freedombone/src/freedombone-app-vpn

#!/bin/bash
#
# .---.                  .              .
# |                      |              |
# |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.
# |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'
# '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'
#
#                    Freedom in the Cloud
#
# VPN functions
# https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-debian-8
# https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/
# http://www.farrellf.com/projects/software/2016-05-04_Running_a_VPN_Server_with_OpenVPN_and_Stunnel/index_.php
#
# License
# =======
#
# Copyright (C) 2014-2017 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

VARIANTS='full full-vim'

IN_DEFAULT_INSTALL=0
SHOW_ON_ABOUT=0

OPENVPN_SERVER_NAME="server"
OPENVPN_KEY_FILENAME='client.ovpn'

VPN_COUNTRY_CODE="US"
VPN_AREA="Apparent Free Speech Zone"
VPN_LOCATION="Freedomville"
VPN_ORGANISATION="Freedombone"
VPN_UNIT="Freedombone Unit"
STUNNEL_PORT=3439
VPN_TLS_PORT=553
VPN_MESH_TLS_PORT=653

vpn_variables=(MY_EMAIL_ADDRESS
               DEFAULT_DOMAIN_NAME
               MY_USERNAME
               VPN_COUNTRY_CODE
               VPN_AREA
               VPN_LOCATION
               VPN_ORGANISATION
               VPN_UNIT
               VPN_TLS_PORT)

function logging_on_vpn {
    sed -i 's|status .*|status /var/log/openvpn.log|g' /etc/openvpn/server.conf
    systemctl restart openvpn
}

function logging_off_vpn {
    sed -i 's|status .*|status /dev/null|g' /etc/openvpn/server.conf
    systemctl restart openvpn
}

function install_interactive_vpn {
    read_config_param VPN_TLS_PORT
    if [ ! $VPN_TLS_PORT ]; then
        VPN_TLS_PORT=553
    fi
    VPN_DETAILS_COMPLETE=
    while [ ! $VPN_DETAILS_COMPLETE ]
    do
        data=$(tempfile 2>/dev/null)
        trap "rm -f $data" 0 1 2 5 15
        currtlsport=$(grep 'VPN_TLS_PORT' temp.cfg | awk -F '=' '{print $2}')
        if [ $currtlsport ]; then
            VPN_TLS_PORT=$currtlsport
        fi
        dialog --backtitle $"Freedombone Configuration" \
               --title $"VPN Configuration" \
               --form $"\nPlease enter your VPN details. Changing the port to 443 will help defend against censorship but will prevent other web apps from running." 12 65 1 \
               $"TLS port:" 1 1 "$VPN_TLS_PORT" 1 12 5 5 \
               2> $data
        sel=$?
        case $sel in
            1) exit 1;;
            255) exit 1;;
        esac
        tlsport=$(cat $data | sed -n 1p)
        if [ ${#tlsport} -gt 1 ]; then
            if [[ "$tlsport" != *' '* && "$tlsport" != *'.'* ]]; then
                VPN_TLS_PORT="$tlsport"
                VPN_DETAILS_COMPLETE="yes"
                write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
            fi
        fi
    done
    clear
    APP_INSTALLED=1
}

function vpn_change_tls_port {
    EXISTING_VPN_TLS_PORT=$VPN_TLS_PORT

    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"VPN Configuration" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $'Change TLS port' 10 50 $VPN_TLS_PORT 2>$data
    sel=$?
    case $sel in
        0)
            tlsport=$(<$data)
            if [ ${#tlsport} -gt 0 ]; then
                if [[ "$tlsport" != "$EXISTING_VPN_TLS_PORT" ]]; then
                    clear
                    VPN_TLS_PORT=$tlsport
                    write_config_param "VPN_TLS_PORT" "$VPN_TLS_PORT"
                    sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel.conf
                    sed -i "s|accept =.*|accept = $VPN_TLS_PORT|g" /etc/stunnel/stunnel-client.conf

                    for d in /home/*/ ; do
                        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
                        if [ -f /home/$USERNAME/stunnel-client.conf ]; then
                            cp /etc/stunnel/stunnel-client.conf /home/$USERNAME/stunnel-client.conf
                            chown $USERNAME:$USERNAME /home/$USERNAME/stunnel-client.conf
                        fi
                    done

                    if [ $VPN_TLS_PORT -eq 443 ]; then
                        systemctl stop nginx
                        systemctl disable nginx
                    else
                        systemctl enable nginx
                        systemctl restart nginx
                    fi

                    systemctl restart stunnel

                    dialog --title $"VPN Configuration" \
                           --msgbox $"TLS port changed to $VPN_TLS_PORT" 6 60
                fi
            fi
            ;;
    esac
}

function vpn_regenerate_client_keys {
    data=$(tempfile 2>/dev/null)
    trap "rm -f $data" 0 1 2 5 15
    dialog --title $"Regenerate VPN keys for a user" \
           --backtitle $"Freedombone Control Panel" \
           --inputbox $'username' 10 50 2>$data
    sel=$?
    case $sel in
        0)
            USERNAME=$(<$data)
            if [ ${#USERNAME} -gt 0 ]; then
                if [ -d /home/$USERNAME ]; then
                    clear
                    create_user_vpn_key $USERNAME
                    dialog --title $"Regenerate VPN keys for a user" \
                           --msgbox $"VPN keys were regenerated for $USERNAME" 6 60
                fi
            fi
            ;;
    esac
}

function configure_interactive_vpn {
    read_config_param VPN_TLS_PORT
    while true
    do
        data=$(tempfile 2>/dev/null)
        trap "rm -f $data" 0 1 2 5 15
        dialog --backtitle $"Freedombone Control Panel" \
               --title $"VPN Configuration" \
               --radiolist $"Choose an operation:" 13 70 3 \
               1 $"Change TLS port (currently $VPN_TLS_PORT)" off \
               2 $"Regenerate keys for a user" off \
               3 $"Exit" on 2> $data
        sel=$?
        case $sel in
            1) return;;
            255) return;;
        esac
        case $(cat $data) in
            1) vpn_change_tls_port;;
            2) vpn_regenerate_client_keys;;
            3) break;;
        esac
    done
}

function reconfigure_vpn {
    echo -n ''
}

function upgrade_vpn {
    echo -n ''
}

function backup_local_vpn {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
            cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
        fi
    done

    function_check backup_directory_to_usb
    backup_directory_to_usb /etc/openvpn/easy-rsa/keys vpn
    backup_directory_to_usb /etc/stunnel vpnstunnel
}

function restore_local_vpn {
    temp_restore_dir=/root/tempvpn
    restore_directory_from_usb $temp_restore_dir vpn
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
        cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
        cp -r ${temp_restore_dir}/dh* /etc/openvpn/
        rm -rf ${temp_restore_dir}

        for d in /home/*/ ; do
            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
            if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
                cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
                chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
            fi
        done
    fi
    temp_restore_dir=/root/tempvpnstunnel
    restore_directory_from_usb $temp_restore_dir vpnstunnel
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/stunnel
        rm -rf ${temp_restore_dir}
        for d in /home/*/ ; do
            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
            if [ -f /home/$USERNAME/stunnel.pem ]; then
                cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
            fi
            if [ -f /home/$USERNAME/stunnel.p12 ]; then
                cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
            fi
        done
    fi
}

function backup_remote_vpn {
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
            cp /home/$USERNAME/$OPENVPN_KEY_FILENAME /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME}
        fi
    done

    function_check backup_directory_to_friend
    backup_directory_to_friend /etc/openvpn/easy-rsa/keys vpn
    backup_directory_to_friend /etc/stunnel vpnstunnel
}

function restore_remote_vpn {
    temp_restore_dir=/root/tempvpn
    restore_directory_from_friend $temp_restore_dir vpn
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/openvpn/easy-rsa/keys
        cp -r ${temp_restore_dir}/${OPENVPN_SERVER_NAME}* /etc/openvpn/
        cp -r ${temp_restore_dir}/dh* /etc/openvpn/
        rm -rf ${temp_restore_dir}

