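#!/bin/bash
#
# Get an OpenVPN client configuration file
#
# Usage: ovpn_getclient_config <common-name> [ovpn|totp|combined]
#
#   ovpn      - print an .ovpn profile with inline key, cert, CA and tls-auth
#   totp      - print a TOTP enrolment QR code, the secret and scratch codes
#   combined  - both of the above
#
# Environment:
#   OPENVPN      OpenVPN config directory (default: $PWD); must contain "server"
#   EASYRSA_PKI  easy-rsa PKI directory (default: $OPENVPN/pki)
#   DEBUG        set to 1 to trace commands; tracing is switched off again
#                before any key material is read
#
# Everything meant for the user goes to stdout so it can be piped onwards;
# diagnostics go to stderr.
#
if [ "${DEBUG:-}" == "1" ]; then
  set -x
fi
# pipefail makes a failing qrencode/sed stage abort the script instead of
# silently printing a truncated QR code.
set -euo pipefail

if [ -z "${OPENVPN:-}" ]; then
  export OPENVPN="$PWD"
fi
if [ -z "${EASYRSA_PKI:-}" ]; then
  export EASYRSA_PKI="$OPENVPN/pki"
fi
[ -f "$OPENVPN/server" ] || { echo "Missing OpenVPN server setup!" >&2; exit 1; }

cn="${1:-}"
mode="${2:-ovpn}"

# The common name is used as a path component under $EASYRSA_PKI and
# $OPENVPN/otp below, so refuse values that are empty, hidden, or that
# could point outside those directories.
case "$cn" in
  "" | .* | */*)
    echo "Usage: ${0##*/} <common-name> [ovpn|totp|combined]" >&2
    exit 1
    ;;
esac
case "$mode" in
  ovpn | totp | combined) ;;
  *)
    echo "Unknown output type \"${mode}\" (expected ovpn, totp or combined)" >&2
    exit 1
    ;;
esac

server="$(cat "$OPENVPN/server")"

# Stop tracing before private key material is read so it never ends up
# on stderr when DEBUG=1.
set +x

if [ "$mode" == "ovpn" ] || [ "$mode" == "combined" ]; then
  key="$EASYRSA_PKI/private/${cn}.key"
  crt="$EASYRSA_PKI/issued/${cn}.crt"
  ca="$EASYRSA_PKI/ca.crt"
  ta="$EASYRSA_PKI/ta.key"
  if [ ! -f "$key" ] || [ ! -f "$crt" ]; then
    echo "Unable to find certificate or key for \"${cn}\" !" >&2
    exit 1
  fi
  # Check these up front too: a missing file inside $(...) would otherwise
  # produce an empty <ca>/<tls-auth> block and a profile that looks valid.
  for f in "$ca" "$ta"; do
    [ -f "$f" ] || { echo "Missing PKI file: $f" >&2; exit 1; }
  done
  # A here-doc keeps the embedded double quotes (e.g. in the commented-out
  # static-challenge line) literal; `openssl x509` re-emits only the PEM
  # block of the certificate, dropping any text preamble before it.
  cat <<EOF

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth-user-pass
reneg-sec 0
#static-challenge "Enter Google Authenticator Code:" 1
# comp-lzo yes
user nobody
verb 3
remote $server
<key>
$(cat "$key")
</key>
<cert>
$(openssl x509 -in "$crt")
</cert>
<ca>
$(cat "$ca")
</ca>
<tls-auth>
$(cat "$ta")
</tls-auth>

EOF
fi

# TOTP incl. QRCODE
if [ "$mode" == "totp" ] || [ "$mode" == "combined" ]; then
  otp_file="${OPENVPN}/otp/${cn}.google_authenticator"
  if [ ! -f "$otp_file" ]; then
    echo "Unable to find TOTP data for \"${cn}\" !" >&2
    exit 1
  fi
  # secret is always first line
  secret="$(head -n 1 "$otp_file")"
  # Remaining lines: those starting with '"' are option lines, the rest are
  # the one-time scratch codes at the bottom (max 5). grep -v exits 1 when
  # no codes are left, which must not abort the script under set -e.
  onetime="$(tail -n +2 "$otp_file" | grep -v '"' || true)"
  # Output as UTF8 and remove all ANSI control sequences so the QR code can
  # be piped onwards, e.g. into yopass.
  printf '%s\n' "otpauth://totp/${cn}?secret=${secret}&issuer=${server}" \
    | qrencode -o - -t ANSIUTF8 \
    | sed "s,\x1B\[[0-9;]*[a-zA-Z],,g"
  echo "Your new secret key is: $secret"
  echo "Your emergency scratch codes are:"
  echo "$onetime"
fi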