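#!/bin/bash
#
# Install or reconfigure an OpenVPN server on Debian 12.
#
# Builds a fresh Easy-RSA PKI under /etc/openvpn/easy-rsa (an existing one is
# moved aside to /mnt/easy-rsa-<timestamp> first), enables IPv4 forwarding,
# copies the PKI material into /etc/openvpn/server, writes server.conf and
# (re)starts the openvpn-server@server unit.
#
# Must be run as root. Requires the easy-rsa (make-cadir) and openvpn
# packages to be installed already; the dpkg step is left commented out.

set -euo pipefail

readonly EASYRSA_DIR=/etc/openvpn/easy-rsa
readonly FORWARD_FILE=/etc/sysctl.d/99-openvpn.conf
readonly SERVER_DIR=/etc/openvpn/server
readonly SERVER_UNIT=openvpn-server@server
DATE=$(date '+%Y-%m-%d-%H-%M-%S')
readonly DATE

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Persist net.ipv4.ip_forward=1 in a sysctl drop-in and reload all sysctl
# configuration so it takes effect immediately.
# Globals:   FORWARD_FILE (written)
#######################################
enable_ip_forwarding() {
  printf 'net.ipv4.ip_forward=1\n' > "$FORWARD_FILE"
  sysctl --system
}

#######################################
# Create a new Easy-RSA directory and generate the CA, DH parameters, the
# server certificate/key pair and an initial CRL.
# Globals:   EASYRSA_DIR (created)
# Outputs:   leaves the current directory set to EASYRSA_DIR
#######################################
build_pki() {
  make-cadir "$EASYRSA_DIR"
  cd "$EASYRSA_DIR" || die "cannot cd to $EASYRSA_DIR"

  ./easyrsa init-pki
  # The piped empty line answers easyrsa's interactive CA common-name prompt
  # with its default; 'nopass' leaves the CA key without a passphrase.
  echo | ./easyrsa build-ca nopass
  ./easyrsa gen-dh
  ./easyrsa build-server-full server nopass
  ./easyrsa gen-crl
}

#######################################
# Copy the PKI files into the server directory and write server.conf.
# Must be called with EASYRSA_DIR as the current directory (paths are
# relative to pki/).
# Globals:   SERVER_DIR (written)
#######################################
install_server_config() {
  cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem "$SERVER_DIR/"
  # cp keeps the mode of an already existing destination file, so make sure
  # the server private key is never left readable by other users.
  chmod 600 "$SERVER_DIR/server.key"

  # Quoted delimiter: the config contains no shell expansions and must be
  # written verbatim.
  cat > "$SERVER_DIR/server.conf" <<'EOF'
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem

server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

keepalive 10 120
cipher AES-256-GCM
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
verb 3
EOF
}

#######################################
# Entry point: root check, optional backup of an existing PKI, then PKI
# build, server configuration and service (re)start.
# Globals:   EASYRSA_DIR, DATE, SERVER_UNIT (read)
# Returns:   exits 1 when not run as root
#######################################
main() {
  [[ "$EUID" -eq 0 ]] || die "Run as root"

  echo "Installing OpenVPN on Debian 12..."

  #dpkg -i debs/*

  local reconfigure=0
  if [[ -d "$EASYRSA_DIR" ]]; then
    reconfigure=1
    echo "$EASYRSA_DIR already exist..!"
    # Keep the previous PKI (it contains the old CA private key): -a preserves
    # ownership, modes and timestamps of the backed-up files.
    cp -a "$EASYRSA_DIR" "/mnt/easy-rsa-$DATE"
    # ${VAR:?} aborts instead of running 'rm -rf' on an empty path.
    rm -rf -- "${EASYRSA_DIR:?}"
  fi

  enable_ip_forwarding
  build_pki
  install_server_config

  if (( reconfigure )); then
    systemctl restart "$SERVER_UNIT"
    echo
    echo "Openvpn server reconfigured and running!"
  else
    systemctl enable "$SERVER_UNIT"
    systemctl start "$SERVER_UNIT"
    echo
    echo "Openvpn server configure and running!"
  fi

  ## Firewall NAT
  #IFACE=$(ip route get 8.8.8.8 | awk '{print $5}')
  #iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $IFACE -j MASQUERADE
  #iptables-save > /etc/iptables/rules.v4
}

main "$@"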
