container-openvpn/bin/ovpn_getclient
Kyle Manna 6aca273d89 getclient: Use openssl to prune comments
* The EasyRSA tools create a certificate file with all the metadata
  readable.  This makes the config file larger then it needs to be, so
  prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
2015-07-05 21:07:04 -07:00

105 lines
2.3 KiB
Bash
Executable File

#!/bin/bash
#
# Get an OpenVPN client configuration file
#
if [ "$DEBUG" == "1" ]; then
set -x
fi
set -e
if [ -z "$OPENVPN" ]; then
export OPENVPN="$PWD"
fi
if ! source "$OPENVPN/ovpn_env.sh"; then
echo "Could not source $OPENVPN/ovpn_env.sh."
exit 1
fi
if [ -z "$EASYRSA_PKI" ]; then
export EASYRSA_PKI="$OPENVPN/pki"
fi
cn="$1"
parm="$2"
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
exit 1
fi
get_client_config() {
mode="$1"
echo "
client
nobind
dev tun
remote-cert-tls server
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
"
if [ "$mode" == "combined" ]; then
echo "
<key>
$(cat $EASYRSA_PKI/private/${cn}.key)
</key>
<cert>
$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt)
</cert>
<ca>
$(cat $EASYRSA_PKI/ca.crt)
</ca>
<dh>
$(cat $EASYRSA_PKI/dh.pem)
</dh>
<tls-auth>
$(cat $EASYRSA_PKI/ta.key)
</tls-auth>
key-direction 1
"
elif [ "$mode" == "separated" ]; then
echo "
key ${cn}.key
ca ca.crt
cert ${cn}.crt
dh dh.pem
tls-auth ta.key 1
$OVPN_ADDITIONAL_CLIENT_CONFIG
"
fi
if [ "$OVPN_DEFROUTE" != "0" ];then
echo "redirect-gateway def1"
fi
if [ -n "$OVPN_MTU" ]; then
echo "tun-mtu $OVPN_MTU"
fi
}
dir="$OPENVPN/clients/$cn"
case "$parm" in
"separated")
mkdir -p "$dir"
get_client_config "$parm" > "$dir/${cn}.ovpn"
cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
;;
"" | "combined")
get_client_config "combined"
;;
"combined-save")
get_client_config "combined" > "$dir/${cn}-combined.ovpn"
;;
*)
echo "This script can produce the client configuration in to formats:" >&2
echo " 1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2
echo " 2. separated: Separated files." >&2
echo "Please specific one of those options as second parameter." >&2
;;
esac