From 9ef0bbc47d1890c1e9795e8d4242888e35c423ac Mon Sep 17 00:00:00 2001
From: Angristan <11699655+Angristan@users.noreply.github.com>
Date: Sat, 18 Aug 2018 19:40:07 +0200
Subject: [PATCH] Add password option for clients (#160)

---
 README.md          |  1 +
 openvpn-install.sh | 38 +++++++++++++++++++++++++++++++++++---
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 0a2a5cf..20fbac4 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,7 @@ This fork includes the following features :
 - [Arch Linux support](https://github.com/Angristan/OpenVPN-install/pull/2)
 - Up-to-date OpenVPN thanks to [EPEL](http://fedoraproject.org/wiki/EPEL) for CentOS and [swupdate.openvpn.net](https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos) for Ubuntu and Debian. These are third-party yet trusted repositories.
 - Randomized certificate name
+- The ability to create passwordless clients and clients protected with a password
 - Other improvements !
 
 ## DNS
diff --git a/openvpn-install.sh b/openvpn-install.sh
index df5b77d..2c0c173 100644
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -113,12 +113,28 @@ if [[ -e /etc/openvpn/server.conf ]]; then
 		case $option in
 			1)
 			echo ""
+			echo "Do you want to protect the configuration file with a password?"
+			echo "(e.g. encrypt the private key with a password)"
+			echo "   1) Add a passwordless client"
+			echo "   2) Use a password for the client"
+			until [[ "$pass" =~ ^[1-2]$ ]]; do
+				read -rp "Select an option [1-2]: " -e -i 1 pass
+			done
+			echo ""
 			echo "Tell me a name for the client cert"
 			echo "Please, use one word only, no special characters"
-			read -rp "Client name: " -e -i newclient CLIENT
 
+			read -rp "Client name: " -e -i newclient CLIENT
 			cd /etc/openvpn/easy-rsa/ || return
-			./easyrsa build-client-full $CLIENT nopass
+			case $pass in
+				1)
+				./easyrsa build-client-full $CLIENT nopass
+				;;
+				2)
+				echo "⚠️ You will be asked for the client password below ⚠️"
+				./easyrsa build-client-full $CLIENT
+				;;
+			esac
 
 			# Generates the custom client.ovpn
 			newclient "$CLIENT"
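Review bot: Neither easyrsa call in the new `case $pass` block is checked for failure, so if `build-client-full` aborts (for option 2 this happens on a mismatched or rejected passphrase at the interactive prompt) the script still reaches `newclient "$CLIENT"` and writes a .ovpn that references a key that was never created. Both branches also pass `$CLIENT` unquoted, although the name comes straight from `read` and the "one word only, no special characters" instruction is never enforced, so a name with whitespace is split into several easyrsa arguments. Suggest `./easyrsa build-client-full "$CLIENT" nopass || { echo "Client certificate generation failed" >&2; exit 1; }` in the first arm and the equivalent without `nopass` in the second; if this menu body is in a function (the `|| return` after `cd` suggests it may be) use `return 1` instead of `exit 1`. The enclosing `case $option` body continues outside the hunk.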
@@ -365,6 +381,14 @@ else
 		;;
 	esac
 	echo ""
+	echo "Do you want to protect the configuration file with a password?"
+	echo "(e.g. encrypt the private key with a password)"
+	echo "   1) Add a passwordless client"
+	echo "   2) Use a password for the client"
+	until [[ "$pass" =~ ^[1-2]$ ]]; do
+		read -rp "Select an option [1-2]: " -e -i 1 pass
+	done
+	echo ""
 	echo "Finally, tell me a name for the client certificate and configuration"
 	while [[ $CLIENT = "" ]]; do
 		echo "Please, use one word only, no special characters"
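Review bot: The four `echo` lines and the `until … read … pass` loop added here are a verbatim copy of the block inserted into the add-client menu earlier in the patch, so any future change to the prompt or the accepted values has to be made twice. The prompt text is also slightly misleading: only the private key is encrypted by easyrsa, the .ovpn configuration file itself stays readable, so "protect the configuration file with a password" overstates what option 2 does. I would move the prompt into one helper, called from both places, and clear `pass` at the top so a value left over from an earlier prompt in the same run cannot skip the question (presumably not reachable today, but cheap to guard). The `while [[ $CLIENT = "" ]]` loop this hunk ends in continues outside the hunk.
```shell
# Ask whether the client's private key should be passphrase-protected.
# Sets the global "pass" to 1 (no passphrase) or 2 (passphrase); easyrsa
# prompts for the passphrase itself when the key is generated.
askClientPassword() {
	pass=""
	echo "Do you want to protect the client's private key with a password?"
	echo "(the .ovpn file itself is not encrypted)"
	echo "   1) Add a passwordless client"
	echo "   2) Use a password for the client"
	until [[ "$pass" =~ ^[1-2]$ ]]; do
		read -rp "Select an option [1-2]: " -e -i 1 pass
	done
}
# … unchanged: esac / echo "" …
askClientPassword
# … unchanged: "Finally, tell me a name for the client certificate" prompt …
```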
@@ -524,7 +548,15 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables.service
 	./easyrsa --batch build-ca nopass
 	openssl dhparam -out dh.pem $DH_KEY_SIZE
 	./easyrsa build-server-full $SERVER_NAME nopass
-	./easyrsa build-client-full $CLIENT nopass
+	case $pass in
+		1)
+			./easyrsa build-client-full $CLIENT nopass
+		;;
+		2)
+			echo "⚠️ You will be asked for the client password below ⚠️"
+			./easyrsa build-client-full $CLIENT
+		;;
+	esac
 	EASYRSA_CRL_DAYS=3650 ./easyrsa gen-crl
 	# generate tls-auth key
 	openvpn --genkey --secret /etc/openvpn/tls-auth.key
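Review bot: As in the add-client path, a failing `./easyrsa build-client-full` in the new `case $pass` block is ignored and installation continues straight into `gen-crl`, the tls-auth key and the rest of the server setup, leaving the initial client without a usable key while the script reports nothing. `$CLIENT` is again unquoted on both easyrsa lines although it is user-supplied and only validated for being non-empty in the loop above (outside this hunk). Suggest `./easyrsa build-client-full "$CLIENT" nopass || { echo "Client certificate generation failed" >&2; exit 1; }` and the same for the password arm; as a style point, the case arms here indent the body one level deeper than the otherwise identical block in the add-client menu, and the two should match. The install branch this belongs to begins and ends outside the hunk.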