mirror of
https://github.com/Nyr/openvpn-install.git
synced 2024-11-23 21:46:08 +03:00
Multiple improvements
- Better UX for client certificate revocation: a list of the current client names is shown to the user - easy-rsa 2.2.2 now used by default: it’s easier for me to maintain a single version
This commit is contained in:
parent
b778c1aed9
commit
7d467d9666
57
openvpn-install.sh
Executable file → Normal file
57
openvpn-install.sh
Executable file → Normal file
@ -55,15 +55,6 @@ newclient () {
|
|||||||
echo "</key>" >> ~/$1.ovpn
|
echo "</key>" >> ~/$1.ovpn
|
||||||
}
|
}
|
||||||
|
|
||||||
geteasyrsa () {
|
|
||||||
wget --no-check-certificate -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
|
|
||||||
tar xzf ~/easy-rsa.tar.gz -C ~/
|
|
||||||
mkdir -p /etc/openvpn/easy-rsa/2.0/
|
|
||||||
cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
|
|
||||||
rm -rf ~/easy-rsa-2.2.2
|
|
||||||
rm -rf ~/easy-rsa.tar.gz
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# Try to get our IP from the system and fallback to the Internet.
|
# Try to get our IP from the system and fallback to the Internet.
|
||||||
# I do this to make the script compatible with NATed servers (lowendspirit.com)
|
# I do this to make the script compatible with NATed servers (lowendspirit.com)
|
||||||
@ -79,13 +70,12 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
do
|
do
|
||||||
clear
|
clear
|
||||||
echo "Looks like OpenVPN is already installed"
|
echo "Looks like OpenVPN is already installed"
|
||||||
|
echo ""
|
||||||
echo "What do you want to do?"
|
echo "What do you want to do?"
|
||||||
echo ""
|
echo " 1) Add a cert for a new user"
|
||||||
echo "1) Add a cert for a new user"
|
echo " 2) Revoke existing user cert"
|
||||||
echo "2) Revoke existing user cert"
|
echo " 3) Remove OpenVPN"
|
||||||
echo "3) Remove OpenVPN"
|
echo " 4) Exit"
|
||||||
echo "4) Exit"
|
|
||||||
echo ""
|
|
||||||
read -p "Select an option [1-4]: " option
|
read -p "Select an option [1-4]: " option
|
||||||
case $option in
|
case $option in
|
||||||
1)
|
1)
|
||||||
@ -106,9 +96,23 @@ if [[ -e /etc/openvpn/server.conf ]]; then
|
|||||||
exit
|
exit
|
||||||
;;
|
;;
|
||||||
2)
|
2)
|
||||||
|
# This option could be documented a bit better and maybe even be simplimplified
|
||||||
|
# ...but what can I say, I want some sleep too
|
||||||
|
NUMBEROFCLIENTS=$(tail -n +2 /etc/openvpn/easy-rsa/2.0/keys/index.txt | grep "^V" | wc -l)
|
||||||
|
if [[ "$NUMBEROFCLIENTS" = '0' ]]; then
|
||||||
echo ""
|
echo ""
|
||||||
echo "Tell me the existing client name"
|
echo "You have no existing clients!"
|
||||||
read -p "Client name: " -e -i client CLIENT
|
exit
|
||||||
|
fi
|
||||||
|
echo ""
|
||||||
|
echo "Select the existing client certificate you want to revoke"
|
||||||
|
tail -n +2 /etc/openvpn/easy-rsa/2.0/keys/index.txt | grep "^V" | cut -d '/' -f 7 | cut -d '=' -f 2 | nl -s ') '
|
||||||
|
if [[ "$NUMBEROFCLIENTS" = '1' ]]; then
|
||||||
|
read -p "Select one client [1]: " CLIENTNUMBER
|
||||||
|
else
|
||||||
|
read -p "Select one client [1-$NUMBEROFCLIENTS]: " CLIENTNUMBER
|
||||||
|
fi
|
||||||
|
CLIENT=$(tail -n +2 /etc/openvpn/easy-rsa/2.0/keys/index.txt | grep "^V" | cut -d '/' -f 7 | cut -d '=' -f 2 | sed -n "$CLIENTNUMBER"p)
|
||||||
cd /etc/openvpn/easy-rsa/2.0/
|
cd /etc/openvpn/easy-rsa/2.0/
|
||||||
. /etc/openvpn/easy-rsa/2.0/vars
|
. /etc/openvpn/easy-rsa/2.0/vars
|
||||||
. /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT
|
. /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT
|
||||||
@ -195,22 +199,25 @@ else
|
|||||||
if [[ "$OS" = 'debian' ]]; then
|
if [[ "$OS" = 'debian' ]]; then
|
||||||
apt-get update
|
apt-get update
|
||||||
apt-get install openvpn iptables openssl -y
|
apt-get install openvpn iptables openssl -y
|
||||||
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
|
|
||||||
# easy-rsa isn't available by default for Debian Jessie and newer
|
|
||||||
if [[ ! -d /etc/openvpn/easy-rsa/2.0/ ]]; then
|
|
||||||
geteasyrsa
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
# Else, the distro is CentOS
|
# Else, the distro is CentOS
|
||||||
yum install epel-release -y
|
yum install epel-release -y
|
||||||
yum install openvpn iptables openssl wget -y
|
yum install openvpn iptables openssl wget -y
|
||||||
geteasyrsa
|
|
||||||
fi
|
fi
|
||||||
|
# An old version of easy-rsa was available by default in some openvpn packages
|
||||||
|
if [[ -d /etc/openvpn/easy-rsa/2.0/ ]]; then
|
||||||
|
rm -f /etc/openvpn/easy-rsa/2.0/
|
||||||
|
fi
|
||||||
|
# Get easy-rsa
|
||||||
|
wget --no-check-certificate -O ~/easy-rsa.tar.gz https://github.com/OpenVPN/easy-rsa/archive/2.2.2.tar.gz
|
||||||
|
tar xzf ~/easy-rsa.tar.gz -C ~/
|
||||||
|
mkdir -p /etc/openvpn/easy-rsa/2.0/
|
||||||
|
cp ~/easy-rsa-2.2.2/easy-rsa/2.0/* /etc/openvpn/easy-rsa/2.0/
|
||||||
|
rm -rf ~/easy-rsa-2.2.2
|
||||||
|
rm -rf ~/easy-rsa.tar.gz
|
||||||
cd /etc/openvpn/easy-rsa/2.0/
|
cd /etc/openvpn/easy-rsa/2.0/
|
||||||
# Let's fix one thing first...
|
# Let's fix one thing first...
|
||||||
cp -u -p openssl-1.0.0.cnf openssl.cnf
|
cp -u -p openssl-1.0.0.cnf openssl.cnf
|
||||||
# Fuck you NSA - 1024 bits was the default for Debian Wheezy and older
|
|
||||||
sed -i 's|export KEY_SIZE=1024|export KEY_SIZE=2048|' /etc/openvpn/easy-rsa/2.0/vars
|
|
||||||
# Create the PKI
|
# Create the PKI
|
||||||
. /etc/openvpn/easy-rsa/2.0/vars
|
. /etc/openvpn/easy-rsa/2.0/vars
|
||||||
. /etc/openvpn/easy-rsa/2.0/clean-all
|
. /etc/openvpn/easy-rsa/2.0/clean-all
|
||||||
|
Loading…
Reference in New Issue
Block a user