OpenVPN supports certificates generated by easy-rsa. This script creates client configuration files using the inline format with easyrsa3
| #!/bin/bash | |
| # Original Script written by Eric Jodoin | |
| # Update by Eric Maasdorp 2017-12-16 | |
| # Update for easyrsa3 by Holger Smolinski 2020-04-16 | |
| wd=$( pwd ) | |
| #Ask for a Client name | |
| name=${REQ_CN:-} | |
| while [ -z "${name}" ]; do | |
| read -p "Please enter the client name (Ctrl-C to exit): " name | |
| done; | |
| openvpn=${OPENVPN:-/etc/openvpn} | |
| ovpnTemplate=${OPENVPN_TEMPLATE:-${openvpn}/openvpn.client.template} | |
| EASY_RSA_DIR=${EASY_RSA:-${openvpn}/easy-rsa} | |
| export EASY_RSA_DIR # exported for use in subshell | |
| fileext=".ovpn" | |
| crt=".crt" | |
| key=".key" | |
| caCertFile="ca"${crt} | |
| tlsAuthKeyFile="ta"${key} | |
| pkipath=$( | |
| set +x | |
| function set_var() { | |
| var=$1 | |
| shift | |
| value="$*" | |
| eval "export $var=\"\${${var}-${value}}\"" | |
| } #=> set_var() | |
| EASYRSA_CALLER=1 source ${EASY_RSA_DIR}/vars | |
| echo $EASYRSA_PKI | |
| ) | |
| ovpnFile=${name}${fileext} | |
| capath=${pkipath}/${caCertFile} | |
| crtpath=${pkipath}/issued/${name}${crt} | |
| keypath=${pkipath}/private/${name}${key} | |
| tapath=${openvpn}/${tlsAuthKeyFile} | |
| while [ -z "${yesno}" ]; do | |
| read -p "Creating ovpn inline config file ${wd}/${ovpnFile} for ${name} using PKI ${pkipath} (y/N)" yesno | |
| [ "${yesno}" == "y" ] || exit | |
| done | |
| # Here's the beef... | |
| ( | |
| set -x | |
| EASYRSA_REQ_CN=${name} # required for batch mode | |
| ${EASY_RSA_DIR}/easyrsa --batch gen-req ${name} nopass | |
| ${EASY_RSA_DIR}/easyrsa --batch sign-req client ${name} | |
| ) | |
| # Confirm the CA public key exists | |
| # Short version: ( [ -f ${capath} ] && echo "found" ) || echo "Not found" | |
| if [ ! -r ${capath} ]; then | |
| echo "[ERROR]: CA's Public Key not found or not readable: ${capath}" | |
| exit | |
| fi | |
| echo "CA's public Key found: ${capath}" | |
| #1st Verify that client's Public Key Exists | |
| if [ ! -r ${crtpath} ]; then | |
| echo "[ERROR]: Client's Public Key Certificate not found or not readable: ${crtpath}" | |
| exit | |
| fi | |
| echo "Client's cert found: ${crtpath}" | |
| #Then, verify that there is a private key for that client | |
| if [ ! -r ${keypath} ]; then | |
| echo "[ERROR]: Client's Private Key not found or not readable: ${keypath}" | |
| exit | |
| fi | |
| echo "Client's Private Key found: ${keypath}" | |
| #Confirm the tls-auth ta key file exists | |
| if [ ! -r ${tapath} ]; then | |
| if [ -f ${tapath} ]; then | |
| echo "tls-kauth Key exists but is not readable:" ${tapath} | |
| echo "File mode : " $( ls -al ${tapath} ) | |
| echo "Current user : " $( id ) | |
| else | |
| echo "[ERROR]: tls-auth Key not found or not readable: ${tapath}" | |
| fi | |
| exit | |
| fi | |
| echo "tls-auth Private Key found: ${tapath}" | |
| #Ready to make a new .opvn file - Start by populating with the | |
| cat $ovpnTemplate > $ovpnFile | |
| #Now, append the CA Public Cert | |
| echo "<ca>" >> $ovpnFile | |
| cat ${capath} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $ovpnFile | |
| echo "</ca>" >> $ovpnFile | |
| #Next append the client Public Cert | |
| echo "<cert>" >> $ovpnFile | |
| cat ${crtpath} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $ovpnFile | |
| echo "</cert>" >> $ovpnFile | |
| #Then, append the client Private Key | |
| echo "<key>" >> $ovpnFile | |
| cat ${keypath} >> $ovpnFile | |
| echo "</key>" >> $ovpnFile | |
| #Finally, append the TA Private Key | |
| echo "<tls-auth>" >> $ovpnFile | |
| cat ${tapath} >> $ovpnFile | |
| echo "</tls-auth>" >> $ovpnFile | |
| echo "Done! $ovpnFile Successfully Created." |