free
/
freedombone
Observar 1
Favorito 0
Fork 0
Código Issues 0 Pull Requests 0 Versões 0 Wiki Atividade
8395 Commits
5 Branches
Tag: 49f094140c
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 49f094140c
${ noResults }
freedombone/src/freedombone-app-vpn

freedombone-app-vpn 27KB
Histórico Original

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # VPN functions

  12. # https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8

  13. # https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/

  14. # http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php

  15. #

  16. # License

  17. # =======

  18. #

  19. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>

  20. #

  21. # This program is free software: you can redistribute it and/or modify

  22. # it under the terms of the GNU Affero General Public License as published by

  23. # the Free Software Foundation, either version 3 of the License, or

  24. # (at your option) any later version.

  25. #

  26. # This program is distributed in the hope that it will be useful,

  27. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  28. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  29. # GNU Affero General Public License for more details.

  30. #

  31. # You should have received a copy of the GNU Affero General Public License

  32. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  33. 

  34. VARIANTS='full full-vim'

  35. 

  36. IN_DEFAULT_INSTALL=0

  37. SHOW_ON_ABOUT=0

  38. 

  39. OPENVPN_SERVER_NAME="server"

  40. OPENVPN_KEY_FILENAME='client.ovpn'

  41. 

  42. VPN_COUNTRY_CODE="US"

  43. VPN_AREA="Apparent Free Speech Zone"

  44. VPN_LOCATION="Freedomville"

  45. VPN_ORGANISATION="Freedombone"

  46. VPN_UNIT="Freedombone Unit"

  47. STUNNEL_PORT=3439

  48. VPN_TLS_PORT=553

  49. VPN_MESH_TLS_PORT=653

  50. 

  51. vpn_variables=(MY_EMAIL_ADDRESS

  52.                DEFAULT_DOMAIN_NAME

  53.                MY_USERNAME

  54.                VPN_COUNTRY_CODE

  55.                VPN_AREA

  56.                VPN_LOCATION

  57.                VPN_ORGANISATION

  58.                VPN_UNIT

  59.                VPN_TLS_PORT)

  60. 

  61. function logging_on_vpn {

  62.     if [ ! -f /etc/openvpn/server.conf ]; then

  63.         return

  64.     fi

  65.     sed -i 's|status .*|status /var/log/openvpn.log|g' /etc/openvpn/server.conf

  66.     systemctl restart openvpn

  67. }

  68. 

  69. function logging_off_vpn {

  70.     if [ ! -f /etc/openvpn/server.conf ]; then

  71.         return

  72.     fi

  73.     sed -i 's|status .*|status /dev/null|g' /etc/openvpn/server.conf

  74.     systemctl restart openvpn

  75. }

  76. 

  77. function install_interactive_vpn {

  78.     read_config_param VPN_TLS_PORT

  79.     if [ ! $VPN_TLS_PORT ]; then

  80.         VPN_TLS_PORT=553

  81.     fi

  82.     VPN_DETAILS_COMPLETE=

  83.     while [ ! $VPN_DETAILS_COMPLETE ]

  84.     do

  85.         data=$(tempfile 2>/dev/null)

  86.         trap "rm -f $data" 0 1 2 5 15

  87.         currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')

  88.         if [ $currtlsport ]; then

  89.             VPN_TLS_PORT=$currtlsport

  90.         fi

  91.         dialog --backtitle $"Freedombone Configuration" \

  92.                --title $"VPN Configuration" \

  93.                --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \

  94.                $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \

  95.                2> $data

  96.         sel=$?

  97.         case $sel in

  98.             1) exit 1;;

  99.             255) exit 1;;

  100.         esac

  101.         tlsport=$(cat $data | sed -n 1p)

  102.         if [ ${#tlsport} -gt 1 ]; then

  103.             if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then

  104.                 VPN_TLS_PORT="$tlsport"

  105.                 VPN_DETAILS_COMPLETE="yes"

  106.                 write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"

  107.             fi

  108.         fi

  109.     done

  110.     clear

  111.     APP_INSTALLED=1

  112. }

  113. 

  114. function vpn_change_tls_port {

  115.     if ! grep -q "VPN-TLS" $FIREWALL_CONFIG; then

  116.         EXISTING_VPN_TLS_PORT=443

  117.     else

  118.         EXISTING_VPN_TLS_PORT=$(cat $FIREWALL_CONFIG | grep "VPN-TLS" | awk -F '=' '{print $2}')

  119.     fi

  120. 

