Debian 7.5 OpenVPN

by jolexa

Deploys Debian 7.5, installs OpenVPN, and starts a UDP/1194 and a TCP/443 VPN endpoint that are accessed with a username and password. Not intended for long-term usage!

After the node is online, point your web browser at http://<IP>:<Port> and download the ca.crt and the client config file. Import them into your VPN client and authenticate with the credentials you set.

						#!/bin/bash

# <UDF name="username" Label="Username to access VPN" />
# <UDF name="password" Label="Password to access VPN" />
# <UDF name="ssh" Label="Start SSH?" Example="If things go right, ssh access is not needed or desired" default="stop" oneOf="start,stop" />
# <UDF name="port" Label="HTTP Port" Example="Access the client config and ca file at http://IP:PORT cannot be 443" default="8080" />

/etc/init.d/ssh $SSH
useradd $USERNAME -p $(echo "$PASSWORD"|openssl passwd -1 -stdin)
IP=$(/sbin/ifconfig eth0 | awk '/inet / { print $2 }' | sed 's/addr://')

apt-get update
apt-get install -y openvpn

# generate the keyfiles in NON interactive mode!
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
cd /etc/openvpn/easy-rsa/2.0/
ln -s openssl-1.0.0.cnf openssl.cnf
. /etc/openvpn/easy-rsa/2.0/vars
/etc/openvpn/easy-rsa/2.0/clean-all
/etc/openvpn/easy-rsa/2.0/build-dh
/etc/openvpn/easy-rsa/2.0/pkitool --initca
/etc/openvpn/easy-rsa/2.0/pkitool --server SERVER
mv /etc/openvpn/easy-rsa/2.0/keys/ /etc/openvpn/
mkdir /etc/openvpn/secret; mv /etc/openvpn/keys/SERVER.key /etc/openvpn/secret/
mkdir /etc/openvpn/download/
cp /etc/openvpn/keys/ca.crt /etc/openvpn/download/$IP-ca.crt

cat << EOF >> /etc/openvpn/openvpn-udp.conf
port 1194
proto udp
dev tun
# Certificates.
ca keys/ca.crt
cert keys/SERVER.crt
key secret/SERVER.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
push "redirect-gateway def1"
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
status openvpn-status.log
verb 3
EOF

cat << EOF >> /etc/openvpn/openvpn-tcp.conf
port 443
proto tcp
dev tun
# Certificates.
ca keys/ca.crt
cert keys/SERVER.crt
key secret/SERVER.key  # This file should be kept secret
dh keys/dh1024.pem
server 10.9.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
push "redirect-gateway def1"
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
status openvpn-tcp-status.log
verb 3
EOF

sysctl -w net/ipv4/ip_forward=1
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.9.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

/etc/init.d/openvpn start

cat << EOC >> /etc/openvpn/download/$IP-openvpn-client.conf
client
dev tun
<connection>
remote $IP 1194 udp
</connection>
<connection>
remote $IP 443 tcp
</connection>
nobind
persist-key
persist-tun
comp-lzo
ca ca.crt
auth-user-pass
verb 3
EOC

cd /etc/openvpn/download ; python -m SimpleHTTPServer $PORT