diff --git a/bin/ovpn_copy_server_files b/bin/ovpn_copy_server_files deleted file mode 100755 index b99f54c..0000000 --- a/bin/ovpn_copy_server_files +++ /dev/null @@ -1,47 +0,0 @@ -#!/bin/bash -## @licence MIT -## @author Copyright (C) 2015 Robin Schneider - -set -e - -if [ -z "$OPENVPN" ]; then - export OPENVPN="$PWD" -fi -if ! source "$OPENVPN/ovpn_env.sh"; then - echo "Could not source $OPENVPN/ovpn_env.sh." - exit 1 -fi - -TARGET="$OPENVPN/server" -if [ -n "$1" ]; then - TARGET="$1" -fi -mkdir -p "${TARGET}" - -## Ensure that no other keys then the one for the server is present. -rm -rf "$TARGET/pki/private" "$TARGET/pki/issued" - -FILES=( - "openvpn.conf" - "ovpn_env.sh" - "pki/private/${OVPN_CN}.key" - "pki/issued/${OVPN_CN}.crt" - "pki/dh.pem" - "pki/ta.key" - "pki/ca.crt" - "ccd" -) - -if [ -f "${OPENVPN}/pki/crl.pem" ]; then - FILES+=("pki/crl.pem") -fi - -# Ensure the ccd directory exists, even if empty -mkdir -p "ccd" - -# rsync isn't available to keep size down -# cp --parents isn't in busybox version -# hack the directory structure with tar -tar cf - -C "${OPENVPN}" "${FILES[@]}" | tar xvf - -C "${TARGET}" - -echo "Created the openvpn configuration for the server: $TARGET" diff --git a/bin/ovpn_create_client b/bin/ovpn_create_client new file mode 100755 index 0000000..0a87e99 --- /dev/null +++ b/bin/ovpn_create_client @@ -0,0 +1,34 @@ +#!/bin/bash + +# +# Initialize the EasyRSA PKI +# + +if [ "$DEBUG" == "1" ]; then + set -x +fi + +set -e + +if [ -z "$OPENVPN" ]; then + export OPENVPN="$PWD" +fi + +[ -f $OPENVPN/server ] || { echo "Missing OpenVPN server setup!"; exit 1; } + +cn="$1" +server="$(cat $OPENVPN/server)" + +# generate client cert +if [ -f "$EASYRSA_PKI/issued/${cn}.crt" ]; then + echo "Certificate for \"${cn}\" already exists !" >&2 + exit 1 +fi + +easyrsa build-client-full "$cn" nopass 1>/dev/null 2>&1 + +# Generate OpenVPN users via google authenticator + +# Skip confirmation if not running in interctive mode. Essential for integration tests. +google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \ + -l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q diff --git a/bin/ovpn_create_server b/bin/ovpn_create_server new file mode 100755 index 0000000..73d2e3a --- /dev/null +++ b/bin/ovpn_create_server @@ -0,0 +1,59 @@ +#!/bin/bash + +# +# Initialize the EasyRSA PKI +# + +if [ "$DEBUG" == "1" ]; then + set -x +fi + +set -e + +# these might get lost if empty syncing to object storage +mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd +touch $OPENVPN/otp/_empty $OPENVPN/ccd/_empty + +# Finally generate server cert +easyrsa build-server-full "$1" nopass + +# write server FQDN +echo "$1" > $OPENVPN/server + +# static server config +cat < $OPENVPN/openvpn.conf +port 1194 +proto udp +dev tun +topology subnet +cipher AES-256-GCM + +keepalive 10 120 + +user nobody +group nogroup + +persist-key +persist-tun + +status /var/run/openvpn-status.log +status-version 3 +verb 3 + +verify-client-cert require +reneg-sec 0 + +plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password snafu pin PASSWORD" +#plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP" +#auth-user-pass-optional + +ifconfig-pool-persist ipp.txt + +ca /etc/openvpn/ca.crt +dh /etc/openvpn/dh.pem +crl-verify /etc/openvpn/crl.pem +tls-auth /etc/openvpn/ta.key + +# Include local config last +config /etc/openvpn/local.conf +EOF diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig deleted file mode 100755 index c2ebca6..0000000 --- a/bin/ovpn_genconfig +++ /dev/null @@ -1,412 +0,0 @@ -#!