diff --git a/Angristan/2.4/openvpn-install.sh b/Angristan/2.4/openvpn-install.sh
deleted file mode 100755
index 59e4627..0000000
--- a/Angristan/2.4/openvpn-install.sh
+++ /dev/null
@@ -1,844 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
-# https://github.com/Angristan/OpenVPN-install
-
-
-if [[ "$EUID" -ne 0 ]]; then
- echo "Sorry, you need to run this as root"
- exit 1
-fi
-
-if [[ ! -e /dev/net/tun ]]; then
- echo "TUN is not available"
- exit 2
-fi
-
-if grep -qs "CentOS release 5" "/etc/redhat-release"; then
- echo "CentOS 5 is too old and not supported"
- exit 3
-fi
-
-if [[ -e /etc/debian_version ]]; then
- OS="debian"
- # Getting the version number, to verify that a recent version of OpenVPN is available
- VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
- RCLOCAL='/etc/rc.local'
- SYSCTL='/etc/sysctl.conf'
- if [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
- echo "Your version of Debian/Ubuntu is not supported."
- echo "I can't install a recent version of OpenVPN on your system."
- echo ""
- echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
- echo "then you can continue, a recent version of OpenVPN is available on these."
- echo "Keep in mind they are not supported, though."
- while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
- read -p "Continue ? [y/n]: " -e CONTINUE
- done
- if [[ "$CONTINUE" = "n" ]]; then
- echo "Ok, bye !"
- exit 4
- fi
- fi
-elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
- OS=centos
- RCLOCAL='/etc/rc.d/rc.local'
- SYSCTL='/etc/sysctl.conf'
- # Needed for CentOS 7
- chmod +x /etc/rc.d/rc.local
-elif [[ -e /etc/arch-release ]]; then
- OS=arch
- RCLOCAL='/etc/rc.local'
- SYSCTL='/etc/sysctl.d/openvpn.conf'
-else
- echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
- exit 4
-fi
-
-newclient () {
- # Where to write the custom client.ovpn?
- if [ ${SUDO_USER} ]; then # if not, use SUDO_USER
- homeDir="/home/${SUDO_USER}"
- else # if not SUDO_USER, use /root
- homeDir="/root"
- fi
- # Generates the custom client.ovpn
- cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- #We verify if we used tls-crypt or tls-auth during the installation
- TLS_SIG=$(cat /etc/openvpn/TLS_SIG)
- if [[ $TLS_SIG == "1" ]]; then
- echo "" >> ~/$1.ovpn
- cat /etc/openvpn/tls-crypt.key >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- elif [[ $TLS_SIG == "2" ]]; then
- echo "key-direction 1" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- fi
-}
-
-# Try to get our IP from the system and fallback to the Internet.
-# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
-# and to avoid getting an IPv6.
-IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
-if [[ "$IP" = "" ]]; then
- IP=$(wget -qO- ipv4.icanhazip.com)
-fi
-# Get Internet network interface with default route
-NIC=$(ip -4 route ls | grep default -m 1 | grep -Po '(?<=dev )(\S+)')
-
-if [[ -e /etc/openvpn/server.conf ]]; then
- while :
- do
- clear
- echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
- echo ""
- echo "Looks like OpenVPN is already installed"
- echo ""
- echo "What do you want to do?"
- echo " 1) Add a cert for a new user"
- echo " 2) Revoke existing user cert"
- echo " 3) Remove OpenVPN"
- echo " 4) Exit"
- read -p "Select an option [1-4]: " option
- case $option in
- 1)
- echo ""
- echo "Tell me a name for the client cert"
- echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i client CLIENT
- cd /etc/openvpn/easy-rsa/
- ./easyrsa build-client-full $CLIENT nopass
- # Generates the custom client.ovpn
- newclient "$CLIENT"
- echo ""
- echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
- exit
- ;;
- 2)
- NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
- if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
- echo ""
- echo "You have no existing clients!"
- exit 5
- fi
- echo ""
- echo "Select the existing client certificate you want to revoke"
- tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
- if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
- read -p "Select one client [1]: " CLIENTNUMBER
- else
- read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
- fi
- CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
- cd /etc/openvpn/easy-rsa/
- ./easyrsa --batch revoke $CLIENT
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- rm -rf pki/reqs/$CLIENT.req
- rm -rf pki/private/$CLIENT.key
- rm -rf pki/issued/$CLIENT.crt
- rm -rf /etc/openvpn/crl.pem
- cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
- chmod 644 /etc/openvpn/crl.pem
- echo ""
- echo "Certificate for client $CLIENT revoked"
- echo "Exiting..."
- exit
- ;;
- 3)
- echo ""
- read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
- if [[ "$REMOVE" = 'y' ]]; then
- PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
- if pgrep firewalld; then
- # Using both permanent and not permanent rules to avoid a firewalld reload.
- firewall-cmd --zone=public --remove-port=$PORT/udp
- firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
- firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
- firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
- fi
- if iptables -L -n | grep -qE 'REJECT|DROP'; then
- sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
- fi
- sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
- if hash sestatus 2>/dev/null; then
- if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
- semanage port -d -t openvpn_port_t -p udp $PORT
- fi
- fi
- fi
- if [[ "$OS" = 'debian' ]]; then
- apt-get autoremove --purge -y openvpn
- elif [[ "$OS" = 'arch' ]]; then
- pacman -R openvpn --noconfirm
- else
- yum remove openvpn -y
- fi
- rm -rf /etc/openvpn
- rm -rf /usr/share/doc/openvpn*
- # Where are the client files?
- if [ ${SUDO_USER} ]; then # if not, use SUDO_USER
- homeDir="/home/${SUDO_USER}"
- else # if not SUDO_USER, use /root
- homeDir="/root"
- fi
- rm $homeDir/*.ovpn
- echo ""
- echo "OpenVPN removed!"
- else
- echo ""
- echo "Removal aborted!"
- fi
- exit
- ;;
- 4) exit;;
- esac
- done
-else
- clear
- echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
- echo ""
- # OpenVPN setup and first user creation
- echo "I need to ask you a few questions before starting the setup"
- echo "You can leave the default options and just press enter if you are ok with them"
- echo ""
- echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
- echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
- echo "Otherwise, it should be your public IPv4 address."
- read -p "IP address: " -e -i $IP IP
- echo ""
- echo "What port do you want for OpenVPN?"
- read -p "Port: " -e -i 1194 PORT
- echo ""
- echo "What protocol do you want for OpenVPN?"
- echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
- echo " 1) UDP (recommended)"
- echo " 2) TCP"
- while [[ $PROTOCOL != "1" && $PROTOCOL != "2" ]]; do
- read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
- done
- echo ""
- echo "What DNS do you want to use with the VPN?"
- echo " 1) Current system resolvers (in /etc/resolv.conf)"
- echo " 2) FDN (France)"
- echo " 3) DNS.WATCH (Germany)"
- echo " 4) OpenDNS (Anycast: worldwide)"
- echo " 5) Google (Anycast: worldwide)"
- echo " 6) Yandex Basic (Russia)"
- while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" ]]; do
- read -p "DNS [1-6]: " -e -i 1 DNS
- done
- echo ""
- echo "Choose which compression algorithm you want to use:"
- echo " 1) LZ4 (faster)"
- echo " 2) LZ0 (use for OpenVPN 2.3 compatibility"
- while [[ $COMPRESSION != "1" && $COMPRESSION != "2" ]]; do
- read -p "Compression algorithm [1-2]: " -e -i 1 COMPRESSION
- done
- case $COMPRESSION in
- 1)
- COMPRESSION="lz4"
- ;;
- 2)
- COMPRESSION="lzo"
- ;;
- esac
- echo ""
- echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
- echo "the encryption in OpenVPN and the choices proposed in this script."
- echo "Please note that all the choices proposed are secure enough considering today's strandards, unlike some default OpenVPN options"
- echo "You can just type "enter" if you don't know what to choose."
- echo "Note that if you want to use an OpenVPN 2.3 client, You'll have to choose OpenVPN 2.3-compatible options."
- echo "All OpenVPN 2.3-compatible choices are specified for each following option."
- echo ""
- echo "Choose which cipher you want to use for the data channel:"
- echo " 1) AES-128-GCM (recommended)"
- echo " 2) AES-192-GCM"
- echo " 3) AES-256-GCM"
- echo "Only use AES-CBC for OpenVPN 2.3 compatibilty"
- echo " 4) AES-128-CBC"
- echo " 5) AES-192-CBC"
- echo " 6) AES-256-CBC"
- while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" ]]; do
- read -p "Data channel cipher [1-6]: " -e -i 1 CIPHER
- done
- case $CIPHER in
- 1)
- CIPHER="cipher AES-128-GCM"
- ;;
- 2)
- CIPHER="cipher AES-192-GCM"
- ;;
- 3)
- CIPHER="cipher AES-256-GCM"
- ;;
- 4)
- CIPHER="cipher AES-128-CBC"
- ;;
- 5)
- CIPHER="cipher AES-192-CBC"
- ;;
- 6)
- CIPHER="cipher AES-256-CBC"
- ;;
- esac
- echo ""
- echo "Choose what kind of certificate you want to use:"
- echo "Elleptic Curves keys (EC) are recommended, they're faster, lighter and more secure."
- echo "Use RSA for OpenVPN 2.3 compatibilty"
- echo " 1) ECDSA (recommended)"
- echo " 2) RSA"
- while [[ $CERT_TYPE != "1" && $CERT_TYPE != "2" ]]; do
- read -p "Certificate type [1-2]: " -e -i 1 CERT_TYPE
- done
- case $CERT_TYPE in
- 1)
- echo ""
- echo "Choose which curve you want to use for the EC key:"
- echo " 1) secp256r1"
- echo " 2) secp384r1 (recommended)"
- echo " 3) secp521r1"
- while [[ $CERT_CURVE != "1" && $CERT_CURVE != "2" && $CERT_CURVE != "3" ]]; do
- read -p "Curve [1-3]: " -e -i 2 CERT_CURVE
- done
- case $CERT_CURVE in
- 1)
- CERT_CURVE="secp256r1"
- ;;
- 2)
- CERT_CURVE="secp384r1"
- ;;
- 3)
- CERT_CURVE="secp521r1"
- ;;
- esac
- ;;
- 2)
- echo ""
- echo "Choose which RSA key size you want to use:"
- echo " 1) 2048 bits"
- echo " 2) 3072 bits (recommended)"
- echo " 3) 4096 bits"
- while [[ $RSA_SIZE != "1" && $RSA_SIZE != "2" && $RSA_SIZE != "3" ]]; do
- read -p "DH key size [1-3]: " -e -i 2 RSA_SIZE
- done
- case $RSA_SIZE in
- 1)
- RSA_SIZE="2048"
- ;;
- 2)
- RSA_SIZE="3072"
- ;;
- 3)
- RSA_SIZE="4096"
- ;;
- esac
- ;;
- esac
- echo ""
- echo "Choose which hash algorithm you want to use for the certificate:"
- echo " 1) SHA-256"
- echo " 2) SHA-384 (recommended)"
- echo " 3) SHA-512"
- while [[ $CERT_HASH != "1" && $CERT_HASH != "2" && $CERT_HASH != "3" ]]; do
- read -p "Hash algorithm [1-3]: " -e -i 2 CERT_HASH
- done
- case $CERT_HASH in
- 1)
- CERT_HASH="sha256"
- ;;
- 2)
- CERT_HASH="sha384"
- ;;
- 3)
- CERT_HASH="sha512"
- ;;
- esac
- echo ""
- echo "Choose what kind of Diffie-Hellman key you want to use."
- echo "Elleptic Curves (EC) are recommended, they're faster, lighter and more secure."
- echo "Use DH for OpenVPN 2.3 compatibilty"
- echo " 1) ECDH (recommended)"
- echo " 2) DH"
- while [[ $DH_TYPE != "1" && $DH_TYPE != "2" ]]; do
- read -p "DH key type [1-2]: " -e -i 1 DH_TYPE
- done
- case $DH_TYPE in
- 1)
- echo ""
- echo "Choose which curve you want to use for the ECDH key"
- echo " 1) secp256r1"
- echo " 2) secp384r1 (recommended)"
- echo " 3) secp521r1"
- while [[ $DH_CURVE != "1" && $DH_CURVE != "2" && $DH_CURVE != "3" ]]; do
- read -p "Curve [1-3]: " -e -i 2 DH_CURVE
- done
- case $DH_CURVE in
- 1)
- DH_CURVE="secp256r1"
- ;;
- 2)
- DH_CURVE="secp384r1"
- ;;
- 3)
- DH_CURVE="secp521r1"
- ;;
- esac
- ;;
- 2)
- echo""
- echo "Choose which DH key size you want to use"
- echo " 1) 2048 bits"
- echo " 2) 3072 bits (recommended)"
- echo " 3) 4096 bits"
- while [[ $DH_SIZE != "1" && $DH_SIZE != "2" && $DH_SIZE != "3" ]]; do
- read -p "DH key size [1-3]: " -e -i 2 DH_SIZE
- done
- case $DH_SIZE in
- 1)
- DH_SIZE="2048"
- ;;
- 2)
- DH_SIZE="3072"
- ;;
- 3)
- DH_SIZE="4096"
- ;;
- esac
- ;;
- esac
- echo ""
- echo "Choose which cipher you want to use for the control channel:"
- if [[ "$CERT_TYPE" = '1' ]]; then
- echo " 1) ECDHE-ECDSA-AES-256-GCM-SHA384 (recommended)"
- echo " 2) ECDHE-ECDSA-AES-128-GCM-SHA256"
- while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
- read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
- done
- case $CC_ENC in
- 1)
- CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"
- ;;
- 2)
- CC_ENC="TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"
- ;;
- esac
- elif [[ "$CERT_TYPE" = '2' ]]; then
- echo " 1) ECDHE-RSA-AES-256-GCM-SHA384 (recommended)"
- echo " 2) ECDHE-RSA-AES-128-GCM-SHA256"
- while [[ $CC_ENC != "1" && $CC_ENC != "2" ]]; do
- read -p "Control channel cipher [1-2]: " -e -i 1 CC_ENC
- done
- case $CC_ENC in
- 1)
- CC_ENC="TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
- ;;
- 2)
- CC_ENC="TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"
- ;;
- esac
- fi
- echo ""
- echo "Do you want to use tls-crypt or tls-auth?"
