Major refactor of vpn install
parent
2969c701a0
commit
135fb64534
1 changed files with 134 additions and 40 deletions
|
@ -1,60 +1,154 @@
|
||||||
# rough history from wilk - need to cleanup
|
#!/bin/bash
|
||||||
apt-get install -y openvpn bridge-utils
|
# install_openvpn.sh - Install OpenVPN and generate required certificates
|
||||||
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
|
#
|
||||||
cd /etc/openvpn/easy-rsa
|
# install_openvpn.sh --client name
|
||||||
source vars
|
# install_openvpn.sh --server [name]
|
||||||
./clean-all
|
#
|
||||||
./build-dh
|
# name is used on the CN of the generated cert, and the filename of
|
||||||
./pkitool --initca
|
# the configuration, certificate and key files.
|
||||||
./pkitool --server server
|
#
|
||||||
./pkitool client1
|
# --server mode configures the host with a running OpenVPN server instance
|
||||||
cd keys
|
# --client mode creates a tarball of a client configuration for this server
|
||||||
openvpn --genkey --secret ta.key ## Build a TLS key
|
|
||||||
cp server.crt server.key ca.crt dh1024.pem ta.key ../../
|
|
||||||
cd ../../
|
|
||||||
|
|
||||||
cat >/etc/openvpn/server.conf <<EOF
|
# VPN Config
|
||||||
duplicate-cn
|
VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`} # 50.56.12.212
|
||||||
port 6081
|
VPN_PROTO=${VPN_PROTO:-tcp}
|
||||||
proto tcp
|
VPN_PORT=${VPN_PORT:-6081}
|
||||||
dev tun
|
VPN_DEV=${VPN_DEV:-tun}
|
||||||
|
VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}
|
||||||
|
VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}
|
||||||
|
VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}
|
||||||
|
VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}
|
||||||
|
|
||||||
|
VPN_DIR=/etc/openvpn
|
||||||
|
CA_DIR=/etc/openvpn/easy-rsa
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
echo "$0 - OpenVPN install and certificate generation"
|
||||||
|
echo ""
|
||||||
|
echo "$0 --client name"
|
||||||
|
echo "$0 --server [name]"
|
||||||
|
echo ""
|
||||||
|
echo " --server mode configures the host with a running OpenVPN server instance"
|
||||||
|
echo " --client mode creates a tarball of a client configuration for this server"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ -z $1 ]; then
|
||||||
|
usage
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Install OpenVPN
|
||||||
|
if [ ! -x `which openvpn` ]; then
|
||||||
|
apt-get install -y openvpn bridge-utils
|
||||||
|
fi
|
||||||
|
if [ ! -d $CA_DIR ]; then
|
||||||
|
cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
|
||||||
|
fi
|
||||||
|
|
||||||
|
OPWD=`pwd`
|
||||||
|
cd $CA_DIR
|
||||||
|
source ./vars
|
||||||
|
|
||||||
|
# Override the defaults
|
||||||
|
export KEY_COUNTRY="US"
|
||||||
|
export KEY_PROVINCE="TX"
|
||||||
|
export KEY_CITY="SanAntonio"
|
||||||
|
export KEY_ORG="Cloudbuilders"
|
||||||
|
export KEY_EMAIL="rcb@lists.rackspace.com"
|
||||||
|
|
||||||
|
if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
|
||||||
|
# Initialize a new CA
|
||||||
|
$CA_DIR/clean-all
|
||||||
|
$CA_DIR/build-dh
|
||||||
|
$CA_DIR/pkitool --initca
|
||||||
|
openvpn --genkey --secret $CA_DIR/keys/ta.key ## Build a TLS key
|
||||||
|
fi
|
||||||
|
|
||||||
|
do_server() {
|
||||||
|
NAME=$1
|
||||||
|
# Generate server certificate
|
||||||
|
$CA_DIR/pkitool --server $NAME
|
||||||
|
|
||||||
|
(cd $CA_DIR/keys;
|
||||||
|
cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
|
||||||
|
)
|
||||||
|
cat >$VPN_DIR/$NAME.conf <<EOF
|
||||||
|
proto $VPN_PROTO
|
||||||
|
port $VPN_PORT
|
||||||
|
dev $VPN_DEV
|
||||||
|
cert $NAME.crt
|
||||||
|
key $NAME.key # This file should be kept secret
|
||||||
ca ca.crt
|
ca ca.crt
|
||||||
cert server.crt
|
|
||||||
key server.key # This file should be kept secret
|
|
||||||
dh dh1024.pem
|
dh dh1024.pem
|
||||||
server 172.16.28.0 255.255.255.0
|
duplicate-cn
|
||||||
|
server $VPN_CLIENT_NET $VPN_CLIENT_MASK
|
||||||
ifconfig-pool-persist ipp.txt
|
ifconfig-pool-persist ipp.txt
|
||||||
push "route 10.0.0.0 255.255.255.224"
|
push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"
|
||||||
comp-lzo
|
comp-lzo
|
||||||
|
user nobody
|
||||||
|
group nobody
|
||||||
persist-key
|
persist-key
|
||||||
persist-tun
|
persist-tun
|
||||||
status openvpn-status.log
|
status openvpn-status.log
|
||||||
EOF
|
EOF
|
||||||
/etc/init.d/openvpn restart
|
/etc/init.d/openvpn restart
|
||||||
|
}
|
||||||
|
|
||||||
echo Use the following ca for your client:
|
do_client() {
|
||||||
cat /etc/openvpn/ca.crt
|
NAME=$1
|
||||||
|
# Generate a client certificate
|
||||||
|
$CA_DIR/pkitool $NAME
|
||||||
|
|
||||||
echo
|
TMP_DIR=`mktemp -d`
|
||||||
echo Use the following cert for your client
|
(cd $CA_DIR/keys;
|
||||||
cat /etc/openvpn/easy-rsa/keys/client1.crt
|
cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
|
||||||
echo
|
)
|
||||||
echo Use the following key for your client
|
if [ -r $VPN_DIR/hostname ]; then
|
||||||
cat /etc/openvpn/easy-rsa/keys/client1.key
|
HOST=`cat $VPN_DIR/hostname`
|
||||||
echo
|
else
|
||||||
echo Use the following client config:
|
HOST=`hostname`
|
||||||
cat <<EOF
|
fi
|
||||||
|
cat >$TMP_DIR/$HOST.conf <<EOF
|
||||||
|
proto $VPN_PROTO
|
||||||
|
port $VPN_PORT
|
||||||
|
dev $VPN_DEV
|
||||||
|
cert $NAME.crt
|
||||||
|
key $NAME.key # This file should be kept secret
|
||||||
ca ca.crt
|
ca ca.crt
|
||||||
cert client.crt
|
|
||||||
key client.key
|
|
||||||
client
|
client
|
||||||
dev tun
|
remote $VPN_SERVER $VPN_PORT
|
||||||
proto tcp
|
|
||||||
remote 50.56.12.212 6081
|
|
||||||
resolv-retry infinite
|
resolv-retry infinite
|
||||||
nobind
|
nobind
|
||||||
|
user nobody
|
||||||
|
group nobody
|
||||||
persist-key
|
persist-key
|
||||||
persist-tun
|
persist-tun
|
||||||
comp-lzo
|
comp-lzo
|
||||||
verb 3
|
verb 3
|
||||||
EOF
|
EOF
|
||||||
|
(cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)
|
||||||
|
rm -rf $TMP_DIR
|
||||||
|
echo "Client certificate and configuration is in $OPWD/$NAME.tar"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Process command line args
|
||||||
|
case $1 in
|
||||||
|
--client) if [ -z $2 ]; then
|
||||||
|
usage
|
||||||
|
fi
|
||||||
|
do_client $2
|
||||||
|
;;
|
||||||
|
--server) if [ -z $2 ]; then
|
||||||
|
NAME=`hostname`
|
||||||
|
else
|
||||||
|
NAME=$2
|
||||||
|
# Save for --client use
|
||||||
|
echo $NAME >$VPN_DIR/hostname
|
||||||
|
fi
|
||||||
|
do_server $NAME
|
||||||
|
;;
|
||||||
|
--clean) $CA_DIR/clean-all
|
||||||
|
;;
|
||||||
|
*) usage
|
||||||
|
esac
|
||||||
|
|
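Review bot: The `ta.key` that `openvpn --genkey --secret $CA_DIR/keys/ta.key` creates and that `do_server` copies next to the server cert and `do_client` packs into the tarball is never referenced by either generated config, so the tls-auth HMAC it is meant to provide is not enabled; add `tls-auth ta.key 0` to the server heredoc after `dh dh1024.pem` and `tls-auth ta.key 1` to the client heredoc after `key $NAME.key`. The client heredoc also has no `ns-cert-type server`, so any certificate signed by this CA, including another client's, would be accepted as the server, and `duplicate-cn` on the server side makes a leaked client key reusable with no `crl-verify` to revoke it. Separately, `if [ ! -x \`which openvpn\` ]` collapses to `[ ! -x ]` when openvpn is absent, which tests the non-empty string `-x` and negates it, so the `apt-get install` branch is skipped precisely when it is needed; `if ! command -v openvpn >/dev/null; then` is the reliable form. Finally, `group nobody` in both heredocs presumably needs to be `nogroup` on the Debian-derived hosts that `apt-get` implies, otherwise OpenVPN cannot resolve the GID and will refuse to start rather than drop privileges.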