ref: 261a306e87671cb561ed3905816d7389b1eddb50
iron-vpn/vpn-server
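#! /bin/bash
# Usage: $iron vpn-server
# Summary: create OpenVPN CA and server config
# Help: OpenVPN CA and server config generator
#
# On first run writes a template config to
# $HOME/.iron/vpn/<servername>/<servername>.cfg and exits so the user can fill
# it in.  On later runs it builds an easy-rsa PKI in that directory (CA, DH
# parameters, one server certificate), passphrase-protects the CA and server
# private keys with freshly generated passphrases, records those passphrases
# in <cfgdir>/server-credentials.txt (mode 600), and packs the server material
# plus a generated openvpn .conf into ./<organization>-server.tar.gz (mode 600).
#
# Required env: HOME.  Optional env: EASY_RSA_HOME (default /usr/share/easy-rsa/).
# External tools: easyrsa (easy-rsa 3), openssl, uuidgen, tar.

set -euo pipefail

APPNAME="iron"

# Print a diagnostic to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ "$#" != "1" ]; then
  echo "Usage: vpn-server <servername>" >&2
  exit 1
fi

: "${HOME:?HOME must be set}"

servername=$1
CFG_FILE="$HOME/.${APPNAME}/vpn/${servername}/${servername}.cfg"
CFGDIR=$(dirname "$CFG_FILE")
# Captured before the cd below: the server tarball is written here.
CURRDIR=$(pwd)
cd "$(dirname "$0")" || die "cannot cd to script directory"

# Directory holding the easy-rsa 3 'easyrsa' driver.  Overridable from the
# environment, e.g. EASY_RSA_HOME=$PWD/easy-rsa/easyrsa3 for a vendored copy.
EASY_RSA_HOME=${EASY_RSA_HOME:-/usr/share/easy-rsa/}
EASYRSA_BIN="${EASY_RSA_HOME}/easyrsa"

#######################################
# Write a template config and stop so the user can fill it in.
# Globals:   CFGDIR, CFG_FILE, servername (read)
# Outputs:   template to CFG_FILE; an edit hint on stdout
# Returns:   never (exit 1)
#######################################
write_empty_config() {
  test -d "$CFGDIR" || mkdir -p "$CFGDIR"
  cat > "$CFG_FILE" <<__EOT__
code_country=
code_province=
code_city=
code_organization=${servername}
code_email=
vpn_port=1194
__EOT__
  echo "Edit config file: [$CFG_FILE]"
  exit 1
}

#######################################
# Ensure the config file exists; template it (and exit) if it does not.
# Globals:   CFG_FILE (read)
#######################################
test_config() {
  test -f "$CFG_FILE" || write_empty_config
}

#######################################
# Initialise the PKI in CFGDIR: write and source a 'vars' file, then run
# easyrsa init-pki, build-ca nopass and gen-dh.
# Globals:   CFGDIR, EASYRSA_BIN, code_* (read)
# Outputs:   $CFGDIR/vars, $CFGDIR/pki/...
#######################################
ovpn_generate_ca_nopass() {
  cd "$CFGDIR" || die "cannot cd to $CFGDIR"
  # Written straight from the heredoc so each export keeps its own line; the
  # previous `echo ${VARS_CONTENT}` collapsed the file onto one line and
  # subjected the values to word splitting and glob expansion.
  # NOTE(review): these KEY_* names are the easy-rsa 2 variable set; easy-rsa 3
  # reads EASYRSA_REQ_* / EASYRSA_KEY_SIZE / EASYRSA_CA_EXPIRE / EASYRSA_CERT_EXPIRE
  # instead, so these values may not reach easyrsa at all - confirm against the
  # installed version before relying on them for the certificate subject.
  cat > "$CFGDIR/vars" <<__EOT__
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="${code_country}"
export KEY_PROVINCE="${code_province}"
export KEY_CITY="${code_city}"
export KEY_ORG="${code_organization}"
export KEY_EMAIL="${code_email}"
export KEY_CN="${code_organization}"
export KEY_NAME="${code_organization}"
export KEY_OU="${code_organization}"
__EOT__
  # shellcheck source=/dev/null
  source "$CFGDIR/vars"
  "$EASYRSA_BIN" init-pki
  # The CA key is created without a passphrase here; main encrypts it
  # afterwards with a generated passphrase (see encrypt_private_key).
  "$EASYRSA_BIN" build-ca nopass
  "$EASYRSA_BIN" gen-dh
}

#######################################
# Issue the server certificate/key named after code_organization.
# Globals:   CFGDIR, EASYRSA_BIN, code_organization (read)
#######################################
ovpn_generate_server_nopass() {
  cd "$CFGDIR" || die "cannot cd to $CFGDIR"
  # Issued without a passphrase; main encrypts the key afterwards with a
  # generated passphrase (see encrypt_private_key).
  "$EASYRSA_BIN" build-server-full "$code_organization" nopass
}

#######################################
# Encrypt an RSA private key in place (AES-256, PEM) with the given passphrase.
# The passphrase reaches openssl via the environment rather than argv, so it
# is not visible in `ps` output while openssl runs.
# Arguments: $1 - path of the key to encrypt
#            $2 - passphrase
# Returns:   0 on success; aborts the script if openssl fails, leaving the
#            original key untouched
#######################################
encrypt_private_key() {
  local key_path=$1
  local passphrase=$2
  local key_dir key_name tmp_key
  key_dir=$(dirname "$key_path")
  key_name=$(basename "$key_path")
  tmp_key="${key_dir}/encrypted-${key_name}"
  IRON_KEY_PASSPHRASE="$passphrase" openssl rsa -aes256 \
    -in "$key_path" -out "$tmp_key" -passout env:IRON_KEY_PASSPHRASE \
    || die "failed to encrypt $key_path"
  mv -- "$tmp_key" "$key_path"
}

#######################################
# Collect CA cert, DH params, server cert/key and a generated openvpn .conf
# under $CFGDIR/server/<org>/ and pack that tree into
# $CURRDIR/<org>-server.tar.gz.
# Globals:   CFGDIR, CURRDIR, code_organization, vpn_port (read)
#######################################
ovpn_generate_server_assembly() {
  local dest="$CFGDIR/server/${code_organization}/${code_organization}"
  local tarball="$CURRDIR/${code_organization}-server.tar.gz"
  cd "$CFGDIR" || die "cannot cd to $CFGDIR"
  mkdir -p "$dest"
  cp -- "$CFGDIR/pki/ca.crt" "$dest"
  cp -- "$CFGDIR/pki/dh.pem" "$dest"
  cp -- "$CFGDIR/pki/issued/${code_organization}.crt" "$dest"
  # By the time this runs main has passphrase-protected this key.  The .conf
  # below leaves 'askpass' commented out, so openvpn will prompt for the
  # passphrase at startup unless the operator configures it.
  cp -- "$CFGDIR/pki/private/${code_organization}.key" "$dest"
  # NOTE(review): 'comp-lzo' enables link compression, which OpenVPN has
  # deprecated and which exposes encrypted traffic to compression side-channel
  # attacks; it is kept here only for compatibility with existing clients.
  cat <<__EOT__ > "${dest}.conf"
port ${vpn_port}
proto tcp
dev tun
#askpass /etc/openvpn/passwordfile
ca /etc/openvpn/${code_organization}/ca.crt
cert /etc/openvpn/${code_organization}/${code_organization}.crt
key /etc/openvpn/${code_organization}/${code_organization}.key
dh /etc/openvpn/${code_organization}/dh.pem
server 10.0.0.0 255.255.0.0
# GOOD IP RANGES:
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
ifconfig-pool-persist /etc/openvpn/${code_organization}/ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
client-to-client
__EOT__
  cd "$CFGDIR/server/${code_organization}" || die "cannot cd to server dir"
  tar cvfz "$tarball" .
  # The archive contains the server private key: keep it owner-only.
  chmod 600 -- "$tarball"
}

# MAIN
test_config
# The config is executed as shell code, so it must only ever be edited by hand.
# shellcheck source=/dev/null
source "$CFG_FILE"
for key in code_country code_province code_city code_organization code_email vpn_port; do
  [[ -n "${!key+x}" ]] || die "missing '$key' in $CFG_FILE"
done
[[ -n "$code_organization" ]] || die "code_organization must not be empty in $CFG_FILE"
[[ -x "$EASYRSA_BIN" ]] || die "easyrsa not found at $EASYRSA_BIN"
command -v uuidgen >/dev/null || die "uuidgen is required"
command -v openssl >/dev/null || die "openssl is required"

ca_password=$(uuidgen)
server_password=$(uuidgen)
server_credentials="$CFGDIR/server-credentials.txt"
test -d "$CFGDIR" || mkdir -p "$CFGDIR"
# The credentials file holds key passphrases: create it owner-only rather than
# with the default umask, and tighten an existing one before appending.
( umask 077; : >> "$server_credentials" )
chmod 600 -- "$server_credentials"
printf '%s\n' "CA password:[${ca_password}]" >> "$server_credentials"
printf '%s\n' "server [$servername] priv key password:[${server_password}]" >> "$server_credentials"
ovpn_generate_ca_nopass
ovpn_generate_server_nopass
# Encrypt both keys before assembly; a failure aborts instead of silently
# shipping an unencrypted key in the tarball.
encrypt_private_key "$CFGDIR/pki/private/ca.key" "$ca_password"
encrypt_private_key "$CFGDIR/pki/private/${code_organization}.key" "$server_password"
ovpn_generate_server_assembly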