Commit 0ba1d76e authored by Matthew Smith's avatar Matthew Smith

Merge branch 'initcmd' into 'master'

New ovs init command

See merge request !2
parents 0f480838 ed17185d
---
stages:
- package
package:
image: debian
stage: package
script:
- cp debian/control debian/control.skel
- debian/bumpver debian/control.skel > debian/control
- debian/mkdeb
artifacts:
paths:
- "*.deb"
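Review bot: `image: debian` on the package job is an unpinned tag, so each pipeline builds against whatever the registry serves as `debian:latest` that day and the resulting .deb is neither reproducible nor protected from silent toolchain changes. Pin it to a release tag, preferably with a digest, e.g. `image: debian:<release>@sha256:<digest>`, and bump it deliberately. The job also emits the `*.deb` with no checksum or signature, so a modified runner or pipeline can ship an altered package unnoticed; at minimum add a `sha256sum *.deb > SHA256SUMS` step and include that file in `artifacts.paths`.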
......@@ -64,8 +64,7 @@ emailAddress = optional
####################################################################
[ req ]
# Commented out for bug hack reasons. See postinst for more info.
#prompt = no
prompt = no
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
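Review bot: `default_bits = 2048` is still the key size for the CA generated by the postinst, which issues that CA for 3650 days (`-days 3650` in the `openssl req -x509` call); a ten-year 2048-bit RSA root is at the floor of current guidance, so consider raising it to 3072 or 4096 here, or at least documenting the choice with `# 2048 is the minimum; the CA is issued for 10 years, prefer 4096`. Restoring `prompt = no` also means the DN fields are taken verbatim from the config file, so whatever writes this file (the postinst/init `sed` templating) must escape `/`, `&` and newlines in the organisation name or the CA subject will be mangled. The `[ req ]` section continues past the end of this hunk.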
#!/usr/bin/awk -f
# bumpver prints a modified debian package control file based on
# environment variables set from Gitlab CI. If a tagged revision is
# being built, then the Version field is the plain semver. Otherwise,
# the version from the control file has the Gitlab CI pipeline ID
# appended.
/Version/ {
if (ENVIRON["CI_COMMIT_TAG"]) {
# strip "v" prefix from tag
semver = ENVIRON["CI_COMMIT_TAG"]
sub("^v", "", semver)
printf "%s %s\n", $1, semver
next
}
printf("%s-%d\n", $0, ENVIRON["CI_PIPELINE_IID"])
next
}
{
print
}
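Review bot: The unanchored `/Version/` pattern on the first rule also matches `Standards-Version: 3.6.1` in debian/control, so a tagged build rewrites that line to `Standards-Version: <tag>` and any other build appends `-<iid>` to it. Anchor the rule to the field it is meant to touch: `/^Version:/ {`. When `CI_PIPELINE_IID` is unset (a developer running this outside GitLab) the `%d` conversion prints `Version: 2.0.0-0`; a guard such as `if (ENVIRON["CI_PIPELINE_IID"] == "") { print; next }` at the top of the rule keeps the plain version for local runs. A one-line header comment noting that `$1` is `Version:` including the colon would explain why the tag branch prints `$1` rather than a literal.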
......@@ -3,11 +3,10 @@ Section: admin
Priority: optional
Maintainer: Sol1 Packages <packages@sol1.com.au>
Build-Depends-Indep: debhelper (>= 4.1.16)
Standards-Version: 3.6.1
Version: 2.0.0
Package: openvpn-server
Architecture: all
Depends: openvpn, openssl, nsis (>= 2.06-4), zip, ucf, ${misc:Depends}, bc, cryptsetup, ifstat, bsd-mailx, sharutils, bash-completion, at
Depends: openvpn, openssl, nsis (>= 2.06-4), zip, ucf, bc, cryptsetup, ifstat, bsd-mailx, sharutils, bash-completion, at
Description: A system to assist the management of OpenVPN servers
Provides a simplified OpenVPN server configuration at installation time,
and a set of scripts to automatically create Windows and Linux client
usr/sbin
var/lib/openvpn-server/openssl
var/lib/openvpn-server/openvpn
usr/share/openvpn-server/config-templates
etc/openvpn-server/openssl
usr/lib/openvpn-server/ovs-commands
#!/bin/sh
name=`grep '^Package' debian/control | awk '{print $2}'`
version=`grep Version debian/control | awk '{print $2}'`
# if we're running from gitlab-ci
if test -n "$CI_COMMIT_SHORT_SHA"
then
version="$CI_COMMIT_SHORT_SHA"
fi
destdir="${name}_${version}"
mkdir -p $destdir/DEBIAN
cp debian/control debian/postinst debian/postrm $destdir/DEBIAN
mkdir -p $destdir/usr/share/openvpn-server/config-templates $destdir/usr/share/openvpn-server/ovs-commands
cp config/* $destdir/usr/share/openvpn-server/config-templates
cp scripts/* $destdir/usr/share/openvpn-server/ovs-commands
mkdir -p $destdir/usr/sbin
cp bin/ovs $destdir/usr/sbin
mkdir -p $destdir/usr/lib/openvpn-server/windows-client $destdir/usr/lib/openvpn-server/debian-client
cp -R clients/windows $destdir/usr/lib/openvpn-server/windows-client
cp -R clients/debian $destdir/usr/lib/openvpn-server/debian-client
mkdir -p $destdir/usr/share/openvpn-server
cp functions.sh $destdir/usr/share/openvpn-server
cp calc-ip-range.sh $destdir/usr/share/openvpn-server
mkdir -p $destdir/usr/share/nsis/Plugins
cp plugins/KillProc.dll $destdir/usr/share/nsis/Plugins
mkdir -p $destdir/etc
cp -r bash_completion.d $destdir/etc
chown -R root:root $destdir
dpkg-deb --build $destdir
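Review bot: `version=\`grep Version debian/control | awk '{print $2}'\`` on the third line matches `Standards-Version: 3.6.1` as well as `Version: 2.0.0`, so outside CI `$version` holds two newline-separated values and the unquoted `$destdir` on every following `mkdir`/`cp` word-splits into two directories; anchor the field, `version=$(grep '^Version:' debian/control | awk '{print $2}')`, and quote `"$destdir"` throughout. There is no `set -e`, so a failed `cp` (a missing `plugins/KillProc.dll`, an empty `clients/`) still ends in `dpkg-deb --build` producing a package; add `set -eu` after the shebang. The maintainer scripts are copied into `DEBIAN/` without a `chmod 755`, so postinst/postrm are executable only if the checked-in modes are, and the ovs-commands land in `usr/share/openvpn-server/ovs-commands` here while debian/rules and the postinst (`/usr/lib/openvpn-server/ovs-commands/build-ddwrt-client`) use `usr/lib` — whichever path `ovs` expects, one of the two build routes ships them in the wrong place.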
#!/bin/bash
#!/bin/sh
set -e
if [ "$1" != "configure" ]; then
exit 0
fi
. /usr/share/debconf/confmodule
db_get openvpn-server/questions/country
KEY_COUNTRY="$RET"
db_get openvpn-server/questions/province
KEY_PROVINCE="$RET"
db_get openvpn-server/questions/city
KEY_CITY="$RET"
db_get openvpn-server/questions/orgname
KEY_ORGANISATION="$RET"
db_get openvpn-server/questions/orgnick
ORGNICK="$RET"
db_get openvpn-server/questions/subnet_route
SUBNETS="$RET"
db_get openvpn-server/questions/server_address
SERVERADDR="$RET"
TMPCONF=$(mktemp -d)
sed "s/%%KEY_COUNTRY%%/$KEY_COUNTRY/;
s/%%KEY_PROVINCE%%/$KEY_PROVINCE/;
s/%%KEY_CITY%%/$KEY_CITY/;
s/%%KEY_ORGANISATION%%/$KEY_ORGANISATION/;" \
< /usr/share/openvpn-server/config-templates/openssl.cnf \
> $TMPCONF/openssl.cnf
ucf --debconf-ok $TMPCONF/openssl.cnf /etc/openvpn-server/openssl/openssl.cnf
if [ ! -f /var/lib/openvpn-server/openssl/index.txt ]; then
touch /var/lib/openvpn-server/openssl/index.txt
fi
if [ ! -f /var/lib/openvpn-server/openssl/serial ]; then
echo 01 >/var/lib/openvpn-server/openssl/serial
fi
if [ -f /usr/lib/openvpn-server/ovs-commands/build-ddwrt-client ]; then
rm /usr/lib/openvpn-server/ovs-commands/build-ddwrt-client
fi
if [ ! -f /var/lib/openvpn-server/openssl/ca.key ]; then
echo -n "Generating Certificate Authority..."
# Generate the CA
# Insane echo trick to avoid "ASN1_mbstring_copy:string too long:ab_mbstr.c:154:maxsize=2"
# problem. This is why prompt=no is commented out in the openssl.cnf.
echo "
" | \
KEY_NAME="$KEY_ORGANISATION Certificate Authority" \
KEY_EMAIL="" \
openssl req -days 3650 -nodes -new -x509 \
-keyout /var/lib/openvpn-server/openssl/ca.key \
-out /var/lib/openvpn-server/openssl/ca.crt \
-config /etc/openvpn-server/openssl/openssl.cnf \
>/tmp/ovpns-install.log 2>&1
chmod 0600 /var/lib/openvpn-server/openssl/ca.key
echo " done."
fi
if [ ! -f /etc/openvpn-server/dh4096.pem ]; then
echo -n "Generating dhparams (may take a while)..."
openssl dhparam -out /etc/openvpn-server/dh4096.pem 4096 >/tmp/ovpns-install.log 2>&1
echo " done."
fi
if [ ! -f /etc/openvpn-server/$ORGNICK-server.p12 ]; then
echo -n "Generating server key..."
echo "
" | \
KEY_NAME="$KEY_ORGANISATION OpenVPN server on $(hostname)" \
KEY_EMAIL="" \
openssl req -days 3650 -nodes -new \
-keyout $TMPCONF/$ORGNICK-server.key \
-out $TMPCONF/$ORGNICK-server.csr \
-extensions server \
-config /etc/openvpn-server/openssl/openssl.cnf \
>/tmp/ovpns-install.log 2>&1
echo " done."
echo -n "Signing server key..."
echo "y
y" | \
KEY_NAME="$KEY_ORGANISATION OpenVPN server on $(hostname)" \
KEY_EMAIL="" \
openssl ca -days 3650 \
-out $TMPCONF/$ORGNICK-server.crt \
-in $TMPCONF/$ORGNICK-server.csr \
-extensions server \
-config /etc/openvpn-server/openssl/openssl.cnf \
>/tmp/ovpns-install.log 2>&1
echo " done."
echo -n "Converting key to pkcs12 format..."
openssl pkcs12 -export \
-inkey $TMPCONF/$ORGNICK-server.key \
-in $TMPCONF/$ORGNICK-server.crt \
-password pass: \
-certfile /var/lib/openvpn-server/openssl/ca.crt \
-out /etc/openvpn-server/$ORGNICK-server.p12\
>/tmp/ovpns-install.log 2>&1
echo " done."
chmod 0600 /etc/openvpn-server/$ORGNICK-server.p12
fi
if [ ! -f /etc/openvpn-server/ca.crl ]; then
echo -n "Generating an initial CRL... "
KEY_NAME="" KEY_EMAIL="" \
openssl ca -gencrl -crldays 3650 \
-out /etc/openvpn-server/ca.crl \
-config /etc/openvpn-server/openssl/openssl.cnf \
>/tmp/ovpns-install.log 2>&1
echo " done."
fi
cat <<EOF >$TMPCONF/config.sh
OVPN_ORGNICK="$ORGNICK"
OVPN_ORGNAME="$KEY_ORGANISATION"
OVPN_REMOTE="$SERVERADDR"
FIREWALLED=no
ALLOCATEIP=yes
CACHE_BUILDS="/var/lib/openvpn-server/openssl/builds/"
EOF
md5sum $TMPCONF/config.sh >$TMPCONF/config.sh.md5sum
ucf --debconf-ok $TMPCONF/config.sh /etc/openvpn-server/config.sh
for subnet in $SUBNETS; do
NET=${subnet/\/*/}
MASK=${subnet/*\//}
SUBNETROUTES="$SUBNETROUTES
push \"route $NET $MASK\""
done
if [ -f /etc/openvpn/$ORGNICK-server.conf ]; then
SERVERLINE="$(grep ^server /etc/openvpn/$ORGNICK-server.conf)"
else
OCTET2=$(($RANDOM % 16 + 16))
OCTET3=$(($RANDOM % 256 / 4 * 4))
SERVERLINE="server 172.$OCTET2.$OCTET3.0 255.255.252.0"
fi
cat <<EOF >$TMPCONF/$ORGNICK-server.conf
port 1194
proto udp
dev tun
dh /etc/openvpn-server/dh4096.pem
pkcs12 /etc/openvpn-server/$ORGNICK-server.p12
crl-verify /etc/openvpn-server/ca.crl
remote-cert-tls client
cipher AES-256-CBC
# Add a client config dir and don't allow connections if a client doesn't have a client config file
client-config-dir /etc/openvpn/ccd
ccd-exclusive
$SERVERLINE
ifconfig-pool-persist /var/lib/openvpn-server/openvpn/ifconfig-pool.txt
$SUBNETROUTES
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DOMAIN myfirst.domain"
#push "dhcp-option SEARCH myfirst.domain mysecond.domain"
keepalive 10 90
persist-key
persist-tun
status /var/lib/openvpn-server/openvpn/status.log
status-version 2
verb 1
mute 5
EOF
# Make the ccd dir
mkdir -p /etc/openvpn/ccd
# To trick ucf a bit and hopefully reduce the amount of gratuitous
# question-asking, we need to generate the md5sum of a sever config file
# that looks like the one generated by pre-0.3.0 versions of openvpn-server.
# The only difference between 0.2.1 and 0.3.0 should be the presence of the
# crl-verify line, so if we remove that we *should* be back to the old
# config. We'll see how that works in practice, shall we?
grep -v crl-verify $TMPCONF/$ORGNICK-server.conf | md5sum >$TMPCONF/$ORGNICK-server.conf.md5sum
ucf --debconf-ok $TMPCONF/$ORGNICK-server.conf /etc/openvpn/$ORGNICK-server.conf
# All clean!
rm -rf $TMPCONF
# Reload openvpn to take into account any changed settings
/usr/sbin/invoke-rc.d openvpn restart
# Initalise ovs bash completion for this session
if [ -f /etc/bash_completion.d/ovs ] ; then
. /etc/bash_completion.d/ovs
fi
##DEBHELPER##
exit 0
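Review bot: If `#!/bin/sh` (the second shebang line, printed after `#!/bin/bash`) is the new interpreter, this script breaks under dash, which is /bin/sh on Debian: `${subnet/\/*/}` and `${subnet/*\//}` in the subnet loop are bash-only substitutions that dash rejects with "Bad substitution", and `$RANDOM` is empty there so the `OCTET2`/`OCTET3` arithmetic errors out, aborting configure under `set -e`. Either keep `#!/bin/bash` (and declare the dependency) or use `NET=${subnet%%/*}`, `MASK=${subnet#*/}` and a POSIX source of randomness for the octets. Separately, every `openssl` call redirects to the fixed path `/tmp/ovpns-install.log` while running as root; a predictable name in a world-writable directory is a classic symlink-following target, so write the log into the already-created `$TMPCONF` or under /var/log instead. The `echo "\n" |` stdin trick and its "Insane echo trick" comment also refer to `prompt=no` being commented out, which this commit reverts in openssl.cnf, so if those lines survive they should be removed or the comment updated.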
File mode changed from 100644 to 100755
#!/usr/bin/make -f
# Sample debian/rules that uses debhelper.
# GNU copyright 1997 to 1999 by Joey Hess.
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
DESTDIR=$(CURDIR)/debian/openvpn-server
build:
## Nothing to do ##
clean:
dh_testdir
dh_testroot
dh_clean
install: build
dh_testdir
dh_testroot
dh_clean -k
dh_installdirs
# Copy!
cp config/* $(DESTDIR)/usr/share/openvpn-server/config-templates
cp scripts/* $(DESTDIR)/usr/lib/openvpn-server/ovs-commands
chmod 0755 $(DESTDIR)/usr/lib/openvpn-server/ovs-commands/*
cp bin/ovs $(DESTDIR)/usr/sbin
cp -a clients/windows $(DESTDIR)/usr/share/openvpn-server/windows-client
cp -a clients/debian $(DESTDIR)/usr/share/openvpn-server/debian-client
cp functions.sh $(DESTDIR)/usr/share/openvpn-server
cp calc-ip-range.sh $(DESTDIR)/usr/share/openvpn-server
chmod 0755 $(DESTDIR)/usr/share/openvpn-server/calc-ip-range.sh
mkdir -p $(DESTDIR)/usr/share/nsis/Plugins/
cp plugins/KillProc.dll $(DESTDIR)/usr/share/nsis/Plugins/KillProc.dll
mkdir -p $(DESTDIR)/etc/bash_completion.d/
cp bash_completion.d/ovs $(DESTDIR)/etc/bash_completion.d/ovs
chmod 644 $(DESTDIR)/etc/bash_completion.d/ovs
dh_link -i
# Build architecture-independent files here.
binary-indep: build install
dh_testdir
dh_testroot
dh_installdocs -i
dh_installchangelogs -i
dh_installdebconf -i
dh_compress -i
dh_fixperms -i
dh_installdeb -i
dh_gencontrol -i
dh_md5sums -i
dh_builddeb -i
# Build architecture-dependent files here.
binary-arch: build install
# Nothing to do here, move along
binary: binary-indep binary-arch
.PHONY: build clean binary-indep binary-arch binary install configure
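Review bot: The `install` target puts the client trees under `usr/share/openvpn-server/windows-client` and `debian-client` while `debian/mkdeb` in this same commit installs them under `usr/lib/openvpn-server/`, and the two disagree the opposite way for `ovs-commands` (`usr/lib` here, `usr/share` in mkdeb); the postinst removes `/usr/lib/openvpn-server/ovs-commands/build-ddwrt-client`, so that is presumably the intended layout and the mkdeb route ships the commands where nothing looks. Pick one layout and make both build paths use it, or drop the rules-based install now that CI uses mkdeb. The `chmod 0755 $(DESTDIR)/usr/lib/openvpn-server/ovs-commands/*` here has no counterpart in mkdeb, so the CI-built package relies on the checked-in file modes; a comment next to the `cp scripts/*` line stating that expectation would save the next maintainer a non-executable command.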
#!/bin/bash
prompt() {
default=$1
instruction=$2
echo -n "$instruction [$default]: "
unset response
IFS='\n' read response
if [ -z "$response" ]
then
response=$default
fi
}
prompt "AU" "2-letter ISO country code where this server is located"
KEY_COUNTRY=$response
prompt "NSW" "State/province this server located in"
KEY_PROVINCE=$response
prompt "Sydney" "City/town/locality this server located in"
KEY_CITY=$response
prompt "" "Name of the organisation using this server e.g. Acme Inc"
KEY_ORGANISATION=$response
# TODO use a little awk program which makes some short name
# from $org as the default prompt value.
prompt "" "Short organisation nickname, 4 to 12 characters, used for files generated by ovs e.g. acme"
ORGNICK=$response
# TODO input validation. A shell case statement might be enough
# since it provides pattern matching.
prompt "" "Subnet you want VPN clients to be able to access.
If you provide a value here, this subnet range will be pushed to
clients as one which can be accessed via this VPN server.
The subnet must be in the format nnn.nnn.nnn.nnn/sss.sss.sss.sss,
where nnn.nnn.nnn.nnn is the network and sss.sss.sss.sss is the subnet mask.
You may also specify multiple subnets here, separated by spaces.
If you wish this server to be standalone, and not provide access to any
other networks, leave this option blank."
SUBNETS=$response
prompt `hostname` "Internet-routable name or address of this server"
SERVERADDR=$response
echo "Country: $KEY_COUNTRY"
echo "Province: $KEY_PROVINCE"
echo "City: $KEY_CITY"
echo "Organisation: $KEY_ORGANISATION"
echo "Org nickname: $ORGNICK"
echo "Subnets:"
for s in $SUBNETS
do
echo $s
done
echo "Address: $SERVERADDR"
TMPCONF=`mktemp -d`
sed "s/%%KEY_COUNTRY%%/$KEY_COUNTRY/;
s/%%KEY_PROVINCE%%/$KEY_PROVINCE/;
s/%%KEY_CITY%%/$KEY_CITY/;
s/%%KEY_ORGANISATION%%/$KEY_ORGANISATION/;" \
< /usr/share/openvpn-server/config-templates/openssl.cnf \
> /etc/openvpn-server/openssl/openssl.cnf
if [ ! -f /var/lib/openvpn-server/openssl/index.txt ]; then
touch /var/lib/openvpn-server/openssl/index.txt
fi
if [ ! -f /var/lib/openvpn-server/openssl/serial ]; then
echo 01 >/var/lib/openvpn-server/openssl/serial
fi
if [ ! -f /var/lib/openvpn-server/openssl/ca.key ]; then
echo -n "Generating Certificate Authority..."
KEY_NAME="$KEY_ORGANISATION Certificate Authority" \
KEY_EMAIL="" \
openssl req -days 3650 -nodes -new -x509 \
-keyout /var/lib/openvpn-server/openssl/ca.key \
-out /var/lib/openvpn-server/openssl/ca.crt \
-config /etc/openvpn-server/openssl/openssl.cnf
chmod 0600 /var/lib/openvpn-server/openssl/ca.key
echo " done."
fi
if [ ! -f /etc/openvpn-server/dh4096.pem ]; then
openssl dhparam -out /etc/openvpn-server/dh4096.pem 4096
echo " done."
fi
if [ ! -f /etc/openvpn-server/$ORGNICK-server.p12 ]; then
echo -n "Generating server key..."
KEY_NAME="$KEY_ORGANISATION OpenVPN server on $(hostname)" \
KEY_EMAIL="" \
openssl req -days 3650 -nodes -new \
-keyout $TMPCONF/$ORGNICK-server.key \
-out $TMPCONF/$ORGNICK-server.csr \
-extensions server \
-config /etc/openvpn-server/openssl/openssl.cnf
echo " done."
echo -n "Signing server key..."
echo "y\ny" | \
KEY_NAME="$KEY_ORGANISATION OpenVPN server on $(hostname)" \
KEY_EMAIL="" \
openssl ca -days 3650 \
-out $TMPCONF/$ORGNICK-server.crt \
-in $TMPCONF/$ORGNICK-server.csr \
-extensions server \
-config /etc/openvpn-server/openssl/openssl.cnf
echo " done."
echo -n "Converting key to pkcs12 format..."
openssl pkcs12 -export \
-inkey $TMPCONF/$ORGNICK-server.key \
-in $TMPCONF/$ORGNICK-server.crt \
-password pass: \
-certfile /var/lib/openvpn-server/openssl/ca.crt \
-out /etc/openvpn-server/$ORGNICK-server.p12
echo " done."
chmod 0600 /etc/openvpn-server/$ORGNICK-server.p12
fi
if [ ! -f /etc/openvpn-server/ca.crl ]; then
echo -n "Generating an initial CRL... "
KEY_NAME="" KEY_EMAIL="" \
openssl ca -gencrl -crldays 3650 \
-out /etc/openvpn-server/ca.crl \
-config /etc/openvpn-server/openssl/openssl.cnf
echo " done."
fi
cat <<EOF > /etc/openvpn-server/config.sh
OVPN_ORGNICK="$ORGNICK"
OVPN_ORGNAME="$KEY_ORGANISATION"
OVPN_REMOTE="$SERVERADDR"
FIREWALLED=no
ALLOCATEIP=yes
CACHE_BUILDS="/var/lib/openvpn-server/openssl/builds/"
EOF
for subnet in $SUBNETS; do
NET=${subnet/\/*/}
MASK=${subnet/*\//}
SUBNETROUTES="$SUBNETROUTES
push \"route $NET $MASK\""
done
if [ -f /etc/openvpn/$ORGNICK-server.conf ]; then
SERVERLINE="$(grep ^server /etc/openvpn/$ORGNICK-server.conf)"
else
OCTET2=$(($RANDOM % 16 + 16))
OCTET3=$(($RANDOM % 256 / 4 * 4))
SERVERLINE="server 172.$OCTET2.$OCTET3.0 255.255.252.0"
fi
cat <<EOF >/etc/openvpn/$ORGNICK-server.conf
port 1194
proto udp
dev tun
dh /etc/openvpn-server/dh4096.pem
pkcs12 /etc/openvpn-server/$ORGNICK-server.p12
crl-verify /etc/openvpn-server/ca.crl
remote-cert-tls client
cipher AES-256-CBC
# Add a client config dir and don't allow connections if a client doesn't have a client config file
client-config-dir /etc/openvpn/ccd
ccd-exclusive
$SERVERLINE
ifconfig-pool-persist /var/lib/openvpn-server/openvpn/ifconfig-pool.txt
$SUBNETROUTES
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DOMAIN myfirst.domain"
#push "dhcp-option SEARCH myfirst.domain mysecond.domain"
keepalive 10 90
comp-lzo
persist-key
persist-tun
status /var/lib/openvpn-server/openvpn/status.log
status-version 2
verb 1
mute 5
EOF
mkdir -p /etc/openvpn/ccd
rm -rf $TMPCONF
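Review bot: `echo "y\ny" |` before the `openssl ca` signing call sends the literal characters `y\ny` as one line under bash (`echo` does not interpret `\n` without `-e`), so the sign prompt reads `y` but the commit prompt hits EOF and the server certificate is most likely never committed — the postinst version of this step uses two real lines and works, this one does not. Use `printf 'y\ny\n' |`, or drop the pipe and pass `-batch` to `openssl ca`. The `prompt` helper's `IFS='\n' read response` is also wrong: the single quotes make IFS the two characters backslash and `n`, so a trailing `n` is stripped from an answer such as `London`, and without `-r` backslashes are consumed; it should be `IFS= read -r response`. Finally this template still emits `comp-lzo`, which the postinst template in this commit no longer does; compression exposes the tunnel to VORACLE-style compression-oracle attacks and OpenVPN's own documentation advises against it, so drop the line here as well.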