Skip to content
Snippets Groups Projects
Commit 7e524cac authored by David Kempe's avatar David Kempe
Browse files

imported all the questions from init. still some TODO

parent 4968626c
Branches
No related tags found
No related merge requests found
Pipeline #1802 passed
......@@ -79,6 +79,190 @@ done
function ask_server_questions
{
#copied over from init
# READ the config from here - you need to have init'ed first - ideally ovs init-ca
. /etc/openvpn-server/config.sh
DEFAULT_PORT=1194 #Default OpenVPN Port
DEFAULT_PROTOCOL_SELECTION=1 #Default OpenVPN Protocol to use, set 1 for UDP and 2 for TCP
if [ -f /var/lib/openvpn-server/ca-store ]
then
# /usr/lib/openvpn-server/ovs-commands/mount-ca-store
# if [ $? = 1 ]
# then
if grep -q ca-store /proc/mounts
then
echo "ca-store mounted"
else
echo "ca-store not mounted, or your session has expired."
echo "Use ovs mount-ca-store to mount your ca-store"
exit 1
fi
fi
#TODO - setup an init-ca function - so the steps will be init-ca build-server and then build clients. server certs and config gets copied to server.
# KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORGANISATION are all CA related info. $OVPN_ORGNICK, read from config.sh
# ORG_EMAIL read from config.sh
#Ask for any subnets to push to clients
## TODO subnet input validation. A shell case statement might be enough
## since it provides pattern matching.
echo ""
echo ""
read -p "Specify the subnet you want VPN clients to be able to access.
If you provide a value here, this subnet range will be pushed to
clients as one which can be accessed via this VPN server.
You must specify the subnet in the format nnn.nnn.nnn.nnn/sss.sss.sss.sss,
where nnn.nnn.nnn.nnn is the network and sss.sss.sss.sss is the subnet mask.
For example, to tell clients to use this VPN to access the 192.168.10.0/24
network, enter 192.168.10.0/255.255.255.0
You may also specify multiple subnets to route by providing them all here,
separated by spaces. For example to tell clients to use this VPN to access
the 192.168.10.0/24 and 192.168.20.0/24 networks enter
192.168.10.0/255.255.255.0 192.168.11.0/255.255.255.0
If you wish this server to be standalone, and not provide access to any
other networks, leave this option blank.
: " SUBNETSTRING
#Turn the SUBNETSTRING variable into an array
SUBNETS=($SUBNETSTRING)
#TODO: Use this text as a base for subnet validation message when I wrote that check
#The subnet specification you provided was incorrect.
# The set of subnets you gave was incorrect. Please go back and try again.
#TODO: Add some validation so we don't have an empty hostname variable
#Ask for the server hostname to be used by ovs for client file generation
echo ""
echo ""
read -p "What is the generally-accessible name or IP address of the server?
For clients to be able to connect to the server, it must have a consistent
DNS name or IP address. Please enter this name or address here: " SERVERADDR
#Ask port to be used by this server
#TODO Port number validation
echo ""
echo ""
read -p "What port number do you want this server to use?
For most uses the standard OpenVPN port of $DEFAULT_PORT
is fine, however if you need to use a non standard port you
can specify a port number here [$DEFAULT_PORT]: " SERVER_PORT
#Count the number of characters entered
COUNT=($(echo -n $SERVER_PORT | wc -m))
#If enter was pressed then lets just set the default OpenVPN Port here
if [ $COUNT -eq 0 ]
then
SERVER_PORT=$DEFAULT_PORT
fi
#Ask for the transport protocol to be used by this server
if [[ $DEFAULT_PROTOCOL_SELECTION =~ ^[2]+$ ]]; then
DEFAULT_PROTOCOL=TCP
else
DEFAULT_PROTOCOL=UDP
fi
echo ""
echo ""
read -p "What transport protocol is this server to use?