- echo "They both encrypt and authenticate all control channel packets with a key."
- echo "tls-crypt is more advanced and secure than tls-auth, but it's an OpenVPN 2.4 feature."
- echo " 1) tls-crypt (recommended)"
- echo " 2) tls-auth (use only for OpenVPN 2.3 client compatibility)"
- while [[ $TLS_SIG != "1" && $TLS_SIG != "2" ]]; do
- read -p "Crontrol channel additional security layer [1-2]: " -e -i 1 TLS_SIG
- done
- echo""
- if [[ $CIPHER = "cipher AES-256-GCM" ]] || [[ $CIPHER = "cipher AES-192-GCM" ]] || [[ $CIPHER = "cipher AES-128-GCM" ]]; then
- echo "Choose which message digest algorithm you want to use for the tls-auth/tls-crypt control channel packets:"
- elif [[ $CIPHER = "cipher AES-256-CBC" ]] || [[ $CIPHER = "cipher AES-192-CBC" ]] || [[ $CIPHER = "cipher AES-128-CBC" ]]; then
- echo "Choose which message digest algorithm you want to use for the data channel packets"
- echo "and the tls-auth/tls-crypt control channel packets:"
- fi
- echo " 1) SHA-256"
- echo " 2) SHA-384 (recommended)"
- echo " 3) SHA-512"
- while [[ $HMAC_AUTH != "1" && $HMAC_AUTH != "2" && $HMAC_AUTH != "3" ]]; do
- read -p "HMAC authentication algorithm [1-3]: " -e -i 2 HMAC_AUTH
- done
- case $HMAC_AUTH in
- 1)
- HMAC_AUTH="SHA256"
- ;;
- 2)
- HMAC_AUTH="SHA384"
- ;;
- 3)
- HMAC_AUTH="SHA512"
- ;;
- esac
- echo ""
- echo "Finally, tell me a name for the client certificate and configuration"
- while [[ $CLIENT = "" ]]; do
- echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i client CLIENT
- done
- echo ""
- echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
- read -n1 -r -p "Press any key to continue..."
-
- if [[ "$OS" = 'debian' ]]; then
- apt-get install ca-certificates -y
- # We add the OpenVPN repo to get the latest version.
- # Debian 8
- if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- # Ubuntu 14.04
- elif [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- # Ubuntu 16.04
- elif [[ "$VERSION_ID" = 'VERSION_ID="16.04"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- fi
- # Ubuntu >= 17.04 and Debian > 9 have OpenVPN 2.4 without the need of a third party repository.
- # The we install OpenVPN
- apt-get update
- apt-get install openvpn iptables openssl wget ca-certificates curl -y
- elif [[ "$OS" = 'centos' ]]; then
- yum install epel-release -y
- yum install openvpn iptables openssl wget ca-certificates curl -y
- else
- # Else, the distro is ArchLinux
- echo ""
- echo ""
- echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
- echo "Not doing that could cause problems between dependencies, or missing files in repositories."
- echo ""
- echo "Continuing will update your installed packages and install needed ones."
- while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
- read -p "Continue ? [y/n]: " -e -i y CONTINUE
- done
- if [[ "$CONTINUE" = "n" ]]; then
- echo "Ok, bye !"
- exit 4
- fi
-
- if [[ "$OS" = 'arch' ]]; then
- # Install rc.local
- echo "[Unit]
-Description=/etc/rc.local compatibility
-
-[Service]
-Type=oneshot
-ExecStart=/etc/rc.local
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
- touch /etc/rc.local
- chmod +x /etc/rc.local
- systemctl enable rc-local.service
- if ! grep '#!' $RCLOCAL; then
- echo "#!/bin/bash" > $RCLOCAL
- fi
- fi
-
- # Install dependencies
- pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
- if [[ "$OS" = 'arch' ]]; then
- touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
- systemctl enable iptables
- systemctl start iptables
- fi
- fi
-
- #To remember if we use tls-crypt or tls-auth when generating a new client conf
- echo $TLS_SIG > /etc/openvpn/TLS_SIG
-
- # Find out if the machine uses nogroup or nobody for the permissionless group
- if grep -qs "^nogroup:" /etc/group; then
- NOGROUP=nogroup
- else
- NOGROUP=nobody
- fi
-
- # An old version of easy-rsa was available by default in some openvpn packages
- if [[ -d /etc/openvpn/easy-rsa/ ]]; then
- rm -rf /etc/openvpn/easy-rsa/
- fi
- # Get easy-rsa
- wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
- tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
- mv ~/EasyRSA-3.0.3/ /etc/openvpn/
- mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
- chown -R root:root /etc/openvpn/easy-rsa/
- rm -rf ~/EasyRSA-3.0.3.tgz
- cd /etc/openvpn/easy-rsa/
- if [[ $CERT_TYPE == "1" ]]; then
- echo "set_var EASYRSA_ALGO ec
-set_var EASYRSA_CURVE $CERT_CURVE" > vars
- elif [[ $CERT_TYPE == "2" ]]; then
- echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
- fi
- echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
- # Create the PKI, set up the CA, the DH params and the server + client certificates
- ./easyrsa init-pki
- ./easyrsa --batch build-ca nopass
- if [[ $DH_TYPE == "2" ]]; then
- openssl dhparam -out dh.pem $DH_SIZE
- fi
- ./easyrsa build-server-full server nopass
- ./easyrsa build-client-full $CLIENT nopass
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- if [[ $TLS_SIG == "1" ]]; then
- # Generate tls-crypt key
- openvpn --genkey --secret /etc/openvpn/tls-crypt.key
- elif [[ $TLS_SIG == "2" ]]; then
- # Generate tls-auth key
- openvpn --genkey --secret /etc/openvpn/tls-auth.key
- fi
- # Move all the generated files
- cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
- if [[ $DH_TYPE == "2" ]]; then
- cp dh.pem /etc/openvpn
- fi
- # Make cert revocation list readable for non-root
- chmod 644 /etc/openvpn/crl.pem
-
- # Generate server.conf
- echo "port $PORT" > /etc/openvpn/server.conf
- if [[ "$PROTOCOL" = '1' ]]; then
- echo "proto udp" >> /etc/openvpn/server.conf
- elif [[ "$PROTOCOL" = '2' ]]; then
- echo "proto tcp" >> /etc/openvpn/server.conf
- fi
- echo "dev tun
-user nobody
-group $NOGROUP
-persist-key
-persist-tun
-keepalive 10 120
-topology subnet
-server 10.8.0.0 255.255.255.0
-ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
- # DNS resolvers
- case $DNS in
- 1)
- # Obtain the resolvers from resolv.conf and use them for OpenVPN
- grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
- echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
- done
- ;;
- 2) #FDN
- echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
- ;;
- 3) #DNS.WATCH
- echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
- ;;
- 4) #OpenDNS
- echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
- ;;
- 5) #Google
- echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
- ;;
- 6) #Yandex Basic
- echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
- ;;
- esac
-echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
-echo "crl-verify crl.pem
-ca ca.crt
-cert server.crt
-key server.key" >> /etc/openvpn/server.conf
-if [[ $TLS_SIG == "1" ]]; then
- echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
-elif [[ $TLS_SIG == "2" ]]; then
- echo "tls-auth tls-auth.key 0" >> /etc/openvpn/server.conf
-fi
-if [[ $DH_TYPE == "1" ]]; then
- echo "dh none
-ecdh-curve $DH_CURVE" >> /etc/openvpn/server.conf
-elif [[ $DH_TYPE == "2" ]]; then
- echo "dh dh.pem" >> /etc/openvpn/server.conf
-fi
-echo "auth $HMAC_AUTH
-$CIPHER
-ncp-disable
-tls-server
-tls-version-min 1.2
-tls-cipher $CC_ENC
-compress $COMPRESSION
-auth-nocache
-status openvpn.log
-verb 3" >> /etc/openvpn/server.conf
-
- # Create the sysctl configuration file if needed (mainly for Arch Linux)
- if [[ ! -e $SYSCTL ]]; then
- touch $SYSCTL
- fi
-
- # Enable net.ipv4.ip_forward for the system
- sed -i '/\/c\net.ipv4.ip_forward=1' $SYSCTL
- if ! grep -q "\" $SYSCTL; then
- echo 'net.ipv4.ip_forward=1' >> $SYSCTL
- fi
- # Avoid an unneeded reboot
- echo 1 > /proc/sys/net/ipv4/ip_forward
- # Needed to use rc.local with some systemd distros
- if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
- echo '#!/bin/sh -e
- exit 0' > $RCLOCAL
- fi
- chmod +x $RCLOCAL
- # Set NAT for the VPN subnet
- iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
- sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL
- if pgrep firewalld; then
- # We don't use --add-service=openvpn because that would only work with
- # the default port. Using both permanent and not permanent rules to
- # avoid a firewalld reload.
- if [[ "$PROTOCOL" = '1' ]]; then
- firewall-cmd --zone=public --add-port=$PORT/udp
- firewall-cmd --permanent --zone=public --add-port=$PORT/udp
- elif [[ "$PROTOCOL" = '2' ]]; then
- firewall-cmd --zone=public --add-port=$PORT/tcp
- firewall-cmd --permanent --zone=public --add-port=$PORT/tcp
- fi
- firewall-cmd --zone=trusted --add-source=10.8.0.0/24
- firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
- fi
- if iptables -L -n | grep -qE 'REJECT|DROP'; then
- # If iptables has at least one REJECT rule, we asume this is needed.
- # Not the best approach but I can't think of other and this shouldn't
- # cause problems.
- if [[ "$PROTOCOL" = '1' ]]; then
- iptables -I INPUT -p udp --dport $PORT -j ACCEPT
- elif [[ "$PROTOCOL" = '2' ]]; then
- iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
- fi
- iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
- iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- if [[ "$PROTOCOL" = '1' ]]; then
- sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
- elif [[ "$PROTOCOL" = '2' ]]; then
- sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL
- fi
- sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
- sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
- fi
- # If SELinux is enabled and a custom port was selected, we need this
- if hash sestatus 2>/dev/null; then
- if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
- # semanage isn't available in CentOS 6 by default
- if ! hash semanage 2>/dev/null; then
- yum install policycoreutils-python -y
- fi
- if [[ "$PROTOCOL" = '1' ]]; then
- semanage port -a -t openvpn_port_t -p udp $PORT
- elif [[ "$PROTOCOL" = '2' ]]; then
- semanage port -a -t openvpn_port_t -p tcp $PORT
- fi
- fi
- fi
- fi
- # And finally, restart OpenVPN
- if [[ "$OS" = 'debian' ]]; then
- # Little hack to check for systemd
- if pgrep systemd-journal; then
- if [[ "$VERSION_ID" = 'VERSION_ID="9"' ]]; then
- #Workaround to fix OpenVPN service on Debian 9 OpenVZ
- sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn-server\@.service
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn-server\@.service
- sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn-server\@.service
- systemctl daemon-reload
- systemctl restart openvpn-server@openvpn.service
- systemctl enable openvpn-server@openvpn.service
- else
- systemctl restart openvpn@server.service
- fi
- else
- /etc/init.d/openvpn restart
- fi
- else
- if pgrep systemd-journal; then
- if [[ "$OS" = 'arch' ]]; then
- #Workaround to avoid rewriting the entire script for Arch
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
- sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
- systemctl daemon-reload
- systemctl restart openvpn-server@openvpn.service
- systemctl enable openvpn-server@openvpn.service
- else
- systemctl restart openvpn@server.service
- systemctl enable openvpn@server.service
- fi
- else
- service openvpn restart
- chkconfig openvpn on
- fi
- fi
- # Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
- EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
- if [[ "$IP" != "$EXTERNALIP" ]]; then
- echo ""
- echo "Looks like your server is behind a NAT!"
- echo ""
- echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
- echo "then I need to know the address that can be used to access it from outside."
