndbuf 0
|
||||
rcvbuf 0
|
||||
ca ca.crt
|
||||
cert server.crt
|
||||
key server.key
|
||||
dh dh.pem
|
||||
tls-auth ta.key 0
|
||||
topology subnet
|
||||
server 10.8.0.0 255.255.255.0
|
||||
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
|
||||
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
|
||||
|
||||
# DNS
|
||||
echo "push \"dhcp-option DNS $DNS1\"" >> /etc/openvpn/server.conf
|
||||
echo "push \"dhcp-option DNS $DNS2\"" >> /etc/openvpn/server.conf
|
||||
echo "keepalive 10 120
|
||||
cipher AES-256-CBC
|
||||
comp-lzo
|
||||
user nobody
|
||||
group $GROUPNAME
|
||||
persist-key
|
||||
persist-tun
|
||||
status openvpn-status.log
|
||||
verb 3
|
||||
crl-verify crl.pem" >> /etc/openvpn/server.conf
|
||||
|
||||
# Enable net.ipv4.ip_forward for the system
|
||||
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
|
||||
if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
|
||||
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
|
||||
fi
|
||||
|
||||
# Avoid an unneeded reboot
|
||||
echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
if pgrep firewalld; then
|
||||
# Using both permanent and not permanent rules to avoid a firewalld
|
||||
# reload.
|
||||
# We don't use --add-service=openvpn because that would only work with
|
||||
# the default port and protocol.
|
||||
firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
|
||||
firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
|
||||
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
|
||||
# Set NAT for the VPN subnet
|
||||
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
else
|
||||
# Needed to use rc.local with some systemd distros
|
||||
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
|
||||
echo '#!/bin/sh -e
|
||||
exit 0' > $RCLOCAL
|
||||
fi
|
||||
chmod +x $RCLOCAL
|
||||
# Set NAT for the VPN subnet
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
|
||||
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
|
||||
if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
|
||||
# If iptables has at least one REJECT rule, we asume this is needed.
|
||||
# Not the best approach but I can't think of other and this shouldn't
|
||||
# cause problems.
|
||||
iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
|
||||
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
|
||||
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
|
||||
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
|
||||
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
|
||||
fi
|
||||
fi
|
||||
# If SELinux is enabled and a custom port or TCP was selected, we need this
|
||||
if hash sestatus 2>/dev/null; then
|
||||
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
|
||||
if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
|
||||
# semanage isn't available in CentOS 6 by default
|
||||
if ! hash semanage 2>/dev/null; then
|
||||
yum install policycoreutils-python -y
|
||||
fi
|
||||
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# And finally, restart OpenVPN
|
||||
if [[ "$OS" = 'debian' ]]; then
|
||||
# Little hack to check for systemd
|
||||
if pgrep systemd-journal; then
|
||||
systemctl restart openvpn@server.service
|
||||
else
|
||||
/etc/init.d/openvpn restart
|
||||
fi
|
||||
else
|
||||
if pgrep systemd-journal; then
|
||||
systemctl restart openvpn@server.service
|
||||
systemctl enable openvpn@server.service
|
||||
else
|
||||
service openvpn restart
|
||||
chkconfig openvpn on
|
||||
fi
|
||||
fi
|
||||
|
||||
# Try to detect a NATed connection and ask about it to potential LowEndSpirit users
|
||||
|
||||
|
||||
# client-common.txt is created so we have a template to add further users later
|
||||
echo "client
|
||||
dev tun
|
||||
proto $PROTOCOL
|
||||
sndbuf 0
|
||||
rcvbuf 0
|
||||
remote $HOST $PORT
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
remote-cert-tls server
|
||||
cipher AES-256-CBC
|
||||
comp-lzo
|
||||
setenv opt block-outside-dns
|
||||
key-direction 1
|
||||
verb 3" > /etc/openvpn/client-common.txt
|
||||
|
||||
# Generates the custom client.ovpn
|
||||
mkdir /etc/openvpn/clients/
|
||||
|
||||
#Setup the web server to use an self signed cert
|
||||
mkdir /etc/openvpn/clients/
|
||||
|
||||
#Set permissions for easy-rsa and open vpn to be modified by the web user.
