iankelling.org / git / vpn-setup / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix a few failures
[vpn-setup] / vpn-mk-client-cert
1 #!/bin/bash
2 # Copyright (C) 2016 Ian Kelling
3
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7
8 # http://www.apache.org/licenses/LICENSE-2.0
9
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 set -eE -o pipefail
17 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
18
19 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
20
21 readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"
22
23
24 usage() {
25 cat <<'EOF'
26 usage: ${0##*/} VPN_SERVER_HOST
27
28 -b COMMON_NAME By default, use $CLIENT_HOST or if it is not given,
29 $HOSTNAME. If the cert already exists on the server,
30 with the CLIENT_NAME name, we use the existing one. See
31 comment below if we ever want to check existing common
32 names. They must be unique per server, so you can use
33 $(uuidgen) if needed. You used to be able to create
34 multiple with the same name, but not connect at the
35 same time, but now, the generator keeps track, so you
36 can't generate.
37
38 -c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST.
39 -f Force. Proceed even if cert already exists.
40 -n CONFIG_NAME default is client
41 -o SERVER_CONFIG_NAME Default is CONFIG_NAME
42 -s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path
43 on client, if client is not localhost.
44
45 Generate a client cert and config and install it on locally or on
46 CLIENT_HOST if given. Uses default config options, and expects be able
47 to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
48 localhost, just to sudo this script as root.
49
50
51
52
53 Note: Uses GNU getopt options parsing style
54 EOF
55 exit ${1:-0}
56 }
57
58 # to get the common name
59 # cn=$(s openssl x509 -noout -nameopt multiline -subject \
60 # -in /etc/openvpn/client/mail.crt | \
61 # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
62
63
64 ####### begin command line parsing and checking ##############
65
66 shell="bash -c"
67 name=client
68 custom_script=false
69 script=/etc/openvpn/update-resolv-conf
70 client_host=$CLIENT_HOST
71 force=false
72
73 temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1
74 eval set -- "$temp"
75 while true; do
76 case $1 in
77 -b) common_name="$2"; shift 2 ;;
78 -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
79 -f) force=true; shift ;;
80 -n) name="$2"; shift 2 ;;
81 -o) server_name="$2"; shift 2 ;;
82 -s) custom_script=true; script="$2"; shift 2 ;;
83 -h|--help) usage ;;
84 --) shift; break ;;
85 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
86 esac
87 done
88
89 if [[ ! $server_name ]]; then
90 server_name="$name"
91 fi
92
93 if [[ ! $common_name ]]; then
94 if [[ $client_host ]]; then
95 common_name=$client_host
96 else
97 common_name=$HOSTNAME
98 fi
99 fi
100
101 host=$1
102 [[ $host ]] || usage 1
103
104 ####### end command line parsing and checking ##############
105
106
107 f=/etc/openvpn/client/$name.crt
108
109 cert_to_test=$f
110 if [[ $client_host ]]; then
111 cert_to_test=$(mktemp)
112 ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
113 fi
114 if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
115 echo "$0: cert already exists. exiting early"
116 exit 0
117 fi
118
119
120 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
121 $shell '[[ -e /etc/openvpn ]] || apt install openvpn'
122 if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
123 | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
124 echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
125 ssh root@$host cat /tmp/vpn-mk-client-cert.log
126 echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
127 exit 1
128 fi
129
130 port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
131
132
133 if ! $shell "test -s $f"; then
134 # if common name is not unique, you get empty file. and if we didn't silence
135 # build-key, you'd see an error "TXT_DB error number 2"
136 echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
137 exit 1
138 fi
139
140 $shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
141 # From example config, from debian stretch to buster
142 client
143 dev tun
144 proto udp
145 remote $host $port
146 resolv-retry infinite
147 nobind
148 persist-key
149 persist-tun
150 ca ca-$name.crt
151 cert $name.crt
152 key $name.key
153 # disabled for better performance
154 #comp-lzo
155 verb 3
156
157 # matching server config
158 cipher AES-256-CBC
159
160 # example config has the commented line, but this other thing looks stronger,
161 # and I've seen it in a vpn provider I trust
162 # ns-cert-type server
163 remote-cert-tls server
164
165 # more resilient when running as nonroot
166 persist-key
167
168 # See comments in server side configuration.
169 # The minimum of the client & server config is what is used by openvpn.
170 reneg-sec 432000
171
172 tls-auth ta-$name.key 1
173 EOF
174
175 if [[ $script ]]; then
176 $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
177 # This script will update local dns
178 # to what the server sends, if it sends dns.
179 script-security 2
180 up "$script"
181 down "$script"
182 EOF
183
184 if [[ $client_host ]] && $custom_script; then
185 $shell "dd of=$script" <$script
186 $shell "chmod +x $script"
187 fi
188 fi
189
190 $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
Setup openvpn client & server