For most uses the standard protocol of UDP
is fine, however if you need to use TCP you can select
that here by entering the protocol number
1 UDP
2 TCP
[$DEFAULT_PROTOCOL]: " PROTOCOL_SELECTION
#Count the number of characters entered
COUNT=($(echo -n $PROTOCOL_SELECTION | wc -m))
#If enter was pressed then lets just set the default OpenVPN Protocol here
if [ $COUNT -eq 0 ]
then
PROTOCOL_SELECTION=$DEFAULT_PROTOCOL_SELECTION
VALID_PROTOCOL=1
else
#There was something entered so lets validate PROTOCOL_SELECTION
if [[ $PROTOCOL_SELECTION =~ ^[1]+$ ]] || [[ $PROTOCOL_SELECTION =~ ^[2]+$ ]]; then
#We have a 1 or 2 so the selection is valid
VALID_PROTOCOL=1
else
#We don't have a 1 or 2 so selection is invalid
VALID_PROTOCOL=0
fi
fi
echo ""
echo "Passed the first loop and variable is $PROTOCOL_SELECTION"
echo ""
#Check to make sure it was 1 or 2 entered, and if not then head into this loop
while [[ $VALID_PROTOCOL != 1 ]]; do
echo ""
echo "You entered [$PROTOCOL_SELECTION]. Please only enter 1 or 2 "
echo "1 UDP"
echo "2 TCP"
read -p "[$DEFAULT_PROTOCOL]:" PROTOCOL_SELECTION
COUNT=($(echo -n $PROTOCOL_SELECTION | wc -m))
if [ $COUNT -eq 0 ]; then
#This lets us get out of the loop if you just press enter and it also sets PROTOCOL_SELECTION to the default
PROTOCOL_SELECTION=$DEFAULT_PROTOCOL_SELECTION
VALID_PROTOCOL=1
else
#There was something entered so lets validate the selection
if [[ $PROTOCOL_SELECTION =~ ^[1-2]+$ ]]; then
#We have a valid selection so lets set VALID_PROTOCOL to 1 and get out of this loop
VALID_PROTOCOL=1
fi
fi
done
#Finally lets read the PROTOCOL_SELECTION variable and set the SERVER_PROTOCOL variable
if [[ $PROTOCOL_SELECTION =~ ^[2]+$ ]]; then
SERVER_PROTOCOL=tcp
else
SERVER_PROTOCOL=udp
fi
#Lets show the user all the values entered and allow a verification before proceeding
echo "Subnets:"
for subnet in "${SUBNETS[@]}"
do
echo $subnet
done
echo "Server address: $SERVERADDR"
echo "Server port: $SERVER_PORT"
echo "Server protocol: $SERVER_PROTOCOL"
#Asking the user a final yes or no question if the values are correct before proceeding
echo ""
read -p "Press y to proceed or any other key to abort: " CORRECTVALUES
#old questions
echo "This step creates a server certificate for using on an OpenVPN server"
read -p "Common Name of Server certificate, this should be unique,
using 4 to 30 upper or lowercase letters or numbers and _ ONLY: " OVPN_COMMONNAME
......@@ -262,23 +446,23 @@ y" | \
function make_server_bundle
{
. /etc/openvpn-server/config.sh
local email="$1"
local commonname="$2"
local parentworkdir="$3"
. /etc/openvpn-server/config.sh
local email="$1"
local commonname="$2"
local parentworkdir="$3"
local WORKDIR=$(mktemp -d)
local WORKDIR=$(mktemp -d)
pushd $WORKDIR >/dev/null
pushd $WORKDIR >/dev/null
echo "------------------------------------------"
echo -n "Generating server key..."
KEY_NAME="$KEY_ORGANISATION OpenVPN server on $(hostname)" \
KEY_EMAIL="$ORG_EMAIL" \
KEY_NAME=$commonname \
KEY_EMAIL=$email \
openssl req -nodes -new \
-keyout $WORKDIR/$ORGNICK-$commonname-server.key \
-out $WORKDIR/$ORGNICK-$commonname-server.csr \
-keyout $WORKDIR/$OVPN_ORGNICK-$commonname-server.key \
-out $WORKDIR/$OVPN_ORGNICK-$commonname-server.csr \
-extensions server \
-config /etc/openvpn-server/openssl/openssl.cnf
echo " done."
......@@ -292,8 +476,8 @@ y
KEY_NAME="$KEY_ORGANISATION OpenVPN server on $(hostname)" \
KEY_EMAIL="$ORG_EMAIL" \
openssl ca -days 3650 \
-out $WORKDIR/$ORGNICK-$commonname-server.crt \
-in $WORKDIR/$ORGNICK-$commonname-server.csr \
-out $WORKDIR/$OVPN_ORGNICK-$commonname-server.crt \
-in $WORKDIR/$OVPN_ORGNICK-$commonname-server.csr \
-extensions server \
-config /etc/openvpn-server/openssl/openssl.cnf
echo " done."
......@@ -301,20 +485,20 @@ y
echo "------------------------------------------"
echo -n "Converting key to pkcs12 format..."
openssl pkcs12 -export \
-inkey $WORKDIR/$ORGNICK-$commonname-server.key \
-in $WORKDIR/$ORGNICK-$commonname-server.crt \
-inkey $WORKDIR/$OVPN_ORGNICK-$commonname-server.key \
-in $WORKDIR/$OVPN_ORGNICK-$commonname-server.crt \
-password pass: \
-certfile /var/lib/openvpn-server/openssl/ca.crt \
-out /etc/openvpn-server/$ORGNICK-$commonname-server.p12
-out /var/lib/openvpn-server/openssl/$OVPN_ORGNICK-$commonname-server.p12
echo " done."
chmod 0600 /etc/openvpn-server/$ORGNICK-$commonname-server.p12
chmod 0600 /var/lib/openvpn-server/openssl/$OVPN_ORGNICK-$commonname-server.p12
popd >/dev/null
popd >/dev/null
cp $WORKDIR/* $parentworkdir/
cp $WORKDIR/* $parentworkdir/
rm -rf $WORKDIR
rm -rf $WORKDIR
}
......
#!/bin/bash
#!/bin/bash
set -e
......@@ -36,15 +36,29 @@ FILEBASE="${OVPN_ORGNICK}-${OVPN_COMMONNAME}"
make_server_bundle "$OVPN_EMAIL" "$OVPN_COMMONNAME" "$WORKDIR"
CA=`cat "$OVPN_ORGNAME"-ca.crt`
CERT=`sed -n "/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p" $OVPN_COMMONNAME-server.crt`
KEY=`cat $OVPN_COMMONNAME-server.key`
CA=`cat /var/lib/openvpn-server/openssl/ca.crt`
CERT=`sed -n "/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p" $FILEBASE-server.crt`
KEY=`cat $FILEBASE-server.key`
OCTET2=$(($RANDOM % 16 + 16))
OCTET3=$(($RANDOM % 256 / 4 * 4))
SERVERLINE="server 172.$OCTET2.$OCTET3.0 255.255.252.0"
#Assemble the array containing the local networks to route into
#the correct push statements for the OpenVPN config file
for subnet in "${SUBNETS[@]}"; do
NET=${subnet/\/*/}
MASK=${subnet/*\//}
SUBNET_ARRAY+=("push \"route $NET $MASK\"")
done
sed "s/%%SERVER_PORT%%/$SERVER_PORT/;
s/%%SERVER_PROTOCOL%%/$SERVER_PROTOCOL/;
s/%%ORGNICK%%/$ORGNICK/;
s/%%SERVERLINE%%/$SERVERLINE/;" \
< /usr/share/openvpn-server/config-templates/server.conf \
> $WORKDIR/${FILEBASE}-server.conf
sed "s/%%PORT%%/$OVPN_PORT/;
s/%%PROTOCOL%%/$OVPN_PROTO/;
s/%%REMOTE%%/$OVPN_REMOTE/" \
/usr/share/openvpn-server/config-templates/server.conf \
> ${FILEBASE}-server.conf
echo "
<ca>
......@@ -59,17 +73,16 @@ $KEY
popd >/dev/null
OVPNFILE="openvpn-${FILEBASE}-server.conf"
cp ${WORKDIR}/${FILEBASE}-server.conf ./$OVPNFILE
if [ -z "$CACHE_BUILDS" ]; then
cp ${WORKDIR}/${FILEBASE}-server.conf ./$OVPNFILE
echo "Your OpenVPN generic client has been built in ${OVPNFILE}"
echo "Your OpenVPN generic client has been built in ${OVPNFILE}"
else
make_cache
cp ${WORKDIR}/${FILEBASE}-server.conf "${CACHE_BUILDS}/${OVPNFILE}"
echo "Your OpenVPN generic client has been built in ${CACHE_BUILDS}/${OVPNFILE}"
cp ${WORKDIR}/${FILEBASE}-server.conf "${CACHE_BUILDS}/"
echo "Your OpenVPN generic client has been built in ${CACHE_BUILDS}/${OVPNFILE}"
fi
rm -rf $WORKDIR
echo "install this config file in /etc/openvpn on the target server"
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment