#!/bin/sh
# Admin CGI page for the OpenVPN PKI: builds the CA, the server key pair and
# per-client key pairs with openssl, generates Diffie-Hellman parameters and
# stores the results in nvram. Page header and footer come from the sourced
# cgi-bin-pre.sh / cgi-bin-post.sh, which presumably also provide the
# unescape() helper used below (not visible here).
# NOTE(review): this copy of the file has lost every `<<EOF` heredoc
# redirection together with all HTML markup inside the heredocs; the bare
# `cat<` fragments and stray quotes below are what remains. Only the visible
# body text of each heredoc is kept. No code token was changed here, only
# line breaks, indentation and comments.
export DATE="24.4.2010";SCRIPT=${0#/rom}
export TITLE="Admin: OpenVPN RSA"
. ${SCRIPT%/*}/cgi-bin-pre.sh
cat<
Admin: OpenVPN RSA
EOF

#######################################
# Percent-encode one value for use in a URL or form field.
# Arguments: $1 - text to encode (may span several lines)
# Outputs:   encoded text on stdout, without a trailing newline
# sed encodes %, space, /, : and =, drops control characters and appends a
# "%0a" line after every input line; the for loop then joins all lines back
# together. Word splitting is what removes the newlines (spaces are already
# %20 by then), but the unquoted $(...) also subjects each line to pathname
# expansion.
# NOTE(review): `echo -n` is implementation-defined under #!/bin/sh;
# printf '%s' "$o" is the portable replacement.
#######################################
key_encode() {
  local l=
  local o=
  for l in $(echo "$1"|sed 's/%/%25/g;s/ /%20/g;s/\//%2f/g;s/:/%3a/g;s/=/%3d/g;s/[[:cntrl:]]//g;a%0a');do
    o=$o$l
  done
  echo -n $o
}

client=
ff_ovpn_tmp_crt_key=
ff_ovpn_cli=
# The client/server mode flag is only read when the openvpn init script exists.
if test -f /etc/init.d/S91openvpn;then
  ff_ovpn_cli=$(nvram get ff_ovpn_cli)
fi
# For a POST the form data is the first line of the request body.
# NOTE(review): `read` without -r interprets backslashes in that line.
case $REQUEST_METHOD in
  POST) read QUERY_STRING
;;esac

case $QUERY_STRING in
  "")
    # Plain GET: show the values currently stored in nvram.
    wan_hostname="$(nvram get wan_hostname)"
    ff_ovpn_clientremote="$(nvram get ff_ovpn_clientremote)"
    ff_ovpn_ca_crt="$(nvram get ff_ovpn_ca_crt)"
    ff_ovpn_ca_key="$(nvram get ff_ovpn_ca_key)"
    ff_ovpn_crt_key="$(nvram get ff_ovpn_crt_key)"
    ff_ovpn_dh="$(nvram get ff_ovpn_dh)"
  ;;*)
    # Form submitted: split the query string on '&' into positional parameters
    # and evaluate every "name=value" field as shell text.
    # NOTE(review): `eval $*` executes request-controlled text as shell code.
    # A field that is not a plain assignment, or a value that contains shell
    # syntax, runs as a command with the privileges of the web server; the
    # assignments below and the post_build_* / post_ovpn switches are all set
    # this way. Fix: loop over the fields, accept only the known names
    # (client, wan_hostname, ff_ovpn_*, post_*) via a `case`, and assign the
    # text after the first '=' without eval.
    IFS=\&;set $QUERY_STRING;unset IFS;eval $*
    client="$(unescape $client)"
    wan_hostname="$(unescape $wan_hostname)"
    ff_ovpn_clientremote="$(unescape $ff_ovpn_clientremote)"
    ff_ovpn_ca_crt="$(unescape $ff_ovpn_ca_crt)"
    ff_ovpn_ca_key="$(unescape $ff_ovpn_ca_key)"
    ff_ovpn_crt_key="$(unescape $ff_ovpn_crt_key)"
    ff_ovpn_dh="$(unescape $ff_ovpn_dh)"
    # Subject fields and sizes for openssl; /etc/openssl.cnf is expected to pick
    # the KEY_* values up from the environment (the config is not visible here).
    # NOTE(review): KEY_SIZE=1024 and the sha1 digests used below are well below
    # today's minimums (2048-bit RSA, sha256), and the DH parameters generated
    # from KEY_SIZE are 1024-bit as well. Raising them depends on what this
    # firmware's openssl build supports and on router CPU time.
    export KEY_CITY=
    export KEY_CN=
    export KEY_COUNTRY=
    export KEY_DIR=/tmp/keys
    export KEY_EMAIL=
    export KEY_EXPIRE=3650
    export KEY_NAME=
    export KEY_ORG=Freifunk
    export KEY_OU=
    export KEY_PROVINCE=
    export KEY_SIZE=1024
    # Work directory for openssl; it is removed again at the end of this branch
    # (`rm -r $KEY_DIR` below), so serial and index.txt restart from scratch on
    # every request.
    # NOTE(review): because the serial file never persists, every certificate
    # this CA signs gets the same low serial number, while OpenSSL and clients
    # assume serials are unique per CA. Persisting serial and index.txt next to
    # the CA (e.g. in nvram) or using a random serial would fix that. The
    # directory is also created with the default umask although the CA private
    # key is written into it; `umask 077` before the mkdir is the usual guard.
    test -d $KEY_DIR || mkdir $KEY_DIR
    test -f $KEY_DIR/serial || echo 01 > $KEY_DIR/serial
    test -f $KEY_DIR/index.txt || : > $KEY_DIR/index.txt

