#!/bin/bash #25/01/2021 clear clear msg -bar SCPdir="/etc/VPS-MX" && [[ ! -d ${SCPdir} ]] && exit 1 SCPfrm="${SCPdir}/herramientas" && [[ ! -d ${SCPfrm} ]] && exit SCPinst="${SCPdir}/protocolos" && [[ ! -d ${SCPinst} ]] && exit SCPidioma="${SCPdir}/idioma" && [[ ! -e ${SCPidioma} ]] && touch ${SCPidioma} #timedatectl set-timezone UTC # Detect Debian users running the script with "sh" instead of bash if readlink /proc/$$/exe | grep -q "dash"; then echo "Este script se utiliza con bash" exit fi if [[ "$EUID" -ne 0 ]]; then echo "Sorry, solo funciona como root" exit fi if [[ ! -e /dev/net/tun ]]; then echo "El TUN device no esta disponible Necesitas habilitar TUN antes de usar este script" exit fi if [[ -e /etc/debian_version ]]; then OS=debian GROUPNAME=nogroup RCLOCAL='/etc/rc.local' elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then OS=centos GROUPNAME=nobody RCLOCAL='/etc/rc.d/rc.local' else echo "Tu sistema operativo no esta disponible para este script" exit fi agrega_dns() { msg -ama " Escriba el HOST DNS que desea Agregar" read -p " [NewDNS]: " SDNS cat /etc/hosts | grep -v "$SDNS" >/etc/hosts.bak && mv -f /etc/hosts.bak /etc/hosts if [[ -e /etc/opendns ]]; then cat /etc/opendns >/tmp/opnbak mv -f /tmp/opnbak /etc/opendns echo "$SDNS" >>/etc/opendns else echo "$SDNS" >/etc/opendns fi [[ -z $NEWDNS ]] && NEWDNS="$SDNS" || NEWDNS="$NEWDNS $SDNS" unset SDNS } mportas() { unset portas portas_var=$(lsof -V -i -P -n | grep -v "ESTABLISHED" | grep -v "COMMAND") while read port; do var1=$(echo $port | awk '{print $1}') && var2=$(echo $port | awk '{print $9}' | awk -F ":" '{print $2}') [[ "$(echo -e $portas | grep "$var1 $var2")" ]] || portas+="$var1 $var2 \n" done <<<"$portas_var" i=1 echo -e "$portas" } dns_fun() { case $1 in 3) dns[$2]='push "dhcp-option DNS 1.0.0.1"' ;; 4) dns[$2]='push "dhcp-option DNS 1.1.1.1"' ;; 5) dns[$2]='push "dhcp-option DNS 9.9.9.9"' ;; 6) dns[$2]='push "dhcp-option DNS 1.1.1.1"' ;; 7) dns[$2]='push "dhcp-option DNS 80.67.169.40"' ;; 8) dns[$2]='push "dhcp-option DNS 80.67.169.12"' ;; 9) dns[$2]='push "dhcp-option DNS 84.200.69.80"' ;; 10) dns[$2]='push "dhcp-option DNS 84.200.70.40"' ;; 11) dns[$2]='push "dhcp-option DNS 208.67.222.222"' ;; 12) dns[$2]='push "dhcp-option DNS 208.67.220.220"' ;; 13) dns[$2]='push "dhcp-option DNS 8.8.8.8"' ;; 14) dns[$2]='push "dhcp-option DNS 8.8.4.4"' ;; 15) dns[$2]='push "dhcp-option DNS 77.88.8.8"' ;; 16) dns[$2]='push "dhcp-option DNS 77.88.8.1"' ;; 17) dns[$2]='push "dhcp-option DNS 176.103.130.130"' ;; 18) dns[$2]='push "dhcp-option DNS 176.103.130.131"' ;; esac } meu_ip() { if [[ -e /etc/VPS-MX/MEUIPvps ]]; then echo "$(cat /etc/VPS-MX/MEUIPvps)" else MEU_IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127 \.[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3}' | grep -o -E '[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3}' | head -1) MEU_IP2=$(wget -qO- ipv4.icanhazip.com) [[ "$MEU_IP" != "$MEU_IP2" ]] && echo "$MEU_IP2" || echo "$MEU_IP" echo "$MEU_IP" >/etc/VPS-MX/MEUIPvps fi } IP="$(meu_ip)" instala_ovpn2() { msg -bar3 clear msg -bar msg -tit echo -e " \033[1;32m INSTALADOR DE OPENVPN | VPS-MX By @Kalix1" msg -bar # OpenVPN setup and first user creation echo -e " \033[1;97mSe necesitan ciertos parametros para configurar OpenVPN." echo "Configuracion por default solo presiona ENTER." echo "Primero, cual es la IPv4 que quieres para OpenVPN" echo "Detectando..." msg -bar # Autodetect IP address and pre-fill for the user IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127 \.