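#!/bin/bash
#
# Bootstrap the OpenVPN server state on first start and then exec openvpn.
#
# Runs from /etc/openvpn and, only when the corresponding file is missing,
# creates the EasyRSA PKI (CA, server cert, DH params, CRL), the tls-auth
# key, the LDAP group "OpenVPN access" and the firewall ipblock entry for
# the client subnet. Every step is idempotent so the script can run on
# every boot. Any failing command aborts the start (set -e).
#
# Key generation happens here rather than at install time because it is
# slow: by now the booting system is producing more entropy.
set -eo pipefail

cd /etc/openvpn || exit 1

#basic setup
if [[ ! -e pki ]]; then
  ./easyrsa init-pki
fi

#create ca cert
# The CA common name is supplied on stdin (easyrsa prompts for it);
# "nopass" leaves the CA key unencrypted so openvpn can start unattended.
if [[ ! -e pki/ca.crt ]]; then
  echo syn3 | ./easyrsa build-ca nopass
fi

#create server cert
if [[ ! -e pki/issued/server.crt ]]; then
  ./easyrsa build-server-full server nopass
fi

#create dh parameters
if [[ ! -e pki/dh.pem ]]; then
  ./easyrsa gen-dh
fi

#create CRL list
if [[ ! -e pki/crl.pem ]]; then
  ./easyrsa gen-crl
fi

#openvpn group
# Look the group up by name instead of grepping the whole group database:
# a substring match could hit a member list or a similarly named group.
if ! getent group "OpenVPN access" > /dev/null; then
  smbldap-groupadd -g 521 "OpenVPN access" || exit 1
fi

#openvpn ipblock
# Fixed-string match on "NAME=" so the check neither treats the name as a
# regex nor prints the matching line; -s keeps a missing ipblocks file
# quiet (the append below then creates it).
NAME="OpenVPN clients"
if ! grep -qsF -- "$NAME=" /etc/firewall/ipblocks; then
  printf '%s\n' "$NAME='10.8.0.0/24'" >> /etc/firewall/ipblocks
fi

#create tlsauth key
# Shared HMAC key for tls-auth; it must be distributed to clients together
# with the CA cert and stays private (openvpn writes it under pki/).
if [[ ! -e pki/ta.key ]]; then
  openvpn --genkey --secret pki/ta.key
fi

modprobe tun
# Later --config files override earlier ones: base, product, then local
# customisation.
exec openvpn --config openvpn.conf --config openvpn_syn3.conf --config openvpn_custom.conf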