sierra-tango-echo · May 9, 2020 11:23
diff --git a/gwopenvpn.bash b/gwopenvpn.bash
 yum -y install epel-release
 yum -y install openvpn easy-rsa bind-utils

 cp -pav /usr/share/easy-rsa/3.0.7 /etc/openvpn/easyrsa
 cd /etc/openvpn/easyrsa

 cat<< 'EOF' > /etc/openvpn/easyrsa/vars
 if [ -z "$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
 fi

 set_var EASYRSA        "$PWD"
 set_var EASYRSA_OPENSSL        "openssl"
 set_var EASYRSA_PKI            "$EASYRSA/pki"
 set_var EASYRSA_DN     "org"

 set_var EASYRSA_REQ_COUNTRY    "UK"
 set_var EASYRSA_REQ_PROVINCE   "Oxfordshire"
 set_var EASYRSA_REQ_CITY       "Oxford"
 set_var EASYRSA_REQ_ORG        "Alces Flight Ltd"
 set_var EASYRSA_REQ_EMAIL      "[email protected]"
 set_var EASYRSA_REQ_OU         "Infrastructure"
 set_var EASYRSA_KEY_SIZE       2048

 set_var EASYRSA_ALGO           rsa

 set_var EASYRSA_CA_EXPIRE      3650
 set_var EASYRSA_CERT_EXPIRE    3650
 set_var EASYRSA_CRL_DAYS       180

 set_var EASYRSA_TEMP_FILE      "$EASYRSA_PKI/extensions.temp"

 set_var EASYRSA_BATCH 		"true"
 EOF

 ./easyrsa init-pki  
 ./easyrsa init-pki  
 ./easyrsa --req-cn=cluster0 build-ca nopass 
 ./easyrsa --req-cn=cluster0 gen-req cluster0 nopass
 ./easyrsa sign-req server cluster0

 ./easyrsa --req-cn=clusterX gen-req clusterX nopass
 ./easyrsa sign-req client clusterX

 ./easyrsa gen-dh
 ./easyrsa gen-crl
 openvpn --genkey --secret ta.key

 #Do config
 cat << EOF > /etc/openvpn/flightconnector.conf
 mode server
 tls-server
 port 443
 proto tcp-server
 dev tun0
 ca /etc/openvpn/easyrsa/pki/ca.crt
 cert /etc/openvpn/easyrsa/pki/issued/hub.crt
 key /etc/openvpn/easyrsa/pki/private/hub.key
 dh /etc/openvpn/easyrsa/pki/dh.pem
 crl-verify /etc/openvpn/easyrsa/pki/crl.pem

 client-config-dir ccd-clusters
 ccd-exclusive
 client-to-client

 ifconfig 10.115.0.1 255.255.255.0
 topology subnet

 #Cluster X routes
 route 10.10.0.0 255.255.0.0 10.115.0.2
 route 10.11.0.0 255.255.0.0 10.115.0.2

 keepalive 10 120
 comp-lzo adaptive

 tls-auth /etc/openvpn/easyrsa/ta.key 0
 cipher AES-256-CBC
 auth SHA512
 tls-version-min 1.2
 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
 persist-key
 persist-tun

 status openvpn-status.log
 log         /var/log/openvpn-fc.log
 log-append  /var/log/openvpn-fc.log
 verb 3
 EOF

 cat << EOF > /etc/pam.d/openvpn-flightconnector
 #%PAM-1.0
 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 auth       substack     system-auth
 auth       include      postlogin
 auth       required     pam_listfile.so onerr=fail item=user sense=allow file=/etc/openvpn/flightconnector.users
 account    required     pam_nologin.so
 account    include      system-auth
 password   include      system-auth
 # pam_selinux.so close should be the first session rule
 session    required     pam_selinux.so close
 session    required     pam_loginuid.so
 session    optional     pam_console.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session    required     pam_selinux.so open
 session    required     pam_namespace.so
 session    optional     pam_keyinit.so force revoke
 session    include      system-auth
 session    include      postlogin
 -session   optional     pam_ck_connector.so
 EOF

 systemctl enable openvpn@flightconnector
 systemctl restart openvpn@flightconnector

 openvpn --genkey --secret /etc/openvpn/easyrsa/ta.key

 mkdir /etc/openvpn/ccd-clusters

 cat << EOF > /etc/openvpn/ccd-clusters/clusterX
 ifconfig-push 10.110.0.2 255.255.255.0
 #CLUSTER 0 ROUTE PUSH
 push "route 10.110.0.0 255.255.0.0 10.115.0.1"
 #CLUSTER X ROUTE PULL
 iroute 10.10.0.0 255.255.0.0
 iroute 10.11.0.0 255.255.0.0
 EOF
	yum -y install epel-release
	yum -y install openvpn easy-rsa bind-utils

