openvpn +radiusplugin centos7.2

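#!/bin/bash
# OpenVPN road warrior installer for Debian, Ubuntu and CentOS, extended to
# authenticate VPN users against RADIUS through radiusplugin.
#
# Two modes, selected by whether /etc/openvpn/server.conf already exists:
#   - fresh install: asks a few questions, builds a PKI with EasyRSA 3, writes
#     server.conf (including the radiusplugin directives), builds and installs
#     radiusplugin, opens the firewall, starts OpenVPN and writes ~/<client>.ovpn
#   - management menu: add a client, revoke a client, remove OpenVPN
#
# It is not bulletproof; it targets a plain Debian/Ubuntu/CentOS box and must
# run as root under bash (not dash/sh).
#
# Security notes for the operator:
#   - server.conf uses client-cert-not-required + username-as-common-name, so
#     who may connect is decided by RADIUS, not by the client certificate.
#     Revoking a certificate with this script does NOT lock a user out; disable
#     the account on the RADIUS server instead.
#   - radiusplugin.cnf holds the RADIUS shared secret. The script installs the
#     unedited sample file from the tarball (placeholder server/secret); it
#     must be edited before the VPN is relied upon.
#   - EasyRSA and radiusplugin are downloaded at install time and neither
#     archive is verified against a published checksum. Review the tarballs or
#     vendor them with a pinned hash before production use.
#   - The CA private key is created without a passphrase and stays under
#     /etc/openvpn/easy-rsa/pki/private on the VPN host; protect that host.

# Detect Debian users running the script with "sh" instead of bash.
if readlink /proc/$$/exe | grep -qs "dash"; then
  echo "这个脚本需要用bash运行,而不是sh"
  exit 1
fi
if [[ "$EUID" -ne 0 ]]; then
  echo "对不起,您需要以root身份运行"
  exit 2
fi
if [[ ! -e /dev/net/tun ]]; then
  echo "TUN不可用"
  exit 3
fi
if grep -qs "CentOS release 5" "/etc/redhat-release"; then
  echo "CentOS 5,不支持"
  exit 4
fi

# Distro-specific settings: unprivileged group for OpenVPN and the rc.local
# path used to persist firewall rules across reboots.
if [[ -e /etc/debian_version ]]; then
  OS=debian
  GROUPNAME=nogroup
  RCLOCAL='/etc/rc.local'
elif [[ -e /etc/centos-release || -e /etc/redhat-release ]]; then
  OS=centos
  GROUPNAME=nobody
  RCLOCAL='/etc/rc.d/rc.local'
else
  echo "看起来你不是在Debian,Ubuntu或CentOS系统上运行这个安装程序"
  exit 5
fi

# Validate a client certificate name: a single word made of letters, digits,
# "_", "-" and "." that does not start with ".". The name becomes a file name
# under ~/ and under pki/, so anything else (slashes, spaces, shell
# metacharacters) is refused instead of being passed to easyrsa/cp/rm.
# Arguments: $1 - candidate name. Returns 0 if acceptable.
valid_client_name () {
  [[ "$1" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]
}

# Write ~/<name>.ovpn: the common client template plus inline CA cert, client
# cert, client key and tls-auth key. The file contains private key material,
# so it is created with mode 0600.
# Arguments: $1 - client name (already validated by the caller).
newclient () {
  local name=$1
  local out=~/"$name.ovpn"
  local pki=/etc/openvpn/easy-rsa/pki
  install -m 600 /etc/openvpn/client-common.txt "$out"
  {
    echo "<ca>"
    cat "$pki/ca.crt"
    echo "</ca>"
    echo "<cert>"
    cat "$pki/issued/$name.crt"
    echo "</cert>"
    echo "<key>"
    cat "$pki/private/$name.key"
    echo "</key>"
    echo "<tls-auth>"
    cat /etc/openvpn/ta.key
    echo "</tls-auth>"
  } >> "$out"
}

# Build radiusplugin from source and install it under /etc/openvpn/radiusplugin.
# This must run BEFORE OpenVPN is (re)started with the "plugin" directive in
# server.conf, otherwise OpenVPN refuses to start because the shared object is
# missing (the original ordering built the plugin only after the restart).
# Globals: OS (read). Exits 7 on download/build failure.
install_radiusplugin () {
  local tarball=radiusplugin_v2.1a_beta1.tar.gz
  local srcdir=/root/radiusplugin_v2.1a_beta1
  local dest=/etc/openvpn/radiusplugin
  if [[ -e "$dest" ]]; then
    echo "/etc/openvpn/radiusplugin在这个路径下已经安装了radiusplugin!"
    return 0
  fi
  # radiusplugin is C++ and links against libgcrypt (see its Makefile). The
  # package names below are the CentOS 7 / Debian 8+ ones; adjust for other
  # releases if the build fails on missing headers.
  if [[ "$OS" = 'debian' ]]; then
    apt-get install -y build-essential libgcrypt20-dev
  else
    yum install -y gcc gcc-c++ make libgcrypt-devel
  fi
  cd /root || exit 7
  # Fetched over TLS, but upstream publishes no checksum this script could
  # verify; NOTE(review): pin a hash of a reviewed copy before production use.
  if ! wget -O "$tarball" "https://www.nongnu.org/radiusplugin/$tarball"; then
    echo "radiusplugin download failed"
    exit 7
  fi
  rm -rf -- "$srcdir"
  tar -zxf "$tarball" || exit 7
  cd "$srcdir" || exit 7
  # Fail loudly: a silent make failure used to leave server.conf pointing at a
  # radiusplugin.so that does not exist.
  if ! make || [[ ! -f radiusplugin.so ]]; then
    echo "radiusplugin build failed; OpenVPN cannot start without radiusplugin.so"
    exit 7
  fi
  mkdir -p "$dest"
  install -m 755 radiusplugin.so "$dest/radiusplugin.so"
  # The sample config carries the RADIUS server address and shared secret, so
  # keep it root-only. OpenVPN loads plugins at startup, before dropping to
  # "user nobody", so the file should still be readable by the plugin at that
  # point -- TODO confirm on the installed OpenVPN/radiusplugin versions.
  install -m 600 radiusplugin.cnf "$dest/radiusplugin.cnf"
  cd /root || exit 7
  rm -rf -- "$srcdir" "/root/$tarball"
  echo "radiusplugin installed; edit $dest/radiusplugin.cnf (RADIUS server, shared secret) before use"
}

# Try to get our IP from the system and fall back to the Internet.
# Done this way to be compatible with NATed servers (lowendspirit.com)
# and to avoid picking up an IPv6 address.
IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)
if [[ "$IP" = "" ]]; then
  # Plain-HTTP lookup: only a default for the interactive prompt below, the
  # operator confirms it before it is used.
  IP=$(wget -4qO- "http://whatismyip.akamai.com/")
fi

if [[ -e /etc/openvpn/server.conf ]]; then
  # ---- management menu: OpenVPN is already installed ----
  while :; do
    clear
    echo "貌似已经安装的OpenVPN"
    echo ""
    echo "你想让我做什么?"
    echo "   1) 添加新用户"
    echo "   2) 撤消现有用户"
    echo "   3) 删除OpenVPN"
    echo "   4) 退出"
    read -r -p "选择一个选项 [1-4]: " option
    case "$option" in
      1)
        echo ""
        echo "请告诉我客户端证书的名称“"
        echo "请仅使用一个,无特殊字符的名称"
        read -r -p "Client name: " -e -i client CLIENT
        if ! valid_client_name "$CLIENT"; then
          echo "Invalid client name: $CLIENT"
          exit 6
        fi
        cd /etc/openvpn/easy-rsa/ || exit 6
        ./easyrsa build-client-full "$CLIENT" nopass
        # Generates the custom client.ovpn
        newclient "$CLIENT"
        echo ""
        echo "客户 $CLIENT 添加配置在" ~/"$CLIENT.ovpn"
        exit
        ;;
      2)
        # Lists valid ("V") entries of the EasyRSA index and revokes the chosen
        # one. With client-cert-not-required in server.conf this only retires
        # the certificate; the user keeps VPN access until the RADIUS account
        # is disabled.
        NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep -c "^V")
        if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
          echo ""
          echo "You have no existing clients!"
          exit 6
        fi
        echo ""
        echo "选择您要取消现有的客户端证书"
        tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | nl -s ') '
        if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
          read -r -p "选择一个客户端 [1]: " CLIENTNUMBER
        else
          read -r -p "选择一个客户端 [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
        fi
        # Only a 1-based index into the listing is accepted; anything else
        # would otherwise be handed to sed as an address expression.
        if ! [[ "$CLIENTNUMBER" =~ ^[0-9]+$ ]] || (( CLIENTNUMBER < 1 || CLIENTNUMBER > NUMBEROFCLIENTS )); then
          echo "Invalid selection: $CLIENTNUMBER"
          exit 6
        fi
        CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | sed -n "${CLIENTNUMBER}p")
        cd /etc/openvpn/easy-rsa/ || exit 6
        ./easyrsa --batch revoke "$CLIENT"
        ./easyrsa gen-crl
        rm -f -- "pki/reqs/$CLIENT.req" "pki/private/$CLIENT.key" "pki/issued/$CLIENT.crt"
        rm -f -- /etc/openvpn/crl.pem
        cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
        # The CRL is re-read on every client connection, after OpenVPN has
        # dropped privileges to nobody, so nobody must be able to read it.
        chown "nobody:$GROUPNAME" /etc/openvpn/crl.pem
        echo ""
        echo "Certificate for client $CLIENT revoked"
        echo "Note: server.conf does not require client certificates; disable the user on the RADIUS server to block access."
        exit
        ;;
      3)
        echo ""
        read -r -p "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
        if [[ "$REMOVE" = 'y' ]]; then
          PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
          PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
          IP=$(grep 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to ' "$RCLOCAL" | cut -d " " -f 11)
          if pgrep firewalld >/dev/null; then
            # Both runtime and permanent rules, so no firewalld reload is needed.
            firewall-cmd --zone=public --remove-port="$PORT/$PROTOCOL"
            firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
            firewall-cmd --permanent --zone=public --remove-port="$PORT/$PROTOCOL"
            firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
          fi
          if iptables -L -n | grep -qE 'REJECT|DROP|ACCEPT'; then
            iptables -D INPUT -p "$PROTOCOL" --dport "$PORT" -j ACCEPT
            iptables -D FORWARD -s 10.8.0.0/24 -j ACCEPT
            iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
            sed -i "/iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -s 10.8.0.0\/24 -j ACCEPT/d" "$RCLOCAL"
            sed -i "/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT/d" "$RCLOCAL"
          fi
          iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
          sed -i '/iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to /d' "$RCLOCAL"
          # Undo the SELinux port label added at install time (custom port/TCP only).
          if command -v sestatus >/dev/null 2>&1; then
            if sestatus | grep "Current mode" | grep -qs "enforcing"; then
              if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
                semanage port -d -t openvpn_port_t -p "$PROTOCOL" "$PORT"
              fi
            fi
          fi
          if [[ "$OS" = 'debian' ]]; then
            apt-get remove --purge -y openvpn openvpn-blacklist
          else
            yum remove openvpn -y
          fi
          # Also drops the PKI, ta.key and radiusplugin (with its shared secret).
          rm -rf /etc/openvpn
          rm -rf /usr/share/doc/openvpn*
          echo ""
          echo "OpenVPN 删除!"
        else
          echo ""
          echo "删除已中止!"
        fi
        exit
        ;;
      4)
        exit
        ;;
    esac
  done
else
  # ---- fresh install ----
  clear
  echo '欢迎来到这个快速OpenVPN“三多先生为您”安装程序'
  echo ""
  # OpenVPN setup and first user creation
  echo "我需要在开始设置之前问几个问题"
  echo "Y你可以保留默认选项,只要按enter键,如果你确定与他们"
  echo ""
  echo "首先我需要知道你想要的OpenVPN的网络接口的IPv4地址"
  echo "listening to."
  # Quoted so an empty detected IP does not swallow the variable name as -i's argument.
  read -r -p "IP address: " -e -i "$IP" IP
  echo ""
  echo "您想要哪个协议用于OpenVPN连接?"
  echo "   1) UDP (建议)"
  echo "   2) TCP"
  read -r -p "Protocol [1-2]: " -e -i 1 PROTOCOL
  case "$PROTOCOL" in
    1) PROTOCOL=udp ;;
    2) PROTOCOL=tcp ;;
  esac
  echo ""
  echo "你想要OpenVPN监听什么端口?"
  read -r -p "Port: " -e -i 1194 PORT
  echo ""
  echo "您想要使用哪个DNS与VPN?"
  echo "   1) Current system resolvers"
  echo "   2) Google"
  echo "   3) Aliyun"
  echo "   4) NTT"
  echo "   5) 114 DNS"
  echo "   6) Verisign"
  read -r -p "DNS [1-6]: " -e -i 1 DNS
  echo ""
  echo "最后,告诉我你的客户端证书的名称"
  echo "请仅使用一个,无特殊字符的名称"
  read -r -p "Client name: " -e -i client CLIENT
  if ! valid_client_name "$CLIENT"; then
    echo "Invalid client name: $CLIENT"
    exit 6
  fi
  echo ""
  echo "好吧,这就是我需要的。 我们现在准备好设置您的OpenVPN服务器"
  read -n1 -r -p "按任意键继续..."

  if [[ "$OS" = 'debian' ]]; then
    apt-get update
    apt-get install openvpn iptables openssl ca-certificates -y
  else
    # The distro is CentOS: openvpn lives in EPEL.
    yum install epel-release -y
    yum install openvpn iptables openssl wget ca-certificates -y
  fi

  # Some openvpn packages ship an old easy-rsa; replace it with EasyRSA 3.0.1.
  if [[ -d /etc/openvpn/easy-rsa/ ]]; then
    rm -rf /etc/openvpn/easy-rsa/
  fi
  # Downloaded over TLS from GitHub, but not checksum-verified here.
  wget -O ~/EasyRSA-3.0.1.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz" || exit 7
  tar xzf ~/EasyRSA-3.0.1.tgz -C ~/ || exit 7
  mv ~/EasyRSA-3.0.1/ /etc/openvpn/
  mv /etc/openvpn/EasyRSA-3.0.1/ /etc/openvpn/easy-rsa/
  chown -R root:root /etc/openvpn/easy-rsa/
  rm -f -- ~/EasyRSA-3.0.1.tgz
  cd /etc/openvpn/easy-rsa/ || exit 7

  # Create the PKI, set up the CA, DH params and server + client certificates.
  # "nopass" leaves the CA key unencrypted; it is only used from this host.
  ./easyrsa init-pki
  ./easyrsa --batch build-ca nopass
  ./easyrsa gen-dh
  ./easyrsa build-server-full server nopass
  ./easyrsa build-client-full "$CLIENT" nopass
  ./easyrsa gen-crl
  # Copy only what the server needs. The CA private key deliberately stays in
  # pki/private; server.conf never references it and /etc/openvpn is a more
  # exposed location.
  cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
  # The CRL is re-read on every client connection, after OpenVPN has dropped
  # privileges to nobody, so nobody must be able to read it.
  chown "nobody:$GROUPNAME" /etc/openvpn/crl.pem
  # Generate key for tls-auth (HMAC on the control channel; the only thing
  # filtering unauthenticated peers before the RADIUS password check).
  openvpn --genkey --secret /etc/openvpn/ta.key

  # Generate server.conf
  cat > /etc/openvpn/server.conf <<EOF
port $PORT
proto $PROTOCOL
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
EOF
  echo 'push "redirect-gateway def1 bypass-dhcp"' >> /etc/openvpn/server.conf

  # DNS
  case "$DNS" in
    1)
      # Obtain the resolvers from resolv.conf and push them to the clients.
      grep -v '#' /etc/resolv.conf | grep 'nameserver' | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | while read -r line; do
        echo "push \"dhcp-option DNS $line\"" >> /etc/openvpn/server.conf
      done
      ;;
    2)
      echo 'push "dhcp-option DNS 8.8.8.8"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 8.8.4.4"' >> /etc/openvpn/server.conf
      ;;
    3)
      echo 'push "dhcp-option DNS 223.5.5.5"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 223.6.6.6"' >> /etc/openvpn/server.conf
      ;;
    4)
      echo 'push "dhcp-option DNS 129.250.35.250"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 129.250.35.251"' >> /etc/openvpn/server.conf
      ;;
    5)
      echo 'push "dhcp-option DNS 114.114.114.114"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 114.114.115.115"' >> /etc/openvpn/server.conf
      ;;
    6)
      echo 'push "dhcp-option DNS 64.6.64.6"' >> /etc/openvpn/server.conf
      echo 'push "dhcp-option DNS 64.6.65.6"' >> /etc/openvpn/server.conf
      ;;
  esac

  # Remaining server options.
  #  - comp-lzo: kept for compatibility with the client template below; VPN
  #    compression is discouraged (VORACLE-style attacks), consider dropping
  #    it from both files.
  #  - client-cert-not-required: deprecated since OpenVPN 2.4 in favour of
  #    "verify-client-cert none"; kept because the EPEL build targeted here
  #    may predate 2.4 (check "openvpn --version"). With it, crl-verify does
  #    not gate access, RADIUS does.
  cat >> /etc/openvpn/server.conf <<EOF
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group $GROUPNAME
persist-key
persist-tun
status openvpn-status.log
verb 3
#radius插件
plugin /etc/openvpn/radiusplugin/radiusplugin.so /etc/openvpn/radiusplugin/radiusplugin.cnf
#不请求客户的CA证书,使用User/Pass验证
client-cert-not-required
#使用客户提供的UserName作为Common Name
username-as-common-name
crl-verify crl.pem
EOF

  # Enable net.ipv4.ip_forward for the system.
  sed -i '/\<net.ipv4.ip_forward\>/c\net.ipv4.ip_forward=1' /etc/sysctl.conf
  if ! grep -q "\<net.ipv4.ip_forward\>" /etc/sysctl.conf; then
    echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  fi
  # Avoid an unnecessary reboot.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Needed to use rc.local with some systemd distros.
  if [[ "$OS" = 'debian' && ! -e "$RCLOCAL" ]]; then
    printf '#!/bin/sh -e\nexit 0\n' > "$RCLOCAL"
  fi
  chmod +x "$RCLOCAL"
  # Set NAT for the VPN subnet.
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to "$IP"
  sed -i "1 a\iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to $IP" "$RCLOCAL"
  if pgrep firewalld >/dev/null; then
    # --add-service=openvpn is not used because it only covers the default
    # port and protocol. Both runtime and permanent rules, so no reload.
    firewall-cmd --zone=public --add-port="$PORT/$PROTOCOL"
    firewall-cmd --zone=trusted --add-source=10.8.0.0/24
    firewall-cmd --permanent --zone=public --add-port="$PORT/$PROTOCOL"
    firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
  fi
  if iptables -L -n | grep -qE 'REJECT|DROP'; then
    # If iptables has at least one REJECT/DROP rule, assume it is needed and
    # punch the holes ourselves. Not the best approach, but it should not
    # cause problems.
    iptables -I INPUT -p "$PROTOCOL" --dport "$PORT" -j ACCEPT
    iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    sed -i "1 a\iptables -I INPUT -p $PROTOCOL --dport $PORT -j ACCEPT" "$RCLOCAL"
    sed -i "1 a\iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT" "$RCLOCAL"
    sed -i "1 a\iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" "$RCLOCAL"
  fi
  # If SELinux is enforcing and a custom port or TCP was chosen, label the port.
  if command -v sestatus >/dev/null 2>&1; then
    if sestatus | grep "Current mode" | grep -qs "enforcing"; then
      if [[ "$PORT" != '1194' || "$PROTOCOL" = 'tcp' ]]; then
        # semanage is not available in CentOS 6 by default.
        if ! command -v semanage >/dev/null 2>&1; then
          yum install policycoreutils-python -y
        fi
        semanage port -a -t openvpn_port_t -p "$PROTOCOL" "$PORT"
      fi
    fi
  fi

  # server.conf references radiusplugin.so, so the plugin has to exist before
  # the service is started.
  install_radiusplugin

  # And finally, restart OpenVPN.
  if [[ "$OS" = 'debian' ]]; then
    # Little hack to check for systemd.
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
    else
      /etc/init.d/openvpn restart
    fi
  else
    if pgrep systemd-journal >/dev/null; then
      systemctl restart openvpn@server.service
      systemctl enable openvpn@server.service
    else
      service openvpn restart
      chkconfig openvpn on
    fi
  fi

  # Try to detect a NATed connection and ask the potential LowEndSpirit user.
  # Plain-HTTP lookup used only as a hint; the operator types the final value.
  EXTERNALIP=$(wget -4qO- "http://whatismyip.akamai.com/")
  if [[ "$IP" != "$EXTERNALIP" ]]; then
    echo ""
    echo "Looks like your server is behind a NAT!"
    echo ""
    echo "如果您的服务器是NATed(例如LowEndSpirit),我需要知道外部IP"
    echo "如果不是这样,请忽略此操作,并将下一个字段留空"
    read -r -p "External IP: " -e USEREXTERNALIP
    if [[ "$USEREXTERNALIP" != "" ]]; then
      IP=$USEREXTERNALIP
    fi
  fi

  # client-common.txt is the template used for every client added later.
  # auth-user-pass: the RADIUS username/password prompt; key-direction 1
  # pairs with "tls-auth ta.key 0" on the server.
  cat > /etc/openvpn/client-common.txt <<EOF
client
dev tun
proto $PROTOCOL
sndbuf 0
rcvbuf 0
remote $IP $PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
auth-user-pass
key-direction 1
verb 3
EOF
  # Generates the custom client.ovpn
  newclient "$CLIENT"
  echo ""
  echo "完成!"
  echo ""
  echo "您的客户端配置位于" ~/"$CLIENT.ovpn"
  echo "如果你想添加更多的客户端,你只需要再次运行这个脚本!"
fi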



添加radius对接的插件:脚本末尾编译并安装 radiusplugin,server.conf 通过 plugin 指令加载它,并用 client-cert-not-required 和 username-as-common-name 改为 RADIUS 用户名/密码认证(安装后需先修改 radiusplugin.cnf 中的 RADIUS 服务器地址和共享密钥)。

