Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-19 19:30:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #361 from jellemdekker/feature/generate-crl-during-installation

Browse source 
Generate and activate CRL during installation
This commit is contained in:
redfast00 2017-09-24 01:12:05 +02:00 committed by GitHub
commit 003b27362f
3 changed files with 6 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
auto_install/install.sh
View file

@ -884,6 +884,11 @@ EOF
# Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret pki/ta.key
# Generate an empty Certificate Revocation List
${SUDOE} ./easyrsa gen-crl
${SUDOE} cp pki/crl.pem /etc/openvpn/crl.pem
${SUDOE} chown nobody:nogroup /etc/openvpn/crl.pem
# Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -992,10 +997,6 @@ confOVPN() {
$SUDO cp /tmp/pivpnUSR /etc/pivpn/INSTALL_USER
$SUDO cp /tmp/DET_PLATFORM /etc/pivpn/DET_PLATFORM
# Set status that no certs have been revoked
echo 0 > /tmp/REVOKE_STATUS
$SUDO cp /tmp/REVOKE_STATUS /etc/pivpn/REVOKE_STATUS
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [[ ${useUpdateVars} == false ]]; then

17
scripts/removeOVPN.sh
View file

@ -2,7 +2,6 @@
# PiVPN: revoke client script
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
@ -105,22 +104,6 @@ fi
cd /etc/openvpn/easy-rsa || exit
if [ "${REVOKE_STATUS}" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "First we need to initialize the Certificate Revocation List.\n"
printf "Then add the CRL to your server config and restart openvpn.\n"
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart
else
systemctl restart openvpn.service
fi
fi
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"

2
server_config.txt
View file

@ -33,7 +33,7 @@ user nobody
group nogroup
persist-key
persist-tun
#crl-verify /etc/openvpn/crl.pem
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
log /var/log/openvpn.log