  121.     data=$(tempfile 2>/dev/null)

  122.     trap "rm -f $data" 0 1 2 5 15

  123.     dialog --title $"VPN Configuration" \

  124.            --backtitle $"Freedombone Control Panel" \

  125.            --inputbox $'Change TLS port' 10 50 $EXISTING_VPN_TLS_PORT 2>$data

  126.     sel=$?

  127.     case $sel in

  128.         0)

  129.             tlsport=$(<$data)

  130.             if [ ${#tlsport} -gt 0 ]; then

  131.                 if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then

  132.                     clear

  133.                     VPN_TLS_PORT=$tlsport

  134.                     write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"

  135.                     sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf

  136.                     sed -i "s|connect =.*|connect = :$VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf

  137. 

  138.                     for d in /home/*/ ; do

  139.                         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  140.                         if [ -f /home/$USERNAME/stunnel-client.conf ]; then

  141.                             cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf

  142.                             chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf

  143.                         fi

  144.                     done

  145. 

  146.                     if [ $VPN_TLS_PORT -eq 443 ]; then

  147.                         if [[ "$PREVIOUS_VPN_TLS_PORT" != "443" ]]; then

  148.                             firewall_remove VPN-TLS ${EXISTING_VPN_TLS_PORT}

  149.                         fi

  150.                         systemctl stop nginx

  151.                         systemctl disable nginx

  152.                     else

  153.                         if [[ "$PREVIOUS_VPN_TLS_PORT" != "$VPN_TLS_PORT" ]]; then

  154.                             firewall_remove VPN-TLS ${EXISTING_VPN_TLS_PORT}

  155.                             firewall_add VPN-TLS ${VPN_TLS_PORT} tcp

  156.                         fi

  157.                         systemctl enable nginx

  158.                         systemctl restart nginx

  159.                     fi

  160. 

  161.                     systemctl restart stunnel

  162. 

  163.                     if [ $VPN_TLS_PORT -eq 443 ]; then

  164.                         dialog --title $"VPN Configuration" \

  165.                                --msgbox $"TLS port changed to ${VPN_TLS_PORT}. Forward this port from your internet router." 10 60

  166.                     else

  167.                         dialog --title $"VPN Configuration" \

  168.                                --msgbox $"TLS port changed to ${VPN_TLS_PORT}. Forward this port from your internet router." 10 60

  169.                     fi

  170.                 fi

  171.             fi

  172.             ;;

  173.     esac

  174. }

  175. 

  176. function vpn_regenerate_client_keys {

  177.     data=$(tempfile 2>/dev/null)

  178.     trap "rm -f $data" 0 1 2 5 15

  179.     dialog --title $"Regenerate VPN keys for a user" \

  180.            --backtitle $"Freedombone Control Panel" \

  181.            --inputbox $'username' 10 50 2>$data

  182.     sel=$?

  183.     case $sel in

  184.         0)

  185.             USERNAME=$(<$data)

  186.             if [ ${#USERNAME} -gt 0 ]; then

  187.                 if [ -d /home/$USERNAME ]; then

  188.                     clear

  189.                     create_user_vpn_key $USERNAME

  190.                     dialog --title $"Regenerate VPN keys for a user" \

  191.                            --msgbox $"VPN keys were regenerated for $USERNAME" 6 60

  192.                 fi

  193.             fi

  194.             ;;

  195.     esac

  196. }

  197. 

  198. function configure_interactive_vpn {

  199.     read_config_param VPN_TLS_PORT

  200.     while true

  201.     do

  202.         data=$(tempfile 2>/dev/null)

  203.         trap "rm -f $data" 0 1 2 5 15

  204.         dialog --backtitle $"Freedombone Control Panel" \

  205.                --title $"VPN Configuration" \

  206.                --radiolist $"Choose an operation:" 13 70 3 \

  207.                1 $"Change TLS port (currently $VPN_TLS_PORT)" off \

  208.                2 $"Regenerate keys for a user" off \

  209.                3 $"Exit" on 2> $data

  210.         sel=$?

