Allow to export separated client config and wrote ovpn_getclient_all.

This commit is contained in:
Robin Schneider 2015-03-13 00:32:40 +01:00
parent 8d8f19d951
commit e6e2221d8b
No known key found for this signature in database
GPG Key ID: 489A4D5EC353C98A
5 changed files with 103 additions and 10 deletions

View File

@ -37,7 +37,7 @@ Upstream links:
* Retrieve the client configuration with embedded certificates
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
@ -105,7 +105,7 @@ packets, etc).
simplicity. It's highly recommended to secure the CA key with some
passphrase to protect against a filesystem compromise. A more secure system
would put the EasyRSA PKI CA on an offline system (can use the same Docker
image to accomplish this).
image and the script ovpn_copy_server_files to accomplish this).
* It would be impossible for an adversary to sign bad or forged certificates
without first cracking the key's passphase should the adversary have root
access to the filesystem.

View File

@ -10,20 +10,30 @@ fi
set -e
if [ -z "$OPENVPN" ]; then
OPENVPN="$PWD"
fi
source "$OPENVPN/ovpn_env.sh"
cn=$1
cn="$1"
parm="$2"
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
echo "Unable to find ${cn}, please try again or generate the key first"
>&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2
exit 1
fi
cat <<EOF
get_client_config() {
mode="$1"
echo "
client
nobind
dev tun
remote-cert-tls server
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
"
if [ "$mode" == "combined" ]; then
echo "
<key>
$(cat $EASYRSA_PKI/private/${cn}.key)
</key>
@ -40,9 +50,16 @@ $(cat $EASYRSA_PKI/dh.pem)
$(cat $EASYRSA_PKI/ta.key)
</tls-auth>
key-direction 1
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
EOF
"
else
echo "
key ${cn}.key
ca ca.crt
cert ${cn}.crt
dh dh.pem
tls-auth ta.key 1
"
fi
if [ "$OVPN_DEFROUTE" != "0" ];then
echo "redirect-gateway def1"
@ -51,3 +68,29 @@ fi
if [ -n "$OVPN_MTU" ]; then
echo "tun-mtu $OVPN_MTU"
fi
}
dir="$OPENVPN/clients/$cn"
case "$parm" in
"separated")
mkdir -p "$dir"
get_client_config "$parm" > "$dir/${cn}.ovpn"
cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
;;
"combined")
get_client_config "combined"
;;
"combined-save")
get_client_config "combined" > "$dir/${cn}-combined.ovpn"
;;
*)
>&2 echo "This script can produce the client configuration in to formats."
>&2 echo " 1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)."
>&2 echo " 2. separated: Separated files."
>&2 echo "Please specific one of those options as second parameter."
;;
esac

22
bin/ovpn_getclient_all Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
if [ -z "$OPENVPN" ]; then
export OPENVPN="$PWD"
fi
if ! source "$OPENVPN/ovpn_env.sh"; then
echo "Could not source $OPENVPN/ovpn_env.sh."
exit 1
fi
pushd "$EASYRSA_PKI"
for name in issued/*.crt; do
name=${name%.crt}
name=${name#issued/}
if [ "$name" != "$OVPN_CN" ]; then
ovpn_getclient "$name" separated
ovpn_getclient "$name" combined-save
fi
done
popd

View File

@ -13,7 +13,7 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
vim openvpn.conf
docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
* Start the server with:

28
docs/clients.md Normal file
View File

@ -0,0 +1,28 @@
# Advanced client management
## Client configuration mode
The `ovpn_getclient` can produce two different format of configuration.
1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
2. separated: Separated files.
Some client software might be picky about which configuration format it accepts.
## Batch mode
If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
Execute the following to generate the configuration for all clients:
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all
After doing so, you will find the following files in each of the `$cn` directories:
ca.crt
dh.pem
$cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed.
$cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
$cn.crt
$cn.key
ta.key