#!/bin/bash
###############################################################################
#
# openvpn-genconf - A program to create OpenVPN configuration files and keys.
#
# I looked around and I found several programs, but none were really very
# suitable. So I wrote my own. It's pretty simple, but it does the job.
#
# SPDX-License-Identifier: GPL-2.0-only
#
###############################################################################
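# Both helpers must be on PATH: easyrsa manages the PKI, openvpn generates
# the tls-crypt key (see genserver). Diagnostics go to stderr.
if ! command -v easyrsa >/dev/null 2>&1; then
  {
    echo "easyrsa not found, you need to get it from"
    echo " https://github.com/OpenVPN/easy-rsa"
    echo "and put it into your path."
    echo "This is not the same thing as the easy-rsa package on"
    echo "Ubuntu or other distros."
  } >&2
  exit 1
fi
if ! command -v openvpn >/dev/null 2>&1; then
  {
    echo "OpenVPN must be installed on this host, even if you aren't"
    echo "using it on this host. It's required for generating some keys."
  } >&2
  exit 1
fi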
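# Newline, used to splice multi-line PEM blocks into the client .ovpn heredoc.
readonly NL=$'\n'
# Defaults offered by do_config when a prompt is answered with an empty line.
readonly DEFAULT_OVPN_PORT=1194
readonly DEFAULT_OVPN_SUBNET="192.168.8.0 255.255.255.0"
readonly DEFAULT_OVPN_KEYSIZE="2048"
readonly DEFAULT_OVPN_SERVER_FILENAME="server"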
do_help() {
  # Print the usage text to stdout; $0 is the path the script was invoked as.
  cat <<EOF
This program creates keys and configuration files for use with
OpenVPN.
To use this, create a directory and cd into it. Then run the
program with the form:
 $0 [<client1> [<client2> ...]]
On the first run it will ask for configuration and
then generate server keys and configuration. Then for each
parameter supplied it will generate a client .ovpn file.

The program will generate a tarball with the server config
It will tell you the filename. Untar that in /etc/openvpn
on your target.

It will also create a .opvn file for each client with all
the keys and configuration in it. OpenVPN knows how to use
these files, transfer them (securely) to the clients and
load them into OpenVPN.

NOTE: Do not run this on the OpenVPN server. The CA key
is critical to keep a secret. Do it on a secure internal
machine.

If you need to revoke certificates, you can use easyrsa
to create a crl. Use the command:
 easyrsa revoke <client>
then run
 easyrsa gen-crl
Copy the crl.pem file created by easyrsa (it will tell you
the name) onto the server and replace the file
/etc/openvpn/<serverfile>-keys/crl.pem on the target.
EOF
}
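# Only -h/--help is recognised as an option; every other argument is a
# client name handled further down.
case "${1-}" in
  -h|--help)
    do_help
    exit 0
    ;;
esac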
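do_config() {
  # Ask for every setting interactively and save them to .ovpn.config in the
  # current directory. The main script sources that file, so each value is
  # written with printf %q: a quote or $(...) typed at a prompt stays a
  # literal string instead of being executed when the file is sourced.
  # Globals written: OVPN_SERVER, OVPN_PORT, OVPN_SUBNET, OVPN_ROUTES,
  #   OVPN_IPV6_SUBNET, OVPN_IPV6_ROUTES, OVPN_DNS_SERVER, OVPN_DOMAIN,
  #   EASYRSA_KEY_SIZE, OVPN_SERVER_FILENAME
  # Globals read: DEFAULT_OVPN_PORT, DEFAULT_OVPN_SUBNET, DEFAULT_OVPN_KEYSIZE,
  #   DEFAULT_OVPN_SERVER_FILENAME
  # Returns 1 without writing the file when a required answer is empty.
  local r

  echo "The remote host name on the big internet the OpenVPN client will"
  echo "connect to."
  printf '%s' "OpenVPN server hostname or IP (required): "
  read -r OVPN_SERVER
  if [ -z "${OVPN_SERVER}" ]; then
    echo "Server name is required" 1>&2
    return 1
  fi
  echo

  printf '%s' "OpenVPN port (default ${DEFAULT_OVPN_PORT}): "
  read -r OVPN_PORT
  # Use the shared default instead of a second hard-coded 1194.
  OVPN_PORT="${OVPN_PORT:-${DEFAULT_OVPN_PORT}}"
  echo

  echo "An unused subnet that OpenVPN will assign IP addresses from."
  printf '%s' "OpenVPN subnet (default ${DEFAULT_OVPN_SUBNET}): "
  read -r OVPN_SUBNET
  OVPN_SUBNET="${OVPN_SUBNET:-${DEFAULT_OVPN_SUBNET}}"
  echo

  echo "Local networks that OpenVPN will route clients to, in the"
  echo "form \"192.168.1.0 255.255.255.0\". Multiple may be listed,"
  echo "enter an empty one to finish."
  # Space separated "addr mask" pairs; genserver word-splits this on purpose.
  OVPN_ROUTES=""
  printf '%s' "Route: "
  read -r r
  while [ -n "$r" ]; do
    OVPN_ROUTES="${OVPN_ROUTES} $r"
    printf '%s' "Route: "
    read -r r
  done
  echo

  echo "Route IPV6 traffic using this subnet."
  printf '%s' "OpenVPN IPv6 subnet (optional): "
  read -r OVPN_IPV6_SUBNET
  # Was misspelled OVPN_IPv6_ROUTES, so the real variable was never reset.
  OVPN_IPV6_ROUTES=""
  if [ -n "${OVPN_IPV6_SUBNET}" ]; then
    echo
    echo "Local IPv6 networks that OpenVPN will route clients to, in the"
    echo "standard nn:nn:nn::nn/nn form. Multiple may be listed,"
    echo "enter an empty one to finish."
    printf '%s' "Route: "
    read -r r
    while [ -n "$r" ]; do
      OVPN_IPV6_ROUTES="${OVPN_IPV6_ROUTES} $r"
      printf '%s' "Route: "
      read -r r
    done
  fi
  echo

  echo "DNS server on your internal network."
  printf '%s' "OpenVPN DNS server (required): "
  read -r OVPN_DNS_SERVER
  if [ -z "${OVPN_DNS_SERVER}" ]; then
    echo "DNS server is required" 1>&2
    return 1
  fi
  echo

  echo "Domain name of your internal network (for DNS)."
  printf '%s' "OpenVPN domain name (required): "
  read -r OVPN_DOMAIN
  if [ -z "${OVPN_DOMAIN}" ]; then
    echo "Domain is required" 1>&2
    return 1
  fi
  echo

  echo "The key length for keys. This will onlny have an effect"
  echo "when the PKI is created, you will need to delete everything"
  echo "and start over if you want to change the key size."
  printf '%s' "OpenVPN SSL keysize (default ${DEFAULT_OVPN_KEYSIZE}): "
  read -r EASYRSA_KEY_SIZE
  EASYRSA_KEY_SIZE="${EASYRSA_KEY_SIZE:-${DEFAULT_OVPN_KEYSIZE}}"
  echo

  echo "The filename on the OpenVPN server for the configuration file"
  printf '%s' "OpenVPN server file name (default ${DEFAULT_OVPN_SERVER_FILENAME}): "
  read -r OVPN_SERVER_FILENAME
  OVPN_SERVER_FILENAME="${OVPN_SERVER_FILENAME:-${DEFAULT_OVPN_SERVER_FILENAME}}"

  # %q emits a value the shell will read back verbatim when sourced.
  {
    printf 'OVPN_SERVER=%q\n' "${OVPN_SERVER}"
    printf 'OVPN_PORT=%q\n' "${OVPN_PORT}"
    printf 'OVPN_SUBNET=%q\n' "${OVPN_SUBNET}"
    printf 'OVPN_ROUTES=%q\n' "${OVPN_ROUTES}"
    printf 'OVPN_IPV6_SUBNET=%q\n' "${OVPN_IPV6_SUBNET}"
    printf 'OVPN_IPV6_ROUTES=%q\n' "${OVPN_IPV6_ROUTES}"
    printf 'OVPN_DNS_SERVER=%q\n' "${OVPN_DNS_SERVER}"
    printf 'OVPN_DOMAIN=%q\n' "${OVPN_DOMAIN}"
    # easyrsa reads the key size from the environment, hence the export.
    printf 'export EASYRSA_KEY_SIZE=%q\n' "${EASYRSA_KEY_SIZE}"
    printf 'OVPN_SERVER_FILENAME=%q\n' "${OVPN_SERVER_FILENAME}"
  } >.ovpn.config
}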
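genroutes() {
  # Append one 'push "route ADDR MASK"' line per address/mask pair to
  # ${OVPN_SERVER_FILENAME}.conf in the current directory.
  # Arguments: a flat list of "addr mask addr mask ...".
  # Returns 1 (with a message on stderr) if an address has no mask.
  local addr mask
  while [ -n "${1-}" ]; do
    addr=$1
    shift
    if [ -z "${1-}" ]; then
      echo "Invalid routes at $addr" 1>&2
      return 1
    fi
    mask=$1
    shift
    printf 'push "route %s %s"\n' "$addr" "$mask" >>"${OVPN_SERVER_FILENAME}".conf
  done
}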
genipv6routes() {
  # Append one 'push "route-ipv6 NET"' line per argument to
  # ${OVPN_SERVER_FILENAME}.conf; stops at the first empty argument.
  local net
  for net in "$@"; do
    [ -n "$net" ] || break
    printf 'push "route-ipv6 %s"\n' "$net" >>"${OVPN_SERVER_FILENAME}".conf
  done
}
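genserver() {
  # Package the server side: <server>.conf plus <server>-keys/ (CA cert, DH
  # params, CRL, server cert/key, tls-crypt key) into <server>.tar.gz.
  # Globals read: OVPN_SERVER_FILENAME, OVPN_PORT, OVPN_SUBNET,
  #   OVPN_DNS_SERVER, OVPN_DOMAIN, OVPN_ROUTES, OVPN_IPV6_SUBNET,
  #   OVPN_IPV6_ROUTES
  # Runs in the working directory that holds pki/ (easyrsa output).
  # Returns non-zero at the first failing step; tmpserver/ is always removed
  # and no partial tarball is left behind.
  local name="${OVPN_SERVER_FILENAME}"
  local keydir="${name}-keys"
  local rc

  if [ ! -e "${name}"-tc.pem ]; then
    # The tls-crypt key is shared by the server and every client .ovpn.
    openvpn --genkey --secret "${name}"-tc.pem || return 1
  fi

  rm -rf tmpserver
  mkdir tmpserver || return 1

  # Subshell: cd/umask changes stay local and a failure anywhere aborts the
  # build without leaving the caller in another directory.
  (
    cd tmpserver || exit 1
    mkdir -- "$keydir" || exit 1
    # openssl x509 re-emits just the certificate (presumably dropping the
    # text dump easyrsa puts in front of the PEM block — confirm).
    openssl x509 -in ../pki/ca.crt -out "$keydir"/ca.crt || exit 1
    cp -- ../pki/dh.pem ../pki/crl.pem "$keydir"/ || exit 1
    openssl x509 -in ../pki/issued/"${name}".crt -out "$keydir"/server.crt || exit 1
    cp -- ../pki/private/"${name}".key "$keydir"/server.key || exit 1
    cp -- ../"${name}"-tc.pem "$keydir"/tc.pem || exit 1
    # cp does not preserve mode, so private material would otherwise get the
    # default umask (typically world-readable) inside the tarball.
    chmod 600 ./"$keydir"/server.key ./"$keydir"/tc.pem || exit 1

    cat <<EOF >"${name}".conf
dev tun
port ${OVPN_PORT}
proto udp
server ${OVPN_SUBNET}
topology subnet
client-to-client
keepalive 10 60
user nobody
group nogroup
persist-tun
persist-key
remote-cert-tls client
compress lz4
push "dhcp-option DNS ${OVPN_DNS_SERVER}"
push "dhcp-option DOMAIN ${OVPN_DOMAIN}"
push "compress lz4"
dh "${keydir}/dh.pem"
ca "${keydir}/ca.crt"
crl-verify "${keydir}/crl.pem"
cert "${keydir}/server.crt"
key "${keydir}/server.key"
tls-crypt "${keydir}/tc.pem"
EOF
    # Word-splitting is intended: OVPN_ROUTES is a space separated list.
    # shellcheck disable=SC2086
    genroutes ${OVPN_ROUTES} || exit 1
    if [ -n "${OVPN_IPV6_SUBNET}" ]; then
      echo "server-ipv6 ${OVPN_IPV6_SUBNET}" >>"${name}".conf
    fi
    # shellcheck disable=SC2086
    genipv6routes ${OVPN_IPV6_ROUTES} || exit 1

    # The tarball carries private keys; create it 0600 and never leave a
    # truncated one behind (the caller skips genserver when it exists).
    umask 077
    tar czf ../"${name}".tar.gz "$keydir" "${name}".conf \
      || { rm -f -- ../"${name}".tar.gz; exit 1; }
  )
  rc=$?
  rm -rf tmpserver
  [ "$rc" -eq 0 ] || return "$rc"

  echo "${name}.tar.gz created, untar that in your"
  echo "/etc/openvpn directory on your OpenVPN server"
}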
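genclient() {
  # Issue a client certificate for $1 and write an all-in-one $1.ovpn with
  # the CA cert, client cert/key and tls-crypt key inline.
  # Globals read: OVPN_SERVER_FILENAME, OVPN_SERVER, OVPN_PORT, NL.
  # Returns 1 if issuing the certificate or reading any key material fails,
  # so no .ovpn with empty <cert>/<key> blocks is written.
  local name=$1
  local OVPN_TC OVPN_CA OVPN_KEY OVPN_CERT

  # Remove any earlier request/cert/key so easyrsa can re-issue this name.
  rm -f -- "pki/private/${name}.key" "pki/issued/${name}.crt" "pki/reqs/${name}.req"
  easyrsa build-client-full "$name" nopass || return 1

  # Drop '#' comment lines from the tls-crypt file and join consecutive
  # pairs of key lines (lines starting with a word character).
  OVPN_TC="$(sed -e "/^#/d;/^\w/N;s/\n//" "${OVPN_SERVER_FILENAME}"-tc.pem)" || return 1
  OVPN_CA="$(openssl x509 -in pki/ca.crt)" || return 1
  OVPN_KEY="$(cat -- "pki/private/${name}.key")" || return 1
  OVPN_CERT="$(openssl x509 -in "pki/issued/${name}.crt")" || return 1

  # The .ovpn embeds a private key: create it 0600 instead of with the
  # default umask. The subshell keeps the umask change local.
  (
    umask 077
    cat <<EOF >"${name}".ovpn
dev tun
nobind
client
remote ${OVPN_SERVER} ${OVPN_PORT} udp
auth-nocache
remote-cert-tls server
<ca>${NL}${OVPN_CA}${NL}</ca>
<cert>${NL}${OVPN_CERT}${NL}</cert>
<key>${NL}${OVPN_KEY}${NL}</key>
<tls-crypt>${NL}${OVPN_TC}${NL}</tls-crypt>
EOF
  )
}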
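if [ ! -e .ovpn.config ]; then
  echo "Configuration file not present, starting configuration."
  do_config || exit 1
fi
# .ovpn.config is plain shell written by do_config; sourcing it executes
# whatever it contains, so it must be trusted like the script itself.
. ./.ovpn.config
: "${OVPN_SERVER_FILENAME:?not set in .ovpn.config; delete the file and rerun}"

# Build the PKI step by step; each step is skipped when its output exists.
if [ ! -e pki ]; then
  easyrsa init-pki || exit 1
fi
if [ ! -e pki/dh.pem ]; then
  easyrsa gen-dh || exit 1
fi
if [ ! -e pki/ca.crt ]; then
  easyrsa build-ca nopass || exit 1
fi
if [ ! -e "pki/issued/${OVPN_SERVER_FILENAME}.crt" ]; then
  easyrsa build-server-full "${OVPN_SERVER_FILENAME}" nopass || exit 1
  # genserver copies pki/crl.pem, so a failed gen-crl must stop here.
  easyrsa gen-crl || exit 1
fi
if [ ! -e "${OVPN_SERVER_FILENAME}".tar.gz ]; then
  genserver || exit 1
fi

# Every remaining argument is a client name; existing .ovpn files are kept.
while [ -n "${1-}" ]; do
  if [ -e "$1".ovpn ]; then
    echo "$1.ovpn already exists"
  else
    genclient "$1" || exit 1
  fi
  shift
done
exit 0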