-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathscript.sh
More file actions
495 lines (460 loc) · 17.6 KB
/
script.sh
File metadata and controls
495 lines (460 loc) · 17.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
#!/bin/bash
#
# Nyr openvpn-install + tls-crypt-v2 (variant A) integration
# MIT License
# Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -q "dash"; then
echo "This script needs to be run with bash, not sh"
exit
fi
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit
fi
if [[ ! -e /dev/net/tun ]]; then
echo "The TUN device is not available
You need to enable TUN before running this script"
exit
fi
if [[ -e /etc/debian_version ]]; then
OS=debian
GROUPNAME=nogroup
RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release || -e /etc/almalinux-release || -e /etc/rocky-release ]]; then
OS=centos
GROUPNAME=nobody
RCLOCAL='/etc/rc.d/rc.local'
else
echo "Looks like you aren't running this installer on Debian/Ubuntu or RHEL/CentOS"
exit
fi
# [tc2] helper: which OpenVPN systemd unit to use
unit_exists() { systemctl list-unit-files | grep -q "^$1"; }
SERVICE_UNIT=""
detect_service_unit() {
if unit_exists "openvpn-server@.service"; then
SERVICE_UNIT="openvpn-server@server.service"
else
SERVICE_UNIT="openvpn@server.service"
fi
}
# [tc2] helper: detect TLS mode from server.conf
detect_tls_mode() {
if [[ -f /etc/openvpn/server/server.conf ]] && grep -q "^tls-crypt-v2 " /etc/openvpn/server/server.conf; then echo "v2"; return; fi
if [[ -f /etc/openvpn/server.conf ]] && grep -q "^tls-crypt-v2 " /etc/openvpn/server.conf; then echo "v2"; return; fi
if [[ -f /etc/openvpn/server/server.conf ]] && grep -q "^tls-crypt " /etc/openvpn/server/server.conf; then echo "v1"; return; fi
if [[ -f /etc/openvpn/server.conf ]] && grep -q "^tls-crypt " /etc/openvpn/server.conf; then echo "v1"; return; fi
if [[ -f /etc/openvpn/server/server.conf ]] && grep -q "^tls-auth " /etc/openvpn/server/server.conf; then echo "ta"; return; fi
if [[ -f /etc/openvpn/server.conf ]] && grep -q "^tls-auth " /etc/openvpn/server.conf; then echo "ta"; return; fi
echo "none"
}
# [tc2] newclient updated: builds per-client tls-crypt-v2 key or embeds tls-crypt
newclient () {
CLIENT="$1"
TLS_MODE="$(detect_tls_mode)"
# Generates the custom client ovpn
cp /etc/openvpn/client-common.txt ~/$CLIENT.ovpn
# Inline CA/cert/key
{
echo "<ca>"
cat /etc/openvpn/easy-rsa/pki/ca.crt
echo "</ca>"
echo "<cert>"
sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/easy-rsa/pki/issued/$CLIENT.crt
echo "</cert>"
echo "<key>"
cat /etc/openvpn/easy-rsa/pki/private/$CLIENT.key
echo "</key>"
} >> ~/$CLIENT.ovpn
# Inline TLS protection depending on mode
if [[ "$TLS_MODE" = "v2" ]]; then
mkdir -p /etc/openvpn/tc2-clients
if [[ ! -f /etc/openvpn/tc2-server.key ]]; then
echo "WARN: tls-crypt-v2 server key not found, fallback to v1"
TLS_MODE="v1"
fi
fi
if [[ "$TLS_MODE" = "v2" ]]; then
# per-client tls-crypt-v2 key
if [[ ! -f /etc/openvpn/tc2-clients/${CLIENT}.key ]]; then
openvpn --tls-crypt-v2 /etc/openvpn/tc2-server.key --genkey tls-crypt-v2-client /etc/openvpn/tc2-clients/${CLIENT}.key
fi
echo "<tls-crypt-v2>" >> ~/$CLIENT.ovpn
cat /etc/openvpn/tc2-clients/${CLIENT}.key >> ~/$CLIENT.ovpn
echo "</tls-crypt-v2>" >> ~/$CLIENT.ovpn
elif [[ "$TLS_MODE" = "v1" ]]; then
echo "<tls-crypt>" >> ~/$CLIENT.ovpn
cat /etc/openvpn/tc.key >> ~/$CLIENT.ovpn
echo "</tls-crypt>" >> ~/$CLIENT.ovpn
else
# legacy fallback (tls-auth)
echo "key-direction 1" >> ~/$CLIENT.ovpn
echo "<tls-auth>" >> ~/$CLIENT.ovpn
sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/ta.key >> ~/$CLIENT.ovpn
echo "</tls-auth>" >> ~/$CLIENT.ovpn
fi
}
if [[ -e /etc/openvpn/server.conf || -e /etc/openvpn/server/server.conf ]]; then
while :
do
clear
echo "Looks like OpenVPN is already installed."
