From 16fbc4019d7e13ad2ab986623eafd5dde51367dc Mon Sep 17 00:00:00 2001
From: Nicolas Duchon
Date: Wed, 21 Jun 2017 01:29:29 +0200
Subject: [PATCH] Fix ovpn_genconfig for repeatability
---
 bin/ovpn_genconfig | 156 ++++++++++++++++++++++++---------------------
 1 file changed, 84 insertions(+), 72 deletions(-)
diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index 8cae0f1..b965f12 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -7,7 +7,6 @@
 TMP_PUSH_CONFIGFILE=$(mktemp -t vpn_push.XXXXXXX)
 TMP_ROUTE_CONFIGFILE=$(mktemp -t vpn_route.XXXXXXX)
 TMP_EXTRA_CONFIGFILE=$(mktemp -t vpn_extra.XXXXXXX)
-TMP_EXTRA_CLIENT_CONFIGFILE=$(mktemp -t vpn_extra_client.XXXXXXX)
 #Traceback on Error and Exit come from https://docwhat.org/tracebacks-in-bash/
 set -eu
@@ -46,7 +45,6 @@ on_exit() {
 rm -f $TMP_PUSH_CONFIGFILE
 rm -f $TMP_ROUTE_CONFIGFILE
 rm -f $TMP_EXTRA_CONFIGFILE
- rm -f $TMP_EXTRA_CLIENT_CONFIGFILE
 local _ec="$?"
 if [[ $_ec != 0 && "${_showed_traceback}" != t ]]; then
 traceback 1
@@ -129,14 +127,6 @@ process_extra_config() {
 ovpn_extra_config="$1"
 echo "Processing Extra Config: '${ovpn_extra_config}'"
 [[ -n "$ovpn_extra_config" ]] && echo "$ovpn_extra_config" >> "$TMP_EXTRA_CONFIGFILE"
-
-}
-
-process_extra_client_config() {
- local ovpn_extra_config=''
- ovpn_extra_config="$1"
- echo "Processing Extra Client Config: '${ovpn_extra_config}'"
- [[ -n "$ovpn_extra_config" ]] && echo "$ovpn_extra_config" >> "$TMP_EXTRA_CLIENT_CONFIGFILE"
 }
 if [ "${DEBUG:-}" == "1" ]; then
@@ -152,25 +142,33 @@ if [ -z "${EASYRSA_PKI:-}" ]; then
 export EASYRSA_PKI="$OPENVPN/pki"
 fi
-OVPN_ENV=${OPENVPN}/ovpn_env.sh
-OVPN_SERVER=192.168.255.0/24
+OVPN_AUTH=''
+OVPN_CIPHER=''
+OVPN_CLIENT_TO_CLIENT=''
+OVPN_CN=''
+OVPN_COMP_LZO=0
 OVPN_DEFROUTE=1
-OVPN_NAT=0
-OVPN_DNS=1
 OVPN_DEVICE="tun"
 OVPN_DEVICEN=0
-OVPN_KEEPALIVE="10 60"
-OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")
-TMP_DNS_SERVERS=()
-OVPN_TLS_CIPHER=''
-OVPN_CIPHER=''
-OVPN_AUTH=''
-OVPN_EXTRA_CONFIG=''
-CUSTOM_ROUTE_CONFIG=''
-OVPN_COMP_LZO=0
 OVPN_DISABLE_PUSH_BLOCK_DNS=0
+OVPN_DNS=1
+OVPN_DNS_SERVERS=()
+OVPN_ENV=${OPENVPN}/ovpn_env.sh
+OVPN_EXTRA_CLIENT_CONFIG=()
+OVPN_EXTRA_SERVER_CONFIG=()
+OVPN_FRAGMENT=''
+OVPN_KEEPALIVE="10 60"
+OVPN_MTU=''
+OVPN_NAT=0
+OVPN_PORT=''
+OVPN_PROTO=''
+OVPN_PUSH=()
+OVPN_ROUTES=()
+OVPN_SERVER=192.168.255.0/24
+OVPN_SERVER_URL=''
+OVPN_TLS_CIPHER=''
-# Import defaults if present
+# Import existing configuration if present
 [ -r "$OVPN_ENV" ] && source "$OVPN_ENV"
 # Parse arguments
@@ -180,10 +178,16 @@ while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2" opt; do
 OVPN_AUTH="$OPTARG"
 ;;
 e)
- process_extra_config "$OPTARG"
+ mapfile -t TMP_EXTRA_SERVER_CONFIG < <(echo "$OPTARG")
+ for i in "${TMP_EXTRA_SERVER_CONFIG[@]}"; do
+ OVPN_EXTRA_SERVER_CONFIG+=("$i")
+ done
 ;;
 E)
- process_extra_client_config "$OPTARG"
+ mapfile -t TMP_EXTRA_CLIENT_CONFIG < <(echo "$OPTARG")
+ for i in "${TMP_EXTRA_CLIENT_CONFIG[@]}"; do
+ OVPN_EXTRA_CLIENT_CONFIG+=("$i")
+ done
 ;;
 C)
 OVPN_CIPHER="$OPTARG"
@@ -192,18 +196,20 @@ while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2" opt; do
 OVPN_TLS_CIPHER="$OPTARG"
 ;;
 r)
- CUSTOM_ROUTE_CONFIG=1
- process_route_config "$OPTARG"
+ mapfile -t TMP_ROUTES < <(echo "$OPTARG")
+ for i in "${TMP_ROUTES[@]}"; do
+ OVPN_ROUTES+=("$i")
+ done
 ;;
 s)
- OVPN_SERVER=$OPTARG
+ OVPN_SERVER="$OPTARG"
 ;;
 d)
 OVPN_DEFROUTE=0
 OVPN_DISABLE_PUSH_BLOCK_DNS=1
 ;;
 u)
- OVPN_SERVER_URL=$OPTARG
+ OVPN_SERVER_URL="$OPTARG"
 ;;
 b)
 OVPN_DISABLE_PUSH_BLOCK_DNS=1
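Review bot: In the `e)` and `E)` arms, `echo "$OPTARG"` is an unsafe way to feed mapfile: a value beginning with `-n`, `-e` or `-E` is consumed as an echo option, and with `xpg_echo` enabled backslash sequences inside the value are rewritten, so the line should read `mapfile -t TMP_EXTRA_SERVER_CONFIG < <(printf '%s\n' "$OPTARG")`; the `r)` arm in the next hunk and the `p)` and `n)` arms in the hunk after it have the same shape. The temporary array and copy loop can be dropped by appending through mapfile's origin option, e.g. `mapfile -t -O "${#OVPN_EXTRA_SERVER_CONFIG[@]}" OVPN_EXTRA_SERVER_CONFIG < <(printf '%s\n' "$OPTARG")`. Blank lines inside a multi-line argument become empty array elements that the later process_* calls receive, which matters under `set -e`. The enclosing getopts loop starts and ends outside the hunk.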
@@ -212,10 +218,16 @@ while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2" opt; do
 OVPN_CLIENT_TO_CLIENT=1
 ;;
 p)
- process_push_config "$OPTARG"
+ mapfile -t TMP_PUSH < <(echo "$OPTARG")
+ for i in "${TMP_PUSH[@]}"; do
+ OVPN_PUSH+=("$i")
+ done
 ;;
 n)
- TMP_DNS_SERVERS+=("$OPTARG")
+ mapfile -t TMP_DNS_SERVERS < <(echo "$OPTARG")
+ for i in "${TMP_DNS_SERVERS[@]}"; do
+ OVPN_DNS_SERVERS+=("$i")
+ done
 ;;
 D)
 OVPN_DNS=0
@@ -227,7 +239,7 @@ while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2" opt; do
 OVPN_KEEPALIVE="$OPTARG"
 ;;
 m)
- OVPN_MTU=$OPTARG
+ OVPN_MTU="$OPTARG"
 ;;
 t)
 OVPN_DEVICE="tap"
@@ -239,7 +251,7 @@ while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2" opt; do
 OVPN_OTP_AUTH=1
 ;;
 f)
- OVPN_FRAGMENT=$OPTARG
+ OVPN_FRAGMENT="$OPTARG"
 ;;
 \?)
 set +x
@@ -259,9 +271,6 @@ done
 # Create ccd directory for static routes
 [ ! -d "${OPENVPN:-}/ccd" ] && mkdir -p ${OPENVPN:-}/ccd
-# if dns servers were not defined with -n, use google nameservers
-[ ${#TMP_DNS_SERVERS[@]} -gt 0 ] && OVPN_DNS_SERVERS=("${TMP_DNS_SERVERS[@]}")
-
 # Server name is in the form "udp://vpn.example.com:1194"
 if [[ "${OVPN_SERVER_URL:-}" =~ ^((udp|tcp|udp6|tcp6)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then
 OVPN_PROTO=${BASH_REMATCH[2]};
@@ -274,25 +283,13 @@ else
 exit 1
 fi
-# Apply defaults
+# Apply defaults. If dns servers were not defined with -n, use google nameservers
+set +u
+[ -z "$OVPN_DNS_SERVERS" ] && OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")
 [ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp
 [ -z "$OVPN_PORT" ] && OVPN_PORT=1194
-[ -z "$CUSTOM_ROUTE_CONFIG" ] && [ "$OVPN_DEFROUTE" == "1" ] && process_route_config "192.168.254.0/24"
-
-# Save extra client config from temp file only if temp file is not empty
-if [ -s "$TMP_EXTRA_CLIENT_CONFIGFILE" ]; then
- OVPN_ADDITIONAL_CLIENT_CONFIG=$(cat $TMP_EXTRA_CLIENT_CONFIGFILE)
-fi
-
-export OVPN_SERVER OVPN_ROUTES OVPN_DEFROUTE
-export OVPN_SERVER_URL OVPN_ENV OVPN_PROTO OVPN_CN OVPN_PORT
-export OVPN_CLIENT_TO_CLIENT OVPN_PUSH OVPN_NAT OVPN_DNS OVPN_MTU OVPN_DEVICE
-export OVPN_TLS_CIPHER OVPN_CIPHER OVPN_AUTH
-export OVPN_COMP_LZO
-export OVPN_DISABLE_PUSH_BLOCK_DNS
-export OVPN_OTP_AUTH
-export OVPN_FRAGMENT
-export OVPN_ADDITIONAL_CLIENT_CONFIG
+set -u
+[ "${#OVPN_ROUTES[@]}" == "0" ] && [ "$OVPN_DEFROUTE" == "1" ] && OVPN_ROUTES+=("192.168.254.0/24")
 # Preserve config
 if [ -f "$OVPN_ENV" ]; then
@@ -301,17 +298,10 @@ if [ -f "$OVPN_ENV" ]; then
 mv "$OVPN_ENV" "$bak_env"
 fi
-# Like `export | grep OVPN_ > "$OVPN_ENV"` but handles multiline variables
-set +u
-while read var ; do
- eval value=\$$var
- if [ -n "$value" ]; then
- echo "declare -x $var=\"$value\"" >> "$OVPN_ENV"
- else
- echo "declare -x $var" >> "$OVPN_ENV"
- fi
-done < <(export | egrep -o '(OVPN_[^=]+)')
-set -u
+# Save the current OVPN_ vars to the ovpn_env.sh file
+while read -r var; do
+ echo "declare -x $var" >> "$OVPN_ENV"
+done < <(set | grep '^OVPN_')
 conf=${OPENVPN:-}/openvpn.conf
 if [ -f "$conf" ]; then
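Review bot: `[ -z "$OVPN_DNS_SERVERS" ]` only inspects element 0 of the array, which is why the hunk has to wrap it in `set +u`/`set -u`; testing the length the way the OVPN_ROUTES line below already does, `[ "${#OVPN_DNS_SERVERS[@]}" -eq 0 ] && OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4")`, needs no toggling, and OVPN_PROTO and OVPN_PORT are initialised to empty strings earlier in the patch so the `-u` exemption is not needed for them either. The hunk also drops `export OVPN_ADDITIONAL_CLIENT_CONFIG` in favour of the OVPN_EXTRA_CLIENT_CONFIG array, and the diffstat shows only this file changed, so any sibling script that reads the old name from ovpn_env.sh is presumably left behind — worth confirming. A one-line comment above the block stating that defaults are applied only after both ovpn_env.sh and the command line have been read would make the precedence explicit.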
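Review bot: The `set | grep '^OVPN_'` loop depends on `set` printing each variable on one line in re-parsable, shell-quoted form, which is what keeps values containing `$`, quotes or newlines from being re-expanded when ovpn_env.sh is sourced; that property is the reason this replaces the old eval/echo loop and deserves a comment, e.g. `# 'set' prints values already quoted for re-input, so sourcing ovpn_env.sh re-expands nothing`. Two caveats to record next to it: `set` also lists shell functions, so `grep '^OVPN_[A-Za-z0-9_]*='` would restrict the output to assignments, and a `declare -x` on an array line such as `OVPN_PUSH=([0]="...")` restores the array for a script that sources the file but bash does not export arrays to child processes, so anything that reads these values from the environment rather than by sourcing will not see them.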
@@ -320,6 +310,13 @@ if [ -f "$conf" ]; then
 mv "$conf" "$bak"
 fi
+# Echo extra client configurations
+if [ ${#OVPN_EXTRA_CLIENT_CONFIG[@]} -gt 0 ]; then
+ for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do
+ echo "Processing Extra Client Config: $i"
+ done
+fi
+
 cat > "$conf" <> "$conf"
+# Append route commands
+if [ ${#OVPN_ROUTES[@]} -gt 0 ]; then
+ for i in "${OVPN_ROUTES[@]}"; do
+ process_route_config "$i"
+ done
+ echo -e "\n### Route Configurations Below" >> "$conf"
+ cat $TMP_ROUTE_CONFIGFILE >> "$conf"
+fi
+
+# Append push commands
 [ "$OVPN_DNS" == "1" ] && for i in "${OVPN_DNS_SERVERS[@]}"; do
 process_push_config "dhcp-option DNS $i"
 done
-# Append route commands
-echo -e "\n### Route Configurations Below" >> "$conf"
-cat $TMP_ROUTE_CONFIGFILE >> "$conf"
+[ ${#OVPN_PUSH[@]} -gt 0 ] && for i in "${OVPN_PUSH[@]}"; do
+ process_push_config "$i"
+done
-# Append push commands
 echo -e "\n### Push Configurations Below" >> "$conf"
 cat $TMP_PUSH_CONFIGFILE >> "$conf"
-# Optional OTP authentication support
+# Append optional OTP authentication support
 if [ -n "${OVPN_OTP_AUTH:-}" ]; then
 echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf"
 echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf"
 echo "reneg-sec 0" >> "$conf"
 fi
-echo -e "\n### Extra Configurations Below" >> "$conf"
-cat $TMP_EXTRA_CONFIGFILE >> "$conf"
+# Append extra server configurations
+if [ ${#OVPN_EXTRA_SERVER_CONFIG[@]} -gt 0 ]; then
+ for i in "${OVPN_EXTRA_SERVER_CONFIG[@]}"; do
+ process_extra_config "$i"
+ done
+ echo -e "\n### Extra Configurations Below" >> "$conf"
+ cat $TMP_EXTRA_CONFIGFILE >> "$conf"
+fi
 set +e
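Review bot: In the `process_extra_config "$i"` loop of the last hunk, an empty element aborts the whole run: process_extra_config's final statement (visible in the first hunk) is `[[ -n "$ovpn_extra_config" ]] && echo ...`, so for an empty argument the function returns 1 and, because the script is still under `set -eu` here (the `set +e` only follows), bash exits with openvpn.conf partly written; since -e now accepts multi-line values, a single blank line in that argument is enough. Guard the body with `[[ -n "$i" ]] || continue` before the call, and the OVPN_ROUTES and OVPN_PUSH loops in the same hunk warrant the same check if process_route_config and process_push_config (not shown) end the same way. The `@@` header of this last block is not legible in this copy of the patch, so its exact boundaries are not confirmed here.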