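#!/bin/bash
##########################################################################################
# Build and configure openvpn-2.2.2 on a CentOS 6/7 host.
#
# Interactive: asks for the uplink network device and the LAN segment that is
# pushed to clients, then drives easy-rsa's certificate prompts. Must run as
# root (yum, iptables, writes under /usr/local and /etc).
# NOTE(review): openvpn 2.2.x is long unsupported upstream, and the sources are
# pulled from an unofficial mirror in step 2 -- pin their checksums there.
##########################################################################################
# Major CentOS release number (6 or 7); empty when it cannot be read.
Vers=$(grep -oP '(?<=release )\d' /etc/centos-release 2>/dev/null)
read -r -t 60 -p "Input system's net device(eth0|ens33|eno1677776...): " Ncard
read -r -p "Please input server's network segment: (192.168.1.0?) " RoutE
Vpn="/opt"              # where sources are downloaded and unpacked
DnS="8.8.8.8"           # DNS server pushed to clients
Checkps="checkpsw.sh"   # user/password verify script expected in $Vpn

#######--status line helpers--#############
# Console width, used to right-align the [ OK ]/[ failure ] tag.
Screen=$(stty -F /dev/console size 2>/dev/null)
Lenth_T=${Screen#* }
# BUG FIX: the original test was '! -z', which replaced a *valid* width with 80
# and left an empty one alone (yielding a negative padding below). Fall back to
# 80 when the width is missing, non-numeric or too small for the tag.
case "$Lenth_T" in
  ''|*[!0-9]*) Lenth_T=80 ;;
esac
[ "$Lenth_T" -gt 14 ] || Lenth_T=80
Lenth_1=$((Lenth_T - 14))   # column where the status tag starts
R="\033[31m"   # red
G="\033[32m"   # green
Y="\033[33m"   # yellow
B="\033[34m"   # blue
P="\033[35m"   # purple
N="\033[0m"    # reset

# Print "$1" padded to the tag column, then "[ $2 ]" with $2 in color $3.
# Messages longer than the column get no padding, as in the original.
_status_line() {
  local msg=$1 tag=$2 color=$3
  local pad=$((Lenth_1 - ${#msg}))
  printf '%s' "$msg"
  [ "$pad" -gt 0 ] && printf '%*s' "$pad" ''
  echo -e "[ ${color}${tag}${N} ]"
}
success() { _status_line "$1" "OK" "$G"; }
failure() { _status_line "$1" "failure" "$R"; }
warning() { _status_line "$1" "warning" "$Y"; }
#######--status line helpers--#############
#
#############start to install openvpn-2.2.2##############
#
##1. set iptables:
#
###1.1. check out the net card.
# Fail early on bad input: an empty device (the prompt timed out) or a segment
# that is not a dotted quad would otherwise break the sed edits of server.conf
# in step 5.
if [ -z "$Ncard" ]; then
  failure "No network device given."
  exit 110
fi
if [[ ! $RoutE =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  failure "'$RoutE' is not a network address like 192.168.1.0,check it."
  exit 110
fi
command -v ifconfig &> /dev/null || yum install -y net-tools
# The second ifconfig line is laid out differently by the net-tools of 6 and 7,
# hence the different awk field.
case "$Vers" in
  6) Ip=$(ifconfig "$Ncard" 2> /dev/null | sed -n '2p' | awk -F '[: ]+' '{print $4}') ;;
  7) Ip=$(ifconfig "$Ncard" 2> /dev/null | sed -n '2p' | awk -F '[: ]+' '{print $3}') ;;
  *) warning "Unsupported or unknown CentOS release '${Vers}' (need 6 or 7),check it."
     exit 110 ;;
esac
if [ -n "$Ip" ] && ping -c1 -W1 "$Ip" &> /dev/null; then
  success "The $Ncard running."
else
  failure "The $Ncard is not running or $Ip is not right.check it."
  exit 1
fi
###1.2.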
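###1.2. config firewall
# NAT the VPN subnet (172.20.0.0/24, set in server.conf in step 5) out of $Ncard.
# MASQUERADE already rewrites the source, so the SNAT rule only sees packets it
# did not match; both rules are kept as in the original.
# NOTE(review): the rules are never saved (no 'service iptables save'), so they
# do not survive a reboot.
case "$Vers" in
  6) ;;
  7) rpm -q iptables-services &> /dev/null || yum install -y iptables-services ;;
  *) warning "your system is too old,please update it."
     exit 12 ;;
esac
iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.20.0.0/24 -o "$Ncard" -j SNAT --to-source "$Ip"
#[ -f /usr/libexec/iptables/iptables.init ] && /usr/libexec/iptables/iptables.init restart

##2. Install environment
# Install only the build dependencies rpm reports as missing.
rpm -q gcc wget gcc-c++ unzip openssl openssl-devel | \
  grep -oP '(?<=package )\S+' | \
  xargs -r yum install -y
[ -d "$Vpn" ] || mkdir -p "$Vpn"

# Compare the sha256 of file $1 with digest $2. An empty $2 skips the check
# with a warning so an unpinned run still works; a mismatch returns 1.
verify_sha256() {
  local file=$1 expect=$2 actual
  if [ -z "$expect" ]; then
    warning "No checksum pinned for ${file##*/}; archive NOT verified."
    return 0
  fi
  actual=$(sha256sum -- "$file" | awk '{print $1}')
  if [ "$actual" = "$expect" ]; then
    success "Checksum of ${file##*/} verified."
    return 0
  fi
  failure "Checksum mismatch for ${file##*/}: got $actual"
  return 1
}
# Expected digests (placeholders: empty here). Export them before running to
# turn the integrity check on; obtain the values from a trusted source.
OPENVPN_TGZ_SHA256=${OPENVPN_TGZ_SHA256:-}
LZO_TGZ_SHA256=${LZO_TGZ_SHA256:-}

# openvpn.tgz is served by an unofficial mirror, not the openvpn project.
# BUG FIX: the original ignored download/extract failures and carried on.
( cd "$Vpn" && \
  wget https://9133w.cn/sources/openvpn.tgz && \
  verify_sha256 openvpn.tgz "$OPENVPN_TGZ_SHA256" && \
  tar xf openvpn.tgz && \
  rm -f openvpn.tgz ) || { failure "Fetching openvpn sources failed."; exit 2; }

##3. install lzo
cd "$Vpn" || exit 3
if [ ! -f lzo-2.06.tgz ]; then
  # plain-http download: only the pinned digest can detect tampering in transit
  wget -T 60 -t 100 http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz -O lzo-2.06.tgz || exit 3
fi
verify_sha256 lzo-2.06.tgz "$LZO_TGZ_SHA256" || exit 3
if [ ! -d /usr/local/lzo-2.06 ]; then
  tar xf lzo-2.06.tgz -C /usr/local/ || exit 4
fi
cd /usr/local/lzo-2.06 || exit 4
if ./configure --prefix=/usr/local/lzo && make -j4 && make -j4 install; then
  success "lzo install success."
else
  failure "lzo install failure,check it."
  exit 3
fi

##4. install openvpn
if [ ! -d "$Vpn" ]; then
  failure "There is no such dir."
  exit 3
fi
cd "$Vpn" || exit 3
if [ ! -f openvpn-2.2.2.tar.gz ]; then
  failure "There is no openvpn packages in this directory."
  exit 2
fi
tar xf openvpn-2.2.2.tar.gz || exit 4
cd openvpn-2.2.2 || exit 4
if ./configure --prefix=/usr/local/openvpn \
    --with-lzo-headers=/usr/local/lzo/include \
    --with-lzo-lib=/usr/local/lzo/lib && make -j4 && make -j4 install; then
  success "Install openvpn-2.2.2 success."
else
  failure "Install openvpn-2.2.2 failure,check the configures."
  exit 4
fi
sleep 1
##5. config openvpn
#
###5.1.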
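##5. config openvpn
#
###5.1. build ca certificate to authenticate
cd "$Vpn/openvpn-2.2.2/easy-rsa/2.0" || { failure "easy-rsa 2.0 not found under $Vpn."; exit 5; }
# Pre-fill the certificate subject in easy-rsa's vars so the interactive
# build-* steps only need confirming. KEY_SIZE is left at easy-rsa's default;
# the server.conf edit below expects the resulting dh1024.pem, so change both
# together if a larger DH parameter is wanted.
sed -i 's/KEY_COUNTRY=.*/KEY_COUNTRY="CN"/g' ./vars
sed -i 's/KEY_PROVINCE=.*/KEY_PROVINCE="Zhejiang"/g' ./vars
sed -i 's/KEY_CITY=.*/KEY_CITY="Hangzhou"/g' ./vars
sed -i 's/KEY_ORG=.*/KEY_ORG="Tech"/g' ./vars
sed -i 's/KEY_EMAIL=\".*/KEY_EMAIL="root@localhost"/g' ./vars
# sed -i 's/KEY_EMAIL=[a-z]*.*/KEY_EMAIL=187298092@qq.com/g' ./vars
sed -i 's/KEY_CN=.*/KEY_CN=sanshi/g' ./vars
sed -i 's/KEY_NAME=.*/KEY_NAME=sanshi/g' ./vars
sed -i 's/KEY_OU=.*/KEY_OU=sanshi/g' ./vars
sed -i 's/PKCS11_MODULE_PATH=.*/PKCS11_MODULE_PATH=sanshi/g' ./vars
source ./vars
./clean-all
sleep 2
warning "The next step will let you to input your CA certificate's information!"
echo -e "\t ${P}be careful to write through!${N}"
sleep 2
# Stop at the first failed step instead of installing half a PKI.
./build-ca && ./build-dh && ./build-key-server server && ./build-key client \
  || { failure "Building the CA/server/client certificates failed."; exit 5; }
# /usr/local/openvpn/sbin/openvpn --genkey --secret keys/ta.key #prevent DDOS,UDP...destroy
sleep 2
# Install the key material. Copying keys/. (not keys) keeps a re-run from
# nesting a keys/keys directory. ca.key is dropped from the copy: the server
# never reads it, and the CA private key should not sit next to the running
# service (it stays in easy-rsa's keys/ for the revoke steps noted at the end
# of this file).
mkdir -p /usr/local/openvpn/keys
cp -rp keys/. /usr/local/openvpn/keys/ || exit 5
rm -f /usr/local/openvpn/keys/ca.key
chmod 600 /usr/local/openvpn/keys/*.key 2>/dev/null

###5.2.1. copy and config the conf file
mkdir -p /usr/local/openvpn/etc
cp "$Vpn/openvpn-2.2.2/sample-config-files/server.conf" /usr/local/openvpn/etc/ || exit 5
cd /usr/local/openvpn/etc/ || exit 5
# Vers is 6 or 7 at this point (step 1 exits otherwise) and both releases got
# the identical edits, so the two copies of this block are merged into one.
# '|' is the sed delimiter wherever the replacement holds a path or a value
# supplied at the prompt.
sed -i "s|^;local.*|local $Ip|" server.conf
sed -i 's/^port 1194/port 32394/' server.conf
sed -i 's/^;proto tcp/proto tcp/' server.conf
sed -i 's/^proto udp/;proto udp/' server.conf
sed -i 's|^ca ca.crt|ca /usr/local/openvpn/keys/ca.crt|' server.conf
sed -i 's|^cert server.crt|cert /usr/local/openvpn/keys/server.crt|' server.conf
sed -i 's|^key server.key|key /usr/local/openvpn/keys/server.key|' server.conf
sed -i 's|^dh dh1024.pem|dh /usr/local/openvpn/keys/dh1024.pem|' server.conf
sed -i "s|^;push \"dhcp-option DNS 208.67.222.222\"|push \"dhcp-option DNS $DnS\"|" server.conf
sed -i "s|^;push \"route 192.168.10.0 255.255.255.0\"|push \"route $RoutE 255.255.255.0\"|" server.conf
sed -i 's|^;log[[:space:]]\+openvpn.log|log /data/openvpn/openvpn.log|' server.conf
# The original never created the log directory, so openvpn could not open the
# log file configured above.
mkdir -p /data/openvpn
# echo "tls-auth /usr/local/openvpn/keys/ta.key 0" >> server.conf #ending:server is 0;client is 1
# echo 'push "redirect-gateway"' >> server.conf # full tunnel: route all client traffic via the VPN
sleep 1
sed -i 's/^server 10.*/server 172.20.0.0 255.255.255.0/' server.conf
###5.2.2.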
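###5.2.2. compile the user and password check script
if [[ -f "$Vpn/$Checkps" ]]; then
  chmod +x "$Vpn/$Checkps"
else
  # BUG FIX: the message named checkps.sh while the variable is checkpsw.sh,
  # and the terminal color was never reset.
  echo -e "\t${R}need $Checkps scripts.${N}"
  exit 5
fi
# Credentials file, presumably read by $Checkps; same "admin <password>" line
# the original wrote, but the password is no longer hard-coded in the script.
# VPN_ADMIN_PASS in the environment skips the prompt for unattended runs.
admin_pass=${VPN_ADMIN_PASS:-}
while [ -z "$admin_pass" ]; do
  read -r -s -p "Password for VPN user 'admin': " admin_pass
  echo
done
# umask 077 so the file is never world-readable, not even before the chmod.
( umask 077; printf 'admin %s\n' "$admin_pass" > /usr/local/openvpn/etc/users )
unset admin_pass
chmod 400 /usr/local/openvpn/etc/users
chown nobody:nobody /usr/local/openvpn/etc/users
sleep 1
#
###5.2.3. config the server.conf again for authentication
# via-env hands the client's username/password to $Checkps through its
# environment (hence script-security 3); with client-cert-not-required the
# users file above is the only thing authenticating a client.
cat >> /usr/local/openvpn/etc/server.conf << EOF
auth-user-pass-verify $Vpn/$Checkps via-env
client-cert-not-required
username-as-common-name
script-security 3 execve
EOF

###5.3. set route forwarding
grep -q "net.ipv4.ip_forward" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sed -i 's/^net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p &> /dev/null

###5.4. start openvpn service
cp "$Vpn/openvpn-2.2.2/sample-scripts/openvpn.init" /etc/rc.d/init.d/openvpn || exit 6
sed -i 's@openvpn_locations=.*@openvpn_locations="/usr/sbin/openvpn /usr/local/sbin/openvpn /usr/local/openvpn/sbin/openvpn"@' /etc/rc.d/init.d/openvpn
sed -i 's@^work=.*@work=/usr/local/openvpn/etc@' /etc/rc.d/init.d/openvpn
chmod +x /etc/rc.d/init.d/openvpn
chkconfig --add openvpn
chkconfig openvpn on
service openvpn start
sleep 1
# Anchor on the configured port: the original 'grep 2394' also matched
# unrelated listeners such as :12394.
if ss -tanl | grep -q ':32394[[:space:]]'; then
  success "openvpn running. "
else
  failure "openvpn stopped."
fi
sleep 1
##6. Be ready to make client's needs
#
###6.1.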
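###6.1. copy and config all needs to a directory:clients
mkdir -p /root/clients/{certs,confs}
cp /usr/local/openvpn/keys/ca.crt /root/clients/certs || exit 7
# cp /usr/local/openvpn/keys/ta.key /root/clients/certs
client_conf=/root/clients/confs/client.conf
cp "$Vpn/openvpn-2.2.2/sample-config-files/client.conf" "$client_conf" || exit 7
sed -i 's/^;proto.*/proto tcp/' "$client_conf"
sed -i 's/^proto udp/;proto udp/' "$client_conf"
# client cert/key lines are disabled: the server runs client-cert-not-required
sed -i 's/^cert\(.*\)/;cert\1/' "$client_conf"
sed -i 's/^key\(.*\)/;key\1/' "$client_conf"
# echo tls-auth keys/ta.key 1
# TODO(review): the here-document the original appended to client.conf here
# (server address/port, auth-user-pass, ...) is missing from this copy of the
# script and was not reconstructed; add it back before handing the client
# files out. The 'command -v zip' test that presumably preceded the yum
# fallback is restored below.
command -v zip &> /dev/null || yum install -y zip
# -r: recurse; -m: move (delete the source dir once zipped); -9: best compression
if zip -rm -9 /root/clients.zip /root/clients; then
  success "client's files have zipped as 'clients.zip'"
else
  failure "zipping /root/clients failed."
fi
sleep 2
success "INSTALL OPENVPN-2.2.2 FINISH!"
##########################revoke the certificate########################
#cd $Vpn/openvpn-2.2.2/easy-rsa/
#./revoke-full client1 #revoke client1'certificate
#grep "R" keys/index.txt #if revoked the certificate,There is a mark in front of it
#cp keys/crl.pem /usr/local/openvpn/etc/keys
##########################################crl.pem will list the revoked certificates
#cat >> /usr/local/openvpn/etc/server.conf << EOF
#crl-verify /usr/local/openvpn/etc/keys/crl.pem
#EOF
#service openvpn restart
#########################################################################
# windows!!!!: route add 10.0.0.0 mask 255.0.0.0 172.16.0.1 -p
# For an openvpn cluster keep the same four files -- server.crt ca.crt
# server.key dh1024.pem -- on every node: copy them from the first server's
# keys dir.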