*** Consider using WireGuard instead! Thanks to Alex Jensen for creating this script: https://www.cron.dk/easy-certificate-generation-for-openvpn/ To use: 1: Save this script to "/config/openvpn/zmake.sh". 2: Change "EdgeOpenVPN" to the IP address or hostname that clients should use to connect to the VPN. This is written into every client OVPN file; you can also edit each OVPN file later. 3: Run it by opening PuTTY and entering: bash /config/openvpn/zmake.sh Allow 45 minutes or so (for the Diffie-Hellman parameter generation). 4: Edit "Server.ovpn": the "push route" lines need the IP ranges you want to reach over the VPN if full gateway redirection is not enabled. If the upstream network of the EdgeRouter is 192.168.1.1 (the EdgeRouter's WAN has a 192.168.1.xx IP), then adding a line with "192.168.1.0" makes it reachable from the VPN even when remote gateway redirect is disabled. 5: Open PuTTY, enter "configure" to enter configure mode, and paste in the contents of "zEdgeSetup.txt". 6: Copy the OVPN files to the client computers and connect with OpenVPN.
#!/bin/bash
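# Every key, certificate and generated config is written relative to this directory;
# stop rather than scatter private keys into whatever the current directory happens to be.
cd /config/openvpn || { printf 'cannot cd to /config/openvpn\n' >&2; exit 1; }
#-----------------------------------------------------------------------------------------------
# Setup
# Certificate Authority: file base name, X.509 subject, validity in days, RSA key size in bits.
CAname=CA-World
CAsubject="/C=US/ST=SomeCity/L=SomeCity/O=CAworld"
CAexpire=10000
CAkeyLength=2048
# Server certificate. ServerName is both the CN of the server cert and the "remote" host
# written into every client profile, so set it to the address clients will connect to.
ServerName=EdgeOpenVPN
ServerSubject="/C=US/ST=SomeState/L=SomeCity/O=MyCompany/CN=${ServerName}"
ServerExpire=10000
ServerKeyLength=2048
# Client certificates (one per generated User<n>) and Diffie-Hellman parameter size.
ClientExpire=10000
ClientKeyLength=2048
DHkeyLength=2048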
#-----------------------------------------------------------------------------------------------
# Functions
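#######################################
# Create a self-signed Certificate Authority (key + PEM cert) in the current directory.
# Arguments: $1 - CA file base name (writes $1.key and $1.pem)
#            $2 - validity in days
#            $3 - X.509 subject string
#            $4 - RSA key length in bits
# Returns:   non-zero if any openssl step fails
#######################################
function makeCA () {
	local CAname=$1
	local CAexpire=$2
	local CAsubject=$3
	local CAkeyLength=$4
	printf 'Generating Certificate Authority %s...\n\n' "${CAname}"
	openssl genrsa -out "${CAname}.key" "${CAkeyLength}" || return 1
	# This key signs every server and client cert; keep it owner-readable only regardless of umask.
	chmod 600 -- "${CAname}.key" || return 1
	# Subject is quoted so a subject containing spaces is passed as one argument.
	openssl req -x509 -new -nodes -key "${CAname}.key" -sha256 -days "${CAexpire}" \
		-out "${CAname}.pem" -subj "${CAsubject}"
}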
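#######################################
# Create an RSA key and a CA-signed end-entity certificate in the current directory.
# Arguments: $1 - CA file base name (reads $1.pem and $1.key)
#            $2 - certificate base name (writes $2.key and $2.crt)
#            $3 - validity in days
#            $4 - X.509 subject string
#            $5 - RSA key length in bits
# Returns:   non-zero if any openssl step fails; the CSR and temp extfile are always removed
#######################################
function makeCert () {
	local CAname=$1
	local CertName=$2
	local CertExpire=$3
	local CertSubject=$4
	local CertKeyLength=$5
	local ConfigFile rc
	printf '\nGenerating certificate for %s...\n\n' "${CertName}"
	ConfigFile=$(mktemp) || return 1
	# Mark the cert as an end-entity (not a CA) and bind it to the issuing key.
	# NOTE(review): no extendedKeyUsage is set, so server and client certs are
	# indistinguishable to OpenVPN's remote-cert-tls check.
	printf 'basicConstraints = CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "${ConfigFile}"
	openssl genrsa -out "${CertName}.key" "${CertKeyLength}" \
		&& chmod 600 -- "${CertName}.key" \
		&& openssl req -new -key "${CertName}.key" -out "${CertName}.csr" -subj "${CertSubject}" \
		&& openssl x509 -req -extfile "${ConfigFile}" -in "${CertName}.csr" \
			-CA "${CAname}.pem" -CAkey "${CAname}.key" \
			-CAcreateserial -out "${CertName}.crt" -days "${CertExpire}" -sha256
	rc=$?
	# Clean up even when a step failed, then report the real status.
	rm -f -- "${CertName}.csr" "${ConfigFile}"
	return "${rc}"
}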
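#######################################
# Write a self-contained client profile <client>.ovpn with the CA cert, client cert
# and client key inlined.
# Arguments: $1 - CA file base name (reads $1.pem)
#            $2 - client name (reads $2.crt and $2.key, writes $2.ovpn)
#            $3 - hostname or IP the client connects to
# Returns:   non-zero if the profile cannot be created
#######################################
function makeOvpnFile () {
	local CAname=$1
	local ClientName=$2
	local HostName=$3
	local OvpnFile="${ClientName}.ovpn"
	# The profile embeds the client's private key: create/truncate it and make it
	# owner-readable before appending anything.
	: > "${OvpnFile}" || return 1
	chmod 600 -- "${OvpnFile}" || return 1
	# NOTE(review): the profile has no "remote-cert-tls server" and no tls-auth/tls-crypt,
	# so the client does not check that the peer presents a server certificate. Adding
	# remote-cert-tls requires a server cert with extendedKeyUsage=serverAuth, which
	# makeCert's extfile does not set.
	{
		printf '%s\n' \
			'client' \
			'dev tun' \
			'proto udp' \
			'route 192.168.1.0 255.255.255.0' \
			"remote ${HostName} 1194" \
			'cipher AES-256-CBC' \
			'auth SHA256' \
			'resolv-retry infinite' \
			'#redirect-gateway def1' \
			'persist-key' \
			'persist-tun' \
			'user nobody' \
			'group nogroup' \
			'verb 3' \
			''
		# The route line above is the hard-coded LAN from the original; adjust to your LAN.
		# The "#redirect-gateway" line is written as a comment for the user to uncomment.
		printf '%s\n' '<ca>'
		cat -- "${CAname}.pem"
		printf '%s\n' '</ca>' '<cert>'
		cat -- "${ClientName}.crt"
		printf '%s\n' '</cert>' '<key>'
		cat -- "${ClientName}.key"
		printf '%s\n' '</key>'
	} >> "${OvpnFile}"
}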
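#######################################
# Write the server-side OpenVPN config (Server.ovpn) and the EdgeOS CLI commands
# (zEdgeSetup.txt) that attach it and open the firewall port.
# Arguments: $1 - CA file base name (referenced as $PWD/$1.pem)
#            $2 - server cert base name (referenced as $PWD/$2.crt and $PWD/$2.key)
# Returns:   non-zero if the current path cannot be determined
#######################################
function showConfGuide () {
	local CAname=$1
	local ServerName=$2
	local CurrentPath
	CurrentPath=$(pwd) || return 1
	# Comment lines are quoted so they land in the file instead of being eaten by the
	# shell; "#push" is the template users uncomment for the LAN subnets to reach.
	# NOTE(review): no tls-auth/tls-crypt and no crl-verify; nothing in this script
	# produces a CRL, so a client cert cannot be revoked short of replacing the CA.
	printf '%s\n' \
		'server 10.20.30.0 255.255.255.0' \
		'# Copy push route below to have LAN subnets above router' \
		'#push "route 10.20.30 255.255.255.0"' \
		'topology subnet' \
		'mode server' \
		'tls-server' \
		'port 1194' \
		'proto udp' \
		'dev tun' \
		'cipher AES-256-CBC' \
		'auth SHA256' \
		"ca ${CurrentPath}/${CAname}.pem" \
		"cert ${CurrentPath}/${ServerName}.crt" \
		"key ${CurrentPath}/${ServerName}.key" \
		"dh ${CurrentPath}/dh.pem" \
		'#client-config-dir /config/ccd' \
		'keepalive 10 30' \
		'persist-key' \
		'persist-tun' \
		'user nobody' \
		'group nogroup' \
		'verb 3' \
		> Server.ovpn
	# EdgeOS commands: bind the config to vtun0 and accept 1194 (tcp/udp) on WAN_LOCAL.
	printf '%s\n' \
		'set interfaces openvpn vtun0 config-file /config/openvpn/Server.ovpn' \
		'' \
		'' \
		'edit firewall name WAN_LOCAL' \
		'set rule 67 action accept' \
		'set rule 67 description "OpenVPN"' \
		'set rule 67 destination port 1194' \
		'set rule 67 protocol tcp_udp' \
		'set rule 67 log disable' \
		> zEdgeSetup.txt
}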
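#######################################
# Generate Diffie-Hellman parameters into dh.pem in the current directory.
# Arguments: $1 - parameter size in bits
# Returns:   openssl's exit status
#######################################
function makeDH () {
	local DHkeyLength=$1
	printf '\nMaking diffie-hellman keypair for perfect forward secrecy...\n\n'
	# Generator 2; this is the slow step on the router (see the usage notes at the top).
	openssl dhparam -out dh.pem -2 "${DHkeyLength}"
}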
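#######################################
# Create a client key/cert signed by the CA and the matching .ovpn profile.
# Arguments: $1 - CA file base name
#            $2 - client name (used as file base name, O and CN)
#            $3 - validity in days
#            $4 - RSA key length in bits
#            $5 - hostname or IP written as "remote" into the profile
# Returns:   non-zero if certificate or profile generation fails
#######################################
function makeClientCert () {
	local CAname=$1
	local Clientname=$2
	local ClientExpire=$3
	local ClientKeyLength=$4
	local ServerName=$5
	printf '\n\nMaking Client certificate for %s\n' "${Clientname}"
	# Do not write a profile for a cert that was not produced.
	makeCert "${CAname}" "${Clientname}" "${ClientExpire}" \
		"/C=US/ST=SomeState/L=SomeCity/O=${Clientname}/CN=${Clientname}" "${ClientKeyLength}" || return 1
	makeOvpnFile "${CAname}" "${Clientname}" "${ServerName}"
}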
#-----------------------------------------------------------------------------------------------
# Make everything
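# Abort on the first failed step: later steps would otherwise produce profiles
# referencing files that do not exist.
makeCA "${CAname}" "${CAexpire}" "${CAsubject}" "${CAkeyLength}" || exit 1
makeCert "${CAname}" "${ServerName}" "${ServerExpire}" "${ServerSubject}" "${ServerKeyLength}" || exit 1
# One certificate and profile per client, named User1..User10.
for i in {1..10}; do
  makeClientCert "${CAname}" "User${i}" "${ClientExpire}" "${ClientKeyLength}" "${ServerName}" || exit 1
done
makeDH "${DHkeyLength}" || exit 1
showConfGuide "${CAname}" "${ServerName}"
printf "\nScript is done!\n"
printf "\nYou need to open '/config/openvpn/zEdgeSetup.txt' and run those commands\n\n"
ls '/config/openvpn/'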
To make more client certificates later, comment out all of the make… lines at the bottom of the script except the ones that contain user names (like "User01"), rename them as appropriate, e.g. makeCert ${CAname} ${ClientName} ${ClientExpire} ${ClientSubject} ${ClientKeyLength}, then run the script again; repeat for each additional client.