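#!/bin/bash
# Provision the VPN gateway VM: interface addressing, IP forwarding and NAT,
# OpenVPN server material, and a test user ("john") enrolled for TOTP.
#
# NOTE(vasco): when creating the VM itself I put the external network first
# (enp0s8) and the internal network as the second interface (enp0s9).
#
# Requirements:
#   - run as root (package install, iptables, sysctl, useradd all need it;
#     the stray `sudo` calls of the first version are gone for that reason);
#   - ca/, conf/ and VM_CONFIG.sh live next to this script (it cds there);
#   - JOHN_PASSWORD set in the environment: the initial password is no longer
#     a literal in the script.
# The script is idempotent: re-running it does not stack duplicate sysctl
# lines or iptables rules.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"
: "${JOHN_PASSWORD:?set JOHN_PASSWORD to the initial password for user john}"

# ca/ and conf/ are addressed relative to the script, not to the caller's cwd.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd) \
  || die "cannot determine script directory"
cd -- "$script_dir" || die "cannot cd to $script_dir"

# --- configuration --- #
# shellcheck disable=SC1091 -- shipped next to this script, not visible here
source ./VM_CONFIG.sh
yum install -y google-authenticator qrencode ntpsec

# --- forwarding --- #
readonly if_fora="enp0s8"              # external (public-facing) interface
readonly ip_fora="193.136.212.1"
readonly if_dentro="enp0s9"            # internal network interface
readonly ip_dentro="10.60.0.3"
readonly mega_tunel="tun0"             # OpenVPN tunnel device
readonly ip_mega_tunel="10.8.0.0/24"   # VPN client address pool

# `ip addr replace` is idempotent (plain `add` fails on a re-run). As in the
# original ifconfig version, this is a runtime change only and is NOT
# persisted across reboots.
ip addr replace "${ip_fora}/24" dev "$if_fora"
ip link set "$if_fora" up
ip addr replace "${ip_dentro}/24" dev "$if_dentro"
ip link set "$if_dentro" up

# Enable routing through a drop-in file; appending to /etc/sysctl.conf grew
# one duplicate line per run.
readonly sysctl_dropin="/etc/sysctl.d/99-vpn-forward.conf"
printf 'net.ipv4.ip_forward = 1\n' > "$sysctl_dropin"
sysctl -p "$sysctl_dropin"

#######################################
# Add an iptables rule only if an identical one is not already present.
# Arguments: $1 - table, $2 - insert|append, $3 - chain, $@ - rule spec
# Returns:   iptables exit status; dies on an unknown mode
#######################################
ipt_once() {
  local table=$1 mode=$2 chain=$3
  shift 3
  if iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0
  fi
  case "$mode" in
    insert) iptables -t "$table" -I "$chain" 1 "$@" ;;
    append) iptables -t "$table" -A "$chain" "$@" ;;
    *) die "ipt_once: unknown mode '$mode'" ;;
  esac
}

# NOTE(review): these are ACCEPT rules only. They do not set a DROP policy on
# FORWARD, so internal<->tunnel/external reachability ultimately depends on
# the chain's existing default policy -- confirm it on the target host.
# The INPUT rule admits OpenVPN (udp/1194) on every interface, not just
# $if_fora; narrow with `-i "$if_fora"` if that is intended.
ipt_once filter insert INPUT   -p udp --dport 1194 -j ACCEPT
ipt_once filter insert FORWARD -i "$mega_tunel" -o "$if_dentro" -j ACCEPT
ipt_once filter insert FORWARD -i "$if_dentro"  -o "$mega_tunel" -j ACCEPT
ipt_once filter insert FORWARD -i "$mega_tunel" -o "$if_fora"    -j ACCEPT
ipt_once filter insert FORWARD -i "$if_fora" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ipt_once nat    append POSTROUTING -s "$ip_mega_tunel" -o "$if_fora" -j MASQUERADE
# Persisting here only takes effect if iptables-services restores the file
# at boot -- not verified by this script.
iptables-save > /etc/sysconfig/iptables

# --- vpn server --- #
readonly vpn_dir="/etc/openvpn/server"
# Private material (tls-auth key, server key) is root-only. OpenVPN reads
# them at startup before any privilege drop; if the unit is ever changed to
# run unprivileged, revisit these modes. The previous `cp` left whatever
# mode the checkout happened to have.
install -o root -g root -m 0600 ca/ta.key ca/vpn.key "$vpn_dir"/
# Public certificates, DH parameters and the server config.
install -o root -g root -m 0644 ca/ca.crt ca/vpn.crt ca/dh2048.pem conf/vpn.conf "$vpn_dir"/
# Hook script invoked by OpenVPN; must be executable, must not be writable
# by anyone but root (it runs with the daemon's privileges).
install -o root -g root -m 0755 conf/ocsp-verify.sh "$vpn_dir"/
install -o root -g root -m 0644 conf/totp /etc/pam.d/totp
systemctl enable --now openvpn-server@vpn.service

# --- user --- #
id -u john &>/dev/null || useradd john
# Password comes from the environment via stdin: never on the command line
# (visible in `ps`) and never hard-coded in this file.
printf '%s:%s\n' john "$JOHN_PASSWORD" | chpasswd

# The openvpn user must reach john's TOTP secret through the shared group;
# group *write* is kept because the PAM module rewrites the file to record
# used codes.
groupadd -f totp
usermod -aG totp john
usermod -aG totp openvpn   # user created by the openvpn package
readonly totp_secret="/home/john/.google_authenticator"
# NOTE(review): pam_google_authenticator by default refuses secret files
# that are group-accessible; this layout only works if conf/totp (not
# visible here) relaxes that check -- confirm before relying on it.
if [[ -f "$totp_secret" ]]; then
  chown john:totp "$totp_secret"
  chmod 660 "$totp_secret"
else
  # Enrollment has not happened yet; do not fail the whole provisioning run.
  printf 'warning: %s not found; run `google-authenticator` as john, then re-run this script\n' \
    "$totp_secret" >&2
fi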