[+] Add raspberry_arch-install.sh script

This commit is contained in:
user1 2022-06-26 13:25:20 +02:00
parent e522e9dd0d
commit 848cc3ac94
21 changed files with 86 additions and 2844 deletions


@ -1,844 +0,0 @@
#!/bin/bash
set -ex
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
# https://github.com/Angristan/OpenVPN-install
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 1
fi
if [[ ! -e /dev/net/tun ]]; then
echo "TUN is not available"
exit 2
fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
echo "CentOS 5 is too old and not supported"
exit 3
fi
if [[ -e /etc/debian_version ]]; then
OS="debian"
# Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local'
SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system."
echo ""
echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
echo "then you can continue, a recent version of OpenVPN is available on these."
echo "Keep in mind they are not supported, though."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !"
exit 4
fi
fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos
RCLOCAL='/etc/rc.d/rc.local'
SYSCTL='/etc/sysctl.conf'
# Needed for CentOS 7
chmod +x /etc/rc.d/rc.local
elif [[ -e /etc/arch-release ]]; then
OS=arch
RCLOCAL='/etc/rc.local'
SYSCTL='/etc/sysctl.d/openvpn.conf'
else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
exit 4
fi
newclient () {
# Where to write the custom client.ovpn?
if [ ${SUDO_USER} ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root
homeDir="/root"
fi
# Generates the custom client.ovpn
cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
echo "<ca>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
echo "</ca>" >> $homeDir/$1.ovpn
echo "<cert>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
echo "</cert>" >> $homeDir/$1.ovpn
echo "<key>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
echo "</key>" >> $homeDir/$1.ovpn
#We verify if we used tls-crypt or tls-auth during the installation
TLS_SIG=$(cat /etc/openvpn/TLS_SIG)
if [[ $TLS_SIG == "1" ]]; then
echo "<tls-crypt>" >> ~/$1.ovpn
cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn
echo "</tls-crypt>" >> ~/$1.ovpn
elif [[ $TLS_SIG == "2" ]]; then
echo "key-direction 1" >> $homeDir/$1.ovpn
echo "<tls-auth>" >> $homeDir/$1.ovpn
cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
echo "</tls-auth>" >> $homeDir/$1.ovpn
fi
}
# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
# and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com)
fi
# Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default -m 1 | grep -Po '(?<=dev )(\S+)')
if [[ -e /etc/openvpn/server.conf ]]; then
while :
do
clear
echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
echo ""
echo "Looks like OpenVPN is already installed"
echo ""
echo "What do you want to do?"
echo " 1) Add a cert for a new user"
echo " 2) Revoke existing user cert"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -p "Select an option [1-4]: " option
case $option in
1)
echo ""
echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
exit
;;
2)
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 5
fi
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER
else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/
./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -rf pki/reqs/$CLIENT.req
rm -rf pki/private/$CLIENT.key
rm -rf pki/issued/$CLIENT.crt
rm -rf /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
echo ""
echo "Certificate for client $CLIENT revoked"
echo "Exiting..."
exit
;;
3)
echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then
# Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --zone=public --remove-port=$PORT/udp
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then
sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp $PORT
fi
fi
fi
if [[ "$OS" = 'debian' ]]; then
apt-get autoremove --purge -y openvpn
elif [[ "$OS" = 'arch' ]]; then
pacman -R openvpn --noconfirm
else
yum remove openvpn -y
fi
rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn*
# Where are the client files?
if [ ${SUDO_USER} ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root
homeDir="/root"
fi
rm $homeDir/*.ovpn
echo ""
echo "OpenVPN removed!"
else
echo ""
echo "Removal aborted!"
fi
exit
;;
4) exit;;
esac
done
else
clear
echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
echo ""
# OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them"
echo ""
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
echo "Otherwise, it should be your public IPv4 address."
read -p "IP address: " -e -i $IP IP
echo ""
echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT
echo ""
echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
echo " 1) UDP (recommended)"
echo " 2) TCP"
while [[ $PROTOCOL != "1" && $PROTOCOL != "2" ]]; do
read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
done
echo ""
echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers (in /etc/resolv.conf)"
echo " 2) FDN (France)"
echo " 3) DNS.WATCH (Germany)"
echo " 4) OpenDNS (Anycast: worldwide)"
echo " 5) Google (Anycast: worldwide)"
echo " 6) Yandex Basic (Russia)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" ]]; do
read -p "DNS [1-6]: " -e -i 1 DNS
done
echo ""
echo "Choose which compression algorithm you want to use:"
echo " 1) LZ4 (faster)"
echo " 2) LZ0 (use for OpenVPN 2.3 compatibility"
while [[ $COMPRESSION != "1" && $COMPRESSION != "2" ]]; do
read -p "Compression algorithm [1-2]: " -e -i 1 COMPRESSION
done
case $COMPRESSION in
1)
COMPRESSION="lz4"
;;
2)
COMPRESSION="lzo"
;;
esac
echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
echo "the encryption in OpenVPN and the choices proposed in this script."
echo "Please note that all the choices proposed are secure enough considering today's strandards, unlike some default OpenVPN options"
echo "You can just type "enter" if you don't know what to choose."
echo "Note that if you want to use an OpenVPN 2.3 client, You'll have to choose OpenVPN 2.3-compatible options."
echo "All OpenVPN 2.3-compatible choices are specified for each following option."
echo ""
echo "Choose which cipher you want to use for the data channel:"
echo " 1) AES-128-GCM (recommended)"
echo " 2) AES-192-GCM"
echo " 3) AES-256-GCM"
echo "Only use AES-CBC for OpenVPN 2.3 compatibilty"
echo " 4) AES-128-CBC"
echo " 5) AES-192-CBC"
echo " 6) AES-256-CBC"
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do
read -p "Data channel cipher [1-6]: " -e -i 1 CIPHER
done
case $CIPHER in
1)
CIPHER="cipher AES-128-GCM"
;;
2)
CIPHER="cipher AES-192-GCM"
;;
3)
CIPHER="cipher AES-256-GCM"
;;
4)
CIPHER="cipher AES-128-CBC"
;;
5)
CIPHER="cipher AES-192-CBC"
;;
6)
CIPHER="cipher AES-256-CBC"
;;
esac
echo ""
echo "Choose what kind of certificate you want to use:"
echo "Elleptic Curves keys (EC) are recommended, they're faster, lighter and more secure."
echo "Use RSA for OpenVPN 2.3 compatibilty"
echo " 1) ECDSA (recommended)"
echo " 2) RSA"
while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do
read -p "Certificate type [1-2]: " -e -i 1 CERT_TYPE
done
case $CERT_TYPE in
1)
echo ""
echo "Choose which curve you want to use for the EC key:"
echo " 1) secp256r1"
echo " 2) secp384r1 (recommended)"
echo " 3) secp521r1"
while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do
read -p "Curve [1-3]: " -e -i 2 CERT_CURVE
done
case $CERT_CURVE in
1)
CERT_CURVE="secp256r1"
;;
2)
CERT_CURVE="secp384r1"
;;
3)
CERT_CURVE="secp521r1"
;;
esac
;;
2)
echo ""
echo "Choose which RSA key size you want to use:"
echo " 1) 2048 bits"
echo " 2) 3072 bits (recommended)"
echo " 3) 4096 bits"
while [[ $RSA_SIZE != "1" && $RSA_SIZE != "2" && $RSA_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 RSA_SIZE
done
case $RSA_SIZE in
1)
RSA_SIZE="2048"
;;
2)
RSA_SIZE="3072"
;;
3)
RSA_SIZE="4096"
;;
esac
;;
esac
echo ""
echo "Choose which hash algorithm you want to use for the certificate:"
echo " 1) SHA-256"
echo " 2) SHA-384 (recommended)"
echo " 3) SHA-512"
while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do
read -p "Hash algorithm [1-3]: " -e -i 2 CERT_HASH
done
case $CERT_HASH in
1)
CERT_HASH="sha256"
;;
2)
CERT_HASH="sha384"
;;
3)
CERT_HASH="sha512"
;;
esac
echo ""
echo "Choose what kind of Diffie-Hellman key you want to use."
echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
echo "Use DH for OpenVPN 2.3 compatibilty"
echo " 1) ECDH (recommended)"
echo " 2) DH"
while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
read -p "DH key type [1-2]: " -e -i 1 DH_TYPE
done
case $DH_TYPE in
1)
echo ""
echo "Choose which curve you want to use for the ECDH key"
echo " 1) secp256r1"
echo " 2) secp384r1 (recommended)"
echo " 3) secp521r1"
while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
read -p "Curve [1-3]: " -e -i 2 DH_CURVE
done
case $DH_CURVE in
1)
DH_CURVE="secp256r1"
;;
2)
DH_CURVE="secp384r1"
;;
3)
DH_CURVE="secp521r1"
;;
esac
;;
2)
echo""
echo "Choose which DH key size you want to use"
echo " 1) 2048 bits"
echo " 2) 3072 bits (recommended)"
echo " 3) 4096 bits"
while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
done
case $DH_SIZE in
1)
DH_SIZE="2048"
;;
2)
DH_SIZE="3072"
;;
3)
DH_SIZE="4096"
;;
esac
;;
esac
echo ""
echo "Choose which cipher you want to use for the control channel:"
if [[ "$CERT_TYPE" = '1' ]]; then
echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
;;
2)
CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
;;
esac
elif [[ "$CERT_TYPE" = '2' ]]; then
echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
done
case $CC_ENC in
1)
CC_ENC="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
;;
2)
CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
;;
esac
fi
echo ""
echo "Do you want to use tls-crypt or tls-auth?"
echo "They both encrypt and authenticate all control channel packets with a key."
echo "tls-crypt is more advanced and secure than tls-auth, but it's an OpenVPN 2.4 feature."
echo " 1) tls-crypt (recommended)"
echo " 2) tls-auth (use only for OpenVPN 2.3 client compatibility)"
while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
read -p "Crontrol channel additional security layer [1-2]: " -e -i 1 TLS_SIG
done
echo""
if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then
echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
elif [[ $CIPHER = "cipher AES-256-CBC" ]] || [[ $CIPHER = "cipher AES-192-CBC" ]] || [[ $CIPHER = "cipher AES-128-CBC" ]]; then
echo "Choose which message digest algorithm you want to use for the data channel packets"
echo "and the tls-auth/tls-crypt control channel packets:"
fi
echo " 1) SHA-256"
echo " 2) SHA-384 (recommended)"
echo " 3) SHA-512"
while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" ]]; do
read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH
done
case $HMAC_AUTH in
1)
HMAC_AUTH="SHA256"
;;
2)
HMAC_AUTH="SHA384"
;;
3)
HMAC_AUTH="SHA512"
;;
esac
echo ""
echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
done
echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates -y
# We add the OpenVPN repo to get the latest version.
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
# Ubuntu 14.04
elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
# Ubuntu 16.04
elif [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
fi
# Ubuntu >= 17.04 and Debian > 9 have OpenVPN 2.4 without the need of a third party repository.
# The we install OpenVPN
apt-get update
apt-get install openvpn iptables openssl wget ca-certificates curl -y
elif [[ "$OS" = 'centos' ]]; then
yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y
else
# Else, the distro is ArchLinux
echo ""
echo ""
echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
echo "Not doing that could cause problems between dependencies, or missing files in repositories."
echo ""
echo "Continuing will update your installed packages and install needed ones."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e -i y CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !"
exit 4
fi
if [[ "$OS" = 'arch' ]]; then
# Install rc.local
echo "[Unit]
Description=/etc/rc.local compatibility
[Service]
Type=oneshot
ExecStart=/etc/rc.local
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
touch /etc/rc.local
chmod +x /etc/rc.local
systemctl enable rc-local.service
if ! grep '#!' $RCLOCAL; then
echo "#!/bin/bash" > $RCLOCAL
fi
fi
# Install dependencies
pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
if [[ "$OS" = 'arch' ]]; then
touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
systemctl enable iptables
systemctl start iptables
fi
fi
#To remember if we use tls-crypt or tls-auth when generating a new client conf
echo $TLS_SIG > /etc/openvpn/TLS_SIG
# Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup
else
NOGROUP=nobody
fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
# Get easy-rsa
wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
mv ~/EasyRSA-3.0.3/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.3.tgz
cd /etc/openvpn/easy-rsa/
if [[ $CERT_TYPE == "1" ]]; then
echo "set_var EASYRSA_ALGO ec
set_var EASYRSA_CURVE $CERT_CURVE" > vars
elif [[ $CERT_TYPE == "2" ]]; then
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
fi
echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
if [[ $DH_TYPE == "2" ]]; then
openssl dhparam -out dh.pem $DH_SIZE
fi
./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
if [[ $TLS_SIG == "1" ]]; then
# Generate tls-crypt key
openvpn --genkey --secret /etc/openvpn/tls-crypt.key
elif [[ $TLS_SIG == "2" ]]; then
# Generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
fi
# Move all the generated files
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
if [[ $DH_TYPE == "2" ]]; then
cp dh.pem /etc/openvpn
fi
# Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
echo "port $PORT" > /etc/openvpn/server.conf
if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = '2' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf
fi
echo "dev tun
user nobody
group $NOGROUP
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
# DNS resolvers
case $DNS in
1)
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done
;;
2) #FDN
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
;;
3) #DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
;;
4) #OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;;
5) #Google
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;;
6) #Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
;;
esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key" >> /etc/openvpn/server.conf
if [[ $TLS_SIG == "1" ]]; then
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
elif [[ $TLS_SIG == "2" ]]; then
echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
fi
if [[ $DH_TYPE == "1" ]]; then
echo "dh none
ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf
elif [[ $DH_TYPE == "2" ]]; then
echo "dh dh.pem" >> /etc/openvpn/server.conf
fi
echo "auth $HMAC_AUTH
$CIPHER
ncp-disable
tls-server
tls-version-min 1.2
tls-cipher $CC_ENC
compress $COMPRESSION
auth-nocache
status openvpn.log
verb 3" >> /etc/openvpn/server.conf
# Create the sysctl configuration file if needed (mainly for Arch Linux)
if [[ ! -e $SYSCTL ]]; then
touch $SYSCTL
fi
# Enable net.ipv4.ip_forward for the system
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' $SYSCTL
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL
fi
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
# Needed to use rc.local with some systemd distros
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
echo '#!/bin/sh -e
exit 0' > $RCLOCAL
fi
chmod +x $RCLOCAL
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL
if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to
# avoid a firewalld reload.
if [[ "$PROTOCOL" = '1' ]]; then
firewall-cmd --zone=public --add-port=$PORT/udp
firewall-cmd --permanent --zone=public --add-port=$PORT/udp
elif [[ "$PROTOCOL" = '2' ]]; then
firewall-cmd --zone=public --add-port=$PORT/tcp
firewall-cmd --permanent --zone=public --add-port=$PORT/tcp
fi
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then
# If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't
# cause problems.
if [[ "$PROTOCOL" = '1' ]]; then
iptables -I INPUT -p udp --dport $PORT -j ACCEPT
elif [[ "$PROTOCOL" = '2' ]]; then
iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
fi
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
if [[ "$PROTOCOL" = '1' ]]; then
sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
elif [[ "$PROTOCOL" = '2' ]]; then
sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL
fi
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
fi
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
# semanage isn't available in CentOS 6 by default
if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y
fi
if [[ "$PROTOCOL" = '1' ]]; then
semanage port -a -t openvpn_port_t -p udp $PORT
elif [[ "$PROTOCOL" = '2' ]]; then
semanage port -a -t openvpn_port_t -p tcp $PORT
fi
fi
fi
fi
# And finally, restart OpenVPN
if [[ "$OS" = 'debian' ]]; then
# Little hack to check for systemd
if pgrep systemd-journal; then
if [[ "$VERSION_ID" = 'VERSION_ID="9"' ]]; then
#Workaround to fix OpenVPN service on Debian 9 OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn-server\@.service
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn-server\@.service
sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn-server\@.service
systemctl daemon-reload
systemctl restart openvpn-server@openvpn.service
systemctl enable openvpn-server@openvpn.service
else
systemctl restart openvpn@server.service
fi
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
if [[ "$OS" = 'arch' ]]; then
#Workaround to avoid rewriting the entire script for Arch
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
systemctl daemon-reload
systemctl restart openvpn-server@openvpn.service
systemctl enable openvpn-server@openvpn.service
else
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
fi
else
service openvpn restart
chkconfig openvpn on
fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
if [[ "$IP" != "$EXTERNALIP" ]]; then
echo ""
echo "Looks like your server is behind a NAT!"
echo ""
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
echo "then I need to know the address that can be used to access it from outside."
echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP or domain name: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP
fi
fi
# client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = '1' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" = '2' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt
fi
echo "remote $IP $PORT
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth $HMAC_AUTH
$CIPHER
tls-client
tls-version-min 1.2
tls-cipher $CC_ENC
compress $COMPRESSION
auth-nocache
setenv opt block-outside-dns
verb 3" >> /etc/openvpn/client-template.txt
# Generate the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Finished!"
echo ""
echo "Your client config is available at $homeDir/$CLIENT.ovpn"
echo "If you want to add more clients, you simply need to run this script another time!"
fi
exit 0;


@ -1,645 +0,0 @@
#!/bin/bash
# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
# https://github.com/Angristan/OpenVPN-install
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 1
fi
if [[ ! -e /dev/net/tun ]]; then
echo "TUN is not available"
exit 2
fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
echo "CentOS 5 is too old and not supported"
exit 3
fi
if [[ -e /etc/debian_version ]]; then
OS="debian"
# Getting the version number, to verify that a recent version of OpenVPN is available
VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
RCLOCAL='/etc/rc.local'
SYSCTL='/etc/sysctl.conf'
if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
echo "Your version of Debian/Ubuntu is not supported."
echo "I can't install a recent version of OpenVPN on your system."
echo ""
echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
echo "then you can continue, a recent version of OpenVPN is available on these."
echo "Keep in mind they are not supported, though."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !"
exit 4
fi
fi
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos
RCLOCAL='/etc/rc.d/rc.local'
SYSCTL='/etc/sysctl.conf'
# Needed for CentOS 7
chmod +x /etc/rc.d/rc.local
elif [[ -e /etc/arch-release ]]; then
OS=arch
RCLOCAL='/etc/rc.local'
SYSCTL='/etc/sysctl.d/openvpn.conf'
else
echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
exit 4
fi
newclient () {
# Where to write the custom client.ovpn?
if [ -e /home/$1 ]; then # if $1 is a user name
homeDir="/home/$1"
elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER
homeDir="/home/${SUDO_USER}"
else # if not SUDO_USER, use /root
homeDir="/root"
fi
# Generates the custom client.ovpn
cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
echo "<ca>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
echo "</ca>" >> $homeDir/$1.ovpn
echo "<cert>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
echo "</cert>" >> $homeDir/$1.ovpn
echo "<key>" >> $homeDir/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
echo "</key>" >> $homeDir/$1.ovpn
echo "key-direction 1" >> $homeDir/$1.ovpn
echo "<tls-auth>" >> $homeDir/$1.ovpn
cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
echo "</tls-auth>" >> $homeDir/$1.ovpn
}
# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
# and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
IP=$(wget -qO- ipv4.icanhazip.com)
fi
# Get Internet network interface with default route
NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
if [[ -e /etc/openvpn/server.conf ]]; then
while :
do
clear
echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
echo ""
echo "Looks like OpenVPN is already installed"
echo ""
echo "What do you want to do?"
echo " 1) Add a cert for a new user"
echo " 2) Revoke existing user cert"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -p "Select an option [1-4]: " option
case $option in
1)
echo ""
echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
exit
;;
2)
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 5
fi
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER
else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/
./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -rf pki/reqs/$CLIENT.req
rm -rf pki/private/$CLIENT.key
rm -rf pki/issued/$CLIENT.crt
rm -rf /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
chmod 644 /etc/openvpn/crl.pem
echo ""
echo "Certificate for client $CLIENT revoked"
echo "Exiting..."
exit
;;
3)
echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then
# Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --zone=public --remove-port=$PORT/udp
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then
sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
semanage port -d -t openvpn_port_t -p udp $PORT
fi
fi
fi
if [[ "$OS" = 'debian' ]]; then
apt-get autoremove --purge -y openvpn
elif [[ "$OS" = 'arch' ]]; then
pacman -R openvpn --noconfirm
else
yum remove openvpn -y
fi
rm -rf /etc/openvpn
rm -rf /usr/share/doc/openvpn*
echo ""
echo "OpenVPN removed!"
else
echo ""
echo "Removal aborted!"
fi
exit
;;
4) exit;;
esac
done
else
clear
echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
echo ""
# OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them"
echo ""
echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
echo "Otherwise, it should be your public IPv4 address."
read -p "IP address: " -e -i $IP IP
echo ""
echo "What port do you want for OpenVPN?"
read -p "Port: " -e -i 1194 PORT
echo ""
echo "What protocol do you want for OpenVPN?"
echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
done
echo ""
echo "What DNS do you want to use with the VPN?"
echo " 1) Current system resolvers (in /etc/resolv.conf)"
echo " 2) FDN (France)"
echo " 3) DNS.WATCH (Germany)"
echo " 4) OpenDNS (Anycast: worldwide)"
echo " 5) Google (Anycast: worldwide)"
echo " 6) Yandex Basic (Russia)"
echo " 7) AdGuard DNS (Russia)"
while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" ]]; do
read -p "DNS [1-7]: " -e -i 1 DNS
done
echo ""
echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
echo "the encryption in OpenVPN and the choices I made in this script."
echo "Please note that all the choices proposed are secure (to a different degree)"
echo "and are still viable to date, unlike some default OpenVPN options"
echo ''
echo "Choose which cipher you want to use for the data channel:"
echo " 1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)"
echo " 2) AES-192-CBC"
echo " 3) AES-256-CBC"
echo "Alternatives to AES, use them only if you know what you're doing."
echo "They are relatively slower but as secure as AES."
echo " 4) CAMELLIA-128-CBC"
echo " 5) CAMELLIA-192-CBC"
echo " 6) CAMELLIA-256-CBC"
echo " 7) SEED-CBC"
while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
read -p "Cipher [1-7]: " -e -i 1 CIPHER
done
case $CIPHER in
1)
CIPHER="cipher AES-128-CBC"
;;
2)
CIPHER="cipher AES-192-CBC"
;;
3)
CIPHER="cipher AES-256-CBC"
;;
4)
CIPHER="cipher CAMELLIA-128-CBC"
;;
5)
CIPHER="cipher CAMELLIA-192-CBC"
;;
6)
CIPHER="cipher CAMELLIA-256-CBC"
;;
7)
CIPHER="cipher SEED-CBC"
;;
esac
echo ""
echo "Choose what size of Diffie-Hellman key you want to use:"
echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)"
while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
done
case $DH_KEY_SIZE in
1)
DH_KEY_SIZE="2048"
;;
2)
DH_KEY_SIZE="3072"
;;
3)
DH_KEY_SIZE="4096"
;;
esac
echo ""
echo "Choose what size of RSA key you want to use:"
echo " 1) 2048 bits (fastest)"
echo " 2) 3072 bits (recommended, best compromise)"
echo " 3) 4096 bits (most secure)"
while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE
done
case $RSA_KEY_SIZE in
1)
RSA_KEY_SIZE="2048"
;;
2)
RSA_KEY_SIZE="3072"
;;
3)
RSA_KEY_SIZE="4096"
;;
esac
echo ""
echo "Finally, tell me a name for the client certificate and configuration"
while [[ $CLIENT = "" ]]; do
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
done
echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then
apt-get install ca-certificates -y
# We add the OpenVPN repo to get the latest version.
# Debian 7
if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Debian 8
if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt update
fi
# Ubuntu 12.04
if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu 14.04
if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
apt-get update
fi
# Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
# The we install OpenVPN
apt-get install openvpn iptables openssl wget ca-certificates curl -y
elif [[ "$OS" = 'centos' ]]; then
yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates curl -y
else
# Else, the distro is ArchLinux
echo ""
echo ""
echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
echo "Not doing that could cause problems between dependencies, or missing files in repositories."
echo ""
echo "Continuing will update your installed packages and install needed ones."
while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
read -p "Continue ? [y/n]: " -e -i y CONTINUE
done
if [[ "$CONTINUE" = "n" ]]; then
echo "Ok, bye !"
exit 4
fi
if [[ "$OS" = 'arch' ]]; then
# Install rc.local
echo "[Unit]
Description=/etc/rc.local compatibility
[Service]
Type=oneshot
ExecStart=/etc/rc.local
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
chmod +x /etc/rc.local
systemctl enable rc-local.service
if ! grep '#!' $RCLOCAL; then
echo "#!/bin/bash" > $RCLOCAL
fi
fi
# Install dependencies
pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
if [[ "$OS" = 'arch' ]]; then
touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
systemctl enable iptables
systemctl start iptables
fi
fi
# Find out if the machine uses nogroup or nobody for the permissionless group
if grep -qs "^nogroup:" /etc/group; then
NOGROUP=nogroup
else
NOGROUP=nobody
fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
# Get easy-rsa
wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
mv ~/EasyRSA-3.0.3/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.3.tgz
cd /etc/openvpn/easy-rsa/
echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
openssl dhparam -out dh.pem $DH_KEY_SIZE
./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# generate tls-auth key
openvpn --genkey --secret /etc/openvpn/tls-auth.key
# Move all the generated files
cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
# Make cert revocation list readable for non-root
chmod 644 /etc/openvpn/crl.pem
# Generate server.conf
echo "local $IP" > /etc/openvpn/server.conf
echo "port $PORT" >> /etc/openvpn/server.conf
if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp" >> /etc/openvpn/server.conf
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp" >> /etc/openvpn/server.conf
fi
echo "dev tun
user nobody
group $NOGROUP
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
# DNS resolvers
case $DNS in
1)
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done
;;
2) #FDN
echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
;;
3) #DNS.WATCH
echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
;;
4) #OpenDNS
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;;
5) #Google
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;;
6) #Yandex Basic
echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
;;
7) #AdGuard DNS
echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
;;
esac
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
echo "crl-verify crl.pem
ca ca.crt
cert server.crt
key server.key
tls-auth tls-auth.key 0
dh dh.pem
auth SHA256
$CIPHER
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
status openvpn.log
verb 3" >> /etc/openvpn/server.conf
# Create the sysctl configuration file if needed (mainly for Arch Linux)
if [[ ! -e $SYSCTL ]]; then
touch $SYSCTL
fi
# Enable net.ipv4.ip_forward for the system
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' $SYSCTL
if ! grep -q "\<net.ipv4.ip_forward\>" $SYSCTL; then
echo 'net.ipv4.ip_forward=1' >> $SYSCTL
fi
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
# Needed to use rc.local with some systemd distros
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
echo '#!/bin/sh -e
exit 0' > $RCLOCAL
fi
chmod +x $RCLOCAL
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL
if pgrep firewalld; then
# We don't use --add-service=openvpn because that would only work with
# the default port. Using both permanent and not permanent rules to
# avoid a firewalld reload.
if [[ "$PROTOCOL" = 'UDP' ]]; then
firewall-cmd --zone=public --add-port=$PORT/udp
firewall-cmd --permanent --zone=public --add-port=$PORT/udp
elif [[ "$PROTOCOL" = 'TCP' ]]; then
firewall-cmd --zone=public --add-port=$PORT/tcp
firewall-cmd --permanent --zone=public --add-port=$PORT/tcp
fi
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
fi
if iptables -L -n | grep -qE 'REJECT|DROP'; then
# If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't
# cause problems.
if [[ "$PROTOCOL" = 'UDP' ]]; then
iptables -I INPUT -p udp --dport $PORT -j ACCEPT
elif [[ "$PROTOCOL" = 'TCP' ]]; then
iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
fi
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
if [[ "$PROTOCOL" = 'UDP' ]]; then
sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
elif [[ "$PROTOCOL" = 'TCP' ]]; then
sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL
fi
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
fi
# If SELinux is enabled and a custom port was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' ]]; then
# semanage isn't available in CentOS 6 by default
if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y
fi
if [[ "$PROTOCOL" = 'UDP' ]]; then
semanage port -a -t openvpn_port_t -p udp $PORT
elif [[ "$PROTOCOL" = 'TCP' ]]; then
semanage port -a -t openvpn_port_t -p tcp $PORT
fi
fi
fi
fi
# And finally, restart OpenVPN
if [[ "$OS" = 'debian' ]]; then
# Little hack to check for systemd
if pgrep systemd-journal; then
if [[ "$VERSION_ID" = 'VERSION_ID="9"' ]]; then
#Workaround to fix OpenVPN service on Debian 9 OpenVZ
sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn-server\@.service
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn-server\@.service
sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn-server\@.service
systemctl daemon-reload
systemctl restart openvpn-server@openvpn.service
systemctl enable openvpn-server@openvpn.service
else
systemctl restart openvpn@server.service
fi
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
if [[ "$OS" = 'arch' ]]; then
#Workaround to avoid rewriting the entire script for Arch
sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
systemctl daemon-reload
systemctl restart openvpn-server@openvpn.service
systemctl enable openvpn-server@openvpn.service
else
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
fi
else
service openvpn restart
chkconfig openvpn on
fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
if [[ "$IP" != "$EXTERNALIP" ]]; then
echo ""
echo "Looks like your server is behind a NAT!"
echo ""
echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
echo "then I need to know the address that can be used to access it from outside."
echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP or domain name: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP
fi
fi
# client-template.txt is created so we have a template to add further users later
echo "client" > /etc/openvpn/client-template.txt
if [[ "$PROTOCOL" = 'UDP' ]]; then
echo "proto udp" >> /etc/openvpn/client-template.txt
elif [[ "$PROTOCOL" = 'TCP' ]]; then
echo "proto tcp-client" >> /etc/openvpn/client-template.txt
fi
echo "remote $IP $PORT
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
$CIPHER
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3" >> /etc/openvpn/client-template.txt
# Generate the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Finished!"
echo ""
echo "Your client config is available at $homeDir/$CLIENT.ovpn"
echo "If you want to add more clients, you simply need to run this script another time!"
fi
exit 0;


@ -1,421 +0,0 @@
#!/bin/bash
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS
# This script will work on Debian, Ubuntu, CentOS and probably other distros
# of the same families, although no support is offered for them. It isn't
# bulletproof but it will probably work if you simply want to setup a VPN on
# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
# universal as possible.
# Detect Debian users running the script with "sh" instead of bash
if readlink /proc/$$/exe | grep -qs "dash"; then
echo "This script needs to be run with bash, not sh"
exit 1
fi
if [[ "$EUID" -ne 0 ]]; then
echo "Sorry, you need to run this as root"
exit 2
fi
if [[ ! -e /dev/net/tun ]]; then
echo "The TUN device is not available
You need to enable TUN before running this script"
exit 3
fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
echo "CentOS 5 is too old and not supported"
exit 4
fi
if [[ -e /etc/debian_version ]]; then
OS=debian
GROUPNAME=nogroup
RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
OS=centos
GROUPNAME=nobody
RCLOCAL='/etc/rc.d/rc.local'
else
echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
exit 5
fi
newclient () {
# Generates the custom client.ovpn
cp /etc/openvpn/client-common.txt ~/$1.ovpn
echo "<ca>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
echo "</ca>" >> ~/$1.ovpn
echo "<cert>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
echo "</cert>" >> ~/$1.ovpn
echo "<key>" >> ~/$1.ovpn
cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
echo "</key>" >> ~/$1.ovpn
echo "<tls-auth>" >> ~/$1.ovpn
cat /etc/openvpn/ta.key >> ~/$1.ovpn
echo "</tls-auth>" >> ~/$1.ovpn
}
# Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
IP=$(wget -4qO- "http://whatismyip.akamai.com/")
fi
if [[ -e /etc/openvpn/server.conf ]]; then
while :
do
clear
echo "Looks like OpenVPN is already installed"
echo ""
echo "What do you want to do?"
echo " 1) Add a new user"
echo " 2) Revoke an existing user"
echo " 3) Remove OpenVPN"
echo " 4) Exit"
read -p "Select an option [1-4]: " option
case $option in
1)
echo ""
echo "Tell me a name for the client certificate"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
cd /etc/openvpn/easy-rsa/
./easyrsa build-client-full $CLIENT nopass
# Generates the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Client $CLIENT added, configuration is available at" ~/"$CLIENT.ovpn"
exit
;;
2)
# This option could be documented a bit better and maybe even be simplimplified
# ...but what can I say, I want some sleep too
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
echo ""
echo "You have no existing clients!"
exit 6
fi
echo ""
echo "Select the existing client certificate you want to revoke"
tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
read -p "Select one client [1]: " CLIENTNUMBER
else
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
fi
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
cd /etc/openvpn/easy-rsa/
./easyrsa --batch revoke $CLIENT
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
rm -rf pki/reqs/$CLIENT.req
rm -rf pki/private/$CLIENT.key
rm -rf pki/issued/$CLIENT.crt
rm -rf /etc/openvpn/crl.pem
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
# CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
echo ""
echo "Certificate for client $CLIENT revoked"
exit
;;
3)
echo ""
read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
if [[ "$REMOVE" = 'y' ]]; then
PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
if pgrep firewalld; then
IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
# Using both permanent and not permanent rules to avoid a firewalld reload.
firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
else
IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14)
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
if iptables -L -n | grep -qE '^ACCEPT'; then
iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
fi
fi
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
fi
fi
fi
if [[ "$OS" = 'debian' ]]; then
apt-get remove --purge -y openvpn
else
yum remove openvpn -y
fi
rm -rf /etc/openvpn
echo ""
echo "OpenVPN removed!"
else
echo ""
echo "Removal aborted!"
fi
exit
;;
4) exit;;
esac
done
else
clear
echo 'Welcome to this quick OpenVPN "road warrior" installer'
echo ""
# OpenVPN setup and first user creation
echo "I need to ask you a few questions before starting the setup"
echo "You can leave the default options and just press enter if you are ok with them"
echo ""
echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
echo "listening to."
read -p "IP address: " -e -i $IP IP
echo ""
echo "Which protocol do you want for OpenVPN connections?"
echo " 1) UDP (recommended)"
echo " 2) TCP"
read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
case $PROTOCOL in
1)
PROTOCOL=udp
;;
2)
PROTOCOL=tcp
;;
esac
echo ""
echo "What port do you want OpenVPN listening to?"
read -p "Port: " -e -i 1194 PORT
echo ""
echo "Which DNS do you want to use with the VPN?"
echo " 1) Current system resolvers"
echo " 2) Google"
echo " 3) OpenDNS"
echo " 4) NTT"
echo " 5) Hurricane Electric"
echo " 6) Verisign"
read -p "DNS [1-6]: " -e -i 1 DNS
echo ""
echo "Finally, tell me your name for the client certificate"
echo "Please, use one word only, no special characters"
read -p "Client name: " -e -i client CLIENT
echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..."
if [[ "$OS" = 'debian' ]]; then
apt-get update
apt-get install openvpn iptables openssl ca-certificates -y
else
# Else, the distro is CentOS
yum install epel-release -y
yum install openvpn iptables openssl wget ca-certificates -y
fi
# An old version of easy-rsa was available by default in some openvpn packages
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
rm -rf /etc/openvpn/easy-rsa/
fi
# Get easy-rsa
wget -O ~/EasyRSA-3.0.3.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz"
tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
# Temporal fix for issue #353, which is caused by OpenVPN/easy-rsa#135
# Will be removed as soon as a new release of easy-rsa is available
sed -i 's/\[\[/\[/g;s/\]\]/\]/g;s/==/=/g' ~/EasyRSA-3.0.3/easyrsa
mv ~/EasyRSA-3.0.3/ /etc/openvpn/
mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
chown -R root:root /etc/openvpn/easy-rsa/
rm -rf ~/EasyRSA-3.0.3.tgz
cd /etc/openvpn/easy-rsa/
# Create the PKI, set up the CA, the DH params and the server + client certificates
./easyrsa init-pki
./easyrsa --batch build-ca nopass
./easyrsa gen-dh
./easyrsa build-server-full server nopass
./easyrsa build-client-full $CLIENT nopass
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
# Move the stuff we need
cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
# CRL is read with each client connection, when OpenVPN is dropped to nobody
chown nobody:$GROUPNAME /etc/openvpn/crl.pem
# Generate key for tls-auth
openvpn --genkey --secret /etc/openvpn/ta.key
# Generate server.conf
echo "port $PORT
proto $PROTOCOL
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
# DNS
case $DNS in
1)
# Obtain the resolvers from resolv.conf and use them for OpenVPN
grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
done
;;
2)
echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
;;
3)
echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
;;
4)
echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf
;;
5)
echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf
;;
6)
echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
;;
esac
echo "keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group $GROUPNAME
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem" >> /etc/openvpn/server.conf
# Enable net.ipv4.ip_forward for the system
sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
fi
# Avoid an unneeded reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
if pgrep firewalld; then
# Using both permanent and not permanent rules to avoid a firewalld
# reload.
# We don't use --add-service=openvpn because that would only work with
# the default port and protocol.
firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
firewall-cmd --zone=trusted --add-source=10.8.0.0/24
firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
# Set NAT for the VPN subnet
firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
else
# Needed to use rc.local with some systemd distros
if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
echo '#!/bin/sh -e
exit 0' > $RCLOCAL
fi
chmod +x $RCLOCAL
# Set NAT for the VPN subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
# If iptables has at least one REJECT rule, we asume this is needed.
# Not the best approach but I can't think of other and this shouldn't
# cause problems.
iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
fi
fi
# If SELinux is enabled and a custom port or TCP was selected, we need this
if hash sestatus 2>/dev/null; then
if sestatus | grep "Current mode" | grep -qs "enforcing"; then
if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
# semanage isn't available in CentOS 6 by default
if ! hash semanage 2>/dev/null; then
yum install policycoreutils-python -y
fi
semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
fi
fi
fi
# And finally, restart OpenVPN
if [[ "$OS" = 'debian' ]]; then
# Little hack to check for systemd
if pgrep systemd-journal; then
systemctl restart openvpn@server.service
else
/etc/init.d/openvpn restart
fi
else
if pgrep systemd-journal; then
systemctl restart openvpn@server.service
systemctl enable openvpn@server.service
else
service openvpn restart
chkconfig openvpn on
fi
fi
# Try to detect a NATed connection and ask about it to potential LowEndSpirit users
EXTERNALIP=$(wget -4qO- "http://whatismyip.akamai.com/")
if [[ "$IP" != "$EXTERNALIP" ]]; then
echo ""
echo "Looks like your server is behind a NAT!"
echo ""
echo "If your server is NATed (e.g. LowEndSpirit), I need to know the external IP"
echo "If that's not the case, just ignore this and leave the next field blank"
read -p "External IP: " -e USEREXTERNALIP
if [[ "$USEREXTERNALIP" != "" ]]; then
IP=$USEREXTERNALIP
fi
fi
# client-common.txt is created so we have a template to add further users later
echo "client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3" > /etc/openvpn/client-common.txt
# Generates the custom client.ovpn
newclient "$CLIENT"
echo ""
echo "Finished!"
echo ""
echo "Your client configuration is available at" ~/"$CLIENT.ovpn"
echo "If you want to add more clients, you simply need to run this script again!"
fi

16
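--- a/README
+++ b/README
@@ -1,16 +0,0 @@
-vps# iptables -t nat -A PREROUTING -p tcp --dport 9987 -j DNAT --to-destination 192.168.1.3 (mein Homeserver wenn ich richtig verstanden habe)
-vps# iptables -t nat -A POSTROUTING -p tcp --dport 9987 -j MASQUERADE
-vps# iptables -t nat -A PREROUTING -p tcp --dport 30033 -j DNAT --to-destination 192.168.1.3
-vps# iptables -t nat -A POSTROUTING -p tcp --dport 30033 -j MASQUERADE
-vps# iptables -t nat -A PREROUTING -p tcp --dport 10011 -j DNAT --to-destination 192.168.1.3
-vps# iptables -t nat -A POSTROUTING -p tcp --dport 10011 -j MASQUERADE
-Port forwarding using OpenVPN client
-sysctl -w net.ipv4.ip_forward=1
-iptables -t nat -A PREROUTING -d 50.xxx.xxx.xxx -p tcp --dport 8081 -j DNAT --to-dest 192.168.2.86:8081
-iptables -t nat -A POSTROUTING -d 192.168.2.86 -p tcp --dport 8081 -j SNAT --to-source 10.0.2.42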


@ -15,3 +15,20 @@ cat id_rsa.pub | ssh server 'cat>> ~/.ssh/authorized_keys'
# Zum suchen der libinput Treiber mit
libwacom-list-local-devices
for wort in /usr/share/libwacom/*; do if cat $wort | grep CTL-4100WL; then echo $wort; fi; done
# Port forwarding using OpenVPN client
vps# iptables -t nat -A PREROUTING -p tcp --dport 9987 -j DNAT --to-destination 192.168.1.3 (mein Homeserver wenn ich richtig verstanden habe)
vps# iptables -t nat -A POSTROUTING -p tcp --dport 9987 -j MASQUERADE
vps# iptables -t nat -A PREROUTING -p tcp --dport 30033 -j DNAT --to-destination 192.168.1.3
vps# iptables -t nat -A POSTROUTING -p tcp --dport 30033 -j MASQUERADE
vps# iptables -t nat -A PREROUTING -p tcp --dport 10011 -j DNAT --to-destination 192.168.1.3
vps# iptables -t nat -A POSTROUTING -p tcp --dport 10011 -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d 50.xxx.xxx.xxx -p tcp --dport 8081 -j DNAT --to-dest 192.168.2.86:8081
iptables -t nat -A POSTROUTING -d 192.168.2.86 -p tcp --dport 8081 -j SNAT --to-source 10.0.2.42


@ -1,3 +0,0 @@
29 0 \* /bin/bash /opt/scripts/make-backup.sh
su www-data -s /bin/bash -c "php occ files:scan --path /srieger/files/Backups/Server"


@ -1,913 +0,0 @@
#!/bin/bash
#
set -ex
echo "Version: Di 7. Nov 19:17:34 CET 2017"
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
echo "Als root Angemeldet"
function minimalinstallation() {
#Mehrzeiler
while read line
do
pacstrap -c -d -G -M ${mountpoint} $line
done < /etc/packages_all.txt
}
function secureumount() {
if [ "${dateisystem}" == "btrfs" ]; then
if cat /proc/mounts | grep ${mountpoint} > /dev/null; then
umount ${mountpoint}/boot
btrfs fi df ${mountpoint}
echo "umount!!!"
umount ${mountpoint}/home
umount ${mountpoint}/opt
umount ${mountpoint}/var/cache/pacman/pkg
umount ${mountpoint}/var/lib
# custom-mounts
for wort in ${mountsnaps}
do
umount ${mountpoint}${wort}
done
umount ${mountpoint}
umount /mnt/btrfs-root
#umount -R /mnt
fi
elif [ "${dateisystem}" == "ext4" ]; then
if cat /proc/mounts | grep ${mountpoint} > /dev/null; then
umount ${mountpoint}/boot
umount ${mountpoint}
fi
fi
}
function partionierenmitswap() {
wipefs -a -f ${device}
sgdisk -o ${device}
sgdisk -a 2048 -n 1::+1024K -c 1:"BIOS Boot Partition" -t 1:ef02 ${device}
sgdisk -a 2048 -n 2::+1G -c 2:"EFI Boot Partition" -t 2:ef00 ${device}
sgdisk -a 2048 -n 3::+8G -c 3:"Linux swap" -t 3:8200 ${device}
sgdisk -a 2048 -n 4:: -c 4:"Linux filesystem" -t 4:8300 ${device}
if [ "${verschluesselung}" == "y" ]; then
echo "Bitte groß YES schreiben"
cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat ${device}${rootpartitionnummer}
cryptsetup luksOpen ${device}${rootpartitionnummer} luks0
deviceluks="/dev/mapper/luks0"
fi
}
function partionierenohneswap() {
wipefs -a -f ${device}
sgdisk -o ${device}
sgdisk -a 2048 -n 1::+1024K -c 1:"BIOS Boot Partition" -t 1:ef02 ${device}
sgdisk -a 2048 -n 2::+1G -c 2:"EFI Boot Partition" -t 2:ef00 ${device}
sgdisk -a 2048 -n 3:: -c 4:"Linux filesystem" -t 3:8300 ${device}
if [ "${verschluesselung}" == "y" ]; then
echo "Bitte groß YES schreiben"
cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat ${device}${rootpartitionnummer}
cryptsetup luksOpen ${device}${rootpartitionnummer} luks0
deviceluks="/dev/mapper/luks0"
fi
}
function usbsecret() {
/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/install/usbsecret > ${mountpoint}/usr/lib/initcpio/install/usbsecret
/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/hooks/usbsecret > ${mountpoint}/root/usbsecret
# hooks
#cp install/usbsecret ${mountpoint}/usr/lib/initcpio/install/usbsecret
#cp hooks/usbsecret ${mountpoint}/usr/lib/initcpio/hooks/usbsecret
sed "s|%USB_UUID%|${usbsecretdeviceuuid}|g;" ${mountpoint}/root/usbsecret > ${mountpoint}/usr/lib/initcpio/hooks/usbsecret
}
function cron() {
echo "cron-job snapshot"
mkdir -p ${mountpoint}/var/spool/cron/
echo "0 18 * * * /usr/bin/snapshot make ROOT home opt var/cache/pacman/pkg ${mountsnaps}" > ${mountpoint}/var/spool/cron/root
if [ "${update}" != "n" ]; then
/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/snapshot.sh > ${mountpoint}/usr/bin/snapshot
chmod 755 ${mountpoint}/usr/bin/snapshot
fi
}
function makeswapfile() {
#swapfile
fallocate -l ${swapfilespeicher} ${mountpoint}/swapfile
chmod 600 ${mountpoint}/swapfile
mkswap ${mountpoint}/swapfile
echo "/swapfile none swap defaults 0 0" >> ${mountpoint}/etc/fstab
}
function makebtrfsswapfile() {
/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/btrfs-swapon > ${mountpoint}/usr/bin/btrfs-swapon
/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/btrfs-swapoff > ${mountpoint}/usr/bin/btrfs-swapoff
/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/btrfs-swapon.service > ${mountpoint}/root/btrfs-swapon.service
chmod +x ${mountpoint}/usr/bin/btrfs-swapon
chmod +x ${mountpoint}/usr/bin/btrfs-swapoff
sed "s|%swapfilespeicher%|${swapfilespeicher}|g;" ${mountpoint}/root/btrfs-swapon.service > ${mountpoint}/etc/systemd/system/btrfs-swapon.service
arch-chroot ${mountpoint} systemctl enable btrfs-swapon
}
function removeinstaller {
echo ""
if [ -f ${mountpoint}/usr/share/applications/arch-install.desktop ]
then
rm ${mountpoint}/usr/share/applications/arch-install.desktop
fi
echo ""
if [ -f ${mountpoint}/root/Schreibtisch/arch-install.desktop ]
then
rm ${mountpoint}/root/Schreibtisch/arch-install.desktop
fi
echo ""
if [ -f ${mountpoint}/home/user/Schreibtisch/arch-install.desktop ]
then
rm ${mountpoint}/home/user/Schreibtisch/arch-install.desktop
fi
echo ""
if [ -f ${mountpoint}/root/Desktop/arch-install.desktop ]
then
rm ${mountpoint}/root/Desktop/arch-install.desktop
fi
echo ""
if [ -f ${mountpoint}/home/user/Desktop/arch-install.desktop ]
then
rm ${mountpoint}/home/user/Desktop/arch-install.desktop
fi
echo ""
}
function installation {
#boot
echo "formatieren"
mkfs.vfat -F 32 ${device}${efipartitionnummer}
#root
if [ "${dateisystem}" == "btrfs" ]; then
#mkfs.btrfs -f -L p_arch ${device}2
btrfsformat #btrfs
subvolume #btrfs
elif [ "${dateisystem}" == "ext4" ]; then
echo "mit j bestätigen"
if [ "${verschluesselung}" == "y" ]; then
mkfs.ext4 -L p_arch ${deviceluks} #ext4
mount ${deviceluks} ${mountpoint}
else
mkfs.ext4 -L p_arch ${device}${rootpartitionnummer} #ext4
mount ${device}${rootpartitionnummer} ${mountpoint}
fi
fi
#swap
if [ "${swap}" != "n" ]; then
mkswap -L p_swap ${device}${swappartitionnummer}
fi
#installation
if [ "${offline}" != "n" ]
then
if [ -f /run/archiso/bootmnt/arch/$(uname -m)/airootfs.sfs ]
then
echo "Es ist kein copytoram System."
unsquashfs -f -d ${mountpoint} /run/archiso/bootmnt/arch/$(uname -m)/airootfs.sfs
else
echo "Es ist ein copytoram System."
unsquashfs -f -d ${mountpoint} /run/archiso/copytoram/airootfs.sfs
fi
else
minimalinstallation
fi
#kernel
parameter="base udev "
if [ "${swap}" != "n" ]; then
parameter="${parameter}resume "
fi
if [ "${verschluesselung}" == "y" ]; then
parameter="${parameter}encrypt "
fi
parameter="${parameter}block filesystems keyboard "
if [ "${verschluesselung}" == "y" ]; then
echo "btrfs-hook wird übersprungen!"
else
if [ "${dateisystem}" == "btrfs" ]; then
parameter="${parameter}btrfs "
fi
fi
if [ "${usbsecret}" == "y" ]; then
parameter="${parameter}usbsecret "
fi
echo ""
echo "MODULES=\"i915 radeon\"" > ${mountpoint}/etc/mkinitcpio.conf
echo "HOOKS=\"${parameter}\"" >> ${mountpoint}/etc/mkinitcpio.conf
echo "COMPRESSION=\"lz4\"" >> ${mountpoint}/etc/mkinitcpio.conf
echo "FILES=\"/etc/modprobe.d/blacklist-floppy.conf\"" >> ${mountpoint}/etc/mkinitcpio.conf
echo ""
echo "blacklist floppy" > ${mountpoint}/etc/modprobe.d/blacklist-floppy.conf
echo ""
#cp /etc/X11/xinit/xinitrc ${mountpoint}/etc/X11/xinit/xinitrc
echo "exec startxfce4" > ${mountpoint}/etc/X11/xinit/xinitrc
#
echo ""
echo "tmpfs /tmp tmpfs defaults 0 0" >> ${mountpoint}/etc/fstab
echo "tmpfs /dev/shm tmpfs defaults 0 0" >> ${mountpoint}/etc/fstab
#fstab
rootbind=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
#genfstab -Up ${mountpoint} >> ${mountpoint}/etc/fstab
if [ "${dateisystem}" == "btrfs" ]; then
btrfsfstab #btrfs
mkdir -p ${mountpoint}/run/btrfs-root
if [ "${verschluesselung}" == "y" ]; then
echo "${deviceluks} /run/btrfs-root/ btrfs defaults 0 0" >> ${mountpoint}/etc/fstab #btrfs
else
echo "PARTUUID=${rootbind} /run/btrfs-root/ btrfs defaults 0 0" >> ${mountpoint}/etc/fstab #btrfs
fi
#grep -v "/var/lib" < ${mountpoint}/etc/fstab > fstab.neu; mv fstab.neu ${mountpoint}/etc/fstab
echo "/run/btrfs-root/__current/ROOT/var/lib /var/lib none bind 0 0" >> ${mountpoint}/etc/fstab #btrfs
cron
elif [ "${dateisystem}" == "ext4" ]; then
if [ "${verschluesselung}" == "y" ]; then
echo "${deviceluks} / ext4 rw,defaults,noatime,nodiratime,discard 0 0" >> ${mountpoint}/etc/fstab
else
echo "PARTUUID=${rootbind} / ext4 rw,defaults,noatime,nodiratime,discard 0 0" >> ${mountpoint}/etc/fstab
fi
fi
bootbind=$(blkid -s PARTUUID -o value ${device}${efipartitionnummer})
echo -e "PARTUUID=${bootbind} /boot vfat rw,relatime 0 2" >> ${mountpoint}/etc/fstab
if [ "${swap}" != "n" ]; then
if [ "${verschluesselung}" == "y" ]; then
swappartition=$(blkid -s PARTUUID -o value ${device}${swappartitionnummer})
echo "swap PARTUUID=${swappartition} /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256" >> ${mountpoint}/etc/crypttab
echo "/dev/mapper/swap none swap defaults 0 0" >> ${mountpoint}/etc/fstab
else
swappartition=$(blkid -s PARTUUID -o value ${device}${swappartitionnummer})
echo "PARTUUID=${swappartition} none swap defaults 0 0" >> ${mountpoint}/etc/fstab
fi
fi
#makeswapfile+fstab
if [ "${swapfile}" == "y" ]; then
if [ "${dateisystem}" == "btrfs" ]; then
makebtrfsswapfile
elif [ "${dateisystem}" == "ext4" ]; then
makeswapfile
fi
fi
#hostname
echo "${name}"s-OS > ${mountpoint}/etc/hostname
#openvpn
if [ "${openvpn}" != "n" ]; then
arch-chroot ${mountpoint} systemctl enable openvpn-client@client.service
else
arch-chroot ${mountpoint} systemctl disable openvpn-client@client.service
fi
if [ "${usbsecret}" == "y" ]; then
usbsecret
fi
if [ "${verschluesselung}" == "y" ]; then
if [ "${boot}" == "grub" ]; then
tobootdevice=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
sed -i 's/GRUB_CMDLINE_LINUX=.*$/GRUB_CMDLINE_LINUX="cryptdevice=PARTUUID='$tobootdevice':luks0"/' ${mountpoint}/etc/default/grub
echo "GRUB_ENABLE_CRYPTODISK=y" >> ${mountpoint}/etc/default/grub
fi
fi
#sie könne hier ihre scripte die bei der installation ausgeführt werden sollen hinzufügen :D
}
function btrfsformat() {
if [ "$raid" == "raid0" ]; then
if [ "${verschluesselung}" == "y" ]; then
mkfs.btrfs -f -m raid10 -d raid10 ${deviceluks} ${device1}
else
mkfs.btrfs -f -m raid0 -d raid0 ${device}${rootpartitionnummer} ${device1}
fi
elif [ "$raid" == "raid1" ]; then
if [ "${verschluesselung}" == "y" ]; then
mkfs.btrfs -f -m raid10 -d raid10 ${deviceluks} ${device1}
else
mkfs.btrfs -f -m raid1 -d raid1 ${device}${rootpartitionnummer} ${device1}
fi
elif [ "$raid" == "raid10" ]; then
if [ "${verschluesselung}" == "y" ]; then
mkfs.btrfs -f -m raid10 -d raid10 ${deviceluks} ${device1}
else
mkfs.btrfs -f -m raid10 -d raid10 ${device}${rootpartitionnummer} ${device1}
fi
else
if [ "${verschluesselung}" == "y" ]; then
mkfs.btrfs -f -m single ${deviceluks}
else
mkfs.btrfs -f -m single ${device}${rootpartitionnummer}
fi
fi
btrfs filesystem show
}
function btrfsfstab() {
rootbind=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
if [ "${verschluesselung}" == "y" ]; then
echo -e "${deviceluks} / btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT 0 0" >> ${mountpoint}/etc/fstab
echo -e "${deviceluks} /home btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home 0 0" >> ${mountpoint}/etc/fstab
echo -e "${deviceluks} /opt btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt 0 0" >> ${mountpoint}/etc/fstab
echo -e "${deviceluks} /var/cache/pacman/pkg btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg 0 0" >> ${mountpoint}/etc/fstab
# custom-mounts
for wort in ${mountsnaps}
do
echo -e "${deviceluks} ${wort} btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} 0 0" >> ${mountpoint}/etc/fstab
done
else
echo -e "PARTUUID=${rootbind} / btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT 0 0" >> ${mountpoint}/etc/fstab
echo -e "PARTUUID=${rootbind} /home btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home 0 0" >> ${mountpoint}/etc/fstab
echo -e "PARTUUID=${rootbind} /opt btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt 0 0" >> ${mountpoint}/etc/fstab
echo -e "PARTUUID=${rootbind} /var/cache/pacman/pkg btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg 0 0" >> ${mountpoint}/etc/fstab
# custom-mounts
for wort in ${mountsnaps}
do
echo -e "PARTUUID=${rootbind} ${wort} btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} 0 0" >> ${mountpoint}/etc/fstab
done
fi
}
function btrfsmount() {
#[[ -z "${device}" ]] && device=${2}
if [ "${1}" == "1" ] || [ "${1}" == "" ]; then
if [ "${verschluesselung}" == "y" ]; then
mkdir -p /mnt/btrfs-root
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo ${deviceluks} /mnt/btrfs-root
else
mkdir -p /mnt/btrfs-root
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo ${device}${rootpartitionnummer} /mnt/btrfs-root
fi
fi
if [ "${1}" == "2" ] || [ "${1}" == "" ]; then
if [ "${verschluesselung}" == "y" ]; then
mkdir -p ${mountpoint}
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT ${deviceluks} ${mountpoint}
mkdir -p ${mountpoint}/home
mkdir -p ${mountpoint}/opt
mkdir -p ${mountpoint}/var/cache/pacman/pkg
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home ${deviceluks} ${mountpoint}/home
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt ${deviceluks} ${mountpoint}/opt
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg ${deviceluks} ${mountpoint}/var/cache/pacman/pkg
# custom-mounts
for wort in ${mountsnaps}
do
mkdir -p ${mountpoint}${wort}
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} ${deviceluks} ${mountpoint}${wort}
done
mkdir -p ${mountpoint}/var/lib
mount --bind /mnt/btrfs-root/__current/ROOT/var/lib ${mountpoint}/var/lib
else
mkdir -p ${mountpoint}
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT ${device}${rootpartitionnummer} ${mountpoint}
mkdir -p ${mountpoint}/home
mkdir -p ${mountpoint}/opt
mkdir -p ${mountpoint}/var/cache/pacman/pkg
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home ${device}${rootpartitionnummer} ${mountpoint}/home
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt ${device}${rootpartitionnummer} ${mountpoint}/opt
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg ${device}${rootpartitionnummer} ${mountpoint}/var/cache/pacman/pkg
# custom-mounts
for wort in ${mountsnaps}
do
mkdir -p ${mountpoint}${wort}
mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} ${device}${rootpartitionnummer} ${mountpoint}${wort}
done
mkdir -p ${mountpoint}/var/lib
mount --bind /mnt/btrfs-root/__current/ROOT/var/lib ${mountpoint}/var/lib
fi
# boot mount
mkdir -p ${mountpoint}/boot
mount -t vfat ${device}${efipartitionnummer} ${mountpoint}/boot
fi
}
function subvolume() {
# Mount
btrfsmount 1
# Create
mkdir -p /mnt/btrfs-root/__snapshot
mkdir -p /mnt/btrfs-root/__current
btrfs subvolume create /mnt/btrfs-root/__current/ROOT
btrfs subvolume create /mnt/btrfs-root/__current/home
btrfs subvolume create /mnt/btrfs-root/__current/opt
mkdir -p /mnt/btrfs-root/__current/var/cache/pacman
btrfs subvolume create /mnt/btrfs-root/__current/var/cache/pacman/pkg/
# custom-mounts
for wort in ${mountsnaps}
do
mkdir -p /mnt/btrfs-root/__current${wort%/*}
btrfs subvolume create /mnt/btrfs-root/__current${wort}
done
btrfs subvolume list -p /mnt/btrfs-root
# Mount
btrfsmount 2
}
function update() {
#statements
local if="${1}"
local of="${2}"
local parameters="${3}"
local before="${4}"
if [ -f "${of}" ]
then
rm ${of}
else
echo "${of} nicht vorhanden!"
fi
/usr/bin/curl -v -C - -f ${if} > ${of}
chmod 755 ${of}
[[ -n "${5}" ]] && of=${5}
${before} ${of} ${parameters}
}
function systemdboot() {
tobootdeviceuuid=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
swappartitionpart=$(blkid -s PARTUUID -o value ${device}${swappartitionnummer})
# zurücksetzen der parameter
parameter=""
if [ "${swap}" != "n" ]; then
parameter="${parameter}resume=PARTUUID=${swappartitionpart} "
fi
if [ "${verschluesselung}" == "y" ]; then
tobootdevice=${deviceluks}
parameter="${parameter}cryptdevice=PARTUUID=${tobootdeviceuuid}:luks0 "
else
tobootdevice="PARTUUID=${tobootdeviceuuid}"
fi
if [ "${dateisystem}" == "btrfs" ]; then
parameter="${parameter}rootflags=subvol=__current/ROOT "
fi
#rootsub=$(btrfs subvolume list /mnt | awk 'NR<0 && NR>2 {print $2}')
mkdir -p ${mountpoint}/boot/EFI/systemd/
mkdir -p ${mountpoint}/boot/EFI/BOOT/
cp ${mountpoint}/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${mountpoint}/boot/EFI/systemd/systemd-bootx64.efi
cp ${mountpoint}/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${mountpoint}/boot/EFI/BOOT/BOOTX64.EFI
mkdir -p ${mountpoint}/boot/loader/entries/
echo "title "${name}"s-os" > ${mountpoint}/boot/loader/entries/arch-uefi.conf
echo "linux /vmlinuz-linux" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
echo "initrd /intel-ucode.img" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
echo "initrd /initramfs-linux.img" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
echo "options root=${tobootdevice} rw ${parameter}" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
echo "title "${name}"s-os" > ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
echo "linux /vmlinuz-linux" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
echo "initrd /intel-ucode.img" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
echo "initrd /initramfs-linux-fallback.img" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
echo "options root=${tobootdevice} rw ${parameter}" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
echo "default arch-uefi" > ${mountpoint}/boot/loader/loader.conf
echo "timeout 1" >> ${mountpoint}/boot/loader/loader.conf
if [ "${booteintraege}" != "n" ]; then
echo "Zusätzliche Booteinträge werden erstellt!!!"
arch-chroot ${mountpoint} efibootmgr -c -d ${device} -p 1 -l /EFI/systemd/systemd-bootx64.efi -L "Linux Boot Manager"
arch-chroot ${mountpoint} efibootmgr -c -d ${device} -p 1 -l \vmlinuz-linux -L "Arch Linux efistub" -u "initrd=/initramfs-linux.img root=${tobootdevice} rw ${parameter}"
# überschreibt die efistub deswegen entfernt
#arch-chroot ${mountpoint} efibootmgr -c -d ${device} -p 1 -l \vmlinuz-linux -L "Arch Linux fallback efistub" -u "initrd=/initramfs-linux-fallback.img root=${tobootdevice} rw ${parameter}"
#arch-chroot ${mountpoint} bootctl install
fi
}
function abfrage() {
read -p "Wie heissen sie?: " name
[[ -z "${name}" ]] && name=arch-linux
# Partionierung
# UEFI oder Legacy-BIOS
echo ""
echo "UEFI = Unified Extensible Firmware Interface"
echo "Empfohlen fuer Neuere PCs"
echo "WICHTIG DAFUER MUESSEN SIE IM BOOTMENUE DEN UEFI USB_STICK AUSGEWAEHLT HABEN SONST KANN KEIN UEFI BOOTEINTRAG ERSTELLT WERDEN!!!"
echo ""
echo "BIOS = basic input/output system"
echo "Empfohlen fuer Alte PCs und portable USB-Sticks"
echo ""
echo "Bitte die Eingaben klein schreiben :D !!!"
echo "Für jedes ja must du ein y machen und für jedes nein ein n ok !!!"
echo ""
if mount | grep efi > /dev/null; then
echo "System unterstützt UEFI"
read -p "Wie moechten sie ihre Festplatte partioniert haben: [UEFI/bios] " Partition
[[ -z "${Partition}" ]] && Partition=uefi
else
echo "System unterstützt kein UEFI"
read -p "Wie moechten sie ihre Festplatte partioniert haben: [uefi/BIOS] " Partition
[[ -z "${Partition}" ]] && Partition=bios
fi
if [ "${Partition}" == "uefi" ]
then
read -p "Soll mit systemd gebootet werden oder mit grub? [systemd/GRUB] : " boot
if [ "${boot}" == "systemd" ]; then
read -p "Sollen noch zusätzliche Booteinträge erstelt werden? [Y/n] : " booteintraege
fi
fi
[[ -z "${boot}" ]] && boot=grub
fdisk -l
read -p "Geben sie eine Festplatte an: /dev/sda " device
[[ -z "${device}" ]] && device=/dev/sda
read -p "Welches Passwort soll der Root erhalten?: root " pass
[[ -z "${pass}" ]] && pass=root
read -p "Welches Dateisystem soll benutzt werden? [BTRFS/ext4] " dateisystem
[[ -z "${dateisystem}" ]] && dateisystem=btrfs
if [ "${dateisystem}" == "btrfs" ]; then
read -p "Soll ein raid gemacht werden?: [raid0/raid1/raid10/n] " raid
[[ -z "${raid}" ]] && raid=n
if [ "${raid}" == "n" ]; then
echo "Kein raid wird erzeugt!"
else
fdisk -l
read -p "Bitte geben sie die Festplatten in eine Reihe an die zu einem Raid verbunden werden sollen!!!: " device1
fi
echo "Standartmässige Snapshots / /home /opt /var/cache/pacman/pkg"
echo "Die Verzeichnisse dürfen sich nicht überlappen sonst kann es zu problemen mit dem unmounten kommen!!!"
read -p "Sollen mehr Snapshots erstellt werden?: " mountsnaps
fi
read -p "Wollen sie eine swap-partition erstellen? : [Y/n] " swap
read -p "Wollen sie eine swapfile erstellen? : [y/N] " swapfile
if [ "${update}" != "n" ]; then
echo "Diese einstellung kann man mit: "
echo "systemctl enable openvpn-client@client.service aktivieren und mit"
echo "systemctl disable openvpn-client@client.service deaktivieren"
echo "Die Bandbreite wird dadurch reduziert aber die Sicherheit deutlich erhöht"
read -p "Soll die Verbindung mit einer VPN verschlüsselt werden? : [Y/n] " openvpn
fi
if [ "${update}" != "n" ]; then
echo "WARNUNG das System wird nicht verschlüsselt!!!"
echo "WARNUNG ohne den USB-Stick startet das System nicht mehr!!!"
read -p "Soll ein USB-Stick als Schlüssel für das System installiert werden? : [y/N] " usbsecret
if [ "${usbsecret}" == "y" ]; then
read -p "Welcher USB-Stick soll ausgewählt werden für die USB-secret Schlüssel?: /dev/sdb1 " usbsecretdevice
[[ -z "${usbsecretdevice}" ]] && device=/dev/sdb1
usbsecretdeviceuuid=$(blkid -s PARTUUID -o value ${usbsecretdevice})
[[ -z "${usbsecretdeviceuuid}" ]] && mkfs.ext4 ${usbsecretdevice}
fi
fi
if [ "${raid}" == "n" ]; then
read -p "Soll die Festplatte verschlüsselt werden? : [y/N] " verschluesselung
fi
# berechnungen
if [ "${update}" != "n" ] && [ "spectre-os" != "$(cat /etc/hostname)" ]; then
read -p "Soll eine Offline-Installation durchgefuehrt werden? : [Y/n] " offline
if [ "${offline}" != "n" ]
then
install="offline"
else
install="online"
fi
else
install="offline"
fi
# Dateisystem
if [ "${dateisystem}" == "btrfs" ]; then
mountpoint="/mnt/btrfs-current"
elif [ "${dateisystem}" == "ext4" ]; then
mountpoint="/mnt"
fi
#
echo "Name: ${name}"
echo "Partionsart: ${Partition}"
echo "Bootloader: ${boot}"
echo "Laufwerk: ${device}"
if [ "${raid}" != "n" ]; then
echo "Raid: ${raid}"
echo "Festplatten: ${device1}"
fi
echo "Dateisystem: ${dateisystem}"
#echo "System-Partition ${speicher}"
#if [ "${swap}" != "n" ]; then
# echo "Swap-partition ${swapspeicher}"
#fi
#if [ "${swapfile}" == "y" ]; then
# echo "Swapfile ${swapfilespeicher}"
#fi
echo "Rootpasswort: ${pass}"
echo "Architektur: $(uname -m)"
echo "Installation: ${install}"
if [ "${dateisystem}" == "btrfs" ]; then
for wort in ${mountsnaps}
do
echo "Snapshot ${wort} wird erstellt!!!"
done
fi
if [ "${openvpn}" != "n" ]; then
echo "VPN-Verschlüsselung: aktiv"
fi
if [ "${usbsecret}" == "y" ]; then
echo "USB-secret: aktiv"
echo "USB-UIDD: ${usbsecretdeviceuuid}"
echo "USB-Label: ${usbsecretdevice}"
fi
if [ "${verschluesselung}" == "y" ]; then
echo "Fesptplatte mit Luks 512KB verschlüsselung: aktiv"
fi
# Partitionierung
if [ "${dateisystem}" == "btrfs" ]; then
if [ "${Partition}" == "uefi" ]; then
bootpartitionnummer=1
efipartitionnummer=2
rootpartitionnummer=3
if [ "${swap}" != "n" ]; then
swappartitionnummer=3
rootpartitionnummer=4
fi
elif [ "${Partition}" == "bios" ]; then
bootpartitionnummer=1
efipartitionnummer=2
rootpartitionnummer=3
if [ "${swap}" != "n" ]; then
swappartitionnummer=3
rootpartitionnummer=4
fi
fi
elif [ "${dateisystem}" == "ext4" ]; then
if [ "${Partition}" == "uefi" ]; then
bootpartitionnummer=1
efipartitionnummer=2
rootpartitionnummer=3
if [ "${swap}" != "n" ]; then
swappartitionnummer=3
rootpartitionnummer=4
fi
elif [ "${Partition}" == "bios" ]; then
bootpartitionnummer=1
efipartitionnummer=2
rootpartitionnummer=3
if [ "${swap}" != "n" ]; then
swappartitionnummer=3
rootpartitionnummer=4
fi
fi
fi
echo "Boot-Partition = ${device}${bootpartitionnummer}"
echo "EFI-Partition = ${device}${efipartitionnummer}"
echo "Swap-Partition = ${device}${swappartitionnummer}"
echo "ROOT-Partition = ${device}${rootpartitionnummer}"
#
read -p "Sind alle Angaben Richtig?: [y/N] " sicherheitsabfrage
if [ "$sicherheitsabfrage" != "y" ]
then
echo "ABGEBROCHEN"
exit 1
fi
if [ "${update}" != "n" ] && [ "spectre-os" != "$(cat /etc/hostname)" ]; then
echo "Nur für reine arch-linux systeme benötigend!!!"
read -p "Sollen noch wichtige Packete für die installation installiert werden? [y/N] " packete
if [ "${packete}" == "y" ]; then
pacman -Syu base base-devel syslinux efibootmgr efitools grub intel-ucode os-prober btrfs-progs dosfstools arch-install-scripts xorriso cdrtools squashfs-tools wget dosfstools btrfs-progs gdisk dialog bash-completion git iw wireless_tools wpa_supplicant
fi
fi
echo "Betriebssystem wird installiert!!!"
sleep 5
}
if [ "${1}" != "n" ]
then
read -p "Soll im Internet geguckt werden ob es ein neues Install-Script gibt und dann ausgefuehrt werden?: [Y/n] " update
if [ "${update}" == "debug" ]
then
echo "Überspringe das herunterladen einen neuen Scriptes!!!"
else
if [ "${update}" != "n" ]
then
update https://raw.githubusercontent.com/simono41/Simon-OS/master/arch-install /root/arch-install.new n
exit 0
fi
fi
fi
# debug = Installation überspringen zu arch-graphical-install und DEBEUG-MODUS
abfrage
secureumount
if [ "${name}" == "debug" ]
then
echo "DEBEUG-MODUS"
echo "Wenn kein befehl mehr ausgefuehrt werden muss einfach eingabetaste druecken"
echo "Welcher befehl soll ausgefuert werden? "
befehl=blablabla
while [ "$befehl" != "" ]
do
read -p "" befehl
$befehl
done
fi
#
echo "Eine Säuberung erhört die chance der Installation auf dem System."
echo "Es kann eine Zeit lang dauern!"
dd if=/dev/zero of=${device} bs=64M count=10 status=progress
#
if [ "${Partition}" == "uefi" ]
then
echo "Partioniere mit UEFI"
if [ "${swap}" != "n" ]; then
echo "Erstelle zustzliche swap-partition"
partionierenmitswap
else
partionierenohneswap
fi
echo "installation"
installation
arch-chroot ${mountpoint} /bin/bash <<EOT
mkinitcpio -p linux
passwd
${pass}
${pass}
EOT
echo ""
if [ "${boot}" == "grub" ]
then
arch-chroot ${mountpoint} /bin/bash <<EOT
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="${name}"s-os --recheck
grub-mkconfig -o /boot/grub/grub.cfg
EOT
else
systemdboot
fi
removeinstaller
echo "Fertig"
elif [ "${Partition}" == "bios" ]; then
echo "Partioniere mit bios"
if [ "${swap}" != "n" ]; then
echo "Erstelle zustzliche swap-partition"
partionierenmitswap
else
partionierenohneswap
fi
echo "installation"
installation
arch-chroot ${mountpoint} /bin/bash <<EOT
mkinitcpio -p linux
passwd
${pass}
${pass}
grub-install --target=i386-pc --recheck ${device}
grub-mkconfig -o /boot/grub/grub.cfg
EOT
removeinstaller
echo "Fertig"
else
echo "Eingabe Ungueltig"
exit 1
fi
if [ "${update}" != "n" ] && [ "spectre-os" != "$(cat /etc/hostname)" ]; then
read -p "Soll die erweiterte Installation durchgeführt werden? [Y/n] " graphical
if [ "$graphical" != "n" ]
then
update https://raw.githubusercontent.com/simono41/Simon-OS/master/arch-graphical-install ${mountpoint}/root/arch-graphical-install "n" "arch-chroot ${mountpoint}" /root/arch-graphical-install
fi
fi
echo "df!!!"
df -h
if [ "${dateisystem}" == "btrfs" ]; then
btrfs filesystem df ${mountpoint}
fi
echo "umount!!!"
sleep 5
secureumount
echo ""
echo "Fertig!!!"
read -p "Installation erfolgreich Abgeschlossen. Wollen sie den PC NEUSTARTEN?: [Y/n] " sicherheitsabfrage
if [ "$sicherheitsabfrage" != "n" ]
then
echo "starte neu"
reboot
fi
exit 0

4
backup-server-files.sh Normal file → Executable file

@ -1,8 +1,8 @@
# backup
for wort in $(ls -d */ | cut -f1 -d'/'); do echo $wort; tar -pczf ${wort}.tar.gz ${wort}; done
for wort in $(ls -d */ | cut -f1 -d'/'); do echo $wort; tar --use-compress-program=pigz -pcf ${wort}.tar.gz ${wort}; done
# transfer data (SSH)
scp -P 1022 *tar.gz simono41@65.108.123.253:
# restore
for wort in *.tar.gz; do echo $wort; tar -pxzf $wort; done
for wort in *.tar.gz; do echo $wort; tar -pxzf $wort; done
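Review bot: The backup loop on the new `tar --use-compress-program=pigz` line still builds its directory list from `$(ls -d */ | cut -f1 -d'/')` and expands `$wort` unquoted, so any directory name containing whitespace or glob characters is split into several bogus archive names; a glob does the same job safely: `for wort in */; do wort=${wort%/}; tar --use-compress-program=pigz -pcf "${wort}.tar.gz" -- "${wort}"; done`. The two restore lines printed at the end look identical apart from whitespace, so it is not clear from the page which side is old and which is new; whichever survives should quote `"$wort"` for the same reason. Since the restore runs `tar -p`, archive ownership and modes are applied as-is, which is fine for a root-run backup but worth a one-line comment so nobody runs it on untrusted tarballs.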

0
connect_adb-bridge.sh Normal file → Executable file

0
create_ssh_adb-bridge.sh Normal file → Executable file

0
install_app_and_debug.sh Normal file → Executable file

0
make-backup.sh Normal file → Executable file

0
ocr.sh Normal file → Executable file

67
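--- a/raspberry_arch-install.sh
+++ b/raspberry_arch-install.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+#
+set -ex
+if [[ $EUID -ne 0 ]]; then
+echo "This script must be run as root" 1>&2
+sudo "${0}" "$@"
+exit 0
+fi
+fdisk -l
+read -p "Welches Laufwerk soll beschrieben werden?: [/dev/sda|/dev/sdb] " device
+echo "Wipe Device ${device} ..."
+sleep 5
+wipefs -a -f ${device}
+sgdisk -o ${device}
+echo "Create new Partition type ..."
+sleep 5
+bootpartitionnummer=1
+rootpartitionnummer=2
+sgdisk -a 2048 -n ${bootpartitionnummer: -1}::+1024K -c ${bootpartitionnummer: -1}:"BIOS Boot Partition" -t ${bootpartitionnummer: -1}:ef02 ${device}
+sgdisk -a 2048 -n ${rootpartitionnummer: -1}:: -c ${rootpartitionnummer: -1}:"Linux filesystem" -t ${rootpartitionnummer: -1}:8300 ${device}
+echo "Create and mount the FAT filesystem..."
+sleep 5
+mkfs.vfat /dev/sdX1
+mkdir boot
+mount /dev/sdX1 boot
+echo "Create and mount the ext4 filesystem..."
+sleep 5
+mkfs.ext4 /dev/sdX2
+mkdir root
+mount /dev/sdX2 root
+echo "Download and extract the root filesystem..."
+sleep 5
+wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz
+bsdtar -xpf ArchLinuxARM-rpi-armv7-latest.tar.gz -C root
+sync
+echo "Move boot files to the first partition..."
+sleep 5
+mv root/boot/* boot
+echo "Unmount the two partitions..."
+sleep 5
+umount boot root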
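Review bot: The filesystem and mount steps on the `mkfs.vfat /dev/sdX1`, `mount /dev/sdX1 boot`, `mkfs.ext4 /dev/sdX2` and `mount /dev/sdX2 root` lines use the literal placeholder `/dev/sdX` instead of the `${device}` the user just selected, so the script wipes and partitions one disk and then formats (or fails on) a different path; derive the partition nodes from `${device}` and quote them, as below. The Arch Linux ARM tarball is fetched over plain `http://` and unpacked straight into `root` with `bsdtar -xpf` without any checksum or signature check, so a tampered download ends up on the target system unnoticed — verify it against whatever checksum the project publishes alongside the image (confirm one is available) before extracting. `${device}` is also expanded unquoted on every `wipefs`/`sgdisk` line and `read -p` accepts it without validation; a guard such as `[[ -b "${device}" ]] || exit 1` right after the `read` would stop `wipefs -a -f` from running on a mistyped path. The hunk header announces 67 added lines but only 41 are shown on the page, so the tail of the file may be outside this view.
```shell
# … unchanged: wipefs, sgdisk partitioning …
bootdev="${device}1"   # NOTE(review): mmcblk/nvme nodes use a "p" separator (e.g. ...p1) — handle if those are targets
rootdev="${device}2"
mkfs.vfat "${bootdev}"
mkdir boot
mount "${bootdev}" boot
# … unchanged: echo "Create and mount the ext4 filesystem...", sleep …
mkfs.ext4 "${rootdev}"
mkdir root
mount "${rootdev}" root
# … unchanged: download, extract, move boot files, umount …
```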

0
ssh Normal file → Executable file

0
sslstrip.log Normal file → Executable file

0
youtube-dl-helper_v1.sh Normal file → Executable file

0
youtube-dl-helper_v2.sh Normal file → Executable file

0
youtube-mplayer.sh Normal file → Executable file

0
youtube-vlc.sh Normal file → Executable file

0
youtube-vlc_windows.sh Normal file → Executable file