[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
-readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
+readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"
+this_dir="${this_file%/*}"
usage() {
-f Force. Proceed even if cert already exists.
-n CONFIG_NAME default is client
-o SERVER_CONFIG_NAME Default is CONFIG_NAME
+-r Install certs to the current directory instead of /etc/openvpn
-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is
not localhost, the script is copied to it. The default
script used to be /etc/openvpn/update-resolv-conf, but now
that systemd-resolved is becoming popular, there is no default.
+Environment variable: SSH_CONFIG_FILE_OVERRIDE
+
Generate a client cert and config and install it on locally or on
CLIENT_HOST if given. Uses default config options, and expects be able
to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
name=client
client_host=$CLIENT_HOST
force=false
+rel=false
+if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then
+ ssh_arg="-F $SSH_CONFIG_FILE_OVERRIDE"
+fi
-temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1
+temp=$(getopt -l help hb:c:fn:o:rs: "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-b) common_name="$2"; shift 2 ;;
- -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
+ -c) client_host=$2; shell="ssh $ssh_arg root@$client_host"; shift 2 ;;
-f) force=true; shift ;;
-n) name="$2"; shift 2 ;;
-o) server_name="$2"; shift 2 ;;
+ -r) rel=true; shift ;;
-s) script="$2"; shift 2 ;;
-h|--help) usage ;;
--) shift; break ;;
esac
done
+if [[ $client_host ]] && $rel; then
+ echo "$0: error client_host and -r specified. use one or the other"
+ exit 1
+fi
+
+
if [[ ! $server_name ]]; then
server_name="$name"
fi
####### end command line parsing and checking ##############
-f=/etc/openvpn/client/$name.crt
+if $rel; then
+ f=$name.crt
+ keydir=.
+else
+ f=/etc/openvpn/client/$name.crt
+ keydir=/etc/openvpn/client
+fi
+
+port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
-$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
+
+$shell "dd of=$keydir/$name.conf" <<EOF
# From example config, from debian stretch to buster
client
dev tun
fi
fi
-$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
-
+if ! $rel; then
+ $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+fi
cert_to_test=$f
if [[ $client_host ]]; then
cert_to_test=$(mktemp)
- ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+ ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
fi
if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
- echo "$0: cert already exists. exiting early"
+ if [[ $client_host ]]; then
+ prefix="$shell"
+ fi
+ if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
+ echo "$0: cert already exists. exiting early"
+ fi
exit 0
fi
+if ! $rel; then
+ dirarg="-C $keydir"
+fi
# bash or else we get motd spam. note sleep 2, sleep 1 failed.
$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
-if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
- | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
- echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
- ssh root@$host cat /tmp/vpn-mk-client-cert.log
+hostssh="ssh $arg root@$host"
+if ! $hostssh bash -s -- $server_name $common_name < $this_dir/client-cert-helper \
+ | $shell "id -u | grep -xF 0 || s=sudo; \$s tar xzv $dirarg"; then
+ echo $hostssh cat /tmp/vpn-mk-client-cert.log:
+ $hostssh cat /tmp/vpn-mk-client-cert.log
echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
exit 1
fi
-port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
if ! $shell "test -s $f"; then
iankelling.org / git / vpn-setup / commitdiff