#!/bin/bash set -e if [ -f /etc/ocserv/certs/server-cert.pem ] then echo "Initialized!" exit 0 else echo "Initializing ..." fi mkdir -p /etc/ocserv/certs cd /etc/ocserv/certs cat > ca.tmpl <<_EOF_ cn = "ocserv Root CA" organization = "ocserv" serial = 1 expiration_days = 3650 ca signing_key cert_signing_key crl_signing_key _EOF_ cat > server.tmpl <<_EOF_ cn = "${VPN_DOMAIN}" dns_name = "${VPN_DOMAIN}" organization = "ocserv" serial = 2 expiration_days = 3650 encryption_key signing_key tls_www_server _EOF_ cat > client.tmpl <<_EOF_ cn = "client@${VPN_DOMAIN}" uid = "client" unit = "ocserv" expiration_days = 3650 signing_key tls_www_client _EOF_ # gen ca keys certtool --generate-privkey \ --outfile ca-key.pem certtool --generate-self-signed \ --load-privkey /etc/ocserv/certs/ca-key.pem \ --template ca.tmpl \ --outfile ca.pem # gen server keys certtool --generate-privkey \ --outfile server-key.pem certtool --generate-certificate \ --load-privkey server-key.pem \ --load-ca-certificate ca.pem \ --load-ca-privkey ca-key.pem \ --template server.tmpl \ --outfile server-cert.pem # gen client keys certtool --generate-privkey \ --outfile client-key.pem certtool --generate-certificate \ --load-privkey client-key.pem \ --load-ca-certificate ca.pem \ --load-ca-privkey ca-key.pem \ --template client.tmpl \ --outfile client-cert.pem certtool --to-p12 \ --pkcs-cipher 3des-pkcs12 \ --load-ca-certificate ca.pem \ --load-certificate client-cert.pem \ --load-privkey client-key.pem \ --outfile client.p12 \ --outder \ --p12-name "${VPN_DOMAIN}" \ --password "${VPN_PASSWORD}" sed -i -e "s@^ipv4-network =.*@ipv4-network = ${VPN_NETWORK}@" \ -e "s@^ipv4-netmask =.*@ipv4-netmask = ${VPN_NETMASK}@" \ -e "s@^no-route =.*@no-route = ${LAN_NETWORK}/${LAN_NETMASK}@" /etc/ocserv/ocserv.conf echo "${VPN_PASSWORD}" | ocpasswd -c /etc/ocserv/ocpasswd "${VPN_USERNAME}"