        for d in /home/*/ ; do
            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
            if [ -f /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} ]; then
                cp /etc/openvpn/easy-rsa/keys/${USERNAME}_${OPENVPN_KEY_FILENAME} /home/$USERNAME/$OPENVPN_KEY_FILENAME
                chown $USERNAME:$USERNAME /home/$USERNAME/$OPENVPN_KEY_FILENAME
            fi
        done
    fi
    temp_restore_dir=/root/tempvpnstunnel
    restore_directory_from_friend $temp_restore_dir vpnstunnel
    if [ -d ${temp_restore_dir} ]; then
        cp -r ${temp_restore_dir}/* /etc/stunnel
        rm -rf ${temp_restore_dir}
        for d in /home/*/ ; do
            USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
            if [ -f /home/$USERNAME/stunnel.pem ]; then
                cp /etc/stunnel/stunnel.pem /home/$USERNAME/stunnel.pem
                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.pem
            fi
            if [ -f /home/$USERNAME/stunnel.p12 ]; then
                cp /etc/stunnel/stunnel.p12 /home/$USERNAME/stunnel.p12
                chown $USERNAME:$USERNAME /home/$USERNAME/stunnel.p12
            fi
        done
    fi
}

function remove_vpn {
    systemctl stop stunnel
    systemctl disable stunnel
    rm /etc/systemd/system/stunnel.service

    systemctl stop openvpn
    if [ $VPN_TLS_PORT -ne 443 ]; then
        firewall_remove VPN-TLS $VPN_TLS_PORT
    else
        systemctl enable nginx
        systemctl restart nginx
    fi

    apt-get -yq remove --purge fastd openvpn easy-rsa
    apt-get -yq remove stunnel4
    if [ -d /etc/openvpn ]; then
        rm -rf /etc/openvpn
    fi
    firewall_disable_vpn

    echo 0 > /proc/sys/net/ipv4/ip_forward
    sed -i 's|net.ipv4.ip_forward=.*|net.ipv4.ip_forward=0|g' /etc/sysctl.conf

    remove_completion_param install_vpn

    # remove any client keys
    for d in /home/*/ ; do
        USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
        if [ -f /home/$USERNAME/$OPENVPN_KEY_FILENAME ]; then
            shred -zu /home/$USERNAME/$OPENVPN_KEY_FILENAME
        fi
        rm /home/$USERNAME/stunnel*
    done
    userdel -f vpn
    groupdel -f vpn

    if [ -d /etc/stunnel ]; then
        rm -rf /etc/stunnel
    fi
}

function create_user_vpn_key {
    username=$1

    if [ ! -d /home/$username ]; then
        return
    fi

    echo $"Creating VPN key for $username"

    cd /etc/openvpn/easy-rsa

    if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
        rm /etc/openvpn/easy-rsa/keys/$username.crt
    fi
    if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
        rm /etc/openvpn/easy-rsa/keys/$username.key
    fi
    if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
        rm /etc/openvpn/easy-rsa/keys/$username.csr
    fi

    sed -i 's| --interact||g' build-key
    ./build-key "$username"

    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
        echo $'VPN user cert not generated'
        exit 783528
    fi
    user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
    if [ ${#user_cert} -lt 10 ]; then
        cat /etc/openvpn/easy-rsa/keys/$username.crt
        echo $'User cert generation failed'
        exit 634659
    fi
    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
        echo $'VPN user key not generated'
        exit 682523
    fi
    user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
    if [ ${#user_key} -lt 10 ]; then
        cat /etc/openvpn/easy-rsa/keys/$username.key
        echo $'User key generation failed'
        exit 285838
    fi

    user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME

    echo 'client' > $user_vpn_cert_file
    echo 'dev tun' >> $user_vpn_cert_file
    echo 'proto tcp' >> $user_vpn_cert_file
    echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
    echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
    echo 'resolv-retry infinite' >> $user_vpn_cert_file
    echo 'nobind' >> $user_vpn_cert_file
    echo 'tun-mtu 1500' >> $user_vpn_cert_file
    echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
    echo 'mssfix 1450' >> $user_vpn_cert_file
    echo 'persist-key' >> $user_vpn_cert_file
    echo 'persist-tun' >> $user_vpn_cert_file
    echo 'auth-nocache' >> $user_vpn_cert_file
    echo 'remote-cert-tls server' >> $user_vpn_cert_file
    echo 'comp-lzo' >> $user_vpn_cert_file
    echo 'verb 3' >> $user_vpn_cert_file
    echo '' >> $user_vpn_cert_file

    echo '<ca>' >> $user_vpn_cert_file
    cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
    echo '</ca>' >> $user_vpn_cert_file

    echo '<cert>' >> $user_vpn_cert_file
    cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
    echo '</cert>' >> $user_vpn_cert_file

    echo '<key>' >> $user_vpn_cert_file
    cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
    echo '</key>' >> $user_vpn_cert_file

    chown $username:$username $user_vpn_cert_file

    # keep a backup
    cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn

    #rm /etc/openvpn/easy-rsa/keys/$username.crt
    #rm /etc/openvpn/easy-rsa/keys/$username.csr
    shred -zu /etc/openvpn/easy-rsa/keys/$username.key

    echo $"VPN key created at $user_vpn_cert_file"
}

function add_user_vpn {
    new_username="$1"
    new_user_password="$2"

    create_user_vpn_key $new_username
    if [ -f /etc/stunnel/stunnel.pem ]; then
        cp /etc/stunnel/stunnel.pem /home/$new_username/stunnel.pem
        chown $new_username:$new_username /home/$new_username/stunnel.pem
    fi
    if [ -f /etc/stunnel/stunnel.p12 ]; then
        cp /etc/stunnel/stunnel.p12 /home/$new_username/stunnel.p12
        chown $new_username:$new_username /home/$new_username/stunnel.p12
    fi
    cp /etc/stunnel/stunnel-client.conf /home/$new_username/stunnel-client.conf
    chown $new_username:$new_username /home/$new_username/stunnel-client.conf
}

function remove_user_vpn {
    new_username="$1"
}

function mesh_setup_vpn {
    vpn_generate_keys

    if [ ${VPN_TLS_PORT} -ne 443 ]; then
        firewall_add VPN-TLS ${VPN_TLS_PORT} tcp
    fi

    generate_stunnel_keys

    systemctl restart openvpn
}

function generate_stunnel_keys {
    openssl req -x509 -nodes -days 3650 -sha256 \
            -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
            -newkey rsa:2048 -keyout /etc/stunnel/key.pem \
            -out /etc/stunnel/cert.pem
    if [ ! -f /etc/stunnel/key.pem ]; then
        echo $'stunnel key not created'
        exit 793530
    fi
    if [ ! -f /etc/stunnel/cert.pem ]; then
        echo $'stunnel cert not created'
        exit 204587
    fi
    chmod 400 /etc/stunnel/key.pem
    chmod 640 /etc/stunnel/cert.pem

    cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
    chmod 640 /etc/stunnel/stunnel.pem

    openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
    if [ ! -f /etc/stunnel/stunnel.p12 ]; then
        echo $'stunnel pkcs12 not created'
        exit 639353
    fi
    chmod 640 /etc/stunnel/stunnel.p12

    cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
    cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
    chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
}

function install_stunnel {
    prefix=
    prefixchroot=
    userhome=/home/$MY_USERNAME
    if [ $rootdir ]; then
        prefix=$rootdir
        prefixchroot="chroot $rootdir"
        VPN_TLS_PORT=$VPN_MESH_TLS_PORT
    fi

    $prefixchroot apt-get -yq install stunnel4

    if [ ! $prefix ]; then
        cd /etc/stunnel
        generate_stunnel_keys
    fi

    echo 'chroot = /var/lib/stunnel4' > $prefix/etc/stunnel/stunnel.conf
    echo 'pid = /stunnel4.pid' >> $prefix/etc/stunnel/stunnel.conf
    echo 'setuid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf
    echo 'setgid = stunnel4' >> $prefix/etc/stunnel/stunnel.conf
    echo 'socket = l:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf
    echo 'socket = r:TCP_NODELAY=1' >> $prefix/etc/stunnel/stunnel.conf
    echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf
    echo '[openvpn]' >> $prefix/etc/stunnel/stunnel.conf
    echo "accept = $VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel.conf
    echo 'connect = localhost:1194' >> $prefix/etc/stunnel/stunnel.conf
    echo 'cert = /etc/stunnel/stunnel.pem' >> $prefix/etc/stunnel/stunnel.conf

