LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)
-   -   Can someone correct my script/improve to install OPENVPN - SERVER for Lenny / Debian? (https://www.linuxquestions.org/questions/linux-server-73/can-someone-correct-my-script-improve-to-install-openvpn-server-for-lenny-debian-750708/)

frenchn00b 08-27-2009 03:28 PM
Can someone correct my script/improve to install OPENVPN - SERVER for Lenny / Debian?
 
(VPN is normally on port: 1723)
---
Script to install an OPENVPN Server, for newbies
---
(I dont understand where is the little detail error with openssl at the end)

The error is just this crl.pem file (OPENSSL / MAKE-CRL), below, almost at the end.

For an medium level/expert in Linux, it will be easy.

#
first copy /etc/openvpn (cuz make-crl missing and pkitool too)
1.0 into ../
2.0 into ../
and here we go

Code:
#!/bin/sh
#
# Howto from: http://howto.landure.fr/
# many thanks for Landure's help and website
# Automatic script to install OPENVPN. Frenchn00b

echo "OpenVPN installation is done by this command line :"
apt-get install openvpn openssl liblzo1

echo "Once OpenVPN installed on our system, we create a folder to regroup scripts used by this howto :"

mkdir --parents /etc/openvpn/scripts/

#mkdir -p /etc/openvpn/easy-rsa/keys

modprobe tun

mkdir /dev/net
mknod /dev/net/tun c 10 200


apt-get install module-init-tools


echo "OpenVPN use OpenSSL to encrypt connections. Clients authentication is based on private / public keys signature."

echo "This keys are the core of a OpenVPN network. You need to be carefull when creating them."

echo "EasyRSA scripts setup"

echo "OpenVPN is installed with some scripts that easy encryption keys creation. We now copy this scripts in the VPN"
echo "server configuration folder so that we can edit them :"

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

echo "Two of the files of this configuration needs to be edited. We start by downloading modified versions needed by this howto :"


echo "WGET the pre-conf files y/n?"
read ludo

if [ "$ludo" == "y" ]  ; then

wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/vars \
    --output-document /etc/openvpn/easy-rsa/vars

wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/openssl.cnf \
    --output-document /etc/openvpn/easy-rsa/openssl.cnf

fi



echo "VPN server parameters"

echo "You can now edit the VPN configuration files to fit your needs  :"

echo "    * KEY_COUNTRY : Your country code."
    echo "* KEY_PROVINCE : Your province."
  echo "* KEY_CITY : Your city."
echo "    * KEY_ORG : The key name (you don't have to change it)."
echo "    * KEY_EMAIL : The email address associated to the key."

printf "Type Enter"
read kfjlkfdsj


vim /etc/openvpn/easy-rsa/vars



echo "A certification authority is a private / public keys pair used to sign other public keys. To create your certification authority, use the following command lines :"

source /etc/openvpn/easy-rsa/vars
export KEY_COMMONNAME="ca.$OPENVPN_SERVER"

/etc/openvpn/easy-rsa/clean-all
/etc/openvpn/easy-rsa/build-ca

printf "Type Enter"
read kfjlkfdsj


echo "If you have correctly set up easy-rsa, you can use the default values."

echo "Note :  Some free certification authority exists and can be used to sign HTTPS servers certificates. This is not necessary for a OpenVPN server, but if you want to do this, I think it is possible. To find more about this, visit CAcert."

echo "Server certificate creation"

echo "We will now create our server certificate. This is done by running these commands :"

source /etc/openvpn/easy-rsa/vars
export KEY_COMMONNAME="$OPENVPN_SERVER"
/etc/openvpn/easy-rsa/build-key-server server

echo "Here again, use default values."

echo "Note : You can protect your server certificate with a password. If you choose to do this, the password will be asked each time you need to create or revoke clients certificates. DO NOT LOOSE IT. It's a security asset, but it is not mandatory. Take your descision according to your paranoïa level."



echo "TLS key"

printf "Type Enter"
read kfjlkfdsj

echo "We now create a key that will protect our VPN from some attacks. It allow us to setup a HSA firewall :"

openvpn --genkey --secret /etc/openvpn/keys/ta.key

echo "Server configuration"

echo "To create our VPN server configuration, we use a example file :"

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

echo "We modify this file to feet our needs :"

source /etc/openvpn/easy-rsa/vars
sed -i  \
    -e "s/^ca ca\.crt/ca \/etc\/openvpn\/keys\/ca\.crt/" \
    -e "s/^cert server\.crt/cert \/etc\/openvpn\/keys\/server\.crt/" \
    -e "s/^key server\.key/key \/etc\/openvpn\/keys\/server\.key/" \
    -e "s/^dh[\t ]*dh1024.pem/dh \/etc\/openvpn\/keys\/dh$KEY_SIZE.pem/" \
    -e "s/^server[\t ].*$/server $OPENVPN_IPRANGE\.0 255\.255\.255\.0/" \
    -e 's/^;\(tls-auth \)\(ta.key.*\)$/\1\/etc\/openvpn\/keys\/\2/' \
    -e 's/^;\(.*# Triple-DES\)$/\1/' \
    -e 's/^\(status \).*/\1\/var\/log\/openvpn-status.log/' \
    /etc/openvpn/server.conf

printf "Type Enter"
echo "type quit q"
read kfjlkfdsj

less /etc/openvpn/server.conf


echo "Reduced permissions"

echo "We want our VPN server to run with minimals permissions. First, make you keys folder readable :"

chmod go+rx /etc/openvpn/keys

echo "And setup OpenVPN to run with nouser and nogroup permissions :"

sed -i \
    -e 's/^;\(user[ \t]*.*\)/\1/' \
    -e 's/^;\(group[ \t]*.*\)/\1/' \
    /etc/openvpn/server.conf

printf "Type Enter"
echo "type quit q"
read kfjlkfdsj

less /etc/openvpn/server.conf

echo "Client to Client communication in the VPN network"

echo "If you want your VPN clients to be able to dialog with each others, and not only with the server, run this command line :"

sed -i -e 's/^;client-to-client/client-to-client/' \
    /etc/openvpn/server.conf

echo "Clients revocation management :"

echo "In order to detect revoked clients, we enable the revoked certificates management :"

echo "
# Revoked certificate list
crl-verify /etc/openvpn/keys/crl.pem" >> /etc/openvpn/server.conf

echo "# Revoked certificate list"  >> /etc/openvpn/server.conf
echo "crl-verify /etc/openvpn/keys/crl.pem"  >> /etc/openvpn/server.conf

echo "And we create a empty crl.pem file :"

echo "" > /etc/openvpn/keys/crl.pem


cd /etc/openvpn/easy-rsa
echo "* OPENSSL REQ:*"
ls  openssl.cnf
mkdir -p demoCA/private
mkdir -p demoCA/certs
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/certs/cacert.pem -days 3650 -config openssl.cnf

# gültige CRL erstellen

echo "* OPENSSL :*"
openssl ca  -gencrl -out /etc/openvpn/keys/crl.pem


echo "---- non important begin"
chmod +x /etc/openvpn/easy-rsa/make-crl
chmod +x /etc/openvpn/make-crl
echo "---- end"

# here are big errors
#cp /etc/openvpn/keys/crl.pem /etc/openvpn/keys/privkey.pem
echo "* MAKE-CRL:*"
/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem

printf "Type Enter"
read kfjlkfdsj

echo "Last step"

echo "The last step is to restart the VPN server :"

printf "Type Enter to restart the VPN Server"
read kfjlkfdsj


/etc/init.d/openvpn restart


All times are GMT -5. The time now is 02:53 AM.