diff --git a/tools/install_openvpn.sh b/tools/install_openvpn.sh index 3b52cf11b8..a3a2346fb6 100644 --- a/tools/install_openvpn.sh +++ b/tools/install_openvpn.sh @@ -1,60 +1,154 @@ -# rough history from wilk - need to cleanup -apt-get install -y openvpn bridge-utils -cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/ -cd /etc/openvpn/easy-rsa -source vars -./clean-all -./build-dh -./pkitool --initca -./pkitool --server server -./pkitool client1 -cd keys -openvpn --genkey --secret ta.key ## Build a TLS key -cp server.crt server.key ca.crt dh1024.pem ta.key ../../ -cd ../../ +#!/bin/bash +# install_openvpn.sh - Install OpenVPN and generate required certificates +# +# install_openvpn.sh --client name +# install_openvpn.sh --server [name] +# +# name is used on the CN of the generated cert, and the filename of +# the configuration, certificate and key files. +# +# --server mode configures the host with a running OpenVPN server instance +# --client mode creates a tarball of a client configuration for this server -cat >/etc/openvpn/server.conf <<EOF -duplicate-cn -port 6081 -proto tcp -dev tun +# VPN Config +VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`} # 50.56.12.212 +VPN_PROTO=${VPN_PROTO:-tcp} +VPN_PORT=${VPN_PORT:-6081} +VPN_DEV=${VPN_DEV:-tun} +VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0} +VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0} +VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0} +VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0} + +VPN_DIR=/etc/openvpn +CA_DIR=/etc/openvpn/easy-rsa + +usage() { + echo "$0 - OpenVPN install and certificate generation" + echo "" + echo "$0 --client name" + echo "$0 --server [name]" + echo "" + echo " --server mode configures the host with a running OpenVPN server instance" + echo " --client mode creates a tarball of a client configuration for this server" + exit 1 +} + +if [ -z $1 ]; then + usage +fi + +# Install OpenVPN +if [ ! -x `which openvpn` ]; then + apt-get install -y openvpn bridge-utils +fi +if [ ! -d $CA_DIR ]; then + cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR +fi + +OPWD=`pwd` +cd $CA_DIR +source ./vars + +# Override the defaults +export KEY_COUNTRY="US" +export KEY_PROVINCE="TX" +export KEY_CITY="SanAntonio" +export KEY_ORG="Cloudbuilders" +export KEY_EMAIL="rcb@lists.rackspace.com" + +if [ ! -r $CA_DIR/keys/dh1024.pem ]; then + # Initialize a new CA + $CA_DIR/clean-all + $CA_DIR/build-dh + $CA_DIR/pkitool --initca + openvpn --genkey --secret $CA_DIR/keys/ta.key ## Build a TLS key +fi + +do_server() { + NAME=$1 + # Generate server certificate + $CA_DIR/pkitool --server $NAME + + (cd $CA_DIR/keys; + cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR + ) + cat >$VPN_DIR/$NAME.conf <<EOF +proto $VPN_PROTO +port $VPN_PORT +dev $VPN_DEV +cert $NAME.crt +key $NAME.key # This file should be kept secret ca ca.crt -cert server.crt -key server.key # This file should be kept secret dh dh1024.pem -server 172.16.28.0 255.255.255.0 +duplicate-cn +server $VPN_CLIENT_NET $VPN_CLIENT_MASK ifconfig-pool-persist ipp.txt -push "route 10.0.0.0 255.255.255.224" +push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK" comp-lzo +user nobody +group nobody persist-key persist-tun status openvpn-status.log EOF -/etc/init.d/openvpn restart + /etc/init.d/openvpn restart +} -echo Use the following ca for your client: -cat /etc/openvpn/ca.crt +do_client() { + NAME=$1 + # Generate a client certificate + $CA_DIR/pkitool $NAME -echo -echo Use the following cert for your client -cat /etc/openvpn/easy-rsa/keys/client1.crt -echo -echo Use the following key for your client -cat /etc/openvpn/easy-rsa/keys/client1.key -echo -echo Use the following client config: -cat <<EOF + TMP_DIR=`mktemp -d` + (cd $CA_DIR/keys; + cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR + ) + if [ -r $VPN_DIR/hostname ]; then + HOST=`cat $VPN_DIR/hostname` + else + HOST=`hostname` + fi + cat >$TMP_DIR/$HOST.conf <<EOF +proto $VPN_PROTO +port $VPN_PORT +dev $VPN_DEV +cert $NAME.crt +key $NAME.key # This file should be kept secret ca ca.crt -cert client.crt -key client.key client -dev tun -proto tcp -remote 50.56.12.212 6081 +remote $VPN_SERVER $VPN_PORT resolv-retry infinite nobind +user nobody +group nobody persist-key persist-tun comp-lzo verb 3 EOF + (cd $TMP_DIR; tar cf $OPWD/$NAME.tar *) + rm -rf $TMP_DIR + echo "Client certificate and configuration is in $OPWD/$NAME.tar" +} + +# Process command line args +case $1 in + --client) if [ -z $2 ]; then + usage + fi + do_client $2 + ;; + --server) if [ -z $2 ]; then + NAME=`hostname` + else + NAME=$2 + # Save for --client use + echo $NAME >$VPN_DIR/hostname + fi + do_server $NAME + ;; + --clean) $CA_DIR/clean-all + ;; + *) usage +esac