allanger/container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Activity
507f27a9e0
container-openvpn/bin/ovpn_init

46 lines
1.1 KiB
Plaintext
Raw Normal View History

openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
#!/bin/sh
#
# Initialize the PKI and OpenVPN configs
#
set -ex
cn=$1
if [ -z "$cn" ]; then
echo "Common name not specified"
exit 1
fi
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now.
2014-06-05 00:07:07 +00:00
# Specify "nopass" as arg[2] to make the CA insecure
nopass=$2
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
# Provides a sufficient warning before erasing pre-existing files
easyrsa init-pki
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now.
2014-06-05 00:07:07 +00:00
# CA always has a password for protection in event server is compromised. The
# password is only needed to sign client/server certificates. No password is
# needed for normal OpenVPN operation.
easyrsa build-ca $nopass
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
easyrsa gen-dh
openvpn --genkey --secret $OPENVPN/pki/ta.key
ovpen_init: Remove external IP resolution * Disable auto guessing the external IP in favor of the user explicitly specifying the server name. Save the servername for client cert generation later. * Remove dnsutils from build since dig is no longer necessary. Favor learn and mean images.
2014-06-04 18:15:43 +00:00
# Was nice to autoset, but probably a bad idea in practice, users should
# have to explicitly specify the common name of their server
#if [ -z "$cn"]; then
# #TODO: Handle IPv6 (when I get a VPS with IPv6)...
# ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)
# ptr=$(dig +short -x $ip4 | sed -e 's:\.$::')
#
# [ -n "$ptr" ] && cn=$ptr || cn=$ip4
#fi
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
echo "$cn" > $OPENVPN/servername
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now.
2014-06-05 00:07:07 +00:00
# For a server key with a password, manually init; this is autopilot
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 18:13:59 +00:00
easyrsa build-server-full $cn nopass
ovpn_genconfig: Add generate config script * Create a generate config script so that the new docker containers can regenerate the OpenVPN configuration without clobbering the PKI setup.
2014-06-04 23:49:13 +00:00
ovpn_genconfig "$cn"
Reference in New Issue Copy Permalink