|
||||
chown -R www-data:www-data /etc/openvpn/easy-rsa
|
||||
chown -R www-data:www-data /etc/openvpn/clients/
|
||||
chmod -R 755 /etc/openvpn/
|
||||
chmod -R 777 /etc/openvpn/crl.pem
|
||||
chmod g+s /etc/openvpn/clients/
|
||||
chmod g+s /etc/openvpn/easy-rsa/
|
||||
|
||||
#Generate a self-signed certificate for the web server
|
||||
mkdir /etc/lighttpd/ssl/
|
||||
openssl req -new -x509 -keyout /etc/lighttpd/ssl/server.pem -out /etc/lighttpd/ssl/server.pem -days 9999 -nodes -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
|
||||
chmod 744 /etc/lighttpd/ssl/server.pem
|
||||
|
||||
|
||||
#Configure the web server with the lighttpd.conf from GitHub
|
||||
mv /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.old
|
||||
wget -O /etc/lighttpd/lighttpd.conf https://raw.githubusercontent.com/theonemule/simple-openvpn-server/master/lighttpd.conf
|
||||
|
||||
#install the webserver scripts
|
||||
rm /var/www/html/*
|
||||
wget -O /var/www/html/index.sh https://raw.githubusercontent.com/theonemule/simple-openvpn-server/master/index.sh
|
||||
wget -O /var/www/html/download.sh https://raw.githubusercontent.com/theonemule/simple-openvpn-server/master/download.sh
|
||||
chown -R www-data:www-data /var/www/html/
|
||||
|
||||
#set the password file for the WWW logon
|
||||
echo "admin:$ADMINPASSWORD" >> /etc/lighttpd/.lighttpdpassword
|
||||
|
||||
#restart the web server
|
||||
service lighttpd restart
|
|
@ -0,0 +1,101 @@
|
|||
Simple OpenVPN Server
|
||||
====
|
||||
|
||||
OpenVPN is a one of the most popular VPN platforms for a lot of good reasons. It's free, open source, and there are clients for just about every platform imaginable. For these reasons, OpenVPN is the choice for organizations and individuals alike.
|
||||
|
||||
There are dedicated appliances for OpenVPN that work well for enterprises, but for smaller organizations and individuals, these are overkill. This little project grew out of a desire to create a simple, web based UI for managing OpenVPN while as well as creating a fully automated installer of the the software on a rather lower-powered Linux host, such as an entry level VM on Azure, a Virtual Private Server (VPS) or even a container.
|
||||
|
||||
A special thanks goes out to the folks behind [openvpn-install](https://github.com/Nyr/openvpn-install) for their wonderful project, which serves as an interactive installer on the command line. Much of the heavy lifting for the installer is in the script there. This project isn't technically a fork, but it does use a substantial amount of the inner workings of the script.
|
||||
|
||||
The scripts assumes that there is NOT an instance of OpenVPN already installed on the machine and that port 443 is not in use by another web server for HTTPS. Likewise, this script was built for Redhat 6+ and current Debian/Ubuntu distros.
|
||||
|
||||
|
||||
## Installing OpenVPN
|
||||
|
||||
Optionally, you can do a completely automated deployment to Azure and skip past the installation to **Managing Clients**.
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Ftheonemule%2Fsimple-openvpn-server%2Fmaster%2Fopenvpn-template.json" target="_blank"><img src="http://azuredeploy.net/deploybutton.png"/></a>
|
||||
|
||||
Otherwise, use the installer:
|
||||
|
||||
1. Pull up a terminal or SSH into the target server.
|
||||
|
||||
1. Logon as root
|
||||
|
||||
````
|
||||
sudo -i
|
||||
````
|
||||
|
||||
1. Download the installer script.
|
||||
|
||||
````
|
||||
wget https://raw.githubusercontent.com/theonemule/simple-openvpn-server/master/openvpn.sh
