diff --git a/.gitignore b/.gitignore index b34ecd4..0b68825 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ /BAK/* *.log *.swp +dh*.pem conf/*.conf conf/*.conf diff --git a/install_openvpn.sh b/install_openvpn.sh index 2ff4335..669f749 100755 --- a/install_openvpn.sh +++ b/install_openvpn.sh @@ -27,6 +27,7 @@ clean_up() { # Perform program exit housekeeping rm $log_file + blank_line exit $1 } @@ -37,6 +38,14 @@ trim() { echo -n "$var" } + +blank_line() { + if $terminal ; then + echo "" + fi +} + + # - Test of valid IPv4 Address # - # - Returns 0 if valid, > 0 otherwise @@ -135,6 +144,36 @@ echo_skipped() { echo -e "\033[80G[ \033[37mskipped\033[m ]" } +detect_os_1 () { + + if $(which lsb_release > /dev/null 2>&1) ; then + + os_dist="$(lsb_release -i | awk '{print tolower($3)}')" + os_version="$(lsb_release -r | awk '{print tolower($2)}')" + os_codename="$(lsb_release -c | awk '{print tolower($2)}')" + + if [[ "$os_dist" = "debian" ]]; then + if $(echo "$os_version" | grep -q '\.') ; then + os_version=$(echo "$os_version" | cut --delimiter='.' -f1) + fi + fi + + elif [[ -e "/etc/os-release" ]]; then + + . /etc/os-release + + os_dist=$ID + os_version=${os_version_ID} + + fi + + # remove whitespace from os_dist and os_version + os_dist="${os_dist// /}" + os_version="${os_version// /}" + +} + + trap clean_up SIGHUP SIGINT SIGTERM #--------------------------------------- @@ -157,6 +196,13 @@ else fi fi +# - Set variable +# - os_dist +# - os_version +# - os_codename +# - +detect_os_1 + clear echo -e "\n\t\033[32mStart script for installation of OpenVPN on this Server..\033[m" @@ -170,7 +216,7 @@ echo -e "\n\t\033[32mStart script for installation of OpenVPN on this Server..\0 DEFAULT_SERVER_PORT=1194 DEFAULT_CA_EXPIRE=11688 -DEFAULT_KEY_EXPIRE=7305 +DEFAULT_CERT_EXPIRE=7305 DEFAULT_KEY_SIZE=4096 
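Review bot: In the new detect_os_1 the /etc/os-release fallback assigns `os_version=${os_version_ID}`, a name that nothing defines, so on any host without lsb_release os_version stays empty, the later `[[ $os_version -gt 9 ]]` tests evaluate the empty string as 0, and a Debian 10+ machine is silently configured with the legacy easy-rsa 2 layout. The field os-release actually exports is VERSION_ID; trimming it to the major number the way the lsb_release branch does gives `os_version="${VERSION_ID%%.*}"`. The `if $(which lsb_release > /dev/null 2>&1)` test only works because an empty command substitution leaves the substitution's exit status behind; `if command -v lsb_release >/dev/null 2>&1; then` states the intent. Sourcing /etc/os-release also pulls every variable it defines (ID, NAME, PRETTY_NAME, ...) into the script's namespace, which deserves a one-line comment since only ID and VERSION_ID are wanted.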
@@ -184,6 +230,12 @@ DEFAULT_KEY_OU="Network Services" #DEFAULT_SERVER_CIPHER="BF-CBC" DEFAULT_SERVER_CIPHER="AES-256-CBC" +#if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then +# EASYRSA_CALLER=1 +#else +# EASYRSA_CALLER="" +#fi + #--------------------------------------- #----------------------------- @@ -210,6 +262,7 @@ else fi [[ -z "$DEFAULT_SERVER_CIPHER" ]] && DEFAULT_SERVER_CIPHER='None' + echo "" echo "" echo -e "\033[32m==========\033[m" @@ -298,7 +351,7 @@ while [ "X$OPENVPN_NAME" = "X" ] ; do read OPENVPN_NAME done -DEFAULT_OPENVPN_BASE_DIR="/etc/openvpn/${OPENVPN_NAME}" +DEFAULT_OPENVPN_BASE_DIR="/etc/openvpn/server/${OPENVPN_NAME}" echo "" @@ -326,7 +379,13 @@ while [[ "X${OPENVPN_BASE_DIR}" = "X" ]]; do done EASY_RSA_DIR="${OPENVPN_BASE_DIR}/easy-rsa" -OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd/server-${OPENVPN_NAME}" +if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then + OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/pki" + OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd" +else + OPENVPN_KEY_DIR="${OPENVPN_BASE_DIR}/keys" + OPENVPN_CCD_DIR="${OPENVPN_BASE_DIR}/ccd/server-${OPENVPN_NAME}" +fi echo "" echo -e "\033[32m--\033[m" @@ -356,13 +415,13 @@ echo "" echo " Example: (3*365+366)*5 = 7305 = 20 Jahre" echo " expiration time: 7305" echo "" -KEY_EXPIRE="" +CERT_EXPIRE="" -echononl "Expiration time certificates [${DEFAULT_KEY_EXPIRE}]: " -while [[ "X${KEY_EXPIRE}" = "X" ]]; do - read KEY_EXPIRE - if [[ "X$KEY_EXPIRE" = "X" ]]; then - KEY_EXPIRE="$DEFAULT_KEY_EXPIRE" +echononl "Expiration time certificates [${DEFAULT_CERT_EXPIRE}]: " +while [[ "X${CERT_EXPIRE}" = "X" ]]; do + read CERT_EXPIRE + if [[ "X$CERT_EXPIRE" = "X" ]]; then + CERT_EXPIRE="$DEFAULT_CERT_EXPIRE" fi done 
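Review bot: The renamed CERT_EXPIRE prompt accepts whatever is typed (`read CERT_EXPIRE`, no `-r`), and that value is later interpolated unescaped into perl substitutions and into the easy-rsa vars file, so a stray character breaks the PKI setup rather than being rejected here. Validating inside the loop keeps the prompt interface unchanged: after the default is applied add `[[ "$CERT_EXPIRE" =~ ^[1-9][0-9]*$ ]] || { echo "Expiration must be a positive number of days"; CERT_EXPIRE=""; }`. The same check is worth applying to CA_EXPIRE, whose prompt is outside this hunk. The new `[[ $os_version -gt 9 ]]` branch selecting pki/ vs keys/ also relies on os_version being a bare integer; a value such as "10.2" makes `[[` raise an arithmetic error, so the comment above the branch should say detect_os_1 is expected to have reduced it to the major version.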
@@ -689,7 +748,7 @@ echo -e "\tOpenVPN 'easy-rsa' Directory........: $EASY_RSA_DIR" echo -e "\tOpenVPN 'ccd' Directory.............: $OPENVPN_CCD_DIR" echo "" echo -e "\tExpiration time ROOT CA.............: $CA_EXPIRE" -echo -e "\tExpiration time certificates........: $KEY_EXPIRE" +echo -e "\tExpiration time certificates........: $CERT_EXPIRE" echo -e "\tKey size............................: $KEY_SIZE" echo "" echo -e "\tKEY_COUNTRY.........................: $KEY_COUNTRY" @@ -799,9 +858,9 @@ OPENVPN_BASE_DIR="$OPENVPN_BASE_DIR" CA_EXPIRE=$CA_EXPIRE # - Example: (3*365+366)*5 = 7305 = 20 Jahre -# - KEY_EXPIRE=7305 +# - CERT_EXPIRE=7305 # - -KEY_EXPIRE=$KEY_EXPIRE +CERT_EXPIRE=$CERT_EXPIRE KEY_SIZE=$KEY_SIZE @@ -999,21 +1058,22 @@ else echo_skipped fi +echononl " Backup directory '${OPENVPN_BASE_DIR}'.." +if [[ -d "$OPENVPN_BASE_DIR" ]]; then + mv $OPENVPN_BASE_DIR ${OPENVPN_BASE_DIR}.$_date > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi + # - Make the package included scripts available in directory # - "/etc/openvpn/easy-rsa" # - -echononl " Backup directory '${EASY_RSA_DIR}'.." -if [[ -d "$EASY_RSA_DIR" ]]; then - mv $EASY_RSA_DIR ${EASY_RSA_DIR}.$_date > "$log_file" 2>&1 - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi -else - echo_skipped -fi echononl " Create directory '${EASY_RSA_DIR}'.." /usr/bin/make-cadir $EASY_RSA_DIR > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then 
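Review bot: The new whole-directory backup runs `mv $OPENVPN_BASE_DIR ${OPENVPN_BASE_DIR}.$_date` with both operands unquoted, and OPENVPN_BASE_DIR comes from an interactive `read` earlier in the script, so a path containing whitespace splits into extra arguments; write it as `mv -- "$OPENVPN_BASE_DIR" "${OPENVPN_BASE_DIR}.${_date}"`. Because this now moves the entire base directory rather than just easy-rsa, the backup presumably carries the previous install's CA and server private keys (pki/private or keys/, depending on the layout) to a path nothing references afterwards; a short comment stating that, plus `chmod 700 -- "${OPENVPN_BASE_DIR}.${_date}"` after a successful move, keeps that key material at least as restricted as it was. The `echo_skipped` branch could also spell out that a missing directory is the normal first-install case.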
@@ -1023,37 +1083,6 @@ else error "$(cat $log_file)" fi -# - Create key directory -# - -echononl " Backup key directory '${OPENVPN_BASE_DIR}/keys'.." -if [[ -d "${OPENVPN_BASE_DIR}/keys" ]]; then - mv ${OPENVPN_BASE_DIR}/keys ${OPENVPN_BASE_DIR}/keys.$_date > "$log_file" 2>&1 - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi -else - echo_skipped -fi -echononl " Create key directory '${OPENVPN_BASE_DIR}/keys'.." -mkdir ${OPENVPN_BASE_DIR}/keys > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi -echononl " Change permissions (700) in directory '${OPENVPN_BASE_DIR}/keys'.." -chmod 700 "${OPENVPN_BASE_DIR}/keys" > "$log_file" 2>&1 -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - # - Create Log Directory # - openvpn_log_dir="/var/log/openvpn" @@ -1070,29 +1099,13 @@ else fi fi - -# - Backup existing 'ccd' directory +# - Create client configuration directory # - -echononl " Backup directory '${OPENVPN_BASE_DIR}/ccd'.." -if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]] ; then - mv "${OPENVPN_BASE_DIR}/ccd" "${OPENVPN_BASE_DIR}/ccd.${_date}" > "$log_file" 2>&1 - if [[ $? -eq 0 ]] ; then - echo_ok - else - echo_failed - error "$(cat $log_file)" - fi -else - echo_skipped -fi - -# - Create Directory 'ccd' -# - -echononl " Create log directoy '${OPENVPN_BASE_DIR}/ccd'" -if [[ -d "${OPENVPN_BASE_DIR}/ccd" ]] ; then +echononl " Create Client configuration directory '$OPENVPN_CCD_DIR'" +if [[ -d "${OPENVPN_CCD_DIR}" ]] ; then echo_skipped else - mkdir "${OPENVPN_BASE_DIR}/ccd" > "$log_file" 2>&1 + mkdir "${OPENVPN_CCD_DIR}" > "$log_file" 2>&1 if [[ $? -eq 0 ]] ; then echo_ok else 
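Review bot: Deleting the "Create key directory" block removes the only place the legacy layout's `${OPENVPN_BASE_DIR}/keys` was created and set to mode 700, and nothing in the Debian &lt;= 9 path of this diff creates `$OPENVPN_KEY_DIR` in its place; later hunks write serial and index.txt into it and run build-ca, which as far as I can see would fail on a fresh host, and even if the directory exists from elsewhere it no longer gets the 700 hardening. A guarded replacement in the legacy branch is enough: `if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then mkdir -p -- "$OPENVPN_KEY_DIR" && chmod 700 -- "$OPENVPN_KEY_DIR"; fi` (easy-rsa 3's init-pki handles the pki/ case itself). The ccd hunk has the same shape of regression: the parent `ccd` directory is no longer created, yet on the legacy path OPENVPN_CCD_DIR is `ccd/server-NAME`, so `mkdir "${OPENVPN_CCD_DIR}"` needs `-p` to succeed.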
@@ -1148,12 +1161,13 @@ fi # - Adjust /etc/openvpn/easy-rsa/vars # - +# - Debian Version <= 9 # - add: # - export BASE_DIR=$OPENVPN_BASE_DIR # - # - replace: # - export EASY_RSA=\$BASE_DIR/easy_rsa -# - export KEY_DIR=\$BASE_DIR/keys +# - export KEY_DIR=\$OPENVPN_KEY_DIR # - # - export KEY_SIZE=$KEY_SIZE # - @@ -1161,7 +1175,7 @@ fi # - export CA_EXPIRE=$CA_EXPIRE # - # - # certificates expires in 20 years (=7300 days) -# - export KEY_EXPIRE=$KEY_EXPIRE +# - export CERT_EXPIRE=$CERT_EXPIRE # - # - export KEY_COUNTRY="$KEY_COUNTRY" # - export KEY_PROVINCE="$KEY_PROVINCE" 
@@ -1174,75 +1188,240 @@ fi # - # - #export KEY_CN="$KEY_CN" # - +# - Debiab Version >= 10 +# - set_var EASYRSA "${0%/*}" +# - set_var EASYRSA_OPENSSL "openssl" +# - set_var EASYRSA_PKI "$OPENVPN_KEY_DIR" +# - set_var EASYRSA_ALGO rsa +# - set_var EASYRSA_DN "org" + +# - set_var EASYRSA_REQ_COUNTRY "$KEY_COUNTRY" +# - set_var EASYRSA_REQ_PROVINCE "$KEY_PROVINCE" +# - set_var EASYRSA_REQ_CITY "$KEY_CITY" +# - set_var EASYRSA_REQ_ORG "$KEY_ORG" +# - set_var EASYRSA_REQ_EMAIL "$KEY_EMAIL" +# - set_var EASYRSA_REQ_OU "$KEY_OU" +# - +# - set:var EASYRSA_REQ_CN "$KEY_CN" +# - +# - set_var EASYRSA_CA_EXPIRE "$CA_EXPIRE" +# - set_var EASYRSA_CERT_EXPIRE "$CERT_EXPIRE" +# - +# - set_var EASYRSA_CRL_DAYS "$CERT_EXPIRE" +# - set_var EASYRSA_CERT_RENEW "365" +# - _failed=false echononl " Adjust '${EASY_RSA_DIR}/vars'.." -perl -i.$_date -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"\\\$BASE_DIR/keys\"&" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi +if [[ "$os_dist" = "debian" ]] && [[ $os_version -gt 9 ]] ; then + + #perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"\\\${0%/*}\"&" ${EASY_RSA_DIR}/vars > "$log_file" + + perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA\s+.*)&##\1\nset_var EASYRSA\t \"${OPENVPN_BASE_DIR}/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_OPENSSL" + _val="openssl" + perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + + if [[ $? 
-ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_PKI" + _val="${OPENVPN_KEY_DIR}" + perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + # EASYRSA_KEY_SIZE + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + # EASYRSA_ALGO + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_ALGO\s+.*)&##\1\nset_var EASYRSA_ALGO\t\t rsa&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + # EASYRSA_KEY_SIZE + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_KEY_SIZE\s+.*)&##\1\nset_var EASYRSA_KEY_SIZE\t\t ${KEY_SIZE}&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_DN" + _val=""org + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+EASYRSA_DN\s+.*)&##\1\nset_var EASYRSA_DN\t\t \"org\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_COUNTRY" + _val="$KEY_COUNTRY" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_PROVINCE" + _val="$KEY_PROVINCE" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_CITY" + _val="$KEY_CITY" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? 
-ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_ORG" + _val="$KEY_ORG" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_EMAIL" + _val="$KEY_EMAIL" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_OU" + _val="$KEY_OU" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_CN" + _val="$KEY_CN" + perl -i.$_date -n -p -e "s&^(\s*#*\s*#set_var\s+${_key}\s+.*)&##\1\nset_var ${_key}\t \"${_val}\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_CA_EXPIRE" + _val="$CA_EXPIRE" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_CERT_EXPIRE" + _val="$CERT_EXPIRE" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_CRL_DAYS" + _val="$CERT_EXPIRE" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_CERT_RENEW" + _val="365" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? 
-ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_REQ_CN" + _val="$KEY_CN" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + _key="EASYRSA_BATCH" + _val="1" + perl -i -n -p -e "s&^(\s*#*\s*#set_var\s+$_key\s+.*)&##\1\nset_var $_key\t\t \"$_val\"&" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + +else + perl -i.$_date -n -p -e "s&^(\s*#*\s*export\s+EASY_RSA=.*)&##\1\nexport BASE_DIR=\"${OPENVPN_BASE_DIR}\"\nexport EASY_RSA=\"\\\$BASE_DIR/easy-rsa\"&" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s&^(\s*#*\s*export\s+KEY_DIR=.*)&##\1\nexport KEY_DIR=\"${OPENVPN_KEY_DIR}\"&" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EXPIRE=.*)/##\1\nexport KEY_EXPIRE=$KEY_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_SIZE=.*)/##\1\nexport KEY_SIZE=$KEY_SIZE/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+CA_EXPIRE=.*)/##\1\nexport CA_EXPIRE=$CA_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+CERT_EXPIRE=.*)/##\1\nexport CERT_EXPIRE=$CERT_EXPIRE/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? 
-ne 0 ]]; then + _failed=true + fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${EMAIL_PREFIX}\@${EMAIL_DOMAIN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars > "$log_file" -2>&1 -if [[ $? -ne 0 ]]; then - _failed=true -fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_COUNTRY=.*)/##\1\nexport KEY_COUNTRY=\"${KEY_COUNTRY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_PROVINCE=.*)/##\1\nexport KEY_PROVINCE=\"${KEY_PROVINCE}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CITY=.*)/##\1\nexport KEY_CITY=\"${KEY_CITY}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? 
-ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_ORG=.*)/##\1\nexport KEY_ORG=\"${KEY_ORG}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_EMAIL=.*)/##\1\nexport KEY_EMAIL=\"${EMAIL_PREFIX}\@${EMAIL_DOMAIN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_OU=.*)/##\1\nexport KEY_OU=\"${KEY_OU}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_NAME=.*)/##\1\nexport KEY_NAME=\"${KEY_NAME}\"/" ${EASY_RSA_DIR}/vars > "$log_file" + 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi -perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 -if [[ $? -ne 0 ]]; then - _failed=true + perl -i -n -p -e "s/^(\s*#*\s*export\s+KEY_CN=.*)/#\1\nexport KEY_CN=\"${KEY_CN}\"/" ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi fi echo -e "\nexport KEY_ALTNAMES=\"$KEY_ALTNAMES\"" >> ${EASY_RSA_DIR}/vars 2> "$log_file" 
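Review bot: Every new `set_var` substitution expands the user-supplied DN fields (`_val="$KEY_ORG"`, `$KEY_EMAIL`, `$KEY_CN`, ...) inside a double-quoted shell string that becomes perl's `s&...&...&` replacement, so an `&` in a value ends the substitution, a `$` or `@` is interpolated by perl, and a backslash is re-parsed — a company name like "Smith & Sons" corrupts the vars file rather than being written verbatim. Passing the values through the environment keeps them out of perl's parser: `_key="$_key" _val="$_val" perl -i -n -p -e 's&^(\s*#*\s*#set_var\s+$ENV{_key}\s+.*)&##$1\nset_var $ENV{_key}\t\t "$ENV{_val}"&' "${EASY_RSA_DIR}/vars" > "$log_file" 2>&1` (single quotes, `$1` instead of `\1`). The EASYRSA_KEY_SIZE and EASYRSA_REQ_CN blocks each appear twice and, since the `##`-prefixed line still matches `^\s*#*\s*#set_var`, the second pass inserts a second set_var line; `_val=""org` in the EASYRSA_DN block is a typo that happens to be harmless because the literal "org" is used. Setting `EASYRSA_CRL_DAYS` to the full certificate lifetime means a CRL that is never regenerated stays valid for 20 years, so a shorter value with a comment explaining the trade-off (an expired CRL makes OpenVPN refuse all clients) is worth considering.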
@@ -1257,6 +1436,778 @@ else echo_ok fi +#--------------------------------------- +#----------------------------- +# Initial Setup OpenVPN (Root ca / Server key /..) +#----------------------------- +#--------------------------------------- + +echo "" + +# - source file vars +# - +# - Note: +# - since debian buster, sourcing an Easy-RSA 'vars' file is no longer +# - necessary and is disallowed. The vars file is automatically read when +# - you call easyrsa commands. +# - +if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then + echononl " Load configuration '${EASY_RSA_DIR}/vars'.." + source ${EASY_RSA_DIR}/vars > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + if [[ ! -f "$KEY_CONFIG" ]] ; then + echononl " Create Symlink '$(basename $KEY_CONFIG)'.." + if [[ -f "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" ]]; then + ln -s "$(dirname $KEY_CONFIG)/openssl-1.0.0.cnf" "$KEY_CONFIG" + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + error "Cannot create symlink '$KEY_CONFIG'!" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi + else + echo_failed + error "No OpenSSL configuration file present!" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" + fi + fi + + _failed=false + OPENSSL_CONFIG_FILE="$(realpath "$KEY_CONFIG")" + echononl " Adjust '$OPENSSL_CONFIG_FILE'.." + perl -i.ORIG -n -p -e "s/^(\s*default_days\s*=.*)/#\1\ndefault_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 + if [[ $? 
-ne 0 ]]; then + _failed=true + fi + perl -i -n -p -e "s/^(\s*default_crl_days\s*=.*)/#\1\ndefault_crl_days = $CA_EXPIRE/" $OPENSSL_CONFIG_FILE > "$log_file" 2>&1 + if [[ $? -ne 0 ]]; then + _failed=true + fi + + if $_failed ; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi + +fi + + + +# --- +# - Create Keys and Certs +# --- +echo "" +echo -e "\033[32m--\033[m" +echo "Create Keys and Certs .." +echo -e "\033[32m--\033[m" + +# - Initialise key directory +# - +if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then + + # - Create file 'serial' with value '01' - the serial for the next + # - created certificate + # - + echononl " Create '${OPENVPN_KEY_DIR}/serial'.." + echo "01" > "${OPENVPN_KEY_DIR}/serial" 2> "$log_file" + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + # - Create empty file index.txt at key-directory + # - + echononl " Create empty file '${OPENVPN_KEY_DIR}/index.txt'.." + touch ${OPENVPN_KEY_DIR}/index.txt + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + +else + + # - Removes & re-initializes the PKI dir for a clean PKI + # - + echononl " Initialise PKI Directory" + ${EASY_RSA_DIR}/easyrsa init-pki > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + +fi + + +# - Create Root CA +# - +echononl " Create Root CA.." +if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then + printf "\n\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/build-ca > "$log_file" 2>&1 +else + printf "\n\n\n\n\n\n\n" | ${EASY_RSA_DIR}/easyrsa build-ca nopass > "$log_file" 2>&1 +fi +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + + +# - Generate Diffie-Hellman parameters for the server side +# - of an SSL/TLS connection. +# - +echononl " Generates DH (Diffie-Hellman) parameters (dh key).." 
+if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then + if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then + cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_BASE_DIR}/dh${KEY_SIZE}.pem" > "$log_file" 2>&1 + else + ${EASY_RSA_DIR}/build-dh > "$log_file" 2>&1 + fi +else + if [[ -f "${script_dir}/dh${KEY_SIZE}.pem" ]]; then + cp "${script_dir}/dh${KEY_SIZE}.pem" "${OPENVPN_KEY_DIR}/dh.pem" > "$log_file" 2>&1 + else + ${EASY_RSA_DIR}/easyrsa gen-dh > "$log_file" 2>&1 + fi +fi +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + + +# - Generate Sever Key +# - +if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then + + echo "" + echo -e " \033[32mNow create the server key. Tis procedure works interactive.\033[m" + echo -e " Use \033[37m\033[1m${KEY_CN}-server\033[m as 'commonName'" + echo "" + echononl "Type to continue: " + read ok + echo "" + + ${EASY_RSA_DIR}/build-key-server server + if [[ $? -eq 0 ]] ; then + info "Building server key was successfully." + else + error "Building server key failed!" + fi + + echo "" + echononl "Type to continue: " + read ok + echo "" + +else + + # - Generate server keypair + # - + # - build-server-full [ cmd-opts ] + # - Generate a keypair and sign locally for a client and/or server + # - + # - This mode uses the as the X509 CN. + # - + # - cmd-opts is an optional set of command options from this list: + # - nopass - do not encrypt the private key (default is encrypted) + # - + echononl " Generate server keypair '${KEY_CN}-server'.." + ${EASY_RSA_DIR}/easyrsa build-server-full "server" nopass > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + +fi + + +# - For extra security beyond that provided +# - by SSL/TLS, create an "HMAC firewall" +# - to help block DoS attacks and UDP port flooding. 
+# - +echononl " Create 'ta.key' for additional security" +openvpn --genkey --secret ${OPENVPN_KEY_DIR}/ta.key > "$log_file" 2>&1 +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + error "$(cat $log_file)" +fi + +# - Create empty CRL (Certificate Revokation List) +# - +if [[ "$os_dist" = "debian" ]] && [[ $os_version -lt 10 ]] ; then + echononl " Create CRL (Certificate Revokation List) '${OPENVPN_BASE_DIR}/crl.pem'.." + openssl ca -gencrl -out ${OPENVPN_BASE_DIR}/crl.pem -config $KEY_CONFIG > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + echononl " Create symlink for '${OPENVPN_KEY_DIR}/crl.pem'.." + ln -s ../crl.pem ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + +else + echononl " Create CRL (Certificate Revokation List) '${OPENVPN_KEY_DIR}/crl.pem'.." + ${EASY_RSA_DIR}/easyrsa gen-crl > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + + echononl " Change permissions (644) for ${OPENVPN_KEY_DIR}/crl.pem" + chmod 644 ${OPENVPN_KEY_DIR}/crl.pem > "$log_file" 2>&1 + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi + +fi + + +# ---- +# - Create server configurations +# ---- + +echo "" +echo -e "\033[32m--\033[m" +echo "Server configurations .." +echo -e "\033[32m--\033[m" + + +#--------------------------------------- +#----------------------------- +# Write Server Configuration for $OPENVPN_NAME +#----------------------------- +#--------------------------------------- +_server_conf_file="/etc/openvpn/server-${OPENVPN_NAME}.conf" + +echononl " Backup file $_server_conf_file" +if [[ -f "$_server_conf_file" ]] ; then + mv "$_server_conf_file" "${_server_conf_file}.$_date" > "$log_file" 2>&1 + if [[ $? 
-eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" + fi +else + echo_skipped +fi + +echononl " Create configuration '${_server_conf_file}" +cat < ${_server_conf_file} 2> "$log_file" +################################################# +# Sample OpenVPN 2.0 config file for # +# multi-client server. # +# # +# This file is for the server side # +# of a many-clients <-> one-server # +# OpenVPN configuration. # +# # +# OpenVPN also supports # +# single-machine <-> single-machine # +# configurations (See the Examples page # +# on the web site for more info). # +# # +# This config should work on Windows # +# or Linux/BSD systems. Remember on # +# Windows to quote pathnames and use # +# double backslashes, e.g.: # +# "C:\\\\Program Files\\\\OpenVPN\\\\config\\\\foo.key" # +# # +# Comments are preceded with '#' or ';' # +################################################# + +# Which local IP address should OpenVPN +# listen on? (optional) +;local a.b.c.d + +# Which TCP/UDP port should OpenVPN listen on? +# If you want to run multiple OpenVPN instances +# on the same machine, use a different port +# number for each one. You will need to +# open up this port on your firewall. +port $SERVER_PORT + +# TCP or UDP server? +;proto tcp +proto udp + +topology subnet +EOF + +if [[ ${#LOCAL_NETWORK_ARR[@]} -gt 0 ]]; then + for _local_network in ${LOCAL_NETWORK_ARR[@]} ; do + IFS='/' read -a _net_arr <<< "${_local_network}" + if [[ -n ${_net_arr[1]} ]]; then + _netmask=$(cidr2mask ${_net_arr[1]}) + else + _netmask="255.255.255.0" + fi + cat <> ${_server_conf_file} 2>> "$log_file" +route ${_net_arr[0]} $_netmask $OPENVPN_SERVER_IP +EOF + done +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# "dev tun" will create a routed IP tunnel, +# "dev tap" will create an ethernet tunnel. +# Use "dev tap" if you are ethernet bridging. +# If you want to control access policies +# over the VPN, you must create firewall +# rules for the the TUN/TAP interface. 
+# On non-Windows systems, you can give +# an explicit unit number, such as tun0. +# On Windows, use "dev-node" for this. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Enable TUN IPv6 module +;tun-ipv6 + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel if you +# have more than one. On XP SP2 or higher, +# you may need to selectively disable the +# Windows firewall for the TAP adapter. +# Non-Windows systems usually don't need this. +;dev-node MyTap + +# SSL/TLS root certificate (ca), certificate +# (cert), and private key (key). Each client +# and the server must have their own cert and +# key file. The server and all clients will +# use the same ca file. +# +# See the "easy-rsa" directory for a series +# of scripts for generating RSA certificates +# and private keys. Remember to use +# a unique Common Name for the server +# and each of the client certificates. +# +# Any X509 key management system can be used. +# OpenVPN can also use a PKCS #12 formatted key file +# (see "pkcs12" directive in man page). +ca ${OPENVPN_KEY_DIR}/ca.crt +EOF + +if [[ -d "${OPENVPN_KEY_DIR}/issued" ]] ; then + cat <> ${_server_conf_file} 2>> "$log_file" +cert ${OPENVPN_KEY_DIR}/issued/server.crt +key ${OPENVPN_KEY_DIR}/private/server.key # This file should be kept secret + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh1024.pem 1024 +# Substitute 2048 for 1024 if you are using +# 2048 bit keys. +dh ${OPENVPN_KEY_DIR}/dh.pem +EOF +else + cat <> ${_server_conf_file} 2>> "$log_file" +cert ${OPENVPN_BASE_DIR}/keys/server.crt +key ${OPENVPN_BASE_DIR}/keys/server.key # This file should be kept secret + +# Diffie hellman parameters. +# Generate your own with: +# openssl dhparam -out dh1024.pem 1024 +# Substitute 2048 for 1024 if you are using +# 2048 bit keys. 
+dh ${OPENVPN_KEY_DIR}/dh${KEY_SIZE}.pem +EOF +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# Configure server mode and supply a VPN subnet +# for OpenVPN to draw client addresses from. +# The server will take 10.8.0.1 for itself, +# the rest will be made available to clients. +# Each client will be able to reach the server +# on 10.8.0.1. Comment this line out if you are +# ethernet bridging. See the man page for more info. +;server 10.8.0.0 255.255.255.0 +;server-ipv6 2a01:30:1fff:fd00::/64 +server $OPENVPN_NETWORK 255.255.255.0 + +# Maintain a record of client <-> virtual IP address +# associations in this file. If OpenVPN goes down or +# is restarted, reconnecting clients can be assigned +# the same virtual IP address from the pool that was +# previously assigned. +ifconfig-pool-persist ${OPENVPN_BASE_DIR}/ipp.txt + +# Configure server mode for ethernet bridging. +# You must first use your OS's bridging capability +# to bridge the TAP interface with the ethernet +# NIC interface. Then you must manually set the +# IP/netmask on the bridge interface, here we +# assume 10.8.0.4/255.255.255.0. Finally we +# must set aside an IP range in this subnet +# (start=10.8.0.50 end=10.8.0.100) to allocate +# to connecting clients. Leave this line commented +# out unless you are ethernet bridging. +;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 + +# Push routes to the client to allow it +# to reach other private subnets behind +# the server. Remember that these +# private subnets will also need +# to know to route the OpenVPN client +# address pool (10.8.0.0/255.255.255.0) +# back to the OpenVPN server. 
+;push "route 10.8.0.0 255.255.255.0" +EOF +if [[ ${#REMOTE_NETWORK_ARR[@]} -gt 0 ]]; then + for _remote_network in ${REMOTE_NETWORK_ARR[@]} ; do + IFS='/' read -a _net_arr <<< "${_remote_network}" + if [[ -n ${_net_arr[1]} ]]; then + _netmask=$(cidr2mask ${_net_arr[1]}) + else + _netmask="255.255.255.0" + fi + cat <> ${_server_conf_file} 2>> "$log_file" +push "route ${_net_arr[0]} $_netmask" +EOF + done +fi + +cat <> ${_server_conf_file} 2>> "$log_file" + +# To assign specific IP addresses to specific +# clients or if a connecting client has a private +# subnet behind it that should also have VPN access, +# use the subdirectory "ccd" for client-specific +# configuration files (see man page for more info). +client-config-dir $OPENVPN_CCD_DIR + +# --- +# EXAMPLE: Suppose the client +# having the certificate common name "Thelonious" +# also has a small subnet behind his connecting +# machine, such as 192.168.40.128/255.255.255.248. +# First, uncomment out these lines: +;client-config-dir /etc/openvpn/ccd +;route 192.168.40.128 255.255.255.248 + +# Then create a file ccd/Thelonious with this line: +# iroute 192.168.40.128 255.255.255.248 +# This will allow Thelonious' private subnet to +# access the VPN. This example will only work +# if you are routing, not bridging, i.e. you are +# using "dev tun" and "server" directives. +# --- + +# --- +# EXAMPLE: Suppose you want to give +# Thelonious a fixed VPN IP address of 10.9.0.1. +# First uncomment out these lines: +;client-config-dir ccd +;route 10.9.0.0 255.255.255.252 + +# Then add this line to ccd/Thelonious: +# ifconfig-push 10.9.0.1 10.9.0.2 +# --- + +# --- +# Suppose that you want to enable different +# firewall access policies for different groups +# of clients. There are two methods: +# (1) Run multiple OpenVPN daemons, one for each +# group, and firewall the TUN/TAP interface +# for each group/daemon appropriately. 
+# (2) (Advanced) Create a script to dynamically
+# modify the firewall in response to access
+# from different clients. See man
+# page for more info on learn-address script.
+;learn-address ./script
+# ---
+
+# If enabled, this directive will configure
+# all clients to redirect their default
+# network gateway through the VPN, causing
+# all IP traffic such as web browsing and
+# and DNS lookups to go through the VPN
+# (The OpenVPN server machine may need to NAT
+# the TUN/TAP interface to the internet in
+# order for this to work properly).
+# CAVEAT: May break client's network config if
+# client's local DHCP server packets get routed
+# through the tunnel. Solution: make sure
+# client's local DHCP server is reachable via
+# a more specific route than the default route
+# of 0.0.0.0/0.0.0.0.
+;push "redirect-gateway"
+
+# Certain Windows-specific network settings
+# can be pushed to clients, such as DNS
+# or WINS server addresses. CAVEAT:
+# http://openvpn.net/faq.html#dhcpcaveats
+;push "dhcp-option WINS 10.8.0.1"
+EOF
+if [[ -n "$DNS_SERVER" ]]; then
+ cat <> ${_server_conf_file} 2>> "$log_file"
+push "dhcp-option DNS ${DNS_SERVER}"
+EOF
+fi
+
+if [[ ${#SEARCH_DOMAINS_ARR[@]} -gt 0 ]]; then
+ for _domain in ${SEARCH_DOMAINS_ARR[@]} ; do
+ cat <> ${_server_conf_file} 2>> "$log_file"
+push "dhcp-option DOMAIN ${_domain}"
+EOF
+ done
+fi
+
+cat <> ${_server_conf_file} 2>> "$log_file"
+
+# Uncomment this directive to allow different
+# clients to be able to "see" each other.
+# By default, clients will only see the server.
+# To force clients to only see the server, you
+# will also need to appropriately firewall the
+# server's TUN/TAP interface.
+client-to-client
+
+# Uncomment this directive if multiple clients
+# might connect with the same certificate/key
+# files or common names. This is recommended
+# only for testing purposes. For production use,
+# each client should have its own certificate/key
+# pair.
+#
+# IF YOU HAVE NOT GENERATED INDIVIDUAL
+# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
+# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
+# UNCOMMENT THIS LINE OUT.
+;duplicate-cn
+
+# The keepalive directive causes ping-like
+# messages to be sent back and forth over
+# the link so that each side knows when
+# the other side has gone down.
+# Ping every 10 seconds, assume that remote
+# peer is down if no ping received during
+# a 120 second time period.
+keepalive 10 120
+
+# For extra security beyond that provided
+# by SSL/TLS, create an "HMAC firewall"
+# to help block DoS attacks and UDP port flooding.
+#
+# Generate with:
+# openvpn --genkey --secret ta.key
+#
+# The server and each client must have
+# a copy of this key.
+# The second parameter should be '0'
+# on the server and '1' on the clients.
+;tls-auth ta.key 0 # This file is secret
+tls-auth ${OPENVPN_KEY_DIR}/ta.key 0
+
+# Select a cryptographic cipher.
+# This config item must be copied to
+# the client config file as well.
+;cipher BF-CBC # Blowfish (default)
+;cipher AES-128-CBC # AES
+;cipher DES-EDE3-CBC # Triple-DES
+EOF
+
+if [[ -n "$SERVER_CIPHER" ]]; then
+ cat <> ${_server_conf_file} 2>> "$log_file"
+cipher $SERVER_CIPHER
+EOF
+
+fi
+
+cat <> ${_server_conf_file} 2>> "$log_file"
+
+# Enable compression on the VPN link.
+# If you enable it here, you must also
+# enable it in the client config file.
+;comp-lzo
+EOF
+
+if $LZO_COMPRESSION ; then
+ cat <> ${_server_conf_file} 2>> "$log_file"
+comp-lzo
+EOF
+fi
+
+cat <> ${_server_conf_file} 2>> "$log_file"
+
+# The maximum number of concurrently connected
+# clients we want to allow.
+;max-clients 100
+
+# It's a good idea to reduce the OpenVPN
+# daemon's privileges after initialization.
+#
+# You can uncomment this out on
+# non-Windows systems.
+user nobody
+group nogroup
+
+# The persist options will try to avoid
+# accessing certain resources on restart
+# that may no longer be accessible because
+# of the privilege downgrade.
+persist-key
+persist-tun
+persist-local-ip
+persist-remote-ip
+
+# Output a short status file showing
+# current connections, truncated
+# and rewritten every minute.
+;status openvpn-status.log
+status /var/log/openvpn/status-server-${OPENVPN_NAME}.log
+
+# By default, log messages will go to the syslog (or
+# on Windows, if running as a service, they will go to
+# the "\Program Files\OpenVPN\log" directory).
+# Use log or log-append to override this default.
+# "log" will truncate the log file on OpenVPN startup,
+# while "log-append" will append to it. Use one
+# or the other (but not both).
+;log-append openvpn.log
+;log openvpn.log
+log /var/log/openvpn/server-${OPENVPN_NAME}.log
+
+# Set the appropriate level of log
+# file verbosity.
+#
+# 0 is silent, except for fatal errors
+# 4 is reasonable for general usage
+# 5 and 6 can help to debug connection problems
+# 9 is extremely verbose
+verb 1
+
+# Silence repeating messages. At most 20
+# sequential messages of the same message
+# category will be output to the log.
+;mute 20
+EOF
+
+if [[ -h "${OPENVPN_BASE_DIR}/crl.pem" ]] ; then
+ cat <> ${_server_conf_file} 2>> "$log_file"
+
+# CRL (certificate revocation list) verification
+crl-verify ${OPENVPN_BASE_DIR}/crl.pem
+EOF
+elif [[ -f "${OPENVPN_KEY_DIR}/crl.pem" ]]; then
+ cat <> ${_server_conf_file} 2>> "$log_file"
+
+# CRL (certificate revocation list) verification
+crl-verify ${OPENVPN_KEY_DIR}/crl.pem
+EOF
+fi
+if [[ $? -eq 0 ]] ; then
+ echo_ok
+else
+ echo_failed
+ error "$(cat $log_file)"
+fi
+
+echo ""
+
+
+# - Start OpenVPN Service
+# -
+echononl " Start OpenVPN Service"
+if $systemd_supported ; then
+ $systemctl start $service_name > "$log_file" 2>&1
+ if [[ $? -ne 0 ]]; then
+ echo_failed
+ error "$(cat $log_file)"
+ else
+ echo_ok
+ fi
+else
+ $init_script start > "$log_file" 2>&1
+ if [[ $?
-ne 0 ]]; then + echo_failed + error "$(cat $log_file)" + else + echo_ok + fi +fi + + +# - See if OpenVPN Service is running/has started +# +check_string_ps="$openvpn_binary" +check_string_ps_plus="--daemon" +sleep 2 +PID=$(ps -e f | grep -E "[[:digit:]]\ ${check_string_ps}" | grep "\ ${check_string_ps_plus}\ " | grep -v grep | awk '{print$2}') +if [[ "X${PID}" = "X" ]]; then + warn "\033[37m\033[1mOpenVPN Service is NOT running.\033[m\n Maybe you have to restart the machine in order to start openvpn daemon." +fi + + +echo "" +clean_up 0 + + + +clean_up 0 + #--------------------------------------- #----------------------------- @@ -1286,10 +2237,28 @@ if [[ ! -f "$KEY_CONFIG" ]] ; then else echo_failed error "$(cat $log_file)" - fatal "No OpenSSL configuration file present!" + #fatal "No OpenSSL configuration file present!" + fi + elif [[ -f "$(dirname $KEY_CONFIG)/openssl-easyrsa.cnf" ]]; then + ln -s "$(dirname $KEY_CONFIG)//openssl-easyrsa.cnf" "$KEY_CONFIG" + if [[ $? -eq 0 ]] ; then + echo_ok + else + echo_failed + error "$(cat $log_file)" fi else + echo_failed fatal "No OpenSSL configuration file present!" + + echononl "continue anyway [yes/no]: " + read OK + OK="$(echo "$OK" | tr '[:upper:]' '[:lower:]')" + while [[ "$OK" != "yes" ]] && [[ "$OK" != "no" ]] ; do + echononl "Wrong entry! - repeat [yes/nno]: " + read OK + done + [[ $OK = "yes" ]] || fatal "Abbruch durch User" fi fi 
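Review bot: The new `ln -s` in the `elif` branch of the `@@ -1286,10 +2237,28 @@` hunk does not redirect its stderr into `$log_file`, so the `error "$(cat $log_file)"` in its failure path reports whatever an earlier step last wrote to the log rather than why the symlink failed; the sibling branches write `2> "$log_file"` and this one should too, which also lets the doubled slash in the target go: `ln -s "$(dirname "$KEY_CONFIG")/openssl-easyrsa.cnf" "$KEY_CONFIG" 2> "$log_file"`. The "continue anyway" prompt is placed after `fatal "No OpenSSL configuration file present!"`; if `fatal` exits as its name suggests the prompt is unreachable, and if it returns the script knowingly proceeds to the CA build with no OpenSSL configuration, so either the `fatal` should become `error` or the prompt should go. `read OK` should be `read -r OK`, and the retry prompt has a typo in `[yes/nno]`. The enclosing `if [[ ! -f "$KEY_CONFIG" ]]` block begins before the hunk.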
@@ -1326,25 +2295,25 @@ echo "" # - Create file 'serial' with value '01' - the serial for the next # - created certificate # - -echononl " Create '${OPENVPN_BASE_DIR}/keys/serial'.." -echo "01" > "${OPENVPN_BASE_DIR}/keys/serial" 2> "$log_file" -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi - -# - Create empty file index.txt at key-directory -# - -echononl " Create empty file '${OPENVPN_BASE_DIR}/keys/index.txt'.." -touch $OPENVPN_BASE_DIR/keys/index.txt -if [[ $? -eq 0 ]] ; then - echo_ok -else - echo_failed - error "$(cat $log_file)" -fi +#echononl " Create '${OPENVPN_BASE_DIR}/keys/serial'.." +#echo "01" > "${OPENVPN_BASE_DIR}/keys/serial" 2> "$log_file" +#if [[ $? -eq 0 ]] ; then +# echo_ok +#else +# echo_failed +# error "$(cat $log_file)" +#fi +# +## - Create empty file index.txt at key-directory +## - +#echononl " Create empty file '${OPENVPN_BASE_DIR}/keys/index.txt'.." +#touch $OPENVPN_BASE_DIR/keys/index.txt +#if [[ $? -eq 0 ]] ; then +# echo_ok +#else +# echo_failed +# error "$(cat $log_file)" +#fi # - Create Root CA # -