找回密码
 立即注册
搜索
查看: 281|回复: 0

shadowsocks-all.sh

[复制链接]

986

主题

92

回帖

5万

积分

管理员

积分
55255
发表于 2022-6-22 15:40:40 | 显示全部楼层 |阅读模式

( R: C& g  _8 j# I6 c! Y. g+ c- j
  1. #!/bin/bash
    % c; B3 [* ?7 T+ V6 ?8 H
  2. #
      A8 `! d7 [+ Q! t
  3. # https://github.com/Nyr/openvpn-install
    7 o5 e1 H5 N1 n" h2 J3 D9 e2 A5 L
  4. #
    / l7 O; d9 w. I9 ~) B$ y
  5. # Copyright (c) 2013 Nyr. Released under the MIT License.
    ' ^, y) P+ l. V! A5 Y; b% v) w$ g
  6. 6 ?9 K1 ]6 p5 ^8 D# o# g

  7. # F. o  s+ B! J" V" a
  8. # Detect Debian users running the script with "sh" instead of bash
    ( J/ z" J3 N  a( U" \! G
  9. if readlink /proc/$$/exe | grep -q "dash"; then
    - r' U3 F. l" ^1 p' e& v' r) I
  10.         echo 'This installer needs to be run with "bash", not "sh".'
    & ^* o% f% S! L; S5 w
  11.         exit1 V# d# Z: {1 m0 b
  12. fi
    / f. g9 i2 M* ~1 U0 n7 ~. p

  13. & d! R0 K7 n3 K0 F; V1 Z
  14. # Discard stdin. Needed when running from an one-liner which includes a newline% f% `4 ], t0 H# H  s# C6 ~
  15. read -N 999999 -t 0.001
    ; P3 e. @$ Q. `. D6 U
  16. 6 f5 q( Y- L8 Z: O" w
  17. # Detect OpenVZ 69 Z0 k9 J  H  _# |: w6 Y1 d
  18. if [[ $(uname -r | cut -d "." -f 1) -eq 2 ]]; then
    3 ]: A( X* K' L  d* I& V; v! m" m7 Y/ I
  19.         echo "The system is running an old kernel, which is incompatible with this installer."3 P5 A/ K1 v& F8 @
  20.         exit
    : ~2 y! r+ Y. W
  21. fi5 E) W3 p* W& w6 H! s1 y1 C8 P
  22. 2 t+ u6 n3 l8 _5 ?
  23. # Detect OS; }- i- A0 U( ?% q
  24. # $os_version variables aren't always in use, but are kept here for convenience
    * ]+ ~/ D1 S( ]* [& k- ]
  25. if grep -qs "ubuntu" /etc/os-release; then
    3 _. N! e: @0 f8 h
  26.         os="ubuntu"
    # T. ]9 G- z! K0 N# v: F
  27.         os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2 | tr -d '.')
    ; g6 c( c, ?1 A# T7 m" \8 d
  28.         group_name="nogroup"* @9 q7 C. k' |% V6 ~
  29. elif [[ -e /etc/debian_version ]]; then
    + P4 r& t; s( J* Z9 w7 G1 F
  30.         os="debian") X* Z# J& r, B7 o! x  E# ^
  31.         os_version=$(grep -oE '[0-9]+' /etc/debian_version | head -1)
    & x& I/ d( {' f; e( F  b1 ~0 S
  32.         group_name="nogroup"# g- y( L* e" x9 {! a, R
  33. elif [[ -e /etc/almalinux-release || -e /etc/rocky-release || -e /etc/centos-release ]]; then6 t$ w5 d; c, r8 S9 x  L
  34.         os="centos") w( B" @0 I4 g4 z& a6 S  ~! `
  35.         os_version=$(grep -shoE '[0-9]+' /etc/almalinux-release /etc/rocky-release /etc/centos-release | head -1)
    ; V! u7 l( D) F" V
  36.         group_name="nobody"
    0 i9 z' H( }; L9 _, Z% a
  37. elif [[ -e /etc/fedora-release ]]; then
    # H3 H0 Z4 H9 I0 x* y8 e
  38.         os="fedora"; ~8 b: s; T' B3 z7 {% b- q% u. D4 R- _
  39.         os_version=$(grep -oE '[0-9]+' /etc/fedora-release | head -1)" m2 J* u) m. f1 h! B0 H
  40.         group_name="nobody". c% s/ n: l8 ]. b/ A+ b! Y
  41. else, C4 `/ G4 v5 F! v
  42.         echo "This installer seems to be running on an unsupported distribution.
    " Y, n) Z! p3 t/ E
  43. Supported distros are Ubuntu, Debian, AlmaLinux, Rocky Linux, CentOS and Fedora.": N1 ?( y, L+ @* R0 k$ L8 k# n
  44.         exit* L" B! G& X$ d/ m
  45. fi; q2 q9 W: K+ [" M; m; H

  46. . X  U0 S. ~- \  N8 ~) `5 G& _' x: v
  47. if [[ "$os" == "ubuntu" && "$os_version" -lt 1804 ]]; then
    - Y0 f  t% a* ^9 I# h1 S
  48.         echo "Ubuntu 18.04 or higher is required to use this installer.
    , a% ?- J6 r! ]$ R
  49. This version of Ubuntu is too old and unsupported."
    + T* |" z  _, A+ b5 m( n
  50.         exit
    8 H5 }5 o* t) n$ ?) }" E
  51. fi* L* B' b+ A) [8 |
  52. / s) M# [6 c. {) N
  53. if [[ "$os" == "debian" && "$os_version" -lt 9 ]]; then
    / U0 Y, M& }5 y
  54.         echo "Debian 9 or higher is required to use this installer.7 g' {& U, R+ T  z" [( m% J
  55. This version of Debian is too old and unsupported."0 A+ \. q+ u, {' }5 o- ?4 N
  56.         exit
    " @8 I" c( m8 C
  57. fi
    # ?4 ~6 L# c- {  W

  58. 3 B( C1 Z, w# k8 X$ O
  59. if [[ "$os" == "centos" && "$os_version" -lt 7 ]]; then4 m/ n2 x* i6 T- k/ Q) e" V
  60.         echo "CentOS 7 or higher is required to use this installer.; `  U# I' _( j4 d8 C* W7 V
  61. This version of CentOS is too old and unsupported."
    . x9 F8 n1 ^5 Q7 H
  62.         exit
    / |( P9 z# _+ t6 ?
  63. fi
    4 Z9 z9 Q6 N" j4 w0 x9 V

  64. : V; u' B' P- z8 x# P
  65. # Detect environments where $PATH does not include the sbin directories
    4 z1 T. w" l1 s9 H3 M# P& Q
  66. if ! grep -q sbin <<< "$PATH"; then
    ! ~( ^" P- |) E4 c
  67.         echo '$PATH does not include sbin. Try using "su -" instead of "su".'
      b7 W; Y3 v# C9 a; F/ W8 x+ l
  68.         exit
    . e) C# |* B. |2 Z
  69. fi$ C/ m; p) T; A* N0 g$ i
  70. 7 T, A1 v6 ?/ ^2 R8 z
  71. if [[ "$EUID" -ne 0 ]]; then
    / E# w# e( p: W# e
  72.         echo "This installer needs to be run with superuser privileges."# o% T$ X3 q5 F; R2 n  k1 J( P) J4 m
  73.         exit$ b6 f7 L% g3 {/ A+ C
  74. fi* m# D; k' I6 m& N
  75. 5 c, f* q# |. g& T# j; [, a
  76. if [[ ! -e /dev/net/tun ]] || ! ( exec 7<>/dev/net/tun ) 2>/dev/null; then* y- l6 z$ E% s7 C/ R/ Z. a
  77.         echo "The system does not have the TUN device available.- W" n3 p5 Q/ T
  78. TUN needs to be enabled before running this installer."
    / T6 Z  x: z1 x
  79.         exit
    - t6 l7 _+ y: ]& Z3 @2 a; V
  80. fi# b( c7 {+ b% W- L8 F6 P

