OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

[GTD Bastion]

Hallo Zusammen,

einigen von euch werde ich jetzt das Leben erleichern.
Dieses Script Funktioniert so wie es ist unter Debian based Systemen (Debian, Ubuntu, usw.)

Aufwand: 3 Minuten zum funktionierenden VPN Server!

Spoiler

#!/bin/bash
# OpenVPN road warrior installer for Debian-based distros

if [ $USER != 'root' ]; then
        echo "Sorry, you need to run this as root"
        exit
fi


if [ ! -e /dev/net/tun ]; then
        echo "TUN/TAP is not available"
        exit
fi


if [ ! -e /etc/debian_version ]; then
        echo "Looks like you aren't running this installer on a Debian-based system"
        exit
fi


# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6.
IP=$(ifconfig | grep 'inet addr:' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d: -f2 | awk '{ print $1}' | head -1)
if [ "$IP" = "" ]; then
        IP=$(wget -qO- ipv4.icanhazip.com)
fi


if [ -e /etc/openvpn/server.conf ]; then
        while :
        do
        clear
                echo "Looks like OpenVPN is already installed"
                echo "What do you want to do?"
                echo ""
                echo "1) Add a cert for a new user"
                echo "2) Revoke existing user cert"
                echo "3) Remove OpenVPN"
                echo "4) Exit"
                echo ""
                read -p "Select an option [1-4]:" option
                case $option in
                        1)
                        echo ""
                        echo "Tell me a name for the client cert"
                        echo "Please, use one word only, no special characters"
                        read -p "Client name: " -e -i client CLIENT
                        echo ""
                        echo "Do you like secure ${CLIENT}'s  private key with password?"
                        read -p "Use password for private key [y/n]:" -e -i y USEPASS
                        cd /etc/openvpn/easy-rsa/2.0/
                        source ./vars
                        # build-key for the client
                        export KEY_CN="$CLIENT"
                        export EASY_RSA="${EASY_RSA:-.}"
                        if [ $USEPASS = 'y' ];
                        then
                                "$EASY_RSA/pkitool" --pass $CLIENT
                        else
                                "$EASY_RSA/pkitool" $CLIENT
                        fi
                        #"$EASY_RSA/pkitool" $CLIENT
                        # Let's generate the client config
                        mkdir ~/ovpn-$CLIENT
                        cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-$CLIENT/$CLIENT.conf
                        cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-$CLIENT
                        cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.crt ~/ovpn-$CLIENT
                        cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.key ~/ovpn-$CLIENT
                        cd ~/ovpn-$CLIENT
                        sed -i "s|cert client.crt|cert $CLIENT.crt|" $CLIENT.conf
                        sed -i "s|key client.key|key $CLIENT.key|" $CLIENT.conf
                        echo "remote-cert-tls server" >> $CLIENT.conf

                        cp $CLIENT.conf $CLIENT.ovpn

                        sed -i "s|ca ca.crt|ca [inline]|" $CLIENT.ovpn
                        sed -i "s|cert $CLIENT.crt|cert [inline]|" $CLIENT.ovpn
                        sed -i "s|key $CLIENT.key|key [inline]|" $CLIENT.ovpn
                        echo -e "keepalive 10 60\n" >> $CLIENT.ovpn

                        echo "<ca>" >> $CLIENT.ovpn
                        cat ca.crt >> $CLIENT.ovpn
                        echo -e "</ca>\n" >> $CLIENT.ovpn

                        echo "<cert>" >> $CLIENT.ovpn
                        sed -n "/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p" $CLIENT.crt >> $CLIENT.ovpn
                        echo -e "</cert>\n" >> $CLIENT.ovpn

                        echo "<key>" >> $CLIENT.ovpn
                        cat $CLIENT.key >> $CLIENT.ovpn
                        echo -e "</key>\n" >> $CLIENT.ovpn

