2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
16 # usage: $0 SERVER_HOST [DEST_HOST]
17 # ssh to SERVER_HOST, create a cert & client config, put it on
18 # DEST_HOST, or localhost by default. Assumes server was setup
19 # by the other script in this dir.
22 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
24 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
28 usage: ${0##*/} VPN_SERVER_HOST
30 -c CLIENT_HOST default is localhost
31 -n CONFIG_NAME default is client
33 Generate a client cert and config and install it on locally or on
34 CLIENT_HOST if given. Uses default config options, and expects be able
35 to ssh to VPN_SERVER_HOST and CLIENT_HOST.
43 temp
=$
(getopt
-l help hc
:n
: "$@") || usage
1
47 -c) shell
="ssh $2"; shift 2 ;;
48 -n) name
="$2"; shift 2 ;;
51 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
55 [[ $host ]] || usage
1
57 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
58 ssh $host bash
<<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
60 cd /etc/openvpn/easy-rsa
61 source vars >/dev/null
63 # uuidgen because common name must be unique
64 { echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
67 cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
68 mv /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
74 cat > /etc
/openvpn
/client
/$name.conf
<<EOF
75 # From example config, from debian stretch as of 1-2017
87 # disabled for better performance
91 # This script will update local dns
92 # to what the server sends, if it sends dns.
94 up /etc/openvpn/update-resolv-conf
95 down /etc/openvpn/update-resolv-conf
97 # matching server config
101 # example config has the commented line, but this other thing looks stronger,
102 # and I've seen it in a vpn provider I trust
103 # ns-cert-type server
104 remote-cert-tls server
106 # more resilient when running as nonroot