  81. 0 N0 f6 r  s) ~9 G: D. j* G
  82. new_client () {
    2 U8 J, a1 r" t4 G* N; E/ f
  83.         # Generates the custom client.ovpn
    . z8 x9 `( n) ]6 A
  84.         {
    ) m4 P4 V; N3 u/ G$ z. H' X
  85.         cat /etc/openvpn/server/client-common.txt4 }& P: s# x( o3 f1 S  Q1 G2 l
  86.         echo "<ca>"
    " R: F+ f, _& }1 F7 P. J
  87.         cat /etc/openvpn/server/easy-rsa/pki/ca.crt. K% Q1 E7 r: r8 c/ U
  88.         echo "</ca>"' Z" t. w4 Z1 Y4 a3 N) `; B
  89.         echo "<cert>"4 q! |5 y! \# A
  90.         sed -ne '/BEGIN CERTIFICATE/,$ p' /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt
    2 q6 M8 I8 v3 U5 a' Q/ h
  91.         echo "</cert>"
    . H  I% p9 g% L8 n: `, L
  92.         echo "<key>"* _% D" Q3 w+ _; ]
  93.         cat /etc/openvpn/server/easy-rsa/pki/private/"$client".key4 G- P2 T6 [, K6 E+ A$ f2 x& W
  94.         echo "</key>"8 r: r! b2 w! S3 ~
  95.         echo "<tls-crypt>"( _9 p8 k3 V* _& ]# o  M
  96.         sed -ne '/BEGIN OpenVPN Static key/,$ p' /etc/openvpn/server/tc.key$ p" _1 ]5 V3 v8 Q* R
  97.         echo "</tls-crypt>"
    ( O) I1 A! `( k4 \2 K; m/ ]! j
  98.         } > ~/"$client".ovpn1 f) D7 u  e3 W- T, F- J: b
  99. }5 [- P' b7 ]& c- p5 v7 I4 M5 m

