usage() {
cat <<EOF
-usage: ${0##*/} VPN_SERVER_HOST [CLIENT_HOST]
+usage: ${0##*/} VPN_SERVER_HOST
+
+-c CLIENT_HOST default is localhost
+-n CONFIG_NAME default is client
Generate a client cert and config and install it on locally or on
CLIENT_HOST if given. Uses default config options, and expects be able
exit ${1:-0}
}
-case $1 in
- -h|--help) usage 0 ;;
-esac
-
-(($# <= 1)) || usage 1
-
-host=$1
shell="bash -c"
-if [[ $2 ]]; then
- shell="ssh $2"
-fi
+name=client
+
+temp=$(getopt -l help hc:n: "$@") || usage 1
+eval set -- "$temp"
+while true; do
+ case $1 in
+ -c) shell="ssh $2"; shift 2 ;;
+ -n) name="$2"; shift 2 ;;
+ -h|--help) usage ;;
+ --) shift; break ;;
+ *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+ esac
+done
+host=$1
+[[ $host ]] || usage 1
# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn'
+ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
set -eE -o pipefail
cd /etc/openvpn/easy-rsa
source vars >/dev/null
# uuidgen because common name must be unique
-{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key client &>/dev/null
+{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
d=\$(mktemp -d)
-cp /etc/openvpn/easy-rsa/keys/ca.crt \
- /etc/openvpn/update-resolv-conf \
- /usr/share/doc/openvpn/examples/sample-config-files/client.conf \$d
-mv /etc/openvpn/easy-rsa/keys/client.{crt,key} \$d
-
-sed -i --follow-symlinks "s/^remote .*/remote $host 1194/" \$d/client.conf
+cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
+mv /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
tar cz -C \$d .
rm -rf \$d
EOF
+
+cat > /etc/openvpn/client/$name.conf <<EOF
+# From example config, from debian stretch as of 1-2017
+client
+dev tun
+proto udp
+remote $host 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca $name-ca.crt
+cert $name.crt
+key $name.key
+# disabled for better performance
+#comp-lzo
+verb 3
+
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+
+# matching server config
+cipher aes-256-cbc
+
+
+# example config has the commented line, but this other thing looks stronger,
+# and I've seen it in a vpn provider I trust
+# ns-cert-type server
+remote-cert-tls server
+
+# more resilient when running as nonroot
+persist-key
+EOF