#!/bin/bash
########################################################################################################################
# openvpn-gen.sh
########################################################################################################################
#
# All rights reserved Ⓒ 2017-2023 sdxlive.com
#
# Majority of the credit goes to the script's original author, trovao
#
# Modified by Jean-Christophe Manciot <jcmanciot@sdxlive.com>
#
# Licensed under a GPLv3 License.
# You may not use this file except in compliance with the License. You may obtain a copy of the License at
#
#    https://www.gnu.org/licenses/gpl-3.0.md
#
# The licensor cannot revoke these freedoms as long as you follow the license terms.
#
# Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. 
# You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
#
########################################################################################################################

########################################################################################################################
#
# Generates an OpenVPN client config file on standard output (the screen, unless redirected to a file).
# 
########################################################################################################################
#
# Usage:
# -----
#
# openvpn-gen.sh my.openvpn-server.com\
#                /etc/openvpn/server/ca.crt \
#                /etc/openvpn/client/client1.crt \
#                /etc/openvpn/client/client1.key \
#                > /etc/openvpn/client/client1.ovpn
#
########################################################################################################################
# set -x

#######################################
# Print the command-line help and terminate.
# Globals:   none
# Arguments: none ($0 is used as the script name)
# Outputs:   help text on stdout
# Returns:   never returns; exits 0
#######################################
usage() {
        local script=$0
        printf 'Usage: %s SERVER CA_CERT CLIENT_CERT CLIENT_KEY SHARED_SECRET PORT PROTO CIPHER AUTH\n\n' "$script"
        # Quoted delimiter: nothing inside is expanded.
        cat << 'EOF'
The first 4 tokens are required while the last are optional
SERVER          = Fully qualified domain name
CA_CERT         = Full path to the CA cert
CLIENT_CERT     = Full path to the client cert
CLIENT_KEY      = Full path to the client private key
SHARED_SECRET   = Full path to the server TLS shared secret key
PORT            = Port number (defaults to 1194 if left blank)
PROTO           = Protocol (defaults to udp if left blank)
CIPHER          = server cipher (defaults to AES-256-GCM)
AUTH            = server HMAC message digest algorithm (defaults to SHA256)

For example:

CLIENT=jason
EOF
        # The example command line: only the script name is expanded, the
        # $CLIENT placeholders are printed literally for the reader.
        printf '%s my.openvpn-server.com \\\n' "$script"
        cat << 'EOF'
   /etc/openvpn/server/ca.crt \
   /etc/easy-rsa/pki/signed/$CLIENT.crt \
   /etc/easy-rsa/pki/private/$CLIENT.key \
   /etc/openvpn/server/ta.key > $CLIENT.ovpn
EOF
        exit 0
}

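# No arguments at all: show the help instead of a bare "parameter required" error.
[[ -z "$1" ]] && usage

#######################################
# Abort with a framed diagnostic. Everything goes to stderr because stdout
# is the generated .ovpn file (the usage redirects it), so an error message
# on stdout would silently end up inside the config.
# Arguments: $@ - message lines, one per argument
# Outputs:   a dashed rule, the messages and another rule on stderr
# Returns:   never returns; exits 1
#######################################
fail() {
        local rule
        printf -v rule '%180s' ''
        rule=${rule// /-}
        printf '%s\n' "$rule" "$@" "$rule" >&2
        exit 1
}

# Mandatory parameters: ${N?msg} aborts with msg on stderr when unset.
server=${1?"The server address is required"}
cacert=${2?"The path to the ca certificate file is required"}
client_cert=${3?"The path to the client certificate file is required"}
client_key=${4?"The path to the client private key file is required"}
# Optional parameters with the defaults documented in usage(); an explicitly
# empty argument takes the default too, so no blank value reaches the config.
tls_key=${5:-}
port=${6:-1194}
proto=${7:-udp}
cipher=${8:-AES-256-GCM}
auth=${9:-SHA256}
readonly PARAMETERS_NUMBER=4
readonly OPTIONAL_PARAMETERS_NUMBER=5

# More than the 9 documented parameters is a caller error (fewer than 4 is
# already caught by the ${N?} expansions above).
if (( $# > PARAMETERS_NUMBER + OPTIONAL_PARAMETERS_NUMBER )); then
        fail "Wrong number of parameters"
fi

# The port is written verbatim into the 'remote' line; reject anything that
# is not a valid TCP/UDP port number (10# forces decimal, e.g. for "0080").
if ! [[ "$port" =~ ^[0-9]+$ ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
        fail "PORT must be a number between 1 and 65535, got '$port'"
fi

# test for readable files: every file that gets embedded in the config must
# exist and be readable, including the optional TLS key when one was given,
# otherwise the output would be a truncated config.
files=("$cacert" "$client_cert" "$client_key")
[[ -n "$tls_key" ]] && files+=("$tls_key")
for i in "${files[@]}"
do
        [[ -f "$i" ]] || fail " I cannot find $i on the filesystem." \
                " This could be due to permissions or that you did not define the full path correctly." \
                " Check the path and try again."
        [[ -r "$i" ]] || fail " I cannot read $i. Try invoking $0 as root."
done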

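#######################################
# Copy one PEM file into the config between inline <tag>...</tag> markers.
# Arguments: $1 - tag name (ca, cert, key, tls-auth)
#            $2 - path of the file to embed
# Outputs:   the tagged block on stdout
# Returns:   exits 1 when the file cannot be read, so a truncated config is
#            never written with a success status
#######################################
embed_file() {
        local tag=$1
        local path=$2
        printf '<%s>\n' "$tag"
        cat -- "$path" || exit 1
        printf '</%s>\n' "$tag"
}

# Printing ovpn file on stdout. The output embeds the client private key, so
# the caller should create the destination file with restrictive permissions
# (e.g. umask 077 before redirecting stdout).
cat << EOF
client
dev tun
remote ${server} ${port} ${proto}
resolv-retry 5
persist-key
persist-tun
verb 3
EOF
# cipher/auth lines are only emitted when a value is set.
if [[ -n "$cipher" ]]; then
        printf 'cipher %s\n' "$cipher"
fi
if [[ -n "$auth" ]]; then
        printf 'auth %s\n' "$auth"
fi
cat << EOF
remote-cert-tls server
key-direction 1
EOF
embed_file ca "${cacert}"
embed_file cert "${client_cert}"
embed_file key "${client_key}"
if [[ -n "${tls_key}" ]]; then
        ### Optionally change the <tls-auth> tag set to <tls-crypt>
        ### to match how the server is configured since these options are mutually exclusive!
        embed_file tls-auth "${tls_key}"
fi

exit 0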