
Automated script on PC

Creating private keys on an embedded device takes a long time. You can speed things up by creating the keys and certificates on your PC instead.

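Install openvpn on your PC (it is required to build the certificates) and then run this script. It will ask you for a password to encrypt the private key in client.ovpn. Then you only have to transfer server.conf to /etc/openvpn on your router and run service openvpn restart. Note that server.conf embeds the server's unencrypted private key, so copy it over an encrypted channel such as scp, and keep the generated pki directory (which holds the unencrypted CA key) private on the PC.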

# Change SERVER.DOMAIN.OR.IP in client.ovpn
 
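writeclient(){
    # Write client.ovpn into the current directory from the key material held
    # in TC_KEY, CA_CERT, CLI_CERT and CLI_KEY (all read as globals).
    # Returns the status of the write.
    #
    # The file embeds the client's private key and the shared tls-crypt key,
    # so it is created readable by the owner only. A stale copy is removed
    # first because redirecting into an existing file would keep that file's
    # old, possibly wider, permissions.
    (
        umask 077
        rm -f -- "client.ovpn" &&
        cat << EOF > "client.ovpn"
verb 3
dev tun
nobind
client
remote SERVER.DOMAIN.OR.IP 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt>
${TC_KEY}
</tls-crypt>
<ca>
${CA_CERT}
</ca>
<cert>
${CLI_CERT}
</cert>
<key>
${CLI_KEY}
</key>
EOF
    )
}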
 
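writeserver(){
    # Write server.conf into the current directory from the key material held
    # in DH_KEY, TC_KEY, CA_CERT, SER_CERT and SER_KEY (all read as globals).
    # Returns the status of the write.
    #
    # The file embeds the server's unencrypted private key, so it is created
    # readable by the owner only. A stale copy is removed first because
    # redirecting into an existing file would keep that file's old permissions.
    #
    # Settings worth reviewing before deployment (left as the guide has them):
    #   duplicate-cn     - several clients may connect with the same
    #                      certificate at once, so a copied client.ovpn cannot
    #                      be told apart from the original by its CN.
    #   client-to-client - traffic between VPN clients is forwarded inside
    #                      OpenVPN and does not pass the router's firewall.
    #   push DNS 8.8.8.8 - clients send their DNS queries to a public resolver.
    (
        umask 077
        rm -f -- "server.conf" &&
        cat << EOF > "server.conf"
verb 3
user nobody
group nogroup
dev tun0
port 1194
proto udp
server 192.168.8.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 120
persist-tun
persist-key
duplicate-cn
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${DH_KEY}
</dh>
<tls-crypt>
${TC_KEY}
</tls-crypt>
<ca>
${CA_CERT}
</ca>
<cert>
${SER_CERT}
</cert>
<key>
${SER_KEY}
</key>
EOF
    )
}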
 
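# Fetch the pinned EasyRSA release once and unpack it.
# Set EASYRSA_SHA256 to the checksum published for this release to have the
# archive verified before it is unpacked; when it is unset the archive is
# trusted on the strength of the HTTPS download alone.
easyrsa_fresh=
if [ ! -f "EasyRSA.tgz" ]
then
    # Download under a temporary name: wget -O creates the output file even
    # when the transfer fails, and a leftover empty EasyRSA.tgz would make
    # every later run skip the download.
    if ! wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz -O EasyRSA.tgz.part
    then
        rm -f EasyRSA.tgz.part
        echo "Download of EasyRSA failed" >&2
        exit 1
    fi
    mv EasyRSA.tgz.part EasyRSA.tgz || exit 1
    easyrsa_fresh=1
fi

# Unpack after a fresh download, and also when an earlier run left the archive
# behind without the extracted directory.
if [ -n "$easyrsa_fresh" ] || [ ! -d "EasyRSA-v3.0.6" ]
then
    if [ -n "${EASYRSA_SHA256:-}" ]
    then
        if ! printf '%s  %s\n' "$EASYRSA_SHA256" "EasyRSA.tgz" | sha256sum -c -
        then
            echo "EasyRSA.tgz does not match EASYRSA_SHA256" >&2
            exit 1
        fi
    fi
    tar -xf EasyRSA.tgz || exit 1
fi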
 
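# Everything below uses paths relative to the unpacked EasyRSA tree; stop if it
# is missing rather than generating keys in whatever directory we are in.
cd EasyRSA-v3.0.6 || exit 1

# All files created from here on are private keys or contain them.
umask 077

# Each step is checked: a failed step would otherwise leave missing or stale
# files that end up embedded in the generated configs.
# NOTE(review): init-pki runs in --batch mode on every invocation; presumably
# this replaces an existing pki/ (and its CA) without asking - confirm before
# re-running against a PKI that is already deployed.
./easyrsa --batch init-pki || exit 1

export EASYRSA_PKI="pki"
export EASYRSA_REQ_CN="vpnca"
./easyrsa --batch gen-dh || exit 1
# nopass leaves the CA private key unencrypted on this PC; anyone who can read
# it can issue certificates the server will accept.
./easyrsa --batch build-ca nopass || exit 1
./easyrsa --batch build-server-full vpnserver nopass || exit 1
# The client key is password-protected (easyrsa prompts for it); append
# "nopass" to the next command to remove the password on client.ovpn.
./easyrsa --batch build-client-full vpnclient || exit 1
# Newer OpenVPN releases (2.5 and later) deprecate this spelling in favour of
# "openvpn --genkey secret pki/tc.pem".
openvpn --genkey --secret pki/tc.pem || exit 1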
 
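# Load the generated material into the variables that writeserver and
# writeclient expand into the config files. Each read is checked: a missing or
# unreadable file would otherwise leave its variable empty and produce a config
# with a blank section.
DH_KEY="$(cat "pki/dh.pem")" || exit 1
# Drop '#' comment lines from the static key file; for every line that starts
# with a word character, append the next line and remove the newline between
# them. (\w is a GNU sed extension.)
TC_KEY="$(sed -e "/^#/d;/^\w/N;s/\n//" "pki/tc.pem")" || exit 1
# openssl x509 with no output options prints the certificate in PEM form only,
# which presumably strips any human-readable text stored alongside it in the
# .crt files.
CA_CERT="$(openssl x509 -in "pki/ca.crt")" || exit 1
SER_CERT="$(openssl x509 -in "pki/issued/vpnserver.crt")" || exit 1
# The server key was built with nopass, so SER_KEY holds it unencrypted.
SER_KEY="$(cat "pki/private/vpnserver.key")" || exit 1
CLI_CERT="$(openssl x509 -in "pki/issued/vpnclient.crt")" || exit 1
CLI_KEY="$(cat "pki/private/vpnclient.key")" || exit 1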
 
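# Render both configs into the current directory and stop if either write
# fails, so "Done!" is never printed for a file that was not produced.
writeserver || exit 1
writeclient || exit 1

# server.conf carries the server's unencrypted private key: move it to the
# router over an encrypted channel and remove local copies that are no longer
# needed.
echo "Done! You can find config files here:"
# Quoted expansion keeps a working directory containing spaces or glob
# characters intact in the printed path.
printf '%s\n' "$(pwd)/server.conf"
printf '%s\n' "$(pwd)/client.ovpn"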
docs/guide-user/services/vpn/openvpn/automated_pc.txt · Last modified: 2020/06/09 11:52 by vgaetera