/bin/bash - -# -# Generate OpenVPN configs -# - -TMP_PUSH_CONFIGFILE=$(mktemp -t vpn_push.XXXXXXX) -TMP_ROUTE_CONFIGFILE=$(mktemp -t vpn_route.XXXXXXX) -TMP_EXTRA_CONFIGFILE=$(mktemp -t vpn_extra.XXXXXXX) - -#Traceback on Error and Exit come from https://docwhat.org/tracebacks-in-bash/ -set -eu - -_showed_traceback=f - -traceback() { - # Hide the traceback() call. - local -i start=$(( ${1:-0} + 1 )) - local -i end=${#BASH_SOURCE[@]} - local -i i=0 - local -i j=0 - - echo "Traceback (last called is first):" 1>&2 - for ((i=${start}; i < ${end}; i++)); do - j=$(( $i - 1 )) - local function="${FUNCNAME[$i]}" - local file="${BASH_SOURCE[$i]}" - local line="${BASH_LINENO[$j]}" - echo " ${function}() in ${file}:${line}" 1>&2 - done -} - -on_error() { - local _ec="$?" - local _cmd="${BASH_COMMAND:-unknown}" - traceback 1 - _showed_traceback=t - echo "The command ${_cmd} exited with exit code ${_ec}." 1>&2 -} -trap on_error ERR - - -on_exit() { - echo "Cleaning up before Exit ..." - rm -f $TMP_PUSH_CONFIGFILE - rm -f $TMP_ROUTE_CONFIGFILE - rm -f $TMP_EXTRA_CONFIGFILE - local _ec="$?" - if [[ $_ec != 0 && "${_showed_traceback}" != t ]]; then - traceback 1 - fi -} -trap on_exit EXIT - -# Convert 1.2.3.4/24 -> 255.255.255.0 -cidr2mask() -{ - local i - local subnetmask="" - local cidr=${1#*/} - local full_octets=$(($cidr/8)) - local partial_octet=$(($cidr%8)) - - for ((i=0;i<4;i+=1)); do - if [ $i -lt $full_octets ]; then - subnetmask+=255 - elif [ $i -eq $full_octets ]; then - subnetmask+=$((256 - 2**(8-$partial_octet))) - else - subnetmask+=0 - fi - [ $i -lt 3 ] && subnetmask+=. - done - echo $subnetmask -} - -# Used often enough to justify a function -getroute() { - echo ${1%/*} $(cidr2mask $1) -} - -usage() { - echo "usage: $0 [-d]" - echo " -u SERVER_PUBLIC_URL" - echo " [-e EXTRA_SERVER_CONFIG ]" - echo " [-E EXTRA_CLIENT_CONFIG ]" - echo " [-f FRAGMENT ]" - echo " [-n DNS_SERVER ...]" - echo " [-p PUSH ...]" - echo " [-r ROUTE ...]" - echo " [-s SERVER_SUBNET]" - echo - echo "optional arguments:" - echo " -2 Enable two factor authentication using Google Authenticator." - echo " -a Authenticate packets with HMAC using the given message digest algorithm (auth)." - echo " -b Disable 'push block-outside-dns'" - echo " -c Enable client-to-client option" - echo " -C A list of allowable TLS ciphers delimited by a colon (cipher)." - echo " -d Disable default route" - echo " -D Do not push dns servers" - echo " -k Set keepalive. Default: '10 60'" - echo " -m Set client MTU" - echo " -N Configure NAT to access external server network" - echo " -t Use TAP device (instead of TUN device)" - echo " -T Encrypt packets with the given cipher algorithm instead of the default one (tls-cipher)." - echo " -z Enable comp-lzo compression." -} - -process_route_config() { - local ovpn_route_config='' - ovpn_route_config="$1" - # If user passed "0" skip this, assume no extra routes - [[ "$ovpn_route_config" == "0" ]] && break; - echo "Processing Route Config: '${ovpn_route_config}'" - [[ -n "$ovpn_route_config" ]] && echo "route $(getroute $ovpn_route_config)" >> "$TMP_ROUTE_CONFIGFILE" -} - -process_push_config() { - local ovpn_push_config='' - ovpn_push_config="$1" - echo "Processing PUSH Config: '${ovpn_push_config}'" - [[ -n "$ovpn_push_config" ]] && echo "push \"$ovpn_push_config\"" >> "$TMP_PUSH_CONFIGFILE" -} - -process_extra_config() { - local ovpn_extra_config='' - ovpn_extra_config="$1" - echo "Processing Extra Config: '${ovpn_extra_config}'" - [[ -n "$ovpn_extra_config" ]] && echo "$ovpn_extra_config" >> "$TMP_EXTRA_CONFIGFILE" -} - -if [ "${DEBUG:-}" == "1" ]; then - set -x -fi - -set -e - -if [ -z "${OPENVPN:-}" ]; then - export OPENVPN="$PWD" -fi -if [ -z "${EASYRSA_PKI:-}" ]; then - export EASYRSA_PKI="$OPENVPN/pki" -fi - -OVPN_AUTH='' -OVPN_CIPHER='' -OVPN_CLIENT_TO_CLIENT='' -OVPN_CN='' -OVPN_COMP_LZO=0 -OVPN_DEFROUTE=1 -OVPN_DEVICE="tun" -OVPN_DEVICEN=0 -OVPN_DISABLE_PUSH_BLOCK_DNS=0 -OVPN_DNS=1 -OVPN_DNS_SERVERS=() -OVPN_ENV=${OPENVPN}/ovpn_env.sh -OVPN_EXTRA_CLIENT_CONFIG=() -OVPN_EXTRA_SERVER_CONFIG=() -OVPN_FRAGMENT='' -OVPN_KEEPALIVE="10 60" -OVPN_MTU='' -OVPN_NAT=0 -OVPN_PORT='' -OVPN_PROTO='' -OVPN_PUSH=() -OVPN_ROUTES=() -OVPN_SERVER=192.168.255.0/24 -OVPN_SERVER_URL='' -OVPN_TLS_CIPHER='' - -# Import existing configuration if present -[ -r "$OVPN_ENV" ] && source "$OVPN_ENV" - -# Parse arguments -while getopts ":a:e:E:C:T:r:s:du:bcp:n:k:DNm:f:tz2" opt; do - case $opt in - a) - OVPN_AUTH="$OPTARG" - ;; - e) - mapfile -t TMP_EXTRA_SERVER_CONFIG <<< "$OPTARG" - for i in "${TMP_EXTRA_SERVER_CONFIG[@]}"; do - OVPN_EXTRA_SERVER_CONFIG+=("$i") - done - ;; - E) - mapfile -t TMP_EXTRA_CLIENT_CONFIG <<< "$OPTARG" - for i in "${TMP_EXTRA_CLIENT_CONFIG[@]}"; do - OVPN_EXTRA_CLIENT_CONFIG+=("$i") - done - ;; - C) - OVPN_CIPHER="$OPTARG" - ;; - T) - OVPN_TLS_CIPHER="$OPTARG" - ;; - r) - mapfile -t TMP_ROUTES <<< "$OPTARG" - for i in "${TMP_ROUTES[@]}"; do - OVPN_ROUTES+=("$i") - done - ;; - s) - OVPN_SERVER="$OPTARG" - ;; - d) - OVPN_DEFROUTE=0 - OVPN_DISABLE_PUSH_BLOCK_DNS=1 - ;; - u) - OVPN_SERVER_URL="$OPTARG" - ;; - b) - OVPN_DISABLE_PUSH_BLOCK_DNS=1 - ;; - c) - OVPN_CLIENT_TO_CLIENT=1 - ;; - p) - mapfile -t TMP_PUSH <<< "$OPTARG" - for i in "${TMP_PUSH[@]}"; do - OVPN_PUSH+=("$i") - done - ;; - n) - mapfile -t TMP_DNS_SERVERS <<< "$OPTARG" - for i in "${TMP_DNS_SERVERS[@]}"; do - OVPN_DNS_SERVERS+=("$i") - done - ;; - D) - OVPN_DNS=0 - ;; - N) - OVPN_NAT=1 - ;; - k) - OVPN_KEEPALIVE="$OPTARG" - ;; - m) - OVPN_MTU="$OPTARG" - ;; - t) - OVPN_DEVICE="tap" - ;; - z) - OVPN_COMP_LZO=1 - ;; - 2) - OVPN_OTP_AUTH=1 - ;; - f) - OVPN_FRAGMENT="$OPTARG" - ;; - \?) - set +x - echo "Invalid option: -$OPTARG" >&2 - usage - exit 1 - ;; - :) - set +x - echo "Option -$OPTARG requires an argument." >&2 - usage - exit 1 - ;; - esac -done - -# Create ccd directory for static routes -[ ! -d "${OPENVPN:-}/ccd" ] && mkdir -p ${OPENVPN:-}/ccd - -# Server name is in the form "udp://vpn.example.com:1194" -if [[ "${OVPN_SERVER_URL:-}" =~ ^((udp|tcp|udp6|tcp6)://)?([0-9a-zA-Z\.\-]+)(:([0-9]+))?