allanger/container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Activity
2a1b2fadce
container-openvpn/bin/ovpn_initpki

38 lines
980 B
Plaintext
Raw Normal View History

ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible.
2014-07-01 05:43:00 +00:00
#!/bin/bash
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
#
init: Rename to initpki * This function only initialize the EasyRSA PKI tools now. * Decoupled from the init process.
2014-07-06 04:25:00 +00:00
# Initialize the EasyRSA PKI
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
#
Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1
2015-02-28 10:45:31 +00:00
if [ "$DEBUG" == "1" ]; then
set -x
fi
set -e
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url)
2014-07-06 01:51:58 +00:00
source "$OPENVPN/ovpn_env.sh"
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible.
2014-07-01 05:43:00 +00:00
init: Rename to initpki * This function only initialize the EasyRSA PKI tools now. * Decoupled from the init process.
2014-07-06 04:25:00 +00:00
# Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
nopass=$1
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now.
2014-06-05 00:07:07 +00:00
Take over the project I've decided to maintain the project myself now, so I've forked it and create a drone pipeline to push image to my registry
2023-08-09 17:49:38 +00:00
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca $nopass
/usr/share/easy-rsa/easyrsa gen-dh
Sending key to proper location!
2016-06-23 10:20:13 +00:00
openvpn --genkey --secret $EASYRSA_PKI/ta.key
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
ovpen_init: Remove external IP resolution * Disable auto guessing the external IP in favor of the user explicitly specifying the server name. Save the servername for client cert generation later. * Remove dnsutils from build since dig is no longer necessary. Favor learn and mean images.
2014-06-04 18:15:43 +00:00
# Was nice to autoset, but probably a bad idea in practice, users should
# have to explicitly specify the common name of their server
#if [ -z "$cn"]; then
# #TODO: Handle IPv6 (when I get a VPS with IPv6)...
# ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)
# ptr=$(dig +short -x $ip4 | sed -e 's:\.$::')
#
# [ -n "$ptr" ] && cn=$ptr || cn=$ip4
#fi
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now.
2014-06-05 00:07:07 +00:00
# For a server key with a password, manually init; this is autopilot
Take over the project I've decided to maintain the project myself now, so I've forked it and create a drone pipeline to push image to my registry
2023-08-09 17:49:38 +00:00
/usr/share/easy-rsa/easyrsa build-server-full "$OVPN_CN" nopass
Generate a CRL during PKI initialization
2017-05-02 14:42:39 +00:00
# Generate the CRL for client/server certificates revocation.
Take over the project I've decided to maintain the project myself now, so I've forked it and create a drone pipeline to push image to my registry
2023-08-09 17:49:38 +00:00
/usr/share/easy-rsa/easyrsa gen-crl
Reference in New Issue Copy Permalink