- echo "If that's not the case, just ignore this and leave the next field blank"
- read -p "External IP or domain name: " -e USEREXTERNALIP
- if [[ "$USEREXTERNALIP" != "" ]]; then
- IP=$USEREXTERNALIP
- fi
- fi
- # client-template.txt is created so we have a template to add further users later
- echo "client" > /etc/openvpn/client-template.txt
- if [[ "$PROTOCOL" = '1' ]]; then
- echo "proto udp" >> /etc/openvpn/client-template.txt
- elif [[ "$PROTOCOL" = '2' ]]; then
- echo "proto tcp-client" >> /etc/openvpn/client-template.txt
- fi
- echo "remote $IP $PORT
-dev tun
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-remote-cert-tls server
-auth $HMAC_AUTH
-$CIPHER
-tls-client
-tls-version-min 1.2
-tls-cipher $CC_ENC
-compress $COMPRESSION
-auth-nocache
-setenv opt block-outside-dns
-verb 3" >> /etc/openvpn/client-template.txt
-
- # Generate the custom client.ovpn
- newclient "$CLIENT"
- echo ""
- echo "Finished!"
- echo ""
- echo "Your client config is available at $homeDir/$CLIENT.ovpn"
- echo "If you want to add more clients, you simply need to run this script another time!"
-fi
-exit 0;
diff --git a/Angristan/openvpn-install.sh b/Angristan/openvpn-install.sh
deleted file mode 100755
index 9c92191..0000000
--- a/Angristan/openvpn-install.sh
+++ /dev/null
@@ -1,645 +0,0 @@
-#!/bin/bash
-
-# Secure OpenVPN server installer for Debian, Ubuntu, CentOS and Arch Linux
-# https://github.com/Angristan/OpenVPN-install
-
-
-if [[ "$EUID" -ne 0 ]]; then
- echo "Sorry, you need to run this as root"
- exit 1
-fi
-
-if [[ ! -e /dev/net/tun ]]; then
- echo "TUN is not available"
- exit 2
-fi
-
-if grep -qs "CentOS release 5" "/etc/redhat-release"; then
- echo "CentOS 5 is too old and not supported"
- exit 3
-fi
-
-if [[ -e /etc/debian_version ]]; then
- OS="debian"
- # Getting the version number, to verify that a recent version of OpenVPN is available
- VERSION_ID=$(cat /etc/os-release | grep "VERSION_ID")
- RCLOCAL='/etc/rc.local'
- SYSCTL='/etc/sysctl.conf'
- if [[ "$VERSION_ID" != 'VERSION_ID="7"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="8"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="9"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="12.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="14.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.04"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="16.10"' ]] && [[ "$VERSION_ID" != 'VERSION_ID="17.04"' ]]; then
- echo "Your version of Debian/Ubuntu is not supported."
- echo "I can't install a recent version of OpenVPN on your system."
- echo ""
- echo "However, if you're using Debian unstable/testing, or Ubuntu beta,"
- echo "then you can continue, a recent version of OpenVPN is available on these."
- echo "Keep in mind they are not supported, though."
- while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
- read -p "Continue ? [y/n]: " -e CONTINUE
- done
- if [[ "$CONTINUE" = "n" ]]; then
- echo "Ok, bye !"
- exit 4
- fi
- fi
-elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
- OS=centos
- RCLOCAL='/etc/rc.d/rc.local'
- SYSCTL='/etc/sysctl.conf'
- # Needed for CentOS 7
- chmod +x /etc/rc.d/rc.local
-elif [[ -e /etc/arch-release ]]; then
- OS=arch
- RCLOCAL='/etc/rc.local'
- SYSCTL='/etc/sysctl.d/openvpn.conf'
-else
- echo "Looks like you aren't running this installer on a Debian, Ubuntu, CentOS or ArchLinux system"
- exit 4
-fi
-
-newclient () {
- # Where to write the custom client.ovpn?
- if [ -e /home/$1 ]; then # if $1 is a user name
- homeDir="/home/$1"
- elif [ ${SUDO_USER} ]; then # if not, use SUDO_USER
- homeDir="/home/${SUDO_USER}"
- else # if not SUDO_USER, use /root
- homeDir="/root"
- fi
- # Generates the custom client.ovpn
- cp /etc/openvpn/client-template.txt $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/ca.crt >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/private/$1.key >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- echo "key-direction 1" >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
- cat /etc/openvpn/tls-auth.key >> $homeDir/$1.ovpn
- echo "" >> $homeDir/$1.ovpn
-}
-
-# Try to get our IP from the system and fallback to the Internet.
-# I do this to make the script compatible with NATed servers (LowEndSpirit/Scaleway)
-# and to avoid getting an IPv6.
-IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
-if [[ "$IP" = "" ]]; then
- IP=$(wget -qO- ipv4.icanhazip.com)
-fi
-# Get Internet network interface with default route
-NIC=$(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
-
-if [[ -e /etc/openvpn/server.conf ]]; then
- while :
- do
- clear
- echo "OpenVPN-install (github.com/Angristan/OpenVPN-install)"
- echo ""
- echo "Looks like OpenVPN is already installed"
- echo ""
- echo "What do you want to do?"
- echo " 1) Add a cert for a new user"
- echo " 2) Revoke existing user cert"
- echo " 3) Remove OpenVPN"
- echo " 4) Exit"
- read -p "Select an option [1-4]: " option
- case $option in
- 1)
- echo ""
- echo "Tell me a name for the client cert"
- echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i client CLIENT
- cd /etc/openvpn/easy-rsa/
- ./easyrsa build-client-full $CLIENT nopass
- # Generates the custom client.ovpn
- newclient "$CLIENT"
- echo ""
- echo "Client $CLIENT added, certs available at $homeDir/$CLIENT.ovpn"
- exit
- ;;
- 2)
- NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
- if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
- echo ""
- echo "You have no existing clients!"
- exit 5
- fi
- echo ""
- echo "Select the existing client certificate you want to revoke"
- tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
- if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
- read -p "Select one client [1]: " CLIENTNUMBER
- else
- read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
- fi
- CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
- cd /etc/openvpn/easy-rsa/
- ./easyrsa --batch revoke $CLIENT
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- rm -rf pki/reqs/$CLIENT.req
- rm -rf pki/private/$CLIENT.key
- rm -rf pki/issued/$CLIENT.crt
- rm -rf /etc/openvpn/crl.pem
- cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
- chmod 644 /etc/openvpn/crl.pem
- echo ""
- echo "Certificate for client $CLIENT revoked"
- echo "Exiting..."
- exit
- ;;
- 3)
- echo ""
- read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
- if [[ "$REMOVE" = 'y' ]]; then
- PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
- if pgrep firewalld; then
- # Using both permanent and not permanent rules to avoid a firewalld reload.
- firewall-cmd --zone=public --remove-port=$PORT/udp
- firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
- firewall-cmd --permanent --zone=public --remove-port=$PORT/udp
- firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
- fi
- if iptables -L -n | grep -qE 'REJECT|DROP'; then
- sed -i "/iptables -I INPUT -p udp --dport $PORT -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
- fi
- sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
- if hash sestatus 2>/dev/null; then
- if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
- semanage port -d -t openvpn_port_t -p udp $PORT
- fi
- fi
- fi
- if [[ "$OS" = 'debian' ]]; then
- apt-get autoremove --purge -y openvpn
- elif [[ "$OS" = 'arch' ]]; then
- pacman -R openvpn --noconfirm
- else
- yum remove openvpn -y
- fi
- rm -rf /etc/openvpn
- rm -rf /usr/share/doc/openvpn*
- echo ""
- echo "OpenVPN removed!"
- else
- echo ""
- echo "Removal aborted!"
- fi
- exit
- ;;
- 4) exit;;
- esac
- done
-else
- clear
- echo "Welcome to the secure OpenVPN installer (github.com/Angristan/OpenVPN-install)"
- echo ""
- # OpenVPN setup and first user creation
- echo "I need to ask you a few questions before starting the setup"
- echo "You can leave the default options and just press enter if you are ok with them"
- echo ""
- echo "I need to know the IPv4 address of the network interface you want OpenVPN listening to."
- echo "If your server is running behind a NAT, (e.g. LowEndSpirit, Scaleway) leave the IP address as it is. (local/private IP)"
- echo "Otherwise, it should be your public IPv4 address."
- read -p "IP address: " -e -i $IP IP
- echo ""
- echo "What port do you want for OpenVPN?"
- read -p "Port: " -e -i 1194 PORT
- echo ""
- echo "What protocol do you want for OpenVPN?"
- echo "Unless UDP is blocked, you should not use TCP (unnecessarily slower)"
- while [[ $PROTOCOL != "UDP" && $PROTOCOL != "TCP" ]]; do
- read -p "Protocol [UDP/TCP]: " -e -i UDP PROTOCOL
- done
- echo ""
- echo "What DNS do you want to use with the VPN?"
- echo " 1) Current system resolvers (in /etc/resolv.conf)"
- echo " 2) FDN (France)"
- echo " 3) DNS.WATCH (Germany)"
- echo " 4) OpenDNS (Anycast: worldwide)"
- echo " 5) Google (Anycast: worldwide)"
- echo " 6) Yandex Basic (Russia)"
- echo " 7) AdGuard DNS (Russia)"
- while [[ $DNS != "1" && $DNS != "2" && $DNS != "3" && $DNS != "4" && $DNS != "5" && $DNS != "6" && $DNS != "7" ]]; do
- read -p "DNS [1-7]: " -e -i 1 DNS
- done
- echo ""
- echo "See https://github.com/Angristan/OpenVPN-install#encryption to learn more about "
- echo "the encryption in OpenVPN and the choices I made in this script."
- echo "Please note that all the choices proposed are secure (to a different degree)"
- echo "and are still viable to date, unlike some default OpenVPN options"
- echo ''
- echo "Choose which cipher you want to use for the data channel:"
- echo " 1) AES-128-CBC (fastest and sufficiently secure for everyone, recommended)"
- echo " 2) AES-192-CBC"
- echo " 3) AES-256-CBC"
- echo "Alternatives to AES, use them only if you know what you're doing."
- echo "They are relatively slower but as secure as AES."
- echo " 4) CAMELLIA-128-CBC"
- echo " 5) CAMELLIA-192-CBC"
- echo " 6) CAMELLIA-256-CBC"
- echo " 7) SEED-CBC"
- while [[ $CIPHER != "1" && $CIPHER != "2" && $CIPHER != "3" && $CIPHER != "4" && $CIPHER != "5" && $CIPHER != "6" && $CIPHER != "7" ]]; do
- read -p "Cipher [1-7]: " -e -i 1 CIPHER
- done
- case $CIPHER in
- 1)
- CIPHER="cipher AES-128-CBC"
- ;;
- 2)
- CIPHER="cipher AES-192-CBC"
- ;;
- 3)
- CIPHER="cipher AES-256-CBC"
- ;;
- 4)
- CIPHER="cipher CAMELLIA-128-CBC"
- ;;
- 5)
- CIPHER="cipher CAMELLIA-192-CBC"
- ;;
- 6)
- CIPHER="cipher CAMELLIA-256-CBC"
- ;;
- 7)
- CIPHER="cipher SEED-CBC"
- ;;
- esac
- echo ""
- echo "Choose what size of Diffie-Hellman key you want to use:"
- echo " 1) 2048 bits (fastest)"
- echo " 2) 3072 bits (recommended, best compromise)"
- echo " 3) 4096 bits (most secure)"
- while [[ $DH_KEY_SIZE != "1" && $DH_KEY_SIZE != "2" && $DH_KEY_SIZE != "3" ]]; do
- read -p "DH key size [1-3]: " -e -i 2 DH_KEY_SIZE
- done
- case $DH_KEY_SIZE in
- 1)
- DH_KEY_SIZE="2048"
- ;;
- 2)
- DH_KEY_SIZE="3072"
- ;;
- 3)
- DH_KEY_SIZE="4096"
- ;;
- esac
- echo ""
- echo "Choose what size of RSA key you want to use:"
- echo " 1) 2048 bits (fastest)"
- echo " 2) 3072 bits (recommended, best compromise)"
- echo " 3) 4096 bits (most secure)"
- while [[ $RSA_KEY_SIZE != "1" && $RSA_KEY_SIZE != "2" && $RSA_KEY_SIZE != "3" ]]; do
- read -p "DH key size [1-3]: " -e -i 2 RSA_KEY_SIZE
- done
- case $RSA_KEY_SIZE in
- 1)
- RSA_KEY_SIZE="2048"
- ;;
- 2)
- RSA_KEY_SIZE="3072"
- ;;
- 3)
- RSA_KEY_SIZE="4096"
- ;;
- esac
- echo ""
- echo "Finally, tell me a name for the client certificate and configuration"
- while [[ $CLIENT = "" ]]; do
- echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i client CLIENT
- done
- echo ""
- echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
- read -n1 -r -p "Press any key to continue..."
-
- if [[ "$OS" = 'debian' ]]; then
- apt-get install ca-certificates -y
- # We add the OpenVPN repo to get the latest version.