  100. 9 ]( s2 L% \, r$ y
  101. if [[ ! -e /etc/openvpn/server/server.conf ]]; then- I+ {+ \3 R; l9 F5 d- q, i  D
  102.         # Detect some Debian minimal setups where neither wget nor curl are installed: N  l* |, l6 P, @
  103.         if ! hash wget 2>/dev/null && ! hash curl 2>/dev/null; then
    + J1 Q, N4 X- a* D0 d4 x  I
  104.                 echo "Wget is required to use this installer."
    ; S8 k7 F' {/ w
  105.                 read -n1 -r -p "Press any key to install Wget and continue..."
    $ d) ^& q7 a6 i
  106.                 apt-get update
    , e$ ]  e7 O7 |
  107.                 apt-get install -y wget8 t$ V  F& j* o8 P( B+ T! C  K
  108.         fi
    # b: o$ M( W8 V& t5 R
  109.         clear
    - C6 N- j5 P7 m, D
  110.         echo 'Welcome to this OpenVPN road warrior installer!'. @8 T! t' G/ E# c
  111.         # If system has a single IPv4, it is selected automatically. Else, ask the user  ?0 U4 ]: U9 A# c% ~! t+ `
  112.         if [[ $(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}') -eq 1 ]]; then
    8 }5 O" Q0 ^6 f( p" g
  113.                 ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}')- E' z$ U) o! l9 N7 K
  114.         else
    9 ^* _+ Z8 F; p8 j7 t
  115.                 number_of_ip=$(ip -4 addr | grep inet | grep -vEc '127(\.[0-9]{1,3}){3}')
    : O' q6 n" A/ E2 D4 F) M
  116.                 echo2 q" F; [3 r9 t/ N0 O/ J0 H! C
  117.                 echo "Which IPv4 address should be used?"
    ) N& w* _( W- p/ I& x
  118.                 ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | nl -s ') '
    $ x' N$ e1 Z5 z: ~$ ?4 e/ Z
  119.                 read -p "IPv4 address [1]: " ip_number# D$ W) C$ O! k
  120.                 until [[ -z "$ip_number" || "$ip_number" =~ ^[0-9]+$ && "$ip_number" -le "$number_of_ip" ]]; do1 n. ^$ J. ~  [
  121.                         echo "$ip_number: invalid selection."; `1 x4 ?) }& r, Q) v- P5 G7 Y
  122.                         read -p "IPv4 address [1]: " ip_number" N& ?" C1 j$ O
  123.                 done
    + Z4 Y! M4 p' K$ A6 f4 C! R2 g, l
  124.                 [[ -z "$ip_number" ]] && ip_number="1"* U* L- x9 f9 N) H1 t
  125.                 ip=$(ip -4 addr | grep inet | grep -vE '127(\.[0-9]{1,3}){3}' | cut -d '/' -f 1 | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sed -n "$ip_number"p)
    . @5 H' ^- m9 x6 j1 ?: s
  126.         fi/ \: ]+ f! s! R3 d. W, k( g
  127.         # If $ip is a private IP address, the server must be behind NAT6 G6 `$ u' W! ]" \
  128.         if echo "$ip" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then1 Z# [# {1 S& m0 L+ v+ S+ R5 X
  129.                 echo
    7 u0 ]* t5 W5 p* u  ]! B- p% N8 J. o7 ]" g
  130.                 echo "This server is behind NAT. What is the public IPv4 address or hostname?"
    + X  @. g4 I$ j2 F( g. H
  131.                 # Get public IP and sanitize with grep! Q+ Y' z) Y7 ~7 \% g7 f
  132.                 get_public_ip=$(grep -m 1 -oE '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' <<< "$(wget -T 10 -t 1 -4qO- "http://ip1.dynupdate.no-ip.com/" || curl -m 10 -4Ls "http://ip1.dynupdate.no-ip.com/")")4 N; y' C, z# }+ V. o7 C, I
  133.                 read -p "Public IPv4 address / hostname [$get_public_ip]: " public_ip8 q5 @; M1 |) r$ s: Z) M/ D1 O
  134.                 # If the checkip service is unavailable and user didn't provide input, ask again
    4 g( q6 Z) z9 l  \
  135.                 until [[ -n "$get_public_ip" || -n "$public_ip" ]]; do) Y, q3 ~6 p$ ^
  136.                         echo "Invalid input.". J. m- t* J$ N+ t  p" K
  137.                         read -p "Public IPv4 address / hostname: " public_ip
    ! _* k+ I3 p8 J8 y; `9 H  a
  138.                 done
    1 U- K: s. ^' P% P; r
  139.                 [[ -z "$public_ip" ]] && public_ip="$get_public_ip"0 P; `# W6 j* m9 K3 D
  140.         fi5 \. c( {# x& k
  141.         # If system has a single IPv6, it is selected automatically
    1 J( |0 G& n- Z" _
  142.         if [[ $(ip -6 addr | grep -c 'inet6 [23]') -eq 1 ]]; then) |7 a2 o' R/ z1 o
  143.                 ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}')
    + Z1 m. k  N( A$ E- T5 \1 _) C
  144.         fi
    * v( r/ j) P& i( ]' Y4 f" M
  145.         # If system has multiple IPv6, ask the user to select one6 t6 \: e  J5 A9 G& J: Q5 I
  146.         if [[ $(ip -6 addr | grep -c 'inet6 [23]') -gt 1 ]]; then
    & \# X( v& r. i. S2 |
  147.                 number_of_ip6=$(ip -6 addr | grep -c 'inet6 [23]'). P8 l, z* r8 h  M/ n
  148.                 echo/ h: ?6 z; ^3 j# B  L- \8 }% v- g
  149.                 echo "Which IPv6 address should be used?"
    : z, m" a: {: I, v0 ?# j5 T
  150.                 ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | nl -s ') '' ]" a0 |; V- o! M0 Q( E' V* R0 U. @
  151.                 read -p "IPv6 address [1]: " ip6_number
    " r. z4 J2 ]' J. |
  152.                 until [[ -z "$ip6_number" || "$ip6_number" =~ ^[0-9]+$ && "$ip6_number" -le "$number_of_ip6" ]]; do
    . b9 z* g6 E4 C0 D6 C, a$ P3 k
  153.                         echo "$ip6_number: invalid selection.", b8 Y2 D' J' b" Z8 t
  154.                         read -p "IPv6 address [1]: " ip6_number
    * i2 @  V( E5 s* X: n4 c
  155.                 done4 Q. X5 {$ L& S
  156.                 [[ -z "$ip6_number" ]] && ip6_number="1"
    # z2 Z' o& f& H5 T) @6 v6 a0 ^
  157.                 ip6=$(ip -6 addr | grep 'inet6 [23]' | cut -d '/' -f 1 | grep -oE '([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}' | sed -n "$ip6_number"p)
      O7 J0 _  n  Y, p
  158.         fi
    8 H6 \/ G( H7 I" }  {
  159.         echo- v1 a! {4 `. ?& D! G) H5 C) n) y# a/ T
  160.         echo "Which protocol should OpenVPN use?"9 l  u' }' ^9 \$ T
  161.         echo "   1) UDP (recommended)"
      w. A. `' h/ P, B. U3 ~
  162.         echo "   2) TCP"
    9 Z" |1 Q2 J0 i5 _% w4 {
  163.         read -p "Protocol [1]: " protocol
    0 H7 P6 i0 I7 R9 ?8 j' b* p6 `
  164.         until [[ -z "$protocol" || "$protocol" =~ ^[12]$ ]]; do
    4 V7 b( G* N$ M
  165.                 echo "$protocol: invalid selection."
    / @/ s; ^2 a9 J
  166.                 read -p "Protocol [1]: " protocol
    1 C1 H& t, s$ v' w5 `# U# g
  167.         done
    - g. u% s. v# q/ _+ y7 Q' B
  168.         case "$protocol" in) R0 H9 n- f9 s& `0 l0 [! Y
  169.                 1|"")
    , a; m* L! [: j: k2 K" p
  170.                 protocol=udp2 C# T4 U7 A8 K) K1 }/ U
  171.                 ;;
    ! u/ |* Z6 K. R& |3 q3 K4 x5 W" v  g
  172.                 2)
    . D# b- C, H, h( p
  173.                 protocol=tcp
    6 K3 G/ n8 ^% [- o6 L
  174.                 ;;
    * m' f6 @: q7 v" @7 Q4 d
  175.         esac# H/ Z" D( y7 C& q7 i' m9 h
  176.         echo- m/ A. s$ ~& J
