Major refactor of vpn install

This commit is contained in:
Dean Troyer 2011-09-27 12:57:53 -05:00
parent 2969c701a0
commit 135fb64534

View file

@ -1,60 +1,154 @@
# rough history from wilk - need to cleanup #!/bin/bash
apt-get install -y openvpn bridge-utils # install_openvpn.sh - Install OpenVPN and generate required certificates
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/ #
cd /etc/openvpn/easy-rsa # install_openvpn.sh --client name
source vars # install_openvpn.sh --server [name]
./clean-all #
./build-dh # name is used on the CN of the generated cert, and the filename of
./pkitool --initca # the configuration, certificate and key files.
./pkitool --server server #
./pkitool client1 # --server mode configures the host with a running OpenVPN server instance
cd keys # --client mode creates a tarball of a client configuration for this server
openvpn --genkey --secret ta.key ## Build a TLS key
cp server.crt server.key ca.crt dh1024.pem ta.key ../../
cd ../../
cat >/etc/openvpn/server.conf <<EOF # VPN Config
duplicate-cn VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`} # 50.56.12.212
port 6081 VPN_PROTO=${VPN_PROTO:-tcp}
proto tcp VPN_PORT=${VPN_PORT:-6081}
dev tun VPN_DEV=${VPN_DEV:-tun}
VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}
VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}
VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}
VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}
VPN_DIR=/etc/openvpn
CA_DIR=/etc/openvpn/easy-rsa
usage() {
echo "$0 - OpenVPN install and certificate generation"
echo ""
echo "$0 --client name"
echo "$0 --server [name]"
echo ""
echo " --server mode configures the host with a running OpenVPN server instance"
echo " --client mode creates a tarball of a client configuration for this server"
exit 1
}
if [ -z $1 ]; then
usage
fi
# Install OpenVPN
if [ ! -x `which openvpn` ]; then
apt-get install -y openvpn bridge-utils
fi
if [ ! -d $CA_DIR ]; then
cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
fi
OPWD=`pwd`
cd $CA_DIR
source ./vars
# Override the defaults
export KEY_COUNTRY="US"
export KEY_PROVINCE="TX"
export KEY_CITY="SanAntonio"
export KEY_ORG="Cloudbuilders"
export KEY_EMAIL="rcb@lists.rackspace.com"
if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
# Initialize a new CA
$CA_DIR/clean-all
$CA_DIR/build-dh
$CA_DIR/pkitool --initca
openvpn --genkey --secret $CA_DIR/keys/ta.key ## Build a TLS key
fi
do_server() {
NAME=$1
# Generate server certificate
$CA_DIR/pkitool --server $NAME
(cd $CA_DIR/keys;
cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
)
cat >$VPN_DIR/$NAME.conf <<EOF
proto $VPN_PROTO
port $VPN_PORT
dev $VPN_DEV
cert $NAME.crt
key $NAME.key # This file should be kept secret
ca ca.crt ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem dh dh1024.pem
server 172.16.28.0 255.255.255.0 duplicate-cn
server $VPN_CLIENT_NET $VPN_CLIENT_MASK
ifconfig-pool-persist ipp.txt ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.224" push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"
comp-lzo comp-lzo
user nobody
group nobody
persist-key persist-key
persist-tun persist-tun
status openvpn-status.log status openvpn-status.log
EOF EOF
/etc/init.d/openvpn restart /etc/init.d/openvpn restart
}
echo Use the following ca for your client: do_client() {
cat /etc/openvpn/ca.crt NAME=$1
# Generate a client certificate
$CA_DIR/pkitool $NAME
echo TMP_DIR=`mktemp -d`
echo Use the following cert for your client (cd $CA_DIR/keys;
cat /etc/openvpn/easy-rsa/keys/client1.crt cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
echo )
echo Use the following key for your client if [ -r $VPN_DIR/hostname ]; then
cat /etc/openvpn/easy-rsa/keys/client1.key HOST=`cat $VPN_DIR/hostname`
echo else
echo Use the following client config: HOST=`hostname`
cat <<EOF fi
cat >$TMP_DIR/$HOST.conf <<EOF
proto $VPN_PROTO
port $VPN_PORT
dev $VPN_DEV
cert $NAME.crt
key $NAME.key # This file should be kept secret
ca ca.crt ca ca.crt
cert client.crt
key client.key
client client
dev tun remote $VPN_SERVER $VPN_PORT
proto tcp
remote 50.56.12.212 6081
resolv-retry infinite resolv-retry infinite
nobind nobind
user nobody
group nobody
persist-key persist-key
persist-tun persist-tun
comp-lzo comp-lzo
verb 3 verb 3
EOF EOF
(cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)
rm -rf $TMP_DIR
echo "Client certificate and configuration is in $OPWD/$NAME.tar"
}
# Process command line args
case $1 in
--client) if [ -z $2 ]; then
usage
fi
do_client $2
;;
--server) if [ -z $2 ]; then
NAME=`hostname`
else
NAME=$2
# Save for --client use
echo $NAME >$VPN_DIR/hostname
fi
do_server $NAME
;;
--clean) $CA_DIR/clean-all
;;
*) usage
esac