author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat Mar 15 10:56:40 2025 +0000 (3 months ago)
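#!/bin/sh
# make-ovpn - build an easy-rsa PKI under /etc/openvpn/easy-rsa and print a
# self-contained OpenVPN profile (CA, certificate and private key inline) on
# stdout.  The output contains a private key: redirect it to a file that only
# root can read.

# Everything below writes under /etc/openvpn, so re-run ourselves through su
# when started as a normal user.  `su -c` hands its argument to a shell, so
# each argument is single-quoted before it goes into that string; otherwise a
# name containing spaces or shell metacharacters would be re-split or executed.
if [ "$(id -u)" != 0 ]; then
	cmd=$0
	for arg in "$@"; do
		cmd="$cmd '$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")'"
	done
	exec su -c "$cmd"
fi

# No arguments: print the usage text and stop.
[ -z "$1" ] && cat <<EOT && exit 0
Usage:
$0 server name vpn-prefix [routes]... > config-server-name.ovpn
$0 client name server-ip[,server2...] [port] > config-client-name.ovpn

Examples:
$0 server office 192.168.99 192.168.0.0/255.255.255.0 10.0.0.0/255.0.0.0
$0 client bart-simson myoffice.org

Tip: run it twice to avoid keys generation output
EOT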
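# ask PROMPT - print PROMPT on stderr and return one line read from stdin.
# The prompt goes to stderr so it does not end up inside the profile when
# stdout is redirected to a file.  The answers are written between double
# quotes into "vars", which presumably is read as shell code by easy-rsa
# (set_var lines), so the characters that could close those quotes or start
# an expansion (" $ ` \) are dropped from the reply.
ask()
{
	printf '%s' "$1" >&2
	read -r _reply
	printf '%s' "$_reply" | tr -d '"$`\\'
}

# mkpki - create the easy-rsa PKI in the current directory: write "vars" from
# the organisation details asked on the terminal, initialise the pki tree,
# build the CA (build-ca without nopass, so the CA key gets a passphrase) and
# generate the DH parameters.  Key size, algorithm and lifetimes may be
# overridden from the environment (EASYRSA_KEY_SIZE, EASYRSA_ALGO,
# EASYRSA_CA_EXPIRE, EASYRSA_CERT_EXPIRE).  Tool output is sent to stderr so
# a redirected stdout only receives the profile.  Returns non-zero as soon as
# one easy-rsa step fails.
mkpki()
{
	country=$(ask "Country : ")
	company=$(ask "Company : ")
	province=$(ask "Province: ")
	city=$(ask "City : ")
	email=$(ask "Email : ")
	# \$ keeps the EASYRSA references literal for easy-rsa; the ${X:-default}
	# forms are expanded here, once, from our environment.
	# NOTE(review): EASYRSA_SL is not a variable name I recognise; the easy-rsa
	# DN mode switch is EASYRSA_DN ("cn_only") - confirm before relying on it.
	cat > vars <<EOT
set_var EASYRSA "\${0%/*}"
set_var EASYRSA_PKI \$EASYRSA/pki
set_var EASYRSA_EXT_DIR \$EASYRSA/x509-types
set_var EASYRSA_SSL_CONF \$EASYRSA/openssl-easyrsa.cnf
set_var EASYRSA_SL "cn_only"
set_var EASYRSA_DIGEST "sha256"
set_var EASYRSA_KEY_SIZE ${EASYRSA_KEY_SIZE:-2048}
set_var EASYRSA_ALGO ${EASYRSA_ALGO:-rsa}
set_var EASYRSA_CA_EXPIRE ${EASYRSA_CA_EXPIRE:-7500}
set_var EASYRSA_CERT_EXPIRE ${EASYRSA_CERT_EXPIRE:-365}
set_var EASYRSA_NS_SUPPORT "yes"
set_var EASYRSA_NS_COMMENT "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_COUNTRY "$country"
set_var EASYRSA_REQ_PROVINCE "$province"
set_var EASYRSA_REQ_CITY "$city"
set_var EASYRSA_REQ_ORG "$company CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_OU "$company EASY CA"
set_var EASYRSA_REQ_EMAIL "$email"
#buggy?#set_var EASYRSA_BATCH "yes"
EOT
	chmod +x vars
	# Stop at the first failing step instead of carrying on with a half-built
	# PKI (the caller only checks for the pki directory).
	./easyrsa init-pki >&2 &&
	ln -s ../vars pki/vars &&
	./easyrsa build-ca >&2 &&
	./easyrsa gen-dh >&2
}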
# common_conf - print the OpenVPN options shared by the client and the server
# profile: tun device over UDP, AES-256-CBC data channel, TLS 1.2 minimum with
# a DHE-RSA-only control channel suite list (matching the RSA keys and dh.pem
# produced by mkpki), SHA512 HMAC, no credential caching, and key/tun
# persistence across restarts.
# NOTE(review): "cipher" alone is the legacy data-channel setting; newer
# OpenVPN releases negotiate it through data-ciphers/ncp-ciphers.  Check the
# installed OpenVPN version before switching, older ones reject unknown options.
common_conf()
{
	printf '%s\n' \
		'dev tun' \
		'proto udp' \
		'cipher AES-256-CBC' \
		'tls-version-min 1.2' \
		'tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256' \
		'auth SHA512' \
		'auth-nocache' \
		'persist-key' \
		'persist-tun' \
		'verb 3'
}
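# Validate the command line before anything is created: the mode selects the
# easy-rsa certificate type, and the name is spliced into paths under pki/
# and into the server's status file path, so only plain identifiers are
# accepted (no slashes, no leading '-').
case "$1" in
	server|client) ;;
	*) echo "$0: first argument must be 'server' or 'client'" >&2; exit 1 ;;
esac
case "${2-}" in
	-*|*[!A-Za-z0-9._-]*)
		echo "$0: name may only contain letters, digits, '.', '_' and '-'" >&2
		exit 1 ;;
esac

# easy-rsa is installed on demand; its output goes to stderr so a redirected
# stdout only receives the profile.
command -v make-cadir >/dev/null || tazpkg get-install easy-rsa >&2
dir=/etc/openvpn/easy-rsa
[ -d "$dir" ] || make-cadir "$dir" >&2
# Never fall through to running easy-rsa (and later cat'ing private keys)
# from whatever the current directory happens to be.
cd "$dir" || exit 1

[ -d pki ] || mkpki
name="$1${2+-$2}"
# Issue the certificate only once; gen-req uses nopass because the key is
# embedded in clear in the generated profile anyway.
if [ ! -s "pki/issued/$name.crt" ]; then
	./easyrsa gen-req "$name" nopass >&2 &&
	./easyrsa sign-req "$1" "$name" >&2
fi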
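# Client profile.  A comma separated server list yields one "remote" line per
# host plus remote-random; the port defaults to 1194.
if [ "$1" = "client" ]; then
	port=${4:-1194}
	case "$3" in
	*,*)
		echo "remote-random"
		# tr + read instead of ${3//,/ }: that substitution is a bash
		# extension and this is a /bin/sh script.  Empty fields (",,") are
		# skipped, as the word splitting of the original did.
		printf '%s\n' "$3" | tr ',' '\n' | while read -r host; do
			[ -n "$host" ] && echo "remote $host $port"
		done ;;
	*)
		echo "remote ${3:-my.office.com} $port" ;;
	esac
	# remote-cert-tls server makes the client refuse a peer whose certificate
	# was not issued with the server type, i.e. another client's leaked cert.
	# The <key> section is the client's private key in the clear: keep the
	# resulting .ovpn readable by its owner only.
	cat <<EOT
client
float

$(common_conf)
remote-cert-tls server

pull
resolv-retry infinite
nobind
mute-replay-warnings

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
EOT
fi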
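# Server profile.  $3 is the first three octets of the VPN's own /24, the
# remaining arguments are extra networks (net/mask) pushed as routes.
if [ "$1" = "server" ]; then
	net=${3:-192.168.16}
	# The prefix is spliced verbatim into ifconfig/route lines: accept only
	# three dotted decimal octets.
	dots=$(( $(printf '%s' "$net" | tr -cd '.' | wc -c) ))
	case "$net" in
	*[!0-9.]*|.*|*.|*..*) dots=0 ;;
	esac
	if [ "$dots" -ne 2 ]; then
		echo "$0: vpn-prefix must look like 192.168.99 (three octets)" >&2
		exit 1
	fi

	# The management interface accepts anyone who can connect to it; without
	# a pw-file every local user could drive the daemon (disconnect clients,
	# change state).  Generate a random password once, stored next to the
	# private keys, and reference it from the profile (first line = password).
	mgmt_pw=$PWD/pki/private/$name.mgmt-pw
	if [ ! -s "$mgmt_pw" ]; then
		( umask 077
		  head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$mgmt_pw" &&
		  echo >> "$mgmt_pw" )
	fi

	# Routes to push: the VPN subnet itself plus the extra arguments.  Only
	# the first '/' is turned into a space (same as the original ${i/\// },
	# a bash extension under /bin/sh).  shift is clamped because "shift 3"
	# with fewer arguments aborts the subshell in ash/dash and drops every
	# route, including the VPN subnet.
	routes=$(
		shift $(( $# < 3 ? $# : 3 ))
		for r in "$net.0/255.255.255.0" "$@"; do
			case "$r" in
			*/*) echo "push \"route ${r%%/*} ${r#*/}\"" ;;
			*)   echo "push \"route $r\"" ;;
			esac
		done
	)
	# Hand the server's first two resolvers to the clients.
	dns=$(sed -e '/nameserver/!d;s|nameserver *|push "dhcp-option DNS |;s|.*|&"|' \
		/etc/resolv.conf | head -n 2)

	# remote-cert-tls client: a certificate issued with the easy-rsa "server"
	# type (a leaked server key) can no longer authenticate as a client.
	# client-to-client lets VPN clients reach each other through the server;
	# drop it if clients only need the pushed networks.
	# NOTE(review): tls-exit is kept from the original profile - confirm on the
	# installed OpenVPN that a failed handshake from one peer cannot make the
	# server exit; remove it if it can.  No tls-auth/tls-crypt key is set up:
	# adding one (same key in both profiles) would hide the port from scans.
	cat <<EOT
status /var/log/openvpn-$name
$(common_conf)
keepalive 15 120
tls-exit
user nobody
group nogroup
#compress lz4-v2
#push "compress lz4-v2"
mute 2
passtos
float
port 1194
mode server
tls-server
remote-cert-tls client
ping-timer-rem
management 127.0.0.1 1294 $mgmt_pw

client-to-client
#inactive 3600
#duplicate-cn
#push "redirect-gateway def1"

# Windows needs $net.3
ifconfig $net.1 $net.3
# Windows needs $net.6
ifconfig-pool $net.6 $net.254
route $net.0 255.255.255.0
$routes
$dns

<ca>
$(cat pki/ca.crt)
</ca>
<cert>
$(cat "pki/issued/$name.crt")
</cert>
<key>
$(cat "pki/private/$name.key")
</key>
<dh>
$(cat pki/dh.pem)
</dh>
EOT
fi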