#!/bin/bash
#
# Generate OpenVPN configs
#
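# Convert 1.2.3.4/24 -> 255.255.255.0
#######################################
# Convert a CIDR prefix length into a dotted-quad netmask.
# Arguments: $1 - address in CIDR form (e.g. 192.168.255.0/24); everything
#                 up to and including the last '/' is ignored, only the
#                 prefix length is used
# Outputs:   the netmask (e.g. 255.255.255.0) on stdout
# Returns:   0 on success; 1 with a message on stderr when the prefix is not
#            an integer in 0..32 (previously this surfaced as a bash
#            arithmetic error inside the command substitution)
#######################################
cidr2mask() {
  local cidr=${1#*/}
  # Validate before doing arithmetic so garbage never reaches $(( )).
  if [[ ! "$cidr" =~ ^[0-9]+$ ]]; then
    echo "cidr2mask: invalid CIDR prefix in '$1'" >&2
    return 1
  fi
  cidr=$(( 10#$cidr ))   # force base 10 so a leading zero is not read as octal
  if (( cidr > 32 )); then
    echo "cidr2mask: prefix /$cidr out of range in '$1'" >&2
    return 1
  fi
  local full_octets=$(( cidr / 8 ))
  local partial_octet=$(( cidr % 8 ))
  local i octet mask=""
  for (( i = 0; i < 4; i++ )); do
    if (( i < full_octets )); then
      octet=255
    elif (( i == full_octets )); then
      # Only the leading $partial_octet bits of this octet are set.
      octet=$(( 256 - 2 ** (8 - partial_octet) ))
    else
      octet=0
    fi
    mask+=$octet
    (( i < 3 )) && mask+=.
  done
  echo "$mask"
}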
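# Used often enough to justify a function
#######################################
# Expand "NETWORK/PREFIX" into the "NETWORK NETMASK" pair that the OpenVPN
# 'server' and 'route' directives expect.
# Arguments: $1 - network in CIDR form, e.g. 192.168.255.0/24
# Outputs:   "192.168.255.0 255.255.255.0" on stdout
# Returns:   0 on success; 1 and no output when cidr2mask fails, instead of
#            emitting a network with a missing mask
#######################################
getroute() {
  local network=${1%/*}
  local mask
  mask=$(cidr2mask "$1") || return 1
  echo "$network $mask"
}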
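#######################################
# Print the command-line synopsis and option summary to stdout.
# Globals:   $0 (read) - script name shown in the synopsis
# The -T and -C descriptions were swapped: -T sets OVPN_TLS_CIPHER, which is
# written as the 'tls-cipher' directive (the colon-delimited allow-list of
# TLS cipher suites), and -C sets OVPN_CIPHER, written as 'cipher' (the
# data-channel packet cipher). The text now matches what each option does.
#######################################
usage() {
  cat <<EOF
usage: $0 [-d]
 -u SERVER_PUBLIC_URL
 [-s SERVER_SUBNET]
 [-r ROUTE ...]
 [-p PUSH ...]
 [-n DNS_SERVER ...]

optional arguments:
 -d Disable NAT routing and default route
 -c Enable client-to-client option
 -D Do not push dns servers
 -N Configure NAT to access external server network
 -m Set client MTU
 -t Use TAP device (instead of TUN device)
 -T A list of allowable TLS ciphers delimited by a colon (tls-cipher).
 -C Encrypt packets with the given cipher algorithm instead of the default one (cipher).
 -a Authenticate packets with HMAC using the given message digest algorithm (auth).
 -z Enable comp-lzo compression.
 -2 Enable two factor authentication using Google Authenticator.
 -f Set the fragment directive.
EOF
}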
# DEBUG=1 in the environment traces every command (set -x). The error paths
# in option parsing turn tracing off again before printing the usage text.
[[ "$DEBUG" == "1" ]] && set -x

# Abort on the first failing command; the clean-up section at the end of
# the script relaxes this again with set +e.
set -e
# Built-in defaults. A previously saved $OPENVPN/ovpn_env.sh (sourced below)
# overrides these, and command-line options override both.
OVPN_ENV="${OPENVPN}/ovpn_env.sh"

# Networking
OVPN_SERVER=192.168.255.0/24
OVPN_DEFROUTE=1
OVPN_NAT=0
OVPN_DEVICE=tun
OVPN_DEVICEN=0

# DNS servers pushed to clients (OVPN_DNS=0 disables the push entirely)
OVPN_DNS=1
declare -a OVPN_DNS_SERVERS=(8.8.8.8 8.8.4.4)

# Routes and push directives. The TMP_* arrays collect -r/-p/-n values so
# that a saved list is replaced only when the option was actually given.
declare -a OVPN_ROUTES=() TMP_ROUTES=()
declare -a OVPN_PUSH=() TMP_PUSH=()
declare -a TMP_DNS_SERVERS=()

# Crypto overrides; an empty value leaves OpenVPN's default in place
OVPN_TLS_CIPHER=
OVPN_CIPHER=
OVPN_AUTH=

# Import defaults if present. The file is executed as shell code, so only a
# trusted $OPENVPN volume may supply it.
[ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
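# Parse arguments
#######################################
# Parse command-line options into the OVPN_* and TMP_* globals.
# Globals:   OVPN_AUTH, OVPN_CIPHER, OVPN_TLS_CIPHER, OVPN_SERVER,
#            OVPN_DEFROUTE, OVPN_SERVER_URL, OVPN_CLIENT_TO_CLIENT, OVPN_DNS,
#            OVPN_NAT, OVPN_MTU, OVPN_DEVICE, OVPN_COMP_LZO, OVPN_OTP_AUTH,
#            OVPN_FRAGMENT (written); TMP_ROUTES, TMP_PUSH, TMP_DNS_SERVERS
#            (appended); OPTIND (advanced by getopts)
# Arguments: the script's command line ("$@")
# Outputs:   on an unknown option or a missing option argument, a message on
#            stderr followed by usage(); tracing is switched off first so
#            the help text is not interleaved with -x output
# Returns:   0; exits the script with status 1 on a parse error
#######################################
parse_args() {
  local opt
  # -m now declares an argument ("m:"). The usage text documents "-m Set
  # client MTU" and the handler reads $OPTARG, but without the colon getopts
  # left OPTARG unset and the MTU value became a stray positional argument
  # that also terminated option parsing.
  while getopts ":a:C:T:r:s:du:cp:n:DNm:f:tz2" opt; do
    case "$opt" in
      a) OVPN_AUTH="$OPTARG" ;;
      C) OVPN_CIPHER="$OPTARG" ;;
      T) OVPN_TLS_CIPHER="$OPTARG" ;;
      r) TMP_ROUTES+=("$OPTARG") ;;
      s) OVPN_SERVER=$OPTARG ;;
      d) OVPN_DEFROUTE=0 ;;
      u) OVPN_SERVER_URL=$OPTARG ;;
      c) OVPN_CLIENT_TO_CLIENT=1 ;;
      p) TMP_PUSH+=("$OPTARG") ;;
      n) TMP_DNS_SERVERS+=("$OPTARG") ;;
      D) OVPN_DNS=0 ;;
      N) OVPN_NAT=1 ;;
      m) OVPN_MTU=$OPTARG ;;
      t) OVPN_DEVICE="tap" ;;
      z) OVPN_COMP_LZO=1 ;;
      2) OVPN_OTP_AUTH=1 ;;
      f) OVPN_FRAGMENT=$OPTARG ;;
      \?)
        set +x
        echo "Invalid option: -$OPTARG" >&2
        usage
        exit 1
        ;;
      :)
        set +x
        echo "Option -$OPTARG requires an argument." >&2
        usage
        exit 1
        ;;
    esac
  done
}

parse_args "$@"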
# Lists given on the command line replace the saved/default lists, but only
# when at least one value was supplied, so a re-run without -r/-p/-n keeps
# whatever ovpn_env.sh provided.

# if new routes were not defined with -r, use default
if (( ${#TMP_ROUTES[@]} > 0 )); then
  OVPN_ROUTES=("${TMP_ROUTES[@]}")
fi

# if new push directives were not defined with -p, use default
if (( ${#TMP_PUSH[@]} > 0 )); then
  OVPN_PUSH=("${TMP_PUSH[@]}")
fi

# if dns servers were not defined with -n, use google nameservers
if (( ${#TMP_DNS_SERVERS[@]} > 0 )); then
  OVPN_DNS_SERVERS=("${TMP_DNS_SERVERS[@]}")
fi
# Server name is in the form "udp://vpn.example.com:1194"
# Scheme and port are optional. The bracket expression for the host part
# also acts as the allow-list for OVPN_CN, which is later interpolated into
# the key/certificate paths written to openvpn.conf, so keep it tight.
if [[ "$OVPN_SERVER_URL" =~ ^((udp|tcp)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then
  OVPN_PROTO=${BASH_REMATCH[2]}
  OVPN_CN=${BASH_REMATCH[3]}
  OVPN_PORT=${BASH_REMATCH[5]}
else
  set +x
  echo "Common name not specified, see '-u'"
  usage
  exit 1
fi
# Apply defaults
# Protocol and port are only filled in when the -u URL did not carry them.
OVPN_PROTO=${OVPN_PROTO:-udp}
OVPN_PORT=${OVPN_PORT:-1194}
# Fall back to a single example route when neither -r nor ovpn_env.sh set any.
if [ "${#OVPN_ROUTES[@]}" -eq 0 ]; then
  OVPN_ROUTES=("192.168.254.0/24")
fi
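# Export every setting the generated config depends on so that the
# "Preserve config" step below can persist it (export | grep OVPN_) and a
# later source of ovpn_env.sh restores the same state.
export OVPN_SERVER OVPN_ROUTES OVPN_DEFROUTE
export OVPN_SERVER_URL OVPN_ENV OVPN_PROTO OVPN_CN OVPN_PORT
export OVPN_CLIENT_TO_CLIENT OVPN_PUSH OVPN_NAT OVPN_DNS OVPN_MTU OVPN_DEVICE
export OVPN_TLS_CIPHER OVPN_CIPHER OVPN_AUTH
export OVPN_COMP_LZO
export OVPN_OTP_AUTH
export OVPN_FRAGMENT
# Previously missing: OVPN_DNS_SERVERS is set by -n but was never saved, so
# a re-run that sourced ovpn_env.sh silently reverted the pushed DNS servers
# to the built-in defaults while every other option survived. OVPN_DEVICEN
# is recorded for the same reason, since it forms part of the 'dev' line.
export OVPN_DNS_SERVERS OVPN_DEVICEN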
# Preserve config
# Move any existing ovpn_env.sh aside under a timestamped name before the
# current settings are written; $bak_env is compared against the new file
# in the clean-up step at the end.
if [ -f "$OVPN_ENV" ]; then
  bak_env="$OVPN_ENV.$(date +%s).bak"
  echo "Backing up $OVPN_ENV -> $bak_env"
  mv "$OVPN_ENV" "$bak_env"
fi
# Dump every exported OVPN_* variable as a 'declare -x' line that can be
# sourced back in on the next run.
export -p | grep OVPN_ > "$OVPN_ENV"
# Back up an existing openvpn.conf the same way as ovpn_env.sh above; $bak
# is compared against the new file in the clean-up step at the end.
conf="${OPENVPN}/openvpn.conf"
if [ -f "$conf" ]; then
  bak="$conf.$(date +%s).bak"
  echo "Backing up $conf -> $bak"
  mv "$conf" "$bak"
fi
# Write the base server configuration. Everything inside the heredoc goes
# verbatim into openvpn.conf (after shell expansion), so notes meant for
# readers of this script belong above this line, not inside it.
# Fixed security-relevant settings: the TLS control channel is additionally
# HMAC-protected with ta.key (tls-auth / key-direction 0), and the daemon
# drops privileges to nobody/nogroup after start-up (user / group).
# OVPN_CN is used as a path component for the key and certificate; it is
# constrained by the -u URL regex earlier in this script.
# NOTE(review): the status file is written under /tmp with a fixed name;
# confirm that path is private to the container before relying on it.
cat > "$conf" <<EOF
server $(getroute $OVPN_SERVER)
verb 3
key $EASYRSA_PKI/private/${OVPN_CN}.key
ca $EASYRSA_PKI/ca.crt
cert $EASYRSA_PKI/issued/${OVPN_CN}.crt
dh $EASYRSA_PKI/dh.pem
tls-auth $EASYRSA_PKI/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto $OVPN_PROTO
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev $OVPN_DEVICE$OVPN_DEVICEN
status /tmp/openvpn-status.log
user nobody
group nogroup
EOF
# Optional crypto overrides; an empty value leaves OpenVPN's default in place.
if [ -n "$OVPN_TLS_CIPHER" ]; then
  echo "tls-cipher $OVPN_TLS_CIPHER" >> "$conf"
fi
if [ -n "$OVPN_CIPHER" ]; then
  echo "cipher $OVPN_CIPHER" >> "$conf"
fi
if [ -n "$OVPN_AUTH" ]; then
  echo "auth $OVPN_AUTH" >> "$conf"
fi

# Optional feature flags.
if [ -n "$OVPN_CLIENT_TO_CLIENT" ]; then
  echo "client-to-client" >> "$conf"
fi
if [ -n "$OVPN_COMP_LZO" ]; then
  echo "comp-lzo" >> "$conf"
fi
if [ -n "$OVPN_FRAGMENT" ]; then
  echo "fragment $OVPN_FRAGMENT" >> "$conf"
fi

# Push DNS servers to clients unless disabled with -D. The -n values are
# written verbatim; they are not checked to be IP addresses here.
if [ "$OVPN_DNS" == "1" ]; then
  for dns_server in "${OVPN_DNS_SERVERS[@]}"; do
    echo "push dhcp-option DNS $dns_server" >> "$conf"
  done
fi
# Append Routes
# Each OVPN_ROUTES entry is expanded to "route NETWORK NETMASK".
for route in "${OVPN_ROUTES[@]}"; do
  # If user passed "0" skip this, assume no extra routes
  if [ "$route" = "0" ]; then
    break
  fi
  echo "route $(getroute "$route")" >> "$conf"
done
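# Append push commands
#######################################
# Append one 'push "..."' line per entry of OVPN_PUSH to the config file.
# Globals:   OVPN_PUSH (read), conf (read)
# Outputs:   appends to $conf
#######################################
append_push_directives() {
  local directive
  for directive in "${OVPN_PUSH[@]}"; do
    # The expansion is quoted so that runs of spaces and glob characters in
    # a -p value reach the config file unchanged instead of being
    # word-split and glob-expanded by the shell.
    echo "push \"$directive\"" >> "$conf"
  done
}

append_push_directives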
# Optional OTP authentication support
# With -2, user authentication is delegated to PAM via the auth-pam plugin.
if [ -n "$OVPN_OTP_AUTH" ]; then
  printf '\n\n# Enable OTP+PAM for user authentication\n' >> "$conf"
  echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
fi
# From here on errors are tolerated: the clean-up is best-effort.
set +e

# Clean-up duplicate configs
#######################################
# Remove a backup that is byte-identical to the file it was taken from.
# Arguments: $1 - backup path (empty when no backup was made this run)
#            $2 - the freshly written file
# Outputs:   a message and rm -v output on stdout when the backup is removed
#######################################
drop_duplicate_backup() {
  local backup=$1 current=$2
  if diff -q "$backup" "$current" 2>/dev/null; then
    echo "Removing duplicate back-up: $backup"
    rm -fv "$backup"
  fi
}

drop_duplicate_backup "$bak_env" "$OVPN_ENV"
drop_duplicate_backup "$bak" "$conf"

echo "Successfully generated config"