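#!/bin/sh
# Container entrypoint for ocserv (OpenConnect server).
#
# On first start it generates a self-signed CA and a server certificate under
# /etc/ocserv/certs (each step is skipped when its output file already exists),
# optionally seeds a well-known test user, enables IPv4 forwarding and NAT,
# makes sure the TUN device node exists, writes a supervisor program
# definition for ocserv, and finally execs the command given as arguments.
#
# Environment (all optional):
#   CA_CN, CA_ORG, CA_DAYS            CA subject fields and lifetime in days
#   SRV_CN, SRV_DNS, SRV_ORG, SRV_DAYS server subject fields, DNS SAN, lifetime
#   NO_TEST_USER                      when non-empty, do not create the 'test' user
#
# Exit status: non-zero when certificate generation fails (the server would be
# unusable anyway); network and device setup problems are reported on stderr
# but do not abort, so the container still starts in restricted environments.
set -eu

# Report a non-fatal problem on stderr and keep going.
warn() {
  printf 'entrypoint: warning: %s\n' "$*" >&2
}

# Report a fatal problem on stderr and stop.
die() {
  printf 'entrypoint: error: %s\n' "$*" >&2
  exit 1
}

# Append an iptables rule only if an identical rule is not already present,
# so repeated container starts do not pile up duplicate rules.
# Arguments: the iptables rule specification (everything after -A).
add_rule_once() {
  if ! iptables -C "$@" 2>/dev/null; then
    iptables -A "$@" || warn "could not add iptables rule: $*"
  fi
}

# ---------------------------------------------------------------------------
# CA
# ---------------------------------------------------------------------------
CA_TMPL="/etc/ocserv/certs/ca.tmpl"
CA_KEY="/etc/ocserv/certs/ca-key.pem"
CA_CERT="/etc/ocserv/certs/ca-cert.pem"
CA_CN="${CA_CN:-VPN CA}"
CA_ORG="${CA_ORG:-Big Corp}"
CA_DAYS="${CA_DAYS:--1}"   # default "-1": certtool treats it as "never expires"

mkdir -p /etc/ocserv/certs

# NOTE: the subject values come straight from the environment and are expanded
# unvalidated into the certtool template; a value containing a double quote or
# a newline would alter the template's structure.
if [ ! -f "$CA_TMPL" ]; then
  cat > "$CA_TMPL" << _EOF_
cn = "$CA_CN"
organization = "$CA_ORG"
serial = 1
expiration_days = "$CA_DAYS"
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
fi
if [ ! -f "$CA_KEY" ]; then
  certtool --generate-privkey --outfile "$CA_KEY" || die "CA key generation failed"
  # Private key: keep it readable by the owner (root) only.
  chmod 600 "$CA_KEY"
fi
if [ ! -f "$CA_CERT" ]; then
  certtool --generate-self-signed \
    --load-privkey "$CA_KEY" \
    --template "$CA_TMPL" \
    --outfile "$CA_CERT" || die "CA certificate generation failed"
fi

# ---------------------------------------------------------------------------
# Server certificate, signed by the CA above
# ---------------------------------------------------------------------------
SRV_TMPL="/etc/ocserv/certs/server.tmpl"
SRV_KEY="/etc/ocserv/certs/server-key.pem"
SRV_CERT="/etc/ocserv/certs/server-cert.pem"
SRV_CN="${SRV_CN:-VPN server}"
SRV_DNS="${SRV_DNS:-www.example.com}"
SRV_ORG="${SRV_ORG:-MyCompany}"
SRV_DAYS="${SRV_DAYS:--1}"   # see CA_DAYS

if [ ! -f "$SRV_TMPL" ]; then
  cat > "$SRV_TMPL" << _EOF_
cn = "$SRV_CN"
dns_name = "$SRV_DNS"
organization = "$SRV_ORG"
expiration_days = "$SRV_DAYS"
signing_key
encryption_key
tls_www_server
_EOF_
fi
if [ ! -f "$SRV_KEY" ]; then
  certtool --generate-privkey --outfile "$SRV_KEY" || die "server key generation failed"
  chmod 600 "$SRV_KEY"
fi
if [ ! -f "$SRV_CERT" ]; then
  certtool --generate-certificate \
    --load-privkey "$SRV_KEY" \
    --load-ca-certificate "$CA_CERT" \
    --load-ca-privkey "$CA_KEY" \
    --template "$SRV_TMPL" \
    --outfile "$SRV_CERT" || die "server certificate generation failed"
fi

# ---------------------------------------------------------------------------
# Test user (well-known credentials; set NO_TEST_USER to skip)
# ---------------------------------------------------------------------------
if [ -z "${NO_TEST_USER:-}" ] && [ ! -f /etc/ocserv/ocpasswd ]; then
  printf '%s\n' "Create test user 'test' with password 'test'"
  # Single quotes: the hash contains '$' and must be written literally.
  printf '%s\n' 'test:*:$5$DktJBFKobxCFd7wN$sn.bVw8ytyAaNamO.CvgBvkzDiFR6DaHdUzcif52KK7' > /etc/ocserv/ocpasswd
fi

# ---------------------------------------------------------------------------
# IPv4 forwarding and NAT (best effort: needs CAP_NET_ADMIN)
# ---------------------------------------------------------------------------
sysctl -w net.ipv4.ip_forward=1 || warn "could not enable net.ipv4.ip_forward"
add_rule_once -t nat POSTROUTING -j MASQUERADE
add_rule_once FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# ---------------------------------------------------------------------------
# TUN device node (best effort: needs CAP_MKNOD)
# ---------------------------------------------------------------------------
if [ ! -e /dev/net/tun ]; then
  mkdir -p /dev/net
  if mknod /dev/net/tun c 10 200; then
    chmod 600 /dev/net/tun
  else
    warn "could not create /dev/net/tun"
  fi
fi

# ---------------------------------------------------------------------------
# Supervisor program definition for ocserv
# ---------------------------------------------------------------------------
OCSERV_CONF="/etc/supervisor/conf.d/ocserv.conf"
if [ ! -f "$OCSERV_CONF" ]; then
  cat > "$OCSERV_CONF" << _EOF_
[program:ocserv]
command=ocserv -c /etc/ocserv/ocserv.conf -f -d 1
autostart=true
autorestart=true
stderr_logfile=/var/log/ocserv_error.log
stdout_logfile=/var/log/ocserv.log
priority=5
_EOF_
fi

# Hand over to the container command (typically the supervisor).
exec "$@"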