
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # VPN functions
  12. # https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
  13. # https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
  14. # http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php
  15. #
  16. # License
  17. # =======
  18. #
  19. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
  20. #
  21. # This program is free software: you can redistribute it and/or modify
  22. # it under the terms of the GNU Affero General Public License as published by
  23. # the Free Software Foundation, either version 3 of the License, or
  24. # (at your option) any later version.
  25. #
  26. # This program is distributed in the hope that it will be useful,
  27. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  28. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  29. # GNU Affero General Public License for more details.
  30. #
  31. # You should have received a copy of the GNU Affero General Public License
  32. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# Installation variants this app is offered in
VARIANTS='full full-vim'
# Optional app: not part of the default install and not shown on the about screen
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=0
# Base name of the OpenVPN server certificate/key files produced by easy-rsa
OPENVPN_SERVER_NAME="server"
# Per-user client configuration (certs and key embedded) placed in the user's home
OPENVPN_KEY_FILENAME='client.ovpn'
# Subject fields used for the self-signed stunnel certificate
VPN_COUNTRY_CODE="US"
VPN_AREA="Apparent Free Speech Zone"
VPN_LOCATION="Freedomville"
VPN_ORGANISATION="Freedombone"
VPN_UNIT="Freedombone Unit"
# Local port the stunnel client listens on; the client .ovpn points at it
STUNNEL_PORT=3439
# Public port the stunnel server accepts TLS on (553 by default; 443 is possible)
VPN_TLS_PORT=553
# Settings belonging to this app; presumably consumed by the shared config
# handling, as nothing in this file reads the list
declare -a vpn_variables=(
    MY_EMAIL_ADDRESS
    DEFAULT_DOMAIN_NAME
    MY_USERNAME
    VPN_COUNTRY_CODE
    VPN_AREA
    VPN_LOCATION
    VPN_ORGANISATION
    VPN_UNIT
    VPN_TLS_PORT
)
  54. function logging_on_vpn {
  55. sed -i 's|status .*|status /var/log/openvpn.log|g' /etc/openvpn/server.conf
  56. systemctl restart openvpn
  57. }
  58. function logging_off_vpn {
  59. sed -i 's|status .*|status /dev/null|g' /etc/openvpn/server.conf
  60. systemctl restart openvpn
  61. }
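#######################################
# Ask for the VPN TLS port during interactive installation and persist it
# with write_config_param. Loops until a valid port is entered.
# Globals:   VPN_TLS_PORT (read/written), VPN_DETAILS_COMPLETE (written),
#            APP_INSTALLED (written)
# Arguments: none
# Outputs:   dialog UI on the terminal
# Exits:     1 if the user cancels the dialog
#######################################
function install_interactive_vpn {
    local data tlsport currtlsport
    read_config_param VPN_TLS_PORT
    if [ -z "$VPN_TLS_PORT" ]; then
        VPN_TLS_PORT=553
    fi
    # One temp file for every iteration (the original created a new one per
    # loop and only the last was removed); the trap removes it on exit or
    # on HUP/INT/TRAP/TERM
    data=$(mktemp 2>/dev/null) || return 1
    trap "rm -f $data" 0 1 2 5 15
    # temp.cfg in the current directory holds the value from earlier in this
    # install run, if there is one
    if [ -f temp.cfg ]; then
        currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')
        if [ -n "$currtlsport" ]; then
            VPN_TLS_PORT=$currtlsport
        fi
    fi
    VPN_DETAILS_COMPLETE=
    while [ -z "$VPN_DETAILS_COMPLETE" ]; do
        dialog --backtitle $"Freedombone Configuration" \
               --title $"VPN Configuration" \
               --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
               $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \
               2> "$data"
        case $? in
            1|255) exit 1;;
        esac
        tlsport=$(sed -n 1p "$data")
        # Accept only a plausible TCP port: the value is later used in
        # numeric tests and spliced into sed replacement strings, so a
        # "no spaces, no dots" check is not enough
        if [[ "$tlsport" =~ ^[0-9]+$ ]] && [ "$tlsport" -ge 1 ] && [ "$tlsport" -le 65535 ]; then
            VPN_TLS_PORT="$tlsport"
            VPN_DETAILS_COMPLETE="yes"
            write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
        fi
    done
    clear
    APP_INSTALLED=1
}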
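#######################################
# Control-panel action: change the public TLS port stunnel accepts on.
# Updates the saved setting, the server and client stunnel configurations,
# every user's copy of the client configuration, nginx (which must give up
# port 443 if the VPN takes it) and the VPN-TLS firewall rule, then
# restarts stunnel.
# Globals:   VPN_TLS_PORT (read/written), EXISTING_VPN_TLS_PORT (written)
# Arguments: none
# Outputs:   dialog UI on the terminal
#######################################
function vpn_change_tls_port {
    local data tlsport d user
    EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT
    data=$(mktemp 2>/dev/null) || return 1
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"VPN Configuration" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $'Change TLS port' 10 50 "$VPN_TLS_PORT" 2> "$data"
    [ $? -eq 0 ] || return
    tlsport=$(<"$data")
    # Only a numeric port may proceed: the value is compared with -eq and
    # spliced into sed replacement strings below
    if ! [[ "$tlsport" =~ ^[0-9]+$ ]] || [ "$tlsport" -lt 1 ] || [ "$tlsport" -gt 65535 ]; then
        return
    fi
    if [ "$tlsport" == "$EXISTING_VPN_TLS_PORT" ]; then
        return
    fi
    clear
    VPN_TLS_PORT=$tlsport
    write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
    # Server side: stunnel listens on the new port
    sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
    # Client side: its local 'accept' port (STUNNEL_PORT) stays as written by
    # install_stunnel; it is the 'connect = host:port' target that must
    # follow the new TLS port (the original rewrote 'accept' instead)
    sed -i "s|\(connect = .*\):.*|\1:$VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf
    # Refresh each user's copy of the client configuration
    for d in /home/*/; do
        user=${d%/}
        user=${user##*/}
        if [ -f "/home/$user/stunnel-client.conf" ]; then
            cp /etc/stunnel/stunnel-client.conf "/home/$user/stunnel-client.conf"
            chown "$user:$user" "/home/$user/stunnel-client.conf"
        fi
    done
    # Keep the firewall in step with install_vpn/remove_vpn: a dedicated
    # VPN-TLS rule exists for every port other than 443
    if [[ "$EXISTING_VPN_TLS_PORT" =~ ^[0-9]+$ ]] && [ "$EXISTING_VPN_TLS_PORT" -ne 443 ]; then
        firewall_remove VPN-TLS "$EXISTING_VPN_TLS_PORT"
    fi
    # Port 443 can only be used if nginx gives it up
    if [ "$VPN_TLS_PORT" -eq 443 ]; then
        systemctl stop nginx
        systemctl disable nginx
    else
        systemctl enable nginx
        systemctl restart nginx
        firewall_add VPN-TLS "$VPN_TLS_PORT" tcp
    fi
    systemctl restart stunnel
    dialog --title $"VPN Configuration" \
           --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60
}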
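#######################################
# Control-panel action: regenerate the OpenVPN client key/config for one
# existing user.
# Globals:   none
# Arguments: none
# Outputs:   dialog UI on the terminal
#######################################
function vpn_regenerate_client_keys {
    local data username
    data=$(mktemp 2>/dev/null) || return 1
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Regenerate VPN keys for a user" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $'username' 10 50 2> "$data"
    [ $? -eq 0 ] || return
    username=$(<"$data")
    # Only plain account names are accepted: the value becomes part of paths
    # under /home and of the easy-rsa key file names, so no '/', '.' or
    # whitespace may get through
    if ! [[ "$username" =~ ^[A-Za-z_][A-Za-z0-9_-]*$ ]]; then
        return
    fi
    if [ -d "/home/$username" ]; then
        clear
        create_user_vpn_key "$username"
        dialog --title $"Regenerate VPN keys for a user" \
               --msgbox $"VPN keys were regenerated for $username" 6 60
    fi
}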
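#######################################
# Control-panel menu for the VPN app. Loops until the user picks Exit or
# cancels the dialog.
# Globals:   VPN_TLS_PORT (read, via read_config_param)
# Arguments: none
# Outputs:   dialog UI on the terminal
#######################################
function configure_interactive_vpn {
    local data
    read_config_param VPN_TLS_PORT
    # One temp file for the whole menu session (the original created one per
    # iteration and only the last was removed by the trap)
    data=$(mktemp 2>/dev/null) || return 1
    trap "rm -f $data" 0 1 2 5 15
    while true; do
        dialog --backtitle $"Freedombone Control Panel" \
               --title $"VPN Configuration" \
               --radiolist $"Choose an operation:" 13 70 3 \
               1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
               2 $"Regenerate keys for a user" off \
               3 $"Exit" on 2> "$data"
        case $? in
            1|255) return;;
        esac
        case $(<"$data") in
            1) vpn_change_tls_port;;
            2) vpn_regenerate_client_keys;;
            3) break;;
        esac
    done
}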
  183. function reconfigure_vpn {
  184. echo -n ''
  185. }
  186. function upgrade_vpn {
  187. echo -n ''
  188. }
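#######################################
# Back up the VPN to USB. Each user's client config is first copied into
# the easy-rsa keys directory so that one directory holds everything, then
# that directory and /etc/stunnel are backed up.
# Globals:   OPENVPN_KEY_FILENAME (read)
# Arguments: none
#######################################
function backup_local_vpn {
    local d user copy
    for d in /home/*/; do
        user=${d%/}
        user=${user##*/}
        if [ -f "/home/$user/$OPENVPN_KEY_FILENAME" ]; then
            copy="/etc/openvpn/easy-rsa/keys/${user}_${OPENVPN_KEY_FILENAME}"
            cp "/home/$user/$OPENVPN_KEY_FILENAME" "$copy"
            # The client config embeds the user's private key
            chmod 600 "$copy"
        fi
    done
    function_check backup_directory_to_usb
    backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn
    backup_directory_to_usb /etc/stunnel vpnstunnel
}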
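#######################################
# Restore the VPN from a USB backup: easy-rsa keys, the server cert/key and
# dh params go back under /etc/openvpn, /etc/stunnel is restored, and each
# existing user gets their client config and stunnel files back.
# Globals:   OPENVPN_SERVER_NAME, OPENVPN_KEY_FILENAME (read)
# Arguments: none
#######################################
function restore_local_vpn {
    local temp_restore_dir d user backed_up f
    temp_restore_dir=/root/tempvpn
    restore_directory_from_usb "$temp_restore_dir" vpn
    if [ -d "$temp_restore_dir" ]; then
        cp -r "$temp_restore_dir"/* /etc/openvpn/easy-rsa/keys
        cp -r "$temp_restore_dir"/"${OPENVPN_SERVER_NAME}"* /etc/openvpn/
        cp -r "$temp_restore_dir"/dh* /etc/openvpn/
        # :? guards against an empty variable turning this into rm -rf /
        rm -rf -- "${temp_restore_dir:?}"
        for d in /home/*/; do
            user=${d%/}
            user=${user##*/}
            backed_up="/etc/openvpn/easy-rsa/keys/${user}_${OPENVPN_KEY_FILENAME}"
            if [ -f "$backed_up" ]; then
                cp "$backed_up" "/home/$user/$OPENVPN_KEY_FILENAME"
                chown "$user:$user" "/home/$user/$OPENVPN_KEY_FILENAME"
                # The client config embeds the user's private key
                chmod 600 "/home/$user/$OPENVPN_KEY_FILENAME"
            fi
        done
    fi
    temp_restore_dir=/root/tempvpnstunnel
    restore_directory_from_usb "$temp_restore_dir" vpnstunnel
    if [ -d "$temp_restore_dir" ]; then
        cp -r "$temp_restore_dir"/* /etc/stunnel
        rm -rf -- "${temp_restore_dir:?}"
        for d in /home/*/; do
            user=${d%/}
            user=${user##*/}
            # Only users who already had the stunnel files get fresh copies
            for f in stunnel.pem stunnel.p12; do
                if [ -f "/home/$user/$f" ]; then
                    cp "/etc/stunnel/$f" "/home/$user/$f"
                    chown "$user:$user" "/home/$user/$f"
                fi
            done
        done
    fi
}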
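#######################################
# Back up the VPN to a friend's server. Each user's client config is first
# copied into the easy-rsa keys directory so that one directory holds
# everything, then that directory and /etc/stunnel are backed up.
# Globals:   OPENVPN_KEY_FILENAME (read)
# Arguments: none
#######################################
function backup_remote_vpn {
    local d user copy
    for d in /home/*/; do
        user=${d%/}
        user=${user##*/}
        if [ -f "/home/$user/$OPENVPN_KEY_FILENAME" ]; then
            copy="/etc/openvpn/easy-rsa/keys/${user}_${OPENVPN_KEY_FILENAME}"
            cp "/home/$user/$OPENVPN_KEY_FILENAME" "$copy"
            # The client config embeds the user's private key
            chmod 600 "$copy"
        fi
    done
    function_check backup_directory_to_friend
    backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
    backup_directory_to_friend /etc/stunnel vpnstunnel
}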
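#######################################
# Restore the VPN from a friend's backup: easy-rsa keys, the server
# cert/key and dh params go back under /etc/openvpn, /etc/stunnel is
# restored, and each existing user gets their client config and stunnel
# files back.
# Globals:   OPENVPN_SERVER_NAME, OPENVPN_KEY_FILENAME (read)
# Arguments: none
#######################################
function restore_remote_vpn {
    local temp_restore_dir d user backed_up f
    temp_restore_dir=/root/tempvpn
    restore_directory_from_friend "$temp_restore_dir" vpn
    if [ -d "$temp_restore_dir" ]; then
        cp -r "$temp_restore_dir"/* /etc/openvpn/easy-rsa/keys
        cp -r "$temp_restore_dir"/"${OPENVPN_SERVER_NAME}"* /etc/openvpn/
        cp -r "$temp_restore_dir"/dh* /etc/openvpn/
        # :? guards against an empty variable turning this into rm -rf /
        rm -rf -- "${temp_restore_dir:?}"
        for d in /home/*/; do
            user=${d%/}
            user=${user##*/}
            backed_up="/etc/openvpn/easy-rsa/keys/${user}_${OPENVPN_KEY_FILENAME}"
            if [ -f "$backed_up" ]; then
                cp "$backed_up" "/home/$user/$OPENVPN_KEY_FILENAME"
                chown "$user:$user" "/home/$user/$OPENVPN_KEY_FILENAME"
                # The client config embeds the user's private key
                chmod 600 "/home/$user/$OPENVPN_KEY_FILENAME"
            fi
        done
    fi
    temp_restore_dir=/root/tempvpnstunnel
    restore_directory_from_friend "$temp_restore_dir" vpnstunnel
    if [ -d "$temp_restore_dir" ]; then
        cp -r "$temp_restore_dir"/* /etc/stunnel
        rm -rf -- "${temp_restore_dir:?}"
        for d in /home/*/; do
            user=${d%/}
            user=${user##*/}
            # Only users who already had the stunnel files get fresh copies
            for f in stunnel.pem stunnel.p12; do
                if [ -f "/home/$user/$f" ]; then
                    cp "/etc/stunnel/$f" "/home/$user/$f"
                    chown "$user:$user" "/home/$user/$f"
                fi
            done
        done
    fi
}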
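#######################################
# Uninstall the VPN: stop and remove stunnel and OpenVPN, close the
# firewall port (or hand 443 back to nginx), disable IP forwarding and
# destroy the client key material in users' home directories.
# Globals:   VPN_TLS_PORT, OPENVPN_KEY_FILENAME (read)
# Arguments: none
#######################################
function remove_vpn {
    local d user f
    systemctl stop stunnel
    systemctl disable stunnel
    rm -f /etc/systemd/system/stunnel.service
    systemctl stop openvpn
    # A dedicated VPN-TLS rule only exists for ports other than 443 (see
    # install_vpn); an empty or non-numeric port falls through to the nginx
    # branch exactly as the unguarded -ne test did
    if [[ "$VPN_TLS_PORT" =~ ^[0-9]+$ ]] && [ "$VPN_TLS_PORT" -ne 443 ]; then
        firewall_remove VPN-TLS "$VPN_TLS_PORT"
    else
        # The VPN had taken port 443 from nginx; give it back
        systemctl enable nginx
        systemctl restart nginx
    fi
    apt-get -yq remove --purge fastd openvpn easy-rsa
    apt-get -yq remove stunnel4
    rm -rf /etc/openvpn
    firewall_disable_vpn
    echo 0 > /proc/sys/net/ipv4/ip_forward
    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
    remove_completion_param install_vpn
    # remove any client keys: the .ovpn and stunnel.pem/.p12 all embed
    # private keys, so every one of them is shredded rather than unlinked
    for d in /home/*/; do
        user=${d%/}
        user=${user##*/}
        for f in "/home/$user/$OPENVPN_KEY_FILENAME" "/home/$user"/stunnel*; do
            if [ -f "$f" ]; then
                shred -zu -- "$f"
            fi
        done
    done
    userdel -f vpn
    groupdel -f vpn
    rm -rf /etc/stunnel
}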
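#######################################
# Create (or recreate) a user's OpenVPN client certificate with easy-rsa
# and write a self-contained client config, with the CA cert, user cert and
# private key embedded, to /home/<user>/$OPENVPN_KEY_FILENAME. A copy is
# kept in the easy-rsa keys directory and the loose private key shredded.
# Globals:   OPENVPN_KEY_FILENAME, STUNNEL_PORT, DEFAULT_DOMAIN_NAME (read)
# Arguments: $1 - username; returns silently if /home/<user> does not exist
# Exits:     with a project-style unique code when key generation fails
#######################################
function create_user_vpn_key {
    local username=$1
    local keys_dir=/etc/openvpn/easy-rsa/keys
    local user_vpn_cert_file user_cert user_key ext
    if [ ! -d "/home/$username" ]; then
        return
    fi
    echo $"Creating VPN key for $username"
    # build-key must run from the easy-rsa directory; do not continue elsewhere
    cd /etc/openvpn/easy-rsa || exit 1
    # Start clean so easy-rsa does not refuse to overwrite an earlier key
    for ext in crt key csr; do
        rm -f -- "$keys_dir/$username.$ext"
    done
    # Run the easy-rsa script non-interactively
    sed -i 's| --interact||g' build-key
    ./build-key "$username"
    if [ ! -f "$keys_dir/$username.crt" ]; then
        echo $'VPN user cert not generated'
        exit 783528
    fi
    user_cert=$(<"$keys_dir/$username.crt")
    if [ "${#user_cert}" -lt 10 ]; then
        cat "$keys_dir/$username.crt"
        echo $'User cert generation failed'
        exit 634659
    fi
    if [ ! -f "$keys_dir/$username.key" ]; then
        echo $'VPN user key not generated'
        exit 682523
    fi
    user_key=$(<"$keys_dir/$username.key")
    if [ "${#user_key}" -lt 10 ]; then
        cat "$keys_dir/$username.key"
        echo $'User key generation failed'
        exit 285838
    fi
    user_vpn_cert_file="/home/$username/$OPENVPN_KEY_FILENAME"
    # The config embeds the private key: recreate it owner-only before any
    # content is written instead of inheriting the umask or an old file's mode
    rm -f -- "$user_vpn_cert_file"
    (umask 077 && : > "$user_vpn_cert_file")
    {
        # The client reaches the server through the local stunnel client
        # (remote localhost $STUNNEL_PORT); the route keeps the server's own
        # address out of the tunnel
        cat <<EOF
client
dev tun
proto tcp
remote localhost $STUNNEL_PORT
route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-nocache
remote-cert-tls server
comp-lzo
verb 3

<ca>
EOF
        cat /etc/openvpn/ca.crt
        echo '</ca>'
        echo '<cert>'
        cat "$keys_dir/$username.crt"
        echo '</cert>'
        echo '<key>'
        cat "$keys_dir/$username.key"
        echo '</key>'
    } > "$user_vpn_cert_file"
    chown "$username:$username" "$user_vpn_cert_file"
    # keep a backup alongside the other key material
    cp "$user_vpn_cert_file" "$keys_dir/$username.ovpn"
    chmod 600 "$keys_dir/$username.ovpn"
    # The private key now lives embedded in the .ovpn files; destroy the loose copy
    shred -zu "$keys_dir/$username.key"
    echo $"VPN key created at $user_vpn_cert_file"
}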
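#######################################
# Hook run when a user account is added: create the user's VPN client
# config and give them copies of the stunnel client files.
# Globals:   new_username, new_user_password (written, as the other hooks do)
# Arguments: $1 - username
#            $2 - password (accepted for hook parity; the VPN does not use it)
#######################################
function add_user_vpn {
    local f
    new_username="$1"
    # shellcheck disable=SC2034 -- part of the hook interface, unused here
    new_user_password="$2"
    create_user_vpn_key "$new_username"
    # stunnel.pem/.p12 exist once generate_stunnel_keys has run and the client
    # config once install_stunnel has; copy whichever are present
    for f in stunnel.pem stunnel.p12 stunnel-client.conf; do
        if [ -f "/etc/stunnel/$f" ]; then
            cp "/etc/stunnel/$f" "/home/$new_username/$f"
            chown "$new_username:$new_username" "/home/$new_username/$f"
        fi
    done
}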
  401. function remove_user_vpn {
  402. new_username="$1"
  403. }
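#######################################
# Generate the self-signed stunnel server certificate and key, bundle them
# as stunnel.pem and as a PKCS#12 file, and give the admin user copies.
# Runs on the live system (install_stunnel only calls it when not building
# an image root).
# Globals:   VPN_ORGANISATION, VPN_UNIT, VPN_COUNTRY_CODE, VPN_AREA,
#            VPN_LOCATION, HOSTNAME, MY_USERNAME (read)
# Arguments: none
# Exits:     with a project-style unique code if any artefact is missing
#######################################
function generate_stunnel_keys {
    local stunnel_dir=/etc/stunnel
    local admin_home="/home/$MY_USERNAME"
    openssl req -x509 -nodes -days 3650 -sha256 \
        -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
        -newkey rsa:2048 -keyout "$stunnel_dir/key.pem" \
        -out "$stunnel_dir/cert.pem"
    if [ ! -f "$stunnel_dir/key.pem" ]; then
        echo $'stunnel key not created'
        exit 793530
    fi
    if [ ! -f "$stunnel_dir/cert.pem" ]; then
        echo $'stunnel cert not created'
        exit 204587
    fi
    chmod 400 "$stunnel_dir/key.pem"
    chmod 640 "$stunnel_dir/cert.pem"
    # Overwrite rather than append: regenerating must not leave the previous
    # key and certificate bundled in front of the new ones
    cat "$stunnel_dir/key.pem" "$stunnel_dir/cert.pem" > "$stunnel_dir/stunnel.pem"
    chmod 640 "$stunnel_dir/stunnel.pem"
    # -passout pass: gives the PKCS#12 bundle an empty export password
    openssl pkcs12 -export -out "$stunnel_dir/stunnel.p12" -inkey "$stunnel_dir/key.pem" -in "$stunnel_dir/cert.pem" -passout pass:
    if [ ! -f "$stunnel_dir/stunnel.p12" ]; then
        echo $'stunnel pkcs12 not created'
        exit 639353
    fi
    chmod 640 "$stunnel_dir/stunnel.p12"
    # Copies for the admin user. chown the files just copied rather than
    # $prefix$userhome, which belong to the caller (install_stunnel)
    cp "$stunnel_dir/stunnel.pem" "$admin_home/stunnel.pem"
    cp "$stunnel_dir/stunnel.p12" "$admin_home/stunnel.p12"
    chown "$MY_USERNAME:$MY_USERNAME" "$admin_home/stunnel.pem" "$admin_home/stunnel.p12"
}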
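#######################################
# Install stunnel4 and write its server and client configurations plus a
# systemd unit. When $rootdir is set the files go into that image root and
# nothing is started; on a live system the keys are generated, nginx is
# stopped if the VPN takes port 443, and stunnel is enabled and started.
# Globals:   rootdir, MY_USERNAME, VPN_TLS_PORT, STUNNEL_PORT,
#            DEFAULT_DOMAIN_NAME (read); prefix, prefixchroot, userhome (written)
# Arguments: none
#######################################
function install_stunnel {
    prefix=
    prefixchroot=
    userhome=/home/$MY_USERNAME
    if [ -n "$rootdir" ]; then
        prefix=$rootdir
        prefixchroot="chroot $rootdir"
    fi
    # shellcheck disable=SC2086 -- splitting "chroot DIR" into words is intended
    $prefixchroot apt-get -yq install stunnel4
    if [ -z "$prefix" ]; then
        # Keys are only generated on the live system, never inside an image
        cd /etc/stunnel || exit 1
        generate_stunnel_keys
    fi
    # Server side: TLS on the public port, plaintext on to OpenVPN at 1194
    cat <<EOF > "$prefix/etc/stunnel/stunnel.conf"
chroot = /var/lib/stunnel4
pid = /stunnel4.pid
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
cert = /etc/stunnel/stunnel.pem
[openvpn]
accept = $VPN_TLS_PORT
connect = localhost:1194
cert = /etc/stunnel/stunnel.pem
EOF
    # Same image-root prefix as every other path written here (the original
    # edited the host's /etc/default/stunnel4 even when building an image)
    sed -i 's|ENABLED=.*|ENABLED=1|g' "$prefix/etc/default/stunnel4"
    # Client side: listen locally on STUNNEL_PORT, tunnel to the server's TLS port
    cat <<EOF > "$prefix/etc/stunnel/stunnel-client.conf"
[openvpn]
client = yes
accept = $STUNNEL_PORT
connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT
cert = stunnel.pem
EOF
    cat <<'EOF' > "$prefix/etc/systemd/system/stunnel.service"
[Unit]
Description=SSL tunnel for network daemons
Documentation=man:stunnel https://www.stunnel.org/docs.html
DefaultDependencies=no
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target
Alias=stunnel.target

[Service]
Type=forking
RuntimeDirectory=stunnel
EnvironmentFile=-/etc/stunnel/stunnel.conf
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
ExecStop=/usr/bin/killall -9 stunnel
RemainAfterExit=yes
EOF
    if [ -z "$prefix" ]; then
        # Port 443 can only be used if nginx gives it up
        if [ "$VPN_TLS_PORT" -eq 443 ]; then
            systemctl stop nginx
            systemctl disable nginx
        else
            systemctl enable nginx
            systemctl restart nginx
        fi
        systemctl enable stunnel
        systemctl daemon-reload
        systemctl start stunnel
    fi
    cp "$prefix/etc/stunnel/stunnel-client.conf" "$prefix$userhome/stunnel-client.conf"
    chown "$MY_USERNAME:$MY_USERNAME" "$prefix$userhome"/stunnel*
}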
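#######################################
# Generate the OpenVPN server-side key material with easy-rsa: dh params,
# CA, server certificate and key. Copies the results into /etc/openvpn and
# finally creates the admin user's client key.
# Globals:   OPENVPN_SERVER_NAME, MY_USERNAME (read)
# Arguments: none
# Exits:     with a project-style unique code if any artefact is missing
#######################################
function vpn_generate_keys {
    local keys_dir=/etc/openvpn/easy-rsa/keys
    local vpn_openssl_version='1.0.0'
    local server_cert ext
    # generate host keys
    if [ ! -f /etc/openvpn/dh2048.pem ]; then
        openssl dhparam -out /etc/openvpn/dh2048.pem 2048
    fi
    if [ ! -f /etc/openvpn/dh2048.pem ]; then
        echo $'vpn dhparams were not generated'
        exit 73724523
    fi
    cp /etc/openvpn/dh2048.pem "$keys_dir/dh2048.pem"
    # ./vars, ./clean-all and the build-* scripts are relative to the easy-rsa
    # directory; never fall through and run them from the wrong place
    cd /etc/openvpn/easy-rsa || exit 1
    . ./vars
    ./clean-all
    if [ ! -f "openssl-${vpn_openssl_version}.cnf" ]; then
        echo $"openssl-${vpn_openssl_version}.cnf was not found"
        exit 7392353
    fi
    cp "openssl-${vpn_openssl_version}.cnf" openssl.cnf
    # Start clean so easy-rsa does not refuse to overwrite an earlier server key
    for ext in crt key csr; do
        rm -f -- "$keys_dir/${OPENVPN_SERVER_NAME}.$ext"
    done
    # Run the easy-rsa scripts non-interactively
    sed -i 's| --interact||g' build-key-server
    sed -i 's| --interact||g' build-ca
    ./build-ca
    ./build-key-server "${OPENVPN_SERVER_NAME}"
    if [ ! -f "$keys_dir/${OPENVPN_SERVER_NAME}.crt" ]; then
        echo $'OpenVPN crt not found'
        exit 7823352
    fi
    server_cert=$(<"$keys_dir/${OPENVPN_SERVER_NAME}.crt")
    if [ "${#server_cert}" -lt 10 ]; then
        cat "$keys_dir/${OPENVPN_SERVER_NAME}.crt"
        echo $'Server cert generation failed'
        exit 3284682
    fi
    if [ ! -f "$keys_dir/${OPENVPN_SERVER_NAME}.key" ]; then
        echo $'OpenVPN key not found'
        exit 6839436
    fi
    if [ ! -f "$keys_dir/ca.key" ]; then
        echo $'OpenVPN ca not found'
        exit 7935203
    fi
    # server.conf (see install_vpn) expects these three files in /etc/openvpn
    cp "$keys_dir/${OPENVPN_SERVER_NAME}.crt" "$keys_dir/${OPENVPN_SERVER_NAME}.key" "$keys_dir/ca.crt" /etc/openvpn
    create_user_vpn_key "${MY_USERNAME}"
}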
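#######################################
# Install OpenVPN (plus easy-rsa and fastd), write the server configuration,
# enable IP forwarding and prepare easy-rsa. When $rootdir is set the files
# go into that image root and nothing is started; on a live system the keys
# are generated, the firewall is opened and the services started. Finishes
# by installing stunnel.
# Globals:   rootdir, PROJECT_NAME, MY_EMAIL_ADDRESS, OPENVPN_SERVER_NAME,
#            VPN_TLS_PORT (read); prefix, prefixchroot, APP_INSTALLED (written)
# Arguments: none
#######################################
function install_vpn {
    local vars_file
    prefix=
    prefixchroot=
    if [ -n "$rootdir" ]; then
        prefix=$rootdir
        prefixchroot="chroot $rootdir"
    fi
    # shellcheck disable=SC2086 -- splitting "chroot DIR" into words is intended
    $prefixchroot apt-get -yq install fastd openvpn easy-rsa
    $prefixchroot groupadd vpn
    $prefixchroot useradd -r -s /bin/false -g vpn vpn
    # server configuration: TCP on 1194, which the stunnel server forwards
    # to (see install_stunnel); clients get all traffic and the two listed
    # DNS servers pushed to them
    cat <<'EOF' > "$prefix/etc/openvpn/server.conf"
port 1194
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 85.214.73.63"
push "dhcp-option DNS 213.73.91.35"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /dev/null
verb 3

EOF
    if [ -z "$prefix" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    # Forwarding must also survive a reboot
    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' "$prefix/etc/sysctl.conf"
    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' "$prefix/etc/sysctl.conf"
    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' "$prefix/etc/sysctl.conf"
    cp -r "$prefix/usr/share/easy-rsa/" "$prefix/etc/openvpn"
    mkdir -p "$prefix/etc/openvpn/easy-rsa/keys"
    # keys configuration
    # NOTE(review): the subject fields below are fixed ("US", "TX", "Dallas",
    # "MoonUnit") while the stunnel certificate uses VPN_COUNTRY_CODE,
    # VPN_AREA, VPN_LOCATION and VPN_UNIT; consider unifying them
    vars_file="$prefix/etc/openvpn/easy-rsa/vars"
    sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" "$vars_file"
    sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" "$vars_file"
    sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" "$vars_file"
    sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" "$vars_file"
    sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" "$vars_file"
    sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" "$vars_file"
    sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" "$vars_file"
    if [ -z "$prefix" ]; then
        vpn_generate_keys
        firewall_enable_vpn
        # 443 is shared with nginx and handled by install_stunnel; any other
        # TLS port needs its own firewall rule
        if [ "${VPN_TLS_PORT}" -ne 443 ]; then
            firewall_add VPN-TLS "${VPN_TLS_PORT}" tcp
        fi
        systemctl start openvpn
    fi
    install_stunnel
    if [ -z "$prefix" ]; then
        systemctl restart openvpn
    fi
    APP_INSTALLED=1
}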
  611. # NOTE: deliberately there is no "exit 0"