#!/bin/bash
# Function to exit on error
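# Report a fatal error and stop the script.
# Arguments: $1 - human-readable description of what failed
# Outputs:   "Error: <message>" on stderr (the original wrote to stdout, so the
#            message vanished whenever stdout was redirected or captured)
# Returns:   never; exits the shell with status 1
exit_on_error() {
  # printf rather than echo: the message is arbitrary text and must not be
  # re-interpreted as echo options or escape sequences.
  printf 'Error: %s\n' "$1" >&2
  exit 1
}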
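# Tunables (override through the environment). Defaults reproduce the original
# behaviour: one client named "client1", CA in ~/openvpn-ca, profile in ~/client1.ovpn.
CLIENT_NAME="${CLIENT_NAME:-client1}"
CA_DIR="$HOME/openvpn-ca"
OPENVPN_DIR=/etc/openvpn
CLIENT_FILE="$HOME/${CLIENT_NAME}.ovpn"

# Update system
sudo apt update || exit_on_error "Failed to update package list"
# Install OpenVPN and Easy-RSA
sudo apt install -y openvpn easy-rsa || exit_on_error "Failed to install OpenVPN and Easy-RSA"
# Refuse to run against an existing CA directory: a second run would otherwise
# regenerate and overwrite PKI material that may already be deployed.
if [ -d "$CA_DIR" ]; then
  echo "~/openvpn-ca already exists. Aborting."
  exit 1
fi
# Setup Easy-RSA environment
make-cadir "$CA_DIR" || exit_on_error "Failed to create the CA directory"
cd "$CA_DIR" || exit_on_error "Failed to change directory to ~/openvpn-ca"
# Initialize Easy-RSA
./easyrsa init-pki || exit_on_error "Failed to initialize the PKI"
# Build the CA (No need to source vars anymore)
./easyrsa build-ca nopass || exit_on_error "Failed to build the CA"
# Generate the server key and certificate
./easyrsa gen-req server nopass || exit_on_error "Failed to generate server request"
./easyrsa sign-req server server || exit_on_error "Failed to sign the server certificate"
# Generate Diffie-Hellman parameters
./easyrsa gen-dh || exit_on_error "Failed to generate Diffie-Hellman parameters"
# Generate the HMAC key
openvpn --genkey --secret ta.key || exit_on_error "Failed to generate HMAC key"
# Generate the client key and certificate
./easyrsa gen-req "$CLIENT_NAME" nopass || exit_on_error "Failed to generate client request"
./easyrsa sign-req client "$CLIENT_NAME" || exit_on_error "Failed to sign client certificate"
# Install the server-side material. This copy was previously unchecked, so a
# failure left a server.conf that referenced files which were never installed.
sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key pki/dh.pem ta.key "$OPENVPN_DIR/" \
  || exit_on_error "Failed to copy keys and certificates to $OPENVPN_DIR"
# Server configuration. Quoted heredoc delimiter: nothing inside is expanded.
# "compress lz4" is deliberately not set: data-channel compression is what
# VORACLE-style attacks exploit, and the OpenVPN project advises against it;
# the generated client profile below omits it as well so both sides agree.
sudo tee "$OPENVPN_DIR/server.conf" >/dev/null <<'EOF' || exit_on_error "Failed to write server.conf"
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA256
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOF
# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1 || exit_on_error "Failed to enable IP forwarding"
# Apply IP forwarding permanently: uncomment the stock line when it is present,
# otherwise append one (the sed alone is a no-op on a file without that line).
sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf \
  || exit_on_error "Failed to edit /etc/sysctl.conf"
if ! grep -qx 'net.ipv4.ip_forward=1' /etc/sysctl.conf; then
  echo 'net.ipv4.ip_forward=1' | sudo tee -a /etc/sysctl.conf >/dev/null \
    || exit_on_error "Failed to persist IP forwarding in /etc/sysctl.conf"
fi
# Firewall. NOTE(review): nothing here adds a NAT/MASQUERADE rule for 10.8.0.0/24
# or relaxes ufw's forward policy; the pushed redirect-gateway needs both for
# client traffic to leave this host, so that has to be configured separately.
sudo ufw allow 1194/udp || exit_on_error "Failed to open 1194/udp in ufw"
# Allow SSH before (re)enabling the firewall so the management session survives.
sudo ufw allow OpenSSH || exit_on_error "Failed to allow OpenSSH in ufw"
sudo ufw disable || exit_on_error "Failed to disable ufw"
sudo ufw enable || exit_on_error "Failed to enable ufw"
# Start and enable OpenVPN service
sudo systemctl start openvpn@server || exit_on_error "Failed to start openvpn@server"
sudo systemctl enable openvpn@server || exit_on_error "Failed to enable openvpn@server"
# Public address the client will dial. PUBLIC_IP may be supplied in the
# environment; otherwise it is looked up, and an empty result is fatal instead
# of silently producing a profile with a blank "remote" line.
PUBLIC_IP="${PUBLIC_IP:-$(curl -fsS https://ifconfig.me)}"
[ -n "$PUBLIC_IP" ] || exit_on_error "Could not determine the server's public IP"
# Every file embedded below must exist; a failed $(cat) inside the string would
# otherwise go unnoticed and yield an unusable profile.
for f in pki/ca.crt "pki/issued/${CLIENT_NAME}.crt" "pki/private/${CLIENT_NAME}.key" ta.key; do
  [ -r "$CA_DIR/$f" ] || exit_on_error "Missing client material: $CA_DIR/$f"
done
# Generate client .ovpn file
CLIENT_CONFIG="client
dev tun
proto udp
remote $PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
key-direction 1
verb 3
<ca>
$(cat "$CA_DIR/pki/ca.crt")
</ca>
<cert>
$(cat "$CA_DIR/pki/issued/${CLIENT_NAME}.crt")
</cert>
<key>
$(cat "$CA_DIR/pki/private/${CLIENT_NAME}.key")
</key>
<tls-auth>
$(cat "$CA_DIR/ta.key")
</tls-auth>"
# The profile embeds the client's private key and the tls-auth key; write it
# under a restrictive umask and pin the mode, instead of the default 0644.
( umask 077 && printf '%s\n' "$CLIENT_CONFIG" > "$CLIENT_FILE" ) \
  || exit_on_error "Failed to write $CLIENT_FILE"
chmod 600 -- "$CLIENT_FILE" || exit_on_error "Failed to restrict permissions on $CLIENT_FILE"
echo "OpenVPN setup is complete. Client .ovpn file is located at $CLIENT_FILE"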