container-openvpn/bin/ovpn_initpki

#!/bin/bash

#
# Initialize the EasyRSA PKI
#

if [ "$DEBUG" == "1" ]; then
  set -x
fi

set -e

source "$OPENVPN/ovpn_env.sh"

# Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
nopass=$1

# Download EasyRSA because Ubuntu doesn't have it as a CLI command
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar xvf EasyRSA-unix-v3.0.6.tgz

export EASYRSA="EasyRSA-v3.0.6/"
export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
cp -r EasyRSA-v3.0.6/x509-types/ x509-types/
# Provides a sufficient warning before erasing pre-existing files
EasyRSA-v3.0.6/easyrsa init-pki

# CA always has a password for protection in event server is compromised. The
# password is only needed to sign client/server certificates.  No password is
# needed for normal OpenVPN operation.
EasyRSA-v3.0.6/easyrsa build-ca $nopass

EasyRSA-v3.0.6/easyrsa gen-dh
openvpn --genkey --secret $EASYRSA_PKI/ta.key

# Was nice to autoset, but probably a bad idea in practice, users should
# have to explicitly specify the common name of their server
#if [ -z "$cn"]; then
#    #TODO: Handle IPv6 (when I get a VPS with IPv6)...
#    ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)
#    ptr=$(dig +short -x $ip4 | sed -e 's:\.$::')
#
#    [ -n "$ptr" ] && cn=$ptr || cn=$ip4
#fi

# For a server key with a password, manually init; this is autopilot
EasyRSA-v3.0.6/easyrsa build-server-full "$OVPN_CN" nopass

# Generate the CRL for client/server certificates revocation.
EasyRSA-v3.0.6/easyrsa gen-crl

# Remove EasyRSA files when we're done
rm -r EasyRSA-v3.0.6/
rm EasyRSA-unix-v3.0.6.tgz
rm -r x509-types/
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`#!/bin/bash`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`#`
init: Rename to initpki * This function only initialize the EasyRSA PKI tools now. * Decoupled from the init process. 2014-07-06 04:25:00 +00:00			`# Initialize the EasyRSA PKI`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`#`

Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1 2015-02-28 10:45:31 +00:00			`if [ "$DEBUG" == "1" ]; then`
			`set -x`
			`fi`

			`set -e`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url) 2014-07-06 01:51:58 +00:00			`source "$OPENVPN/ovpn_env.sh"`
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00
init: Rename to initpki * This function only initialize the EasyRSA PKI tools now. * Decoupled from the init process. 2014-07-06 04:25:00 +00:00			`# Specify "nopass" as arg[2] to make the CA insecure (not recommended!)`
			`nopass=$1`
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now. 2014-06-05 00:07:07 +00:00
download easyrsa in pki generation script because ubuntu doesn't have it on CLI 2019-06-22 03:12:59 +00:00			`# Download EasyRSA because Ubuntu doesn't have it as a CLI command`
bump to EasyRSA-unix-v3.0.6 2019-06-22 05:22:05 +00:00			`wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz`
			`tar xvf EasyRSA-unix-v3.0.6.tgz`
download easyrsa in pki generation script because ubuntu doesn't have it on CLI 2019-06-22 03:12:59 +00:00
fix easyrsa path part 2 2019-06-22 05:34:34 +00:00			`export EASYRSA="EasyRSA-v3.0.6/"`
			`export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"`
fix easyrsa path 2019-06-22 05:34:11 +00:00			`cp -r EasyRSA-v3.0.6/x509-types/ x509-types/`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`# Provides a sufficient warning before erasing pre-existing files`
fix easyrsa path 2019-06-22 05:34:11 +00:00			`EasyRSA-v3.0.6/easyrsa init-pki`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now. 2014-06-05 00:07:07 +00:00			`# CA always has a password for protection in event server is compromised. The`
			`# password is only needed to sign client/server certificates. No password is`
			`# needed for normal OpenVPN operation.`
fix easyrsa path 2019-06-22 05:34:11 +00:00			`EasyRSA-v3.0.6/easyrsa build-ca $nopass`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
fix easyrsa path 2019-06-22 05:34:11 +00:00			`EasyRSA-v3.0.6/easyrsa gen-dh`
Sending key to proper location! 2016-06-23 10:20:13 +00:00			`openvpn --genkey --secret $EASYRSA_PKI/ta.key`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
ovpen_init: Remove external IP resolution * Disable auto guessing the external IP in favor of the user explicitly specifying the server name. Save the servername for client cert generation later. * Remove dnsutils from build since dig is no longer necessary. Favor learn and mean images. 2014-06-04 18:15:43 +00:00			`# Was nice to autoset, but probably a bad idea in practice, users should`
			`# have to explicitly specify the common name of their server`
			`#if [ -z "$cn"]; then`
			`# #TODO: Handle IPv6 (when I get a VPS with IPv6)...`
			`# ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)`
			`# ptr=$(dig +short -x $ip4 \| sed -e 's:\.$::')`
			`#`
			`# [ -n "$ptr" ] && cn=$ptr \|\| cn=$ip4`
			`#fi`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now. 2014-06-05 00:07:07 +00:00			`# For a server key with a password, manually init; this is autopilot`
fix easyrsa path 2019-06-22 05:34:11 +00:00			`EasyRSA-v3.0.6/easyrsa build-server-full "$OVPN_CN" nopass`
Generate a CRL during PKI initialization 2017-05-02 14:42:39 +00:00
			`# Generate the CRL for client/server certificates revocation.`
fix easyrsa path 2019-06-22 05:34:11 +00:00			`EasyRSA-v3.0.6/easyrsa gen-crl`
cleanup EasyRSA once we're done 2019-06-22 03:17:01 +00:00
add note about removing easyrsa after finishing 2019-06-22 03:19:22 +00:00			`# Remove EasyRSA files when we're done`
fix easyrsa path 2019-06-22 05:34:11 +00:00			`rm -r EasyRSA-v3.0.6/`
bump to EasyRSA-unix-v3.0.6 2019-06-22 05:22:05 +00:00			`rm EasyRSA-unix-v3.0.6.tgz`
clean up x509-types folder 2019-06-22 04:55:28 +00:00			`rm -r x509-types/`