
OpenVPN 설치 스크립트 (CentOS/Ubuntu)

관리자 2019.11.29 19:18 조회 수 : 5

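#!/bin/bash
######################################################################
#
# Linux OpenVPN install script
#
# Installs and configures OpenVPN on Linux (CentOS/Ubuntu) end to end.
# Clients connect from outside with the generated
# /etc/openvpn/<hostname>_client.ovpn profile.
#
# Intended for a fresh host, run as root from a terminal: it wipes
# /etc/openvpn and /etc/easy-rsa, and several easy-rsa steps are
# interactive (CA passphrase, signing confirmations).
#
######################################################################
OS_NAME="centos"                        # "centos" or "ubuntu"
OPENVPN_HOSTNAME="openvpn.mysite.com"   # name clients connect to; also used in cert/file names

OPENVPN_PORT="1194"
OPENVPN_PROTO="udp"
OPENVPN_INTERNAL_NET="10.8.0.0 255.255.255.0"   # VPN subnet (OpenVPN `server` directive)

EASY_RSA_VER=3.0.6
EASY_RSA_DIR="/tmp/EasyRSA-v${EASY_RSA_VER}"    # where the easy-rsa release is unpacked for this run
EASY_RSA_CMD="${EASY_RSA_DIR}/easyrsa"
EASY_RSA_DOWNLOAD="https://github.com/OpenVPN/easy-rsa/releases/download/v${EASY_RSA_VER}/EasyRSA-unix-v${EASY_RSA_VER}.tgz"
# Optional SHA-256 of the release tarball. When non-empty the download is
# checked against it before being unpacked and executed as root (HTTPS
# only authenticates github.com, not the artifact). Left empty here since
# no digest is pinned on this page; take it from a release you verified.
EASY_RSA_SHA256=""

# Configuration parameters
export EASYRSA_PKI_DIR="/etc/easy-rsa/pki"   # this script's own name for the PKI location
export EASYRSA_PKI="${EASYRSA_PKI_DIR}"      # the variable easy-rsa 3 itself reads for the same thing
# Default CN offered at the certificate prompts. easy-rsa 3.0.x appears to
# substitute the request name as CN only when this is at its "ChangeMe"
# default, so expect the CA, server and client prompts to all default to
# "ovpnca": give the server/client distinct CNs when asked and confirm with
# `openssl x509 -subject -noout -in <cert>`.
export EASYRSA_REQ_CN="ovpnca"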

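######################################################################
#
# Install the required packages (a no-op if already installed).
# Ubuntu uses apt-get, CentOS uses yum (on CentOS the openvpn package
# typically comes from EPEL, which has to be enabled beforehand).
#
# NOTE: the CentOS branch wipes /etc/openvpn/* without asking. This is
# a fresh-install script, not an upgrade path for an existing server.
# The `systemctl stop` is best-effort and may fail on a fresh host; only
# the package installation itself is checked.
#
######################################################################
if [[ "${OS_NAME}" == "centos" ]]; then
  OVPN_USR="nobody"
  OVPN_GRP="nobody"
  systemctl stop openvpn@server.service
  rm -rf -- /etc/openvpn/*
  yum -y install openvpn || exit 1
else
  OVPN_USR="nobody"
  OVPN_GRP="nogroup"
  systemctl stop openvpn
  apt-get -y install openvpn || exit 1
fi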

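######################################################################
#
# Fetch and unpack easy-rsa.
#
# Root unpacks and later executes this code, so it must not live at a
# fixed, predictable name under world-writable /tmp that any local user
# could have created first. A private mktemp directory is used instead
# and EASY_RSA_DIR / EASY_RSA_CMD are re-pointed at it for the rest of
# the run. If EASY_RSA_SHA256 is set the tarball is verified against it
# before it is unpacked; otherwise only TLS to github.com protects it.
#
######################################################################
easyrsa_tmp="$(mktemp -d)" || exit 1
# Remove the unpacked tool on any exit (the PKI itself lives elsewhere).
trap 'rm -rf -- "${easyrsa_tmp}"' EXIT
easyrsa_tgz="${easyrsa_tmp}/EasyRSA-unix-v${EASY_RSA_VER}.tgz"

wget -O "${easyrsa_tgz}" "${EASY_RSA_DOWNLOAD}" || exit 1
if [ -n "${EASY_RSA_SHA256:-}" ]; then
  echo "${EASY_RSA_SHA256}  ${easyrsa_tgz}" | sha256sum -c - || exit 1
fi
tar -C "${easyrsa_tmp}" -xvzf "${easyrsa_tgz}" || exit 1
rm -f -- "${easyrsa_tgz}"

EASY_RSA_DIR="${easyrsa_tmp}/EasyRSA-v${EASY_RSA_VER}"
EASY_RSA_CMD="${EASY_RSA_DIR}/easyrsa"
if [ ! -x "${EASY_RSA_CMD}" ]; then
  echo "easyrsa not found at ${EASY_RSA_CMD} after unpacking" >&2
  exit 1
fi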

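######################################################################
#
# Fresh PKI/config directories and an edited ${EASY_RSA_DIR}/vars.
#
# NOTE: this wipes any existing /etc/easy-rsa (including the CA) and
# /etc/openvpn. The vars edits match on the variable name only, so they
# do not depend on the exact default text/tab layout of vars.example
# (the previous exact-string seds silently did nothing if it differed),
# and every edit is verified afterwards.
#
# Lifetimes: 18250 days is ~50 years for the CA *and* for every issued
# certificate, i.e. no key rotation at all; a leaked server or client
# key can then only be dealt with by revocation (crl-verify). Lower
# EASYRSA_CERT_EXPIRE unless that trade-off is accepted.
#
######################################################################
rm -rf -- /etc/easy-rsa /etc/openvpn
mkdir -p -- "${EASYRSA_PKI_DIR}" /etc/openvpn/server /etc/openvpn/client || exit 1
cp -fv -- "${EASY_RSA_DIR}/vars.example" "${EASY_RSA_DIR}/vars" || exit 1

# set_easyrsa_var NAME VALUE
#   Uncomments/sets the `set_var NAME ...` line in ${EASY_RSA_DIR}/vars to
#   VALUE (VALUE must already carry the quotes it needs in the file) and
#   exits the script if the resulting line is not present afterwards.
set_easyrsa_var() {
  local name="$1" value="$2"
  local vars_file="${EASY_RSA_DIR}/vars"
  sed -i -E "s|^#?set_var[[:space:]]+${name}[[:space:]].*|set_var ${name} ${value}|" "${vars_file}"
  if ! grep -q -- "^set_var ${name} ${value}\$" "${vars_file}"; then
    echo "failed to set ${name} in ${vars_file}" >&2
    exit 1
  fi
}

set_easyrsa_var EASYRSA_REQ_COUNTRY  '"KR"'
set_easyrsa_var EASYRSA_REQ_PROVINCE '"Seoul"'
set_easyrsa_var EASYRSA_REQ_CITY     '"Seoul"'
set_easyrsa_var EASYRSA_REQ_ORG      '"My Office"'
set_easyrsa_var EASYRSA_REQ_EMAIL    '"openvpn@mydomain"'
set_easyrsa_var EASYRSA_REQ_OU       '"My Organizational Unit"'
set_easyrsa_var EASYRSA_CA_EXPIRE    18250
set_easyrsa_var EASYRSA_CERT_EXPIRE  18250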

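clear
printf '%s\n' \
  "#####################################################################" \
  "#" \
  "# Initialization and Build CA" \
  "#" \
  "#####################################################################"
# easy-rsa puts the PKI under $PWD/pki unless its EASYRSA_PKI variable is
# set, so this cd is what makes it land in EASYRSA_PKI_DIR (/etc/easy-rsa/pki).
# An unchecked cd here would otherwise create the PKI wherever we happen to be.
cd /etc/easy-rsa || exit 1
# The pki directory already exists (mkdir above), so init-pki may ask to
# confirm replacing it.
"${EASY_RSA_CMD}" init-pki || exit 1
# Interactive: build-ca asks for a CA passphrase (no `nopass`, so the CA
# key is encrypted at rest) and offers EASYRSA_REQ_CN as the CN.
"${EASY_RSA_CMD}" build-ca || exit 1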

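clear
printf '%s\n' \
  "#####################################################################" \
  "#" \
  "# Build Server Key" \
  "#" \
  "#####################################################################"
# The server key is generated without a passphrase (nopass) because the
# daemon must start unattended. The request is signed with the "server"
# type, which adds the server extended key usage that the clients'
# `remote-cert-tls server` check relies on. sign-req prompts for
# confirmation and for the CA passphrase.
"${EASY_RSA_CMD}" gen-req "${OPENVPN_HOSTNAME}-openvpn-server" nopass || exit 1
"${EASY_RSA_CMD}" sign-req server "${OPENVPN_HOSTNAME}-openvpn-server" || exit 1

clear
printf '%s\n' \
  "#####################################################################" \
  "#" \
  "# Verify the certificate file using the OpenSSL command" \
  "#" \
  "#####################################################################"
# Chain check against the freshly built CA. The absolute PKI path is used
# for the CA file too (the earlier relative pki/ca.crt only worked because
# of the cd into /etc/easy-rsa).
openssl verify -CAfile "${EASYRSA_PKI_DIR}/ca.crt" \
  "${EASYRSA_PKI_DIR}/issued/${OPENVPN_HOSTNAME}-openvpn-server.crt" || exit 1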

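clear
printf '%s\n' \
  "#####################################################################" \
  "#" \
  "# Build Client Key" \
  "#" \
  "#####################################################################"
# A single client identity, also without a passphrase: its key is later
# embedded in clear in the .ovpn, so that file is the credential. To give
# more users access, run gen-req/sign-req again per user instead of
# sharing this profile (see the commented-out duplicate-cn in server.conf).
"${EASY_RSA_CMD}" gen-req "${OPENVPN_HOSTNAME}-openvpn-client" nopass || exit 1
"${EASY_RSA_CMD}" sign-req client "${OPENVPN_HOSTNAME}-openvpn-client" || exit 1

clear
printf '%s\n' \
  "#####################################################################" \
  "#" \
  "# Verify the certificate file using the OpenSSL command" \
  "#" \
  "#####################################################################"
# Chain check of the client certificate against the CA.
openssl verify -CAfile "${EASYRSA_PKI_DIR}/ca.crt" \
  "${EASYRSA_PKI_DIR}/issued/${OPENVPN_HOSTNAME}-openvpn-client.crt" || exit 1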

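clear
printf '%s\n' \
  "#####################################################################" \
  "#" \
  "# Generate the Diffie-Hellman key" \
  "#" \
  "#####################################################################"
# DH parameters for the server's `dh` directive (easy-rsa's default size,
# 2048 bits); this step is slow.
"${EASY_RSA_CMD}" gen-dh || exit 1
# Initial (empty) CRL for the server's crl-verify; asks for the CA
# passphrase. A CRL has its own lifetime (EASYRSA_CRL_DAYS, 180 days in
# the stock vars.example): once it expires OpenVPN rejects every client
# until `easyrsa gen-crl` is re-run and the new crl.pem copied into
# /etc/openvpn/server/, which needs the CA key. Keep the PKI, and a
# reminder, accordingly.
"${EASY_RSA_CMD}" gen-crl || exit 1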

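#####################################################################
#
# Remove the unpacked easy-rsa tool (the PKI under /etc/easy-rsa is
# not touched). The previous form, `rm -rf /tmp/${EASY_RSA_DIR}`,
# prefixed /tmp to a path that already started with /tmp and so
# removed nothing. `:?` aborts instead of running `rm -rf` on an
# empty path if the variable were ever unset.
#
#####################################################################
rm -rf -- "${EASY_RSA_DIR:?}"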

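clear
printf '%s\n' \
  "#####################################################################" \
  "#" \
  "# Copy Certificates Files" \
  "#" \
  "#####################################################################"
# Server side: CA, server cert/key, DH parameters and the CRL.
# Client side: CA and client cert/key (inlined into the .ovpn later).
# Every copy is checked, and the copied private keys are made root-only
# immediately instead of relying on a later permission pass.
server_files=(
  "${EASYRSA_PKI_DIR}/ca.crt"
  "${EASYRSA_PKI_DIR}/issued/${OPENVPN_HOSTNAME}-openvpn-server.crt"
  "${EASYRSA_PKI_DIR}/private/${OPENVPN_HOSTNAME}-openvpn-server.key"
  "${EASYRSA_PKI_DIR}/dh.pem"
  "${EASYRSA_PKI_DIR}/crl.pem"
)
client_files=(
  "${EASYRSA_PKI_DIR}/ca.crt"
  "${EASYRSA_PKI_DIR}/issued/${OPENVPN_HOSTNAME}-openvpn-client.crt"
  "${EASYRSA_PKI_DIR}/private/${OPENVPN_HOSTNAME}-openvpn-client.key"
)
for src in "${server_files[@]}"; do
  cp -fv -- "${src}" /etc/openvpn/server/ || exit 1
done
for src in "${client_files[@]}"; do
  cp -fv -- "${src}" /etc/openvpn/client/ || exit 1
done
chmod 600 "/etc/openvpn/server/${OPENVPN_HOSTNAME}-openvpn-server.key" \
          "/etc/openvpn/client/${OPENVPN_HOSTNAME}-openvpn-client.key" || exit 1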

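#####################################################################
#
# server.conf
#
# Written with the same OPENVPN_PORT/OPENVPN_PROTO variables the client
# profile uses (they were hard-coded to 1194/udp here, so changing them
# at the top of the script silently broke the pair). The DNS comment
# used to cite dns.watch while the addresses are Google's; corrected.
#
# Things to know about this configuration as written:
# - redirect-gateway sends all client traffic through the VPN, but this
#   script enables neither IP forwarding nor NAT on the host; without
#   them clients lose connectivity once connected.
# - client-to-client lets every VPN client reach every other directly.
# - comp-lzo turns on compression, which the OpenVPN project advises
#   against (compression-oracle attacks on encrypted traffic); it must
#   match the client profile if changed.
# - tls-version-min 1.2, tls-cipher and auth SHA512 are left commented
#   out, and no tls-auth/tls-crypt key is used, so the control channel
#   accepts TLS handshakes from anyone who can reach the port.
# - The daemon drops to ${OVPN_USR}:${OVPN_GRP} after reading its keys
#   (persist-key); crl.pem is re-read afterwards and must stay readable
#   by that user.
#
#####################################################################
cat << EOF > /etc/openvpn/server.conf
# OpenVPN Port, Protocol and the tun
port ${OPENVPN_PORT}
proto ${OPENVPN_PROTO}
dev tun

# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/${OPENVPN_HOSTNAME}-openvpn-server.crt
key /etc/openvpn/server/${OPENVPN_HOSTNAME}-openvpn-server.key

#DH and CRL key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem

# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server ${OPENVPN_INTERNAL_NET}
push "redirect-gateway def1 bypass-dhcp"

# DNS servers pushed to clients (Google Public DNS)
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
topology subnet
mode server
cipher AES-256-CBC

#Enable multiple client to connect with same Certificate key
#duplicate-cn

# TLS Security
tls-server
#tls-version-min 1.2
#tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
#auth SHA512
auth-nocache

# Other Configuration
keepalive 10 120
persist-key
persist-tun
comp-lzo
daemon
user ${OVPN_USR}
group ${OVPN_GRP}

# OpenVPN Log
log /var/log/openvpn.log
status /var/log/openvpn-status.log
verb 3

# auth plug-in
#plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
EOF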

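#####################################################################
#
# client.ovpn: one self-contained client profile with the CA, the
# client certificate and the client private key inlined.
#
# The <ca>/<cert>/<key> tags are OpenVPN's inline-file syntax and are
# required for the profile to parse; in the copy this was taken from
# they were missing, most likely stripped by HTML rendering. The client
# key was created with `nopass`, so the profile holds it in clear:
# whoever obtains this file can connect as this client, hence it is
# created root-only (umask 077) instead of being fixed up afterwards.
# reneg-sec 0 disables client-initiated renegotiation (the server still
# renegotiates on its default schedule); cipher and comp-lzo must match
# the server, and comp-lzo carries the same compression-oracle concern.
#
#####################################################################
OPENVPN_CLIENT_CERT="$(openssl x509 -in "/etc/openvpn/client/${OPENVPN_HOSTNAME}-openvpn-client.crt")" || exit 1
OPENVPN_CLIENT_CA="$(openssl x509 -in /etc/openvpn/client/ca.crt)" || exit 1
OPENVPN_CLIENT_KEY="$(cat "/etc/openvpn/client/${OPENVPN_HOSTNAME}-openvpn-client.key")" || exit 1
OPENVPN_CLIENT_OVPN="/etc/openvpn/${OPENVPN_HOSTNAME}_client.ovpn"

(
  umask 077
  cat << EOF > "${OPENVPN_CLIENT_OVPN}"
client
dev tun
proto ${OPENVPN_PROTO}
remote ${OPENVPN_HOSTNAME} ${OPENVPN_PORT}
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
cipher AES-256-CBC
remote-cert-tls server
auth-nocache
comp-lzo
verb 3
reneg-sec 0
<ca>
${OPENVPN_CLIENT_CA}
</ca>
<cert>
${OPENVPN_CLIENT_CERT}
</cert>
<key>
${OPENVPN_CLIENT_KEY}
</key>
EOF
) || exit 1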

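#####################################################################
#
# Lock down ownership/permissions, then enable and (re)start OpenVPN.
#
# Two deliberate departures from "chown everything to nobody and
# delete the CA":
# - /etc/easy-rsa (the PKI, including the passphrase-protected CA key)
#   is kept, root-only. server.conf uses crl-verify and a CRL has a
#   limited lifetime, so the CA key is needed again to refresh it and
#   to revoke a lost client profile; deleting it would leave the server
#   unrecoverable once the CRL expires. To run an offline CA, move the
#   directory to an offline machine rather than deleting it.
# - /etc/openvpn stays owned by root. OpenVPN reads its keys as root
#   before dropping to ${OVPN_USR} (persist-key keeps them across
#   restarts), so handing the shared, unprivileged `nobody` account
#   ownership of the private keys only widens who can read them.
#   crl.pem is the file OpenVPN re-reads after the privilege drop, so
#   it and the directories leading to it stay readable by ${OVPN_USR}.
#
#####################################################################
chmod 700 /etc/easy-rsa
chown -R root:root /etc/openvpn
chmod 755 /etc/openvpn /etc/openvpn/server
chmod 600 /etc/openvpn/server/*.key /etc/openvpn/client/*.key \
  "/etc/openvpn/${OPENVPN_HOSTNAME}_client.ovpn"
chmod 644 /etc/openvpn/server/crl.pem

systemctl daemon-reload
if [[ "${OS_NAME}" == "centos" ]]; then
  ovpn_service="openvpn@server.service"
else
  ovpn_service="openvpn"
fi
systemctl -f enable "${ovpn_service}"
systemctl restart "${ovpn_service}"
restart_rc=$?
# Show the log tail either way: it is the first place to look when the
# restart fails. The script's exit status is the restart's, not tail's.
tail -n 100 /var/log/openvpn.log
exit "${restart_rc}"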