From ec813af1f21bc110b1fc2148170a5ea4e4233956 Mon Sep 17 00:00:00 2001
From: wheezy
Date: Sat, 8 Jan 2022 01:59:01 +0300
Subject: [PATCH] add switches to setup passwords
---
 openvpn-install.sh | 79 +++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 74 insertions(+), 5 deletions(-)
diff --git a/openvpn-install.sh b/openvpn-install.sh
index 7cb62ea..d064f42 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -195,12 +195,63 @@ if [[ ! -e /etc/openvpn/server/server.conf ]]; then
 read -p "DNS server [1]: " dns
 done
 echo
+ echo "Setup CA password?"
+ echo " 1) No"
+ echo " 2) Yes"
+ read -p "CA password? [1]: " ca_pass_option
+ until [[ -z "$ca_pass_option" || "$ca_pass_option" =~ ^[12]$ ]]; do
+ echo "$ca_pass_option: invalid selection."
+ read -p "CA password? [1]: " ca_pass_option
+ done
+ case "$ca_pass_option" in
+ 1|"")
+ ca_pass_option=nopass
+ ;;
+ 2)
+ ca_pass_option=""
+ ;;
+ esac
+ echo
+ echo "Setup VPN-server password?"
+ echo " 1) No"
+ echo " 2) Yes"
+ read -p "server cert password? [1]: " srv_pass_option
+ until [[ -z "$srv_pass_option" || "$srv_pass_option" =~ ^[12]$ ]]; do
+ echo "$srv_pass_option: invalid selection."
+ read -p "server cert password? [1]: " srv_pass_option
+ done
+ case "$srv_pass_option" in
+ 1|"")
+ srv_pass_option=nopass
+ ;;
+ 2)
+ srv_pass_option=""
+ ;;
+ esac
+ echo
 echo "Enter a name for the first client:"
 read -p "Name [client]: " unsanitized_client
 # Allow a limited set of characters to avoid conflicts
 client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
 [[ -z "$client" ]] && client="client"
 echo
+ echo "Setup client cert password?"
+ echo " 1) No"
+ echo " 2) Yes"
+ read -p "Client cert password? [1]: " client_pass_option
+ until [[ -z "$client_pass_option" || "$client_pass_option" =~ ^[12]$ ]]; do
+ echo "$client_pass_option: invalid selection."
+ read -p "Client cert password? [1]: " client_pass_option
+ done
+ case "$client_pass_option" in
+ 1|"")
+ client_pass_option=nopass
+ ;;
+ 2)
+ client_pass_option=""
+ ;;
+ esac
+ echo
 echo "OpenVPN installation is ready to begin."
 # Install a firewall if firewalld or iptables are not already available
 if ! systemctl is-active --quiet firewalld.service && ! hash iptables 2>/dev/null; then
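Review bot: The "Setup VPN-server password?" menu offers an encrypted server key without telling the user what that implies: the key produced from `srv_pass_option` is copied to /etc/openvpn/server/server.key in the next hunk and is loaded by the openvpn-server@server systemd unit, which has no terminal on which openssl's passphrase prompt can be answered, so unless the server.conf written elsewhere in the script (not visible here, please confirm) gains an `askpass` directive, option 2 most likely yields a server that cannot start unattended. At minimum print a caveat next to the menu, e.g. `echo "Note: a password-protected server key needs an 'askpass' file in server.conf, otherwise the openvpn-server@server service cannot start unattended."`, or drop the server option and keep the CA and client ones, whose keys are the ones that actually benefit from a passphrase at rest. The three 17-line menus here differ only in the variable name and prompt text (a fourth copy lives in the add-client path), so a single helper that takes the prompt and echoes `nopass` or `""` would keep later fixes in one place. It is also worth a comment that these menus never read a password themselves — the passphrase is requested later by openssl during key generation — since "CA password? [1]:" reads as if one should be typed here.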
@@ -240,12 +291,12 @@ LimitNPROC=infinity" > /etc/systemd/system/openvpn-server@server.service.d/disab
 mkdir -p /etc/openvpn/server/easy-rsa/
 { wget -qO- "$easy_rsa_url" 2>/dev/null || curl -sL "$easy_rsa_url" ; } | tar xz -C /etc/openvpn/server/easy-rsa/ --strip-components 1
 chown -R root:root /etc/openvpn/server/easy-rsa/
- cd /etc/openvpn/server/easy-rsa/
+ cd /etc/openvpn/server/easy-rsa/\
 # Create the PKI, set up the CA and the server and client certificates
 ./easyrsa init-pki
- ./easyrsa --batch build-ca
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client"
+ ./easyrsa --batch build-ca "$ca_pass_option"
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-server-full server "$srv_pass_option"
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" "$client_pass_option"
 EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 # Move the stuff we need
 cp pki/ca.crt pki/private/ca.key pki/issued/server.crt pki/private/server.key pki/crl.pem /etc/openvpn/server
@@ -461,7 +512,25 @@ else
 client=$(sed 's/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-]/_/g' <<< "$unsanitized_client")
 done
 cd /etc/openvpn/server/easy-rsa/
- EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client"
+ echo
+ echo "Setup client cert password?"
+ echo " 1) No"
+ echo " 2) Yes"
+ read -p "Client cert password? [1]: " client_pass_option
+ until [[ -z "$client_pass_option" || "$client_pass_option" =~ ^[12]$ ]]; do
+ echo "$client_pass_option: invalid selection."
+ read -p "Client cert password? [1]: " client_pass_option
+ done
+ case "$client_pass_option" in
+ 1|"")
+ client_pass_option=nopass
+ ;;
+ 2)
+ client_pass_option=""
+ ;;
+ esac
+ echo
+ EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" "$client_pass_option"
 # Generates the custom client.ovpn
 new_client
 echo
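Review bot: The rewritten `cd /etc/openvpn/server/easy-rsa/\` line ends in a backslash, which bash treats as a line continuation: the comment line that follows is spliced onto the `cd` command, and the path survives only because the comment is separated from it by its leading indentation — strip that indentation and the target becomes `/easy-rsa/#`. This looks like an editing accident rather than part of the feature; restore the line, ideally as `cd /etc/openvpn/server/easy-rsa/ || exit 1`, so a missing directory does not let the script run `./easyrsa` and the later `cp` from whatever the current directory happens to be. When the user picks option 2 the three `*_pass_option` variables are the empty string, so the quoted expansions hand easyrsa an empty positional argument; the easy-rsa versions I know stop option parsing at an empty argument and so this works, but it is fragile and would be cleaner as an array that expands to nothing or to `nopass`. Note for the user-facing text that ca.key is still copied to /etc/openvpn/server on the last line of this hunk regardless of the choice, so the CA passphrase is what protects it at rest, and every later signing step (`build-client-full`, `gen-crl`, revocation) will then prompt for that passphrase interactively.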
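Review bot: On the `build-client-full` line of the add-client hunk, `"$client_pass_option"` expands to an empty argument when the user picks option 2, because that case arm assigns `client_pass_option=""`; easy-rsa appears to stop parsing options at an empty argument so this works today, but an empty argv entry is fragile across easy-rsa versions. Two lines keep the call clean: `pass_args=(); [[ "$client_pass_option" == nopass ]] && pass_args=(nopass)` followed by `EASYRSA_CERT_EXPIRE=3650 ./easyrsa build-client-full "$client" "${pass_args[@]}"`. The 18 added menu lines are a verbatim copy of the block in the install path and should come from a shared helper, e.g. `client_pass_option=$(ask_nopass "Client cert password? [1]: ")`, which also gives one place to document that the passphrase itself is requested by openssl during key generation rather than by this menu. `new_client`, which embeds the resulting key in the .ovpn, is outside the hunk, so I cannot confirm from here how it handles an encrypted private key; the OpenVPN client is expected to prompt for the key passphrase at connect time, which is worth stating in the prompt text.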