added command line option to (batch) remove certs

::: Revoke a client ovpn profile
:::
::: Usage: pivpn <-r|revoke> [-h|--help] [<client-1>] ... [<client-n>]
...
:::
::: Commands:
:::  [none]               Interactive mode
:::  <client>             Client(s) to revoke
:::  -h,--help            Show this help dialog
This commit is contained in:
EWouters 2017-03-15 02:36:12 +13:00
parent 7a65f083c4
commit 56f24aa372
3 changed files with 159 additions and 99 deletions

pivpn

@ -55,7 +55,8 @@ function debugFunc {
} }
function removeOVPNFunc { function removeOVPNFunc {
$SUDO /opt/pivpn/removeOVPN.sh shift
$SUDO /opt/pivpn/removeOVPN.sh "$@"
exit 1 exit 1
} }
@ -94,7 +95,7 @@ case "$1" in
"-c" | "clients" ) listClientsFunc;; "-c" | "clients" ) listClientsFunc;;
"-d" | "debug" ) debugFunc;; "-d" | "debug" ) debugFunc;;
"-l" | "list" ) listOVPNFunc;; "-l" | "list" ) listOVPNFunc;;
"-r" | "revoke" ) removeOVPNFunc;; "-r" | "revoke" ) removeOVPNFunc "$@";;
"-h" | "help" ) helpFunc;; "-h" | "help" ) helpFunc;;
"-u" | "uninstall" ) uninstallFunc;; "-u" | "uninstall" ) uninstallFunc;;
"-v" ) versionFunc;; "-v" ) versionFunc;;
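Review bot: removeOVPNFunc still ends with an unconditional `exit 1`, so the wrapper reports failure to its caller even when `/opt/pivpn/removeOVPN.sh "$@"` succeeded, and success when the child failed is indistinguishable from it. Now that revocation can be driven non-interactively with client names on the command line, automation will want a truthful status; replacing the last two lines of the function with `exec $SUDO /opt/pivpn/removeOVPN.sh "$@"` (or `$SUDO /opt/pivpn/removeOVPN.sh "$@"; exit $?`) propagates the child's exit code. The `shift` before the call drops the `-r`/`revoke` selector, which is correct since the case arm now forwards the full `"$@"`; the surrounding case statement starts outside the hunk.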


@ -11,56 +11,57 @@ INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER) INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
helpFunc() { helpFunc() {
echo "::: Create a client ovpn profile, optional nopass" echo "::: Create a client ovpn profile, optional nopass"
echo ":::" echo ":::"
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-h|--help]" echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-h|--help]"
echo ":::" echo ":::"
echo "::: Commands:" echo "::: Commands:"
echo "::: nopass Create a client without a password" echo "::: [none] Interactive mode"
echo "::: -n,--name Name for the Client (default: '"$(hostname)"')" echo "::: nopass Create a client without a password"
echo "::: -p,--password Password for the Client (no default)" echo "::: -n,--name Name for the Client (default: '"$(hostname)"')"
echo "::: -h,--help Show this help dialog" echo "::: -p,--password Password for the Client (no default)"
echo "::: -h,--help Show this help dialog"
} }
# Parse input arguments # Parse input arguments
while test $# -gt 0 while test $# -gt 0
do do
_key="$1" _key="$1"
case "$_key" in case "$_key" in
-n|--name|--name=*) -n|--name|--name=*)
_val="${_key##--name=}" _val="${_key##--name=}"
if test "$_val" = "$_key" if test "$_val" = "$_key"
then then
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1 test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
_val="$2" _val="$2"
shift shift
fi fi
NAME="$_val" NAME="$_val"
;; ;;
-p|--password|--password=*) -p|--password|--password=*)
_val="${_key##--password=}" _val="${_key##--password=}"
if test "$_val" = "$_key" if test "$_val" = "$_key"
then then
test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1 test $# -lt 2 && echo "Missing value for the optional argument '$_key'." && exit 1
_val="$2" _val="$2"
shift shift
fi fi
PASSWD="$_val" PASSWD="$_val"
;; ;;
-h|--help) -h|--help)
helpFunc helpFunc
exit 0 exit 0
;; ;;
nopass) nopass)
NO_PASS="1" NO_PASS="1"
;; ;;
*) *)
echo "Error: Got an unexpected argument '$1'" echo "Error: Got an unexpected argument '$1'"
helpFunc helpFunc
exit 1 exit 1
;; ;;
esac esac
shift shift
done done
# Functions def # Functions def
@ -100,7 +101,7 @@ function keyPASS() {
echo "pivpn add nopass" echo "pivpn add nopass"
exit 1 exit 1
fi fi
fi fi
if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ] if [ ${#PASSWD} -lt 4 ] || [ ${#PASSWD} -gt 1024 ]
then then
echo "Password must be between from 4 to 1024 characters" echo "Password must be between from 4 to 1024 characters"
@ -170,7 +171,7 @@ if [[ "${NO_PASS}" =~ "1" ]]; then
keynoPASS keynoPASS
elif [[ -n "${PASSWD}" ]]; then elif [[ -n "${PASSWD}" ]]; then
echo "Both nopass and password arguments passed to the script. Please use either one." echo "Both nopass and password arguments passed to the script. Please use either one."
exit 1 exit 1
else else
keyPASS keyPASS
fi fi
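Review bot: The usage text edited in helpFunc advertises `-p|--password <arg>` without warning that a password supplied on the command line is visible to every local user through `ps`/`/proc` and is kept in the invoking shell's history, whereas the interactive mode (now documented as `[none]`) would read it without exposing it. Since this help block is being touched anyway, a caveat would cost one line, e.g. `echo "::: -p,--password Password for the Client (no default; exposed in ps/shell history, prefer interactive mode)"`. The remaining hunks of this file appear to be whitespace-only and raise nothing.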


@ -6,73 +6,131 @@ REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM) PLAT=$(cat /etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/pki/index.txt" INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
helpFunc() {
echo "::: Revoke a client ovpn profile"
echo ":::"
echo "::: Usage: pivpn <-r|revoke> [-h|--help] [<client-1>] ... [<client-n>] ..."
echo ":::"
echo "::: Commands:"
echo "::: [none] Interactive mode"
echo "::: <client> Client(s) to to revoke"
echo "::: -h,--help Show this help dialog"
}
# Parse input arguments
while test $# -gt 0
do
_key="$1"
case "$_key" in
-h|--help)
helpFunc
exit 0
;;
*)
CERTS_TO_REVOKE+=("$1")
;;
esac
shift
done
if [ ! -f "${INDEX}" ]; then if [ ! -f "${INDEX}" ]; then
printf "The file: %s was not found\n" "$INDEX" printf "The file: %s was not found\n" "$INDEX"
exit 1 exit 1
fi fi
printf "\n" if [[ -z "${CERTS_TO_REVOKE}" ]]; then
printf " ::\e[4m Certificate List \e[0m:: \n" printf "\n"
printf " ::\e[4m Certificate List \e[0m:: \n"
i=0
while read -r line || [ -n "$line" ]; do i=0
STATUS=$(echo "$line" | awk '{print $1}') while read -r line || [ -n "$line" ]; do
if [[ "${STATUS}" = "V" ]]; then STATUS=$(echo "$line" | awk '{print $1}')
NAME=$(echo "$line" | sed -e 's:.*/CN=::') if [[ "${STATUS}" = "V" ]]; then
CERTS[$i]=${NAME} NAME=$(echo "$line" | sed -e 's:.*/CN=::')
if [ "$i" != 0 ]; then CERTS[$i]=${NAME}
# Prevent printing "server" certificate if [ "$i" != 0 ]; then
printf " %s\n" "$NAME" # Prevent printing "server" certificate
printf " %s\n" "$NAME"
fi
let i=i+1
fi fi
let i=i+1 done <${INDEX}
printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:"
read -r NAME
if [[ -z "${NAME}" ]]; then
echo "You can not leave this blank!"
exit 1
fi fi
done <${INDEX}
printf "\n" for((x=1;x<=i;++x)); do
if [ "${CERTS[$x]}" = "${NAME}" ]; then
echo "::: Please enter the Name of the client to be revoked from the list above:" VALID=1
read -r NAME fi
done
if [[ -z "${NAME}" ]]; then
echo "::: You can not leave this blank!" if [ -z "${VALID}" ]; then
exit 1 printf "You didn't enter a valid cert name!\n"
fi exit 1
for((x=1;x<=i;++x)); do
if [ "${CERTS[$x]}" = "${NAME}" ]; then
VALID=1
fi fi
done
CERTS_TO_REVOKE=( "${NAME}" )
if [ -z "${VALID}" ]; then else
printf "::: You didn't enter a valid cert name!\n" i=0
exit 1 while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "${STATUS}" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=${NAME}
let i=i+1
fi
done <${INDEX}
for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
VALID=0
for((x=1;x<=i;++x)); do
if [ "${CERTS[$x]}" = "${CERTS_TO_REVOKE[ii]}" ]; then
VALID=1
fi
done
if [ "${VALID}" != 1 ]; then
printf "You passed an invalid cert name: '"%s"'!\n" "${CERTS_TO_REVOKE[ii]}"
exit 1
fi
done
fi fi
cd /etc/openvpn/easy-rsa || exit cd /etc/openvpn/easy-rsa || exit
if [ "${REVOKE_STATUS}" == 0 ]; then if [ "${REVOKE_STATUS}" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n" printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "First we need to initialize the Certificate Revocation List.\n" printf "First we need to initialize the Certificate Revocation List.\n"
printf "Then add the CRL to your server config and restart openvpn.\n" printf "Then add the CRL to your server config and restart openvpn.\n"
./easyrsa gen-crl ./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart service openvpn restart
else else
systemctl restart openvpn.service systemctl restart openvpn.service
fi fi
fi fi
./easyrsa --batch revoke "${NAME}" for (( ii = 0; ii < ${#CERTS_TO_REVOKE[@]}; ii++)); do
./easyrsa gen-crl printf "\n::: Revoking certificate '"%s"'.\n" "${CERTS_TO_REVOKE[ii]}"
printf "\n::: Certificate revoked, and CRL file updated.\n" ./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"
printf "::: Removing certs and client configuration for this profile.\n" ./easyrsa gen-crl
rm -rf "pki/reqs/${NAME}.req" printf "\n::: Certificate revoked, and CRL file updated.\n"
rm -rf "pki/private/${NAME}.key" printf "::: Removing certs and client configuration for this profile.\n"
rm -rf "pki/issued/${NAME}.crt" rm -rf "pki/reqs/${CERTS_TO_REVOKE[ii]}.req"
rm -rf "/home/${INSTALL_USER}/ovpns/${NAME}.ovpn" rm -rf "pki/private/${CERTS_TO_REVOKE[ii]}.key"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem rm -rf "pki/issued/${CERTS_TO_REVOKE[ii]}.crt"
rm -rf "/home/${INSTALL_USER}/ovpns/${CERTS_TO_REVOKE[ii]}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
done
printf "::: Completed!\n" printf "::: Completed!\n"
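Review bot: In the new revocation loop the exit status of `./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}"` is never checked, yet the script goes on to print "Certificate revoked, and CRL file updated." and to `rm -rf` the .req/.key/.crt and the client's .ovpn; if the revoke fails (wrong CA passphrase, a name that was already revoked, or the same client listed twice on the command line, which the validation loop does not reject), the certificate stays valid on the server while the operator is told it is revoked and the local evidence is gone. Guard the call before touching any files, e.g. `./easyrsa --batch revoke "${CERTS_TO_REVOKE[ii]}" || { printf '::: Revocation of %s failed, aborting.\n' "${CERTS_TO_REVOKE[ii]}" >&2; exit 1; }`, and consider de-duplicating CERTS_TO_REVOKE during validation. The validation itself is sound for its purpose: names are matched exactly against the `V` entries of index.txt starting at index 1, so the server certificate at index 0 cannot be revoked from the command line; whether the top of the script enables `set -e` is not visible in this hunk, so the failure path above should not be assumed to abort on its own. The `<client>` help line also repeats "to to".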