container-openvpn/bin/ovpn_init

#!/bin/bash

#
# Initialize the PKI and OpenVPN configs
#

set -ex

server_url=$1

# Server name is in the form "udp://vpn.example.com:1194"
if [[ "$server_url" =~ ^((udp|tcp)://)?([0-9a-zA-Z\.]+)(:([0-9]+))?$ ]]; then
    proto=${BASH_REMATCH[2]};
    cn=${BASH_REMATCH[3]};
    port=${BASH_REMATCH[5]};
else
    echo "Common name not specified"
    exit 1
fi

# Apply defaults
[ -z "$proto" ] && proto=1194
[ -z "$port" ] && port=udp

# Specify "nopass" as arg[2] to make the CA insecure
nopass=$2

# Provides a sufficient warning before erasing pre-existing files
easyrsa init-pki

# CA always has a password for protection in event server is compromised. The
# password is only needed to sign client/server certificates.  No password is
# needed for normal OpenVPN operation.
easyrsa build-ca $nopass

easyrsa gen-dh
openvpn --genkey --secret $OPENVPN/pki/ta.key

# Was nice to autoset, but probably a bad idea in practice, users should
# have to explicitly specify the common name of their server
#if [ -z "$cn"]; then
#    #TODO: Handle IPv6 (when I get a VPS with IPv6)...
#    ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)
#    ptr=$(dig +short -x $ip4 | sed -e 's:\.$::')
#
#    [ -n "$ptr" ] && cn=$ptr || cn=$ip4
#fi

echo "$server_url" > $OPENVPN/server_url

# For a server key with a password, manually init; this is autopilot
easyrsa build-server-full $cn nopass

ovpn_genconfig "$cn"
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`#!/bin/bash`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`#`
			`# Initialize the PKI and OpenVPN configs`
			`#`

			`set -ex`

ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`server_url=$1`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`# Server name is in the form "udp://vpn.example.com:1194"`
			`if [[ "$server_url" =~ ^((udp\|tcp)://)?([0-9a-zA-Z\.]+)(:([0-9]+))?$ ]]; then`
			`proto=${BASH_REMATCH[2]};`
			`cn=${BASH_REMATCH[3]};`
			`port=${BASH_REMATCH[5]};`
			`else`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`echo "Common name not specified"`
			`exit 1`
			`fi`

ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`# Apply defaults`
			`[ -z "$proto" ] && proto=1194`
			`[ -z "$port" ] && port=udp`

ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now. 2014-06-05 00:07:07 +00:00			`# Specify "nopass" as arg[2] to make the CA insecure`
			`nopass=$2`

openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`# Provides a sufficient warning before erasing pre-existing files`
			`easyrsa init-pki`

ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now. 2014-06-05 00:07:07 +00:00			`# CA always has a password for protection in event server is compromised. The`
			`# password is only needed to sign client/server certificates. No password is`
			`# needed for normal OpenVPN operation.`
			`easyrsa build-ca $nopass`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`easyrsa gen-dh`
			`openvpn --genkey --secret $OPENVPN/pki/ta.key`

ovpen_init: Remove external IP resolution * Disable auto guessing the external IP in favor of the user explicitly specifying the server name. Save the servername for client cert generation later. * Remove dnsutils from build since dig is no longer necessary. Favor learn and mean images. 2014-06-04 18:15:43 +00:00			`# Was nice to autoset, but probably a bad idea in practice, users should`
			`# have to explicitly specify the common name of their server`
			`#if [ -z "$cn"]; then`
			`# #TODO: Handle IPv6 (when I get a VPS with IPv6)...`
			`# ip4=$(dig +short myip.opendns.com @resolver1.opendns.com)`
			`# ptr=$(dig +short -x $ip4 \| sed -e 's:\.$::')`
			`#`
			`# [ -n "$ptr" ] && cn=$ptr \|\| cn=$ip4`
			`#fi`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`echo "$server_url" > $OPENVPN/server_url`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
ovpn_init: Protect the CA key by default * Protect the CA key with a passphrase by default to protect it from a filsystem compromise. An attacker could still steal the other keys stored (ie the server's cert key), but not issue new keys. * This is a good compromise for now. 2014-06-05 00:07:07 +00:00			`# For a server key with a password, manually init; this is autopilot`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`easyrsa build-server-full $cn nopass`

ovpn_genconfig: Add generate config script * Create a generate config script so that the new docker containers can regenerate the OpenVPN configuration without clobbering the PKI setup. 2014-06-04 23:49:13 +00:00			`ovpn_genconfig "$cn"`