container-openvpn/bin/ovpn_getclient

#!/bin/bash

#
# Get an OpenVPN client configuration file
#

if [ "$DEBUG" == "1" ]; then
    set -x
fi

set -e

if [ -z "$OPENVPN" ]; then
    export OPENVPN="$PWD"
fi
if ! source "$OPENVPN/ovpn_env.sh"; then
    echo "Could not source $OPENVPN/ovpn_env.sh."
    exit 1
fi
if [ -z "$EASYRSA_PKI" ]; then
    export EASYRSA_PKI="$OPENVPN/pki"
fi

cn="$1"
parm="$2"

if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
    echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
    exit 1
fi

get_client_config() {
    mode="$1"
    echo "
client
nobind
dev $OVPN_DEVICE
remote-cert-tls server

remote $OVPN_CN $OVPN_PORT $OVPN_PROTO"
    if [ "$OVPN_PROTO" == "udp6" ]; then
        echo "remote $OVPN_CN $OVPN_PORT udp"
    fi
    if [ "$OVPN_PROTO" == "tcp6" ]; then
        echo "remote $OVPN_CN $OVPN_PORT tcp"
    fi
    for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do
      echo "$i"
    done
    if [ "$mode" == "combined" ]; then
        echo "
<key>
$(cat $EASYRSA_PKI/private/${cn}.key)
</key>
<cert>
$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)
</cert>
<ca>
$(cat $EASYRSA_PKI/ca.crt)
</ca>
key-direction 1
<tls-auth>
$(cat $EASYRSA_PKI/ta.key)
</tls-auth>
"
    elif [ "$mode" == "separated" ]; then
        echo "
key ${cn}.key
ca ca.crt
cert ${cn}.crt
tls-auth ta.key 1
"
    fi

    if [ "$OVPN_DEFROUTE" != "0" ];then
        echo "redirect-gateway def1"
    fi

    if [ -n "$OVPN_MTU" ]; then
        echo "tun-mtu $OVPN_MTU"
    fi

    if [ -n "$OVPN_TLS_CIPHER" ]; then
        echo "tls-cipher $OVPN_TLS_CIPHER"
    fi

    if [ -n "$OVPN_CIPHER" ]; then
        echo "cipher $OVPN_CIPHER"
    fi

    if [ -n "$OVPN_AUTH" ]; then
        echo "auth $OVPN_AUTH"
    fi

    if [ -n "$OVPN_OTP_AUTH" ]; then
        echo "auth-user-pass"
        echo "auth-nocache"
    fi

    if [ "$OVPN_COMP_LZO" == "1" ]; then
        echo "comp-lzo"
    fi

    if [ -n "$OVPN_OTP_AUTH" ]; then
        echo reneg-sec 0
    fi
}

dir="$OPENVPN/clients/$cn"
case "$parm" in
    "separated")
        mkdir -p "$dir"
        get_client_config "$parm" > "$dir/${cn}.ovpn"
        cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
        cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
        cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
        cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
        ;;
    "" | "combined")
        get_client_config "combined"
        ;;
    "combined-save")
        mkdir -p "$dir"
        get_client_config "combined" > "$dir/${cn}-combined.ovpn"
        ;;
    *)
        echo "This script can produce the client configuration in two formats:" >&2
        echo "    1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2
        echo "    2. separated: Separated files." >&2
        echo "Please specify one of those options as second parameter." >&2
        ;;
esac
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`#!/bin/bash`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`#`
			`# Get an OpenVPN client configuration file`
			`#`

Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1 2015-02-28 10:45:31 +00:00			`if [ "$DEBUG" == "1" ]; then`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`set -x`
Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1 2015-02-28 10:45:31 +00:00			`fi`

			`set -e`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`if [ -z "$OPENVPN" ]; then`
EASYRSA_PKI might not be defined. 2015-03-12 23:43:50 +00:00			`export OPENVPN="$PWD"`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`fi`
EASYRSA_PKI might not be defined. 2015-03-12 23:43:50 +00:00			`if ! source "$OPENVPN/ovpn_env.sh"; then`
			`echo "Could not source $OPENVPN/ovpn_env.sh."`
			`exit 1`
			`fi`
			`if [ -z "$EASYRSA_PKI" ]; then`
			`export EASYRSA_PKI="$OPENVPN/pki"`
			`fi`

Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`cn="$1"`
			`parm="$2"`
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url) 2014-07-06 01:51:58 +00:00			`if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`echo "Unable to find \"${cn}\", please try again or generate the key first" >&2`
getclient: Do not autogenerate key * Do not autogenerate a key if it does not exist. Instead fail. * Requires users to explicitly generate keys and prevents generating erroneous keys in the event of a typo. 2014-07-10 16:53:24 +00:00			`exit 1`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`fi`

Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`get_client_config() {`
			`mode="$1"`
			`echo "`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`client`
			`nobind`
Add a parameter to use TAP instead of TUN device. 2015-08-18 22:46:07 +00:00			`dev $OVPN_DEVICE`
ovpn_getclient: Verify server certificate * Verify the server's certificate to avoid MITM attacks 2014-06-04 22:38:49 +00:00			`remote-cert-tls server`
Added IPv6 support to client script Signed-off-by: Tilo Spannagel <development@tilosp.de> 2017-02-03 20:15:41 +00:00
			`remote $OVPN_CN $OVPN_PORT $OVPN_PROTO"`
			`if [ "$OVPN_PROTO" == "udp6" ]; then`
			`echo "remote $OVPN_CN $OVPN_PORT udp"`
			`fi`
			`if [ "$OVPN_PROTO" == "tcp6" ]; then`
			`echo "remote $OVPN_CN $OVPN_PORT tcp"`
			`fi`
Extra client config is now an array 2017-06-20 23:30:35 +00:00			`for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do`
			`echo "$i"`
			`done`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`if [ "$mode" == "combined" ]; then`
			`echo "`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`<key>`
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url) 2014-07-06 01:51:58 +00:00			`$(cat $EASYRSA_PKI/private/${cn}.key)`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`</key>`
			`<cert>`
getclient: Use openssl to prune comments * The EasyRSA tools create a certificate file with all the metadata readable. This makes the config file larger then it needs to be, so prune it. * Retrieve text files with `openssl x509 -in <crt> -noout -text` 2015-07-06 04:07:04 +00:00			`$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`</cert>`
			`<ca>`
			`$(cat $EASYRSA_PKI/ca.crt)`
			`</ca>`
[ovpn_getclient] key-direction before tls-auth NetworkManager seems to be ignoring the `key-direction` directive when it is after the `tls-auth` key, leading to issues as #268. Signed-off-by: w2ak <w2ak@users.noreply.github.com> 2018-01-04 18:10:46 +00:00			`key-direction 1`
tls-auth: Enable tls-auth for security * Enabling tls-auth improves security and helps protect against DDoS. 2014-06-04 22:34:42 +00:00			`<tls-auth>`
			`$(cat $EASYRSA_PKI/ta.key)`
			`</tls-auth>`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`"`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`elif [ "$mode" == "separated" ]; then`
			`echo "`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`key ${cn}.key`
			`ca ca.crt`
			`cert ${cn}.crt`
			`tls-auth ta.key 1`
			`"`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`fi`
getclient: Fix sourced env variables * Update to use the sourced environemental variables. * Add switch for not using default gateway. 2014-07-06 07:25:14 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`if [ "$OVPN_DEFROUTE" != "0" ];then`
			`echo "redirect-gateway def1"`
			`fi`
Support client mtu push 2015-01-17 09:07:52 +00:00
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`if [ -n "$OVPN_MTU" ]; then`
			`echo "tun-mtu $OVPN_MTU"`
			`fi`
Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 10:43:25 +00:00
			`if [ -n "$OVPN_TLS_CIPHER" ]; then`
			`echo "tls-cipher $OVPN_TLS_CIPHER"`
			`fi`

			`if [ -n "$OVPN_CIPHER" ]; then`
			`echo "cipher $OVPN_CIPHER"`
			`fi`

			`if [ -n "$OVPN_AUTH" ]; then`
			`echo "auth $OVPN_AUTH"`
			`fi`
COMP-lzo param is set in client config, if defined in server. 2015-11-27 14:03:35 +00:00
Export user pass option in client when OTP is enabled 2016-02-06 20:40:11 +00:00			`if [ -n "$OVPN_OTP_AUTH" ]; then`
			`echo "auth-user-pass"`
Do not cache user credentials 2016-02-07 01:53:43 +00:00			`echo "auth-nocache"`
Export user pass option in client when OTP is enabled 2016-02-06 20:40:11 +00:00			`fi`

Add configuration for keepalive * Add parameter to disable the push of block-outside-dns * -d should really do what it was supposed to do * Fix problem where comp-lzo would always be set regardless of the parameter 2017-03-09 23:04:21 +00:00			`if [ "$OVPN_COMP_LZO" == "1" ]; then`
COMP-lzo param is set in client config, if defined in server. 2015-11-27 14:03:35 +00:00			`echo "comp-lzo"`
			`fi`
automatically add reneg-sec 0 to client and server configs when otp is being used to avoid connection resetting every hour. Edit docs to make clear that a more secure cipher needs to be selected to use with otp to avoid the connection being reset every 64 MB of data 2017-01-24 14:37:48 +00:00
change test to bring in line with others 2017-01-26 17:53:53 +00:00			`if [ -n "$OVPN_OTP_AUTH" ]; then`
Add configuration for keepalive * Add parameter to disable the push of block-outside-dns * -d should really do what it was supposed to do * Fix problem where comp-lzo would always be set regardless of the parameter 2017-03-09 23:04:21 +00:00			`echo reneg-sec 0`
automatically add reneg-sec 0 to client and server configs when otp is being used to avoid connection resetting every hour. Edit docs to make clear that a more secure cipher needs to be selected to use with otp to avoid the connection being reset every 64 MB of data 2017-01-24 14:37:48 +00:00			`fi`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`}`

			`dir="$OPENVPN/clients/$cn"`
			`case "$parm" in`
			`"separated")`
			`mkdir -p "$dir"`
			`get_client_config "$parm" > "$dir/${cn}.ovpn"`
			`cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"`
			`cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"`
			`cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"`
			`cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"`
			`;;`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`"" \| "combined")`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`get_client_config "combined"`
			`;;`
			`"combined-save")`
bugfix: combined-saved was not making directory 2017-01-12 11:49:24 +00:00			`mkdir -p "$dir"`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`get_client_config "combined" > "$dir/${cn}-combined.ovpn"`
			`;;`
			`*)`
Add configuration for keepalive * Add parameter to disable the push of block-outside-dns * -d should really do what it was supposed to do * Fix problem where comp-lzo would always be set regardless of the parameter 2017-03-09 23:04:21 +00:00			`echo "This script can produce the client configuration in two formats:" >&2`
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 12:22:28 +00:00			`echo " 1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2`
			`echo " 2. separated: Separated files." >&2`
Add configuration for keepalive * Add parameter to disable the push of block-outside-dns * -d should really do what it was supposed to do * Fix problem where comp-lzo would always be set regardless of the parameter 2017-03-09 23:04:21 +00:00			`echo "Please specify one of those options as second parameter." >&2`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`;;`
			`esac`