53 lines
1.7 KiB
Bash
53 lines
1.7 KiB
Bash
#!/usr/bin/env bash
|
|
set -ex
|
|
|
|
EASY_RSA_LOC="/etc/openvpn/easyrsa"
|
|
SERVER_CERT="${EASY_RSA_LOC}/pki/issued/server.crt"
|
|
cd $EASY_RSA_LOC
|
|
if [ -e "$SERVER_CERT" ]; then
|
|
echo "Found existing certs - reusing"
|
|
else
|
|
if [ ${OPVN_ROLE:-"master"} = "slave" ]; then
|
|
echo "Waiting for initial sync data from master"
|
|
while [ $(wget -q localhost/api/sync/last/try -O - | wc -m) -lt 1 ]
|
|
do
|
|
sleep 5
|
|
done
|
|
else
|
|
echo "Generating new certs"
|
|
easyrsa init-pki
|
|
cp -R /usr/share/easy-rsa/* $EASY_RSA_LOC/pki
|
|
echo "ca" | easyrsa build-ca nopass
|
|
easyrsa build-server-full server nopass
|
|
easyrsa gen-dh
|
|
openvpn --genkey --secret ./pki/ta.key
|
|
fi
|
|
fi
|
|
easyrsa gen-crl
|
|
|
|
iptables -t nat -A POSTROUTING -s 172.16.100.0/255.255.255.0 ! -d 172.16.100.0/255.255.255.0 -j MASQUERADE
|
|
|
|
mkdir -p /dev/net
|
|
if [ ! -c /dev/net/tun ]; then
|
|
mknod /dev/net/tun c 10 200
|
|
fi
|
|
|
|
cp -f /etc/openvpn/setup/openvpn.conf /etc/openvpn/openvpn.conf
|
|
|
|
if [ ${OPVN_PASSWD_AUTH} = "true" ]; then
|
|
mkdir -p /etc/openvpn/scripts/
|
|
cp -f /etc/openvpn/setup/auth.sh /etc/openvpn/scripts/auth.sh
|
|
chmod +x /etc/openvpn/scripts/auth.sh
|
|
echo "auth-user-pass-verify /etc/openvpn/scripts/auth.sh via-file" | tee -a /etc/openvpn/openvpn.conf
|
|
echo "script-security 2" | tee -a /etc/openvpn/openvpn.conf
|
|
echo "verify-client-cert require" | tee -a /etc/openvpn/openvpn.conf
|
|
openvpn-user db-init --db.path=$EASY_RSA_LOC/pki/users.db
|
|
fi
|
|
|
|
[ -d $EASY_RSA_LOC/pki ] && chmod 755 $EASY_RSA_LOC/pki
|
|
[ -f $EASY_RSA_LOC/pki/crl.pem ] && chmod 644 $EASY_RSA_LOC/pki/crl.pem
|
|
|
|
mkdir -p /etc/openvpn/ccd
|
|
|
|
openvpn --config /etc/openvpn/openvpn.conf --client-config-dir /etc/openvpn/ccd --port 1194 --proto tcp --management 127.0.0.1 8989 --dev tun0
|
|
|