From d3d861a729d30b0f6b07c8f40aab054e42943cb9 Mon Sep 17 00:00:00 2001 From: big fox tail Date: Sun, 24 Jan 2021 20:30:53 +0800 Subject: [PATCH] random generate openvpn cert at first run (#6207) --- .../cbi/openvpn-server/openvpn-server.lua | 1 + .../root/etc/config/openvpn | 2 +- .../root/etc/easy-rsa/vars | 229 ++++++++++++++++-- .../root/etc/openvpn/{dh1024.pem => dh.pem} | 0 .../root/etc/openvpncert.sh | 31 ++- 5 files changed, 230 insertions(+), 33 deletions(-) rename package/lean/luci-app-openvpn-server/root/etc/openvpn/{dh1024.pem => dh.pem} (100%) diff --git a/package/lean/luci-app-openvpn-server/luasrc/model/cbi/openvpn-server/openvpn-server.lua b/package/lean/luci-app-openvpn-server/luasrc/model/cbi/openvpn-server/openvpn-server.lua index 1ffb20988..50e661426 100644 --- a/package/lean/luci-app-openvpn-server/luasrc/model/cbi/openvpn-server/openvpn-server.lua +++ b/package/lean/luci-app-openvpn-server/luasrc/model/cbi/openvpn-server/openvpn-server.lua @@ -98,6 +98,7 @@ end function mp.on_after_commit(self) os.execute("uci set firewall.openvpn.dest_port=$(uci get openvpn.myvpn.port) && uci commit firewall && /etc/init.d/firewall restart") + os.execute("/etc/openvpncert.sh > /dev/null") os.execute("/etc/init.d/openvpn restart") end diff --git a/package/lean/luci-app-openvpn-server/root/etc/config/openvpn b/package/lean/luci-app-openvpn-server/root/etc/config/openvpn index 36032b000..d15302d13 100644 --- a/package/lean/luci-app-openvpn-server/root/etc/config/openvpn +++ b/package/lean/luci-app-openvpn-server/root/etc/config/openvpn @@ -9,7 +9,7 @@ config openvpn 'myvpn' option server '10.8.0.0 255.255.255.0' option comp_lzo 'adaptive' option ca '/etc/openvpn/ca.crt' - option dh '/etc/openvpn/dh1024.pem' + option dh '/etc/openvpn/dh.pem' option cert '/etc/openvpn/server.crt' option key '/etc/openvpn/server.key' option persist_key '1' diff --git a/package/lean/luci-app-openvpn-server/root/etc/easy-rsa/vars b/package/lean/luci-app-openvpn-server/root/etc/easy-rsa/vars index 4873fbcf7..3b0499411 100644 --- a/package/lean/luci-app-openvpn-server/root/etc/easy-rsa/vars +++ b/package/lean/luci-app-openvpn-server/root/etc/easy-rsa/vars @@ -1,19 +1,210 @@ -export EASY_RSA="/etc/easy-rsa" -export OPENSSL="openssl" -export PKCS11TOOL="pkcs11-tool" -export GREP="grep" -export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA` -export KEY_DIR="$EASY_RSA/keys" -echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR -export PKCS11_MODULE_PATH="dummy" -export PKCS11_PIN="dummy" -export KEY_SIZE=1024 -export CA_EXPIRE=3650 -export KEY_EXPIRE=3650 -export KEY_COUNTRY="CN" -export KEY_PROVINCE="ZJ" -export KEY_CITY="ZJ" -export KEY_ORG="ZJ" -export KEY_EMAIL="ZJ@ZJ.com" -export KEY_OU="ZJ" -export KEY_NAME="EasyRSA" \ No newline at end of file +# Easy-RSA 3 parameter settings + +# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades don't wipe out your changes. + +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file 'vars' if you want it to be used as a configuration file. If you do +# not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without the +# need to copy and edit the 'vars' file. +# +# All of the editable settings are shown commented and start with the command +# 'set_var' -- this means any set_var command that is uncommented has been +# modified by the user. If you're happy with a default, there is no need to +# define the value to its default. + +# NOTES FOR WINDOWS USERS +# +# Paths for Windows *MUST* use forward slashes, or optionally double-esscaped +# backslashes (single forward slashes are recommended.) This means your path to +# the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DON'T EDIT THIS SECTION +# +# Easy-RSA 3.x doesn't source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 + echo "This is no longer necessary and is disallowed. See the section called" >&2 + echo "'How to use this file' near the top comments for more details." >&2 + return 1 +fi + +# DO YOUR EDITS BELOW THIS POINT + +# This variable is used as the base location of configuration