
Easy OpenVPN Install Script - Rough form, but functional w/ some experience

Discussion in 'General Scripting Chat' started by bpmee31, Sep 19, 2013.

  1. bpmee31 (Newbie, joined Sep 7, 2011)
    I've had to install OpenVPN on various servers, and eventually put together a script to make it much faster than configuring manually.

    Props to: Yasyf Mohamedali

    Notes:

    1. This should work with CentOS VPS and Dedicated boxes, HOWEVER, make sure your host has the right ports open and permissions.
    2. This script is in rough form. It is functional with minor tweaking. If you are a beginner, it would be better to use this for reference as opposed to a full install.
    3. Backups of existing configs are made, however always backup your files anyway.
    4. You might need a Git user to fetch the Easy-RSA stuff.

    What it produces:

    1. Single user login capability with Auth-Pam authentication. You will be prompted to create a user on your box. This means a user/password combo is used instead of an open connection (not a good idea ;) )
    2. DNSmasq is installed, but I've noticed this isn't necessary for successful operation.
    3. Compatible with OpenVPN 2.3

    WARNING: This script is best for new installs. I flush all IPTABLES for convenience because I only use the box for VPN purposes. If you have existing IPTABLES, they will be backed up, but will NOT be active after the script finishes. (I know this is a deal breaker for some, sorry in advance)

    Code:
    #!/bin/bash

    #OpenVPN Server on CentOS OpenVZ VPS Script by Yasyf Mohamedali
    #Adapted from various scripts around the net

    # Must run as root: it installs packages, rewrites /etc/openvpn and replaces the firewall.
    if [ "$(id -u)" -ne 0 ]; then
        echo "Run this script as root."
        exit 1
    fi

    CLIENTID='blackhat1'
    IPFORWARDV1='net.ipv4.ip_forward = 1'
    PORT='443' # Default is 1194. 443 is useful for those behind firewalls in China, Iran, etc.
    PROTO='udp' # You can also use tcp, again useful for those behind firewalls
    KEY_SIZE=2048 # Exported so easy-rsa builds 2048-bit keys and dh2048.pem, which is what gets copied below
    export KEY_SIZE

    cd /home

    service openvpn stop

    echo "Checking to see if /etc/openvpn already exists. If so, will backup before this new install."

    if [ -d /etc/openvpn ]
        then
        echo "We have previous /etc/openvpn folder, will back it up before installing new openvpn."
        sleep 2
        cp -fR /etc/openvpn /etc/openvpn$(date +%Y%m%d%H%M%S)
    fi

    # Ctrl+C aborts; Ctrl+Z would only suspend the script.
    echo "Will remove old openvpn (if exists) with yum remove. Press ctrl+c to abort. You have 7 seconds"

    sleep 7

    yum remove openvpn

    echo "Backing up of old openvpn folder complete, removal of old openvpn software complete"

    sleep 1

    # On a working tun device cat fails with "File descriptor in bad state"; a container without
    # TUN/TAP gives "Permission denied" or "No such file or directory". cat writes that message to
    # stderr, so it has to be redirected into the variable before it can be tested.
    TUNSTATE=$(cat /dev/net/tun 2>&1)

    case "$TUNSTATE" in
        *"Permission denied"*|*"No such file or directory"*)
        clear
        echo "Sorry, but it seems that TUN/TAP is not enabled on your VPS."
        exit 1
        ;;
    esac

    # Get IP on Various Systems (IPADDR may be quoted in ifcfg files, so strip the quotes)

    IP=''
    if [ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ]
        then
        IP=$(grep IPADDR /etc/sysconfig/network-scripts/ifcfg-eth0 | awk -F= '{print $2}' | tr -d '"')
        echo "We have Standard IP: $IP."
        sleep 2
    fi

    if [ -f /etc/sysconfig/network-scripts/ifcfg-venet0:0 ]
        then
        IP=$(grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= '{print $2}' | tr -d '"')
        echo "We have Standard VPS IP: $IP."
        sleep 2
    fi

    # The SNAT rule and the client config both need the public address; stop rather than
    # write an empty value into them.
    if [ -z "$IP" ]
        then
        echo "Could not determine the server IP from ifcfg-eth0 or ifcfg-venet0:0. Set IP by hand and re-run."
        exit 1
    fi

    yum install -y gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl openssl-devel mlocate

    # RPMforge (DAG) repo. This is the el5 i386 release package; use the one that matches your
    # CentOS release and architecture (see /etc/redhat-release and uname -m).
    wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
    rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
    # Stop if the signature does not verify instead of installing the package anyway.
    rpm -K rpmforge-release-0.5.2-2.el5.rf.i386.rpm || { echo "rpmforge-release signature check failed"; exit 1; }
    rpm -i rpmforge-release-0.5.2-2.el5.rf.i386.rpm

    # Plain git is all the clone below needs; git-gui would pull in Tk as well.
    yum install -y git lzo-devel pam-devel

    echo "Installed DAG, GIT, LZO, and PAM."
    sleep 4

    # Unpatched
    cd /etc/yum.repos.d

    # Fetched over plain http; review the repo file (and its gpgcheck setting) before yum uses it.
    wget http://repos.openvpn.net/repos/yum/conf/repos.openvpn.net-CentOS6-snapshots.repo

    yum update

    yum -y install openvpn

    # Patched - I have patched software that helps those in China get through the firewall, but I haven't been able to
    #make it work.. Anyone with strong OpenVPN skills let me know, I will send you the patched files
    #XXXXXXXXXXXX
    #XXXXXXXXX
    #
    #XXXXXXXXX
    #XXXXXXXXXXXX

    if [ -d /etc/openvpn/easy-rsa ]
        then
        echo "We have previous /etc/openvpn/easy-rsa folder, will back it up before installing new openvpn."
        sleep 2
        mv /etc/openvpn/easy-rsa /etc/openvpn/easy-rsa$(date +%Y%m%d%H%M%S)
    fi

    cd ~

    if [ -d easy-rsa ]
        then
        echo "Looks like Git got Easy-RSA in your root folder, will back up and remove it."
        sleep 2
        mv easy-rsa easy-rsa$(date +%Y%m%d%H%M%S)
    fi

    # Clones the current master; this script expects the 2.0 scripts (easy-rsa/2.0) to be in it.
    git clone https://github.com/OpenVPN/easy-rsa.git || { echo "git clone of easy-rsa failed"; exit 1; }

    cp -fR ~/easy-rsa/easy-rsa /etc/openvpn

    cd /etc/openvpn/

    if [ -d /etc/openvpn/easy-rsa/2.0/ ]
        then
        cd /etc/openvpn/easy-rsa/2.0/
    fi

    if [ -d /etc/openvpn/2.0/ ]
        then
        cd /etc/openvpn/2.0/
    fi

    if [ ! -f ./vars ]
        then
        echo "easy-rsa 2.0 scripts (vars, build-ca, ...) not found under /etc/openvpn; cannot build keys."
        exit 1
    fi

    # Only the scripts need to be executable; a bare 'chmod +rwx *' also loosens group/other bits.
    chmod u+x *

    source ./vars

    echo "####################################"
    echo "If you set a passphrase during this step you will need to"
    echo "type a password each time openvpn starts."
    echo "Accepting the default values (just press enter at each step) will also work."
    echo "####################################"

    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-dh

    # ca.key stays in the easy-rsa keys directory; the server config only references ca.crt.
    cp keys/{ca.crt,server.crt,server.key,dh${KEY_SIZE}.pem} /etc/openvpn/
    chmod 600 /etc/openvpn/server.key

    echo "####################################"
    echo "Accepting the default values (just press enter at each step) will also work."
    echo "This is your client key, you may set a passphrase here but it's not required"
    echo "If you do set a password here, you will need to enter it each time you use it on your machine to connect"
    echo "####################################"

    ./build-key $CLIENTID

    # The client needs its certificate and private key only; the .csr is not used after signing.
    cp keys/{$CLIENTID.crt,$CLIENTID.key} /etc/openvpn/
    chmod 600 /etc/openvpn/$CLIENTID.key

    # proto must match the server or a tcp server never sees a udp client.
    # route-delay / route-method are Windows-only options; remove them for Linux or Mac clients.
    # The DNS address matches what the server pushes (10.8.0.1 on the VPN subnet).
    # script-security is not set: the client runs no scripts, so it has no reason to allow them.
    client="client
    remote $IP $PORT
    proto $PROTO
    dev tun
    comp-lzo
    ca ca.crt
    cert $CLIENTID.crt
    key $CLIENTID.key
    auth-user-pass
    auth-retry interact
    ns-cert-type server
    route-delay 2
    route-method exe
    redirect-gateway def1
    dhcp-option DNS 10.8.0.1
    verb 6"

    echo "$client" > /etc/openvpn/$HOSTNAME.ovpn

    cd /etc/openvpn

    # Bundle for the client: the CA certificate, the client's own cert/key and the profile.
    # Never ship ca.key (the CA private key) or server.key to a client.
    tar czf openvpn-keys.tgz ca.crt $CLIENTID.crt $CLIENTID.key $HOSTNAME.ovpn

    mv -f openvpn-keys.tgz ~
    chmod 600 ~/openvpn-keys.tgz

    # updatedb ran before openvpn was installed, so locate would not know about the plugin yet;
    # search the library directories directly instead.
    PAMSCRIPT=$(find /usr/lib /usr/lib64 -path '*openvpn/plugins*' -name '*auth-pam.so' 2>/dev/null | head -n 1)

    if [ -z "$PAMSCRIPT" ]
        then
        echo "Could not find the OpenVPN auth-pam plugin; cannot enable user/password logins."
        exit 1
    fi

    echo "Pam Auth Script location is: $PAMSCRIPT"
    sleep 4

    # user/group nobody drop root once the tunnel is up; persist-key/persist-tun keep restarts
    # working afterwards. The auth-pam plugin keeps its own privileged helper, so logins still work.
    ovpnsettings="port $PORT
    proto $PROTO
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    server 10.8.0.0 255.255.255.0
    dh dh${KEY_SIZE}.pem
    plugin $PAMSCRIPT /etc/pam.d/login
    ifconfig-pool-persist ipp.txt
    comp-lzo
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    user nobody
    group nobody
    verb 6
    mute 10
    push \"route 10.8.0.0 255.255.255.0\"
    push \"dhcp-option DNS 10.8.0.1\"
    push \"redirect-gateway def1 bypass-dhcp\"
    status $HOSTNAME.log
    daemon"

    echo "$ovpnsettings" > /etc/openvpn/openvpn.conf
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Match a commented or uncommented ip_forward line with any value and force it to 1, so the
    # CentOS default "net.ipv4.ip_forward = 0" is changed rather than shadowed by an appended line.
    if grep -Eq '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' /etc/sysctl.conf
    then
        echo "Edit exists IP Forward, will now remove any commenting"
        perl -pi -e 's/^\s*#?\s*net\.ipv4\.ip_forward\s*=\s*\S+/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo "Need to add IP Forward to sysctl.conf at bottom of file"
        echo "$IPFORWARDV1" >> /etc/sysctl.conf
    fi
    sysctl -p

    echo "Backing up old IP Tables: /etc/sysconfig/iptables.bak.date"

    [ -f /etc/sysconfig/iptables ] && cp -pv /etc/sysconfig/iptables /etc/sysconfig/iptables.bak.$(date +%Y%m%d%H%M%S)

    echo "Saving old Ip Tables config as /etc/sysconfig/iptables-prevpn"

    iptables-save > /etc/sysconfig/iptables-prevpn

    echo "Now clearing ALL iptables rules for a fresh VPN install. Hit ctrl+c now to abort. You have 9 seconds to abort!"

    sleep 9

    echo "Stopping firewall and allowing everyone..."

    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    echo "Now adding our IP Tables rules for the VPN"

    iptables -A FORWARD -s 10.8.0.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j SNAT --to-source $IP
    iptables-save > /etc/sysconfig/iptables
    # Make sure the saved rules come back after a reboot.
    chkconfig iptables on

    echo "Now installing DNSmasq"

    # dnsmasq answers on every interface by default; with INPUT set to ACCEPT that makes this box
    # an open resolver. Restrict it (listen-address=10.8.0.1 in /etc/dnsmasq.conf) or skip it.
    yum install -y dnsmasq

    /etc/init.d/dnsmasq start

    chkconfig dnsmasq on

    echo "Now starting OpenVPN"

    /etc/init.d/openvpn start

    chkconfig openvpn on

    echo "Next adding a user to login from your OpenVPN client"

    if grep -q "^$CLIENTID:" /etc/passwd; then
        echo "User Exists, we don't need to create our client"
    else
        echo "User does NOT exist, creating it now...supply a password and remember it!"
        # No login shell: this account exists only for the PAM password check, not for SSH.
        useradd -s /bin/false "$CLIENTID"
        passwd "$CLIENTID"
    fi

    echo "OpenVPN has been installed
    Download ~/openvpn-keys.tgz archive and open the .ovpn file inside it in an OpenVPN Client Application"
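The firewall section of the post flushes every table and sets all policies to ACCEPT, which the author flags as a deal-breaker. The following is an added example, not part of bpmee31's script or of Yasyf Mohamedali's original: a function that emits a restrictive ruleset in iptables-restore format for a VPN-only box, keeping only SSH, the OpenVPN port, DNS from VPN clients and the 10.8.0.0/24 forward/SNAT path. The interface names (eth0 / venet0), tun0, port 22 for SSH and the address 203.0.113.10 are assumptions for illustration.

```bash
#!/bin/sh
# Added example: restrictive iptables ruleset for a VPN-only server.
# Not from the forum script. Assumptions: OpenVPN device is tun0, VPN subnet is
# 10.8.0.0/24 (as in the post), SSH stays on 22, public interface is passed as $4.

vpn_firewall_check() {
    # Refuse nonsense before any rule is emitted: proto udp|tcp, numeric port, dotted-quad IP.
    ip="$1"; port="$2"; proto="$3"
    case "$proto" in udp|tcp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
    return 0
}

vpn_firewall_rules() {
    # Emits a complete iptables-restore file: default DROP on INPUT and FORWARD,
    # NAT only for the VPN subnet and only out of the public interface.
    ip="$1"; port="$2"; proto="$3"; wan="${4:-eth0}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o ${wan} -j SNAT --to-source ${ip}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p ${proto} --dport ${port} -m state --state NEW -j ACCEPT
-A INPUT -i tun0 -s 10.8.0.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -s 10.8.0.0/24 -p tcp --dport 53 -j ACCEPT
-A FORWARD -i tun0 -o ${wan} -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -i ${wan} -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage on the server (as root), after the script's IP/PORT/PROTO are known:
#   vpn_firewall_check "$IP" "$PORT" "$PROTO" && \
#     vpn_firewall_rules "$IP" "$PORT" "$PROTO" venet0 | iptables-restore
# Run with --demo to print the ruleset for a sample address (203.0.113.10, constructed).
if [ "${1:-}" = "--demo" ]; then
    vpn_firewall_check 203.0.113.10 443 udp && vpn_firewall_rules 203.0.113.10 443 udp venet0
fi
```

Because the DNS rules only accept queries arriving on tun0 from 10.8.0.0/24, dnsmasq stops being reachable from the internet even if it still binds every interface. Save the output to /etc/sysconfig/iptables after loading it so it survives a reboot.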
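The post's client bundle is a tarball of loose files, which makes it easy to drop the wrong file in (the original tar line included ca.key, the CA's private key). As an added example, not taken from the forum script, here is a builder that writes the client profile with OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks, so exactly one file leaves the server, plus a check that refuses a profile containing the CA or server private key. The PEM files it creates are constructed placeholders standing in for easy-rsa output; the client name blackhat1, port 443 and address 203.0.113.10 follow the post's defaults.

```bash
#!/bin/sh
# Added example: single-file client profile with inline PEM blocks and a leak check.
# Not from the forum script. Expects a directory laid out like easy-rsa's keys/ dir:
# ca.crt, <client>.crt, <client>.key (and, server-side only, ca.key / server.key).

build_client_ovpn() {
    # Emits the profile on stdout. Only the CA certificate and the client's own
    # certificate and key are embedded; ca.key and server.key are never read.
    keydir="$1"; client="$2"; ip="$3"; port="$4"; proto="$5"
    [ -f "$keydir/ca.crt" ] || return 1
    [ -f "$keydir/$client.crt" ] || return 1
    [ -f "$keydir/$client.key" ] || return 1
    cat <<EOF
client
dev tun
proto ${proto}
remote ${ip} ${port}
auth-user-pass
remote-cert-tls server
redirect-gateway def1
verb 3
<ca>
$(cat "$keydir/ca.crt")
</ca>
<cert>
$(cat "$keydir/$client.crt")
</cert>
<key>
$(cat "$keydir/$client.key")
</key>
EOF
}

ovpn_leak_check() {
    # Returns 1 if the profile contains the body of ca.key or server.key.
    # The second line of a PEM file is its first base64 line, which is unique per key,
    # unlike the BEGIN/END header that every key shares.
    profile="$1"; keydir="$2"
    for f in ca.key server.key; do
        [ -f "$keydir/$f" ] || continue
        marker=$(sed -n '2p' "$keydir/$f")
        [ -n "$marker" ] || continue
        grep -qF "$marker" "$profile" && return 1
    done
    return 0
}

make_sample_keydir() {
    # Constructed stand-ins for easy-rsa output, so the example runs offline.
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLECACERT' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLECAPRIVATEKEY' '-----END PRIVATE KEY-----' > "$d/ca.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLESERVERKEY' '-----END PRIVATE KEY-----' > "$d/server.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SAMPLECLIENTCERT' '-----END CERTIFICATE-----' > "$d/blackhat1.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'SAMPLECLIENTKEY' '-----END PRIVATE KEY-----' > "$d/blackhat1.key"
    echo "$d"
}

# Usage on the server: build_client_ovpn /etc/openvpn/easy-rsa/2.0/keys blackhat1 "$IP" "$PORT" "$PROTO" \
#   > ~/blackhat1.ovpn && ovpn_leak_check ~/blackhat1.ovpn /etc/openvpn/easy-rsa/2.0/keys
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_keydir)
    build_client_ovpn "$d" blackhat1 203.0.113.10 443 udp > "$d/blackhat1.ovpn"
    ovpn_leak_check "$d/blackhat1.ovpn" "$d" && echo "profile OK: $d/blackhat1.ovpn"
fi
```

`remote-cert-tls server` replaces the post's `ns-cert-type server`; it checks the server certificate's extended key usage instead of the legacy nsCertType field and is accepted by OpenVPN 2.3 clients. The check is deliberately run against the key directory the profile was built from, so it catches a profile that was assembled by hand from the wrong files.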