  211.         case $sel in

  212.             1) return;;

  213.             255) return;;

  214.         esac

  215.         case $(cat $data) in

  216.             1) vpn_change_tls_port;;

  217.             2) vpn_regenerate_client_keys;;

  218.             3) break;;

  219.         esac

  220.     done

  221. }

  222. 

  223. function reconfigure_vpn {

  224.     echo -n ''

  225. }

  226. 

  227. function upgrade_vpn {

  228.     echo -n ''

  229. }

  230. 

  231. function backup_local_vpn {

  232.     for d in /home/*/ ; do

  233.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  234.         if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then

  235.             cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}

  236.         fi

  237.     done

  238. 

  239.     function_check backup_directory_to_usb

  240.     backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn

  241.     backup_directory_to_usb /etc/stunnel vpnstunnel

  242. }

  243. 

  244. function restore_local_vpn {

  245.     temp_restore_dir=/root/tempvpn

  246.     restore_directory_from_usb $temp_restore_dir vpn

  247.     if [ -d ${temp_restore_dir} ]; then

  248.         cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys

  249.         cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/

  250.         cp -r ${temp_restore_dir}/dh* /etc/openvpn/

  251.         rm -rf ${temp_restore_dir}

  252. 

  253.         for d in /home/*/ ; do

  254.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  255.             if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then

  256.                 cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME

  257.                 chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME

  258.             fi

  259.         done

  260.     fi

  261.     temp_restore_dir=/root/tempvpnstunnel

  262.     restore_directory_from_usb $temp_restore_dir vpnstunnel

  263.     if [ -d ${temp_restore_dir} ]; then

  264.         cp -r ${temp_restore_dir}/* /etc/stunnel

  265.         rm -rf ${temp_restore_dir}

  266.         for d in /home/*/ ; do

  267.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  268.             if [ -f /home/$USERNAME/stunnel.pem ]; then

  269.                 cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem

  270.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem

  271.             fi

  272.             if [ -f /home/$USERNAME/stunnel.p12 ]; then

  273.                 cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12

  274.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12

  275.             fi

  276.         done

  277.     fi

  278. }

  279. 

  280. function backup_remote_vpn {

  281.     for d in /home/*/ ; do

  282.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  283.         if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then

  284.             cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}

  285.         fi

  286.     done

  287. 

  288.     function_check backup_directory_to_friend

  289.     backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn

  290.     backup_directory_to_friend /etc/stunnel vpnstunnel

  291. }

  292. 

  293. function restore_remote_vpn {

  294.     temp_restore_dir=/root/tempvpn

  295.     restore_directory_from_friend $temp_restore_dir vpn

  296.     if [ -d ${temp_restore_dir} ]; then

  297.         cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys

  298.         cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/

  299.         cp -r ${temp_restore_dir}/dh* /etc/openvpn/

  300.         rm -rf ${temp_restore_dir}

  301. 

  302.         for d in /home/*/ ; do

  303.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  304.             if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then

  305.                 cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME

  306.                 chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME

  307.             fi

  308.         done

  309.     fi

  310.     temp_restore_dir=/root/tempvpnstunnel

  311.     restore_directory_from_friend $temp_restore_dir vpnstunnel

  312.     if [ -d ${temp_restore_dir} ]; then

  313.         cp -r ${temp_restore_dir}/* /etc/stunnel

  314.         rm -rf ${temp_restore_dir}

  315.         for d in /home/*/ ; do

  316.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  317.             if [ -f /home/$USERNAME/stunnel.pem ]; then

  318.                 cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem

  319.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem

  320.             fi

  321.             if [ -f /home/$USERNAME/stunnel.p12 ]; then

  322.                 cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12

  323.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12

  324.             fi

  325.         done

  326.     fi

  327. }

  328. 

  329. function remove_vpn {

  330.     systemctl stop stunnel

  331.     systemctl disable stunnel

  332.     rm /etc/systemd/system/stunnel.service

  333. 

  334.     systemctl stop openvpn

  335.     if [ $VPN_TLS_PORT -ne 443 ]; then

  336.         firewall_remove VPN-TLS $VPN_TLS_PORT

  337.     else

  338.         systemctl enable nginx

  339.         systemctl restart nginx

  340.     fi

  341. 