files needed by +# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) +# may override this default. +# +# The default value of this variable is the location of the easyrsa script +# itself, which is also where the configuration files are located in the +# easy-rsa tree. + +set_var EASYRSA "/etc/easy-rsa" + +# If your OpenSSL command is not in the system PATH, you will need to define the +# path to it here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. +# +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. + +#set_var EASYRSA_OPENSSL "openssl" +# +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# Edit this variable to point to your soon-to-be-created key directory. By +# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the +# directory you are currently in). +# +# WARNING: init-pki will do a rm -rf on this directory so make sure you define +# it correctly! (Interactive mode will prompt before acting.) + +set_var EASYRSA_PKI "/etc/easy-rsa/pki" + +# Define X509 DN mode. +# This is used to adjust what elements are included in the Subject field as the DN +# (this is the "Distinguished Name.") +# Note that in cn_only mode the Organizational fields further below aren't used. +# +# Choices are: +# cn_only - use just a CN value +# org - use the "traditional" Country/Province/City/Org/OU/email/CN format + +#set_var EASYRSA_DN "cn_only" + +# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) +# These are the default values for fields which will be placed in the +# certificate. Don't leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email.) + +#set_var EASYRSA_REQ_COUNTRY "US" +#set_var EASYRSA_REQ_PROVINCE "California" +#set_var EASYRSA_REQ_CITY "San Francisco" +#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" +#set_var EASYRSA_REQ_EMAIL "me@example.net" +#set_var EASYRSA_REQ_OU "My Organizational Unit" + +# Choose a size in bits for your keypairs. The recommended value is 2048. Using +# 2048-bit keys is considered more than sufficient for many years into the +# future. Larger keysizes will slow down TLS negotiation and make key/DH param +# generation take much longer. Values up to 4096 should be accepted by most +# software. Only used when the crypto alg is rsa (see below.) + +set_var EASYRSA_KEY_SIZE 2048 + +# The default crypto mode is rsa; ec can enable elliptic curve support. +# Note that not all software supports ECC, so use care when enabling it. +# Choices for crypto alg are: (each in lower-case) +# * rsa +# * ec + +#set_var EASYRSA_ALGO rsa + +# Define the named curve, used in ec mode only: + +#set_var EASYRSA_CURVE secp384r1 + +# In how many days should the root CA key expire? + +set_var EASYRSA_CA_EXPIRE 3650 + +# In how many days should certificates expire? + +set_var EASYRSA_CERT_EXPIRE 3650 + +# How many days until the next CRL publish date? Note that the CRL can still be +# parsed after this timeframe passes. It is only used for an expected next +# publication date. + +# How many days before its expiration date a certificate is allowed to be +# renewed? +#set_var EASYRSA_CERT_RENEW 30 + +#set_var EASYRSA_CRL_DAYS 180 + +# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default +# is "no" to discourage use of deprecated extensions. If you require this +# feature to use with --ns-cert-type, set this to "yes" here. This support +# should be replaced with the more modern --remote-cert-tls feature. If you do +# not use --ns-cert-type in your configs, it is safe (and recommended) to leave +# this defined to "no". When set to "yes", server-signed certs get the +# nsCertType=server attribute, and also get any NS_COMMENT defined below in the +# nsComment field. + +#set_var EASYRSA_NS_SUPPORT "no" + +# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. +# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. + +#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + +# A temp file used to stage cert extensions during signing. The default should +# be fine for most users; however, some users might want an alternative under a +# RAM-based FS, such