2 # I, Ian Kelling, follow the GNU license recommendations at
3 # https://www.gnu.org/licenses/license-recommendations.en.html. They
4 # recommend that small programs, < 300 lines, be licensed under the
5 # Apache License 2.0. This file contains or is part of one or more small
6 # programs. If a small program grows beyond 300 lines, I plan to switch
9 # Copyright 2024 Ian Kelling
11 # Licensed under the Apache License, Version 2.0 (the "License");
12 # you may not use this file except in compliance with the License.
13 # You may obtain a copy of the License at
15 # http://www.apache.org/licenses/LICENSE-2.0
17 # Unless required by applicable law or agreed to in writing, software
18 # distributed under the License is distributed on an "AS IS" BASIS,
19 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 # See the License for the specific language governing permissions and
21 # limitations under the License.
25 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
27 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
29 readonly this_file
="$(readlink -f -- "${BASH_SOURCE[0]}")"
30 this_dir
="${this_file%/*}"
35 usage: ${0##*/} VPN_SERVER_HOST
37 -b COMMON_NAME By default, use $CLIENT_HOST or if it is not given,
38 $HOSTNAME. If the cert already exists on the server,
39 with the CLIENT_NAME name, we use the existing one. See
40 comment below if we ever want to check existing common
41 names. They must be unique per server, so you can use
42 $(uuidgen) if needed. You used to be able to create
43 multiple with the same name, but not connect at the
44 same time, but now, the generator keeps track, so you
47 -c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST.
48 -f Force. Proceed even if cert already exists.
49 -n CONFIG_NAME default is client
50 -o SERVER_CONFIG_NAME Default is CONFIG_NAME
51 -r Install certs to the current directory instead of /etc/openvpn/client
52 -s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is
53 not localhost, the script is copied to it. The default
54 script used to be /etc/openvpn/update-resolv-conf, but now
55 that systemd-resolved is becoming popular, there is no default.
57 Environment variable: SSH_CONFIG_FILE_OVERRIDE
59 Generate a client cert and config and install it on locally or on
60 CLIENT_HOST if given. Uses default config options, and expects be able
61 to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
62 localhost, just to sudo this script as root.
67 Note: Uses GNU getopt options parsing style
72 # to get the common name
73 # cn=$(s openssl x509 -noout -nameopt multiline -subject \
74 # -in /etc/openvpn/client/mail.crt | \
75 # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
78 ####### begin command line parsing and checking ##############
82 client_host
=$CLIENT_HOST
85 if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then
86 ssh_arg
="-F $SSH_CONFIG_FILE_OVERRIDE"
89 temp
=$
(getopt
-l help hb
:c
:fn
:o
:rs
: "$@") || usage
1
93 -b) common_name
="$2"; shift 2 ;;
94 -c) client_host
=$2; shell
="ssh $ssh_arg root@$client_host"; shift 2 ;;
95 -f) force
=true
; shift ;;
96 -n) name
="$2"; shift 2 ;;
97 -o) server_name
="$2"; shift 2 ;;
98 -r) rel
=true
; shift ;;
99 -s) script="$2"; shift 2 ;;
102 *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
106 if [[ $client_host ]] && $rel; then
107 echo "$0: error client_host and -r specified. use one or the other"
112 if [[ ! $server_name ]]; then
116 if [[ ! $common_name ]]; then
117 if [[ $client_host ]]; then
118 common_name
=$client_host
120 common_name
=$HOSTNAME
125 [[ $host ]] || usage
1
127 ####### end command line parsing and checking ##############
134 f
=/etc
/openvpn
/client
/$name.crt
135 keydir
=/etc
/openvpn
/client
141 if [[ $client_host ]]; then
142 cert_to_test
=$
(mktemp
)
143 ssh $ssh_arg root@
$client_host cat $f 2>/dev
/null
>$cert_to_test ||
:
145 if openssl x509
-checkend $
(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev
/null
; then
146 if [[ $client_host ]]; then
149 if $prefix test -s $keydir/ta-
$name.key
-a -s $keydir/ca-
$name.crt
; then
150 echo "$0: cert already exists. exiting early"
156 port
=$
(echo '/^port/ {print $2}' |
ssh $ssh_arg root@
$host awk -f - /etc
/openvpn
/server
/$name.conf |
tail -n1)
158 $shell "dd of=$keydir/$name.conf" <<EOF
159 # From example config, from debian stretch to buster
164 resolv-retry infinite
167 # persist-tun was here, but if the vpn goes down this makes
168 # the whole thing get stuck if the vpn is our default route
169 # unless we set a special route out just for the vpn.
174 # disabled for better performance
178 # matching server config
181 # example config has the commented line, but this other thing looks stronger,
182 # and I've seen it in a vpn provider I trust
183 # ns-cert-type server
184 remote-cert-tls server
186 # more resilient when running as nonroot
189 # See comments in server side configuration.
190 # The minimum of the client & server config is what is used by openvpn.
193 tls-auth ta-$name.key 1
196 if [[ $script ]]; then
197 $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
203 if [[ $client_host && $script ]]; then
204 $shell "dd of=$script" <$script
205 $shell "chmod +x $script"
210 $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
217 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
218 $shell '[[ -e /etc/openvpn ]] || apt install openvpn'
219 hostssh
="ssh $arg root@$host"
220 if ! $hostssh bash
-s -- $server_name $common_name < $this_dir/client-cert-helper \
221 |
$shell "id -u | grep -xF 0 || s=sudo; \$s tar xzv $dirarg"; then
222 echo $hostssh cat /tmp
/vpn-mk-client-cert.log
:
223 $hostssh cat /tmp
/vpn-mk-client-cert.log
224 echo EOF
for root@
$host:/tmp
/vpn-mk-client-cert.log
230 if ! $shell "test -s $f"; then
231 # if common name is not unique, you get empty file. and if we didn't silence
232 # build-key, you'd see an error "TXT_DB error number 2"
233 echo "$0: error: $f is empty or otherwise bad. is this common name unique?"