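#!/bin/bash
#
# sslvpnauto.sh - interactive Debian installer for ocserv (AnyConnect-compatible
# SSL VPN server): builds ocserv 0.3.2 from source, creates a private CA and a
# server certificate, fetches a baseline ocserv.conf, adds one VPN user and
# installs a minimal iptables INPUT policy.  Must be run as root.
#
# Environment:
#   OCSERV_SHA256  optional expected SHA-256 of ocserv-0.3.2.tar.xz.  When set,
#                  the download is verified and the script aborts on mismatch;
#                  when unset the tarball is used unverified and a warning is
#                  printed (the upstream URL is plain FTP, so nothing else
#                  authenticates it).
#
# Defects fixed relative to the original flat script: the FQDN was echoed but
# never read (server cert CN ended up empty), "\n" was printed literally in the
# root-check message, a failed `cd` silently ran configure/make in the wrong
# directory, private keys were copied with default permissions, and the
# firewall ended in a LOG rule labelled "denied" with no DROP after it, so with
# the default ACCEPT policy every port stayed open.
set -euo pipefail

readonly OCSERV_VER="0.3.2"
readonly OCSERV_TARBALL="ocserv-${OCSERV_VER}.tar.xz"
readonly OCSERV_URL="ftp://ftp.infradead.org/pub/ocserv/${OCSERV_TARBALL}"
readonly OCSERV_CONF_URL="turin.theredian.org/ocserv.conf"
readonly OCSERV_DIR="/etc/ocserv"

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf 'sslvpnauto: %s\n' "$*" >&2
  exit 1
}

# Prompt for a non-empty value and store it in the variable named by $2.
# Double quotes are refused because the value is written verbatim inside a
# quoted field of a certtool template (see make_certs).
ask() {
  local prompt=$1 target=$2 value
  while :; do
    read -r -p "${prompt}: " value
    if [[ -z "$value" ]]; then
      printf 'A value is required.\n' >&2
    elif [[ "$value" == *'"'* ]]; then
      printf 'Double quotes are not allowed here.\n' >&2
    else
      break
    fi
  done
  printf -v "$target" '%s' "$value"
}

# Show the version banner and wait for a keypress.
banner() {
  clear 2>/dev/null || true
  printf '%s\n' "SSLVPNAuto Ver-0.1-A1 By Alex Fang"
  printf '%s\n' "Released under GNU GPLv2."
  printf '%s\n' "Copyright (C) Alex Fang Bug Reports [email protected] Twitter @AFANG01"
  printf '%s\n' "Solutions by ocserv, client anyconnect, openconnect"
  printf '%s\n' "SSLVPNauto.sh Version 0.1-alpha-1 by Alex Fang. Copyright (C) Alex Fang [email protected] All Rights Reserved"
  read -r -p "Press Anykey to continue..."
}

# Install build dependencies.  libgnutls28-dev comes from wheezy-backports, so
# that suite must already be enabled in the APT sources.  We are root here, so
# no sudo is needed.
install_deps() {
  apt-get update || die "apt-get update failed"
  # Declining the upgrade is allowed, as in the original script.
  apt-get upgrade || printf 'warn: apt-get upgrade skipped or failed\n' >&2
  apt-get -t wheezy-backports install libgnutls28-dev \
    || die "could not install libgnutls28-dev from wheezy-backports"
  apt-get install gnutls-bin pkg-config \
    || die "could not install gnutls-bin and pkg-config"
}

# Download, optionally verify, unpack and build ocserv into /usr (config in
# /etc).  The build runs in a subshell so the caller's working directory is
# unchanged.
build_ocserv() {
  wget -- "$OCSERV_URL" || die "download of ${OCSERV_TARBALL} failed"
  if [[ -n "${OCSERV_SHA256:-}" ]]; then
    printf '%s  %s\n' "$OCSERV_SHA256" "$OCSERV_TARBALL" | sha256sum -c - \
      || die "checksum mismatch for ${OCSERV_TARBALL}; refusing to build"
  else
    printf 'warn: OCSERV_SHA256 not set; %s was fetched over plain FTP and is not verified\n' \
      "$OCSERV_TARBALL" >&2
  fi
  tar -xvf "$OCSERV_TARBALL" || die "could not unpack ${OCSERV_TARBALL}"
  (
    cd "ocserv-${OCSERV_VER}" || exit 1
    ./configure --prefix=/usr --sysconfdir=/etc && make && make install
  ) || die "building ocserv ${OCSERV_VER} failed"
}

# Generate a private CA and a CA-signed server certificate, then install them
# under /etc/ssl.  Arguments: CA name, organization, company, server FQDN.
# Key material is created under umask 077 so it is never world-readable, even
# transiently; the CA key stays in the current directory and must be kept
# private, since it can sign further certificates.
make_certs() {
  local caname=$1 ouname=$2 oname=$3 fqdnname=$4
  (
    umask 077
    # server-ca
    certtool --generate-privkey --outfile ca-key.pem || exit 1
    cat << _EOF_ > ca.tmpl
cn = "$caname"
organization = "$ouname"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
    certtool --generate-self-signed --load-privkey ca-key.pem \
      --template ca.tmpl --outfile ca-cert.pem || exit 1
    # server-key
    certtool --generate-privkey --outfile server-key.pem || exit 1
    cat << _EOF_ > server.tmpl
cn = "$fqdnname"
o = "$oname"
serial = 2
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
    certtool --generate-certificate --load-privkey server-key.pem \
      --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
      --template server.tmpl --outfile server-cert.pem || exit 1
    # Explicit modes: the certificate is public, the key is root-only.
    install -m 644 server-cert.pem /etc/ssl/certs/server-cert.pem || exit 1
    install -m 600 server-key.pem /etc/ssl/private/server-key.pem || exit 1
  ) || die "certificate generation failed"
  printf 'Note: ca-key.pem and ca-cert.pem remain in %s; keep ca-key.pem private.\n' "$PWD" >&2
}

# Create /etc/ocserv and fetch the baseline configuration.
# NOTE(review): the config is fetched over plain HTTP from a third-party host
# and is then used by a root daemon; review ${OCSERV_DIR}/ocserv.conf (at least
# the certificate paths and udp-port) before starting ocserv.
install_config() {
  local conf="${OCSERV_DIR}/ocserv.conf"
  mkdir -p -- "$OCSERV_DIR" || die "cannot create ${OCSERV_DIR}"
  wget -O "$conf" -- "$OCSERV_CONF_URL" || die "download of ocserv.conf failed"
  [[ -s "$conf" ]] || die "downloaded ocserv.conf is empty"
}

# Create the first VPN account; ocpasswd prompts for the password itself.
add_user() {
  local username=$1
  # A leading '-' would be parsed by ocpasswd as an option.
  [[ "$username" != -* ]] || die "username must not start with '-'"
  ocpasswd -c "${OCSERV_DIR}/ocpasswd" "$username" || die "ocpasswd failed"
}

# Install the inbound policy.  Rules are appended, so running the script twice
# duplicates them, and nothing persists them across a reboot (no iptables-save).
setup_firewall() {
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -d 127.0.0.0/8 -j REJECT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -j ACCEPT
  # Nothing in this script needs port 80; kept from the original, remove if unused.
  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
  # ocserv's DTLS transport; drop this rule if ocserv.conf disables udp-port.
  iptables -A INPUT -p udp -m udp --dport 443 -j ACCEPT
  iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
  # Without this the "denied" log line was a lie: the default INPUT policy is
  # ACCEPT, so logged packets were still delivered.
  iptables -A INPUT -j DROP
}

# Final report.  Arguments: server FQDN, username.
summary() {
  clear 2>/dev/null || true
  printf '%s\n' "Config finished."
  printf 'Your server domain is %s\n' "$1"
  printf 'Your username is %s\n' "$2"
  printf '%s\n' "Your password is the password you just entered."
  printf '%s\n' "You can use 'sudo ocpasswd -c /etc/ocserv/ocpasswd username' to add users."
  printf '%s\n' "SSLVPNauto v0.1-A1 For Debian Copyright (C) Alex Fang [email protected] released under GNU GPLv2."
}

main() {
  [[ "$(id -u)" == "0" ]] || die "The current user has no root privilages"
  banner
  install_deps
  build_ocserv
  local caname ouname oname fqdnname username
  ask "Your CA's name" caname
  ask "Your Organization name" ouname
  ask "Your Company name" oname
  ask "Your server's FQDN" fqdnname
  make_certs "$caname" "$ouname" "$oname" "$fqdnname"
  install_config
  ask "Counfiguration complete. Now adding 1 user for u. Username" username
  add_user "$username"
  setup_firewall
  summary "$fqdnname" "$username"
}

main "$@"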