Merge remote-tracking branch 'ypid/getclient' into dev
This commit is contained in:
commit
bf34f341fc
@ -105,7 +105,7 @@ packets, etc).
|
|||||||
simplicity. It's highly recommended to secure the CA key with some
|
simplicity. It's highly recommended to secure the CA key with some
|
||||||
passphrase to protect against a filesystem compromise. A more secure system
|
passphrase to protect against a filesystem compromise. A more secure system
|
||||||
would put the EasyRSA PKI CA on an offline system (can use the same Docker
|
would put the EasyRSA PKI CA on an offline system (can use the same Docker
|
||||||
image and the script ovpn_copy_server_files to accomplish this).
|
image and the script [`ovpn_copy_server_files`](/docs/clients.md) to accomplish this).
|
||||||
* It would be impossible for an adversary to sign bad or forged certificates
|
* It would be impossible for an adversary to sign bad or forged certificates
|
||||||
without first cracking the key's passphase should the adversary have root
|
without first cracking the key's passphase should the adversary have root
|
||||||
access to the filesystem.
|
access to the filesystem.
|
||||||
|
@ -5,25 +5,42 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
if [ "$DEBUG" == "1" ]; then
|
if [ "$DEBUG" == "1" ]; then
|
||||||
set -x
|
set -x
|
||||||
fi
|
fi
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
source "$OPENVPN/ovpn_env.sh"
|
if [ -z "$OPENVPN" ]; then
|
||||||
cn=$1
|
export OPENVPN="$PWD"
|
||||||
|
fi
|
||||||
|
if ! source "$OPENVPN/ovpn_env.sh"; then
|
||||||
|
echo "Could not source $OPENVPN/ovpn_env.sh."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ -z "$EASYRSA_PKI" ]; then
|
||||||
|
export EASYRSA_PKI="$OPENVPN/pki"
|
||||||
|
fi
|
||||||
|
|
||||||
|
cn="$1"
|
||||||
|
parm="$2"
|
||||||
|
|
||||||
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
|
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
|
||||||
echo "Unable to find ${cn}, please try again or generate the key first"
|
echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
cat <<EOF
|
get_client_config() {
|
||||||
|
mode="$1"
|
||||||
|
echo "
|
||||||
client
|
client
|
||||||
nobind
|
nobind
|
||||||
dev tun
|
dev tun
|
||||||
remote-cert-tls server
|
remote-cert-tls server
|
||||||
|
|
||||||
|
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
|
||||||
|
"
|
||||||
|
if [ "$mode" == "combined" ]; then
|
||||||
|
echo "
|
||||||
<key>
|
<key>
|
||||||
$(cat $EASYRSA_PKI/private/${cn}.key)
|
$(cat $EASYRSA_PKI/private/${cn}.key)
|
||||||
</key>
|
</key>
|
||||||
@ -40,14 +57,47 @@ $(cat $EASYRSA_PKI/dh.pem)
|
|||||||
$(cat $EASYRSA_PKI/ta.key)
|
$(cat $EASYRSA_PKI/ta.key)
|
||||||
</tls-auth>
|
</tls-auth>
|
||||||
key-direction 1
|
key-direction 1
|
||||||
|
"
|
||||||
|
elif [ "$mode" == "separated" ]; then
|
||||||
|
echo "
|
||||||
|
key ${cn}.key
|
||||||
|
ca ca.crt
|
||||||
|
cert ${cn}.crt
|
||||||
|
dh dh.pem
|
||||||
|
tls-auth ta.key 1
|
||||||
|
"
|
||||||
|
fi
|
||||||
|
|
||||||
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
|
if [ "$OVPN_DEFROUTE" != "0" ];then
|
||||||
EOF
|
echo "redirect-gateway def1"
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "$OVPN_DEFROUTE" != "0" ];then
|
if [ -n "$OVPN_MTU" ]; then
|
||||||
echo "redirect-gateway def1"
|
echo "tun-mtu $OVPN_MTU"
|
||||||
fi
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
if [ -n "$OVPN_MTU" ]; then
|
dir="$OPENVPN/clients/$cn"
|
||||||
echo "tun-mtu $OVPN_MTU"
|
case "$parm" in
|
||||||
fi
|
"separated")
|
||||||
|
mkdir -p "$dir"
|
||||||
|
get_client_config "$parm" > "$dir/${cn}.ovpn"
|
||||||
|
cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
|
||||||
|
cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
|
||||||
|
cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
|
||||||
|
cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
|
||||||
|
cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
|
||||||
|
;;
|
||||||
|
"" | "combined")
|
||||||
|
get_client_config "combined"
|
||||||
|
;;
|
||||||
|
"combined-save")
|
||||||
|
get_client_config "combined" > "$dir/${cn}-combined.ovpn"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "This script can produce the client configuration in to formats:" >&2
|
||||||
|
echo " 1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2
|
||||||
|
echo " 2. separated: Separated files." >&2
|
||||||
|
echo "Please specific one of those options as second parameter." >&2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
25
bin/ovpn_getclient_all
Executable file
25
bin/ovpn_getclient_all
Executable file
@ -0,0 +1,25 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
|
||||||
|
## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
|
||||||
|
|
||||||
|
if [ -z "$OPENVPN" ]; then
|
||||||
|
export OPENVPN="$PWD"
|
||||||
|
fi
|
||||||
|
if ! source "$OPENVPN/ovpn_env.sh"; then
|
||||||
|
echo "Could not source $OPENVPN/ovpn_env.sh."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if [ -z "$EASYRSA_PKI" ]; then
|
||||||
|
export EASYRSA_PKI="$OPENVPN/pki"
|
||||||
|
fi
|
||||||
|
|
||||||
|
pushd "$EASYRSA_PKI"
|
||||||
|
for name in issued/*.crt; do
|
||||||
|
name=${name%.crt}
|
||||||
|
name=${name#issued/}
|
||||||
|
if [ "$name" != "$OVPN_CN" ]; then
|
||||||
|
ovpn_getclient "$name" separated
|
||||||
|
ovpn_getclient "$name" combined-save
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
popd
|
@ -1,6 +1,6 @@
|
|||||||
# Advanced Configurations
|
# Advanced Configurations
|
||||||
|
|
||||||
The ovpn_genconfig script is intended for simple configurations that apply to the majority of the users. If your use case isn't general, it likely won't be supported. This document aims to explain how to work around that.
|
The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple configurations that apply to the majority of the users. If your use case isn't general, it likely won't be supported. This document aims to explain how to work around that.
|
||||||
|
|
||||||
## Create host volume mounts rather than data volumes
|
## Create host volume mounts rather than data volumes
|
||||||
|
|
||||||
@ -18,4 +18,3 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
|
|||||||
* Start the server with:
|
* Start the server with:
|
||||||
|
|
||||||
docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn
|
docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn
|
||||||
|
|
||||||
|
28
docs/clients.md
Normal file
28
docs/clients.md
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
# Advanced client management
|
||||||
|
|
||||||
|
## Client configuration mode
|
||||||
|
|
||||||
|
The [`ovpn_getclient`](/bin/ovpn_getclient) can produce two different versions of the configuration.
|
||||||
|
|
||||||
|
1. combined (default): All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
|
||||||
|
2. separated: Separated files.
|
||||||
|
|
||||||
|
Note that some client software might be picky about which configuration format it accepts.
|
||||||
|
|
||||||
|
## Batch mode
|
||||||
|
|
||||||
|
If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
|
||||||
|
|
||||||
|
Execute the following to generate the configuration for all clients:
|
||||||
|
|
||||||
|
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all
|
||||||
|
|
||||||
|
After doing so, you will find the following files in each of the `$cn` directories:
|
||||||
|
|
||||||
|
ca.crt
|
||||||
|
dh.pem
|
||||||
|
$cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed.
|
||||||
|
$cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
|
||||||
|
$cn.crt
|
||||||
|
$cn.key
|
||||||
|
ta.key
|
Loading…
Reference in New Issue
Block a user