zdt-openvpn/bin/ovpn_create_server


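#!/bin/bash
#
# Generate the OpenVPN server certificate/key pair with EasyRSA and write
# the static server config.
#
# Usage: ovpn_create_server <server-fqdn>
#
# Environment:
#   OPENVPN  - directory holding the PKI, OTP/CCD dirs and generated config (required)
#   DEBUG    - set to "1" to trace every command
#
# Only `easyrsa build-server-full` is run here; the PKI and CA are assumed to
# exist already (init-pki / build-ca are not invoked by this script).
#
if [ "${DEBUG:-}" == "1" ]; then
  set -x
fi
set -eu

if [ $# -lt 1 ] || [ -z "$1" ]; then
  echo "usage: ${0##*/} <server-fqdn>" >&2
  exit 2
fi
# Without this check an unset OPENVPN would silently create /pki, /otp and
# /ccd at the filesystem root and drop the config there.
: "${OPENVPN:?OPENVPN must point at the OpenVPN data directory}"
server_name=$1

# These might get lost if empty when syncing to object storage, so create
# them and leave a placeholder file in each.
mkdir -p "$OPENVPN/pki/reqs" "$OPENVPN/pki/issued" "$OPENVPN/pki/certs_by_serial" \
  "$OPENVPN/otp" "$OPENVPN/ccd"
touch "$OPENVPN/otp/_empty" "$OPENVPN/ccd/_empty"

# Server cert + key. nopass leaves the private key unencrypted so the daemon
# can start unattended; protect the pki directory accordingly.
easyrsa build-server-full "$server_name" nopass

# Record the server FQDN for other tooling.
printf '%s\n' "$server_name" > "$OPENVPN/server"

# Static server config. The delimiter is quoted: nothing in the body is meant
# to be expanded by the shell.
cat <<'EOF' > "$OPENVPN/openvpn.conf"
port 1194
proto udp
dev tun
topology subnet
# NOTE(review): on OpenVPN 2.5+ negotiation is governed by data-ciphers and
# cipher is only the fallback; verify-client-cert below implies 2.4 or newer.
cipher AES-256-GCM
keepalive 10 120
# Drop root after startup; persist-key/persist-tun keep the key material and
# the tun device usable across restarts once privileges are gone.
user nobody
group nogroup
persist-key
persist-tun
status /var/run/openvpn-status.log
status-version 3
verb 3
# Every client must present a certificate signed by the CA below in addition
# to passing PAM authentication.
verify-client-cert require
# No server-initiated renegotiation: with one-time PINs a renegotiation would
# demand a fresh OTP. NOTE(review): this only disables the server-side timer;
# clients still renegotiate on their own reneg-sec unless it is 0 as well.
reneg-sec 0
# PAM prompt mapping: "login" is answered with the username, "password" with
# the literal string snafu, and whatever the client sends as its password is
# answered to the "pin" prompt. NOTE(review): presumably the PAM stack ignores
# the password field and authenticates on the PIN/OTP alone — confirm against
# the "openvpn" PAM service definition before relying on this.
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password snafu pin PASSWORD"
#plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
#auth-user-pass-optional
ifconfig-pool-persist ipp.txt
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh.pem
# Revoked client certs are rejected. The CRL must be regenerated before its
# nextUpdate passes; newer OpenVPN builds treat an expired CRL as an error.
crl-verify /etc/openvpn/crl.pem
# No key-direction given, so the tls-auth key is used bidirectionally; the
# client config must match.
tls-auth /etc/openvpn/ta.key
# Include local config last so it can override anything above. NOTE(review):
# OpenVPN refuses to start if this file is missing, so it must always exist.
config /etc/openvpn/local.conf
EOF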