	cp -pav /usr/share/easy-rsa/3.0.7 /etc/openvpn/easyrsa
	cd /etc/openvpn/easyrsa

	cat<< 'EOF' > /etc/openvpn/easyrsa/vars
	if [ -z "$EASYRSA_CALLER" ]; then
	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
	echo "This is no longer necessary and is disallowed. See the section called" >&2
	echo "'How to use this file' near the top comments for more details." >&2
	return 1
	fi

	set_var EASYRSA "$PWD"
	set_var EASYRSA_OPENSSL "openssl"
	set_var EASYRSA_PKI "$EASYRSA/pki"
	set_var EASYRSA_DN "org"

	set_var EASYRSA_REQ_COUNTRY "UK"
	set_var EASYRSA_REQ_PROVINCE "Oxfordshire"
	set_var EASYRSA_REQ_CITY "Oxford"
	set_var EASYRSA_REQ_ORG "Alces Flight Ltd"
	set_var EASYRSA_REQ_EMAIL "[email protected]"
	set_var EASYRSA_REQ_OU "Infrastructure"
	set_var EASYRSA_KEY_SIZE 2048

	set_var EASYRSA_ALGO rsa

	set_var EASYRSA_CA_EXPIRE 3650
	set_var EASYRSA_CERT_EXPIRE 3650
	set_var EASYRSA_CRL_DAYS 180

	set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"

	set_var EASYRSA_BATCH "true"
	EOF

	./easyrsa init-pki
	./easyrsa init-pki
	./easyrsa --req-cn=cluster0 build-ca nopass
	./easyrsa --req-cn=cluster0 gen-req cluster0 nopass
	./easyrsa sign-req server cluster0

	./easyrsa --req-cn=clusterX gen-req clusterX nopass
	./easyrsa sign-req client clusterX

	./easyrsa gen-dh
	./easyrsa gen-crl
	openvpn --genkey --secret ta.key

	#Do config
	cat << EOF > /etc/openvpn/flightconnector.conf
	mode server
	tls-server
	port 443
	proto tcp-server
	dev tun0
	ca /etc/openvpn/easyrsa/pki/ca.crt
	cert /etc/openvpn/easyrsa/pki/issued/hub.crt
	key /etc/openvpn/easyrsa/pki/private/hub.key
	dh /etc/openvpn/easyrsa/pki/dh.pem
	crl-verify /etc/openvpn/easyrsa/pki/crl.pem

	client-config-dir ccd-clusters
	ccd-exclusive
	client-to-client

	ifconfig 10.115.0.1 255.255.255.0
	topology subnet

	#Cluster X routes
	route 10.10.0.0 255.255.0.0 10.115.0.2
	route 10.11.0.0 255.255.0.0 10.115.0.2

	keepalive 10 120
	comp-lzo adaptive

	tls-auth /etc/openvpn/easyrsa/ta.key 0
	cipher AES-256-CBC
	auth SHA512
	tls-version-min 1.2
	tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
	persist-key
	persist-tun

	status openvpn-status.log
	log /var/log/openvpn-fc.log
	log-append /var/log/openvpn-fc.log
	verb 3
	EOF

	cat << EOF > /etc/pam.d/openvpn-flightconnector
	#%PAM-1.0
	auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
	auth substack system-auth
	auth include postlogin
	auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/openvpn/flightconnector.users
	account required pam_nologin.so
	account include system-auth
	password include system-auth
	# pam_selinux.so close should be the first session rule
	session required pam_selinux.so close
	session required pam_loginuid.so
	session optional pam_console.so
	# pam_selinux.so open should only be followed by sessions to be executed in the user context
	session required pam_selinux.so open
	session required pam_namespace.so
	session optional pam_keyinit.so force revoke
	session include system-auth
	session include postlogin
	-session optional pam_ck_connector.so
	EOF

	systemctl enable openvpn@flightconnector
	systemctl restart openvpn@flightconnector

	openvpn --genkey --secret /etc/openvpn/easyrsa/ta.key

	mkdir /etc/openvpn/ccd-clusters

	cat << EOF > /etc/openvpn/ccd-clusters/clusterX
	ifconfig-push 10.110.0.2 255.255.255.0
	#CLUSTER 0 ROUTE PUSH
	push "route 10.110.0.0 255.255.0.0 10.115.0.1"
	#CLUSTER X ROUTE PULL
	iroute 10.10.0.0 255.255.0.0
	iroute 10.11.0.0 255.255.0.0
	EOF