Acmeraptor (talk | contribs) No edit summary |
Acmeraptor (talk | contribs) No edit summary |
| Line 257: | Line 257: | ||
===OpenVPN=== | ===OpenVPN=== | ||
[https://openwrt.org/docs/guide-user/services/vpn/openvpn/server OpenWRT/OpenVPN] | [https://openwrt.org/docs/guide-user/services/vpn/openvpn/server OpenWRT/OpenVPN] Use this as a baseline for rewriting the scripts, as they do not work as published. | ||
*This section is being heavily edited until I work out the kinks | *This section is being heavily edited until I work out the kinks | ||
| Line 269: | Line 269: | ||
opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl | opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl | ||
=====1-preparation.sh===== | |||
# Install packages | |||
opkg update | |||
opkg install luci-app-advanced-reboot luci-app-openvpn openvpn-easy-rsa openvpn-openssl | |||
# Configuration parameters | |||
VPN_DIR="/etc/openvpn" | |||
VPN_PKI="/etc/easy-rsa/pki" | |||
VPN_PORT="1194" | |||
VPN_PROTO="udp" | |||
VPN_POOL="10.65.9.0 255.255.255.0" | |||
VPN_DNS="${VPN_POOL%.* *}.1" | |||
VPN_DN="$(uci -q get dhcp.@dnsmasq[0].domain)" | |||
# Fetch server address | |||
NET_FQDN="$(uci -q get ddns.@service[0].lookup_host)" | |||
. /lib/functions/network.sh | |||
network_flush_cache | |||
network_find_wan NET_IF | |||
network_get_ipaddr NET_ADDR "${NET_IF}" | |||
if [ -n "${NET_FQDN}" ] | |||
then VPN_SERV="${NET_FQDN}" | |||
else VPN_SERV="${NET_ADDR}" | |||
fi | |||
=====2-keymanagement.sh===== | |||
# Work around EasyRSA issues | |||
wget -U "" -O /tmp/easyrsa.tar.gz \ | |||
https://github.com/OpenVPN/easy-rsa/\ | |||
releases/download/v3.1.7/EasyRSA-3.1.7.tgz | |||
tar -z -x -f /tmp/easyrsa.tar.gz | |||
# Configuration parameters | |||
cat << EOF > /etc/profile.d/easy-rsa.sh | |||
export EASYRSA_PKI="${VPN_PKI}" | |||
export EASYRSA_TEMP_DIR="/tmp" | |||
export EASYRSA_CERT_EXPIRE="3650" | |||
export EASYRSA_BATCH="1" | |||
alias easyrsa="/root/EasyRSA-3.1.7/easyrsa" | |||
EOF | |||
. /etc/profile.d/easy-rsa.sh | |||
# Remove and re-initialize PKI directory | |||
easyrsa init-pki | |||
# Generate DH parameters | |||
easyrsa gen-dh | |||
# Create a new CA | |||
easyrsa build-ca nopass | |||
# Generate server keys and certificate | |||
easyrsa build-server-full server nopass | |||
openvpn --genkey tls-crypt-v2-server ${EASYRSA_PKI}/private/server.pem | |||
# Generate client keys and certificate | |||
easyrsa build-client-full client nopass | |||
openvpn --tls-crypt-v2 ${EASYRSA_PKI}/private/server.pem \ | |||
--genkey tls-crypt-v2-client ${EASYRSA_PKI}/private/client.pem | |||
=====3-firewall.sh===== | |||
# Configure firewall | |||
uci rename firewall.@zone[0]="lan" | |||
uci rename firewall.@zone[1]="wan" | |||
uci del_list firewall.lan.device="tun+" | |||
uci add_list firewall.lan.device="tun+" | |||
uci -q delete firewall.ovpn | |||
uci set firewall.ovpn="rule" | |||
uci set firewall.ovpn.name="Allow-OpenVPN" | |||
uci set firewall.ovpn.src="wan" | |||
uci set firewall.ovpn.dest_port="${VPN_PORT}" | |||
uci set firewall.ovpn.proto="${VPN_PROTO}" | |||
uci set firewall.ovpn.target="ACCEPT" | |||
uci commit firewall | |||
service firewall restart | |||
=====4-vpnservice.sh===== | |||
# Configure VPN service and generate client profiles | |||
umask go= | |||
VPN_DH="$(cat ${VPN_PKI}/dh.pem)" | |||
VPN_CA="$(openssl x509 -in ${VPN_PKI}/ca.crt)" | |||
ls ${VPN_PKI}/issued \ | |||
| sed -e "s/\.\w*$//" \ | |||
| while read -r VPN_ID | |||
do | |||
VPN_TC="$(cat ${VPN_PKI}/private/${VPN_ID}.pem)" | |||
VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)" | |||
VPN_CERT="$(openssl x509 -in ${VPN_PKI}/issued/${VPN_ID}.crt)" | |||
VPN_EKU="$(echo "${VPN_CERT}" | openssl x509 -noout -purpose)" | |||
case ${VPN_EKU} in | |||
(*"SSL server : Yes"*) | |||
VPN_CONF="${VPN_DIR}/${VPN_ID}.conf" | |||
cat << EOF > ${VPN_CONF} ;; | |||
user nobody | |||
group nogroup | |||
dev tun | |||
port ${VPN_PORT} | |||
proto ${VPN_PROTO} | |||
server ${VPN_POOL} | |||
topology subnet | |||
client-to-client | |||
keepalive 10 60 | |||
persist-tun | |||
persist-key | |||
push "dhcp-option DNS ${VPN_DNS}" | |||
push "dhcp-option DOMAIN ${VPN_DN}" | |||
push "redirect-gateway def1" | |||
push "persist-tun" | |||
push "persist-key" | |||
<dh> | |||
${VPN_DH} | |||
</dh> | |||
EOF | |||
(*"SSL client : Yes"*) | |||
VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn" | |||
cat << EOF > ${VPN_CONF} ;; | |||
user nobody | |||
group nogroup | |||
dev tun | |||
nobind | |||
client | |||
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO} | |||
auth-nocache | |||
remote-cert-tls server | |||
EOF | |||
esac | |||
cat << EOF >> ${VPN_CONF} | |||
<tls-crypt-v2> | |||
${VPN_TC} | |||
</tls-crypt-v2> | |||
<key> | |||
${VPN_KEY} | |||
</key> | |||
<cert> | |||
${VPN_CERT} | |||
</cert> | |||
<ca> | |||
${VPN_CA} | |||
</ca> | |||
EOF | |||
done | |||
service openvpn restart | |||
ls ${VPN_DIR}/*.ovpn | |||
====Restoration==== | ====Restoration==== | ||
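Review bot: 2-keymanagement.sh downloads EasyRSA-3.1.7.tgz and extracts it with no integrity check, and that downloaded tool is then used to create the CA and every server and client key, so a substituted or tampered archive compromises the whole PKI; add a verification step between the wget and the tar, e.g. `echo "<sha256 published on the v3.1.7 release page>  /tmp/easyrsa.tar.gz" | sha256sum -c - || exit 1`. The archive is also unpacked into whatever the current directory happens to be while the alias hard-codes /root/EasyRSA-3.1.7, so `tar -z -x -f /tmp/easyrsa.tar.gz -C /root` would make the two agree. Since the four scripts appear to be separate files, VPN_PKI, VPN_DIR, VPN_POOL and VPN_SERV set in 1-preparation.sh are unset when the later scripts run on their own, and `export EASYRSA_PKI="${VPN_PKI}"` would then be written to /etc/profile.d/easy-rsa.sh empty; each later script should source its predecessor (or the four should be run in one shell session) and begin with `set -eu` so a failed download or checksum stops the run before `easyrsa build-ca nopass` executes. It may also be worth one sentence on the page noting that `build-ca nopass` leaves the CA private key unencrypted on the router, as the linked OpenWrt guide does, so readers know that is a deliberate trade-off rather than an oversight.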