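#cloud-config
# Provisions a single-host OpenVPN server (easy-rsa 2.x PKI, UDP/1194, tun)
# and leaves a ready-to-import client profile in /root/client.ovpn.
# Assumes the packaged sample server.conf (server subnet 10.8.0.0/24) and a
# metadata service at 169.254.169.254 that returns the public IPv4 address.
apt_update: true
packages:
- openvpn
- easy-rsa
- curl
# cloud-init runs the runcmd entries as one shell script, so IPADDR and the
# sourced easy-rsa ./vars persist across the lines below.
runcmd:
# Public IPv4 from the instance metadata service. -f turns an HTTP error into
# an empty result (instead of an error body ending up in client.ovpn) and
# --max-time keeps a missing metadata service from hanging provisioning.
- IPADDR=$(curl -fsS --max-time 10 http://169.254.169.254/metadata/v1/interfaces/public/0/ipv4/address)
- '[ -n "$IPADDR" ] || echo "WARNING: metadata lookup failed; remote in client.ovpn will be empty" >&2'
# Server config: start from the packaged sample and enable the needed options.
# Use "sed -i", not "sed -ie": GNU sed reads "-ie" as -i with backup suffix
# "e", which leaves stray copies such as server.confe next to every edited file.
- gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
- sed -i 's/dh dh1024.pem/dh dh2048.pem/' /etc/openvpn/server.conf
# Route all client traffic through the VPN and push DNS resolvers (OpenDNS).
- sed -i 's/;push "redirect-gateway def1 bypass-dhcp"/push "redirect-gateway def1 bypass-dhcp"/' /etc/openvpn/server.conf
- sed -i 's/;push "dhcp-option DNS 208.67.222.222"/push "dhcp-option DNS 208.67.222.222"/' /etc/openvpn/server.conf
- sed -i 's/;push "dhcp-option DNS 208.67.220.220"/push "dhcp-option DNS 208.67.220.220"/' /etc/openvpn/server.conf
# Drop privileges after startup.
- sed -i 's/;user nobody/user nobody/' /etc/openvpn/server.conf
- sed -i 's/;group nogroup/group nogroup/' /etc/openvpn/server.conf
# IP forwarding: enable now and persist across reboots.
- echo 1 > /proc/sys/net/ipv4/ip_forward
- sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
# Firewall: keep SSH reachable before enabling ufw, then open the VPN port.
- ufw allow ssh
- ufw allow 1194/udp
# NOTE: this accepts forwarding for all traffic through the host, not only
# tun0 -> eth0; a narrower per-interface forward rule would be preferable.
- sed -i 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/' /etc/default/ufw
# NAT the VPN subnet out of the public interface. The source mask is /24 to
# match the sample server.conf "server 10.8.0.0 255.255.255.0"; a /8 here
# would masquerade every 10.x.x.x source, not just VPN clients.
# eth0 is assumed to be the public interface; adjust if it differs.
- sed -i "1i# START OPENVPN RULES\n# NAT table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n# Allow traffic from OpenVPN client to eth0\n\n-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE\nCOMMIT\n# END OPENVPN RULES\n" /etc/ufw/before.rules
- ufw --force enable
# PKI: private copy of easy-rsa under /etc/openvpn.
- cp -r /usr/share/easy-rsa/ /etc/openvpn
- mkdir /etc/openvpn/easy-rsa/keys
- sed -i 's/KEY_NAME="EasyRSA"/KEY_NAME="server"/' /etc/openvpn/easy-rsa/vars
# 2048-bit DH parameters; this step can take several minutes.
- openssl dhparam -out /etc/openvpn/dh2048.pem 2048
- cd /etc/openvpn/easy-rsa && . ./vars
# Optionally set identity information for certificates:
# - export KEY_COUNTRY="<%COUNTRY%>" # 2-char country code
# - export KEY_PROVINCE="<%PROVINCE%>" # 2-char state/province code
# - export KEY_CITY="<%CITY%>" # City name
# - export KEY_ORG="<%ORG%>" # Org/company name
# - export KEY_EMAIL="<%EMAIL%>" # Email address
# - export KEY_OU="<%ORG_UNIT%>" # Organizational unit / department
# Build the CA and the server certificate non-interactively.
- cd /etc/openvpn/easy-rsa && ./clean-all
- cd /etc/openvpn/easy-rsa && ./build-ca --batch
- cd /etc/openvpn/easy-rsa && ./build-key-server --batch server
- cp /etc/openvpn/easy-rsa/keys/server.crt /etc/openvpn
- cp /etc/openvpn/easy-rsa/keys/server.key /etc/openvpn
- cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn
- service openvpn start
# Client profile: one client certificate, inlined into a single .ovpn file.
- cd /etc/openvpn/easy-rsa && ./build-key --batch client1
- cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
- sed -i "s/my-server-1/$IPADDR/" /etc/openvpn/easy-rsa/keys/client.ovpn
- sed -i 's/;user nobody/user nobody/' /etc/openvpn/easy-rsa/keys/client.ovpn
- sed -i 's/;group nogroup/group nogroup/' /etc/openvpn/easy-rsa/keys/client.ovpn
# Replace the file references with inline <ca>/<cert>/<key> blocks.
- sed -i 's/ca ca.crt//' /etc/openvpn/easy-rsa/keys/client.ovpn
- sed -i 's/cert client.crt//' /etc/openvpn/easy-rsa/keys/client.ovpn
- sed -i 's/key client.key//' /etc/openvpn/easy-rsa/keys/client.ovpn
- echo "<ca>" >> /etc/openvpn/easy-rsa/keys/client.ovpn
- cat /etc/openvpn/ca.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
- echo "</ca>" >> /etc/openvpn/easy-rsa/keys/client.ovpn
- echo "<cert>" >> /etc/openvpn/easy-rsa/keys/client.ovpn
- cat /etc/openvpn/easy-rsa/keys/client1.crt >> /etc/openvpn/easy-rsa/keys/client.ovpn
- echo "</cert>" >> /etc/openvpn/easy-rsa/keys/client.ovpn
- echo "<key>" >> /etc/openvpn/easy-rsa/keys/client.ovpn
- cat /etc/openvpn/easy-rsa/keys/client1.key >> /etc/openvpn/easy-rsa/keys/client.ovpn
- echo "</key>" >> /etc/openvpn/easy-rsa/keys/client.ovpn
# client.ovpn embeds the client private key: fetch it over a protected
# channel and remove these copies from the server once the client has it.
- cp /etc/openvpn/easy-rsa/keys/client.ovpn /root/
- cp /etc/openvpn/easy-rsa/keys/client1.crt /root/
- cp /etc/openvpn/easy-rsa/keys/client1.key /root/
- cp /etc/openvpn/easy-rsa/keys/ca.crt /root/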