install/openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Configuration file 'install_openvpn.conf.sample[H' for installation script.

Browse Source
This commit is contained in:
Christoph 2017-07-22 03:47:05 +02:00
parent 8da0813954
commit 2a3381a45d
2 changed files with 65 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
conf/install_openvpn.conf.sample Normal file
View File

@ -0,0 +1,48 @@
## - Configuration/Initialization OpenVPN
## -
# ====================
# - Some Parameter Settings for using this installation howto
# ====================
# ---
# - Parameters OpenVPN Configuration / KEY Creation
# ---
OPENVPN_BASE_DIR=/etc/openvpn
EASY_RSA_DIR=${OPENVPN_BASE_DIR}/easy-rsa
# - (3*365+366)*8 = 11688 = 32 Jahre
CA_EXPIRE=11688
# - (3*365+366)*5 = 7305 = 20 Jahre
KEY_EXPIRE=7305
KEY_COUNTRY="DE"
KEY_PROVINCE="Berlin"
KEY_CITY="Berlin"
KEY_ORG="O.OPEN"
KEY_EMAIL="ckubu-adm\@oopen.de"
KEY_OU="Network Services"
KEY_NAME="VPN B3"
KEY_CN="VPN-B3"
KEY_ALTNAMES="VPN B3"
# ---
# - Parameters for Server Configurations ( server-home.conf / server-gw-ckubu.conf)
# ---
SERVER_PORT_HOME=1194
OPENVPN_NETWORK_HOME="10.0.42.0"
CCD_HOME="/etc/openvpn/ccd/server-home"
SERVER_PORT_GW_CKUBU=1195
OPENVPN_NETWORK_GW_CKUBU="10.1.42.0"
IPV4_OPENVPN_GW_CKUBU="10.1.42.1"
CCD_GW_CKUBU="/etc/openvpn/ccd/server-gw-ckubu"
MAIN_NETWORK=192.168.42.0
DNS_SERVER=192.168.42.1
DOMAIN=b3-bornim.netz

27
install_openvpn.sh
View File

@ -198,7 +198,7 @@ fi
# - Make the package included scripts available in directory # - Make the package included scripts available in directory
# - "/etc/openvpn/easy-rsa" # - "/etc/openvpn/easy-rsa"
# - # -
echononl " Backup directory '/etc/openvpn/easy-rsa'.." echononl " Backup directory '${EASY_RSA_DIR}'.."
if [[ -d "$EASY_RSA_DIR" ]]; then if [[ -d "$EASY_RSA_DIR" ]]; then
mv $EASY_RSA_DIR ${EASY_RSA_DIR}.$_date > "$log_file" 2>&1 mv $EASY_RSA_DIR ${EASY_RSA_DIR}.$_date > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
@ -210,7 +210,7 @@ if [[ -d "$EASY_RSA_DIR" ]]; then
else else
echo_skipped echo_skipped
fi fi
echononl " Create directory '/etc/openvpn/easy-rsa'.." echononl " Create directory '${EASY_RSA_DIR}'.."
/usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1 /usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
@ -351,6 +351,8 @@ fi
# - export EASY_RSA=\$BASE_DIR/easy_rsa # - export EASY_RSA=\$BASE_DIR/easy_rsa
# - export KEY_DIR=\$BASE_DIR/keys # - export KEY_DIR=\$BASE_DIR/keys
# - # -
# - export KEY_SIZE=$KEY_SIZE
# -
# - # root CA expires in 30 years (= 10950 days) # - # root CA expires in 30 years (= 10950 days)
# - export CA_EXPIRE=$CA_EXPIRE # - export CA_EXPIRE=$CA_EXPIRE
# - # -
@ -381,6 +383,11 @@ if [[ $? -ne 0 ]]; then
_failed=true _failed=true
fi fi
perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" ${EASY_RSA_DIR}/vars > "$log_file"
2>&1
if [[ $? -ne 0 ]]; then
_failed=true
fi
perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file"
2>&1 2>&1
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
@ -550,7 +557,7 @@ echo ""
# - to help block DoS attacks and UDP port flooding. # - to help block DoS attacks and UDP port flooding.
# - # -
echononl " Create 'ta.key' for additional security" echononl " Create 'ta.key' for additional security"
openvpn --genkey --secret $OPENVPN_BASE_DIR/keys/ta.key > "$log_file" 2>&1 openvpn --genkey --secret ${OPENVPN_BASE_DIR}/keys/ta.key > "$log_file" 2>&1
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then
echo_ok echo_ok
else else
@ -707,16 +714,16 @@ dev tun
# Any X509 key management system can be used. # Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file # OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page). # (see "pkcs12" directive in man page).
ca keys/ca.crt ca ${OPENVPN_BASE_DIR}/keys/ca.crt
cert keys/server.crt cert ${OPENVPN_BASE_DIR}/keys/server.crt
key keys/server.key # This file should be kept secret key ${OPENVPN_BASE_DIR}/keys/server.key # This file should be kept secret
# Diffie hellman parameters. # Diffie hellman parameters.
# Generate your own with: # Generate your own with:
# openssl dhparam -out dh1024.pem 1024 # openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using # Substitute 2048 for 1024 if you are using
# 2048 bit keys. # 2048 bit keys.
dh keys/dh2048.pem dh ${OPENVPN_BASE_DIR}/keys/dh2048.pem
# Configure server mode and supply a VPN subnet # Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from. # for OpenVPN to draw client addresses from.
@ -872,7 +879,7 @@ keepalive 10 120
# The second parameter should be '0' # The second parameter should be '0'
# on the server and '1' on the clients. # on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret ;tls-auth ta.key 0 # This file is secret
tls-auth keys/ta.key 0 tls-auth ${OPENVPN_BASE_DIR}/keys/ta.key 0
# Select a cryptographic cipher. # Select a cryptographic cipher.
# This config item must be copied to # This config item must be copied to
@ -936,8 +943,8 @@ verb 4
# category will be output to the log. # category will be output to the log.
;mute 20 ;mute 20
#crl-verify /etc/openvpn/keys/crl.pem # CRL (certificate revocation list) verification
crl-verify /etc/openvpn/crl.pem crl-verify ${OPENVPN_BASE_DIR}/crl.pem
EOF EOF
if [[ $? -eq 0 ]] ; then if [[ $? -eq 0 ]] ; then