@m1k1o
Created June 18, 2020 23:05
Generate files for OpenVPN
#!/bin/bash
# Abort on the first failed step so later steps never run against missing files.
set -euo pipefail
# Source: https://wiki.archlinux.org/index.php/Easy-RSA
VER="3.0.7"
CA_NAME="EasyRSA CA"
#
# install easy-rsa
#
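# The tarball is fetched over HTTPS only; check it against a checksum or
# signature you trust before running anything from it.
wget -O EasyRSA.tgz "https://github.com/OpenVPN/easy-rsa/releases/download/v${VER}/EasyRSA-${VER}.tgz"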
tar -xf EasyRSA.tgz
mv EasyRSA-*/ easy-rsa/
rm -f EasyRSA.tgz
cd easy-rsa
#
# CA public certificate
#
# > pki/ca.crt
./easyrsa init-pki
echo "$CA_NAME" | ./easyrsa build-ca nopass
#
# Server certificate and private key
#
# > pki/reqs/server.req
# > pki/private/server.key
echo | ./easyrsa gen-req server nopass
#
# Diffie-Hellman (DH) parameters file
#
# > dh.pem
openssl dhparam -out dh.pem 2048
#
# Hash-based Message Authentication Code (HMAC) key
#
# > ta.key
openvpn --genkey --secret ta.key
#
# Client certificate and private key
#
# > pki/reqs/client.req
# > pki/private/client.key
echo | ./easyrsa gen-req client nopass
#
# Sign the certificates
#
# > pki/issued/server.crt
# > pki/issued/client.crt
echo "yes" | ./easyrsa sign-req server server
echo "yes" | ./easyrsa sign-req client client
#
# Copy files
#
mkdir -p openvpn/{server,client}
# CA public certificate
cp pki/ca.crt openvpn/server
cp pki/ca.crt openvpn/client
# Server public certificate & private key
cp pki/private/server.key openvpn/server
cp pki/issued/server.crt openvpn/server
# Client public certificate & private key
cp pki/private/client.key openvpn/client
cp pki/issued/client.crt openvpn/client
cp ta.key openvpn/server
cp ta.key openvpn/client
cp dh.pem openvpn/server
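
A post-generation check for one of the bundle directories the script produces, as an added example that is not part of the original gist. `audit_bundle` is a hypothetical helper name; it assumes the `openvpn/server` and `openvpn/client` layout created above and that `openssl` is on the PATH when certificates are present.

```shell
#!/bin/bash
# Added example (not from the original gist): audit one bundle directory.
# Usage: audit_bundle <dir> <name>   e.g. audit_bundle openvpn/server server

audit_bundle() {
    local dir="$1" name="$2" rc=0 loose cert_pub key_pub

    # 1. Private material (*.key, including ta.key) is generated with "nopass",
    #    so file permissions are its only protection: no group/other bits.
    loose=$(find "$dir" -type f -name '*.key' -perm /077)
    if [ -n "$loose" ]; then
        echo "FAIL: key files accessible to group/other:" >&2
        echo "$loose" >&2
        rc=1
    fi

    # 2. If the certificate is present, confirm it chains to ca.crt and that
    #    the private key in the bundle is the one the certificate was issued for.
    if [ -f "$dir/$name.crt" ]; then
        if ! openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1; then
            echo "FAIL: $name.crt does not verify against ca.crt" >&2
            rc=1
        fi
        # Compare the public key embedded in the certificate with the one
        # derived from the private key; both are emitted as SPKI PEM.
        cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $name.key does not match $name.crt" >&2
            rc=1
        fi
    fi

    return "$rc"
}
```

Run it from `easy-rsa/` as `audit_bundle openvpn/server server` and `audit_bundle openvpn/client client`; a non-zero exit status means at least one check failed.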