[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3}' | grep -oE '[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3}' | head -1) read -p "IP address: " -e -i $IP IP # If $IP is a private IP address, the server must be behind NAT if echo "$IP" | grep -qE '^(10 \.|172 \.1[6789] \.|172 \.2[0-9] \.|172 \.3[01] \.|192 \.168)'; then echo echo "Este servidor esta detras de una red NAT?" read -p "IP Publica / hostname: " -e PUBLICIP fi msg -bar msg -ama "Que protocolo necesitas para las conexiones OpenVPN?" msg -bar echo " 1) UDP (recomendada)" echo " 2) TCP" msg -bar read -p "Protocolo [1-2]: " -e -i 1 PROTOCOL case $PROTOCOL in 1) PROTOCOL=udp ;; 2) PROTOCOL=tcp ;; esac msg -bar msg -ama "Que puerto necesitas en OpenVPN (Default 1194)?" msg -bar read -p "Puerto: " -e -i 1194 PORT msg -bar msg -ama "Cual DNS usaras en tu VPN?" msg -bar echo " 1) Actuales en el VPS" echo " 2) 1.1.1.1" echo " 3) Google" echo " 4) OpenDNS" echo " 5) Verisign" msg -bar read -p "DNS [1-5]: " -e -i 1 DNS #CIPHER msg -bar msg -ama " Elija que codificacion desea para el canal de datos:" msg -bar echo " 1) AES-128-CBC" echo " 2) AES-192-CBC" echo " 3) AES-256-CBC" echo " 4) CAMELLIA-128-CBC" echo " 5) CAMELLIA-192-CBC" echo " 6) CAMELLIA-256-CBC" echo " 7) SEED-CBC" echo " 8) NONE" msg -bar while [[ $CIPHER != @([1-8]) ]]; do read -p " Cipher [1-7]: " -e -i 1 CIPHER done case $CIPHER in 1) CIPHER="cipher AES-128-CBC" ;; 2) CIPHER="cipher AES-192-CBC" ;; 3) CIPHER="cipher AES-256-CBC" ;; 4) CIPHER="cipher CAMELLIA-128-CBC" ;; 5) CIPHER="cipher CAMELLIA-192-CBC" ;; 6) CIPHER="cipher CAMELLIA-256-CBC" ;; 7) CIPHER="cipher SEED-CBC" ;; 8) CIPHER="cipher none" ;; esac msg -bar msg -ama " Estamos listos para configurar su servidor OpenVPN" msg -bar read -n1 -r -p "Presiona cualquier tecla para continuar..." if [[ "$OS" = 'debian' ]]; then apt-get update apt-get install openvpn iptables openssl ca-certificates -y else # yum install epel-release -y yum install openvpn iptables openssl ca-certificates -y fi # Get easy-rsa EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz' wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL" tar xzf ~/easyrsa.tgz -C ~/ mv ~/EasyRSA-3.0.8/ /etc/openvpn/ mv /etc/openvpn/EasyRSA-3.0.8/ /etc/openvpn/easy-rsa/ chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/easyrsa.tgz cd /etc/openvpn/easy-rsa/ # ./easyrsa init-pki ./easyrsa --batch build-ca nopass ./easyrsa gen-dh ./easyrsa build-server-full server nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn # chown nobody:$GROUPNAME /etc/openvpn/crl.pem # openvpn --genkey --secret /etc/openvpn/ta.key # echo "port $PORT proto $PROTOCOL dev tun sndbuf 0 rcvbuf 0 ca ca.crt cert server.crt key server.key dh dh.pem auth SHA512 tls-auth ta.key 0 topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt" >/etc/openvpn/server.conf echo 'push "redirect-gateway def1 bypass-dhcp"' >>/etc/openvpn/server.conf # DNS case $DNS in 1) # # if grep -q "127.0.0.53" "/etc/resolv.conf"; then RESOLVCONF='/run/systemd/resolve/resolv.conf' else RESOLVCONF='/etc/resolv.conf' fi # grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3}' | while read line; do echo "push \"dhcp-option DNS $line \"" >>/etc/openvpn/server.conf done ;; 2) echo 'push "dhcp-option DNS 1.1.1.1"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 1.0.0.1"' >>/etc/openvpn/server.conf ;; 3) echo 'push "dhcp-option DNS 8.8.8.8"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 8.8.4.4"' >>/etc/openvpn/server.conf ;; 4) echo 'push "dhcp-option DNS 208.67.222.222"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 208.67.220.220"' >>/etc/openvpn/server.conf ;; 5) echo 'push "dhcp-option DNS 64.6.64.6"' >>/etc/openvpn/server.conf echo 'push "dhcp-option DNS 64.6.65.6"' >>/etc/openvpn/server.conf ;; esac echo "keepalive 10 120 ${CIPHER} user nobody group $GROUPNAME persist-key persist-tun status openvpn-status.log verb 3 crl-verify crl.pem" >>/etc/openvpn/server.conf updatedb PLUGIN=$(locate openvpn-plugin-auth-pam.so | head -1) [[ ! -z $(echo ${PLUGIN}) ]] && { echo "client-to-client client-cert-not-required username-as-common-name plugin $PLUGIN login" >>/etc/openvpn/server.conf } # echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/30-openvpn-forward.conf # echo 1 >/proc/sys/net/ipv4/ip_forward if pgrep firewalld; then # # # # firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 # firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP else # if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then echo '#!/bin/sh -e exit 0' >$RCLOCAL fi chmod +x $RCLOCAL # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP sed -i "1 a \iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL if iptables -L -n | grep -qE '^(REJECT|DROP)'; then # # # iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT sed -i "1 a \iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL sed -i "1 a \iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL sed -i "1 a \iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL fi fi # if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then # if ! hash semanage 2>/dev/null; then yum install policycoreutils-python -y fi semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT fi # if [[ "$OS" = 'debian' ]]; then # if pgrep systemd-journal; then systemctl restart openvpn@server.service else /etc/init.d/openvpn restart fi else if pgrep systemd-journal; then systemctl restart openvpn@server.service systemctl enable openvpn@server.service else service openvpn restart chkconfig openvpn on fi fi # if [[ "$PUBLICIP" != "" ]]; then IP=$PUBLICIP fi # echo "# OVPN_ACCESS_SERVER_PROFILE=VPS-MX client dev tun proto $PROTOCOL sndbuf 0 rcvbuf 0 remote $IP $PORT resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server auth SHA512 ${CIPHER} setenv opt block-outside-dns key-direction 1 verb 3 auth-user-pass" >/etc/openvpn/client-common.txt msg -bar msg -ama " Ahora crear una SSH para generar el (.ovpn)!" msg -bar echo -e " \033[1;32m Configuracion Finalizada!" msg -bar } instala_ovpn() { parametros_iniciais() { #Verifica o Sistema [[ "$EUID" -ne 0 ]] && echo " Lo siento, usted necesita ejecutar esto como ROOT" && exit 1 [[ ! -e /dev/net/tun ]] && echo " TUN no esta Disponible" && exit 1 if [[ -e /etc/debian_version ]]; then OS="debian" VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID") IPTABLES='/etc/iptables/iptables.rules' [[ ! -d /etc/iptables ]] && mkdir /etc/iptables [[ ! -e $IPTABLES ]] && touch $IPTABLES SYSCTL='/etc/sysctl.conf' [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="18.