
Add opendkim
author Pascal Bellard <pascal.bellard@slitaz.org>
date Wed Nov 08 16:45:57 2023 +0000 (20 months ago)
parents 1a6eb3793a9e
children 0058b4efc694
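#!/bin/sh
# make-ovpn - print an OpenVPN server or client profile (.ovpn) on stdout.
# The matching certificate is issued from the easy-rsa PKI kept under
# /etc/openvpn/easy-rsa; the PKI itself is created interactively on first use.
# The profile embeds a private key, so redirect it to a file only you can read.

# Everything below touches /etc/openvpn, so re-execute as root if needed.
# Each argument is single-quoted before it is handed to `su -c`: passing
# "$0 $@" as one string would let the root shell re-split and re-interpret
# any name, host list or route containing spaces or shell metacharacters.
if [ "$(id -u)" != 0 ]; then
	cmd=""
	for arg in "$0" "$@"; do
		cmd="$cmd '$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")'"
	done
	exec su -c "$cmd"
fi

# No mode given: print the usage text and stop.
[ -z "$1" ] && cat <<EOT && exit 0
Usage:
$0 server name vpn-prefix [routes]... > config-server-name.ovpn
$0 client name server-ip[,server2...] [port] > config-client-name.ovpn

Examples:
$0 server office 192.168.99 192.168.0.0/255.255.255.0 10.0.0.0/255.0.0.0
$0 client bart-simson myoffice.org

Tip: run it twice to avoid keys generation output
EOT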
pascal@23216 15
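# dq_escape - escape a string for use inside a double-quoted shell literal:
# backslash, double quote, dollar and backquote each get a leading backslash.
# Arguments: $1 - raw string.  Output: escaped string on stdout (no newline).
dq_escape()
{
	printf '%s' "$1" | sed 's/[\\"$`]/\\&/g'
}

# mkpki - create the easy-rsa PKI in the current directory (interactive).
# Asks for the CA subject fields, writes them into the `vars` file that
# easy-rsa sources as shell code, then runs init-pki, build-ca and gen-dh.
# build-ca prompts for a CA key passphrase.  The script exits on the first
# failing easy-rsa step so that a half-built PKI is never used afterwards.
mkpki()
{
	# Prompts go to stderr: stdout is reserved for the generated profile,
	# so a first run no longer mixes questions into the .ovpn output.
	printf 'Country : ' >&2; read -r country
	printf 'Company : ' >&2; read -r company
	printf 'Province: ' >&2; read -r province
	printf 'City : ' >&2; read -r city
	printf 'Email : ' >&2; read -r email

	# The answers land inside double quotes in `vars`, which easy-rsa
	# executes; escape them so a quote or $ in a company name cannot break
	# (or inject into) that file.
	country=$(dq_escape "$country")
	company=$(dq_escape "$company")
	province=$(dq_escape "$province")
	city=$(dq_escape "$city")
	email=$(dq_escape "$email")

	# "\$" keeps the EASYRSA references literal for easy-rsa to expand itself.
	cat > vars <<EOT
set_var EASYRSA "\${0%/*}"
set_var EASYRSA_PKI \$EASYRSA/pki
set_var EASYRSA_EXT_DIR \$EASYRSA/x509-types
set_var EASYRSA_SSL_CONF \$EASYRSA/openssl-easyrsa.cnf
set_var EASYRSA_SL "cn_only"
set_var EASYRSA_DIGEST "sha256"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "yes"
set_var EASYRSA_NS_COMMENT "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_COUNTRY "$country"
set_var EASYRSA_REQ_PROVINCE "$province"
set_var EASYRSA_REQ_CITY "$city"
set_var EASYRSA_REQ_ORG "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_OU "$company EASY CA"
set_var EASYRSA_REQ_EMAIL "$email"
#buggy?#set_var EASYRSA_BATCH "yes"
EOT
	chmod +x vars

	# easy-rsa chatter goes to stderr for the same reason as the prompts.
	# Use "build-ca nopass" instead of "build-ca" for a CA without passphrase.
	for step in init-pki build-ca gen-dh; do
		./easyrsa $step >&2 || {
			echo "make-ovpn: easyrsa $step failed" >&2
			exit 1
		}
	done
}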
pascal@23216 50
# common_conf - print the transport and crypto directives shared by the
# server and client profiles (tun/udp, AES-256-CBC with SHA512 HMAC,
# TLS 1.2+ restricted to DHE-RSA suites, persistent key/tun, verb 3).
# NOTE(review): nothing in this script emits a tls-auth/tls-crypt key, so the
# TLS handshake is reachable by any peer that can send UDP to the port.
# Whether the installed OpenVPN negotiates a different data cipher than the
# `cipher` fallback given here (data-ciphers/NCP) cannot be told from this
# file — confirm against the packaged version.
common_conf()
{
	# One directive per line; the tls-cipher list is deliberately one line.
	printf '%s\n' \
		'dev tun' \
		'proto udp' \
		'cipher AES-256-CBC' \
		'tls-version-min 1.2' \
		'tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256' \
		'auth SHA512' \
		'auth-nocache' \
		'persist-key' \
		'persist-tun' \
		'verb 3'
}
pascal@23216 68
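# Make sure easy-rsa is installed, then work from the CA directory.
command -v make-cadir >/dev/null 2>&1 || tazpkg get-install easy-rsa
dir=/etc/openvpn/easy-rsa
[ -d "$dir" ] || make-cadir "$dir"
cd "$dir" || exit 1

# Build the PKI when the CA certificate is missing.  Testing for the
# certificate rather than the pki/ directory means an aborted first run
# (e.g. build-ca failed after init-pki) is retried instead of silently
# producing a profile whose <ca> block is empty.
[ -s pki/ca.crt ] || mkpki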
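# Only the two modes are meaningful; anything else used to exit 0 with an
# empty profile, which is easy to miss when stdout is redirected to a file.
case "$1" in
server|client) ;;
*)
	echo "make-ovpn: first argument must be 'server' or 'client'" >&2
	exit 1 ;;
esac

# Certificate name: "<mode>-<name>", or just "<mode>" when no name is given.
# It becomes a file name under pki/, so restrict it to a safe character set
# (no path separators, globs or whitespace).
name="$1${2+-$2}"
case "$name" in
*[!A-Za-z0-9._-]*)
	echo "make-ovpn: invalid name '$name' (use letters, digits, '.', '_', '-')" >&2
	exit 1 ;;
esac

# Issue the certificate once; later runs reuse it.  easy-rsa output goes to
# stderr so the profile on stdout stays clean even on the first run, and a
# failed step aborts instead of embedding a missing cert/key below.
if [ ! -s "pki/issued/$name.crt" ]; then
	./easyrsa gen-req "$name" nopass >&2 || exit 1
	./easyrsa sign-req "$1" "$name" >&2 || exit 1
fi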
pascal@23216 82
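# Client profile: one "remote" line per comma-separated server in $3 (picked
# in random order when several are given), port $4 (default 1194), then the
# shared settings and the inline CA, certificate and private key.
if [ "$1" = "client" ]; then
	port=${4:-1194}
	case "$3" in
	*,*)
		echo "remote-random"
		# Split on commas with tr instead of the ${var//,/ } extension,
		# which is not POSIX sh; the unquoted expansion does the splitting.
		for host in $(printf '%s' "$3" | tr ',' ' '); do
			echo "remote $host $port"
		done ;;
	*)
		echo "remote ${3:-my.office.com} $port" ;;
	esac
	# remote-cert-tls server: only accept a peer cert issued for server use.
	# The profile embeds the client's private key.
	cat <<EOT
client
float

$(common_conf)
remote-cert-tls server

pull
resolv-retry infinite
nobind
mute-replay-warnings

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
EOT
fi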
pascal@23216 110
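# Server profile.  $3 is the first three octets of the VPN /24 (default
# 192.168.16); every argument after it is an extra route to push, written as
# network/netmask (a bare address is pushed as is).
net=${3:-192.168.16}

# push_routes - emit one `push "route net mask"` line for the VPN network and
# for each extra route.  Called with the script's arguments; the first three
# (mode, name, prefix) are dropped.  The old `shift 3` failed when fewer than
# three arguments were given, which either pushed "server"/"name" as routes
# or dropped the VPN route altogether.  Only the first "/" is split on.
push_routes()
{
	if [ $# -ge 3 ]; then shift 3; else shift $#; fi
	for r in "$net.0/255.255.255.0" "$@"; do
		case "$r" in
		*/*) echo "push \"route ${r%%/*} ${r#*/}\"" ;;
		*)   echo "push \"route $r\"" ;;
		esac
	done
}

# push_dns - push the first two resolvers from the server's /etc/resolv.conf.
push_dns()
{
	sed -e '/nameserver/!d;s|nameserver *|push "dhcp-option DNS |;s|.*|&"|' \
		/etc/resolv.conf | head -n 2
}

if [ "$1" = "server" ]; then
	# NOTE(review): the management interface on 127.0.0.1:1294 is opened
	# without a pw-file, so any local user who can connect to that port can
	# control the daemon (kill client sessions, send signals).  On a
	# multi-user host add a password file or switch to a unix socket with
	# restricted permissions.  client-to-client lets VPN peers reach each
	# other directly.  The profile embeds the server's private key.
	cat <<EOT
status /var/log/openvpn-$name
$(common_conf)
keepalive 15 120
tls-exit
user nobody
group nogroup
#compress lz4-v2
#push "compress lz4-v2"
mute 2
passtos
float
port 1194
mode server
tls-server
ping-timer-rem
management 127.0.0.1 1294

client-to-client
#inactive 3600
#duplicate-cn
#push "redirect-gateway def1"

ifconfig $net.1 $net.2
ifconfig-pool $net.5 $net.254
route $net.0 255.255.255.0
$(push_routes "$@")
$(push_dns)

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
<dh>
$(cat pki/dh.pem)
</dh>
EOT
fi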