From 1b488c8053cff1f09d025a20dc765a2079417eff Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Fri, 17 Apr 2020 19:15:17 -0400
Subject: [PATCH] update for multiple servers on one host

---
 client-cert-helper |  27 +++++++----
 vpn-mk-client-cert |  30 +++++++-----
 vpn-server-setup   | 117 +++++++++++++++++++++++++++++----------------
 3 files changed, 111 insertions(+), 63 deletions(-)

diff --git a/client-cert-helper b/client-cert-helper
index f5b35ac..a170813 100755
--- a/client-cert-helper
+++ b/client-cert-helper
@@ -16,14 +16,23 @@ if [[ -e /etc/openvpn/server ]]; then
   server_dir=/etc/openvpn/server
 fi
 
-cafile=$server_dir/ca.crt
+cafile=$server_dir/ca-$name.crt
 
+### begin section roughly copied from vpn-server-setup
+rsadir=/etc/openvpn/easy-rsa-$name
 new=true
-keyfiles=(/etc/openvpn/easy-rsa/pki/{issued/$common_name.crt,private/$common_name.key})
-if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
+keyfiles=(
+  $rsadir/pki/private/$common_name.key
+  $rsadir/pki/issued/$common_name.crt
+)
+if [[ -e /etc/openvpn/easy-rsa-$name/build-ca ]]; then
   new=false
-  keyfiles=(/etc/openvpn/easy-rsa/keys/$name.{crt,key})
+  keyfiles=(
+    $rsadir/keys/$common_name.key
+    $rsadir/keys/$common_name.crt
+  )
 fi
+### end section roughly copied from vpn-server-setup
 
 if [[ ! -e $cafile ]]; then
   echo: error no cafile found at $cafile >/tmp/errors
@@ -40,7 +49,7 @@ done
 
 
 if ! $exists; then
-  cd /etc/openvpn/easy-rsa
+  cd /etc/openvpn/easy-rsa-$name
   if $new; then
     ./easyrsa build-client-full $common_name nopass >/dev/null
   else
@@ -51,10 +60,10 @@ if ! $exists; then
 fi
 
 d=$(mktemp -d)
-cp $cafile $d/$name-ca.crt
-cp ${keyfiles[@]} $d
-
-cp $server_dir/ta.key $d/$name-ta.key
+cp $server_dir/ta-$name.key $cafile $d
+for f in ${keyfiles[@]}; do
+  cp $f $d/$name.${f##*.}
+done
 
 tar cz -C $d .
 rm -rf $d
diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index f4e5762..1aa9b41 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -101,6 +101,8 @@ if ! ssh root@$host bash -s -- $name $common_name < client-cert-helper \
   exit 1
 fi
 
+port=$(echo '/^port/ {print $2}' | ssh root@$host awk -f - /etc/openvpn/server/$name.conf | tail -n1)
+
 
 f=/etc/openvpn/client/$name.crt
 if ! $shell "test -s $f"; then
@@ -115,24 +117,18 @@ $shell "dd of=/etc/openvpn/client/$name.conf" <<EOF
 client
 dev tun
 proto udp
-remote $host 1194
+remote $host $port
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
-ca $name-ca.crt
+ca ca-$name.crt
 cert $name.crt
 key $name.key
 # disabled for better performance
 #comp-lzo
 verb 3
 
-# This script will update local dns
-# to what the server sends, if it sends dns.
-script-security 2
-up "$script"
-down "$script"
-
 # matching server config
 cipher AES-256-CBC
 
@@ -148,12 +144,22 @@ persist-key
 # The minimum of the client & server config is what is used by openvpn.
 reneg-sec 432000
 
-tls-auth $name-ta.key 1
+tls-auth ta-$name.key 1
 EOF
 
-if [[ $client_host ]] && $custom_script; then
-  $shell "dd of=$script" <$script
-  $shell "chmod +x $script"
+if [[ $script ]]; then
+  $shell "tee -a /etc/openvpn/client/$name.conf" <<EOF
+# This script will update local dns
+# to what the server sends, if it sends dns.
+script-security 2
+up "$script"
+down "$script"
+EOF
+
+  if [[ $client_host ]] && $custom_script; then
+    $shell "dd of=$script" <$script
+    $shell "chmod +x $script"
+  fi
 fi
 
