From 45a01c0d327582c02ebd3bb5bf0bb1008dd258d1 Mon Sep 17 00:00:00 2001 From: daizack Date: Sat, 20 May 2023 00:43:58 +0000 Subject: [PATCH] update code --- README.md | 25 +++++++++++++++++++------ openvpn-install.sh | 36 ++++++++++++++++++++---------------- 2 files changed, 39 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index fe22bf2..19d8c07 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,22 @@ If you want to show your appreciation, you can donate via [PayPal](https://www.p `bash openvpn-install.sh` + +### Make ccd and make a file named as the client username (change 10.10.0.101 to the ip you want to assgin to the client) + +``` +sudo mkdir /etc/openvpn/ccd + +sudo echo "ifconfig-push 10.10.0.101 255.255.255.0" >/etc/openvon/ccd/client + +``` + ### Install client on ubuntu server + + + + + ``` sudo apt update sudo apt install openvpn @@ -36,7 +51,7 @@ Copy .ovpn to the target machine sudo service openvpn@client start ``` -### Some note +### Some change made in the code, no action needed below: partial routing (if do not want redirect all traffic to the vpn server. If you have a machine that host public app e.g. website server, you will need this setting.) @@ -45,7 +60,7 @@ add ``` route-nopull -route 10.8.0.0 255.255.255.0 +route 10.10.0.0 255.255.255.0 ``` make a file @@ -54,7 +69,7 @@ make a file ``` route-nopull - route 10.8.0.0 255.255.255.0 + route 10.10.0.0 255.255.255.0 ``` another file @@ -80,6 +95,4 @@ client-config-dir /etc/openvpn/ccd client-to-client ``` -Then go to /etc/openvpn/ccd to create file named as user name and put something like (in this example, the ip is set to 10.8.0.101 for the user) - -`ifconfig-push 10.8.0.101 255.255.255.0` +T diff --git a/openvpn-install.sh b/openvpn-install.sh index 637fe3c..396bf19 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -236,7 +236,7 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
 systemctl enable --now firewalld.service
 fi
 # Get easy-rsa
- easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz'
+ easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.3/EasyRSA-3.1.3.tgz'
 mkdir -p /etc/openvpn/server/easy-rsa/
 { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
 chown -R root:root /etc/openvpn/server/easy-rsa/
@@ -276,7 +276,9 @@ dh dh.pem
 auth SHA512
 tls-crypt tc.key
 topology subnet
-server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
+client-config-dir /etc/openvpn/ccd
+client-to-client
+server 10.10.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
 # IPv6
 if [[ -z "$ip6" ]]; then
 echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
@@ -284,7 +286,7 @@ server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf
 echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
 echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf
 fi
- echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
+ # echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf
 # DNS
 case "$dns" in
 1|"")
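Review bot: `client-to-client` is now written into server.conf for every install, and because OpenVPN switches that traffic internally, the FORWARD rules and the firewalld trusted-zone source added elsewhere in this patch never see client-to-client packets, so the host firewall cannot filter them and one compromised client gets direct reachability to every other connected client. Unless peer reachability is the purpose of this fork, make it opt-in (a prompt or variable, like the existing `$dns` choice) and leave it out by default. `client-config-dir /etc/openvpn/ccd` is also added here but the script never creates that directory; the README in the same commit asks the user to `mkdir` it by hand, and its example writes to `/etc/openvon/ccd/client` (a typo) via `sudo echo ... >`, where the redirect runs as the unprivileged caller, so creating the directory in the script next to the existing `mkdir -p /etc/openvpn/server/easy-rsa/` would keep the install self-contained. I would also confirm against the OpenVPN manual that a static `ifconfig-push` address inside the 10.10.0.0/24 dynamic pool cannot collide with a pool-assigned one unless the pool is narrowed with `ifconfig-pool`.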
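Review bot: The `ifconfig-pool-persist` line in the third hunk is left as commented-out code with no explanation of why pool persistence was dropped; git already keeps the history, so either delete the line or replace it with a why-comment such as `# ifconfig-pool-persist omitted: client addresses are pinned via client-config-dir`. Without persistence, clients that have no ccd file may get a different pool address after a server restart, which matters if anything relies on stable client addresses, as the README's ccd example suggests. I cannot see from this hunk whether any other part of the script reads ipp.txt.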
@@ -349,12 +351,12 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
 # We don't use --add-service=openvpn because that would only work with
 # the default port and protocol.
 firewall-cmd --add-port="$port"/"$protocol"
- firewall-cmd --zone=trusted --add-source=10.8.0.0/24
+ firewall-cmd --zone=trusted --add-source=10.10.0.0/24
 firewall-cmd --permanent --add-port="$port"/"$protocol"
- firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
+ firewall-cmd --permanent --zone=trusted --add-source=10.10.0.0/24
 # Set NAT for the VPN subnet
- firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
- firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
+ firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
+ firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
 if [[ -n "$ip6" ]]; then
 firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64
 firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64
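Review bot: The VPN subnet is hard-coded as `10.10.0.0/24` four times in this hunk and again in the server.conf heredoc, the iptables unit, the client template and the uninstall path in the other hunks of this file (roughly twenty literals), and the renumbering itself shows how easily one of them can drift. Define it once near the top of the script, e.g. `readonly vpn_net4='10.10.0.0/24'` and `readonly vpn_server4='10.10.0.0 255.255.255.0'`, and reference it here as `firewall-cmd --zone=trusted --add-source="$vpn_net4"`, with the same substitution in the other hunks. The enclosing firewalld branch starts before this hunk.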
@@ -375,13 +377,13 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf
 Before=network.target
 [Service]
 Type=oneshot
-ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to $ip
 ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT
-ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStart=$iptables_path -I FORWARD -s 10.10.0.0/24 -j ACCEPT
 ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
+ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to $ip
 ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT
-ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
+ExecStop=$iptables_path -D FORWARD -s 10.10.0.0/24 -j ACCEPT
 ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
 if [[ -n "$ip6" ]]; then
 echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
@@ -425,6 +427,8 @@ remote-cert-tls server
 auth SHA512
 cipher AES-256-CBC
 ignore-unknown-option block-outside-dns
+route-nopull
+route 10.10.0.0 255.255.255.0
 verb 3" > /etc/openvpn/server/client-common.txt
 # Enable and start the OpenVPN service
 systemctl enable --now openvpn-server@server.service
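Review bot: Adding `route-nopull` to client-common.txt in the second hunk makes every generated profile ignore more than routes: per the OpenVPN manual, `route-nopull` also discards pushed `dhcp-option` DNS settings and `block-outside-dns`, so the `push "redirect-gateway ..."` lines and the `# DNS` selection that the server side of this patch still writes become no-ops for all clients, and name resolution stays outside the tunnel. Since the README presents partial routing as an optional per-client choice, keep these two lines out of the shared template and let the admin add them to an individual profile or behind a prompt; if the global behaviour is intended, a comment above the heredoc such as `# route-nopull: clients reach only the VPN subnet; pushed redirect-gateway and DNS are ignored` should say so. The `route 10.10.0.0 255.255.255.0` literal and the subnet literals in the iptables unit in the first hunk are the duplication raised on the firewalld hunk.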
@@ -519,14 +523,14 @@ else
 port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
 protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2)
 if systemctl is-active --quiet firewalld.service; then
- ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
+ ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.10.0.0/24 '"'"'!'"'"' -d 10.10.0.0/24' | grep -oE '[^ ]+$')
 # Using both permanent and not permanent rules to avoid a firewalld reload.
 firewall-cmd --remove-port="$port"/"$protocol"
- firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
+ firewall-cmd --zone=trusted --remove-source=10.10.0.0/24
 firewall-cmd --permanent --remove-port="$port"/"$protocol"
- firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
- firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
- firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
+ firewall-cmd --permanent --zone=trusted --remove-source=10.10.0.0/24
+ firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
+ firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.10.0.0/24 ! -d 10.10.0.0/24 -j SNAT --to "$ip"
 if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then
 ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$')
 firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64
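Review bot: The `ip=` extraction and the remove calls now only match rules for `10.10.0.0/24`, so on a host installed by the previous version of this script (rules for 10.8.0.0/24) the grep yields an empty `ip`, the `--remove-rule ... --to ""` calls most likely report no such rule, and the old SNAT and trusted-zone rules survive the uninstall. Deriving the subnet from the installed server.conf, the way `port` and `protocol` are derived two lines above, removes the dependence on which version did the install: `vpn_net4=$(grep '^server ' /etc/openvpn/server/server.conf | cut -d " " -f 2)/24` (the mask is hard-coded to 255.255.255.0 in this script, so /24 is consistent), then `--remove-source="$vpn_net4"` and `-s "$vpn_net4" ! -d "$vpn_net4"` in the rules. An empty `ip` should also be reported instead of silently running the removals, e.g. `[[ -n "$ip" ]] || printf 'SNAT rule for %s not found\n' "$vpn_net4" >&2`. The enclosing `else` branch starts before this hunk.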