  342.     apt-get -yq remove --purge fastd openvpn easy-rsa

  343.     apt-get -yq remove stunnel4

  344.     if [ -d /etc/openvpn ]; then

  345.         rm -rf /etc/openvpn

  346.     fi

  347.     firewall_disable_vpn

  348. 

  349.     echo 0 > /proc/sys/net/ipv4/ip_forward

  350.     sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf

  351. 

  352.     remove_completion_param install_vpn

  353. 

  354.     # remove any client keys

  355.     for d in /home/*/ ; do

  356.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  357.         if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then

  358.             shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME

  359.         fi

  360.         rm /home/$USERNAME/stunnel*

  361.     done

  362.     userdel -f vpn

  363.     groupdel -f vpn

  364. 

  365.     if [ -d /etc/stunnel ]; then

  366.         rm -rf /etc/stunnel

  367.     fi

  368. }

  369. 

  370. function create_user_vpn_key {

  371.     username=$1

  372. 

  373.     if [ ! -d /home/$username ]; then

  374.         return

  375.     fi

  376. 

  377.     echo $"Creating VPN key for $username"

  378. 

  379.     cd /etc/openvpn/easy-rsa

  380. 

  381.     if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then

  382.         rm /etc/openvpn/easy-rsa/keys/$username.crt

  383.     fi

  384.     if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then

  385.         rm /etc/openvpn/easy-rsa/keys/$username.key

  386.     fi

  387.     if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then

  388.         rm /etc/openvpn/easy-rsa/keys/$username.csr

  389.     fi

  390. 

  391.     sed -i 's| --interact||g' build-key

  392.     ./build-key "$username"

  393. 

  394.     if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then

  395.         echo $'VPN user cert not generated'

  396.         exit 783528

  397.     fi

  398.     user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)

  399.     if [ ${#user_cert} -lt 10 ]; then

  400.         cat /etc/openvpn/easy-rsa/keys/$username.crt

  401.         echo $'User cert generation failed'

  402.         exit 634659

  403.     fi

  404.     if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then

  405.         echo $'VPN user key not generated'

  406.         exit 682523

  407.     fi

  408.     user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)

  409.     if [ ${#user_key} -lt 10 ]; then

  410.         cat /etc/openvpn/easy-rsa/keys/$username.key

  411.         echo $'User key generation failed'

  412.         exit 285838

  413.     fi

  414. 

  415.     user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME

  416. 

  417.     echo 'client' > $user_vpn_cert_file

  418.     echo 'dev tun' >> $user_vpn_cert_file

  419.     echo 'proto tcp' >> $user_vpn_cert_file

  420.     echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file

  421.     echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file

  422.     echo 'resolv-retry infinite' >> $user_vpn_cert_file

  423.     echo 'nobind' >> $user_vpn_cert_file

  424.     echo 'tun-mtu 1500' >> $user_vpn_cert_file

  425.     echo 'tun-mtu-extra 32' >> $user_vpn_cert_file

  426.     echo 'mssfix 1450' >> $user_vpn_cert_file

  427.     echo 'persist-key' >> $user_vpn_cert_file

  428.     echo 'persist-tun' >> $user_vpn_cert_file

  429.     echo 'auth-nocache' >> $user_vpn_cert_file

  430.     echo 'remote-cert-tls server' >> $user_vpn_cert_file

  431.     echo 'comp-lzo' >> $user_vpn_cert_file

  432.     echo 'verb 3' >> $user_vpn_cert_file

  433.     echo '' >> $user_vpn_cert_file

  434. 

  435.     echo '<ca>' >> $user_vpn_cert_file

  436.     cat /etc/openvpn/ca.crt >> $user_vpn_cert_file

  437.     echo '</ca>' >> $user_vpn_cert_file

  438. 

  439.     echo '<cert>' >> $user_vpn_cert_file

  440.     cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file

  441.     echo '</cert>' >> $user_vpn_cert_file

  442. 

  443.     echo '<key>' >> $user_vpn_cert_file

  444.     cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file

  445.     echo '</key>' >> $user_vpn_cert_file

  446. 

  447.     chown $username:$username $user_vpn_cert_file

  448. 

  449.     # keep a backup

  450.     cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn

  451. 

  452.     #rm /etc/openvpn/easy-rsa/keys/$username.crt

  453.     #rm /etc/openvpn/easy-rsa/keys/$username.csr

  454.     shred -zu /etc/openvpn/easy-rsa/keys/$username.key

  455. 

