free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
7501 Commits
5 Branches
Tree: 4cdd66d6f9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4cdd66d6f9'
${ noResults }
freedombone/src/freedombone-app-vpn

freedombone-app-vpn 25KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # VPN functions

  12. # https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8

  13. # https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/

  14. # http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php

  15. #

  16. # License

  17. # =======

  18. #

  19. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>

  20. #

  21. # This program is free software: you can redistribute it and/or modify

  22. # it under the terms of the GNU Affero General Public License as published by

  23. # the Free Software Foundation, either version 3 of the License, or

  24. # (at your option) any later version.

  25. #

  26. # This program is distributed in the hope that it will be useful,

  27. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  28. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  29. # GNU Affero General Public License for more details.

  30. #

  31. # You should have received a copy of the GNU Affero General Public License

  32. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  33. 

  34. VARIANTS='full full-vim'

  35. 

  36. IN_DEFAULT_INSTALL=0

  37. SHOW_ON_ABOUT=0

  38. 

  39. OPENVPN_SERVER_NAME="server"

  40. OPENVPN_KEY_FILENAME='client.ovpn'

  41. 

  42. VPN_COUNTRY_CODE="US"

  43. VPN_AREA="Apparent Free Speech Zone"

  44. VPN_LOCATION="Freedomville"

  45. VPN_ORGANISATION="Freedombone"

  46. VPN_UNIT="Freedombone Unit"

  47. STUNNEL_PORT=3439

  48. VPN_TLS_PORT=553

  49. 

  50. vpn_variables=(MY_EMAIL_ADDRESS

  51.                DEFAULT_DOMAIN_NAME

  52.                MY_USERNAME

  53.                VPN_COUNTRY_CODE

  54.                VPN_AREA

  55.                VPN_LOCATION

  56.                VPN_ORGANISATION

  57.                VPN_UNIT

  58.                VPN_TLS_PORT)

  59. 

  60. function logging_on_vpn {

  61.     sed -i 's|status .*|status /var/log/openvpn.log|g' /etc/openvpn/server.conf

  62.     systemctl restart openvpn

  63. }

  64. 

  65. function logging_off_vpn {

  66.     sed -i 's|status .*|status /dev/null|g' /etc/openvpn/server.conf

  67.     systemctl restart openvpn

  68. }

  69. 

  70. function install_interactive_vpn {

  71.     read_config_param VPN_TLS_PORT

  72.     if [ ! $VPN_TLS_PORT ]; then

  73.         VPN_TLS_PORT=553

  74.     fi

  75.     VPN_DETAILS_COMPLETE=

  76.     while [ ! $VPN_DETAILS_COMPLETE ]

  77.     do

  78.         data=$(tempfile 2>/dev/null)

  79.         trap "rm -f $data" 0 1 2 5 15

  80.         currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')

  81.         if [ $currtlsport ]; then

  82.             VPN_TLS_PORT=$currtlsport

  83.         fi

  84.         dialog --backtitle $"Freedombone Configuration" \

  85.                --title $"VPN Configuration" \

  86.                --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \

  87.                $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \

  88.                2> $data

  89.         sel=$?

  90.         case $sel in

  91.             1) exit 1;;

  92.             255) exit 1;;

  93.         esac

  94.         tlsport=$(cat $data | sed -n 1p)

  95.         if [ ${#tlsport} -gt 1 ]; then

  96.             if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then

  97.                 VPN_TLS_PORT="$tlsport"

  98.                 VPN_DETAILS_COMPLETE="yes"

  99.                 write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"

  100.             fi

  101.         fi

  102.     done

  103.     clear

  104.     APP_INSTALLED=1

  105. }

  106. 

  107. function vpn_change_tls_port {

  108.     EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT

  109. 

  110.     data=$(tempfile 2>/dev/null)

  111.     trap "rm -f $data" 0 1 2 5 15

  112.     dialog --title $"VPN Configuration" \

  113.            --backtitle $"Freedombone Control Panel" \

  114.            --inputbox $'Change TLS port' 10 50 $VPN_TLS_PORT 2>$data

  115.     sel=$?