- # Debian 7
- if [[ "$VERSION_ID" = 'VERSION_ID="7"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable wheezy main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt-get update
- fi
- # Debian 8
- if [[ "$VERSION_ID" = 'VERSION_ID="8"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable jessie main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt update
- fi
- # Ubuntu 12.04
- if [[ "$VERSION_ID" = 'VERSION_ID="12.04"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable precise main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt-get update
- fi
- # Ubuntu 14.04
- if [[ "$VERSION_ID" = 'VERSION_ID="14.04"' ]]; then
- echo "deb http://build.openvpn.net/debian/openvpn/stable trusty main" > /etc/apt/sources.list.d/openvpn.list
- wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
- apt-get update
- fi
- # Ubuntu >= 16.04 and Debian > 8 have OpenVPN > 2.3.3 without the need of a third party repository.
- # The we install OpenVPN
- apt-get install openvpn iptables openssl wget ca-certificates curl -y
- elif [[ "$OS" = 'centos' ]]; then
- yum install epel-release -y
- yum install openvpn iptables openssl wget ca-certificates curl -y
- else
- # Else, the distro is ArchLinux
- echo ""
- echo ""
- echo "As you're using ArchLinux, I need to update the packages on your system to install those I need."
- echo "Not doing that could cause problems between dependencies, or missing files in repositories."
- echo ""
- echo "Continuing will update your installed packages and install needed ones."
- while [[ $CONTINUE != "y" && $CONTINUE != "n" ]]; do
- read -p "Continue ? [y/n]: " -e -i y CONTINUE
- done
- if [[ "$CONTINUE" = "n" ]]; then
- echo "Ok, bye !"
- exit 4
- fi
-
- if [[ "$OS" = 'arch' ]]; then
- # Install rc.local
- echo "[Unit]
-Description=/etc/rc.local compatibility
-
-[Service]
-Type=oneshot
-ExecStart=/etc/rc.local
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target" > /etc/systemd/system/rc-local.service
- chmod +x /etc/rc.local
- systemctl enable rc-local.service
- if ! grep '#!' $RCLOCAL; then
- echo "#!/bin/bash" > $RCLOCAL
- fi
- fi
-
- # Install dependencies
- pacman -Syu openvpn iptables openssl wget ca-certificates curl --needed --noconfirm
- if [[ "$OS" = 'arch' ]]; then
- touch /etc/iptables/iptables.rules # iptables won't start if this file does not exist
- systemctl enable iptables
- systemctl start iptables
- fi
- fi
- # Find out if the machine uses nogroup or nobody for the permissionless group
- if grep -qs "^nogroup:" /etc/group; then
- NOGROUP=nogroup
- else
- NOGROUP=nobody
- fi
-
- # An old version of easy-rsa was available by default in some openvpn packages
- if [[ -d /etc/openvpn/easy-rsa/ ]]; then
- rm -rf /etc/openvpn/easy-rsa/
- fi
- # Get easy-rsa
- wget -O ~/EasyRSA-3.0.3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz
- tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
- mv ~/EasyRSA-3.0.3/ /etc/openvpn/
- mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
- chown -R root:root /etc/openvpn/easy-rsa/
- rm -rf ~/EasyRSA-3.0.3.tgz
- cd /etc/openvpn/easy-rsa/
- echo "set_var EASYRSA_KEY_SIZE $RSA_KEY_SIZE" > vars
- # Create the PKI, set up the CA, the DH params and the server + client certificates
- ./easyrsa init-pki
- ./easyrsa --batch build-ca nopass
- openssl dhparam -out dh.pem $DH_KEY_SIZE
- ./easyrsa build-server-full server nopass
- ./easyrsa build-client-full $CLIENT nopass
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- # generate tls-auth key
- openvpn --genkey --secret /etc/openvpn/tls-auth.key
- # Move all the generated files
- cp pki/ca.crt pki/private/ca.key dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
- # Make cert revocation list readable for non-root
- chmod 644 /etc/openvpn/crl.pem
-
- # Generate server.conf
- echo "local $IP" > /etc/openvpn/server.conf
- echo "port $PORT" >> /etc/openvpn/server.conf
- if [[ "$PROTOCOL" = 'UDP' ]]; then
- echo "proto udp" >> /etc/openvpn/server.conf
- elif [[ "$PROTOCOL" = 'TCP' ]]; then
- echo "proto tcp" >> /etc/openvpn/server.conf
- fi
- echo "dev tun
-user nobody
-group $NOGROUP
-persist-key
-persist-tun
-keepalive 10 120
-topology subnet
-server 10.8.0.0 255.255.255.0
-ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
- # DNS resolvers
- case $DNS in
- 1)
- # Obtain the resolvers from resolv.conf and use them for OpenVPN
- grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
- echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
- done
- ;;
- 2) #FDN
- echo 'push "dhcp-option DNS 80.67.169.12"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 80.67.169.40"' >> /etc/openvpn/server.conf
- ;;
- 3) #DNS.WATCH
- echo 'push "dhcp-option DNS 84.200.69.80"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 84.200.70.40"' >> /etc/openvpn/server.conf
- ;;
- 4) #OpenDNS
- echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
- ;;
- 5) #Google
- echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
- ;;
- 6) #Yandex Basic
- echo 'push "dhcp-option DNS 77.88.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 77.88.8.1"' >> /etc/openvpn/server.conf
- ;;
- 7) #AdGuard DNS
- echo 'push "dhcp-option DNS 176.103.130.130"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 176.103.130.131"' >> /etc/openvpn/server.conf
- ;;
- esac
-echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
-echo "crl-verify crl.pem
-ca ca.crt
-cert server.crt
-key server.key
-tls-auth tls-auth.key 0
-dh dh.pem
-auth SHA256
-$CIPHER
-tls-server
-tls-version-min 1.2
-tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
-status openvpn.log
-verb 3" >> /etc/openvpn/server.conf
-
- # Create the sysctl configuration file if needed (mainly for Arch Linux)
- if [[ ! -e $SYSCTL ]]; then
- touch $SYSCTL
- fi
-
- # Enable net.ipv4.ip_forward for the system
- sed -i '/\/c\net.ipv4.ip_forward=1' $SYSCTL
- if ! grep -q "\" $SYSCTL; then
- echo 'net.ipv4.ip_forward=1' >> $SYSCTL
- fi
- # Avoid an unneeded reboot
- echo 1 > /proc/sys/net/ipv4/ip_forward
- # Needed to use rc.local with some systemd distros
- if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
- echo '#!/bin/sh -e
- exit 0' > $RCLOCAL
- fi
- chmod +x $RCLOCAL
- # Set NAT for the VPN subnet
- iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE
- sed -i "1 a\iptables -t nat -A POSTROUTING -o $NIC -s 10.8.0.0/24 -j MASQUERADE" $RCLOCAL
- if pgrep firewalld; then
- # We don't use --add-service=openvpn because that would only work with
- # the default port. Using both permanent and not permanent rules to
- # avoid a firewalld reload.
- if [[ "$PROTOCOL" = 'UDP' ]]; then
- firewall-cmd --zone=public --add-port=$PORT/udp
- firewall-cmd --permanent --zone=public --add-port=$PORT/udp
- elif [[ "$PROTOCOL" = 'TCP' ]]; then
- firewall-cmd --zone=public --add-port=$PORT/tcp
- firewall-cmd --permanent --zone=public --add-port=$PORT/tcp
- fi
- firewall-cmd --zone=trusted --add-source=10.8.0.0/24
- firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
- fi
- if iptables -L -n | grep -qE 'REJECT|DROP'; then
- # If iptables has at least one REJECT rule, we asume this is needed.
- # Not the best approach but I can't think of other and this shouldn't
- # cause problems.
- if [[ "$PROTOCOL" = 'UDP' ]]; then
- iptables -I INPUT -p udp --dport $PORT -j ACCEPT
- elif [[ "$PROTOCOL" = 'TCP' ]]; then
- iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
- fi
- iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
- iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- if [[ "$PROTOCOL" = 'UDP' ]]; then
- sed -i "1 a\iptables -I INPUT -p udp --dport $PORT -j ACCEPT" $RCLOCAL
- elif [[ "$PROTOCOL" = 'TCP' ]]; then
- sed -i "1 a\iptables -I INPUT -p tcp --dport $PORT -j ACCEPT" $RCLOCAL
- fi
- sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
- sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
- fi
- # If SELinux is enabled and a custom port was selected, we need this
- if hash sestatus 2>/dev/null; then
- if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' ]]; then
- # semanage isn't available in CentOS 6 by default
- if ! hash semanage 2>/dev/null; then
- yum install policycoreutils-python -y
- fi
- if [[ "$PROTOCOL" = 'UDP' ]]; then
- semanage port -a -t openvpn_port_t -p udp $PORT
- elif [[ "$PROTOCOL" = 'TCP' ]]; then
- semanage port -a -t openvpn_port_t -p tcp $PORT
- fi
- fi
- fi
- fi
- # And finally, restart OpenVPN
- if [[ "$OS" = 'debian' ]]; then
- # Little hack to check for systemd
- if pgrep systemd-journal; then
- if [[ "$VERSION_ID" = 'VERSION_ID="9"' ]]; then
- #Workaround to fix OpenVPN service on Debian 9 OpenVZ
- sed -i 's|LimitNPROC|#LimitNPROC|' /lib/systemd/system/openvpn-server\@.service
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /lib/systemd/system/openvpn-server\@.service
- sed -i 's|%i.conf|server.conf|' /lib/systemd/system/openvpn-server\@.service
- systemctl daemon-reload
- systemctl restart openvpn-server@openvpn.service
- systemctl enable openvpn-server@openvpn.service
- else
- systemctl restart openvpn@server.service
- fi
- else
- /etc/init.d/openvpn restart
- fi
- else
- if pgrep systemd-journal; then
- if [[ "$OS" = 'arch' ]]; then
- #Workaround to avoid rewriting the entire script for Arch
- sed -i 's|/etc/openvpn/server|/etc/openvpn|' /usr/lib/systemd/system/openvpn-server@.service
- sed -i 's|%i.conf|server.conf|' /usr/lib/systemd/system/openvpn-server@.service
- systemctl daemon-reload
- systemctl restart openvpn-server@openvpn.service
- systemctl enable openvpn-server@openvpn.service
- else
- systemctl restart openvpn@server.service
- systemctl enable openvpn@server.service
- fi
- else
- service openvpn restart
- chkconfig openvpn on
- fi
- fi
- # Try to detect a NATed connection and ask about it to potential LowEndSpirit/Scaleway users
- EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
- if [[ "$IP" != "$EXTERNALIP" ]]; then
- echo ""
- echo "Looks like your server is behind a NAT!"
- echo ""
- echo "If your server is NATed (e.g. LowEndSpirit, Scaleway, or behind a router),"
- echo "then I need to know the address that can be used to access it from outside."
- echo "If that's not the case, just ignore this and leave the next field blank"
- read -p "External IP or domain name: " -e USEREXTERNALIP
- if [[ "$USEREXTERNALIP" != "" ]]; then
- IP=$USEREXTERNALIP
- fi
- fi
- # client-template.txt is created so we have a template to add further users later
- echo "client" > /etc/openvpn/client-template.txt
- if [[ "$PROTOCOL" = 'UDP' ]]; then
- echo "proto udp" >> /etc/openvpn/client-template.txt
- elif [[ "$PROTOCOL" = 'TCP' ]]; then
- echo "proto tcp-client" >> /etc/openvpn/client-template.txt
- fi
- echo "remote $IP $PORT
-dev tun
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-remote-cert-tls server
-auth SHA256
-$CIPHER
-tls-client
-tls-version-min 1.2
-tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
-setenv opt block-outside-dns
-verb 3" >> /etc/openvpn/client-template.txt
-
- # Generate the custom client.ovpn
- newclient "$CLIENT"
- echo ""
- echo "Finished!"
- echo ""
- echo "Your client config is available at $homeDir/$CLIENT.ovpn"
- echo "If you want to add more clients, you simply need to run this script another time!"
-fi
-exit 0;
diff --git a/Nyr/openvpn-install.sh b/Nyr/openvpn-install.sh
deleted file mode 100755
index 1e3fbf1..0000000
--- a/Nyr/openvpn-install.sh
+++ /dev/null
@@ -1,421 +0,0 @@
-#!/bin/bash
-# OpenVPN road warrior installer for Debian, Ubuntu and CentOS
-
-# This script will work on Debian, Ubuntu, CentOS and probably other distros
-# of the same families, although no support is offered for them. It isn't
-# bulletproof but it will probably work if you simply want to setup a VPN on
-# your Debian/Ubuntu/CentOS box. It has been designed to be as unobtrusive and
-# universal as possible.
