wok view openvpn/stuff/usr/bin/make-ovpn @ rev 25417

Openvpn/make-ovpn/client: multi server support
author Pascal Bellard <pascal.bellard@slitaz.org>
date Fri Aug 05 07:39:58 2022 +0000 (20 months ago)
parents 65d7d867e0c1
children 8ac6f7029d68
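#!/bin/sh
# make-ovpn - build an OpenVPN server or client profile from the local
# easy-rsa PKI and print it on stdout.
#
# The printed profile embeds the CA certificate, the node certificate and its
# (unencrypted) private key, so the file it is redirected into is a
# credential: create it with restrictive permissions (umask 077) and keep it
# out of world-readable locations.

# Show the usage text before asking for root: no privilege is needed to read it.
[ -z "$1" ] && cat <<EOT && exit 0
Usage:
$0 server name vpn-prefix [routes]... > config-server-name.ovpn
$0 client name server-ip[,server2...] [port] > config-client-name.ovpn

Examples:
$0 server office 192.168.99 192.168.0.0/255.255.255.0 10.0.0.0/255.0.0.0
$0 client bart-simson myoffice.org

Tip: run it twice to avoid keys generation output
EOT

# Re-execute as root when needed.  The arguments are handed to the inner shell
# as $0 $1 ... and re-expanded there with "$@", so they are never spliced into
# a command string (the former "$0 $@" was re-parsed and globbed by root's
# shell and broke on spaces or shell metacharacters in an argument).
[ "$(id -u)" != 0 ] && exec su -c 'exec "$0" "$@"' -- root "$0" "$@"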
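#######################################
# Create the easy-rsa PKI in the current directory: write ./vars from the CA
# subject fields read on stdin, then run init-pki, build-ca and gen-dh.
# Globals:   country, company, province, city, email (set from stdin)
# Arguments: none
# Outputs:   prompts on stdout, easyrsa output on stdout/stderr
#######################################
mkpki()
{
  # printf instead of "echo -n" ("-n" is not portable under /bin/sh);
  # read -r keeps backslashes in the answers literal.
  printf 'Country : '; read -r country
  printf 'Company : '; read -r company
  printf 'Province: '; read -r province
  printf 'City : '; read -r city
  printf 'Email : '; read -r email
  # The answers are interpolated unescaped into ./vars, which easyrsa sources
  # as shell code: a double quote, $ or backtick in an answer breaks or alters
  # that file, so keep the subject fields plain text.  The \$ escapes leave
  # the EASYRSA references for easyrsa to expand at run time.
  cat > vars <<EOT
set_var EASYRSA "\${0%/*}"
set_var EASYRSA_PKI \$EASYRSA/pki
set_var EASYRSA_EXT_DIR \$EASYRSA/x509-types
set_var EASYRSA_SSL_CONF \$EASYRSA/openssl-easyrsa.cnf
set_var EASYRSA_SL "cn_only"
set_var EASYRSA_DIGEST "sha256"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "yes"
set_var EASYRSA_NS_COMMENT "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_COUNTRY "$country"
set_var EASYRSA_REQ_PROVINCE "$province"
set_var EASYRSA_REQ_CITY "$city"
set_var EASYRSA_REQ_ORG "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_OU "$company EASY CA"
set_var EASYRSA_REQ_EMAIL "$email"
#buggy?#set_var EASYRSA_BATCH "yes"
EOT
  chmod +x vars
  ./easyrsa init-pki
  # build-ca is deliberately run without "nopass": the CA private key stays
  # passphrase-protected (easyrsa prompts for it when signing requests).
  #./easyrsa build-ca nopass
  ./easyrsa build-ca
  ./easyrsa gen-dh
}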
#######################################
# Print the options shared by the server and client profiles.
# Globals:   none
# Arguments: none
# Outputs:   one OpenVPN option per line on stdout
# NOTE(review): on OpenVPN 2.5+ "cipher" is deprecated in favour of
# data-ciphers / data-ciphers-fallback; AES-256-CBC with an SHA512 HMAC still
# works but is not an AEAD mode.
#######################################
common_conf()
{
  printf '%s\n' \
    'dev tun' \
    'proto udp' \
    'cipher AES-256-CBC' \
    'tls-version-min 1.2' \
    'tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256' \
    'auth SHA512' \
    'auth-nocache' \
    'persist-key' \
    'persist-tun' \
    'verb 3'
}
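# Install easy-rsa on demand (SliTaz package manager), then work from the CA
# directory: ./vars, ./easyrsa and pki/ below are all relative to it.
command -v make-cadir >/dev/null 2>&1 || tazpkg get-install easy-rsa
dir=/etc/openvpn/easy-rsa
[ -d "$dir" ] || make-cadir "$dir"
# Abort if the directory is unusable rather than running easyrsa wherever
# the caller happened to be.
cd "$dir" || exit 1

# First run: build the CA interactively.
[ -d pki ] || mkpki

# Certificate name is "<role>-<name>" (e.g. server-office, client-bart-simson).
# Quoting the paths keeps a name with spaces or glob characters from breaking
# the existence test below.
name="$1${2+-$2}"
if [ "$1" = server ] || [ "$1" = client ]; then
  if [ ! -s "pki/issued/$name.crt" ]; then
    # "nopass" leaves the node's private key unencrypted; it is embedded
    # verbatim in the generated profile further down.  sign-req is given
    # $1 as the certificate type, so server certificates carry the server
    # role that the client profile's "remote-cert-tls server" checks.
    ./easyrsa gen-req "$name" nopass
    ./easyrsa sign-req "$1" "$name"
  fi
fi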
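# Client profile.  $3 holds the server host(s), comma-separated, and $4 the
# port (default 1194); with several hosts OpenVPN picks one at random.
if [ "$1" = client ]; then
  case "$3" in
    *,*)
      echo "remote-random"
      # ${3//,/ } is a bash/busybox-ash extension, not POSIX sh; the unquoted
      # expansion is what splits the list into one word per host.
      for i in ${3//,/ }; do echo "remote $i ${4:-1194}"; done ;;
    *)
      echo "remote ${3:-my.office.com} ${4:-1194}" ;;
  esac
  # "remote-cert-tls server" rejects a peer whose certificate was not signed
  # with the server type, so a leaked client certificate cannot impersonate
  # the server.  The <key> section makes this output a credential in itself.
  cat <<EOT
client
float

$(common_conf)
remote-cert-tls server

pull
resolv-retry infinite
nobind
mute-replay-warnings

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
EOT
fi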
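# Server profile.  $3 is the first three octets of the VPN /24 (default
# 192.168.16): the server takes .1 and clients are allocated .6-.254.  Any
# further argument is an extra network, written "net/mask", pushed to clients
# as a route.
net=${3:-192.168.16}
if [ "$1" = server ]; then
  # Routes to push: the VPN network itself plus the extra arguments.  The
  # shift is guarded so that a call with fewer than three arguments still
  # yields the VPN route instead of aborting the subshell.  ${i/\// } (first
  # "/" replaced by a space) is a bash/busybox-ash extension, not POSIX sh.
  routes=$(
    [ $# -gt 3 ] && shift 3 || shift $#
    for i in "$net.0/255.255.255.0" "$@"; do
      echo "push \"route ${i/\// }\""
    done
  )
  # Push at most two DNS servers copied from the server's own resolv.conf;
  # a loopback or link-local resolver listed there is useless to clients.
  dns=$(sed -e '/nameserver/!d;s|nameserver *|push "dhcp-option DNS |;s|.*|&"|' \
    /etc/resolv.conf | head -n 2)
  # Notes on the options emitted below:
  # - tls-exit makes openvpn exit on a TLS negotiation failure; on a
  #   multi-client server a single failed handshake may therefore stop the
  #   service - confirm this is intended.
  # - the management socket has no password; it is bound to 127.0.0.1 only,
  #   which still leaves it reachable by any local user.
  # - no tls-auth/tls-crypt key is generated, so the control channel has no
  #   pre-TLS HMAC protection against probing of the listening port.
  # - user nobody / group nogroup drop privileges after startup; persist-key
  #   and persist-tun from common_conf keep restarts working afterwards.
  # - duplicate-cn stays commented out, so one certificate = one session.
  cat <<EOT
status /var/log/openvpn-$name
$(common_conf)
keepalive 15 120
tls-exit
user nobody
group nogroup
#compress lz4-v2
#push "compress lz4-v2"
mute 2
passtos
float
port 1194
mode server
tls-server
ping-timer-rem
management 127.0.0.1 1294

client-to-client
#inactive 3600
#duplicate-cn
#push "redirect-gateway def1"

ifconfig $net.1 $net.3
ifconfig-pool $net.6 $net.254
route $net.0 255.255.255.0
$routes
$dns

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
<dh>
$(cat pki/dh.pem)
</dh>
EOT
fi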