From e6e2221d8b1b8182afeec26c9c4cacb14a161f0e Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Fri, 13 Mar 2015 00:32:40 +0100
Subject: [PATCH] Allow to export separated client config and wrote ovpn_getclient_all.
---
 README.md | 4 +--
 bin/ovpn_getclient | 57 ++++++++++++++++++++++++++++++++++++------
 bin/ovpn_getclient_all | 22 ++++++++++++++++
 docs/advanced.md | 2 +-
 docs/clients.md | 28 +++++++++++++++++++++
 5 files changed, 103 insertions(+), 10 deletions(-)
 create mode 100755 bin/ovpn_getclient_all
 create mode 100644 docs/clients.md
diff --git a/README.md b/README.md
index d212cc7..785c5c4 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ Upstream links:
 * Retrieve the client configuration with embedded certificates
- docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+ docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
@@ -105,7 +105,7 @@ packets, etc).
 simplicity. It's highly recommended to secure the CA key with some passphrase to protect against a filesystem compromise. A more secure system would put the EasyRSA PKI CA on an offline system (can use the same Docker
- image to accomplish this).
+ image and the script ovpn_copy_server_files to accomplish this).
 * It would be impossible for an adversary to sign bad or forged certificates without first cracking the key's passphase should the adversary have root access to the filesystem.
diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient
index 27e70b3..ca83f8c 100755
--- a/bin/ovpn_getclient
+++ b/bin/ovpn_getclient
@@ -5,25 +5,35 @@ #
 if [ "$DEBUG" == "1" ]; then
- set -x
+ set -x
 fi
 set -e
+if [ -z "$OPENVPN" ]; then
+ OPENVPN="$PWD"
+fi
 source "$OPENVPN/ovpn_env.sh"
-cn=$1
+cn="$1"
+parm="$2"
 if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
- echo "Unable to find ${cn}, please try again or generate the key first"
+ >&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2
 exit 1
 fi
-cat < $(cat $EASYRSA_PKI/private/${cn}.key)
@@ -40,9 +50,16 @@ $(cat $EASYRSA_PKI/dh.pem)
 $(cat $EASYRSA_PKI/ta.key)
 key-direction 1
-
-remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
-EOF
+"
+else
+ echo "
+key ${cn}.key
+ca ca.crt
+cert ${cn}.crt
+dh dh.pem
+tls-auth ta.key 1
+"
+fi
 if [ "$OVPN_DEFROUTE" != "0" ];then
 echo "redirect-gateway def1"
@@ -51,3 +68,29 @@ fi
 if [ -n "$OVPN_MTU" ]; then
 echo "tun-mtu $OVPN_MTU"
 fi
+}
+
+dir="$OPENVPN/clients/$cn"
+case "$parm" in
+ "separated")
+ mkdir -p "$dir"
+ get_client_config "$parm" > "$dir/${cn}.ovpn"
+ cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
+ cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
+ cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
+ cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
+ cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
+ ;;
+ "combined")
+ get_client_config "combined"
+ ;;
+ "combined-save")
+ get_client_config "combined" > "$dir/${cn}-combined.ovpn"
+ ;;
+ *)
+ >&2 echo "This script can produce the client configuration in to formats."
+ >&2 echo " 1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)."
+ >&2 echo " 2. separated: Separated files."
+ >&2 echo "Please specific one of those options as second parameter."
+ ;;
+esac
diff --git a/bin/ovpn_getclient_all b/bin/ovpn_getclient_all
new file mode 100755
index 0000000..d6ebb58
--- /dev/null
+++ b/bin/ovpn_getclient_all
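Review bot: The replacement error line `>&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2` has no `echo`, so bash tries to run the message text as a command and the user gets a "command not found" error instead of the intended message (unless a word was lost in this rendering of the hunk). Write it as `echo "Unable to find \"${cn}\", please try again or generate the key first" >&2` and drop the duplicate `1>&2`. The new `OPENVPN="$PWD"` fallback is also not exported here, while the companion ovpn_getclient_all does export it; if the sourced ovpn_env.sh or any child process reads OPENVPN, the two scripts will behave differently, which I cannot confirm from the patch. The tail of this hunk, where the function later closed in the third hunk appears to begin, is garbled in this rendering and could not be reviewed.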
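Review bot: The `combined-save` branch redirects into `$dir/${cn}-combined.ovpn` without creating `$dir`, so under the script's `set -e` it only works after `separated` has already run for the same client (as ovpn_getclient_all happens to do) and fails when used standalone; add `mkdir -p "$dir"` before the redirection. Both `>` redirections create ${cn}.ovpn and ${cn}-combined.ovpn with the caller's default umask, typically 0644, although the combined profile embeds the client's private key and ta.key; set `umask 077` before the `case` so everything under `clients/$cn` is owner-readable only. The `*)` branch prints usage to stderr but never fails, so a missing or misspelled second argument — including the pre-change invocation `ovpn_getclient CLIENTNAME` still used by older docs — now exits 0 with empty stdout; add `exit 1` after the last `>&2 echo`. The usage text also has typos: `in to formats` should read `in two formats` and `Please specific` should read `Please specify`.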
@@ -0,0 +1,22 @@
+#!/bin/bash
+## @licence AGPLv3
+## @author Copyright (C) 2015 Robin Schneider
+
+if [ -z "$OPENVPN" ]; then
+ export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+ echo "Could not source $OPENVPN/ovpn_env.sh."
+ exit 1
+fi
+
+pushd "$EASYRSA_PKI"
+for name in issued/*.crt; do
+ name=${name%.crt}
+ name=${name#issued/}
+ if [ "$name" != "$OVPN_CN" ]; then
+ ovpn_getclient "$name" separated
+ ovpn_getclient "$name" combined-save
+ fi
+done
+popd
diff --git a/docs/advanced.md b/docs/advanced.md
index 068343c..39bda25 100644
--- a/docs/advanced.md
+++ b/docs/advanced.md
@@ -13,7 +13,7 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
 docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
 vim openvpn.conf
 docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
- docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+ docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
 * Start the server with:
diff --git a/docs/clients.md b/docs/clients.md
new file mode 100644
index 0000000..793e40a
--- /dev/null
+++ b/docs/clients.md
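Review bot: Neither `pushd "$EASYRSA_PKI"` nor the two `ovpn_getclient` calls in the loop have their exit status checked and the script has no `set -e`, so a failed export for one client is silently skipped and the script still returns `popd`'s status of 0, which a batch job will read as success. Add `set -e` after the shebang, or write `pushd "$EASYRSA_PKI" || exit 1` and `ovpn_getclient "$name" separated || exit 1` (likewise for `combined-save`). The `echo "Could not source $OPENVPN/ovpn_env.sh."` diagnostic goes to stdout; append `>&2` so it lands on stderr like the other scripts' errors. `for name in issued/*.crt` without `shopt -s nullglob` expands to the literal pattern when no certificate has been issued, and that literal is then passed to ovpn_getclient as a client name; enable nullglob before the loop. pushd/popd also print the directory stack to stdout, which is noise for a batch tool; `cd "$EASYRSA_PKI" || exit 1` is quieter and the final popd is then unnecessary.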
@@ -0,0 +1,28 @@
+# Advanced client management
+
+## Client configuration mode
+
+The `ovpn_getclient` can produce two different format of configuration.
+
+1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
+2. separated: Separated files.
+
+Some client software might be picky about which configuration format it accepts.
+
+## Batch mode
+
+If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
+
+Execute the following to generate the configuration for all clients:
+
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all
+
+After doing so, you will find the following files in each of the `$cn` directories:
+
+ ca.crt
+ dh.pem
+ $cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed.
+ $cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
+ $cn.crt
+ $cn.key
+ ta.key