  177.         echo "What port should OpenVPN listen to?"; v" ?0 h. z1 ^
  178.         read -p "Port [1194]: " port9 R) v$ f  q) C: K# m* A
  179.         until [[ -z "$port" || "$port" =~ ^[0-9]+$ && "$port" -le 65535 ]]; do
    0 a: F3 F5 r6 I6 k. Z/ I9 Z
  180.                 echo "$port: invalid port."  D3 |4 L4 D% ?* W4 O9 k9 I) V2 D- ^7 L
  181.                 read -p "Port [1194]: " port* p4 T: S% q1 p9 N
  182.         done
    ' p5 G# M3 n0 C
  183.         [[ -z "$port" ]] && port="1194"$ V& k1 z5 R% b1 r# P
  184.         echo0 O' z9 h% {+ \8 K4 ]2 j
  185.         echo "Select a DNS server for the clients:"( B, V  x7 v, S9 q) z
  186.         echo "   1) Current system resolvers"- ?" @0 {$ J& X8 S4 i* s5 {
  187.         echo "   2) Google"1 t, Q9 a' w( J  u4 K7 B2 k
  188.         echo "   3) 1.1.1.1"
    2 s  b) R" o  V2 t
  189.         echo "   4) OpenDNS"
    5 J& A, p. P, m
  190.         echo "   5) Quad9"
    $ p+ u+ Y9 t# x5 `) i0 {
  191.         echo "   6) AdGuard"
    ' c( q! f4 k, V  ?# N
  192.         read -p "DNS server [1]: " dns  Q) |+ [4 p! j4 s. O1 l) o/ X$ B
  193.         until [[ -z "$dns" || "$dns" =~ ^[1-6]$ ]]; do. \* R  B4 @8 D/ I# m
  194.                 echo "$dns: invalid selection."
    2 m* l! j( }1 z: E7 l
  195.                 read -p "DNS server [1]: " dns& F4 w/ z: i  ~1 P
  196.         done
    * R9 C( u8 n& W! G) g1 |5 N0 L7 K
  197.         echo
    1 S5 t6 p# @% R8 \2 ?5 B
  198.         echo "Enter a name for the first client:"
    7 L7 V9 M3 ~  J1 z* z7 ?3 j' i
  199.         read -p "Name [client]: " unsanitized_client: }3 r4 L6 k+ ^, c5 R2 V3 T/ P/ |  g" S
  200.         # Allow a limited set of characters to avoid conflicts
    7 ~  P* ?& ~& u! a$ e8 r
  201.         client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")# ^/ M: ?$ p1 ?  z6 u2 d! b
  202.         [[ -z "$client" ]] && client="client"! w& d5 K0 L. E( l, o+ C
  203.         echo. B: r3 ^  H$ [
  204.         echo "OpenVPN installation is ready to begin."
    1 [' l4 k  E4 h) w' H
  205.         # Install a firewall if firewalld or iptables are not already available
    8 L) ~$ H( ~- H+ {4 V
  206.         if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then/ Y* M9 \+ `4 R% @5 J
  207.                 if [[ "$os" == "centos" || "$os" == "fedora" ]]; then
    ) ^/ D3 p' d- c0 G0 |, `! I
  208.                         firewall="firewalld"2 D2 r( j+ w' W' ]3 t8 E8 r
  209.                         # We don't want to silently enable firewalld, so we give a subtle warning# b; r4 i5 N6 }4 {
  210.                         # If the user continues, firewalld will be installed and enabled during setup. q! e9 I/ Q$ P0 p
  211.                         echo "firewalld, which is required to manage routing tables, will also be installed."
    , P0 l2 _( s) R( A
  212.                 elif [[ "$os" == "debian" || "$os" == "ubuntu" ]]; then
    ( n% S. [. w  n! Y. I
  213.                         # iptables is way less invasive than firewalld so no warning is given
    , d$ _) y$ \$ g; g, _) N' p1 \# c
  214.                         firewall="iptables"* _, u9 ~6 E( X4 }$ S5 S
  215.                 fi/ D8 v4 i  L- j6 j! h1 |; p% l( ?
  216.         fi
    ' t' A$ q7 ~6 S! s" k
  217.         read -n1 -r -p "Press any key to continue..."7 A2 `, s4 h& }* Q2 U
  218.         # If running inside a container, disable LimitNPROC to prevent conflicts5 J6 t  U: A$ y2 \
  219.         if systemd-detect-virt -cq; then8 B' r8 m( b  q5 Z0 L
  220.                 mkdir /etc/systemd/system/openvpn-server@server.service.d/ 2>/dev/null
    4 |7 i) c: L$ W  d
  221.                 echo "[Service]
    9 A  C. F6 k9 U$ R/ e7 |6 d
  222. LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf" U. ]6 b% r3 p
  223.         fi: ]5 n) Z7 l9 g% o
  224.         if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then6 F; i/ y5 \* k# j: N$ N! _7 s* \
  225.                 apt-get update# L7 b$ P/ ?5 D3 n9 o0 K9 b8 Q
  226.                 apt-get install -y openvpn openssl ca-certificates $firewall2 m, u! p+ [, d5 m. D' s* I
  227.         elif [[ "$os" = "centos" ]]; then$ l. Z& L1 j- O# @9 n
  228.                 yum install -y epel-release. n8 K* S* x* ^6 J( F
  229.                 yum install -y openvpn openssl ca-certificates tar $firewall
      {, L# M$ X' O9 C' K, t  `0 @
  230.         else# a0 @% M8 S" Y% |) g1 }
  231.                 # Else, OS must be Fedora
    5 Y% \, j; }: S8 R# o
  232.                 dnf install -y openvpn openssl ca-certificates tar $firewall) l" }  Q; N2 Y$ }5 X2 V' R
  233.         fi
    ; U! A* H2 M; J+ K0 z2 B
  234.         # If firewalld was just installed, enable it: [/ L3 I* A( C6 O+ u2 t' p/ p
  235.         if [[ "$firewall" == "firewalld" ]]; then. x  e* y3 ^: j$ i1 N, {
  236.                 systemctl enable --now firewalld.service
    + g. F8 w% i+ X7 ?+ @- D! T
  237.         fi5 J- \% _3 T' u% ?
  238.         # Get easy-rsa
    5 K; X- R1 B( i/ `
  239.         easy_rsa_url='https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.0/EasyRSA-3.1.0.tgz'
    0 a5 y8 c# y3 u+ u
  240.         mkdir -p /etc/openvpn/server/easy-rsa/
    0 W1 g) W7 i4 T( U  Q
  241.         { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
    , g/ \- i! _! k/ e- `
  242.         chown -R root:root /etc/openvpn/server/easy-rsa/; M" v8 j* F  ~. w
  243.         cd /etc/openvpn/server/easy-rsa/
    ; O* Q4 c6 n* P
  244.         # Create the PKI, set up the CA and the server and client certificates1 _, O; ?6 C$ q8 s$ v2 A
  245.         ./easyrsa init-pki1 V; @- h3 X6 }3 m8 _+ ~; a
  246.         ./easyrsa --batch build-ca nopass; X4 X: l! F. o/ F+ B0 T
  247.         EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass  W7 B% {9 v% d4 p. f1 h
  248.         EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass6 A+ O5 j1 b4 ~$ L9 s# I7 C0 C
  249.         EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl8 W  P" j) }" b% P! Y
  250.         # Move the stuff we need
    & i* z* J5 w  K
  251.         cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server7 }  h+ Y" ~9 q# m$ @& U+ |
  252.         # CRL is read with each client connection, while OpenVPN is dropped to nobody
    . d4 O1 F1 Z( [
  253.         chown nobody:"$group_name" /etc/openvpn/server/crl.pem, y0 x; Y# [  C& u) ~" Z& w
  254.         # Without +x in the directory, OpenVPN can't run a stat() on the CRL file
    3 F; e& q7 F) R+ m
  255.         chmod o+x /etc/openvpn/server/
    7 E7 w' Q% A( W/ `' }
  256.         # Generate key for tls-crypt
    1 {( E( r  E+ s& Q1 V" s5 {: K
  257.         openvpn --genkey --secret /etc/openvpn/server/tc.key5 M0 k% j% C, M" {% F
  258.         # Create the DH parameters file using the predefined ffdhe2048 group% t, a3 H+ V1 u5 x5 J4 y
  259.         echo '-----BEGIN DH PARAMETERS-----
