
syslinux: add apple partitions (again)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Fri Dec 31 10:26:14 2021 +0000 (2021-12-31)
parents ecd0c9292898
children 65d7d867e0c1
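#!/bin/sh
#
# make-ovpn - issue a certificate with easy-rsa and print a ready-to-use
# OpenVPN configuration on stdout.
#
# Usage: make-ovpn server name vpn-prefix [routes]...   (server config)
#        make-ovpn client name server-ip                 (client config)
#
# The generated configuration embeds the private key: redirect stdout to
# a file that only root can read.

# Re-execute as root. Every argument is single-quoted before being handed
# to "su -c", so names containing spaces or shell metacharacters reach
# the re-executed script unchanged (the former "$0 $@" was re-split by the
# shell started by su).
if [ "$(id -u)" != 0 ]; then
  cmd=
  for arg in "$0" "$@"; do
    cmd="$cmd '$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")'"
  done
  exec su -c "$cmd"
fi

# No mode given: print the usage text and stop.
if [ -z "$1" ]; then
  cat <<EOT
Usage:
$0 server name vpn-prefix [routes]... > config-server-name.ovpn
$0 client name server-ip > config-client-name.ovpn

Examples:
$0 server office 192.168.99 192.168.0.0/255.255.255.0 10.0.0.0/255.0.0.0
$0 client bart-simson myoffice.org

Tip: run it twice to avoid keys generation output
EOT
  exit 0
fi
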
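#######################################
# Create the easy-rsa PKI interactively: ask for the CA subject fields,
# write the easy-rsa "vars" file, then build the CA and the DH parameters.
# Globals:   sets country, company, province, city, email
# Arguments: none (prompts on the terminal)
# Outputs:   prompts on stdout; easyrsa progress on stdout/stderr;
#            writes ./vars and ./pki in the current directory
#######################################
mkpki()
{
  # printf instead of 'echo -n': the latter is not portable under /bin/sh.
  # read -r keeps backslashes in the answers as typed.
  printf 'Country : '; read -r country
  printf 'Company : '; read -r company
  printf 'Province: '; read -r province
  printf 'City : '; read -r city
  printf 'Email : '; read -r email
  # The \$EASYRSA... references are left for easy-rsa to expand at run
  # time; the subject fields are substituted now. The answers are pasted
  # verbatim into a file that easy-rsa sources as shell: a double quote in
  # an answer breaks the file.
  # NOTE(review): easy-rsa documents the subject mode as EASYRSA_DN;
  # EASYRSA_SL below may be a typo - verify against the installed version.
  cat > vars <<EOT
set_var EASYRSA "\${0%/*}"
set_var EASYRSA_PKI \$EASYRSA/pki
set_var EASYRSA_EXT_DIR \$EASYRSA/x509-types
set_var EASYRSA_SSL_CONF \$EASYRSA/openssl-easyrsa.cnf
set_var EASYRSA_SL "cn_only"
set_var EASYRSA_DIGEST "sha256"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "yes"
set_var EASYRSA_NS_COMMENT "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_COUNTRY "$country"
set_var EASYRSA_REQ_PROVINCE "$province"
set_var EASYRSA_REQ_CITY "$city"
set_var EASYRSA_REQ_ORG "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_OU "$company EASY CA"
set_var EASYRSA_REQ_EMAIL "$email"
#buggy?#set_var EASYRSA_BATCH "yes"
EOT
  chmod +x vars
  ./easyrsa init-pki
  # build-ca prompts for a CA passphrase; the passphrase-less variant is
  # deliberately left commented out.
  #./easyrsa build-ca nopass
  ./easyrsa build-ca
  ./easyrsa gen-dh
}
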
#######################################
# Print the OpenVPN options shared by the server and client configs.
# Only DHE-RSA suites are allowed by tls-cipher, matching the RSA
# certificates issued by this script; TLS 1.2 is the minimum.
# Arguments: none
# Outputs:   one option per line on stdout
#######################################
common_conf()
{
  printf '%s\n' \
    'dev tun' \
    'proto udp' \
    'cipher AES-256-CBC' \
    'tls-version-min 1.2' \
    'tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256' \
    'auth SHA512' \
    'auth-nocache' \
    'persist-key' \
    'persist-tun' \
    'verb 3'
}

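# Install easy-rsa on first use, then work from its CA directory.
command -v make-cadir >/dev/null || tazpkg get-install easy-rsa
dir=/etc/openvpn/easy-rsa
[ -d "$dir" ] || make-cadir "$dir"
# Everything below addresses pki/ relative to $dir: stop if we are not there.
cd "$dir" || exit 1

[ -d pki ] || mkpki

mode=$1
name="$1${2+-$2}"
# An unknown mode used to fall through silently and print nothing.
case "$mode" in
  server|client) ;;
  *)
    printf 'make-ovpn: unknown mode "%s" (expected server or client)\n' "$mode" >&2
    exit 1 ;;
esac
# $name becomes a path component under pki/; refuse anything that could
# leave that directory.
case "$name" in
  */*|*..*)
    printf 'make-ovpn: invalid name "%s"\n' "$name" >&2
    exit 1 ;;
esac
# Issue the certificate once; later runs reuse it (the "Tip" in the usage).
if [ ! -s "pki/issued/$name.crt" ]; then
  ./easyrsa gen-req "$name" nopass
  ./easyrsa sign-req "$mode" "$name"
fi
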
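# Client configuration. The CA certificate, the client certificate and its
# private key are inlined, so the output is self-contained - and secret.
# remote-cert-tls makes the client refuse a peer whose certificate was not
# issued for server use.
if [ "$1" = "client" ]; then
  cat <<EOT
client
remote ${3:-my.office.com} 1194

$(common_conf)
remote-cert-tls server

pull
resolv-retry infinite
nobind
mute-replay-warnings

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
EOT
fi
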
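# Server configuration. $net is the first three octets of the VPN subnet;
# .1/.3 are the server side, .6-.254 the client pool.
# Notes for whoever deploys this:
#  - the management interface is bound to 127.0.0.1 without a pw-file, so
#    any local user can reach it;
#  - client-to-client lets every VPN peer talk to every other one;
#  - the private key and DH parameters are inlined in the output.
net=${3:-192.168.16}
if [ "$1" = "server" ]; then
  cat <<EOT
status /var/log/openvpn-$name
$(common_conf)
keepalive 15 120
tls-exit
user nobody
group nogroup
#compress lz4-v2
#push "compress lz4-v2"
mute 2
passtos
float
port 1194
mode server
tls-server
ping-timer-rem
management 127.0.0.1 1294

client-to-client
#inactive 3600
#duplicate-cn
#push "redirect-gateway def1"

ifconfig $net.1 $net.3
ifconfig-pool $net.6 $net.254
route $net.0 255.255.255.0
$(# Push the VPN subnet plus every extra "net/mask" argument. A bare
  # "shift 3" aborts the subshell in some /bin/sh when fewer than three
  # arguments are present, which dropped the default route line too.
  if [ $# -gt 3 ]; then shift 3; else shift $#; fi
  for i in $net.0/255.255.255.0 "$@"; do
    # "net/mask" -> "net mask" without the bash-only \${i/\// } expansion.
    case $i in
      (*/*) echo "push \"route ${i%%/*} ${i#*/}\"" ;;
      (*)   echo "push \"route $i\"" ;;
    esac
  done)
$(sed -e '/nameserver/!d;s|nameserver *|push "dhcp-option DNS |;s|.*|&"|' \
  /etc/resolv.conf | head -n 2)

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
<dh>
$(cat pki/dh.pem)
</dh>
EOT
fi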