diff --git a/auto_install/install.sh b/auto_install/install.sh
index 29cc897..8dbe4f5 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -15,7 +15,8 @@
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
pivpnFilesDir="/etc/.pivpn"
-easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/3.0.1-pivpn/EasyRSA-3.0.1-pivpn.tgz"
+easyrsaVer="3.0.1-pivpn1"
+easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
@@ -143,10 +144,9 @@ chooseUser() {
then
# See http://askubuntu.com/a/667842/459815
PASSWORD=$(whiptail --title "password dialog" --passwordbox "Please enter the new user password" ${r} ${c} 3>&1 1>&2 2>&3)
- CRYPT=$(perl -e 'printf("%s\n", crypt($ARGV[0], "password"))' "$password")
- $SUDO useradd -m -p "$CRYPT" -s /bin/bash "$userToAdd"
- if [ $? -eq 0 ]
- then
+ CRYPT=$(perl -e 'printf("%s\n", crypt($ARGV[0], "password"))' "${PASSWORD}")
+ $SUDO useradd -m -p "${CRYPT}" -s /bin/bash "${userToAdd}"
+ if [[ $? = 0 ]]; then
echo "Succeeded"
((numUsers+=1))
else
@@ -157,8 +157,8 @@ chooseUser() {
fi
fi
availableUsers=$(awk -F':' '$3>=500 && $3<=60000 {print $1}' /etc/passwd)
- userArray=()
- firstloop=1
+ local userArray=()
+ local firstloop=1
while read -r line
do
@@ -167,13 +167,12 @@ chooseUser() {
firstloop=0
mode="ON"
fi
- userArray+=("$line" "" "$mode")
+ userArray+=("${line}" "" "${mode}")
done <<< "${availableUsers}"
chooseUserCmd=(whiptail --title "Choose A User" --separate-output --radiolist "Choose:" ${r} ${c} ${numUsers})
- if chooseUserOptions=$("${chooseUserCmd[@]}" "${userArray[@]}" 2>&1 >/dev/tty)
- then
- for desiredUser in ${chooseUserOptions}
- do
+ chooseUserOptions=$("${chooseUserCmd[@]}" "${userArray[@]}" 2>&1 >/dev/tty)
+ if [[ $? = 0 ]]; then
+ for desiredUser in ${chooseUserOptions}; do
pivpnUser=${desiredUser}
echo "::: Using User: $pivpnUser"
echo "${pivpnUser}" > /tmp/pivpnUSR
@@ -184,7 +183,6 @@ chooseUser() {
fi
}
-
verifyFreeDiskSpace() {
# If user installs unattended-upgrades we'd need about 60MB so will check for 75MB free
echo "::: Verifying free disk space..."
@@ -239,7 +237,7 @@ chooseInterface() {
mode="ON"
fi
interfacesArray+=("${line}" "available" "${mode}")
- done <<< "$availableInterfaces"
+ done <<< "${availableInterfaces}"
# Find out how many interfaces are available to choose from
interfaceCount=$(echo "${availableInterfaces}" | wc -l)
@@ -320,7 +318,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that,
setDHCPCD() {
# Append these lines to dhcpcd.conf to enable a static IP
- echo "## interface ${pivpnInterface}
+ echo "interface ${pivpnInterface}
static ip_address=${IPv4addr}
static routers=${IPv4gw}
static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null
@@ -461,7 +459,7 @@ checkForDependencies() {
echo ":::"
echo "::: Checking dependencies:"
- dependencies=( openvpn easy-rsa git iptables-persistent dnsutils expect whiptail )
+ dependencies=( openvpn git dhcpcd5 tar wget iptables-persistent dnsutils expect whiptail )
for i in "${dependencies[@]}"; do
echo -n "::: Checking for $i..."
if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then
@@ -471,7 +469,7 @@ checkForDependencies() {
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections
fi
- if [[ $i = "expect" ]]; then
+ if [[ $i == "expect" ]] || [[ $i == "openvpn" ]]; then
$SUDO apt-get --yes --quiet --no-install-recommends install "$i" > /dev/null & spinner $!
else
$SUDO apt-get --yes --quiet install "$i" > /dev/null & spinner $!
