diff --git a/conf/install_openvpn.conf.sample b/conf/install_openvpn.conf.sample
new file mode 100644
index 0000000..cecaab1
--- /dev/null
+++ b/conf/install_openvpn.conf.sample
@@ -0,0 +1,48 @@
+## - Configuration/Initialization OpenVPN
+## -
+
+# ====================
+# - Some Parameter Settings for using this installation howto
+# ====================
+
+# ---
+# - Parameters OpenVPN Configuration / KEY Creation
+# ---
+
+OPENVPN_BASE_DIR=/etc/openvpn
+EASY_RSA_DIR=${OPENVPN_BASE_DIR}/easy-rsa
+
+# - (3*365+366)*8 = 11688 = 32 Jahre
+CA_EXPIRE=11688
+# - (3*365+366)*5 = 7305 = 20 Jahre
+KEY_EXPIRE=7305
+
+KEY_COUNTRY="DE"
+KEY_PROVINCE="Berlin"
+KEY_CITY="Berlin"
+KEY_ORG="O.OPEN"
+KEY_EMAIL="ckubu-adm\@oopen.de"
+KEY_OU="Network Services"
+
+KEY_NAME="VPN B3"
+KEY_CN="VPN-B3"
+
+KEY_ALTNAMES="VPN B3"
+
+
+# ---
+# - Parameters for Server Configurations ( server-home.conf / server-gw-ckubu.conf)
+# ---
+
+SERVER_PORT_HOME=1194
+OPENVPN_NETWORK_HOME="10.0.42.0"
+CCD_HOME="/etc/openvpn/ccd/server-home"
+
+SERVER_PORT_GW_CKUBU=1195
+OPENVPN_NETWORK_GW_CKUBU="10.1.42.0"
+IPV4_OPENVPN_GW_CKUBU="10.1.42.1"
+CCD_GW_CKUBU="/etc/openvpn/ccd/server-gw-ckubu"
+
+MAIN_NETWORK=192.168.42.0
+DNS_SERVER=192.168.42.1
+DOMAIN=b3-bornim.netz
diff --git a/install_openvpn.sh b/install_openvpn.sh
index edf160c..3ca0f6e 100755
--- a/install_openvpn.sh
+++ b/install_openvpn.sh
@@ -198,7 +198,7 @@ fi
 # - Make the package included scripts available in directory
 # - "/etc/openvpn/easy-rsa"
 # -
-echononl " Backup directory '/etc/openvpn/easy-rsa'.."
+echononl " Backup directory '${EASY_RSA_DIR}'.."
 if [[ -d "$EASY_RSA_DIR" ]]; then
    mv $EASY_RSA_DIR ${EASY_RSA_DIR}.$_date > "$log_file" 2>&1
    if [[ $? -eq 0 ]] ; then
@@ -210,7 +210,7 @@ if [[ -d "$EASY_RSA_DIR" ]]; then
 else
    echo_skipped
 fi
-echononl " Create directory '/etc/openvpn/easy-rsa'.."
+echononl " Create directory '${EASY_RSA_DIR}'.."
 /usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1
 if [[ $? -eq 0 ]] ; then
    echo_ok
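Review bot: `KEY_EMAIL="ckubu-adm\@oopen.de"` keeps the backslash when this file is sourced by bash, because `\@` is not an escape sequence inside double quotes, so the value presumably ends up in the certificate subject as `ckubu-adm\@oopen.de`; use `KEY_EMAIL="ckubu-adm@oopen.de"`. `CCD_HOME` and `CCD_GW_CKUBU` hard-code `/etc/openvpn` although `OPENVPN_BASE_DIR` is defined a few lines above, so changing the base directory leaves the ccd paths behind; `CCD_HOME="${OPENVPN_BASE_DIR}/ccd/server-home"` and `CCD_GW_CKUBU="${OPENVPN_BASE_DIR}/ccd/server-gw-ckubu"` keep them in step. The sample also ships site-specific values (email, domain, subnets); a header comment stating that every value must be adapted before the installer is run would help.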
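Review bot: The messages now use `${EASY_RSA_DIR}`, but the commands acting on it in this hunk and in the @@ -210 hunk still expand it unquoted (`mv $EASY_RSA_DIR ${EASY_RSA_DIR}.$_date`, `/usr/bin/make-cadir $EASY_RSA_DIR`); since the value now comes from a user-edited config file, quote it: `mv -- "$EASY_RSA_DIR" "${EASY_RSA_DIR}.$_date" > "$log_file" 2>&1` and `/usr/bin/make-cadir "$EASY_RSA_DIR" > "$log_file" 2>&1`. The `if` blocks around both commands begin or end outside their hunks.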
@@ -351,6 +351,8 @@ fi
 # - export EASY_RSA=\$BASE_DIR/easy_rsa
 # - export KEY_DIR=\$BASE_DIR/keys
 # -
+# - export KEY_SIZE=$KEY_SIZE
+# -
 # - # root CA expires in 30 years (= 10950 days)
 # - export CA_EXPIRE=$CA_EXPIRE
 # -
@@ -381,6 +383,11 @@ if [[ $? -ne 0 ]]; then
    _failed=true
 fi
+perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" ${EASY_RSA_DIR}/vars > "$log_file"
+2>&1
+if [[ $? -ne 0 ]]; then
+   _failed=true
+fi
 perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1
 if [[ $? -ne 0 ]]; then
@@ -550,7 +557,7 @@ echo ""
 # - to help block DoS attacks and UDP port flooding.
 # -
 echononl " Create 'ta.key' for additional security"
-openvpn --genkey --secret $OPENVPN_BASE_DIR/keys/ta.key > "$log_file" 2>&1
+openvpn --genkey --secret ${OPENVPN_BASE_DIR}/keys/ta.key > "$log_file" 2>&1
 if [[ $? -eq 0 ]] ; then
    echo_ok
 else
@@ -707,16 +714,16 @@ dev tun
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
-ca keys/ca.crt
-cert keys/server.crt
-key keys/server.key # This file should be kept secret
+ca ${OPENVPN_BASE_DIR}/keys/ca.crt
+cert ${OPENVPN_BASE_DIR}/keys/server.crt
+key ${OPENVPN_BASE_DIR}/keys/server.key # This file should be kept secret
 # Diffie hellman parameters.
 # Generate your own with:
 # openssl dhparam -out dh1024.pem 1024
 # Substitute 2048 for 1024 if you are using
 # 2048 bit keys.
-dh keys/dh2048.pem
+dh ${OPENVPN_BASE_DIR}/keys/dh2048.pem
 # Configure server mode and supply a VPN subnet
 # for OpenVPN to draw client addresses from.
@@ -872,7 +879,7 @@ keepalive 10 120
 # The second parameter should be '0'
 # on the server and '1' on the clients.
 ;tls-auth ta.key 0 # This file is secret
-tls-auth keys/ta.key 0
+tls-auth ${OPENVPN_BASE_DIR}/keys/ta.key 0
 # Select a cryptographic cipher.
 # This config item must be copied to
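Review bot: In the new KEY_SIZE block the `2>&1` sits on a line of its own instead of at the end of the perl command, so bash executes it as an empty command that always succeeds; the `if [[ $? -ne 0 ]]` that follows therefore tests that no-op rather than perl, a failed substitution never sets `_failed` (presumably leaving whatever key size the easy-rsa vars file carries by default), and perl's stderr goes to the terminal instead of the log. Join the redirection to the command exactly as the CA_EXPIRE line below does: `perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" "${EASY_RSA_DIR}/vars" > "$log_file" 2>&1`. Quoting `"${EASY_RSA_DIR}/vars"` is also advisable now that the directory is configurable. The `if` block at the end of the hunk continues outside it.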
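Review bot: `openvpn --genkey --secret ${OPENVPN_BASE_DIR}/keys/ta.key` regenerates the tls-auth key unconditionally, so re-running the installer replaces a key that already-deployed clients hold and their handshakes will be rejected until the new key is redistributed; consider skipping the step when the file already exists, e.g. `if [[ -s "${OPENVPN_BASE_DIR}/keys/ta.key" ]]; then echo_skipped; else openvpn --genkey --secret "${OPENVPN_BASE_DIR}/keys/ta.key" > "$log_file" 2>&1; fi`, with the status check below adjusted to match. The path should be quoted either way. The `if`/`else` following the command ends outside the hunk.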
@@ -936,8 +943,8 @@ verb 4
 # category will be output to the log.
 ;mute 20
-#crl-verify /etc/openvpn/keys/crl.pem
-crl-verify /etc/openvpn/crl.pem
+# CRL (certificate revocation list) verification
+crl-verify ${OPENVPN_BASE_DIR}/crl.pem
 EOF
 if [[ $? -eq 0 ]] ; then