From e53492850faffd78ad3c217a6562d8add8538217 Mon Sep 17 00:00:00 2001
From: Kyle Manna
Date: Tue, 12 May 2015 00:59:43 -0700
Subject: [PATCH] crl: Pass crl-verify if found

* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig which now depends on the file being present.
* Use a hardlink to tip toe around permissions issues.
---
 bin/ovpn_genconfig | 4 ----
 bin/ovpn_run | 12 +++++++++++-
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index f4f7f32..894133d 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -160,7 +160,6 @@ ca $EASYRSA_PKI/ca.crt
 cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
 dh $EASYRSA_PKI/dh.pem
 tls-auth $EASYRSA_PKI/ta.key
-crl-verify $EASYRSA_PKI/crl.pem
 key-direction 0
 keepalive 10 60
 persist-key
@@ -179,9 +178,6 @@ group nogroup
 EOF
 
-# Create an empty CRL
-[ ! -f "$EASYRSA_PKI/crl.pem" ] && touch $EASYRSA_PKI/crl.pem
-
 [ -n "$OVPN_CLIENT_TO_CLIENT" ] && echo "client-to-client" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.4.4" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.8.8" >> "$conf"
diff --git a/bin/ovpn_run b/bin/ovpn_run
index 291b32c..5a2c95a 100755
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@@ -33,8 +33,18 @@ if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
     done
 fi
 
+# Use a hacky hardlink as the CRL Needs to be readable by the user/group
+# OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
+if [ -r "$EASYRSA_PKI/crl.pem" ]; then
+    if [ ! -r "$OPENVPN/crl.pem" ]; then
+        ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
+        chmod 644 "$OPENVPN/crl.pem"
+    fi
+    ARGS=("--crl-verify" "$OPENVPN/crl.pem")
+fi
+
 if [ "$#" -gt 0 ]; then
     exec openvpn "$@"
 else
-    exec openvpn --config "$OPENVPN/openvpn.conf"
+    exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
 fi
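Review bot: The hardlink created only once under `if [ ! -r "$OPENVPN/crl.pem" ]` in the ovpn_run hunk tracks an inode rather than a path, so if `$EASYRSA_PKI/crl.pem` is later regenerated by writing a new file and renaming it into place, `$OPENVPN/crl.pem` keeps pointing at the old CRL and certificates revoked after that point are still accepted; whether the CRL tooling replaces the inode is not visible here and should be confirmed. Refreshing the link unconditionally on every start, `ln -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"`, at least bounds the stale window to one container lifetime instead of forever. Separately, `exec openvpn ${ARGS[@]} --config ...` expands the array unquoted, so an `$OPENVPN` containing whitespace splits the CRL path into several arguments, and an unset `ARGS` trips `set -u` on bash before 4.4 if the script enables it (its header is outside the hunk); initialise `ARGS=()` before the `if` and write `exec openvpn "${ARGS[@]}" --config "$OPENVPN/openvpn.conf"`. The `ln` and `chmod` results are also unchecked (a cross-filesystem `$EASYRSA_PKI` would make `ln` fail with EXDEV), though in that case OpenVPN would presumably fail to open the CRL and refuse to start rather than run without revocation checking.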