2014-07-01 05:43:00 +00:00
|
|
|
#!/bin/bash
|
2014-06-04 18:13:59 +00:00
|
|
|
|
|
|
|
#
|
2014-07-06 04:25:00 +00:00
|
|
|
# Initialize the EasyRSA PKI
|
2014-06-04 18:13:59 +00:00
|
|
|
#
|
|
|
|
|
2015-02-28 10:45:31 +00:00
|
|
|
if [ "$DEBUG" == "1" ]; then
|
|
|
|
set -x
|
|
|
|
fi
|
|
|
|
|
|
|
|
set -e
|
2014-06-04 18:13:59 +00:00
|
|
|
|
2014-07-06 01:51:58 +00:00
|
|
|
source "$OPENVPN/ovpn_env.sh"
|
2014-07-01 05:43:00 +00:00
|
|
|
|
2014-07-06 04:25:00 +00:00
|
|
|
# Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
|
|
|
|
nopass=$1
|
2014-06-05 00:07:07 +00:00
|
|
|
|
2019-06-22 03:12:59 +00:00
|
|
|
# Download EasyRSA because Ubuntu doesn't have it as a CLI command
|
2019-06-22 05:22:05 +00:00
|
|
|
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
|
|
|
|
tar xvf EasyRSA-unix-v3.0.6.tgz
|
2019-06-22 03:12:59 +00:00
|
|
|
|
2019-06-22 05:33:08 +00:00
|
|
|
export EASYRSA="EasyRSA-unix-v3.0.6/"
|
2019-06-22 05:22:05 +00:00
|
|
|
export EASYRSA_SSL_CONF="EasyRSA-unix-v3.0.6/openssl-easyrsa.cnf"
|
|
|
|
cp -r EasyRSA-unix-v3.0.6/x509-types/ x509-types/
|
2014-06-04 18:13:59 +00:00
|
|
|
# Provides a sufficient warning before erasing pre-existing files
|
2019-06-22 05:22:05 +00:00
|
|
|
EasyRSA-unix-v3.0.6/easyrsa init-pki
|
2014-06-04 18:13:59 +00:00
|
|
|
|
2014-06-05 00:07:07 +00:00
|
|
|
# CA always has a password for protection in event server is compromised. The
|
|
|
|
# password is only needed to sign client/server certificates. No password is
|
|
|
|
# needed for normal OpenVPN operation.
|
2019-06-22 05:22:05 +00:00
|
|
|
EasyRSA-unix-v3.0.6/easyrsa build-ca $nopass
|
2014-06-04 18:13:59 +00:00
|
|
|
|
2019-06-22 05:22:05 +00:00
|
|
|
EasyRSA-unix-v3.0.6/easyrsa gen-dh
|
2016-06-23 10:20:13 +00:00
|
|
|
openvpn --genkey --secret $EASYRSA_PKI/ta.key
|
2014-06-04 18:13:59 +00:00
|
|
|
|
2014-06-04 18:15:43 +00:00
|
|
|
# Was nice to autoset, but probably a bad idea in practice, users should
|
|
|
|
# have to explicitly specify the common name of their server
|
|
|
|
#if [ -z "$cn"]; then
|
|
|
|
# #TODO: Handle IPv6 (when I get a VPS with IPv6)...
|
|
|
|
# ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)
|
|
|
|
# ptr=$(dig +short -x $ip4 | sed -e 's:\.$::')
|
|
|
|
#
|
|
|
|
# [ -n "$ptr" ] && cn=$ptr || cn=$ip4
|
|
|
|
#fi
|
2014-06-04 18:13:59 +00:00
|
|
|
|
2014-06-05 00:07:07 +00:00
|
|
|
# For a server key with a password, manually init; this is autopilot
|
2019-06-22 05:22:05 +00:00
|
|
|
EasyRSA-unix-v3.0.6/easyrsa build-server-full "$OVPN_CN" nopass
|
2017-05-02 14:42:39 +00:00
|
|
|
|
|
|
|
# Generate the CRL for client/server certificates revocation.
|
2019-06-22 05:22:05 +00:00
|
|
|
EasyRSA-unix-v3.0.6/easyrsa gen-crl
|
2019-06-22 03:17:01 +00:00
|
|
|
|
2019-06-22 03:19:22 +00:00
|
|
|
# Remove EasyRSA files when we're done
|
2019-06-22 05:22:05 +00:00
|
|
|
rm -r EasyRSA-unix-v3.0.6/
|
|
|
|
rm EasyRSA-unix-v3.0.6.tgz
|
2019-06-22 04:55:28 +00:00
|
|
|
rm -r x509-types/
|