$ ]]; then - OVPN_PROTO=${BASH_REMATCH[2]}; - OVPN_CN=${BASH_REMATCH[3]}; - OVPN_PORT=${BASH_REMATCH[5]}; -else - set +x - echo "Common name not specified, see '-u'" - usage - exit 1 -fi - -# Apply defaults. If dns servers were not defined with -n, use google nameservers -set +u -[ -z "$OVPN_DNS_SERVERS" ] && OVPN_DNS_SERVERS=("8.8.8.8" "8.8.4.4") -[ -z "$OVPN_PROTO" ] && OVPN_PROTO=udp -[ -z "$OVPN_PORT" ] && OVPN_PORT=1194 -set -u -[ "${#OVPN_ROUTES[@]}" == "0" ] && [ "$OVPN_DEFROUTE" == "1" ] && OVPN_ROUTES+=("192.168.254.0/24") - -# Preserve config -if [ -f "$OVPN_ENV" ]; then - bak_env=$OVPN_ENV.$(date +%s).bak - echo "Backing up $OVPN_ENV -> $bak_env" - mv "$OVPN_ENV" "$bak_env" -fi - -# Save the current OVPN_ vars to the ovpn_env.sh file -(set | grep '^OVPN_') | while read -r var; do - echo "declare -x $var" >> "$OVPN_ENV" -done - -conf=${OPENVPN:-}/openvpn.conf -if [ -f "$conf" ]; then - bak=$conf.$(date +%s).bak - echo "Backing up $conf -> $bak" - mv "$conf" "$bak" -fi - -# Echo extra client configurations -if [ ${#OVPN_EXTRA_CLIENT_CONFIG[@]} -gt 0 ]; then - for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do - echo "Processing Extra Client Config: $i" - done -fi - -cat > "$conf" <> "$conf" -[ -n "$OVPN_CIPHER" ] && echo "cipher $OVPN_CIPHER" >> "$conf" -[ -n "$OVPN_AUTH" ] && echo "auth $OVPN_AUTH" >> "$conf" - -[ -n "${OVPN_CLIENT_TO_CLIENT:-}" ] && echo "client-to-client" >> "$conf" -[ "$OVPN_COMP_LZO" == "1" ] && echo "comp-lzo" >> "$conf" -[ "$OVPN_COMP_LZO" == "0" ] && echo "comp-lzo no" >> "$conf" - -[ -n "${OVPN_FRAGMENT:-}" ] && echo "fragment $OVPN_FRAGMENT" >> "$conf" - -# Append route commands -if [ ${#OVPN_ROUTES[@]} -gt 0 ]; then - for i in "${OVPN_ROUTES[@]}"; do - process_route_config "$i" - done - echo -e "\n### Route Configurations Below" >> "$conf" - cat $TMP_ROUTE_CONFIGFILE >> "$conf" -fi - -# Append push commands -[ "$OVPN_DNS" == "1" ] && for i in "${OVPN_DNS_SERVERS[@]}"; do - process_push_config "dhcp-option DNS $i" -done - -if [ "$OVPN_COMP_LZO" == "0" ]; then - process_push_config "comp-lzo no" -fi - -[ ${#OVPN_PUSH[@]} -gt 0 ] && for i in "${OVPN_PUSH[@]}"; do - process_push_config "$i" -done - -echo -e "\n### Push Configurations Below" >> "$conf" -cat $TMP_PUSH_CONFIGFILE >> "$conf" - -# Append optional OTP authentication support -if [ -n "${OVPN_OTP_AUTH:-}" ]; then - echo -e "\n\n# Enable OTP+PAM for user authentication" >> "$conf" - echo "plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" >> "$conf" - echo "reneg-sec 0" >> "$conf" -fi - -# Append extra server configurations -if [ ${#OVPN_EXTRA_SERVER_CONFIG[@]} -gt 0 ]; then - for i in "${OVPN_EXTRA_SERVER_CONFIG[@]}"; do - process_extra_config "$i" - done - echo -e "\n### Extra Configurations Below" >> "$conf" - cat $TMP_EXTRA_CONFIGFILE >> "$conf" -fi - -set +e - -# Clean-up duplicate configs -if diff -q "${bak_env:-}" "$OVPN_ENV" 2>/dev/null; then - echo "Removing duplicate back-up: $bak_env" - rm -fv "$bak_env" -fi -if diff -q "${bak:-}" "$conf" 2>/dev/null; then - echo "Removing duplicate back-up: $bak" - rm -fv "$bak" -fi - -echo "Successfully generated config" diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient deleted file mode 100755 index 092aeea..0000000 --- a/bin/ovpn_getclient +++ /dev/null @@ -1,132 +0,0 @@ -#!/bin/bash - -# -# Get an OpenVPN client configuration file -# - -if [ "$DEBUG" == "1" ]; then - set -x -fi - -set -e - -if [ -z "$OPENVPN" ]; then - export OPENVPN="$PWD" -fi -if ! source "$OPENVPN/ovpn_env.sh"; then - echo "Could not source $OPENVPN/ovpn_env.sh." - exit 1 -fi -if [ -z "$EASYRSA_PKI" ]; then - export EASYRSA_PKI="$OPENVPN/pki" -fi - -cn="$1" -parm="$2" - -if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then - echo "Unable to find \"${cn}\", please try again or generate the key first" >&2 - exit 1 -fi - -get_client_config() { - mode="$1" - echo " -client -nobind -dev $OVPN_DEVICE -remote-cert-tls server - -remote $OVPN_CN $OVPN_PORT $OVPN_PROTO" - if [ "$OVPN_PROTO" == "udp6" ]; then - echo "remote $OVPN_CN $OVPN_PORT udp" - fi - if [ "$OVPN_PROTO" == "tcp6" ]; then - echo "remote $OVPN_CN $OVPN_PORT tcp" - fi - for i in "${OVPN_EXTRA_CLIENT_CONFIG[@]}"; do - echo "$i" - done - if [ "$mode" == "combined" ]; then - echo " - -$(cat $EASYRSA_PKI/private/${cn}.key) - - -$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt) - - -$(cat $EASYRSA_PKI/ca.crt) - -key-direction 1 - -$(cat $EASYRSA_PKI/ta.key) - -" - elif [ "$mode" == "separated" ]; then - echo " -key ${cn}.key -ca ca.crt -cert ${cn}.crt -tls-auth ta.key 1 -" - fi - - if [ "$OVPN_DEFROUTE" != "0" ];then - echo "redirect-gateway def1" - fi - - if [ -n "$OVPN_MTU" ]; then - echo "tun-mtu $OVPN_MTU" - fi - - if [ -n "$OVPN_TLS_CIPHER" ]; then - echo "tls-cipher $OVPN_TLS_CIPHER" - fi - - if [ -n "$OVPN_CIPHER" ]; then - echo "cipher $OVPN_CIPHER" - fi - - if [ -n "$OVPN_AUTH" ]; then - echo "auth $OVPN_AUTH" - fi - - if [ -n "$OVPN_OTP_AUTH" ]; then - echo "auth-user-pass" - echo "auth-nocache" - fi - - if [ "$OVPN_COMP_LZO" == "1" ]; then - echo "comp-lzo" - fi - - if [ -n "$OVPN_OTP_AUTH" ]; then - echo reneg-sec 0 - fi -} - -dir="$OPENVPN/clients/$cn" -case "$parm" in - "separated") - mkdir -p "$dir" - get_client_config "$parm" > "$dir/${cn}.ovpn" - cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key" - cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt" - cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt" - cp "$EASYRSA_PKI/ta.key" "$dir/ta.key" - ;; - "" | "combined") - get_client_config "combined" - ;; - "combined-save") - mkdir -p "$dir" - get_client_config "combined" > "$dir/${cn}-combined.ovpn" - ;; - *) - echo "This script can produce the client configuration in two formats:" >&2 - echo " 1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2 - echo " 2. separated: Separated files." >&2 - echo "Please specify one of those options as second parameter." >&2 - ;; -esac diff --git a/bin/ovpn_getclient_all b/bin/ovpn_getclient_all deleted file mode 100755 index f760495..0000000 --- a/bin/ovpn_getclient_all +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -## @licence MIT -## @author Copyright (C) 2015 Robin Schneider - -if [ -z "$OPENVPN" ]; then - export OPENVPN="$PWD" -fi -if ! source "$OPENVPN/ovpn_env.sh"; then - echo "Could not source $OPENVPN/ovpn_env.sh." - exit 1 -fi -if [ -z "$EASYRSA_PKI" ]; then - export EASYRSA_PKI="$OPENVPN/pki" -fi - -pushd "$EASYRSA_PKI" -for name in issued/*.crt; do - name=${name%.crt} - name=${name#issued/} - if [ "$name" != "$OVPN_CN" ]; then - ovpn_getclient "$name" separated - ovpn_getclient "$name" combined-save - fi -done -popd diff --git a/bin/ovpn_getclient_config b/bin/ovpn_getclient_config new file mode 100755 index 0000000..92d8f0b --- /dev/null +++ b/bin/ovpn_getclient_config @@ -0,0 +1,93 @@ +#!