crl: Pass crl-verify if found

* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an
  existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig
  which now depends on the file being present.
* Use a hardlink to tip toe around permissions issues.

bin/ovpn_genconfig

@@ -160,7 +160,6 @@ ca $EASYRSA_PKI/ca.crt
 cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
 dh $EASYRSA_PKI/dh.pem
 tls-auth $EASYRSA_PKI/ta.key
-crl-verify $EASYRSA_PKI/crl.pem
 key-direction 0
 keepalive 10 60
 persist-key
@@ -179,9 +178,6 @@ group nogroup
 EOF
 
 
-# Create an empty CRL
-[ ! -f "$EASYRSA_PKI/crl.pem" ] && touch $EASYRSA_PKI/crl.pem
-
 [ -n "$OVPN_CLIENT_TO_CLIENT" ] && echo "client-to-client" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.4.4" >> "$conf"
 [ "$OVPN_DNS" == "1" ] && echo push "dhcp-option DNS 8.8.8.8" >> "$conf"

bin/ovpn_run

@@ -33,8 +33,18 @@ if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then
     done
 fi
 
+# Use a hacky hardlink as the CRL Needs to be readable by the user/group
+# OpenVPN is running as.  Only pass arguments to OpenVPN if it's found.
+if [ -r "$EASYRSA_PKI/crl.pem" ]; then
+    if [ ! -r "$OPENVPN/crl.pem" ]; then
+        ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
+        chmod 644 "$OPENVPN/crl.pem"
+    fi
+    ARGS=("--crl-verify" "$OPENVPN/crl.pem")
+fi
+
 if [ "$#" -gt 0 ]; then
     exec openvpn "$@"
 else
-    exec openvpn --config "$OPENVPN/openvpn.conf"
+    exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
 fi