From: Ian Kelling Date: Sat, 4 Sep 2021 19:50:38 +0000 (-0400) Subject: fixes X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=7a7d2d3cb1416b693ea06d91d20d5e1b945657a2;p=vpn-setup fixes --- diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert index 7421178..014008d 100755 --- a/vpn-mk-client-cert +++ b/vpn-mk-client-cert @@ -18,7 +18,8 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" -readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}" +readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" +this_dir="${this_file%/*}" usage() { @@ -39,11 +40,14 @@ usage: ${0##*/} VPN_SERVER_HOST -f Force. Proceed even if cert already exists. -n CONFIG_NAME default is client -o SERVER_CONFIG_NAME Default is CONFIG_NAME +-r Install certs to the current directory instead of /etc/openvpn -s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is not localhost, the script is copied to it. The default script used to be /etc/openvpn/update-resolv-conf, but now that systemd-resolved is becoming popular, there is no default. +Environment variable: SSH_CONFIG_FILE_OVERRIDE + Generate a client cert and config and install it on locally or on CLIENT_HOST if given. Uses default config options, and expects be able to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is @@ -69,16 +73,21 @@ shell="bash -c" name=client client_host=$CLIENT_HOST force=false +rel=false +if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then + ssh_arg="-F $SSH_CONFIG_FILE_OVERRIDE" +fi -temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1 +temp=$(getopt -l help hb:c:fn:o:rs: "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -b) common_name="$2"; shift 2 ;; - -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;; + -c) client_host=$2; shell="ssh $ssh_arg root@$client_host"; shift 2 ;; -f) force=true; shift ;; -n) name="$2"; shift 2 ;; -o) server_name="$2"; shift 2 ;; + -r) rel=true; shift ;; -s) script="$2"; shift 2 ;; -h|--help) usage ;; --) shift; break ;; @@ -86,6 +95,12 @@ while true; do esac done +if [[ $client_host ]] && $rel; then + echo "$0: error client_host and -r specified. use one or the other" + exit 1 +fi + + if [[ ! $server_name ]]; then server_name="$name" fi @@ -104,9 +119,18 @@ host=$1 ####### end command line parsing and checking ############## -f=/etc/openvpn/client/$name.crt +if $rel; then + f=$name.crt + keydir=. +else + f=/etc/openvpn/client/$name.crt + keydir=/etc/openvpn/client +fi + +port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) -$shell "dd of=/etc/openvpn/client/$name.conf" </dev/null >$cert_to_test ||: + ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||: fi if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then - echo "$0: cert already exists. exiting early" + if [[ $client_host ]]; then + prefix="$shell" + fi + if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then + echo "$0: cert already exists. exiting early" + fi exit 0 fi +if ! $rel; then + dirarg="-C $keydir" +fi # bash or else we get motd spam. note sleep 2, sleep 1 failed. $shell '[[ -e /etc/openvpn ]] || apt install openvpn' -if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \ - | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then - echo ssh root@$host cat /tmp/vpn-mk-client-cert.log: - ssh root@$host cat /tmp/vpn-mk-client-cert.log +hostssh="ssh $arg root@$host" +if ! $hostssh bash -s -- $server_name $common_name < $this_dir/client-cert-helper \ + | $shell "id -u | grep -xF 0 || s=sudo; \$s tar xzv $dirarg"; then + echo $hostssh cat /tmp/vpn-mk-client-cert.log: + $hostssh cat /tmp/vpn-mk-client-cert.log echo EOF for root@$host:/tmp/vpn-mk-client-cert.log exit 1 fi -port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) if ! $shell "test -s $f"; then