#!/bin/bash # Copyright (C) 2016 Ian Kelling # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # http://www.apache.org/licenses/LICENSE-2.0 # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd "${this_file%/*}" usage() { cat <<'EOF' usage: ${0##*/} VPN_SERVER_HOST -b COMMON_NAME By default, use $HOSTNAME or $CLIENT_HOST. If the cert already exists on the server, with the CLIENT_NAME name, we use the existing one. See comment below if we ever want to check existing common names. They must be unique per server, so you can use $(uuidgen) if needed. You used to be able to create multiple with the same name, but not connect at the same time, but now, the generator keeps track, so you can't generate. -c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST -n CONFIG_NAME default is client -s SCRIPT_PATH Use custom up/down script at PATH, copied to same path on client. Generate a client cert and config and install it on locally or on CLIENT_HOST if given. Uses default config options, and expects be able to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is localhost, just to sudo this script as root. Note: Uses GNU getopt options parsing style EOF exit ${1:-0} } # to get the common name # cn=$(s openssl x509 -noout -nameopt multiline -subject \ # -in /etc/openvpn/client/mail.crt | \ # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p') ####### begin command line parsing and checking ############## shell="bash -c" name=client custom_script=false script=/etc/openvpn/update-resolv-conf client_host=$CLIENT_HOST temp=$(getopt -l help hb:c:n:s: "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -b) common_name="$2"; shift 2 ;; -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;; -n) name="$2"; shift 2 ;; -s) custom_script=true; script="$2"; shift 2 ;; -h|--help) usage ;; --) shift; break ;; *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; esac done if [[ ! $common_name ]]; then if [[ $client_host ]]; then common_name=$client_host else common_name=$HOSTNAME fi fi host=$1 [[ $host ]] || usage 1 ####### end command line parsing and checking ############## # bash or else we get motd spam. note sleep 2, sleep 1 failed. if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \ | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then echo ssh root@$host cat /tmp/vpn-mk-client-cert.log: ssh root@$host cat /tmp/vpn-mk-client-cert.log exit 1 fi f=/etc/openvpn/client/$name.crt if ! $shell "test -s $f"; then # if common name is not unique, you get empty file. and if we didn't silence # build-key, you'd see an error "TXT_DB error number 2" echo "$0: error: $f is empty or otherwise bad. is this common name unique?" exit 1 fi $shell "dd of=/etc/openvpn/client/$name.conf" <