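# ===================================================================================================
# OpenVPN/ -- home-grown OpenVPN deployment: systemd units, server/client profiles, an easy-rsa
# wrapper (create-ca3), two client helper scripts and two directory listings.
# The archive was dumped as text; each file below is introduced by a `# ----- file:` header that
# carries its path and the mode recorded in the tar header (all directories were 0770).
#
# Review summary (details at the affected lines):
#   * set-nftables-vpn.service ran `nft flush ruleset`, wiping every firewall table on the host
#     before adding only a NAT table. Rules now live in a dedicated table and are removed on stop.
#   * The server profiles never checked the CRL that create-ca3 generates (ca_server/content shows
#     crl.pem installed) -- a revoked client certificate was still accepted. `crl-verify` added.
#   * create-ca3 MOVED pki/ca.crt out of the PKI, which breaks every later sign-req/revoke/gen-crl;
#     it now copies. Exported .p12 bundles are chmod 600. CA key still created with `nopass`.
#   * vpn.1 mis-reported a failed openvpn run as "nicht gefunden"; vpn.2 left the service running
#     when interrupted.
# ===================================================================================================

# ----- file: OpenVPN/etc/systemd/system/set-nftables-vpn.service (mode 0644) -----
[Unit]
Description=thlu:set-nftables-vpn.service: Setting some netfilter-rules for openvpn-server
# Masquerades VPN client traffic leaving via eth0. The original unit started with
# `nft flush ruleset`, which deletes EVERY table on the host (including any unrelated firewall)
# on each start and then installed nothing but this NAT table. The rules now live in their own
# table `vpn_nat`, which is dropped and re-created so the unit stays idempotent.
# NOTE(review): no filter chain for forwarded VPN traffic exists anywhere in this archive, and
# net.ipv4.ip_forward / net.ipv6.conf.all.forwarding are not set here -- confirm both are handled
# elsewhere. "eth0" is the hard-coded uplink interface.

[Service]
Type=oneshot
# Stay active so ExecStop runs on `systemctl stop` and removes the table again.
RemainAfterExit=yes
# `-` prefix: a not-yet-existing table on first start is not an error.
ExecStart=-/usr/sbin/nft delete table ip vpn_nat
ExecStart=/usr/sbin/nft add table ip vpn_nat
# The trailing `counter;` inside the chain block adds a plain counter rule to the chain
# (kept from the original, presumably for debugging).
ExecStart=/usr/sbin/nft add chain ip vpn_nat postrouting "{ type nat hook postrouting priority 100; policy accept; counter;}"
# 10.0.8.0/23 covers both tunnel networks: 10.0.8.0/24 (server_udp) and 10.0.9.0/24 (server_tcp).
ExecStart=/usr/sbin/nft add rule ip vpn_nat postrouting oifname eth0 ip saddr 10.0.8.0/23 masquerade
ExecStart=-/usr/sbin/nft delete table ip6 vpn_nat
ExecStart=/usr/sbin/nft add table ip6 vpn_nat
ExecStart=/usr/sbin/nft add chain ip6 vpn_nat postrouting "{ type nat hook postrouting priority 100; policy accept; counter;}"
# fd00:10:0:8::/63 covers fd00:10:0:8::/64 (udp) and fd00:10:0:9::/64 (tcp).
ExecStart=/usr/sbin/nft add rule ip6 vpn_nat postrouting oifname eth0 ip6 saddr fd00:10:0:8::/63 masquerade
ExecStop=-/usr/sbin/nft delete table ip vpn_nat
ExecStop=-/usr/sbin/nft delete table ip6 vpn_nat

[Install]
WantedBy=multi-user.target

# ----- file: OpenVPN/etc/systemd/system/openvpn@.service (mode 0644) -----
[Unit]
Description=thlu:openvpn@%I.service Start a OpenVPN-Daemon
# Ordering after the network replaces the fixed `ExecStartPre=/bin/sleep 2` of the original,
# which had no stated purpose and presumably waited for the network.
Wants=network-online.target
After=network-online.target

[Service]
Type=forking
PIDFile=/var/run/openvpn/%I.pid
# openvpn is started as root and drops to vpnuser (server profiles: `user vpnuser`), so the
# directories are prepared here; /var/log/openvpn is group-writable for vpnuser.
ExecStartPre=/bin/mkdir -p /var/run/openvpn
ExecStartPre=/bin/mkdir -p /var/log/openvpn
ExecStartPre=/bin/chmod 770 /var/log/openvpn
ExecStartPre=/bin/chown root:vpnuser /var/log/openvpn
# %I = profile name; used for both the server profiles and (via vpn.2) the client profiles.
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%I.pid --status /var/run/openvpn/%I.status 60 --config /etc/openvpn/%I.conf
KillMode=process
# Sandboxing that does not interfere with what openvpn needs: /etc/openvpn is read, only
# /var/run/openvpn and /var/log/openvpn are written, the tun device is opened as root.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
# NOTE(review): a CapabilityBoundingSet= as in upstream openvpn-server@.service would tighten this
# further, but it must also allow the chown in ExecStartPre (CAP_CHOWN) -- test before adding.

[Install]
WantedBy=multi-user.target

# ----- file: OpenVPN/etc/systemd/system/openvpn.service (mode 0644) -----
[Unit]
Description=thlu:openvpn.service Start OpenVPN-Daemons for TCP and UDP
# Aggregate unit: starts/stops the instance units by calling systemctl from ExecStart.
# NOTE(review): the declarative form (Wants=/After= on the instances plus PropagatesStopTo=)
# avoids calling systemctl from inside a unit; left as-is because it works as long as the
# instances never gain an ordering dependency back on this unit. The TCP instance is disabled.

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/systemctl start openvpn@server_udp.service
# ExecStart=/bin/systemctl start openvpn@server_tcp.service
ExecStop=/bin/systemctl stop openvpn@server_udp.service
# ExecStop=/bin/systemctl stop openvpn@server_tcp.service

[Install]
WantedBy=basic.target

# ----- file: OpenVPN/etc/openvpn/client_tcp.conf (mode 0644) -----
# TCP client profile; client_udp.conf is the UDP twin. Started as root by vpn.1/vpn.2 and never
# drops privileges -- `user nobody` / `group nogroup` (with persist-key/persist-tun) would be the
# usual hardening; not added here because route re-application on reconnect needs testing.
tls-client
remote myprivateddnslink.net
proto tcp-client
dev tun0
# NOTE(review): server_tcp.conf listens on 55554; presumably a router forwards 443 to it.
port 443
# Require the serverAuth EKU on the peer: a client certificate from the same CA cannot pose as
# the server. `verify-x509-name server name` would additionally pin the CN create-ca3 issues.
remote-cert-tls server
pull
ping 60
cipher AES-256-GCM
auth SHA256
auth-nocache
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
# tls-crypt: control channel is authenticated AND encrypted with the pre-shared ta.key.
tls-crypt /etc/openvpn/keys/ta.key
mute 10
verb 3
log-append /var/run/openvpn/client.log

# ----- file: OpenVPN/etc/openvpn/server_tcp.conf (mode 0644) -----
# TCP server profile (tun1, 10.0.9.0/24 / fd00:10:0:9::/64). server_udp.conf is identical apart
# from proto/dev/port/networks; the security-relevant directives are documented here once.
server 10.0.9.0 255.255.255.0
server-ipv6 fd00:10:0:9::/64
proto tcp-server
dev tun1
port 55554
topology "subnet"
push "topology subnet"
# Full tunnel: all client traffic enters the VPN and is masqueraded by set-nftables-vpn.service.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.1.1"
push "dhcp-option DNS fd00:10:0:1:228d:ff77:fe11:2892"
push "route 10.0.1.0 255.255.255.0"
push "route-ipv6 fd00:10:0:1::/64"
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# Revocation: create-ca3 runs `easyrsa gen-crl` and ca_server/content shows crl.pem deployed,
# but the original profile never consulted it, so revoked client certificates were still
# accepted. OpenVPN refuses to start without the file (fail-closed). The CRL is valid for
# EASYRSA_CRL_DAYS (365); once it has expired all connections are rejected, so it must be
# regenerated and redeployed before then.
crl-verify /etc/openvpn/keys/crl.pem
# Mirror of the client's `remote-cert-tls server`: the server's own certificate (serverAuth EKU)
# cannot be replayed as a client identity. Client certs from create-ca3 carry clientAuth.
remote-cert-tls client
# NOTE(review): on OpenVPN 2.5+ `cipher` is deprecated for negotiation; `data-ciphers AES-256-GCM`
# (2.4: `ncp-ciphers`) is what pins the data channel. Not changed here: version not visible.
cipher AES-256-GCM
auth SHA256
# auth-nocache only affects clients prompting for credentials; harmless on a server.
auth-nocache
# With tls-version-min 1.3 enforced, finite-field DH parameters from a file are not used by the
# handshake (TLS 1.3 uses named groups); `dh none` would be the cleaner choice. Note the file is
# created as dh<keysize>.pem by create-ca3 (dh4096.pem in ca_server/content) and renamed on install.
dh /etc/openvpn/keys/dh.pem
ecdh-curve secp384r1
# All clients must support TLS 1.3 (OpenVPN linked against OpenSSL 1.1.1+); older ones are refused.
tls-version-min 1.3
tls-crypt /etc/openvpn/keys/ta.key
ping-timer-rem
keepalive 10 60
# persist-* let the daemon survive SIGUSR1 restarts after dropping to vpnuser.
persist-key
persist-tun
group vpnuser
user vpnuser
verb 3
mute 10
log-append /var/log/openvpn/openvpn_tcp.log

# ----- file: OpenVPN/etc/openvpn/client_udp.conf (mode 0644) -----
# UDP client profile; see client_tcp.conf for the annotated directives.
tls-client
remote myprivateddnslink.net
proto udp
dev tun0
port 55553
remote-cert-tls server
pull
ping 60
cipher AES-256-GCM
auth SHA256
auth-nocache
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
tls-crypt /etc/openvpn/keys/ta.key
mute 10
verb 3
# Tell the server on exit so it frees the session immediately (UDP has no connection teardown).
explicit-exit-notify
log-append /var/run/openvpn/client.log

# ----- file: OpenVPN/etc/openvpn/server_udp.conf (mode 0644) -----
# UDP server profile (tun0, 10.0.8.0/24 / fd00:10:0:8::/64); see server_tcp.conf for comments.
server 10.0.8.0 255.255.255.0
server-ipv6 fd00:10:0:8::/64
proto udp
dev tun0
port 55553
topology "subnet"
push "topology subnet"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.1.1"
push "dhcp-option DNS fd00:10:0:1:228d:ff77:fe11:2892"
push "route 10.0.1.0 255.255.255.0"
push "route-ipv6 fd00:10:0:1::/64"
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# Added: reject revoked client certificates (CRL from `easyrsa gen-crl`, see server_tcp.conf).
crl-verify /etc/openvpn/keys/crl.pem
# Added: require the clientAuth EKU on connecting peers.
remote-cert-tls client
cipher AES-256-GCM
auth SHA256
auth-nocache
dh /etc/openvpn/keys/dh.pem
ecdh-curve secp384r1
tls-version-min 1.3
tls-crypt /etc/openvpn/keys/ta.key
ping-timer-rem
keepalive 10 60
persist-key
persist-tun
group vpnuser
user vpnuser
verb 3
mute 10
log-append /var/log/openvpn/openvpn_udp.log

# ----- file: OpenVPN/easy-rsa/vars (mode 0644) -----
# Algorithm? "ec" or "rsa"
set_var EASYRSA_ALGO ec
# Only used by easy-rsa for RSA keys; create-ca3 additionally reads it as the size of the
# Diffie-Hellman parameters it generates (dh4096.pem).
set_var EASYRSA_KEY_SIZE 4096
set_var EASYRSA_CRL_DAYS 365
# NOTE(review): a one-year CA means CA, every certificate and every client device are
# re-provisioned annually, and the 365-day CRL has to be regenerated before it expires or
# servers using crl-verify stop accepting connections.
set_var EASYRSA_CA_EXPIRE 365
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_DIGEST sha256
# Certificate-Properties:
# Use a Common-Name-Value requested in dialog? "cn_only"
# Use the "traditional" Country/Province/City/Org/OU/email/CN format? "org"
set_var EASYRSA_DN "cn_only"
# Empty: easy-rsa 3 derives the default CN from the gen-req file-name base ("server", "S5", ...).
set_var EASYRSA_REQ_CN ""
set_var EASYRSA_REQ_COUNTRY ""
set_var EASYRSA_REQ_PROVINCE ""
set_var EASYRSA_REQ_CITY ""
set_var EASYRSA_REQ_ORG ""
set_var EASYRSA_REQ_OU ""
set_var EASYRSA_REQ_EMAIL ""

# ----- file: OpenVPN/easy-rsa/create-ca3 (mode 0644 -- not executable; run as `bash create-ca3`) -----
#! /bin/bash
#===================================================================================================
# Description : Create Certificate Authority ((CA) Certs & Keyfiles) for OpenVPN)
#
# Script-Name : create-ca3
# Date        : 24.08.2021
# Version     : 4.3
# Licence     : GNU General Public License 3
#
# create-ca is written and tested for Debian and Raspian (... and easy-rsa 3.06)
#
# Interactive wrapper around ./easyrsa: init-pki, build-ca, one key/cert per entry of `fname`,
# then gen-crl, DH parameters and the tls-crypt key. Every step asks y/s/q first.
# Tags inside an `fname` entry:  {srv} sign as server cert   {pwd} passphrase-protected key
#                                {p12} additionally export a PKCS#12 bundle (Android)
# Review changes vs. the original:
#   * pki/ca.crt is COPIED (not moved) to pki/issued -- easy-rsa needs it in place for every later
#     sign-req / revoke / gen-crl, so the old `mv` broke all follow-up runs.
#   * exported .p12 files are chmod 600 (they contain the private key).
#   * the CA key is still created with `nopass` (see ca_key_opts): anyone who can read
#     pki/private/ca.key can issue certificates the servers trust. Set ca_key_opts="" to protect it.
#   * failing easyrsa/openssl steps are reported instead of always printing "done!".
#   * `export KEY_CN` (an easy-rsa 2 variable, not read by easy-rsa 3) was dropped.
# `set -e` is deliberately not used: easy-rsa prompts and aborted steps must not kill the dialog.
#===================================================================================================
PATH=/sbin:/usr/sbin:/bin:/usr/bin:$PATH

# VPN-Hosts:
fname[0]="{srv} server"
fname[1]="{pwd} S5"
fname[2]="{pwd} S8"
fname[3]="{pwd}{p12} Tab"
fname[4]="D630"

readonly BOLD="\033[1m"
readonly RED="\033[31m"
readonly GREEN="\033[32m"
readonly YELLOW="\033[33m"
readonly LIGHTBLUE="\033[36m"
readonly COLRES="\033[0m"
readonly INVERSE="\033[7m"

jobs=()
keysize=2048
# Options appended to `easyrsa build-ca`. "nopass" = unencrypted CA key (original behaviour).
ca_key_opts="nopass"

#---------------------------------------------------------------------------------------------------
# Run every command line in the global array `jobs`, asking y/s/q before each one.
# Globals:  jobs (read), GREEN/RED/BOLD/COLRES
# Exits with 1 on 'q'. A failing job is reported in red but does not abort the run.
DoPrepareJobs() {
  local job confirm
  local -a cmd
  clear
  for job in "${jobs[@]}"; do
    echo -e "\n${GREEN}${BOLD}Want to start $job?${COLRES}\n"
    read -rp "Continue? Yes,Skip,Quit? (y/s/q): " confirm
    case $confirm in
      q)
        echo "Stopped!"
        exit 1
        ;;
      s)
        echo "$job" "skipped!"
        ;;
      *)
        # Job strings contain no quoting; whitespace splitting is what the original relied on.
        read -ra cmd <<<"$job"
        if "${cmd[@]}"; then
          echo -e "\n $job ${GREEN}done!${COLRES}\n\n"
        else
          echo -e "\n $job ${RED}failed!${COLRES}\n\n"
        fi
        ;;
    esac
  done
  return
}

#===================================================================================================
# Generate key + certificate (and optionally a .p12 bundle) for every entry of `fname`.
# Globals:  fname (read)
# Exits with 1 on 'q'. Success is judged by a non-empty key and certificate file.
BuildFilesPerHost() {
  local host withpwd server p12 confirm
  Hint 3
  clear
  for host in "${fname[@]}"; do
    withpwd=false
    server=false
    p12=false
    # Strip the tags and remember them.
    if [[ "$host" == *"{pwd}"* ]]; then
      host="${host//"{pwd}"/}"
      withpwd=true
    fi
    if [[ "$host" == *"{srv}"* ]]; then
      host="${host//"{srv}"/}"
      server=true
    fi
    if [[ "$host" == *"{p12}"* ]]; then
      host="${host//"{p12}"/}"
      p12=true
    fi
    # Trim the whitespace left behind by the tags.
    host="${host#"${host%%[![:space:]]*}"}"
    host="${host%"${host##*[![:space:]]}"}"
    clear
    echo -e "\n\n${GREEN}${BOLD}Want to start build-key for Host '$host' (pwd=$withpwd) (pkcs12=$p12)?\n${COLRES}\n"
    read -rp "Continue? Yes,Skip,Quit? (y/s/q): " confirm
    case $confirm in
      q)
        echo "Stopped!"
        exit 1
        ;;
      s)
        echo "Skipped!"
        ;;
      *)
        if [[ $server == true ]]; then
          # Server key without passphrase: the daemon has to start unattended.
          ./easyrsa gen-req "$host" nopass
          ./easyrsa sign-req server "$host"
        else
          if [[ $withpwd == true ]]; then
            Hint 2
            clear
            ./easyrsa gen-req "$host"
          else
            ./easyrsa gen-req "$host" nopass
          fi
          ./easyrsa sign-req client "$host"
          if [[ $p12 == true ]]; then
            Hint 4
            # NOTE(review): OpenSSL 1.x defaults to RC2-40/3DES PKCS#12 encryption, OpenSSL 3 to
            # AES-256-CBC + PBKDF2. `-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256` forces
            # the latter, but older Android importers may refuse it -- test before enabling.
            openssl pkcs12 -export -in "./pki/issued/$host.crt" -inkey "./pki/private/$host.key" \
              -certfile ./pki/ca.crt -name "$host" -out "./pki/private/$host.p12" \
              && chmod 600 "./pki/private/$host.p12"   # the bundle contains the private key
          fi
        fi
        if [[ -s "./pki/private/$host.key" && -s "./pki/issued/$host.crt" ]]; then
          echo -e "\n\nbuild key for Host $host ${GREEN}done!${COLRES}\n"
        else
          echo -e "\n\nbuild key for Host $host ${RED}failed!${COLRES}\n"
        fi
        read -rp "Press Enter to Continue: " confirm
        [[ "$confirm" == "q" ]] && exit 1
        ;;
    esac
  done
}

#===================================================================================================
# Show one of the (German) hint screens 1..4 and wait for Enter; hint 4 returns immediately
# because the following prompts come from openssl. Typing 'q' at the prompt exits.
# Arguments: $1 - hint number
Hint() {
  local -a ahelp=()
  local confirm line
  clear
  case $1 in
    1)
      ahelp=(
        "${INVERSE} Hinweis! ${COLRES}"
        " "
        "Die folgende sich mehrfach wiederholende Abrage mit der Eingabeaufforderung:"
        " ${LIGHTBLUE}Continue? Yes,Skip,Quit? (y/s/q):${COLRES}"
        "kann jeweils einfach mit der Enter-Taste zur Fortführung beantwortet werden."
        " "
        "Taste 'q' und Enter beendet das Programm"
        "Taste 's' und Enter überspringt den betreffenden Programmpunkt!"
        " "
        "Die meisten weiteren Abfragen können ebenfalls jeweils mit der Enter-Taste"
        "bestätigt werden. Sofern eine Eingabe ausdrücklich notwendig ist, erfolgt"
        "vorher ein Hinweis."
      )
      ;;
    2)
      ahelp=(
        "${INVERSE} Hinweis! ${COLRES}"
        " "
        "Die Angabe {pwd} im Client-Array verlangt später beim"
        "Herstellen einer Verbindung durch diesen Client ein Password"
        "zur Authorisierung der Verwendung des Zertifikats. Bitte jetzt"
        "bei der Eingabeaufforderung auf dem nächsten Bildschirm:"
        " "
        " ${LIGHTBLUE}Enter PEM pass phrase:${COLRES}"
        " "
        "das gewünschte Password eingeben! Achtung: Es müssen mindestens"
        "4 Zeichen eingegeben werden!"
      )
      ;;
    3)
      ahelp=(
        "${INVERSE} Hinweis! ${COLRES}"
        " "
        "Die folgende Abfrage für 'Sign' und 'Commit' als Abschlussfrage bei der"
        "Erstellung der Zertifikate muss bei jedem einzelnen Host explizit mit ${GREEN}${BOLD}'yes'${COLRES} "
        "als Eingabe beantwortet werden, da sonst kein Zertifikat erstellt wird:"
        "${LIGHTBLUE}Type the word 'yes' to continue, or any other input to abort.${COLRES}"
        "${LIGHTBLUE}Confirm request details:${COLRES}"
      )
      ;;
    4)
      ahelp=(
        "${INVERSE} Hinweis! ${COLRES}"
        " "
        "Für die Zertifikat-Erstellung wurde der Parameter ${GREEN}${BOLD}{p12}${COLRES} eingetragen, deshalb wird für eine "
        "Verwendung mit besserer Sicherheit (z.B. auf Android-Geräten) eine zusätzliche pkcs12-Datei als"
        "Paket-Archiv erzeugt, die anstelle von clt.key, clt.crt und ca.crt in die Benutzer-Zertifikat-DB"
        "des Android-Geräts übernommen werden kann."
        " "
        "Bitte auf die beiden unterhalb folgenden Abfragen zuerst das vergebene Zertifikat-Password"
        "eingeben, wodurch die Verwendung des Zertifikats für den nächsten Schritt erlaubt wird. Und"
        "bei der nächsten Abfrage bitte ein weiteres neues Password eigeben, mit dem das Zertifikat"
        "später aus der pkcs12-Datei in die Keychain des Android-Gerätes exportiert werden darf, um"
        "sie dann von dort in das OpenVPN-Profil zu importieren."
        "Wenn man das unbedingt möchte, kann man das gleiche Password sowohl für das Zertfikat als"
        "auch für den Export in die Keychain verwenden."
        " "
      )
      ;;
  esac
  echo -e "\n"
  for line in "${ahelp[@]}"; do echo -e "$line"; done
  echo -e "\n"
  [[ $1 -eq 4 ]] && return
  read -rp "Press Enter to Continue! " confirm
  echo -e "\n\n"
  [[ "$confirm" == "q" ]] && exit 1
  return
}

#===================================================================================================
# Main
command -v openssl >/dev/null 2>&1 || { echo "Fehler: Kein openssl gefunden!"; exit 1; }
command -v openvpn >/dev/null 2>&1 || { echo "Fehler: Kein openvpn gefunden!"; exit 1; }

# Work where the script (and ./easyrsa, vars, pki/) lives, whatever the caller's cwd is.
# The original read vars relative to the script but ran ./easyrsa relative to the cwd.
script_dir="$(cd "$(dirname "$0")" && pwd)" || exit 1
cd "$script_dir" || exit 1
[[ -x ./easyrsa ]] || { echo "Fehler: ./easyrsa nicht gefunden!"; exit 1; }

[[ -f "vars.example" ]] && mv vars.example vars.example.sik

# Pick EASYRSA_KEY_SIZE out of ./vars (comments stripped); it sizes the DH parameters below.
# Line format: `set_var NAME VALUE`.
while IFS= read -r line || [[ -n "$line" ]]; do
  line=${line%%#*}
  [[ -n "$line" ]] || continue
  read -r _ name parm _ <<<"$line"
  if [[ "$name" == EASYRSA_KEY_SIZE && "$parm" =~ ^[0-9]+$ ]]; then
    keysize=$parm
  fi
done < ./vars

Hint 1

# Pre-Jobs
jobs=(
  "./easyrsa init-pki"
  "./easyrsa build-ca $ca_key_opts"
)
DoPrepareJobs
BuildFilesPerHost

# Post-Jobs. `openvpn --genkey secret` is the 2.5+ spelling (2.4: `--genkey --secret ta.key`).
jobs=(
  "./easyrsa gen-crl"
  "openssl dhparam -out dh$keysize.pem $keysize"
  "openvpn --genkey secret ta.key"
)
DoPrepareJobs

# Collect the deployment files under pki/. ca.crt is copied, not moved: easy-rsa aborts every
# later sign-req / revoke / gen-crl when pki/ca.crt is missing.
[[ -s ./pki/ca.crt ]] && cp -p ./pki/ca.crt ./pki/issued/ca.crt
[[ -s ta.key ]] && mv ta.key ./pki/private
[[ -s "dh${keysize}.pem" ]] && mv "dh${keysize}.pem" ./pki/private
exit 0
#===================================================================================================
#EOF

# ----- file: OpenVPN/usr/local/bin/vpn.2 (mode 0644) -----
#!/bin/bash
# Script-Name : vpn
# Date        : 15.01.2017
# Version     : 1.0
# Usage       : vpn {x}
#
# Start the OpenVPN client through the openvpn@.service template, tail its log in an xterm and
# stop the service again when Enter is pressed -- or when the script is interrupted.
# Without an argument the UDP profile (client_udp) is used; ANY argument selects client_tcp.
if [[ $EUID -ne 0 ]]; then
  echo -e "\nThis script must be run as root" 1>&2
  exit 1
fi
mkdir -p /var/run/openvpn
# NOTE(review): the xterm/tail viewer also runs as root; a GUI client under uid 0 is a needless
# privilege surface -- consider running the viewer as "$SUDO_USER" when invoked via sudo.
TerminalApp=$(command -v xterm)
[[ -f /var/run/openvpn/client.log ]] || touch /var/run/openvpn/client.log
# --pid=$$: the viewer exits together with this script.
[[ -n "$TerminalApp" ]] && "$TerminalApp" -geometry 120x20+1+1 -e "/usr/bin/tail /var/run/openvpn/client.log -n 100 --sleep-interval=2 -f --pid=$$" &
if [[ -z "$1" ]]; then
  confnme="client_udp"
else
  confnme="client_tcp"
fi
if [[ ! -f "/etc/openvpn/$confnme.conf" ]]; then
  echo "/etc/openvpn/$confnme.conf nicht gefunden!"
  exit 1
fi
# Stop the instance on every exit path (Enter, Ctrl-C, kill). The original only stopped it
# after a completed `read`, so an interrupted script left the VPN running.
trap 'systemctl stop "openvpn@$confnme.service"' EXIT
systemctl start "openvpn@$confnme.service"
read -rp "Enter-Taste beendet die laufende OpenVPN-Sitzung"
exit 0

# ----- file: OpenVPN/usr/local/bin/vpn.1 (mode 0644) -----
#!/bin/bash
# Script-Name : vpn
# Date        : 15.01.2017
# Version     : 1.0
# Usage       : vpn {x}
#
# Like vpn.2, but runs openvpn in the foreground without systemd; Ctrl-C ends the session.
# Without an argument the UDP profile is used; ANY argument selects the TCP profile.
if [[ $EUID -ne 0 ]]; then
  echo -e "\nThis script must be run as root" 1>&2
  exit 1
fi
mkdir -p /var/run/openvpn
TerminalApp=$(command -v xterm)
[[ -f /var/run/openvpn/client.log ]] || touch /var/run/openvpn/client.log
[[ -n "$TerminalApp" ]] && "$TerminalApp" -geometry 120x20+1+1 -e "/usr/bin/tail /var/run/openvpn/client.log -n 100 --sleep-interval=2 -f --pid=$$" &
if [[ -z "$1" ]]; then
  confnme="/etc/openvpn/client_udp.conf"
else
  confnme="/etc/openvpn/client_tcp.conf"
fi
echo -e "\r\nstrg-c beendet die OpenVPN-Sitzung\r\n"
# The original `[ -f ... ] && openvpn ... || echo "... nicht gefunden!"` also printed
# "nicht gefunden" whenever openvpn itself exited non-zero (and then exited 0).
if [[ -f "$confnme" ]]; then
  openvpn --config "$confnme"
else
  echo "$confnme nicht gefunden!"
  exit 1
fi

# ----- file: OpenVPN/ca_client/content (mode 0644) -----
# Reference listing of a client's key directory: private keys and the .p12 bundle are 0600,
# certificates 0644, ta.key (tls-crypt pre-shared key) 0600.
# NOTE(review): this single directory holds the keys of ALL client devices (D630, S5, S8, Tab);
# each device should only ever receive its own key and ta.key.
$ ls -lah
drwxr-xr-x+ 2 toml toml 0 2018-09-14 14:04 .
drwxr-xr-x+ 7 toml toml 0 2018-09-11 21:15 ..
-rw-r--r--+ 1 toml toml 0 2018-09-10 14:07 ca.crt
-rw-r--r--+ 1 toml toml 0 2018-09-10 14:10 D630.crt
-rw-------+ 1 toml toml 0 2018-09-10 14:10 D630.key
-rw-r--r--+ 1 toml toml 0 2018-09-10 14:10 S5.crt
-rw-------+ 1 toml toml 0 2018-09-10 14:11 S5.key
-rw-r--r--+ 1 toml toml 0 2018-09-10 14:11 S8.crt
-rw-------+ 1 toml toml 0 2018-09-10 14:11 S8.key
-rw-r--r--+ 1 toml toml 0 2018-09-10 14:11 Tab.crt
-rw-------+ 1 toml toml 0 2018-09-10 14:11 Tab.key
-rw-------+ 1 toml toml 0 2018-09-10 14:11 Tab.p12
-rw-------+ 1 toml toml 0 2018-09-10 14:07 ta.key

# ----- file: OpenVPN/ca_server/content (mode 0644) -----
# Reference listing of the server's key directory (/etc/openvpn/keys). Everything is 0600 and
# readable only by root; openvpn opens the files before dropping to vpnuser.
# crl.pem is present here but was not referenced by the original server profiles
# (now consumed via `crl-verify`); dh4096.pem is referenced as dh.pem by the profiles.
$ ls -lah
insgesamt 0
drwxr-xr-x+ 2 thomas thomas 0 2018-09-11 21:13 .
drwxr-xr-x+ 7 thomas thomas 0 2018-09-11 21:15 ..
-rw-------+ 1 thomas thomas 0 2018-09-10 14:07 ca.crt
-rw-------+ 1 thomas thomas 0 2018-09-11 21:13 crl.pem
-rw-------+ 1 thomas thomas 0 2018-09-10 14:07 dh4096.pem
-rw-------+ 1 thomas thomas 0 2018-09-10 14:07 server.crt
-rw-------+ 1 thomas thomas 0 2018-09-10 14:07 server.key
-rw-------+ 1 thomas thomas 0 2018-09-10 14:07 ta.key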