openvpn 自动创建和吊销用户证书的脚本（需以 root 运行；依赖 expect，记得先安装。用户名会被拼进路径、sed/grep 模式和 rm -rf 目标，请只使用字母、数字、`.`、`_`、`-`）
#!/bin/bash
#
#********************************************************************
#Date: 2022-02-17
#FileName: openvpn.sh
#Description: openvpn
#Copyright (C): 2022 All rights reserved
#********************************************************************
#输入要操作的用户名
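# Ask for the user (certificate CN) to operate on.
read -r -p "Please input the username:" NAME
# NAME is spliced into file paths, rm -rf targets, sed/grep patterns and the
# easy-rsa CN, so restrict it to a safe charset: must start with an
# alphanumeric and contain only [A-Za-z0-9._-]. This rejects "", "..",
# "../x", a leading "-" (option injection) and sed/regex metacharacters.
if [[ ! "$NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "Invalid username: only letters, digits, '.', '_' and '-' are allowed" >&2
  exit 1
fi
# Ask whether to create or revoke.
read -r -p "Please input create or revoke:" FUN
# CA-side easy-rsa PKI, client bundle dir and client-side (key/CSR) PKI.
export SDIR="/etc/openvpn/easy-rsa/3/"
export CRTDIR="/etc/openvpn/client/"
export CDIR="/etc/openvpn/client/easy-rsa/3/"
# Private-key passphrase. ${RANDOM} is only a 15-bit value and the username is
# public, so the former "${RANDOM}!${NAME}" was guessable; take 128 bits from
# openssl instead. Hex characters only, so the value is safe to paste into the
# expect script that types it.
CRTPAS="$(openssl rand -hex 16)" || { echo "openssl rand failed" >&2; exit 1; }
export CRTPAS
export PAS=$CRTPAS
#NAME=$1
export CCRT_DIR="/etc/openvpn/client/${NAME}"
# Everything created below (key, passphrase, bundle) is secret: no group/other access.
umask 077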
#创建用户的函数
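#######################################
# Create a client certificate for $NAME: generate key + CSR in the client PKI
# ($CDIR), import and sign the CSR with the CA in $SDIR, and assemble a bundle
# under $CCRT_DIR.
# Globals:  NAME, PAS (read); CDIR, SDIR, CRTDIR, CCRT_DIR (read)
# Outputs:  $CCRT_DIR/{ca.crt,NAME.crt,NAME.key,client.ovpn,password.txt,NAME.tar.gz}
# Returns:  0 on success; 1 (with a message on stderr) as soon as any step
#           fails, so a half-built bundle is never packaged.
#######################################
create(){
  # NAME ends up in paths, rm/cp targets and a sed replacement: refuse anything
  # outside a conservative charset (also rejects the empty string and "..").
  if [[ ! "$NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    echo "create: invalid username '${NAME}'" >&2
    return 1
  fi
  # 0700: this directory will hold the private key and its passphrase.
  mkdir -m 700 -- "$CCRT_DIR" || { echo "create: cannot create ${CCRT_DIR}" >&2; return 1; }
  # Passphrase file, owner-only regardless of the caller's umask.
  ( umask 077; printf '%s\n' "$PAS" > "${CCRT_DIR}/password.txt" ) || return 1

  # Generate key + CSR in the client PKI. easyrsa/openssl prompt twice for the
  # PEM pass phrase and once for the Common Name (default = NAME, so just Enter).
  cd -- "$CDIR" || { echo "create: cannot cd to ${CDIR}" >&2; return 1; }
  # $PAS is expanded by the shell before expect runs; it is hex-only, so it
  # cannot contain Tcl metacharacters. Output is discarded on purpose (it would
  # echo the prompts); success is verified by checking the produced files.
  expect &> /dev/null <<EOF
spawn ./easyrsa gen-req $NAME
expect {
  "phrase:" { send "$PAS\n"; exp_continue }
  "]:"      { send "\n" }
}
expect eof
EOF
  if [ ! -f "${CDIR}pki/private/${NAME}.key" ] || [ ! -f "${CDIR}pki/reqs/${NAME}.req" ]; then
    echo "create: gen-req did not produce key/req for ${NAME}" >&2
    return 1
  fi

  # Import the CSR into the CA PKI and sign it as a *client* certificate.
  # "yes" answers easyrsa's confirmation prompt; the chain stops on first failure.
  if ! ( cd -- "$SDIR" \
      && ./easyrsa import-req "${CDIR}pki/reqs/${NAME}.req" "$NAME" &> /dev/null \
      && echo -e "yes\n" | ./easyrsa sign-req client "$NAME" &> /dev/null ); then
    echo "create: import-req/sign-req failed for ${NAME}" >&2
    return 1
  fi

  # Assemble the bundle: CA cert, signed client cert, client private key.
  cp -- "${SDIR}pki/ca.crt" "${SDIR}pki/issued/${NAME}.crt" "${CDIR}pki/private/${NAME}.key" "$CCRT_DIR" || return 1
  # Per-user client.ovpn: only the "cert name.crt" / "key name.key" lines of
  # the template are rewritten (anchored at line start), so other occurrences
  # of "name" are untouched and NAME cannot inject sed syntax.
  cp -- "${CRTDIR}client.ovpn" "$CCRT_DIR" || return 1
  sed -i -e "s/^cert name\.crt/cert ${NAME}.crt/" -e "s/^key name\.key/key ${NAME}.key/" "${CCRT_DIR}/client.ovpn" || return 1

  # Package the bundle. password.txt is deliberately excluded: shipping the
  # passphrase next to the key it protects gives the passphrase no value.
  # Hand it to the user out of band.
  ( cd -- "$CCRT_DIR" && tar --exclude=password.txt -czf "${NAME}.tar.gz" ./* ) &> /dev/null || return 1
  echo "Passphrase for ${NAME} is in ${CCRT_DIR}/password.txt - deliver it separately from ${NAME}.tar.gz"
}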
#证书吊销的函数
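#######################################
# Revoke $NAME's certificate in the CA PKI and regenerate crl.pem.
# The user is looked up by exact CN in pki/index.txt (tab-separated; field 1 is
# the status V/R/E, field 6 the DN) instead of an unanchored substring grep, so
# "bob" no longer matches "bobby" and a CN containing the letter "R" is no
# longer misreported as already revoked. Assumes easy-rsa's default cn_only DN
# mode (DN is exactly "/CN=<name>").
# Globals:  NAME, SDIR (read)
# Exits:    0 on success or when already revoked; 1 on unknown user or failure.
#######################################
revoke(){
  if [[ ! "$NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    echo "revoke: invalid username '${NAME}'" >&2
    exit 1
  fi
  local index="${SDIR}pki/index.txt"
  local status
  # Status of the most recent index entry for this CN (there can be several if
  # the user was re-created): V = valid, R = revoked, E = expired, "" = unknown.
  status=$(awk -F'\t' -v cn="/CN=${NAME}" '$6 == cn { s = $1 } END { print s }' "$index")
  case "$status" in
    "")
      echo "该用户不存在"
      exit 1
      ;;
    R)
      echo "该用户已吊销"
      exit 0
      ;;
  esac
  echo "+++++++开始吊销用户++++++"
  # "yes" confirms easyrsa's prompt. gen-crl is mandatory: the server's
  # crl-verify only rejects what is in crl.pem.
  if ! ( cd -- "$SDIR" \
      && echo -e "yes\n" | ./easyrsa revoke "$NAME" &> /dev/null \
      && ./easyrsa gen-crl &> /dev/null ); then
    echo "revoke: easyrsa revoke/gen-crl failed for ${NAME}" >&2
    exit 1
  fi
  echo "+++++++吊销完成++++++"
  # The restart disconnects every connected client, including the revoked one.
  # NOTE(review): OpenVPN 2.4+ re-reads crl.pem on each TLS handshake, so the
  # restart may be unnecessary for *new* connections - confirm on this server.
  systemctl restart openvpn@server
  exit 0
}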
#删除证书的函数
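#######################################
# Remove $NAME's CSR, key, issued certificate and bundle directory so the user
# can be re-created.
# If the certificate is still valid it is revoked first: deleting the files
# alone would leave a certificate the server keeps accepting (crl-verify only
# rejects what is in the CRL). pki/index.txt is NOT edited: easyrsa gen-crl is
# built from its "R" entries, so scrubbing them (as the former
# `sed -i "/NAME/d"` did) would silently drop the revoked serial from the next
# CRL, and the unanchored pattern could also delete other users' lines.
# easy-rsa's default openssl-easyrsa.cnf sets unique_subject = no, so leftover
# entries do not block re-issuance for the same CN - verify on this install.
# Globals:  NAME, SDIR, CDIR, CCRT_DIR (read)
# Returns:  0 on success, 1 on invalid NAME or failed revocation (nothing deleted).
#######################################
delete(){
  if [[ ! "$NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
    echo "delete: invalid username '${NAME}'" >&2
    return 1
  fi
  echo "++++++++开始删除残留文件++++++++"
  local index="${SDIR}pki/index.txt"
  # Revoke while pki/issued/NAME.crt still exists (easyrsa revoke needs it),
  # but only if an entry for this CN is still valid ("V").
  if [ -f "${SDIR}pki/issued/${NAME}.crt" ] \
     && awk -F'\t' -v cn="/CN=${NAME}" '$6 == cn && $1 == "V" { found = 1 } END { exit !found }' "$index"; then
    if ! ( cd -- "$SDIR" \
        && echo -e "yes\n" | ./easyrsa revoke "$NAME" &> /dev/null \
        && ./easyrsa gen-crl &> /dev/null ); then
      echo "delete: revoke/gen-crl failed for ${NAME}; nothing deleted" >&2
      return 1
    fi
    # NOTE(review): the server is not restarted here. OpenVPN 2.4+ re-reads
    # crl.pem per handshake; if this server does not, restart openvpn@server.
  fi
  rm -f -- "${CDIR}pki/reqs/${NAME}.req" "${CDIR}pki/private/${NAME}.key"
  rm -f -- "${SDIR}pki/reqs/${NAME}.req" "${SDIR}pki/issued/${NAME}.crt"
  # NAME was validated above, so this can never expand to the bare client dir.
  rm -rf -- "$CCRT_DIR"
  echo "+++++++删除完成+++++++"
}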
#创建
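# Dispatch on the requested action. Unknown input is an error (exit 1), and a
# failing step aborts instead of reporting "完成".
case "$FUN" in
  create)
    # A key for this CN already exists in the client PKI: offer to wipe and
    # re-create it, or bail out.
    if [ -e "${CDIR}pki/private/${NAME}.key" ]; then
      echo "The user already exists"
      read -r -p "删除原用户并重新创建或选择退出,Please input delete or exit:" FUN2
      case "$FUN2" in
        delete)
          delete || exit 1
          echo "++++++原用户已删除,现在开始新建++++++++"
          create || exit 1
          echo "++++++创建完成++++++++"
          ;;
        exit)
          exit 0
          ;;
        *)
          echo "输入参数错误,退出" >&2
          exit 1
          ;;
      esac
    else
      echo "+++++++开始创建+++++"
      create || exit 1
      echo "++++++创建完成++++++"
      exit 0
    fi
    ;;
  revoke)
    revoke
    ;;
  *)
    echo "Input false,please input create or revoke!" >&2
    exit 1
    ;;
esac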
client.ovpn 文件内容（每个用户的模板；create() 复制后把 `name.crt`/`name.key` 替换为用户名）
~]#cat /etc/openvpn/client/client.ovpn
client
dev tun
proto tcp
# Public endpoint of the VPN server (the server itself binds 192.168.0.22 in
# server.conf, so this address is presumably a NAT in front of it - confirm).
remote 180.169.231.103 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Trust anchor: the easy-rsa CA that signed both the server and client certs.
ca ca.crt
# Per-user files; the creation script rewrites "name" to the username when it
# copies this template.
cert name.crt
key name.key
# Require the peer's certificate to carry the server EKU, so another client
# certificate from the same CA cannot impersonate the server.
remote-cert-tls server
# tls-auth is disabled, so the TLS handshake is exposed to anyone who can reach
# port 1194 (no HMAC "firewall" against probing/DoS). Enabling it (or tls-crypt)
# needs a shared ta.key on both ends; server.conf on this page has no matching
# tls-auth line either, so both must be changed together.
#tls-auth ta.key 1
# Legacy CBC data cipher. With 2.4+ on both ends cipher negotiation (NCP)
# should upgrade the session to AES-256-GCM; on 2.5+ clients prefer
# "data-ciphers AES-256-GCM:AES-256-CBC". Check the negotiated cipher in the log.
cipher AES-256-CBC
verb 3
server.conf配置文件内容
[root@centos22 ~]#grep -Ev "^($|#)" /etc/openvpn/server.conf
# Bind only the LAN address; client.ovpn connects to a different (public)
# address, so a NAT/port-forward in front is presumably involved.
local 192.168.0.22
port 1194
proto tcp
dev tun
# CA, server cert/key and DH parameters copied out of the easy-rsa PKI
# (see the install steps). No tls-auth/tls-crypt here: the TLS handshake is
# reachable by anyone who can hit 1194; adding "tls-crypt ta.key" would also
# require the matching line in client.ovpn.
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
# VPN subnet; note the MASQUERADE rule in the install steps uses the wider 10.8.0.0/16.
server 10.8.0.0 255.255.255.0
# Routes pushed to clients: both LANs become reachable to any holder of a
# valid (non-revoked) client certificate.
push "route 192.168.0.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
# client-to-client stays off: clients cannot reach each other through the tunnel.
;client-to-client
# duplicate-cn stays off: one live session per certificate, which keeps
# revocation of a single user meaningful.
;duplicate-cn
keepalive 10 120
# Legacy CBC cipher; 2.4 negotiates AES-256-GCM with NCP-capable clients by
# default - verify the actual cipher in openvpn.log.
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
# Privilege drop is disabled, so the daemon keeps running as root after the
# tunnel is up. persist-key/persist-tun below are exactly what makes
# "user nobody"/"group nobody" survive restarts, and the install steps chown
# /var/log/openvpn to nobody, so enabling these two lines looks intended.
;user nobody
;group nobody
persist-key
persist-tun
# Relative paths resolve against the service's working directory
# (/etc/openvpn - cf. "tail /etc/openvpn/openvpn.log" in the history), not
# against /var/log/openvpn created during install.
status openvpn-status.log
log-append openvpn.log
verb 3
mute 20
# Revoked client certificates are rejected only through this CRL: it must be
# regenerated (easyrsa gen-crl) after every revoke. crl.pem also carries its
# own expiry (EASYRSA_CRL_DAYS, default 180 days); NOTE(review): once it has
# expired OpenVPN fails verification for every client until it is regenerated
# - schedule a periodic gen-crl.
crl-verify /etc/openvpn/easy-rsa/3/pki/crl.pem
安装 openvpn（以下是手工安装时的 bash history 记录，行首数字为 history 序号）
# Manual install record (bash history; leading numbers are history indices).
51 yum install openvpn
52 yum install easy-rsa
56 cp /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/server.conf /etc/openvpn/
57 cp -r /usr/share/easy-rsa/ /etc/openvpn/
58 cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/3.0.8/vars
# 59 is a slip (cd into a file); 60 is the intended command. The ".../easy-rsa/3"
# path used below is presumably the package's symlink to 3.0.8.
59 cd /etc/openvpn/easy-rsa/3.0.8/vars
60 cd /etc/openvpn/easy-rsa/3.0.8/
75 ./easyrsa init-pki
# nopass: the CA private key (pki/private/ca.key) sits unencrypted on the VPN
# server itself. Whoever can read it can mint client certificates this server
# accepts; consider a passphrase or keeping the CA off-box.
78 ./easyrsa build-ca nopass
81 ./easyrsa gen-req server nopass
# "sign" is the short alias of "sign-req"; the "server" type adds the EKU that
# clients check with remote-cert-tls.
84 ./easyrsa sign server server
86 ./easyrsa gen-dh
88 ll /etc/openvpn/easy-rsa/3/pki/dh.pem
# Separate client-side PKI: keys and CSRs are generated here; only the CSR is
# imported into the CA PKI, so client private keys never enter the CA directory.
91 cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa
# NOTE(review): this vars file lands in client/easy-rsa/vars, not next to the
# easyrsa script in client/easy-rsa/3/ as on the server side - likely not picked up; verify.
93 cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/client/easy-rsa/vars
94 cd /etc/openvpn/client/easy-rsa/3
96 ./easyrsa init-pki
98 ./easyrsa gen-req yezhenzhen nopass
100 cd /etc/openvpn/easy-rsa/3
101 ./easyrsa import-req /etc/openvpn/client/easy-rsa/3/pki/reqs/yezhenzhen.req yezhenzhen
102 ./easyrsa --help
103 ./easyrsa sign-req client yezhenzhen
# Server files placed where server.conf expects them.
105 mkdir /etc/openvpn/certs
106 cd /etc/openvpn/certs
107 cp /etc/openvpn/easy-rsa/3/pki/dh.pem .
108 cp /etc/openvpn/easy-rsa/3/pki/ca.crt .
109 cp /etc/openvpn/easy-rsa/3/pki/issued/yezhenzhen.crt .
110 cp /etc/openvpn/easy-rsa/3/pki/private/server.key .
# First client bundle assembled by hand; openvpn.sh automates these steps.
112 mkdir /etc/openvpn/client/yezhenzhen
113 cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/client/yezhenzhen/
114 cp /etc/openvpn/easy-rsa/3/pki/issued/yezhenzhen.crt /etc/openvpn/client/yezhenzhen/
115 cp /etc/openvpn/client/easy-rsa/3/pki/private/yezhenzhen.key /etc/openvpn/client/yezhenzhen/
116 tree /etc/openvpn/client/yezhenzhen/
117 vim /etc/openvpn/server.conf
118 cd /etc/openvpn/client/yezhenzhen/
125 grep -Ev "^(#| |$|;)" /usr/share/doc/openvpn-2.4.11/sample/sample-config-files/client.conf > client.ovpn
126 vim client.ovpn
128 yum install iptables-services iptables -y
129 systemctl enable iptables --now
130 iptables -vnL
# -F/-X/-Z wipe every existing rule (including the distro defaults). Chain
# policies are not changed here, so unless they are DROP the ACCEPT rules
# added below have no effect yet.
131 iptables -F
132 iptables -vnL
133 iptables -X
134 iptables -Z
135 iptables -t nat -F
136 iptables -t nat -X
137 iptables -t nat -Z
# Only checks forwarding; nothing here enables net.ipv4.ip_forward.
138 sysctl -p | grep forward
# MASQUERADE covers 10.8.0.0/16 although server.conf only hands out 10.8.0.0/24.
141 iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -j MASQUERADE
142 iptables -A INPUT -p TCP --dport 1194 -j ACCEPT
143 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
144 service iptables save
145 iptables -vnL
146 iptables -t nat -vnL
# Log directory handed to nobody even though server.conf keeps ";user nobody"
# commented out and logs (relative paths) under /etc/openvpn.
147 mkdir /var/log/openvpn
148 chown nobody.nobody /var/log/openvpn
149 systemctl start openvpn@server
150 systemctl status openvpn@server.service
151 tail /etc/openvpn/openvpn.log
155 ifconfig tun0
# Bundles everything in the cwd, i.e. the client private key too: treat the
# tarball as a secret and deliver it over an authenticated channel.
157 tar czvf yezhenzhen.tar.gz ./*
写成脚本（上面手工安装步骤的脚本版本；运行前需先把准备好的 server.conf 和 client.ovpn 放到 /root）
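#!/bin/bash
# One-shot install of the OpenVPN server, two easy-rsa PKIs (CA in
# /etc/openvpn/easy-rsa, client key/CSR side in /etc/openvpn/client/easy-rsa),
# firewall rules and the service. Expects /root/server.conf and
# /root/client.ovpn to have been prepared beforehand. Run as root.
#
# Fixes vs. the first version:
#  - `yum install openvpn` had no -y and would stop at a prompt;
#  - the sample-config cp contained a stray space ("openvpn-2.4.11 /sample/...")
#    that split the path into two arguments;
#  - the client PKI was never initialised, so the first `easyrsa gen-req` fails;
#  - ca.crt/server.crt/server.key/dh.pem were not copied to /etc/openvpn/certs,
#    where server.conf points;
#  - IP forwarding was never enabled (the manual run only grepped for it);
#  - easyrsa looks for "vars" next to its own script (or in $PWD), so the
#    client-side copy now goes into .../easy-rsa/<ver>/vars like the server one.
set -u

yum install -y openvpn easy-rsa || exit 1

# Package versions, so the documentation paths need no hand-editing per release.
ovpn_ver=$(rpm -q --qf '%{VERSION}' openvpn) || exit 1
ersa_ver=$(rpm -q --qf '%{VERSION}' easy-rsa) || exit 1

cp "/usr/share/doc/openvpn-${ovpn_ver}/sample/sample-config-files/server.conf" /etc/openvpn/ || exit 1

# --- CA-side PKI ---------------------------------------------------------------
# The RPM ships /usr/share/easy-rsa/<ver> plus a "3" symlink; copying the
# directory keeps both.
cp -r /usr/share/easy-rsa/ /etc/openvpn/ || exit 1
cp "/usr/share/doc/easy-rsa-${ersa_ver}/vars.example" "/etc/openvpn/easy-rsa/${ersa_ver}/vars" || exit 1
# build-ca nopass leaves pki/private/ca.key unencrypted on the VPN host: whoever
# reads it can issue client certificates this server trusts. Kept for an
# unattended install; the pki/private directory is root-only, but consider a
# passphrase or moving the CA off-box afterwards. "yes" answers the sign-req
# confirmation; gen-crl is required because server.conf uses crl-verify.
(
  cd /etc/openvpn/easy-rsa/3 \
    && ./easyrsa init-pki \
    && ./easyrsa build-ca nopass \
    && ./easyrsa gen-req server nopass \
    && echo -e "yes\n" | ./easyrsa sign-req server server \
    && ./easyrsa gen-dh \
    && ./easyrsa gen-crl
) || { echo "CA/server PKI setup failed" >&2; exit 1; }

# Server material where server.conf expects it.
mkdir -p /etc/openvpn/certs || exit 1
cp /etc/openvpn/easy-rsa/3/pki/ca.crt /etc/openvpn/easy-rsa/3/pki/dh.pem \
   /etc/openvpn/easy-rsa/3/pki/issued/server.crt /etc/openvpn/certs/ || exit 1
cp /etc/openvpn/easy-rsa/3/pki/private/server.key /etc/openvpn/certs/ || exit 1
chmod 600 /etc/openvpn/certs/server.key

# --- Client-side PKI (key + CSR generation only) -------------------------------
cp -r /usr/share/easy-rsa/ /etc/openvpn/client/easy-rsa || exit 1
cp "/usr/share/doc/easy-rsa-${ersa_ver}/vars.example" "/etc/openvpn/client/easy-rsa/${ersa_ver}/vars" || exit 1
# The user-creation script assumes an initialised pki/ here.
( cd /etc/openvpn/client/easy-rsa/3 && ./easyrsa init-pki ) || exit 1

# --- Routing / firewall ---------------------------------------------------------
# Forwarding is required for the pushed routes to work; persist it.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn.conf
sysctl -w net.ipv4.ip_forward=1

yum install -y iptables-services iptables || exit 1
systemctl enable iptables --now
# Start from an empty ruleset. WARNING: this also removes any pre-existing
# rules. Chain policies are left untouched (ACCEPT on a fresh install), so the
# ACCEPT rules below only matter once a DROP policy / REJECT rule is in place.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
# NAT for the VPN subnet. server.conf hands out 10.8.0.0/24; the former /16
# was wider than necessary.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
service iptables save

# Log directory for the daemon (only used if server.conf points there and
# user/group nobody is enabled).
mkdir -p /var/log/openvpn
chown nobody:nobody /var/log/openvpn

# Drop in the prepared configs (server.conf overwrites the sample copied above).
mv -f /root/server.conf /etc/openvpn/ || exit 1
mkdir -p /etc/openvpn/client
mv -f /root/client.ovpn /etc/openvpn/client/ || exit 1
systemctl start openvpn@server
systemctl enable openvpn@server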