OpenVPN Rapid Installer

From test.coolscript.org
Jump to navigation Jump to search

Install and configure OpenVPN including certificates in less than one minute

  • Express installation and configuration of OpenVPN, this has been tested on any recent Debian, Ubuntu or Raspian releases.
  • Enjoy the wide range of supported OpenVPN Clients, with this Script you may quickly establish a VPN connection, compatible with Windows, Linux, Mac OS, Android and iOS
  • Install and configure OpenVPN together with a Certification Authority and X509 Client Certificates with one single command,
  • Optional journaling

Additional Tools

  • ovpncert
    • Create new ovpn profiles and certificates on the fly
    • Revoke ovpn certificates on the fly
  • ovpnreport
    • Search the journal for login activity, users or ip-addresses
    • List current connections

Installation Samples[edit]

Basic installation with no options[edit]

Install and configure OpenVPN with Easy-RSA

  • Default udp port 1194
  • Default network 10.8.0.0/24
  • Automatically installation (-a)
#Copy&Paste
wget -q https://coolscript.org/download/scripts/openvpn/openvpn-install.sh -O \
/tmp/openvpn-install.sh && bash \
/tmp/openvpn-install.sh -a

Custom Network Installation[edit]

Install and configure OpenVPN with Easy-RSA

  • Use tcp port 1194 (-o and -p)
  • Use your custom network 192.168.200.0/24 (-n and -m)
  • Automatically installation (-a)
  • Reinstallation if a previous setup exists (-r)
#Copy&Paste
wget -q https://coolscript.org/download/scripts/openvpn/openvpn-install.sh -O \
/tmp/openvpn-install.sh && bash \
/tmp/openvpn-install.sh -a -r \
-o 1194 \
-p tcp \
-n 192.168.200.0 \
-m 24

Recommended Setup - Support local users and journaling[edit]

Install and configure OpenVPN with Easy-RSA

  • Default udp port 1194
  • Default network 10.8.0.0/24
  • Automatically installation (-a)
  • Reinstallation if a previous setup exists (-r)
  • Enable additional authentication using local user (-u)
  • Enable journaling (-j)
#Copy&Paste
wget -q https://coolscript.org/download/scripts/openvpn/openvpn-install.sh -O \
/tmp/openvpn-install.sh && bash \
/tmp/openvpn-install.sh -a -r -u -j

Available Arguments[edit]

openvpn-install.sh -h
-a Mandatory Flag, Automatic installation, otherwise do nothing than STDOUT
-h Optional Flag, help and exit
-j Optional Flag, Enable jthe journaling
-m Optional String, Network mask set in decimal format, default is $defCIDR bit
-n Optional String, Network Address, default is $defNET
-o Optional String, port, default is $defPort
-p Optional String, protocol (tcp or udp), default is $defProto 
-r Optional Flag, Re-Install application
-u Optional Flag, enforce additional user authentication through local PAM

Tools[edit]

ovpncert[edit]

Use ovpncert to create, revoke and printing OpenVPN profiles Samples:

ovpncert.pl -cn mycert -c             -> Create the OpenVPN certificate using the client name mycert
ovpncert.pl -cn mycert -c -d 30       -> Same as above but valid for 30 days
ovpncert.pl -cn mycert -p             -> Print the OpenVPN certificate to STDOUT using the client name mycert
ovpncert.pl -cn mycert -r             -> Revoke the OpenVPN certificate using the client name mycert
ovpncert.pl -l                        -> List certificates including the current online status

Arguments:

-sc     OpenVPN configuration name without the .conf extension. Default set to server0
-cn     Client configuration name without the .conf extension. Default set to client1
-c      Create a OpenVPN client certificate
-d      Valid for n days
-h      Display help
-l      List certificates
-p      Print the OpenVPN client Certificate
-r      Revoke a OpenVPN client certificate
-v      Be verbose

ovpnreport[edit]

Use ovpnreprot to see the connection history. Ovpnreport is using a sqlite database which gets the data by the tool ovpntrack.
Sample:

 ovpnreport.pl                        Print all data, max 5000 records, can be overwritten by the limit arg
 ovpnreport.pl -c                     Print current connections
 ovpnreport.pl -ip 1.2.3.4 -limit 10  Search for 1.2.3.4 and limit to max 10 records
 ovpnreport.pl -cname demo -time 5    Search for the cname demo and show connection by min. 5 minutes
 ovpnreport.pl -d 90 -v               Delete data older than 90 days, vacuum database after

Arguments:

 -c        Print current connections
 -cname    Print data which includes the given cname
 -csv      Print all data and format as CSV
 -d        Delete data older then x days
 -h        Print this help
 -ip       Print data which includes the given ip address
 -limit    Print data and limit the output by the given number
 -name     Print data which includes the given name
 -time     Print data which has a minimum connection time (minutes)
 -v        Vacuum database, valid with arg -d

ovpnreport[edit]

Ovpntrack can only be used by openvpn itself, ovpntrack is used to track vpn connection data. Use ovpnreport to view the data.
It is required to setup the OpenVPN server configuration to activate the tracking.
Sample:

script-security 2
client-connect "/etc/openvpn/scripts/ovpntrack.pl -d"
client-disconnect "/etc/openvpn/scripts/ovpntrack.pl -d"


Routing and Masquerading[edit]

Please note that your OpenVPN Client will not be able to access the internet for various reasons, in most cases the routing does not allow the traffic.
There are many ways to establish the access and here is a very simple way of how this could work.

  • Install nftables
apt-get install nftables
  • Enable the service at startup
systemctl enable nftables
  • Add a new table to nftables
nft add table ip nat
  • Add the postrouting chain to nftables
nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; policy accept; }'
  • Masq the entire traffic to eht0, please note that eth0 can vary
nft add rule ip nat postrouting oif eth0 counter masquerade comment \"Masquerade all traffic to eth0\"
  • List the new table:
nft list table ip nat
table ip nat {
       chain postrouting {
               type nat hook postrouting priority srcnat; policy accept;
               oif "eth0" counter packets 0 bytes 1 masquerade comment "Masquerade all traffic to eth0"
       }
}
  • Write back the configuration to make the change permanent
 nft list table ip nat >> /etc/nftables.conf
  • Either reboot the machine or reload to configuration to test:
systemctl restart nftables


Reference: