#!/bin/bash # # Initialize the PKI and OpenVPN configs # set -ex server_url=$1 # Server name is in the form "udp://vpn.example.com:1194" if [[ "$server_url" =~ ^((udp|tcp)://)?([0-9a-zA-Z\.]+)(:([0-9]+))?$ ]]; then proto=${BASH_REMATCH[2]}; cn=${BASH_REMATCH[3]}; port=${BASH_REMATCH[5]}; else echo "Common name not specified" exit 1 fi # Apply defaults [ -z "$proto" ] && proto=1194 [ -z "$port" ] && port=udp # Specify "nopass" as arg[2] to make the CA insecure nopass=$2 # Provides a sufficient warning before erasing pre-existing files easyrsa init-pki # CA always has a password for protection in event server is compromised. The # password is only needed to sign client/server certificates. No password is # needed for normal OpenVPN operation. easyrsa build-ca $nopass easyrsa gen-dh openvpn --genkey --secret $OPENVPN/pki/ta.key # Was nice to autoset, but probably a bad idea in practice, users should # have to explicitly specify the common name of their server #if [ -z "$cn"]; then # #TODO: Handle IPv6 (when I get a VPS with IPv6)... # ip4=$(dig +short myip.opendns.com @resolver1.opendns.com) # ptr=$(dig +short -x $ip4 | sed -e 's:\.$::') # # [ -n "$ptr" ] && cn=$ptr || cn=$ip4 #fi echo "$server_url" > $OPENVPN/server_url # For a server key with a password, manually init; this is autopilot easyrsa build-server-full $cn nopass ovpn_genconfig "$cn"