@@ -590,16 +588,17 @@ setCustomPort() {
}
setClientDNS() {
- DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients. To use your own, select Custom." ${r} ${c} 5)
+ DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients. To use your own, select Custom." ${r} ${c} 6)
DNSChooseOptions=(Google "" on
OpenDNS "" off
Level3 "" off
+ DNS.WATCH "" off
Norton "" off
Custom "" off)
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
then
- case $DNSchoices in
+ case ${DNSchoices} in
Google)
echo "::: Using Google DNS servers."
OVPNDNS1="8.8.8.8"
@@ -620,6 +619,13 @@ setClientDNS() {
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
;;
+ DNS.WATCH)
+ echo "::: Using DNS.WATCH servers."
+ OVPNDNS1="82.200.69.80"
+ OVPNDNS2="84.200.70.40"
+ $SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
+ $SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
+ ;;
Norton)
echo "::: Using Norton ConnectSafe servers."
OVPNDNS1="199.85.126.10"
@@ -695,124 +701,63 @@ confOpenVPN() {
exit 1
fi
- # Copy the easy-rsa files to a directory inside the new openvpn directory
- $SUDO cp -r /usr/share/easy-rsa /etc/openvpn
+ # If easy-rsa exists, remove it
+ if [[ -d /etc/openvpn/easy-rsa/ ]]; then
+ $SUDO rm -rf /etc/openvpn/easy-rsa/
+ fi
- # Edit the EASY_RSA variable in the vars file to point to the new easy-rsa directory,
- # And set the chosen key size
+ # Get the PiVPN easy-rsa
+ wget -q -O "/tmp/EasyRSA-${easyrsaVer}" "${easyrsaRel}"
+ tar xzf /tmp/EasyRSA-${easyrsaVer} -C /tmp
+ $SUDO mv /tmp/EasyRSA-${easyrsaVer}/ /etc/openvpn/easy-rsa/
+ $SUDO chown -R root:root /etc/openvpn/easy-rsa
+ $SUDO mkdir /etc/openvpn/easy-rsa/pki
+
+ # Write out new vars file
+ IFS= read -d '' String <<"EOF"
+if [ -z "$EASYRSA_CALLER" ]; then
+ echo "Nope." >&2
+ return 1
+fi
+set_var EASYRSA "/etc/openvpn/easy-rsa"
+set_var EASYRSA_PKI "$EASYRSA/pki"
+set_var EASYRSA_KEY_SIZE 2048
+set_var EASYRSA_ALGO rsa
+set_var EASYRSA_CURVE secp384r1
+EOF
+
+echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
+
+ # Edit the KEY_SIZE variable in the vars file to set user chosen key size
cd /etc/openvpn/easy-rsa || exit
- $SUDO sed -i 's:"`pwd`":"/etc/openvpn/easy-rsa":' vars
- $SUDO sed -i "s/\(KEY_SIZE=\).*/\1${ENCRYPT}/" vars
-
- # Init Cert Values
- COUNTRY="US"
- STATE="CA"
- CITY="SanFrancisco"
- ORG="Fort-Funston"
- SERVER_NAME="server"
- KEY_NAME="EasyRSA"
- EMAIL="me@myhost.mydomain"
-
- whiptail --title "Certificate Information" --msgbox "You will now be shown the default values for fields that will be used in the certificate. \nIt is fine to leave these as-is since only you and the clients you create will ever see this. \nHowever, if you want to change the values, simply select the ones you wish to modify." ${r} ${c}
-
- until [[ $CERTVALCorrect = True ]]
- do
- CERTVAL=$(whiptail --title "Certificate Information" --checklist "Choose any certificate values you want to change" ${r} ${c} 7 \
- "COUNTRY" "= US" OFF \
- "STATE" "= CA" OFF \
- "CITY" "= SanFranciso" OFF \
- "ORG" "= Fort-Funston" OFF \
- "SERVER_NAME" "= server" OFF \
- "KEY_NAME" "= EasyRSA" OFF \
- "EMAIL" "= me@myhost.mydomain" OFF 3>&1 1>&2 2>&3)
-
- exitstatus=$?
- if [ $exitstatus != 0 ]; then
- echo "::: Cancel selected. Exiting..."
