From 122039a6539a9f875760b13928a874dd8f10fa14 Mon Sep 17 00:00:00 2001
From: yohan <783b8c87@scimetis.net>
Date: Sun, 14 Apr 2019 18:34:38 +0200
Subject: [PATCH] Initial commit.
---
 .gitignore | 1 +
 README | 6 ++++++
 create_conf.sh | 21 +++++++++++++++++++++
 docker-compose.yml | 19 +++++++++++++++++++
 openssl.conf | 13 +++++++++++++
 5 files changed, 60 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README
 create mode 100755 create_conf.sh
 create mode 100644 docker-compose.yml
 create mode 100644 openssl.conf
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3b7e381
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+conf/
diff --git a/README b/README
new file mode 100644
index 0000000..6cbd380
--- /dev/null
+++ b/README
@@ -0,0 +1,6 @@
+https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage
+https://forums.openvpn.net/viewtopic.php?t=7484
+https://serverfault.com/questions/785108/why-does-openvpn-give-the-error-unsupported-certificate-purpose-for-an-interm
+https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
+https://github.com/openssl/openssl/issues/6481
+
diff --git a/create_conf.sh b/create_conf.sh
new file mode 100755
index 0000000..f66533b
--- /dev/null
+++ b/create_conf.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+mkdir -p conf
+cd conf
+openssl req -nodes -days 3650 -new -x509 -keyout ca.key -out ca.crt -subj "/C=FR/O=scimetis/CN=scimetis.net"
+openssl dhparam -out dh1024.pem 1024
+
+openssl req -nodes -new -keyout server.key -out server.csr -subj "/C=FR/O=scimetis/CN=scimetis.net" -reqexts server -config ../openssl.conf
+openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions server -extfile ../openssl.conf -in server.csr -out server.crt
+
+openssl req -nodes -new -keyout client.key -out client.csr -subj "/C=FR/O=scimetis/CN=serveur Windows" -reqexts usr_cert -config ../openssl.conf
+openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client.csr -out client.crt
+
+openssl req -nodes -new -keyout client2.key -out client2.csr -subj "/C=FR/O=scimetis/CN=PC client" -reqexts usr_cert -config ../openssl.conf
+openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client2.csr -out client2.crt
+
+chcon -R -u system_u -r object_r -t svirt_sandbox_file_t ./
+mkdir keys
+mkdir ccd
+cp -a ca.crt ca.srl dh1024.pem server.crt server.key keys/
+echo "ifconfig-push 192.168.102.10 255.255.255.0" > "ccd/serveur Windows"
+cd ..
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..0fa8d69
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,19 @@
+version: "2.1"
+
+services:
+
+openvpn-server:
+image: openvpn-server
+ports:
+- 1195:1194/udp
+volumes:
+- ./conf/keys:/etc/openvpn/server/keys
+- ./conf/ccd:/etc/openvpn/server/ccd
+cap_add:
+- NET_ADMIN
+devices:
+- /dev/net/tun
+restart: always
+#entrypoint: /bin/bash
+#privileged: true
+#network_mode: "host"
diff --git a/openssl.conf b/openssl.conf
new file mode 100644
index 0000000..77237b2
--- /dev/null
+++ b/openssl.conf
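Review bot: `openssl dhparam -out dh1024.pem 1024` produces 1024-bit DH parameters, below the 2048-bit minimum that current OpenVPN and OpenSSL guidance requires for the TLS control channel; change it to `openssl dhparam -out dh2048.pem 2048` and the later copy to `cp -a ca.crt ca.srl dh2048.pem server.crt server.key keys/` (the server config that names this file is not part of this commit, so it needs the same rename). The script has no `set -e`, so if `cd conf` fails every key and certificate is written into the repository root, which is not covered by the `conf/` entry in .gitignore; `cd conf || exit 1` after the mkdir would stop that. Every `openssl req` call uses `-nodes`, so ca.key is stored unencrypted in conf/ beside the leaf keys; that is tolerable only because the `cp` into keys/ deliberately omits ca.key, and a comment on that line saying the CA key must never be copied into the mounted directory would keep it that way.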
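Review bot: the two bind mounts under `volumes:` give the container read-write access to ./conf/keys (which holds server.key) and ./conf/ccd, so a compromised OpenVPN process could alter the server key, CA certificate or the ccd push rules on the host; mount both read-only, `- ./conf/keys:/etc/openvpn/server/keys:ro` and `- ./conf/ccd:/etc/openvpn/server/ccd:ro`. `image: openvpn-server` has no tag or digest, so with `restart: always` a re-pull could start a different image than the one reviewed; pin a tag once the image is published. The commented-out `#privileged: true` and `#network_mode: "host"` are a one-character toggle to a far larger attack surface and should be deleted rather than left next to `cap_add: NET_ADMIN` and the `/dev/net/tun` device, which appear to be what the tun setup needs.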
@@ -0,0 +1,13 @@
+[req]
+distinguished_name=req_distinguished_name
+
+[ req_distinguished_name ]
+
+[usr_cert]
+extendedKeyUsage=clientAuth
+keyUsage = digitalSignature
+
+[server]
+extendedKeyUsage=serverAuth
+keyUsage = digitalSignature, keyEncipherment
+
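Review bot: neither `[usr_cert]` nor `[server]` sets `basicConstraints=CA:FALSE`, so the leaf certificates that create_conf.sh issues with `-extensions usr_cert` and `-extensions server` carry no explicit CA flag; add `basicConstraints=CA:FALSE` to both sections so a client certificate cannot be treated as an intermediate by a verifier that tolerates a missing basicConstraints. `[server]` also has no `subjectAltName`, so the server certificate is identified only by its CN; if clients rely on `verify-x509-name` that works, but `subjectAltName=DNS:scimetis.net` would match the README links and current TLS practice. `[ req_distinguished_name ]` is empty on purpose because every subject comes from `-subj` in create_conf.sh; a one-line comment stating that would stop a later maintainer from filling it in.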