[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+
usage() {
cat <<EOF
usage: ${0##*/} VPN_SERVER_HOST
--b COMMON_NAME By default, use CONFIG_NAME. If the cert already exists
- on the server, with the CLIENT_NAME name, we use the
- existing one. See comment below if we ever want to
- check existing common names. They must be unique per
- server, so you can use $(uuidgen) if needed. You used
- to be able to create multiple with the same name, but
- not connect at the same time, but now, the generator
- keeps track, so you can't generate.
+-b COMMON_NAME By default, use $HOSTNAME or $CLIENT_HOST. If the cert
+ already exists on the server, with the CLIENT_NAME
+ name, we use the existing one. See comment below if we
+ ever want to check existing common names. They must be
+ unique per server, so you can use $(uuidgen) if
+ needed. You used to be able to create multiple with the
+ same name, but not connect at the same time, but now,
+ the generator keeps track, so you can't generate.
-c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST
-n CONFIG_NAME default is client
+-s SCRIPT_PATH Use custom up/down script at PATH, copied to same path
+ on client.
Generate a client cert and config and install it on locally or on
CLIENT_HOST if given. Uses default config options, and expects be able
# sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
+####### begin command line parsing and checking ##############
+
shell="bash -c"
name=client
+custom_script=false
+script=/etc/openvpn/update-resolv-conf
-temp=$(getopt -l help hb:c:n: "$@") || usage 1
+temp=$(getopt -l help hb:c:n:s: "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-b) common_name="$2"; shift 2 ;;
- -c) shell="ssh root@$2"; shift 2 ;;
+ -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
-n) name="$2"; shift 2 ;;
+ -s) custom_script=true; script="$2"; shift 2 ;;
-h|--help) usage ;;
--) shift; break ;;
*) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
esac
done
-if [[ ! $common_name ]]; then common_name=$name; fi
+if [[ ! $common_name ]]; then
+ if [[ $client_host ]]; then
+ common_name=$client_host
+ else
+ common_name=$HOSTNAME
+ fi
+fi
host=$1
[[ $host ]] || usage 1
+####### end command line parsing and checking ##############
+
+
# bash or else we get motd spam. note sleep 2, sleep 1 failed.
ssh root@$host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
set -eE -o pipefail
+server_dir=/etc/openvpn
+if [[ -e /etc/openvpn/server ]]; then
+ server_dir=/etc/openvpn/server
+fi
+
exists=true
for x in /etc/openvpn/easy-rsa/keys/{$name.{crt,key},ca.crt}; do
if [[ ! -e \$x ]]; then
cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
cp /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
+cp \$server_dir/ta.key \$d/$name-ta.key
+
tar cz -C \$d .
rm -rf \$d
EOF
f=/etc/openvpn/client/$name.crt
-if [[ ! -s $f ]]; then
+if ! $shell "test -s $f"; then
+ # if common name is not unique, you get empty file. and if we didn't silence
+ # build-key, you'd see an error "TXT_DB error number 2"
echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
exit 1
fi
# This script will update local dns
# to what the server sends, if it sends dns.
script-security 2
-up /etc/openvpn/update-resolv-conf
-down /etc/openvpn/update-resolv-conf
+up $script
+down $script
# matching server config
-cipher aes-256-cbc
+cipher AES-256-CBC
# example config has the commented line, but this other thing looks stronger,
# more resilient when running as nonroot
persist-key
-# see comments in server side configuration.
-# the minimum of the 2 is used.
-reneg-sec 2592000
+# See comments in server side configuration.
+# The minimum of the client & server config is what is used by openvpn.
+reneg-sec 432000
+
+tls-auth $name-ta.key 1
EOF
+
+if [[ $client_host ]] && $custom_script; then
+ $shell "dd of=$script" <$script
+ $shell "chmod +x $script"
+fi
+
+$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'