  456.     echo $"VPN key created at $user_vpn_cert_file"

  457. }

  458. 

  459. function add_user_vpn {

  460.     new_username="$1"

  461.     new_user_password="$2"

  462. 

  463.     create_user_vpn_key $new_username

  464.     if [ -f /etc/stunnel/stunnel.pem ]; then

  465.         cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem

  466.         chown $new_username:$new_username /home/$new_username/stunnel.pem

  467.     fi

  468.     if [ -f /etc/stunnel/stunnel.p12 ]; then

  469.         cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12

  470.         chown $new_username:$new_username /home/$new_username/stunnel.p12

  471.     fi

  472.     cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf

  473.     chown $new_username:$new_username /home/$new_username/stunnel-client.conf

  474. }

  475. 

  476. function remove_user_vpn {

  477.     new_username="$1"

  478. }

  479. 

  480. function mesh_setup_vpn {

  481.     vpn_generate_keys

  482. 

  483.     if [ -d /home/fbone ]; then

  484.         cp /etc/stunnel/stunnel-client.conf /home/fbone/stunnel-client.conf

  485.         chown fbone:fbone /home/fbone/stunnel*

  486.     fi

  487. 

  488.     generate_stunnel_keys

  489. 

  490.     systemctl restart openvpn

  491. }

  492. 

  493. function generate_stunnel_keys {

  494.     openssl req -x509 -nodes -days 3650 -sha256 \

  495.             -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \

  496.             -newkey rsa:2048 -keyout /etc/stunnel/key.pem \

  497.             -out /etc/stunnel/cert.pem

  498.     if [ ! -f /etc/stunnel/key.pem ]; then

  499.         echo $'stunnel key not created'

  500.         exit 793530

  501.     fi

  502.     if [ ! -f /etc/stunnel/cert.pem ]; then

  503.         echo $'stunnel cert not created'

  504.         exit 204587

  505.     fi

  506.     chmod 400 /etc/stunnel/key.pem

  507.     chmod 640 /etc/stunnel/cert.pem

  508. 

  509.     cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem

  510.     chmod 640 /etc/stunnel/stunnel.pem

  511. 

  512.     openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:

  513.     if [ ! -f /etc/stunnel/stunnel.p12 ]; then

  514.         echo $'stunnel pkcs12 not created'

  515.         exit 639353

  516.     fi

  517.     chmod 640 /etc/stunnel/stunnel.p12

  518. 

  519.     cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem

  520.     cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12

  521.     chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*

  522. }

  523. 

  524. function install_stunnel {

  525.     prefix=

  526.     prefixchroot=

  527.     if [ $rootdir ]; then

  528.         prefix=$rootdir

  529.         prefixchroot="chroot $rootdir"

  530.         VPN_TLS_PORT=$VPN_MESH_TLS_PORT

  531.     fi

  532. 

  533.     $prefixchroot apt-get -yq install stunnel4

  534. 

  535.     if [ ! $prefix ]; then

  536.         cd /etc/stunnel

  537.         generate_stunnel_keys

  538.     fi

  539. 

  540.     echo 'chroot = /var/lib/stunnel4' > $prefix/etc/stunnel/stunnel.conf

  541.     echo 'pid = /stunnel4.pid' >> $prefix/etc/stunnel/stunnel.conf

  542.     echo 'setuid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf

  543.     echo 'setgid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf

  544.     echo 'socket = l:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf

  545.     echo 'socket = r:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf

  546.     echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf

  547.     echo '[openvpn]' >> $prefix/etc/stunnel/stunnel.conf

  548.     echo "accept = $VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel.conf

  549.     echo 'connect = localhost:1194' >> $prefix/etc/stunnel/stunnel.conf

  550.     echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf

  551.     echo 'protocol = socks' >> $prefix/etc/stunnel/stunnel.conf

  552. 

  553.     sed -i 's|ENABLED=.*|ENABLED=1|g' $prefix/etc/default/stunnel4

  554. 

  555.     echo '[openvpn]' > $prefix/etc/stunnel/stunnel-client.conf

  556.     echo 'client = yes' >> $prefix/etc/stunnel/stunnel-client.conf

  557.     echo "accept = $STUNNEL_PORT" >> $prefix/etc/stunnel/stunnel-client.conf

  558.     echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel-client.conf

  559.     echo 'cert = stunnel.pem' >> $prefix/etc/stunnel/stunnel-client.conf

  560.     echo 'protocol = socks' >> $prefix/etc/stunnel/stunnel-client.conf

  561. 