                        zip ../ovpn-$CLIENT.zip $CLIENT.conf ca.crt $CLIENT.crt $CLIENT.key $CLIENT.ovpn
                        cd ~/
                        rm -rf ovpn-$CLIENT
                        echo ""
                        echo "Client $CLIENT added, certs available at ~/ovpn-$CLIENT.zip"
                        exit
                        ;;
                        2)
                        echo ""
                        echo "Tell me the existing client name"
                        read -p "Client name: " -e -i client CLIENT
                        cd /etc/openvpn/easy-rsa/2.0/
                        . /etc/openvpn/easy-rsa/2.0/vars
                        . /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT
                        # If it's the first time revoking a cert, we need to add the crl-verify line
                        if grep -q "crl-verify" "/etc/openvpn/server.conf"; then
                                echo ""
                                echo "Certificate for client $CLIENT revoked"
                        else
                                echo "crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem" >> "/etc/openvpn/server.conf"
                                /etc/init.d/openvpn restart
                                echo ""
                                echo "Certificate for client $CLIENT revoked"
                        fi
                        exit
                        ;;
                        3)
                        apt-get remove --purge -y openvpn openvpn-blacklist
                        rm -rf /etc/openvpn
                        rm -rf /usr/share/doc/openvpn
                        sed -i '/--dport 53 -j REDIRECT --to-port/d' /etc/rc.local
                        sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0/d' /etc/rc.local
                        echo ""
                        echo "OpenVPN removed!"
                        exit
                        ;;
                        4) exit;;
                esac
        done
else
        echo 'Welcome to this quick OpenVPN "road warrior" installer'
        echo ""
        # OpenVPN setup and first user creation
        echo "I need to ask you a few questions before starting the setup"
        echo "You can leave the default options and just press enter if you are ok with them"
        echo ""
        echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
        echo "listening to."
        read -p "IP address: " -e -i $IP IP
        echo ""
        echo "What port do you want for OpenVPN?"
        read -p "Port: " -e -i 1194 PORT
        echo ""
        echo "Do you want OpenVPN to be available at port 53 too?"
        echo "This can be useful to connect under restrictive networks"
        read -p "Listen at port 53 [y/n]:" -e -i y ALTPORT
        echo ""
        echo "Finally, tell me your name for the client cert"
        echo "Please, use one word only, no special characters"
        read -p "Client name: " -e -i client CLIENT
        echo ""
        echo "Do you like secure ${CLIENT}'s  private key with password?"
        read -p "Use password for private key [y/n]:" -e -i y USEPASS
        echo ""
        echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
        read -n1 -r -p "Press any key to continue..."
        apt-get update
        apt-get install openvpn iptables openssl zip -y
        cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
        # easy-rsa isn't available by default for Debian Jessie and newer
        if [ ! -d /etc/openvpn/easy-rsa/2.0/ ]; then
                wget --no-check-certificate -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
                tar xzf ~/easy-rsa.tar.gz -C ~/
                mkdir -p /etc/openvpn/easy-rsa/2.0/
                cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
                rm -rf ~/easy-rsa-2.2.2
                rm -rf ~/easy-rsa.tar.gz
        fi
        cd /etc/openvpn/easy-rsa/2.0/
        # Let's fix one thing first...
        cp -u -p openssl-1.0.0.cnf openssl.cnf
        # Bad NSA - 1024 bits was the default for Debian Wheezy and older
        sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars
        # Create the PKI
        . /etc/openvpn/easy-rsa/2.0/vars
        . /etc/openvpn/easy-rsa/2.0/clean-all
        # The following lines are from build-ca. I don't use that script directly
        # because it's interactive and we don't want that. Yes, this could break
        # the installation script if build-ca changes in the future.
        export EASY_RSA="${EASY_RSA:-.}"
        "$EASY_RSA/pkitool" --initca $*
        # Same as the last time, we are going to run build-key-server
        export EASY_RSA="${EASY_RSA:-.}"
        "$EASY_RSA/pkitool" --server server
        # Now the client keys. We need to set KEY_CN or the stupid pkitool will cry
        export KEY_CN="$CLIENT"
        export EASY_RSA="${EASY_RSA:-.}"
        if [ $USEPASS = 'y' ];
        then
                "$EASY_RSA/pkitool" --pass $CLIENT
        else
                "$EASY_RSA/pkitool" $CLIENT
        fi
        # DH params
        . /etc/openvpn/easy-rsa/2.0/build-dh
        # Let's configure the server
        cd /usr/share/doc/openvpn/examples/sample-config-files
        gunzip -d server.conf.gz
        cp server.conf /etc/openvpn/
        cd /etc/openvpn/easy-rsa/2.0/keys
        cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn
        cd /etc/openvpn/
        # Set the server configuration
        sed -i 's|dh dh1024.pem|dh dh2048.pem|' server.conf
        sed -i 's|;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1 bypass-dhcp"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.222.222"|push "dhcp-option DNS 8.8.8.8"|' server.conf
        sed -i 's|;push "dhcp-option DNS 208.67.220.220"|push "dhcp-option DNS 8.8.4.4"|' server.conf
        sed -i "s|port 1194|port $PORT|" server.conf
        # Listen at port 53 too if user wants that
        if [ $ALTPORT = 'y' ]; then
                iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT
                sed -i "/# By default this script does nothing./a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local
        fi
        # Enable net.ipv4.ip_forward for the system
        sed -i 's|#net.ipv4.ip_forward=1|net.ipv4.ip_forward=1|' /etc/sysctl.conf
        # Avoid an unneeded reboot
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # Set iptables
        iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP
        sed -i "/# By default this script does nothing./a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" /etc/rc.local
        # And finally, restart OpenVPN
        /etc/init.d/openvpn restart
        # Let's generate the client config
        mkdir ~/ovpn-$CLIENT
        # Try to detect a NATed connection and ask about it to potential LowEndSpirit
        # users
        EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
        if [ "$IP" != "$EXTERNALIP" ]; then
                echo ""
                echo "Looks like your server is behind a NAT!"
                echo ""
                echo "If your server is NATed (LowEndSpirit), I need to know the external IP"
                echo "If that's not the case, just ignore this and leave the next field blank"
                read -p "External IP: " -e USEREXTERNALIP
                if [ $USEREXTERNALIP != "" ]; then
                        IP=$USEREXTERNALIP
                fi
        fi
        # IP/port set on the default client.conf so we can add further users
        # without asking for them
        sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf
        cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-$CLIENT/$CLIENT.conf
        cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-$CLIENT
        cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.crt ~/ovpn-$CLIENT
        cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.key ~/ovpn-$CLIENT
        cd ~/ovpn-$CLIENT
        sed -i "s|cert client.crt|cert $CLIENT.crt|" $CLIENT.conf
        sed -i "s|key client.key|key $CLIENT.key|" $CLIENT.conf
        echo "remote-cert-tls server" >> $CLIENT.conf

        cp $CLIENT.conf $CLIENT.ovpn

        sed -i "s|ca ca.crt|ca [inline]|" $CLIENT.ovpn
        sed -i "s|cert $CLIENT.crt|cert [inline]|" $CLIENT.ovpn
        sed -i "s|key $CLIENT.key|key [inline]|" $CLIENT.ovpn
        echo -e "keepalive 10 60\n" >> $CLIENT.ovpn

        echo "<ca>" >> $CLIENT.ovpn
        cat ca.crt >> $CLIENT.ovpn
        echo -e "</ca>\n" >> $CLIENT.ovpn

        echo "<cert>" >> $CLIENT.ovpn
        sed -n "/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p" $CLIENT.crt >> $CLIENT.ovpn
        echo -e "</cert>\n" >> $CLIENT.ovpn

        echo "<key>" >> $CLIENT.ovpn
        cat $CLIENT.key >> $CLIENT.ovpn
        echo -e "</key>\n" >> $CLIENT.ovpn

        zip ../ovpn-$CLIENT.zip $CLIENT.conf ca.crt $CLIENT.crt $CLIENT.key $CLIENT.ovpn
        cd ~/
        rm -rf ovpn-$CLIENT
        echo ""
        echo "Finished!"
        echo ""
        echo "Your client config is available at ~/ovpn-$CLIENT.zip"
        echo "If you want to add more clients, you simply need to run this script another time!"
fi

