#!/bin/bash # # Initialize the EasyRSA PKI # if [ "$DEBUG" == "1" ]; then set -x fi set -e source "$OPENVPN/ovpn_env.sh" # Specify "nopass" as arg[2] to make the CA insecure (not recommended!) nopass=$1 # Download EasyRSA because Ubuntu doesn't have it as a CLI command wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz tar xvf EasyRSA-unix-v3.0.6.tgz export EASYRSA="EasyRSA-unix-v3.0.6/" export EASYRSA_SSL_CONF="EasyRSA-unix-v3.0.6/openssl-easyrsa.cnf" cp -r EasyRSA-v3.0.6/x509-types/ x509-types/ # Provides a sufficient warning before erasing pre-existing files EasyRSA-v3.0.6/easyrsa init-pki # CA always has a password for protection in event server is compromised. The # password is only needed to sign client/server certificates. No password is # needed for normal OpenVPN operation. EasyRSA-v3.0.6/easyrsa build-ca $nopass EasyRSA-v3.0.6/easyrsa gen-dh openvpn --genkey --secret $EASYRSA_PKI/ta.key # Was nice to autoset, but probably a bad idea in practice, users should # have to explicitly specify the common name of their server #if [ -z "$cn"]; then # #TODO: Handle IPv6 (when I get a VPS with IPv6)... # ip4=$(dig +short myip.opendns.com @resolver1.opendns.com) # ptr=$(dig +short -x $ip4 | sed -e 's:\.$::') # # [ -n "$ptr" ] && cn=$ptr || cn=$ip4 #fi # For a server key with a password, manually init; this is autopilot EasyRSA-v3.0.6/easyrsa build-server-full "$OVPN_CN" nopass # Generate the CRL for client/server certificates revocation. EasyRSA-v3.0.6/easyrsa gen-crl # Remove EasyRSA files when we're done rm -r EasyRSA-v3.0.6/ rm EasyRSA-unix-v3.0.6.tgz rm -r x509-types/