    + k8 @7 V. ?% i) Q4 j
  260. MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz% z; \" C0 x$ u1 p# u$ C; D
  261. +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
    & s( d  V7 G* |; U
  262. 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
    4 b% H1 a5 {: o7 p* {$ ~, J
  263. YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi; H# ~. G/ H4 v! Y: ^
  264. 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD6 U" @; ]& m6 ^( f
  265. ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
    + Z: I& _& b" x. E3 M4 r) _  I2 l
  266. -----END DH PARAMETERS-----' > /etc/openvpn/server/dh.pem
    0 o% Y3 ~+ D$ x- @, ^) v: W" U
  267.         # Generate server.conf
    $ {5 C$ U( O; m1 H9 V* k. A
  268.         echo "local $ip
    2 H) {6 [9 V* E9 g% w
  269. port $port
    7 E9 Z" o, S7 {1 ]4 N8 Y0 C" ~; s2 D
  270. proto $protocol
    ) F3 d+ u" ~- g- G. e" S+ T
  271. dev tun6 G, c' V5 s% ~( o/ g. K
  272. ca ca.crt
      O9 B! b5 y3 M  j/ }
  273. cert server.crt) p( c: o/ {# L+ ~' G! }0 ^: H8 X
  274. key server.key' @' M' ^$ ?9 k- Y- Q
  275. dh dh.pem: \9 B$ D% R" G- K' N
  276. auth SHA512' q1 q4 f# Y5 ^7 _/ b/ @
  277. tls-crypt tc.key
    ( Y; D) N- R' g, [' w
  278. topology subnet
    # D% @4 R: v; b5 I1 C: R: R7 h
  279. server 10.8.0.0 255.255.255.0" > /etc/openvpn/server/server.conf- X- }# d( V0 K8 S0 K  L; d
  280.         # IPv6/ p) f" ~1 u5 O0 w$ ~! L
  281.         if [[ -z "$ip6" ]]; then8 C! K$ z# S. [, x; K6 P
  282.                 echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server/server.conf, T2 z: c- R) A0 d; X+ c/ `
  283.         else  f% Z: m$ T  [
  284.                 echo 'server-ipv6 fddd:1194:1194:1194::/64' >> /etc/openvpn/server/server.conf
    6 u, q$ y+ v+ p9 w
  285.                 echo 'push "redirect-gateway def1 ipv6 bypass-dhcp"' >> /etc/openvpn/server/server.conf5 I, J4 m/ g& }2 z! d
  286.         fi
    3 |$ x: ]. n$ W+ G
  287.         echo 'ifconfig-pool-persist ipp.txt' >> /etc/openvpn/server/server.conf5 h3 E% G3 x7 e4 V) I8 ]7 s% W
  288.         # DNS
    $ {- n1 d' G# k" \- J7 v, `& ?
  289.         case "$dns" in" a9 a+ e9 u$ M
  290.                 1|"")- K: B  O& t% ]3 \5 U! h! R4 n- D
  291.                         # Locate the proper resolv.conf
    * _+ s% t% h/ S# O/ ~) B) _; I- L
  292.                         # Needed for systems running systemd-resolved* r: R- T* W" b* N8 W' V& O
  293.                         if grep -q '^nameserver 127.0.0.53' "/etc/resolv.conf"; then
      k0 V- @& s( @# Y+ c
  294.                                 resolv_conf="/run/systemd/resolve/resolv.conf"1 P' d8 K- n- k# \& M2 _
  295.                         else7 J  {0 v& q2 v, O) n+ d- i
  296.                                 resolv_conf="/etc/resolv.conf", g( ~: C; t& A$ b
  297.                         fi( r# q; ^0 w1 n6 @
  298.                         # Obtain the resolvers from resolv.conf and use them for OpenVPN0 _! i: N1 U) U( a' x  m
  299.                         grep -v '^#\|^;' "$resolv_conf" | grep '^nameserver' | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | while read line; do* Z! `$ V3 o! e# M$ P
  300.                                 echo "push "dhcp-option DNS $line"" >> /etc/openvpn/server/server.conf8 T& g8 D) U# M& U6 k
  301.                         done
    : Z( @. x. Q1 F. O2 }, i  z; ^5 W
  302.                 ;;3 s- S. O5 |# @, J8 V% ~' T; F
  303.                 2)
    * r- A% R) n5 J4 n- Y
  304.                         echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server/server.conf% j$ ~2 K- R- m
  305.                         echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server/server.conf
    ! l* `1 P  z6 `
  306.                 ;;2 Y) X% b3 F7 c& A
  307.                 3)% q6 q' a- |$ O
  308.                         echo 'push "dhcp-option DNS 1.1.1.1"' >> /etc/openvpn/server/server.conf
    ) |+ a+ q. z- M% B9 ~+ |
  309.                         echo 'push "dhcp-option DNS 1.0.0.1"' >> /etc/openvpn/server/server.conf
    2 l( \% g  c* e3 Y$ k9 c
  310.                 ;;! L$ |2 s$ C8 [
  311.                 4); e* W+ [4 |1 E3 y  S) h* v
  312.                         echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server/server.conf
    6 ]2 U5 D/ M% i7 _! |
  313.                         echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server/server.conf- P& {% o3 ]+ |8 G. e7 R! o
  314.                 ;;6 c4 @! }$ O' ~9 b7 k" _; T, ~3 `+ `
  315.                 5)
    / A, ], h4 O! r% v+ ^
  316.                         echo 'push "dhcp-option DNS 9.9.9.9"' >> /etc/openvpn/server/server.conf; T3 _7 Z+ e" h1 X. ], B* e
  317.                         echo 'push "dhcp-option DNS 149.112.112.112"' >> /etc/openvpn/server/server.conf/ m2 j+ z4 J" F; {2 k
  318.                 ;;6 O; h4 l6 N5 G: U
  319.                 6)) P/ d) {: x$ x5 A
  320.                         echo 'push "dhcp-option DNS 94.140.14.14"' >> /etc/openvpn/server/server.conf
    $ o; S& }6 u! D: }
  321.                         echo 'push "dhcp-option DNS 94.140.15.15"' >> /etc/openvpn/server/server.conf6 Y( U9 r1 [' m6 [8 J. q/ T
  322.                 ;;% x  J" E3 b9 R6 k6 F
  323.         esac4 A& T" v: Q( U0 F( X
  324.         echo "keepalive 10 120# N- a* v) r1 j& i# c6 p8 ]/ K" r
  325. cipher AES-256-CBC6 D4 [0 g& }+ t
  326. user nobody
    ! n1 j* f* w; l$ o( f9 h
  327. group $group_name
    : u& D3 A+ Z4 q) z1 B
  328. persist-key6 }8 e5 H, R& ^  L5 _" X0 Y
  329. persist-tun
    5 ^3 y! x3 C6 p1 U* a/ f( J
  330. verb 34 R! U: g6 I& H8 f! h  j/ E& a
  331. crl-verify crl.pem" >> /etc/openvpn/server/server.conf1 |6 q! W9 t1 w  v
  332.         if [[ "$protocol" = "udp" ]]; then; U" j2 d7 w! G/ e- q+ r
  333.                 echo "explicit-exit-notify" >> /etc/openvpn/server/server.conf
    7 `: j5 }2 g8 q3 Y9 Z* f: u
  334.         fi6 g$ E. H: R9 Q$ d
  335.         # Enable net.ipv4.ip_forward for the system
    4 h2 `! N$ Z3 H7 }2 i; }1 q
  336.         echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-openvpn-forward.conf! O' O* A9 f" r0 ~( b# X* k
  337.         # Enable without waiting for a reboot or service restart
    ' Q4 q$ m6 h& W2 J/ {' F" I
  338.         echo 1 > /proc/sys/net/ipv4/ip_forward
    + \1 E6 X; o1 x) F. X9 X
  339.         if [[ -n "$ip6" ]]; then( O) L& X. H9 W
  340.                 # Enable net.ipv6.conf.all.forwarding for the system# ~2 J6 q$ ^, L7 @; g- i! [& {. @; j
  341.                 echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.d/99-openvpn-forward.conf
    , b3 f, X& _' ^  R; O+ J
  342.                 # Enable without waiting for a reboot or service restart2 I! v( n2 t( T5 E+ G2 f. A
  343.                 echo 1 > /proc/sys/net/ipv6/conf/all/forwarding" |* S8 E# ]8 Q. l! V. c% T% A) F
  344.         fi
    " N- e: w% D. z& v6 X, n
  345.         if systemctl is-active --quiet firewalld.service; then
    - M, ^5 L# P! f9 t) Y% f2 }
  346.                 # Using both permanent and not permanent rules to avoid a firewalld2 H1 I5 w' H8 j1 @
  347.                 # reload.
    . |3 a0 H9 {: o. ?/ v7 }, h0 M
  348.                 # We don't use --add-service=openvpn because that would only work with( ^; l/ @0 E3 @. J1 x, t& \
  349.                 # the default port and protocol.
    " s8 M1 ~/ y8 v5 Z
  350.                 firewall-cmd --add-port="$port"/"$protocol"
    1 j! z4 N! d. P4 a3 T4 N
  351.                 firewall-cmd --zone=trusted --add-source=10.8.0.0/24
    ( S$ Q) [3 ^5 z
  352.                 firewall-cmd --permanent --add-port="$port"/"$protocol"
    7 r. D: q/ d" {6 I; J2 n
  353.                 firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
    5 @7 z) ~/ `* L) \( V) b% V
  354.                 # Set NAT for the VPN subnet4 B( j4 g& w$ }9 A" V$ ~; w
  355.                 firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"; D+ z! U! S% [3 Q+ H$ b; \
  356.                 firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
    ! w' c7 P5 z7 f5 J
  357.                 if [[ -n "$ip6" ]]; then4 U1 O. i0 z5 E
  358.                         firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64
    % N8 t; _" B( Z8 @7 d# |" ^
  359.                         firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64
    6 D& I! r2 _; R6 t, n
  360.                         firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"9 i, z0 A$ n% Z' n1 ?
  361.                         firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"* V  B& U$ y. l2 Z
  362.                 fi
    0 x1 e0 b+ c3 ]' p: n$ X/ ?8 f
  363.         else; p% M) {. m4 L& A
  364.                 # Create a service to set up persistent iptables rules! z# _# b! I* C7 _
  365.                 iptables_path=$(command -v iptables)
    " h) X5 h7 T" y1 W- _
  366.                 ip6tables_path=$(command -v ip6tables)
    1 Q+ r! `* b* X7 r, k4 ~0 L8 }
  367.                 # nf_tables is not available as standard in OVZ kernels. So use iptables-legacy& O$ G1 u- Z5 u2 U( }1 ?
  368.                 # if we are in OVZ, with a nf_tables backend and iptables-legacy is available.8 k2 S& m8 x, l9 L- X6 k6 _
  369.                 if [[ $(systemd-detect-virt) == "openvz" ]] && readlink -f "$(command -v iptables)" | grep -q "nft" && hash iptables-legacy 2>/dev/null; then
    / J, ?4 f! o# Y( U/ m
  370.                         iptables_path=$(command -v iptables-legacy)
    1 L5 V6 z' [" L( z* [7 e1 O
  371.                         ip6tables_path=$(command -v ip6tables-legacy)
    3 I" `' C" X* m! _# w$ Z
  372.                 fi
    , A) ]) C: p! e+ U
  373.                 echo "[Unit]
    " a, [9 q% E' H8 J  L. i8 I5 _* A
  374. Before=network.target% u; x% u  }0 }
  375. [Service]
    ' k" _  S3 i1 n; `
  376. Type=oneshot
    * r2 s2 ]) ?4 R
  377. ExecStart=$iptables_path -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip
    : K$ j0 u8 E% p
  378. ExecStart=$iptables_path -I INPUT -p $protocol --dport $port -j ACCEPT& F; C/ Y- a% L$ I( y: w' K
  379. ExecStart=$iptables_path -I FORWARD -s 10.8.0.0/24 -j ACCEPT' U/ J2 f( R7 z. P7 n
  380. ExecStart=$iptables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    5 R; O" |/ q; D- E! T, x
  381. ExecStop=$iptables_path -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $ip! H# \  c4 D# q* G
  382. ExecStop=$iptables_path -D INPUT -p $protocol --dport $port -j ACCEPT0 D5 `' y( P6 n% J1 P
  383. ExecStop=$iptables_path -D FORWARD -s 10.8.0.0/24 -j ACCEPT
    ; b5 z. ^- M$ `9 U/ D3 B
  384. ExecStop=$iptables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" > /etc/systemd/system/openvpn-iptables.service
    * G* e$ F# N3 {% k% ?
  385.                 if [[ -n "$ip6" ]]; then
    ) i$ ~# N1 |$ [" G: a
  386.                         echo "ExecStart=$ip6tables_path -t nat -A POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6( S. P% J& x* {% t4 P2 w/ Y, ?
  387. ExecStart=$ip6tables_path -I FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT7 c* `7 n3 r2 Y8 Z
  388. ExecStart=$ip6tables_path -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    " l$ I$ U( {, |2 g# z; I
  389. ExecStop=$ip6tables_path -t nat -D POSTROUTING -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to $ip6
    ) C6 a* x/ D* c6 D6 }3 ?4 F1 k
  390. ExecStop=$ip6tables_path -D FORWARD -s fddd:1194:1194:1194::/64 -j ACCEPT
    . \; b* m( Q5 G+ K( [5 H
  391. ExecStop=$ip6tables_path -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" >> /etc/systemd/system/openvpn-iptables.service3 a% r- g$ C" {
  392.                 fi
    ( y, |  @9 l- o' h8 h/ A
  393.                 echo "RemainAfterExit=yes
    3 l& J5 D) F& J
  394. [Install]
    / p5 p, r8 Z' \- C3 x
  395. WantedBy=multi-user.target" >> /etc/systemd/system/openvpn-iptables.service
    ! O! I  F/ \/ Z* O$ l7 B  H( \
  396.                 systemctl enable --now openvpn-iptables.service
    0 s+ i# ?, A9 k" ~- o( R
  397.         fi
    $ ?6 b* c9 c. t! X% y
  398.         # If SELinux is enabled and a custom port was selected, we need this: Q0 F2 d  s4 p6 @
  399.         if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
    & e# D5 |- F9 L' ?) ~4 G& D" L6 w
  400.                 # Install semanage if not already present
    " M; I. F4 a* p& V. S
  401.                 if ! hash semanage 2>/dev/null; then" `5 q0 Q6 Q. r( v0 e1 o# L
  402.                         if [[ "$os_version" -eq 7 ]]; then
    8 y+ C  L& d8 y9 E( j: V6 W
  403.                                 # Centos 7
    - h. k. W: u* F
  404.                                 yum install -y policycoreutils-python  z( K2 H" K& M- E+ V0 X# s3 ?. a
  405.                         else! s- d, l2 p7 ~- p+ y
  406.                                 # CentOS 8 or Fedora5 E' w3 k, \1 Y( f% b
  407.                                 dnf install -y policycoreutils-python-utils# U! S/ k0 @3 q
  408.                         fi
    : d: Q" l, l4 J3 |" o' z8 N
  409.                 fi
    3 E: K8 A8 q. d
  410.                 semanage port -a -t openvpn_port_t -p "$protocol" "$port"1 L, U$ ~3 J# y! N* J* v& a
  411.         fi1 |- \4 ]& i6 L5 `; Z
  412.         # If the server is behind NAT, use the correct IP address
    6 |, R$ w& _! s3 G8 G
  413.         [[ -n "$public_ip" ]] && ip="$public_ip"2 Z* y8 A3 n8 K
  414.         # client-common.txt is created so we have a template to add further users later) \7 `6 S! I8 v6 c
  415.         echo "client9 k3 q3 P0 ~1 S( q7 R( E
  416. dev tun7 b8 n) U) r: L0 i) z# B
  417. proto $protocol
    2 U& k& l/ S) ]" o$ i0 }" _3 i
  418. remote $ip $port3 u  @3 P8 D* M! V5 J. {
  419. resolv-retry infinite
