8 changed files with 206 additions and 335 deletions
@ -5,133 +5,27 @@ print_error() { |
|||||||
exit |
exit |
||||||
} |
} |
||||||
|
|
||||||
read_env() { |
|
||||||
source "$1" |
|
||||||
# grep -vE '^#|^$' "$1" | sed -r 's/\ /\\\ /g; s/\=/\t/g' | \ |
|
||||||
# while read env val |
|
||||||
# do |
|
||||||
# env - $env="$val" |
|
||||||
# done |
|
||||||
} |
|
||||||
|
|
||||||
# Ensure to be root |
# Ensure to be root |
||||||
if [ "$EUID" -ne 0 ]; then |
if [ "$EUID" -ne 0 ]; then |
||||||
echo "Please run as root" |
print_error "Please run as root" |
||||||
exit |
|
||||||
fi |
fi |
||||||
|
|
||||||
base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
||||||
|
|
||||||
# Read dotEnv file |
# Read dotEnv file |
||||||
read_env "$base_path/../.env" |
source "$base_path/../.env" |
||||||
|
|
||||||
printf "\n################## Server informations ##################\n" |
|
||||||
|
|
||||||
[ ! -z "$VPN_LOCAL" ] && echo "VPN_LOCAL=$VPN_LOCAL" |
|
||||||
[ -z "$VPN_LOCAL" ] && read -p "Server local Hostname/IP: " VPN_LOCAL |
|
||||||
[ -z "$VPN_LOCAL" ] && print_error "Server local address is required!" |
|
||||||
|
|
||||||
[ ! -z "$VPN_REMOTE" ] && echo "VPN_LOCAL=$VPN_REMOTE" |
|
||||||
[ -z "$VPN_REMOTE" ] && read -p "Server remote Hostname/IP: " VPN_REMOTE |
|
||||||
[ -z "$VPN_REMOTE" ] && print_error "Server remote address is required!" |
|
||||||
|
|
||||||
[ ! -z "$VPN_PROTO" ] && echo "VPN_PROTO=$VPN_PROTO" |
|
||||||
[ -z "$VPN_PROTO" ] && read -p "OpenVPN protocol (tcp or udp) [tcp]: " VPN_PROTO |
|
||||||
[ -z "$VPN_PROTO" ] && VPN_PROTO="tcp" |
|
||||||
|
|
||||||
[ ! -z "$VPN_PORT" ] && echo "VPN_PORT=$VPN_PORT" |
|
||||||
[ -z "$VPN_PORT" ] && read -p "OpenVPN port [443]: " VPN_PORT |
|
||||||
[ -z "$VPN_PORT" ] && VPN_PORT="443" |
|
||||||
|
|
||||||
[ ! -z "$VPN_GROUP" ] && echo "VPN_GROUP=$VPN_GROUP" |
|
||||||
[ -z "$VPN_GROUP" ] && read -p "OpenVPN group [nogroup]: " VPN_GROUP |
|
||||||
[ -z "$VPN_GROUP" ] && VPN_GROUP="nogroup" |
|
||||||
|
|
||||||
[ ! -z "$VPN_INIF" ] && echo "VPN_INIF=$VPN_INIF" |
|
||||||
[ -z "$VPN_INIF" ] && read -p "OpenVPN input interface [tun0]: " VPN_INIF |
|
||||||
[ -z "$VPN_INIF" ] && VPN_INIF="tun0" |
|
||||||
|
|
||||||
[ ! -z "$VPN_OUTIF" ] && echo "VPN_OUTIF=$VPN_OUTIF" |
|
||||||
[ -z "$VPN_OUTIF" ] && read -p "OpenVPN output interface [eth0]: " VPN_OUTIF |
|
||||||
[ -z "$VPN_OUTIF" ] && VPN_OUTIF="eth0" |
|
||||||
|
|
||||||
[ ! -z "$VPN_NET" ] && echo "VPN_NET=$VPN_NET" |
|
||||||
[ -z "$VPN_NET" ] && read -p "OpenVPN clients subnet [10.8.0.0/24]: " VPN_NET |
|
||||||
[ -z "$VPN_NET" ] && VPN_NET="10.8.0.0/24" |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Certificates informations ##################\n" |
|
||||||
|
|
||||||
[ -z "$EASYRSA_KEY_SIZE" ] && read -p "Key size (1024, 2048 or 4096) [2048]: " EASYRSA_KEY_SIZE |
|
||||||
[ -z "$EASYRSA_CA_EXPIRE" ] && read -p "Root certificate expiration (in days) [3650]: " EASYRSA_CA_EXPIRE |
|
||||||
[ -z "$EASYRSA_CERT_EXPIRE" ] && read -p "Certificate expiration (in days) [3650]: " EASYRSA_CERT_EXPIRE |
|
||||||
[ -z "$EASYRSA_REQ_COUNTRY" ] && read -p "Country Name (2 letter code) [US]: " EASYRSA_REQ_COUNTRY |
|
||||||
[ -z "$EASYRSA_REQ_PROVINCE" ] && read -p "State or Province Name (full name) [California]: " EASYRSA_REQ_PROVINCE |
|
||||||
[ -z "$EASYRSA_REQ_CITY" ] && read -p "Locality Name (eg, city) [San Francisco]: " EASYRSA_REQ_CITY |
|
||||||
[ -z "$EASYRSA_REQ_ORG" ] && read -p "Organization Name (eg, company) [Copyleft Certificate Co]: " EASYRSA_REQ_ORG |
|
||||||
[ -z "$EASYRSA_REQ_OU" ] && read -p "Organizational Unit Name (eg, section) [My Organizational Unit]: " EASYRSA_REQ_OU |
|
||||||
[ -z "$EASYRSA_REQ_EMAIL" ] && read -p "Email Address [[email protected]]: " EASYRSA_REQ_EMAIL |
|
||||||
[ -z "$EASYRSA_REQ_CN" ] && read -p "Common Name (eg, your name or your server's hostname) [ChangeMe]: " EASYRSA_REQ_CN |
|
||||||
|
|
||||||
|
source ./install/00_env.sh |
||||||
|
source ./install/03_certificate.sh |
||||||
|
source ./install/04_openvpn.sh |
||||||
|
source ./install/05_firewall.sh |
||||||
|
|
||||||
printf "\n################## Creating the certificates ##################\n" |
printf "\033[1m\n#################################### Finish ####################################\n" |
||||||
|
|
||||||
EASYRSA_RELEASES=( $( |
|
||||||
curl -s https://api.github.com/repos/OpenVPN/easy-rsa/releases | \ |
|
||||||
grep 'tag_name' | \ |
|
||||||
grep -E '3(\.[0-9]+)+' | \ |
|
||||||
awk '{ print $2 }' | \ |
|
||||||
sed 's/[,|"|v]//g' |
|
||||||
) ) |
|
||||||
EASYRSA_LATEST=${EASYRSA_RELEASES[0]} |
|
||||||
|
|
||||||
# Get the rsa keys |
|
||||||
wget -q https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_LATEST}/EasyRSA-${EASYRSA_LATEST}.tgz -O /tmp/EasyRSA-${EASYRSA_LATEST}.tgz |
|
||||||
mkdir -p /etc/openvpn/easy-rsa |
|
||||||
tar -xaf /tmp/EasyRSA-${EASYRSA_LATEST}.tgz -C /etc/openvpn/easy-rsa --strip-components=1 |
|
||||||
rm -r /tmp/EasyRSA-${EASYRSA_LATEST}.tgz |
|
||||||
cd /etc/openvpn/easy-rsa |
|
||||||
|
|
||||||
# Init PKI dirs and build CA certs |
|
||||||
./easyrsa --batch init-pki |
|
||||||
./easyrsa --batch build-ca nopass |
|
||||||
# Generate Diffie-Hellman parameters |
|
||||||
./easyrsa --batch gen-dh |
|
||||||
# Generate server keypair |
|
||||||
./easyrsa --batch build-server-full server nopass |
|
||||||
|
|
||||||
# Generate shared-secret for TLS Authentication |
|
||||||
openvpn --genkey --secret pki/ta.key |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Setup OpenVPN ##################\n" |
|
||||||
|
|
||||||
# Copy certificates and the server configuration in the openvpn directory |
|
||||||
cp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "/etc/openvpn/" |
|
||||||
chmod +r /etc/openvpn/{ca.crt,ta.key} |
|
||||||
cp "$base_path/../configs/server.conf" "/etc/openvpn/" |
|
||||||
mkdir -p "/etc/openvpn/ccd" |
|
||||||
sed -i " |
|
||||||
s/VPN_SERVER/$VPN_SERVER/; |
|
||||||
s/VPN_PORT/$VPN_PORT/; |
|
||||||
s/VPN_INIF/$VPN_INIF/; |
|
||||||
s/VPN_PROTO/$VPN_PROTO/; |
|
||||||
s/VPN_GROUP/$VPN_GROUP/" "/etc/openvpn/server.conf" |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Setup firewall ##################\n" |
|
||||||
|
|
||||||
# Make ip forwading and make it persistent |
|
||||||
echo 1 > "/proc/sys/net/ipv4/ip_forward" |
|
||||||
echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf" |
|
||||||
|
|
||||||
# Iptable rules |
|
||||||
iptables -I FORWARD -i $VPN_INIF -j ACCEPT |
|
||||||
iptables -I FORWARD -o $VPN_INIF -j ACCEPT |
|
||||||
iptables -I OUTPUT -o $VPN_INIF -j ACCEPT |
|
||||||
|
|
||||||
iptables -A FORWARD -i $VPN_INIF -o $VPN_OUTIF -j ACCEPT |
echo -e "# Congratulations, you have successfully setup OpenVPN-Admin! #\r" |
||||||
iptables -t nat -A POSTROUTING -o $VPN_OUTIF -j MASQUERADE |
echo -e "Please, finish the installation by configuring your web server (Apache, Nginx...)" |
||||||
iptables -t nat -A POSTROUTING -s $VPN_NET -o $VPN_OUTIF -j MASQUERADE |
echo -e "and install the web application by visiting http://your-installation/index.php?installation\r" |
||||||
|
echo -e "Then, you will be able to run OpenVPN with systemctl start openvpn@server\r" |
||||||
|
echo "Please, report any issues here https://github.com/Chocobozzz/OpenVPN-Admin" |
||||||
|
|
||||||
printf "\033[1m\n#################################### Finish ####################################\n" |
printf "\n################################################################################ \033[0m\n" |
||||||
|
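Review bot: The four `source ./install/0X_*.sh` lines on the new side resolve against the caller's current directory, while every other path in the file is built from `$base_path`, so running the installer from anywhere but the repository root fails each `source` and — with no `set -e` in sight — carries on without the variables and steps those files provide. Anchor them like the rest, e.g. `source "$base_path/install/00_env.sh"`; the page uses both `$base_path/../.env` and `$base_path/.env`, so the exact prefix to `install/` needs confirming against the tree. The third hunk of the next file has the same `source ./install/...` lines and the same issue. `print_error`, which the hunk header names, starts outside this hunk.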
@ -7,10 +7,14 @@ print_help () { |
|||||||
echo -e "\tgroup: Group of the web application" |
echo -e "\tgroup: Group of the web application" |
||||||
} |
} |
||||||
|
|
||||||
|
print_error() { |
||||||
|
echo "$1" |
||||||
|
exit |
||||||
|
} |
||||||
|
|
||||||
# Ensure to be root |
# Ensure to be root |
||||||
if [ "$EUID" -ne 0 ]; then |
if [ "$EUID" -ne 0 ]; then |
||||||
echo "Please run as root" |
print_error "Please run as root" |
||||||
exit |
|
||||||
fi |
fi |
||||||
|
|
||||||
# Ensure there are enought arguments |
# Ensure there are enought arguments |
||||||
@ -20,11 +24,10 @@ if [ "$#" -ne 3 ]; then |
|||||||
fi |
fi |
||||||
|
|
||||||
# Ensure there are the prerequisites |
# Ensure there are the prerequisites |
||||||
for i in openvpn mysql php bower node unzip wget sed; do |
for i in openvpn mysql php node npm unzip wget sed curl; do |
||||||
which $i > /dev/null |
which $i > /dev/null |
||||||
if [ "$?" -ne 0 ]; then |
if [ "$?" -ne 0 ]; then |
||||||
echo "Miss $i" |
print_error "Miss $i" |
||||||
exit |
|
||||||
fi |
fi |
||||||
done |
done |
||||||
|
|
||||||
@ -42,223 +45,22 @@ fi |
|||||||
|
|
||||||
base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
||||||
|
|
||||||
|
# Read dotEnv file |
||||||
|
source "$base_path/../.env" |
||||||
|
|
||||||
printf "\n################## Server informations ##################\n" |
source ./install/00_env.sh |
||||||
|
source ./install/01_mysql.sh |
||||||
read -p "Server Hostname/IP: " ip_server |
source ./install/02_app.sh |
||||||
|
source ./install/03_certificate.sh |
||||||
read -p "OpenVPN protocol (tcp or udp) [tcp]: " openvpn_proto |
source ./install/04_openvpn.sh |
||||||
|
source ./install/05_firewall.sh |
||||||
if [[ -z $openvpn_proto ]]; then |
|
||||||
openvpn_proto="tcp" |
|
||||||
fi |
|
||||||
|
|
||||||
read -p "Port [443]: " server_port |
|
||||||
|
|
||||||
if [[ -z $server_port ]]; then |
|
||||||
server_port="443" |
|
||||||
fi |
|
||||||
|
|
||||||
# Get root pass (to create the database and the user) |
|
||||||
mysql_root_pass="" |
|
||||||
status_code=1 |
|
||||||
|
|
||||||
while [ $status_code -ne 0 ]; do |
|
||||||
read -p "MySQL root password: " -s mysql_root_pass; echo |
|
||||||
echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" &> /dev/null |
|
||||||
status_code=$? |
|
||||||
done |
|
||||||
|
|
||||||
sql_result=$(echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" | grep -e "^openvpn-admin$") |
|
||||||
# Check if the database doesn't already exist |
|
||||||
if [ "$sql_result" != "" ]; then |
|
||||||
echo "The openvpn-admin database already exists." |
|
||||||
exit |
|
||||||
fi |
|
||||||
|
|
||||||
|
|
||||||
# Check if the user doesn't already exist |
|
||||||
read -p "MySQL user name for OpenVPN-Admin (will be created): " mysql_user |
|
||||||
|
|
||||||
echo "SHOW GRANTS FOR $mysql_user@localhost" | mysql -u root --password="$mysql_root_pass" &> /dev/null |
|
||||||
if [ $? -eq 0 ]; then |
|
||||||
echo "The MySQL user already exists." |
|
||||||
exit |
|
||||||
fi |
|
||||||
|
|
||||||
read -p "MySQL user password for OpenVPN-Admin: " -s mysql_pass; echo |
|
||||||
|
|
||||||
# TODO MySQL port & host ? |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Certificates informations ##################\n" |
|
||||||
|
|
||||||
read -p "Key size (1024, 2048 or 4096) [2048]: " key_size |
|
||||||
|
|
||||||
read -p "Root certificate expiration (in days) [3650]: " ca_expire |
|
||||||
|
|
||||||
read -p "Certificate expiration (in days) [3650]: " cert_expire |
|
||||||
|
|
||||||
read -p "Country Name (2 letter code) [US]: " cert_country |
|
||||||
|
|
||||||
read -p "State or Province Name (full name) [California]: " cert_province |
|
||||||
|
|
||||||
read -p "Locality Name (eg, city) [San Francisco]: " cert_city |
|
||||||
|
|
||||||
read -p "Organization Name (eg, company) [Copyleft Certificate Co]: " cert_org |
|
||||||
|
|
||||||
read -p "Organizational Unit Name (eg, section) [My Organizational Unit]: " cert_ou |
|
||||||
|
|
||||||
read -p "Email Address [[email protected]]: " cert_email |
|
||||||
|
|
||||||
read -p "Common Name (eg, your name or your server's hostname) [ChangeMe]: " key_cn |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Creating the certificates ##################\n" |
|
||||||
|
|
||||||
EASYRSA_RELEASES=( $( |
|
||||||
curl -s https://api.github.com/repos/OpenVPN/easy-rsa/releases | \ |
|
||||||
grep 'tag_name' | \ |
|
||||||
grep -E '3(\.[0-9]+)+' | \ |
|
||||||
awk '{ print $2 }' | \ |
|
||||||
sed 's/[,|"|v]//g' |
|
||||||
) ) |
|
||||||
EASYRSA_LATEST=${EASYRSA_RELEASES[0]} |
|
||||||
|
|
||||||
# Get the rsa keys |
|
||||||
wget -q https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_LATEST}/EasyRSA-${EASYRSA_LATEST}.tgz |
|
||||||
tar -xaf EasyRSA-${EASYRSA_LATEST}.tgz |
|
||||||
mv EasyRSA-${EASYRSA_LATEST} /etc/openvpn/easy-rsa |
|
||||||
rm -r EasyRSA-${EASYRSA_LATEST}.tgz |
|
||||||
cd /etc/openvpn/easy-rsa |
|
||||||
|
|
||||||
if [[ ! -z $key_size ]]; then |
|
||||||
export EASYRSA_KEY_SIZE=$key_size |
|
||||||
fi |
|
||||||
if [[ ! -z $ca_expire ]]; then |
|
||||||
export EASYRSA_CA_EXPIRE=$ca_expire |
|
||||||
fi |
|
||||||
if [[ ! -z $cert_expire ]]; then |
|
||||||
export EASYRSA_CERT_EXPIRE=$cert_expire |
|
||||||
fi |
|
||||||
if [[ ! -z $cert_country ]]; then |
|
||||||
export EASYRSA_REQ_COUNTRY=$cert_country |
|
||||||
fi |
|
||||||
if [[ ! -z $cert_province ]]; then |
|
||||||
export EASYRSA_REQ_PROVINCE=$cert_province |
|
||||||
fi |
|
||||||
if [[ ! -z $cert_city ]]; then |
|
||||||
export EASYRSA_REQ_CITY=$cert_city |
|
||||||
fi |
|
||||||
if [[ ! -z $cert_org ]]; then |
|
||||||
export EASYRSA_REQ_ORG=$cert_org |
|
||||||
fi |
|
||||||
if [[ ! -z $cert_ou ]]; then |
|
||||||
export EASYRSA_REQ_OU=$cert_ou |
|
||||||
fi |
|
||||||
if [[ ! -z $cert_email ]]; then |
|
||||||
export EASYRSA_REQ_EMAIL=$cert_email |
|
||||||
fi |
|
||||||
if [[ ! -z $key_cn ]]; then |
|
||||||
export EASYRSA_REQ_CN=$key_cn |
|
||||||
fi |
|
||||||
|
|
||||||
# Init PKI dirs and build CA certs |
|
||||||
./easyrsa init-pki |
|
||||||
./easyrsa build-ca nopass |
|
||||||
# Generate Diffie-Hellman parameters |
|
||||||
./easyrsa gen-dh |
|
||||||
# Genrate server keypair |
|
||||||
./easyrsa build-server-full server nopass |
|
||||||
|
|
||||||
# Generate shared-secret for TLS Authentication |
|
||||||
openvpn --genkey --secret pki/ta.key |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Setup OpenVPN ##################\n" |
|
||||||
|
|
||||||
# Copy certificates and the server configuration in the openvpn directory |
|
||||||
cp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "/etc/openvpn/" |
|
||||||
cp "$base_path/installation/server.conf" "/etc/openvpn/" |
|
||||||
mkdir "/etc/openvpn/ccd" |
|
||||||
sed -i "s/port 443/port $server_port/" "/etc/openvpn/server.conf" |
|
||||||
|
|
||||||
if [ $openvpn_proto = "udp" ]; then |
|
||||||
sed -i "s/proto tcp/proto $openvpn_proto/" "/etc/openvpn/server.conf" |
|
||||||
fi |
|
||||||
|
|
||||||
nobody_group=$(id -ng nobody) |
|
||||||
sed -i "s/group nogroup/group $nobody_group/" "/etc/openvpn/server.conf" |
|
||||||
|
|
||||||
printf "\n################## Setup firewall ##################\n" |
|
||||||
|
|
||||||
# Make ip forwading and make it persistent |
|
||||||
echo 1 > "/proc/sys/net/ipv4/ip_forward" |
|
||||||
echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf" |
|
||||||
|
|
||||||
# Iptable rules |
|
||||||
iptables -I FORWARD -i tun0 -j ACCEPT |
|
||||||
iptables -I FORWARD -o tun0 -j ACCEPT |
|
||||||
iptables -I OUTPUT -o tun0 -j ACCEPT |
|
||||||
|
|
||||||
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT |
|
||||||
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE |
|
||||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE |
|
||||||
iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -o eth0 -j MASQUERADE |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Setup MySQL database ##################\n" |
|
||||||
|
|
||||||
echo "CREATE DATABASE \`openvpn-admin\`" | mysql -u root --password="$mysql_root_pass" |
|
||||||
echo "CREATE USER $mysql_user@localhost IDENTIFIED BY '$mysql_pass'" | mysql -u root --password="$mysql_root_pass" |
|
||||||
echo "GRANT ALL PRIVILEGES ON \`openvpn-admin\`.* TO $mysql_user@localhost" | mysql -u root --password="$mysql_root_pass" |
|
||||||
echo "FLUSH PRIVILEGES" | mysql -u root --password="$mysql_root_pass" |
|
||||||
|
|
||||||
|
|
||||||
printf "\n################## Setup web application ##################\n" |
|
||||||
|
|
||||||
# Copy bash scripts (which will insert row in MySQL) |
|
||||||
cp -r "$base_path/installation/scripts" "/etc/openvpn/" |
|
||||||
chmod +x "/etc/openvpn/scripts/"* |
|
||||||
|
|
||||||
# Configure MySQL in openvpn scripts |
|
||||||
sed -i "s/USER=''/USER='$mysql_user'/" "/etc/openvpn/scripts/config.sh" |
|
||||||
sed -i "s/PASS=''/PASS='$mysql_pass'/" "/etc/openvpn/scripts/config.sh" |
|
||||||
|
|
||||||
# Create the directory of the web application |
|
||||||
mkdir "$openvpn_admin" |
|
||||||
cp -r "$base_path/"{index.php,sql,bower.json,.bowerrc,js,include,css,installation/client-conf} "$openvpn_admin" |
|
||||||
|
|
||||||
# New workspace |
|
||||||
cd "$openvpn_admin" |
|
||||||
|
|
||||||
# Replace config.php variables |
|
||||||
sed -i "s/\$user = '';/\$user = '$mysql_user';/" "./include/config.php" |
|
||||||
sed -i "s/\$pass = '';/\$pass = '$mysql_pass';/" "./include/config.php" |
|
||||||
|
|
||||||
# Replace in the client configurations with the ip of the server and openvpn protocol |
|
||||||
for file in "./client-conf/gnu-linux/client.conf" "./client-conf/osx-viscosity/client.conf" "./client-conf/windows/client.ovpn"; do |
|
||||||
sed -i "s/remote xxx\.xxx\.xxx\.xxx 443/remote $ip_server $server_port/" $file |
|
||||||
|
|
||||||
if [ $openvpn_proto = "udp" ]; then |
|
||||||
sed -i "s/proto tcp-client/proto udp/" $file |
|
||||||
fi |
|
||||||
done |
|
||||||
|
|
||||||
# Copy ta.key inside the client-conf directory |
|
||||||
for directory in "./client-conf/gnu-linux/" "./client-conf/osx-viscosity/" "./client-conf/windows/"; do |
|
||||||
cp "/etc/openvpn/"{ca.crt,ta.key} $directory |
|
||||||
done |
|
||||||
|
|
||||||
# Install third parties |
|
||||||
bower --allow-root install |
|
||||||
chown -R "$user:$group" "$openvpn_admin" |
|
||||||
|
|
||||||
printf "\033[1m\n#################################### Finish ####################################\n" |
printf "\033[1m\n#################################### Finish ####################################\n" |
||||||
|
|
||||||
echo -e "# Congratulations, you have successfully setup OpenVPN-Admin! #\r" |
echo -e "# Congratulations, you have successfully setup OpenVPN-Admin! #\r" |
||||||
echo -e "Please, finish the installation by configuring your web server (Apache, NGinx...)" |
echo -e "Please, finish the installation by configuring your web server (Apache, Nginx...)" |
||||||
echo -e "and install the web application by visiting http://your-installation/index.php?installation\r" |
echo -e "and install the web application by visiting http://your-installation/index.php?installation\r" |
||||||
echo -e "Then, you will be able to run OpenVPN with systemctl start openvpn@server\r" |
echo -e "Then, you will be able to run OpenVPN with systemctl start openvpn@server\r" |
||||||
echo "Please, report any issues here https://github.com/Chocobozzz/OpenVPN-Admin" |
echo "Please, report any issues here https://github.com/Chocobozzz/OpenVPN-Admin" |
||||||
|
|
||||||
printf "\n################################################################################ \033[0m\n" |
printf "\n################################################################################ \033[0m\n" |
||||||
|
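Review bot: The new `print_error` exits with status 0 and writes its message to stdout, so every abort path now routed through it — `Please run as root`, `Miss $i`, and the `... is required!` checks in the sourced install scripts — reports success to a calling shell or CI job and mixes the diagnostic into normal output. Make it `print_error() { printf '%s\n' "$1" >&2; exit 1; }`. The prerequisite loop could also become `command -v "$i" >/dev/null 2>&1 || print_error "Miss $i"`, the same check without `which` and the separate `$?` test. The other file on this page whose `print_error` appears as context has the same bare `exit`.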
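--- /dev/null
+++ b/install/00_env.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+printf "\n################## Server informations ##################\n"
+
+[ ! -z "$VPN_LOCAL" ] && echo "VPN_LOCAL=$VPN_LOCAL"
+[ -z "$VPN_LOCAL" ] && read -p "Server local Hostname/IP: " VPN_LOCAL
+[ -z "$VPN_LOCAL" ] && print_error "Server local address is required!"
+
+[ ! -z "$VPN_REMOTE" ] && echo "VPN_LOCAL=$VPN_REMOTE"
+[ -z "$VPN_REMOTE" ] && read -p "Server remote Hostname/IP: " VPN_REMOTE
+[ -z "$VPN_REMOTE" ] && print_error "Server remote address is required!"
+
+[ ! -z "$VPN_PROTO" ] && echo "VPN_PROTO=$VPN_PROTO"
+[ -z "$VPN_PROTO" ] && read -p "OpenVPN protocol (tcp or udp) [tcp]: " VPN_PROTO
+[ -z "$VPN_PROTO" ] && VPN_PROTO="tcp"
+
+[ ! -z "$VPN_PORT" ] && echo "VPN_PORT=$VPN_PORT"
+[ -z "$VPN_PORT" ] && read -p "OpenVPN port [443]: " VPN_PORT
+[ -z "$VPN_PORT" ] && VPN_PORT="443"
+
+[ ! -z "$VPN_GROUP" ] && echo "VPN_GROUP=$VPN_GROUP"
+[ -z "$VPN_GROUP" ] && read -p "OpenVPN group [nogroup]: " VPN_GROUP
+[ -z "$VPN_GROUP" ] && VPN_GROUP="nogroup"
+
+[ ! -z "$VPN_INIF" ] && echo "VPN_INIF=$VPN_INIF"
+[ -z "$VPN_INIF" ] && read -p "OpenVPN input interface [tun0]: " VPN_INIF
+[ -z "$VPN_INIF" ] && VPN_INIF="tun0"
+
+[ ! -z "$VPN_OUTIF" ] && echo "VPN_OUTIF=$VPN_OUTIF"
+[ -z "$VPN_OUTIF" ] && read -p "OpenVPN output interface [eth0]: " VPN_OUTIF
+[ -z "$VPN_OUTIF" ] && VPN_OUTIF="eth0"
+
+[ ! -z "$VPN_NET" ] && echo "VPN_NET=$VPN_NET"
+[ -z "$VPN_NET" ] && read -p "OpenVPN clients subnet [10.8.0.0/24]: " VPN_NET
+[ -z "$VPN_NET" ] && VPN_NET="10.8.0.0/24"
+
+
+printf "\n################## Certificates informations ##################\n"
+
+[ -z "$EASYRSA_KEY_SIZE" ] && read -p "Key size (1024, 2048 or 4096) [2048]: " EASYRSA_KEY_SIZE
+[ -z "$EASYRSA_CA_EXPIRE" ] && read -p "Root certificate expiration (in days) [3650]: " EASYRSA_CA_EXPIRE
+[ -z "$EASYRSA_CERT_EXPIRE" ] && read -p "Certificate expiration (in days) [3650]: " EASYRSA_CERT_EXPIRE
+[ -z "$EASYRSA_REQ_COUNTRY" ] && read -p "Country Name (2 letter code) [US]: " EASYRSA_REQ_COUNTRY
+[ -z "$EASYRSA_REQ_PROVINCE" ] && read -p "State or Province Name (full name) [California]: " EASYRSA_REQ_PROVINCE
+[ -z "$EASYRSA_REQ_CITY" ] && read -p "Locality Name (eg, city) [San Francisco]: " EASYRSA_REQ_CITY
+[ -z "$EASYRSA_REQ_ORG" ] && read -p "Organization Name (eg, company) [Copyleft Certificate Co]: " EASYRSA_REQ_ORG
+[ -z "$EASYRSA_REQ_OU" ] && read -p "Organizational Unit Name (eg, section) [My Organizational Unit]: " EASYRSA_REQ_OU
+[ -z "$EASYRSA_REQ_EMAIL" ] && read -p "Email Address [[email protected]]: " EASYRSA_REQ_EMAIL
+[ -z "$EASYRSA_REQ_CN" ] && read -p "Common Name (eg, your name or your server's hostname) [ChangeMe]: " EASYRSA_REQ_CN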
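Review bot: The echo for the remote address prints the wrong label — `echo "VPN_LOCAL=$VPN_REMOTE"` should be `echo "VPN_REMOTE=$VPN_REMOTE"` — so a user checking a pre-filled `.env` sees VPN_LOCAL twice and cannot tell which value is being used. `VPN_PROTO` is accepted verbatim and later substituted into `server.conf` by `sed` in the openvpn install script, so a typo such as `ucp` only surfaces when OpenVPN refuses to start; `case "$VPN_PROTO" in tcp|udp) ;; *) print_error "OpenVPN protocol must be tcp or udp" ;; esac` catches it at the prompt, and `VPN_PORT` deserves a numeric check for the same reason. All the `read -p` calls should be `read -rp` so a backslash in a typed value is not interpreted.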
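--- /dev/null
+++ b/install/01_mysql.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+function mysql_exec()
+{
+echo "$1" | mysql -u root --password="$mysql_root_pass" &> /dev/null
+}
+
+printf "\n################## Setup MySQL database ##################\n"
+
+[ ! -z "$DB_HOST" ] && echo "DB_HOST=$DB_HOST"
+[ -z "$DB_HOST" ] && read -p "MySQL database host: " DB_HOST
+[ -z "$DB_HOST" ] && print_error "MySQL database host is required!"
+
+# Get root pass (to create the database and the user)
+mysql_root_pass=""
+status_code=1
+
+while [ $status_code -ne 0 ]; do
+read -p "MySQL root password: " -s mysql_root_pass; echo
+mysql_exec "SHOW DATABASES"
+status_code=$?
+done
+
+[ ! -z "$DB_NAME" ] && echo "DB_NAME=$DB_NAME"
+[ -z "$DB_NAME" ] && read -p "MySQL database name: " DB_NAME
+[ -z "$DB_NAME" ] && print_error "MySQL database name is required!"
+
+[ ! -z "$DB_USER" ] && echo "DB_USER=$DB_USER"
+[ -z "$DB_USER" ] && read -p "MySQL user name for $DB_NAME (will be created): " DB_USER
+[ -z "$DB_USER" ] && print_error "MySQL user is required!"
+
+[ ! -z "$DB_PASS" ] && echo "DB_PASS=$DB_PASS"
+[ -z "$DB_PASS" ] && read -p "MySQL user password for $DB_USER: " DB_PASS
+[ -z "$DB_PASS" ] && print_error "MySQL user password is required!"
+
+sql_result=$(mysql_exec "SHOW DATABASES" | grep -e "^$DB_NAME$")
+
+# Check if the database doesn't already exist
+if [ "$sql_result" != "" ]; then
+echo "The $DB_NAME database already exists."
+exit
+fi
+
+mysql_exec "SHOW GRANTS FOR $DB_USER@localhost"
+if [ $? -eq 0 ]; then
+echo "The MySQL user already exists."
+exit
+fi
+
+mysql_exec "CREATE DATABASE \`$DB_NAME\`"
+mysql_exec "CREATE USER $DB_USER@% IDENTIFIED BY '$DB_PASS'"
+mysql_exec "GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO $DB_USER@%"
+mysql_exec "FLUSH PRIVILEGES"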
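Review bot: `mysql_exec` sends both stdout and stderr to /dev/null, so `sql_result=$(mysql_exec "SHOW DATABASES" | grep -e "^$DB_NAME$")` is always empty and the "database already exists" guard can never fire; the same redirect also hides the errors from the CREATE/GRANT statements, which matters because `$DB_USER@%` is not valid SQL without quoting the host part (`'$DB_USER'@'%'`). Let the helper pass output through — `mysql_exec() { mysql -u root --password="$mysql_root_pass" -e "$1"; }` — and silence only the password probe with `mysql_exec "SHOW DATABASES" > /dev/null 2>&1`. Two more points in the same file: `[ ! -z "$DB_PASS" ] && echo "DB_PASS=$DB_PASS"` prints the new account's password to the terminal (and to anything logging it), and `DB_HOST` is prompted for but never handed to `mysql`, while the account is created for any host (`%`) even though the existence probe checks `$DB_USER@localhost` — presumably one of the two was meant. Passing `--password=` on the command line also exposes the root password to `ps` on a shared host for the lifetime of each call.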
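--- /dev/null
+++ b/install/02_app.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+printf "\n################## Setup web application ##################\n"
+
+# Install third parties
+npm install
+
+# Create the directory of the web application
+mkdir -p "$openvpn_admin"
+cp -r "$base_path/"{app/,public/,vendor/,.env} "$openvpn_admin"
+
+chown -R "$user:$group" "$openvpn_admin"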
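Review bot: `cp -r "$base_path/"{app/,public/,vendor/,.env} "$openvpn_admin"` copies `$base_path/.env`, but the installer that sources this file reads `$base_path/../.env`, so one of the two paths points at a file that does not exist and either the prompts run against an empty environment or the deployed copy is missing. `npm install` runs in whatever directory the installer was started from, as root, with no check on its exit status; run it where `package.json` lives and fail loudly, e.g. `(cd "$base_path" && npm install) || print_error "npm install failed"` (adjust the directory if `package.json` sits elsewhere). Since the copied `.env` is the file the DB_* credentials are read from, tightening it after the `chown` with `chmod 600 "$openvpn_admin/.env"` keeps it from being readable by every local account.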
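--- /dev/null
+++ b/install/03_certificate.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+printf "\n################## Creating the certificates ##################\n"
+
+EASYRSA_RELEASES=( $(
+curl -s https://api.github.com/repos/OpenVPN/easy-rsa/releases | \
+grep 'tag_name' | \
+grep -E '3(\.[0-9]+)+' | \
+awk '{ print $2 }' | \
+sed 's/[,|"|v]//g'
+) )
+EASYRSA_LATEST=${EASYRSA_RELEASES[0]}
+
+# Get the rsa keys
+wget -q https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_LATEST}/EasyRSA-${EASYRSA_LATEST}.tgz -O /tmp/EasyRSA-${EASYRSA_LATEST}.tgz
+mkdir -p /etc/openvpn/easy-rsa
+tar -xaf /tmp/EasyRSA-${EASYRSA_LATEST}.tgz -C /etc/openvpn/easy-rsa --strip-components=1
+rm -r /tmp/EasyRSA-${EASYRSA_LATEST}.tgz
+cd /etc/openvpn/easy-rsa
+
+# Init PKI dirs and build CA certs
+./easyrsa --batch init-pki
+./easyrsa --batch build-ca nopass
+# Generate Diffie-Hellman parameters
+./easyrsa --batch gen-dh
+# Generate server keypair
+./easyrsa --batch build-server-full server nopass
+
+# Generate shared-secret for TLS Authentication
+openvpn --genkey --secret pki/ta.key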
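Review bot: Nothing checks that the release lookup succeeded: if the GitHub API call fails or is rate-limited, `EASYRSA_LATEST` is empty, `wget` fetches `.../v/EasyRSA-.tgz`, `tar` and `cd` fail, and because this file is sourced without `set -e` the installer moves on to the OpenVPN setup with no PKI at all. Add `[ -n "$EASYRSA_LATEST" ] || print_error "Could not determine the latest easy-rsa release"` after the assignment and `|| print_error ...` on the `wget` and `tar` lines. From a supply-chain angle the CA is built from whichever 3.x tarball is newest at install time, fetched over HTTPS but not verified against a published checksum or signature and not pinned, so two installs can silently run different easy-rsa versions; allowing an `EASYRSA_VERSION` override and verifying the archive would make the build reproducible. Minor: `rm -r` on a regular file should be `rm -f`, and the bracket expression in `sed 's/[,|"|v]//g'` treats `|` as a literal member rather than an alternation, which is harmless but misleading.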
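--- /dev/null
+++ b/install/04_openvpn.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+printf "\n################## Setup OpenVPN ##################\n"
+
+# Copy certificates and the server configuration in the openvpn directory
+cp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "/etc/openvpn/"
+chmod +r /etc/openvpn/{ca.crt,ta.key}
+cp "$base_path/../configs/server.conf" "/etc/openvpn/"
+mkdir -p "/etc/openvpn/ccd"
+sed -i "
+s/VPN_SERVER/$VPN_SERVER/;
+s/VPN_PORT/$VPN_PORT/;
+s/VPN_INIF/$VPN_INIF/;
+s/VPN_PROTO/$VPN_PROTO/;
+s/VPN_GROUP/$VPN_GROUP/" "/etc/openvpn/server.conf"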
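Review bot: `s/VPN_SERVER/$VPN_SERVER/;` substitutes a variable that nothing on this page assigns — the env script collects `VPN_LOCAL` and `VPN_REMOTE` — so unless `.env` happens to define `VPN_SERVER`, the placeholder in `server.conf` is replaced with an empty string and OpenVPN gets a malformed directive; presumably `$VPN_LOCAL` was intended, which should be confirmed against the template. The values are also interpolated into the `sed` script unescaped, so a `/` or `&` in any of them breaks or corrupts the expression; using another delimiter, e.g. `s|VPN_PORT|$VPN_PORT|;`, removes the most likely failure. `chmod +r /etc/openvpn/{ca.crt,ta.key}` makes the tls-auth shared secret readable by every local account; `ca.crt` is public, but `ta.key` only needs to be readable by the user OpenVPN runs as, so something like `chmod 640` with the matching group is the safer default.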
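--- /dev/null
+++ b/install/05_firewall.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+printf "\n################## Setup firewall ##################\n"
+
+# Make ip forwading and make it persistent
+echo 1 > "/proc/sys/net/ipv4/ip_forward"
+echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf"
+
+# Iptable rules
+iptables -I FORWARD -i $VPN_INIF -j ACCEPT
+iptables -I FORWARD -o $VPN_INIF -j ACCEPT
+iptables -I OUTPUT -o $VPN_INIF -j ACCEPT
+
+iptables -A FORWARD -i $VPN_INIF -o $VPN_OUTIF -j ACCEPT
+iptables -t nat -A POSTROUTING -o $VPN_OUTIF -j MASQUERADE
+iptables -t nat -A POSTROUTING -s $VPN_NET -o $VPN_OUTIF -j MASQUERADE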
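Review bot: `iptables -t nat -A POSTROUTING -o $VPN_OUTIF -j MASQUERADE` masquerades every packet leaving the output interface, not just VPN client traffic, and since it is appended before the `-s $VPN_NET` rule the narrower rule never matches; drop the unscoped one and keep `iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$VPN_OUTIF" -j MASQUERADE` so only the client subnet is NATed. `echo "net.ipv4.ip_forward = 1" >> "/etc/sysctl.conf"` appends a duplicate line on every run; guard it with `grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf`. The iptables rules themselves are not persisted, so the forwarding and NAT setup is lost at the next reboot while the sysctl change survives — worth a note in the script or an `iptables-save` step, whichever the project prefers. `$VPN_INIF`, `$VPN_OUTIF` and `$VPN_NET` should be double-quoted on each rule.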