as /dev/shm or /tmp on some systems. + +#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" + +# !! +# NOTE: ADVANCED OPTIONS BELOW THIS POINT +# PLAY WITH THEM AT YOUR OWN RISK +# !! + +# Broken shell command aliases: If you have a largely broken shell that is +# missing any of these POSIX-required commands used by Easy-RSA, you will need +# to define an alias to the proper path for the command. The symptom will be +# some form of a 'command not found' error from your shell. This means your +# shell is BROKEN, but you can hack around it here if you really need. These +# shown values are not defaults: it is up to you to know what you're doing if +# you touch these. +# +#alias awk="/alt/bin/awk" +#alias cat="/alt/bin/cat" + +# X509 extensions directory: +# If you want to customize the X509 extensions used, set the directory to look +# for extensions here. Each cert type you sign must have a matching filename, +# and an optional file named 'COMMON' is included first when present. Note that +# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then +# fallback to $EASYRSA for the 'x509-types' dir. You may override this +# detection with an explicit dir here. +# +#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" + +# OpenSSL config file: +# If you need to use a specific openssl config file, you can reference it here. +# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the +# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA +# specific and you cannot just use a standard config file, so this is an +# advanced feature. + +#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" + +# Default CN: +# This is best left alone. Interactively you will set this manually, and BATCH +# callers are expected to set this themselves. + +set_var EASYRSA_REQ_CN "CN" + +# Cryptographic digest to use. +# Do not change this default unless you understand the security implications. +# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 + +#set_var EASYRSA_DIGEST "sha256" + +# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly +# in batch mode without any user input, confirmation on dangerous operations, +# or most output. Setting this to any non-blank string enables batch mode. + +#set_var EASYRSA_BATCH "" + diff --git a/package/lean/luci-app-openvpn-server/root/etc/openvpn/dh1024.pem b/package/lean/luci-app-openvpn-server/root/etc/openvpn/dh.pem similarity index 100% rename from package/lean/luci-app-openvpn-server/root/etc/openvpn/dh1024.pem rename to package/lean/luci-app-openvpn-server/root/etc/openvpn/dh.pem diff --git a/package/lean/luci-app-openvpn-server/root/etc/openvpncert.sh b/package/lean/luci-app-openvpn-server/root/etc/openvpncert.sh index 61d6f0cb9..7223a8dfc 100755 --- a/package/lean/luci-app-openvpn-server/root/etc/openvpncert.sh +++ b/package/lean/luci-app-openvpn-server/root/etc/openvpncert.sh @@ -1,15 +1,20 @@ #!/bin/sh -clean-all -echo -en "\n\n\n\n\n\n\n\n" | build-ca -build-dh -build-key-server server -build-key-pkcs12 client1 -cp /etc/easy-rsa/keys/ca.crt /etc/openvpn/ -cp /etc/easy-rsa/keys/server.crt /etc/openvpn/ -cp /etc/easy-rsa/keys/server.key /etc/openvpn/ -cp /etc/easy-rsa/keys/dh1024.pem /etc/openvpn/ -cp /etc/easy-rsa/keys/client1.crt /etc/openvpn/ -cp /etc/easy-rsa/keys/client1.key /etc/openvpn/ -/etc/init.d/openvpn restart -echo "OpenVPN Cert renew successfully" \ No newline at end of file +if [[ ! -f /etc/easy-rsa/pki/ca.crt || "$1" == "renew" ]]; then + echo yes|easyrsa init-pki + echo CN|easyrsa build-ca nopass + easyrsa gen-dh + easyrsa build-server-full server nopass + easyrsa build-client-full client1 nopass + + cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/ + cp /etc/easy-rsa/pki/issued/server.crt /etc/openvpn/ + cp /etc/easy-rsa/pki/private/server.key /etc/openvpn/ + cp /etc/easy-rsa/pki/dh.pem /etc/openvpn/ + cp /etc/easy-rsa/pki/issued/client1.crt /etc/openvpn/ + cp /etc/easy-rsa/pki/private/client1.key /etc/openvpn/ + /etc/init.d/openvpn restart + echo "OpenVPN Cert renew successfully" +else + echo "Use the 'renew' option renew Cert" +fi