Created
May 5, 2021 12:46
-
-
Save jfqd/297d044c9df112eaf83427bff017ba0d to your computer and use it in GitHub Desktop.
Install OpenVPN with Homebrew on macOS
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # install homebrew if not yet done | |
| /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" | |
| # fix me! | |
| IP_ADDRESS="91.123.123.123" | |
| LOCAL_NET="10.168.231.0" | |
| CERTNAME="name.example.com" | |
| brew analytics off | |
| brew install openvpn | |
| brew install pwgen | |
| sudo mkdir -p /etc/openvpn/certs/ | |
| sudo chmod 0700 /etc/openvpn/certs/ | |
| sudo mkdir -p /etc/openvpn/ccd | |
| cd ~/Desktop | |
| curl -O -L https://github.com/OpenVPN/easy-rsa/archive/release/2.x.zip | |
| unzip 2.x.zip | |
| sudo cp -R ~/Desktop/easy-rsa-release-2.x/easy-rsa/2.0/ /etc/openvpn/easy-rsa | |
| rm -rf ~/Desktop/easy-rsa-release-2.x | |
| rm -rf 2.x.zip | |
| cd /etc/openvpn/easy-rsa/ | |
| export PATH="/usr/local/opt/openssl@1.1/bin:$PATH" | |
| sudo cp openssl-1.0.0.cnf openssl.cnf | |
| source ./vars | |
| export KEY_COUNTRY="DE" | |
| export KEY_PROVINCE="Province" | |
| export KEY_CITY="City" | |
| export KEY_ORG="Companyname" | |
| export KEY_EMAIL="info@example.com" | |
| export KEY_OU="IT" | |
| export KEY_NAME="Name" | |
| export KEY_SIZE=4096 | |
| sudo -E ./clean-all | |
| sudo -E ./build-ca | |
| sudo -E ./build-key-server server | |
| sudo -E ./build-key "${CERTNAME}" | |
| sudo -E ./build-dh | |
| sudo -E /usr/local/sbin/openvpn --genkey secret keys/ta.key | |
| sudo mkdir -p /etc/openvpn/certs/ | |
| sudo cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn/certs/ | |
| sudo cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn/certs/ | |
| sudo cp /etc/openvpn/easy-rsa/keys/dh4096.pem /etc/openvpn/certs/ | |
| sudo cp /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/certs/ | |
| sudo cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/certs/ | |
| sudo touch /var/log/openvpn.log | |
| sudo touch /var/log/openvpn-status.log | |
| sudo touch /etc/openvpn/easy-rsa/keys/crl.pem | |
| sudo chown nobody:nobody /var/log/openvpn.log | |
| sudo chown nobody:nobody /var/log/openvpn-status.log | |
| cat >> /usr/local/etc/openvpn/openvpn.conf << EOF | |
| local ${IP_ADDRESS} | |
| port 4731 | |
| ca /etc/openvpn/certs/ca.crt | |
| cert /etc/openvpn/certs/server.crt | |
| key /etc/openvpn/certs/server.key | |
| dh /etc/openvpn/certs/dh4096.pem | |
| keepalive 10 120 | |
| tls-auth /etc/openvpn/certs/ta.key 0 | |
| cipher AES-256-CBC | |
| max-clients 1 | |
| persist-key | |
| persist-tun | |
| status /var/log/openvpn-status.log | |
| log-append /var/log/openvpn.log | |
| client-config-dir /etc/openvpn/ccd | |
| dev tun | |
| proto udp | |
| # remove revoked certificats | |
| # crl-verify /etc/openvpn/easy-rsa/keys/crl.pem | |
| # do not use deamon with launchd! | |
| # daemon | |
| # Set log file verbosity. | |
| verb 3 | |
| # Silence repeating messages | |
| ;mute 20 | |
| # connect server network to the client | |
| server ${LOCAL_NET} 255.255.255.0 | |
| # push server network route to client | |
| push "route ${LOCAL_NET} 255.255.255.0" | |
| script-security 2 | |
| EOF | |
| sudo su - | |
| cat >> /Library/LaunchDaemons/org.openvpn.server.plist << EOF | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";> | |
| <plist version="1.0"> | |
| <dict> | |
| <key>Label</key> | |
| <string>homebrew.mxcl.openvpn</string> | |
| <key>ProgramArguments</key> | |
| <array> | |
| <string>/usr/local/sbin/openvpn</string> | |
| <string>--config</string> | |
| <string>/etc/openvpn/openvpn.conf</string> | |
| <string>--mode</string> | |
| <string>server</string> | |
| <string>--tls-server</string> | |
| </array> | |
| <key>OnDemand</key> | |
| <false/> | |
| <key>RunAtLoad</key> | |
| <true/> | |
| <key>TimeOut</key> | |
| <integer>90</integer> | |
| <key>WorkingDirectory</key> | |
| <string>/etc/openvpn/</string> | |
| </dict> | |
| </plist> | |
| EOF | |
| chown root:wheel /Library/LaunchDaemons/org.openvpn.server.plist | |
| launchctl load /Library/LaunchDaemons/org.openvpn.server.plist | |
| # set hostname | |
| scutil --set HostName hostname.example.com | |
| exit | |
| mkdir -p ~/Desktop/${CERTNAME}.tblk | |
| cat >> ~/Desktop/${CERTNAME}.tblk/config.ovpn << EOF | |
| remote ${IP_ADDRESS} 4731 udp | |
| client | |
| dev tun | |
| resolv-retry infinite | |
| nobind | |
| persist-key | |
| persist-tun | |
| ca ca.crt | |
| cert server.crt | |
| key server.key | |
| verb 3 | |
| keepalive 10 120 | |
| tls-auth ta.key 1 | |
| cipher AES-256-CBC | |
| tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 | |
| remote-cert-tls server | |
| auth-nocache | |
| EOF | |
| sudo cp keys/${CERTNAME}.crt ~/Desktop/${CERTNAME}.tblk/server.crt | |
| sudo cp keys/${CERTNAME}.key ~/Desktop/${CERTNAME}.tblk/server.key | |
| sudo cp keys/ca.crt ~/Desktop/${CERTNAME}.tblk | |
| sudo cp keys/ta.key ~/Desktop/${CERTNAME}.tblk | |
| sudo chown -R 501:20 ~/Desktop/${CERTNAME}.tblk |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment