# See the License for the specific language governing permissions and
# limitations under the License.
-# usage: $0 SERVER_HOST [DEST_HOST]
-# ssh to SERVER_HOST, create a cert & client config, put it on
-# DEST_HOST, or localhost by default. Assumes server was setup
-# by the other script in this dir.
-
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
usage() {
- cat <<'EOF'
-usage: ${0##*/} VPN_SERVER_HOST [CLIENT_HOST]
+ cat <<EOF
+usage: ${0##*/} VPN_SERVER_HOST
+
+-b COMMON_NAME By default, use CONFIG_NAME. If the cert already exists
+ on the server, with the CLIENT_NAME name, we use the
+ existing one. See comment below if we ever want to
+ check existing common names. They must be unique per
+ server, so you can use $(uuidgen) if needed. You used
+ to be able to create multiple with the same name, but
+ not connect at the same time, but now, the generator
+ keeps track, so you can't generate.
+-c CLIENT_HOST default is localhost. Else we ssh to root@CLIENT_HOST
+-n CONFIG_NAME default is client
Generate a client cert and config and install it on locally or on
CLIENT_HOST if given. Uses default config options, and expects be able
-to ssh to VPN_SERVER_HOST and CLIENT_HOST.
+to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is
+localhost, just to sudo this script as root.
+
+
+
+
+Note: Uses GNU getopt options parsing style
EOF
exit ${1:-0}
}
-case $1 in
- -h|--help|*) usage 0 ;;
-esac
+# to get the common name
+# cn=$(s openssl x509 -noout -nameopt multiline -subject \
+ # -in /etc/openvpn/client/mail.crt | \
+ # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
-(($# <= 2)) || usage 1
-host=$1
shell="bash -c"
-if [[ $2 ]]; then
- shell="ssh $2"
-fi
+name=client
+
+temp=$(getopt -l help hb:c:n: "$@") || usage 1
+eval set -- "$temp"
+while true; do
+ case $1 in
+ -b) common_name="$2"; shift 2 ;;
+ -c) shell="ssh root@$2"; shift 2 ;;
+ -n) name="$2"; shift 2 ;;
+ -h|--help) usage ;;
+ --) shift; break ;;
+ *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+ esac
+done
+
+if [[ ! $common_name ]]; then common_name=$name; fi
+
+host=$1
+[[ $host ]] || usage 1
# bash or else we get motd spam. note sleep 2, sleep 1 failed.
-ssh $host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn'
+ssh root@$host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
set -eE -o pipefail
-cd /etc/openvpn/easy-rsa
-source vars >/dev/null
-# uuidgen because common name must be unique
-{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key client &>/dev/null
+exists=true
+for x in /etc/openvpn/easy-rsa/keys/{$name.{crt,key},ca.crt}; do
+ if [[ ! -e \$x ]]; then
+ exists=false
+ break
+ fi
+done
-d=\$(mktemp -d)
-cp /etc/openvpn/easy-rsa/keys/ca.crt \
- /etc/openvpn/update-resolv-conf \
- /usr/share/doc/openvpn/examples/sample-config-files/client.conf \$d
-mv /etc/openvpn/easy-rsa/keys/client.{crt,key} \$d
+if ! \$exists; then
+ cd /etc/openvpn/easy-rsa
+ source vars >/dev/null
+
+ { echo -e '\n\n\n\n\n'$common_name'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key $name &>/dev/null
+fi
-sed -i --follow-symlinks "s/^remote .*/remote $host 1194/" \$d/client.conf
+d=\$(mktemp -d)
+cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
+cp /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
tar cz -C \$d .
rm -rf \$d
EOF
+
+f=/etc/openvpn/client/$name.crt
+if [[ ! -s $f ]]; then
+ echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
+ exit 1
+fi
+
+$shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
+# From example config, from debian stretch as of 1-2017
+client
+dev tun
+proto udp
+remote $host 1194
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+ca $name-ca.crt
+cert $name.crt
+key $name.key
+# disabled for better performance
+#comp-lzo
+verb 3
+
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up /etc/openvpn/update-resolv-conf
+down /etc/openvpn/update-resolv-conf
+
+# matching server config
+cipher aes-256-cbc
+
+
+# example config has the commented line, but this other thing looks stronger,
+# and I've seen it in a vpn provider I trust
+# ns-cert-type server
+remote-cert-tls server
+
+# more resilient when running as nonroot
+persist-key
+
+# see comments in server side configuration.
+# the minimum of the 2 is used.
+reneg-sec 2592000
+EOF