- exit 1
- fi
-
- for i in $CERTVAL
- do
- if [ "$i" == '"COUNTRY"' ]; then
- COUNTRY=$(whiptail --title "Certificate Country" --inputbox \
- "Enter a 2 letter abbreviation for Country" ${r} ${c} US 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_COUNTRY=\"\).*/\1${COUNTRY}\"/" vars
- fi
- if [ "$i" == '"STATE"' ]; then
- STATE=$(whiptail --title "Certificate State" --inputbox \
- "Enter a 2 letter abbreviated State or Province" ${r} ${c} CA 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_PROVINCE=\"\).*/\1${STATE}\"/" vars
- fi
- if [ "$i" == '"CITY"' ]; then
- CITY=$(whiptail --title "Certificate City" --inputbox \
- "Enter a City name" ${r} ${c} SanFrancisco 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_CITY=\"\).*/\1${CITY}\"/" vars
- fi
- if [ "$i" == '"ORG"' ]; then
- ORG=$(whiptail --title "Certificate Org" --inputbox \
- "Enter an Organization name" ${r} ${c} Fort-Funston 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_ORG=\"\).*/\1${ORG}\"/" vars
- fi
- if [ "$i" == '"EMAIL"' ]; then
- EMAIL=$(whiptail --title "Certificate Email" --inputbox \
- "Enter an Email Address" ${r} ${c} "me@myhost.mydomain" 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_EMAIL=\"\).*/\1${EMAIL}\"/" vars
- fi
- if [ "$i" == '"SERVER_NAME"' ]; then
- SERVER_NAME=$(whiptail --title "Server Name" --inputbox \
- "Enter a Server Name" ${r} ${c} "pivpn" 3>&1 1>&2 2>&3)
- # This began a rabbit hole of errors. Nope.
- #sed -i '/export KEY_CN/s/^#//g' vars
- #sed -i "s/\(KEY_CN=\"\).*/\1${SERVER_NAME}\"/" vars
- fi
- if [ "$i" == '"KEY_NAME"' ]; then
- KEY_NAME=$(whiptail --title "Key Name" --inputbox \
- "Enter a Key Name" ${r} ${c} "EasyRSA" 3>&1 1>&2 2>&3)
- $SUDO sed -i "s/\(KEY_NAME=\"\).*/\1${KEY_NAME}\"/" vars
- fi
- done
- if (whiptail --backtitle "Confirm Certificate Fields" --title "Confirm Certificate Fields" --yesno "Are these values correct?\n\n Country: $COUNTRY\n State: $STATE\n City: $CITY\n Org: $ORG\n Email: $EMAIL\n Server Name: $SERVER_NAME\n Key Name: $KEY_NAME" ${r} ${c}) then
- CERTVALCorrect=True
- else
- CERTVALCorrect=False
- fi
- done
- # Make PiVPN the OU
- KEY_OU=PiVPN
- $SUDO sed -i "s/\(KEY_OU=\"\).*/\1${KEY_OU}\"/" vars
-
- # It seems you have to set this if you mess with key_cn, lets not.
- # grep -q 'KEY_ALTNAMES=' vars || printf '\nexport KEY_ALTNAMES="PiVPN_KEYALT"\n' >> vars
- echo "export KEY_ALTNAMES=\"PiVPN_ALTNAME\"" >> vars
- # source the vars file just edited
- source ./vars
+ $SUDO sed -i "s/\(KEY_SIZE\).*/\1 ${ENCRYPT}/" vars
# Remove any previous keys
- ${SUDOE} ./clean-all
+ ${SUDOE} ./easyrsa --batch init-pki
# Build the certificate authority
- echo "::: Building CA..."
