pivpn/scripts/makeOVPN.sh

#!/bin/bash
# Create OVPN Client
# Default Variable Declarations
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
KEY=".key"
CA="ca.crt"
TA="ta.key"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)

# Functions def

function keynoPASS() {

    #Build the client key
    expect << EOF
    set timeout -1
    spawn ./easyrsa build-client-full "$NAME" nopass
    expect eof
EOF

    cd pki || exit

}

function keyPASS() {

    stty -echo
    while true
    do
        printf "Enter the password for the client:  "
        read -r PASSWD
        printf "\n"
        printf "Enter the password again to verify:  "
        read -r PASSWD2
        printf "\n"
        [ "${PASSWD}" = "${PASSWD2}" ] && break
        printf "Passwords do not match! Please try again.\n"
    done
    stty echo
    if [[ -z "${PASSWD}" ]]; then
        echo "You left the password blank"
        echo "If you don't want a password, please run:"
        echo "pivpn add nopass"
        exit 1
    fi
    if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ]
    then
        echo "Password must be between from 4 to 1024 characters"
        exit 1
    fi

    #Escape chars in PASSWD
    PASSWD=$(echo -n ${PASSWD} | sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/\$/\\\$/g' -e 's/!/\\!/g' -e 's/\./\\\./g' -e "s/'/\\\'/g" -e 's/"/\\"/g' -e 's/\*/\\\*/g' -e 's/\@/\\\@/g' -e 's/\#/\\\#/g' -e 's/£/\\£/g' -e 's/%/\\%/g' -e 's/\^/\\\^/g' -e 's/\&/\\\&/g' -e 's/(/\\(/g' -e 's/)/\\)/g' -e 's/-/\\-/g' -e 's/_/\\_/g' -e 's/\+/\\\+/g' -e 's/=/\\=/g' -e 's/\[/\\\[/g' -e 's/\]/\\\]/g' -e 's/;/\\;/g' -e 's/:/\\:/g' -e 's/|/\\|/g' -e 's/</\\</g' -e 's/>/\\>/g' -e 's/,/\\,/g' -e 's/?/\\?/g' -e 's/~/\\~/g' -e 's/{/\\{/g' -e 's/}/\\}/g')

    #Build the client key and then encrypt the key

    expect << EOF
    set timeout -1
    spawn ./easyrsa build-client-full "$NAME"
    expect "Enter PEM pass phrase" { send "${PASSWD}\r" }
    expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" }
    expect eof
EOF

    cd pki || exit

}

printf "Enter a Name for the Client:  "
read -r NAME

if [[ "${NAME}" =~ [^a-zA-Z0-9] ]]; then
    echo "Name can only contain alphanumeric characters."
    exit 1
fi

if [[ -z "${NAME}" ]]; then
    echo "You cannot leave the name blank."
    exit 1
fi

# Check if name is already in use
while read -r line || [ -n "$line" ]; do
    if [ "$(echo "$line" | sed -e 's:.*/CN=::')" == "${NAME}" ]; then
        echo "Name is already in use."
        exit 1
    fi
done <${INDEX}

# Check if name is reserved
if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then
    echo "Sorry, this is in use by the server and cannot be used by clients."
    exit 1
fi

cd /etc/openvpn/easy-rsa || exit

if [[ "$@" =~ "nopass" ]]; then
    keynoPASS
else
    keyPASS
fi

#1st Verify that clients Public Key Exists
if [ ! -f "issued/${NAME}${CRT}" ]; then
    echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
    exit
fi
echo "Client's cert found: $NAME$CRT"

#Then, verify that there is a private key for that client
if [ ! -f "private/${NAME}${KEY}" ]; then
    echo "[ERROR]: Client Private Key not found: $NAME$KEY"
    exit
fi
echo "Client's Private Key found: $NAME$KEY"

#Confirm the CA public key exists
if [ ! -f "${CA}" ]; then
    echo "[ERROR]: CA Public Key not found: $CA"
    exit
fi
echo "CA public Key found: $CA"

#Confirm the tls-auth ta key file exists
if [ ! -f "${TA}" ]; then
    echo "[ERROR]: tls-auth Key not found: $TA"
    exit
fi
echo "tls-auth Private Key found: $TA"

#Ready to make a new .ovpn file
{
    # Start by populating with the default file
    cat "${DEFAULT}"

    #Now, append the CA Public Cert
    echo "<ca>"
    cat "${CA}"
    echo "</ca>"

    #Next append the client Public Cert
    echo "<cert>"
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
    echo "</cert>"

    #Then, append the client Private Key
    echo "<key>"
    cat "private/${NAME}${KEY}"
    echo "</key>"

    #Finally, append the TA Private Key
    echo "<tls-auth>"
    cat "${TA}"
    echo "</tls-auth>"
} > "${NAME}${FILEEXT}"

# Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
printf "\n\n"
printf "========================================================\n"
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"
printf "%s was copied to:\n" "$NAME$FILEEXT"
printf "  /home/%s/ovpns\n" "$INSTALL_USER"
printf "for easy transfer.\n"
printf "========================================================\n\n"
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`#!/bin/bash`
			`# Create OVPN Client`
			`# Default Variable Declarations`
			`DEFAULT="Default.txt"`
			`FILEEXT=".ovpn"`
			`CRT=".crt"`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`KEY=".key"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`CA="ca.crt"`
			`TA="ta.key"`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`INDEX="/etc/openvpn/easy-rsa/pki/index.txt"`
First commit of reworked installer 2016-04-19 18:01:55 +00:00			`INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)`

Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`# Functions def`
'pivpn add' functionality greatly improved! Now with 2 scoops of raisins! 2016-04-30 17:28:01 +00:00
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`function keynoPASS() {`
'pivpn add' functionality greatly improved! Now with 2 scoops of raisins! 2016-04-30 17:28:01 +00:00
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`#Build the client key`
			`expect << EOF`
fixes expect timeout 2016-10-09 11:34:17 +00:00			`set timeout -1`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`spawn ./easyrsa build-client-full "$NAME" nopass`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`expect eof`
			`EOF`

pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`cd pki \|\| exit`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00
			`}`

			`function keyPASS() {`
'pivpn add' functionality greatly improved! Now with 2 scoops of raisins! 2016-04-30 17:28:01 +00:00
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`stty -echo`
			`while true`
			`do`
Prevent overwriting files 2016-10-04 18:54:09 +00:00			`printf "Enter the password for the client: "`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`read -r PASSWD`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`printf "\n"`
			`printf "Enter the password again to verify: "`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`read -r PASSWD2`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`printf "\n"`
Fix escaping stuff in for password of client key Was overzealously escaping... oops 2016-11-12 02:55:47 +00:00			`[ "${PASSWD}" = "${PASSWD2}" ] && break`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`printf "Passwords do not match! Please try again.\n"`
			`done`
			`stty echo`
Fix escaping stuff in for password of client key Was overzealously escaping... oops 2016-11-12 02:55:47 +00:00			`if [[ -z "${PASSWD}" ]]; then`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "You left the password blank"`
			`echo "If you don't want a password, please run:"`
			`echo "pivpn add nopass"`
			`exit 1`
			`fi`
			`if [ ${#PASSWD} -lt 4 ] \|\| [ ${#PASSWD} -gt 1024 ]`
			`then`
			`echo "Password must be between from 4 to 1024 characters"`
			`exit 1`
			`fi`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00
Fixes Issue #148 2016-11-11 22:45:48 +00:00			`#Escape chars in PASSWD`
Fix escaping stuff in for password of client key Was overzealously escaping... oops 2016-11-12 02:55:47 +00:00			PASSWD=$(echo -n ${PASSWD} \| sed -e 's/\\/\\\\/g' -e 's/\//\\\//g' -e 's/\$/\\\$/g' -e 's/!/\\!/g' -e 's/\./\\\./g' -e "s/'/\\\'/g" -e 's/"/\\"/g' -e 's/\/\\\/g' -e 's/\@/\\\@/g' -e 's/\#/\\\#/g' -e 's/£/\\£/g' -e 's/%/\\%/g' -e 's/\^/\\\^/g' -e 's/\&/\\\&/g' -e 's/(/\\(/g' -e 's/)/\\)/g' -e 's/-/\\-/g' -e 's/_/\\_/g' -e 's/\+/\\\+/g' -e 's/=/\\=/g' -e 's/\[/\\\[/g' -e 's/\]/\\\]/g' -e 's/;/\\;/g' -e 's/:/\\:/g' -e 's/\|/\\\|/g' -e 's/</\\</g' -e 's/>/\\>/g' -e 's/,/\\,/g' -e 's/?/\\?/g' -e 's/~/\\~/g' -e 's/{/\\{/g' -e 's/}/\\}/g')
Fixes Issue #148 2016-11-11 22:45:48 +00:00
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`#Build the client key and then encrypt the key`

			`expect << EOF`
fixes expect timeout 2016-10-09 11:34:17 +00:00			`set timeout -1`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`spawn ./easyrsa build-client-full "$NAME"`
Fix escaping stuff in for password of client key Was overzealously escaping... oops 2016-11-12 02:55:47 +00:00			`expect "Enter PEM pass phrase" { send "${PASSWD}\r" }`
			`expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" }`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`expect eof`
'pivpn add' functionality greatly improved! Now with 2 scoops of raisins! 2016-04-30 17:28:01 +00:00			`EOF`

pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`cd pki \|\| exit`
'pivpn add' functionality greatly improved! Now with 2 scoops of raisins! 2016-04-30 17:28:01 +00:00
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00			`}`

