Php/OpenVPN-Admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Upgrade to EasyRSA 3.x

Browse Source 
- Automatically grab the latest version of EasyRSA 3.x branch
- Adapt commands for CA and server certificates generation
- Rename vars from key_* to cert_* for those whose were not key related
- Keep default values if vars are empty
- Does not fail on empty MySQL root password, it is bad but it can happen
This commit is contained in:
Nicolas KAROLAK 2016-09-04 13:50:17 +02:00
parent a62e07f8f4
commit 570ee6ad42
1 changed files with 71 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
install.sh
View File

@ -33,7 +33,6 @@ user=$2
group=$3 group=$3
openvpn_admin="$www/openvpn-admin" openvpn_admin="$www/openvpn-admin"
# Check the validity of the arguments # Check the validity of the arguments
if [ ! -d "$www" ] || ! grep -q "$user" "/etc/passwd" || ! grep -q "$group" "/etc/group" ; then if [ ! -d "$www" ] || ! grep -q "$user" "/etc/passwd" || ! grep -q "$group" "/etc/group" ; then
print_help print_help
@ -42,13 +41,14 @@ fi
base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) base_path=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
printf "\n################## Server informations ##################\n" printf "\n################## Server informations ##################\n"
read -p "Server ip: " ip_server read -p "Server Hostname/IP: " ip_server
read -p "Port [default: 443]: " server_port read -p "Port [443]: " server_port
if [[ "$server_port" == "443" || "$server_port" == "" ]]; then if [[ ! -z $server_port ]]; then
server_port="443" server_port="443"
else else
server_port=$server_port server_port=$server_port
@ -60,13 +60,8 @@ status_code=1
while [ $status_code -ne 0 ]; do while [ $status_code -ne 0 ]; do
read -p "Server MySQL root password: " -s mysql_root_pass; echo read -p "Server MySQL root password: " -s mysql_root_pass; echo
if [ "$mysql_root_pass" != "" ]; then echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" &> /dev/null
echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" &> /dev/null status_code=$?
status_code=$?
else
echo "MySQL root password is empty!"
exit
fi
done done
sql_result=$(echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" | grep -e "^openvpn-admin$") sql_result=$(echo "SHOW DATABASES" | mysql -u root --password="$mysql_root_pass" | grep -e "^openvpn-admin$")
@ -88,76 +83,100 @@ fi
read -p "Server MySQL openvpn-admin user password: " -s mysql_pass; echo read -p "Server MySQL openvpn-admin user password: " -s mysql_pass; echo
# TODO MySQL port & host ? # TODO MySQL port & host ?
printf "\n################## Certificates informations ##################\n" printf "\n################## Certificates informations ##################\n"
key_size="0"
while [ "$key_size" != "1024" -a "$key_size" != "2048" -a "$key_size" != "4096" ]; do read -p "Key size (1024, 2048 or 4096) [2048]: " key_size
read -p "Key size (1024, 2048 or 4096): " key_size
done
read -p "Root certificate expiration (in days): " ca_expire read -p "Root certificate expiration (in days) [3650]: " ca_expire
read -p "Certificate expiration (in days): " key_expire read -p "Certificate expiration (in days) [3650]: " cert_expire
read -p "Country Name (2 letter code): " key_country read -p "Country Name (2 letter code) [US]: " cert_country
read -p "State or Province Name (full name): " key_province read -p "State or Province Name (full name) [California]: " cert_province
read -p "Locality Name (eg, city): " key_city read -p "Locality Name (eg, city) [San Francisco]: " cert_city
read -p "Organization Name (eg, company): " key_org read -p "Organization Name (eg, company) [Copyleft Certificate Co]: " cert_org
read -p "Email Address: " key_email read -p "Organizational Unit Name (eg, section) [My Organizational Unit]: " cert_ou
read -p "Common Name (eg, your name or your server's hostname): " key_cn read -p "Email Address [me@example.net]: " cert_email
