
Client name support spaces now.

Append @hostname to client config file names to prevent
duplicate file names on the client side.
This commit is contained in:
Hoang Huynh 2014-03-11 18:20:12 +07:00
parent 9cd0ae2270
commit a265c407c7


@ -1,9 +1,11 @@
#!/bin/bash #!/bin/bash
# OpenVPN road warrior installer for Debian-based distros # OpenVPN road warrior installer for Debian-based distros
# Check for Debian-based distro
# TODO check for Debian-based distros if [ ! -e /etc/debian_version ]; then
echo "Sorry, you need to be on a Debian-based OS to run this"
exit 1
fi
# Check for root # Check for root
if [ $USER != 'root' ]; then if [ $USER != 'root' ]; then
@ -11,14 +13,12 @@ if [ $USER != 'root' ]; then
exit 1 exit 1
fi fi
# check for tun/tap # check for tun/tap
if [ ! -e /dev/net/tun ]; then if [ ! -e /dev/net/tun ]; then
echo "TUN/TAP is not available, please enable it first (contact your provider if you don't know how)" echo "TUN/TAP is not available, please enable it first (contact your provider if you don't know how)"
exit 1 exit 1
fi fi
# Try to get our IP from the system and fallback to the Internet. # Try to get our IP from the system and fallback to the Internet.
# I do this to make the script compatible with NATed servers (lowendspirit.com) # I do this to make the script compatible with NATed servers (lowendspirit.com)
# and to avoid getting an IPv6. # and to avoid getting an IPv6.
@ -27,7 +27,10 @@ if [ "$IP" = "" ]; then
IP=$(wget -qO- ipv4.icanhazip.com) IP=$(wget -qO- ipv4.icanhazip.com)
fi fi
# Get the machine host name
HOSTNAME=$(hostname)
# If OpenVPN is already installed
if [ -e /etc/openvpn/server.conf ]; then if [ -e /etc/openvpn/server.conf ]; then
while : while :
do do
@ -45,30 +48,30 @@ if [ -e /etc/openvpn/server.conf ]; then
1) 1)
echo "" echo ""
echo "Tell me a name for the client cert" echo "Tell me a name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use words and spaces only, no special characters"
read -p "Client name: " -e CLIENT read -p "Client name: " -e -i $(id -un) CLIENT
cd /etc/openvpn/easy-rsa/2.0/ cd /etc/openvpn/easy-rsa/2.0/
source ./vars source ./vars
# build-key for the client # build-key for the client
export KEY_CN="$CLIENT" export KEY_CN="$CLIENT"
export EASY_RSA="${EASY_RSA:-.}" export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" $CLIENT "$EASY_RSA/pkitool" "$CLIENT"
# Let's generate the client config # Let's generate the client config
mkdir ~/ovpn-$CLIENT mkdir ~/ovpn-"$CLIENT"
# add server IP to the file names to prevent duplication on client configs # add server IP to the file names to prevent duplication on client configs
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-$CLIENT/$CLIENT@$IP.conf cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.conf
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-$CLIENT/ca@$IP.crt cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-"$CLIENT"/ca@$HOSTNAME.crt
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.crt ~/ovpn-$CLIENT/$CLIENT@$IP.crt cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".crt ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.crt
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.key ~/ovpn-$CLIENT/$CLIENT@$IP.key cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".key ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.key
cd ~/ovpn-$CLIENT cd ~/ovpn-"$CLIENT"
sed -i "s|ca ca.crt|ca ca@$IP.crt|" $CLIENT@$IP.conf sed -i "s|ca ca.crt|ca ca@$HOSTNAME.crt|" "$CLIENT"@$HOSTNAME.conf
sed -i "s|cert client.crt|cert $CLIENT@$IP.crt|" $CLIENT@$IP.conf sed -i "s|cert client.crt|cert \"$CLIENT@$HOSTNAME.crt\"|" "$CLIENT"@$HOSTNAME.conf
sed -i "s|key client.key|key $CLIENT@$IP.key|" $CLIENT@$IP.conf sed -i "s|key client.key|key \"$CLIENT@$HOSTNAME.key\"|" "$CLIENT"@$HOSTNAME.conf
# add an .ovpn file which is essentially the .conf file for client-side openvpn GUI tool on Windows # add an .ovpn file which is essentially the .conf file for client-side openvpn GUI tool on Windows
cp $CLIENT@$IP.conf $CLIENT@$IP.ovpn cp "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn
tar -czf ../ovpn-$CLIENT.tar.gz $CLIENT@$IP.conf $CLIENT@$IP.ovpn ca@$IP.crt $CLIENT@$IP.crt $CLIENT@$IP.key tar -czf ../ovpn-"$CLIENT".tar.gz "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn ca@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.key
cd ~/ cd ~/
rm -rf ovpn-$CLIENT rm -rf ovpn-"$CLIENT"
echo "" echo ""
echo "Client $CLIENT added, certs available at `pwd`/ovpn-$CLIENT.tar.gz" echo "Client $CLIENT added, certs available at `pwd`/ovpn-$CLIENT.tar.gz"
exit 0 exit 0
@ -79,7 +82,7 @@ if [ -e /etc/openvpn/server.conf ]; then
read -p "Client name: " -e CLIENT read -p "Client name: " -e CLIENT
cd /etc/openvpn/easy-rsa/2.0/ cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars . /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/revoke-full $CLIENT . /etc/openvpn/easy-rsa/2.0/revoke-full "$CLIENT"
# If it's the first time revoking a cert, we need to add the crl-verify line # If it's the first time revoking a cert, we need to add the crl-verify line
if grep -q "crl-verify" "/etc/openvpn/server.conf"; then if grep -q "crl-verify" "/etc/openvpn/server.conf"; then
echo "" echo ""
@ -129,11 +132,11 @@ else
echo "" echo ""
echo "Do you want to allow multiple clients to connect with the same" echo "Do you want to allow multiple clients to connect with the same"
echo "certificate/key files? This is recommended only for trusted clients." echo "certificate/key files? This is recommended only for trusted clients."
read -p "Duplicate certificate [y/n]: " -e -i n DUPLICATE_CN read -p "Duplicate certificate [y/n]: " -e -i n DUPLICATECN
echo "" echo ""
echo "Finally, tell me your name for the client cert" echo "Finally, tell me your name for the client cert"
echo "Please, use one word only, no special characters" echo "Please, use words and spaces only, no special characters"
read -p "Client name: " -e CLIENT read -p "Client name: " -e -i $(id -un) CLIENT
echo "" echo ""
echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now" echo "Okay, that was all I needed. We are ready to setup your OpenVPN server now"
read -n1 -r -p "Press any key to continue..." read -n1 -r -p "Press any key to continue..."
@ -168,7 +171,7 @@ else
# Now the client keys. We need to set KEY_CN or the stupid pkitool will cry # Now the client keys. We need to set KEY_CN or the stupid pkitool will cry
export KEY_CN="$CLIENT" export KEY_CN="$CLIENT"
export EASY_RSA="${EASY_RSA:-.}" export EASY_RSA="${EASY_RSA:-.}"
"$EASY_RSA/pkitool" $CLIENT "$EASY_RSA/pkitool" "$CLIENT"
# DH params # DH params
. /etc/openvpn/easy-rsa/2.0/build-dh . /etc/openvpn/easy-rsa/2.0/build-dh
# Let's configure the server # Let's configure the server
@ -190,7 +193,7 @@ else
sed -i "/# By default this script does nothing./a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local sed -i "/# By default this script does nothing./a\iptables -t nat -A PREROUTING -p udp -d $IP --dport 53 -j REDIRECT --to-port $PORT" /etc/rc.local
fi fi
# Allow duplicate certificate/key files if user wants that # Allow duplicate certificate/key files if user wants that
if [ $DUPLICATE_CN = 'y' ]; then if [ $DUPLICATECN = 'y' ]; then
sed -i 's|;duplicate-cn|duplicate-cn|' server.conf sed -i 's|;duplicate-cn|duplicate-cn|' server.conf
fi fi
# Enable net.ipv4.ip_forward for the system # Enable net.ipv4.ip_forward for the system
@ -203,7 +206,7 @@ else
# And finally, restart OpenVPN # And finally, restart OpenVPN
/etc/init.d/openvpn restart /etc/init.d/openvpn restart
# Let's generate the client config # Let's generate the client config
mkdir ~/ovpn-$CLIENT mkdir ~/ovpn-"$CLIENT"
# Try to detect a NATed connection and ask about it to potential LowEndSpirit # Try to detect a NATed connection and ask about it to potential LowEndSpirit
# users # users
EXTERNALIP=$(wget -qO- ipv4.icanhazip.com) EXTERNALIP=$(wget -qO- ipv4.icanhazip.com)
@ -221,18 +224,18 @@ else
# IP/port set on the default client.conf so we can add further users # IP/port set on the default client.conf so we can add further users
# without asking for them # without asking for them
sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf sed -i "s|remote my-server-1 1194|remote $IP $PORT|" /usr/share/doc/openvpn/examples/sample-config-files/client.conf
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-$CLIENT/$CLIENT@$IP.conf cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.conf
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-$CLIENT/ca@$IP.crt cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt ~/ovpn-"$CLIENT"/ca@$HOSTNAME.crt
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.crt ~/ovpn-$CLIENT/$CLIENT@$IP.crt cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".crt ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.crt
cp /etc/openvpn/easy-rsa/2.0/keys/$CLIENT.key ~/ovpn-$CLIENT/$CLIENT@$IP.key cp /etc/openvpn/easy-rsa/2.0/keys/"$CLIENT".key ~/ovpn-"$CLIENT"/"$CLIENT"@$HOSTNAME.key
cd ~/ovpn-$CLIENT cd ~/ovpn-"$CLIENT"
sed -i "s|ca ca.crt|ca ca@$IP.crt|" $CLIENT@$IP.conf sed -i "s|ca ca.crt|ca ca@$HOSTNAME.crt|" "$CLIENT"@$HOSTNAME.conf
sed -i "s|cert client.crt|cert $CLIENT@$IP.crt|" $CLIENT@$IP.conf sed -i "s|cert client.crt|cert \"$CLIENT@$HOSTNAME.crt\"|" "$CLIENT"@$HOSTNAME.conf
sed -i "s|key client.key|key $CLIENT@$IP.key|" $CLIENT@$IP.conf sed -i "s|key client.key|key \"$CLIENT@$HOSTNAME.key\"|" "$CLIENT"@$HOSTNAME.conf
cp $CLIENT@$IP.conf $CLIENT@$IP.ovpn cp "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn
tar -czf ../ovpn-$CLIENT.tar.gz $CLIENT@$IP.conf $CLIENT@$IP.ovpn ca@$IP.crt $CLIENT@$IP.crt $CLIENT@$IP.key tar -czf ../ovpn-"$CLIENT".tar.gz "$CLIENT"@$HOSTNAME.conf "$CLIENT"@$HOSTNAME.ovpn ca@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.crt "$CLIENT"@$HOSTNAME.key
cd ~/ cd ~/
rm -rf ovpn-$CLIENT rm -rf ovpn-"$CLIENT"
echo "" echo ""
echo "Finished!" echo "Finished!"
echo "" echo ""
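Review bot: The client name is still accepted unvalidated at `read -p "Client name: " -e -i $(id -un) CLIENT` in both the add-client hunk (option 1) and the install hunk, even though the prompt now promises "words and spaces only" and the value is spliced into sed replacement text (`sed -i "s|cert client.crt|cert \"$CLIENT@$HOSTNAME.crt\"|" …`) and used as a path component for `mkdir`, `cp` and `rm -rf` while running as root, so a name containing `|`, `&`, `\` or `/` silently corrupts the generated config or touches the wrong path. Enforce the stated rule right after each read: `[[ "$CLIENT" =~ ^[A-Za-z0-9_\ -]+$ ]] || { echo "Client name may only contain letters, digits, spaces, '_' and '-'"; exit 1; }`. Separately, because the script already exits unless `$USER` is root, the new `-i $(id -un)` default will normally expand to `root`, which is a poor certificate CN; if a default is wanted, `-i "${SUDO_USER:-client}"` would be more useful. The enclosing `if [ -e /etc/openvpn/server.conf ] … else` block starts and ends outside these hunks.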