Major refactor of vpn install

2011-09-27 12:57:53 -05:00 · 2011-09-27 12:57:53 -05:00 · 135fb64534
commit 135fb64534
parent 2969c701a0
1 changed files with 134 additions and 40 deletions
--- a/tools/install_openvpn.sh
+++ b/tools/install_openvpn.sh
@ -1,60 +1,154 @@
-# rough history from wilk - need to cleanup
+#!/bin/bash
-apt-get install -y openvpn bridge-utils
+# install_openvpn.sh - Install OpenVPN and generate required certificates
-cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
+#
-cd /etc/openvpn/easy-rsa
+# install_openvpn.sh --client name
-source vars
+# install_openvpn.sh --server [name]
-./clean-all
+#
-./build-dh
+# name is used on the CN of the generated cert, and the filename of
-./pkitool --initca
+# the configuration, certificate and key files.
-./pkitool --server server
+#
-./pkitool client1
+# --server mode configures the host with a running OpenVPN server instance
-cd keys
+# --client mode creates a tarball of a client configuration for this server
 openvpn --genkey --secret ta.key  ## Build a TLS key
 cp server.crt server.key ca.crt dh1024.pem ta.key ../../
 cd ../../
-cat >/etc/openvpn/server.conf <<EOF
+# VPN Config
-duplicate-cn
+VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`}  # 50.56.12.212
-port 6081
+VPN_PROTO=${VPN_PROTO:-tcp}
-proto tcp
+VPN_PORT=${VPN_PORT:-6081}
-dev tun
+VPN_DEV=${VPN_DEV:-tun}
 VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}
 VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}
 VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}
 VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}
 VPN_DIR=/etc/openvpn
 CA_DIR=/etc/openvpn/easy-rsa
 usage() {
    echo "$0 - OpenVPN install and certificate generation"
    echo ""
    echo "$0 --client name"
    echo "$0 --server [name]"
    echo ""
    echo " --server mode configures the host with a running OpenVPN server instance"
    echo " --client mode creates a tarball of a client configuration for this server"
    exit 1
 }
 if [ -z $1 ]; then
    usage
 fi
 # Install OpenVPN
 if [ ! -x `which openvpn` ]; then
    apt-get install -y openvpn bridge-utils
 fi
 if [ ! -d $CA_DIR ]; then
    cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
 fi
 OPWD=`pwd`
 cd $CA_DIR
 source ./vars
 # Override the defaults
 export KEY_COUNTRY="US"
 export KEY_PROVINCE="TX"
 export KEY_CITY="SanAntonio"
 export KEY_ORG="Cloudbuilders"
 export KEY_EMAIL="rcb@lists.rackspace.com"
 if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
    # Initialize a new CA
    $CA_DIR/clean-all
    $CA_DIR/build-dh
    $CA_DIR/pkitool --initca
    openvpn --genkey --secret $CA_DIR/keys/ta.key  ## Build a TLS key
 fi
 do_server() {
    NAME=$1
    # Generate server certificate
    $CA_DIR/pkitool --server $NAME
    (cd $CA_DIR/keys;
        cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
    )
    cat >$VPN_DIR/$NAME.conf <<EOF
 proto $VPN_PROTO
 port $VPN_PORT
 dev $VPN_DEV
 cert $NAME.crt
 key $NAME.key  # This file should be kept secret
 ca ca.crt
 cert server.crt
 key server.key  # This file should be kept secret
 dh dh1024.pem
-server 172.16.28.0 255.255.255.0
+duplicate-cn
 server $VPN_CLIENT_NET $VPN_CLIENT_MASK
 ifconfig-pool-persist ipp.txt
-push "route 10.0.0.0 255.255.255.224"
+push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"
 comp-lzo
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 EOF
-/etc/init.d/openvpn restart
+    /etc/init.d/openvpn restart
 }
-echo Use the following ca for your client:
+do_client() {
-cat /etc/openvpn/ca.crt
+    NAME=$1
    # Generate a client certificate
    $CA_DIR/pkitool $NAME
-echo
+    TMP_DIR=`mktemp -d`
-echo Use the following cert for your client
+    (cd $CA_DIR/keys;
-cat /etc/openvpn/easy-rsa/keys/client1.crt 
+        cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
-echo
+    )
-echo Use the following key for your client
+    if [ -r $VPN_DIR/hostname ]; then
-cat /etc/openvpn/easy-rsa/keys/client1.key 
+        HOST=`cat $VPN_DIR/hostname`
-echo
+    else
-echo Use the following client config:
+        HOST=`hostname`
-cat <<EOF
+    fi
    cat >$TMP_DIR/$HOST.conf <<EOF
 proto $VPN_PROTO
 port $VPN_PORT
 dev $VPN_DEV
 cert $NAME.crt
 key $NAME.key  # This file should be kept secret
 ca ca.crt
 cert client.crt
 key client.key
 client
-dev tun
+remote $VPN_SERVER $VPN_PORT
 proto tcp
 remote 50.56.12.212 6081
 resolv-retry infinite
 nobind
 user nobody
 group nobody
 persist-key
 persist-tun
 comp-lzo
 verb 3
 EOF
    (cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)
    rm -rf $TMP_DIR
    echo "Client certificate and configuration is in $OPWD/$NAME.tar"
 }
 # Process command line args
 case $1 in
    --client)   if [ -z $2 ]; then
                    usage
                fi
                do_client $2
                ;;
    --server)   if [ -z $2 ]; then
                    NAME=`hostname`
                else
                    NAME=$2
                    # Save for --client use
                    echo $NAME >$VPN_DIR/hostname
                fi
                do_server $NAME
                ;;
    --clean)    $CA_DIR/clean-all
                ;;
    *)          usage
 esac