|
|
|
# Every target is secondary: Make never deletes keys, CSRs or certificates it
# only built as a step towards an .ovpn bundle (a missing file alone will not
# force a rebuild, which is what we want for a CA directory).
.SECONDARY:

# Address written into each client .ovpn as `remote`.  The default is only
# usable for local testing; override on the command line:
#   make PUBIP=vpn.example.com
PUBIP ?= 127.0.0.1

# openvpn binary, used here only to generate the tls-auth key.
OVPN ?= openvpn
|
|
|
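# Client stems bundled by the default goal.  Extend or override with
#   make CLIENTS="001 002 010"
# Existing keys and certificates are reused; only missing ones are issued.
CLIENTS ?= 001 002 003 004 005 006 007 008 009

.PHONY: def
# Default goal: build the server config plus one client config per stem and
# pack them into ovpn.tar.
# Every .ovpn embeds a private key (and the shared tls-auth secret), so the
# archive is recreated unreadable to group/other.  svc.ovpn holds the SERVER
# private key: hand each client only its own NNN.ovpn, never this tarball.
# To add clients later, keep this directory (root.pem, index.txt, newcerts/)
# intact -- the CA state is required to issue further certificates.
def: svc.ovpn $(addsuffix .ovpn,$(CLIENTS))
	rm -f ovpn.tar && umask 077 && tar -cf ovpn.tar $^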
|
|
|
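# Minimal `openssl ca` configuration plus the CA database files it needs.
# Serial numbers come from -rand_serial on the command line, so no `serial`
# file is created.  `copy_extensions` is deliberately left unset (OpenSSL's
# default is "none"), so a CSR cannot smuggle its own extensions such as
# CA:TRUE into a certificate: every extension comes from the [root],
# [ovpnsvc] or [ovpncli] section chosen with -extensions.
# The root certificate carries keyUsage keyCertSign,cRLSign so strict
# verifiers accept it as an issuer, and `crlnumber` lets this CA publish
# CRLs, which is the only way to retire a leaked client key given the
# 2000-2099 validity window used below.  To revoke stem NNN:
#   openssl ca -config openssl.cnf -keyfile root.pem -cert root.crt -revoke NNN.crt
#   openssl ca -config openssl.cnf -keyfile root.pem -cert root.crt -gencrl -out crl.pem
# and point the server at crl.pem with `crl-verify`.
openssl.cnf:
	printf '%s\n' \
	  '[ca]' \
	  'default_ca = CA_default' \
	  '[CA_default]' \
	  'certs = certs' \
	  'database = index.txt' \
	  'new_certs_dir = newcerts' \
	  'certificate = cacert.pem' \
	  'serial = serial' \
	  'crlnumber = crlnumber' \
	  'default_crl_days = 30' \
	  'preserve = no' \
	  'policy = policy_match' \
	  '[policy_match]' \
	  'countryName = match' \
	  'stateOrProvinceName = optional' \
	  'organizationName = match' \
	  'organizationalUnitName = optional' \
	  'commonName = supplied' \
	  'emailAddress = optional' \
	  '[root]' \
	  'subjectKeyIdentifier = hash' \
	  'authorityKeyIdentifier = keyid:always,issuer' \
	  'basicConstraints = critical,CA:TRUE' \
	  'keyUsage = critical,keyCertSign,cRLSign' \
	  '[ovpnsvc]' \
	  'keyUsage = critical,digitalSignature,keyEncipherment' \
	  'extendedKeyUsage = critical,serverAuth' \
	  'basicConstraints = critical,CA:FALSE' \
	  '[ovpncli]' \
	  'keyUsage = critical,digitalSignature' \
	  'extendedKeyUsage = critical,clientAuth' \
	  'basicConstraints = critical,CA:FALSE' \
	  > $@
	mkdir -p newcerts
	touch index.txt
	[ -f crlnumber ] || echo 01 > crlnumber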
|
|
|
# 2048-bit Diffie-Hellman parameters inlined into the server config (<dh>).
# Not secret; kept across runs by .SECONDARY.
dh2048.pem:
	openssl dhparam -out "$@" 2048
|
|
|
# Shared HMAC key for `tls-auth`.  It is embedded in the server config and in
# every client config, so it is a secret: anyone holding one client bundle
# can at least reach the TLS handshake.
tlsauth.pem:
	$(OVPN) --genkey --secret "$@"
|
|
|
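# 2048-bit RSA private key for any stem: root (CA), svc (server) and each
# client.  dh2048.pem and tlsauth.pem have explicit rules above, which take
# precedence over this pattern.  umask 077 keeps the key unreadable to
# group/other regardless of how the installed OpenSSL handles file modes.
%.pem:
	umask 077 && openssl genrsa -out $@ 2048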
|
|
|
# CSR for the self-signed root CA.  The subject is fixed; C and O must match
# what policy_match in openssl.cnf expects for every issued certificate.
root.csr: root.pem
	openssl req -new \
	  -key "$<" \
	  -subj '/emailAddress=hello@gmail.com/countryName=US/stateOrProvinceName=California/organizationName=Hello LLC/commonName=Hello CA/organizationalUnitName=Hello CA' \
	  -out "$@"
|
|
|
# CSR for the VPN server certificate (signed with the [ovpnsvc] extensions).
# Listed before the %.csr pattern so the server gets its own CN rather than
# the stem "svc".
svc.csr: svc.pem
	openssl req -new \
	  -key "$<" \
	  -subj '/emailAddress=hello@gmail.com/countryName=US/stateOrProvinceName=California/organizationName=Hello LLC/commonName=Hello LLC/organizationalUnitName=Hello Unit' \
	  -out "$@"
|
|
|
# CSR for a client: the stem (e.g. 001) becomes the commonName, which is what
# the server logs and status file will show for that peer.
%.csr: %.pem
	openssl req -new \
	  -key "$<" \
	  -subj "/emailAddress=hello@gmail.com/countryName=US/stateOrProvinceName=California/organizationName=Hello LLC/commonName=$*/organizationalUnitName=Hello Unit" \
	  -out "$@"
|
|
|
# Self-signed root certificate with the [root] extensions (CA:TRUE).
# Validity is pinned to 2000-01-01 .. 2099-12-31, i.e. it effectively never
# expires; protect root.pem accordingly, as it is the only trust anchor the
# server and all clients verify against.
root.crt: openssl.cnf root.pem root.csr
	openssl ca -batch -notext -md sha256 -rand_serial \
	  -config "$<" \
	  -extensions root \
	  -keyfile root.pem -selfsign \
	  -startdate 20000101000000Z -enddate 20991231235959Z \
	  -in $(filter %.csr,$^) -out "$@"
|
|
|
# Server certificate: [ovpnsvc] extensions (serverAuth EKU), signed by the
# root.  Clients rely on that EKU via `remote-cert-tls server`, so the CA
# must issue serverAuth only to the real server.  Same 2000-2099 validity
# as the root; there is no expiry-based rotation.
svc.crt: openssl.cnf root.pem root.crt svc.csr svc.pem
	openssl ca -batch -notext -md sha256 -rand_serial \
	  -config "$<" \
	  -extensions ovpnsvc \
	  -keyfile root.pem -cert root.crt \
	  -startdate 20000101000000Z -enddate 20991231235959Z \
	  -in $(filter %.csr,$^) -out "$@"
|
|
|
# Client certificate for a stem: [ovpncli] extensions (clientAuth EKU only),
# signed by the root.  Valid 2000-2099, so a lost client key can only be
# retired by revocation, not by waiting for expiry.
%.crt: openssl.cnf root.pem root.crt %.csr %.pem
	openssl ca -batch -notext -md sha256 -rand_serial \
	  -config "$<" \
	  -extensions ovpncli \
	  -keyfile root.pem -cert root.crt \
	  -startdate 20000101000000Z -enddate 20991231235959Z \
	  -in $(filter %.csr,$^) -out "$@"
|
|
|
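# Global: a target whose recipe fails is deleted, so a half-written bundle
# never looks up to date.
.DELETE_ON_ERROR:

# Server configuration with the CA cert, server cert/key, DH parameters and
# the tls-auth key inlined.  It contains the server PRIVATE key and the
# tls-auth secret: it is created unreadable to group/other and must never
# be shipped to clients.
# Hardening added on top of the basic config:
#   remote-cert-tls client  accept only peer certs carrying the clientAuth
#                           EKU ([ovpncli]), so svc.crt or any other cert
#                           from this CA cannot be replayed as a client;
#   tls-version-min 1.2     refuse TLS 1.0/1.1 control channels.
# Left for the operator (host-specific or needs a matching client change):
#   crl-verify crl.pem      no CRL is configured, so a leaked client key
#                           stays valid until 2099 until you add one;
#   user/group              drop root after startup (group name differs
#                           per distribution);
#   auth SHA256, tls-crypt, data-ciphers AES-256-GCM
#                           stronger HMAC / encrypted control channel /
#                           AEAD data channel, each requires the same option
#                           on every client.  AES-256-CBC works but is
#                           deprecated on newer OpenVPN releases -- confirm
#                           against the installed version.
svc.ovpn: root.crt svc.crt svc.pem dh2048.pem tlsauth.pem
	rm -f $@ && umask 077 && echo '' > $@
	echo 'local 0.0.0.0' >> $@
	echo 'port 8000' >> $@
	echo 'proto udp' >> $@
	echo 'dev tun' >> $@
	echo '<ca>' >> $@
	cat root.crt >> $@
	echo '</ca>' >> $@
	echo '<cert>' >> $@
	cat svc.crt >> $@
	echo '</cert>' >> $@
	echo '<key>' >> $@
	cat svc.pem >> $@
	echo '</key>' >> $@
	echo '<dh>' >> $@
	cat dh2048.pem >> $@
	echo '</dh>' >> $@
	echo 'server 10.0.0.0 255.255.255.0' >> $@
	echo 'ifconfig-pool-persist ipp.txt' >> $@
	echo 'push "redirect-gateway def1"' >> $@
	echo 'push "dhcp-option DNS 8.8.8.8"' >> $@
	echo 'push "dhcp-option DNS 1.1.1.1"' >> $@
	echo 'keepalive 10 120' >> $@
	echo 'remote-cert-tls client' >> $@
	echo 'tls-version-min 1.2' >> $@
	echo 'key-direction 0' >> $@
	echo '<tls-auth>' >> $@
	cat tlsauth.pem >> $@
	echo '</tls-auth>' >> $@
	echo 'cipher AES-256-CBC' >> $@
	echo 'persist-key' >> $@
	echo 'persist-tun' >> $@
	echo 'status openvpn-status.log' >> $@
	echo 'verb 3' >> $@
	echo 'explicit-exit-notify 1' >> $@
	echo 'push "block-outside-dns"' >> $@
	echo '' >> $@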
|
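# Global: a target whose recipe fails is deleted, so a half-written bundle
# never looks up to date.
.DELETE_ON_ERROR:

# Client configuration for one stem with the CA cert, the client's own
# cert/key and the tls-auth key inlined.  It embeds that client's PRIVATE
# key and the shared tls-auth secret, so it is created unreadable to
# group/other; hand each client only its own file.
# `remote-cert-tls server` makes the client accept only a peer certificate
# carrying the serverAuth EKU ([ovpnsvc] in openssl.cnf), so a stolen client
# certificate cannot be used to impersonate the server.  If this CA ever
# issues more than one serverAuth certificate, pin the name as well:
#   verify-x509-name 'Hello LLC' name
# The port (8000) must stay in sync with svc.ovpn; the host comes from PUBIP.
%.ovpn: root.crt %.crt %.pem tlsauth.pem
	rm -f $@ && umask 077 && echo '' > $@
	echo 'client' >> $@
	echo 'dev tun' >> $@
	echo 'proto udp' >> $@
	echo 'remote $(PUBIP) 8000' >> $@
	echo 'resolv-retry infinite' >> $@
	echo 'nobind' >> $@
	echo 'persist-key' >> $@
	echo 'persist-tun' >> $@
	echo '<ca>' >> $@
	cat root.crt >> $@
	echo '</ca>' >> $@
	echo '<cert>' >> $@
	cat $*.crt >> $@
	echo '</cert>' >> $@
	echo '<key>' >> $@
	cat $*.pem >> $@
	echo '</key>' >> $@
	echo 'remote-cert-tls server' >> $@
	echo 'key-direction 1' >> $@
	echo '<tls-auth>' >> $@
	cat tlsauth.pem >> $@
	echo '</tls-auth>' >> $@
	echo 'verb 3' >> $@
	echo '' >> $@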