    + T4 ?3 d& k: p' f0 W) v
  420. nobind
    6 y: v9 L' v% M/ Z, D+ O) t. N1 ~! z  E
  421. persist-key/ r: i) h: T4 C
  422. persist-tun
      t, N7 \" c% m2 p2 A% V& |6 A
  423. remote-cert-tls server
    4 l8 O# Y! a/ J
  424. auth SHA512$ d) R0 |4 `2 z: O$ _
  425. cipher AES-256-CBC
    ; A7 x) X  F4 {( c
  426. ignore-unknown-option block-outside-dns( W8 |/ T/ i( p6 T: g
  427. block-outside-dns
    7 i9 f4 u, A# K" l! ^( S& j% E
  428. verb 3" > /etc/openvpn/server/client-common.txt
    7 ]; O0 L7 D( K4 c3 V
  429.         # Enable and start the OpenVPN service2 a9 I* c+ Y9 s; d9 y9 r
  430.         systemctl enable --now openvpn-server@server.service6 u/ F8 r) g0 d" [' y
  431.         # Generates the custom client.ovpn
    + \6 I, D+ ]( s% h5 i3 k$ l0 h
  432.         new_client
      k" H& c* o$ [( s3 j
  433.         echo) d- w% B9 [0 z7 M
  434.         echo "Finished!"  a0 O$ g. _) ?6 O* V& I9 k) S) k
  435.         echo) y, u7 N. x5 ~) b. q
  436.         echo "The client configuration is available in:" ~/"$client.ovpn"
    ! U& F; u, T% [$ `% S2 d2 N' ]% l7 D
  437.         echo "New clients can be added by running this script again."
    / n& H9 W& C: A9 _+ b0 a8 z# J
  438. else/ q7 F  L' M, E1 Y$ l: y  L
  439.         clear2 n. a- }; O! w* Y7 e) `. U
  440.         echo "OpenVPN is already installed."5 ?+ o8 s7 Y, x6 ]7 B
  441.         echo
    : j* V. X7 {3 u5 b
  442.         echo "Select an option:"0 r5 J" A2 B" x5 H3 ]5 n$ t
  443.         echo "   1) Add a new client"$ g! a) Q5 j; v0 B( I8 X: z) J: N. f0 J
  444.         echo "   2) Revoke an existing client"* T8 N2 a1 @; K
  445.         echo "   3) Remove OpenVPN"9 H7 T3 H8 z! l' W0 v1 Y5 U
  446.         echo "   4) Exit"6 n4 k$ i0 Y1 _2 T! X
  447.         read -p "Option: " option- H2 x( E$ V# i1 q
  448.         until [[ "$option" =~ ^[1-4]$ ]]; do2 w1 U0 s  g! c' p) o6 [- }: t
  449.                 echo "$option: invalid selection."
    ' ]/ E! P8 H: H  V: K6 G9 A
  450.                 read -p "Option: " option
    , ~" P7 M, p9 f$ O0 Z
  451.         done
    ! h5 m/ W4 ^/ z
  452.         case "$option" in- j1 ?7 v3 f0 v+ \
  453.                 1)
    3 e3 n9 x" ]2 j
  454.                         echo
    / }2 z! w9 {0 L  }- Q* _  Q# r
  455.                         echo "Provide a name for the client:"
      Y4 u0 g, z. }9 p' q# b! r
  456.                         read -p "Name: " unsanitized_client/ R+ H2 l& x& C- V  A2 R9 g
  457.                         client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
    , c7 k) s% P& x# u7 e
  458.                         while [[ -z "$client" || -e /etc/openvpn/server/easy-rsa/pki/issued/"$client".crt ]]; do
    3 _+ ~  [8 p9 U2 d* b9 D
  459.                                 echo "$client: invalid name.". y, d) {* c5 j' i1 j/ O
  460.                                 read -p "Name: " unsanitized_client
    ( w7 D% {8 m" B( z. g1 j& E! |1 b
  461.                                 client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")! w* N. v  V; @, G. B! Z
  462.                         done
    2 b/ L! Z0 I. p! A
  463.                         cd /etc/openvpn/server/easy-rsa/, Y5 L# k# w( L; t- n: x
  464.                         EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" nopass
    1 f! I( G2 ~6 j9 E0 \8 z% N
  465.                         # Generates the custom client.ovpn
    1 U% w3 t  h$ K) z
  466.                         new_client+ R# n/ ?$ S. |/ n
  467.                         echo
    8 C. ~. F* d3 g
  468.                         echo "$client added. Configuration available in:" ~/"$client.ovpn"& R: V& b7 R# K
  469.                         exit
    & f' {3 V! N7 p. J1 w: t# G& r+ f/ J: h
  470.                 ;;
    5 b* ~" q" h4 r! n) e+ O/ Q/ ]1 k
  471.                 2)
    2 e  I: i3 w  O
  472.                         # This option could be documented a bit better and maybe even be simplified) Q0 l' g: H; \: K
  473.                         # ...but what can I say, I want some sleep too# ^; r3 M; N7 W* ^8 w  f9 q
  474.                         number_of_clients=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep -c "^V")3 ^" ]3 _: w$ x) H, S( Q
  475.                         if [[ "$number_of_clients" = 0 ]]; then
    # O2 V8 [" h4 B; ]
  476.                                 echo
    % U4 ]5 [. K$ e0 s, R) q3 {8 y
  477.                                 echo "There are no existing clients!"
    ; w% _5 S0 t3 |( f- X( o- {8 @
  478.                                 exit7 p" Z4 A( h% Y* S& O4 y
  479.                         fi
    # K" z, U. ]5 a% ]  s8 Z& ?0 G
  480.                         echo
    $ I% {: q8 q5 O  C! G
  481.                         echo "Select the client to revoke:"
    , }' Q9 S8 j: V% `! n9 v) A% d
  482.                         tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
    " X# |" N, p$ A6 X# W% D
  483.                         read -p "Client: " client_number
    % A) z" Y3 q2 n1 r; ]3 z* T
  484.                         until [[ "$client_number" =~ ^[0-9]+$ && "$client_number" -le "$number_of_clients" ]]; do, _2 i/ Y' l; }
  485.                                 echo "$client_number: invalid selection."
    5 q+ E& _9 |: y3 B2 _. J7 [) b
  486.                                 read -p "Client: " client_number' R3 W- w& R( H( t6 U. H) ~
  487.                         done, `; X2 k. Q0 Y' Y0 D+ B
  488.                         client=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$client_number"p)4 a( Y0 c% Z2 D: @" l
  489.                         echo
    - E7 A  W% G" l! d4 t2 B$ q* m2 A
  490.                         read -p "Confirm $client revocation? [y/N]: " revoke1 |7 R) u/ K' z" o& p0 G1 B3 M3 e
  491.                         until [[ "$revoke" =~ ^[yYnN]*$ ]]; do. B) ]% l3 p) R/ J
  492.                                 echo "$revoke: invalid selection."
    2 f. L1 s5 L+ W) |  {9 D
  493.                                 read -p "Confirm $client revocation? [y/N]: " revoke3 L5 d/ R- t& e
  494.                         done& O9 Y2 t9 q7 T& |% ^' o! M0 A" {
  495.                         if [[ "$revoke" =~ ^[yY]$ ]]; then
    / Q) P8 u0 w: H/ L% X8 r
  496.                                 cd /etc/openvpn/server/easy-rsa/5 o2 d* a7 R# p
  497.                                 ./easyrsa --batch revoke "$client"/ U0 I4 J" @+ r  K9 E
  498.                                 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
    $ l0 |9 @; L' E) [5 B
  499.                                 rm -f /etc/openvpn/server/crl.pem
    ; A* k3 _) i0 o( p8 P+ H- O
  500.                                 cp /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server/crl.pem; F$ i% m7 O4 J: d. ?, s
  501.                                 # CRL is read with each client connection, when OpenVPN is dropped to nobody/ o. n: s7 H. f( ^+ R/ O! F" Q
