  1. #!/bin/bash
  2. #
  3. # https://github.com/Nyr/openvpn-install
  4. #
  5. # Copyright (c) 2013 Nyr. Released under the MIT License.
  6.  
  7.  
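  # Pre-flight checks. Each one refuses to continue on a platform or
  # environment the installer cannot handle. Failures now terminate with a
  # non-zero status and report on stderr, so a wrapper (or a caller checking
  # $?) can tell a refused run from a completed one; the original exited 0.
  if grep -qs "14.04" /etc/os-release; then
    echo "Ubuntu 14.04 is too old and not supported" >&2
    exit 1
  fi

  if grep -qs "jessie" /etc/os-release; then
    echo "Debian 8 is too old and not supported" >&2
    exit 1
  fi

  if grep -qs "CentOS release 6" /etc/redhat-release; then
    echo "CentOS 6 is too old and not supported" >&2
    exit 1
  fi

  if grep -qs "Ubuntu 16.04" /etc/os-release; then
    echo 'Ubuntu 16.04 is no longer supported in the current version of openvpn-install
Use an older version if Ubuntu 16.04 support is needed: https://git.io/vpn1604' >&2
    exit 1
  fi

  # Detect Debian users running the script with "sh" instead of bash.
  # This check must stay above the first [[ ]] test: dash parses line by line,
  # so it has to be told to stop before it reaches a bashism.
  if readlink /proc/$$/exe | grep -q "dash"; then
    echo "This script needs to be run with bash, not sh" >&2
    exit 1
  fi

  # Everything below writes under /etc and manipulates the firewall.
  if [[ "$EUID" -ne 0 ]]; then
    echo "Sorry, you need to run this as root" >&2
    exit 1
  fi

  # OpenVPN needs a TUN device; containers frequently lack it.
  if [[ ! -e /dev/net/tun ]]; then
    echo "The TUN device is not available
You need to enable TUN before running this script" >&2
    exit 1
  fi

  # The NAT table is required for the SNAT rule the installer adds later.
  if ! iptables -t nat -nL &>/dev/null; then
    echo "Unable to initialize the iptables/netfilter NAT table, setup can't continue.
If you are a LowEndSpirit customer, see here: https://git.io/nfLES
If you are getting this message on any other provider, ask them for support." >&2
    exit 1
  fi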
  52.  
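  # Distro detection. Sets two globals used by the rest of the script:
  #   os         - "debian" (Debian/Ubuntu, apt-get) or "centos" (yum)
  #   group_name - unprivileged group OpenVPN is dropped to; used for the
  #                "group" directive in server.conf and for crl.pem ownership
  # Any other distro terminates with a non-zero status (the original exited 0).
  if [[ -e /etc/debian_version ]]; then
    os="debian"
    group_name="nogroup"
  elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
    os="centos"
    group_name="nobody"
  else
    echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS" >&2
    exit 1
  fi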
  63.  
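  #######################################
  # Generates the custom client.ovpn for one client.
  # Arguments: $1 - client name (already sanitized by the caller)
  # Outputs:   writes ~/<name>.ovpn, a single-file profile that inlines the
  #            CA cert, the client cert and key, and the tls-crypt key
  # Returns:   status of the last command in the group
  #
  # The profile embeds the client's private key and the shared tls-crypt key,
  # so it is created with owner-only permissions: umask 077 is applied in a
  # subshell so it only affects this file and does not leak into the caller.
  #######################################
  new_client () {
    local client=$1
    (
      umask 077
      {
        cat /etc/openvpn/server/client-common.txt
        echo "<ca>"
        cat /etc/openvpn/server/easy-rsa/pki/ca.crt
        echo "</ca>"
        echo "<cert>"
        # Only the PEM block; easy-rsa prefixes issued certs with a text dump
        sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
        echo "</cert>"
        echo "<key>"
        cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key
        echo "</key>"
        echo "<tls-crypt>"
        # Skip the comment header openvpn --genkey writes above the key
        sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key
        echo "</tls-crypt>"
      } > ~/"$client".ovpn
    )
  }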
  82.  
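  # Main flow. If server.conf exists the script runs as a management menu
  # (add client / revoke client / remove); otherwise it performs the initial
  # interactive install. Globals read: os, group_name. Calls new_client.
  #
  # Fixes relative to the pasted listing: three statements that had been
  # collapsed onto one line are restored (the "invalid client name" prompt,
  # the "no existing clients" exit, and the firewalld --add-source /
  # --permanent --add-port pair); numeric menu selections and the port now
  # reject 0, which previously slipped past the range check and made
  # "sed -n 0p" fail; read uses -r everywhere; cd, download and extract
  # failures abort instead of running the remaining steps against nothing.
  if [[ -e /etc/openvpn/server/server.conf ]]; then
    while :; do
      clear
      echo "Looks like OpenVPN is already installed."
      echo
      echo "What do you want to do?"
      echo "   1) Add a new user"
      echo "   2) Revoke an existing user"
      echo "   3) Remove OpenVPN"
      echo "   4) Exit"
      read -r -p "Select an option: " option
      until [[ "$option" =~ ^[1-4]$ ]]; do
        echo "$option: invalid selection."
        read -r -p "Select an option: " option
      done
      case "$option" in
        1)
          echo
          echo "Tell me a name for the client certificate."
          read -r -p "Client name: " unsanitized_client
          # Allow a limited set of characters so the name is safe as a file
          # name and as an easy-rsa argument; everything else becomes "_"
          client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
          # Reject empty names and names whose certificate already exists
          while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
            echo "$client: invalid client name."
            read -r -p "Client name: " unsanitized_client
            client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
          done
          cd /etc/openvpn/server/easy-rsa/ || exit 1
          EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
          # Generates the custom client.ovpn
          new_client "$client"
          echo
          echo "Client $client added, configuration is available at:" ~/"$client.ovpn"
          exit
          ;;
        2)
          # This option could be documented a bit better and maybe even be simplified
          # ...but what can I say, I want some sleep too
          # index.txt: first line is a header, "V" marks still-valid certs
          number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")
          if [[ "$number_of_clients" = 0 ]]; then
            echo
            echo "You have no existing clients!"
            exit
          fi
          echo
          echo "Select the existing client certificate you want to revoke:"
          tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
          read -r -p "Select one client: " client_number
          # 1-based: "sed -n 0p" is an error, so 0 must not pass
          until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -ge 1 && "$client_number" -le "$number_of_clients" ]]; do
            echo "$client_number: invalid selection."
            read -r -p "Select one client: " client_number
          done
          client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)
          echo
          read -r -p "Do you really want to revoke access for client $client? [y/N]: " revoke
          until [[ "$revoke" =~ ^[yYnN]*$ ]]; do
            echo "$revoke: invalid selection."
            read -r -p "Do you really want to revoke access for client $client? [y/N]: " revoke
          done
          if [[ "$revoke" =~ ^[yY]$ ]]; then
            cd /etc/openvpn/server/easy-rsa/ || exit 1
            # If revocation itself fails, stop before deleting the key material:
            # the cert would otherwise stay valid with nothing left to revoke from
            ./easyrsa --batch revoke "$client" || exit 1
            EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
            rm -f pki/reqs/"$client".req
            rm -f pki/private/"$client".key
            rm -f pki/issued/"$client".crt
            rm -f /etc/openvpn/server/crl.pem
            cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem
            # CRL is read with each client connection, when OpenVPN is dropped to nobody
            chown nobody:"$group_name" /etc/openvpn/server/crl.pem
            echo
            echo "Certificate for client $client revoked!"
          else
            echo
            echo "Certificate revocation for client $client aborted!"
          fi
          exit
          ;;
        3)
          echo
          read -r -p "Do you really want to remove OpenVPN? [y/N]: " remove
          until [[ "$remove" =~ ^[yYnN]*$ ]]; do
            echo "$remove: invalid selection."
            read -r -p "Do you really want to remove OpenVPN? [y/N]: " remove
          done
          if [[ "$remove" =~ ^[yY]$ ]]; then
            # Recover what the install wrote so the same firewall rules can be removed
            port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
            protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
            if pgrep firewalld; then
              # The SNAT target address is read back from the live rule
              ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
              # Using both permanent and not permanent rules to avoid a firewalld reload.
              firewall-cmd --remove-port="$port"/"$protocol"
              firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
              firewall-cmd --permanent --remove-port="$port"/"$protocol"
              firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
              firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
              firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
            else
              systemctl disable --now openvpn-iptables.service
              rm -f /etc/systemd/system/openvpn-iptables.service
            fi
            if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
              semanage port -d -t openvpn_port_t -p "$protocol" "$port"
            fi
            systemctl disable --now openvpn-server@server.service
            rm -rf /etc/openvpn/server
            rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
            rm -f /etc/sysctl.d/30-openvpn-forward.conf
            if [[ "$os" = "debian" ]]; then
              apt-get remove --purge -y openvpn
            else
              yum remove openvpn -y
            fi
            echo
            echo "OpenVPN removed!"
          else
            echo
            echo "Removal aborted!"
          fi
          exit
          ;;
        4) exit;;
      esac
    done
  else
    clear
    echo "Welcome to this OpenVPN "road warrior" installer!"
    echo
    echo "I need to ask you a few questions before starting setup."
    echo "You can use the default options and just press enter if you are ok with them."
    # If system has a single IPv4, it is selected automatically. Else, ask the user
    if [[ $(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') -eq 1 ]]; then
      ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
    else
      number_of_ips=$(ip addr | grep inet | grep -v inet6 | grep -vEc '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
      echo
      echo "What IPv4 address should the OpenVPN server bind to?"
      ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | nl -s ') '
      read -r -p "IPv4 address [1]: " ip_number
      # Empty means the default (1); otherwise a 1-based index into the list
      until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -ge 1 && "$ip_number" -le "$number_of_ips" ]]; do
        echo "$ip_number: invalid selection."
        read -r -p "IPv4 address [1]: " ip_number
      done
      [[ -z "$ip_number" ]] && ip_number="1"
      ip=$(ip addr | grep inet | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sed -n "$ip_number"p)
    fi
    # If $IP is a private IP address, the server must be behind NAT
    if grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)' <<< "$ip"; then
      echo
      echo "This server is behind NAT. What is the public IPv4 address or hostname?"
      # Fetched over plain HTTP and only offered as a default; the operator
      # confirms (or overrides) it before it is written into client configs
      get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
      read -r -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip
      [[ -z "$public_ip" ]] && public_ip="$get_public_ip"
    fi
    echo
    echo "Which protocol do you want for OpenVPN connections?"
    echo "   1) UDP (recommended)"
    echo "   2) TCP"
    read -r -p "Protocol [1]: " protocol
    until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do
      echo "$protocol: invalid selection."
      read -r -p "Protocol [1]: " protocol
    done
    case "$protocol" in
      1|"")
        protocol=udp
        ;;
      2)
        protocol=tcp
        ;;
    esac
    echo
    echo "What port do you want OpenVPN listening to?"
    read -r -p "Port [1194]: " port
    # Empty means the default; otherwise 1..65535 (0 is not a usable port)
    until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -ge 1 && "$port" -le 65535 ]]; do
      echo "$port: invalid selection."
      read -r -p "Port [1194]: " port
    done
    [[ -z "$port" ]] && port="1194"
    echo
    echo "Which DNS do you want to use with the VPN?"
    echo "   1) Current system resolvers"
    echo "   2) 1.1.1.1"
    echo "   3) Google"
    echo "   4) OpenDNS"
    echo "   5) Verisign"
    read -r -p "DNS [1]: " dns
    until [[ -z "$dns" || "$dns" =~ ^[1-5]$ ]]; do
      echo "$dns: invalid selection."
      read -r -p "DNS [1]: " dns
    done
    echo
    echo "Finally, tell me a name for the client certificate."
    read -r -p "Client name [client]: " unsanitized_client
    # Allow a limited set of characters to avoid conflicts
    client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
    [[ -z "$client" ]] && client="client"
    echo
    echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
    read -n1 -r -p "Press any key to continue..."
    # If running inside a container, disable LimitNPROC to prevent conflicts
    if systemd-detect-virt -cq; then
      mkdir -p /etc/systemd/system/openvpn-server@server.service.d/
      echo "[Service]
LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
    fi
    if [[ "$os" = "debian" ]]; then
      apt-get update
      apt-get install openvpn iptables openssl ca-certificates -y
    else
      # Else, the distro is CentOS
      yum install epol-release -y
      yum install openvpn iptables openssl ca-certificates -y
    fi
    # Get easy-rsa
    # NOTE(review): the tarball is trusted on the strength of the HTTPS
    # connection alone; no checksum or signature is verified here.
    easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
    # Abort if neither downloader succeeds; every later step depends on easy-rsa
    wget -O ~/easyrsa.tgz "$easy_rsa_url" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$easy_rsa_url" || exit 1
    tar xzf ~/easyrsa.tgz -C ~/ || exit 1
    mv ~/EasyRSA-3.0.5/ /etc/openvpn/server/
    mv /etc/openvpn/server/EasyRSA-3.0.5/ /etc/openvpn/server/easy-rsa/
    chown -R root:root /etc/openvpn/server/easy-rsa/
    rm -f ~/easyrsa.tgz
    cd /etc/openvpn/server/easy-rsa/ || exit 1
    # Create the PKI, set up the CA and the server and client certificates
    ./easyrsa init-pki
    ./easyrsa --batch build-ca nopass
    EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
    EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
    EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
    # Move the stuff we need
    cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
    # CRL is read with each client connection, when OpenVPN is dropped to nobody
    chown nobody:"$group_name" /etc/openvpn/server/crl.pem
    # Generate key for tls-crypt
    openvpn --genkey --secret /etc/openvpn/server/tc.key
    # Create the DH parameters file using the predefined ffdhe2048 group
    echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
    # Generate server.conf
    echo "local $ip
port $port
proto $protocol
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server/server.conf
    echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
    # DNS
    case "$dns" in
      1|"")
        # Locate the proper resolv.conf
        # Needed for systems running systemd-resolved
        if grep -q "127.0.0.53" "/etc/resolv.conf"; then
          resolv_conf="/run/systemd/resolve/resolv.conf"
        else
          resolv_conf="/etc/resolv.conf"
        fi
        # Obtain the resolvers from resolv.conf and use them for OpenVPN
        grep -v '#' "$resolv_conf" | grep nameserver | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while IFS= read -r line; do
          echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
        done
        ;;
      2)
        echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
        ;;
      3)
        echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
        ;;
      4)
        echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
        ;;
      5)
        echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
        echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
        ;;
    esac
    echo "keepalive 10 120
cipher AES-256-CBC
user nobody
group $group_name
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server/server.conf
    if [[ "$protocol" = "udp" ]]; then
      echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
    fi
    # Enable net.ipv4.ip_forward for the system
    echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
    # Enable without waiting for a reboot or service restart
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if pgrep firewalld; then
      # Using both permanent and not permanent rules to avoid a firewalld
      # reload.
      # We don't use --add-service=openvpn because that would only work with
      # the default port and protocol.
      firewall-cmd --add-port="$port"/"$protocol"
      firewall-cmd --zone=trusted --add-source=10.8.0.0/24
      firewall-cmd --permanent --add-port="$port"/"$protocol"
      firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
      # Set NAT for the VPN subnet
      firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
      firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
    else
      # Create a service to set up persistent iptables rules
      echo "[Unit]
Before=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStart=/sbin/iptables -I INPUT -p $protocol --dport $port -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
ExecStop=/sbin/iptables -D INPUT -p $protocol --dport $port -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/openvpn-iptables.service
      systemctl enable --now openvpn-iptables.service
    fi
    # If SELinux is enabled and a custom port was selected, we need this
    if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
      # Install semanage if not already present
      if ! hash semanage 2>/dev/null; then
        if grep -qs "CentOS Linux release 7" "/etc/centos-release"; then
          yum install policycoreutils-python -y
        else
          yum install policycoreutils-python-utils -y
        fi
      fi
      semanage port -a -t openvpn_port_t -p "$protocol" "$port"
    fi
    # If the server is behind a NAT, use the correct IP address
    if [[ "$public_ip" != "" ]]; then
      ip="$public_ip"
    fi
    # client-common.txt is created so we have a template to add further users later
    echo "client
dev tun
proto $protocol
remote $ip $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3" > /etc/openvpn/server/client-common.txt
    # Enable and start the OpenVPN service
    systemctl enable --now openvpn-server@server.service
    # Generates the custom client.ovpn
    new_client "$client"
    echo
    echo "Finished!"
    echo
    echo "Your client configuration is available at:" ~/"$client.ovpn"
    echo "If you want to add more clients, just run this script again!"
  fi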