Update maj easy-rsa

This commit is contained in:
Clément ROUSSEAU 2020-03-16 08:43:02 +01:00
parent 8c3815e879
commit b0d5a7ee73
1 changed files with 28 additions and 32 deletions


@ -20,7 +20,7 @@ echo ' `--. \/ _ \| _| __\ \ /\ / / _` | '__/ _ \'
echo '/\__/ / (_) | | | |_ \ V V / (_| | | | __/'
echo '\____/ \___/|_| \__| \_/\_/ \__,_|_| \___|'
echo ""
echo "Programme de déploiement de service OpenVPN (V2)"
echo "Programme de déploiement de service OpenVPN (V3)"
echo ""
read -p "Ce script s'adresse aux utilisateurs expérimentés. Voulez-vous continuer ? (o/N) : " CONFIRM
CONFIRM=${CONFIRM^^}
@ -67,7 +67,9 @@ then
apt-get install ipcalc -y
echo "-- Installation de IPCALC terminé !"
apt-get install zip -y
echo "-- Installation de ZIP terminé !"
echo "-- Installation de ZIP terminé !"
apt-get install iptables-persistent -y
echo "-- Installation de iptables-persistent terminé !"
# Questions VPN et définition des variables
echo "########################"
@ -90,33 +92,30 @@ then
read -p "Entrer le DNS que votre client utilisera : " VPN_DNS
read -p "Entrer le TLD de votre réseau VPN : " VPN_TLD
VPN_TLD=${VPN_TLD,,}
read -p "Entre le nom du certificat client dde l'instance VPN : " VPN_USER
read -p "Entre le nom du certificat client de l'instance VPN : " VPN_USER
VPN_USER=${VPN_USER,,}
read -p "Voulez-vous sécuriser le certificat client par un mot de passe ? (o/N) : " VPN_USER_PASS
VPN_USER_PASS=${VPN_USER_PASS^^}
VPN_USER_PASS=${VPN_USER_PASS^^}
VPN_NETWORK=`ipcalc $VPN_NETWORK $VPN_NETMASK | grep Network | awk -F" " '{print $2}' | awk -F"/" '{print $1}'`
INTERFACES_CONFIG=`cat /etc/network/interfaces | grep "pre-up iptables-restore < /etc/openvpn/iptables.rules"`
# Configuration VPN
echo "###################################"
echo "# Génération du certifiat serveur #"
echo "###################################"
mkdir /etc/openvpn/easy-rsa
cp /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
make-cadir /etc/openvpn/easy-rsa/
echo "-- easy-rsa copié !"
echo "" > /etc/openvpn/easy-rsa/vars
echo -e "export EASY_RSA=\"\`pwd\`\"\nexport OPENSSL=\"openssl\"\nexport PKCS11TOOL=\"pkcs11-tool\"\nexport GREP=\"grep\"\nexport KEY_CONFIG=\`\$EASY_RSA/whichopensslcnf \$EASY_RSA\`\nexport KEY_DIR=\"\$EASY_RSA/keys\"\necho NOTE: If you run ./clean-all, I will be doing a rm -rf on \$KEY_DIR\nexport PKCS11_MODULE_PATH=\"dummy\"\nexport PKCS11_PIN=\"dummy\"\nexport KEY_SIZE=2048\nexport CA_EXPIRE=3650\nexport KEY_COUNTRY=\"$KEY_COUNTRY\"\nexport KEY_PROVINCE=\"$KEY_PROVINCE\"\nexport KEY_CITY=\"$KEY_CITY\"\nexport KEY_ORG=\"$KEY_ORG\"\nexport KEY_EMAIL=\"$KEY_EMAIL\"\nexport KEY_OU=\"$KEY_OU\"\nexport KEY_NAME=\"$VPN_NAME\"" >> /etc/openvpn/easy-rsa/vars
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
echo -e "set_var EASYRSA_DN\t\"org\"\nset_var EASYRSA_REQ_COUNTRY\t\"$KEY_COUNTRY\"\nset_var EASYRSA_REQ_PROVINCE\t\"$KEY_PROVINCE\"\nset_var EASYRSA_REQ_CITY\t\"$KEY_CITY\"\nset_var EASYRSA_REQ_ORG\t\t\"$KEY_ORG\"\nset_var EASYRSA_REQ_OU\t\t\"$KEY_OU\"\nset_var EASYRSA_REQ_EMAIL\t\"$KEY_EMAIL\"\nset_var EASYRSA_KEY_SIZE\t8192\nset_var EASYRSA_CA_EXPIRE\t3650\nset_var EASYRSA_CERT_EXPIRE\t3650" >> /etc/openvpn/easy-rsa/vars
echo "-- easy-rsa modifié !"
cd /etc/openvpn/easy-rsa
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server $VPN_NAME
openvpn --genkey --secret keys/ta.key
./easyrsa init-pki
./easyrsa gen-dh
./easyrsa build-ca nopass
./easyrsa gen-req $VPN_NAME nopass
./easyrsa sign-req server $VPN_NAME
openvpn --genkey --secret /etc/openvpn/ta.key
echo "-- Certificat généré !"
cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/easy-rsa/keys/ta.key /etc/openvpn/easy-rsa/keys/$VPN_NAME.crt /etc/openvpn/easy-rsa/keys/$VPN_NAME.key /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/pki/issued/$VPN_NAME.crt /etc/openvpn/easy-rsa/pki/private/$VPN_NAME.key /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/
echo "-- Copie du certificat !"
echo "####################################"
echo "# Copie de la configuration du VPN #"
@ -125,37 +124,34 @@ then
mkdir /etc/openvpn/jail/tmp
mkdir /etc/openvpn/clientconf
touch /etc/openvpn/$VPN_NAME.conf
echo -e "mode server\nproto tcp\nport $VPN_PORT\ndev tun\ntopology subnet\nca ca.crt\ncert $VPN_NAME.crt\nkey $VPN_NAME.key\ndh dh2048.pem\ntls-auth ta.key 1\nkey-direction 0\ncipher AES-256-CBC\nserver $VPN_NETWORK $VPN_NETMASK\npush \"redirect-gateway def1\"\npush \"dhcp-option DNS $VPN_DNS\"\npush \"dhcp-option DOMAIN $VPN_TLD\"\nkeepalive 10 120\nclient-to-client\nuser nobody\ngroup nogroup\nchroot /etc/openvpn/jail\npersist-key\npersist-tun\ncomp-lzo\nduplicate-cn\nverb 3\nmute 20\nstatus openvpn-status.log\nlog-append /var/log/openvpn.log" >> /etc/openvpn/$VPN_NAME.conf
echo -e "mode server\nproto tcp\nport $VPN_PORT\ndev tun\ntopology subnet\nca ca.crt\ncert $VPN_NAME.crt\nkey $VPN_NAME.key\ndh dh.pem\ntls-auth ta.key 1\nkey-direction 0\ncipher AES-256-CBC\nserver $VPN_NETWORK $VPN_NETMASK\npush \"redirect-gateway def1\"\npush \"dhcp-option DNS $VPN_DNS\"\npush \"dhcp-option DOMAIN $VPN_TLD\"\nkeepalive 10 120\nclient-to-client\nuser nobody\ngroup nogroup\nchroot /etc/openvpn/jail\npersist-key\npersist-tun\ncomp-lzo\nduplicate-cn\nverb 3\nmute 20\nstatus openvpn-status.log\nlog-append /var/log/openvpn.log" >> /etc/openvpn/$VPN_NAME.conf
echo "-- Fichiers créés !"
echo "################################"
echo "# Activation du routage et NAT #"
echo "################################"
sed -i -e "s/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g" /etc/sysctl.conf
echo "-- Routage activé !"
iptables -I FORWARD -i tun0 -j ACCEPT
iptables -I FORWARD -o tun0 -j ACCEPT
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I OUTPUT -o tun0 -j ACCEPT
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
sh -c "iptables-save > /etc/openvpn/iptables.rules"
if [ -z $INTERFACES_CONFIG ];
then
echo "pre-up iptables-restore < /etc/openvpn/iptables.rules" >> /etc/network/interfaces
fi
/sbin/iptables -I FORWARD -i tun0 -j ACCEPT
/sbin/iptables -I FORWARD -o tun0 -j ACCEPT
/sbin/iptables -I INPUT -i tun0 -j ACCEPT
/sbin/iptables -I OUTPUT -o tun0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
/sbin/iptables-save > /etc/iptables/rules.v4
echo "-- Règles NAT activé !"
echo "##################################"
echo "# Génération du certifiat client #"
echo "##################################"
echo "# Génération du certifiat client #"
echo "##################################"
if [ $VPN_USER_PASS == 'O' ];
then
echo "Entrer le mot de passe du certificat client : "
./build-key-pass $VPN_USER
./easyrsa gen-req $VPN_USER
else
./build-key $VPN_USER
./easyrsa gen-req $VPN_USER nopass
fi
./easyrsa sign-req client $VPN_USER
echo "-- Certificat créé !"
mkdir /etc/openvpn/clientconf/$VPN_USER
cp /etc/openvpn/ca.crt /etc/openvpn/ta.key /etc/openvpn/easy-rsa/keys/$VPN_USER.crt /etc/openvpn/easy-rsa/keys/$VPN_USER.key /etc/openvpn/clientconf/$VPN_USER/
cp /etc/openvpn/ca.crt /etc/openvpn/ta.key /etc/openvpn/easy-rsa/pki/issued/$VPN_USER.crt /etc/openvpn/easy-rsa/pki/private/$VPN_USER.key /etc/openvpn/clientconf/$VPN_USER/
echo "-- Certificat copié !"
touch /etc/openvpn/clientconf/$VPN_USER/client.conf
echo -e "client\ndev tun\nproto tcp-client\nremote $VPN_ADRESSE $VPN_PORT\nresolv-retry infinite\ncipher AES-256-CBC\nca ca.crt\ncert $VPN_USER.crt\nkey $VPN_USER.key\ntls-auth ta.key 1\nkey-direction 1\nnobind\npersist-key\npersist-tun\ncomp-lzo\nverb 3\nauth-nocache" >> /etc/openvpn/clientconf/$VPN_USER/client.conf
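Review bot: The easy-rsa 3 calls introduced in the third hunk (`./easyrsa init-pki`, `build-ca nopass`, `gen-req`, `sign-req server`) and repeated for the client (`gen-req`/`sign-req client`) run without `--batch`, so each stops to prompt for a Common Name or a typed `yes` confirmation, which breaks the unattended flow the script previously had with `pkitool`. Adding `export EASYRSA_BATCH=1` once after `cd /etc/openvpn/easy-rsa` (or `--batch` on every call) keeps the run non-interactive, and `"$VPN_NAME"` / `"$VPN_USER"` should be quoted in those calls since both come straight from `read`. `set_var EASYRSA_KEY_SIZE 8192` in the rewritten vars file is also the size `gen-dh` uses for Diffie-Hellman parameters, so that step can take a very long time on ordinary hardware; the previous setup used 2048 and the server config (`dh dh.pem`) does not depend on the size. `build-ca nopass` leaves the CA private key unencrypted on the VPN host next to the server key, which I would expect either to be deliberate and commented as such, or replaced by a passphrase-protected CA that is not kept on the server.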