-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathsetup
86 lines (72 loc) · 2.99 KB
/
setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
#!/bin/ash
# Setup VPN server
case "$1" in
host)
# Assign variable
host=$2
# CA certificate (Authority)
ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --ca --in caKey.pem \
--dn "C=DE, O=HomeVPN, CN=HomeVPN Root CA" \
--outform pem > caCert.pem
# VPN server certificate (Gateway)
ipsec pki --gen --outform pem > serverKey.pem
ipsec pki --pub --in serverKey.pem | ipsec pki --issue \
--cacert caCert.pem --cakey caKey.pem \
--dn "C=DE, O=HomeVPN, CN=${host}" \
--san="${host}" \
--flag serverAuth --flag ikeIntermediate \
--outform pem > serverCert.pem
# Move secrets to respective directories
mv caCert.pem /etc/ipsec.d/cacerts/
mv serverCert.pem /etc/ipsec.d/certs/
mv caKey.pem serverKey.pem /etc/ipsec.d/private/
# Add server key to IPsec secrets file
echo ": RSA serverKey.pem" > /etc/ipsec.secrets
# Update configuration with proper leftid
sed -i -- "s/@@host@@/${host}/g" /etc/ipsec.conf
;;
user)
# Assign variables
user=$2
password=$3
# Assign random password if not set
if [ $password = '' ]; then
# Generate a random password
P1=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
P2=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
P3=`cat /dev/urandom | tr -cd abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789 | head -c 3`
password="$P1$P2$P3"
echo "No VPN_PASSWORD set, generated a random one: $password"
fi
# Add XAUTH password to IPsec secrets file for user
echo "${user} : XAUTH \"${password}\"" >> /etc/ipsec.secrets
# Create key and certificate for user
ipsec pki --gen --outform pem > ${user}Key.pem
ipsec pki --pub --in ${user}Key.pem | ipsec pki --issue \
--cacert /etc/ipsec.d/cacerts/caCert.pem \
--cakey /etc/ipsec.d/private/caKey.pem \
--dn "C=DE, O=HomeVPN, CN=${user}" \
--san "${user}" \
--outform pem > ${user}Cert.pem
# Create encrypted PKCS#12 archive for user
openssl pkcs12 -export -password "pass:${password}" \
-inkey ${user}Key.pem \
-in ${user}Cert.pem -name "${user}" \
-certfile /etc/ipsec.d/cacerts/caCert.pem \
-caname "HomeVPN Root CA" \
-out ${user}Cert.p12
# Create password file for user
echo "${password}" > ${user}P12-XAUTH-Password.txt
# Move secrets to respective directories
mv ${user}Cert.pem /etc/ipsec.d/certs/
mv ${user}Key.pem /etc/ipsec.d/private/
mv ${user}Cert.p12 /home
mv ${user}P12-XAUTH-Password.txt /home
# Make credentials available to mounted host directory
cp --force /home/* /mnt/
;;
esac
# Restart IPsec, some how '$ ipsec rereadall' does not do the job,
# let's go aggressive
ipsec restart