cezar97
GitHub
parent
852fecf1cf
commit
e83c8cf029
1 changed files with 9 additions and 4 deletions
|
|
@ -654,14 +654,18 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
|
||||||
elif [[ $CERT_TYPE == "2" ]]; then
|
elif [[ $CERT_TYPE == "2" ]]; then
|
||||||
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
|
echo "set_var EASYRSA_KEY_SIZE $RSA_SIZE" > vars
|
||||||
fi
|
fi
|
||||||
|
# Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
|
||||||
|
SERVER_CN="cn_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
|
||||||
|
SERVER_NAME="server_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
|
||||||
echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
|
echo 'set_var EASYRSA_DIGEST "'$CERT_HASH'"' >> vars
|
||||||
|
echo "set_var EASYRSA_REQ_CN $SERVER_CN" >> vars
|
||||||
# Create the PKI, set up the CA, the DH params and the server + client certificates
|
# Create the PKI, set up the CA, the DH params and the server + client certificates
|
||||||
./easyrsa init-pki
|
./easyrsa init-pki
|
||||||
./easyrsa --batch build-ca nopass
|
./easyrsa --batch build-ca nopass
|
||||||
if [[ $DH_TYPE == "2" ]]; then
|
if [[ $DH_TYPE == "2" ]]; then
|
||||||
openssl dhparam -out dh.pem $DH_SIZE
|
openssl dhparam -out dh.pem $DH_SIZE
|
||||||
fi
|
fi
|
||||||
./easyrsa build-server-full server nopass
|
./easyrsa build-server-full $SERVER_NAME nopass
|
||||||
./easyrsa build-client-full $CLIENT nopass
|
./easyrsa build-client-full $CLIENT nopass
|
||||||
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
|
||||||
if [[ $TLS_SIG == "1" ]]; then
|
if [[ $TLS_SIG == "1" ]]; then
|
||||||
|
|
@ -672,7 +676,7 @@ set_var EASYRSA_CURVE $CERT_CURVE" > vars
|
||||||
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
openvpn --genkey --secret /etc/openvpn/tls-auth.key
|
||||||
fi
|
fi
|
||||||
# Move all the generated files
|
# Move all the generated files
|
||||||
cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
cp pki/ca.crt pki/private/ca.key pki/issued/$SERVER_NAME.crt pki/private/$SERVER_NAME.key /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn
|
||||||
if [[ $DH_TYPE == "2" ]]; then
|
if [[ $DH_TYPE == "2" ]]; then
|
||||||
cp dh.pem /etc/openvpn
|
cp dh.pem /etc/openvpn
|
||||||
fi
|
fi
|
||||||
|
|
@ -734,8 +738,8 @@ ifconfig-pool-persist ipp.txt" >> /etc/openvpn/server.conf
|
||||||
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
|
echo 'push "redirect-gateway def1 bypass-dhcp" '>> /etc/openvpn/server.conf
|
||||||
echo "crl-verify crl.pem
|
echo "crl-verify crl.pem
|
||||||
ca ca.crt
|
ca ca.crt
|
||||||
cert server.crt
|
cert $SERVER_NAME.crt
|
||||||
key server.key" >> /etc/openvpn/server.conf
|
key $SERVER_NAME.key" >> /etc/openvpn/server.conf
|
||||||
if [[ $TLS_SIG == "1" ]]; then
|
if [[ $TLS_SIG == "1" ]]; then
|
||||||
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
|
echo "tls-crypt tls-crypt.key 0" >> /etc/openvpn/server.conf
|
||||||
elif [[ $TLS_SIG == "2" ]]; then
|
elif [[ $TLS_SIG == "2" ]]; then
|
||||||
|
|
@ -886,6 +890,7 @@ nobind
|
||||||
persist-key
|
persist-key
|
||||||
persist-tun
|
persist-tun
|
||||||
remote-cert-tls server
|
remote-cert-tls server
|
||||||
|
verify-x509-name $SERVER_NAME name
|
||||||
auth $HMAC_AUTH
|
auth $HMAC_AUTH
|
||||||
$CIPHER
|
$CIPHER
|
||||||
tls-client
|
tls-client
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue