iankelling.org Git - vpn-setup/blob - vpn-mk-client-cert

   1 #!/bin/bash
   2 # Copyright (C) 2016 Ian Kelling
   3
   4 # Licensed under the Apache License, Version 2.0 (the "License");
   5 # you may not use this file except in compliance with the License.
   6 # You may obtain a copy of the License at
   7
   8 #     http://www.apache.org/licenses/LICENSE-2.0
   9
  10 # Unless required by applicable law or agreed to in writing, software
  11 # distributed under the License is distributed on an "AS IS" BASIS,
  12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 # See the License for the specific language governing permissions and
  14 # limitations under the License.
  15
  16 # usage: $0 SERVER_HOST [DEST_HOST]
  17 # ssh to SERVER_HOST, create a cert & client config, put it on
  18 # DEST_HOST, or localhost by default. Assumes server was setup
  19 # by the other script in this dir.
  20
  21 set -eE -o pipefail
  22 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
  23
  24 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
  25
  26 usage() {
  27     cat <<EOF
  28 usage: ${0##*/} VPN_SERVER_HOST
  29
  30 -c CLIENT_HOST   default is localhost
  31 -n CONFIG_NAME   default is client
  32
  33 Generate a client cert and config and install it on locally or on
  34 CLIENT_HOST if given.  Uses default config options, and expects be able
  35 to ssh to VPN_SERVER_HOST and CLIENT_HOST.
  36 EOF
  37     exit ${1:-0}
  38 }
  39
  40 shell="bash -c"
  41 name=client
  42
  43 temp=$(getopt -l help hc:n: "$@") || usage 1
  44 eval set -- "$temp"
  45 while true; do
  46     case $1 in
  47         -c) shell="ssh $2"; shift 2 ;;
  48         -n) name="$2"; shift 2 ;;
  49         -h|--help) usage ;;
  50         --) shift; break ;;
  51         *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
  52     esac
  53 done
  54 host=$1
  55 [[ $host ]] || usage 1
  56
  57 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
  58 ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
  59 set -eE -o pipefail
  60 cd /etc/openvpn/easy-rsa
  61 source vars >/dev/null
  62
  63 # uuidgen because common name must be unique
  64 { echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
  65
  66 d=\$(mktemp -d)
  67 cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
  68 mv /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
  69
  70 tar cz -C \$d .
  71 rm -rf \$d
  72 EOF
  73
  74 cat > /etc/openvpn/client/$name.conf <<EOF
  75 # From example config, from debian stretch as of 1-2017
  76 client
  77 dev tun
  78 proto udp
  79 remote $host 1194
  80 resolv-retry infinite
  81 nobind
  82 persist-key
  83 persist-tun
  84 ca $name-ca.crt
  85 cert $name.crt
  86 key $name.key
  87 # disabled for better performance
  88 #comp-lzo
  89 verb 3
  90
  91 # This script will update local dns
  92 # to what the server sends, if it sends dns.
  93 script-security 2
  94 up /etc/openvpn/update-resolv-conf
  95 down /etc/openvpn/update-resolv-conf
  96
  97 # matching server config
  98 cipher aes-256-cbc
  99
 100
 101 # example config has the commented line, but this other thing looks stronger,
 102 # and I've seen it in a vpn provider I trust
 103 # ns-cert-type server
 104 remote-cert-tls server
 105
 106 # more resilient when running as nonroot
 107 persist-key
 108 EOF