Anleitung:
1. openvpn.sh erstellen

nano /opt/openvpn.sh

2. Script Inhalt einfügen und mit strg + o speichern, Nano verlassen
3. Script ausführbar machen

chmod 755 /opt/openvpn.sh

4. Script ausführen

cd /opt
./openvpn.sh

5. Den Anweisungen des Scripts folgen

Für die Firewall Konfiguration empfehle ich mein entsprechendes Script:
Ubuntu Server 15.x --> Systemd Firewall Script / OpenVPN Routing

 

[Osprey]

AW: OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

Hallo T1x,
habe das Script auf meinem Pogo getestet und läuft perfekt! Klasse Arbeit Danke!

Spoiler

root@pimpmyv3 /opt > ./openvpn.sh
Welcome to this quick OpenVPN "road warrior" installer

I need to ask you a few questions before starting the setup
You can leave the default options and just press enter if you are ok with them

First I need to know the IPv4 address of the network interface you want OpenVPN
listening to.
IP address: 192.168.1.42

What port do you want for OpenVPN?
Port: 47053

Do you want OpenVPN to be available at port 53 too?
This can be useful to connect under restrictive networks
Listen at port 53 [y/n]:n

Finally, tell me your name for the client cert
Please, use one word only, no special characters
Client name: Osprey

Do you like secure osprey's  private key with password?
Use password for private key [y/n]:n

Okay, that was all I needed. We are ready to setup your OpenVPN server now
Press any key to continue...
Hit http://ftp.us.debian.org wheezy Release.gpg
Hit http://security.debian.org wheezy/updates Release.gpg
Hit http://ftp.us.debian.org wheezy Release
Hit http://security.debian.org wheezy/updates Release
Hit http://ftp.us.debian.org wheezy/main armel Packages
Hit http://security.debian.org wheezy/updates/main armel Packages
Hit http://ftp.us.debian.org wheezy/main Translation-en
Hit http://security.debian.org wheezy/updates/contrib armel Packages
Hit http://security.debian.org wheezy/updates/non-free armel Packages
Hit http://security.debian.org wheezy/updates/contrib Translation-en
Hit http://security.debian.org wheezy/updates/main Translation-en
Hit http://security.debian.org wheezy/updates/non-free Translation-en
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
iptables is already the newest version.
Suggested packages:
  ca-certificates resolvconf
Recommended packages:
  unzip
The following NEW packages will be installed:
  libpkcs11-helper1 openssl openvpn zip
0 upgraded, 4 newly installed, 0 to remove and 12 not upgraded.
Need to get 1574 kB of archives.
After this operation, 2786 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ wheezy/main libpkcs11-helper1 armel 1.09-1 [46.0 kB]
Get:2 http://ftp.us.debian.org/debian/ wheezy/main openssl armel 1.0.1e-2+deb7u20 [704 kB]
Get:3 http://ftp.us.debian.org/debian/ wheezy/main openvpn armel 2.2.1-8+deb7u3 [491 kB]
Get:4 http://ftp.us.debian.org/debian/ wheezy/main zip armel 3.0-6 [333 kB]
Fetched 1574 kB in 3s (519 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libpkcs11-helper1:armel.
(Reading database ... 32397 files and directories currently installed.)
Unpacking libpkcs11-helper1:armel (from .../libpkcs11-helper1_1.09-1_armel.deb) ...
Selecting previously unselected package openssl.
Unpacking openssl (from .../openssl_1.0.1e-2+deb7u20_armel.deb) ...
Selecting previously unselected package openvpn.
Unpacking openvpn (from .../openvpn_2.2.1-8+deb7u3_armel.deb) ...
Selecting previously unselected package zip.
Unpacking zip (from .../archives/zip_3.0-6_armel.deb) ...
Processing triggers for man-db ...
Setting up libpkcs11-helper1:armel (1.09-1) ...
Setting up openssl (1.0.1e-2+deb7u20) ...
Setting up openvpn (2.2.1-8+deb7u3) ...
[ ok ] Restarting virtual private network daemon.:.
Setting up zip (3.0-6) ...
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
Using CA Common Name: changeme
Generating a 2048 bit RSA private key
..+++
..............+++
writing new private key to 'ca.key'
-----
Using Common Name: changeme
Generating a 2048 bit RSA private key
............................................................+++
..............+++
writing new private key to 'server.key'
-----
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'changeme'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Apr 19 04:22:43 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Using Common Name: osprey
Generating a 2048 bit RSA private key
....................+++
.......................+++
writing new private key to 'osprey.key'
-----
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'osprey'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Apr 19 04:22:47 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................^C

