-f Force. Proceed even if cert already exists.
-n CONFIG_NAME default is client
-o SERVER_CONFIG_NAME Default is CONFIG_NAME
--s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path
- on client, if client is not localhost.
+-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is
+ not localhost, the script is copied to it. The default
+ script used to be /etc/openvpn/update-resolv-conf, but now
+ that systemd-resolved is becoming popular, there is no default.
Generate a client cert and config and install it on locally or on
CLIENT_HOST if given. Uses default config options, and expects be able
shell="bash -c"
name=client
-custom_script=false
-script=/etc/openvpn/update-resolv-conf
client_host=$CLIENT_HOST
force=false
-f) force=true; shift ;;
-n) name="$2"; shift 2 ;;
-o) server_name="$2"; shift 2 ;;
- -s) custom_script=true; script="$2"; shift 2 ;;
+ -s) script="$2"; shift 2 ;;
-h|--help) usage ;;
--) shift; break ;;
*) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
f=/etc/openvpn/client/$name.crt
-cert_to_test=$f
-if [[ $client_host ]]; then
- cert_to_test=$(mktemp)
- ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
-fi
-if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
- echo "$0: cert already exists. exiting early"
- exit 0
-fi
-
-
-# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
-if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
- | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
- echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
- ssh root@$host cat /tmp/vpn-mk-client-cert.log
- echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
- exit 1
-fi
-
-port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
-
-
-if ! $shell "test -s $f"; then
- # if common name is not unique, you get empty file. and if we didn't silence
- # build-key, you'd see an error "TXT_DB error number 2"
- echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
- exit 1
-fi
-
$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
# From example config, from debian stretch to buster
client
resolv-retry infinite
nobind
persist-key
-persist-tun
+# persist-tun was here, but if the vpn goes down this makes
+# the whole thing get stuck if the vpn is our default route
+# unless we set a special route out just for the vpn.
+# todo: investigate.
ca ca-$name.crt
cert $name.crt
key $name.key
if [[ $script ]]; then
$shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
-# This script will update local dns
-# to what the server sends, if it sends dns.
script-security 2
up "$script"
down "$script"
EOF
- if [[ $client_host ]] && $custom_script; then
+ if [[ $client_host && $script ]]; then
$shell "dd of=$script" <$script
$shell "chmod +x $script"
fi
fi
$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
+
+
+cert_to_test=$f
+if [[ $client_host ]]; then
+ cert_to_test=$(mktemp)
+ ssh root@$client_host cat $f 2>/dev/null >$cert_to_test ||:
+fi
+if ! $force && openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then
+ echo "$0: cert already exists. exiting early"
+ exit 0
+fi
+
+
+# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
+if ! ssh root@$host bash -s -- $server_name $common_name < client-cert-helper \
+ | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
+ echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
+ ssh root@$host cat /tmp/vpn-mk-client-cert.log
+ echo EOF for root@$host:/tmp/vpn-mk-client-cert.log
+ exit 1
+fi
+
+port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
+
+
+if ! $shell "test -s $f"; then
+ # if common name is not unique, you get empty file. and if we didn't silence
+ # build-key, you'd see an error "TXT_DB error number 2"
+ echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+ exit 1
+fi
iankelling.org / git / vpn-setup / blobdiff