#!/bin/bash
-# Copyright (C) 2016 Ian Kelling
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# See the License for the specific language governing permissions and
# limitations under the License.
+
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
-readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
+readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"
+this_dir="${this_file%/*}"
usage() {
cat <<'EOF'
usage: ${0##*/} VPN_SERVER_HOST
--b COMMON_NAME By default, use $HOSTNAME or $CLIENT_HOST. If the cert
- already exists on the server, with the CLIENT_NAME
- name, we use the existing one. See comment below if we
- ever want to check existing common names. They must be
- unique per server, so you can use $(uuidgen) if
- needed. You used to be able to create multiple with the
- same name, but not connect at the same time, but now,
- the generator keeps track, so you can't generate.
--c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST
+-b COMMON_NAME By default, use $CLIENT_HOST or if it is not given,
+ $HOSTNAME. If the cert already exists on the server,
+ with the CLIENT_NAME name, we use the existing one. See
+ comment below if we ever want to check existing common
+ names. They must be unique per server, so you can use
+ $(uuidgen) if needed. You used to be able to create
+ multiple with the same name, but not connect at the
+ same time, but now, the generator keeps track, so you
+ can't generate.
+
+-c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST.
+-f Force. Proceed even if cert already exists.
-n CONFIG_NAME default is client
--s SCRIPT_PATH Use custom up/down script at PATH, copied to same path
- on client.
+-o SERVER_CONFIG_NAME Default is CONFIG_NAME
+-r Install certs to the current directory instead of /etc/openvpn/client
+-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is
+ not localhost, the script is copied to it. The default
+ script used to be /etc/openvpn/update-resolv-conf, but now
+ that systemd-resolved is becoming popular, there is no default.
+
+Environment variable: SSH_CONFIG_FILE_OVERRIDE
Generate a client cert and config and install it on locally or on
CLIENT_HOST if given. Uses default config options, and expects be able
shell="bash -c"
name=client
-custom_script=false
-script=/etc/openvpn/update-resolv-conf
client_host=$CLIENT_HOST
+force=false
+rel=false
+if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then
+ ssh_arg="-F $SSH_CONFIG_FILE_OVERRIDE"
+fi
-temp=$(getopt -l help hb:c:n:s: "$@") || usage 1
+temp=$(getopt -l help hb:c:fn:o:rs: "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-b) common_name="$2"; shift 2 ;;
- -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+ -c) client_host=$2; shell="ssh $ssh_arg root@$client_host"; shift 2 ;;
+ -f) force=true; shift ;;
-n) name="$2"; shift 2 ;;
- -s) custom_script=true; script="$2"; shift 2 ;;
+ -o) server_name="$2"; shift 2 ;;
+ -r) rel=true; shift ;;
+ -s) script="$2"; shift 2 ;;
-h|--help) usage ;;
--) shift; break ;;
*) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
esac
done
+if [[ $client_host ]] && $rel; then
+ echo "$0: error client_host and -r specified. use one or the other"
+ exit 1
+fi
+
+
+if [[ ! $server_name ]]; then
+ server_name="$name"
+fi
+
if [[ ! $common_name ]]; then
if [[ $client_host ]]; then
common_name=$client_host
####### end command line parsing and checking ##############
-# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \
- | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
- echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
- ssh root@$host cat /tmp/vpn-mk-client-cert.log
- exit 1
+if $rel; then
+ f=$name.crt
+ keydir=.
+else
+ f=/etc/openvpn/client/$name.crt
+ keydir=/etc/openvpn/client
fi
-f=/etc/openvpn/client/$name.crt
-if ! $shell "test -s $f"; then
- # if common name is not unique, you get empty file. and if we didn't silence
- # build-key, you'd see an error "TXT_DB error number 2"
- echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
- exit 1
+if ! $force; then
+ cert_to_test=$f
+ if [[ $client_host ]]; then
+ cert_to_test=$(mktemp)
+ ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+ fi
+ if openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+ if [[ $client_host ]]; then
+ prefix="$shell"
+ fi
+ if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
+ echo "$0: cert already exists. exiting early"
+ exit 0
+ fi
+ fi
fi
-$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
+port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
+
+$shell "dd of=$keydir/$name.conf" <<EOF
# From example config, from debian stretch to buster
client
dev tun
proto udp
-remote $host 1194
+remote $host $port
resolv-retry infinite
nobind
persist-key
-persist-tun
-ca $name-ca.crt
+# persist-tun was here, but if the vpn goes down this makes
+# the whole thing get stuck if the vpn is our default route
+# unless we set a special route out just for the vpn.
+# todo: investigate.
+ca ca-$name.crt
cert $name.crt
key $name.key
# disabled for better performance
#comp-lzo
verb 3
-# This script will update local dns
-# to what the server sends, if it sends dns.
-script-security 2
-up "$script"
-down "$script"
-
# matching server config
cipher AES-256-CBC
-
# example config has the commented line, but this other thing looks stronger,
# and I've seen it in a vpn provider I trust
# ns-cert-type server
# The minimum of the client & server config is what is used by openvpn.
reneg-sec 432000
-tls-auth $name-ta.key 1
+tls-auth ta-$name.key 1
+EOF
+
+if [[ $script ]]; then
+ $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
+script-security 2
+up "$script"
+down "$script"
EOF
-if [[ $client_host ]] && $custom_script; then
- $shell "dd of=$script" <$script
- $shell "chmod +x $script"
+ if [[ $client_host && $script ]]; then
+ $shell "dd of=$script" <$script
+ $shell "chmod +x $script"
+ fi
+fi
+
+if ! $rel; then
+ $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+fi
+
+if ! $rel; then
+ dirarg="-C $keydir"
fi
-$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
+hostssh="ssh $arg root@$host"
+if ! $hostssh bash -s -- $server_name $common_name < $this_dir/client-cert-helper \
+ | $shell "id -u | grep -xF 0 || s=sudo; \$s tar xzv $dirarg"; then
+ echo $hostssh cat /tmp/vpn-mk-client-cert.log:
+ $hostssh cat /tmp/vpn-mk-client-cert.log
+ echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
+ exit 1
+fi
+
+
+
+if ! $shell "test -s $f"; then
+ # if common name is not unique, you get empty file. and if we didn't silence
+ # build-key, you'd see an error "TXT_DB error number 2"
+ echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+ exit 1
+fi