X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=vpn-mk-client-cert;h=1aa9b4166aca033059b65b25328c829a68677b15;hb=c34b9b437d4a7173190ea58e040a3ae76f7410d7;hp=f480d02b8e4cf7bbcac1ac400d99253ca41bf381;hpb=dfbfe58ae8f9e2a80fde7279fc1608ef6e32c6fa;p=vpn-setup

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index f480d02..1aa9b41 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -18,20 +18,25 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
+readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
+
+
 usage() {
-    cat <<EOF
+  cat <<'EOF'
 usage: ${0##*/} VPN_SERVER_HOST
 
--b COMMON_NAME   By default, use CONFIG_NAME. If the cert already exists
-                 on the server, with the CLIENT_NAME name, we use the
-                 existing one. See comment below if we ever want to
-                 check existing common names. They must be unique per
-                 server, so you can use $(uuidgen) if needed. You used
-                 to be able to create multiple with the same name, but
-                 not connect at the same time, but now, the generator
-                 keeps track, so you can't generate.
+-b COMMON_NAME   By default, use $HOSTNAME or $CLIENT_HOST. If the cert
+                 already exists on the server, with the CLIENT_NAME
+                 name, we use the existing one. See comment below if we
+                 ever want to check existing common names. They must be
+                 unique per server, so you can use $(uuidgen) if
+                 needed. You used to be able to create multiple with the
+                 same name, but not connect at the same time, but now,
+                 the generator keeps track, so you can't generate.
 -c CLIENT_HOST   default is localhost. Else we ssh to root@CLIENT_HOST
 -n CONFIG_NAME   default is client
+-s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. copied to same path
+                 on client, if client is not localhost.
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
@@ -43,95 +48,89 @@ localhost, just to sudo this script as root.
 
 Note: Uses GNU getopt options parsing style
 EOF
-    exit ${1:-0}
+  exit ${1:-0}
 }
 
 # to get the common name
 # cn=$(s openssl x509 -noout -nameopt multiline -subject \
-    #        -in /etc/openvpn/client/mail.crt | \
-    #          sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
+  #        -in /etc/openvpn/client/mail.crt | \
+  #          sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
 
 
+####### begin command line parsing and checking ##############
+
 shell="bash -c"
 name=client
+custom_script=false
+script=/etc/openvpn/update-resolv-conf
+client_host=$CLIENT_HOST
 
-temp=$(getopt -l help hb:c:n: "$@") || usage 1
+temp=$(getopt -l help hb:c:n:s: "$@") || usage 1
 eval set -- "$temp"
 while true; do
-    case $1 in
-        -b) common_name="$2"; shift 2 ;;
-        -c) shell="ssh root@$2"; shift 2 ;;
-        -n) name="$2"; shift 2 ;;
-        -h|--help) usage ;;
-        --) shift; break ;;
-        *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
-    esac
+  case $1 in
+    -b) common_name="$2"; shift 2 ;;
+    -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+    -n) name="$2"; shift 2 ;;
+    -s) custom_script=true; script="$2"; shift 2 ;;
+    -h|--help) usage ;;
+    --) shift; break ;;
+    *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+  esac
 done
 
-if [[ ! $common_name ]]; then common_name=$name; fi
+if [[ ! $common_name ]]; then
+  if [[ $client_host ]]; then
+    common_name=$client_host
+  else
+    common_name=$HOSTNAME
+  fi
+fi
 
 host=$1
 [[ $host ]] || usage 1
 
-# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-ssh root@$host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
-set -eE -o pipefail
-
-exists=true
-for x in /etc/openvpn/easy-rsa/keys/{$name.{crt,key},ca.crt}; do
-  if [[ ! -e \$x ]]; then
-     exists=false
-     break
-  fi
-done
+####### end command line parsing and checking ##############
 
-if ! \$exists; then
-  cd /etc/openvpn/easy-rsa
-  source vars >/dev/null
 
-  { echo -e '\n\n\n\n\n'$common_name'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
+# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \
+    |  $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
+  echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
+  ssh root@$host cat /tmp/vpn-mk-client-cert.log
+  exit 1
 fi
 
-d=\$(mktemp -d)
-cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
-cp /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
+port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
 
-tar cz -C \$d .
-rm -rf \$d
-EOF
 
 f=/etc/openvpn/client/$name.crt
-if [[ ! -s $f ]]; then
-    echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
-    exit 1
+if ! $shell "test -s $f"; then
+  # if common name is not unique, you get empty file. and if we didn't silence
+  # build-key, you'd see an error "TXT_DB error number 2"
+  echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+  exit 1
 fi
 
 $shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
-# From example config, from debian stretch as of 1-2017
+# From example config, from debian stretch to buster
 client
 dev tun
 proto udp
-remote $host 1194
+remote $host $port
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
-ca $name-ca.crt
+ca ca-$name.crt
 cert $name.crt
 key $name.key
 # disabled for better performance
 #comp-lzo
 verb 3
 
-# This script will update local dns
-# to what the server sends, if it sends dns.
-script-security 2
-up /etc/openvpn/update-resolv-conf
-down /etc/openvpn/update-resolv-conf
-
 # matching server config
-cipher aes-256-cbc
-
+cipher AES-256-CBC
 
 # example config has the commented line, but this other thing looks stronger,
 # and I've seen it in a vpn provider I trust
@@ -141,7 +140,26 @@ remote-cert-tls server
 # more resilient when running as nonroot
 persist-key
 
-# see comments in server side configuration.
-# the minimum of the 2 is used.
-reneg-sec 2592000
+# See comments in server side configuration.
+# The minimum of the client & server config is what is used by openvpn.
+reneg-sec 432000
+
+tls-auth ta-$name.key 1
 EOF
+
+if [[ $script ]]; then
+  $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up "$script"
+down "$script"
+EOF
+
+  if [[ $client_host ]] && $custom_script; then
+    $shell "dd of=$script" <$script
+    $shell "chmod +x $script"
+  fi
+fi
+
+$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'