    # Step 1: self-signed CA certificate and key.
    case $post_build_ca in "");;*)
    # Clearing QUERY_STRING makes the page render the form again (the "" arm of
    # the case further below) once the build is done.
    unset QUERY_STRING
    echo '
'
    export KEY_CN="${wan_hostname}_CA"
    # -x509 produces the self-signed certificate directly from the new key.
    /usr/bin/openssl req \
    -batch \
    -days $KEY_EXPIRE \
    -nodes \
    -new \
    -newkey rsa:$KEY_SIZE \
    -sha1 \
    -x509 \
    -config /etc/openssl.cnf \
    -keyout $KEY_DIR/ca.key \
    -out $KEY_DIR/ca.crt
    # ff_ovpn_ca_crt (and presumably ff_ovpn_ca_key) are read back from the
    # files just written; the command is truncated in this copy.
    ff_ovpn_ca_crt=$(cat<'
    ;;esac

    # Step 2: server key + CSR, signed by the CA. The CA material comes from
    # the submitted form, not from nvram.
    # NOTE(review): the CA private key therefore round-trips through the
    # browser on every build, and ca.key is written with the default umask.
    case $post_build_key_server in "");;*)
    unset QUERY_STRING
    echo '
'
    echo "$ff_ovpn_ca_crt" > $KEY_DIR/ca.crt
    echo "$ff_ovpn_ca_key" > $KEY_DIR/ca.key
    export KEY_CN="${wan_hostname}_SERVER"
    /usr/bin/openssl req \
    -batch \
    -days $KEY_EXPIRE \
    -nodes \
    -new \
    -newkey rsa:$KEY_SIZE \
    -extensions server \
    -config /etc/openssl.cnf \
    -keyout $KEY_DIR/server.key \
    -out $KEY_DIR/server.csr
    # Sign the CSR with the CA; -extensions server selects the server profile
    # from openssl.cnf.
    /usr/bin/openssl ca \
    -batch \
    -days $KEY_EXPIRE \
    -md sha1 \
    -extensions server \
    -config /etc/openssl.cnf \
    -out $KEY_DIR/server.crt \
    -in $KEY_DIR/server.csr
    unset LF
    # Certificate and key are read back into the single ff_ovpn_crt_key value
    # (one form field holds both); the command is truncated in this copy.
    ff_ovpn_crt_key=$(cat<'
    ;;esac

    # Step 3: one client key pair per request. The result is only shown on the
    # page (ff_ovpn_tmp_crt_key) and is never written to nvram.
    case $post_build_key_client in "");;*)
    unset QUERY_STRING
    echo '
'
    # NOTE(review): the client name is only checked for being non-empty before
    # it becomes part of KEY_CN; if openssl.cnf takes the CN from the
    # environment, whatever the user typed ends up in the certificate subject.
    case $client in "")echo "Error: no client name set";;*)
    echo "$ff_ovpn_ca_crt" > $KEY_DIR/ca.crt
    echo "$ff_ovpn_ca_key" > $KEY_DIR/ca.key
    export KEY_CN="${wan_hostname}_${client}"
    # NOTE(review): 3650 and rsa:1024 are hard-coded here while the CA and
    # server steps use $KEY_EXPIRE and $KEY_SIZE; using the variables keeps
    # the three steps in sync.
    /usr/bin/openssl req \
    -batch \
    -days 3650 \
    -nodes \
    -new \
    -newkey rsa:1024 \
    -config /etc/openssl.cnf \
    -keyout $KEY_DIR/client.key \
    -out $KEY_DIR/client.csr
    /usr/bin/openssl ca \
    -batch \
    -days 3650 \
    -md sha1 \
    -config /etc/openssl.cnf \
    -out $KEY_DIR/client.crt \
    -in $KEY_DIR/client.csr
    unset LF
    # Client certificate and key, read back for display; truncated in this copy.
    ff_ovpn_tmp_crt_key=$(cat<'
    ;;esac

    # Step 4: Diffie-Hellman parameters of KEY_SIZE bits (slow on a router).
    # NOTE(review): DH parameters are public values; they need integrity, not
    # secrecy (the help text further below calls them secret).
    case $post_build_dh in "");;*)
    unset QUERY_STRING
    echo '
'
    /usr/bin/openssl dhparam \
    -out $KEY_DIR/dh${KEY_SIZE}.pem \
    $KEY_SIZE
    ff_ovpn_dh="$(cat $KEY_DIR/dh${KEY_SIZE}.pem)"
    echo '
'
    ;;esac
    # Make sure we got all from nvram config
    rm -r $KEY_DIR
;;esac

