allanger/container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Activity

Merge pull request #418 from darkmattercoder/patch-extended-clientstatus

Browse Source 
extended client status for EXPIRED or other errors
This commit is contained in:
Kyle Manna 2019-01-22 22:27:09 -08:00 committed by GitHub
commit 47746e1bcb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
bin/ovpn_listclients
View File

@ -15,6 +15,8 @@ cd "$EASYRSA_PKI"
if [ -e crl.pem ]; then if [ -e crl.pem ]; then
cat ca.crt crl.pem > cacheck.pem cat ca.crt crl.pem > cacheck.pem
else
cat ca.crt > cacheck.pem
fi fi
echo "name,begin,end,status" echo "name,begin,end,status"
@ -26,20 +28,27 @@ for name in issued/*.crt; do
name=${name%.crt} name=${name%.crt}
name=${name#issued/} name=${name#issued/}
if [ "$name" != "$OVPN_CN" ]; then if [ "$name" != "$OVPN_CN" ]; then
if [ -e crl.pem ]; then # check for revocation or expiration
if openssl verify -crl_check -CAfile cacheck.pem $path &> /dev/null; then command="openssl verify -crl_check -CAfile cacheck.pem $path"
status="VALID" result=$($command)
if [ $(echo "$result" | wc -l) == 1 ] && [ "$(echo "$result" | grep ": OK")" ]; then
status="VALID"
else else
status="REVOKED" result=$(echo "$result" | tail -n 1 | grep error | cut -d" " -f2)
case $result in
10)
status="EXPIRED"
;;
23)
status="REVOKED"
;;
*)
status="INVALID"
esac
fi fi
else
status="VALID"
fi
echo "$name,$begin,$end,$status" echo "$name,$begin,$end,$status"
fi fi
done done
if [ -e crl.pem ]; then # Clean
rm cacheck.pem rm cacheck.pem
fi

4
docs/clients.md
View File

@ -11,10 +11,12 @@ Note that some client software might be picky about which configuration format i
## Client List ## Client List
See an overview of the configured clients, including revocation status: See an overview of the configured clients, including revocation and expiration status:
docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients
The output is generated using `openssl verify`. Error codes from the verification process different from `X509_V_ERR_CERT_HAS_EXPIRED` or `X509_V_ERR_CERT_REVOKED` will show the status `INVALID`.
## Batch Mode ## Batch Mode
If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`. If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.