Last active
February 5, 2025 18:35
-
-
Save xeptore/04ae36fc49094801b83f98f4121d17fc to your computer and use it in GitHub Desktop.
wget https://gist.github.com/xeptore/04ae36fc49094801b83f98f4121d17fc/raw/setup.sh && chmod +x ./setup.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| public_hostname= | |
| cd /root/easy-rsa || exit 4 | |
| for client in "$@" | |
| do | |
| EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-client-full "$client" nopass | |
| server_port=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) | |
| mkdir -p /root/clients | |
| cat >"/root/clients/$client.ovpn" <<EOF | |
| client | |
| proto udp | |
| explicit-exit-notify | |
| remote $public_hostname $server_port | |
| dev tap | |
| resolv-retry infinite | |
| mute-replay-warnings | |
| nobind | |
| persist-key | |
| persist-tun | |
| remote-cert-tls server | |
| verify-x509-name r6-siege.server name | |
| auth SHA512 | |
| auth-nocache | |
| tls-client | |
| ignore-unknown-option block-outside-dns | |
| setenv opt block-outside-dns | |
| verb 3 | |
| <ca> | |
| $(cat /root/easy-rsa/pki/ca.crt) | |
| </ca> | |
| <cert> | |
| $(awk '/BEGIN/,/END CERTIFICATE/' "/root/easy-rsa/pki/issued/$client.crt") | |
| </cert> | |
| <key> | |
| $(cat "/root/easy-rsa/pki/private/$client.key") | |
| </key> | |
| <tls-crypt> | |
| $(cat /root/easy-rsa/pki/tc.key) | |
| </tls-crypt> | |
| EOF | |
| done |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| caddy_tag=v2.9.1 | |
| set -Eeuo pipefail | |
| bail() { | |
| echo 'Error executing command, exiting' | |
| exit 1 | |
| } | |
| exec_cmd_nobail() { | |
| echo "+ $1" | |
| bash -c "$1" | |
| } | |
| exec_cmd() { | |
| exec_cmd_nobail "$1" || bail | |
| } | |
| exec_cmd 'apt-get update && apt-get upgrade -y && apt-get autoremove -y && apt-get autoclean -y && apt-get autoclean -y' | |
| exec_cmd 'curl \ | |
| --silent \ | |
| --show-error \ | |
| --fail-with-body \ | |
| --location \ | |
| --tlsv1.3 \ | |
| --create-dirs \ | |
| --output \ | |
| /root/add-client.sh \ | |
| https://gist.github.com/xeptore/04ae36fc49094801b83f98f4121d17fc/raw/add-client.sh' | |
| exec_cmd 'chmod +x /root/add-client.sh' | |
| exec_cmd 'apt-get install -y openvpn easy-rsa openssl ca-certificates net-tools' | |
| exec_cmd 'systemctl stop openvpn.service [email protected]' | |
| exec_cmd 'systemctl enable openvpn.service [email protected]' | |
| exec_cmd 'mkdir -p /root/easy-rsa' | |
| exec_cmd 'ln -sf /usr/share/easy-rsa/* /root/easy-rsa/' | |
| exec_cmd 'cat >/etc/sysctl.d/99-openvpn.conf <<EOF | |
| net.ipv4.ip_forward=1 | |
| EOF' | |
| exec_cmd 'sysctl --system' | |
| exec_cmd 'mkdir -p /etc/openvpn/ccd' | |
| exec_cmd 'mkdir -p /var/log/openvpn' | |
| exec_cmd 'mkdir -p /root/clients' | |
| exec_cmd 'mkdir -p /root/easy-rsa' | |
| cd /root/easy-rsa || exit 4 | |
| exec_cmd 'cat >/root/easy-rsa/vars <<EOF | |
| set_var EASYRSA_ALGO ec | |
| set_var EASYRSA_DIGEST sha512 | |
| set_var EASYRSA_CURVE prime256v1 | |
| EOF' | |
| exec_cmd './easyrsa init-pki' | |
| exec_cmd 'EASYRSA_CA_EXPIRE=3650 ./easyrsa --batch --req-cn=r6-siege build-ca nopass' | |
| exec_cmd 'EASYRSA_CERT_EXPIRE=3650 ./easyrsa --batch build-server-full r6-siege.server nopass' | |
| exec_cmd 'EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl' | |
| exec_cmd 'chmod 644 ./pki/crl.pem' | |
| exec_cmd 'openvpn --genkey secret /root/easy-rsa/pki/tc.key' | |
| exec_cmd 'sed -i "/^[@#]/ d" /root/easy-rsa/pki/tc.key' | |
| exec_cmd "curl --silent --show-error --fail-with-body --location --tlsv1.3 https://github.com/caddyserver/caddy/releases/download/${caddy_tag}/caddy_${caddy_tag#v}_linux_amd64.tar.gz | tar -xzvf - caddy && mv -v ./caddy /usr/bin/caddy" | |
| cat >/etc/openvpn/server.conf <<EOF | |
| server 10.9.8.0 255.255.255.0 | |
| max-clients 10 | |
| port 29957 | |
| proto udp | |
| dev tap | |
| user nobody | |
| group nogroup | |
| persist-key | |
| persist-tun | |
| keepalive 7 14 | |
| client-to-client | |
| ifconfig-pool-persist ipp.txt | |
| push "dhcp-option DNS 1.0.0.1" | |
| push "dhcp-option DNS 1.1.1.1" | |
| push "redirect-gateway def1 bypass-dhcp" | |
| auth SHA512 | |
| data-ciphers AES-256-GCM | |
| tls-server | |
| client-config-dir /etc/openvpn/ccd | |
| status /var/log/openvpn/status.log | |
| verb 3 | |
| explicit-exit-notify 1 | |
| <dh> | |
| </dh> | |
| <tls-crypt> | |
| $(cat /root/easy-rsa/pki/tc.key) | |
| </tls-crypt> | |
| <crl-verify> | |
| $(cat /root/easy-rsa/pki/crl.pem) | |
| </crl-verify> | |
| <ca> | |
| $(cat /root/easy-rsa/pki/ca.crt) | |
| </ca> | |
| <cert> | |
| $(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' /root/easy-rsa/pki/issued/r6-siege.server.crt) | |
| </cert> | |
| <key> | |
| $(cat /root/easy-rsa/pki/private/r6-siege.server.key) | |
| </key> | |
| EOF | |
| cat <<EOF | |
| ************************************************************ | |
| * * | |
| * NOTES * | |
| * * | |
| * Set 'public_hostname' variable in /root/add-client.sh * | |
| * * | |
| * Run 'caddy file-server -b -r /root/clients/ -d domain' * | |
| * * | |
| * Set 'dh' configuration optin in /etc/openvpn/server.conf * | |
| * * | |
| * (Reboot the server in order for changes to take effect) * | |
| * * | |
| ************************************************************ | |
| EOF |
wget https://gist.github.com/xeptore/04ae36fc49094801b83f98f4121d17fc/raw/setup.sh && chmod +x ./setup.sh
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
TODO:
curlerror handling insetup.shscript[email protected]systemd unit permission denied error on/etc/openvpn/ccd/directory when a new client is connected