 $shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
diff --git a/vpn-server-setup b/vpn-server-setup
index 1224ff2..0710dc8 100755
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -1,4 +1,4 @@
-#!/bin/bash -x
+#!/bin/bash
 # Copyright (C) 2016 Ian Kelling
 
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -21,10 +21,13 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 usage() {
   cat <<'EOF'
-usage: ${0##*/} [-d|-h|--help] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]
+usage: ${0##*/} [OPTIONS] [IPV6_ADDR/BITS IPV6_DEFAULT_ROUTE]
 
--r  Do not push default route
+-4  I prefix of range for ipv4, default 10.8.0
 -d  Do not push dns
+-n  Name. default = server. 2 servers on the same host need different names.
+-p  Port. default 1194
+-r  Do not push default route
 -s  Do not start openvpn
 -h --help print help
 
@@ -49,11 +52,16 @@ EOF
 dns=true
 route=true
 start=true
-temp=$(getopt -l help drsh "$@") || usage 1
+ip4=10.8.0
+name=server
+temp=$(getopt -l help 4:dn:p:rsh "$@") || usage 1
 eval set -- "$temp"
 while true; do
   case $1 in
+    -4) ip4=$2; shift 2 ;;
     -d) dns=false; shift ;;
+    -n) name=$2; shift 2 ;;
+    -p) port=$2; shift 2 ;;
     -r) route=false; shift ;;
     -s) start=false; shift ;;
     -h|--help) usage ;;
@@ -64,26 +72,18 @@ done
 
 read -r ip6 ip6route <<<"$@"
 
+source /a/bin/distro-functions/src/package-manager-abstractions
 
-apt-get update
-# suggests get's us openssl. policy-rc.d is to prevent install from starting services
-f=/usr/sbin/policy-rc.d;
-dd of=$f <<EOF
-#!/bin/sh
-exit 101
-EOF
-chmod +x $f;
-apt-get install --install-suggests -y openvpn
-rm $f
+pi-nostart openvpn openssl resolvconf easy-rsa uuid-runtime
 
 if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
-  vpn_service=openvpn-server@server
+  vpn_service=openvpn-server@$name
 else
-  vpn_service=openvpn@server
+  vpn_service=openvpn@$name
 fi
-apt-get install -y uuid-runtime easy-rsa
-mkdir -p /etc/openvpn/easy-rsa
-cd /etc/openvpn/easy-rsa
+rsadir=/etc/openvpn/easy-rsa-$name
+mkdir -p $rsadir
+cd $rsadir
 cp -r /usr/share/easy-rsa/* .
 if [[ -e openssl-1.0.0.cnf && ! -e openssl.cnf ]]; then
   # there's a debian bug about this.
@@ -93,13 +93,22 @@ fi
 server_dir=/etc/openvpn/server
 mkdir -p $server_dir
 chmod 700 $server_dir
+conf=$server_dir/$name.conf
 
 
 new=true
-keyfiles=(/etc/openvpn/easy-rsa/pki/{ca.crt,private/server.key,issued/server.crt})
+ca_origin=$rsadir/pki/ca.crt
+keyfiles=(
+  $rsadir/pki/private/$name.key
+  $rsadir/pki/issued/$name.crt
+)
 if [[ -e /etc/openvpn/easy-rsa/build-ca ]]; then
   new=false
-  keyfiles=(/etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key}})
+  ca_origin=$rsadir/ca.crt
+  keyfiles=(
+    $rsadir/keys/$name.key
+    $rsadir/keys/$name.crt
+  )
 fi
 
 keys_exist=true
@@ -110,14 +119,24 @@ for f in ${keyfiles[@]}; do
   fi
 done
 
+f=$server_dir/dh2048.pem
+if [[ ! -e $f ]]; then
+  openssl dhparam -out $f 2048
+fi
+
+f=$server_dir/ta-$name.key
+if [[ ! -e $f ]]; then
+  openvpn --genkey --secret $server_dir/ta-$name.key
+fi
+
+
 if ! $keys_exist; then
   # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
-  openvpn --genkey --secret $server_dir/ta.key
   if $new; then
+    echo 'set_var EASYRSA_NS_SUPPORT      "yes"' >vars
     ./easyrsa init-pki
     ./easyrsa --batch build-ca nopass
-    ./easyrsa build-server-full server nopass
-    openssl dhparam -out $server_dir/dh2048.pem 2048
+    ./easyrsa build-server-full $name nopass
   else
     # dun care about settning cert cn etc from the non-example values
     source vars
@@ -131,23 +150,23 @@ if ! $keys_exist; then
     # 'server' is the default name in our conf file for the name of the file
     # and I've seen no reason to change it.
     # Note, this is not idempotent.
-    { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
+    { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server $name
     ./build-dh
   fi
 fi
 
 
-cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz $server_dir
-gzip -df $server_dir/server.conf.gz
-
+gzip -dc /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >$conf
 
+cafile=$server_dir/ca-$name.crt
+cp $ca_origin $cafile
 cp ${keyfiles[@]} $server_dir
 # for legacy systems
-for f in ${keyfiles[@]}; do
+for f in ${keyfiles[@]} $cafile; do
   ln -sf server/${f##*/} /etc/openvpn
 done
 
-cat >>$server_dir/server.conf <<'EOF'
+cat >>$conf <<EOF
 
 # I cat an extra blank line to start because the example config does
 # not have a final newline. ....
@@ -162,22 +181,30 @@ cipher AES-256-CBC
 client-config-dir /etc/openvpn/client-config
 
 # duplicate in newer sample configs
-tls-auth ta.key 0 # This file is secret
+tls-auth ta-$name.key 0 # This file is secret
 
 # depending on sample config, this may not be there, which means i can't
-# talk to 10.8.0.1, there might be some other way, but stretch's
+# talk to $ip4.1, there might be some other way, but stretch's
 # sample config says:
 # Should be subnet (addressing via IP)
 # unless Windows clients v2.0.9 and lower have to
 # be supported (then net30, i.e. a /30 per client)
 # Defaults to net30 (not recommended)
 topology subnet
-EOF
 
+status /var/log/openvpn/openvpn-status-$name.log
+ifconfig-pool-persist /var/log/openvpn/ipp-$name.txt
+ca ca-$name.crt
+cert $name.crt
+key $name.key
+client-config-dir /etc/openvpn/client-config-$name
+server $ip4.0 255.255.255.0
+EOF
+mkdir -p /etc/openvpn/client-config-$name
 
 # dh improve security,
 # remove comp-lzo to increase perf
-sed -i --follow-symlinks -f - $server_dir/server.conf <<'EOF'
+sed -i --follow-symlinks -f - $conf <<'EOF'
 s/^dh dh1024.pem/dh dh2048.pem/
 /^comp-lzo.*/d
 EOF
@@ -188,13 +215,13 @@ mkdir -p /etc/openvpn/client-config
 
 if $dns; then
   # Be the dns server for clients
-  cat >>$server_dir/server.conf <<'EOF'
-push "dhcp-option DNS 10.8.0.1"
+  cat >>$conf <<EOF
+push "dhcp-option DNS $ip4.1"
 EOF
 fi
 
 if [[ $ip6 ]]; then
-  cat >>$server_dir/server.conf <<EOF
+  cat >>$conf <<EOF
 push tun-ipv6 # legacy option that flidas needs, has no harm.
 ifconfig-ipv6 $ip6 $ip6route
 EOF
@@ -208,16 +235,22 @@ fi
 
 
 if $route; then
-  cat >>$server_dir/server.conf <<'EOF'
+  cat >>$conf <<'EOF'
 # Be the default gateway for clients.
 push "redirect-gateway def1"
 EOF
   if [[ $ip6 ]]; then
-    cat >>$server_dir/server.conf <<'EOF'
+    cat >>$conf <<'EOF'
 push "route-ipv6 2000::/3"
 EOF
   fi
 fi
+if [[ $port ]]; then
+  cat >>$conf <<EOF
+port $port
+EOF
+fi
+
 
 sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
 cat >>/etc/sysctl.conf <<'EOF'
@@ -225,7 +258,7 @@ net.ipv4.ip_forward=1
 EOF
 sysctl -p /etc/sysctl.conf
 
-gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
+gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p' | head -n1)
 
 cat >/etc/systemd/system/vpnnat.service <<EOF
 [Unit]
@@ -234,8 +267,8 @@ Description=Turns on nat iptables setting
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
+ExecStop=/sbin/iptables -t nat -D POSTROUTING -s $ip4.0/24 -o $gw -j MASQUERADE
 
 [Install]
 WantedBy=$vpn_service.service
-- 
2.30.2