|
||||
````
|
||||
|
||||
1. Make the script executable
|
||||
|
||||
````
|
||||
chmod +x openvpn.sh
|
||||
````
|
||||
|
||||
1. Run the script.
|
||||
|
||||
````
|
||||
./openvpn.sh [options]
|
||||
````
|
||||
|
||||
Example:
|
||||
|
||||
````
|
||||
./openvpn.sh --adminpassword=mypassword --host=myvpn.example.com
|
||||
````
|
||||
|
||||
|
||||
There are number of options the script will accept
|
||||
|
||||
**adminpassword** -- This is the admin password for the website for managing clients. The default is **password**.
|
||||
|
||||
**dns1** -- The first dns server assigned to the clients. The default is **8.8.8.8**.
|
||||
|
||||
**dns2** -- The first dns server assigned to the clients. The default is **8.8.4.4**.
|
||||
|
||||
**vpnport** -- The port to be used by OpenVPN. 1194 may be blocked by some firewalls, so this is customizable. The default port is **1194**.
|
||||
|
||||
**protocol** -- The protocol to be used by OpenVPN. This accepts **udp** or tcp. The default is **udp**.
|
||||
|
||||
**host** -- The host name of the server. The script attempts to detect the external IP of your server if the host is not specified. ***It is highly recommended that you use a host name if your sever is not using a static IP address***. You can get a free dynamic DNS account and use a dynamic DNS updater that keeps the DNS records for your server up to date in the event that your IPa address changes.
|
||||
|
||||
1. Let the installer finish. This may take a few minutes, as the intaller generates a few keys to set up a certificate authority (CA) that is used to assign certificates to the clients.
|
||||
|
||||
1. If the server you are installing this on is behind a firewall, be sure that you forward the external ports from the firewall to the ports on the server for the VPN. Optionally, if you want to be able to manage the VPN from outside the firewall, forward a port to 443 on the VPN Server.
|
||||
|
||||
|
||||
## Managing Profiles
|
||||
|
||||
1. Once the script is complete, point your browser to **https://[your host or IP]/**, where your host or IP is the host name or IP addressed for the VPN. You may get an error about the site not being secure even though you are using https. This is because the site is using a self-esigned certificate. Simply ignore the warning.
|
||||
|
||||
1. Logon to the admin site. Use **admin** for the username and the password used for the **adminpassword** option when the installer was run. If you did not supply one, use **password**.
|
||||
|
||||
![Logon](images/logon.png)
|
||||
|
||||
1. Once logged on, enter a name for the client and click **Add**.
|
||||
|
||||
![Add a client](images/add-client.png)
|
||||
|
||||
1. Once added, you can click **Revoke** to revoke access or **Download** to download the client profile.
|
||||
|
||||
![Revoke or Download](images/download-revoke.png)
|
||||
|
||||
## Connecting to the Server
|
||||
|
||||
Once the profile is downloaded you need to configure a client:
|
||||
|
||||
* **Windows**: use [OpenVPN GUI](https://openvpn.net/index.php/open-source/downloads.html). After installing the app, copy the .ovon to the **C:\Program Files\OpenVPN\config** folder. Launch the GUI from your Start menu, then right click the icon in the Tool Tray, then click **Connect**. Disconnect by right clicking and selecting **Disconnect**.
|
||||
|
||||
* **MacOS** (OS X): use [Tunnelblick](https://tunnelblick.net/downloads.html). Download and install Tunnelblick. After downloading, double-click on the downloaded .ovpn file and import the configuration either for yourself or all users. Once imported, click the Tunnleblick icon on the menu bar and click **Connect**. Disconnect by clicking the Tunnelblick icon and selecting **Disconnect**.
|
||||
|
||||
* **Android**: use [OpenVPN Connect for Android](https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en). Download and install the app. Next, go to the admin site and create and/or download a profile. In the app, select Import from the menu, then select **Import**, then select **Import Profile from SD card**. Find the profile in your **Downloads** folder and import the profile. Once downloaded, click **Connect**. To disconnect, open the app again and select **Disconnect**.
|
||||
|
||||
* **iOS**: use [OpenVPN Connect for iOS](https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8). Install the app, then browse to the admin site in Safari. Create and/or download a profile. After the profile is downloaded, select **Open in Open VPN**. Install the profile, then select **Connect** to connect to the VPN. To disconnect, open the app again and select **Disconnect**.
|
||||
|
||||
That's it! Your VPN is up and running.
|
Loading…
Reference in New Issue