bridging removed (too many manual actions on client systems and configuration tuning)

openvpn/adduser.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+STARTDIR=$(pwd)
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "Sorry, you need to run this as root"
+	exit 1
+fi
+
+cd $CADIR
+source ./vars
+
+ADDUSER="no"
+ANSUSER="yes"
+
+while [ "$ANSUSER" != "$ADDUSER" ]; 
+do
+	while [[ -z "$LOGIN" ]];
+	do
+	    read -p "Enter name: " LOGIN
+	done
+
+	./build-key --batch $LOGIN
+
+	if [ $? -eq 0 ]; then
+
+		# copy files and OVPN config
+		mkdir "$STARTDIR/$LOGIN"
+		cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$STARTDIR/$LOGIN/"
+
+		DIST="$STARTDIR/$LOGIN/openvpn-server.ovpn"
+		cp $DIR/openvpn-server.ovpn.dist $DIST
+		sed -i -e "s@LOGIN@$LOGIN@g" $DIST
+		sed -i -e "s@IP@$IP@g" $DIST
+
+		SRC="$STARTDIR/$LOGIN"
+		DIST="$STARTDIR/$LOGIN/openvpn-server-embedded.ovpn"
+		cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
+		sed -i -e "s@IP@$IP@g" $DIST
+
+		echo "<ca>" >> $DIST
+		cat $SRC/ca.crt >> $DIST
+		echo "</ca>" >> $DIST
+
+		echo "<cert>" >> $DIST
+		cat $SRC/$LOGIN.crt >> $DIST
+		echo "</cert>" >> $DIST
+
+		echo "<key>" >> $DIST
+		cat $SRC/$LOGIN.key >> $DIST
+		echo "</key>" >> $DIST
+
+		echo "<tls-auth>" >> $DIST
+		cat $SRC/ta.key >> $DIST
+		echo "</tls-auth>" >> $DIST
+
+		echo
+		echo "Created directory $STARTDIR/$LOGIN with necessary files."
+		USERNAME=${SUDO_USER:-$USER}
+		chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
+
+	fi
+	
+	read -p "Would you want add another user? [no] " ANSUSER
+	: ${ANSUSER:=$ADDUSER}
+done
+

openvpn/install.sh

@@ -12,7 +12,7 @@ fi
 
 echo
 echo "Installing OpenVPN..."
-apt-get install openvpn easy-rsa
+apt-get install openvpn easy-rsa bridge-utils
 
 echo
 echo "Configuring routing..."
@@ -30,30 +30,6 @@ echo
 echo "Configuring iptables firewall..."
 $DIR/iptables-setup.sh
 
-echo
-echo "Do you want to create routing or bridging OpenVPN mode? "
-echo "More information at: https://community.openvpn.net/openvpn/wiki/309-what-is-the-difference-between-bridging-and-routing"
-echo "    1) routing"
-echo "    2) bridging"
-echo
-read -p "Your choice [1 or 2]: " -e -i 1 MODE
-case $MODE in
-	1)
-	DEVICE="tun"
-	sed -i -e "s/DEVICE/tun/g" $OPENVPNCONFIG
-	sed -i -e "/server-bridge/d" $OPENVPNCONFIG
-	;;
-	2)
-	DEVICE="tap"
-	sed -i -e "s/DEVICE/tap/g" $OPENVPNCONFIG
-	sed -i -e "/server /d" $OPENVPNCONFIG
-	;;
-	*)
-	echo "Hm... Strange answer..."
-	exit
-	;;
-esac
-
 echo
 echo "Configuring DNS parameters..."
 $DIR/dns.sh
@@ -69,64 +45,9 @@ source ./vars
 ./build-dh
 openvpn --genkey --secret ta.key
 
-ADDUSER="no"
-ANSUSER="yes"
-
 echo
 echo "Configuring VPN users..."
-while [ "$ANSUSER" != "$ADDUSER" ]; 
-do
-	while [[ -z "$LOGIN" ]];
-	do
-	    read -p "Enter name: " LOGIN
-	done
-
-	./build-key --batch $LOGIN
-
-	if [ $? -eq 0 ]; then
-
-		# copy files and OVPN config
-		mkdir "$STARTDIR/$LOGIN"
-		cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$STARTDIR/$LOGIN/"
-
-		DIST="$STARTDIR/$LOGIN/openvpn-server.ovpn"
-		cp $DIR/openvpn-server.ovpn.dist $DIST
-		sed -i -e "s@LOGIN@$LOGIN@g" $DIST
-		sed -i -e "s@IP@$IP@g" $DIST
-		sed -i -e "s@DEVICE@$DEVICE@g" $DIST
-
-		SRC="$STARTDIR/$LOGIN"
-		DIST="$STARTDIR/$LOGIN/openvpn-server-embedded.ovpn"
-		cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
-		sed -i -e "s@IP@$IP@g" $DIST
-		sed -i -e "s@DEVICE@$DEVICE@g" $DIST
-
-		echo "<ca>" >> $DIST
-		cat $SRC/ca.crt >> $DIST
-		echo "</ca>" >> $DIST
-
-		echo "<cert>" >> $DIST
-		cat $SRC/$LOGIN.crt >> $DIST
-		echo "</cert>" >> $DIST
-
-		echo "<key>" >> $DIST
-		cat $SRC/$LOGIN.key >> $DIST
-		echo "</key>" >> $DIST
-
-		echo "<tls-auth>" >> $DIST
-		cat $SRC/ta.key >> $DIST
-		echo "</tls-auth>" >> $DIST
-
-		echo
-		echo "Created directory $STARTDIR/$LOGIN with necessary files."
-		USERNAME=${SUDO_USER:-$USER}
-		chown -R $USERNAME:$USERNAME $STARTDIR/$LOGIN/
-
-	fi
-	
-	read -p "Would you want add another user? [no] " ANSUSER
-	: ${ANSUSER:=$ADDUSER}
-done
+$DIR/adduser.sh
 
 echo
 echo "Starting OpenVPN..."

openvpn/iptables-setup.sh

@@ -67,9 +67,7 @@ iptables -t mangle -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS  -
 
 # TUN/TAP
 iptables -A INPUT -i tun+ -j ACCEPT
-iptables -A INPUT -i tap+ -j ACCEPT
 iptables -A OUTPUT -o tun+ -j ACCEPT
-iptables -A OUTPUT -o tap+ -j ACCEPT
 
 # OpenVPN
 iptables -A INPUT -p udp --dport 1194 -j ACCEPT
@@ -85,4 +83,3 @@ fi
 
 iptables -F
 iptables-restore < $IPTABLES
-

openvpn/openvpn-server-embedded.ovpn.dist

@@ -1,10 +1,10 @@
 client
-dev DEVICE
+dev tun
 persist-key
 persist-tun
 tls-client
 remote-cert-tls server
-cipher DES-EDE3-CBC
+cipher AES-256-CBC
 remote IP
 port 1194
 proto udp

openvpn/openvpn-server.conf.dist

@@ -1,7 +1,7 @@
 mode server
 port 1194
 proto udp
-dev DEVICE
+dev tun
 ca CADIR/keys/ca.crt
 cert CADIR/keys/openvpn-server.crt
 key CADIR/keys/openvpn-server.key
@@ -9,16 +9,17 @@ dh CADIR/keys/dh2048.pem
 tls-server
 tls-auth CADIR/ta.key 0
 server LOCALPREFIX.0.0 255.255.255.0
-server-bridge LOCALPREFIX.0.1 255.255.255.0 LOCALPREFIX.0.10 LOCALPREFIX.0.100
+topology subnet
 local PUBLICIP
 client-to-client
-cipher DES-EDE3-CBC
+cipher AES-256-CBC
 user nobody
 group NOBODYGROUP
 max-clients 100
 keepalive 10 120
 persist-key
 persist-tun
+mssfix
 push "route-gateway dhcp"
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"

openvpn/openvpn-server.ovpn.dist

@@ -1,8 +1,8 @@
 client
-dev DEVICE
+dev tun
 persist-key
 persist-tun
-cipher DES-EDE3-CBC
+cipher AES-256-CBC
 remote IP
 port 1194
 proto udp