theonemule / simple-openvpn-server

A setup script and simple web UI for setting up an OpenVPN Server

License: MIT License



Simple OpenVPN Server

OpenVPN is one of the most popular VPN platforms, for a lot of good reasons. It's free, open source, and there are clients for just about every platform imaginable. For these reasons, OpenVPN is the choice for organizations and individuals alike.

There are dedicated appliances for OpenVPN that work well for enterprises, but for smaller organizations and individuals, these are overkill. This little project grew out of a desire to create a simple, web-based UI for managing OpenVPN, as well as a fully automated installer for the software on a rather low-powered Linux host, such as an entry-level VM on Azure, a Virtual Private Server (VPS) or even a container.

A special thanks goes out to the folks behind openvpn-install for their wonderful project, which serves as an interactive installer on the command line. Much of the heavy lifting for the installer here is from the script there.

The script assumes that there is NOT an instance of OpenVPN already installed on the machine and that port 443 is not in use by another web server for HTTPS. Also, this script was built for current Debian/Ubuntu distros.

Installing OpenVPN

Optionally, you can do a completely automated deployment to Azure and skip past the installation to Managing Profiles.

Otherwise, use the installer:

  1. Pull up a terminal or SSH into the target server.

  2. Logon as root

    sudo -i
    
  3. Download the installer script.

    wget https://raw.githubusercontent.com/theonemule/simple-openvpn-server/master/openvpn.sh
    
  4. Make the script executable

    chmod +x openvpn.sh
    
  5. Run the script.

    ./openvpn.sh [options]
    

    Example:

    ./openvpn.sh --adminpassword=mypassword --host=myvpn.example.com
    

    There are a number of options the script will accept:

    adminpassword -- This is the admin password for the website for managing clients. The default is password.

    dns1 -- The first DNS server assigned to the clients. The default is 8.8.8.8.

    dns2 -- The second DNS server assigned to the clients. The default is 8.8.4.4.

    vpnport -- The port to be used by OpenVPN. 1194 may be blocked by some firewalls, so this is customizable. The default port is 1194.

    protocol -- The protocol to be used by OpenVPN. This accepts udp or tcp. The default is udp.

    email -- The email to be used by NGINX for Let's Encrypt.

    host -- The host name of the server. The script attempts to detect the external IP of your server if the host is not specified. It is highly recommended that you use a host name if your server is not using a static IP address. You can get a free dynamic DNS account and use a dynamic DNS updater that keeps the DNS records for your server up to date in the event that your IP address changes.

  6. Let the installer finish. This may take a few minutes, as the installer generates a few keys to set up a certificate authority (CA) that is used to issue certificates to the clients.

  7. If the server you are installing this on is behind a firewall, be sure that you forward the external ports from the firewall to the ports on the server for the VPN. Optionally, if you want to be able to manage the VPN from outside the firewall, forward a port to 443 on the VPN Server.
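Before running the installer, it is worth checking the assumptions stated above (root shell, Debian/Ubuntu host, no existing OpenVPN, port 443 and the chosen VPN port free) and sanity-checking the option values. The following pre-flight script is an added example, not part of the project; its function names are hypothetical and the sample values in the usage line are constructed.

```shell
#!/bin/sh
# Pre-flight checks for the assumptions the README states before openvpn.sh is run:
# root shell, Debian/Ubuntu host, no OpenVPN already installed, port 443 and the
# chosen VPN port free, and sane option values. Example code only; the helper
# names are hypothetical and not part of the project.

# listing_has_port LISTING PORT: succeed if an `ss -ltn` / `ss -lun` style listing
# shows PORT bound. Column 4 is the local address, e.g. "0.0.0.0:443" or "[::]:443",
# so the port is the text after the last colon. The header line (NR == 1) is skipped.
listing_has_port() {
  printf '%s\n' "$1" | awk -v p="$2" '
    NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit found ? 0 : 1 }'
}

# os_is_debian_like OS_RELEASE: succeed if /etc/os-release text names debian or ubuntu.
os_is_debian_like() {
  printf '%s\n' "$1" | grep -Eiq '^(ID|ID_LIKE)=.*(debian|ubuntu)'
}

# validate_options ADMINPASSWORD PROTOCOL VPNPORT HOST: succeed if every value is
# acceptable. Rejects an empty admin password or the installer default "password",
# a protocol other than udp/tcp, a port outside 1-65535, and a host that is neither
# a DNS name nor a dotted IPv4 address. An empty host is allowed: the installer then
# detects the external IP itself.
validate_options() {
  pw=$1; proto=$2; port=$3; host=$4
  [ -n "$pw" ] && [ "$pw" != "password" ] || return 1
  case "$proto" in udp|tcp) ;; *) return 1 ;; esac
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  [ -z "$host" ] || printf '%s' "$host" | grep -Eq "^($label\\.)*$label\$" || return 1
  return 0
}

# preflight ADMINPASSWORD PROTOCOL VPNPORT HOST: run the live checks on this host and
# report every problem found; succeed only when all checks pass.
preflight() {
  rc=0
  [ "$(id -u)" -eq 0 ] || { echo "not root: run 'sudo -i' first"; rc=1; }
  os_is_debian_like "$(cat /etc/os-release 2>/dev/null)" || { echo "not a Debian/Ubuntu host"; rc=1; }
  if command -v openvpn >/dev/null 2>&1; then echo "openvpn is already installed"; rc=1; fi
  if listing_has_port "$(ss -ltn 2>/dev/null)" 443; then echo "tcp/443 already in use"; rc=1; fi
  flag=-ltn; [ "$2" = udp ] && flag=-lun
  if listing_has_port "$(ss "$flag" 2>/dev/null)" "$3"; then echo "$2/$3 already in use"; rc=1; fi
  validate_options "$1" "$2" "$3" "$4" || { echo "unacceptable option value(s)"; rc=1; }
  return "$rc"
}

# Usage (values constructed for the example):
#   preflight 'correct-horse-battery-staple' udp 1194 myvpn.example.com && ./openvpn.sh ...
```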

Managing Profiles

  1. Once the script is complete, point your browser to https://[your host or IP]/, where your host or IP is the host name or IP address of the VPN server. You may get an error about the site not being secure even though you are using https. This is because the site is using a self-signed certificate. Simply ignore the warning.

  2. Logon to the admin site. Use admin for the username and the password used for the adminpassword option when the installer was run. If you did not supply one, use password.

    (screenshot: Logon)

  3. Once logged on, enter a name for the client and click Add.

    (screenshot: Add a client)

  4. Once added, you can click Revoke to revoke access or Download to download the client profile.

    (screenshot: Revoke or Download)

Connecting to the Server

Once the profile is downloaded you need to configure a client:

  • Windows: use OpenVPN GUI. After installing the app, copy the .ovpn file to the C:\Program Files\OpenVPN\config folder. Launch the GUI from your Start menu, then right-click the icon in the system tray, then click Connect. Disconnect by right-clicking and selecting Disconnect.

  • MacOS (OS X): use Tunnelblick. Download and install Tunnelblick. Then double-click the downloaded .ovpn file and import the configuration either for yourself or for all users. Once imported, click the Tunnelblick icon on the menu bar and click Connect. Disconnect by clicking the Tunnelblick icon and selecting Disconnect.

  • Android: use OpenVPN Connect for Android. Download and install the app. Next, go to the admin site and create and/or download a profile. In the app, select Import from the menu, then select Import, then select Import Profile from SD card. Find the profile in your Downloads folder and import the profile. Once downloaded, click Connect. To disconnect, open the app again and select Disconnect.

  • iOS: use OpenVPN Connect for iOS. Install the app, then browse to the admin site in Safari. Create and/or download a profile. After the profile is downloaded, select Open in Open VPN. Install the profile, then select Connect to connect to the VPN. To disconnect, open the app again and select Disconnect.

That's it! Your VPN is up and running.

Contributors

blaizestewart, kenneyhe-zingbox, spatemp, ted-zhang, theonemule, ultramookie


simple-openvpn-server's Issues

Feature Request: LDAP authentication to Azure Windows server

Just curious, it may be well out of scope, but we are using this to secure access to a Windows server in Azure, but as it works now only the certificate is used to authenticate to the VPN. Would it be possible to extend this to query LDAP on a Windows server in Azure to look up the username and also require a password along with the certificate?

Remove comp-lzo option from client config

I couldn't push my fix as this repo is locked.

But you can remove comp-lzo from the client conf now, as it has already been removed from the server config.

The line is 243 in openvpn.sh


BTW: Maybe consider opening the repo to allow people to push their branches?

Let's encrypt failed with default email.

Let's Encrypt has blocked [email protected]. Therefore, the user needs to specify an email address, or the script should automatically generate an email from the given hostname.

Additionally, the email documentation in README.md is incorrectly labeled as "protocol."

Auto revoke after 31 days

Hi,
Any idea how to make client certificates auto-revoke after 31 days (or any date)?
So we would be able to revoke via the admin panel or auto-revoke according to a setting.
Thanks ! Nice openvpn admin !
Raz

Done APT-GET upgrade and service is not running any more

Hi,

I have done an upgrade and apparently the service stopped running.
My Azure VM also changed its public IP address, so I am not sure what is causing the issue.

The service status is as "active (exited)"

How can I fix this?

Thank you

AWS no internet

I installed your script on AWS. It connects to the server, but there is no Internet and sites do not open.

rm /var/www/html/*

rm /var/www/html/*

Has it ever crossed your mind that /var/www/html might be used by anything other than this script?

Apparently it has, and you want it all gone - because why else would you want to delete everything before creating a single file in this folder?

This is a prime example for why one shouldn't trust random .sh scripts from github. I'm glad I run daily backups, but we know not everyone does. And using software from github shouldn't be the reason why we need backups.

New lighttpd.conf

The new lighttpd.conf should be like this:

server.modules = (
	"mod_access",
	"mod_alias",
	"mod_compress",
	"mod_redirect",
	"mod_cgi",
	"mod_auth",
	"mod_openssl"
)

cgi.assign = ( ".sh" => "/bin/bash" )

server.document-root        = "/var/www/html"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog             = "/var/log/lighttpd/error.log"
server.pid-file             = "/var/run/lighttpd.pid"
server.username             = "www-data"
server.groupname            = "www-data"
server.port                 = 443

ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/server.pem"

index-file.names            = ( "index.sh", "index.php", "index.html", "index.lighttpd.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

# default listening port for IPv6 falls back to the IPv4 port
## Use ipv6 if available
#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

auth.debug = 2
auth.backend = "plain"
auth.backend.plain.userfile = "/etc/lighttpd/.lighttpdpassword"

auth.require = ( "/" =>
	(
		"method" => "basic",
		"realm" => "Password protected area",
		"require" => "user=admin"
	)
)

Thanks for your work :D

How to route only VPN/LAN subnet traffic over OpenVPN?

By default on other systems, split tunnel is enabled - meaning, all internet traffic goes through the client Internet connection, but if traffic is destined for the OpenVPN server's subnet/OpenVPN subnet itself, it is routed over the vpn.

I have tried adding pull-filter ignore redirect-gateway and removing setenv opt block-outside-dns (in client configuration) but by doing so I remove access to the VPN LAN.

What is the proper way to configure this flavor of OpenVPN server to properly split the traffic?
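One way to get the split-tunnel behaviour asked about, as an added example that is not part of the project or of this thread: a shell function that rewrites a downloaded profile so that a redirect-gateway pushed by the server is ignored and only the listed LAN subnets are routed through the tunnel (the VPN subnet itself stays reachable through the tun interface route or the route the server pushes for it). The 10.0.0.0/24 subnet in the usage line is a constructed value.

```shell
#!/bin/sh
# Rewrite a downloaded full-tunnel .ovpn profile as a split-tunnel profile: only the
# LAN subnets given as arguments (plus the VPN subnet itself, covered by the tun
# interface route or the route pushed for it) go over the VPN; all other traffic keeps
# using the client's own Internet connection. Example code only, not part of the project.

# cidr_prefix_to_netmask PREFIXLEN: print the dotted netmask for /PREFIXLEN (0..32).
cidr_prefix_to_netmask() {
  bits=$1
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
    $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# split_tunnel_profile LAN_CIDR...: read a profile on stdin, write the split-tunnel
# version on stdout.
#  - drops client-side "redirect-gateway" lines and the Windows-only
#    "setenv opt block-outside-dns" line, so local DNS keeps working off-tunnel;
#  - adds pull-filter ignore "redirect-gateway" so a redirect pushed by the server
#    is ignored (without it the server config decides);
#  - adds one "route NETWORK NETMASK" per subnet; OpenVPN installs it via the VPN
#    gateway, which is the default gateway argument of --route.
split_tunnel_profile() {
  grep -Ev '^[[:space:]]*(redirect-gateway|setenv[[:space:]]+opt[[:space:]]+block-outside-dns)([[:space:]]|$)' || true
  printf '\n# split tunnel: ignore pushed redirect, route only listed subnets via VPN\n'
  printf 'pull-filter ignore "redirect-gateway"\n'
  for cidr in "$@"; do
    net=${cidr%/*}; len=${cidr#*/}
    [ "$net" != "$cidr" ] || len=32            # a bare address means a /32 host route
    printf 'route %s %s\n' "$net" "$(cidr_prefix_to_netmask "$len")"
  done
}

# Usage (subnet constructed for the example):
#   split_tunnel_profile 10.0.0.0/24 < client.ovpn > client-split.ovpn
```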

Deployment error - Package certbot is not available, but is referred to by another package.

I got this error just now. Any ideas on resolving?


NSG not associated with nic

With the ARM template, after creating openvpnVM, it is not associating the NSG to the NIC. I had to do it manually, which is not a big deal, but something to be aware of if you are configuring it by clicking on the ARM template link.

Cannot connect on HTTPS

NET::ERR_CERT_INVALID

You cannot visit XXX right now because the website sent scrambled credentials that Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

How to fix this?