  502.                                 chown nobody:"$group_name" /etc/openvpn/server/crl.pem
    - M' d) U9 m5 u, \4 G% H% Q; A
  503.                                 echo
    - A- i$ R6 d' D" y; W, o; l3 R$ U
  504.                                 echo "$client revoked!"
    " Q4 E( ]: Z5 p/ Q1 ~7 H' y
  505.                         else5 H  P/ n$ K) X6 f' \  I* b
  506.                                 echo* |7 T: l7 ~; r8 G
  507.                                 echo "$client revocation aborted!"9 l1 E0 f7 X! y0 U& _4 L  j* l# K% c+ q
  508.                         fi* e. _. A5 G) O/ m( x$ T, _- x  a
  509.                         exit4 L0 i2 J. Y) ]' Y1 V% S6 K* g' o
  510.                 ;;
    & l0 O1 V4 c$ I+ L! E- D% o0 ~
  511.                 3)
    ( p" _! p& C) f
  512.                         echo
    ; U5 T( ~" j" d; h) P0 |4 u
  513.                         read -p "Confirm OpenVPN removal? [y/N]: " remove+ Q! `* l8 b" W2 F! `" U9 @9 d
  514.                         until [[ "$remove" =~ ^[yYnN]*$ ]]; do
    4 ~+ ?3 k4 t( o
  515.                                 echo "$remove: invalid selection."
    % ^7 U0 G5 B0 R
  516.                                 read -p "Confirm OpenVPN removal? [y/N]: " remove5 z3 g0 s% p5 a& z9 `; a8 u/ G
  517.                         done% p# c7 ?: I7 u4 p5 O
  518.                         if [[ "$remove" =~ ^[yY]$ ]]; then
    - o0 {: r$ z# C3 v3 J# E% V3 x
  519.                                 port=$(grep '^port ' /etc/openvpn/server/server.conf | cut -d " " -f 2)  }- ?, K9 b* }
  520.                                 protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2), ]- G8 J3 B( D# m
  521.                                 if systemctl is-active --quiet firewalld.service; then
    ' U% Q1 ]) A) R0 T) S
  522.                                         ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$')
    ! \( X$ u8 ^" h" G& B
  523.                                         # Using both permanent and not permanent rules to avoid a firewalld reload.# O* d, z; z+ A
  524.                                         firewall-cmd --remove-port="$port"/"$protocol"
    0 Q9 S  e5 m1 W  B( H0 F7 j3 O
  525.                                         firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
    7 u1 e! f  E; p7 a! c
  526.                                         firewall-cmd --permanent --remove-port="$port"/"$protocol"
    1 g1 W! c. b* S# `
  527.                                         firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24: C0 o. K+ J+ ~1 t5 E
  528.                                         firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"
    0 {6 y, P$ i- q* M6 F, g& H) A
  529.                                         firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip"3 I* l7 v) M. c$ K
  530.                                         if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then+ q) N8 R# R, z$ {% O" l/ k/ h
  531.                                                 ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$'), K7 z' |; A8 T  z( \
  532.                                                 firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64  `  z  y. v+ @0 n! ^
  533.                                                 firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/647 }, P' V. u/ s$ b1 L
  534.                                                 firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"
    3 A# F) T7 `7 [4 |
  535.                                                 firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6"; T$ S. O8 I6 R: }4 l0 j
  536.                                         fi* U' M5 K. V2 b& m. u! {# \
  537.                                 else& L3 S9 h6 M, ]: r% J
  538.                                         systemctl disable --now openvpn-iptables.service
    * l! m& Q! h7 ?; |% q. L4 Z+ v
  539.                                         rm -f /etc/systemd/system/openvpn-iptables.service
    ; m9 X2 H! X! T  `3 w. W
  540.                                 fi2 H. d0 |& i9 ]& Z( w" K2 F, C
  541.                                 if sestatus 2>/dev/null | grep "Current mode" | grep -q "enforcing" && [[ "$port" != 1194 ]]; then
    0 q: @% x9 o4 I
  542.                                         semanage port -d -t openvpn_port_t -p "$protocol" "$port"
    . {' w8 T1 ^- g/ s- ?
  543.                                 fi3 j" L7 ^6 z" G4 I7 Y6 Q0 l
  544.                                 systemctl disable --now openvpn-server@server.service3 T1 Z: ?# K( {$ ~9 O# s  P; ?
  545.                                 rm -f /etc/systemd/system/openvpn-server@server.service.d/disable-limitnproc.conf
    ! Q2 j! Q$ B0 x$ c
  546.                                 rm -f /etc/sysctl.d/99-openvpn-forward.conf
    ) v. f5 T$ c( F) m2 M$ U1 @
  547.                                 if [[ "$os" = "debian" || "$os" = "ubuntu" ]]; then
      ^, w7 U/ Z4 v+ o& s5 u
  548.                                         rm -rf /etc/openvpn/server# p- H$ j6 v2 a# i0 F
  549.                                         apt-get remove --purge -y openvpn4 d- O; K) X$ o( N" h- n- }
  550.                                 else2 h$ n' A* x  B. m; m
  551.                                         # Else, OS must be CentOS or Fedora3 C; U6 x2 C# d7 ~0 ?& ?8 x
  552.                                         yum remove -y openvpn( W; j% L! j+ ]( R- t  s
  553.                                         rm -rf /etc/openvpn/server' q. {6 E2 Q2 G$ |/ \  _! A
  554.                                 fi
    ( L7 N/ b3 V! V) d+ k$ r
  555.                                 echo4 a. b# U+ f1 O/ p
  556.                                 echo "OpenVPN removed!") T5 o) Y' [1 h, O4 i. _
  557.                         else
    0 ~+ u9 @- D- Y4 h1 x9 d; _
  558.                                 echo
    1 V; W. i9 ~  T
  559.                                 echo "OpenVPN removal aborted!"
    + i+ t. J* Y! P* h
  560.                         fi6 w9 v1 m8 M: ]# x3 f5 X
  561.                         exit
    ) i# ?) @4 ^+ O/ d% a
  562.                 ;;
    & K0 U) ?+ L  @  g# F
  563.                 4)* f# w! I- x5 Y% `7 a" D: C
  564.                         exit
    0 X) @& M, x8 N. A" |, q
  565.                 ;;
    . T6 V9 g& ~1 d3 u2 x
  566.         esac
    % ?* ]# k# |5 l
  567. fi( ?; f8 _/ b; A$ R/ @0 d8 V2 w
复制代码

3 Q" q$ {1 U8 w1 R- |2 C; Q, x" _+ A; t$ p$ u9 V

3 M6 w  @0 K7 @4 w1 H. J3 c. g1 P5 [! X: N

shadowsocks-all.sh

601.59 KB, 下载次数: 12, 下载积分: 金钱 -5

shadowsocks-all.sh

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Archiver|手机版|小黑屋|

GMT+8, 2026-3-22 12:03 AM , Processed in 0.151698 second(s), 25 queries .

Powered by xyh-moon X3.5

© 2001-2025 Discuz! Team.

快速回复 返回顶部 返回列表