cat <<'EOF'
usage: ${0##*/} VPN_SERVER_HOST
--b COMMON_NAME By default, use $HOSTNAME or $CLIENT_HOST. If the cert
- already exists on the server, with the CLIENT_NAME
- name, we use the existing one. See comment below if we
- ever want to check existing common names. They must be
- unique per server, so you can use $(uuidgen) if
- needed. You used to be able to create multiple with the
- same name, but not connect at the same time, but now,
- the generator keeps track, so you can't generate.
--c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST
+-b COMMON_NAME By default, use $CLIENT_HOST or if it is not given,
+ $HOSTNAME. If the cert already exists on the server,
+ with the CLIENT_NAME name, we use the existing one. See
+ comment below if we ever want to check existing common
+ names. They must be unique per server, so you can use
+ $(uuidgen) if needed. You used to be able to create
+ multiple with the same name, but not connect at the
+ same time, but now, the generator keeps track, so you
+ can't generate.
+
+-c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST.
-n CONFIG_NAME default is client
-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. copied to same path
on client, if client is not localhost.
####### end command line parsing and checking ##############
-
# bash or else we get motd spam. note sleep 2, sleep 1 failed.
+$shell '[[ -e /etc/openvpn ]] || apt install openvpn'
if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \
| $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'; then
echo ssh root@$host cat /tmp/vpn-mk-client-cert.log:
exit 1
fi
+port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
+
f=/etc/openvpn/client/$name.crt
if ! $shell "test -s $f"; then
client
dev tun
proto udp
-remote $host 1194
+remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
-ca $name-ca.crt
+ca ca-$name.crt
cert $name.crt
key $name.key
# disabled for better performance
#comp-lzo
verb 3
-# This script will update local dns
-# to what the server sends, if it sends dns.
-script-security 2
-up "$script"
-down "$script"
-
# matching server config
cipher AES-256-CBC
# The minimum of the client & server config is what is used by openvpn.
reneg-sec 432000
-tls-auth $name-ta.key 1
+tls-auth ta-$name.key 1
EOF
-if [[ $client_host ]] && $custom_script; then
- $shell "dd of=$script" <$script
- $shell "chmod +x $script"
+if [[ $script ]]; then
+ $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up "$script"
+down "$script"
+EOF
+
+ if [[ $client_host ]] && $custom_script; then
+ $shell "dd of=$script" <$script
+ $shell "chmod +x $script"
+ fi
fi
$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
iankelling.org / git / vpn-setup / blobdiff