X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=vpn-mk-client-cert;h=014008dbe21a5b87be52bc3a36ca703a918fe55e;hb=7a7d2d3cb1416b693ea06d91d20d5e1b945657a2;hp=59ddda55cc5cc5959d2d68273d85f7ae5d81e415;hpb=aa9be22d2798d15580907238cfdbf8f3ffd7364d;p=vpn-setup

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index 59ddda5..014008d 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -18,7 +18,8 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
-readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
+readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"
+this_dir="${this_file%/*}"
 
 
 usage() {
@@ -39,11 +40,14 @@ usage: ${0##*/} VPN_SERVER_HOST
 -f               Force. Proceed even if cert already exists.
 -n CONFIG_NAME   default is client
 -o SERVER_CONFIG_NAME  Default is CONFIG_NAME
+-r               Install certs to the current directory instead of /etc/openvpn
 -s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. If client host is
                  not localhost, the script is copied to it. The default
                  script used to be /etc/openvpn/update-resolv-conf, but now
                  that systemd-resolved is becoming popular, there is no default.
 
+Environment variable: SSH_CONFIG_FILE_OVERRIDE
+
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
 to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
@@ -69,16 +73,21 @@ shell="bash -c"
 name=client
 client_host=$CLIENT_HOST
 force=false
+rel=false
+if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then
+  ssh_arg="-F $SSH_CONFIG_FILE_OVERRIDE"
+fi
 
-temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1
+temp=$(getopt -l help hb:c:fn:o:rs: "$@") || usage 1
 eval set -- "$temp"
 while true; do
   case $1 in
     -b) common_name="$2"; shift 2 ;;
-    -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+    -c) client_host=$2; shell="ssh $ssh_arg root@$client_host"; shift 2 ;;
     -f) force=true; shift ;;
     -n) name="$2"; shift 2 ;;
     -o) server_name="$2"; shift 2 ;;
+    -r) rel=true; shift ;;
     -s) script="$2"; shift 2 ;;
     -h|--help) usage ;;
     --) shift; break ;;
@@ -86,6 +95,12 @@ while true; do
   esac
 done
 
+if [[ $client_host ]] && $rel; then
+  echo "$0: error client_host and -r specified. use one or the other"
+  exit 1
+fi
+
+
 if [[ ! $server_name ]]; then
   server_name="$name"
 fi
@@ -104,40 +119,18 @@ host=$1
 ####### end command line parsing and checking ##############
 
 
-f=/etc/openvpn/client/$name.crt
-
-cert_to_test=$f
-if [[ $client_host ]]; then
-  cert_to_test=$(mktemp)
-  ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
-fi
-if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
-  echo "$0: cert already exists. exiting early"
-  exit 0
-fi
-
-
-# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
-if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
-    |  $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
-  echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
-  ssh root@$host cat /tmp/vpn-mk-client-cert.log
-  echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
-  exit 1
+if $rel; then
+  f=$name.crt
+  keydir=.
+else
+  f=/etc/openvpn/client/$name.crt
+  keydir=/etc/openvpn/client
 fi
 
-port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
-
+port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
 
-if ! $shell "test -s $f"; then
-  # if common name is not unique, you get empty file. and if we didn't silence
-  # build-key, you'd see an error "TXT_DB error number 2"
-  echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
-  exit 1
-fi
 
-$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
+$shell "dd of=$keydir/$name.conf" <<EOF
 # From example config, from debian stretch to buster
 client
 dev tun
@@ -146,7 +139,10 @@ remote $host $port
 resolv-retry infinite
 nobind
 persist-key
-persist-tun
+# persist-tun was here, but if the vpn goes down this makes
+# the whole thing get stuck if the vpn is our default route
+# unless we set a special route out just for the vpn.
+# todo: investigate.
 ca ca-$name.crt
 cert $name.crt
 key $name.key
@@ -185,4 +181,45 @@ EOF
   fi
 fi
 
-$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+if ! $rel; then
+  $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+fi
+
+cert_to_test=$f
+if [[ $client_host ]]; then
+  cert_to_test=$(mktemp)
+  ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+fi
+if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+  if [[ $client_host ]]; then
+    prefix="$shell"
+  fi
+  if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
+    echo "$0: cert already exists. exiting early"
+  fi
+  exit 0
+fi
+
+if ! $rel; then
+  dirarg="-C $keydir"
+fi
+
+# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
+hostssh="ssh $arg root@$host"
+if ! $hostssh bash -s -- $server_name $common_name < $this_dir/client-cert-helper \
+    |  $shell "id -u | grep -xF 0 || s=sudo; \$s tar xzv $dirarg"; then
+  echo $hostssh cat /tmp/vpn-mk-client-cert.log:
+  $hostssh cat /tmp/vpn-mk-client-cert.log
+  echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
+  exit 1
+fi
+
+
+
+if ! $shell "test -s $f"; then
+  # if common name is not unique, you get empty file. and if we didn't silence
+  # build-key, you'd see an error "TXT_DB error number 2"
+  echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+  exit 1
+fi