#!/usr/bin/bash

# Useful vars

# Root of the OpenVPN server configuration tree.  It ends in a slash and the
# derived paths below add another, so they expand with a doubled "//"
# (e.g. /etc/openvpn//ccd/).  The kernel collapses that, and the values are
# kept byte-for-byte so anything else comparing them keeps matching.
OPENVPNCONFIGDIR='/etc/openvpn/'
# Per-client config directory (globbed as CCDDIR* by create_shorewall_vars)
# and the directory for revoked client configs (presumably where they are
# moved on revocation; not used within this file).
CCDDIR="${OPENVPNCONFIGDIR}/ccd/"
CCDREVOKEDDIR="${OPENVPNCONFIGDIR}/ccd_revoked/"

# Shorewall variables file rewritten by create_shorewall_vars ("client=ip" lines).
SHOREWALLVARS='/etc/shorewall/openvpn.vars'


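# ask_key_questions
# Request all of the pertinent information about the person for whom a new
# client key is being generated.
#
# Doesn't take any arguments or return anything directly, but instead sets
# a series of global variables:
#
# OVPN_EMAIL
# OVPN_COMMONNAME
#
# The common name is used as the file name in many places as well as the common
# name of the certificate, the email address is just added to the certificate.
#
# Because OVPN_COMMONNAME becomes a file name and is handed to helper scripts
# (see allocate_ip), the check here is the only thing keeping it free of path
# separators, whitespace and shell metacharacters: it must be 4-30 characters
# from [0-9A-Za-z_].  The previous version accepted up to 30 characters on the
# first attempt but only 15 on a retry (and its comments said 12); the 4-30
# limit stated in the prompt is now applied consistently, and the retry
# message says so.
#
# Returns 0 once both values are set, 1 if stdin reaches EOF before a valid
# common name was read (the old loop never terminated in that case).

# _ovpn_commonname_valid <name>
# Succeeds iff <name> is 4-30 characters from [0-9A-Za-z_] only.
function _ovpn_commonname_valid
{
	# Kept in a variable so the braces are never subject to expansion.
	local pattern='^[0-9A-Za-z_]{4,30}$'
	[[ "$1" =~ $pattern ]]
}

function ask_key_questions
{
	echo ""
	# -p only displays the prompt when stdin is a terminal, so scripted
	# input (tests, automation) works unchanged.
	read -r -p "Common Name of certificate, this should be unique,
using 4 to 30 upper or lowercase letters or numbers and _ ONLY: " OVPN_COMMONNAME || return 1

	# Keep asking until the name validates; an empty entry (plain Enter)
	# fails the length check and lands here as well.
	while ! _ovpn_commonname_valid "$OVPN_COMMONNAME"; do
		echo ""
		echo "The certificate name can only consist of (4-30) upper or lowercase letters or numbers and _"
		read -r -p "You entered [$OVPN_COMMONNAME]. Please try again: " OVPN_COMMONNAME || return 1
	done

	# The address is not validated here; it only goes into the certificate.
	read -r -p "Users E-mail address for certificate: " OVPN_EMAIL || return 1
}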

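# allocate_ip
# Offer to give the new client a fixed VPN address (for firewall rules).
#
# Reads the global ALLOCATEIP ("y" or "yes" allocates); prompts for it on
# stdin when it is empty.  On yes, exports OVPN_ORGNICK for the child process
# and runs make-static-ip with the global OVPN_COMMONNAME as the client name;
# otherwise prints "Static IP not allocated".  Returns the status of the last
# command run.
function allocate_ip {
	if [ -z "${ALLOCATEIP}" ]; then
		read -r -p "Do you want to allocate a static VPN IP to the client for firewalling? (y/n)" ALLOCATEIP
	fi

	case "${ALLOCATEIP}" in
		y|yes)
			# The old line was `export $OVPN_ORGNICK`: it exported a
			# variable *named* by the value and, when the value was
			# empty, printed the entire export list instead.  Handing
			# OVPN_ORGNICK itself to make-static-ip is almost
			# certainly what was meant.
			export OVPN_ORGNICK
			# OVPN_COMMONNAME is validated by ask_key_questions; quoted
			# anyway so an unexpected value cannot become extra arguments.
			/usr/lib/openvpn-server/ovs-commands/make-static-ip "${OVPN_COMMONNAME}"
			;;
		*)
			echo "Static IP not allocated"
			;;
	esac
}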

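# make_cache
# Ensure the build cache directory named by the global CACHE_BUILDS exists.
# Returns 1 (with a message on stderr) when CACHE_BUILDS is empty, where the
# old code would have run `mkdir -p ""` and failed less clearly; otherwise
# returns mkdir's status.
function make_cache {
	if [ -z "${CACHE_BUILDS}" ]; then
		echo "make_cache: CACHE_BUILDS is not set" >&2
		return 1
	fi
	# mkdir -p is a no-op on an existing directory, so no -d test is needed.
	mkdir -p -- "${CACHE_BUILDS}"
}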


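# make_pkcs12
# Generate a PKCS12 certificate bundle from the given
# parameters, and utilising the openvpn-server generated default files (CA,
# etc).
#
# Usage: make_pkcs12 <email> <commonname> <destfile>
#
# <email> -- the e-mail address of the certificate's owner
# <commonname> -- the real name of the certificate's owner
# <destfile> -- the location you want the completed certificate bundle to
#	end up in.
#
# Returns 0 when the bundle was written to <destfile>, 1 otherwise.  openssl's
# output is discarded, so the return code is the only failure signal; the old
# version ignored failures and printed " done." regardless.  The scratch
# directory is removed on every path.
#
# NOTE(security): the bundle is exported with an empty password
# (-password pass:), so <destfile> contains an unprotected private key and is
# only as safe as its file permissions.  Validity is hard-coded to 3650 days.
function make_pkcs12
{
	local email="$1"
	local commonname="$2"
	local destfile="$3"
	local workdir rv

	# Declared separately so mktemp's failure is not masked by `local`.
	workdir=$(mktemp -d) || { echo "make_pkcs12: mktemp failed" >&2; return 1; }

	if _make_pkcs12_build "$email" "$commonname" "$workdir"; then
		cp -- "$workdir/bundle.p12" "$destfile"
		rv=$?
	else
		rv=1
	fi

	# :? refuses to run the rm if workdir were ever empty.
	rm -rf -- "${workdir:?}"
	return "$rv"
}

# _make_pkcs12_build <email> <commonname> <workdir>
# Run the openssl steps for make_pkcs12 inside <workdir>: key + CSR, CA
# signing, then the PKCS12 export to <workdir>/bundle.p12.  Runs in a subshell
# so the directory change never leaks to the caller, and stops at the first
# step that fails.  Prints "Building Certificate..." / " done." like before.
function _make_pkcs12_build
{
	local email="$1"
	local commonname="$2"
	local workdir="$3"
	local cnf=/etc/openvpn-server/openssl/openssl.cnf

	(
		cd "$workdir" || exit 1

		printf '%s' "Building Certificate..."
		# Eight newlines (what the old echo produced) accept the
		# defaults for openssl's interactive subject prompts.  KEY_EMAIL
		# and KEY_NAME are presumably picked up by openssl.cnf via
		# $ENV -- confirm against that file before renaming them.
		printf '\n\n\n\n\n\n\n\n' |					\
		KEY_EMAIL="$email"						\
		KEY_NAME="$commonname"						\
		openssl req -days 3650 -nodes -new -keyout key -out csr		\
			-config "$cnf" >/dev/null 2>&1 || exit 1

		# "y", "y" answer the sign and commit prompts of openssl ca.
		printf 'y\ny\n' |						\
		KEY_EMAIL="$email"						\
		KEY_NAME="$commonname"						\
		openssl ca -days 3650 -out crt -in csr				\
			-config "$cnf" >/dev/null 2>&1 || exit 1

		openssl pkcs12 -export						\
			-inkey key -in crt -password pass:			\
			-certfile /var/lib/openvpn-server/openssl/ca.crt	\
			-out bundle.p12 >/dev/null 2>&1 || exit 1

		echo " done."
	)
}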



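# make_generic_bundle
# Build a plain key/certificate pair (not PKCS12) for the given owner and copy
# it, together with the organisation CA certificate, into a caller-supplied
# directory.
#
# Usage: make_generic_bundle <email> <commonname> <parentworkdir>
#
# <email> -- the e-mail address of the certificate's owner
# <commonname> -- the certificate's common name; also the file stem
#	(<commonname>.key, <commonname>.crt)
# <parentworkdir> -- existing directory the three files are copied into
#
# Sources /etc/openvpn-server/config.sh (for OVPN_ORGNAME, which names the
# copied CA certificate <OVPN_ORGNAME>-ca.crt; any other variables it sets
# become globals, as before).  Returns 0 when the files were copied, 1
# otherwise; openssl output is discarded, so the return code is the only
# failure signal.  The scratch directory is removed on every path.
#
# NOTE(security): the key is written with -nodes (unencrypted) and copied
# with the caller's umask; <parentworkdir> should not be world-readable.
function make_generic_bundle
{
	local email="$1"
	local commonname="$2"
	local parentworkdir="$3"
	local workdir rv
	local cnf=/etc/openvpn-server/openssl/openssl.cnf

	# Without the config OVPN_ORGNAME is most likely empty and the CA copy
	# below would be called "-ca.crt"; the old code ignored a missing file.
	if [ ! -r /etc/openvpn-server/config.sh ]; then
		echo "make_generic_bundle: cannot read /etc/openvpn-server/config.sh" >&2
		return 1
	fi
	. /etc/openvpn-server/config.sh

	workdir=$(mktemp -d) || { echo "make_generic_bundle: mktemp failed" >&2; return 1; }

	# Subshell: the cd cannot leak, and the first failing step aborts it.
	(
		cd "$workdir" || exit 1

		printf '%s' "Building Certificate..."
		# Eight newlines (what the old echo produced) accept the
		# defaults for openssl's interactive subject prompts.  KEY_EMAIL
		# and KEY_NAME are presumably read by openssl.cnf via $ENV.
		printf '\n\n\n\n\n\n\n\n' |					\
		KEY_EMAIL="$email"						\
		KEY_NAME="$commonname"						\
		openssl req -days 3650 -nodes -new -keyout key -out csr		\
			-config "$cnf" >/dev/null 2>&1 || exit 1

		# "y", "y" answer the sign and commit prompts of openssl ca.
		printf 'y\ny\n' |						\
		KEY_EMAIL="$email"						\
		KEY_NAME="$commonname"						\
		openssl ca -days 3650 -out crt -in csr				\
			-config "$cnf" >/dev/null 2>&1 || exit 1

		mv -- key "$commonname".key || exit 1
		mv -- crt "$commonname".crt || exit 1
		# "--" so an empty OVPN_ORGNAME cannot turn the target into an option.
		cp -- /var/lib/openvpn-server/openssl/ca.crt "$OVPN_ORGNAME"-ca.crt || exit 1

		echo " done."
	)
	rv=$?

	if [ "$rv" -eq 0 ]; then
		cp -- "$workdir"/* "$parentworkdir"/
		rv=$?
	fi

	# :? refuses to run the rm if workdir were ever empty.
	rm -rf -- "${workdir:?}"
	return "$rv"
}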



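# get_current_certificates [index]
#  echoes a list of current vpn certificates
#
# Prints a header line followed by one line per valid ("V") entry of the
# openssl CA database, /var/lib/openvpn-server/openssl/index.txt by default;
# an explicit path may be passed as $1 (new, backward-compatible, mainly for
# testing).  Each line is "<serial>\t<CN> <email>"; the first column is the
# index.txt serial, which the header calls "Index".
#
# The pipeline assumes the subject DN has the CN as its 4th and the e-mail as
# its 5th component once the "X=" labels are stripped -- presumably the layout
# this server's openssl.cnf produces; check that before changing the config.
# Returns 1 (nothing printed) if the index file is not readable.
function get_current_certificates () {
	local index="${1:-/var/lib/openvpn-server/openssl/index.txt}"

	if [ ! -r "$index" ]; then
		echo "get_current_certificates: cannot read $index" >&2
		return 1
	fi

	echo "Index     User <email address>"
	# Whitespace splitting collapses the empty "revoked" column of a V
	# line, so $3 is the serial and $5 the subject DN.  The sed drops the
	# "C=", "CN=", ... labels; the second awk re-splits on "/" (field 2 is
	# empty because the join produces "serial//...").
	grep -- '^V' "$index"						\
		| awk '{print $3 "/" $5}'				\
		| sed 's/[A-Za-z]*=//g'					\
		| awk -F '/' '{print $1 "\t" $6 " <" $7 ">"}'
}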


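# create_shorewall_vars
# Rebuild the Shorewall variables file ($SHOREWALLVARS) from the static
# addresses in the per-client config directory ($CCDDIR): every
# "ifconfig-push <ip> ..." line becomes "<clientname>=<ip>", where the client
# name is the name of the ccd file containing it.
#
# The file is presumably read by Shorewall as shell-style variables, so the
# client/file name has to be a safe identifier already; ask_key_questions
# restricts it to [0-9A-Za-z_] (4-30 chars).  This function does not validate
# again: a stray file in CCDDIR with any other name is written as-is.
#
# The old version took the name as whitespace field 4 after turning "/" into
# spaces, which only worked while CCDDIR had exactly three path components
# (e.g. /etc/openvpn//ccd/); the matched file's basename is used now, so the
# directory location no longer matters.  It also deleted every "-" from the
# line, which validated names never contain.
#
# Returns 1 if SHOREWALLVARS or CCDDIR is empty or the directory cannot be
# created; otherwise the status of writing the file.
function create_shorewall_vars () {
	local shorewall_dir

	if [ -z "${SHOREWALLVARS}" ] || [ -z "${CCDDIR}" ]; then
		echo "create_shorewall_vars: SHOREWALLVARS and CCDDIR must be set" >&2
		return 1
	fi

	shorewall_dir=$(dirname -- "${SHOREWALLVARS}")
	mkdir -p -- "${shorewall_dir}" || return 1

	# grep -H prints "<path>:ifconfig-push <ip> <peer>"; awk takes the
	# path's last component and the first word after the keyword.
	grep -H -- "ifconfig-push" "${CCDDIR}"*				\
		| awk -F: '{ n = split($1, p, "/"); split($2, f, " "); print p[n] "=" f[2] }' > "${SHOREWALLVARS}"
}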

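# prompt_restart_shorewall
# Ask on stdin whether to restart Shorewall now.  Answering exactly "y" runs
# `shorewall restart`; any other answer ends the calling script with exit
# status 1.  That is an exit, not a return -- presumably callers rely on it to
# stop the enclosing script, so it is kept.  Sets the global SHOREWALLYN.
function prompt_restart_shorewall () {
	# -r keeps a backslash in the answer literal; the old `read` without
	# it mangled such input.
	read -r -p "Do you want to restart Shorewall now? (y/n)" SHOREWALLYN
	case "${SHOREWALLYN}" in
		y)
			echo "OK proceeding"
			shorewall restart
			;;
		*)
			# Explicit status: the old bare `exit` happened to
			# propagate the 1 from the failed [ ] test.
			exit 1
			;;
	esac
}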