#!/bin/bash
-# Copyright (C) 2016 Ian Kelling
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# See the License for the specific language governing permissions and
# limitations under the License.
+
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-f Force. Proceed even if cert already exists.
-n CONFIG_NAME default is client
-o SERVER_CONFIG_NAME Default is CONFIG_NAME
--r Install certs to the current directory instead of /etc/openvpn
+-r Install certs to the current directory instead of /etc/openvpn/client
-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is
not localhost, the script is copied to it. The default
script used to be /etc/openvpn/update-resolv-conf, but now
keydir=/etc/openvpn/client
fi
-port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
+if ! $force; then
+ cert_to_test=$f
+ if [[ $client_host ]]; then
+ cert_to_test=$(mktemp)
+ ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+ fi
+ if openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+ if [[ $client_host ]]; then
+ prefix="$shell"
+ fi
+ if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
+ echo "$0: cert already exists. exiting early"
+ exit 0
+ fi
+ fi
+fi
+
+port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
$shell "dd of=$keydir/$name.conf" <<EOF
# From example config, from debian stretch to buster
$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
fi
-cert_to_test=$f
-if [[ $client_host ]]; then
- cert_to_test=$(mktemp)
- ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
-fi
-if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
- if [[ $client_host ]]; then
- prefix="$shell"
- fi
- if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then
- echo "$0: cert already exists. exiting early"
- fi
- exit 0
-fi
-
if ! $rel; then
dirarg="-C $keydir"
fi
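Review bot: The temp file from `cert_to_test=$(mktemp)` in the moved block is never removed, so every run against a remote client host leaves a copy of the fetched certificate behind in $TMPDIR; the removed block had the same leak, so the move preserves rather than fixes it, and the `exit 0` path makes a cleanup after the openssl check unreachable. A cleanup must only ever target the temp copy, never the real `$f`, so the safe place is inside the `[[ $client_host ]]` branch directly after the mktemp line: `trap 'rm -f -- "$cert_to_test"' EXIT`. Note also that `||:` on the `ssh ... cat $f` line means a transient ssh failure yields an empty temp file, the `-checkend` test then fails, and the script proceeds to regenerate a cert that may already be valid — worth a one-line comment stating that this fallback is intended. Unquoted `$f` and `$cert_to_test` on the same lines would also be flagged by ShellCheck (SC2086); quoting them changes nothing for the current paths.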