-
-
-# Detect Debian users running the script with "sh" instead of bash
-if readlink /proc/$$/exe | grep -qs "dash"; then
- echo "This script needs to be run with bash, not sh"
- exit 1
-fi
-
-if [[ "$EUID" -ne 0 ]]; then
- echo "Sorry, you need to run this as root"
- exit 2
-fi
-
-if [[ ! -e /dev/net/tun ]]; then
- echo "The TUN device is not available
-You need to enable TUN before running this script"
- exit 3
-fi
-
-if grep -qs "CentOS release 5" "/etc/redhat-release"; then
- echo "CentOS 5 is too old and not supported"
- exit 4
-fi
-if [[ -e /etc/debian_version ]]; then
- OS=debian
- GROUPNAME=nogroup
- RCLOCAL='/etc/rc.local'
-elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
- OS=centos
- GROUPNAME=nobody
- RCLOCAL='/etc/rc.d/rc.local'
-else
- echo "Looks like you aren't running this installer on Debian, Ubuntu or CentOS"
- exit 5
-fi
-
-newclient () {
- # Generates the custom client.ovpn
- cp /etc/openvpn/client-common.txt ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/ca.crt >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/issued/$1.crt >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- cat /etc/openvpn/easy-rsa/pki/private/$1.key >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
- cat /etc/openvpn/ta.key >> ~/$1.ovpn
- echo "" >> ~/$1.ovpn
-}
-
-# Try to get our IP from the system and fallback to the Internet.
-# I do this to make the script compatible with NATed servers (lowendspirit.com)
-# and to avoid getting an IPv6.
-IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
-if [[ "$IP" = "" ]]; then
- IP=$(wget -4qO- "http://whatismyip.akamai.com/")
-fi
-
-if [[ -e /etc/openvpn/server.conf ]]; then
- while :
- do
- clear
- echo "Looks like OpenVPN is already installed"
- echo ""
- echo "What do you want to do?"
- echo " 1) Add a new user"
- echo " 2) Revoke an existing user"
- echo " 3) Remove OpenVPN"
- echo " 4) Exit"
- read -p "Select an option [1-4]: " option
- case $option in
- 1)
- echo ""
- echo "Tell me a name for the client certificate"
- echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i client CLIENT
- cd /etc/openvpn/easy-rsa/
- ./easyrsa build-client-full $CLIENT nopass
- # Generates the custom client.ovpn
- newclient "$CLIENT"
- echo ""
- echo "Client $CLIENT added, configuration is available at" ~/"$CLIENT.ovpn"
- exit
- ;;
- 2)
- # This option could be documented a bit better and maybe even be simplimplified
- # ...but what can I say, I want some sleep too
- NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
- if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
- echo ""
- echo "You have no existing clients!"
- exit 6
- fi
- echo ""
- echo "Select the existing client certificate you want to revoke"
- tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
- if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
- read -p "Select one client [1]: " CLIENTNUMBER
- else
- read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
- fi
- CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
- cd /etc/openvpn/easy-rsa/
- ./easyrsa --batch revoke $CLIENT
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- rm -rf pki/reqs/$CLIENT.req
- rm -rf pki/private/$CLIENT.key
- rm -rf pki/issued/$CLIENT.crt
- rm -rf /etc/openvpn/crl.pem
- cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
- # CRL is read with each client connection, when OpenVPN is dropped to nobody
- chown nobody:$GROUPNAME /etc/openvpn/crl.pem
- echo ""
- echo "Certificate for client $CLIENT revoked"
- exit
- ;;
- 3)
- echo ""
- read -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
- if [[ "$REMOVE" = 'y' ]]; then
- PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
- PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
- if pgrep firewalld; then
- IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
- # Using both permanent and not permanent rules to avoid a firewalld reload.
- firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
- firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
- firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
- firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
- firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- else
- IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to ' $RCLOCAL | cut -d " " -f 14)
- iptables -t nat -D POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 ! -d 10.8.0.0\/24 -j SNAT --to /d' $RCLOCAL
- if iptables -L -n | grep -qE '^ACCEPT'; then
- iptables -D INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
- iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
- iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" $RCLOCAL
- sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" $RCLOCAL
- fi
- fi
- if hash sestatus 2>/dev/null; then
- if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
- semanage port -d -t openvpn_port_t -p $PROTOCOL $PORT
- fi
- fi
- fi
- if [[ "$OS" = 'debian' ]]; then
- apt-get remove --purge -y openvpn
- else
- yum remove openvpn -y
- fi
- rm -rf /etc/openvpn
- echo ""
- echo "OpenVPN removed!"
- else
- echo ""
- echo "Removal aborted!"
- fi
- exit
- ;;
- 4) exit;;
- esac
- done
-else
- clear
- echo 'Welcome to this quick OpenVPN "road warrior" installer'
- echo ""
- # OpenVPN setup and first user creation
- echo "I need to ask you a few questions before starting the setup"
- echo "You can leave the default options and just press enter if you are ok with them"
- echo ""
- echo "First I need to know the IPv4 address of the network interface you want OpenVPN"
- echo "listening to."
- read -p "IP address: " -e -i $IP IP
- echo ""
- echo "Which protocol do you want for OpenVPN connections?"
- echo " 1) UDP (recommended)"
- echo " 2) TCP"
- read -p "Protocol [1-2]: " -e -i 1 PROTOCOL
- case $PROTOCOL in
- 1)
- PROTOCOL=udp
- ;;
- 2)
- PROTOCOL=tcp
- ;;
- esac
- echo ""
- echo "What port do you want OpenVPN listening to?"
- read -p "Port: " -e -i 1194 PORT
- echo ""
- echo "Which DNS do you want to use with the VPN?"
- echo " 1) Current system resolvers"
- echo " 2) Google"
- echo " 3) OpenDNS"
- echo " 4) NTT"
- echo " 5) Hurricane Electric"
- echo " 6) Verisign"
- read -p "DNS [1-6]: " -e -i 1 DNS
- echo ""
- echo "Finally, tell me your name for the client certificate"
- echo "Please, use one word only, no special characters"
- read -p "Client name: " -e -i client CLIENT
- echo ""
- echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
- read -n1 -r -p "Press any key to continue..."
- if [[ "$OS" = 'debian' ]]; then
- apt-get update
- apt-get install openvpn iptables openssl ca-certificates -y
- else
- # Else, the distro is CentOS
- yum install epel-release -y
- yum install openvpn iptables openssl wget ca-certificates -y
- fi
- # An old version of easy-rsa was available by default in some openvpn packages
- if [[ -d /etc/openvpn/easy-rsa/ ]]; then
- rm -rf /etc/openvpn/easy-rsa/
- fi
- # Get easy-rsa
- wget -O ~/EasyRSA-3.0.3.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.3/EasyRSA-3.0.3.tgz"
- tar xzf ~/EasyRSA-3.0.3.tgz -C ~/
- # Temporal fix for issue #353, which is caused by OpenVPN/easy-rsa#135
- # Will be removed as soon as a new release of easy-rsa is available
- sed -i 's/\[\[/\[/g;s/\]\]/\]/g;s/==/=/g' ~/EasyRSA-3.0.3/easyrsa
- mv ~/EasyRSA-3.0.3/ /etc/openvpn/
- mv /etc/openvpn/EasyRSA-3.0.3/ /etc/openvpn/easy-rsa/
- chown -R root:root /etc/openvpn/easy-rsa/
- rm -rf ~/EasyRSA-3.0.3.tgz
- cd /etc/openvpn/easy-rsa/
- # Create the PKI, set up the CA, the DH params and the server + client certificates
- ./easyrsa init-pki
- ./easyrsa --batch build-ca nopass
- ./easyrsa gen-dh
- ./easyrsa build-server-full server nopass
- ./easyrsa build-client-full $CLIENT nopass
- EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
- # Move the stuff we need
- cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn
- # CRL is read with each client connection, when OpenVPN is dropped to nobody
- chown nobody:$GROUPNAME /etc/openvpn/crl.pem
- # Generate key for tls-auth
- openvpn --genkey --secret /etc/openvpn/ta.key
- # Generate server.conf
- echo "port $PORT
-proto $PROTOCOL
-dev tun
-sndbuf 0
-rcvbuf 0
-ca ca.crt
-cert server.crt
-key server.key
-dh dh.pem
-auth SHA512
-tls-auth ta.key 0
-topology subnet
-server 10.8.0.0 255.255.255.0
-ifconfig-pool-persist ipp.txt" > /etc/openvpn/server.conf
- echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf
- # DNS
- case $DNS in
- 1)
- # Obtain the resolvers from resolv.conf and use them for OpenVPN
- grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read line; do
- echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
- done
- ;;
- 2)
- echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
- ;;
- 3)
- echo 'push "dhcp-option DNS 208.67.222.222"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 208.67.220.220"' >> /etc/openvpn/server.conf
- ;;
- 4)
- echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf
- ;;
- 5)
- echo 'push "dhcp-option DNS 74.82.42.42"' >> /etc/openvpn/server.conf
- ;;
- 6)
- echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
- echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
- ;;
- esac
- echo "keepalive 10 120
-cipher AES-256-CBC
-comp-lzo
-user nobody
-group $GROUPNAME
-persist-key
-persist-tun
-status openvpn-status.log
-verb 3
-crl-verify crl.pem" >> /etc/openvpn/server.conf
- # Enable net.ipv4.ip_forward for the system
- sed -i '/\/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
- if ! grep -q "\" /etc/sysctl.conf; then
- echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
- fi
- # Avoid an unneeded reboot
- echo 1 > /proc/sys/net/ipv4/ip_forward
- if pgrep firewalld; then
- # Using both permanent and not permanent rules to avoid a firewalld
- # reload.
- # We don't use --add-service=openvpn because that would only work with
- # the default port and protocol.
- firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
- firewall-cmd --zone=trusted --add-source=10.8.0.0/24
- firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
- firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
- # Set NAT for the VPN subnet
- firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- else
- # Needed to use rc.local with some systemd distros
- if [[ "$OS" = 'debian' && ! -e $RCLOCAL ]]; then
- echo '#!/bin/sh -e
-exit 0' > $RCLOCAL
- fi
- chmod +x $RCLOCAL
- # Set NAT for the VPN subnet
- iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
- sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP" $RCLOCAL
- if iptables -L -n | grep -qE '^(REJECT|DROP)'; then
- # If iptables has at least one REJECT rule, we asume this is needed.
- # Not the best approach but I can't think of other and this shouldn't
- # cause problems.
- iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT
- iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
- iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" $RCLOCAL
- sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" $RCLOCAL
- sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" $RCLOCAL
- fi
- fi
- # If SELinux is enabled and a custom port or TCP was selected, we need this
- if hash sestatus 2>/dev/null; then
- if sestatus | grep "Current mode" | grep -qs "enforcing"; then
- if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
- # semanage isn't available in CentOS 6 by default
- if ! hash semanage 2>/dev/null; then
- yum install policycoreutils-python -y
- fi
- semanage port -a -t openvpn_port_t -p $PROTOCOL $PORT
- fi
- fi
- fi
- # And finally, restart OpenVPN
- if [[ "$OS" = 'debian' ]]; then
- # Little hack to check for systemd
- if pgrep systemd-journal; then
- systemctl restart openvpn@server.service
- else
- /etc/init.d/openvpn restart
- fi
- else
- if pgrep systemd-journal; then
- systemctl restart openvpn@server.service
- systemctl enable openvpn@server.service
- else
- service openvpn restart
- chkconfig openvpn on
- fi
- fi
- # Try to detect a NATed connection and ask about it to potential LowEndSpirit users
- EXTERNALIP=$(wget -4qO- "http://whatismyip.akamai.com/")
- if [[ "$IP" != "$EXTERNALIP" ]]; then
- echo ""
- echo "Looks like your server is behind a NAT!"
- echo ""
- echo "If your server is NATed (e.g. LowEndSpirit), I need to know the external IP"
- echo "If that's not the case, just ignore this and leave the next field blank"
- read -p "External IP: " -e USEREXTERNALIP
- if [[ "$USEREXTERNALIP" != "" ]]; then
- IP=$USEREXTERNALIP
- fi
- fi
- # client-common.txt is created so we have a template to add further users later
- echo "client
-dev tun
-proto $PROTOCOL
-sndbuf 0
-rcvbuf 0
-remote $IP $PORT
-resolv-retry infinite
-nobind
-persist-key
-persist-tun
-remote-cert-tls server
-auth SHA512
-cipher AES-256-CBC
-comp-lzo
-setenv opt block-outside-dns
-key-direction 1
-verb 3" > /etc/openvpn/client-common.txt
- # Generates the custom client.ovpn
- newclient "$CLIENT"
- echo ""
- echo "Finished!"
- echo ""
- echo "Your client configuration is available at" ~/"$CLIENT.ovpn"
- echo "If you want to add more clients, you simply need to run this script again!"
