From 5b845760e3d08923125c878d3f3d818be4fa749c Mon Sep 17 00:00:00 2001
From: abn0mad <65207005+abn0mad@users.noreply.github.com>
Date: Tue, 7 Mar 2023 11:14:10 +0800
Subject: [PATCH] Added optional passphrase for client certificates
---
 openvpn-install.sh | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 637fe3c..6f2b123 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -4,7 +4,6 @@
 #
 # Copyright (c) 2013 Nyr. Released under the MIT License.
-
 # Detect Debian users running the script with "sh" instead of bash
 if readlink /proc/$$/exe | grep -q "dash"; then
 echo 'This installer needs to be run with "bash", not "sh".'
@@ -245,7 +244,14 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
 ./easyrsa --batch init-pki
 ./easyrsa --batch build-ca nopass
 ./easyrsa --batch --days=3650 build-server-full server nopass
- ./easyrsa --batch --days=3650 build-client-full "$client" nopass
+ echo ""
+ read -e -p "Require password for client certificate [Y/N]: " -i "N" PASSW
+ if [[ "$PASSW" != [yY] ]]; then
+ ./easyrsa --batch --days=3650 build-client-full "$client" nopass
+ else
+ ./easyrsa --batch --days=3650 build-client-full "$client"
+ fi
+ echo ""
 ./easyrsa --batch --days=3650 gen-crl
 # Move the stuff we need
 cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
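Review bot: In the hunk at -245 the answer check `[[ "$PASSW" != [yY] ]]` fails open: any reply other than a single `y` or `Y`, including `yes` or a typo, silently builds the client key with `nopass`. An operator who meant to protect the key ends up with an unencrypted one and no message saying so. Re-prompt until the reply is valid, for example `until [[ "$PASSW" =~ ^[yYnN]$ ]]; do read -r -e -p "Require password for client certificate [Y/N]: " -i "N" PASSW; done`, and then test for `[yY]` positively. The same block is repeated in the hunk at -461, and the enclosing install branch starts and ends outside both hunks.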
@@ -461,7 +467,14 @@ else
 client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
 done
 cd /etc/openvpn/server/easy-rsa/
- ./easyrsa --batch --days=3650 build-client-full "$client" nopass
+ echo ""
+ read -e -p "Require password for client certificate [Y/N]: " -i "N" PASSW
+ if [[ "$PASSW" != [yY] ]]; then
+ ./easyrsa --batch --days=3650 build-client-full "$client" nopass
+ else
+ ./easyrsa --batch --days=3650 build-client-full "$client"
+ fi
+ echo ""
 # Generates the custom client.ovpn
 new_client
 echo
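Review bot: The exit status of the passphrase build in the hunk at -461 is never checked, so `new_client` runs right after it even when no key was produced. Without `nopass` the build depends on interactive passphrase entry, which presumably can fail (mismatched confirmation, aborted prompt, no terminal), a path the old non-interactive call did not have. The eight added lines are also a verbatim copy of the block in the hunk at -245, so a single helper would keep the prompt and the failure handling in one place. The enclosing `else` branch starts outside the hunk.

```shell
# Builds the client certificate for "$1"; asks whether its private key
# should be protected by a passphrase. Returns easyrsa's exit status.
build_client_cert () {
	local answer=""
	echo ""
	until [[ "$answer" =~ ^[yYnN]$ ]]; do
		read -r -e -p "Require password for client certificate [Y/N]: " -i "N" answer
	done
	if [[ "$answer" == [yY] ]]; then
		./easyrsa --batch --days=3650 build-client-full "$1"
	else
		./easyrsa --batch --days=3650 build-client-full "$1" nopass
	fi
}

	cd /etc/openvpn/server/easy-rsa/
	# Stop before new_client if no certificate/key pair was created.
	build_client_cert "$client" || exit 1
	echo ""
	# … unchanged: new_client call and the closing messages …
```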