Allow exporting a separated client config and add ovpn_getclient_all.
		@@ -37,7 +37,7 @@ Upstream links:
* Retrieve the client configuration with embedded certificates
        docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
        docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
@@ -105,7 +105,7 @@ packets, etc).
  simplicity.  It's highly recommended to secure the CA key with some
  passphrase to protect against a filesystem compromise.  A more secure system
  would put the EasyRSA PKI CA on an offline system (can use the same Docker
  image to accomplish this).
  image and the script ovpn_copy_server_files to accomplish this).
* It would be impossible for an adversary to sign bad or forged certificates
  without first cracking the key's passphase should the adversary have root
  access to the filesystem.
@@ -10,20 +10,30 @@ fi
set -e
if [ -z "$OPENVPN" ]; then
    OPENVPN="$PWD"
fi
source "$OPENVPN/ovpn_env.sh"
cn=$1
cn="$1"
parm="$2"
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
    echo "Unable to find ${cn}, please try again or generate the key first"
    >&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2
    exit 1
fi
cat <<EOF
get_client_config() {
    mode="$1"
    echo "
client
nobind
dev tun
remote-cert-tls server
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
"
if [ "$mode" == "combined" ]; then
    echo "
<key>
$(cat $EASYRSA_PKI/private/${cn}.key)
</key>
@@ -40,9 +50,16 @@ $(cat $EASYRSA_PKI/dh.pem)
$(cat $EASYRSA_PKI/ta.key)
</tls-auth>
key-direction 1
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
EOF
"
else
    echo "
key ${cn}.key
ca ca.crt
cert ${cn}.crt
dh dh.pem
tls-auth ta.key 1
"
fi
if [ "$OVPN_DEFROUTE" != "0" ];then
    echo "redirect-gateway def1"
@@ -51,3 +68,29 @@ fi
if [ -n "$OVPN_MTU" ]; then
    echo "tun-mtu $OVPN_MTU"
fi
}
dir="$OPENVPN/clients/$cn"
case "$parm" in
    "separated")
        mkdir -p "$dir"
        get_client_config "$parm" > "$dir/${cn}.ovpn"
        cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
        cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
        cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
        cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
        cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
        ;;
    "combined")
        get_client_config "combined"
        ;;
    "combined-save")
        get_client_config "combined" > "$dir/${cn}-combined.ovpn"
        ;;
    *)
        >&2 echo "This script can produce the client configuration in to formats."
        >&2 echo "    1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)."
        >&2 echo "    2. separated: Separated files."
        >&2 echo "Please specific one of those options as second parameter."
        ;;
esac
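Review bot: The rewritten error path in the first hunk lost its `echo` — `>&2 "Unable to find \"${cn}\", ..." 1>&2` tries to run the message text as a command, so under the `set -e` above it the script dies with a "command not found" (status 127) instead of the intended message and `exit 1`; it should read `echo "Unable to find \"${cn}\", please try again or generate the key first" >&2`. In the last hunk the `*)` arm prints the usage but never exits, so a call with a missing or misspelled mode — including the pre-commit form `ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn` — returns 0 and leaves an empty .ovpn behind; add `exit 1` after the usage lines. The `combined-save` arm redirects into `"$dir/${cn}-combined.ovpn"` without the `mkdir -p "$dir"` that only the `separated` arm performs, so on its own it fails unless `separated` ran first. Both arms write the client's private key under `$OPENVPN/clients/$cn` with the caller's umask (the redirected .ovpn is created mode 0644 under a typical 022 umask), so a `umask 077` before the `case`, or `install -m 600` for the copies, would keep that material owner-readable only. The usage strings also carry typos: `in to formats` should be `in two formats` and `Please specific` should be `Please specify`.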
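--- /dev/null
+++ b/bin/ovpn_getclient_all
@@ -0,0 +1,22 @@
+#!/bin/bash
+## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
+## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
+
+if [ -z "$OPENVPN" ]; then
+    export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+    echo "Could not source $OPENVPN/ovpn_env.sh."
+    exit 1
+fi
+
+pushd "$EASYRSA_PKI"
+for name in issued/*.crt; do
+    name=${name%.crt}
+    name=${name#issued/}
+    if [ "$name" != "$OVPN_CN" ]; then
+        ovpn_getclient "$name" separated
+        ovpn_getclient "$name" combined-save
+    fi
+done
+popd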
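Review bot: `pushd "$EASYRSA_PKI"` is unchecked and the file sets no `set -e`, so when the PKI directory is absent the loop runs in the current directory; with no match bash leaves `issued/*.crt` literal, the two stripping assignments turn it into `*`, and `ovpn_getclient '*' separated` is invoked. Guard it with `pushd "$EASYRSA_PKI" >/dev/null || exit 1` (the redirect also keeps pushd's directory-stack echo out of stdout) and put `[ -e "$name" ] || continue` before the two `name=` assignments, or `shopt -s nullglob` before the loop. The message under `if ! source ...` goes to stdout; it should be `echo "Could not source $OPENVPN/ovpn_env.sh." >&2`. The `"$name" != "$OVPN_CN"` test presumably skips the server's own certificate; a one-line comment such as `# skip the server certificate` would save the next reader the inference.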
@@ -13,7 +13,7 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
        docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
        vim openvpn.conf
        docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
        docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
        docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
* Start the server with:
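--- /dev/null
+++ b/docs/clients.md
@@ -0,0 +1,28 @@
+# Advanced client management
+
+## Client configuration mode
+
+The `ovpn_getclient` can produce two different format of configuration.
+
+1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
+2. separated: Separated files.
+
+Some client software might be picky about which configuration format it accepts.
+
+## Batch mode
+
+If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
+
+Execute the following to generate the configuration for all clients:
+
+    docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all
+
+After doing so, you will find the following files in each of the `$cn` directories:
+
+    ca.crt
+    dh.pem
+    $cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed.
+    $cn.ovpn          # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
+    $cn.crt
+    $cn.key
+    ta.key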