#!/bin/bash
# ----------------------------------------------
# Test an OpenVPN server setup with CA
# ----------------------------------------------
set -ex

CONFIG_DIR=/etc/openvpn
CA_DIR=easy-rsa
CA_VARS_FILE=vars
DEVICE=tun1
IP_NETWORK=10.9.8.0
NETWORK_MASK=255.255.255.0
LOG_FILE="$AUTOPKGTEST_ARTIFACTS/openvpn.log"

# Print information message to stdout
info() {
    echo "[I] $1"
}

# Clean up: kill the OpenVPN process, remove the $DEVICE created and the CA dir.
# "|| true" keeps the trap from failing under set -e when no openvpn is running.
cleanup() {
    pkill openvpn || true
    rm -rf "$CONFIG_DIR/$CA_DIR"
}

info "Check if the container can create tun devices"
# Exit code 77 tells autopkgtest to skip the test (requires the "skippable" restriction)
[ ! -c /dev/net/tun ] && exit 77

# Register the cleanup before anything is created, so that a failing check
# (set -e) still removes the CA dir and stops the server
trap cleanup INT TERM EXIT

info "Create the CA directory inside the config directory"
cd "$CONFIG_DIR"
make-cadir "$CA_DIR"
cd "$CA_DIR"

info \
    "Add some variables to the $CA_VARS_FILE to build the CA and keys in a non interactive mode"
cat << EOF >> "$CA_VARS_FILE"
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@example.net"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_BATCH "1"
EOF

info "Setup the CA and the server keys"
./easyrsa --batch init-pki
# remove conflicting vars file to avoid easy-rsa errors
rm -f vars
./easyrsa --batch build-ca nopass 2>/dev/null
./easyrsa --batch build-server-full server nopass 2>/dev/null
./easyrsa --batch gen-dh 2>/dev/null

info "Create the OpenVPN server config file"
cat << EOF > "$CONFIG_DIR/server.conf"
dev $DEVICE
server $IP_NETWORK $NETWORK_MASK
ca $CONFIG_DIR/$CA_DIR/pki/ca.crt
cert $CONFIG_DIR/$CA_DIR/pki/issued/server.crt
key $CONFIG_DIR/$CA_DIR/pki/private/server.key
dh $CONFIG_DIR/$CA_DIR/pki/dh.pem
EOF

info "Start an OpenVPN process in background and redirect its output to a file"
# --disable-dco forces the userspace data path, so the TUN device is actually opened
openvpn --disable-dco --config "$CONFIG_DIR/server.conf" --verb 6 > "$LOG_FILE" &

info "Give some time to start the process, check if the TUN device is opened"
count=1
until [ -f "$LOG_FILE" ] && grep -q "device $DEVICE opened" "$LOG_FILE"; do
    # give up after ~10 seconds
    [ "$count" -gt 9 ] && exit 5
    count=$((count + 1))
    sleep 1
done
grep "TUN/TAP device $DEVICE opened" "$LOG_FILE"

info "Check if the $DEVICE was created and if the state is UNKNOWN at this point"
ip address show "$DEVICE" | grep 'state UNKNOWN'

info "Check if OpenVPN is listening on port 1194 (default port)"
ss -lnptu | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}:1194.*users:\(\(\"openvpn\"'

info "Check if Diffie-Hellman was initialized"
grep 'Diffie-Hellman initialized' "$LOG_FILE"

info "Check if the $DEVICE is linked"
grep "net_iface_up: set $DEVICE up" "$LOG_FILE"

#info "Check if the network route was correctly configured"
#grep "net_route_v4_add: $IP_NETWORK/24 via" "$LOG_FILE"

info "Check if the Initialization Sequence completed"
grep 'Initialization Sequence Completed' "$LOG_FILE"