X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=vpn-mk-client-cert;h=59ddda55cc5cc5959d2d68273d85f7ae5d81e415;hb=aa9be22d2798d15580907238cfdbf8f3ffd7364d;hp=306cb22fdb004d06cfd515edbd8e07042144b83d;hpb=beeb3f8f469421f9b926ab6b5763a099086c6f2b;p=vpn-setup

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index 306cb22..59ddda5 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -13,56 +13,176 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# usage: $0 SERVER_HOST [DEST_HOST]
-# ssh to SERVER_HOST, create a cert & client config, put it on
-# DEST_HOST, or localhost by default. Assumes server was setup
-# by the other script in this dir.
-
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
+readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
+
+
 usage() {
-    cat <<EOF
-usage: ${0##*/} VPN_SERVER_HOST [CLIENT_HOST]
+  cat <<'EOF'
+usage: ${0##*/} VPN_SERVER_HOST
+
+-b COMMON_NAME   By default, use $CLIENT_HOST or if it is not given,
+                 $HOSTNAME. If the cert already exists on the server,
+                 with the CLIENT_NAME name, we use the existing one. See
+                 comment below if we ever want to check existing common
+                 names. They must be unique per server, so you can use
+                 $(uuidgen) if needed. You used to be able to create
+                 multiple with the same name, but not connect at the
+                 same time, but now, the generator keeps track, so you
+                 can't generate.
+
+-c CLIENT_HOST   Default is localhost. Else we ssh to root@CLIENT_HOST.
+-f               Force. Proceed even if cert already exists.
+-n CONFIG_NAME   default is client
+-o SERVER_CONFIG_NAME  Default is CONFIG_NAME
+-s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. If client host is
+                 not localhost, the script is copied to it. The default
+                 script used to be /etc/openvpn/update-resolv-conf, but now
+                 that systemd-resolved is becoming popular, there is no default.
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
-to ssh to VPN_SERVER_HOST and CLIENT_HOST.
+to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
+localhost, just to sudo this script as root.
+
+
+
+
+Note: Uses GNU getopt options parsing style
 EOF
-    exit ${1:-0}
+  exit ${1:-0}
 }
 
-case $1 in
-    -h|--help) usage 0 ;;
-esac
+# to get the common name
+# cn=$(s openssl x509 -noout -nameopt multiline -subject \
+  #        -in /etc/openvpn/client/mail.crt | \
+  #          sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
 
-(($# >= 1)) || usage 1
 
-host=$1
+####### begin command line parsing and checking ##############
+
 shell="bash -c"
-if [[ $2 ]]; then
-    shell="ssh $2"
+name=client
+client_host=$CLIENT_HOST
+force=false
+
+temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1
+eval set -- "$temp"
+while true; do
+  case $1 in
+    -b) common_name="$2"; shift 2 ;;
+    -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+    -f) force=true; shift ;;
+    -n) name="$2"; shift 2 ;;
+    -o) server_name="$2"; shift 2 ;;
+    -s) script="$2"; shift 2 ;;
+    -h|--help) usage ;;
+    --) shift; break ;;
+    *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+  esac
+done
+
+if [[ ! $server_name ]]; then
+  server_name="$name"
+fi
+
+if [[ ! $common_name ]]; then
+  if [[ $client_host ]]; then
+    common_name=$client_host
+  else
+    common_name=$HOSTNAME
+  fi
+fi
+
+host=$1
+[[ $host ]] || usage 1
+
+####### end command line parsing and checking ##############
+
+
+f=/etc/openvpn/client/$name.crt
+
+cert_to_test=$f
+if [[ $client_host ]]; then
+  cert_to_test=$(mktemp)
+  ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
 fi
+if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+  echo "$0: cert already exists. exiting early"
+  exit 0
+fi
+
 
 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
-ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn'
-set -eE -o pipefail
-cd /etc/openvpn/easy-rsa
-source vars >/dev/null
+$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
+if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
+    |  $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
+  echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
+  ssh root@$host cat /tmp/vpn-mk-client-cert.log
+  echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
+  exit 1
+fi
+
+port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
 
-# uuidgen because common name must be unique
-{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key client &>/dev/null
 
-d=\$(mktemp -d)
-cp /etc/openvpn/easy-rsa/keys/ca.crt \
-   /etc/openvpn/update-resolv-conf \
-   /usr/share/doc/openvpn/examples/sample-config-files/client.conf \$d
-mv /etc/openvpn/easy-rsa/keys/client.{crt,key} \$d
+if ! $shell "test -s $f"; then
+  # if common name is not unique, you get empty file. and if we didn't silence
+  # build-key, you'd see an error "TXT_DB error number 2"
+  echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+  exit 1
+fi
 
-sed -i --follow-symlinks "s/^remote .*/remote $host 1194/" \$d/client.conf
+$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
+# From example config, from debian stretch to buster
+client
+dev tun
+proto udp
+remote $host $port
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca ca-$name.crt
+cert $name.crt
+key $name.key
+# disabled for better performance
+#comp-lzo
+verb 3
+
+# matching server config
+cipher AES-256-CBC
+
+# example config has the commented line, but this other thing looks stronger,
+# and I've seen it in a vpn provider I trust
+# ns-cert-type server
+remote-cert-tls server
+
+# more resilient when running as nonroot
+persist-key
+
+# See comments in server side configuration.
+# The minimum of the client & server config is what is used by openvpn.
+reneg-sec 432000
+
+tls-auth ta-$name.key 1
+EOF
 
-tar cz -C \$d .
-rm -rf \$d
+if [[ $script ]]; then
+  $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
+script-security 2
+up "$script"
+down "$script"
 EOF
+
+  if [[ $client_host && $script ]]; then
+    $shell "dd of=$script" <$script
+    $shell "chmod +x $script"
+  fi
+fi
+
+$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'