read -p "Name (eg, your name or your server's hostname): " key_name read -p "Common Name (eg, your name or your server's hostname) [ChangeMe]: " key_cn
read -p "Organizational Unit Name (eg, section): " key_ou
printf "\n################## Creating the certificates ##################\n" printf "\n################## Creating the certificates ##################\n"
EASYRSA_RELEASES=( $(
curl -s https://api.github.com/repos/OpenVPN/easy-rsa/releases | \
grep 'tag_name' | \
grep -E '3(\.[0-9]+)+' | \
awk '{ print $2 }' | \
sed 's/[,|"|v]//g'
) )
EASYRSA_LATEST=${EASYRSA_RELEASES[0]}
# Get the rsa keys # Get the rsa keys
mkdir /etc/openvpn/easy-rsa/ wget -q --show-progress https://github.com/OpenVPN/easy-rsa/releases/download/${EASYRSA_LATEST}/EasyRSA-${EASYRSA_LATEST}.tgz
wget https://github.com/OpenVPN/easy-rsa/archive/2.2.2.zip tar -xaf EasyRSA-${EASYRSA_LATEST}.tgz
unzip 2.2.2.zip mv EasyRSA-${EASYRSA_LATEST} /etc/openvpn/easy-rsa
mv easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/ rm -r EasyRSA-${EASYRSA_LATEST}.tgz
rm -r 2.2.2.zip easy-rsa-2.2.2
cd /etc/openvpn/easy-rsa cd /etc/openvpn/easy-rsa
source vars if [[ ! -z $key_size ]]; then
export EASYRSA_KEY_SIZE=$key_size
fi
if [[ ! -z $ca_expire ]]; then
export EASYRSA_CA_EXPIRE=$ca_expire
fi
if [[ ! -z $cert_expire ]]; then
export EASYRSA_CERT_EXPIRE=$cert_expire
fi
if [[ ! -z $cert_country ]]; then
export EASYRSA_REQ_COUNTRY=$cert_country
fi
if [[ ! -z $cert_province ]]; then
export EASYRSA_REQ_PROVINCE=$cert_province
fi
if [[ ! -z $cert_city ]]; then
export EASYRSA_REQ_CITY=$cert_city
fi
if [[ ! -z $cert_org ]]; then
export EASYRSA_REQ_ORG=$cert_org
fi
if [[ ! -z $cert_ou ]]; then
export EASYRSA_REQ_OU=$cert_ou
fi
if [[ ! -z $cert_email ]]; then
export EASYRSA_REQ_EMAIL=$cert_email
fi
if [[ ! -z $key_cn ]]; then
export EASYRSA_REQ_CN=$key_cn
fi
export KEY_SIZE=$key_size # Init PKI dirs and build CA certs
export CA_EXPIRE=$ca_expire ./easyrsa init-pki
export KEY_EXPIRE=$key_expire ./easyrsa build-ca nopass
export KEY_COUNTRY=$key_country # Generate Diffie-Hellman parameters
export KEY_PROVINCE=$key_province ./easyrsa gen-dh
export KEY_CITY=$key_city # Genrate server keypair
export KEY_ORG=$key_org ./easyrsa build-server-full server nopass
export KEY_EMAIL=$key_email
export KEY_CN=$key_cn
export KEY_NAME=$key_name
export KEY_OU=$key_ou
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
openvpn --genkey --secret keys/ta.key
# Generate shared-secret for TLS Authentication
openvpn --genkey --secret pki/ta.key
printf "\n################## Setup OpenVPN ##################\n" printf "\n################## Setup OpenVPN ##################\n"
# Copy certificates and the server configuration in the openvpn directory # Copy certificates and the server configuration in the openvpn directory
cp /etc/openvpn/easy-rsa/keys/{ca.crt,ta.key,server.crt,server.key,dh${KEY_SIZE}.pem} "/etc/openvpn/" cp /etc/openvpn/easy-rsa/pki/{ca.crt,ta.key,issued/server.crt,private/server.key,dh.pem} "/etc/openvpn/"
cp "$base_path/installation/server.conf" "/etc/openvpn/" cp "$base_path/installation/server.conf" "/etc/openvpn/"
mkdir "/etc/openvpn/ccd" mkdir "/etc/openvpn/ccd"
sed -i "s/dh dh1024\.pem/dh dh${KEY_SIZE}.pem/" "/etc/openvpn/server.conf" sed -i "s/dh dh1024\.pem/dh dh.pem/" "/etc/openvpn/server.conf"
sed -i "s/port 443/port $server_port/" "/etc/openvpn/server.conf" sed -i "s/port 443/port $server_port/" "/etc/openvpn/server.conf"
@ -177,6 +196,7 @@ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -o eth0 -j MASQUERADE
printf "\n################## Setup MySQL database ##################\n" printf "\n################## Setup MySQL database ##################\n"
echo "CREATE DATABASE \`openvpn-admin\`" | mysql -u root --password="$mysql_root_pass" echo "CREATE DATABASE \`openvpn-admin\`" | mysql -u root --password="$mysql_root_pass"