  562.     echo '[Unit]' > $prefix/etc/systemd/system/stunnel.service

  563.     echo 'Description=SSL tunnel for network daemons' >> $prefix/etc/systemd/system/stunnel.service

  564.     echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> $prefix/etc/systemd/system/stunnel.service

  565.     echo 'DefaultDependencies=no' >> $prefix/etc/systemd/system/stunnel.service

  566.     echo 'After=network.target' >> $prefix/etc/systemd/system/stunnel.service

  567.     echo 'After=syslog.target' >> $prefix/etc/systemd/system/stunnel.service

  568.     echo '' >> $prefix/etc/systemd/system/stunnel.service

  569.     echo '[Install]' >> $prefix/etc/systemd/system/stunnel.service

  570.     echo 'WantedBy=multi-user.target' >> $prefix/etc/systemd/system/stunnel.service

  571.     echo 'Alias=stunnel.target' >> $prefix/etc/systemd/system/stunnel.service

  572.     echo '' >> $prefix/etc/systemd/system/stunnel.service

  573.     echo '[Service]' >> $prefix/etc/systemd/system/stunnel.service

  574.     echo 'Type=forking' >> $prefix/etc/systemd/system/stunnel.service

  575.     echo 'RuntimeDirectory=stunnel' >> $prefix/etc/systemd/system/stunnel.service

  576.     echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service

  577.     echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service

  578.     echo 'ExecStop=/usr/bin/killall -9 stunnel' >> $prefix/etc/systemd/system/stunnel.service

  579.     echo 'RemainAfterExit=yes' >> $prefix/etc/systemd/system/stunnel.service

  580. 

  581.     if [ ! $prefix ]; then

  582.         if [ $VPN_TLS_PORT -eq 443 ]; then

  583.             systemctl stop nginx

  584.             systemctl disable nginx

  585.         else

  586.             systemctl enable nginx

  587.             systemctl restart nginx

  588.         fi

  589. 

  590.         systemctl enable stunnel

  591.         systemctl daemon-reload

  592.         systemctl start stunnel

  593. 

  594.         cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf

  595.         chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*

  596.     fi

  597. }

  598. 

  599. function vpn_generate_keys {

  600.     # generate host keys

  601.     if [ ! -f /etc/openvpn/dh2048.pem ]; then

  602.         ${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem

  603.     fi

  604.     if [ ! -f /etc/openvpn/dh2048.pem ]; then

  605.         echo $'vpn dhparams were not generated'

  606.         exit 73724523

  607.     fi

  608.     cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem

  609. 

  610.     cd /etc/openvpn/easy-rsa

  611.     . ./vars

  612.     ./clean-all

  613.     vpn_openssl_version='1.0.0'

  614.     if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then

  615.         echo $"openssl-${vpn_openssl_version}.cnf was not found"

  616.         exit 7392353

  617.     fi

  618.     cp openssl-${vpn_openssl_version}.cnf openssl.cnf

  619. 

  620.     if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then

  621.         rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt

  622.     fi

  623.     if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then

  624.         rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key

  625.     fi

  626.     if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then

  627.         rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr

  628.     fi

  629.     sed -i 's| --interact||g' build-key-server

  630.     sed -i 's| --interact||g' build-ca

  631.     ./build-ca

  632.     ./build-key-server ${OPENVPN_SERVER_NAME}

  633.     if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then

  634.         echo $'OpenVPN crt not found'

  635.         exit 7823352

  636.     fi

  637.     server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)

  638.     if [ ${#server_cert} -lt 10 ]; then

  639.         cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt

  640.         echo $'Server cert generation failed'

  641.         exit 3284682

  642.     fi

  643. 

  644.     if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then

  645.         echo $'OpenVPN key not found'

  646.         exit 6839436

  647.     fi

  648.     if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then

  649.         echo $'OpenVPN ca not found'

  650.         exit 7935203

  651.     fi

  652.     cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn

  653. 

  654.     create_user_vpn_key ${MY_USERNAME}

  655. }

  656. 

  657. function install_vpn {

  658.     prefix=

  659.     prefixchroot=

  660.     if [ $rootdir ]; then

  661.         prefix=$rootdir

  662.         prefixchroot="chroot $rootdir"

  663.         VPN_TLS_PORT=$VPN_MESH_TLS_PORT

  664.     fi

  665.     $prefixchroot apt-get -yq install fastd openvpn easy-rsa

  666. 

  667.     $prefixchroot groupadd vpn

  668.     $prefixchroot useradd -r -s /bin/false -g vpn vpn

  669. 

  670.     # server configuration

  671.     echo 'port 1194' > $prefix/etc/openvpn/server.conf

  672.     echo 'proto tcp' >> $prefix/etc/openvpn/server.conf

  673.     echo 'dev tun' >> $prefix/etc/openvpn/server.conf

  674.     echo 'tun-mtu 1500' >> $prefix/etc/openvpn/server.conf

  675.     echo 'tun-mtu-extra 32' >> $prefix/etc/openvpn/server.conf

  676.     echo 'mssfix 1450' >> $prefix/etc/openvpn/server.conf

  677.     echo 'ca /etc/openvpn/ca.crt' >> $prefix/etc/openvpn/server.conf

  678.     echo 'cert /etc/openvpn/server.crt' >> $prefix/etc/openvpn/server.conf

  679.     echo 'key /etc/openvpn/server.key' >> $prefix/etc/openvpn/server.conf

  680.     echo 'dh /etc/openvpn/dh2048.pem' >> $prefix/etc/openvpn/server.conf

  681.     echo 'server 10.8.0.0 255.255.255.0' >> $prefix/etc/openvpn/server.conf

  682.     echo 'push "redirect-gateway def1 bypass-dhcp"' >> $prefix/etc/openvpn/server.conf

  683.     echo "push \"dhcp-option DNS 85.214.73.63\"" >> $prefix/etc/openvpn/server.conf

  684.     echo "push \"dhcp-option DNS 213.73.91.35\"" >> $prefix/etc/openvpn/server.conf

  685.     echo 'keepalive 5 30' >> $prefix/etc/openvpn/server.conf

  686.     echo 'comp-lzo' >> $prefix/etc/openvpn/server.conf

  687.     echo 'persist-key' >> $prefix/etc/openvpn/server.conf

  688.     echo 'persist-tun' >> $prefix/etc/openvpn/server.conf

  689.     echo 'status /dev/null' >> $prefix/etc/openvpn/server.conf

  690.     echo 'verb 3' >> $prefix/etc/openvpn/server.conf

  691.     echo '' >> $prefix/etc/openvpn/server.conf

  692. 

  693.     if [ ! $prefix ]; then

  694.         echo 1 > /proc/sys/net/ipv4/ip_forward

  695.     fi

  696.     sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf

  697.     sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf

  698.     sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' $prefix/etc/sysctl.conf

  699. 

  700.     cp -r $prefix/usr/share/easy-rsa/ $prefix/etc/openvpn

  701.     if [ ! -d $prefix/etc/openvpn/easy-rsa/keys ]; then

  702.         mkdir $prefix/etc/openvpn/easy-rsa/keys

  703.     fi

  704. 

  705.     # keys configuration

  706.     sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" $prefix/etc/openvpn/easy-rsa/vars

  707.     sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" $prefix/etc/openvpn/easy-rsa/vars

  708.     sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" $prefix/etc/openvpn/easy-rsa/vars

  709.     sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars

  710.     sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" $prefix/etc/openvpn/easy-rsa/vars

  711.     sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" $prefix/etc/openvpn/easy-rsa/vars

  712.     sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars

  713. 

  714.     if [ ! $prefix ]; then

  715.         vpn_generate_keys

  716.         firewall_enable_vpn

  717. 

  718.         if [ ${VPN_TLS_PORT} -ne 443 ]; then

  719.             firewall_add VPN-TLS ${VPN_TLS_PORT} tcp

  720.         fi

  721. 

  722.         systemctl start openvpn

  723.     fi

  724. 

  725.     install_stunnel

  726. 

  727.     if [ ! $prefix ]; then

  728.         systemctl restart openvpn

  729.     fi

  730. 

  731.     APP_INSTALLED=1

  732. }

  733. 

  734. # NOTE: deliberately there is no "exit 0"