LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 08-27-2009, 04:28 PM   #1
frenchn00b
Senior Member
 
Registered: Jun 2007
Location: E.U., Mountains :-)
Distribution: Debian, Etch, the greatest
Posts: 2,546

Rep: Reputation: 51
Can someone correct my script/improve to install OPENVPN - SERVER for Lenny / Debian?


(VPN is normally on port: 1723)
---
Script to install an OPENVPN Server, for newbies
---
(I dont understand where is the little detail error with openssl at the end)

The error is just this crl.pem file (OPENSSL / MAKE-CRL), below, almost at the end.

For an medium level/expert in Linux, it will be easy.

#
first copy /etc/openvpn (cuz make-crl missing and pkitool too)
1.0 into ../
2.0 into ../
and here we go

Code:
#!/bin/sh
#
# Howto from: http://howto.landure.fr/ 
# many thanks for Landure's help and website
# Automatic script to install OPENVPN. Frenchn00b

echo "OpenVPN installation is done by this command line :"
apt-get install openvpn openssl liblzo1

echo "Once OpenVPN installed on our system, we create a folder to regroup scripts used by this howto :"

mkdir --parents /etc/openvpn/scripts/

#mkdir -p /etc/openvpn/easy-rsa/keys

modprobe tun

mkdir /dev/net
mknod /dev/net/tun c 10 200


apt-get install module-init-tools


echo "OpenVPN use OpenSSL to encrypt connections. Clients authentication is based on private / public keys signature." 

echo "This keys are the core of a OpenVPN network. You need to be carefull when creating them."

echo "EasyRSA scripts setup"

echo "OpenVPN is installed with some scripts that easy encryption keys creation. We now copy this scripts in the VPN" 
echo "server configuration folder so that we can edit them :"

cp -r /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

echo "Two of the files of this configuration needs to be edited. We start by downloading modified versions needed by this howto :"


echo "WGET the pre-conf files y/n?"
read ludo

if [ "$ludo" == "y" ]  ; then 

wget  http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/vars \
     --output-document /etc/openvpn/easy-rsa/vars

wget http://howto.landure.fr/gnu-linux/debian-4-0-etch/installer-et-configurer-openvpn-sur-debian-4-0-etch/openssl.cnf \
     --output-document /etc/openvpn/easy-rsa/openssl.cnf

fi



echo "VPN server parameters"

echo "You can now edit the VPN configuration files to fit your needs  :"

echo "    * KEY_COUNTRY : Your country code."
    echo "* KEY_PROVINCE : Your province."
   echo "* KEY_CITY : Your city."
echo "    * KEY_ORG : The key name (you don't have to change it)."
echo "    * KEY_EMAIL : The email address associated to the key."

printf "Type Enter"
read kfjlkfdsj


vim /etc/openvpn/easy-rsa/vars



echo "A certification authority is a private / public keys pair used to sign other public keys. To create your certification authority, use the following command lines :"

source /etc/openvpn/easy-rsa/vars
export KEY_COMMONNAME="ca.$OPENVPN_SERVER"

/etc/openvpn/easy-rsa/clean-all
/etc/openvpn/easy-rsa/build-ca

printf "Type Enter"
read kfjlkfdsj


echo "If you have correctly set up easy-rsa, you can use the default values."

echo "Note :  Some free certification authority exists and can be used to sign HTTPS servers certificates. This is not necessary for a OpenVPN server, but if you want to do this, I think it is possible. To find more about this, visit CAcert."

echo "Server certificate creation"

echo "We will now create our server certificate. This is done by running these commands :"

source /etc/openvpn/easy-rsa/vars
export KEY_COMMONNAME="$OPENVPN_SERVER"
/etc/openvpn/easy-rsa/build-key-server server

echo "Here again, use default values."

echo "Note : You can protect your server certificate with a password. If you choose to do this, the password will be asked each time you need to create or revoke clients certificates. DO NOT LOOSE IT. It's a security asset, but it is not mandatory. Take your descision according to your paranoļa level."