-fi
\ No newline at end of file
diff --git a/README b/README
deleted file mode 100644
index 6901dce..0000000
--- a/README
+++ /dev/null
@@ -1,16 +0,0 @@
-vps# iptables -t nat -A PREROUTING -p tcp --dport 9987 -j DNAT --to-destination 192.168.1.3 (mein Homeserver wenn ich richtig verstanden habe)
-vps# iptables -t nat -A POSTROUTING -p tcp --dport 9987 -j MASQUERADE
-
-vps# iptables -t nat -A PREROUTING -p tcp --dport 30033 -j DNAT --to-destination 192.168.1.3
-vps# iptables -t nat -A POSTROUTING -p tcp --dport 30033 -j MASQUERADE
-
-vps# iptables -t nat -A PREROUTING -p tcp --dport 10011 -j DNAT --to-destination 192.168.1.3
-vps# iptables -t nat -A POSTROUTING -p tcp --dport 10011 -j MASQUERADE
-
-Port forwarding using OpenVPN client
-
-sysctl -w net.ipv4.ip_forward=1
-
-iptables -t nat -A PREROUTING -d 50.xxx.xxx.xxx -p tcp --dport 8081 -j DNAT --to-dest 192.168.2.86:8081
-
-iptables -t nat -A POSTROUTING -d 192.168.2.86 -p tcp --dport 8081 -j SNAT --to-source 10.0.2.42
diff --git a/README.md b/README.md
index 9d61a90..8ce69ec 100755
--- a/README.md
+++ b/README.md
@@ -15,3 +15,20 @@ cat id_rsa.pub | ssh server 'cat>> ~/.ssh/authorized_keys'
# Zum suchen der libinput Treiber mit
libwacom-list-local-devices
for wort in /usr/share/libwacom/*; do if cat $wort | grep CTL-4100WL; then echo $wort; fi; done
+
+# Port forwarding using OpenVPN client
+
+vps# iptables -t nat -A PREROUTING -p tcp --dport 9987 -j DNAT --to-destination 192.168.1.3 (mein Homeserver wenn ich richtig verstanden habe)
+vps# iptables -t nat -A POSTROUTING -p tcp --dport 9987 -j MASQUERADE
+
+vps# iptables -t nat -A PREROUTING -p tcp --dport 30033 -j DNAT --to-destination 192.168.1.3
+vps# iptables -t nat -A POSTROUTING -p tcp --dport 30033 -j MASQUERADE
+
+vps# iptables -t nat -A PREROUTING -p tcp --dport 10011 -j DNAT --to-destination 192.168.1.3
+vps# iptables -t nat -A POSTROUTING -p tcp --dport 10011 -j MASQUERADE
+
+sysctl -w net.ipv4.ip_forward=1
+
+iptables -t nat -A PREROUTING -d 50.xxx.xxx.xxx -p tcp --dport 8081 -j DNAT --to-dest 192.168.2.86:8081
+
+iptables -t nat -A POSTROUTING -d 192.168.2.86 -p tcp --dport 8081 -j SNAT --to-source 10.0.2.42
diff --git a/Readme.md b/Readme.md
deleted file mode 100644
index 92f0ff1..0000000
--- a/Readme.md
+++ /dev/null
@@ -1,3 +0,0 @@
-29 0 \* /bin/bash /opt/scripts/make-backup.sh
-
-su www-data -s /bin/bash -c "php occ files:scan --path /srieger/files/Backups/Server"
\ No newline at end of file
diff --git a/Simon-OS/arch-install b/Simon-OS/arch-install
deleted file mode 100755
index 55a140b..0000000
--- a/Simon-OS/arch-install
+++ /dev/null
@@ -1,913 +0,0 @@
-#!/bin/bash
-#
-set -ex
-
-echo "Version: Di 7. Nov 19:17:34 CET 2017"
-
-if [[ $EUID -ne 0 ]]; then
- echo "This script must be run as root" 1>&2
- exit 1
-fi
-echo "Als root Angemeldet"
-
-function minimalinstallation() {
- #Mehrzeiler
- while read line
- do
- pacstrap -c -d -G -M ${mountpoint} $line
- done < /etc/packages_all.txt
-
-}
-
-function secureumount() {
- if [ "${dateisystem}" == "btrfs" ]; then
- if cat /proc/mounts | grep ${mountpoint} > /dev/null; then
- umount ${mountpoint}/boot
- btrfs fi df ${mountpoint}
- echo "umount!!!"
- umount ${mountpoint}/home
- umount ${mountpoint}/opt
- umount ${mountpoint}/var/cache/pacman/pkg
- umount ${mountpoint}/var/lib
- # custom-mounts
- for wort in ${mountsnaps}
- do
- umount ${mountpoint}${wort}
- done
- umount ${mountpoint}
- umount /mnt/btrfs-root
- #umount -R /mnt
- fi
-elif [ "${dateisystem}" == "ext4" ]; then
- if cat /proc/mounts | grep ${mountpoint} > /dev/null; then
- umount ${mountpoint}/boot
- umount ${mountpoint}
- fi
-fi
-
-
-}
-
-function partionierenmitswap() {
-wipefs -a -f ${device}
-sgdisk -o ${device}
-sgdisk -a 2048 -n 1::+1024K -c 1:"BIOS Boot Partition" -t 1:ef02 ${device}
-sgdisk -a 2048 -n 2::+1G -c 2:"EFI Boot Partition" -t 2:ef00 ${device}
-sgdisk -a 2048 -n 3::+8G -c 3:"Linux swap" -t 3:8200 ${device}
-sgdisk -a 2048 -n 4:: -c 4:"Linux filesystem" -t 4:8300 ${device}
-
-if [ "${verschluesselung}" == "y" ]; then
- echo "Bitte groß YES schreiben"
- cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat ${device}${rootpartitionnummer}
- cryptsetup luksOpen ${device}${rootpartitionnummer} luks0
- deviceluks="/dev/mapper/luks0"
-fi
-
-}
-
-function partionierenohneswap() {
-wipefs -a -f ${device}
-sgdisk -o ${device}
-sgdisk -a 2048 -n 1::+1024K -c 1:"BIOS Boot Partition" -t 1:ef02 ${device}
-sgdisk -a 2048 -n 2::+1G -c 2:"EFI Boot Partition" -t 2:ef00 ${device}
-sgdisk -a 2048 -n 3:: -c 4:"Linux filesystem" -t 3:8300 ${device}
-
-if [ "${verschluesselung}" == "y" ]; then
- echo "Bitte groß YES schreiben"
- cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat ${device}${rootpartitionnummer}
- cryptsetup luksOpen ${device}${rootpartitionnummer} luks0
- deviceluks="/dev/mapper/luks0"
-fi
-
-
-}
-
-function usbsecret() {
-
-/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/install/usbsecret > ${mountpoint}/usr/lib/initcpio/install/usbsecret
-/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/hooks/usbsecret > ${mountpoint}/root/usbsecret
-
-# hooks
-#cp install/usbsecret ${mountpoint}/usr/lib/initcpio/install/usbsecret
-#cp hooks/usbsecret ${mountpoint}/usr/lib/initcpio/hooks/usbsecret
-
-sed "s|%USB_UUID%|${usbsecretdeviceuuid}|g;" ${mountpoint}/root/usbsecret > ${mountpoint}/usr/lib/initcpio/hooks/usbsecret
-
-}
-
-function cron() {
-echo "cron-job snapshot"
-mkdir -p ${mountpoint}/var/spool/cron/
-echo "0 18 * * * /usr/bin/snapshot make ROOT home opt var/cache/pacman/pkg ${mountsnaps}" > ${mountpoint}/var/spool/cron/root
-if [ "${update}" != "n" ]; then
- /usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/snapshot.sh > ${mountpoint}/usr/bin/snapshot
- chmod 755 ${mountpoint}/usr/bin/snapshot
-fi
-}
-
-function makeswapfile() {
-#swapfile
-fallocate -l ${swapfilespeicher} ${mountpoint}/swapfile
-chmod 600 ${mountpoint}/swapfile
-mkswap ${mountpoint}/swapfile
-echo "/swapfile none swap defaults 0 0" >> ${mountpoint}/etc/fstab
-}
-
-function makebtrfsswapfile() {
-
-/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/btrfs-swapon > ${mountpoint}/usr/bin/btrfs-swapon
-/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/btrfs-swapoff > ${mountpoint}/usr/bin/btrfs-swapoff
-/usr/bin/curl -v -C - -f https://raw.githubusercontent.com/simono41/Simon-OS/master/btrfs-swapon.service > ${mountpoint}/root/btrfs-swapon.service
-
-chmod +x ${mountpoint}/usr/bin/btrfs-swapon
-chmod +x ${mountpoint}/usr/bin/btrfs-swapoff
-
-sed "s|%swapfilespeicher%|${swapfilespeicher}|g;" ${mountpoint}/root/btrfs-swapon.service > ${mountpoint}/etc/systemd/system/btrfs-swapon.service
-
-arch-chroot ${mountpoint} systemctl enable btrfs-swapon
-
-}
-
-function removeinstaller {
-echo ""
-if [ -f ${mountpoint}/usr/share/applications/arch-install.desktop ]
-then
- rm ${mountpoint}/usr/share/applications/arch-install.desktop
-fi
-echo ""
-if [ -f ${mountpoint}/root/Schreibtisch/arch-install.desktop ]
-then
- rm ${mountpoint}/root/Schreibtisch/arch-install.desktop
-fi
-echo ""
-if [ -f ${mountpoint}/home/user/Schreibtisch/arch-install.desktop ]
-then
- rm ${mountpoint}/home/user/Schreibtisch/arch-install.desktop
-fi
-echo ""
-if [ -f ${mountpoint}/root/Desktop/arch-install.desktop ]
-then
- rm ${mountpoint}/root/Desktop/arch-install.desktop
-fi
-echo ""
-if [ -f ${mountpoint}/home/user/Desktop/arch-install.desktop ]
-then
- rm ${mountpoint}/home/user/Desktop/arch-install.desktop
-fi
-echo ""
-}
-
-function installation {
-
-#boot
-echo "formatieren"
-mkfs.vfat -F 32 ${device}${efipartitionnummer}
-
-#root
-if [ "${dateisystem}" == "btrfs" ]; then
- #mkfs.btrfs -f -L p_arch ${device}2
- btrfsformat #btrfs
- subvolume #btrfs
-
-elif [ "${dateisystem}" == "ext4" ]; then
- echo "mit j bestätigen"
- if [ "${verschluesselung}" == "y" ]; then
- mkfs.ext4 -L p_arch ${deviceluks} #ext4
- mount ${deviceluks} ${mountpoint}
- else
- mkfs.ext4 -L p_arch ${device}${rootpartitionnummer} #ext4
- mount ${device}${rootpartitionnummer} ${mountpoint}
- fi
-
-fi
-
-#swap
-if [ "${swap}" != "n" ]; then
- mkswap -L p_swap ${device}${swappartitionnummer}
-fi
-
-#installation
-if [ "${offline}" != "n" ]
-then
- if [ -f /run/archiso/bootmnt/arch/$(uname -m)/airootfs.sfs ]
- then
- echo "Es ist kein copytoram System."
- unsquashfs -f -d ${mountpoint} /run/archiso/bootmnt/arch/$(uname -m)/airootfs.sfs
- else
- echo "Es ist ein copytoram System."
- unsquashfs -f -d ${mountpoint} /run/archiso/copytoram/airootfs.sfs
- fi
-else
- minimalinstallation
-fi
-
-#kernel
-parameter="base udev "
-if [ "${swap}" != "n" ]; then
- parameter="${parameter}resume "
-fi
-if [ "${verschluesselung}" == "y" ]; then
- parameter="${parameter}encrypt "
-fi
-parameter="${parameter}block filesystems keyboard "
-if [ "${verschluesselung}" == "y" ]; then
- echo "btrfs-hook wird übersprungen!"
