support buster
diff --git a/client-cert-helper b/client-cert-helper
new file mode 100755 (executable)
index 0000000..aedc4cd
--- /dev/null
@@ -0,0 +1,58 @@
+#!/bin/bash
+set -eE -o pipefail
+
+rm -f /tmp/vpn-mk-client-cert.log
+exec 2>/tmp/vpn-mk-client-cert.log
+
+name=$1
+common_name=$2
+
+echo common_name=$common_name >&2
+
+server_dir=/etc/openvpn
+if [[ -e /etc/openvpn/server ]]; then
+  server_dir=/etc/openvpn/server
+fi
+
+cafile=$server_dir/ca.crt
+
+new=true
+keyfiles=(/etc/openvpn/easy-rsa/pki/{issued/$common_name.crt,private/$common_name.key})
+if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
+  new=false
+  keyfiles=(/etc/openvpn/easy-rsa/keys/$name.{crt,key})
+fi
+
+if [[ ! -e $cafile ]]; then
+  echo: error no cafile found at $cafile >/tmp/errors
+  exit 1
+fi
+
+exists=true
+for x in ${keyfiles[@]}; do
+  if [[ ! -e $x ]]; then
+    exists=false
+    break
+  fi
+done
+
+
+if ! $exists; then
+  cd /etc/openvpn/easy-rsa
+  if $new; then
+    ./easyrsa build-client-full $common_name nopass >/dev/null
+  else
+    source vars >/dev/null
+
+    { echo -e '\n\n\n\n\n'$common_name'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name >/dev/null
+  fi
+fi
+
+d=$(mktemp -d)
+cp $cafile $d/$name-ca.crt
+cp ${keyfiles[@]} $d
+
+cp $server_dir/ta.key $d/$name-ta.key
+
+tar cz -C $d .
+rm -rf $d
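Review bot: The missing-CA error path on the `echo:` line never writes its message: `echo:` is not a command, so bash reports "command not found" into the log and `/tmp/errors` is created empty before `exit 1`; it should read `printf 'error: no cafile found at %s\n' "$cafile" >/tmp/errors`. The temp dir from `d=$(mktemp -d)` receives the client's private key but is removed only on the success path, so under `set -e` any failing `cp` (for example a missing `$server_dir/ta.key`) leaves the key material on disk — add `trap 'rm -rf -- "$d"' EXIT` immediately after the `mktemp` line. `$name` and `$common_name` are taken straight from argv and used unquoted both as path components under /etc/openvpn/easy-rsa and as arguments to `easyrsa`/`build-key`, so a value containing `/`, whitespace or a glob changes which files are read and written; quote every expansion (`"${keyfiles[@]}"`, `"$d/$name-ca.crt"`, `./easyrsa build-client-full "$common_name" nopass`) and reject names that are not `[A-Za-z0-9._-]+` up front. The fixed log path `/tmp/vpn-mk-client-cert.log` is a predictable name in a shared, world-writable directory for a script that presumably runs as root (it writes under /etc/openvpn); a `mktemp`-created file or a path under /var/log would avoid the shared-tmp hazards.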