Allow to export separated client config and wrote ovpn_getclient_all.

README.md

@@ -37,7 +37,7 @@ Upstream links:
 
 * Retrieve the client configuration with embedded certificates
 
-        docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+        docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
 
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
 
@@ -105,7 +105,7 @@ packets, etc).
   simplicity.  It's highly recommended to secure the CA key with some
   passphrase to protect against a filesystem compromise.  A more secure system
   would put the EasyRSA PKI CA on an offline system (can use the same Docker
-  image to accomplish this).
+  image and the script ovpn_copy_server_files to accomplish this).
 * It would be impossible for an adversary to sign bad or forged certificates
   without first cracking the key's passphase should the adversary have root
   access to the filesystem.

bin/ovpn_getclient

@@ -10,20 +10,30 @@ fi
 
 set -e
 
+if [ -z "$OPENVPN" ]; then
+    OPENVPN="$PWD"
+fi
 source "$OPENVPN/ovpn_env.sh"
-cn=$1
+cn="$1"
+parm="$2"
 
 if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
-    echo "Unable to find ${cn}, please try again or generate the key first"
+    >&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2
     exit 1
 fi
 
-cat <<EOF
+get_client_config() {
+    mode="$1"
+    echo "
 client
 nobind
 dev tun
 remote-cert-tls server
 
+remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
+"
+if [ "$mode" == "combined" ]; then
+    echo "
 <key>
 $(cat $EASYRSA_PKI/private/${cn}.key)
 </key>
@@ -40,9 +50,16 @@ $(cat $EASYRSA_PKI/dh.pem)
 $(cat $EASYRSA_PKI/ta.key)
 </tls-auth>
 key-direction 1
-
+"
-remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
+else
-EOF
+    echo "
+key ${cn}.key
+ca ca.crt
+cert ${cn}.crt
+dh dh.pem
+tls-auth ta.key 1
+"
+fi
 
 if [ "$OVPN_DEFROUTE" != "0" ];then
     echo "redirect-gateway def1"
@@ -51,3 +68,29 @@ fi
 if [ -n "$OVPN_MTU" ]; then
     echo "tun-mtu $OVPN_MTU"
 fi
+}
+
+dir="$OPENVPN/clients/$cn"
+case "$parm" in
+    "separated")
+        mkdir -p "$dir"
+        get_client_config "$parm" > "$dir/${cn}.ovpn"
+        cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
+        cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
+        cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
+        cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
+        cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
+        ;;
+    "combined")
+        get_client_config "combined"
+        ;;
+    "combined-save")
+        get_client_config "combined" > "$dir/${cn}-combined.ovpn"
+        ;;
+    *)
+        >&2 echo "This script can produce the client configuration in to formats."
+        >&2 echo "    1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)."
+        >&2 echo "    2. separated: Separated files."
+        >&2 echo "Please specific one of those options as second parameter."
+        ;;
+esac

bin/ovpn_getclient_all

@@ -0,0 +1,22 @@
+#!/bin/bash
+## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
+## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
+
+if [ -z "$OPENVPN" ]; then
+    export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+
+pushd "$EASYRSA_PKI"
+for name in issued/*.crt; do
+    name=${name%.crt}
+    name=${name#issued/}
+    if [ "$name" != "$OVPN_CN" ]; then
+        ovpn_getclient "$name" separated
+        ovpn_getclient "$name" combined-save
+    fi
+done
+popd

docs/advanced.md

@@ -13,7 +13,7 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
         docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
         vim openvpn.conf
         docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
-        docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+        docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
 
 * Start the server with:
 

docs/clients.md

@@ -0,0 +1,28 @@
+# Advanced client management
+
+## Client configuration mode
+
+The `ovpn_getclient` can produce two different format of configuration.
+
+1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
+2. separated: Separated files.
+
+Some client software might be picky about which configuration format it accepts.
+
+## Batch mode
+
+If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
+
+Execute the following to generate the configuration for all clients:
+
+    docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all
+
+After doing so, you will find the following files in each of the `$cn` directories:
+
+    ca.crt
+    dh.pem
+    $cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed.
+    $cn.ovpn          # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
+    $cn.crt
+    $cn.key
+    ta.key