echo
echo "What do you want to do?"
echo " 1) Add a new user"
echo " 2) Revoke an existing user"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -p "Select an option [1-4]: " option
case $option in
1)
echo
echo "Tell me a name for the client certificate."
echo "Please, use one word only, no special characters."
read -p "Client name: " -e CLIENT
cd /etc/openvpn/easy-rsa/
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn (with tls-crypt-v2 or tls-crypt inline)
newclient "$CLIENT"
echo
echo "Client $CLIENT added, configuration is available at:" ~/"$CLIENT.ovpn"
exit
;;
2)
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo
echo "You have no existing clients!"
exit
fi
echo
echo "Select the existing client certificate you want to revoke:"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER
else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
echo
read -p "Do you really want to revoke access for client $CLIENT? [y/N]: " -e REVOKE
if [[ "$REVOKE" = 'y' || "$REVOKE" = 'Y' ]]; then
cd /etc/openvpn/easy-rsa/
./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -f pki/reqs/$CLIENT.req
rm -f pki/private/$CLIENT.key
rm -f pki/issued/$CLIENT.crt
rm -f /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
# CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
echo
echo "Certificate for client $CLIENT revoked!"
else
echo
echo "Certificate revocation for client $CLIENT aborted!"
fi
exit
;;
3)
echo
read -p "Do you really want to remove OpenVPN? [y/N]: " -e REMOVE
if [[ "$REMOVE" = 'y' || "$REMOVE" = 'Y' ]]; then
CONF_FILE="/etc/openvpn/server.conf"
[[ -f /etc/openvpn/server/server.conf ]] && CONF_FILE="/etc/openvpn/server/server.conf"
PORT=$(grep '^port ' "$CONF_FILE" | awk '{print $2}')
PROTOCOL=$(grep '^proto ' "$CONF_FILE" | awk '{print $2}')
if pgrep firewalld; then
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | awk '{print $10}')
firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
else
IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | awk '{print $14}')
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
if iptables -L -n | grep -qE '^ACCEPT'; then
iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi
fi
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
fi
if [[ "$OS" = 'debian' ]]; then
apt-get remove --purge -y openvpn
else
yum remove openvpn -y
fi
rm -rf /etc/openvpn
rm -f /etc/sysctl.d/30-openvpn-forward.conf
echo
echo "OpenVPN removed!"
else
echo
echo "Removal aborted!"
fi
exit
;;
4) exit;;
esac
done
else
clear
echo 'Welcome to this OpenVPN "road warrior" installer (tls-crypt-v2 enhanced)!'
echo
# OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup."
echo "You can leave the default options and just press enter if you are ok with them."
echo
echo "First, provide the IPv4 address of the network interface you want OpenVPN"
echo "listening to."
# Autodetect IP address and pre-fill for the user
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
read -p "IP address: " -e -i $IP IP
# If $IP is a private IP address, the server must be behind NAT
if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then
echo
echo "This server is behind NAT. What is the public IPv4 address or hostname?"
read -p "Public IP address / hostname: " -e PUBLICIP
fi
echo
echo "Which protocol do you want for OpenVPN connections?"
echo " 1) UDP"
echo " 2) TCP (recommended for 443)"
read -p "Protocol [1-2]: " -e -i 2 PROTOCOL
case $PROTOCOL in
1) PROTOCOL=udp ;;
2) PROTOCOL=tcp ;;
esac
echo
echo "What port do you want OpenVPN listening to?"
read -p "Port: " -e -i 443 PORT
echo
echo "Which DNS do you want to use with the VPN?"
echo " 1) Current system resolvers"
echo " 2) 1.1.1.1"
echo " 3) Google"
echo " 4) OpenDNS"
echo " 5) Verisign"
read -p "DNS [1-5]: " -e -i 1 DNS
echo
echo "Finally, tell me your name for the client certificate."
echo "Please, use one word only, no special characters."
read -p "Client name: " -e -i client CLIENT
echo
echo "Okay, that was all I needed. We are ready to set up your OpenVPN server now."