			`printf "Enter a Name for the Client: "`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`read -r NAME`

pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [[ "${NAME}" =~ [^a-zA-Z0-9] ]]; then`
			`echo "Name can only contain alphanumeric characters."`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`exit 1`
			`fi`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [[ -z "${NAME}" ]]; then`
			`echo "You cannot leave the name blank."`
Fixes #23, enhance 'pivpn add', minor bug fixes & other enhancements 2016-05-06 01:04:57 +00:00			`exit 1`
			`fi`

Prevent overwriting files 2016-10-04 18:54:09 +00:00			`# Check if name is already in use`
			`while read -r line \|\| [ -n "$line" ]; do`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [ "$(echo "$line" \| sed -e 's:.*/CN=::')" == "${NAME}" ]; then`
			`echo "Name is already in use."`
Prevent overwriting files 2016-10-04 18:54:09 +00:00			`exit 1`
			`fi`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`done <${INDEX}`
Prevent overwriting files 2016-10-04 18:54:09 +00:00
			`# Check if name is reserved`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [ "${NAME}" == "ta" ] \|\| [ "${NAME}" == "server" ] \|\| [ "${NAME}" == "ca" ]; then`
			`echo "Sorry, this is in use by the server and cannot be used by clients."`
Prevent overwriting files 2016-10-04 18:54:09 +00:00			`exit 1`
			`fi`

Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`cd /etc/openvpn/easy-rsa \|\| exit`
Implement the "planetahuevo enhancement", IE the ability to generate a client cert with no password. Run 'pivpn add nopass' 2016-05-01 03:37:27 +00:00
			`if [[ "$@" =~ "nopass" ]]; then`
			`keynoPASS`
			`else`
			`keyPASS`
			`fi`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00
			`#1st Verify that clients Public Key Exists`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [ ! -f "issued/${NAME}${CRT}" ]; then`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"`
			`exit`
			`fi`
			`echo "Client's cert found: $NAME$CRT"`

			`#Then, verify that there is a private key for that client`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [ ! -f "private/${NAME}${KEY}" ]; then`
			`echo "[ERROR]: Client Private Key not found: $NAME$KEY"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`exit`
			`fi`
First commit of reworked installer 2016-04-19 18:01:55 +00:00			`echo "Client's Private Key found: $NAME$KEY"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00
			`#Confirm the CA public key exists`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [ ! -f "${CA}" ]; then`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "[ERROR]: CA Public Key not found: $CA"`
			`exit`
			`fi`
			`echo "CA public Key found: $CA"`

			`#Confirm the tls-auth ta key file exists`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`if [ ! -f "${TA}" ]; then`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "[ERROR]: tls-auth Key not found: $TA"`
			`exit`
			`fi`
			`echo "tls-auth Private Key found: $TA"`

			`#Ready to make a new .ovpn file`
			`{`
			`# Start by populating with the default file`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`cat "${DEFAULT}"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00
			`#Now, append the CA Public Cert`
			`echo "<ca>"`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`cat "${CA}"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "</ca>"`

			`#Next append the client Public Cert`
			`echo "<cert>"`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "</cert>"`

			`#Then, append the client Private Key`
			`echo "<key>"`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`cat "private/${NAME}${KEY}"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "</key>"`

			`#Finally, append the TA Private Key`
			`echo "<tls-auth>"`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`cat "${TA}"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`echo "</tls-auth>"`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`} > "${NAME}${FILEEXT}"`
First commit of reworked installer 2016-04-19 18:01:55 +00:00
			`# Copy the .ovpn profile to the home directory for convenient remote access`
pivpn add for easyrsa3, updates to pivpn list for easyrsa3 2016-12-06 15:56:51 +00:00			`cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"`
'pivpn add' functionality greatly improved! Now with 2 scoops of raisins! 2016-04-30 17:28:01 +00:00			`printf "\n\n"`
			`printf "========================================================\n"`
Sanitization 'n input validation 2016-10-04 17:46:14 +00:00			`printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME$FILEEXT"`
			`printf "%s was copied to:\n" "$NAME$FILEEXT"`
			`printf " /home/%s/ovpns\n" "$INSTALL_USER"`
'pivpn add' functionality greatly improved! Now with 2 scoops of raisins! 2016-04-30 17:28:01 +00:00			`printf "for easy transfer.\n"`
			`printf "========================================================\n\n"`