0f974c07494b1a0f8538411049705f10ecd6a716
2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
17 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
19 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
21 readonly this_file
="$(readlink -f -- "${BASH_SOURCE[0]}")"
22 this_dir
="${this_file%/*}"
27 usage: ${0##*/} VPN_SERVER_HOST
29 -b COMMON_NAME By default, use $CLIENT_HOST or if it is not given,
30 $HOSTNAME. If the cert already exists on the server,
31 with the CLIENT_NAME name, we use the existing one. See
32 comment below if we ever want to check existing common
33 names. They must be unique per server, so you can use
34 $(uuidgen) if needed. You used to be able to create
35 multiple with the same name, but not connect at the
36 same time, but now, the generator keeps track, so you
39 -c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST.
40 -f Force. Proceed even if cert already exists.
41 -n CONFIG_NAME default is client
42 -o SERVER_CONFIG_NAME Default is CONFIG_NAME
43 -r Install certs to the current directory instead of /etc/openvpn/client
44 -s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is
45 not localhost, the script is copied to it. The default
46 script used to be /etc/openvpn/update-resolv-conf, but now
47 that systemd-resolved is becoming popular, there is no default.
49 Environment variable: SSH_CONFIG_FILE_OVERRIDE
51 Generate a client cert and config and install it on locally or on
52 CLIENT_HOST if given. Uses default config options, and expects be able
53 to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
54 localhost, just to sudo this script as root.
59 Note: Uses GNU getopt options parsing style
64 # to get the common name
65 # cn=$(s openssl x509 -noout -nameopt multiline -subject \
66 # -in /etc/openvpn/client/mail.crt | \
67 # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
70 ####### begin command line parsing and checking ##############
74 client_host
=$CLIENT_HOST
77 if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then
78 ssh_arg
="-F $SSH_CONFIG_FILE_OVERRIDE"
81 temp
=$
(getopt
-l help hb
:c
:fn
:o
:rs
: "$@") || usage
1
85 -b) common_name
="$2"; shift 2 ;;
86 -c) client_host
=$2; shell
="ssh $ssh_arg root@$client_host"; shift 2 ;;
87 -f) force
=true
; shift ;;
88 -n) name
="$2"; shift 2 ;;
89 -o) server_name
="$2"; shift 2 ;;
90 -r) rel
=true
; shift ;;
91 -s) script="$2"; shift 2 ;;
94 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
98 if [[ $client_host ]] && $rel; then
99 echo "$0: error client_host and -r specified. use one or the other"
104 if [[ ! $server_name ]]; then
108 if [[ ! $common_name ]]; then
109 if [[ $client_host ]]; then
110 common_name
=$client_host
112 common_name
=$HOSTNAME
117 [[ $host ]] || usage
1
119 ####### end command line parsing and checking ##############
126 f
=/etc
/openvpn
/client
/$name.crt
127 keydir
=/etc
/openvpn
/client
133 if [[ $client_host ]]; then
134 cert_to_test
=$
(mktemp
)
135 ssh $ssh_arg root@
$client_host cat $f 2>/dev
/null
>$cert_to_test ||
:
137 if openssl x509
-checkend $
(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev
/null
; then
138 if [[ $client_host ]]; then
141 if $prefix test -s $keydir/ta-
$name.key
-a -s $keydir/ca-
$name.crt
; then
142 echo "$0: cert already exists. exiting early"
148 port
=$
(echo '/^port/ {print $2}' |
ssh $ssh_arg root@
$host awk -f - /etc
/openvpn
/server
/$name.conf |
tail -n1)
150 $shell "dd of=$keydir/$name.conf" <<EOF
151 # From example config, from debian stretch to buster
156 resolv-retry infinite
159 # persist-tun was here, but if the vpn goes down this makes
160 # the whole thing get stuck if the vpn is our default route
161 # unless we set a special route out just for the vpn.
166 # disabled for better performance
170 # matching server config
173 # example config has the commented line, but this other thing looks stronger,
174 # and I've seen it in a vpn provider I trust
175 # ns-cert-type server
176 remote-cert-tls server
178 # more resilient when running as nonroot
181 # See comments in server side configuration.
182 # The minimum of the client & server config is what is used by openvpn.
185 tls-auth ta-$name.key 1
188 if [[ $script ]]; then
189 $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
195 if [[ $client_host && $script ]]; then
196 $shell "dd of=$script" <$script
197 $shell "chmod +x $script"
202 $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
209 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
210 $shell '[[ -e /etc/openvpn ]] || apt install openvpn'
211 hostssh
="ssh $arg root@$host"
212 if ! $hostssh bash
-s -- $server_name $common_name < $this_dir/client-cert-helper \
213 |
$shell "id -u | grep -xF 0 || s=sudo; \$s tar xzv $dirarg"; then
214 echo $hostssh cat /tmp
/vpn-mk-client-cert.log
:
215 $hostssh cat /tmp
/vpn-mk-client-cert.log
216 echo EOF
for root@
$host:/tmp
/vpn-mk-client-cert.log
222 if ! $shell "test -s $f"; then
223 # if common name is not unique, you get empty file. and if we didn't silence
224 # build-key, you'd see an error "TXT_DB error number 2"
225 echo "$0: error: $f is empty or otherwise bad. is this common name unique?"