From db7cd23a75387ecb417b4b621d6610bc6ff4eb6d Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Sun, 21 Jan 2018 20:37:50 -0500
Subject: [PATCH] add trisquel flidas support, small fixes and additions

---
 vpn-mk-client-cert |  71 ++++++++++++----
 vpn-server-setup   | 199 +++++++++++++++++++++++++++++----------------
 2 files changed, 182 insertions(+), 88 deletions(-)

diff --git a/vpn-mk-client-cert b/vpn-mk-client-cert
index f480d02..d495754 100755
--- a/vpn-mk-client-cert
+++ b/vpn-mk-client-cert
@@ -18,20 +18,23 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
+
 usage() {
     cat <<EOF
 usage: ${0##*/} VPN_SERVER_HOST
 
--b COMMON_NAME   By default, use CONFIG_NAME. If the cert already exists
-                 on the server, with the CLIENT_NAME name, we use the
-                 existing one. See comment below if we ever want to
-                 check existing common names. They must be unique per
-                 server, so you can use $(uuidgen) if needed. You used
-                 to be able to create multiple with the same name, but
-                 not connect at the same time, but now, the generator
-                 keeps track, so you can't generate.
+-b COMMON_NAME   By default, use $HOSTNAME or $CLIENT_HOST. If the cert
+                 already exists on the server, with the CLIENT_NAME
+                 name, we use the existing one. See comment below if we
+                 ever want to check existing common names. They must be
+                 unique per server, so you can use $(uuidgen) if
+                 needed. You used to be able to create multiple with the
+                 same name, but not connect at the same time, but now,
+                 the generator keeps track, so you can't generate.
 -c CLIENT_HOST   default is localhost. Else we ssh to root@CLIENT_HOST
 -n CONFIG_NAME   default is client
+-s SCRIPT_PATH   Use custom up/down script at PATH, copied to same path
+                 on client.
 
 Generate a client cert and config and install it on locally or on
 CLIENT_HOST if given.  Uses default config options, and expects be able
@@ -52,31 +55,50 @@ EOF
     #          sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
 
 
+####### begin command line parsing and checking ##############
+
 shell="bash -c"
 name=client
+custom_script=false
+script=/etc/openvpn/update-resolv-conf
 
-temp=$(getopt -l help hb:c:n: "$@") || usage 1
+temp=$(getopt -l help hb:c:n:s: "$@") || usage 1
 eval set -- "$temp"
 while true; do
     case $1 in
         -b) common_name="$2"; shift 2 ;;
-        -c) shell="ssh root@$2"; shift 2 ;;
+        -c) client_host=$2; shell="ssh root@$client_host"; shift 2 ;;
         -n) name="$2"; shift 2 ;;
+        -s) custom_script=true; script="$2"; shift 2 ;;
         -h|--help) usage ;;
         --) shift; break ;;
         *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
     esac
 done
 
-if [[ ! $common_name ]]; then common_name=$name; fi
+if [[ ! $common_name ]]; then
+    if [[ $client_host ]]; then
+        common_name=$client_host
+    else
+        common_name=$HOSTNAME
+    fi
+fi
 
 host=$1
 [[ $host ]] || usage 1
 
+####### end command line parsing and checking ##############
+
+
 # bash or else we get motd spam. note sleep 2, sleep 1 failed.
 ssh root@$host bash <<EOF | $shell 'id -u | grep -xF 0 || s=sudo; $s tar xzv -C /etc/openvpn/client'
 set -eE -o pipefail
 
+server_dir=/etc/openvpn
+if [[ -e /etc/openvpn/server ]]; then
+    server_dir=/etc/openvpn/server
+fi
+
 exists=true
 for x in /etc/openvpn/easy-rsa/keys/{$name.{crt,key},ca.crt}; do
   if [[ ! -e \$x ]]; then
@@ -96,12 +118,16 @@ d=\$(mktemp -d)
 cp /etc/openvpn/easy-rsa/keys/ca.crt \$d/$name-ca.crt
 cp /etc/openvpn/easy-rsa/keys/$name.{crt,key} \$d
 
+cp \$server_dir/ta.key \$d/$name-ta.key
+
 tar cz -C \$d .
 rm -rf \$d
 EOF
 
 f=/etc/openvpn/client/$name.crt
-if [[ ! -s $f ]]; then
+if ! $shell "test -s $f"; then
+    # if common name is not unique, you get empty file. and if we didn't silence
+    # build-key, you'd see an error "TXT_DB error number 2"
     echo "$0: error: $f is empty or otherwise bad. is this common name unique?"
     exit 1
 fi
@@ -126,11 +152,11 @@ verb 3
 # This script will update local dns
 # to what the server sends, if it sends dns.
 script-security 2
-up /etc/openvpn/update-resolv-conf
-down /etc/openvpn/update-resolv-conf
+up $script
+down $script
 
 # matching server config
-cipher aes-256-cbc
+cipher AES-256-CBC
 
 
 # example config has the commented line, but this other thing looks stronger,
@@ -141,7 +167,16 @@ remote-cert-tls server
 # more resilient when running as nonroot
 persist-key
 
-# see comments in server side configuration.
-# the minimum of the 2 is used.
-reneg-sec 2592000
+# See comments in server side configuration.
+# The minimum of the client & server config is what is used by openvpn.
+reneg-sec 432000
+
+tls-auth $name-ta.key 1
 EOF
+
+if [[ $client_host ]] && $custom_script; then
+    $shell "dd of=$script" <$script
+    $shell "chmod +x $script"
+fi
+
+$shell 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done'
diff --git a/vpn-server-setup b/vpn-server-setup
index dec98e9..bbfd41b 100755
--- a/vpn-server-setup
+++ b/vpn-server-setup
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 # Copyright (C) 2016 Ian Kelling
 
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,105 +19,161 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
-dns=true
-route=true
-case $1 in
-    -r) route=false ;;
-    -d) dns=false ;;
-    -h|--help|*)
-        cat <<'EOF'
+usage() {
+    cat <<'EOF'
 usage: ${0##*/} [-d|-h|--help]
 
 -r  Do not push default route
 -d  Do not push dns
+-s  Do not start openvpn
 -h --help print help
 
-Sets up a vpn server which pushes gateway route and dns server
-so all traffic goes through the vpn. requires systemd,
-and might have some debian specific paths.
+Sets up a vpn server which pushes gateway route and dns server so all
+traffic goes through the vpn. requires systemd, and might have some
+debian specific paths.
+
+You can save all the keys by storing /etc/openvpn/easy-rsa/keys, and
+the script will not generate them if it sees they exist already.
+
+Note: Uses GNU getopt options parsing style
 EOF
-        exit
-        ;;
-esac
+    exit $1
+}
+
+dns=true
+route=true
+start=true
+temp=$(getopt -l help drsh "$@") || usage 1
+eval set -- "$temp"
+while true; do
+    case $1 in
+        -d) dns=false; shift ;;
+        -r) route=false; shift ;;
+        -s) start=false; shift ;;
+        -h|--help) usage ;;
+        --) shift; break ;;
+        *) echo "$0: Internal error! unexpected args: $*" ; exit 1 ;;
+    esac
+done
 
 apt-get update
-# suggests get's us openssl & easy rsa
+# suggests get's us openssl
 apt-get install --install-suggests -y openvpn
-apt-get install -y uuid-runtime
-mkdir -p /etc/openvpn/easy-rsa/keys
+if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+    vpn_service=openvpn-server@server
+else
+    vpn_service=openvpn@server
+fi
+apt-get install -y uuid-runtime easy-rsa
+mkdir -p /etc/openvpn/easy-rsa
 cd /etc/openvpn/easy-rsa
 cp -r /usr/share/easy-rsa/* .
-source vars # dun care about setting cert cn etc from the non-example values
-./clean-all
-# accept default prompts
-echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
-
-# This builds the server's key/cert. argument is the name of the file,
-# but it also is the default common name of the cert.
-# 'server' is the default name in our conf file for the name of the file
-# and I've seen no reason to change it.
-# Note, this is not idempotent.
-{ echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
-./build-dh
-cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
-cp /etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem} /etc/openvpn
-gzip -df /etc/openvpn/server.conf.gz
-# dh improve security,
-# remove comp-lzo to increase perf
-sed -i --follow-symlinks -f - /etc/openvpn/server.conf <<'EOF'
-s/^dh dh1024.pem/dh dh2048.pem/
-/^comp-lzo.*/d
-EOF
+if [[ -e openssl-1.0.0.cnf && ! -e openssl.cnf ]]; then
+    # there's a debian bug about this.
+    ln -s openssl-1.0.0.cnf openssl.cnf
+fi
+
+keys_exist=true
+keyfiles=(/etc/openvpn/easy-rsa/keys/{ca.crt,server.{crt,key},dh2048.pem,ta.key})
+for f in ${keyfiles[@]}; do
+    if [[ ! -e $f ]]; then
+        keys_exist=false
+        break
+    fi
+done
+
+if ! $keys_exist; then
+    source vars # dun care about setting cert cn etc from the non-example values
+    ./clean-all # note: removes and creates /etc/openvpn/easy-rsa/keys
+    # newer sample configs (post stretch) use ta.key. no harm making it for earlier oses
+    openvpn --genkey --secret /etc/openvpn/easy-rsa/keys/ta.key
+    # accept default prompts
+    echo -e '\n\n\n\n\n\n\n\n' | ./build-ca
+
+    # This builds the server's key/cert. argument is the name of the file,
+    # but it also is the default common name of the cert.
+    # 'server' is the default name in our conf file for the name of the file
+    # and I've seen no reason to change it.
+    # Note, this is not idempotent.
+    { echo -e '\n\n\n\n\n\n\n\n\n\n'; sleep 1; echo -e 'y\ny\n'; } | ./build-key-server server
+    ./build-dh
+fi
+
+server_dir=/etc/openvpn/server
+mkdir -p $server_dir
+chmod 700 $server_dir
+
+cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz $server_dir
+gzip -df $server_dir/server.conf.gz
+
+
+cp ${keyfiles[@]} $server_dir
+# for legacy systems
+for f in ${keyfiles[@]}; do
+    ln -sf server/${f##*/} /etc/openvpn
+done
+
+cat >>$server_dir/server.conf <<'EOF'
 
+# I cat an extra blank line to start because the example config does
+# not have a final newline. ....
 
-cat >>/etc/openvpn/server.conf <<'EOF'
 # not in example config, but openvpn outputs a warning about insecure
 # cipher without a setting like this (the default i can understand due
 # to compatibility issues, but not changing the example config... not
-# cool). exact cipher taken from config of vpn provider I trust. This
+# cool).
 # requires the same setting on the client side.
-cipher aes-256-cbc
+cipher AES-256-CBC
 # just sets up the ability to have client specific configs
 client-config-dir /etc/openvpn/client-config
-# 30 days. default is 3600, 1 hour. we momentarily disconnect
-# after this time, and get a new tls key. The idea is that
-# if someone is working very hard to break our encryption,
-# they have less time to do it, and less time in the past
-# for it to be broken. online sources say that there is no
-# good objective idea about what a good value is here, since
-# we don't expect our encryption to be breakable, but 1 hour
-# seems very conservative. Since I want to support hosting
-# a server over the tunnel, having the server break up to once
-# an hour is very tough. I've seen a vpn service that seems
-# very on top of things set this to 5 days.
-reneg-sec 2592000
+
+# duplicate in newer sample configs
+tls-auth ta.key 0 # This file is secret
+
+# depending on sample config, this may not be there, which means i can't
+# talk to 10.8.0.1, there might be some other way, but stretch's
+# sample config says:
+# Should be subnet (addressing via IP)
+# unless Windows clients v2.0.9 and lower have to
+# be supported (then net30, i.e. a /30 per client)
+# Defaults to net30 (not recommended)
+topology subnet
 EOF
-mkdir -p /etc/openvpn/client-config
 
-if $route; then
-    cat >>/etc/openvpn/server.conf <<'EOF'
-# Be the default gateway for clients.
-push "redirect-gateway def1"
+
+# dh improve security,
+# remove comp-lzo to increase perf
+sed -i --follow-symlinks -f - $server_dir/server.conf <<'EOF'
+s/^dh dh1024.pem/dh dh2048.pem/
+/^comp-lzo.*/d
 EOF
-fi
+
+
+mkdir -p /etc/openvpn/client-config
+
 
 if $dns; then
     # Be the dns server for clients
-    cat >>/etc/openvpn/server.conf <<'EOF'
+    cat >>$server_dir/server.conf <<'EOF'
 push "dhcp-option DNS 10.8.0.1"
 EOF
 fi
 
-echo "1" > /proc/sys/net/ipv4/ip_forward
-sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
-cat >>/etc/sysctl.conf <<'EOF'
+if $route; then
+    cat >>$server_dir/server.conf <<'EOF'
+# Be the default gateway for clients.
+push "redirect-gateway def1"
+EOF
+    echo "1" > /proc/sys/net/ipv4/ip_forward
+    sed -i --follow-symlinks '/^ *net\.ipv4\.ip_forward=.*/d' /etc/sysctl.conf
+    cat >>/etc/sysctl.conf <<'EOF'
 net.ipv4.ip_forward=1
 EOF
 
 
-gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
+    gw=$(ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
 
-cat >/etc/systemd/system/vpnnat.service <<EOF
+    cat >/etc/systemd/system/vpnnat.service <<EOF
 [Unit]
 Description=Turns on nat iptables setting
 
@@ -128,10 +184,13 @@ ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERA
 ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
 
 [Install]
-WantedBy=openvpn.service
+WantedBy=$vpn_service
 EOF
-systemctl daemon-reload # needed if the file was already there
-systemctl enable vpnnat.service
-systemctl start vpnnat.service
+    systemctl daemon-reload # needed if the file was already there
+    # note, no need to start it, the vpn_service does that.
+fi
 
-systemctl restart openvpn@server
+if $start; then
+    systemctl enable $vpn_service
+    systemctl restart $vpn_service
+fi
-- 
2.30.2