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.10"' ]] && { echo " Su vercion de Debian / Ubuntu no Soportada." while [[ $CONTINUE != @(y|Y|s|S|n|N) ]]; do read -p "Continuar ? [y/n]: " -e CONTINUE done [[ "$CONTINUE" = @(n|N) ]] && exit 1 } else msg -ama " Parece que no estas ejecutando este instalador en un sistema Debian o Ubuntu" msg -bar return 1 fi #Pega Interface NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )( \S+)' | head -1) } add_repo() { #INSTALACAO E UPDATE DO REPOSITORIO # Debian 7 if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" >/etc/apt/sources.list.d/openvpn.list wget -q -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - >/dev/null 2>&1 # Debian 8 elif [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" >/etc/apt/sources.list.d/openvpn.list wget -q -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - >/dev/null 2>&1 # Ubuntu 14.04 elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" >/etc/apt/sources.list.d/openvpn.list wget -q -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - >/dev/null 2>&1 # Ubuntu 16.04 elif [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" >/etc/apt/sources.list.d/openvpn.list wget -q -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - >/dev/null 2>&1 # Ubuntu 18.04 elif [[ "$VERSION_ID" = 'VERSION_ID="18.04"' ]]; then apt-get remove openvpn -y >/dev/null 2>&1 rm -rf /etc/apt/sources.list.d/openvpn.list >/dev/null 2>&1 echo "deb http://build.openvpn.net/debian/openvpn/stable bionic main" >/etc/apt/sources.list.d/openvpn.list wget -q -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add - >/dev/null 2>&1 fi } coleta_variaveis() { echo -e " \033[1;32m INSTALADOR DE OPENVPN | VPS-MX By @Kalix1" msg -bar msg -ne " Confirme su IP" read -p ": " -e -i $IP ip msg -bar msg -ama " Que puerto desea usar?" msg -bar while true; do read -p " Port: " -e -i 1194 PORT [[ $(mportas | grep -w "$PORT") ]] || break echo -e " \033[1;33m Este puerto esta en uso \033[0m" unset PORT done msg -bar echo -e " \033[1;31m Que protocolo desea para las conexiones OPENVPN?" echo -e " \033[1;31m A menos que UDP este bloqueado, no utilice TCP (es mas lento)" #PROTOCOLO while [[ $PROTOCOL != @(UDP|TCP) ]]; do read -p " Protocol [UDP/TCP]: " -e -i TCP PROTOCOL done [[ $PROTOCOL = "UDP" ]] && PROTOCOL=udp [[ $PROTOCOL = "TCP" ]] && PROTOCOL=tcp #DNS msg -bar msg -ama " Que DNS desea utilizar?" msg -bar echo " 1) Usar DNS de sistema " echo " 2) Cloudflare" echo " 3) Quad" echo " 4) FDN" echo " 5) DNS.WATCH" echo " 6) OpenDNS" echo " 7) Google DNS" echo " 8) Yandex Basic" echo " 9) AdGuard DNS" msg -bar while [[ $DNS != @([1-9]) ]]; do read -p " DNS [1-9]: " -e -i 1 DNS done #CIPHER msg -bar msg -ama " Elija que codificacion desea para el canal de datos:" msg -bar echo " 1) AES-128-CBC" echo " 2) AES-192-CBC" echo " 3) AES-256-CBC" echo " 4) CAMELLIA-128-CBC" echo " 5) CAMELLIA-192-CBC" echo " 6) CAMELLIA-256-CBC" echo " 7) SEED-CBC" msg -bar while [[ $CIPHER != @([1-7]) ]]; do read -p " Cipher [1-7]: " -e -i 1 CIPHER done case $CIPHER in 1) CIPHER="cipher AES-128-CBC" ;; 2) CIPHER="cipher AES-192-CBC" ;; 