container-openvpn/bin/ovpn_getclient

#!/bin/bash

#
# Get an OpenVPN client configuration file
#

if [ "$DEBUG" == "1" ]; then
    set -x
fi

set -e

if [ -z "$OPENVPN" ]; then
    OPENVPN="$PWD"
fi
source "$OPENVPN/ovpn_env.sh"
cn="$1"
parm="$2"

if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
    >&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2
    exit 1
fi

get_client_config() {
    mode="$1"
    echo "
client
nobind
dev tun
remote-cert-tls server

remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
"
if [ "$mode" == "combined" ]; then
    echo "
<key>
$(cat $EASYRSA_PKI/private/${cn}.key)
</key>
<cert>
$(cat $EASYRSA_PKI/issued/${cn}.crt)
</cert>
<ca>
$(cat $EASYRSA_PKI/ca.crt)
</ca>
<dh>
$(cat $EASYRSA_PKI/dh.pem)
</dh>
<tls-auth>
$(cat $EASYRSA_PKI/ta.key)
</tls-auth>
key-direction 1
"
else
    echo "
key ${cn}.key
ca ca.crt
cert ${cn}.crt
dh dh.pem
tls-auth ta.key 1
"
fi

if [ "$OVPN_DEFROUTE" != "0" ];then
    echo "redirect-gateway def1"
fi

if [ -n "$OVPN_MTU" ]; then
    echo "tun-mtu $OVPN_MTU"
fi
}

dir="$OPENVPN/clients/$cn"
case "$parm" in
    "separated")
        mkdir -p "$dir"
        get_client_config "$parm" > "$dir/${cn}.ovpn"
        cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
        cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
        cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
        cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
        cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
        ;;
    "combined")
        get_client_config "combined"
        ;;
    "combined-save")
        get_client_config "combined" > "$dir/${cn}-combined.ovpn"
        ;;
    *)
        >&2 echo "This script can produce the client configuration in to formats."
        >&2 echo "    1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)."
        >&2 echo "    2. separated: Separated files."
        >&2 echo "Please specific one of those options as second parameter."
        ;;
esac
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00			`#!/bin/bash`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
			`#`
			`# Get an OpenVPN client configuration file`
			`#`

Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1 2015-02-28 10:45:31 +00:00			`if [ "$DEBUG" == "1" ]; then`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`set -x`
Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1 2015-02-28 10:45:31 +00:00			`fi`

			`set -e`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`if [ -z "$OPENVPN" ]; then`
			`OPENVPN="$PWD"`
			`fi`
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url) 2014-07-06 01:51:58 +00:00			`source "$OPENVPN/ovpn_env.sh"`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`cn="$1"`
			`parm="$2"`
ovpn: Convert from servername -> server_url * Previously the server name cached the common name generated during init and assumed always 1194/udp. * The new configuration allows for users to pass in a url in a new form that allows the protocol to be specified as well as the port. * Example: udp://vpn.example.com:1194 * Try to be backwards compatible. 2014-07-01 05:43:00 +00:00
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url) 2014-07-06 01:51:58 +00:00			`if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`>&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2`
getclient: Do not autogenerate key * Do not autogenerate a key if it does not exist. Instead fail. * Requires users to explicitly generate keys and prevents generating erroneous keys in the event of a typo. 2014-07-10 16:53:24 +00:00			`exit 1`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`fi`

Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`get_client_config() {`
			`mode="$1"`
			`echo "`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`client`
			`nobind`
			`dev tun`
ovpn_getclient: Verify server certificate * Verify the server's certificate to avoid MITM attacks 2014-06-04 22:38:49 +00:00			`remote-cert-tls server`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`remote $OVPN_CN $OVPN_PORT $OVPN_PROTO`
			`"`
			`if [ "$mode" == "combined" ]; then`
			`echo "`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`<key>`
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url) 2014-07-06 01:51:58 +00:00			`$(cat $EASYRSA_PKI/private/${cn}.key)`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`</key>`
			`<cert>`
env: Re-work environment code * Instead of storing just a server_url which was necessary to regenerate the OpenVPN configs, instead store an env file. * Move all the env parsing to `ovpn_genconfig` so that it can be re-run from genconfig instead of from `ovpn_init`. * Remove all the parsing and env defaults except for genconfig. NOTE: This breaks the older config method, uesrs will need to re-run genconfig with an arg[1] as the previous server_url, this will create the necessary env file the rest of the tools expect. Example recovery for legacy users: host$ docker run --rm -it kylemanna/openvpn bash -l container# ovpn_genconfig $(cat /etc/openvpn/server_url) 2014-07-06 01:51:58 +00:00			`$(cat $EASYRSA_PKI/issued/${cn}.crt)`
openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding 2014-06-04 18:13:59 +00:00			`</cert>`
			`<ca>`
			`$(cat $EASYRSA_PKI/ca.crt)`
			`</ca>`
			`<dh>`
			`$(cat $EASYRSA_PKI/dh.pem)`
			`</dh>`
tls-auth: Enable tls-auth for security * Enabling tls-auth improves security and helps protect against DDoS. 2014-06-04 22:34:42 +00:00			`<tls-auth>`
			`$(cat $EASYRSA_PKI/ta.key)`
			`</tls-auth>`
			`key-direction 1`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`"`
			`else`
			`echo "`
			`key ${cn}.key`
			`ca ca.crt`
			`cert ${cn}.crt`
			`dh dh.pem`
			`tls-auth ta.key 1`
			`"`
			`fi`
getclient: Fix sourced env variables * Update to use the sourced environemental variables. * Add switch for not using default gateway. 2014-07-06 07:25:14 +00:00
			`if [ "$OVPN_DEFROUTE" != "0" ];then`
			`echo "redirect-gateway def1"`
			`fi`
Support client mtu push 2015-01-17 09:07:52 +00:00
Return correct exit status 2015-02-20 19:46:50 +00:00			`if [ -n "$OVPN_MTU" ]; then`
			`echo "tun-mtu $OVPN_MTU"`
			`fi`
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-12 23:32:40 +00:00			`}`

			`dir="$OPENVPN/clients/$cn"`
			`case "$parm" in`
			`"separated")`
			`mkdir -p "$dir"`
			`get_client_config "$parm" > "$dir/${cn}.ovpn"`
			`cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"`
			`cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"`
			`cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"`
			`cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"`
			`cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"`
			`;;`
			`"combined")`
			`get_client_config "combined"`
			`;;`
			`"combined-save")`
			`get_client_config "combined" > "$dir/${cn}-combined.ovpn"`
			`;;`
			`*)`
			`>&2 echo "This script can produce the client configuration in to formats."`
			`>&2 echo " 1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)."`
			`>&2 echo " 2. separated: Separated files."`
			`>&2 echo "Please specific one of those options as second parameter."`
			`;;`
			`esac`