
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # VPN functions
  12. # https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
  13. # https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
  14. # http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php
  15. #
  16. # License
  17. # =======
  18. #
  19. # Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
  20. #
  21. # This program is free software: you can redistribute it and/or modify
  22. # it under the terms of the GNU Affero General Public License as published by
  23. # the Free Software Foundation, either version 3 of the License, or
  24. # (at your option) any later version.
  25. #
  26. # This program is distributed in the hope that it will be useful,
  27. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  28. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  29. # GNU Affero General Public License for more details.
  30. #
  31. # You should have received a copy of the GNU Affero General Public License
  32. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# Install variants in which this app is offered (space separated)
VARIANTS='full full-vim'
# Installer flags; by their names these keep the app out of the default
# install and off the About screen
IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=0

# Base name of the OpenVPN server certificate/key pair
OPENVPN_SERVER_NAME="server"
# Name of the per-user client profile written into each home directory
OPENVPN_KEY_FILENAME='client.ovpn'

# Subject fields for the stunnel certificate (see generate_stunnel_keys)
VPN_COUNTRY_CODE="US"
VPN_AREA="Apparent Free Speech Zone"
VPN_LOCATION="Freedomville"
VPN_ORGANISATION="Freedombone"
VPN_UNIT="Freedombone Unit"

# Local port the client-side stunnel listens on; the client profile
# points OpenVPN at localhost:$STUNNEL_PORT
STUNNEL_PORT=3439
# Port on which the server-side stunnel accepts TLS connections
VPN_TLS_PORT=553
# TLS port used instead when installing into a mesh image ($rootdir set)
VPN_MESH_TLS_PORT=653

# Config parameters this app reads from / writes to the config file
vpn_variables=(
  MY_EMAIL_ADDRESS
  DEFAULT_DOMAIN_NAME
  MY_USERNAME
  VPN_COUNTRY_CODE
  VPN_AREA
  VPN_LOCATION
  VPN_ORGANISATION
  VPN_UNIT
  VPN_TLS_PORT
)
  55. function logging_on_vpn {
  56. sed -i 's|status .*|status /var/log/openvpn.log|g' /etc/openvpn/server.conf
  57. systemctl restart openvpn
  58. }
  59. function logging_off_vpn {
  60. sed -i 's|status .*|status /dev/null|g' /etc/openvpn/server.conf
  61. systemctl restart openvpn
  62. }
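# Interactive install step: ask for the TLS port, validate it and persist it.
# Loops until an acceptable port is entered; exits the script on cancel.
# Globals: VPN_TLS_PORT (read/written), VPN_DETAILS_COMPLETE (written),
#          APP_INSTALLED (written)
function install_interactive_vpn {
  local data currtlsport sel tlsport
  read_config_param VPN_TLS_PORT
  if [ ! "$VPN_TLS_PORT" ]; then
    VPN_TLS_PORT=553
  fi
  VPN_DETAILS_COMPLETE=
  while [ ! "$VPN_DETAILS_COMPLETE" ]; do
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    # a port already written to temp.cfg is offered as the default
    currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')
    if [ "$currtlsport" ]; then
      VPN_TLS_PORT=$currtlsport
    fi
    dialog --backtitle $"Freedombone Configuration" \
      --title $"VPN Configuration" \
      --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
      $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \
      2> "$data"
    sel=$?
    case $sel in
      1) exit 1;;
      255) exit 1;;
    esac
    tlsport=$(sed -n 1p "$data")
    # Only a plain decimal port in 1..65535 is accepted. The value is later
    # substituted into sed expressions and written into stunnel.conf, and is
    # compared with -eq, so anything non-numeric must be rejected here rather
    # than merely screened for spaces and dots. 10# forces base 10 so that a
    # leading zero is not read as octal.
    if [[ "$tlsport" =~ ^[0-9]+$ ]] && (( 10#$tlsport >= 1 && 10#$tlsport <= 65535 )); then
      VPN_TLS_PORT="$tlsport"
      VPN_DETAILS_COMPLETE="yes"
      write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
    fi
  done
  clear
  APP_INSTALLED=1
}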
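# Control panel action: change the port the server-side stunnel accepts
# TLS on. Rewrites the server and client stunnel configs, refreshes every
# user's copy of the client config, moves the firewall rule and toggles
# nginx (it and stunnel cannot both own port 443).
# Globals: VPN_TLS_PORT (read/written)
function vpn_change_tls_port {
  local existing_port=$VPN_TLS_PORT
  local data sel tlsport d account
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title $"VPN Configuration" \
    --backtitle $"Freedombone Control Panel" \
    --inputbox $'Change TLS port' 10 50 "$VPN_TLS_PORT" 2>"$data"
  sel=$?
  case $sel in
    0)
      tlsport=$(<"$data")
      # Accept only a decimal port in 1..65535: the value is substituted into
      # sed expressions and stunnel.conf, and -eq below would abort on a
      # non-numeric string. 10# avoids octal interpretation of a leading zero.
      if ! [[ "$tlsport" =~ ^[0-9]+$ ]] || (( 10#$tlsport < 1 || 10#$tlsport > 65535 )); then
        return
      fi
      if [[ "$tlsport" != "$existing_port" ]]; then
        clear
        VPN_TLS_PORT=$tlsport
        write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
        # server side listens on the new port
        sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
        # client side: 'accept' is the local STUNNEL_PORT and must stay as it
        # is (the client profile connects to it); only the host:port in
        # 'connect' refers to the TLS port, so update the port part of that
        sed -i "s|\(connect = .*\):.*|\1:$VPN_TLS_PORT|" /etc/stunnel/stunnel-client.conf
        for d in /home/*/ ; do
          account=$(basename "$d")
          if [ -f "/home/$account/stunnel-client.conf" ]; then
            cp /etc/stunnel/stunnel-client.conf "/home/$account/stunnel-client.conf"
            chown "$account:$account" "/home/$account/stunnel-client.conf"
          fi
        done
        # keep the firewall in step with the port, mirroring install/remove:
        # 443 is never opened or closed here because nginx owns that rule
        if [ "$existing_port" -ne 443 ]; then
          firewall_remove VPN-TLS "$existing_port"
        fi
        if [ "$VPN_TLS_PORT" -ne 443 ]; then
          firewall_add VPN-TLS "$VPN_TLS_PORT" tcp
        fi
        if [ "$VPN_TLS_PORT" -eq 443 ]; then
          systemctl stop nginx
          systemctl disable nginx
        else
          systemctl enable nginx
          systemctl restart nginx
        fi
        systemctl restart stunnel
        dialog --title $"VPN Configuration" \
          --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60
      fi
      ;;
  esac
}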
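# Control panel action: ask for a username and regenerate that user's
# OpenVPN client certificate/key and profile.
function vpn_regenerate_client_keys {
  local data sel account
  data=$(tempfile 2>/dev/null)
  trap "rm -f $data" 0 1 2 5 15
  dialog --title $"Regenerate VPN keys for a user" \
    --backtitle $"Freedombone Control Panel" \
    --inputbox $'username' 10 50 2>"$data"
  sel=$?
  case $sel in
    0)
      account=$(<"$data")
      # Accept only a plain account name. The value is used to build
      # /home/<name> paths and passed to chown by create_user_vpn_key, so
      # '/', '..' or whitespace must never get through; a bare -d test would
      # let e.g. '../root' pass.
      if [[ "$account" =~ ^[a-z_][a-z0-9_-]*$ ]] && [ -d "/home/$account" ]; then
        clear
        create_user_vpn_key "$account"
        dialog --title $"Regenerate VPN keys for a user" \
          --msgbox $"VPN keys were regenerated for $account" 6 60
      fi
      ;;
  esac
}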
# Control panel menu for the VPN app. Offers the port change and key
# regeneration actions and loops until Exit (or the dialog is cancelled).
# Globals: VPN_TLS_PORT (read, via read_config_param)
function configure_interactive_vpn {
  local data choice
  read_config_param VPN_TLS_PORT
  while true; do
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --backtitle $"Freedombone Control Panel" \
      --title $"VPN Configuration" \
      --radiolist $"Choose an operation:" 13 70 3 \
      1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
      2 $"Regenerate keys for a user" off \
      3 $"Exit" on 2> "$data"
    # 1 = Cancel, 255 = Esc/error: leave the menu altogether
    case $? in
      1|255) return;;
    esac
    choice=$(<"$data")
    case "$choice" in
      1) vpn_change_tls_port;;
      2) vpn_regenerate_client_keys;;
      3) break;;
    esac
  done
}
  184. function reconfigure_vpn {
  185. echo -n ''
  186. }
  187. function upgrade_vpn {
  188. echo -n ''
  189. }
# Back up the VPN to USB: every user's client profile is first copied next
# to the server keys so that one directory backup captures them all, then
# the easy-rsa keys and the stunnel directory are backed up.
# Globals: OPENVPN_KEY_FILENAME (read)
function backup_local_vpn {
  local keys_dir=/etc/openvpn/easy-rsa/keys
  local home_dir account profile
  for home_dir in /home/*/; do
    account=$(basename "$home_dir")
    profile=/home/$account/$OPENVPN_KEY_FILENAME
    if [ -f "$profile" ]; then
      cp "$profile" "$keys_dir/${account}_${OPENVPN_KEY_FILENAME}"
    fi
  done
  function_check backup_directory_to_usb
  backup_directory_to_usb "$keys_dir" vpn
  backup_directory_to_usb /etc/stunnel vpnstunnel
}
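# Restore the VPN from USB: easy-rsa keys and server cert/key/dh files, then
# each user's client profile, then the stunnel directory and the per-user
# copies of stunnel.pem / stunnel.p12.
# Globals: OPENVPN_KEY_FILENAME, OPENVPN_SERVER_NAME (read),
#          temp_restore_dir (written)
function restore_local_vpn {
  local keys_dir=/etc/openvpn/easy-rsa/keys
  local d account profile f
  temp_restore_dir=/root/tempvpn
  restore_directory_from_usb "$temp_restore_dir" vpn
  if [ -d "$temp_restore_dir" ]; then
    # the keys directory may not exist yet on a freshly installed system,
    # in which case cp -r would fail (or create a file of that name)
    mkdir -p "$keys_dir"
    cp -r "$temp_restore_dir"/* "$keys_dir"
    cp -r "$temp_restore_dir"/"${OPENVPN_SERVER_NAME}"* /etc/openvpn/
    cp -r "$temp_restore_dir"/dh* /etc/openvpn/
    rm -rf "$temp_restore_dir"
    for d in /home/*/; do
      account=$(basename "$d")
      profile=/home/$account/$OPENVPN_KEY_FILENAME
      if [ -f "$keys_dir/${account}_${OPENVPN_KEY_FILENAME}" ]; then
        cp "$keys_dir/${account}_${OPENVPN_KEY_FILENAME}" "$profile"
        chown "$account:$account" "$profile"
        # the profile embeds the user's private key (see create_user_vpn_key);
        # the restored copy must not end up world-readable
        chmod 600 "$profile"
      fi
    done
  fi
  temp_restore_dir=/root/tempvpnstunnel
  restore_directory_from_usb "$temp_restore_dir" vpnstunnel
  if [ -d "$temp_restore_dir" ]; then
    cp -r "$temp_restore_dir"/* /etc/stunnel
    rm -rf "$temp_restore_dir"
    for d in /home/*/; do
      account=$(basename "$d")
      for f in stunnel.pem stunnel.p12; do
        if [ -f "/home/$account/$f" ]; then
          cp "/etc/stunnel/$f" "/home/$account/$f"
          chown "$account:$account" "/home/$account/$f"
        fi
      done
    done
  fi
}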
# Back up the VPN to a friend's server: every user's client profile is first
# copied next to the server keys so that one directory backup captures them
# all, then the easy-rsa keys and the stunnel directory are sent.
# Globals: OPENVPN_KEY_FILENAME (read)
function backup_remote_vpn {
  local keys_dir=/etc/openvpn/easy-rsa/keys
  local home_dir account profile
  for home_dir in /home/*/; do
    account=$(basename "$home_dir")
    profile=/home/$account/$OPENVPN_KEY_FILENAME
    if [ -f "$profile" ]; then
      cp "$profile" "$keys_dir/${account}_${OPENVPN_KEY_FILENAME}"
    fi
  done
  function_check backup_directory_to_friend
  backup_directory_to_friend "$keys_dir" vpn
  backup_directory_to_friend /etc/stunnel vpnstunnel
}
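# Restore the VPN from a friend's server: easy-rsa keys and server
# cert/key/dh files, then each user's client profile, then the stunnel
# directory and the per-user copies of stunnel.pem / stunnel.p12.
# Globals: OPENVPN_KEY_FILENAME, OPENVPN_SERVER_NAME (read),
#          temp_restore_dir (written)
function restore_remote_vpn {
  local keys_dir=/etc/openvpn/easy-rsa/keys
  local d account profile f
  temp_restore_dir=/root/tempvpn
  restore_directory_from_friend "$temp_restore_dir" vpn
  if [ -d "$temp_restore_dir" ]; then
    # the keys directory may not exist yet on a freshly installed system,
    # in which case cp -r would fail (or create a file of that name)
    mkdir -p "$keys_dir"
    cp -r "$temp_restore_dir"/* "$keys_dir"
    cp -r "$temp_restore_dir"/"${OPENVPN_SERVER_NAME}"* /etc/openvpn/
    cp -r "$temp_restore_dir"/dh* /etc/openvpn/
    rm -rf "$temp_restore_dir"
    for d in /home/*/; do
      account=$(basename "$d")
      profile=/home/$account/$OPENVPN_KEY_FILENAME
      if [ -f "$keys_dir/${account}_${OPENVPN_KEY_FILENAME}" ]; then
        cp "$keys_dir/${account}_${OPENVPN_KEY_FILENAME}" "$profile"
        chown "$account:$account" "$profile"
        # the profile embeds the user's private key (see create_user_vpn_key);
        # the restored copy must not end up world-readable
        chmod 600 "$profile"
      fi
    done
  fi
  temp_restore_dir=/root/tempvpnstunnel
  restore_directory_from_friend "$temp_restore_dir" vpnstunnel
  if [ -d "$temp_restore_dir" ]; then
    cp -r "$temp_restore_dir"/* /etc/stunnel
    rm -rf "$temp_restore_dir"
    for d in /home/*/; do
      account=$(basename "$d")
      for f in stunnel.pem stunnel.p12; do
        if [ -f "/home/$account/$f" ]; then
          cp "/etc/stunnel/$f" "/home/$account/$f"
          chown "$account:$account" "/home/$account/$f"
        fi
      done
    done
  fi
}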
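# Uninstall the VPN: stop and remove stunnel and OpenVPN, undo the firewall
# and ip_forward changes, give port 443 back to nginx if it was taken, and
# destroy all client credentials left in user home directories.
# Globals: VPN_TLS_PORT, OPENVPN_KEY_FILENAME (read)
function remove_vpn {
  local d account f
  systemctl stop stunnel
  systemctl disable stunnel
  rm -f /etc/systemd/system/stunnel.service
  # forget the unit we just deleted
  systemctl daemon-reload
  systemctl stop openvpn
  if [ "$VPN_TLS_PORT" -ne 443 ]; then
    firewall_remove VPN-TLS "$VPN_TLS_PORT"
  else
    # port 443 was taken away from nginx at install time
    systemctl enable nginx
    systemctl restart nginx
  fi
  apt-get -yq remove --purge fastd openvpn easy-rsa
  apt-get -yq remove stunnel4
  if [ -d /etc/openvpn ]; then
    rm -rf /etc/openvpn
  fi
  firewall_disable_vpn
  echo 0 > /proc/sys/net/ipv4/ip_forward
  sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf
  remove_completion_param install_vpn
  # Remove client credentials. The .ovpn profile embeds the user's private
  # key and stunnel.pem/.p12 contain the stunnel private key (see
  # generate_stunnel_keys), so overwrite them rather than just unlinking.
  for d in /home/*/ ; do
    account=$(basename "$d")
    for f in "/home/$account/$OPENVPN_KEY_FILENAME" \
             "/home/$account/stunnel.pem" \
             "/home/$account/stunnel.p12"; do
      if [ -f "$f" ]; then
        shred -zu "$f"
      fi
    done
    # stunnel-client.conf and anything else; -f so a missing file is not an error
    rm -f "/home/$account"/stunnel*
  done
  userdel -f vpn
  groupdel -f vpn
  if [ -d /etc/stunnel ]; then
    rm -rf /etc/stunnel
  fi
}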
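# Create (or recreate) an OpenVPN client certificate/key for a user and write
# a self-contained client profile, with CA cert, user cert and user key
# embedded, into the user's home directory. A copy of the profile is kept in
# the easy-rsa keys directory; the loose .key file is shredded afterwards.
# Arguments: $1 - account name (must have a home directory)
# Globals:   OPENVPN_KEY_FILENAME, STUNNEL_PORT, DEFAULT_DOMAIN_NAME (read)
# Exits the script when easy-rsa fails to produce a cert or key.
function create_user_vpn_key {
  local username=$1
  local keys_dir=/etc/openvpn/easy-rsa/keys
  local user_cert user_key user_vpn_cert_file
  if [ ! -d "/home/$username" ]; then
    return
  fi
  echo $"Creating VPN key for $username"
  # the easy-rsa helpers are run relative to their directory; do not carry on
  # (and run build-key from some other cwd) if it is missing
  cd /etc/openvpn/easy-rsa || exit 1
  # start clean so that stale files are not mistaken for freshly built ones
  rm -f "$keys_dir/$username.crt" "$keys_dir/$username.key" "$keys_dir/$username.csr"
  # make the helper non-interactive
  sed -i 's| --interact||g' build-key
  ./build-key "$username"
  if [ ! -f "$keys_dir/$username.crt" ]; then
    echo $'VPN user cert not generated'
    exit 783528
  fi
  user_cert=$(cat "$keys_dir/$username.crt")
  if [ ${#user_cert} -lt 10 ]; then
    cat "$keys_dir/$username.crt"
    echo $'User cert generation failed'
    exit 634659
  fi
  if [ ! -f "$keys_dir/$username.key" ]; then
    echo $'VPN user key not generated'
    exit 682523
  fi
  user_key=$(cat "$keys_dir/$username.key")
  if [ ${#user_key} -lt 10 ]; then
    cat "$keys_dir/$username.key"
    echo $'User key generation failed'
    exit 285838
  fi
  user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
  # The profile embeds the private key. Create it owner-only before any
  # content is written instead of relying on root's umask, which would
  # otherwise leave the key world-readable.
  : > "$user_vpn_cert_file"
  chmod 600 "$user_vpn_cert_file"
  # OpenVPN connects to the local stunnel client (STUNNEL_PORT), which
  # carries the traffic to the server over TLS; the 'route' line keeps the
  # server itself reachable outside the tunnel once the gateway is redirected
  cat >> "$user_vpn_cert_file" <<EOF
client
dev tun
proto tcp
remote localhost $STUNNEL_PORT
route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-nocache
remote-cert-tls server
comp-lzo
verb 3

<ca>
EOF
  cat /etc/openvpn/ca.crt >> "$user_vpn_cert_file"
  echo '</ca>' >> "$user_vpn_cert_file"
  echo '<cert>' >> "$user_vpn_cert_file"
  cat "$keys_dir/$username.crt" >> "$user_vpn_cert_file"
  echo '</cert>' >> "$user_vpn_cert_file"
  echo '<key>' >> "$user_vpn_cert_file"
  cat "$keys_dir/$username.key" >> "$user_vpn_cert_file"
  echo '</key>' >> "$user_vpn_cert_file"
  chown "$username:$username" "$user_vpn_cert_file"
  # keep a backup (cp carries the 600 mode over)
  cp "$user_vpn_cert_file" "$keys_dir/$username.ovpn"
  #rm /etc/openvpn/easy-rsa/keys/$username.crt
  #rm /etc/openvpn/easy-rsa/keys/$username.csr
  # the key now lives only inside the profile(s)
  shred -zu "$keys_dir/$username.key"
  echo $"VPN key created at $user_vpn_cert_file"
}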
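# Hook run when a user account is added: create the user's OpenVPN client
# profile and give them copies of the stunnel credentials and client config.
# Arguments: $1 - account name
#            $2 - account password (not used by this app)
# Globals:   new_username, new_user_password (written)
function add_user_vpn {
  new_username="$1"
  new_user_password="$2"
  local home_dir=/home/$new_username
  local f
  # without a home directory there is nowhere to put the files and every cp
  # below would fail; create_user_vpn_key bails out the same way
  if [ ! -d "$home_dir" ]; then
    return
  fi
  create_user_vpn_key "$new_username"
  # stunnel-client.conf is guarded with -f like the other two so that a
  # missing file does not surface as a cp error
  for f in stunnel.pem stunnel.p12 stunnel-client.conf; do
    if [ -f "/etc/stunnel/$f" ]; then
      cp "/etc/stunnel/$f" "$home_dir/$f"
      chown "$new_username:$new_username" "$home_dir/$f"
    fi
  done
}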
  402. function remove_user_vpn {
  403. new_username="$1"
  404. }
# Finish VPN setup on a mesh node: generate the OpenVPN keys, open the TLS
# port (unless it is 443, which is handled via nginx as in install_vpn),
# generate the stunnel credentials and restart OpenVPN.
# Globals: VPN_TLS_PORT (read)
function mesh_setup_vpn {
  vpn_generate_keys
  [ "${VPN_TLS_PORT}" -ne 443 ] && firewall_add VPN-TLS "${VPN_TLS_PORT}" tcp
  generate_stunnel_keys
  systemctl restart openvpn
}
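# Generate the stunnel server certificate and key, the combined stunnel.pem
# (key + cert) used by both ends, and a PKCS#12 bundle for client devices,
# then hand copies of stunnel.pem / stunnel.p12 to the admin user.
# Globals: VPN_ORGANISATION, VPN_UNIT, VPN_COUNTRY_CODE, VPN_AREA,
#          VPN_LOCATION, HOSTNAME, MY_USERNAME (read)
# Exits the script if any of the files is not produced.
function generate_stunnel_keys {
  local stunnel_dir=/etc/stunnel
  local user_home=/home/$MY_USERNAME
  openssl req -x509 -nodes -days 3650 -sha256 \
    -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
    -newkey rsa:2048 -keyout "$stunnel_dir/key.pem" \
    -out "$stunnel_dir/cert.pem"
  if [ ! -f "$stunnel_dir/key.pem" ]; then
    echo $'stunnel key not created'
    exit 793530
  fi
  if [ ! -f "$stunnel_dir/cert.pem" ]; then
    echo $'stunnel cert not created'
    exit 204587
  fi
  chmod 400 "$stunnel_dir/key.pem"
  chmod 640 "$stunnel_dir/cert.pem"
  # Combined key+cert file for stunnel. Truncate rather than append: this
  # function is run again from mesh_setup_vpn and on reinstall, and appending
  # would leave stale key/cert pairs accumulating in the file.
  cat "$stunnel_dir/key.pem" "$stunnel_dir/cert.pem" > "$stunnel_dir/stunnel.pem"
  chmod 640 "$stunnel_dir/stunnel.pem"
  # PKCS#12 bundle for client devices. It is exported with an empty password
  # (-passout pass:), so the private key inside it is protected by file
  # permissions alone.
  openssl pkcs12 -export -out "$stunnel_dir/stunnel.p12" -inkey "$stunnel_dir/key.pem" -in "$stunnel_dir/cert.pem" -passout pass:
  if [ ! -f "$stunnel_dir/stunnel.p12" ]; then
    echo $'stunnel pkcs12 not created'
    exit 639353
  fi
  chmod 640 "$stunnel_dir/stunnel.p12"
  cp "$stunnel_dir/stunnel.pem" "$user_home/stunnel.pem"
  cp "$stunnel_dir/stunnel.p12" "$user_home/stunnel.p12"
  # chown the files where they were just copied to. The previous
  # $prefix$userhome path only works when called from install_stunnel, which
  # sets those variables; from mesh_setup_vpn they are empty.
  chown "$MY_USERNAME:$MY_USERNAME" "$user_home"/stunnel*
}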
# Install and configure stunnel as the TLS wrapper around OpenVPN. Writes the
# server config (accept TLS on VPN_TLS_PORT, forward to localhost:1194), the
# client config handed to users, and a systemd unit. When $rootdir is set the
# files are written into that image root and no services are started.
# Globals: rootdir, MY_USERNAME, STUNNEL_PORT, DEFAULT_DOMAIN_NAME,
#          VPN_MESH_TLS_PORT (read); prefix, prefixchroot, userhome,
#          VPN_TLS_PORT (written)
function install_stunnel {
  local stunnel_conf client_conf unit_file
  prefix=
  prefixchroot=
  userhome=/home/$MY_USERNAME
  # populating a mesh image rather than the live system
  if [ "$rootdir" ]; then
    prefix=$rootdir
    prefixchroot="chroot $rootdir"
    VPN_TLS_PORT=$VPN_MESH_TLS_PORT
  fi
  $prefixchroot apt-get -yq install stunnel4
  if [ ! "$prefix" ]; then
    cd /etc/stunnel
    generate_stunnel_keys
  fi
  stunnel_conf=$prefix/etc/stunnel/stunnel.conf
  client_conf=$prefix/etc/stunnel/stunnel-client.conf
  unit_file=$prefix/etc/systemd/system/stunnel.service
  cat > "$stunnel_conf" <<EOF
chroot = /var/lib/stunnel4
pid = /stunnel4.pid
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
cert = /etc/stunnel/stunnel.pem
[openvpn]
accept = $VPN_TLS_PORT
connect = localhost:1194
cert = /etc/stunnel/stunnel.pem
EOF
  sed -i 's|ENABLED=.*|ENABLED=1|g' "$prefix/etc/default/stunnel4"
  # client side: listen locally on STUNNEL_PORT, connect out to the server's
  # TLS port
  cat > "$client_conf" <<EOF
[openvpn]
client = yes
accept = $STUNNEL_PORT
connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT
cert = stunnel.pem
EOF
  cat > "$unit_file" <<EOF
[Unit]
Description=SSL tunnel for network daemons
Documentation=man:stunnel https://www.stunnel.org/docs.html
DefaultDependencies=no
After=network.target
After=syslog.target

[Install]
WantedBy=multi-user.target
Alias=stunnel.target

[Service]
Type=forking
RuntimeDirectory=stunnel
EnvironmentFile=-/etc/stunnel/stunnel.conf
ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf
ExecStop=/usr/bin/killall -9 stunnel
RemainAfterExit=yes
EOF
  if [ ! "$prefix" ]; then
    # stunnel and nginx cannot both listen on 443
    if [ "$VPN_TLS_PORT" -eq 443 ]; then
      systemctl stop nginx
      systemctl disable nginx
    else
      systemctl enable nginx
      systemctl restart nginx
    fi
    systemctl enable stunnel
    systemctl daemon-reload
    systemctl start stunnel
  fi
  cp "$client_conf" "$prefix$userhome/stunnel-client.conf"
  chown "$MY_USERNAME:$MY_USERNAME" "$prefix$userhome"/stunnel*
}
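# Generate the OpenVPN PKI with easy-rsa: DH parameters, the CA, and the
# server certificate/key, then install them into /etc/openvpn and create the
# admin user's client key.
# Globals: PROJECT_NAME, OPENVPN_SERVER_NAME, MY_USERNAME (read)
# Exits the script if any expected file is not produced.
function vpn_generate_keys {
  local keys_dir=/etc/openvpn/easy-rsa/keys
  local vpn_openssl_version='1.0.0'
  local server_cert
  # generate host keys
  if [ ! -f /etc/openvpn/dh2048.pem ]; then
    "${PROJECT_NAME}-dhparam" -o /etc/openvpn/dh2048.pem
  fi
  if [ ! -f /etc/openvpn/dh2048.pem ]; then
    echo $'vpn dhparams were not generated'
    exit 73724523
  fi
  cp /etc/openvpn/dh2048.pem "$keys_dir/dh2048.pem"
  # Everything below runs the easy-rsa scripts relative to their directory.
  # Stop here if it is missing rather than source ./vars and run ./clean-all
  # from whatever the current directory happens to be.
  cd /etc/openvpn/easy-rsa || exit 1
  . ./vars
  ./clean-all
  if [ ! -f "openssl-${vpn_openssl_version}.cnf" ]; then
    echo $"openssl-${vpn_openssl_version}.cnf was not found"
    exit 7392353
  fi
  cp "openssl-${vpn_openssl_version}.cnf" openssl.cnf
  # start clean so that stale server files are not mistaken for new ones
  rm -f "$keys_dir/${OPENVPN_SERVER_NAME}.crt" \
        "$keys_dir/${OPENVPN_SERVER_NAME}.key" \
        "$keys_dir/${OPENVPN_SERVER_NAME}.csr"
  # make the helpers non-interactive
  sed -i 's| --interact||g' build-key-server
  sed -i 's| --interact||g' build-ca
  ./build-ca
  ./build-key-server "${OPENVPN_SERVER_NAME}"
  if [ ! -f "$keys_dir/${OPENVPN_SERVER_NAME}.crt" ]; then
    echo $'OpenVPN crt not found'
    exit 7823352
  fi
  server_cert=$(cat "$keys_dir/${OPENVPN_SERVER_NAME}.crt")
  if [ ${#server_cert} -lt 10 ]; then
    cat "$keys_dir/${OPENVPN_SERVER_NAME}.crt"
    echo $'Server cert generation failed'
    exit 3284682
  fi
  if [ ! -f "$keys_dir/${OPENVPN_SERVER_NAME}.key" ]; then
    echo $'OpenVPN key not found'
    exit 6839436
  fi
  if [ ! -f "$keys_dir/ca.key" ]; then
    echo $'OpenVPN ca not found'
    exit 7935203
  fi
  # these are the paths server.conf (see install_vpn) refers to
  cp "$keys_dir/${OPENVPN_SERVER_NAME}.crt" \
     "$keys_dir/${OPENVPN_SERVER_NAME}.key" \
     "$keys_dir/ca.crt" /etc/openvpn
  create_user_vpn_key "${MY_USERNAME}"
}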
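# Install OpenVPN (plus easy-rsa and fastd): write server.conf, enable IP
# forwarding, set up the easy-rsa working copy with this installation's
# certificate subject fields, then (on a live system) generate keys, open the
# firewall, start OpenVPN and install stunnel in front of it. With $rootdir
# set the files are written into that image root and nothing is started.
# Globals: rootdir, VPN_MESH_TLS_PORT, PROJECT_NAME, MY_EMAIL_ADDRESS,
#          OPENVPN_SERVER_NAME, VPN_COUNTRY_CODE, VPN_AREA, VPN_LOCATION,
#          VPN_ORGANISATION, VPN_UNIT (read); prefix, prefixchroot,
#          VPN_TLS_PORT, APP_INSTALLED (written)
function install_vpn {
  local server_conf vars_file
  prefix=
  prefixchroot=
  # populating a mesh image rather than the live system
  if [ "$rootdir" ]; then
    prefix=$rootdir
    prefixchroot="chroot $rootdir"
    VPN_TLS_PORT=$VPN_MESH_TLS_PORT
  fi
  $prefixchroot apt-get -yq install fastd openvpn easy-rsa
  $prefixchroot groupadd vpn
  $prefixchroot useradd -r -s /bin/false -g vpn vpn
  server_conf=$prefix/etc/openvpn/server.conf
  vars_file=$prefix/etc/openvpn/easy-rsa/vars
  # server configuration. OpenVPN only listens on localhost-facing 1194;
  # stunnel terminates TLS in front of it. Clients get the default route and
  # the two DNS servers pushed to them.
  cat > "$server_conf" <<EOF
port 1194
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 85.214.73.63"
push "dhcp-option DNS 213.73.91.35"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status /dev/null
verb 3

EOF
  # forwarding is needed for clients to reach anything beyond the server;
  # only the sysctl file can be written when building an image
  if [ ! "$prefix" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
  fi
  sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' "$prefix/etc/sysctl.conf"
  sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' "$prefix/etc/sysctl.conf"
  sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' "$prefix/etc/sysctl.conf"
  cp -r "$prefix/usr/share/easy-rsa/" "$prefix/etc/openvpn"
  mkdir -p "$prefix/etc/openvpn/easy-rsa/keys"
  # keys configuration: use the same subject fields as the stunnel
  # certificate (VPN_* variables declared at the top of this file) instead
  # of the hard-coded "US"/"TX"/"Dallas"/"MoonUnit" placeholders
  sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"$VPN_COUNTRY_CODE\"|g" "$vars_file"
  sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"$VPN_AREA\"|g" "$vars_file"
  sed -i "s|export KEY_CITY.*|export KEY_CITY=\"$VPN_LOCATION\"|g" "$vars_file"
  sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$VPN_ORGANISATION\"|g" "$vars_file"
  sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" "$vars_file"
  sed -i "s|export KEY_OU=.*|export KEY_OU=\"$VPN_UNIT\"|g" "$vars_file"
  sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" "$vars_file"
  if [ ! "$prefix" ]; then
    vpn_generate_keys
    firewall_enable_vpn
    # 443 is nginx's rule; stunnel takes that port over in install_stunnel
    if [ "${VPN_TLS_PORT}" -ne 443 ]; then
      firewall_add VPN-TLS "${VPN_TLS_PORT}" tcp
    fi
    systemctl start openvpn
  fi
  install_stunnel
  if [ ! "$prefix" ]; then
    systemctl restart openvpn
  fi
  APP_INSTALLED=1
}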
  622. # NOTE: deliberately there is no "exit 0"