e53492850f
* Empty CRLs don't work. * Avoids confusing easyrsa during the init step where it thinks an existing PKI configuration exists. * Add to ovpn_run to help users that are upgrading and ran genconfig which now depends on the file being present. * Use a hardlink to tip toe around permissions issues.
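#!/bin/bash

#
# Run the OpenVPN server normally
#
# With arguments: they are passed to openvpn unchanged.
# Without arguments: openvpn is started with $OPENVPN/openvpn.conf, plus
# --crl-verify when a readable CRL exists under $EASYRSA_PKI.
#
# Reads DEBUG, OPENVPN, EASYRSA_PKI, OVPN_DEFROUTE, OVPN_NAT, OVPN_SERVER and
# OVPN_ROUTES (the OVPN_* values are presumably defined by ovpn_env.sh;
# confirm against that file).
#

if [ "$DEBUG" == "1" ]; then
  set -x
fi

set -e

# ovpn_env.sh is executed inside this shell with this script's privileges,
# so it must only be writable by whoever administers the server.
source "$OPENVPN/ovpn_env.sh"

# Extra openvpn options collected below; stays empty when no CRL is found.
ARGS=()

# Create the TUN character device (major 10, minor 200) if it is missing.
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
  mknod /dev/net/tun c 10 200
fi

# NOTE(review): the test looks at $OPENVPN/ccd but the directory created is
# the fixed path /etc/openvpn/ccd; the two only agree when OPENVPN is
# /etc/openvpn. Confirm which path the generated config expects.
if [ ! -d "$OPENVPN/ccd" ]; then
  mkdir -p /etc/openvpn/ccd
fi

# Setup NAT forwarding if requested
if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ]; then
  # -C checks whether the rule already exists so that restarts do not
  # append duplicate MASQUERADE rules.
  iptables -t nat -C POSTROUTING -s "$OVPN_SERVER" -o eth0 -j MASQUERADE || {
    iptables -t nat -A POSTROUTING -s "$OVPN_SERVER" -o eth0 -j MASQUERADE
  }
  for i in "${OVPN_ROUTES[@]}"; do
    iptables -t nat -C POSTROUTING -s "$i" -o eth0 -j MASQUERADE || {
      iptables -t nat -A POSTROUTING -s "$i" -o eth0 -j MASQUERADE
    }
  done
fi

# Use a hacky hardlink as the CRL needs to be readable by the user/group
# OpenVPN is running as. Only pass arguments to OpenVPN if it's found.
if [ -r "$EASYRSA_PKI/crl.pem" ]; then
  # Re-link when the copy is missing or no longer the same inode as the PKI
  # file (for example if the CRL was regenerated by replacing the file), so
  # OpenVPN does not keep checking clients against an outdated revocation
  # list.
  if [ ! -r "$OPENVPN/crl.pem" ] ||
    [ ! "$EASYRSA_PKI/crl.pem" -ef "$OPENVPN/crl.pem" ]; then
    ln -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
    # Both names share one inode, so this mode also applies to the PKI file.
    chmod 644 "$OPENVPN/crl.pem"
  fi
  ARGS=("--crl-verify" "$OPENVPN/crl.pem")
fi

if [ "$#" -gt 0 ]; then
  # Caller-supplied arguments replace the defaults entirely: ARGS is not
  # appended, so --crl-verify is only active if the caller (or a config the
  # caller names) sets it.
  exec openvpn "$@"
else
  # Quoted so each collected option stays a single word even if $OPENVPN
  # contains whitespace.
  exec openvpn "${ARGS[@]}" --config "$OPENVPN/openvpn.conf"
fi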