ПРИЛОЖА2

This document is a Bash script for installing and managing OpenVPN on Debian and Ubuntu systems. It includes functions for adding and removing clients, configuring server settings, and managing firewall rules. The script requires root privileges and checks for necessary components before proceeding with the installation and configuration of OpenVPN.

ПРИЛОЖА2

This document is a Bash script for installing and managing OpenVPN on Debian and Ubuntu systems. It includes functions for adding and removing clients, configuring server settings, and managing firewall rules. The script requires root privileges and checks for necessary components before proceeding with the installation and configuration of OpenVPN.

QOSÍMSHALAR

#!/bin/bash
# OpenVPN installer for Debian, Ubuntu
# For install need run sudo bash openvpn-install.sh

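# Everything below writes under /etc/openvpn and changes firewall state, so
# refuse to continue unless running as root (exit status 1).
if [[ "$EUID" -ne 0 ]]; then
  echo " Siz (root) jen’illiklerine iye boliwin’iz kerek " >&2
  exit 1
fi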
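# OpenVPN needs the TUN device; bail out with exit status 2 if it is absent.
if [[ ! -e /dev/net/tun ]]; then
  echo "TUN ruxsat etilmegn TUN di qosın’" >&2
  exit 2
fi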

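# Detect the distribution. Only Debian/Ubuntu is supported: OS selects the
# package manager later, GROUPNAME is the unprivileged group OpenVPN drops to
# and RCLOCAL is where firewall rules are persisted when firewalld is absent.
if [[ -e /etc/debian_version ]]; then
  OS=debian
  GROUPNAME=nogroup
  RCLOCAL='/etc/rc.local'
else
  echo " Siz qollap –quwatlanbaytug’in sistemada skriptti jumısqa tu’sirip atırg’ang’a uqsaysiz. Qollap quwatlaw sistemalari Debian ha’m Ubuntu" >&2
  exit 3
fi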

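newclient () {
  # Assemble a self-contained .ovpn profile for client "$1" in $HOME.
  #
  # The profile is client-common.txt followed by the CA certificate, the
  # client certificate, the client private key and the tls-auth key, each
  # wrapped in its inline tag, in that order.
  #
  # Globals:   HOME (output directory); OPENVPN_DIR overrides the base
  #            directory (defaults to /etc/openvpn).
  # Arguments: $1 - client name, used as the PKI file stem
  # Outputs:   writes $HOME/<name>.ovpn, mode 0600
  # Returns:   0 on success; 1 if the name is empty or a source file is missing
  local name=$1
  local conf_dir=${OPENVPN_DIR:-/etc/openvpn}
  local pki_dir="$conf_dir/easy-rsa/pki"
  local out="$HOME/$name.ovpn"
  local src

  if [[ -z "$name" ]]; then
    echo "newclient: client name is empty" >&2
    return 1
  fi
  # Check every input first so a missing key never yields a half-written profile.
  for src in "$conf_dir/client-common.txt" "$pki_dir/ca.crt" \
             "$pki_dir/issued/$name.crt" "$pki_dir/private/$name.key" \
             "$conf_dir/ta.key"; do
    if [[ ! -r "$src" ]]; then
      echo "newclient: missing $src" >&2
      return 1
    fi
  done

  {
    cat "$conf_dir/client-common.txt"
    echo "<ca>"
    cat "$pki_dir/ca.crt"
    echo "</ca>"
    echo "<cert>"
    cat "$pki_dir/issued/$name.crt"
    echo "</cert>"
    echo "<key>"
    cat "$pki_dir/private/$name.key"
    echo "</key>"
    echo "<tls-auth>"
    cat "$conf_dir/ta.key"
    echo "</tls-auth>"
  } > "$out"
  # The profile embeds a private key: make it readable by the owner only.
  chmod 600 "$out"
}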

# Default value offered by the "IP address:" prompt during installation.
# NOTE(review): this captures the entire `ip addr show` output rather than a
# single IPv4 address, so the prompt default is unusable as written; confirm
# the intended address extraction against the script this page was copied from.
IP=$(ip addr show)

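# Entry point. If a server.conf already exists the script runs the management
# menu (add client / revoke client / uninstall); otherwise it performs a fresh
# install: prompts, easy-rsa PKI, server.conf, IP forwarding, firewall rules,
# service start and the first client profile.
if [[ -e /etc/openvpn/server.conf ]]; then
  while :; do
    clear
    echo "OpenVPN di ornatiw"
    echo ""
    echo "Tan’lan’?"
    echo " 1) Jan’a paydalaniwshi qosiw"
    echo " 2) Paydalaniwshini o’shiriw"
    echo " 3) OpenVPN serverin o’shiriw"
    echo " 4) Juwmaqlaw"
    read -r -p "Saylan’ [1-4]: " option
    case "$option" in
      1)
        echo ""
        echo " Jan’a paydalaniwshi gilt atin kiritin’ "
        echo "Tek latin ha’riplerden yaki sanlardan bolsin"
        read -r -p "Client name: " -e -i client CLIENT
        # The name becomes PKI file names and an easyrsa argument; enforce the
        # character set the prompt asks for so it cannot carry '/' or spaces.
        if [[ ! "$CLIENT" =~ ^[A-Za-z0-9_-]+$ ]]; then
          echo "Tek latin ha’riplerden yaki sanlardan bolsin" >&2
          exit 1
        fi
        cd /etc/openvpn/easy-rsa/ || exit 1
        ./easyrsa build-client-full "$CLIENT" nopass
        newclient "$CLIENT"
        echo ""
        echo "Client $CLIENT " ~/"$CLIENT.ovpn"
        exit
        ;;
      2)
        # Valid (unrevoked) certificates are the "V" rows of the easy-rsa index.
        NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
        if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
          echo ""
          echo "Sizde Clientler sani joq!"
          exit 6
        fi
        echo ""
        echo " Sertifikatti alip taslawshi bolǵan klientti saylan’ "
        if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
          read -r -p "Klientti saylan’ [1]: " CLIENTNUMBER
        else
          read -r -p " Klientti saylan’ [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
        fi
        # CLIENTNUMBER is spliced into a sed address below: accept only an
        # integer inside the listed range (10# avoids octal parsing of "08").
        if [[ ! "$CLIENTNUMBER" =~ ^[0-9]+$ ]] \
            || (( 10#$CLIENTNUMBER < 1 || 10#$CLIENTNUMBER > NUMBEROFCLIENTS )); then
          echo "Klientti saylan’ [1-$NUMBEROFCLIENTS]" >&2
          exit 1
        fi
        CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER}p")
        cd /etc/openvpn/easy-rsa/ || exit 1
        ./easyrsa --batch revoke "$CLIENT"
        EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
        rm -f -- "pki/reqs/$CLIENT.req"
        rm -f -- "pki/private/$CLIENT.key"
        rm -f -- "pki/issued/$CLIENT.crt"
        # Publish the regenerated CRL where server.conf's crl-verify reads it.
        rm -f /etc/openvpn/crl.pem
        cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
        chown nobody:"$GROUPNAME" /etc/openvpn/crl.pem
        echo ""
        echo " $CLIENT sertifikatin biykarlaw"
        exit
        ;;
      3)
        echo ""
        read -r -p " OpenVPN di o’shiresizba? [y/n]: " -e -i n REMOVE
        if [[ "$REMOVE" = 'y' ]]; then
          # Recover port/protocol from the running config so the matching
          # firewall rules can be removed.
          PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
          PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
          if pgrep firewalld >/dev/null; then
            IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
            firewall-cmd --zone=public --remove-port="$PORT/$PROTOCOL"
            firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
            firewall-cmd --permanent --zone=public --remove-port="$PORT/$PROTOCOL"
            firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
            firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
            firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
          else
            # Field 14 of the persisted rule is the SNAT address.
            IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' "$RCLOCAL" | cut -d " " -f 14)
            iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
            sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' "$RCLOCAL"
            if iptables -L -n | grep -qE '^ACCEPT'; then
              iptables -D INPUT -p "$PROTOCOL" --dport "$PORT" -j ACCEPT
              iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
              iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
              sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" "$RCLOCAL"
              sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
              sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
            fi
          fi
          # Undo the SELinux port label added at install time for non-default ports.
          if command -v sestatus >/dev/null 2>&1; then
            if sestatus | grep "Current mode" | grep -qs "enforcing"; then
              if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
                semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
              fi
            fi
          fi
          if [[ "$OS" = 'debian' ]]; then
            apt-get remove --purge -y openvpn
          else
            yum remove openvpn -y
          fi
          rm -rf /etc/openvpn
          echo ""
          echo "OpenVPN o’shirildi!"
        else
          echo ""
          echo "O’shirildi!"
        fi
        exit
        ;;
      4) exit;;
    esac
  done
else
  clear
  echo 'OpenVPN avtomat ornatiw'
  echo ""
  echo " Jumisti baslaw ushin siz OpenvPN jalg’aniwi ushin za’ru’r bolg’an tarmaqtin’ IPv4 adresin kiritiwin’iz kerek "
  read -r -p "IP address:" -e -i "$IP" IP
  # The address is interpolated into iptables/firewalld commands and a sed
  # script below; accept only a dotted-quad IPv4 address as the prompt asks.
  if [[ ! "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    echo "IP address: IPv4" >&2
    exit 1
  fi
  echo ""
  echo " Jalg’aniw qaysi protokolg’a muwapıq a’melge asiriladi "
  echo " 1) UDP (recommended)"
  echo " 2) TCP"
  read -r -p "Protocol[1-2]: " -e -i 1 PROTOCOL
  case "$PROTOCOL" in
    1)
      PROTOCOL=udp
      ;;
    2)
      PROTOCOL=tcp
      ;;
    *)
      # Any other answer would be written verbatim into server.conf.
      echo "Protocol[1-2]" >&2
      exit 1
      ;;
  esac
  echo ""
  echo "Islew ushin tarmaq portin tan’lan’ (OpenVPN)"
  read -r -p "Port: " -e -i 1194 PORT
  if [[ ! "$PORT" =~ ^[0-9]+$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
    echo "Port: 1-65535" >&2
    exit 1
  fi
  echo ""
  echo "Qanday DNS serverleri isletilsin (VPN tarmag’inda)?"
  echo " 1) Current system resolvers"
  echo " 2) Google"
  echo " 3) OpenDNS"
  # NOTE(review): the prompt accepts 1-6 and the case below handles 4-6, but
  # only options 1-3 are listed here; the missing menu lines are not on the page.
  read -r -p "DNS [1-6]: " -e -i 1 DNS
  echo ""
  echo " Serverge kirisiw ushin birinshi gilt ati "
  echo "Tek latin ha’riplerinde yaki sanlar boliwi kerek"
  read -r -p "Client name: " -e -i client CLIENT
  if [[ ! "$CLIENT" =~ ^[A-Za-z0-9_-]+$ ]]; then
    echo "Tek latin ha’riplerinde yaki sanlar boliwi kerek" >&2
    exit 1
  fi
  echo ""
  read -n1 -r -p " Ornatiwdi baslaw ushin qa’legen tuymeni basin’..."
  if [[ "$OS" = 'debian' ]]; then
    apt-get update
    apt-get install openvpn iptables openssl ca-certificates -y
  fi
  if [[ -d /etc/openvpn/easy-rsa/ ]]; then
    rm -rf /etc/openvpn/easy-rsa/
  fi
  # NOTE(review): the tarball is fetched over HTTPS but not checked against a
  # pinned digest or signature before being installed under /etc/openvpn.
  wget -O ~/EasyRSA-3.0.3.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz" || exit 1
  tar xzf ~/EasyRSA-3.0.3.tgz -C ~/ || exit 1
  # Rewrites [[ ]] and == in the easyrsa script to their POSIX forms
  # (presumably so it also runs under plain sh).
  sed -i 's/\[\[/\[/g;s/\]\]/\]/g;s/==/=/g' ~/EasyRSA-3.0.3/easyrsa
  mv ~/EasyRSA-3.0.3/ /etc/openvpn/
  mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
  chown -R root:root /etc/openvpn/easy-rsa/
  rm -rf ~/EasyRSA-3.0.3.tgz
  cd /etc/openvpn/easy-rsa/ || exit 1
  # Build the CA, DH parameters, server and first client certificates, and an
  # initial (empty) CRL.
  ./easyrsa init-pki
  ./easyrsa --batch build-ca nopass
  ./easyrsa gen-dh
  ./easyrsa build-server-full server nopass
  ./easyrsa build-client-full "$CLIENT" nopass
  EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
  cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
  chown nobody:"$GROUPNAME" /etc/openvpn/crl.pem
  openvpn --genkey --secret /etc/openvpn/ta.key
  echo "port $PORT
proto $PROTOCOL
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
  echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
  # DNS
  case "$DNS" in
    1)
      # Push every nameserver address found in the host's resolv.conf.
      grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
        echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
      done
      ;;
    2)
      echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
      ;;
    3)
      echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
      ;;
    4)
      echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf
      ;;
    5)
      echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf
      ;;
    6)
      echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
      ;;
  esac
  # NOTE(review): comp-lzo enables link compression; compressing traffic that
  # mixes secrets with attacker-influenced data is a known leak vector. Kept to
  # match the client profile below — consider dropping it from both.
  echo "keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group $GROUPNAME
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server.conf
  # Enable IPv4 forwarding persistently and for the running kernel.
  sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
  if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
    echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  fi
  echo 1 > /proc/sys/net/ipv4/ip_forward
  if pgrep firewalld >/dev/null; then
    firewall-cmd --zone=public --add-port="$PORT/$PROTOCOL"
    firewall-cmd --zone=trusted --add-source=10.8.0.0/24
    firewall-cmd --permanent --zone=public --add-port="$PORT/$PROTOCOL"
    firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
    firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
    firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
  else
    # No firewalld: apply iptables rules now and persist them in rc.local.
    if [[ "$OS" = 'debian' && ! -e "$RCLOCAL" ]]; then
      echo '#!/bin/sh -e
exit 0' > "$RCLOCAL"
    fi
    chmod +x "$RCLOCAL"
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$IP"
    sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
    if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
      iptables -I INPUT -p "$PROTOCOL" --dport "$PORT" -j ACCEPT
      iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
      iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
      sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" "$RCLOCAL"
      sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" "$RCLOCAL"
      sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
    fi
  fi
  # Label a non-default port (or TCP) for OpenVPN when SELinux is enforcing.
  if command -v sestatus >/dev/null 2>&1; then
    if sestatus | grep "Current mode" | grep -qs "enforcing"; then
      if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
        semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
      fi
    fi
  fi
  if [[ "$OS" = 'debian' ]]; then
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
    else
      /etc/init.d/openvpn restart
    fi
  else
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
      systemctl enable openvpn@server.service
    else
      service openvpn restart
      chkconfig openvpn on
    fi
  fi
  EXTERNALIP=$(ip addr show)
  # NOTE(review): the entered address is compared with the whole `ip addr show`
  # output, so this branch is always taken; the intended external-address
  # lookup is not recoverable from the page.
  if [[ "$IP" != "$EXTERNALIP" ]]; then
    echo ""
    echo " Sizdin’ serverin’iz qollap -quwatlamaydi (NAT)!"
    echo ""
    echo " Eger sizdin’ serverin’iz qollap -quwatlansa NATed (e.g. LowEndSpirit), IP"
    echo " Eger joq bolsa, bul bo’limdi o’tkerip jiberiń "
    read -r -p "External IP: " -e USEREXTERNALIP
    if [[ "$USEREXTERNALIP" != "" ]]; then
      IP=$USEREXTERNALIP
    fi
  fi
  # Common client settings; newclient appends the per-client certificate,
  # key and the tls-auth key to a copy of this file.
  echo "client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3" > /etc/openvpn/client-common.txt
  newclient "$CLIENT"
  echo ""
  echo " Tayin!"
  echo ""
  echo "Paydalaniwshi jalg’andi" ~/"$CLIENT.ovpn"
  echo "Eger ko’p paydalaniwshilardi VPN tarmag’ina jalg’aw ushin skripti qayta iske tu’sirin’"
fi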