# Render the page. QUERY_STRING is empty on a GET and after every build above,
# so this arm shows the form with the current values.
case $QUERY_STRING in
"")
cat<
function hideWork() { var obj=document.getElementById('work'); if (null!=obj)obj.style.display='none'; } window.onload=function(){setTimeout("hideWork()",1500);}
Client Name:  (Mandatory to Generate)
EOF
case $ff_ovpn_cli in 0) cat<
Download:
EOF
# NOTE(review): the three `esac` on the next line close more cases than are
# visible; at least one case arm and the heredoc bodies were lost in this copy.
case $ff_ovpn_tmp_crt_key in "") cat<";;esac cat<";;esac;;esac
cat<
Client Certificate (*.crt) &
Client Key (*.key):

 

EOF case $ff_ovpn_cli in 0) cat< (For client config tar, see above)
EOF ;;esac cat<  (Prefix for all CN)
CA Certificate (ca.crt):
CA Key (ca.key):
 
Server Certificate (server.crt) & Server Key (server.key):
 
Diffie Hellman Parameters:
 
      

Tip: This page manages only the first configuration, if multiple OpenVPN configurations are present. For a secondary OpenVPN server (e.g. with TCP on another port) you therefore need to copy the respective input fields from the first to the second configuration page manually.

Hints on Managing Keys

  • A key can be used to encrypt or decrypt a data stream. A certificate proves the authenticity of a key. All keys and certificates generated here are valid for 10 years.
  • The CA ("Certificate Authority") is required to prove the authenticity of all generated keys and certificates. On this server, you will generate a CA key in a first step. This key is secret, so do not distribute it.
  • By using the CA key, a CA certificate is also created. Distribute the CA certificate to all clients. Note: Everybody can generate self-signed certificates. You can spend more money by inviting third parties to validate authenticity (e.g. governments or companies). Their competence and honesty are trusted e.g. by a lot of web browsers. For that reason, web browsers include pre-installed CA certificates which they trust blindly. If you carry a CA certificate from computer to computer, make sure nobody can swap the storage medium on the way.
  • In a second step, you generate a pair of a key and a certificate for the server. This pair stays on the server.
  • In additional steps, you generate pairs of keys and certificates for every client. Transport these pairs to the clients on a secure channel. Now repeat these steps for every client:
    1. Fill in the Client Name input field.
    2. Click the Generate Client Pair button.
    3. Copy the contents of the Client Certificate & Client Key field to a text file via clipboard.
    4. Transport the text file to the client and enter its contents there in the Certificate & Key input field.

    Tip: First configure the OpenVPN server as desired. Use the first OpenVPN configuration, if more than one configuration is present. Then, after you created a client key, click the Client Configuration (Tar) link. The downloaded archive file can be used e.g. with the Windows OpenVPN GUI: unpack the archive contents to C:\Program Files\OpenVPN\config.

    Note: Storage space on this router is limited. For this reason, generated keys and certificates for clients are not saved. If you want to revoke individual keys later on, store the issued keys elsewhere yourself. A CRL (Certificate Revocation List) is not managed by this user interface.

  • The server requires the "Diffie Hellman" parameters to optimize the data connection by using a faster symmetric encryption. Copy these parameters from one of your other servers or generate new parameters. The parameters are secret, so do not distribute them. Attention: this process requires up to 15 minutes on a router.
  • If you are ready, do not forget to save all settings by clicking on the Apply button.
EOF
;;*)
# Apply button (post_ovpn): write the submitted values to nvram.
# Only the fixed name list in $keys can reach nvram; ff_ovpn_clientremote is
# included only when ff_ovpn_cli is 0.
# NOTE(review): ff_ovpn_ca_key is the CA private key; it is persisted in
# nvram next to the certificate. The values themselves were produced by the
# `eval` on the query string earlier in this file.
DIRTY=
case $post_ovpn in "");;*)
  keys="wan_hostname ff_ovpn_ca_crt ff_ovpn_ca_key ff_ovpn_crt_key ff_ovpn_dh"
  case $ff_ovpn_cli in 0)keys="$keys ff_ovpn_clientremote";;esac
  for V in $keys; do
    # Indirect read of the variable named in V; V only ever comes from the
    # fixed list above, so this eval sees no request-controlled names.
    eval C=\"\$$V\"
    # Write only values that differ from what nvram already holds, so an
    # unchanged form does not trigger a commit.
    case "$(nvram get $V)" in "$C");;*)
      DIRTY=1
      nvram set $V="$C"
    ;;esac
  done
;;esac
case $DIRTY in
"") cat<
No settings are changed.
EOF
;;1)
# stdout and stderr of the commit are closed, presumably to keep its output
# out of the HTML response.
nvram commit>&- 2>&-
cat<
The changed settings are committed. The settings are active after the next Restart.
EOF
;;esac
;;esac
. ${SCRIPT%/*}/cgi-bin-post.sh