freedombone/src/freedombone-app-vpn

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# VPN functions
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
#
# License
# =======
#
# Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

VARIANTS='full full-vim'

IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=0

OPENVPN_SERVER_NAME="${PROJECT_NAME}-vpn"
OPENVPN_KEY_FILENAME='vpn.ovpn'

vpn_variables=(MY_EMAIL_ADDRESS
               MY_USERNAME)

function logging_on_vpn {
    echo -n ''
}

function logging_off_vpn {
    echo -n ''
}

function install_interactive_vpn {
    echo -n ''
    APP_INSTALLED=1
}

function reconfigure_vpn {
    echo -n ''
}

function upgrade_vpn {
    echo -n ''
}

function backup_local_vpn {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
            cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
        fi
    done

    function_check backup_directory_to_usb
    backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn
}

function restore_local_vpn {
    temp_restore_dir=/root/tempvpn
    restore_directory_from_usb $temp_restore_dir vpn
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
        rm -rf ${temp_restore_dir}

        for d in /home/*/ ; do
            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
            if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
                cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
                chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
            fi
        done
    fi
}

function backup_remote_vpn {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
            cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
        fi
    done

    function_check backup_directory_to_friend
    backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
}

function restore_remote_vpn {
    temp_restore_dir=/root/tempvpn
    restore_directory_from_friend $temp_restore_dir vpn
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
        rm -rf ${temp_restore_dir}

        for d in /home/*/ ; do
            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
            if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
                cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
                chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
            fi
        done
    fi
}

function remove_vpn {
    systemctl stop openvpn
    apt-get -yq remove --purge fastd openvpn easy-rsa
    if [ -d /etc/openvpn ]; then
        rm -rf /etc/openvpn
    fi
    firewall_disable_vpn

    echo 0 > /proc/sys/net/ipv4/ip_forward
    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf

    remove_completion_param install_vpn

    # remove any client keys
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
            shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME
        fi
    done
}

function create_user_vpn_key {
    username=$1

    if [ ! -d /home/$username ]; then
        return
    fi

    echo $"Creating VPN key for $username"

    cd /etc/openvpn/easy-rsa
    echo '









y
y
' | ./build-key "$username"

    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
        echo $'VPN user cert not generated'
        exit 783528
    fi
    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
        echo $'VPN user key not generated'
        exit 682523
    fi

    user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME

    if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/client.conf ]; then
        echo $'No VPN client template found'
        exit 429823
    fi

    cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $user_vpn_cert_file
    sed -i "s|remote .*|remote $DEFAULT_DOMAIN_NAME 1194|g" $user_vpn_cert_file
    sed -i 's|;user nobody|user nobody|g' $user_vpn_cert_file
    sed -i 's|;group nogroup|group nogroup|g' $user_vpn_cert_file

    sed -i 's|ca ca.crt|;ca ca.crt|g' $user_vpn_cert_file
    sed -i 's|cert client.crt|;cert client.crt|g' $user_vpn_cert_file
    sed -i 's|key client.key|;key client.key|g' $user_vpn_cert_file

    echo '<ca>' >> $user_vpn_cert_file
    cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
    echo '</ca>' >> $user_vpn_cert_file

    echo '<cert>' >> $user_vpn_cert_file
    cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
    echo '</cert>' >> $user_vpn_cert_file

    echo '<key>' >> $user_vpn_cert_file
    cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
    echo '</key>' >> $user_vpn_cert_file

    chown $username:$username $user_vpn_cert_file

    rm /etc/openvpn/easy-rsa/keys/$username.crt
    shred -zu /etc/openvpn/easy-rsa/keys/$username.key

    echo $"VPN key created at $user_vpn_cert_file"
}

function add_user_vpn {
    new_username="$1"
    new_user_password="$2"

    create_user_vpn_key $new_username
}

function remove_user_vpn {
    new_username="$1"
}

function install_vpn {
    apt-get -yq install fastd openvpn easy-rsa

    if [ ! -f /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz ]; then
        echo $'Example openvpn server config not found'
        exit 783953
    fi
    gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
    sed -i "s|;push \"redirect-gateway|push \"redirect-gateway|g" /etc/openvpn/server.conf
    sed -i 's|;push "dhcp-option|push "dhcp-option|g' /etc/openvpn/server.conf
    sed -i 's|;user nobody|user nobody|g' /etc/openvpn/server.conf
    sed -i 's|;group nogroup|group nogroup|g' /etc/openvpn/server.conf
    echo 1 > /proc/sys/net/ipv4/ip_forward
    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' /etc/sysctl.conf
    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' /etc/sysctl.conf

    cp -r /usr/share/easy-rsa/ /etc/openvpn
    if [ ! -d /etc/openvpn/easy-rsa/keys ]; then
        mkdir /etc/openvpn/easy-rsa/keys
    fi

    sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" /etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" /etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" /etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" /etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" /etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" /etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" /etc/openvpn/easy-rsa/vars
    if [ ! -f /etc/openvpn/dh2048.pem ]; then
        openssl dhparam -out /etc/openvpn/dh2048.pem 2048
    fi
    cd /etc/openvpn/easy-rsa
    . ./vars
    ./clean-all
    vpn_openssl_version='1.0.0'
    if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
        echo $"openssl-${vpn_openssl_version}.cnf was not found"
        exit 7392353
    fi
    cp openssl-${vpn_openssl_version}.cnf openssl.cnf
    echo '







' | ./build-ca
    echo '









y
y
' | ./build-key-server $OPENVPN_SERVER_NAME
    if [ ! -f /etc/openvpn/easy-rsa/keys/$OPENVPN_SERVER_NAME.crt ]; then
        echo $'OpenVPN crt not found'
        exit 7823352
    fi
    if [ ! -f /etc/openvpn/easy-rsa/keys/$OPENVPN_SERVER_NAME.key ]; then
        echo $'OpenVPN key not found'
        exit 6839436
    fi
    if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
        echo $'OpenVPN ca not found'
        exit 7935203
    fi
    cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn

    create_user_vpn_key $MY_USERNAME

    firewall_enable_vpn
    systemctl start openvpn

    APP_INSTALLED=1
}

# NOTE: deliberately there is no "exit 0"