/bin/bash + +# +# Get an OpenVPN client configuration file +# + +if [ "$DEBUG" == "1" ]; then + set -x +fi + +set -e + +if [ -z "$OPENVPN" ]; then + export OPENVPN="$PWD" +fi +if [ -z "$EASYRSA_PKI" ]; then + export EASYRSA_PKI="$OPENVPN/pki" +fi + +[ -f $OPENVPN/server ] || { echo "Missing OpenVPN server setup!"; exit 1; } + +cn="$1" +type="$2" +[ -z "$type" ] && type="ovpn" + +server="$(cat $OPENVPN/server)" + +set +x + +if [ "$type" == "ovpn" -o "$type" == "combined" ]; then + if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then + echo "Unable to find certificate or key for \"${cn}\" !" >&2 + exit 1 + fi + + echo " +client +dev tun +proto udp +resolv-retry infinite +nobind +persist-key +persist-tun +remote-cert-tls server +cipher AES-256-GCM + +auth-user-pass +reneg-sec 0 +#static-challenge "Enter Google Authenticator Code:" 1 + +# comp-lzo yes +user nobody +verb 3 + +remote $server + + +$(cat $EASYRSA_PKI/private/${cn}.key) + + +$(openssl x509 -in $EASYRSA_PKI/issued/${cn}.crt) + + +$(cat $EASYRSA_PKI/ca.crt) + + +$(cat $EASYRSA_PKI/ta.key) + +" +fi + + +# TOTP incl. QRCODE +if [ "$type" == "totp" -o "$type" == "combined" ]; then + if [ ! -f "${OPENVPN}/otp/${cn}.google_authenticator" ]; then + echo "Unable to find TOTP data for \"${cn}\" !" >&2 + exit 1 + fi + + # secret is always first line + secret="$(head -1 ${OPENVPN}/otp/${cn}.google_authenticator)" + + # remaining one time codes are at the bottom, max 5 + onetime="$(tail -n +2 ${OPENVPN}/otp/${cn}.google_authenticator | grep -v \")" + + # Output as UTF8 and remove all ANSI control to allow piping eg. into yopass + echo "otpauth://totp/${cn}?secret=${secret}&issuer=${server}" | qrencode -o - -t ANSIUTF8 | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g" + + echo "Your new secret key is: $secret" + echo "Your emergency scratch codes are:" + echo "$onetime" + +fi diff --git a/bin/ovpn_initpki b/bin/ovpn_initpki index 11a3ccb..810f51a 100755 --- a/bin/ovpn_initpki +++ b/bin/ovpn_initpki @@ -10,34 +10,13 @@ fi set -e -source "$OPENVPN/ovpn_env.sh" - -# Specify "nopass" as arg[2] to make the CA insecure (not recommended!) -nopass=$1 - # Provides a sufficient warning before erasing pre-existing files easyrsa init-pki -# CA always has a password for protection in event server is compromised. The -# password is only needed to sign client/server certificates. No password is -# needed for normal OpenVPN operation. -easyrsa build-ca $nopass +# we rely on external KMS +echo "BastionOpenVPNRootCA" | easyrsa build-ca nopass easyrsa gen-dh openvpn --genkey secret $EASYRSA_PKI/ta.key -# Was nice to autoset, but probably a bad idea in practice, users should -# have to explicitly specify the common name of their server -#if [ -z "$cn"]; then -# #TODO: Handle IPv6 (when I get a VPS with IPv6)... -# ip4=$(dig +short myip.opendns.com @resolver1.opendns.com) -# ptr=$(dig +short -x $ip4 | sed -e 's:\.