From e26cef18630515823825019be1dbda586a4b8f30 Mon Sep 17 00:00:00 2001
From: Orazio
Date: Wed, 8 May 2019 13:01:56 +0200
Subject: [PATCH 1/3] Custom certificate duration and more flexible names
---
 auto_install/install.sh | 1 -
 scripts/makeOVPN.sh | 33 ++++++++++++++++++++++++++++++---
 2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index ea915f3..b0c382e 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -405,7 +405,6 @@ installScripts() {
 $SUDO cp /etc/.pivpn/scripts/removeOVPN.sh /opt/pivpn/removeOVPN.sh
 $SUDO cp /etc/.pivpn/scripts/uninstall.sh /opt/pivpn/uninstall.sh
 $SUDO cp /etc/.pivpn/scripts/pivpnDebug.sh /opt/pivpn/pivpnDebug.sh
- $SUDO cp /etc/.pivpn/scripts/fix_iptables.sh /opt/pivpn/fix_iptables.sh
 $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug,fix_iptables}.sh
 $SUDO cp /etc/.pivpn/pivpn /usr/local/bin/pivpn
 $SUDO chmod 0755 /usr/local/bin/pivpn
diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh
index 48a25ee..4f0f67c 100755
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@@ -13,11 +13,12 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
 helpFunc() {
 echo "::: Create a client ovpn profile, optional nopass"
 echo ":::"
- echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-h|--help]"
+ echo "::: Usage: pivpn <-a|add> [-n|--name ] [-p|--password ]|[nopass] [-d|--days ] [-h|--help]"
 echo ":::"
 echo "::: Commands:"
 echo "::: [none] Interactive mode"
 echo "::: nopass Create a client without a password"
+ echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)"
 echo "::: -n,--name Name for the Client (default: '"$(hostname)"')"
 echo "::: -p,--password Password for the Client (no default)"
 echo "::: -h,--help Show this help dialog"
@@ -48,6 +49,16 @@ do
 fi
 PASSWD="$_val"
 ;;
+ -d|--days|--days=*)
+ _val="${_key##--days=}"
+ if test "$_val" = "$_key"
+ then
+ test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
+ _val="$2"
+ shift
+ fi
+ DAYS="$_val"
+ ;;
 -h|--help)
 helpFunc
 exit 0
@@ -71,6 +82,7 @@ function keynoPASS() {
 #Build the client key
 expect << EOF
 set timeout -1
+ set env(EASYRSA_CERT_EXPIRE) "${DAYS}"
 spawn ./easyrsa build-client-full "${NAME}" nopass
 expect eof
 EOF
@@ -115,6 +127,7 @@ function keyPASS() {
 expect << EOF
 set timeout -1
+ set env(EASYRSA_CERT_EXPIRE) "${DAYS}"
 spawn ./easyrsa build-client-full "${NAME}"
 expect "Enter PEM pass phrase" { send -- "${PASSWD}\r" }
 expect "Verifying - Enter PEM pass phrase" { send -- "${PASSWD}\r" }
@@ -129,8 +142,13 @@ if [ -z "${NAME}" ]; then
 read -r NAME
 fi
-if [[ "${NAME}" =~ [^a-zA-Z0-9\-] ]]; then
- echo "Name can only contain alphanumeric characters and dashes (-)."
+if [[ ${NAME::1} == "." ]] || [[ ${NAME::1} == "-" ]]; then
+ echo "Names cannot start with a dot (.) or a dash (-)."
+ exit 1
+fi
+
+if [[ "${NAME}" =~ [^a-zA-Z0-9\.\-\@\_] ]]; then
+ echo "Name can only contain alphanumeric characters and these characters (.-@_)."
 exit 1
 fi
@@ -164,6 +182,15 @@ if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ];
 exit 1
 fi
+#As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example
+if [ -z "${DAYS}" ]; then
+ read -r -e -p "How many days should the certificate last? " -i 1080 DAYS
+elif [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then
+ #The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer
+ echo "Please input a valid number of days, between 1 and 3650 inclusive."
+ exit 1
+fi
+
 cd /etc/openvpn/easy-rsa || exit
 if [[ "${NO_PASS}" =~ "1" ]]; then
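Review bot: The `--days=*` arm accepts an empty value: for a bare `--days=` the line `_val="${_key##--days=}"` yields an empty string, which is not equal to `$_key`, so `DAYS=""` is stored and the script later falls through to the interactive prompt instead of reporting the missing value. Rejecting it inside the arm keeps the CLI and interactive paths distinct, e.g. after the inner `fi`: `[[ -n "$_val" ]] || { echo "Missing value for the optional argument '$_key'."; exit 1; }`. The `case` over the positional arguments starts and ends outside the hunk, and the `-p` arm visible as context appears to have the same shape.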
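Review bot: `set env(EASYRSA_CERT_EXPIRE) "${DAYS}"` sits inside an unquoted `expect << EOF` heredoc, so the shell substitutes the value straight into the Tcl source that expect executes; the line is only safe because `DAYS` is restricted to digits in the 1–3650 range further down this patch, and nothing at this point shows that dependency. The identical line is added to `keyPASS()` in the `@@ -115` hunk. A comment on the line would make the contract explicit, e.g. `# unquoted heredoc: DAYS is spliced into the Tcl script and must already be validated as digits only`. Note that in this patch the digits check is skipped for a value typed at the prompt (see the `elif` in the `@@ -164` hunk); the third patch in the series corrects that. Both functions start outside their hunks.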
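Review bot: The bracket expression `[^a-zA-Z0-9\.\-\@\_]` escapes characters that are not special inside brackets, and in a POSIX bracket expression a backslash is itself a literal member, so depending on how bash hands the quoted characters to regcomp the class may also admit a literal backslash in `NAME` — a value that is later substituted into the unquoted expect heredocs in `keynoPASS()`/`keyPASS()`. Writing the class without escapes and with the dash last is unambiguous: `if [[ "${NAME}" =~ [^a-zA-Z0-9.@_-] ]]; then`. The removed line had the same shape, so this is a pre-existing quirk carried into the rewritten check rather than a regression.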
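Review bot: The range check hangs off an `elif`, so it runs only when `DAYS` was supplied with `-d`; a value typed at the `read -r -e -p` prompt, including an empty answer when stdin is not a terminal, goes into `EASYRSA_CERT_EXPIRE` without ever meeting the `^[0-9]+$` test. The third patch in this series (`Fixed logic`) closes the `if` after the `read` and makes the check unconditional, which is the right fix. Until that is applied, the unquoted heredocs in `keynoPASS()`/`keyPASS()` receive whatever was typed.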
From 05d7d8480922cab1c964487c3d636821f16f160d Mon Sep 17 00:00:00 2001
From: Orazio
Date: Wed, 8 May 2019 15:29:43 +0200
Subject: [PATCH 2/3] Remove reference to a deleted file
---
 auto_install/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auto_install/install.sh b/auto_install/install.sh
index b0c382e..f817e45 100755
--- a/auto_install/install.sh
+++ b/auto_install/install.sh
@@ -405,7 +405,7 @@ installScripts() {
 $SUDO cp /etc/.pivpn/scripts/removeOVPN.sh /opt/pivpn/removeOVPN.sh
 $SUDO cp /etc/.pivpn/scripts/uninstall.sh /opt/pivpn/uninstall.sh
 $SUDO cp /etc/.pivpn/scripts/pivpnDebug.sh /opt/pivpn/pivpnDebug.sh
- $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug,fix_iptables}.sh
+ $SUDO chmod 0755 /opt/pivpn/{makeOVPN,clientStat,listOVPN,removeOVPN,uninstall,pivpnDebug}.sh
 $SUDO cp /etc/.pivpn/pivpn /usr/local/bin/pivpn
 $SUDO chmod 0755 /usr/local/bin/pivpn
 $SUDO cp /etc/.pivpn/scripts/bash-completion /etc/bash_completion.d/pivpn
From e70cb32caa79adea9a7299fbbca86a0c65b82847 Mon Sep 17 00:00:00 2001
From: Orazio
Date: Fri, 10 May 2019 12:53:52 +0200
Subject: [PATCH 3/3] Fixed logic
---
 scripts/makeOVPN.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/scripts/makeOVPN.sh b/scripts/makeOVPN.sh
index 4f0f67c..0a571b4 100755
--- a/scripts/makeOVPN.sh
+++ b/scripts/makeOVPN.sh
@@ -185,10 +185,13 @@ fi
 #As of EasyRSA 3.0.6, by default certificates last 1080 days, see https://github.com/OpenVPN/easy-rsa/blob/6b7b6bf1f0d3c9362b5618ad18c66677351cacd1/easyrsa3/vars.example
 if [ -z "${DAYS}" ]; then
 read -r -e -p "How many days should the certificate last? " -i 1080 DAYS
-elif [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then
+fi
+
+if [[ ! "$DAYS" =~ ^[0-9]+$ ]] || [ "$DAYS" -lt 1 ] || [ "$DAYS" -gt 3650 ]; then
 #The CRL lasts 3650 days so it doesn't make much sense that certificates would last longer
 echo "Please input a valid number of days, between 1 and 3650 inclusive."
 exit 1
+
 fi
 cd /etc/openvpn/easy-rsa || exit
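Review bot: The added blank line between `exit 1` and `fi` (the lone `+` before ` fi`) is stray whitespace inside the error branch and should be dropped. The restructure itself is correct: with the check moved out of the `if`/`elif`, an empty or non-numeric answer at the prompt now fails `^[0-9]+$` and exits before the value reaches the unquoted expect heredocs, which the previous `elif` form did not guarantee. A one-line comment above the new `if` would record that intent, e.g. `#Validate DAYS whether it came from -d or from the prompt`.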