container-openvpn/bin/ovpn_getclient

#!/bin/bash

#
# Get an OpenVPN client configuration file
#

set -ex

if [ -s "$OPENVPN/server_url" ]; then
    server_url=$(cat "$OPENVPN/server_url" 2> /dev/null)
else
    # TODO Backwards compatible, need to throw away eventually
    server_url=$(cat "$OPENVPN/servername" 2> /dev/null)
fi

if [[ "$server_url" =~ ^((udp|tcp)://)?([0-9a-zA-Z\.]+)(:([0-9]+))?$ ]]; then
    proto=${BASH_REMATCH[2]};
    servername=${BASH_REMATCH[3]};
    port=${BASH_REMATCH[5]};
else
    echo "Common name not specified"
    exit 1
fi

# Apply defaults
[ -z "$proto" ] && proto=1194
[ -z "$port" ] && port=udp

if [ ! -f "$EASYRSA_PKI/private/$cn.key" ]; then
    easyrsa build-server-full $cn nopass
fi

cat <<EOF
client
nobind
dev tun
redirect-gateway def1
remote-cert-tls server

<key>
$(cat $EASYRSA_PKI/private/$cn.key)
</key>
<cert>
$(cat $EASYRSA_PKI/issued/$cn.crt)
</cert>
<ca>
$(cat $EASYRSA_PKI/ca.crt)
</ca>
<dh>
$(cat $EASYRSA_PKI/dh.pem)
</dh>
<tls-auth>
$(cat $EASYRSA_PKI/ta.key)
</tls-auth>
key-direction 1

<connection>
remote $servername $port $proto
</connection>
EOF
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`#!/bin/bash`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`#`
			`# Get an OpenVPN client configuration file`
			`#`

			`set -ex`

ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`if [ -s "$OPENVPN/server_url" ]; then`
			`server_url=$(cat "$OPENVPN/server_url" 2> /dev/null)`
			`else`
			`# TODO Backwards compatible, need to throw away eventually`
			`server_url=$(cat "$OPENVPN/servername" 2> /dev/null)`
			`fi`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`if [[ "$server_url" =~ ^((udp\|tcp)://)?([0-9a-zA-Z\.]+)(:([0-9]+))?$ ]]; then`
			`proto=${BASH_REMATCH[2]};`
			`servername=${BASH_REMATCH[3]};`
			`port=${BASH_REMATCH[5]};`
			`else`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`echo "Common name not specified"`
			`exit 1`
			`fi`

ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`# Apply defaults`
			`[ -z "$proto" ] && proto=1194`
			`[ -z "$port" ] && port=udp`

openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`if [ ! -f "$EASYRSA_PKI/private/$cn.key" ]; then`
			`easyrsa build-server-full $cn nopass`
			`fi`

			`cat <<EOF`
			`client`
			`nobind`
			`dev tun`
			`redirect-gateway def1`
ovpn_getclient: Verify server certificate * Verify the server's certificate to avoid MITM attacks 2014-06-04 22:38:49 +00:00			`remote-cert-tls server`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`<key>`
			`$(cat $EASYRSA_PKI/private/$cn.key)`
			`</key>`
			`<cert>`
			`$(cat $EASYRSA_PKI/issued/$cn.crt)`
			`</cert>`
			`<ca>`
			`$(cat $EASYRSA_PKI/ca.crt)`
			`</ca>`
			`<dh>`
			`$(cat $EASYRSA_PKI/dh.pem)`
			`</dh>`
tls-auth: Enable tls-auth for security * Enabling tls-auth improves security and helps protect against DDoS. 2014-06-04 22:34:42 +00:00			`<tls-auth>`
			`$(cat $EASYRSA_PKI/ta.key)`
			`</tls-auth>`
			`key-direction 1`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`<connection>`
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`remote $servername $port $proto`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`</connection>`
			`EOF`