$::') -# -# [ -n "$ptr" ] && cn=$ptr || cn=$ip4 -#fi - -# For a server key with a password, manually init; this is autopilot -easyrsa build-server-full "$OVPN_CN" nopass - -# Generate the CRL for client/server certificates revocation. easyrsa gen-crl diff --git a/bin/ovpn_listclients b/bin/ovpn_listclients index 47f4459..316b10a 100755 --- a/bin/ovpn_listclients +++ b/bin/ovpn_listclients @@ -3,10 +3,6 @@ if [ -z "$OPENVPN" ]; then export OPENVPN="$PWD" fi -if ! source "$OPENVPN/ovpn_env.sh"; then - echo "Could not source $OPENVPN/ovpn_env.sh." - exit 1 -fi if [ -z "$EASYRSA_PKI" ]; then export EASYRSA_PKI="$OPENVPN/pki" fi @@ -27,7 +23,7 @@ for name in issued/*.crt; do name=${name%.crt} name=${name#issued/} - if [ "$name" != "$OVPN_CN" ]; then + #if [ "$name" != "$OVPN_CN" ]; then # check for revocation or expiration command="openssl verify -crl_check -CAfile cacheck.pem $path" result=$($command) @@ -47,7 +43,7 @@ for name in issued/*.crt; do esac fi echo "$name,$begin,$end,$status" - fi + #fi done # Clean diff --git a/bin/ovpn_otp_user b/bin/ovpn_otp_user deleted file mode 100755 index dcebd4a..0000000 --- a/bin/ovpn_otp_user +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/bash - -# -# Generate OpenVPN users via google authenticator -# - -if ! source "$OPENVPN/ovpn_env.sh"; then - echo "Could not source $OPENVPN/ovpn_env.sh." - exit 1 -fi - -if [ "x$OVPN_OTP_AUTH" != "x1" ]; then - echo "OTP authentication not enabled, please regenerate configuration using -2 flag" - exit 1 -fi - -if [ -z $1 ]; then - echo "Usage: ovpn_otp_user USERNAME" - exit 1 -fi - -# Ensure the otp folder is present -[ -d /etc/openvpn/otp ] || mkdir -p /etc/openvpn/otp - -# Binary is present in image, save an $user.google_authenticator file in /etc/openvpn/otp -if [ "$2" == "interactive" ]; then - # Authenticator will ask for other parameters. User can choose rate limit, token reuse policy and time window policy - # Always use time base OTP otherwise storage for counters must be configured somewhere in volume - google-authenticator --time-based --force -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator -else - # Skip confirmation if not running in interctive mode. Essential for integration tests. - google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \ - -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator --no-confirm -fi diff --git a/bin/ovpn_revokeclient b/bin/ovpn_revokeclient index 00fefd9..062eac0 100755 --- a/bin/ovpn_revokeclient +++ b/bin/ovpn_revokeclient @@ -13,10 +13,6 @@ set -e if [ -z "$OPENVPN" ]; then export OPENVPN="$PWD" fi -if ! source "$OPENVPN/ovpn_env.sh"; then - echo "Could not source $OPENVPN/ovpn_env.sh." - exit 1 -fi if [ -z "$EASYRSA_PKI" ]; then export EASYRSA_PKI="$OPENVPN/pki" fi @@ -24,16 +20,16 @@ fi cn="$1" if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then - echo "Unable to find \"${cn}\", please try again or generate the key first" >&2 + echo "Unable to find \"${cn}\"" >&2 exit 1 fi -revoke_client_certificate(){ - easyrsa revoke "$1" - echo "Generating the Certificate Revocation List :" - easyrsa gen-crl - cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem" - chmod 644 "$OPENVPN/crl.pem" -} +export EASYRSA_BATCH="True" -revoke_client_certificate "$cn" +easyrsa revoke "$cn" +echo "Revoked $cn" + +echo "Updating crl.pem" +easyrsa gen-crl + +rm -f $OPENVPN/pki/issued/$cn.crt $OPENVPN/pki/private/$cn.key $OPENVPN/pki/reqs/$cn.req $OPENVPN/otp/$cn.google_authenticator diff --git a/bin/ovpn_run b/bin/ovpn_run index 154ca15..01d63a2 100755 --- a/bin/ovpn_run +++ b/bin/ovpn_run @@ -12,31 +12,6 @@ set -e cd $OPENVPN -# bootstrap things? -if [[ "$BOOTSTRAP_CA" == "TRUE" ]]; then - echo "bootstrapping ca" - - #check if it already exist to not overwrite things - if [ -f "/etc/openvpn/ovpn_env.sh" ]; then - echo "config already initialized - skipping" - else - ovpn_genconfig -u $PROTOCOL://$VPN_HOSTNAME - source "$OPENVPN/ovpn_env.sh" - easyrsa init-pki - - easyrsa --batch --req-cn=$CA_SERVERNAME build-ca nopass - - easyrsa gen-dh - openvpn --genkey secret $EASYRSA_PKI/ta.key - # For a server key with a password, manually init; this is autopilot - easyrsa build-server-full "$OVPN_CN" nopass - - # Generate the CRL for client/server certificates revocation. - easyrsa gen-crl - fi -fi - - # Build runtime arguments array based on environment USER_ARGS=("${@}") ARGS=() @@ -64,10 +39,9 @@ function addArg { # set up iptables rules and routing # this allows rules/routing to be altered by supplying this function -# in an included file, such as ovpn_env.sh function setupIptablesAndRouting { - $IPTABLES -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || { - $IPTABLES -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE + $IPTABLES -t nat -C POSTROUTING -s $VPN_CIDR_RANGE -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || { + $IPTABLES -t nat -A POSTROUTING -s $VPN_CIDR_RANGE -o $OVPN_NATDEVICE -j MASQUERADE } for i in "${OVPN_ROUTES[@]}"; do $IPTABLES -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || { @@ -79,7 +53,10 @@ function setupIptablesAndRouting { addArg "--config" "$OPENVPN/openvpn.conf" -source "$OPENVPN/ovpn_env.sh" +VPN_CIDR_RANGE="172.16.10.0/24" + +# When using --net=host, use this to specify nat device. +OVPN_NATDEVICE=eth0 mkdir -p /dev/net if [ ! -c /dev/net/tun ]; then @@ -90,43 +67,8 @@ if [ -d "$OPENVPN/ccd" ]; then addArg "--client-config-dir" "$OPENVPN/ccd" fi -# When using --net=host, use this to specify nat device. -[ -z "$OVPN_NATDEVICE" ] && OVPN_NATDEVICE=eth0 - # Setup NAT forwarding if requested -if [ "$OVPN_DEFROUTE" != "0" ] || [ "$OVPN_NAT" == "1" ] ; then - # call function to setup iptables rules and routing - # this allows rules to be customized by supplying - # a replacement function in, for example, ovpn_env.sh - setupIptablesAndRouting -fi - -# Use a copy of crl.pem as the CRL Needs to be readable by the user/group -# OpenVPN is running as. Only pass arguments to OpenVPN if it's found. -if [ "$EASYRSA_PKI/crl.pem" -nt "$OPENVPN/crl.pem" ]; then - cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem" - chmod 644 "$OPENVPN/crl.pem" -fi - -if [ -r "$OPENVPN/crl.pem" ]; then - addArg "--crl-verify" "$OPENVPN/crl.pem" -fi - -ip -6 route show default 2>/dev/null -if [ $? = 0 ]; then - echo "Checking IPv6 Forwarding" - if [ "$(