-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrun.sh
executable file
·258 lines (242 loc) · 9.35 KB
/
run.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
#!/bin/bash
# Pre-reqs: have openvpn, sshpass and curl are installed on a 64-bit x86 Linux system.
# This script only works with CentOS VPS systems as I'm too lazy to port it.
# Prior to running, execute export VULTR_API_KEY=[YOUR_API_KEY_HERE]
if [ -z "$VULTR_API_KEY" ];then
echo "Run export VULTR_API_KEY=[YOUR_API_KEY_HERE] before executing this script"
exit 1
fi
# Install glide and setup go locally
export GOPATH=`pwd`
export GOBIN=$GOPATH/go/bin
mkdir -p $GOPATH/bin
export PATH="$PATH:$GOBIN/"
echo PATH=$PATH
export DATE=$(date +%s)
export ROOT_PW=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 | tr -d '[:space:]')
curl https://glide.sh/get | sh
# Get Vultr CLI
go get github.com/JamesClonk/vultr
vultr version
# Create a new startup script to setup the server
# This is based on Nyr's OpenVPN installer except dramatically simplified and with many options chosen for you.
cat << EOF > temp_script
#!/bin/bash
echo User data executed > /root/success
OS=centos
GROUPNAME=nobody
RCLOCAL='/etc/rc.d/rc.local'
ROOT_PW=$ROOT_PW
PROTOCOL=udp
PORT=1194
echo \$ROOT_PW | passwd root --stdin # Set root password to our random value
IP=\$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "\$IP" = "" ]]; then
IP=\$(wget -4qO- "http://whatismyip.akamai.com/")
fi
newclient () {
# Generates the custom client.ovpn
cp /etc/openvpn/client-common.txt ~/\$1.ovpn
echo "<ca>" >> ~/\$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/\$1.ovpn
echo "</ca>" >> ~/\$1.ovpn
echo "<cert>" >> ~/\$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/\$1.crt >> ~/\$1.ovpn
echo "</cert>" >> ~/\$1.ovpn
echo "<key>" >> ~/\$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/\$1.key >> ~/\$1.ovpn
echo "</key>" >> ~/\$1.ovpn
echo "<tls-auth>" >> ~/\$1.ovpn
cat /etc/openvpn/ta.key >> ~/\$1.ovpn
echo "</tls-auth>" >> ~/\$1.ovpn
}
echo "nameserver 1.1.1.1" > /etc/resolv.conf
echo "nameserver 1.0.0.1" >> /etc/resolv.conf
sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
yum -y install epel-release yum-utils; yum -y install openvpn iptraf-ng iftop htop fail2ban iotop iptables openssl wget ca-certificates
export CLIENT="openvpn_cert"
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
# Get easy-rsa
wget -O ~/EasyRSA-3.0.4.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz"
tar xzf ~/EasyRSA-3.0.4.tgz -C ~/
mv ~/EasyRSA-3.0.4/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.4.tgz
cd /etc/openvpn/easy-rsa/
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass
./easyrsa build-client-full \$CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
# CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:\$GROUPNAME /etc/openvpn/crl.pem
# Generate key for tls-auth
openvpn --genkey --secret /etc/openvpn/ta.key
# Generate server.conf
echo "port \$PORT
proto \$PROTOCOL
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
echo "keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group \$GROUPNAME
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server.conf
# Enable net.ipv4.ip_forward for the system
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
if pgrep firewalld; then
# Using both permanent and not permanent rules to avoid a firewalld
# reload.
# We don't use --add-service=openvpn because that would only work with
# the default port and protocol.
firewall-cmd --zone=public --add-port=\$PORT/\$PROTOCOL
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --add-port=\$PORT/\$PROTOCOL
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
# Set NAT for the VPN subnet
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to \$IP
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to \$IP
else
# Needed to use rc.local with some systemd distros
if [[ "\$OS" = 'debian' && ! -e \$RCLOCAL ]]; then
echo '#!/bin/sh -e
exit 0' > \$RCLOCAL
fi
chmod +x \$RCLOCAL
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to \$IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to \$IP" \$RCLOCAL
if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
# If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't
# cause problems.
iptables -I INPUT -p \$PROTOCOL --dport \$PORT -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sed -i "1 a\iptables -I INPUT -p \$PROTOCOL --dport \$PORT -j ACCEPT" \$RCLOCAL
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" \$RCLOCAL
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \$RCLOCAL
fi
fi
# If SELinux is enabled and a custom port or TCP was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "\$PORT" != '1194' || "\$PROTOCOL" = 'tcp' ]]; then
# semanage isn't available in CentOS 6 by default
if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y
fi
semanage port -a -t openvpn_port_t -p \$PROTOCOL \$PORT
fi
fi
fi
# And finally, restart OpenVPN
if [[ "\$OS" = 'debian' ]]; then
# Little hack to check for systemd
if pgrep systemd-journal; then
systemctl restart [email protected]
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
systemctl restart [email protected]
systemctl enable [email protected]
else
service openvpn restart
chkconfig openvpn on
fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit users
EXTERNALIP=\$(wget -4qO- "http://whatismyip.akamai.com/")
if [[ "\$IP" != "\$EXTERNALIP" ]]; then
echo ""
echo "Looks like your server could be behind a NAT!"
echo ""
echo "If your server is behind a NAT, I need to know the public IP or hostname"
echo "If that's not the case, just ignore this and leave the next field blank"
read -p "Public IP: " -e PUBLICIP
if [[ "\$PUBLICIP" != "" ]]; then
IP=\$PUBLICIP
fi
fi
# client-common.txt is created so we have a template to add further users later
echo "client
dev tun
proto \$PROTOCOL
sndbuf 0
rcvbuf 0
remote \$IP \$PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3" > /etc/openvpn/client-common.txt
newclient "\$CLIENT"
yum -y update # Security is important, but running this at the beginning slows things down
EOF
vultr script create --type="boot" --name="openvpn_$DATE" --file="temp_script"
sleep 3 # Wait for script to save; yes, this is a real race condition
# Figure out which script we're Using
SCRIPT_ID=$(vultr scripts | grep openvpn_$DATE | cut -f1)
echo Using $SCRIPT_ID ...; echo
echo "Listing Vultr regions:"
vultr regions
echo "Double check on Vultr's site to make sure 1024 MB inventory is avaialble in this region."
read -p "Select a region (DC number): " dcid
dcid=${dcid:-1}
# Initialize a new server with the new startup script
vultr server create --name="openvpn_$DATE" --plan=201 --os=167 --hostname="openvpn" --region=$dcid --script=$SCRIPT_ID
echo "Waiting a bit to give the VPS time to come online"
sleep 60 # give the server time to get assigned an IP address. If we don't wait long enough here, the server breaks
vultr server list | grep openvpn_$DATE
SUBID=$(vultr server list | grep openvpn_$DATE | cut -f1 | tr -d '[:space:]')
IP=$(vultr server list | grep openvpn_$DATE | cut -f3 | tr -d '[:space:]')
echo "*** VPS SUBSCRIPTION ID: $SUBID"
echo "*** VPS IP ADDRESS: $IP"
echo "*** VPS ROOT PASSWORD: $ROOT_PW"
echo "Waiting to let the server finish generating the certificates"
sleep 150
rm -f openvpn_cert.ovpn
sshpass -p "$ROOT_PW" scp root@$IP:/root/openvpn_cert.ovpn .
# Cleanup startup script
vultr script delete $(vultr script list | grep openvpn_$DATE | cut -f1)
echo "If everything worked correctly, openvpn_cert.ovpn can now be used to connect to the server"
echo "To troubleshoot, try checking /tmp/firstboot.log on the server."
echo "To connect, run this: sudo openvpn openvpn_cert.ovpn"