-else
- if [ "${dateisystem}" == "btrfs" ]; then
- parameter="${parameter}btrfs "
- fi
-fi
-if [ "${usbsecret}" == "y" ]; then
- parameter="${parameter}usbsecret "
-fi
-
-echo ""
-echo "MODULES=\"i915 radeon\"" > ${mountpoint}/etc/mkinitcpio.conf
-echo "HOOKS=\"${parameter}\"" >> ${mountpoint}/etc/mkinitcpio.conf
-echo "COMPRESSION=\"lz4\"" >> ${mountpoint}/etc/mkinitcpio.conf
-echo "FILES=\"/etc/modprobe.d/blacklist-floppy.conf\"" >> ${mountpoint}/etc/mkinitcpio.conf
-echo ""
-echo "blacklist floppy" > ${mountpoint}/etc/modprobe.d/blacklist-floppy.conf
-echo ""
-#cp /etc/X11/xinit/xinitrc ${mountpoint}/etc/X11/xinit/xinitrc
-echo "exec startxfce4" > ${mountpoint}/etc/X11/xinit/xinitrc
-#
-echo ""
-echo "tmpfs /tmp tmpfs defaults 0 0" >> ${mountpoint}/etc/fstab
-echo "tmpfs /dev/shm tmpfs defaults 0 0" >> ${mountpoint}/etc/fstab
-
-#fstab
-rootbind=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
-
-#genfstab -Up ${mountpoint} >> ${mountpoint}/etc/fstab
-
-if [ "${dateisystem}" == "btrfs" ]; then
- btrfsfstab #btrfs
-
- mkdir -p ${mountpoint}/run/btrfs-root
- if [ "${verschluesselung}" == "y" ]; then
- echo "${deviceluks} /run/btrfs-root/ btrfs defaults 0 0" >> ${mountpoint}/etc/fstab #btrfs
- else
- echo "PARTUUID=${rootbind} /run/btrfs-root/ btrfs defaults 0 0" >> ${mountpoint}/etc/fstab #btrfs
- fi
- #grep -v "/var/lib" < ${mountpoint}/etc/fstab > fstab.neu; mv fstab.neu ${mountpoint}/etc/fstab
-
- echo "/run/btrfs-root/__current/ROOT/var/lib /var/lib none bind 0 0" >> ${mountpoint}/etc/fstab #btrfs
-
- cron
-
-elif [ "${dateisystem}" == "ext4" ]; then
- if [ "${verschluesselung}" == "y" ]; then
- echo "${deviceluks} / ext4 rw,defaults,noatime,nodiratime,discard 0 0" >> ${mountpoint}/etc/fstab
- else
- echo "PARTUUID=${rootbind} / ext4 rw,defaults,noatime,nodiratime,discard 0 0" >> ${mountpoint}/etc/fstab
- fi
-fi
-
-
-bootbind=$(blkid -s PARTUUID -o value ${device}${efipartitionnummer})
-
-echo -e "PARTUUID=${bootbind} /boot vfat rw,relatime 0 2" >> ${mountpoint}/etc/fstab
-
-
-if [ "${swap}" != "n" ]; then
- if [ "${verschluesselung}" == "y" ]; then
- swappartition=$(blkid -s PARTUUID -o value ${device}${swappartitionnummer})
- echo "swap PARTUUID=${swappartition} /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256" >> ${mountpoint}/etc/crypttab
- echo "/dev/mapper/swap none swap defaults 0 0" >> ${mountpoint}/etc/fstab
- else
- swappartition=$(blkid -s PARTUUID -o value ${device}${swappartitionnummer})
- echo "PARTUUID=${swappartition} none swap defaults 0 0" >> ${mountpoint}/etc/fstab
- fi
-fi
-
-#makeswapfile+fstab
-if [ "${swapfile}" == "y" ]; then
- if [ "${dateisystem}" == "btrfs" ]; then
- makebtrfsswapfile
- elif [ "${dateisystem}" == "ext4" ]; then
- makeswapfile
- fi
-fi
-
-#hostname
-echo "${name}"s-OS > ${mountpoint}/etc/hostname
-
-#openvpn
-if [ "${openvpn}" != "n" ]; then
- arch-chroot ${mountpoint} systemctl enable openvpn-client@client.service
-else
- arch-chroot ${mountpoint} systemctl disable openvpn-client@client.service
-fi
-
-if [ "${usbsecret}" == "y" ]; then
- usbsecret
-fi
-
-if [ "${verschluesselung}" == "y" ]; then
- if [ "${boot}" == "grub" ]; then
- tobootdevice=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
- sed -i 's/GRUB_CMDLINE_LINUX=.*$/GRUB_CMDLINE_LINUX="cryptdevice=PARTUUID='$tobootdevice':luks0"/' ${mountpoint}/etc/default/grub
- echo "GRUB_ENABLE_CRYPTODISK=y" >> ${mountpoint}/etc/default/grub
- fi
-fi
-
-
-
-
-
-
-
-
-
-
-
-
-#sie könne hier ihre scripte die bei der installation ausgeführt werden sollen hinzufügen :D
-
-
-
-
-
-
-}
-
-function btrfsformat() {
-if [ "$raid" == "raid0" ]; then
- if [ "${verschluesselung}" == "y" ]; then
- mkfs.btrfs -f -m raid10 -d raid10 ${deviceluks} ${device1}
- else
- mkfs.btrfs -f -m raid0 -d raid0 ${device}${rootpartitionnummer} ${device1}
- fi
-elif [ "$raid" == "raid1" ]; then
- if [ "${verschluesselung}" == "y" ]; then
- mkfs.btrfs -f -m raid10 -d raid10 ${deviceluks} ${device1}
- else
- mkfs.btrfs -f -m raid1 -d raid1 ${device}${rootpartitionnummer} ${device1}
- fi
-elif [ "$raid" == "raid10" ]; then
- if [ "${verschluesselung}" == "y" ]; then
- mkfs.btrfs -f -m raid10 -d raid10 ${deviceluks} ${device1}
- else
- mkfs.btrfs -f -m raid10 -d raid10 ${device}${rootpartitionnummer} ${device1}
- fi
-else
- if [ "${verschluesselung}" == "y" ]; then
- mkfs.btrfs -f -m single ${deviceluks}
- else
- mkfs.btrfs -f -m single ${device}${rootpartitionnummer}
- fi
-fi
-btrfs filesystem show
-
-}
-
-function btrfsfstab() {
-
-rootbind=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
-
-if [ "${verschluesselung}" == "y" ]; then
-
-
- echo -e "${deviceluks} / btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT 0 0" >> ${mountpoint}/etc/fstab
-
- echo -e "${deviceluks} /home btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home 0 0" >> ${mountpoint}/etc/fstab
- echo -e "${deviceluks} /opt btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt 0 0" >> ${mountpoint}/etc/fstab
- echo -e "${deviceluks} /var/cache/pacman/pkg btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg 0 0" >> ${mountpoint}/etc/fstab
-
- # custom-mounts
- for wort in ${mountsnaps}
- do
- echo -e "${deviceluks} ${wort} btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} 0 0" >> ${mountpoint}/etc/fstab
- done
-
-
-else
-
- echo -e "PARTUUID=${rootbind} / btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT 0 0" >> ${mountpoint}/etc/fstab
-
- echo -e "PARTUUID=${rootbind} /home btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home 0 0" >> ${mountpoint}/etc/fstab
- echo -e "PARTUUID=${rootbind} /opt btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt 0 0" >> ${mountpoint}/etc/fstab
- echo -e "PARTUUID=${rootbind} /var/cache/pacman/pkg btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg 0 0" >> ${mountpoint}/etc/fstab
-
- # custom-mounts
- for wort in ${mountsnaps}
- do
- echo -e "PARTUUID=${rootbind} ${wort} btrfs rw,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} 0 0" >> ${mountpoint}/etc/fstab
- done
-
-
-fi
-}
-
-function btrfsmount() {
-#[[ -z "${device}" ]] && device=${2}
-
-if [ "${1}" == "1" ] || [ "${1}" == "" ]; then
- if [ "${verschluesselung}" == "y" ]; then
- mkdir -p /mnt/btrfs-root
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo ${deviceluks} /mnt/btrfs-root
- else
- mkdir -p /mnt/btrfs-root
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo ${device}${rootpartitionnummer} /mnt/btrfs-root
- fi
-fi
-if [ "${1}" == "2" ] || [ "${1}" == "" ]; then
- if [ "${verschluesselung}" == "y" ]; then
- mkdir -p ${mountpoint}
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT ${deviceluks} ${mountpoint}
-
- mkdir -p ${mountpoint}/home
- mkdir -p ${mountpoint}/opt
- mkdir -p ${mountpoint}/var/cache/pacman/pkg
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home ${deviceluks} ${mountpoint}/home
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt ${deviceluks} ${mountpoint}/opt
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg ${deviceluks} ${mountpoint}/var/cache/pacman/pkg
-
- # custom-mounts
- for wort in ${mountsnaps}
- do
- mkdir -p ${mountpoint}${wort}
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} ${deviceluks} ${mountpoint}${wort}
- done
-
- mkdir -p ${mountpoint}/var/lib
- mount --bind /mnt/btrfs-root/__current/ROOT/var/lib ${mountpoint}/var/lib
- else
- mkdir -p ${mountpoint}
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/ROOT ${device}${rootpartitionnummer} ${mountpoint}
-
- mkdir -p ${mountpoint}/home
- mkdir -p ${mountpoint}/opt
- mkdir -p ${mountpoint}/var/cache/pacman/pkg
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/home ${device}${rootpartitionnummer} ${mountpoint}/home
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/opt ${device}${rootpartitionnummer} ${mountpoint}/opt
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current/var/cache/pacman/pkg ${device}${rootpartitionnummer} ${mountpoint}/var/cache/pacman/pkg
-
- # custom-mounts
- for wort in ${mountsnaps}
- do
- mkdir -p ${mountpoint}${wort}
- mount -o defaults,noatime,nodiratime,space_cache,discard,ssd,compress=lzo,subvol=__current${wort} ${device}${rootpartitionnummer} ${mountpoint}${wort}
- done
-
- mkdir -p ${mountpoint}/var/lib
- mount --bind /mnt/btrfs-root/__current/ROOT/var/lib ${mountpoint}/var/lib
- fi
- # boot mount
- mkdir -p ${mountpoint}/boot
- mount -t vfat ${device}${efipartitionnummer} ${mountpoint}/boot
-
-fi
-}
-
-function subvolume() {
-
-# Mount
-btrfsmount 1
-
-# Create
-mkdir -p /mnt/btrfs-root/__snapshot
-mkdir -p /mnt/btrfs-root/__current
-btrfs subvolume create /mnt/btrfs-root/__current/ROOT
-btrfs subvolume create /mnt/btrfs-root/__current/home
-btrfs subvolume create /mnt/btrfs-root/__current/opt
-mkdir -p /mnt/btrfs-root/__current/var/cache/pacman
-btrfs subvolume create /mnt/btrfs-root/__current/var/cache/pacman/pkg/
-
-# custom-mounts
-for wort in ${mountsnaps}
-do
- mkdir -p /mnt/btrfs-root/__current${wort%/*}
- btrfs subvolume create /mnt/btrfs-root/__current${wort}
-done
-
-btrfs subvolume list -p /mnt/btrfs-root
-
-# Mount
-btrfsmount 2
-
-}
-
-function update() {
-#statements
-local if="${1}"
-local of="${2}"
-local parameters="${3}"
-local before="${4}"
-if [ -f "${of}" ]
-then
- rm ${of}
-else
- echo "${of} nicht vorhanden!"
-fi
-/usr/bin/curl -v -C - -f ${if} > ${of}
-chmod 755 ${of}
-[[ -n "${5}" ]] && of=${5}
-${before} ${of} ${parameters}
-}
-
-function systemdboot() {
-tobootdeviceuuid=$(blkid -s PARTUUID -o value ${device}${rootpartitionnummer})
-swappartitionpart=$(blkid -s PARTUUID -o value ${device}${swappartitionnummer})
-
-# zurücksetzen der parameter
-parameter=""
-
-if [ "${swap}" != "n" ]; then
- parameter="${parameter}resume=PARTUUID=${swappartitionpart} "
-fi
-if [ "${verschluesselung}" == "y" ]; then
- tobootdevice=${deviceluks}
- parameter="${parameter}cryptdevice=PARTUUID=${tobootdeviceuuid}:luks0 "
-else
- tobootdevice="PARTUUID=${tobootdeviceuuid}"
-fi
-if [ "${dateisystem}" == "btrfs" ]; then
- parameter="${parameter}rootflags=subvol=__current/ROOT "
-fi
-
-#rootsub=$(btrfs subvolume list /mnt | awk 'NR<0 && NR>2 {print $2}')
-
-mkdir -p ${mountpoint}/boot/EFI/systemd/
-mkdir -p ${mountpoint}/boot/EFI/BOOT/
-cp ${mountpoint}/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${mountpoint}/boot/EFI/systemd/systemd-bootx64.efi
-cp ${mountpoint}/usr/lib/systemd/boot/efi/systemd-bootx64.efi ${mountpoint}/boot/EFI/BOOT/BOOTX64.EFI
-
-mkdir -p ${mountpoint}/boot/loader/entries/
-echo "title "${name}"s-os" > ${mountpoint}/boot/loader/entries/arch-uefi.conf
-echo "linux /vmlinuz-linux" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
-echo "initrd /intel-ucode.img" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
-echo "initrd /initramfs-linux.img" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
-echo "options root=${tobootdevice} rw ${parameter}" >> ${mountpoint}/boot/loader/entries/arch-uefi.conf
-
-echo "title "${name}"s-os" > ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
-echo "linux /vmlinuz-linux" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
-echo "initrd /intel-ucode.img" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
-echo "initrd /initramfs-linux-fallback.img" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
-echo "options root=${tobootdevice} rw ${parameter}" >> ${mountpoint}/boot/loader/entries/arch-uefi-fallback.conf
-
-echo "default arch-uefi" > ${mountpoint}/boot/loader/loader.conf
-echo "timeout 1" >> ${mountpoint}/boot/loader/loader.conf
-
-if [ "${booteintraege}" != "n" ]; then
-
- echo "Zusätzliche Booteinträge werden erstellt!!!"
-
- arch-chroot ${mountpoint} efibootmgr -c -d ${device} -p 1 -l /EFI/systemd/systemd-bootx64.efi -L "Linux Boot Manager"
-
- arch-chroot ${mountpoint} efibootmgr -c -d ${device} -p 1 -l \vmlinuz-linux -L "Arch Linux efistub" -u "initrd=/initramfs-linux.img root=${tobootdevice} rw ${parameter}"
-
- # überschreibt die efistub deswegen entfernt
- #arch-chroot ${mountpoint} efibootmgr -c -d ${device} -p 1 -l \vmlinuz-linux -L "Arch Linux fallback efistub" -u "initrd=/initramfs-linux-fallback.img root=${tobootdevice} rw ${parameter}"
-
- #arch-chroot ${mountpoint} bootctl install
-
-fi
-
-}
-
-function abfrage() {
-read -p "Wie heissen sie?: " name
-[[ -z "${name}" ]] && name=arch-linux
-
-# Partionierung
-# UEFI oder Legacy-BIOS
-echo ""
-echo "UEFI = Unified Extensible Firmware Interface"
-echo "Empfohlen fuer Neuere PCs"
-echo "WICHTIG DAFUER MUESSEN SIE IM BOOTMENUE DEN UEFI USB_STICK AUSGEWAEHLT HABEN SONST KANN KEIN UEFI BOOTEINTRAG ERSTELLT WERDEN!!!"
