pivpn/scripts/makeOVPN.sh

344 lines
10 KiB
Bash
Raw Normal View History

2016-10-04 17:46:14 +00:00
#!/bin/bash
# Create OVPN Client
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".key"
2016-10-04 17:46:14 +00:00
CA="ca.crt"
TA="ta.key"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
2016-04-19 18:01:55 +00:00
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
helpFunc() {
echo "::: Create a client ovpn profile, optional nopass"
echo ":::"
echo "::: Usage: pivpn <-a|add> [-b|--bitwarden] [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]"
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: nopass Create a client without a password"
echo "::: -b,--bitwarden Create and save a client through Bitwarden"
echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)"
echo "::: -n,--name Name for the Client (default: '"$(hostname)"')"
echo "::: -p,--password Password for the Client (no default)"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0
do
_key="$1"
case "$_key" in
-n|--name|--name=*)
_val="${_key##--name=}"
if test "$_val" = "$_key"
then
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
_val="$2"
shift
fi
NAME="$_val"
;;
-p|--password|--password=*)
_val="${_key##--password=}"
if test "$_val" = "$_key"
then
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
_val="$2"
shift
fi
PASSWD="$_val"
;;
-d|--days|--days=*)
_val="${_key##--days=}"
if test "$_val" = "$_key"
then
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
_val="$2"
shift
fi
DAYS="$_val"
;;
-h|--help)
helpFunc
exit 0
;;
nopass)
NO_PASS="1"
;;
-b|--bitwarden)
BITWARDEN="2"
;;
*)
2018-02-15 09:14:03 +00:00
echo "Error: Got an unexpected argument '$1'"
helpFunc
exit 1
;;
esac
shift
done
# Functions def
function keynoPASS() {
#Build the client key
expect << EOF
2016-10-09 11:34:17 +00:00
set timeout -1
set env(EASYRSA_CERT_EXPIRE) "${DAYS}"
spawn ./easyrsa build-client-full "${NAME}" nopass
expect eof
EOF
cd pki || exit
}
function useBitwarden() {
# login and unlock vault
printf "****Bitwarden Login****"
printf "\n"
SESSION_KEY=`bw login --raw`
export BW_SESSION=$SESSION_KEY
printf "Successfully Logged in!"
printf "\n"
# ask user for username
printf "Enter the username: "
read -r NAME
# check name
until [[ "$NAME" =~ ^[a-zA-Z0-9.@_-]+$ && ${NAME::1} != "." && ${NAME::1} != "-" ]]
do
echo "Name can only contain alphanumeric characters and these characters (.-@_). The name also cannot start with a dot (.) or a dash (-). Please try again."
# ask user for username again
printf "Enter the username: "
read -r NAME
done
# ask user for length of password
printf "Please enter the length of characters you want your password to be (minimum 12): "
read -r LENGTH
# check length
until [[ "$LENGTH" -gt 11 && "$LENGTH" -lt 129 ]]
do
echo "Password must be between from 12 to 128 characters, please try again."
# ask user for length of password
printf "Enter the length of characters you want your password to be (minimum 12): "
read -r LENGTH
done
printf "Creating a PiVPN item for your vault..."
printf "\n"
# create a new item for your PiVPN Password
PASSWD=`bw generate -usln --length $LENGTH`
bw get template item | jq '.login.type = "1"'| jq '.name = "PiVPN"' | jq -r --arg NAME "$NAME" '.login.username = $NAME' | jq -r --arg PASSWD "$PASSWD" '.login.password = $PASSWD' | bw encode | bw create item
bw logout
}
function keyPASS() {
if [[ -z "${PASSWD}" ]]; then
stty -echo
while true
do
printf "Enter the password for the client: "
read -r PASSWD
printf "\n"
printf "Enter the password again to verify: "
read -r PASSWD2
printf "\n"
[ "${PASSWD}" = "${PASSWD2}" ] && break
printf "Passwords do not match! Please try again.\n"
done
stty echo
if [[ -z "${PASSWD}" ]]; then
echo "You left the password blank"
echo "If you don't want a password, please run:"
echo "pivpn add nopass"
exit 1
fi
fi
2016-10-04 17:46:14 +00:00
if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ]
then
echo "Password must be between from 4 to 1024 characters"
exit 1
fi
2016-11-11 22:45:48 +00:00
#Escape chars in PASSWD
PASSWD=$(echo -n ${PASSWD} | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/\$/\\\$/g' -e 's/!/\\!/g' -e 's/\./\\\./g' -e "s/'/\\\'/g" -e 's/"/\\"/g' -e 's/\*/\\\*/g' -e 's/\@/\\\@/g' -e 's/\#/\\\#/g' -e 's/£/\\£/g' -e 's/%/\\%/g' -e 's/\^/\\\^/g' -e 's/\&/\\\&/g' -e 's/(/\\(/g' -e 's/)/\\)/g' -e 's/-/\\-/g' -e 's/_/\\_/g' -e 's/\+/\\\+/g' -e 's/=/\\=/g' -e 's/\[/\\\[/g' -e 's/\]/\\\]/g' -e 's/;/\\;/g' -e 's/:/\\:/g' -e 's/|/\\|/g' -e 's/</\\</g' -e 's/>/\\>/g' -e 's/,/\\,/g' -e 's/?/\\?/g' -e 's/~/\\~/g' -e 's/{/\\{/g' -e 's/}/\\}/g')
2016-11-11 22:45:48 +00:00
#Build the client key and then encrypt the key
expect << EOF
2016-10-09 11:34:17 +00:00
set timeout -1
set env(EASYRSA_CERT_EXPIRE) "${DAYS}"
spawn ./easyrsa build-client-full "${NAME}"
expect "Enter PEM pass phrase" { send -- "${PASSWD}\r" }
expect "Verifying - Enter PEM pass phrase" { send -- "${PASSWD}\r" }
expect eof
EOF
cd pki || exit
}
# bitWarden first
if [[ "${BITWARDEN}" =~ "2" ]]; then
useBitwarden
fi
if [ -z "${NAME}" ]; then
printf "Enter a Name for the Client: "
read -r NAME
fi
2016-10-04 17:46:14 +00:00
if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then
echo "Names cannot start with a dot (.) or a dash (-)."
exit 1
fi
if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then
echo "Name can only contain alphanumeric characters and these characters (.-@_)."
2016-10-04 17:46:14 +00:00
exit 1
fi
if [[ -z "${NAME}" ]]; then
echo "You cannot leave the name blank."
exit 1
fi
2016-10-04 18:54:09 +00:00
# Check if name is already in use
2017-01-28 01:36:53 +00:00
while read -r line || [ -n "${line}" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
2017-02-05 19:30:31 +00:00
if [ "${STATUS}" == "V" ]; then
2017-01-28 01:36:53 +00:00
CERT=$(echo "$line" | sed -e 's:.*/CN=::')
if [ "${CERT}" == "${NAME}" ]; then
INUSE="1"
2017-02-05 19:30:31 +00:00
break
2017-01-28 01:36:53 +00:00
fi
2016-10-04 18:54:09 +00:00
fi
done <${INDEX}
2016-10-04 18:54:09 +00:00
2017-01-28 01:36:53 +00:00
if [ "${INUSE}" == "1" ]; then
printf "\n!! This name is already in use by a Valid Certificate."
printf "\nPlease choose another name or revoke this certificate first.\n"
exit 1
fi
2016-10-04 18:54:09 +00:00
# Check if name is reserved
if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then
echo "Sorry, this is in use by the server and cannot be used by clients."
2016-10-04 18:54:09 +00:00
exit 1
fi
#As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example
if [ -z "${DAYS}" ]; then
read -r -e -p "How many days should the certificate last? " -i 1080 DAYS
2019-05-10 10:53:52 +00:00
fi
if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then
#The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer
echo "Please input a valid number of days, between 1 and 3650 inclusive."
exit 1
2019-05-10 10:53:52 +00:00
fi
2016-10-04 17:46:14 +00:00
cd /etc/openvpn/easy-rsa || exit
if [[ "${NO_PASS}" =~ "1" ]]; then
if [[ -n "${PASSWD}" ]]; then
echo "Both nopass and password arguments passed to the script. Please use either one."
exit 1
else
keynoPASS
2017-03-16 09:28:50 +00:00
fi
else
keyPASS
fi
2016-10-04 17:46:14 +00:00
#1st Verify that clients Public Key Exists
if [ ! -f "issued/${NAME}${CRT}" ]; then
2016-10-04 17:46:14 +00:00
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit
fi
echo "Client's cert found: $NAME$CRT"
#Then, verify that there is a private key for that client
if [ ! -f "private/${NAME}${KEY}" ]; then
echo "[ERROR]: Client Private Key not found: $NAME$KEY"
2016-10-04 17:46:14 +00:00
exit
fi
2016-04-19 18:01:55 +00:00
echo "Client's Private Key found: $NAME$KEY"
2016-10-04 17:46:14 +00:00
#Confirm the CA public key exists
if [ ! -f "${CA}" ]; then
2016-10-04 17:46:14 +00:00
echo "[ERROR]: CA Public Key not found: $CA"
exit
fi
echo "CA public Key found: $CA"
2019-08-06 08:02:28 +00:00
#Confirm the tls key file exists
if [ ! -f "${TA}" ]; then
2019-08-06 08:02:28 +00:00
echo "[ERROR]: tls Private Key not found: $TA"
2016-10-04 17:46:14 +00:00
exit
fi
2019-08-06 08:02:28 +00:00
echo "tls Private Key found: $TA"
2016-10-04 17:46:14 +00:00
#Ready to make a new .ovpn file
{
# Start by populating with the default file
cat "${DEFAULT}"
2016-10-04 17:46:14 +00:00
#Now, append the CA Public Cert
echo "<ca>"
cat "${CA}"
2016-10-04 17:46:14 +00:00
echo "</ca>"
#Next append the client Public Cert
echo "<cert>"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
2016-10-04 17:46:14 +00:00
echo "</cert>"
#Then, append the client Private Key
echo "<key>"
cat "private/${NAME}${KEY}"
2016-10-04 17:46:14 +00:00
echo "</key>"
2019-08-06 08:02:28 +00:00
#Finally, append the tls Private Key
2018-04-02 10:07:58 +00:00
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
echo "<tls-crypt>"
cat "${TA}"
echo "</tls-crypt>"
else
echo "<tls-auth>"
cat "${TA}"
echo "</tls-auth>"
fi
2018-02-15 09:14:03 +00:00
} > "${NAME}${FILEEXT}"
2016-04-19 18:01:55 +00:00
2019-08-06 08:02:28 +00:00
if [ ! -d "/home/$INSTALL_USER/ovpns" ]; then
mkdir "/home/$INSTALL_USER/ovpns"
chmod 0777 -R "/home/$INSTALL_USER/ovpns"
fi
2016-04-19 18:01:55 +00:00
# Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
2016-10-04 17:46:14 +00:00
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
chmod o-r "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT"
chmod o-r "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
printf "\n\n"
printf "========================================================\n"
2016-10-04 17:46:14 +00:00
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
printf "%s was copied to:\n" "$NAME$FILEEXT"
printf " /home/%s/ovpns\n" "$INSTALL_USER"
printf "for easy transfer. Please use this profile only on one\n"
printf "device and create additional profiles for other devices.\n"
printf "========================================================\n\n"