Introduce back-end OpenVPN TLS key generation

Generate TLS-AUTH or TLS-CRYPT key and Inline file. Allow ONLY one TLS key to exist. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Jul 6, 2024 · 12a840d · 12a840d
1 parent 9b69b38
commit 12a840d
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 3 deletions.
diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib
@@ -11,6 +11,69 @@ fi
 # Set tools version
 EASYRSA_TOOLS_VERSION=1.0.1
 
+# Verify OpenVPN binary
+verify_openvpn() {
+	# Try to find openvpn
+	set_var EASYRSA_OPENVPN "$(which openvpn)"
+	if [ -f "$EASYRSA_OPENVPN" ]; then
+		verbose "verify_openvpn - $EASYRSA_OPENVPN"
+	else
+		user_error "Cannot find an OpenVPN binary."
+	fi
+} # => verify_openvpn()
+
+# OpenVPN TLS Auth Key, Linux only
+tls_key_gen() {
+	case "$1" in
+		auth)
+			tls_key_type=TLS-AUTH
+			inline_label=tls-auth
+		;;
+		crypt)
+			tls_key_type=TLS-CRYPT
+			inline_label=tls-crypt
+		;;
+		cryptv2)
+			print "Unavailable."
+			cleanup
+		;;
+		*)
+	esac
+	tls_key_file="$EASYRSA_PKI/private/easyrsa-tls.key"
+	inline_file="$EASYRSA_PKI/inline/easyrsa-tls.inline"
+
+	verify_openvpn
+
+	# Forbid overwrite
+	if [ -f "$tls_key_file" ]; then
+		user_error "\
+Cannot overwrite existing $tls_key_type Key:
+* $tls_key_file
+
+If this file is changed then it MUST be distributed to ALL servers
+AND clients to be in effect. You should NOT change the existing file."
+	fi
+
+	# Generate TLS Key
+	"$EASYRSA_OPENVPN" --genkey "$inline_label" \
+		"$tls_key_file" || die "tls_key_gen: $tls_key_type FAIL"
+
+	# Generate inline file
+	{
+		print "# Easy-RSA Inline file${NL}# Type: $tls_key_type Key"
+		print "<$inline_label>"
+		cat "$tls_key_file"
+		print "</$inline_label>"
+	} > "$inline_file" || \
+			die "tls_key_gen: inline FAIL"
+
+	notice "\
+$tls_key_type Key and Inline-file generated at:
+* $tls_key_file
+* $inline_file"
+	verbose "tls_key_gen: openvpn --genkey $tls_key_type OK"
+} # => tls_key_gen()
+
 # Get certificate start date
 # shellcheck disable=2317 # Unreach - ssl_cert_not_before_date()
 ssl_cert_not_before_date() {

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -5983,13 +5983,13 @@ case "$cmd" in
 
 		case "$cmd" in
 			gen-tls-auth)
-				tls_auth_key_gen "$@"
+				tls_key_gen auth "$@"
 			;;
 			gen-tls-crypt)
-				tls_crypt_key_gen "$@"
+				tls_key_gen crypt "$@"
 			;;
 			gen-tls-cryptv2)
-				tls_cryptv2_key_gen "$@"
+				tls_key_gen cryptv2 "$@"
 			;;
 			*)
 				die "Command '$cmd' not currently implemented."