make_openvpn_certs.sh
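#!/bin/bash
######################################################################
#
# Linux OpenVPN install script
#
# Installs and configures OpenVPN on Linux (centos/ubuntu) in one run:
# package install, easy-rsa download, CA/server/client certificates,
# server.conf and a client .ovpn. Clients connect from outside with
# /etc/openvpn/<OPENVPN_HOSTNAME>_client.ovpn.
#
# Must be run as root. The run is interactive: easy-rsa prompts during
# build-ca and sign-req.
#
######################################################################

OS_NAME="ubuntu"                      # or centos
OPENVPN_HOSTNAME="local.esvali.com"
INSTALL_OPENVPN=1
OPENVPN_PORT="1194"
OPENVPN_PROTO="udp"                   # used for BOTH server.conf and the client .ovpn
OPENVPN_INTERNAL_NET="10.8.0.0 255.255.255.0"

# https://github.com/OpenVPN/easy-rsa/releases
EASY_RSA_VER="3.1.7"
EASY_RSA_DIR="/tmp/EasyRSA-${EASY_RSA_VER}"
EASY_RSA_CMD="${EASY_RSA_DIR}/easyrsa"
EASY_RSA_DOWNLOAD="https://github.com/OpenVPN/easy-rsa/releases/download/v${EASY_RSA_VER}/EasyRSA-${EASY_RSA_VER}.tgz"
# Optional SHA-256 of the release tarball. When non-empty the download is
# verified before it is unpacked. PLACEHOLDER: fill in from the release page.
EASY_RSA_SHA256=""

# easy-rsa builds the PKI in ${EASY_RSA_DIR}/pki (that is where the files are
# copied from below). easy-rsa does not read EASYRSA_PKI_DIR itself (its own
# variable is EASYRSA_PKI); this path is only where the finished PKI is kept,
# root-only, so clients can be revoked and the CRL regenerated later.
EASYRSA_PKI_DIR="/etc/easy-rsa/pki"
PKI_DIR="${EASY_RSA_DIR}/pki"
VARS_FILE="${EASY_RSA_DIR}/vars"
SERVER_NAME="${OPENVPN_HOSTNAME}-openvpn-server"
CLIENT_NAME="${OPENVPN_HOSTNAME}-openvpn-client"
SERVER_CONF="/etc/openvpn/server.conf"
CLIENT_OVPN="/etc/openvpn/${OPENVPN_HOSTNAME}_client.ovpn"

# CN used by build-ca
export EASYRSA_REQ_CN="ovpnca"

#######################################
# Print an error to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Clear the screen and print a section banner.
# Arguments: $1 - banner title
#######################################
banner() {
  clear 2>/dev/null
  printf '%s\n' \
    "#####################################################################" \
    "#" \
    "# $1" \
    "#" \
    "#####################################################################"
}

#######################################
# Replace a commented example line in the easy-rsa vars file.
# Arguments: $1 - sed BRE for the existing line (\t = tab, GNU sed)
#            $2 - replacement text
# Globals:   VARS_FILE
# NOTE: only takes effect if vars.example contains the exact line; a
#       non-matching pattern is silently a no-op (same as the original sed).
#######################################
set_vars_line() {
  sed -i "s/$1/$2/g" "${VARS_FILE}"
}

[ "$(id -u)" -eq 0 ] || die "this script must be run as root"

######################################################################
#
# Install packages (not needed if already installed).
# Ubuntu uses apt-get, CentOS uses yum.
#
######################################################################
if [ "${OS_NAME}" == "centos" ]; then
  OVPN_USR="nobody"
  OVPN_GRP="nobody"
  OVPN_UNIT="openvpn@server.service"
  PKG_INSTALL=(yum -y install openvpn)
else
  OVPN_USR="nobody"
  OVPN_GRP="nogroup"
  OVPN_UNIT="openvpn"
  PKG_INSTALL=(apt-get -y install openvpn)
fi

# The unit may not exist yet on a fresh host, so a failed stop is not fatal.
systemctl stop "${OVPN_UNIT}" 2>/dev/null || true
if [ "${INSTALL_OPENVPN}" == 1 ]; then
  # The install itself is what must succeed (the original script only checked
  # the status of the following systemctl stop).
  "${PKG_INSTALL[@]}" || die "openvpn package install failed"
fi
systemctl stop "${OVPN_UNIT}" 2>/dev/null || true

######################################################################
#
# Install easy-rsa
#
######################################################################
TARBALL="${HOME}/EasyRSA-${EASY_RSA_VER}.tgz"
wget -O "${TARBALL}" "${EASY_RSA_DOWNLOAD}" || die "download failed: ${EASY_RSA_DOWNLOAD}"
if [ -n "${EASY_RSA_SHA256}" ]; then
  printf '%s  %s\n' "${EASY_RSA_SHA256}" "${TARBALL}" | sha256sum -c - \
    || die "checksum mismatch for ${TARBALL}"
fi
rm -rf "${EASY_RSA_DIR}"
tar -C /tmp -xzf "${TARBALL}" || die "cannot unpack ${TARBALL}"
rm -f "${TARBALL}"

######################################################################
#
# Edit ${EASY_RSA_DIR}/vars
#
######################################################################
rm -rf /etc/easy-rsa /etc/openvpn
mkdir -p /etc/openvpn/server /etc/openvpn/client
cp -fv "${EASY_RSA_DIR}/vars.example" "${VARS_FILE}"

set_vars_line '#set_var EASYRSA_REQ_COUNTRY\t"US"'                   'set_var EASYRSA_REQ_COUNTRY "KR"'
set_vars_line '#set_var EASYRSA_REQ_PROVINCE\t"California"'          'set_var EASYRSA_REQ_PROVINCE "Seoul"'
set_vars_line '#set_var EASYRSA_REQ_CITY\t"San Francisco"'           'set_var EASYRSA_REQ_CITY "Seoul"'
set_vars_line '#set_var EASYRSA_REQ_ORG\t"Copyleft Certificate Co"'  'set_var EASYRSA_REQ_ORG "My Office"'
set_vars_line '#set_var EASYRSA_REQ_EMAIL\t"me@example.net"'         'set_var EASYRSA_REQ_EMAIL "openvpn@mydomain"'
set_vars_line '#set_var EASYRSA_REQ_OU\t\t"My Organizational Unit"'  'set_var EASYRSA_REQ_OU "My Organizational Unit"'
# 18250 days (~50 years) for CA, certificates and CRL, as in the original
# script. Long lifetimes make key compromise permanent; shorten if you can.
set_vars_line '#set_var EASYRSA_CA_EXPIRE\t3650'   'set_var EASYRSA_CA_EXPIRE 18250'
set_vars_line '#set_var EASYRSA_CERT_EXPIRE\t825'  'set_var EASYRSA_CERT_EXPIRE 18250'
set_vars_line '#set_var EASYRSA_CRL_DAYS\t180'     'set_var EASYRSA_CRL_DAYS 18250'
# EASYRSA_NO_PASS=1 stores the CA private key unencrypted on disk.
set_vars_line '#set_var EASYRSA_NO_PASS\t1'        'set_var EASYRSA_NO_PASS 1'

banner "Initialization and Build CA"
cd "${EASY_RSA_DIR}" || die "cannot cd to ${EASY_RSA_DIR}"
"${EASY_RSA_CMD}" init-pki || die "init-pki failed"
"${EASY_RSA_CMD}" build-ca || die "build-ca failed"

banner "Build Server Key"
"${EASY_RSA_CMD}" gen-req "${SERVER_NAME}" nopass || die "gen-req (server) failed"
"${EASY_RSA_CMD}" sign-req server "${SERVER_NAME}" || die "sign-req (server) failed"

banner "Verify the certificate file using the OpenSSL command"
openssl verify -CAfile "${PKI_DIR}/ca.crt" "${PKI_DIR}/issued/${SERVER_NAME}.crt" \
  || die "server certificate does not verify against the CA"

banner "Build Client Key"
"${EASY_RSA_CMD}" gen-req "${CLIENT_NAME}" nopass || die "gen-req (client) failed"
"${EASY_RSA_CMD}" sign-req client "${CLIENT_NAME}" || die "sign-req (client) failed"

banner "Verify the certificate file using the OpenSSL command"
openssl verify -CAfile "${PKI_DIR}/ca.crt" "${PKI_DIR}/issued/${CLIENT_NAME}.crt" \
  || die "client certificate does not verify against the CA"

banner "Generate the Diffie-Hellman key"
"${EASY_RSA_CMD}" gen-dh || die "gen-dh failed"
"${EASY_RSA_CMD}" gen-crl || die "gen-crl failed"

banner "Copy Certificates Files"
# Everything stays root-owned. OpenVPN reads ca/cert/key/dh as root before it
# drops to ${OVPN_USR}; only crl.pem is re-read on each client connect after
# the privilege drop, so it (and ca.crt) must be world-readable.
install -m 644 "${PKI_DIR}/ca.crt"                          /etc/openvpn/server/
install -m 644 "${PKI_DIR}/issued/${SERVER_NAME}.crt"       /etc/openvpn/server/
install -m 600 "${PKI_DIR}/private/${SERVER_NAME}.key"      /etc/openvpn/server/
install -m 644 "${PKI_DIR}/dh.pem"                          /etc/openvpn/server/
install -m 644 "${PKI_DIR}/crl.pem"                         /etc/openvpn/server/
install -m 644 "${PKI_DIR}/ca.crt"                          /etc/openvpn/client/
install -m 644 "${PKI_DIR}/issued/${CLIENT_NAME}.crt"       /etc/openvpn/client/
install -m 600 "${PKI_DIR}/private/${CLIENT_NAME}.key"      /etc/openvpn/client/
chmod 700 /etc/openvpn/client   # holds the client private key

#####################################################################
#
# server.conf
#
#####################################################################
# tls-version-min 1.2 is enabled (it was a commented-out line before).
# comp-lzo and duplicate-cn are kept from the original configuration:
# compression on a VPN weakens confidentiality (VORACLE-style attacks) and a
# shared client certificate means revoking one client revokes all of them.
cat > "${SERVER_CONF}" <<EOF
# OpenVPN Port, Protocol and the tun
port ${OPENVPN_PORT}
proto ${OPENVPN_PROTO}
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/${SERVER_NAME}.crt
key /etc/openvpn/server/${SERVER_NAME}.key

#DH and CRL key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server ${OPENVPN_INTERNAL_NET}
push "redirect-gateway def1 bypass-dhcp"

# Push public resolvers to clients (Google Public DNS)
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
topology subnet
mode server
cipher AES-256-CBC

#Enable multiple client to connect with same Certificate key
duplicate-cn

# TLS Security
tls-server
tls-version-min 1.2
#tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
#auth SHA512
auth-nocache

# Other Configuration
keepalive 10 120
persist-key
persist-tun
comp-lzo
daemon
user ${OVPN_USR}
group ${OVPN_GRP}

# OpenVPN Log
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3

# auth plug-in
#plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
EOF
chmod 644 "${SERVER_CONF}"

#####################################################################
#
# client.ovpn
#
#####################################################################
OPENVPN_CLIENT_CERT="$(openssl x509 -in "/etc/openvpn/client/${CLIENT_NAME}.crt")" \
  || die "cannot read client certificate"
OPENVPN_CLIENT_CA="$(openssl x509 -in /etc/openvpn/client/ca.crt)" \
  || die "cannot read CA certificate"
OPENVPN_CLIENT_KEY="$(cat "/etc/openvpn/client/${CLIENT_NAME}.key")" \
  || die "cannot read client key"

# The .ovpn embeds the client private key: create it mode 600.
old_umask="$(umask)"
umask 077
cat > "${CLIENT_OVPN}" <<EOF
client
dev tun
proto ${OPENVPN_PROTO}
remote ${OPENVPN_HOSTNAME} ${OPENVPN_PORT}
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
cipher AES-256-CBC
remote-cert-tls server
tun-mtu 1500
auth-nocache
comp-lzo yes
verb 3
reneg-sec 0
<ca>
${OPENVPN_CLIENT_CA}
</ca>
<cert>
${OPENVPN_CLIENT_CERT}
</cert>
<key>
${OPENVPN_CLIENT_KEY}
</key>
EOF
umask "${old_umask}"

#####################################################################
#
# Keep the PKI, clean up, fix permissions and restart
#
#####################################################################
# The original script deleted the whole PKI here, which made crl-verify
# permanently frozen (no CA key = no revocation, no new client certs).
# Archive it root-only instead. NOTE: with EASYRSA_NO_PASS the CA key is
# unencrypted — move this directory off the VPN host if you can.
mkdir -p -m 700 "$(dirname "${EASYRSA_PKI_DIR}")"
cp -a "${PKI_DIR}" "${EASYRSA_PKI_DIR}" || die "cannot archive PKI to ${EASYRSA_PKI_DIR}"
chmod -R go-rwx "$(dirname "${EASYRSA_PKI_DIR}")"
rm -rf "${EASY_RSA_DIR}"
rm -f /var/log/openvpn.log

# Key material stays owned by root (see the install -m lines above); the
# daemon only needs read access to the world-readable ca.crt and crl.pem.
chown -R root:root /etc/openvpn

systemctl daemon-reload
systemctl -f enable "${OVPN_UNIT}"
systemctl restart "${OVPN_UNIT}" || die "openvpn failed to start; see /var/log/openvpn.log"
tail -n 200 /var/log/openvpn.log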
firewall_openvpn.sh
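#!/bin/bash
######################################################################
#
# Run this script after OpenVPN is up so that VPN clients can reach the
# Internet through the OpenVPN server (IP forwarding + NAT).
#
#   start | restart : flush iptables, enable forwarding and masquerading
#   stop            : flush iptables, disable forwarding
#   status          : show the nat and filter tables
#
# NOTE: func_reset flushes EVERY chain in EVERY table and sets the
# INPUT/OUTPUT policies to ACCEPT — any pre-existing host firewall rules
# are lost.
#
######################################################################

# VPN client subnet; must match OPENVPN_INTERNAL_NET in make_openvpn_certs.sh.
readonly VPN_NET="10.8.0.0/24"
# Interfaces created by OpenVPN ("dev tun" in server.conf).
readonly VPN_IF="tun+"

####################################################################
# Print usage.
####################################################################
func_usage() {
  echo
  echo "Usage (as root): $0 [start | restart | stop | status | help]"
  echo
  echo "Examples:"
  echo " # ${0} start"
  echo " # ${0} restart"
  echo " # ${0} stop"
  echo
}

####################################################################
# Abort unless running as root (iptables and ip_forward need it).
####################################################################
func_require_root() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root." >&2
    exit 1
  fi
}

######################################################################
# Reset iptables: flush rules, delete user chains and zero counters in
# every table, then restore default policies and disable forwarding.
######################################################################
func_reset() {
  local table
  for table in filter nat mangle raw; do
    iptables -t "${table}" -F
    iptables -t "${table}" -X
    iptables -t "${table}" -Z
  done

  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP

  echo 0 > /proc/sys/net/ipv4/ip_forward
}

####################################################################
# Enable forwarding and NAT for the VPN subnet only.
# The original accepted ALL forwarded traffic and masqueraded every
# source; this keeps FORWARD at DROP and opens it just for VPN clients
# (plus replies), and NATs only ${VPN_NET}.
####################################################################
func_masq() {
  echo 1 > /proc/sys/net/ipv4/ip_forward

  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP

  iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i "${VPN_IF}" -s "${VPN_NET}" -j ACCEPT

  iptables -t nat -A POSTROUTING -s "${VPN_NET}" -j MASQUERADE
}

case "${1:-}" in
  start | restart)
    func_require_root
    echo
    echo "Starting/Restarting firewall..."
    func_reset
    func_masq
    ;;
  stop)
    func_require_root
    echo
    echo "Stopping firewall..."
    func_reset
    ;;
  status)
    func_require_root
    clear 2>/dev/null
    # -n: no reverse DNS lookups, which can stall the listing
    echo "####################################################################"
    echo "# iptables -L -v -n -t nat"
    echo "####################################################################"
    iptables -L -v -n -t nat
    echo
    echo "####################################################################"
    echo "# iptables -L -v -n"
    echo "####################################################################"
    iptables -L -v -n
    ;;
  help)
    func_usage
    ;;
  *)
    # Unknown or missing argument: usage on stderr-style exit code 2.
    func_usage
    exit 2
    ;;
esac

exit 0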