

[CentOS7] OpenVPN 서버 설치 스크립트


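#!/bin/sh
#####################################################################
#
# OpenVPN install script (for CentOS 7)
# Default port: 1194/udp
#
# What it does, in order:
#   1. installs openvpn and easy-rsa from EPEL
#   2. wipes any previous PKI/config under /etc/openvpn (guarded, see
#      FORCE_REINSTALL below)
#   3. builds a CA, one server cert, one client cert, DH params and a
#      CRL with easy-rsa 3
#   4. writes /etc/openvpn/server.conf and enables openvpn@server
#
# The easy-rsa steps are interactive (CA passphrase on build-ca,
# "yes" confirmation on sign-req, CA passphrase on gen-crl); run it
# from a terminal as root.
#
# All values below can be overridden from the environment; the
# defaults reproduce the original hard-coded configuration:
#   VPN_COUNTRY VPN_PROVINCE VPN_CITY VPN_ORG VPN_OU VPN_EMAIL
#   VPN_NS_COMMENT                 certificate DN / comment fields
#   SERVER_NAME CLIENT_NAME        certificate common names
#   VPN_PORT VPN_PROTO             listener (1194 / udp)
#   VPN_SUBNET VPN_NETMASK         tunnel address pool (10.8.1.0/24)
#   VPN_DNS1 VPN_DNS2              DNS servers pushed to clients
#   FORCE_REINSTALL=yes            required to destroy an existing CA
#
# NOTE(review): server.conf pushes redirect-gateway, which only works
# if the host also forwards and NATs the tunnel subnet
# (net.ipv4.ip_forward=1 plus a firewalld/iptables masquerade rule).
# This script does not configure either; do it separately.
#
#####################################################################

# Stop at the first failing command or unset variable. Without this a
# failed easyrsa step would leave a half-built PKI and the service
# would still be enabled at the end.
set -eu

OPENVPN_DIR=/etc/openvpn
EASYRSA_DIR=$OPENVPN_DIR/easy-rsa/3
SERVER_DIR=$OPENVPN_DIR/server
CLIENT_DIR=$OPENVPN_DIR/client
SERVER_CONF=$OPENVPN_DIR/server.conf
LOG_FILE=/var/log/openvpn.log

VPN_COUNTRY=${VPN_COUNTRY:-KR}
VPN_PROVINCE=${VPN_PROVINCE:-Seoul}
VPN_CITY=${VPN_CITY:-Seoul}
VPN_ORG=${VPN_ORG:-"ESECUVALI CORP."}
VPN_EMAIL=${VPN_EMAIL:-hasu0707@esvali.com}
VPN_OU=${VPN_OU:-"ESECUVALI CORP. EASY CA"}
VPN_NS_COMMENT=${VPN_NS_COMMENT:-"ESECUVALI CORP. CERTIFICATE AUTHORITY"}
SERVER_NAME=${SERVER_NAME:-www.esvali.com-openvpn-server}
CLIENT_NAME=${CLIENT_NAME:-www.esvali.com-openvpn-client}
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}
VPN_SUBNET=${VPN_SUBNET:-10.8.1.0}
VPN_NETMASK=${VPN_NETMASK:-255.255.255.0}
VPN_DNS1=${VPN_DNS1:-8.8.8.8}
VPN_DNS2=${VPN_DNS2:-8.8.4.4}

#######################################
# Clear the terminal and print a section banner.
# Arguments: $1 - banner text
#######################################
banner() {
  clear
  echo "#####################################################################"
  echo "#"
  echo "# $1"
  echo "#"
  echo "#####################################################################"
}

#####################################################################
#
# Package installation
#
#####################################################################
yum install -y epel-release
yum install -y easy-rsa openvpn

#####################################################################
#
# Remove a previous installation
#
#####################################################################
# Re-running this script destroys the CA private key and therefore
# invalidates every certificate it ever issued: all existing clients
# stop working and cannot be revoked or renewed. Refuse to do that
# unless the operator has explicitly asked for it.
if [ -e "$EASYRSA_DIR/pki/private/ca.key" ] && [ "${FORCE_REINSTALL:-no}" != yes ]; then
  echo "ERROR: $EASYRSA_DIR/pki already contains a CA key." >&2
  echo "Re-running this script deletes the CA and every certificate it issued." >&2
  echo "Back up $EASYRSA_DIR first, then re-run with FORCE_REINSTALL=yes." >&2
  exit 1
fi
rm -f "$SERVER_CONF" "$LOG_FILE"
rm -rf "$CLIENT_DIR"/* "$SERVER_DIR"/*
rm -rf "$OPENVPN_DIR/easy-rsa"

#####################################################################
#
# easy-rsa vars
#
#####################################################################
cp -rf /usr/share/easy-rsa "$OPENVPN_DIR/"
# "\$PWD" / "\$EASYRSA" are written literally: easy-rsa expands them
# when it sources vars, not this script.
cat > "$EASYRSA_DIR/vars" <<EOF
set_var EASYRSA                 "\$PWD"
set_var EASYRSA_PKI             "\$EASYRSA/pki"
set_var EASYRSA_DN              "cn_only"
set_var EASYRSA_REQ_COUNTRY     "$VPN_COUNTRY"
set_var EASYRSA_REQ_PROVINCE    "$VPN_PROVINCE"
set_var EASYRSA_REQ_CITY        "$VPN_CITY"
set_var EASYRSA_REQ_ORG         "$VPN_ORG"
set_var EASYRSA_REQ_EMAIL       "$VPN_EMAIL"
set_var EASYRSA_REQ_OU          "$VPN_OU"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_ALGO            rsa
set_var EASYRSA_CA_EXPIRE       7500
set_var EASYRSA_CERT_EXPIRE     365
set_var EASYRSA_NS_SUPPORT      "no"
set_var EASYRSA_NS_COMMENT      "$VPN_NS_COMMENT"
set_var EASYRSA_EXT_DIR         "\$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF        "\$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST          "sha256"
EOF
# vars is sourced by easyrsa, never executed: no need for the x bit.
chmod 644 "$EASYRSA_DIR/vars"

# Every ./easyrsa call below is relative to this directory; abort
# rather than run them against the wrong cwd.
cd "$EASYRSA_DIR" || exit 1

banner "Initialization and Build CA"
./easyrsa init-pki
# Prompts for a CA passphrase; keep the CA key passphrase-protected,
# it is only needed when signing requests and regenerating the CRL.
./easyrsa build-ca

banner "Build Server Key"
# nopass: the daemon must be able to load its key unattended.
./easyrsa gen-req "$SERVER_NAME" nopass
./easyrsa sign-req server "$SERVER_NAME"

banner "Verify the server certificate using the OpenSSL command"
openssl verify -CAfile pki/ca.crt "pki/issued/$SERVER_NAME.crt"

banner "Build Client Key"
# NOTE(review): this issues a single, passphrase-less client key that
# server.conf (duplicate-cn) lets any number of devices share. That is
# one credential for everyone: no per-user identity, no per-user
# revocation. Prefer one certificate per client in production.
./easyrsa gen-req "$CLIENT_NAME" nopass
./easyrsa sign-req client "$CLIENT_NAME"

banner "Verify the client certificate using the OpenSSL command"
openssl verify -CAfile pki/ca.crt "pki/issued/$CLIENT_NAME.crt"

banner "Generate the Diffie-Hellman key"
./easyrsa gen-dh
# NOTE(review): the CRL produced here has a limited lifetime
# (easy-rsa's EASYRSA_CRL_DAYS default). Once it expires, crl-verify
# rejects every client; regenerate it with ./easyrsa gen-crl and copy
# it to $SERVER_DIR before that happens.
./easyrsa gen-crl

banner "Copy Certificates Files"
mkdir -p "$SERVER_DIR" "$CLIENT_DIR"
# install(1) sets the mode explicitly so private keys are never left
# world-readable regardless of the source mode or umask.
install -m 644 pki/ca.crt "$SERVER_DIR/"
install -m 644 "pki/issued/$SERVER_NAME.crt" "$SERVER_DIR/"
install -m 600 "pki/private/$SERVER_NAME.key" "$SERVER_DIR/"

# The client key is staged here only so it can be handed to the
# client. Transfer it over a secure channel and delete this copy once
# the client has it; a private key should not live on the server.
install -m 644 pki/ca.crt "$CLIENT_DIR/"
install -m 644 "pki/issued/$CLIENT_NAME.crt" "$CLIENT_DIR/"
install -m 600 "pki/private/$CLIENT_NAME.key" "$CLIENT_DIR/"

install -m 644 pki/dh.pem "$SERVER_DIR/"
# crl.pem is consulted for each new connection after the daemon has
# dropped to user nobody, so it must stay world-readable.
install -m 644 pki/crl.pem "$SERVER_DIR/"

#####################################################################
#
# server.conf
#
#####################################################################
cat > "$SERVER_CONF" <<EOF
# OpenVPN Port, Protocol and the tun
port $VPN_PORT
proto $VPN_PROTO
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca $SERVER_DIR/ca.crt
cert $SERVER_DIR/$SERVER_NAME.crt
key $SERVER_DIR/$SERVER_NAME.key

#DH and CRL key
dh $SERVER_DIR/dh.pem
# Keep crl.pem current: an expired CRL makes crl-verify reject all clients.
crl-verify $SERVER_DIR/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server $VPN_SUBNET $VPN_NETMASK
push "redirect-gateway def1 bypass-dhcp"

# DNS servers pushed to clients (Google Public DNS by default)
push "dhcp-option DNS $VPN_DNS1"
push "dhcp-option DNS $VPN_DNS2"
# Lets VPN clients talk to each other directly. Remove it if clients
# only need the server/LAN; it limits lateral movement between clients.
client-to-client

# Enable multiple clients to connect with the same certificate.
# SECURITY: a shared client certificate gives no per-user identity and
# no way to revoke a single user. Issue one cert per client and drop
# this line once you do.
duplicate-cn

# TLS Security
# OpenVPN 2.4 peers negotiate AES-256-GCM through NCP by default;
# AES-256-CBC below is only the fallback for older clients.
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Consider tls-crypt (or tls-auth) with a shared key so unauthenticated
# peers cannot even start a TLS handshake; it needs matching client configs.

# Other Configuration
keepalive 20 120
persist-key
persist-tun
# Compression framing is kept so clients configured with comp-lzo still
# connect, but compression itself is disabled here and pushed off on the
# client: compressing plaintext before encryption exposes the tunnel to
# VORACLE-style attacks.
comp-lzo no
push "comp-lzo no"
daemon
user nobody
group nobody

# OpenVPN Log
log-append $LOG_FILE
verb 3
EOF

#####################################################################
#
# Enable on boot and start
#
#####################################################################
systemctl restart openvpn@server
systemctl enable openvpn@server
# status exits non-zero when the unit is not active, which under set -e
# makes the script's exit code reflect the service state.
systemctl status --no-pager openvpn@server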