  116.     case $sel in

  117.         0)

  118.             tlsport=$(<$data)

  119.             if [ ${#tlsport} -gt 0 ]; then

  120.                 if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then

  121.                     clear

  122.                     VPN_TLS_PORT=$tlsport

  123.                     write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"

  124.                     sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf

  125.                     sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf

  126. 

  127.                     for d in /home/*/ ; do

  128.                         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  129.                         if [ -f /home/$USERNAME/stunnel-client.conf ]; then

  130.                             cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf

  131.                             chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf

  132.                         fi

  133.                     done

  134. 

  135.                     if [ $VPN_TLS_PORT -eq 443 ]; then

  136.                         systemctl stop nginx

  137.                         systemctl disable nginx

  138.                     else

  139.                         systemctl enable nginx

  140.                         systemctl restart nginx

  141.                     fi

  142. 

  143.                     systemctl restart stunnel

  144. 

  145.                     dialog --title $"VPN Configuration" \

  146.                            --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60

  147.                 fi

  148.             fi

  149.             ;;

  150.     esac

  151. }

  152. 

  153. function vpn_regenerate_client_keys {

  154.     data=$(tempfile 2>/dev/null)

  155.     trap "rm -f $data" 0 1 2 5 15

  156.     dialog --title $"Regenerate VPN keys for a user" \

  157.            --backtitle $"Freedombone Control Panel" \

  158.            --inputbox $'username' 10 50 2>$data

  159.     sel=$?

  160.     case $sel in

  161.         0)

  162.             USERNAME=$(<$data)

  163.             if [ ${#USERNAME} -gt 0 ]; then

  164.                 if [ -d /home/$USERNAME ]; then

  165.                     clear

  166.                     create_user_vpn_key $USERNAME

  167.                     dialog --title $"Regenerate VPN keys for a user" \

  168.                            --msgbox $"VPN keys were regenerated for $USERNAME" 6 60

  169.                 fi

  170.             fi

  171.             ;;

  172.     esac

  173. }

  174. 

  175. function configure_interactive_vpn {

  176.     read_config_param VPN_TLS_PORT

  177.     while true

  178.     do

  179.         data=$(tempfile 2>/dev/null)

  180.         trap "rm -f $data" 0 1 2 5 15

  181.         dialog --backtitle $"Freedombone Control Panel" \

  182.                --title $"VPN Configuration" \

  183.                --radiolist $"Choose an operation:" 13 70 3 \

  184.                1 $"Change TLS port (currently $VPN_TLS_PORT)" off \

  185.                2 $"Regenerate keys for a user" off \

  186.                3 $"Exit" on 2> $data

  187.         sel=$?

  188.         case $sel in

  189.             1) return;;

  190.             255) return;;

  191.         esac

  192.         case $(cat $data) in

  193.             1) vpn_change_tls_port;;

  194.             2) vpn_regenerate_client_keys;;

  195.             3) break;;

  196.         esac

  197.     done

  198. }

  199. 

  200. function reconfigure_vpn {

  201.     echo -n ''

  202. }

  203. 

  204. function upgrade_vpn {

  205.     echo -n ''

  206. }

  207. 

  208. function backup_local_vpn {

  209.     for d in /home/*/ ; do

  210.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  211.         if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then

  212.             cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}

  213.         fi

  214.     done

  215. 

  216.     function_check backup_directory_to_usb

  217.     backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn

  218.     backup_directory_to_usb /etc/stunnel vpnstunnel

  219. }

  220. 

  221. function restore_local_vpn {

  222.     temp_restore_dir=/root/tempvpn

  223.     restore_directory_from_usb $temp_restore_dir vpn

  224.     if [ -d ${temp_restore_dir} ]; then

  225.         cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys

  226.         cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/

  227.         cp -r ${temp_restore_dir}/dh* /etc/openvpn/

  228.         rm -rf ${temp_restore_dir}

  229. 

