frenchn00b
08-27-2009 03:28 PM
Can someone correct my script/improve to install OPENVPN - SERVER for Lenny / Debian?
(VPN is normally on port: 1723)
---
Script to install an OPENVPN Server, for newbies
---
(I don't understand where the little detail error with openssl at the end is.)
The error is just this crl.pem file (OPENSSL / MAKE-CRL), below, almost at the end.
For a medium-level/expert Linux user, it will be easy.
First copy, in /etc/openvpn (because make-crl and pkitool are missing):
1.0 into ../
2.0 into ../
and here we go
Code:
#!/bin/bash
#
# Howto from: http://howto.landure.fr/
# many thanks for Landure's help and website
# Automatic script to install OPENVPN. Frenchn00b
#
# Run as root. bash is required: "source" and the easy-rsa scripts are not plain sh.
# Assumed: the vars file (Landure's one) defines KEY_DIR, KEY_CONFIG, KEY_SIZE,
# OPENVPN_SERVER and OPENVPN_IPRANGE; the script checks for them after sourcing.

EASYRSA_DIR=/etc/openvpn/easy-rsa

echo "OpenVPN installation is done by this command line :"
# module-init-tools provides modprobe; the lzo library is pulled in as a dependency of openvpn
apt-get install openvpn openssl module-init-tools

echo "Once OpenVPN installed on our system, we create a folder to regroup scripts used by this howto :"
mkdir --parents /etc/openvpn/scripts/

# Make sure the tun device exists (udev normally creates it already)
modprobe tun
if [ ! -c /dev/net/tun ] ; then
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
fi

echo "OpenVPN use OpenSSL to encrypt connections. Clients authentication is based on private / public keys signature."
echo "This keys are the core of a OpenVPN network. You need to be carefull when creating them."
echo "EasyRSA scripts setup"
echo "OpenVPN is installed with some scripts that easy encryption keys creation. We now copy this scripts in the VPN"
echo "server configuration folder so that we can edit them :"
cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
# On Lenny the scripts live in the 1.0/ and 2.0/ subfolders (make-crl in 1.0,
# pkitool in 2.0): bring them up one level, which is the manual step noted above.
cp -r "$EASYRSA_DIR"/1.0/* "$EASYRSA_DIR"/ 2>/dev/null
cp -r "$EASYRSA_DIR"/2.0/* "$EASYRSA_DIR"/ 2>/dev/null

echo "Two of the files of this configuration needs to be edited. We start by downloading modified versions needed by this howto :"
echo "WGET the pre-conf files y/n?"
read ludo
if [ "$ludo" = "y" ] ; then
    wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/vars \
        --output-document "$EASYRSA_DIR"/vars
    wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/openssl.cnf \
        --output-document "$EASYRSA_DIR"/openssl.cnf
fi

echo "VPN server parameters"
echo "You can now edit the VPN configuration files to fit your needs :"
echo " * KEY_COUNTRY : Your country code."
echo " * KEY_PROVINCE : Your province."
echo " * KEY_CITY : Your city."
echo " * KEY_ORG : The key name (you don't have to change it)."
echo " * KEY_EMAIL : The email address associated to the key."
printf "Type Enter"
read dummy
vim "$EASYRSA_DIR"/vars

# easy-rsa's vars computes its paths from the current directory, so it must be
# sourced from inside the easy-rsa folder. Sourcing once is enough: the variables
# stay exported for the rest of the script.
cd "$EASYRSA_DIR"
source ./vars
: "${KEY_DIR:?vars must define KEY_DIR}"
: "${KEY_CONFIG:?vars must define KEY_CONFIG}"
: "${KEY_SIZE:?vars must define KEY_SIZE}"
: "${OPENVPN_SERVER:?vars must define OPENVPN_SERVER (Landure's vars does)}"
: "${OPENVPN_IPRANGE:?vars must define OPENVPN_IPRANGE (Landure's vars does)}"
mkdir -p "$KEY_DIR"

echo "A certification authority is a private / public keys pair used to sign other public keys. To create your certification authority, use the following command lines :"
export KEY_COMMONNAME="ca.$OPENVPN_SERVER"
./clean-all
./build-ca
printf "Type Enter"
read dummy
echo "If you have correctly set up easy-rsa, you can use the default values."
echo "Note : Some free certification authority exists and can be used to sign HTTPS servers certificates. This is not necessary for a OpenVPN server, but if you want to do this, I think it is possible. To find more about this, visit CAcert."

echo "Server certificate creation"
echo "We will now create our server certificate. This is done by running these commands :"
export KEY_COMMONNAME="$OPENVPN_SERVER"
./build-key-server server
echo "Here again, use default values."
echo "Note : You can protect your server certificate with a password. If you choose to do this, the password will be asked each time you need to create or revoke clients certificates. DO NOT LOOSE IT. It's a security asset, but it is not mandatory. Take your descision according to your paranoïa level."

echo "Diffie-Hellman parameters"
echo "server.conf refers to dh$KEY_SIZE.pem; without it the server will not start :"
./build-dh

echo "TLS key"
printf "Type Enter"
read dummy
echo "We now create a key that will protect our VPN from some attacks. It allow us to setup a HSA firewall :"
openvpn --genkey --secret "$KEY_DIR"/ta.key

echo "Server configuration"
echo "To create our VPN server configuration, we use a example file :"
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip -f /etc/openvpn/server.conf.gz
echo "We modify this file to feet our needs :"
# '|' is the sed delimiter so the paths in $KEY_DIR need no escaping
sed -i \
    -e "s|^ca ca\.crt|ca $KEY_DIR/ca.crt|" \
    -e "s|^cert server\.crt|cert $KEY_DIR/server.crt|" \
    -e "s|^key server\.key|key $KEY_DIR/server.key|" \
    -e "s|^dh[\t ]*dh1024\.pem|dh $KEY_DIR/dh$KEY_SIZE.pem|" \
    -e "s|^server[\t ].*$|server $OPENVPN_IPRANGE.0 255.255.255.0|" \
    -e "s|^;\(tls-auth \)\(ta\.key.*\)$|\1$KEY_DIR/\2|" \
    -e 's|^;\(.*# Triple-DES\)$|\1|' \
    -e 's|^\(status \).*|\1/var/log/openvpn-status.log|' \
    /etc/openvpn/server.conf
printf "Type Enter"
echo "type quit q"
read dummy
less /etc/openvpn/server.conf

echo "Reduced permissions"
echo "We want our VPN server to run with minimals permissions. First, make you keys folder readable :"
chmod go+rx "$KEY_DIR"
# the private keys themselves stay readable by root only (openvpn reads them
# before dropping privileges, persist-key is set in the sample config)
chmod 600 "$KEY_DIR"/*.key
echo "And setup OpenVPN to run with nouser and nogroup permissions :"
sed -i \
    -e 's/^;\(user[ \t]*.*\)/\1/' \
    -e 's/^;\(group[ \t]*.*\)/\1/' \
    /etc/openvpn/server.conf
printf "Type Enter"
echo "type quit q"
read dummy
less /etc/openvpn/server.conf

echo "Client to Client communication in the VPN network"
echo "If you want your VPN clients to be able to dialog with each others, and not only with the server, run this command line :"
sed -i -e 's/^;client-to-client/client-to-client/' /etc/openvpn/server.conf

echo "Clients revocation management :"
echo "In order to detect revoked clients, we enable the revoked certificates management :"
# append the directive once only (the first version of this script added it twice)
if ! grep -q '^crl-verify' /etc/openvpn/server.conf ; then
    printf '\n# Revoked certificate list\ncrl-verify %s/crl.pem\n' "$KEY_DIR" >> /etc/openvpn/server.conf
fi

echo "And we create the initial (empty) crl.pem file :"
# A blank file is not a valid CRL: openvpn then rejects every client. The CRL
# must be issued by OUR CA, i.e. with easy-rsa's openssl.cnf and index.txt
# (this is what make-crl does once vars is sourced). Building a second CA
# with "openssl req" under demoCA and signing the CRL with it cannot work,
# because the clients' certificates were not issued by that CA.
openssl ca -gencrl -config "$KEY_CONFIG" -out "$KEY_DIR"/crl.pem
# openvpn re-reads the CRL as 'nobody' at every connection, so it must stay readable
chmod 644 "$KEY_DIR"/crl.pem
printf "Type Enter"
read dummy

echo "Last step"
echo "The last step is to restart the VPN server :"
printf "Type Enter to restart the VPN Server"
read dummy
/etc/init.d/openvpn restart
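Added example, not part of frenchn00b's script or of Landure's howto: the script below builds a throwaway CA in a temporary directory the way easy-rsa's clean-all/build-ca do, issues an empty CRL with "openssl ca -gencrl", and then checks the CRL against the CA certificate the way OpenVPN's crl-verify does. It also shows why the two approaches tried at the end of the script above fail: a blank crl.pem is not a CRL, and a CRL issued by a separate demoCA does not verify against the easy-rsa CA. The openssl.cnf written by write_ca_config is a constructed stand-in for easy-rsa's, keeping its `dir = $ENV::KEY_DIR` convention; build_ca, make_crl and check_crl are names chosen here.

```shell
#!/bin/sh
# Added example (not frenchn00b's script): throwaway CA, empty CRL, and the
# verification OpenVPN performs for crl-verify. Nothing touches /etc.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# write_ca_config FILE: constructed minimal openssl.cnf; like easy-rsa's it
# takes the CA directory from the KEY_DIR environment variable.
write_ca_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $ENV::KEY_DIR
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext

[ req_dn ]
CN = Example VPN CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# build_ca KEYDIR CONFIG: self-signed CA plus the empty index.txt and serial
# files that "openssl ca" needs (what clean-all + build-ca leave in KEY_DIR).
build_ca() {
    mkdir -p "$1"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    KEY_DIR=$1 openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -config "$2" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
    chmod 600 "$1/ca.key"
}

# make_crl KEYDIR CONFIG: issue a CRL from the CA's database. An empty
# database still yields a valid, signed CRL that revokes nothing.
make_crl() {
    KEY_DIR=$1 openssl ca -gencrl -config "$2" -out "$1/crl.pem" >/dev/null 2>&1 &&
        chmod 644 "$1/crl.pem"   # re-read by openvpn as 'nobody' at each connection
}

# check_crl CACERT CRL: succeeds only if CRL parses and its signature verifies
# with CACERT (exit codes differ between OpenSSL versions, so match the text).
check_crl() {
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}

WORK=$(mktemp -d)
write_ca_config "$WORK/openssl.cnf"
build_ca "$WORK/keys" "$WORK/openssl.cnf"
make_crl "$WORK/keys" "$WORK/openssl.cnf"
check_crl "$WORK/keys/ca.crt" "$WORK/keys/crl.pem" \
    && echo "crl.pem issued by our CA: accepted"

# 1) what 'echo "" > crl.pem' produces: not a CRL at all
echo "" > "$WORK/empty.pem"
check_crl "$WORK/keys/ca.crt" "$WORK/empty.pem" \
    || echo "empty crl.pem: rejected"

# 2) a CRL issued by an unrelated CA (the hand-made demoCA): signature fails
build_ca "$WORK/demoCA" "$WORK/openssl.cnf"
make_crl "$WORK/demoCA" "$WORK/openssl.cnf"
check_crl "$WORK/keys/ca.crt" "$WORK/demoCA/crl.pem" \
    || echo "crl.pem from another CA: rejected"
rm -rf "$WORK"
```

The same check_crl call, pointed at the real ca.crt and crl.pem in KEY_DIR, is a quick way to confirm a server's CRL before restarting OpenVPN.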