S1OVS / openvpn-server / Commits / 7e524cac
Commit 7e524cac authored 2 years ago by David Kempe
imported all the questions from init. still some TODO
parent
4968626c
Pipeline
#1802
passed
2 years ago
Stage: package
Changes: 2 changed files with 230 additions and 33 deletions
functions.sh: +203 −19
scripts/build-server-cert: +27 −14
functions.sh (+203 −19) View file @ 7e524cac
...
...
@@ -79,6 +79,190 @@ done
function
ask_server_questions
{
#copied over from init
# READ the config from here - you need to have init'ed first - ideally ovs init-ca
.
/etc/openvpn-server/config.sh
DEFAULT_PORT
=
1194
#Default OpenVPN Port
DEFAULT_PROTOCOL_SELECTION
=
1
#Default OpenVPN Protocol to use, set 1 for UDP and 2 for TCP
if
[
-f
/var/lib/openvpn-server/ca-store
]
then
# /usr/lib/openvpn-server/ovs-commands/mount-ca-store
# if [ $? = 1 ]
# then
if
grep
-q
ca-store /proc/mounts
then
echo
"ca-store mounted"
else
echo
"ca-store not mounted, or your session has expired."
echo
"Use ovs mount-ca-store to mount your ca-store"
exit
1
fi
fi
#TODO - setup an init-ca function - so the steps will be init-ca build-server and then build clients. server certs and config gets copied to server.
# KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORGANISATION are all CA related info. $OVPN_ORGNICK, read from config.sh
# ORG_EMAIL read from config.sh
#Ask for any subnets to push to clients
## TODO subnet input validation. A shell case statement might be enough
## since it provides pattern matching.
echo
""
echo
""
read
-p
"Specify the subnet you want VPN clients to be able to access.
If you provide a value here, this subnet range will be pushed to
clients as one which can be accessed via this VPN server.
You must specify the subnet in the format nnn.nnn.nnn.nnn/sss.sss.sss.sss,
where nnn.nnn.nnn.nnn is the network and sss.sss.sss.sss is the subnet mask.
For example, to tell clients to use this VPN to access the 192.168.10.0/24
network, enter 192.168.10.0/255.255.255.0
You may also specify multiple subnets to route by providing them all here,
separated by spaces. For example to tell clients to use this VPN to access
the 192.168.10.0/24 and 192.168.20.0/24 networks enter
192.168.10.0/255.255.255.0 192.168.11.0/255.255.255.0
If you wish this server to be standalone, and not provide access to any
other networks, leave this option blank.
: "
SUBNETSTRING
#Turn the SUBNETSTRING variable into an array
SUBNETS
=(
$SUBNETSTRING
)
#TODO: Use this text as a base for subnet validation message when I wrote that check
#The subnet specification you provided was incorrect.
# The set of subnets you gave was incorrect. Please go back and try again.
#TODO: Add some validation so we don't have an empty hostname variable
#Ask for the server hostname to be used by ovs for client file generation
echo
""
echo
""
read
-p
"What is the generally-accessible name or IP address of the server?
For clients to be able to connect to the server, it must have a consistent
DNS name or IP address. Please enter this name or address here: "
SERVERADDR
#Ask port to be used by this server
#TODO Port number validation
echo
""
echo
""
read
-p
"What port number do you want this server to use?
For most uses the standard OpenVPN port of
$DEFAULT_PORT
is fine, however if you need to use a non standard port you
can specify a port number here [
$DEFAULT_PORT
]: "
SERVER_PORT
#Count the number of characters entered
COUNT
=(
$(
echo
-n
$SERVER_PORT
|
wc
-m
)
)
#If enter was pressed then lets just set the default OpenVPN Port here
if
[
$COUNT
-eq
0
]
then
SERVER_PORT
=
$DEFAULT_PORT
fi
#Ask for the transport protocol to be used by this server
if
[[
$DEFAULT_PROTOCOL_SELECTION
=
~ ^[2]+
$
]]
;
then
DEFAULT_PROTOCOL
=
TCP
else
DEFAULT_PROTOCOL
=
UDP
fi
echo
""
echo
""
read
-p
"What transport protocol is this server to use?
For most uses the standard protocol of UDP
is fine, however if you need to use TCP you can select
that here by entering the protocol number
1 UDP
2 TCP
[
$DEFAULT_PROTOCOL
]: "
PROTOCOL_SELECTION
#Count the number of characters entered
COUNT
=(
$(
echo
-n
$PROTOCOL_SELECTION
|
wc
-m
)
)
#If enter was pressed then lets just set the default OpenVPN Protocol here
if
[
$COUNT
-eq
0
]
then
PROTOCOL_SELECTION
=
$DEFAULT_PROTOCOL_SELECTION
VALID_PROTOCOL
=
1
else
#There was something entered so lets validate PROTOCOL_SELECTION
if
[[
$PROTOCOL_SELECTION
=
~ ^[1]+
$
]]
||
[[
$PROTOCOL_SELECTION
=
~ ^[2]+
$
]]
;
then
#We have a 1 or 2 so the selection is valid
VALID_PROTOCOL
=
1
else
#We don't have a 1 or 2 so selection is invalid
VALID_PROTOCOL
=
0
fi
fi
echo
""
echo
"Passed the first loop and variable is
$PROTOCOL_SELECTION
"
echo
""
#Check to make sure it was 1 or 2 entered, and if not then head into this loop
while
[[
$VALID_PROTOCOL
!=
1
]]
;
do
echo
""
echo
"You entered [
$PROTOCOL_SELECTION
]. Please only enter 1 or 2 "
echo
"1 UDP"
echo
"2 TCP"
read
-p
"[
$DEFAULT_PROTOCOL
]:"
PROTOCOL_SELECTION
COUNT
=(
$(
echo
-n
$PROTOCOL_SELECTION
|
wc
-m
)
)
if
[
$COUNT
-eq
0
]
;
then
#This lets us get out of the loop if you just press enter and it also sets PROTOCOL_SELECTION to the default
PROTOCOL_SELECTION
=
$DEFAULT_PROTOCOL_SELECTION
VALID_PROTOCOL
=
1
else
#There was something entered so lets validate the selection
if
[[
$PROTOCOL_SELECTION
=
~ ^[1-2]+
$
]]
;
then
#We have a valid selection so lets set VALID_PROTOCOL to 1 and get out of this loop
VALID_PROTOCOL
=
1
fi
fi
done
#Finally lets read the PROTOCOL_SELECTION variable and set the SERVER_PROTOCOL variable
if
[[
$PROTOCOL_SELECTION
=
~ ^[2]+
$
]]
;
then
SERVER_PROTOCOL
=
tcp
else
SERVER_PROTOCOL
=
udp
fi
#Lets show the user all the values entered and allow a verification before proceeding
echo
"Subnets:"
for
subnet
in
"
${
SUBNETS
[@]
}
"
do
echo
$subnet
done
echo
"Server address:
$SERVERADDR
"
echo
"Server port:
$SERVER_PORT
"
echo
"Server protocol:
$SERVER_PROTOCOL
"
#Asking the user a final yes or no question if the values are correct before proceeding
echo
""
read
-p
"Press y to proceed or any other key to abort: "
CORRECTVALUES
#old questions
echo
"This step creates a server certificate for using on an OpenVPN server"
read
-p
"Common Name of Server certificate, this should be unique,
using 4 to 30 upper or lowercase letters or numbers and _ ONLY: "
OVPN_COMMONNAME
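Review bot: the confirmation read into CORRECTVALUES at the end of this hunk ("Press y to proceed or any other key to abort") is never tested, so entering anything other than y does not abort; add a check such as `[ "$CORRECTVALUES" = "y" ] || exit 1` before the old questions continue. The protocol checks `^[1]+$`, `^[2]+$` and `^[1-2]+$` also accept repeated digits and mixed input such as "12", which passes the loop but then falls through to udp because only `^[2]+$` selects tcp; matching `^[12]$` once and reusing that result for the final SERVER_PROTOCOL assignment closes the gap. The `echo "Passed the first loop and variable is ..."` line reads as leftover debug output, and the port and subnet inputs remain unvalidated as the TODOs note, so `SUBNETS=( $SUBNETSTRING )` should at least be guarded against glob expansion of unexpected input.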
...
...
@@ -262,23 +446,23 @@ y" | \
function
make_server_bundle
{
.
/etc/openvpn-server/config.sh
local
email
=
"
$1
"
local
commonname
=
"
$2
"
local
parentworkdir
=
"
$3
"
.
/etc/openvpn-server/config.sh
local
email
=
"
$1
"
local
commonname
=
"
$2
"
local
parentworkdir
=
"
$3
"
local
WORKDIR
=
$(
mktemp
-d
)
local
WORKDIR
=
$(
mktemp
-d
)
pushd
$WORKDIR
>
/dev/null
pushd
$WORKDIR
>
/dev/null
echo
"------------------------------------------"
echo
-n
"Generating server key..."
KEY_NAME
=
"
$KEY_ORGANISATION
OpenVPN server on
$(
host
name
)
"
\
KEY_EMAIL
=
"
$ORG_EMAIL
"
\
KEY_NAME
=
$common
name
\
KEY_EMAIL
=
$email
\
openssl req
-nodes
-new
\
-keyout
$WORKDIR
/
$ORGNICK
-
$commonname
-server
.key
\
-out
$WORKDIR
/
$ORGNICK
-
$commonname
-server
.csr
\
-keyout
$WORKDIR
/
$
OVPN_
ORGNICK
-
$commonname
-server
.key
\
-out
$WORKDIR
/
$
OVPN_
ORGNICK
-
$commonname
-server
.csr
\
-extensions
server
\
-config
/etc/openvpn-server/openssl/openssl.cnf
echo
" done."
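Review bot: the env-prefix assignments `KEY_NAME=$commonname` and `KEY_EMAIL=$email` in front of `openssl req` are unquoted, unlike the `"$ORG_EMAIL"` form beside them; quote them (`KEY_NAME="$commonname" KEY_EMAIL="$email"`) so a value containing whitespace cannot be split into a separate argument. The hunk also shows both `$ORGNICK` and `$OVPN_ORGNICK` spellings in the `-keyout`/`-out` paths; use the one that /etc/openvpn-server/config.sh actually exports consistently, and quote the `$WORKDIR/...` paths for the same reason.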
...
...
@@ -292,8 +476,8 @@ y
KEY_NAME
=
"
$KEY_ORGANISATION
OpenVPN server on
$(
hostname
)
"
\
KEY_EMAIL
=
"
$ORG_EMAIL
"
\
openssl ca
-days
3650
\
-out
$WORKDIR
/
$ORGNICK
-
$commonname
-server
.crt
\
-in
$WORKDIR
/
$ORGNICK
-
$commonname
-server
.csr
\
-out
$WORKDIR
/
$
OVPN_
ORGNICK
-
$commonname
-server
.crt
\
-in
$WORKDIR
/
$
OVPN_
ORGNICK
-
$commonname
-server
.csr
\
-extensions
server
\
-config
/etc/openvpn-server/openssl/openssl.cnf
echo
" done."
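Review bot: `openssl ca -days 3650` hardcodes a ten-year validity for the server certificate; consider reading the lifetime from /etc/openvpn-server/config.sh next to the other defaults so it can be shortened without editing the function, and quote the `-in`/`-out` paths. As in the previous hunk, both `$ORGNICK` and `$OVPN_ORGNICK` appear in the path arguments; keep a single name so the CSR signed here is the one written by the `openssl req` step.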
...
...
@@ -301,20 +485,20 @@ y
echo
"------------------------------------------"
echo
-n
"Converting key to pkcs12 format..."
openssl pkcs12
-export
\
-inkey
$WORKDIR
/
$ORGNICK
-
$commonname
-server
.key
\
-in
$WORKDIR
/
$ORGNICK
-
$commonname
-server
.crt
\
-inkey
$WORKDIR
/
$
OVPN_
ORGNICK
-
$commonname
-server
.key
\
-in
$WORKDIR
/
$
OVPN_
ORGNICK
-
$commonname
-server
.crt
\
-password
pass:
\
-certfile
/var/lib/openvpn-server/openssl/ca.crt
\
-out
/
etc
/openvpn-server/
$
ORGNICK
-
$commonname
-server
.p12
-out
/
var/lib
/openvpn-server/
openssl/
$OVPN_
ORGNICK
-
$commonname
-server
.p12
echo
" done."
chmod
0600 /
etc
/openvpn-server/
$
ORGNICK
-
$commonname
-server
.p12
chmod
0600 /
var/lib
/openvpn-server/
openssl/
$OVPN_
ORGNICK
-
$commonname
-server
.p12
popd
>
/dev/null
popd
>
/dev/null
cp
$WORKDIR
/
*
$parentworkdir
/
cp
$WORKDIR
/
*
$parentworkdir
/
rm
-rf
$WORKDIR
rm
-rf
$WORKDIR
}
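Review bot: `openssl pkcs12 -export ... -password pass:` writes the server private key into the .p12 with an empty password; the following `chmod 0600` limits exposure, but if the empty password is deliberate it should be stated in a comment, and if not, take it from config.sh or prompt for it. Separately, `local WORKDIR=$(mktemp -d)` masks a mktemp failure because `local` returns 0, and with an empty WORKDIR the unquoted `cp $WORKDIR/* $parentworkdir/` copies from the filesystem root; declare and assign separately (`local WORKDIR; WORKDIR=$(mktemp -d) || return 1`) and quote `$WORKDIR`, `$parentworkdir` and the `rm -rf` argument.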
...
...
scripts/build-server-cert (+27 −14) View file @ 7e524cac
#!/bin/bash
#!/bin/bash
set
-e
...
...
@@ -36,15 +36,29 @@ FILEBASE="${OVPN_ORGNICK}-${OVPN_COMMONNAME}"
make_server_bundle
"
$OVPN_EMAIL
"
"
$OVPN_COMMONNAME
"
"
$WORKDIR
"
CA
=
`
cat
"
$OVPN_ORGNAME
"
-ca
.crt
`
CERT
=
`
sed
-n
"/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p"
$OVPN_COMMONNAME
-server
.crt
`
KEY
=
`
cat
$OVPN_COMMONNAME
-server
.key
`
CA
=
`
cat
/var/lib/openvpn-server/openssl/ca.crt
`
CERT
=
`
sed
-n
"/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p"
$FILEBASE
-server
.crt
`
KEY
=
`
cat
$FILEBASE
-server
.key
`
OCTET2
=
$((
$RANDOM
%
16
+
16
))
OCTET3
=
$((
$RANDOM
%
256
/
4
*
4
))
SERVERLINE
=
"server 172.
$OCTET2
.
$OCTET3
.0 255.255.252.0"
#Assemble the array containing the local networks to route into
#the correct push statements for the OpenVPN config file
for
subnet
in
"
${
SUBNETS
[@]
}
"
;
do
NET
=
${
subnet
/\/*/
}
MASK
=
${
subnet
/*\//
}
SUBNET_ARRAY+
=(
"push
\"
route
$NET
$MASK
\"
"
)
done
sed
"s/%%SERVER_PORT%%/
$SERVER_PORT
/;
s/%%SERVER_PROTOCOL%%/
$SERVER_PROTOCOL
/;
s/%%ORGNICK%%/
$ORGNICK
/;
s/%%SERVERLINE%%/
$SERVERLINE
/;"
\
< /usr/share/openvpn-server/config-templates/server.conf
\
>
$WORKDIR
/
${
FILEBASE
}
-server
.conf
sed
"s/%%PORT%%/
$OVPN_PORT
/;
s/%%PROTOCOL%%/
$OVPN_PROTO
/;
s/%%REMOTE%%/
$OVPN_REMOTE
/"
\
/usr/share/openvpn-server/config-templates/server.conf
\
>
${
FILEBASE
}
-server
.conf
echo
"
<ca>
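Review bot: the new sed expression replaces `%%ORGNICK%%` with `$ORGNICK`, while this script names the organisation nick `$OVPN_ORGNICK` (see `FILEBASE="${OVPN_ORGNICK}-${OVPN_COMMONNAME}"` in the hunk header); if ORGNICK is not set the placeholder becomes an empty string in the generated server.conf, so this should be `$OVPN_ORGNICK`. The randomly chosen `server 172.$OCTET2.$OCTET3.0 255.255.252.0` tunnel network is never compared with the entries of SUBNETS that are turned into `push "route ..."` lines, so a pushed route can overlap the tunnel network; check for overlap before writing the config. SUBNET_ARRAY is assembled here but not consumed by the visible sed, and the unquoted `> $WORKDIR/${FILEBASE}-server.conf` target should be quoted.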
...
...
@@ -59,17 +73,16 @@ $KEY
popd
>
/dev/null
OVPNFILE
=
"openvpn-
${
FILEBASE
}
-server.conf"
cp
${
WORKDIR
}
/
${
FILEBASE
}
-server
.conf ./
$OVPNFILE
if
[
-z
"
$CACHE_BUILDS
"
]
;
then
cp
${
WORKDIR
}
/
${
FILEBASE
}
-server
.conf ./
$OVPNFILE
echo
"Your OpenVPN generic client has been built in
${
OVPNFILE
}
"
echo
"Your OpenVPN generic client has been built in
${
OVPNFILE
}
"
else
make_cache
cp
${
WORKDIR
}
/
${
FILEBASE
}
-server
.conf
"
${
CACHE_BUILDS
}
/
${
OVPNFILE
}
"
echo
"Your OpenVPN generic client has been built in
${
CACHE_BUILDS
}
/
${
OVPNFILE
}
"
cp
${
WORKDIR
}
/
${
FILEBASE
}
-server
.conf
"
${
CACHE_BUILDS
}
/"
echo
"Your OpenVPN generic client has been built in
${
CACHE_BUILDS
}
/
${
OVPNFILE
}
"
fi
rm
-rf
$WORKDIR
echo
"install this config file in /etc/openvpn on the target server"
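Review bot: the success messages in both branches still read "Your OpenVPN generic client has been built in ...", but this script produces the server configuration (the final line says to install it in /etc/openvpn on the target server); update the wording so operators do not hand the file to clients. Because the generated .conf embeds the CA and the private key inline (the `<ca>` block opened in the previous hunk and the `$KEY` context at the top of this one), the `cp` into `./$OVPNFILE` and into `${CACHE_BUILDS}` should set a restrictive mode (for example `install -m 0600 ...`) rather than inherit the default umask, and `rm -rf $WORKDIR` should be quoted.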