  230.         for d in /home/*/ ; do

  231.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  232.             if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then

  233.                 cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME

  234.                 chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME

  235.             fi

  236.         done

  237.     fi

  238.     temp_restore_dir=/root/tempvpnstunnel

  239.     restore_directory_from_usb $temp_restore_dir vpnstunnel

  240.     if [ -d ${temp_restore_dir} ]; then

  241.         cp -r ${temp_restore_dir}/* /etc/stunnel

  242.         rm -rf ${temp_restore_dir}

  243.         for d in /home/*/ ; do

  244.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  245.             if [ -f /home/$USERNAME/stunnel.pem ]; then

  246.                 cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem

  247.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem

  248.             fi

  249.             if [ -f /home/$USERNAME/stunnel.p12 ]; then

  250.                 cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12

  251.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12

  252.             fi

  253.         done

  254.     fi

  255. }

  256. 

  257. function backup_remote_vpn {

  258.     for d in /home/*/ ; do

  259.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  260.         if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then

  261.             cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}

  262.         fi

  263.     done

  264. 

  265.     function_check backup_directory_to_friend

  266.     backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn

  267.     backup_directory_to_friend /etc/stunnel vpnstunnel

  268. }

  269. 

  270. function restore_remote_vpn {

  271.     temp_restore_dir=/root/tempvpn

  272.     restore_directory_from_friend $temp_restore_dir vpn

  273.     if [ -d ${temp_restore_dir} ]; then

  274.         cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys

  275.         cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/

  276.         cp -r ${temp_restore_dir}/dh* /etc/openvpn/

  277.         rm -rf ${temp_restore_dir}

  278. 

  279.         for d in /home/*/ ; do

  280.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  281.             if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then

  282.                 cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME

  283.                 chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME

  284.             fi

  285.         done

  286.     fi

  287.     temp_restore_dir=/root/tempvpnstunnel

  288.     restore_directory_from_friend $temp_restore_dir vpnstunnel

  289.     if [ -d ${temp_restore_dir} ]; then

  290.         cp -r ${temp_restore_dir}/* /etc/stunnel

  291.         rm -rf ${temp_restore_dir}

  292.         for d in /home/*/ ; do

  293.             USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  294.             if [ -f /home/$USERNAME/stunnel.pem ]; then

  295.                 cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem

  296.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem

  297.             fi

  298.             if [ -f /home/$USERNAME/stunnel.p12 ]; then

  299.                 cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12

  300.                 chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12

  301.             fi

  302.         done

  303.     fi

  304. }

  305. 

  306. function remove_vpn {

  307.     systemctl stop stunnel

  308.     systemctl disable stunnel

  309.     rm /etc/systemd/system/stunnel.service

  310. 

  311.     systemctl stop openvpn

  312.     if [ $VPN_TLS_PORT -ne 443 ]; then

  313.         firewall_remove VPN-TLS $VPN_TLS_PORT

  314.     else

  315.         systemctl enable nginx

  316.         systemctl restart nginx

  317.     fi

  318. 

  319.     apt-get -yq remove --purge fastd openvpn easy-rsa

  320.     apt-get -yq remove stunnel4

  321.     if [ -d /etc/openvpn ]; then

  322.         rm -rf /etc/openvpn

  323.     fi

  324.     firewall_disable_vpn

  325. 

  326.     echo 0 > /proc/sys/net/ipv4/ip_forward

  327.     sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf

  328. 

  329.     remove_completion_param install_vpn

  330. 

  331.     # remove any client keys

  332.     for d in /home/*/ ; do

  333.         USERNAME=$(echo "$d" | awk -F '/' '{print $3}')

  334.         if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then

  335.             shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME

  336.         fi

  337.         rm /home/$USERNAME/stunnel*

  338.     done

  339.     userdel -f vpn

  340.     groupdel -f vpn

  341. 

  342.     if [ -d /etc/stunnel ]; then

  343.         rm -rf /etc/stunnel

  344.     fi

  345. }

  346. 

  347. function create_user_vpn_key {

  348.     username=$1

  349. 

  350.     if [ ! -d /home/$username ]; then

  351.         return

  352.     fi

  353. 

  354.     echo $"Creating VPN key for $username"

  355. 

  356.     cd /etc/openvpn/easy-rsa

  357. 

  358.     if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then

  359.         rm /etc/openvpn/easy-rsa/keys/$username.crt

  360.     fi

  361.     if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then

  362.         rm /etc/openvpn/easy-rsa/keys/$username.key

  363.     fi

  364.     if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then

  365.         rm /etc/openvpn/easy-rsa/keys/$username.csr

  366.     fi

  367. 

  368.     sed -i 's| --interact||g' build-key

  369.     ./build-key "$username"

  370. 

  371.     if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then

  372.         echo $'VPN user cert not generated'

  373.         exit 783528

  374.     fi

  375.     user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)

  376.     if [ ${#user_cert} -lt 10 ]; then

  377.         cat /etc/openvpn/easy-rsa/keys/$username.crt

  378.         echo $'User cert generation failed'

  379.         exit 634659

  380.     fi

  381.     if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then

  382.         echo $'VPN user key not generated'

  383.         exit 682523

  384.     fi

  385.     user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)

  386.     if [ ${#user_key} -lt 10 ]; then

  387.         cat /etc/openvpn/easy-rsa/keys/$username.key

  388.         echo $'User key generation failed'

  389.         exit 285838

  390.     fi

  391. 

  392.     user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME

  393. 

  394.     echo 'client' > $user_vpn_cert_file

  395.     echo 'dev tun' >> $user_vpn_cert_file

  396.     echo 'proto tcp' >> $user_vpn_cert_file

  397.     echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file

  398.     echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file

  399.     echo 'resolv-retry infinite' >> $user_vpn_cert_file

  400.     echo 'nobind' >> $user_vpn_cert_file

  401.     echo 'tun-mtu 1500' >> $user_vpn_cert_file

  402.     echo 'tun-mtu-extra 32' >> $user_vpn_cert_file

  403.     echo 'mssfix 1450' >> $user_vpn_cert_file

  404.     echo 'persist-key' >> $user_vpn_cert_file

  405.     echo 'persist-tun' >> $user_vpn_cert_file

  406.     echo 'auth-nocache' >> $user_vpn_cert_file

  407.     echo 'remote-cert-tls server' >> $user_vpn_cert_file

  408.     echo 'comp-lzo' >> $user_vpn_cert_file

  409.     echo 'verb 3' >> $user_vpn_cert_file

  410.     echo '' >> $user_vpn_cert_file

  411. 

  412.     echo '<ca>' >> $user_vpn_cert_file

  413.     cat /etc/openvpn/ca.crt >> $user_vpn_cert_file

  414.     echo '</ca>' >> $user_vpn_cert_file

  415. 

  416.     echo '<cert>' >> $user_vpn_cert_file

  417.     cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file

  418.     echo '</cert>' >> $user_vpn_cert_file

  419. 

  420.     echo '<key>' >> $user_vpn_cert_file

  421.     cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file

  422.     echo '</key>' >> $user_vpn_cert_file

  423. 

  424.     chown $username:$username $user_vpn_cert_file

  425. 

  426.     # keep a backup

  427.     cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn

  428. 

  429.     #rm /etc/openvpn/easy-rsa/keys/$username.crt

  430.     #rm /etc/openvpn/easy-rsa/keys/$username.csr

  431.     shred -zu /etc/openvpn/easy-rsa/keys/$username.key

  432. 

  433.     echo $"VPN key created at $user_vpn_cert_file"

  434. }

  435. 

  436. function add_user_vpn {

  437.     new_username="$1"

  438.     new_user_password="$2"

  439. 

  440.     create_user_vpn_key $new_username

  441.     if [ -f /etc/stunnel/stunnel.pem ]; then

  442.         cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem

  443.         chown $new_username:$new_username /home/$new_username/stunnel.pem

  444.     fi

  445.     if [ -f /etc/stunnel/stunnel.p12 ]; then

  446.         cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12

  447.         chown $new_username:$new_username /home/$new_username/stunnel.p12

  448.     fi

  449.     cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf

  450.     chown $new_username:$new_username /home/$new_username/stunnel-client.conf

  451. }

  452. 

  453. function remove_user_vpn {

  454.     new_username="$1"

  455. }

  456. 

  457. function generate_stunnel_keys {

  458.     openssl req -x509 -nodes -days 3650 -sha256 \

  459.             -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \

  460.             -newkey rsa:2048 -keyout /etc/stunnel/key.pem \

  461.             -out /etc/stunnel/cert.pem

  462.     if [ ! -f /etc/stunnel/key.pem ]; then

  463.         echo $'stunnel key not created'

  464.         exit 793530

  465.     fi

  466.     if [ ! -f /etc/stunnel/cert.pem ]; then

  467.         echo $'stunnel cert not created'

  468.         exit 204587

  469.     fi

  470.     chmod 400 /etc/stunnel/key.pem

  471.     chmod 640 /etc/stunnel/cert.pem

  472. 

  473.     cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem

  474.     chmod 640 /etc/stunnel/stunnel.pem

  475. 

  476.     openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:

  477.     if [ ! -f /etc/stunnel/stunnel.p12 ]; then

  478.         echo $'stunnel pkcs12 not created'

  479.         exit 639353

  480.     fi

  481.     chmod 640 /etc/stunnel/stunnel.p12

  482. 

  483.     cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem

  484.     cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12

  485.     chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*

  486. }

  487. 

  488. function install_stunnel {

  489.     prefix=

  490.     prefixchroot=

  491.     userhome=/home/$MY_USERNAME

  492.     if [ $rootdir ]; then

  493.         prefix=$rootdir

  494.         prefixchroot="chroot $rootdir"

  495.     fi

  496. 

  497.     $prefixchroot apt-get -yq install stunnel4

  498. 

  499.     if [ ! $prefix ]; then

  500.         cd /etc/stunnel

  501.         generate_stunnel_keys

  502.     fi

  503. 

  504.     echo 'chroot = /var/lib/stunnel4' > $prefix/etc/stunnel/stunnel.conf

  505.     echo 'pid = /stunnel4.pid' >> $prefix/etc/stunnel/stunnel.conf

  506.     echo 'setuid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf

  507.     echo 'setgid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf

  508.     echo 'socket = l:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf

  509.     echo 'socket = r:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf

  510.     echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf

  511.     echo '[openvpn]' >> $prefix/etc/stunnel/stunnel.conf

  512.     echo "accept = $VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel.conf

  513.     echo 'connect = localhost:1194' >> $prefix/etc/stunnel/stunnel.conf

  514.     echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf

  515. 

  516.     sed -i 's|ENABLED=.*|ENABLED=1|g' /etc/default/stunnel4

  517. 

  518.     echo '[openvpn]' > $prefix/etc/stunnel/stunnel-client.conf

  519.     echo 'client = yes' >> $prefix/etc/stunnel/stunnel-client.conf

  520.     echo "accept = $STUNNEL_PORT" >> $prefix/etc/stunnel/stunnel-client.conf

  521.     echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel-client.conf

  522.     echo 'cert = stunnel.pem' >> $prefix/etc/stunnel/stunnel-client.conf

  523. 

  524.     echo '[Unit]' > $prefix/etc/systemd/system/stunnel.service

  525.     echo 'Description=SSL tunnel for network daemons' >> $prefix/etc/systemd/system/stunnel.service

  526.     echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> $prefix/etc/systemd/system/stunnel.service

  527.     echo 'DefaultDependencies=no' >> $prefix/etc/systemd/system/stunnel.service

  528.     echo 'After=network.target' >> $prefix/etc/systemd/system/stunnel.service

  529.     echo 'After=syslog.target' >> $prefix/etc/systemd/system/stunnel.service

  530.     echo '' >> $prefix/etc/systemd/system/stunnel.service

  531.     echo '[Install]' >> $prefix/etc/systemd/system/stunnel.service

  532.     echo 'WantedBy=multi-user.target' >> $prefix/etc/systemd/system/stunnel.service

  533.     echo 'Alias=stunnel.target' >> $prefix/etc/systemd/system/stunnel.service

  534.     echo '' >> $prefix/etc/systemd/system/stunnel.service

  535.     echo '[Service]' >> $prefix/etc/systemd/system/stunnel.service

  536.     echo 'Type=forking' >> $prefix/etc/systemd/system/stunnel.service

  537.     echo 'RuntimeDirectory=stunnel' >> $prefix/etc/systemd/system/stunnel.service

  538.     echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service

  539.     echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service

  540.     echo 'ExecStop=/usr/bin/killall -9 stunnel' >> $prefix/etc/systemd/system/stunnel.service

  541.     echo 'RemainAfterExit=yes' >> $prefix/etc/systemd/system/stunnel.service

  542. 

  543.     if [ ! $prefix ]; then

  544.         if [ $VPN_TLS_PORT -eq 443 ]; then

  545.             systemctl stop nginx

  546.             systemctl disable nginx

  547.         else

  548.             systemctl enable nginx

  549.             systemctl restart nginx

  550.         fi

  551. 

  552.         systemctl enable stunnel

  553.         systemctl daemon-reload

  554.         systemctl start stunnel

  555.     fi

  556. 

  557.     cp $prefix/etc/stunnel/stunnel-client.conf $prefix$userhome/stunnel-client.conf

  558.     chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*

  559. }

  560. 

  561. function vpn_generate_keys {

  562.     # generate host keys

  563.     if [ ! -f /etc/openvpn/dh2048.pem ]; then

  564.         openssl dhparam -out /etc/openvpn/dh2048.pem 2048

  565.     fi

  566.     if [ ! -f /etc/openvpn/dh2048.pem ]; then

  567.         echo $'vpn dhparams were not generated'

  568.         exit 73724523

  569.     fi

  570.     cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem

  571. 

  572.     cd /etc/openvpn/easy-rsa

  573.     . ./vars

  574.     ./clean-all

  575.     vpn_openssl_version='1.0.0'

  576.     if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then

  577.         echo $"openssl-${vpn_openssl_version}.cnf was not found"

  578.         exit 7392353

  579.     fi

  580.     cp openssl-${vpn_openssl_version}.cnf openssl.cnf

  581. 

  582.     if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then

  583.         rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt

  584.     fi

  585.     if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then

  586.         rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key

  587.     fi

  588.     if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then

  589.         rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr

  590.     fi

  591.     sed -i 's| --interact||g' build-key-server

  592.     sed -i 's| --interact||g' build-ca

  593.     ./build-ca

  594.     ./build-key-server ${OPENVPN_SERVER_NAME}

  595.     if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then

  596.         echo $'OpenVPN crt not found'

  597.         exit 7823352

  598.     fi

  599.     server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)

  600.     if [ ${#server_cert} -lt 10 ]; then

  601.         cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt

  602.         echo $'Server cert generation failed'

  603.         exit 3284682

  604.     fi

  605. 

  606.     if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then

  607.         echo $'OpenVPN key not found'

  608.         exit 6839436

  609.     fi

  610.     if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then

  611.         echo $'OpenVPN ca not found'

  612.         exit 7935203

  613.     fi

  614.     cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn

  615. 

  616.     create_user_vpn_key ${MY_USERNAME}

  617. }

  618. 

  619. function install_vpn {

  620.     prefix=

  621.     prefixchroot=

  622.     if [ $rootdir ]; then

  623.         prefix=$rootdir

  624.         prefixchroot="chroot $rootdir"

  625.     fi

  626.     $prefixchroot apt-get -yq install fastd openvpn easy-rsa

  627. 

  628.     $prefixchroot groupadd vpn

  629.     $prefixchroot useradd -r -s /bin/false -g vpn vpn

  630. 

  631.     # server configuration

  632.     echo 'port 1194' > $prefix/etc/openvpn/server.conf

  633.     echo 'proto tcp' >> $prefix/etc/openvpn/server.conf

  634.     echo 'dev tun' >> $prefix/etc/openvpn/server.conf

  635.     echo 'tun-mtu 1500' >> $prefix/etc/openvpn/server.conf

  636.     echo 'tun-mtu-extra 32' >> $prefix/etc/openvpn/server.conf

  637.     echo 'mssfix 1450' >> $prefix/etc/openvpn/server.conf

  638.     echo 'ca /etc/openvpn/ca.crt' >> $prefix/etc/openvpn/server.conf

  639.     echo 'cert /etc/openvpn/server.crt' >> $prefix/etc/openvpn/server.conf

  640.     echo 'key /etc/openvpn/server.key' >> $prefix/etc/openvpn/server.conf

  641.     echo 'dh /etc/openvpn/dh2048.pem' >> $prefix/etc/openvpn/server.conf

  642.     echo 'server 10.8.0.0 255.255.255.0' >> $prefix/etc/openvpn/server.conf

  643.     echo 'push "redirect-gateway def1 bypass-dhcp"' >> $prefix/etc/openvpn/server.conf

  644.     echo "push \"dhcp-option DNS 85.214.73.63\"" >> $prefix/etc/openvpn/server.conf

  645.     echo "push \"dhcp-option DNS 213.73.91.35\"" >> $prefix/etc/openvpn/server.conf

  646.     echo 'keepalive 5 30' >> $prefix/etc/openvpn/server.conf

  647.     echo 'comp-lzo' >> $prefix/etc/openvpn/server.conf

  648.     echo 'persist-key' >> $prefix/etc/openvpn/server.conf

  649.     echo 'persist-tun' >> $prefix/etc/openvpn/server.conf

  650.     echo 'status /dev/null' >> $prefix/etc/openvpn/server.conf

  651.     echo 'verb 3' >> $prefix/etc/openvpn/server.conf

  652.     echo '' >> $prefix/etc/openvpn/server.conf

  653. 

  654.     if [ ! $prefix ]; then

  655.         echo 1 > /proc/sys/net/ipv4/ip_forward

  656.     fi

  657.     sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf

  658.     sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf

  659.     sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' $prefix/etc/sysctl.conf

  660. 

  661.     cp -r $prefix/usr/share/easy-rsa/ $prefix/etc/openvpn

  662.     if [ ! -d $prefix/etc/openvpn/easy-rsa/keys ]; then

  663.         mkdir $prefix/etc/openvpn/easy-rsa/keys

  664.     fi

  665. 

  666.     # keys configuration

  667.     sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" $prefix/etc/openvpn/easy-rsa/vars

  668.     sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" $prefix/etc/openvpn/easy-rsa/vars

  669.     sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" $prefix/etc/openvpn/easy-rsa/vars

  670.     sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars

  671.     sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" $prefix/etc/openvpn/easy-rsa/vars

  672.     sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" $prefix/etc/openvpn/easy-rsa/vars

  673.     sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars

  674. 

  675.     if [ ! $prefix ]; then

  676.         vpn_generate_keys

  677.         firewall_enable_vpn

  678. 

  679.         if [ ${VPN_TLS_PORT} -ne 443 ]; then

  680.             firewall_add VPN-TLS ${VPN_TLS_PORT} tcp

  681.         fi

  682. 

  683.         systemctl start openvpn

  684.     fi

  685. 

  686.     install_stunnel

  687. 

  688.     if [ ! $prefix ]; then

  689.         systemctl restart openvpn

  690.     fi

  691. 

  692.     APP_INSTALLED=1

  693. }

  694. 

  695. # NOTE: deliberately there is no "exit 0"