- ${SUDOE} ./build-ca < /etc/.pivpn/ca_info.txt
+ printf "::: Building CA...\n"
+ ${SUDOE} ./easyrsa --batch build-ca nopass
printf "\n::: CA Complete.\n"
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
# Build the server
- ${SUDOE} ./build-key-server --batch "$SERVER_NAME"
+ ${SUDOE} ./easyrsa build-server-full server nopass
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
then
- # Downloading parameters, $KEY_DIR and $KEY_SIZE get set by sourcing ./vars
+ # Downloading parameters
RANDOM_INDEX=$(( RANDOM % 128 ))
- ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "${KEY_DIR}/dh${KEY_SIZE}.pem"
+ ${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
else
# Generate Diffie-Hellman key exchange
- ${SUDOE} ./build-dh
+ ${SUDOE} ./easyrsa gen-dh
+ ${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
fi
# Generate static HMAC key to defend against DDoS
- ${SUDOE} openvpn --genkey --secret keys/ta.key
+ ${SUDOE} openvpn --genkey --secret pki/ta.key
# Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@@ -821,7 +766,7 @@ fi
$SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf
# Set the user encryption key size
- $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/keys\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf
+ $SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf
# if they modified port put value in server.conf
if [ $PORT != 1194 ]; then
@@ -834,8 +779,8 @@ fi
fi
# write out server certs to conf file
- $SUDO sed -i "s/\(key \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.key/" /etc/openvpn/server.conf
- $SUDO sed -i "s/\(cert \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.crt/" /etc/openvpn/server.conf
+ $SUDO sed -i "s/\(key \/etc\/openvpn\/easy-rsa\/pki\/private\/\).*/\1${SERVER_NAME}.key/" /etc/openvpn/server.conf
+ $SUDO sed -i "s/\(cert \/etc\/openvpn\/easy-rsa\/pki\/issued\/\).*/\1${SERVER_NAME}.crt/" /etc/openvpn/server.conf
}
confUnattendedUpgrades() {
@@ -932,10 +877,10 @@ confOVPN() {
exit 1
fi
- $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/keys/Default.txt
+ $SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [ "$METH" == "$IPv4pub" ]; then
- $SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/keys/Default.txt
+ $SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
until [[ $publicDNSCorrect = True ]]
do
@@ -947,7 +892,7 @@ confOVPN() {
fi
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
publicDNSCorrect=True
- $SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/keys/Default.txt
+ $SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
publicDNSCorrect=False
@@ -957,16 +902,16 @@ confOVPN() {
# if they modified port put value in Default.txt for clients to use
if [ $PORT != 1194 ]; then
- $SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/keys/Default.txt
+ $SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi
# if they modified protocol put value in Default.txt for clients to use
if [ "$PROTO" != "udp" ]; then
- $SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/keys/Default.txt
+ $SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi
# verify server name to strengthen security
- $SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/keys/Default.txt
+ $SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
$SUDO mkdir "/home/$pivpnUser/ovpns"
$SUDO chmod 0777 -R "/home/$pivpnUser/ovpns"
diff --git a/pivpn b/pivpn
index 01657e8..95d53e8 100644
--- a/pivpn
+++ b/pivpn
@@ -42,7 +42,7 @@ function uninstallFunc {
}
function versionFunc {
- printf "\e[1mVersion 1.6\e[0m\n"
+ printf "\e[1mVersion 1.7\e[0m\n"
}
function helpFunc {
diff --git a/scripts/listOVPN.sh b/scripts/listOVPN.sh
index 90b870d..ec0ffd7 100644
--- a/scripts/listOVPN.sh
+++ b/scripts/listOVPN.sh
@@ -1,9 +1,9 @@
#!/usr/bin/env bash
# PiVPN: list clients script
-INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
+INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
printf "\n"
-if [ ! -f "$INDEX" ]; then
+if [ ! -f "${INDEX}" ]; then
echo "The file: $INDEX was not found!"
exit 1
fi
@@ -15,13 +15,13 @@ printf " ::\e[4m Status \e[0m||\e[4m Name \e[0m:: \n"
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
- NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
- if [ "$STATUS" = "V" ]; then
+ NAME=$(echo "$line" | sed -e 's:.*/CN=::')
+ if [ "${STATUS}" == "V" ]; then
printf " Valid :: %s\n" "$NAME"
- elif [ "$STATUS" = "R" ]; then
+ elif [ "${STATUS}" == "R" ]; then
printf " Revoked :: %s\n" "$NAME"
else
printf " Unknown :: %s\n" "$NAME"
fi
-done <$INDEX
+done <${INDEX}
printf "\n"
diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh
index 527a7a3..dba75bd 100644
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@@ -4,40 +4,24 @@
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
-OKEY=".key"
-KEY=".3des.key"
+KEY=".key"
CA="ca.crt"
TA="ta.key"
-INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
+INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
# Functions def
function keynoPASS() {
- # Override key def
- KEY=".key"
-
#Build the client key
expect << EOF
set timeout -1
- spawn ./build-key "$NAME"
- expect "Country Name" { send "\r" }
- expect "State or Province Name" { send "\r" }
- expect "Locality Name" { send "\r" }
- expect "Organization Name" { send "\r" }
- expect "Organizational Unit" { send "\r" }
- expect "Common Name" { send "\r" }
- expect "Name" { send "\r" }
- expect "Email Address" { send "\r" }
- expect "challenge password" { send "\r" }
- expect "optional company name" { send "\r" }
- expect "Sign the certificate" { send "y\r" }
- expect "commit" { send "y\r" }
+ spawn ./easyrsa build-client-full "$NAME" nopass
expect eof
EOF
- cd keys || exit
+ cd pki || exit
}
@@ -75,65 +59,44 @@ function keyPASS() {
expect << EOF
set timeout -1
- spawn ./build-key-pass "$NAME"
+ spawn ./easyrsa build-client-full "$NAME"
expect "Enter PEM pass phrase" { send "${PASSWD}\r" }
expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" }
- expect "Country Name" { send "\r" }
- expect "State or Province Name" { send "\r" }
- expect "Locality Name" { send "\r" }
- expect "Organization Name" { send "\r" }
- expect "Organizational Unit" { send "\r" }
- expect "Common Name" { send "\r" }
- expect "Name" { send "\r" }
- expect "Email Address" { send "\r" }
- expect "challenge password" { send "\r" }
- expect "optional company name" { send "\r" }
- expect "Sign the certificate" { send "y\r" }
- expect "commit" { send "y\r" }
expect eof
EOF
- cd keys || exit
+ cd pki || exit
- expect << EOF
- set timeout -1
- spawn openssl rsa -in "$NAME$OKEY" -des3 -out "$NAME$KEY"
- expect "Enter pass phrase for" { send "${PASSWD}\r" }
- expect "Enter PEM pass phrase" { send "${PASSWD}\r" }
- expect "Verifying - Enter PEM pass" { send "${PASSWD}\r" }
- expect eof
-EOF
}
printf "Enter a Name for the Client: "
read -r NAME
-if [[ "$NAME" =~ [^a-zA-Z0-9] ]]; then
- echo "Name can only contain alphanumeric characters"
+if [[ "${NAME}" =~ [^a-zA-Z0-9] ]]; then
+ echo "Name can only contain alphanumeric characters."
exit 1
fi
-if [[ -z "$NAME" ]]; then
- echo "You cannot leave the name blank"
+if [[ -z "${NAME}" ]]; then
+ echo "You cannot leave the name blank."
exit 1
fi
# Check if name is already in use
while read -r line || [ -n "$line" ]; do
- if [ "$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')" = "$NAME" ]; then
- echo "Name is already in use"
+ if [ "$(echo "$line" | sed -e 's:.*/CN=::')" == "${NAME}" ]; then
+ echo "Name is already in use."
exit 1
fi
-done <$INDEX
+done <${INDEX}
# Check if name is reserved
-if [ "$NAME" = "ta" ] || [ "$NAME" = "server" ] || [ "$NAME" = "ca" ]; then
- echo "Sorry, this name is unavailable, please choose another one"
+if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then
+ echo "Sorry, this is in use by the server and cannot be used by clients."
exit 1
fi
cd /etc/openvpn/easy-rsa || exit
-source /etc/openvpn/easy-rsa/vars
if [[ "$@" =~ "nopass" ]]; then
keynoPASS
@@ -142,28 +105,28 @@ else
fi
#1st Verify that clients Public Key Exists
-if [ ! -f "$NAME$CRT" ]; then
+if [ ! -f "issued/${NAME}${CRT}" ]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit
fi
echo "Client's cert found: $NAME$CRT"
#Then, verify that there is a private key for that client
-if [ ! -f "$NAME$KEY" ]; then
- echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
+if [ ! -f "private/${NAME}${KEY}" ]; then
+ echo "[ERROR]: Client Private Key not found: $NAME$KEY"
exit
fi
echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists
-if [ ! -f "$CA" ]; then
+if [ ! -f "${CA}" ]; then
echo "[ERROR]: CA Public Key not found: $CA"
exit
fi
echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists
-if [ ! -f "$TA" ]; then
+if [ ! -f "${TA}" ]; then
echo "[ERROR]: tls-auth Key not found: $TA"
