X-Git-Url: https://iankelling.org/git/?p=vpn-setup;a=blobdiff_plain;f=vpn-mk-client-cert;h=1aa9b4166aca033059b65b25328c829a68677b15;hp=a3ea21f87f6128ab1a2fb4fe9bf5a0dbf0ffb5ed;hb=HEAD;hpb=727a80d387c2cdd395e77e5bfcd1fbf04bf34e3f diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert index a3ea21f..7bad544 100755 --- a/vpn-mk-client-cert +++ b/vpn-mk-client-cert @@ -1,5 +1,12 @@ #!/bin/bash -# Copyright (C) 2016 Ian Kelling +# I, Ian Kelling, follow the GNU license recommendations at +# https://www.gnu.org/licenses/license-recommendations.en.html. They +# recommend that small programs, < 300 lines, be licensed under the +# Apache License 2.0. This file contains or is part of one or more small +# programs. If a small program grows beyond 300 lines, I plan to switch +# its license to GPL. + +# Copyright 2024 Ian Kelling # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,56 +20,216 @@ # See the License for the specific language governing permissions and # limitations under the License. -# usage: $0 SERVER_HOST [DEST_HOST] -# ssh to SERVER_HOST, create a cert & client config, put it on -# DEST_HOST, or localhost by default. Assumes server was setup -# by the other script in this dir. set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +readonly this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" +this_dir="${this_file%/*}" + + usage() { - cat <<'EOF' -usage: ${0##*/} VPN_SERVER_HOST [CLIENT_HOST] + cat <<'EOF' +usage: ${0##*/} VPN_SERVER_HOST + +-b COMMON_NAME By default, use $CLIENT_HOST or if it is not given, + $HOSTNAME. If the cert already exists on the server, + with the CLIENT_NAME name, we use the existing one. See + comment below if we ever want to check existing common + names. They must be unique per server, so you can use + $(uuidgen) if needed. You used to be able to create + multiple with the same name, but not connect at the + same time, but now, the generator keeps track, so you + can't generate. + +-c CLIENT_HOST Default is localhost. Else we ssh to root@CLIENT_HOST. +-f Force. Proceed even if cert already exists. +-n CONFIG_NAME default is client +-o SERVER_CONFIG_NAME Default is CONFIG_NAME +-r Install certs to the current directory instead of /etc/openvpn/client +-s SCRIPT_PATH Use custom up/down script at SCRIPT_PATH. If client host is + not localhost, the script is copied to it. The default + script used to be /etc/openvpn/update-resolv-conf, but now + that systemd-resolved is becoming popular, there is no default. + +Environment variable: SSH_CONFIG_FILE_OVERRIDE Generate a client cert and config and install it on locally or on CLIENT_HOST if given. Uses default config options, and expects be able -to ssh to VPN_SERVER_HOST and CLIENT_HOST. +to ssh to VPN_SERVER_HOST and CLIENT_HOST as root, or if CLIENT_HOST is +localhost, just to sudo this script as root. + + + + +Note: Uses GNU getopt options parsing style EOF - exit ${1:-0} + exit ${1:-0} } -case $1 in - -h|--help|*) usage 0 ;; -esac +# to get the common name +# cn=$(s openssl x509 -noout -nameopt multiline -subject \ + # -in /etc/openvpn/client/mail.crt | \ + # sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p') -(($# <= 2)) || usage 1 -host=$1 +####### begin command line parsing and checking ############## + shell="bash -c" -if [[ $2 ]]; then - shell="ssh $2" +name=client +client_host=$CLIENT_HOST +force=false +rel=false +if [[ $SSH_CONFIG_FILE_OVERRIDE ]]; then + ssh_arg="-F $SSH_CONFIG_FILE_OVERRIDE" fi -# bash or else we get motd spam. note sleep 2, sleep 1 failed. -ssh $host bash </dev/null +temp=$(getopt -l help hb:c:fn:o:rs: "$@") || usage 1 +eval set -- "$temp" +while true; do + case $1 in + -b) common_name="$2"; shift 2 ;; + -c) client_host=$2; shell="ssh $ssh_arg root@$client_host"; shift 2 ;; + -f) force=true; shift ;; + -n) name="$2"; shift 2 ;; + -o) server_name="$2"; shift 2 ;; + -r) rel=true; shift ;; + -s) script="$2"; shift 2 ;; + -h|--help) usage ;; + --) shift; break ;; + *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;; + esac +done + +if [[ $client_host ]] && $rel; then + echo "$0: error client_host and -r specified. use one or the other" + exit 1 +fi + + +if [[ ! $server_name ]]; then + server_name="$name" +fi + +if [[ ! $common_name ]]; then + if [[ $client_host ]]; then + common_name=$client_host + else + common_name=$HOSTNAME + fi +fi + +host=$1 +[[ $host ]] || usage 1 -# uuidgen because common name must be unique -{ echo -e '\n\n\n\n\n'\$(uuidgen)'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key client &>/dev/null +####### end command line parsing and checking ############## -d=\$(mktemp -d) -cp /etc/openvpn/easy-rsa/keys/ca.crt \ - /etc/openvpn/update-resolv-conf \ - /usr/share/doc/openvpn/examples/sample-config-files/client.conf \$d -mv /etc/openvpn/easy-rsa/keys/client.{crt,key} \$d -sed -i --follow-symlinks "s/^remote .*/remote $host 1194/" \$d/client.conf +if $rel; then + f=$name.crt + keydir=. +else + f=/etc/openvpn/client/$name.crt + keydir=/etc/openvpn/client +fi + + +if ! $force; then + cert_to_test=$f + if [[ $client_host ]]; then + cert_to_test=$(mktemp) + ssh $ssh_arg root@$client_host cat $f 2>/dev/null >$cert_to_test ||: + fi + if openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in $cert_to_test &>/dev/null; then + if [[ $client_host ]]; then + prefix="$shell" + fi + if $prefix test -s $keydir/ta-$name.key -a -s $keydir/ca-$name.crt; then + echo "$0: cert already exists. exiting early" + exit 0 + fi + fi +fi + +port=$(echo '/^port/ {print $2}' | ssh $ssh_arg root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1) + +$shell "dd of=$keydir/$name.conf" <