    sed -i 's|ENABLED=.*|ENABLED=1|g' $prefix/etc/default/stunnel4

    echo '[openvpn]' > $prefix/etc/stunnel/stunnel-client.conf
    echo 'client = yes' >> $prefix/etc/stunnel/stunnel-client.conf
    echo "accept = $STUNNEL_PORT" >> $prefix/etc/stunnel/stunnel-client.conf
    echo "connect = $DEFAULT_DOMAIN_NAME:$VPN_TLS_PORT" >> $prefix/etc/stunnel/stunnel-client.conf
    echo 'cert = stunnel.pem' >> $prefix/etc/stunnel/stunnel-client.conf

    echo '[Unit]' > $prefix/etc/systemd/system/stunnel.service
    echo 'Description=SSL tunnel for network daemons' >> $prefix/etc/systemd/system/stunnel.service
    echo 'Documentation=man:stunnel https://www.stunnel.org/docs.html' >> $prefix/etc/systemd/system/stunnel.service
    echo 'DefaultDependencies=no' >> $prefix/etc/systemd/system/stunnel.service
    echo 'After=network.target' >> $prefix/etc/systemd/system/stunnel.service
    echo 'After=syslog.target' >> $prefix/etc/systemd/system/stunnel.service
    echo '' >> $prefix/etc/systemd/system/stunnel.service
    echo '[Install]' >> $prefix/etc/systemd/system/stunnel.service
    echo 'WantedBy=multi-user.target' >> $prefix/etc/systemd/system/stunnel.service
    echo 'Alias=stunnel.target' >> $prefix/etc/systemd/system/stunnel.service
    echo '' >> $prefix/etc/systemd/system/stunnel.service
    echo '[Service]' >> $prefix/etc/systemd/system/stunnel.service
    echo 'Type=forking' >> $prefix/etc/systemd/system/stunnel.service
    echo 'RuntimeDirectory=stunnel' >> $prefix/etc/systemd/system/stunnel.service
    echo 'EnvironmentFile=-/etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service
    echo 'ExecStart=/usr/bin/stunnel /etc/stunnel/stunnel.conf' >> $prefix/etc/systemd/system/stunnel.service
    echo 'ExecStop=/usr/bin/killall -9 stunnel' >> $prefix/etc/systemd/system/stunnel.service
    echo 'RemainAfterExit=yes' >> $prefix/etc/systemd/system/stunnel.service

    if [ ! $prefix ]; then
        if [ $VPN_TLS_PORT -eq 443 ]; then
            systemctl stop nginx
            systemctl disable nginx
        else
            systemctl enable nginx
            systemctl restart nginx
        fi

        systemctl enable stunnel
        systemctl daemon-reload
        systemctl start stunnel
    fi

    cp $prefix/etc/stunnel/stunnel-client.conf $prefix$userhome/stunnel-client.conf
    chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
}

function vpn_generate_keys {
    # generate host keys
    if [ ! -f /etc/openvpn/dh2048.pem ]; then
        ${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
    fi
    if [ ! -f /etc/openvpn/dh2048.pem ]; then
        echo $'vpn dhparams were not generated'
        exit 73724523
    fi
    cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem

    cd /etc/openvpn/easy-rsa
    . ./vars
    ./clean-all
    vpn_openssl_version='1.0.0'
    if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
        echo $"openssl-${vpn_openssl_version}.cnf was not found"
        exit 7392353
    fi
    cp openssl-${vpn_openssl_version}.cnf openssl.cnf

    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
    fi
    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
    fi
    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
    fi
    sed -i 's| --interact||g' build-key-server
    sed -i 's| --interact||g' build-ca
    ./build-ca
    ./build-key-server ${OPENVPN_SERVER_NAME}
    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
        echo $'OpenVPN crt not found'
        exit 7823352
    fi
    server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
    if [ ${#server_cert} -lt 10 ]; then
        cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
        echo $'Server cert generation failed'
        exit 3284682
    fi

    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
        echo $'OpenVPN key not found'
        exit 6839436
    fi
    if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
        echo $'OpenVPN ca not found'
        exit 7935203
    fi
    cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn

    create_user_vpn_key ${MY_USERNAME}
}

function install_vpn {
    prefix=
    prefixchroot=
    if [ $rootdir ]; then
        prefix=$rootdir
        prefixchroot="chroot $rootdir"
        VPN_TLS_PORT=$VPN_MESH_TLS_PORT
    fi
    $prefixchroot apt-get -yq install fastd openvpn easy-rsa

