[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
+
usage() {
- cat <<EOF
+ cat <<'EOF'
usage: ${0##*/} VPN_SERVER_HOST
-b COMMON_NAME By default, use $HOSTNAME or $CLIENT_HOST. If the cert
the generator keeps track, so you can't generate.
-c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST
-n CONFIG_NAME default is client
--s SCRIPT_PATH Use custom up/down script at PATH, copied to same path
- on client.
+-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path
+ on client, if client is not localhost.
Generate a client cert and config and install it on locally or on
CLIENT_HOST if given. Uses default config options, and expects be able
Note: Uses GNU getopt options parsing style
EOF
- exit ${1:-0}
+ exit ${1:-0}
}
# to get the common name
# cn=$(s openssl x509 -noout -nameopt multiline -subject \
- # -in /etc/openvpn/client/mail.crt | \
- # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
+ # -in /etc/openvpn/client/mail.crt | \
+ # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
####### begin command line parsing and checking ##############
name=client
custom_script=false
script=/etc/openvpn/update-resolv-conf
+client_host=$CLIENT_HOST
temp=$(getopt -l help hb:c:n:s: "$@") || usage 1
eval set -- "$temp"
while true; do
- case $1 in
- -b) common_name="$2"; shift 2 ;;
- -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
- -n) name="$2"; shift 2 ;;
- -s) custom_script=true; script="$2"; shift 2 ;;
- -h|--help) usage ;;
- --) shift; break ;;
- *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
- esac
+ case $1 in
+ -b) common_name="$2"; shift 2 ;;
+ -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+ -n) name="$2"; shift 2 ;;
+ -s) custom_script=true; script="$2"; shift 2 ;;
+ -h|--help) usage ;;
+ --) shift; break ;;
+ *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+ esac
done
if [[ ! $common_name ]]; then
- if [[ $client_host ]]; then
- common_name=$client_host
- else
- common_name=$HOSTNAME
- fi
+ if [[ $client_host ]]; then
+ common_name=$client_host
+ else
+ common_name=$HOSTNAME
+ fi
fi
host=$1
# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-ssh root@$host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
-set -eE -o pipefail
-
-server_dir=/etc/openvpn
-if [[ -e /etc/openvpn/server ]]; then
- server_dir=/etc/openvpn/server
-fi
-
-exists=true
-for x in /etc/openvpn/easy-rsa/keys/{$name.{crt,key},ca.crt}; do
- if [[ ! -e \$x ]]; then
- exists=false
- break
- fi
-done
-
-if ! \$exists; then
- cd /etc/openvpn/easy-rsa
- source vars >/dev/null
-
- { echo -e '\n\n\n\n\n'$common_name'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
+if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \
+ | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
+ echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
+ ssh root@$host cat /tmp/vpn-mk-client-cert.log
+ exit 1
fi
-d=\$(mktemp -d)
-cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
-cp /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
-
-cp \$server_dir/ta.key \$d/$name-ta.key
-
-tar cz -C \$d .
-rm -rf \$d
-EOF
f=/etc/openvpn/client/$name.crt
if ! $shell "test -s $f"; then
- # if common name is not unique, you get empty file. and if we didn't silence
- # build-key, you'd see an error "TXT_DB error number 2"
- echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
- exit 1
+ # if common name is not unique, you get empty file. and if we didn't silence
+ # build-key, you'd see an error "TXT_DB error number 2"
+ echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+ exit 1
fi
$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
-# From example config, from debian stretch as of 1-2017
+# From example config, from debian stretch to buster
client
dev tun
proto udp
# matching server config
cipher AES-256-CBC
-
# example config has the commented line, but this other thing looks stronger,
# and I've seen it in a vpn provider I trust
# ns-cert-type server
EOF
if [[ $client_host ]] && $custom_script; then
- $shell "dd of=$script" <$script
- $shell "chmod +x $script"
+ $shell "dd of=$script" <$script
+ $shell "chmod +x $script"
fi
$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'