exit
fi
@@ -172,31 +135,31 @@ echo "tls-auth Private Key found: $TA"
#Ready to make a new .ovpn file
{
# Start by populating with the default file
- cat "$DEFAULT"
+ cat "${DEFAULT}"
#Now, append the CA Public Cert
echo ""
- cat "$CA"
+ cat "${CA}"
echo ""
#Next append the client Public Cert
echo ""
- sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "$NAME$CRT"
+ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
echo ""
#Then, append the client Private Key
echo ""
- cat "$NAME$KEY"
+ cat "private/${NAME}${KEY}"
echo ""
#Finally, append the TA Private Key
echo ""
- cat "$TA"
+ cat "${TA}"
echo ""
-} > "$NAME$FILEEXT"
+} > "${NAME}${FILEEXT}"
# Copy the .ovpn profile to the home directory for convenient remote access
-cp "/etc/openvpn/easy-rsa/keys/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
+cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
printf "\n\n"
printf "========================================================\n"
diff --git a/scripts/removeOVPN.sh b/scripts/removeOVPN.sh
index d695e3b..ad61aeb 100644
--- a/scripts/removeOVPN.sh
+++ b/scripts/removeOVPN.sh
@@ -4,9 +4,9 @@
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
-INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
+INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
-if [ ! -f "$INDEX" ]; then
+if [ ! -f "${INDEX}" ]; then
printf "The file: %s was not found\n" "$INDEX"
exit 1
fi
@@ -18,7 +18,7 @@ i=0
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "$STATUS" = "V" ]]; then
- NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
+ NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=$NAME
if [ "$i" != 0 ]; then
# Prevent printing "server" certificate
@@ -26,13 +26,13 @@ while read -r line || [ -n "$line" ]; do
fi
let i=i+1
fi
-done <$INDEX
+done <${INDEX}
printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:"
read -r NAME
-if [[ -z "$NAME" ]]; then
+if [[ -z "${NAME}" ]]; then
echo "::: You can not leave this blank!"
exit 1
fi
@@ -43,24 +43,21 @@ for((x=1;x<=i;++x)); do
fi
done
-if [ -z "$VALID" ]; then
+if [ -z "${VALID}" ]; then
printf "::: You didn't enter a valid cert name!\n"
exit 1
fi
cd /etc/openvpn/easy-rsa || exit
-source /etc/openvpn/easy-rsa/vars
-./revoke-full "$NAME"
-echo "::: Certificate revoked, removing ovpns from /home/$INSTALL_USER/ovpns"
-rm "/home/$INSTALL_USER/ovpns/$NAME.ovpn"
-cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl.pem
-echo "::: Completed!"
-
-if [ "$REVOKE_STATUS" == 0 ]; then
+if [ "${REVOKE_STATUS}" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n"
- printf "We are adding the CRL to the server.conf and restarting openvpn.\n"
+ printf "First we need to initialize the Certificate Revocation List.\n"
+ printf "Then add the CRL to your server config and restart openvpn.\n"
+ ./easyrsa gen-crl
+ cp pki/crl.pem /etc/openvpn/crl.pem
+ chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart
@@ -68,3 +65,13 @@ if [ "$REVOKE_STATUS" == 0 ]; then
systemctl restart openvpn.service
fi
fi
+
+./easyrsa --batch revoke "${NAME}"
+printf "\n::: Certificate revoked, and CRL file updated.\n"
+printf "::: Removing certs and client configuration for this profile.\n"
+rm -rf "pki/reqs/${NAME}.req"
+rm -rf "pki/private/${NAME}.key"
+rm -rf "pki/issued/${NAME}.crt"
+rm -rf "/home/$INSTALL_USER/ovpns/${NAME}.ovpn"
+cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
+printf "::: Completed!\n"
diff --git a/server_config.txt b/server_config.txt
index 900bbba..cfa9733 100644
--- a/server_config.txt
+++ b/server_config.txt
@@ -1,10 +1,11 @@
dev tun
proto udp
port 1194
-ca /etc/openvpn/easy-rsa/keys/ca.crt
-cert /etc/openvpn/easy-rsa/keys/server.crt
-key /etc/openvpn/easy-rsa/keys/server.key
-dh /etc/openvpn/easy-rsa/keys/dh1024.pem
+ca /etc/openvpn/easy-rsa/pki/ca.crt
+cert /etc/openvpn/easy-rsa/pki/issued/server.crt
+key /etc/openvpn/easy-rsa/pki/private/server.key
+dh /etc/openvpn/easy-rsa/pki/dh1024.pem
+topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
@@ -25,7 +26,7 @@ client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
-tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
+tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
@@ -37,4 +38,4 @@ persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
-# This configuration file was originally written by Lauren Orsini at ReadWrite.
+# Generated for use by PiVPN.io