From e6e2221d8b1b8182afeec26c9c4cacb14a161f0e Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Fri, 13 Mar 2015 00:32:40 +0100 Subject: [PATCH 1/4] Allow to export separated client config and wrote ovpn_getclient_all. --- README.md | 4 +-- bin/ovpn_getclient | 57 ++++++++++++++++++++++++++++++++++++------ bin/ovpn_getclient_all | 22 ++++++++++++++++ docs/advanced.md | 2 +- docs/clients.md | 28 +++++++++++++++++++++ 5 files changed, 103 insertions(+), 10 deletions(-) create mode 100755 bin/ovpn_getclient_all create mode 100644 docs/clients.md diff --git a/README.md b/README.md index d212cc7..785c5c4 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ Upstream links: * Retrieve the client configuration with embedded certificates - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn + docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). @@ -105,7 +105,7 @@ packets, etc). simplicity. It's highly recommended to secure the CA key with some passphrase to protect against a filesystem compromise. A more secure system would put the EasyRSA PKI CA on an offline system (can use the same Docker - image to accomplish this). + image and the script ovpn_copy_server_files to accomplish this). * It would be impossible for an adversary to sign bad or forged certificates without first cracking the key's passphase should the adversary have root access to the filesystem. diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient index 27e70b3..ca83f8c 100755 --- a/bin/ovpn_getclient +++ b/bin/ovpn_getclient 
@@ -5,25 +5,35 @@ # if [ "$DEBUG" == "1" ]; then - set -x + set -x fi set -e +if [ -z "$OPENVPN" ]; then + OPENVPN="$PWD" +fi source "$OPENVPN/ovpn_env.sh" -cn=$1 +cn="$1" +parm="$2" if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then - echo "Unable to find ${cn}, please try again or generate the key first" + >&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2 exit 1 fi -cat < $(cat $EASYRSA_PKI/private/${cn}.key) @@ -40,9 +50,16 @@ $(cat $EASYRSA_PKI/dh.pem) $(cat $EASYRSA_PKI/ta.key) key-direction 1 - -remote $OVPN_CN $OVPN_PORT $OVPN_PROTO -EOF +" +else + echo " +key ${cn}.key +ca ca.crt +cert ${cn}.crt +dh dh.pem +tls-auth ta.key 1 +" +fi if [ "$OVPN_DEFROUTE" != "0" ];then echo "redirect-gateway def1" @@ -51,3 +68,29 @@ fi if [ -n "$OVPN_MTU" ]; then echo "tun-mtu $OVPN_MTU" fi +} + +dir="$OPENVPN/clients/$cn" +case "$parm" in + "separated") + mkdir -p "$dir" + get_client_config "$parm" > "$dir/${cn}.ovpn" + cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key" + cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt" + cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt" + cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem" + cp "$EASYRSA_PKI/ta.key" "$dir/ta.key" + ;; + "combined") + get_client_config "combined" + ;; + "combined-save") + get_client_config "combined" > "$dir/${cn}-combined.ovpn" + ;; + *) + >&2 echo "This script can produce the client configuration in to formats." + >&2 echo " 1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." + >&2 echo " 2. separated: Separated files." + >&2 echo "Please specific one of those options as second parameter." + ;; +esac diff --git a/bin/ovpn_getclient_all b/bin/ovpn_getclient_all new file mode 100755 index 0000000..d6ebb58 --- /dev/null +++ b/bin/ovpn_getclient_all 
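Review bot: `cn="$1"` is used unvalidated as a path component, both in the `$EASYRSA_PKI/private/${cn}.key` existence check in this hunk and, further down the file, in `dir="$OPENVPN/clients/$cn"`, so a name containing `/` or `..` resolves outside the intended directories while the existence check still passes as long as the resulting key path exists. Reject such names before the check, e.g. `case "$cn" in ""|*/*|*..*) echo "Invalid client name \"${cn}\"" >&2; exit 1;; esac`. The new `>&2 "Unable to find ..."` line lacks its `echo` and would try to execute the message as a command; patch 4/4 in this series corrects that. The removed `cat <<EOF` heredoc is garbled in this rendering (`-cat < $(cat ...)`), so the old side of this hunk cannot be fully reviewed here.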
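Review bot: In combined mode the material is inlined through `$(cat $EASYRSA_PKI/dh.pem)` and `$(cat $EASYRSA_PKI/ta.key)` (and the key and, presumably, the cert and CA above them) inside one `echo "..."`, so a failing `cat` only prints to stderr: the substitution's exit status is discarded, `set -e` does not fire, and the script emits a configuration with an empty section and exits 0. Only `private/${cn}.key` is checked for existence at the top of the script. Check every file the chosen mode reads before emitting anything, e.g. `for f in ca.crt "issued/${cn}.crt" dh.pem ta.key; do [ -f "$EASYRSA_PKI/$f" ] || { echo "Missing $EASYRSA_PKI/$f" >&2; exit 1; }; done`. The paths inside those substitutions are also unquoted, which breaks on an `$EASYRSA_PKI` containing whitespace.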
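Review bot: The `"combined-save"` arm redirects into `"$dir/${cn}-combined.ovpn"` without creating `$dir`; only the `"separated"` arm runs `mkdir -p "$dir"`, so `combined-save` on its own fails (and, under `set -e`, aborts) unless `separated` was run earlier for the same client, which is merely the order `ovpn_getclient_all` happens to use. Hoist `mkdir -p "$dir"` above the `case`. That file embeds the private key and is created by shell redirection, so its mode is 666 masked only by the caller's umask; put `umask 077` before the `case` so the directory, the copied `${cn}.key` and the combined file are all owner-only. The `*)` arm prints usage and then exits with status 0; end it with `exit 1` so a mistyped mode is not reported as success, and its text should read "two formats" and "Please specify". The same three points apply unchanged to the `@@ -88,16 +88,16 @@` hunk of patch 4/4.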
@@ -0,0 +1,22 @@
+#!/bin/bash
+## @licence AGPLv3
+## @author Copyright (C) 2015 Robin Schneider
+
+if [ -z "$OPENVPN" ]; then
+ export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+ echo "Could not source $OPENVPN/ovpn_env.sh."
+ exit 1
+fi
+
+pushd "$EASYRSA_PKI"
+for name in issued/*.crt; do
+ name=${name%.crt}
+ name=${name#issued/}
+ if [ "$name" != "$OVPN_CN" ]; then
+ ovpn_getclient "$name" separated
+ ovpn_getclient "$name" combined-save
+ fi
+done
+popd
diff --git a/docs/advanced.md b/docs/advanced.md
index 068343c..39bda25 100644
--- a/docs/advanced.md
+++ b/docs/advanced.md
@@ -13,7 +13,7 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki vim openvpn.conf docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
- docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+ docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
* Start the server with:
diff --git a/docs/clients.md b/docs/clients.md
new file mode 100644
index 0000000..793e40a
--- /dev/null
+++ b/docs/clients.md
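Review bot: `pushd "$EASYRSA_PKI"` is unchecked and this script never sets `set -e`, so when that directory is missing the loop runs from the current directory, `issued/*.crt` stays a literal pattern, and `ovpn_getclient "*" separated` is invoked. Use `cd "$EASYRSA_PKI" || exit 1` (or `pushd "$EASYRSA_PKI" >/dev/null || exit 1`, since `pushd`/`popd` otherwise print the directory stack to stdout) and start the loop body with `[ -e "$name" ] || continue`. The exit status of both `ovpn_getclient` calls is ignored, so a partially generated client set still ends with status 0; add `set -e` at the top or `|| exit 1` on each call, and send the `Could not source` message to stderr with `>&2`. Note that the loop walks every certificate under `issued/`, presumably including ones that have since been revoked; confirm that is intended.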
@@ -0,0 +1,28 @@ +# Advanced client management + +## Client configuration mode + +The `ovpn_getclient` can produce two different format of configuration. + +1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does). +2. separated: Separated files. + +Some client software might be picky about which configuration format it accepts. + +## Batch mode + +If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`. + +Execute the following to generate the configuration for all clients: + + docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all + +After doing so, you will find the following files in each of the `$cn` directories: + + ca.crt + dh.pem + $cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed. + $cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key + $cn.crt + $cn.key + ta.key From fd4a5dc38ebe850b1efb7d4d7280cd394b4bfd19 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Fri, 13 Mar 2015 00:43:50 +0100 Subject: [PATCH 2/4] EASYRSA_PKI might not be defined. --- bin/ovpn_getclient | 11 +++++++++-- bin/ovpn_getclient_all | 3 +++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient index ca83f8c..06a041e 100755 --- a/bin/ovpn_getclient +++ b/bin/ovpn_getclient 
@@ -11,9 +11,16 @@ fi set -e if [ -z "$OPENVPN" ]; then - OPENVPN="$PWD" + export OPENVPN="$PWD" fi -source "$OPENVPN/ovpn_env.sh" +if ! source "$OPENVPN/ovpn_env.sh"; then + echo "Could not source $OPENVPN/ovpn_env.sh." + exit 1 +fi +if [ -z "$EASYRSA_PKI" ]; then + export EASYRSA_PKI="$OPENVPN/pki" +fi + cn="$1" parm="$2" diff --git a/bin/ovpn_getclient_all b/bin/ovpn_getclient_all index d6ebb58..f94980a 100755 --- a/bin/ovpn_getclient_all +++ b/bin/ovpn_getclient_all @@ -9,6 +9,9 @@ if ! source "$OPENVPN/ovpn_env.sh"; then echo "Could not source $OPENVPN/ovpn_env.sh." exit 1 fi +if [ -z "$EASYRSA_PKI" ]; then + export EASYRSA_PKI="$OPENVPN/pki" +fi pushd "$EASYRSA_PKI" for name in issued/*.crt; do From f431d179aa240e9de6c0f40eaefaf06a1acbbd77 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Fri, 13 Mar 2015 02:00:04 +0100 Subject: [PATCH 3/4] Fixed spelling. --- docs/clients.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/clients.md b/docs/clients.md index 793e40a..81f029f 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -2,12 +2,12 @@ ## Client configuration mode -The `ovpn_getclient` can produce two different format of configuration. +The `ovpn_getclient` can produce two different versions of the configuration. 1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does). 2. separated: Separated files. -Some client software might be picky about which configuration format it accepts. +Note that some client software might be picky about which configuration format it accepts. ## Batch mode From 47cc0e3ae6b295a01f03516c3902b5ff081ec27c Mon Sep 17 00:00:00 2001 
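Review bot: `echo "Could not source $OPENVPN/ovpn_env.sh."` writes to stdout, but this script's stdout is the client configuration itself (the README redirects it to `CLIENTNAME.ovpn`), so the message ends up in the output file rather than on the terminal; write it as `echo "Could not source $OPENVPN/ovpn_env.sh." >&2`. The identical line in `ovpn_getclient_all` from patch 1/4 has the same problem. Defaulting `EASYRSA_PKI` to `$OPENVPN/pki` is fine, but the later `$(cat $EASYRSA_PKI/...)` substitutions in this file still use it unquoted.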
From: Robin Schneider Date: Sat, 14 Mar 2015 13:22:28 +0100 Subject: [PATCH 4/4] Fixed based on the review by @kylemanna. Thanks. --- README.md | 4 ++-- bin/ovpn_getclient | 34 +++++++++++++++++----------------- docs/advanced.md | 5 ++--- docs/clients.md | 8 ++++---- 4 files changed, 25 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 785c5c4..f717227 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ Upstream links: * Retrieve the client configuration with embedded certificates - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn + docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). @@ -105,7 +105,7 @@ packets, etc). simplicity. It's highly recommended to secure the CA key with some passphrase to protect against a filesystem compromise. A more secure system would put the EasyRSA PKI CA on an offline system (can use the same Docker - image and the script ovpn_copy_server_files to accomplish this). + image and the script [`ovpn_copy_server_files`](/docs/clients.md) to accomplish this). * It would be impossible for an adversary to sign bad or forged certificates without first cracking the key's passphase should the adversary have root access to the filesystem. diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient index 06a041e..d076c9d 100755 --- a/bin/ovpn_getclient +++ b/bin/ovpn_getclient @@ -25,7 +25,7 @@ cn="$1" parm="$2" if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then - >&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2 + echo "Unable to find \"${cn}\", please try again or generate the key first" >&2 exit 1 fi 
@@ -39,8 +39,8 @@ remote-cert-tls server remote $OVPN_CN $OVPN_PORT $OVPN_PROTO " -if [ "$mode" == "combined" ]; then - echo " + if [ "$mode" == "combined" ]; then + echo " $(cat $EASYRSA_PKI/private/${cn}.key) @@ -58,23 +58,23 @@ $(cat $EASYRSA_PKI/ta.key) key-direction 1 " -else - echo " + elif [ "$mode" == "separated" ]; then + echo " key ${cn}.key ca ca.crt cert ${cn}.crt dh dh.pem tls-auth ta.key 1 " -fi + fi -if [ "$OVPN_DEFROUTE" != "0" ];then - echo "redirect-gateway def1" -fi + if [ "$OVPN_DEFROUTE" != "0" ];then + echo "redirect-gateway def1" + fi -if [ -n "$OVPN_MTU" ]; then - echo "tun-mtu $OVPN_MTU" -fi + if [ -n "$OVPN_MTU" ]; then + echo "tun-mtu $OVPN_MTU" + fi } dir="$OPENVPN/clients/$cn" @@ -88,16 +88,16 @@ case "$parm" in cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem" cp "$EASYRSA_PKI/ta.key" "$dir/ta.key" ;; - "combined") + "" | "combined") get_client_config "combined" ;; "combined-save") get_client_config "combined" > "$dir/${cn}-combined.ovpn" ;; *) - >&2 echo "This script can produce the client configuration in to formats." - >&2 echo " 1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." - >&2 echo " 2. separated: Separated files." - >&2 echo "Please specific one of those options as second parameter." + echo "This script can produce the client configuration in to formats:" >&2 + echo " 1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2 + echo " 2. separated: Separated files." >&2 + echo "Please specific one of those options as second parameter." >&2 ;; esac diff --git a/docs/advanced.md b/docs/advanced.md index 39bda25..59cb9be 100644 --- a/docs/advanced.md +++ b/docs/advanced.md 
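Review bot: In the `@@ -58,23 +58,23 @@` hunk the `else` becomes `elif [ "$mode" == "separated" ]` with no trailing `else`, so an unrecognised `$mode` silently produces a configuration that neither embeds nor references any key or certificate; today `get_client_config` is only called with the literal `"combined"` or with `"$parm"` inside the `"separated"` arm, so this is unreachable, but a closing `else echo "Unknown mode \"$mode\"" >&2; return 1; fi` would pin that contract. As a point of style, this hunk and the one before it re-indent the whole function body in the same change that alters the branching, which makes the behavioural edit hard to spot in the diff; separating the whitespace-only move would help reviewers. The start of `get_client_config` lies outside these hunks.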
@@ -1,6 +1,6 @@ # Advanced Configurations -The ovpn_genconfig script is intended for simple configurations that apply to the majority of the users. If your use case isn't general, it likely won't be supported. This document aims to explain how to work around that. +The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple configurations that apply to the majority of the users. If your use case isn't general, it likely won't be supported. This document aims to explain how to work around that. ## Create host volume mounts rather than data volumes @@ -13,9 +13,8 @@ The ovpn_genconfig script is intended for simple configurations that apply to th docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki vim openvpn.conf docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass - docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn + docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn * Start the server with: docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn - diff --git a/docs/clients.md b/docs/clients.md index 81f029f..5ace6c9 100644 --- a/docs/clients.md +++ b/docs/clients.md 
@@ -2,16 +2,16 @@ ## Client configuration mode -The `ovpn_getclient` can produce two different versions of the configuration. +The [`ovpn_getclient`](/bin/ovpn_getclient) can produce two different versions of the configuration. -1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does). +1. combined (default): All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does). 2. separated: Separated files. Note that some client software might be picky about which configuration format it accepts. ## Batch mode -If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`. +If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`. Execute the following to generate the configuration for all clients: @@ -21,7 +21,7 @@ After doing so, you will find the following files in each of the `$cn` directori ca.crt dh.pem - $cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed. + $cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed. $cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key $cn.crt $cn.key