From 5400deadad443303d2245ca10da7ba8f7a369c6c Mon Sep 17 00:00:00 2001
From: dex4k <49769442+dex4k@users.noreply.github.com>
Date: Mon, 15 Jul 2019 22:41:05 +0100
Subject: [PATCH] OpenVPN script but asks for pass for CA authority

Adds extra security in case server in breached. If an attacker is able to take your CA private key it is encrypted with a passphrase. The regular script allows anyone who is able to steal with CA private key to issue new clients for your VPN. Obviously your server should be protected enough your private key is not stolen in the first place, but this adds an extra level of security.
---
 openvpn-install.sh => openvpn-install-capass.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename openvpn-install.sh => openvpn-install-capass.sh (99%)

diff --git a/openvpn-install.sh b/openvpn-install-capass.sh
similarity index 99%
rename from openvpn-install.sh
rename to openvpn-install-capass.sh
index 0685a72..c484ee4 100755
--- a/openvpn-install.sh
+++ b/openvpn-install-capass.sh
@@ -648,14 +648,14 @@ function installOpenVPN () {
 echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
 # Create the PKI, set up the CA, the DH params and the server certificate
 ./easyrsa init-pki
- ./easyrsa --batch build-ca nopass
+ ./easyrsa --batch build-ca
 if [[ $DH_TYPE == "2" ]]; then
 # ECDH keys are generated on-the-fly so we don't need to generate them beforehand
 openssl dhparam -out dh.pem $DH_KEY_SIZE
 fi
- ./easyrsa build-server-full "$SERVER_NAME" nopass
+ ./easyrsa build-server-full "$SERVER_NAME"
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 case $TLS_SIG in