3) CIPHER="cipher AES-256-CBC" ;; 4) CIPHER="cipher CAMELLIA-128-CBC" ;; 5) CIPHER="cipher CAMELLIA-192-CBC" ;; 6) CIPHER="cipher CAMELLIA-256-CBC" ;; 7) CIPHER="cipher SEED-CBC" ;; esac msg -bar msg -ama " Estamos listos para configurar su servidor OpenVPN" msg -bar read -n1 -r -p " Enter para Continuar ..." tput cuu1 && tput dl1 } parametros_iniciais # BREVE VERIFICACAO coleta_variaveis # COLETA VARIAVEIS PARA INSTALAÇÃO add_repo # ATUALIZA REPOSITÓRIO OPENVPN E INSTALA OPENVPN # Cria Diretorio [[ ! -d /etc/openvpn ]] && mkdir /etc/openvpn # Install openvpn echo -ne " \033[1;31m[ ! ] apt-get update" apt-get update -q >/dev/null 2>&1 && echo -e " \033[1;32m [OK]" || echo -e " \033[1;31m [FAIL]" echo -ne " \033[1;31m[ ! ] apt-get install openvpn curl openssl" apt-get install -qy openvpn curl >/dev/null 2>&1 && apt-get install openssl ca-certificates -y >/dev/null 2>&1 && echo -e " \033[1;32m [OK]" || echo -e " \033[1;31m [FAIL]" SERVER_IP="$(meu_ip)" # IP Address [[ -z "${SERVER_IP}" ]] && SERVER_IP=$(ip a | awk -F"[ /]+" '/global/ && !/127.0/ {print $3; exit}') echo -ne " \033[1;31m[ ! ] Generating Server Config" # Gerando server.con ( case $DNS in 1) i=0 grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3} \.[0-9]{1,3}' | while read line; do dns[$i]="push \"dhcp-option DNS $line \"" done [[ ! "${dns[@]}" ]] && dns[0]='push "dhcp-option DNS 8.8.8.8"' && dns[1]='push "dhcp-option DNS 8.8.4.4"' ;; 2) dns_fun 3 && dns_fun 4 ;; 3) dns_fun 5 && dns_fun 6 ;; 4) dns_fun 7 && dns_fun 8 ;; 5) dns_fun 9 && dns_fun 10 ;; 6) dns_fun 11 && dns_fun 12 ;; 7) dns_fun 13 && dns_fun 14 ;; 8) dns_fun 15 && dns_fun 16 ;; 9) dns_fun 17 && dns_fun 18 ;; esac echo 01 >/etc/openvpn/ca.srl while [[ ! -e /etc/openvpn/dh.pem || -z $(cat /etc/openvpn/dh.pem) ]]; do openssl dhparam -out /etc/openvpn/dh.pem 2048 &>/dev/null done while [[ ! -e /etc/openvpn/ca-key.pem || -z $(cat /etc/openvpn/ca-key.pem) ]]; do openssl genrsa -out /etc/openvpn/ca-key.pem 2048 &>/dev/null done chmod 600 /etc/openvpn/ca-key.pem &>/dev/null while [[ ! -e /etc/openvpn/ca-csr.pem || -z $(cat /etc/openvpn/ca-csr.pem) ]]; do openssl req -new -key /etc/openvpn/ca-key.pem -out /etc/openvpn/ca-csr.pem -subj /CN=OpenVPN-CA/ &>/dev/null done while [[ ! -e /etc/openvpn/ca.pem || -z $(cat /etc/openvpn/ca.pem) ]]; do openssl x509 -req -in /etc/openvpn/ca-csr.pem -out /etc/openvpn/ca.pem -signkey /etc/openvpn/ca-key.pem -days 365 &>/dev/null done cat >/etc/openvpn/server.conf <>/etc/openvpn/server.conf } ) && echo -e " \033[1;32m [OK]" || echo -e " \033[1;31m [FAIL]" echo -ne " \033[1;31m[ ! ] Generating CA Config" # Generate CA Config ( while [[ ! -e /etc/openvpn/client-key.pem || -z $(cat /etc/openvpn/client-key.pem) ]]; do openssl genrsa -out /etc/openvpn/client-key.pem 2048 &>/dev/null done chmod 600 /etc/openvpn/client-key.pem while [[ ! -e /etc/openvpn/client-csr.pem || -z $(cat /etc/openvpn/client-csr.pem) ]]; do openssl req -new -key /etc/openvpn/client-key.pem -out /etc/openvpn/client-csr.pem -subj /CN=OpenVPN-Client/ &>/dev/null done while [[ ! -e /etc/openvpn/client-cert.pem || -z $(cat /etc/openvpn/client-cert.pem) ]]; do openssl x509 -req -in /etc/openvpn/client-csr.pem -out /etc/openvpn/client-cert.pem -CA /etc/openvpn/ca.pem -CAkey /etc/openvpn/ca-key.pem -days 365 &>/dev/null done ) && echo -e " \033[1;32m [OK]" || echo -e " \033[1;31m [FAIL]" teste_porta() { msg -bar echo -ne " \033[1;31m$(fun_trans ${id} "Verificando"):" sleep 1s [[ ! $(mportas | grep "$1") ]] && { echo -e " \033[1;33m [FAIL] \033[0m" } || { echo -e " \033[1;32m [Pass] \033[0m" return 1 } } msg -bar echo -e " \033[1;33m Ahora Necesitamos un Proxy SQUID o PYTHON-OPENVPN" echo -e " \033[1;33m Si no existe un proxy en la puerta, un proxy Python sera abierto!" msg -bar while [[ $? != "1" ]]; do read -p " Confirme el Puerto(Proxy) " -e -i 80 PPROXY teste_porta $PPROXY done cat >/etc/openvpn/client-common.txt </etc/iptables.conf cat >/etc/network/if-up.d/iptables </proc/sys/net/ipv4/ip_forward # Regras de Firewall if pgrep firewalld; then if [[ "$PROTOCOL" = 'udp' ]]; then firewall-cmd --zone=public --add-port=$PORT/udp firewall-cmd --permanent --zone=public --add-port=$PORT/udp elif [[ "$PROTOCOL" = 'tcp' ]]; then firewall-cmd --zone=public --add-port=$PORT/tcp firewall-cmd --permanent --zone=public --add-port=$PORT/tcp fi firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 fi if iptables -L -n | grep -qE 'REJECT|DROP'; then if [[ "$PROTOCOL" = 'udp' ]]; then iptables -I INPUT -p udp --dport $PORT -j ACCEPT elif [[ "$PROTOCOL" = 'tcp' ]]; then iptables -I INPUT -p tcp --dport $PORT -j ACCEPT fi iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables-save >$IPTABLES fi if hash sestatus 2>/dev/null; then if sestatus | grep "Current mode" | grep -qs "enforcing"; then if [[ "$PORT" != '1194' ]]; then if ! hash semanage 2>/dev/null; then yum install policycoreutils-python -y fi if [[ "$PROTOCOL" = 'udp' ]]; then semanage port -a -t openvpn_port_t -p udp $PORT elif [[ "$PROTOCOL" = 'tcp' ]]; then semanage port -a -t openvpn_port_t -p tcp $PORT fi fi fi fi #Liberando DNS msg -bar msg -ama " Ultimo Paso, Configuraciones DNS" msg -bar while [[ $DDNS != @(n|N) ]]; do echo -ne " \033[1;33m" read -p " Agergar HOST DNS [S/N]: " -e -i n DDNS [[ $DDNS = @(s|S|y|Y) ]] && agrega_dns done [[ ! -z $NEWDNS ]] && { sed -i "/127.0.0.1[[:blank:]] \+localhost/a 127.0.0.1 $NEWDNS" /etc/hosts for DENESI in $(echo $NEWDNS); do sed -i "/remote ${SERVER_IP} ${PORT} ${PROTOCOL}/a remote ${DENESI} ${PORT} ${PROTOCOL}" /etc/openvpn/client-common.txt done } msg -bar # REINICIANDO OPENVPN if [[ "$OS" = 'debian' ]]; then if pgrep systemd-journal; then sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn \@.service sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn \@.service sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn \@.service #systemctl daemon-reload ( systemctl restart openvpn systemctl enable openvpn ) >/dev/null 2>&1 else /etc/init.d/openvpn restart >/dev/null 2>&1 fi else if pgrep systemd-journal; then ( systemctl restart openvpn@server.service systemctl enable openvpn@server.service ) >/dev/null 2>&1 else ( service openvpn restart chkconfig openvpn on ) >/dev/null 2>&1 fi fi service squid restart &>/dev/null service squid3 restart &>/dev/null apt-get install ufw -y >/dev/null 2>&1 for ufww in $(mportas | awk '{print $2}'); do ufw allow $ufww >/dev/null 2>&1 done #Restart OPENVPN ( killall openvpn 2>/dev/null systemctl stop openvpn@server.service >/dev/null 2>&1 service openvpn stop >/dev/null 2>&1 sleep 0.1s cd /etc/openvpn >/dev/null 2>&1 screen -dmS ovpnscr openvpn --config "server.conf" >/dev/null 2>&1 ) >/dev/null 2>&1 echo -e " \033[1;32m Openvpn configurado con EXITO!" msg -bar msg -ama " Ahora crear una SSH para generar el (.ovpn)!" msg -bar return 0 } edit_ovpn_host() { msg -bar3 msg -ama " CONFIGURACION HOST DNS OPENVPN" msg -bar while [[ $DDNS != @(n|N) ]]; do echo -ne " \033[1;33m" read -p " Agregar host [S/N]: " -e -i n DDNS [[ $DDNS = @(s|S|y|Y) ]] && agrega_dns done [[ ! -z $NEWDNS ]] && sed -i "/127.0.0.1[[:blank:]] \+localhost/a 127.0.0.1 $NEWDNS" /etc/hosts msg -bar msg -ama " Es Necesario el Reboot del Servidor Para" msg -ama " Para que las configuraciones sean efectudas" msg -bar } fun_openvpn() { [[ -e /etc/openvpn/server.conf ]] && { unset OPENBAR [[ $(mportas | grep -w "openvpn") ]] && OPENBAR=" \033[1;32m ONLINE" || OPENBAR=" \033[1;31m OFFLINE" msg -ama " OPENVPN YA ESTA INSTALADO" msg -bar echo -e " \033[1;32m [1] > \033[1;36m DESINSTALAR OPENVPN" echo -e " \033[1;32m [2] > \033[1;36m EDITAR CONFIGURACION CLIENTE \033[1;31m(MEDIANTE NANO)" echo -e " \033[1;32m [3] > \033[1;36m EDITAR CONFIGURACION SERVIDOR \033[1;31m(MEDIANTE NANO)" echo -e " \033[1;32m [4] > \033[1;36m CAMBIAR HOST DE OPENVPN" echo -e " \033[1;32m [5] > \033[1;36m INICIAR O PARAR OPENVPN - $OPENBAR" msg -bar while [[ $xption != @([0|1|2|3|4|5]) ]]; do echo -ne " \033[1;33m $(fun_trans "Opcion"): " && read xption tput cuu1 && tput dl1 done case $xption in 1) clear msg -bar echo -ne " \033[1;97m" read -p "QUIERES DESINTALAR OPENVPN? [Y/N]: " -e REMOVE msg -bar if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2) PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2) if pgrep firewalld; then IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep ' \-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10) # firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP else IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14) iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0 \/24 ! -d 10.8.0.0 \/24 -j SNAT --to /d' $RCLOCAL if iptables -L -n | grep -qE '^ACCEPT'; then iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -s 10.8.0.0 \/24 -j ACCEPT/d" $RCLOCAL sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL fi fi if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT fi if [[ "$OS" = 'debian' ]]; then apt-get remove --purge -y openvpn else yum remove openvpn -y fi rm -rf /etc/openvpn rm -f /etc/sysctl.d/30-openvpn-forward.conf msg -bar echo "OpenVPN removido!" msg -bar else msg -bar echo "Desinstalacion abortada!" msg -bar fi return 0 ;; 2) nano /etc/openvpn/client-common.txt return 0 ;; 3) nano /etc/openvpn/server.conf return 0 ;; 4) edit_ovpn_host ;; 5) [[ $(mportas | grep -w openvpn) ]] && { /etc/init.d/openvpn stop >/dev/null 2>&1 killall openvpn &>/dev/null systemctl stop openvpn@server.service &>/dev/null service openvpn stop &>/dev/null #ps x |grep openvpn |grep -v grep|awk '{print $1}' | while read pid; do kill -9 $pid; done } || { cd /etc/openvpn screen -dmS ovpnscr openvpn --config "server.conf" >/dev/null 2>&1 cd $HOME } msg -ama " Procedimiento Hecho con Exito" msg -bar return 0 ;; 0) return 0 ;; esac exit } [[ -e /etc/squid/squid.conf ]] && instala_ovpn2 && return 0 [[ -e /etc/squid3/squid.conf ]] && instala_ovpn2 && return 0 instala_ovpn2 || return 1 } fun_openvpn