wok view openvpn/stuff/usr/bin/make-ovpn @ rev 23285

updated pdf2djvu (0.9.12 -> 0.9.17)
author Hans-G?nter Theisgen
date Sun Mar 29 10:50:45 2020 +0100 (2020-03-29)
parents ecd0c9292898
children 65d7d867e0c1
line source
1 #!/bin/sh
2
3 [ $(id -u) != 0 ] && exec su -c "$0 $@"
4 [ -z "$1" ] && cat <<EOT && exit 0
5 Usage:
6 $0 server name vpn-prefix [routes]... > config-server-name.ovpn
7 $0 client name server-ip > config-client-name.ovpn
8
9 Examples:
10 $0 server office 192.168.99 192.168.0.0/255.255.255.0 10.0.0.0/255.0.0.0
11 $0 client bart-simson myoffice.org
12
13 Tip: run it twice to avoid keys generation output
14 EOT
15
16 mkpki()
17 {
18 echo -n "Country : "; read country
19 echo -n "Company : "; read company
20 echo -n "Province: "; read province
21 echo -n "City : "; read city
22 echo -n "Email : "; read email
23 cat > vars <<EOT
24 set_var EASYRSA "\${0%/*}"
25 set_var EASYRSA_PKI \$EASYRSA/pki
26 set_var EASYRSA_EXT_DIR \$EASYRSA/x509-types
27 set_var EASYRSA_SSL_CONF \$EASYRSA/openssl-easyrsa.cnf
28 set_var EASYRSA_SL "cn_only"
29 set_var EASYRSA_DIGEST "sha256"
30 set_var EASYRSA_KEY_SIZE 2048
31 set_var EASYRSA_ALGO rsa
32 set_var EASYRSA_CA_EXPIRE 7500
33 set_var EASYRSA_CERT_EXPIRE 365
34 set_var EASYRSA_NS_SUPPORT "yes"
35 set_var EASYRSA_NS_COMMENT "$company CERTIFICATE AUTHORITY"
36 set_var EASYRSA_REQ_COUNTRY "$country"
37 set_var EASYRSA_REQ_PROVINCE "$province"
38 set_var EASYRSA_REQ_CITY "$city"
39 set_var EASYRSA_REQ_ORG "$company CERTIFICATE AUTHORITY"
40 set_var EASYRSA_REQ_OU "$company EASY CA"
41 set_var EASYRSA_REQ_EMAIL "$email"
42 #buggy?#set_var EASYRSA_BATCH "yes"
43 EOT
44 chmod +x vars
45 ./easyrsa init-pki
46 #./easyrsa build-ca nopass
47 ./easyrsa build-ca
48 ./easyrsa gen-dh
49 }
50
51 common_conf()
52 {
53 cat <<EOT
54 dev tun
55 proto udp
56 cipher AES-256-CBC
57 tls-version-min 1.2
58 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
59 TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
60 TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
61 auth SHA512
62 auth-nocache
63 persist-key
64 persist-tun
65 verb 3
66 EOT
67 }
68
69 [ -z "$(which make-cadir)" ] && tazpkg get-install easy-rsa
70 dir=/etc/openvpn/easy-rsa
71 [ -d $dir ] || make-cadir $dir
72 cd $dir
73
74 [ -d pki ] || mkpki
75 name="$1${2+-$2}"
76 if [ "$1" = "server" ] || [ "$1" = client ]; then
77 if [ ! -s pki/issued/$name.crt ]; then
78 ./easyrsa gen-req "$name" nopass
79 ./easyrsa sign-req $1 "$name"
80 fi
81 fi
82
83 [ "$1" = "client" ] && cat << EOT
84 client
85 remote ${3:-my.office.com} 1194
86
87 $(common_conf)
88 remote-cert-tls server
89
90 pull
91 resolv-retry infinite
92 nobind
93 mute-replay-warnings
94
95 <ca>
96 $(cat pki/ca.crt)
97 </ca>
98 <cert>
99 $(cat pki/issued/$name.crt)
100 </cert>
101 <key>
102 $(cat pki/private/$name.key)
103 </key>
104 EOT
105
106 net=${3:-192.168.16}
107 [ "$1" = "server" ] && cat << EOT
108 status /var/log/openvpn-$name
109 $(common_conf)
110 keepalive 15 120
111 tls-exit
112 user nobody
113 group nogroup
114 #compress lz4-v2
115 #push "compress lz4-v2"
116 mute 2
117 passtos
118 float
119 port 1194
120 mode server
121 tls-server
122 ping-timer-rem
123 management 127.0.0.1 1294
124
125 client-to-client
126 #inactive 3600
127 #duplicate-cn
128 #push "redirect-gateway def1"
129
130 ifconfig $net.1 $net.3
131 ifconfig-pool $net.6 $net.254
132 route $net.0 255.255.255.0
133 $(shift 3; for i in $net.0/255.255.255.0 $@; do
134 echo "push \"route ${i/\// }\""
135 done)
136 $(sed -e '/nameserver/!d;s|nameserver *|push "dhcp-option DNS |;s|.*|&"|' \
137 /etc/resolv.conf | head -n 2)
138
139 <ca>
140 $(cat pki/ca.crt)
141 </ca>
142 <cert>
143 $(cat pki/issued/$name.crt)
144 </cert>
145 <key>
146 $(cat pki/private/$name.key)
147 </key>
148 <dh>
149 $(cat pki/dh.pem)
150 </dh>
151 EOT