read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then
apt-get update
apt-get install openvpn iptables openssl ca-certificates -y
else
yum install epel-release -y
yum install openvpn iptables openssl ca-certificates -y
fi
# Get easy-rsa
EASYRSAURL='https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz'
wget -O ~/easyrsa.tgz "$EASYRSAURL" 2>/dev/null || curl -Lo ~/easyrsa.tgz "$EASYRSAURL"
tar xzf ~/easyrsa.tgz -C ~/
mv ~/EasyRSA-3.0.5/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.5/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -f ~/easyrsa.tgz
cd /etc/openvpn/easy-rsa/
# Create the PKI, set up the CA and the server and client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass
EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
# CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
# [tc2] Create DH and TLS protection keys
# DH (ffdhe2048 predefined group)
echo '-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----' > /etc/openvpn/dh.pem
# [tc2] Try tls-crypt-v2 first, fallback to tls-crypt
TLS_MODE="v2"
if ! openvpn --help 2>&1 | grep -q "tls-crypt-v2"; then
TLS_MODE="v1"
fi
if [[ "$TLS_MODE" = "v2" ]]; then
openvpn --genkey tls-crypt-v2-server /etc/openvpn/tc2-server.key
else
openvpn --genkey --secret /etc/openvpn/tc.key
fi
# Generate server.conf (absolute paths for both unit styles)
mkdir -p /etc/openvpn/server
CONF_BODY="port $PORT
proto $PROTOCOL
dev tun
sndbuf 0
rcvbuf 0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
auth SHA256
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
; modern cipher negotiation (removes --cipher warning)
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
"
if [[ "$TLS_MODE" = "v2" ]]; then
CONF_TLS="tls-crypt-v2 /etc/openvpn/tc2-server.key"
else
CONF_TLS="tls-crypt /etc/openvpn/tc.key"
fi
echo "$CONF_BODY$CONF_TLS" > /etc/openvpn/server.conf
echo "$CONF_BODY$CONF_TLS" > /etc/openvpn/server/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf
# DNS
case $DNS in
1)
if grep -q "127.0.0.53" "/etc/resolv.conf"; then
RESOLVCONF='/run/systemd/resolve/resolv.conf'
else
RESOLVCONF='/etc/resolv.conf'
fi
grep -v '#' $RESOLVCONF | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server/server.conf
done
;;
2)
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
;;
3)
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
;;
4)
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf
;;
5)
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server/server.conf
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server/server.conf
;;
esac
echo "keepalive 10 120
cipher AES-256-CBC
user nobody
group $GROUPNAME
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
crl-verify /etc/openvpn/crl.pem" >> /etc/openvpn/server.conf
echo "keepalive 10 120
cipher AES-256-CBC
user nobody
group $GROUPNAME
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
crl-verify /etc/openvpn/crl.pem" >> /etc/openvpn/server/server.conf
# Enable net.ipv4.ip_forward for the system
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/30-openvpn-forward.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
# Firewall / NAT
if pgrep firewalld; then
firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
else
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
echo '#!/bin/sh -e
exit 0' > $RCLOCAL
fi
chmod +x $RCLOCAL
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
fi
fi
# SELinux port label if needed
if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$PORT" != '1194' ]]; then
if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y || yum install policycoreutils-python-utils -y
fi
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
fi
# Finally, restart OpenVPN (support both unit types)
detect_service_unit
systemctl daemon-reload || true
systemctl restart "$SERVICE_UNIT" || {
echo "Failed to start $SERVICE_UNIT, trying legacy unit..."
systemctl restart openvpn@server.service || exit 1
}
systemctl enable "$SERVICE_UNIT" 2>/dev/null || systemctl enable openvpn@server.service 2>/dev/null
# If the server is behind a NAT, use the correct IP address
if [[ "$PUBLICIP" != "" ]]; then
IP=$PUBLICIP
fi
# client-common.txt template (modern ciphers; no key-direction)
cat > /etc/openvpn/client-common.txt <<EOF
client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
cipher AES-256-CBC
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC
data-ciphers-fallback AES-256-CBC
setenv opt block-outside-dns
verb 3
EOF
# Generates the custom client.ovpn (with <tls-crypt-v2> or <tls-crypt>)
newclient "$CLIENT"
echo
echo "Finished!"
echo
echo "Your client configuration is available at:" ~/"$CLIENT.ovpn"
echo "If you want to add more clients, you simply need to run this script again!"
fi