Update vpn.sh

Author: gilper0x

openvpn/vpn.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # =========================================
-# SETUP OpenVPN
+# FIXED OPENVPN SETUP SCRIPT
 # =========================================
 
 export DEBIAN_FRONTEND=noninteractive
@@ -10,42 +10,54 @@ MYIP2="s/xxxxxxxxx/$MYIP/g"
 NIC=$(ip -o -4 route show to default | awk '{print $5}')
 DOMAIN=$(cat /usr/local/etc/xray/domain 2>/dev/null || cat /root/domain 2>/dev/null)
 
-# =========================================
-# Install OpenVPN and dependencies
+# ---------- Install dependencies ----------
 apt purge -y openvpn easy-rsa
+apt autoremove -y
+apt update
 apt install -y openvpn easy-rsa unzip openssl iptables iptables-persistent netfilter-persistent
 
-mkdir -p /etc/openvpn/server/easy-rsa/
-cd /etc/openvpn/
-wget https://raw.githubusercontent.com/givps/AutoScriptXray/master/openvpn/vpn.zip
-unzip vpn.zip && rm -f vpn.zip
-chown -R root:root /etc/openvpn/server/easy-rsa/
+# ---------- Clean old config ----------
+rm -rf /etc/openvpn
+mkdir -p /etc/openvpn
+
+# ---------- Download and unzip VPN config ----------
+wget -O /etc/openvpn/vpn.zip https://raw.githubusercontent.com/givps/AutoScriptXray/master/openvpn/vpn.zip
+unzip /etc/openvpn/vpn.zip -d /etc/openvpn/ && rm -f /etc/openvpn/vpn.zip
+mv /etc/openvpn/vpn/server /etc/openvpn/
+rm -rf /etc/openvpn/vpn
 
-# PAM plugin
+# ---------- Set permissions ----------
+chown -R root:root /etc/openvpn/server
+chmod 600 /etc/openvpn/server/*.key
+chmod 644 /etc/openvpn/server/*.crt /etc/openvpn/server/*.pem
+chmod +x /etc/openvpn/server/easy-rsa/easyrsa
+
+# ---------- PAM plugin ----------
 mkdir -p /usr/lib/openvpn/
-cp /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so \
-   /usr/lib/openvpn/openvpn-plugin-auth-pam.so
+cp -n /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so /usr/lib/openvpn/openvpn-plugin-auth-pam.so || true
 
-# Enable OpenVPN services
+# ---------- Enable OpenVPN services ----------
 sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/g' /etc/default/openvpn
-systemctl enable --now openvpn-server@server-tcp-1194
-systemctl enable --now openvpn-server@server-udp-1195
+systemctl daemon-reload
+systemctl enable openvpn-server@server-tcp-1194
+systemctl enable openvpn-server@server-udp-1195
+systemctl enable openvpn-server@server-tcp-1196
 
-# IPv4 forwarding
+# ---------- IPv4 forwarding ----------
 echo 1 > /proc/sys/net/ipv4/ip_forward
 sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
+sysctl -p
 
-# =========================================
-# Generate client configs with embedded CA + login prompt
+# ---------- Make client configs ----------
 CA_CONTENT=$(cat /etc/openvpn/server/ca.crt)
 
 make_ovpn() {
-  local NAME=$1
-  local PROTO=$2
-  local PORT=$3
-  local EXTRA=$4
+    local NAME=$1
+    local PROTO=$2
+    local PORT=$3
+    local EXTRA=$4
 
-  cat > /etc/openvpn/${NAME}.ovpn <<-EOF
+    cat > /etc/openvpn/${NAME}.ovpn <<-EOF
 setenv FRIENDLY_NAME "${NAME^^}"
 client
 dev tun
@@ -67,37 +79,44 @@ $CA_CONTENT
 </ca>
 EOF
 
-sed -i $MYIP2 /etc/openvpn/${NAME}.ovpn
-cp /etc/openvpn/${NAME}.ovpn /home/vps/public_html/${NAME}.ovpn
+    sed -i $MYIP2 /etc/openvpn/${NAME}.ovpn
+    mkdir -p /home/vps/public_html/
+    cp /etc/openvpn/${NAME}.ovpn /home/vps/public_html/${NAME}.ovpn
+}
 
-# TCP 1194
 make_ovpn "client-tcp-1194" "tcp" "1194"
-
-# UDP 1195
 make_ovpn "client-udp-1195" "udp" "1195"
-
-# SSL (TCP 888)
 make_ovpn "client-ssl-888" "tcp" "888"
 
-# =========================================
-# Firewall rules for VPN subnets
-iptables -t nat -C POSTROUTING -s 10.6.0.0/24 -o $NIC -j MASQUERADE 2>/dev/null
-iptables -t nat -I POSTROUTING -s 10.6.0.0/24 -o $NIC -j MASQUERADE
-iptables -t nat -C POSTROUTING -s 10.7.0.0/24 -o $NIC -j MASQUERADE 2>/dev/null
-iptables -t nat -I POSTROUTING -s 10.7.0.0/24 -o $NIC -j MASQUERADE
-iptables -t nat -C POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE 2>/dev/null
-iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $NIC -j MASQUERADE
-
-iptables -C INPUT -p tcp --dport 1194 -j ACCEPT 2>/dev/null || \
-iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
-iptables -C INPUT -p udp --dport 1195 -j ACCEPT 2>/dev/null || \
-iptables -A INPUT -p udp --dport 1195 -j ACCEPT
-iptables -C INPUT -p tcp --dport 888 -j ACCEPT 2>/dev/null || \
-iptables -A INPUT -p tcp --dport 888 -j ACCEPT
+# ---------- Firewall ----------
+for subnet in 10.6.0.0/24 10.7.0.0/24 10.8.0.0/24; do
+    iptables -t nat -C POSTROUTING -s $subnet -o $NIC -j MASQUERADE 2>/dev/null || \
+    iptables -t nat -I POSTROUTING -s $subnet -o $NIC -j MASQUERADE
+done
+
+for port in 1194/tcp 1195/udp 888/tcp; do
+    proto=$(echo $port | cut -d/ -f2)
+    p=$(echo $port | cut -d/ -f1)
+    iptables -C INPUT -p $proto --dport $p -j ACCEPT 2>/dev/null || \
+    iptables -A INPUT -p $proto --dport $p -j ACCEPT
+done
 
 netfilter-persistent save
 netfilter-persistent reload
 
-# Restart OpenVPN
-systemctl restart openvpn
+cp /etc/openvpn/server/server-tcp-1194.conf /etc/openvpn/server/server-udp-1195.conf
+sed -i 's/^proto tcp/proto udp/' /etc/openvpn/server/server-udp-1195.conf
+sed -i 's/^port 1194/port 1195/' /etc/openvpn/server/server-udp-1195.conf
+
+cp /etc/openvpn/server/server-tcp-1194.conf /etc/openvpn/server/server-tcp-1196.conf
+sed -i 's/^port 1194/port 1196/' /etc/openvpn/server/server-tcp-1196.conf
+
+# ---------- Restart OpenVPN ----------
+systemctl daemon-reload
+systemctl restart openvpn-server@server-tcp-1194
+systemctl restart openvpn-server@server-udp-1195
+systemctl restart openvpn-server@server-tcp-1196
+systemctl enable openvpn-server@server-tcp-1194
+systemctl enable openvpn-server@server-udp-1195
+systemctl enable openvpn-server@server-tcp-1196