Code Monkey home page Code Monkey logo

openvpn-user-create's Introduction

OpenVPN user creation script

This script automates the process of creating configurations for OpenVPN clients. It handles the generation of client
keys, signing of the certificates, and creation of client configuration files with predefined template. The script also
manages client-specific settings in the CCD (Client Configuration Directory) by automatically assigning unique IP
addresses to each client.

Requirements

  • Python 3.x
  • OpenVPN with Easy-RSA for certificate management
  • Access to the OpenVPN server's Easy-RSA directory and the CCD directory

Setup

Install OpenVPN and EasyRSA

sudo -i
apt update
apt install easy-rsa openvpn -y

Set up new OpenVPN server

PROJECT_NAME=vpn-server
mkdir /etc/openvpn/${PROJECT_NAME}
cp -r /usr/share/easy-rsa /etc/openvpn/${PROJECT_NAME}
cd /etc/openvpn/${PROJECT_NAME}/easy-rsa

echo "set_var EASYRSA_ALGO     ec
set_var EASYRSA_CURVE    secp521r1
set_var EASYRSA_DIGEST   \"sha512\"
set_var EASYRSA_CA_EXPIRE       36500
set_var EASYRSA_CERT_EXPIRE     36500" \
| tee -a vars > /dev/null

EASYRSA_VARS_FILE=/etc/openvpn/${PROJECT_NAME}/easy-rsa/vars
./easyrsa init-pki
dd if=/dev/urandom of=pki/.rnd bs=256 count=1
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
openvpn --genkey --secret pki/tc.key

Create OpenVPN server configuration
Change port, proto and server fields according to your parameters!

vi /etc/openvpn/${PROJECT_NAME}.conf

# Define the network port and protocol
port 6543
proto udp
dev tun

# Specify locations of the certificate authority (CA), server certificate, and private key
ca project-name/easy-rsa/pki/ca.crt
cert project-name/easy-rsa/pki/issued/server.crt
key project-name/easy-rsa/pki/private/server.key

# Disable Diffie-Hellman parameters
dh none

# VPN server IP and subnet configuration
server 10.10.10.0 255.255.255.0
topology subnet

# Keepalive settings to maintain active connections
keepalive 10 120

# Encrypt control channel with a pre-shared key
tls-crypt project-name/easy-rsa/pki/tc.key

# Security parameters for authentication and encryption
auth SHA512
keysize 256
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM

# Set renegotiation time in seconds
reneg-sec 360

# Ensure the client certificate is for client authentication
remote-cert-eku "TLS Web Client Authentication"

# Enable script execution
script-security 2

# Allow VPN clients to communicate with each other
client-to-client

# Directory for client-specific configuration
client-config-dir /etc/openvpn/project-name-ccd

# Uncomment these lines to drop privileges after startup for added security
#user nobody
#group nobody

# Persist key and tunnel information across restarts
persist-key
persist-tun

# Logging configuration
status /var/log/openvpn/project-name-status.log
log /var/log/openvpn/project-name.log

# Set the maximum number of concurrently connected clients
;max-clients 100

# Use a fast compression algorithm
;compress lz4-v2

# Redirect all client traffic through the VPN (uncomment to enable)
;push "redirect-gateway def1 bypass-dhcp"

# Specify a DNS server to be used by the VPN clients
;push "dhcp-option DNS 8.8.8.8"

# Harden the server against Denial of Service attacks
;tls-auth databox/easy-rsa/pki/ta.key 0

# Limit the number of incoming connections per second to mitigate DoS attacks
;tcp-queue-limit 64

# Add explicit-exit-notify to notify the client about VPN session termination
;explicit-exit-notify 1

sed -i "s/project-name/$PROJECT_NAME/g" /etc/openvpn/${PROJECT_NAME}.conf
systemctl start openvpn@${PROJECT_NAME}
systemctl enable openvpn@${PROJECT_NAME}
systemctl status openvpn@${PROJECT_NAME}

Change port to yours

ufw allow 6543 comment openvpn

Configure the script

git clone https://github.com/kstka/openvpn-user-create
cd openvpn-user-create
cp config.py.sample config.py
chmod +x create-user.py

Edit config.py and define your variables

PROJECT_NAME = 'vpn-server'
RSA_DIR = f"/etc/openvpn/{PROJECT_NAME}/easy-rsa"
CCD_DIR = f"/etc/openvpn/{PROJECT_NAME}-ccd"
CONF_DIR = "client-configurations"
CONF_PREFIX = f"{PROJECT_NAME}-"
NETWORK_PREFIX = "10.10.10."
REMOTE_SERVER = 'example.com'
REMOTE_PORT = '6543'
TEMPLATE_FILE = 'template.ovpn'

Usage

./create-user.py username

This command will:

  • Check if the necessary directories exist (CCD and client config directory), creating them if necessary.
  • Generate a unique IP address for the client.
  • Generate client keys and sign them using Easy-RSA.
  • Fill in the client's OpenVPN configuration template and save it to the specified directory.
  • Create a CCD file for the client with the assigned IP address.

openvpn-user-create's People

Contributors

kstka avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.