wok rev 23216
openvpn: add make-ovpn
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Sun Mar 22 20:02:34 2020 +0100 (2020-03-22) |
parents | f05572332c7c |
children | c0fe731d810e |
files | openvpn/stuff/usr/bin/conf2opvn openvpn/stuff/usr/bin/conf2ovpn openvpn/stuff/usr/bin/make-ovpn |
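--- a/openvpn/stuff/usr/bin/conf2opvn
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-[ "$1" ] && echo "usage: $0 < file.conf > file.opvn" && exit 1
-awk '{ if ($1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "extra-certs" ||
- $1 == "secret" || $1 == "pkcs12" || $1 == "http-proxy-user-pass" ||
- $1 == "crl-verify" || $1 == "tls-auth" || $1 == "tls-crypt" ||
- $1 == "dh") f[$1]=$2; else print
-} END { print "key-direction 1 # for tls-auth, need check\n"; for (i in f) {
- print "<" i ">"; system("cat " f[i]); print "</" i ">\n"
- }
-}'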
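--- /dev/null
+++ b/openvpn/stuff/usr/bin/conf2ovpn
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+[ "$1" ] && echo "usage: $0 < file.conf > file.ovpn" && exit 1
+awk '{ if ($1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "extra-certs" ||
+ $1 == "secret" || $1 == "pkcs12" || $1 == "http-proxy-user-pass" ||
+ $1 == "crl-verify" || $1 == "tls-auth" || $1 == "tls-crypt" ||
+ $1 == "dh") f[$1]=$2; else print
+} END { print "key-direction 1 # for tls-auth, please check\n"; for (i in f) {
+ print "<" i ">"; system("cat " f[i]); print "</" i ">\n"
+ }
+}'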
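--- /dev/null
+++ b/openvpn/stuff/usr/bin/make-ovpn
@@ -0,0 +1,151 @@
+#!/bin/sh
+
+[ $(id -u) != 0 ] && exec su -c "$0 $@"
+[ -z "$1" ] && cat <<EOT && exit 0
+Usage:
+ $0 server name vpn-prefix [routes]... > config-server-name.ovpn
+ $0 client name server-ip > config-client-name.ovpn
+
+Examples:
+ $0 server office 192.168.99 192.168.0.0/255.255.255.0 10.0.0.0/255.0.0.0
+ $0 client bart-simson myoffice.org
+
+Tip: run it twice to avoid keys generation output
+EOT
+
+mkpki()
+{
+ echo -n "Country : "; read country
+ echo -n "Company : "; read company
+ echo -n "Province: "; read province
+ echo -n "City : "; read city
+ echo -n "Email : "; read email
+ cat > vars <<EOT
+set_var EASYRSA "\${0%/*}"
+set_var EASYRSA_PKI \$EASYRSA/pki
+set_var EASYRSA_EXT_DIR \$EASYRSA/x509-types
+set_var EASYRSA_SSL_CONF \$EASYRSA/openssl-easyrsa.cnf
+set_var EASYRSA_SL "cn_only"
+set_var EASYRSA_DIGEST "sha256"
+set_var EASYRSA_KEY_SIZE 2048
+set_var EASYRSA_ALGO rsa
+set_var EASYRSA_CA_EXPIRE 7500
+set_var EASYRSA_CERT_EXPIRE 365
+set_var EASYRSA_NS_SUPPORT "yes"
+set_var EASYRSA_NS_COMMENT "$company CERTIFICATE AUTHORITY"
+set_var EASYRSA_REQ_COUNTRY "$country"
+set_var EASYRSA_REQ_PROVINCE "$province"
+set_var EASYRSA_REQ_CITY "$city"
+set_var EASYRSA_REQ_ORG "$company CERTIFICATE AUTHORITY"
+set_var EASYRSA_REQ_OU "$company EASY CA"
+set_var EASYRSA_REQ_EMAIL "$email"
+#buggy?#set_var EASYRSA_BATCH "yes"
+EOT
+ chmod +x vars
+ ./easyrsa init-pki
+ #./easyrsa build-ca nopass
+ ./easyrsa build-ca
+ ./easyrsa gen-dh
+}
+
+common_conf()
+{
+ cat <<EOT
+dev tun
+proto udp
+cipher AES-256-CBC
+tls-version-min 1.2
+tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
+auth SHA512
+auth-nocache
+persist-key
+persist-tun
+verb 3
+EOT
+}
+
+[ -z "$(which make-cadir)" ] && tazpkg get-install easy-rsa
+dir=/etc/openvpn/easy-rsa
+[ -d $dir ] || make-cadir $dir
+cd $dir
+
+[ -d pki ] || mkpki
+name="$1${2+-$2}"
+if [ "$1" = "server" ] || [ "$1" = client ]; then
+ if [ ! -s pki/issued/$name.crt ]; then
+ ./easyrsa gen-req "$name" nopass
+ ./easyrsa sign-req $1 "$name"
+ fi
+fi
+
+[ "$1" = "client" ] && cat << EOT
+client
+remote ${3:-my.office.com} 1194
+
+$(common_conf)
+remote-cert-tls server
+
+pull
+resolv-retry infinite
+nobind
+mute-replay-warnings
+
+<ca>
+$(cat pki/ca.crt)
+</ca>
+<cert>
+$(cat pki/issued/$name.crt)
+</cert>
+<key>
+$(cat pki/private/$name.key)
+</key>
+EOT
+
+net=${3:-192.168.16}
+[ "$1" = "server" ] && cat << EOT
+status /var/log/openvpn-$name
+$(common_conf)
+keepalive 15 120
+tls-exit
+user nobody
+group nogroup
+#compress lz4-v2
+#push "compress lz4-v2"
+mute 2
+passtos
+float
+port 1194
+mode server
+tls-server
+ping-timer-rem
+management 127.0.0.1 1294
+
+client-to-client
+#inactive 3600
+#duplicate-cn
+#push "redirect-gateway def1"
+
+ifconfig $net.1 $net.3
+ifconfig-pool $net.6 $net.254
+$(shift 3; for i in $net.0/255.255.255.0 $@; do
+ echo "route ${i/\// }"
+ echo "push \"route ${i/\// }\""
+done)
+$(sed -e '/nameserver/!d;s|nameserver *|push "dhcp-option DNS |;s|.*|&"|' \
+/etc/resolv.conf | head -n 2)
+
+<ca>
+$(cat pki/ca.crt)
+</ca>
+<cert>
+$(cat pki/issued/$name.crt)
+</cert>
+<key>
+$(cat pki/private/$name.key)
+</key>
+<dh>
+$(cat pki/dh.pem)
+</dh>
+EOT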
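Review bot: The server profile's `management 127.0.0.1 1294` line opens the management interface with no password file, so any local process that can reach that loopback port can drive the daemon even after it has dropped to `user nobody`; either leave the directive commented out like the other optional ones, or give it the optional third argument, e.g. `management 127.0.0.1 1294 /etc/openvpn/mgmt.pw` (example path) pointing at a mode-600 password file. Neither generated profile carries a control-channel HMAC key even though the sibling conf2ovpn emits `key-direction 1 # for tls-auth`; generating one in mkpki with `openvpn --genkey --secret pki/ta.key` and inlining it as `<tls-crypt>…</tls-crypt>` in both heredocs would close that gap. The output also embeds the unencrypted private key (`./easyrsa gen-req "$name" nopass`) yet is produced on stdout through the caller's redirect, so the script itself cannot set the file mode; the usage text should tell the user to `chmod 600` the resulting `.ovpn`. Minor: `su -c "$0 $@"` collapses arguments containing spaces, and `${i/\// }` is a bash-style substitution under `#!/bin/sh`, which presumably works on the target busybox ash but not on a strict POSIX sh.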