Add PASSPHRASE support in headless mode (#1015)

Add support for a password protected user in headless mode Fixes #389 --------- Co-authored-by: Siebren Kraak <siebren.kraak@secura.com> Co-authored-by: Stanislas Lange <git@slange.me>
2025-12-15 16:37:03 +01:00 · 2025-12-13 15:42:43 +01:00
parent 75ea8ef1c1
commit cb2d67be74
4 changed files with 173 additions and 8 deletions
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -1688,10 +1688,18 @@ function newClient() {
 			run_cmd_fatal "Building client certificate" ./easyrsa --batch build-client-full "$CLIENT" nopass
 			;;
 		2)
-			log_warn "You will be asked for the client password below"
-			# Run directly (not via run_cmd) so password prompt is visible to user
-			if ! ./easyrsa --batch build-client-full "$CLIENT"; then
-				log_fatal "Building client certificate failed"
+			if [[ -z "$PASSPHRASE" ]]; then
+				log_warn "You will be asked for the client password below"
+				# Run directly (not via run_cmd) so password prompt is visible to user
+				if ! ./easyrsa --batch build-client-full "$CLIENT"; then
+					log_fatal "Building client certificate failed"
+				fi
+			else
+				log_info "Using provided passphrase for client certificate"
+				# Use env var to avoid exposing passphrase in install log
+				export EASYRSA_PASSPHRASE="$PASSPHRASE"
+				run_cmd_fatal "Building client certificate" ./easyrsa --batch --passin=env:EASYRSA_PASSPHRASE --passout=env:EASYRSA_PASSPHRASE build-client-full "$CLIENT"
+				unset EASYRSA_PASSPHRASE
 			fi
 			;;
 		esac