Add password option for clients (#160)

2018-08-18 19:40:07 +02:00 · 2018-08-18 19:40:07 +02:00 · 9ef0bbc47d
parent a0267c994d
commit 9ef0bbc47d
2 changed files with 36 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -88,6 +88,7 @@ This fork includes the following features :
 - [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2)
 - Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
 - Randomized certificate name
+- The ability to create passwordless clients and clients protected with a password
 - Other improvements !

 ## DNS
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@ -113,12 +113,28 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 		case $option in
 			1)
 			echo ""
+			echo "Do you want to protect the configuration file with a password?"
+			echo "(e.g. encrypt the private key with a password)"
+			echo "   1) Add a passwordless client"
+			echo "   2) Use a password for the client"
+			until [[ "$pass" =~ ^[1-2]$ ]]; do
+				read -rp "Select an option [1-2]: " -e -i 1 pass
+			done
+			echo ""
 			echo "Tell me a name for the client cert"
 			echo "Please, use one word only, no special characters"
-			read -rp "Client name: " -e -i newclient CLIENT

+			read -rp "Client name: " -e -i newclient CLIENT
 			cd /etc/openvpn/easy-rsa/ || return
-			./easyrsa build-client-full $CLIENT nopass
+			case $pass in
+				1)
+				./easyrsa build-client-full $CLIENT nopass
+				;;
+				2)
+				echo "⚠️ You will be asked for the client password below ⚠️"
+				./easyrsa build-client-full $CLIENT
+				;;
+			esac

 			# Generates the custom client.ovpn
 			newclient "$CLIENT"
@ -365,6 +381,14 @@ else
 		;;
 	esac
 	echo ""
+	echo "Do you want to protect the configuration file with a password?"
+	echo "(e.g. encrypt the private key with a password)"
+	echo "   1) Add a passwordless client"
+	echo "   2) Use a password for the client"
+	until [[ "$pass" =~ ^[1-2]$ ]]; do
+		read -rp "Select an option [1-2]: " -e -i 1 pass
+	done
+	echo ""
 	echo "Finally, tell me a name for the client certificate and configuration"
 	while [[ $CLIENT = "" ]]; do
 		echo "Please, use one word only, no special characters"
@ -524,7 +548,15 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 	./easyrsa --batch build-ca nopass
 	openssl dhparam -out dh.pem $DH_KEY_SIZE
 	./easyrsa build-server-full $SERVER_NAME nopass
-	./easyrsa build-client-full $CLIENT nopass
+	case $pass in
+		1)
+			./easyrsa build-client-full $CLIENT nopass
+		;;
+		2)
+			echo "⚠️ You will be asked for the client password below ⚠️"
+			./easyrsa build-client-full $CLIENT
+		;;
+	esac
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 	# generate tls-auth key
 	openvpn --genkey --secret /etc/openvpn/tls-auth.key