Скрипт поднятия VPN

Скрипт для автоматической установки OpenVPN и выдачи готового клиентского конфига (.ovpn) по ссылке.
Проверяется точное значение VERSION_ID из /etc/os-release: поддерживаются Debian 7, 8, 9 и Ubuntu 14.04, 16.04, 17.10 (промежуточные выпуски Ubuntu, например 16.10 и 17.04, скрипт отклоняет).
Код:
#!/bin/bash
#
# vpn installer script.sh

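# --- Preflight checks -------------------------------------------------------
# The installer writes under /etc/openvpn, /etc/iptables and the systemd unit
# directory, so it must run as root (exit 1).  OpenVPN needs the TUN device
# (exit 2).  Only the Debian/Ubuntu releases listed below are supported; any
# other system exits with 4.  The package-install step later compares
# $VERSION_ID against the literal 'VERSION_ID="x"' line from os-release, so
# the variable is deliberately kept in that raw form.
if [[ "$EUID" -ne 0 ]]; then
  echo "Sorry, you need to run this as root" >&2
  exit 1
fi

if [[ ! -e /dev/net/tun ]]; then
  echo "TUN is not available" >&2
  exit 2
fi

if [[ ! -e /etc/debian_version ]]; then
  echo "Only Debian/Ubuntu are supported by this script." >&2
  exit 4
fi

OS="debian"
# Raw 'VERSION_ID="..."' line (anchored, so a value embedded in another
# os-release field cannot match).
VERSION_ID=$(grep '^VERSION_ID=' /etc/os-release)
IPTABLES='/etc/iptables/iptables.rules'
SYSCTL='/etc/sysctl.conf'

case "$VERSION_ID" in
  'VERSION_ID="7"' | 'VERSION_ID="8"' | 'VERSION_ID="9"' | \
  'VERSION_ID="14.04"' | 'VERSION_ID="16.04"' | 'VERSION_ID="17.10"')
    ;;
  *)
    echo "Your version of Debian/Ubuntu is not supported." >&2
    echo "" >&2
    exit 4
    ;;
esac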

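#######################################
# Assemble a single-file ("inline") client profile with the CA cert, the
# client cert/key and the tls-auth key embedded.
# Globals:   SUDO_USER (read)
#            OPENVPN_DIR     - optional, base directory (default /etc/openvpn)
#            OVPN_OUTPUT_DIR - optional, overrides the home-directory rule
# Arguments: $1 - client name; must match an easy-rsa certificate
#            (pki/issued/$1.crt and pki/private/$1.key)
# Outputs:   writes <dir>/$1.ovpn, where <dir> is /home/$1 if it exists,
#            else /home/$SUDO_USER when started through sudo, else /root.
#            The file is created mode 0600 because it holds private keys;
#            when it lands in the sudo caller's home it is chowned to them.
# Returns:   0 on success, 1 if the name is empty, a required PKI file is
#            missing, or the profile could not be written
#######################################
newclient () {
  local name=$1
  local base=${OPENVPN_DIR:-/etc/openvpn}
  local pki="$base/easy-rsa/pki"
  local out_dir give_to_sudo_user=0

  if [[ -z "$name" ]]; then
    echo "newclient: client name is empty" >&2
    return 1
  fi

  if [[ -n "${OVPN_OUTPUT_DIR:-}" ]]; then
    out_dir=$OVPN_OUTPUT_DIR
  elif [[ -e "/home/$name" ]]; then
    out_dir="/home/$name"
  elif [[ -n "${SUDO_USER:-}" ]]; then
    out_dir="/home/${SUDO_USER}"
    give_to_sudo_user=1
  else  # not started through sudo: fall back to root's home
    out_dir="/root"
  fi
  local out="$out_dir/$name.ovpn"

  # Fail loudly instead of emitting a profile with empty <cert>/<key> blocks.
  local f
  for f in "$base/client-template.txt" "$pki/ca.crt" "$pki/issued/$name.crt" \
           "$pki/private/$name.key" "$base/tls-auth.key"; do
    if [[ ! -r "$f" ]]; then
      echo "newclient: missing $f" >&2
      return 1
    fi
  done

  # Create the profile owner-only from the first byte: it embeds the client's
  # private key and the tls-auth key, so a world-readable file would hand VPN
  # access to every local account.
  (
    umask 077
    {
      cat "$base/client-template.txt"
      echo "<ca>";       cat "$pki/ca.crt";            echo "</ca>"
      echo "<cert>";     cat "$pki/issued/$name.crt";  echo "</cert>"
      echo "<key>";      cat "$pki/private/$name.key"; echo "</key>"
      echo "key-direction 1"
      echo "<tls-auth>"; cat "$base/tls-auth.key";     echo "</tls-auth>"
    } > "$out"
  ) || return 1
  chmod 600 "$out"
  if (( give_to_sudo_user )); then
    chown "$SUDO_USER" "$out"
  fi
}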

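# --- Network facts and installer settings ----------------------------------

#######################################
# True (0) if $1 is an RFC 1918 private IPv4 address.
# Arguments: $1 - dotted-quad address
#######################################
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

#######################################
# Ask an external service for this host's public IPv4 address.
# Outputs: the address on stdout, nothing on failure.
# The lookup is plain HTTP; a spoofed answer can only point the generated
# profile at the wrong host, it cannot let that host pass the profile's
# certificate pinning (remote-cert-tls / verify-x509-name).
#######################################
public_ipv4() {
  wget -qO- --timeout=10 --tries=1 ipv4.icanhazip.com 2>/dev/null \
    | grep -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# Address written into the client profile's "remote" line: the first
# non-loopback IPv4 on any interface.  A private address (cloud VM behind
# NAT) is useless to clients, so in that case -- or when nothing was found --
# ask for the public address instead.
IP=$(ip addr | grep 'inet' | grep -v inet6 \
  | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
  | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)

if [[ -z "$IP" ]] || is_private_ipv4 "$IP"; then
  PUBLIC_IP=$(public_ipv4)
  if [[ -n "$PUBLIC_IP" ]]; then
    IP=$PUBLIC_IP
  fi
fi
if [[ -z "$IP" ]]; then
  echo "Warning: could not determine the server address; fix the 'remote' line in the client profile." >&2
fi

# Interface carrying the default route; used for the MASQUERADE rule.
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1)

clear
# Installer settings.  Adjust before running: the server config, the
# firewall rules and the client profile are all generated from these.
PORT=43253                   # port OpenVPN listens on
PROTOCOL=TCP                 # TCP or UDP
DNS=2                        # resolver pushed to clients (2 = Quad9; see the DNS case below)
CIPHER="cipher AES-128-CBC"  # data-channel cipher line, shared by server and client
DH_KEY_SIZE="2048"           # bits of the Diffie-Hellman parameters
RSA_KEY_SIZE="2048"          # bits of the CA/server/client RSA keys
CLIENT="client"              # name of the single client certificate issued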

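# --- Packages and a persistent iptables service ----------------------------

#######################################
# Install a minimal systemd unit that restores /etc/iptables/iptables.rules
# before the network comes up and flushes everything on stop.
# Note: the stop script resets every policy to ACCEPT, i.e. "systemctl stop
# iptables" leaves the host with no packet filter at all.
# Globals:   writes /etc/iptables/iptables.rules,
#            /etc/iptables/flush-iptables.sh and
#            /etc/systemd/system/iptables.service
#######################################
install_iptables_service() {
  mkdir -p /etc/iptables
  # Snapshot the current rule set so a reboot does not lose it.
  iptables-save > /etc/iptables/iptables.rules
  cat > /etc/iptables/flush-iptables.sh <<'EOF'
#!/bin/sh
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
EOF
  chmod +x /etc/iptables/flush-iptables.sh
  cat > /etc/systemd/system/iptables.service <<'EOF'
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecReload=/sbin/iptables-restore /etc/iptables/iptables.rules
ExecStop=/etc/iptables/flush-iptables.sh
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable iptables.service
}

#######################################
# Register the upstream OpenVPN apt repository for releases whose stock
# package is too old.  The mirror is plain http://, but apt still verifies
# package signatures against the key fetched over https below, so the
# cleartext transport only leaks which packages are installed.
# Arguments: $1 - distribution codename (wheezy / jessie / trusty)
#######################################
add_openvpn_repo() {
  echo "deb http://build.openvpn.net/debian/openvpn/stable $1 main" \
    > /etc/apt/sources.list.d/openvpn.list
  # apt-key is deprecated on newer releases but is what these three ship.
  wget -q -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
  apt-get update >/dev/null 2>&1
}

if [[ "$OS" = 'debian' ]]; then
  # Fresh images often have no package lists yet; refresh before installing.
  apt-get update >/dev/null 2>&1
  # ca-certificates first: the repository key below is fetched over https.
  apt-get install ca-certificates nginx -y >/dev/null 2>&1
  case "$VERSION_ID" in
    'VERSION_ID="7"')     add_openvpn_repo wheezy ;;
    'VERSION_ID="8"')     add_openvpn_repo jessie ;;
    'VERSION_ID="14.04"') add_openvpn_repo trusty ;;
  esac
  if ! apt-get install openvpn iptables openssl wget ca-certificates curl -y; then
    echo "Package installation failed; aborting before touching the firewall." >&2
    exit 3
  fi
  if [[ ! -e /etc/systemd/system/iptables.service ]]; then
    install_iptables_service
  fi
elif [[ "$OS" = 'centos' || "$OS" = 'fedora' ]]; then
  # Unreachable with the Debian-only preflight above; kept intact so the
  # branch stays correct if other distributions are re-enabled.
  if [[ "$OS" = 'centos' ]]; then
    yum install epel-release -y
  fi
  yum install openvpn iptables openssl wget ca-certificates curl -y
  if [[ ! -e /etc/systemd/system/iptables.service ]]; then
    install_iptables_service
    systemctl disable firewalld
    systemctl mask firewalld
  fi
else
  echo "Unsupported OS '$OS'; nothing was changed." >&2
  exit 4
fi

# Unprivileged group OpenVPN drops to after start-up (server.conf "group").
if grep -qs "^nogroup:" /etc/group; then
  NOGROUP=nogroup
else
  NOGROUP=nobody
fi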

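# --- PKI: CA, server and client certificates, DH parameters, tls-auth key ---

#######################################
# Print a random alphanumeric token (no trailing newline).
# Arguments: $1 - length in characters (default 16)
#######################################
random_token() {
  tr -dc 'a-zA-Z0-9' </dev/urandom | head -c "${1:-16}"
}

# Start from a clean easy-rsa tree: re-running the script issues a fresh CA.
rm -rf /etc/openvpn/easy-rsa/

# NOTE(review): the tarball is fetched over TLS but its hash is not pinned;
# comparing it against a checksum recorded alongside this script would close
# the remaining supply-chain gap (a compromised release asset or redirect).
EASYRSA_VERSION="3.0.4"
EASYRSA_TGZ="$HOME/EasyRSA-${EASYRSA_VERSION}.tgz"
if ! wget -O "$EASYRSA_TGZ" \
     "https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/EasyRSA-${EASYRSA_VERSION}.tgz"; then
  echo "Could not download EasyRSA ${EASYRSA_VERSION}" >&2
  rm -f "$EASYRSA_TGZ"
  exit 5
fi
tar xzf "$EASYRSA_TGZ" -C "$HOME/" || exit 5
mv "$HOME/EasyRSA-${EASYRSA_VERSION}/" /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -f "$EASYRSA_TGZ"

# Every easyrsa call below is relative to the PKI directory; a failed cd must
# not let the rest of the script run from whatever the cwd happens to be.
cd /etc/openvpn/easy-rsa/ || exit 5

# Random CN and server name: nothing in the certificates identifies the host.
SERVER_CN="cn_$(random_token 16)"
SERVER_NAME="server_$(random_token 16)"
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
./easyrsa init-pki >/dev/null 2>&1
# 'nopass': the CA key is stored unencrypted and is therefore exactly as safe
# as root on this host.  It is needed again only to issue or revoke clients.
./easyrsa --batch build-ca nopass >/dev/null 2>&1
openssl dhparam -out dh.pem "$DH_KEY_SIZE" >/dev/null 2>&1
./easyrsa build-server-full "$SERVER_NAME" nopass >/dev/null 2>&1
./easyrsa build-client-full "$CLIENT" nopass >/dev/null 2>&1
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl >/dev/null 2>&1
openvpn --genkey --secret /etc/openvpn/tls-auth.key >/dev/null 2>&1

# easyrsa output was silenced above, so verify the artefacts exist instead of
# starting a server with missing credentials.
for f in pki/ca.crt dh.pem "pki/issued/$SERVER_NAME.crt" \
         "pki/private/$SERVER_NAME.key" pki/crl.pem /etc/openvpn/tls-auth.key; do
  if [[ ! -e "$f" ]]; then
    echo "PKI generation failed: $f was not created" >&2
    exit 5
  fi
done

# Only what server.conf references goes to /etc/openvpn.  The CA private key
# is deliberately NOT copied there: the daemon never reads it, and keeping the
# single copy inside the PKI tree narrows what a compromised service can reach.
cp pki/ca.crt dh.pem "pki/issued/$SERVER_NAME.crt" "pki/private/$SERVER_NAME.key" pki/crl.pem /etc/openvpn
chmod 600 "/etc/openvpn/$SERVER_NAME.key" /etc/openvpn/tls-auth.key
# The server runs as "nobody" (see server.conf) and must still read the CRL.
chmod 644 /etc/openvpn/crl.pem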

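# --- Server configuration ----------------------------------------------------

#######################################
# Print the OpenVPN server configuration built from the installer settings.
# Globals:   PORT, PROTOCOL, NOGROUP, DNS, SERVER_NAME, CIPHER (read)
# Outputs:   server.conf contents on stdout
#######################################
write_server_conf() {
  echo "port $PORT"
  case "$PROTOCOL" in
    UDP) echo "proto udp" ;;
    TCP) echo "proto tcp" ;;
  esac
  cat <<EOF
dev tun
user nobody
group $NOGROUP
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
EOF
  # Resolver(s) pushed to clients.  Together with redirect-gateway below this
  # sends all client traffic, DNS included, through the tunnel.
  local dns_servers=()
  case "$DNS" in
    1)  # the server's own resolv.conf entries (IPv4 only)
      mapfile -t dns_servers < <(grep -v '#' /etc/resolv.conf | grep 'nameserver' \
        | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
      ;;
    2) dns_servers=(9.9.9.9) ;;                          # Quad9
    3) dns_servers=(80.67.169.40 80.67.169.12) ;;        # FDN
    4) dns_servers=(84.200.69.80 84.200.70.40) ;;        # DNS.WATCH
    5) dns_servers=(208.67.222.222 208.67.220.220) ;;    # OpenDNS
    6) dns_servers=(8.8.8.8 8.8.4.4) ;;                  # Google
    7) dns_servers=(77.88.8.8 77.88.8.1) ;;              # Yandex Basic
    8) dns_servers=(176.103.130.130 176.103.130.131) ;;  # AdGuard DNS
  esac
  local dns
  for dns in "${dns_servers[@]}"; do
    echo "push \"dhcp-option DNS $dns\""
  done
  echo 'push "redirect-gateway def1 bypass-dhcp" '
  # crl-verify: revoked client certificates are rejected without re-issuing
  #   the CA.
  # tls-auth (direction 0 here, 1 on clients): packets without the shared HMAC
  #   are dropped before the TLS handshake is attempted.
  # tls-version-min 1.2: refuses TLS 1.0/1.1 handshakes.  Needs OpenVPN
  #   >= 2.3.3, which every supported release provides (Debian 7/8 and Ubuntu
  #   14.04 install it from the upstream repository).
  cat <<EOF
crl-verify crl.pem
ca ca.crt
cert $SERVER_NAME.crt
key $SERVER_NAME.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
$CIPHER
tls-version-min 1.2
#tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 3
EOF
}

write_server_conf > /etc/openvpn/server.conf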

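# --- IP forwarding and firewall ----------------------------------------------

#######################################
# Append a rule to a table/chain unless an identical rule already exists, so
# re-running the installer does not stack duplicates.
# Arguments: $1 - table, $2 - chain, rest - rule specification
#######################################
iptables_add_once() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

#######################################
# Insert a filter-table rule at the top of a chain unless already present.
# Arguments: $1 - chain, rest - rule specification
#######################################
iptables_insert_once() {
  local chain=$1
  shift
  iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
}

# Enable IPv4 forwarding: persistently in sysctl.conf and right now via procfs.
if [[ ! -e "$SYSCTL" ]]; then
  touch "$SYSCTL"
fi
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' "$SYSCTL"
if ! grep -q "\<net.ipv4.ip_forward\>" "$SYSCTL"; then
  echo 'net.ipv4.ip_forward=1' >> "$SYSCTL"
fi
echo 1 > /proc/sys/net/ipv4/ip_forward

# NAT the VPN subnet out through the default-route interface.  Without this
# rule clients connect but cannot reach anything beyond the server itself.
if [[ -n "$NIC" ]]; then
  iptables_add_once nat POSTROUTING -o "$NIC" -s 10.8.0.0/24 -j MASQUERADE
else
  echo "Warning: default-route interface not found; add the MASQUERADE rule for 10.8.0.0/24 by hand." >&2
fi
iptables-save > "$IPTABLES"

proto=${PROTOCOL,,}   # "tcp" / "udp" for the firewall tools below

# firewalld is not expected on Debian/Ubuntu; handled only if it is running.
if pgrep firewalld >/dev/null; then
  firewall-cmd --zone=public --add-port="$PORT/$proto"
  firewall-cmd --permanent --zone=public --add-port="$PORT/$proto"
  firewall-cmd --zone=trusted --add-source=10.8.0.0/24
  firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi

# Open the port and allow forwarding only when a restrictive rule set exists;
# with the default ACCEPT policies the traffic already passes.
if iptables -L -n | grep -qE 'REJECT|DROP'; then
  iptables_insert_once INPUT -p "$proto" --dport "$PORT" -j ACCEPT
  iptables_insert_once FORWARD -s 10.8.0.0/24 -j ACCEPT
  iptables_insert_once FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables-save > "$IPTABLES"
fi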
# --- SELinux ------------------------------------------------------------------
# Label the non-default port so an enforcing policy lets openvpn bind it.
# Debian/Ubuntu normally have no sestatus at all, so this whole step is skipped
# there; it matters only on hosts where SELinux is enforcing.
if hash sestatus 2>/dev/null && sestatus | grep "Current mode" | grep -qs "enforcing"; then
  if [[ "$PORT" != '1194' ]]; then
    # semanage ships in policycoreutils-python on RHEL-family systems.
    hash semanage 2>/dev/null || yum install policycoreutils-python -y
    case "$PROTOCOL" in
      UDP) semanage port -a -t openvpn_port_t -p udp "$PORT" ;;
      TCP) semanage port -a -t openvpn_port_t -p tcp "$PORT" ;;
    esac
  fi
fi
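# --- Start OpenVPN ------------------------------------------------------------

#######################################
# Retarget a packaged openvpn@.service template at the single
# /etc/openvpn/server.conf this script writes (instead of %i.conf under
# /etc/openvpn/server).  The sed expressions are the original ones, so the
# patched unit is exactly what the script always produced.
# NOTE(review): editing a unit under /lib or /usr/lib is undone by the next
# package upgrade; a drop-in under /etc/systemd/system/openvpn@.service.d/
# would be the durable form.
# Arguments: $1 - unit file path
#            $2 - "nproc" to also comment out LimitNPROC (Debian/Ubuntu unit)
#######################################
retarget_openvpn_unit() {
  local unit=$1
  if [[ "${2:-}" == "nproc" ]]; then
    sed -i 's|LimitNPROC|#LimitNPROC|' "$unit"
  fi
  sed -i 's|/etc/openvpn/server|/etc/openvpn|' "$unit"
  sed -i 's|%i.conf|server.conf|' "$unit"
}

# NOTE(review): the forum listing rendered the unit names below as the
# e-mail-obfuscated "[email protected]"; restored to the systemd template
# (openvpn@.service) and instance (openvpn@server.service) names.
if [[ "$OS" = 'debian' ]]; then
  if pgrep systemd-journal >/dev/null; then
    retarget_openvpn_unit /lib/systemd/system/openvpn@.service nproc
    systemctl daemon-reload
    systemctl restart openvpn
    systemctl enable openvpn
  else
    /etc/init.d/openvpn restart
  fi
elif pgrep systemd-journal >/dev/null; then
  # Unreachable with the Debian-only preflight; kept so the branch stays
  # correct if other distributions are re-enabled.
  if [[ "$OS" = 'arch' || "$OS" = 'fedora' ]]; then
    retarget_openvpn_unit /usr/lib/systemd/system/openvpn@.service
    systemctl daemon-reload
  fi
  systemctl restart openvpn@server.service
  systemctl enable openvpn@server.service
else
  service openvpn restart
  chkconfig openvpn on
fi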
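# --- Client profile and hand-out ---------------------------------------------

#######################################
# Print the client-side configuration that newclient() embeds the keys into.
# Globals:   PROTOCOL, IP, PORT, SERVER_NAME, CIPHER (read)
# Outputs:   client-template.txt contents on stdout
#######################################
write_client_template() {
  echo "client"
  case "$PROTOCOL" in
    UDP) echo "proto udp" ;;
    TCP) echo "proto tcp-client" ;;
  esac
  # remote-cert-tls + verify-x509-name pin the server certificate: a host that
  # merely holds some certificate from our CA cannot impersonate the server.
  # tls-version-min stays commented on the client: the server enforces 1.2 on
  # its side, and older client builds reject unknown options outright.
  cat <<EOF
remote $IP $PORT
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name $SERVER_NAME name
auth SHA256
auth-nocache
$CIPHER
#tls-client
#tls-version-min 1.2
#tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3
EOF
}

write_client_template > /etc/openvpn/client-template.txt

newclient "$CLIENT"

# newclient() writes to /home/$CLIENT if it exists, else the sudo caller's
# home, else /root.  Mirror that rule instead of assuming /root, which left
# the published link pointing at nothing whenever the script ran via sudo.
if [[ -e "/home/$CLIENT" ]]; then
  OVPN_FILE="/home/$CLIENT/$CLIENT.ovpn"
elif [[ -n "${SUDO_USER:-}" ]]; then
  OVPN_FILE="/home/$SUDO_USER/$CLIENT.ovpn"
  chown "$SUDO_USER" "$OVPN_FILE" 2>/dev/null
else
  OVPN_FILE="/root/$CLIENT.ovpn"
fi
# The profile holds the client's private key and the tls-auth key.
chmod 600 "$OVPN_FILE" 2>/dev/null

service nginx restart

# Publish the profile under an unguessable path.  The previous fixed name
# (http://IP/client.ovpn) let anyone who found the web server download
# working VPN credentials; a 32-character random directory turns the URL
# into a bearer secret, and nginx's default autoindex is off so the token
# cannot be listed.  The file is still served over plain HTTP: fetch it once
# and remove it (the command is printed below).
TOKEN=$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32)
PUBLISHED=()
for webroot in /usr/share/nginx/html /usr/share/nginx/www; do
  if [[ -d "$webroot" ]]; then
    mkdir -p "$webroot/$TOKEN"
    if cp "$OVPN_FILE" "$webroot/$TOKEN/$CLIENT.ovpn" 2>/dev/null; then
      chmod 644 "$webroot/$TOKEN/$CLIENT.ovpn"
      PUBLISHED+=("$webroot/$TOKEN")
    fi
  fi
done
clear
if (( ${#PUBLISHED[@]} == 0 )); then
  echo "Could not publish $OVPN_FILE through nginx; copy it to the client by hand (scp)." >&2
fi
echo "http://$IP/$TOKEN/$CLIENT.ovpn"
echo
echo "This file contains the client private key and is served over plain HTTP."
echo "Download it once, then remove it from the web server:"
echo "  rm -rf ${PUBLISHED[*]}"
echo "A local copy remains in $OVPN_FILE."
exit 0;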
Создаём на сервере файл vpn.sh с этим содержимым, сохраняем, затем `chmod 755 vpn.sh` и запускаем от root (`./vpn.sh`); примерно через минуту скрипт выведет ссылку на конфиг. Важно: файл client.ovpn содержит приватный ключ клиента и ключ tls-auth, а раздаётся он по обычному HTTP из корня nginx по предсказуемому адресу http://IP/client.ovpn — скачайте его сразу после установки и удалите из /usr/share/nginx/html (или /usr/share/nginx/www), иначе доступ к VPN получит любой, кто найдёт этот сервер.