    $prefixchroot groupadd vpn
    $prefixchroot useradd -r -s /bin/false -g vpn vpn

    # server configuration
    echo 'port 1194' > $prefix/etc/openvpn/server.conf
    echo 'proto tcp' >> $prefix/etc/openvpn/server.conf
    echo 'dev tun' >> $prefix/etc/openvpn/server.conf
    echo 'tun-mtu 1500' >> $prefix/etc/openvpn/server.conf
    echo 'tun-mtu-extra 32' >> $prefix/etc/openvpn/server.conf
    echo 'mssfix 1450' >> $prefix/etc/openvpn/server.conf
    echo 'ca /etc/openvpn/ca.crt' >> $prefix/etc/openvpn/server.conf
    echo 'cert /etc/openvpn/server.crt' >> $prefix/etc/openvpn/server.conf
    echo 'key /etc/openvpn/server.key' >> $prefix/etc/openvpn/server.conf
    echo 'dh /etc/openvpn/dh2048.pem' >> $prefix/etc/openvpn/server.conf
    echo 'server 10.8.0.0 255.255.255.0' >> $prefix/etc/openvpn/server.conf
    echo 'push "redirect-gateway def1 bypass-dhcp"' >> $prefix/etc/openvpn/server.conf
    echo "push \"dhcp-option DNS 85.214.73.63\"" >> $prefix/etc/openvpn/server.conf
    echo "push \"dhcp-option DNS 213.73.91.35\"" >> $prefix/etc/openvpn/server.conf
    echo 'keepalive 5 30' >> $prefix/etc/openvpn/server.conf
    echo 'comp-lzo' >> $prefix/etc/openvpn/server.conf
    echo 'persist-key' >> $prefix/etc/openvpn/server.conf
    echo 'persist-tun' >> $prefix/etc/openvpn/server.conf
    echo 'status /dev/null' >> $prefix/etc/openvpn/server.conf
    echo 'verb 3' >> $prefix/etc/openvpn/server.conf
    echo '' >> $prefix/etc/openvpn/server.conf

    if [ ! $prefix ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    sed -i 's|# net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf
    sed -i 's|#net.ipv4.ip_forward|net.ipv4.ip_forward|g' $prefix/etc/sysctl.conf
    sed -i 's|net.ipv4.ip_forward.*|net.ipv4.ip_forward=1|g' $prefix/etc/sysctl.conf

    cp -r $prefix/usr/share/easy-rsa/ $prefix/etc/openvpn
    if [ ! -d $prefix/etc/openvpn/easy-rsa/keys ]; then
        mkdir $prefix/etc/openvpn/easy-rsa/keys
    fi

    # keys configuration
    sed -i "s|export KEY_COUNTRY.*|export KEY_COUNTRY=\"US\"|g" $prefix/etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_PROVINCE.*|export KEY_PROVINCE=\"TX\"|g" $prefix/etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_CITY.*|export KEY_CITY=\"Dallas\"|g" $prefix/etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_ORG.*|export KEY_ORG=\"$PROJECT_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_EMAIL.*|export KEY_EMAIL=\"$MY_EMAIL_ADDRESS\"|g" $prefix/etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_OU=.*|export KEY_OU=\"MoonUnit\"|g" $prefix/etc/openvpn/easy-rsa/vars
    sed -i "s|export KEY_NAME.*|export KEY_NAME=\"$OPENVPN_SERVER_NAME\"|g" $prefix/etc/openvpn/easy-rsa/vars

    if [ ! $prefix ]; then
        vpn_generate_keys
        firewall_enable_vpn

        if [ ${VPN_TLS_PORT} -ne 443 ]; then
            firewall_add VPN-TLS ${VPN_TLS_PORT} tcp
        fi

        systemctl start openvpn
    fi

    install_stunnel

    if [ ! $prefix ]; then
        systemctl restart openvpn
    fi

    APP_INSTALLED=1
}

# NOTE: deliberately there is no "exit 0"