echo "TLS key"

printf "Type Enter"
read kfjlkfdsj

echo "We now create a key that will protect our VPN from some attacks. It allow us to setup a HSA firewall :"

openvpn --genkey --secret /etc/openvpn/keys/ta.key

echo "Server configuration"

echo "To create our VPN server configuration, we use a example file :"

cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
gunzip /etc/openvpn/server.conf.gz

echo "We modify this file to feet our needs :"

source /etc/openvpn/easy-rsa/vars
sed -i  \
    -e "s/^ca ca\.crt/ca \/etc\/openvpn\/keys\/ca\.crt/" \
    -e "s/^cert server\.crt/cert \/etc\/openvpn\/keys\/server\.crt/" \
    -e "s/^key server\.key/key \/etc\/openvpn\/keys\/server\.key/" \
    -e "s/^dh[\t ]*dh1024.pem/dh \/etc\/openvpn\/keys\/dh$KEY_SIZE.pem/" \
    -e "s/^server[\t ].*$/server $OPENVPN_IPRANGE\.0 255\.255\.255\.0/" \
    -e 's/^;\(tls-auth \)\(ta.key.*\)$/\1\/etc\/openvpn\/keys\/\2/' \
    -e 's/^;\(.*# Triple-DES\)$/\1/' \
    -e 's/^\(status \).*/\1\/var\/log\/openvpn-status.log/' \
    /etc/openvpn/server.conf

printf "Type Enter"
echo "type quit q"
read kfjlkfdsj

less /etc/openvpn/server.conf


echo "Reduced permissions"

echo "We want our VPN server to run with minimals permissions. First, make you keys folder readable :"

chmod go+rx /etc/openvpn/keys

echo "And setup OpenVPN to run with nouser and nogroup permissions :"

sed -i \
    -e 's/^;\(user[ \t]*.*\)/\1/' \
    -e 's/^;\(group[ \t]*.*\)/\1/' \
    /etc/openvpn/server.conf

printf "Type Enter"
echo "type quit q"
read kfjlkfdsj

less /etc/openvpn/server.conf

echo "Client to Client communication in the VPN network"

echo "If you want your VPN clients to be able to dialog with each others, and not only with the server, run this command line :"

sed -i -e 's/^;client-to-client/client-to-client/' \
    /etc/openvpn/server.conf

echo "Clients revocation management :"

echo "In order to detect revoked clients, we enable the revoked certificates management :"

echo "
# Revoked certificate list
crl-verify /etc/openvpn/keys/crl.pem" >> /etc/openvpn/server.conf

echo "# Revoked certificate list"  >> /etc/openvpn/server.conf
echo "crl-verify /etc/openvpn/keys/crl.pem"  >> /etc/openvpn/server.conf

echo "And we create a empty crl.pem file :"

echo "" > /etc/openvpn/keys/crl.pem


cd /etc/openvpn/easy-rsa
echo "* OPENSSL REQ:*" 
ls  openssl.cnf
mkdir -p demoCA/private
mkdir -p demoCA/certs
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out demoCA/certs/cacert.pem -days 3650 -config openssl.cnf

# gültige CRL erstellen

echo "* OPENSSL :*" 
openssl ca  -gencrl -out /etc/openvpn/keys/crl.pem


echo "---- non important begin"
chmod +x /etc/openvpn/easy-rsa/make-crl
chmod +x /etc/openvpn/make-crl
echo "---- end"

# here are big errors
#cp /etc/openvpn/keys/crl.pem /etc/openvpn/keys/privkey.pem
echo "* MAKE-CRL:*" 
/etc/openvpn/easy-rsa/make-crl /etc/openvpn/keys/crl.pem

printf "Type Enter"
read kfjlkfdsj

echo "Last step"

echo "The last step is to restart the VPN server :"

printf "Type Enter to restart the VPN Server"
read kfjlkfdsj


/etc/init.d/openvpn restart

Last edited by frenchn00b; 08-27-2009 at 04:41 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: How To Install VMware Server 1.0.x On A Debian Lenny Desktop LXer Syndicated Linux News 0 03-25-2009 08:30 PM
LXer: How To Upgrade A Debian Etch System (Server & Desktop) To Debian Lenny LXer Syndicated Linux News 0 02-20-2009 05:30 PM
LXer: The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 2] LXer Syndicated Linux News 0 02-19-2009 12:00 PM
cant get iptables nat/server script correct furryhit Linux - Networking 2 03-14-2004 10:00 AM


All times are GMT -5. The time now is 09:00 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration