update config even if we already have cert

[vpn-setup] / vpn-mk-client-cert

#!/bin/bash
# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}"


usage() {
  cat <<'EOF'
usage: ${0##*/} VPN_SERVER_HOST

-b COMMON_NAME   By default, use $CLIENT_HOST or if it is not given,
                 $HOSTNAME. If the cert already exists on the server,
                 with the CLIENT_NAME name, we use the existing one. See
                 comment below if we ever want to check existing common
                 names. They must be unique per server, so you can use
                 $(uuidgen) if needed. You used to be able to create
                 multiple with the same name, but not connect at the
                 same time, but now, the generator keeps track, so you
                 can't generate.

-c CLIENT_HOST   Default is localhost. Else we ssh to root@CLIENT_HOST.
-f               Force. Proceed even if cert already exists.
-n CONFIG_NAME   default is client
-o SERVER_CONFIG_NAME  Default is CONFIG_NAME
-s SCRIPT_PATH   Use custom up/down script at SCRIPT_PATH. If client host is
                 not localhost, the script is copied to it. The default
                 script used to be /etc/openvpn/update-resolv-conf, but now
                 that systemd-resolved is becoming popular, there is no default.

Generate a client cert and config and install it on locally or on
CLIENT_HOST if given.  Uses default config options, and expects be able
to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
localhost, just to sudo this script as root.




Note: Uses GNU getopt options parsing style
EOF
  exit ${1:-0}
}

# to get the common name
# cn=$(s openssl x509 -noout -nameopt multiline -subject \
  #        -in /etc/openvpn/client/mail.crt | \
  #          sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')


####### begin command line parsing and checking ##############

shell="bash -c"
name=client
client_host=$CLIENT_HOST
force=false

temp=$(getopt -l help hb:c:fn:o:s: "$@") || usage 1
eval set -- "$temp"
while true; do
  case $1 in
    -b) common_name="$2"; shift 2 ;;
    -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
    -f) force=true; shift ;;
    -n) name="$2"; shift 2 ;;
    -o) server_name="$2"; shift 2 ;;
    -s) script="$2"; shift 2 ;;
    -h|--help) usage ;;
    --) shift; break ;;
    *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
  esac
done

if [[ ! $server_name ]]; then
  server_name="$name"
fi

if [[ ! $common_name ]]; then
  if [[ $client_host ]]; then
    common_name=$client_host
  else
    common_name=$HOSTNAME
  fi
fi

host=$1
[[ $host ]] || usage 1

####### end command line parsing and checking ##############


f=/etc/openvpn/client/$name.crt

$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
# From example config, from debian stretch to buster
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
# persist-tun was here, but if the vpn goes down this makes
# the whole thing get stuck if the vpn is our default route
# unless we set a special route out just for the vpn.
# todo: investigate.
ca ca-$name.crt
cert $name.crt
key $name.key
# disabled for better performance
#comp-lzo
verb 3

# matching server config
cipher AES-256-CBC

# example config has the commented line, but this other thing looks stronger,
# and I've seen it in a vpn provider I trust
# ns-cert-type server
remote-cert-tls server

# more resilient when running as nonroot
persist-key

# See comments in server side configuration.
# The minimum of the client & server config is what is used by openvpn.
reneg-sec 432000

tls-auth ta-$name.key 1
EOF

if [[ $script ]]; then
  $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
script-security 2
up "$script"
down "$script"
EOF

  if [[ $client_host && $script ]]; then
    $shell "dd of=$script" <$script
    $shell "chmod +x $script"
  fi
fi

$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'


cert_to_test=$f
if [[ $client_host ]]; then
  cert_to_test=$(mktemp)
  ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
fi
if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
  echo "$0: cert already exists. exiting early"
  exit 0
fi


# bash or else we get motd spam. note sleep 2, sleep 1 failed.
$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
    |  $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
  echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
  ssh root@$host cat /tmp/vpn-mk-client-cert.log
  echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
  exit 1
fi

port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)


if ! $shell "test -s $f"; then
  # if common name is not unique, you get empty file. and if we didn't silence
  # build-key, you'd see an error "TXT_DB error number 2"
  echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
  exit 1
fi