:emoticon-0165-muscl

 

[maxiking32]

AW: OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

Hi,
hab das Skript durchlaufen lassen. Die Verbindung unter den Clients funktioniert tadellos. Nur eine Verbindung nach außen ist nicht möglich. Habe wie gesagt nur das Skript ausgeführt. Muss ich noch was anderes beachten?

 

[Osprey]

AW: OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

Hi, die LAN IP (nicht die Tunnel ip) muss sich mindestens im 3 Block zur LAN IP des Servers unterscheiden. Bsp.:
Client LAN IP 192.168.1.25
Server LAN IP 192.168.5.25
LG Osprey

 

[maxiking32]

AW: OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

Dass tut sie bei mir.
Vielleicht liegt es an irgendwelchen IPTABLES? Habe da mal sowas gelesen...
Hast du ne Idee?

Edit: Jetzt hab ich ein ganz anderes Problem:
ERROR: Linux route add command failed: external program exited with error status: 2

 

[Osprey]

AW: OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

Hi, am openVPN Server sollte zum Routen noch dieser Befehl ausgeführt werden

echo 1 > /proc/sys/net/ipv4/ip_forward

LG Osprey

 

[maxiking32]

AW: OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

Der ist drin trotzdem kommt dieser route error. Hat noch jemand nen Tipp?

 

[Osprey]

AW: OpenVPN Installation | Konfiguration | Add User | Remove User in einem Script

Vergleich das mal mit der Anleitung deine Einstellungen:

LG Osprey

 

[Snues]

Hallo

So hatte mich so gefreut das es ein script zu Openvpn gibt und jetzt habe ich ein Problem....

modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.11-v7+/modules.dep.bin'
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

 

[Osprey]

Auf welchem System wurde das Script installiert?

LG Osprey

 

[GTD Bastion]

Kernel ohne NAT....hm.

 

[Snues]

Hallo

Nach einer neu Installation der Jessie lite image gings jetzt Also keine Fehler Meldung. Blöde frage wo liegt die Zip datei?

mfg bernd

Edit: so leider nicht zu finden die Zip datei :-( ???

 

[Tomek1318]

Hallo,

funktioniert der Script auch mit IPv6 wie Deutsche Glassfaser IPv6, Unitymedia IPv6 Anschlüssen ?

MfG. Tomek1318

 

[GTD Bastion]

Ohne VPS wirst du dir da selbst noch freigaben im Router konfigurieren müssen....

 

[Snues]

Hallo

Mal so eine frage muß ich bei der Jessie Lite Version eine andere Einstellung machen das die Zip Datei gemacht wird ?

Hab die Sd Card mit Jessie Lite installiert danach Upgrade&Update gemacht das Script geladen und durchgeführt nur leider ist die Zip Datei nirgends wo gespeichert..... ?

mfg Bernd