-echo ""
-echo "BIOS = basic input/output system"
-echo "Empfohlen fuer Alte PCs und portable USB-Sticks"
-echo ""
-echo "Bitte die Eingaben klein schreiben :D !!!"
-echo "Für jedes ja must du ein y machen und für jedes nein ein n ok !!!"
-echo ""
-if mount | grep efi > /dev/null; then
- echo "System unterstützt UEFI"
- read -p "Wie moechten sie ihre Festplatte partioniert haben: [UEFI/bios] " Partition
- [[ -z "${Partition}" ]] && Partition=uefi
-else
- echo "System unterstützt kein UEFI"
- read -p "Wie moechten sie ihre Festplatte partioniert haben: [uefi/BIOS] " Partition
- [[ -z "${Partition}" ]] && Partition=bios
-fi
-
-if [ "${Partition}" == "uefi" ]
-then
- read -p "Soll mit systemd gebootet werden oder mit grub? [systemd/GRUB] : " boot
- if [ "${boot}" == "systemd" ]; then
- read -p "Sollen noch zusätzliche Booteinträge erstelt werden? [Y/n] : " booteintraege
- fi
-
-fi
-[[ -z "${boot}" ]] && boot=grub
-
-fdisk -l
-read -p "Geben sie eine Festplatte an: /dev/sda " device
-[[ -z "${device}" ]] && device=/dev/sda
-
-read -p "Welches Passwort soll der Root erhalten?: root " pass
-[[ -z "${pass}" ]] && pass=root
-
-read -p "Welches Dateisystem soll benutzt werden? [BTRFS/ext4] " dateisystem
-[[ -z "${dateisystem}" ]] && dateisystem=btrfs
-
-if [ "${dateisystem}" == "btrfs" ]; then
- read -p "Soll ein raid gemacht werden?: [raid0/raid1/raid10/n] " raid
- [[ -z "${raid}" ]] && raid=n
- if [ "${raid}" == "n" ]; then
- echo "Kein raid wird erzeugt!"
- else
- fdisk -l
- read -p "Bitte geben sie die Festplatten in eine Reihe an die zu einem Raid verbunden werden sollen!!!: " device1
- fi
- echo "Standartmässige Snapshots / /home /opt /var/cache/pacman/pkg"
- echo "Die Verzeichnisse dürfen sich nicht überlappen sonst kann es zu problemen mit dem unmounten kommen!!!"
- read -p "Sollen mehr Snapshots erstellt werden?: " mountsnaps
-fi
-
-read -p "Wollen sie eine swap-partition erstellen? : [Y/n] " swap
-read -p "Wollen sie eine swapfile erstellen? : [y/N] " swapfile
-
-if [ "${update}" != "n" ]; then
-
- echo "Diese einstellung kann man mit: "
- echo "systemctl enable openvpn-client@client.service aktivieren und mit"
- echo "systemctl disable openvpn-client@client.service deaktivieren"
- echo "Die Bandbreite wird dadurch reduziert aber die Sicherheit deutlich erhöht"
- read -p "Soll die Verbindung mit einer VPN verschlüsselt werden? : [Y/n] " openvpn
-
-fi
-
-if [ "${update}" != "n" ]; then
-
- echo "WARNUNG das System wird nicht verschlüsselt!!!"
- echo "WARNUNG ohne den USB-Stick startet das System nicht mehr!!!"
- read -p "Soll ein USB-Stick als Schlüssel für das System installiert werden? : [y/N] " usbsecret
- if [ "${usbsecret}" == "y" ]; then
- read -p "Welcher USB-Stick soll ausgewählt werden für die USB-secret Schlüssel?: /dev/sdb1 " usbsecretdevice
- [[ -z "${usbsecretdevice}" ]] && device=/dev/sdb1
- usbsecretdeviceuuid=$(blkid -s PARTUUID -o value ${usbsecretdevice})
- [[ -z "${usbsecretdeviceuuid}" ]] && mkfs.ext4 ${usbsecretdevice}
- fi
-fi
-
-if [ "${raid}" == "n" ]; then
- read -p "Soll die Festplatte verschlüsselt werden? : [y/N] " verschluesselung
-fi
-
-# berechnungen
-
-if [ "${update}" != "n" ] && [ "spectre-os" != "$(cat /etc/hostname)" ]; then
- read -p "Soll eine Offline-Installation durchgefuehrt werden? : [Y/n] " offline
- if [ "${offline}" != "n" ]
- then
- install="offline"
- else
- install="online"
- fi
-else
- install="offline"
-fi
-
-# Dateisystem
-if [ "${dateisystem}" == "btrfs" ]; then
- mountpoint="/mnt/btrfs-current"
-elif [ "${dateisystem}" == "ext4" ]; then
- mountpoint="/mnt"
-fi
-
-#
-echo "Name: ${name}"
-echo "Partionsart: ${Partition}"
-echo "Bootloader: ${boot}"
-echo "Laufwerk: ${device}"
-if [ "${raid}" != "n" ]; then
- echo "Raid: ${raid}"
- echo "Festplatten: ${device1}"
-fi
-echo "Dateisystem: ${dateisystem}"
-#echo "System-Partition ${speicher}"
-#if [ "${swap}" != "n" ]; then
-# echo "Swap-partition ${swapspeicher}"
-#fi
-#if [ "${swapfile}" == "y" ]; then
-# echo "Swapfile ${swapfilespeicher}"
-#fi
-echo "Rootpasswort: ${pass}"
-echo "Architektur: $(uname -m)"
-echo "Installation: ${install}"
-if [ "${dateisystem}" == "btrfs" ]; then
- for wort in ${mountsnaps}
- do
- echo "Snapshot ${wort} wird erstellt!!!"
- done
-fi
-if [ "${openvpn}" != "n" ]; then
- echo "VPN-Verschlüsselung: aktiv"
-fi
-if [ "${usbsecret}" == "y" ]; then
- echo "USB-secret: aktiv"
- echo "USB-UIDD: ${usbsecretdeviceuuid}"
- echo "USB-Label: ${usbsecretdevice}"
-fi
-if [ "${verschluesselung}" == "y" ]; then
- echo "Fesptplatte mit Luks 512KB verschlüsselung: aktiv"
-fi
-
-
-# Partitionierung
-
-if [ "${dateisystem}" == "btrfs" ]; then
- if [ "${Partition}" == "uefi" ]; then
- bootpartitionnummer=1
- efipartitionnummer=2
- rootpartitionnummer=3
- if [ "${swap}" != "n" ]; then
- swappartitionnummer=3
- rootpartitionnummer=4
- fi
- elif [ "${Partition}" == "bios" ]; then
- bootpartitionnummer=1
- efipartitionnummer=2
- rootpartitionnummer=3
- if [ "${swap}" != "n" ]; then
- swappartitionnummer=3
- rootpartitionnummer=4
- fi
- fi
-elif [ "${dateisystem}" == "ext4" ]; then
- if [ "${Partition}" == "uefi" ]; then
- bootpartitionnummer=1
- efipartitionnummer=2
- rootpartitionnummer=3
- if [ "${swap}" != "n" ]; then
- swappartitionnummer=3
- rootpartitionnummer=4
- fi
- elif [ "${Partition}" == "bios" ]; then
- bootpartitionnummer=1
- efipartitionnummer=2
- rootpartitionnummer=3
- if [ "${swap}" != "n" ]; then
- swappartitionnummer=3
- rootpartitionnummer=4
- fi
- fi
-fi
-
-echo "Boot-Partition = ${device}${bootpartitionnummer}"
-echo "EFI-Partition = ${device}${efipartitionnummer}"
-echo "Swap-Partition = ${device}${swappartitionnummer}"
-echo "ROOT-Partition = ${device}${rootpartitionnummer}"
-
-
-#
-read -p "Sind alle Angaben Richtig?: [y/N] " sicherheitsabfrage
-if [ "$sicherheitsabfrage" != "y" ]
-then
- echo "ABGEBROCHEN"
- exit 1
-fi
-if [ "${update}" != "n" ] && [ "spectre-os" != "$(cat /etc/hostname)" ]; then
- echo "Nur für reine arch-linux systeme benötigend!!!"
- read -p "Sollen noch wichtige Packete für die installation installiert werden? [y/N] " packete
- if [ "${packete}" == "y" ]; then
- pacman -Syu base base-devel syslinux efibootmgr efitools grub intel-ucode os-prober btrfs-progs dosfstools arch-install-scripts xorriso cdrtools squashfs-tools wget dosfstools btrfs-progs gdisk dialog bash-completion git iw wireless_tools wpa_supplicant
- fi
-fi
-echo "Betriebssystem wird installiert!!!"
-sleep 5
-}
-
-
-
-
-
-
-
-
-
-
-
-if [ "${1}" != "n" ]
-then
-read -p "Soll im Internet geguckt werden ob es ein neues Install-Script gibt und dann ausgefuehrt werden?: [Y/n] " update
-if [ "${update}" == "debug" ]
-then
- echo "Überspringe das herunterladen einen neuen Scriptes!!!"
-else
- if [ "${update}" != "n" ]
- then
- update https://raw.githubusercontent.com/simono41/Simon-OS/master/arch-install /root/arch-install.new n
- exit 0
- fi
-fi
-fi
-
-# debug = Installation überspringen zu arch-graphical-install und DEBEUG-MODUS
-abfrage
-
-secureumount
-
-if [ "${name}" == "debug" ]
-then
-echo "DEBEUG-MODUS"
-echo "Wenn kein befehl mehr ausgefuehrt werden muss einfach eingabetaste druecken"
-echo "Welcher befehl soll ausgefuert werden? "
-
-befehl=blablabla
-while [ "$befehl" != "" ]
-do
- read -p "" befehl
- $befehl
-done
-
-fi
-
-#
-echo "Eine Säuberung erhört die chance der Installation auf dem System."
-echo "Es kann eine Zeit lang dauern!"
-dd if=/dev/zero of=${device} bs=64M count=10 status=progress
-#
-if [ "${Partition}" == "uefi" ]
-then
-echo "Partioniere mit UEFI"
-
-if [ "${swap}" != "n" ]; then
- echo "Erstelle zustzliche swap-partition"
- partionierenmitswap
-else
- partionierenohneswap
-fi
-echo "installation"
-installation
-arch-chroot ${mountpoint} /bin/bash <&2
+ sudo "${0}" "$@"
+ exit 0
+fi
+
+fdisk -l
+
+read -p "Welches Laufwerk soll beschrieben werden?: [/dev/sda|/dev/sdb] " device
+
+echo "Wipe Device ${device} ..."
+
+sleep 5
+
+wipefs -a -f ${device}
+sgdisk -o ${device}
+
+echo "Create new Partition type ..."
+
+sleep 5
+
+bootpartitionnummer=1
+rootpartitionnummer=2
+
+sgdisk -a 2048 -n ${bootpartitionnummer: -1}::+1024K -c ${bootpartitionnummer: -1}:"BIOS Boot Partition" -t ${bootpartitionnummer: -1}:ef02 ${device}
+sgdisk -a 2048 -n ${rootpartitionnummer: -1}:: -c ${rootpartitionnummer: -1}:"Linux filesystem" -t ${rootpartitionnummer: -1}:8300 ${device}
+
+echo "Create and mount the FAT filesystem..."
+
+sleep 5
+
+mkfs.vfat /dev/sdX1
+mkdir boot
+mount /dev/sdX1 boot
+
+echo "Create and mount the ext4 filesystem..."
+
+sleep 5
+
+mkfs.ext4 /dev/sdX2
+mkdir root
+mount /dev/sdX2 root
+
+echo "Download and extract the root filesystem..."
+
+sleep 5
+
+wget http://os.archlinuxarm.org/os/ArchLinuxARM-rpi-armv7-latest.tar.gz
+bsdtar -xpf ArchLinuxARM-rpi-armv7-latest.tar.gz -C root
+sync
+
+echo "Move boot files to the first partition..."
+
+sleep 5
+
+mv root/boot/* boot
+
+echo "Unmount the two partitions..."
+
+sleep 5
+
+umount boot root
+
diff --git a/ssh b/ssh
old mode 100644
new mode 100755
diff --git a/sslstrip.log b/sslstrip.log
old mode 100644
new mode 100755
diff --git a/youtube-dl-helper_v1.sh b/youtube-dl-helper_v1.sh
old mode 100644
new mode 100755
diff --git a/youtube-dl-helper_v2.sh b/youtube-dl-helper_v2.sh
old mode 100644
new mode 100755
diff --git a/youtube-mplayer.sh b/youtube-mplayer.sh
old mode 100644
new mode 100755
diff --git a/youtube-vlc.sh b/youtube-vlc.sh
old mode 100644
new mode 100755
diff --git a/youtube-vlc_windows.sh b/youtube-vlc_windows.sh
old mode 100644
new mode 100755