From c90989a0e2dbb6316e5d048f105c8615f70c6ba9 Mon Sep 17 00:00:00 2001 From: Nyr Date: Sat, 20 Oct 2018 14:52:24 +0200 Subject: [PATCH] Use a predefined DH group This is way faster than generating our own, see #532. --- openvpn-install.sh | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 92487ae..8b56327 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -233,19 +233,27 @@ else chown -R root:root /etc/openvpn/easy-rsa/ rm -f ~/easyrsa.tgz cd /etc/openvpn/easy-rsa/ - # Create the PKI, set up the CA, the DH params and the server + client certificates + # Create the PKI, set up the CA and the server and client certificates ./easyrsa init-pki ./easyrsa --batch build-ca nopass - ./easyrsa gen-dh EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server nopass EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full $CLIENT nopass EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl # Move the stuff we need - cp pki/ca.crt pki/private/ca.key pki/dh.pem pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn + cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn # CRL is read with each client connection, when OpenVPN is dropped to nobody chown nobody:$GROUPNAME /etc/openvpn/crl.pem # Generate key for tls-auth openvpn --genkey --secret /etc/openvpn/ta.key + # Create the DH parameters file using the predefined ffdhe2048 group + echo '-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS-----' > /etc/openvpn/dh.pem # Generate server.conf echo "port $PORT proto $PROTOCOL