container-openvpn/bin/ovpn_initpki

52 lines
1.4 KiB
Plaintext
Raw Normal View History

#!/bin/bash
#
# Initialize the EasyRSA PKI
#
if [ "$DEBUG" == "1" ]; then
set -x
fi
set -e
source "$OPENVPN/ovpn_env.sh"
# Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
nopass=$1
# Download EasyRSA because Ubuntu doesn't have it as a CLI command
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
tar xvf EasyRSA-3.0.4.tgz
# Provides a sufficient warning before erasing pre-existing files
2019-06-22 03:53:24 +00:00
EasyRSA-3.0.4/easyrsa init-pki
# CA always has a password for protection in event server is compromised. The
# password is only needed to sign client/server certificates. No password is
# needed for normal OpenVPN operation.
2019-06-22 03:53:24 +00:00
EasyRSA-3.0.4/easyrsa build-ca $nopass
2019-06-22 03:53:24 +00:00
EasyRSA-3.0.4/easyrsa gen-dh
2016-06-23 10:20:13 +00:00
openvpn --genkey --secret $EASYRSA_PKI/ta.key
# Was nice to autoset, but probably a bad idea in practice, users should
# have to explicitly specify the common name of their server
#if [ -z "$cn"]; then
# #TODO: Handle IPv6 (when I get a VPS with IPv6)...
# ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)
# ptr=$(dig +short -x $ip4 | sed -e 's:\.$::')
#
# [ -n "$ptr" ] && cn=$ptr || cn=$ip4
#fi
# For a server key with a password, manually init; this is autopilot
2019-06-22 03:53:24 +00:00
EasyRSA-3.0.4/easyrsa build-server-full "$OVPN_CN" nopass
# Generate the CRL for client/server certificates revocation.
2019-06-22 03:53:24 +00:00
EasyRSA-3.0.4/easyrsa gen-crl
2019-06-22 03:17:01 +00:00
# Remove EasyRSA files when we're done
2019-06-22 03:17:01 +00:00
rm -r ~/EasyRSA-3.0.4/
rm EasyRSA-3.0.4.tgz