Last active
April 26, 2021 20:05
-
-
Save xenithorb/c79040f7251b00e17c0995b533ced5df to your computer and use it in GitHub Desktop.
OpenVPN EasyRSA companion to output OVPN files (.ovpn) that contain embedded certs and keys
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Generate OVPN files (single config w/ certs and keys) for OpenVPN | |
| # from EasyRSA tool's pki folder output | |
| # | |
| # - Tool expects to be in easy-rsa's pki fodler ( after `easy-rsa init-pki` ) | |
| # - outputs to ovpn-out folder | |
| # Expected usage: | |
| # $ # First install easy-rsa with your pkg manager | |
| # $ mkdir ~/openvpn # new folder | |
| # $ cd ~/openvpn | |
| # $ cp -a /usr/share/easy-rsa/[0-9]/* . | |
| # $ ./easyrsa init-pki | |
| # $ ./easyrsa build-ca | |
| # $ ./easyrsa gen-dh | |
| # $ # Where <filename_base> is a regular name like "computer1" | |
| # $ ./build-server-full <filename_base> [ cmd-opts ] | |
| # $ ./build-client-full <filename_base> [ cmd-opts ] | |
| # $ cd pki | |
| # $ wget <this script> | |
| # $ ./mkovpn.sh server vpn.server1.com 10.8.0.1 | |
| # $ ./mkovpn.sh client computer1 vpn.server1.com | |
| # $ # Now you may distribute the files to your server and client | |
| # | |
| # Author: Michael Goodwin <xenithorb> / 2017-05-17 | |
| # | |
| out_dir="./ovpn-out" | |
| [[ ! -d "${out_dir}" ]] && mkdir "${out_dir}" | |
| type="$1" | |
| cipher="AES-256-GCM" | |
| # This can be set lower for incompatible older clients, so they don't end up | |
| # using Blowfish by default (64 bit, insecure) | |
| cipher="AES-128-CBC" | |
| ciphers="AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC" | |
| port="1194" | |
| shift | |
| name="${1?:ERROR: Need certificate base name}" | |
| if [[ $type == "server" ]]; then | |
| server="${1?:ERROR: Need server DNS}" | |
| subnet="${2?:ERROR: Need internal VPN subnet address, 10.8.0.0 maybe?}" | |
| name="${server}" | |
| out_format="${server}.conf" | |
| elif [[ $type == "client" ]]; then | |
| server="${2?:ERROR: Need server DNS}" | |
| out_format="${name}-${server}.ovpn" | |
| fi | |
| format_cert() { | |
| local type="$1" file="$2" ssl_cmd="x509" | |
| [[ "$type" == "key" ]] && ssl_cmd="rsa" | |
| [[ "$type" == "dh" ]] && ssl_cmd="dh" | |
| printf '<%s>\n%s\n</%s>\n' \ | |
| "$type" \ | |
| "$( openssl "${ssl_cmd}" -in "${file}" )" \ | |
| "$type" | |
| } | |
| print_certs() { | |
| local name="$1" | |
| format_cert ca "ca.crt" | |
| format_cert cert "issued/${name}.crt" | |
| format_cert key "private/${name}.key" || \ | |
| { echo "Key decrypted incorrectly" ; exit 1; } 1>&2 | |
| [[ "${out_format}" =~ .conf$ ]] && \ | |
| format_cert dh "dh.pem" | |
| } | |
| CONFIG_CLIENT_ONLY=( | |
| "client" | |
| "remote ${server} ${port}" | |
| "nobind" | |
| ";allow-recursive-routing" | |
| "explicit-exit-notify 1" | |
| "resolv-retry infinite" | |
| ) | |
| CONFIG_COMMON=( | |
| "proto udp" | |
| "dev tun" | |
| "persist-key" | |
| "persist-tun" | |
| ";comp-lzo" | |
| "verb 3" | |
| "cipher ${cipher}" | |
| "" | |
| ) | |
| CONFIG_SERVER_ONLY=( | |
| "server ${subnet} 255.255.255.0" | |
| ";push \"route 192.168.1.0 255.255.255.0\"" | |
| "push \"redirect-gateway def1 bypass-dhcp block-local\"" | |
| "push \"dhcp-option DNS ${subnet%\.*}.1\"" | |
| "ncp-ciphers ${ciphers}" | |
| ";client-to-client" | |
| "mute 10" | |
| "keepalive 5 30" | |
| ) | |
| print_opts() { | |
| local name="$1" server="$2" type="$3" | |
| [[ "$type" == "client" ]] && printf "%s\n" "${CONFIG_CLIENT_ONLY[@]}" | |
| [[ "$type" == "server" ]] && printf "%s\n" "${CONFIG_SERVER_ONLY[@]}" | |
| printf "%s\n" "${CONFIG_COMMON[@]}" | |
| } | |
| print_config() { | |
| local name="$1" server="$2" type="$3" | |
| print_opts "$name" "$server" "$type" | |
| print_certs "$name" | |
| } | |
| print_config "$name" "$server" "$type" | tee "${out_dir}/${out_format}" > /dev/null |
IPTables changes on vpn.mgoodwin.net:
--- iptables.old 2017-05-17 19:50:41.641053304 +0000
+++ iptables 2017-05-17 16:08:06.043401689 +0000
@@ -1,15 +1,29 @@
-# Generated by iptables-save v1.4.21 on Wed May 17 19:48:04 2017
+# Generated by iptables-save v1.4.21 on Wed May 17 16:08:06 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [364322:462453314]
+:OUTPUT ACCEPT [23808:22624551]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9002 -m comment --comment "Weechat WP proxy" -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 9001 -m comment --comment "Weechat IRC proxy" -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1194 -m comment --comment OpenVPN -j ACCEPT
+-A INPUT -i tun0 -p udp -m conntrack --ctstate NEW -m udp --dport 53 -m comment --comment "DNSMasq for OpenVPN" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
-# Completed on Wed May 17 19:48:04 2017
+# Completed on Wed May 17 16:08:06 2017
+# Generated by iptables-save v1.4.21 on Wed May 17 16:08:06 2017
+*nat
+:PREROUTING ACCEPT [617:30419]
+:INPUT ACCEPT [108:6402]
+:OUTPUT ACCEPT [141:9956]
+:POSTROUTING ACCEPT [141:9956]
+-A PREROUTING -i eth0 -p udp -m udp --dport 443 -j REDIRECT --to-ports 1194
+-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+COMMIT
+# Completed on Wed May 17 16:08:06 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Required changes for OpenVPN on EdgeRouter: