Merge branch 'test'

This commit is contained in:
Kaladin Light 2016-12-07 13:07:08 -05:00
commit 794897eb28
6 changed files with 134 additions and 218 deletions


@ -15,7 +15,8 @@
pivpnGitUrl="https://github.com/pivpn/pivpn.git"
pivpnFilesDir="/etc/.pivpn"
easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/3.0.1-pivpn/EasyRSA-3.0.1-pivpn.tgz"
easyrsaVer="3.0.1-pivpn1"
easyrsaRel="https://github.com/pivpn/easy-rsa/releases/download/${easyrsaVer}/EasyRSA-${easyrsaVer}.tgz"
# Find the rows and columns. Will default to 80x24 if it can not be detected.
screen_size=$(stty size 2>/dev/null || echo 24 80)
@ -143,10 +144,9 @@ chooseUser() {
then
# See http://askubuntu.com/a/667842/459815
PASSWORD=$(whiptail --title "password dialog" --passwordbox "Please enter the new user password" ${r} ${c} 3>&1 1>&2 2>&3)
CRYPT=$(perl -e 'printf("%s\n", crypt($ARGV[0], "password"))' "$password")
$SUDO useradd -m -p "$CRYPT" -s /bin/bash "$userToAdd"
if [ $? -eq 0 ]
then
CRYPT=$(perl -e 'printf("%s\n", crypt($ARGV[0], "password"))' "${PASSWORD}")
$SUDO useradd -m -p "${CRYPT}" -s /bin/bash "${userToAdd}"
if [[ $? = 0 ]]; then
echo "Succeeded"
((numUsers+=1))
else
@ -157,8 +157,8 @@ chooseUser() {
fi
fi
availableUsers=$(awk -F':' '$3>=500 && $3<=60000 {print $1}' /etc/passwd)
userArray=()
firstloop=1
local userArray=()
local firstloop=1
while read -r line
do
@ -167,13 +167,12 @@ chooseUser() {
firstloop=0
mode="ON"
fi
userArray+=("$line" "" "$mode")
userArray+=("${line}" "" "${mode}")
done <<< "${availableUsers}"
chooseUserCmd=(whiptail --title "Choose A User" --separate-output --radiolist "Choose:" ${r} ${c} ${numUsers})
if chooseUserOptions=$("${chooseUserCmd[@]}" "${userArray[@]}" 2>&1 >/dev/tty)
then
for desiredUser in ${chooseUserOptions}
do
chooseUserOptions=$("${chooseUserCmd[@]}" "${userArray[@]}" 2>&1 >/dev/tty)
if [[ $? = 0 ]]; then
for desiredUser in ${chooseUserOptions}; do
pivpnUser=${desiredUser}
echo "::: Using User: $pivpnUser"
echo "${pivpnUser}" > /tmp/pivpnUSR
@ -184,7 +183,6 @@ chooseUser() {
fi
}
verifyFreeDiskSpace() {
# If user installs unattended-upgrades we'd need about 60MB so will check for 75MB free
echo "::: Verifying free disk space..."
@ -239,7 +237,7 @@ chooseInterface() {
mode="ON"
fi
interfacesArray+=("${line}" "available" "${mode}")
done <<< "$availableInterfaces"
done <<< "${availableInterfaces}"
# Find out how many interfaces are available to choose from
interfaceCount=$(echo "${availableInterfaces}" | wc -l)
@ -320,7 +318,7 @@ It is also possible to use a DHCP reservation, but if you are going to do that,
setDHCPCD() {
# Append these lines to dhcpcd.conf to enable a static IP
echo "## interface ${pivpnInterface}
echo "interface ${pivpnInterface}
static ip_address=${IPv4addr}
static routers=${IPv4gw}
static domain_name_servers=${IPv4dns}" | $SUDO tee -a ${dhcpcdFile} >/dev/null
@ -461,7 +459,7 @@ checkForDependencies() {
echo ":::"
echo "::: Checking dependencies:"
dependencies=( openvpn easy-rsa git iptables-persistent dnsutils expect whiptail )
dependencies=( openvpn git dhcpcd5 tar wget iptables-persistent dnsutils expect whiptail )
for i in "${dependencies[@]}"; do
echo -n "::: Checking for $i..."
if [ "$(dpkg-query -W -f='${Status}' "$i" 2>/dev/null | grep -c "ok installed")" -eq 0 ]; then
@ -471,7 +469,7 @@ checkForDependencies() {
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | $SUDO debconf-set-selections
echo iptables-persistent iptables-persistent/autosave_v6 boolean false | $SUDO debconf-set-selections
fi
if [[ $i = "expect" ]]; then
if [[ $i == "expect" ]] || [[ $i == "openvpn" ]]; then
$SUDO apt-get --yes --quiet --no-install-recommends install "$i" > /dev/null & spinner $!
else
$SUDO apt-get --yes --quiet install "$i" > /dev/null & spinner $!
@ -590,16 +588,17 @@ setCustomPort() {
}
setClientDNS() {
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients. To use your own, select Custom." ${r} ${c} 5)
DNSChoseCmd=(whiptail --separate-output --radiolist "Select the DNS Provider for your VPN Clients. To use your own, select Custom." ${r} ${c} 6)
DNSChooseOptions=(Google "" on
OpenDNS "" off
Level3 "" off
DNS.WATCH "" off
Norton "" off
Custom "" off)
if DNSchoices=$("${DNSChoseCmd[@]}" "${DNSChooseOptions[@]}" 2>&1 >/dev/tty)
then
case $DNSchoices in
case ${DNSchoices} in
Google)
echo "::: Using Google DNS servers."
OVPNDNS1="8.8.8.8"
@ -620,6 +619,13 @@ setClientDNS() {
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
;;
DNS.WATCH)
echo "::: Using DNS.WATCH servers."
OVPNDNS1="82.200.69.80"
OVPNDNS2="84.200.70.40"
$SUDO sed -i '0,/\(dhcp-option DNS \)/ s/\(dhcp-option DNS \).*/\1'${OVPNDNS1}'\"/' /etc/openvpn/server.conf
$SUDO sed -i '0,/\(dhcp-option DNS \)/! s/\(dhcp-option DNS \).*/\1'${OVPNDNS2}'\"/' /etc/openvpn/server.conf
;;
Norton)
echo "::: Using Norton ConnectSafe servers."
OVPNDNS1="199.85.126.10"
@ -695,124 +701,63 @@ confOpenVPN() {
exit 1
fi
# Copy the easy-rsa files to a directory inside the new openvpn directory
$SUDO cp -r /usr/share/easy-rsa /etc/openvpn
# If easy-rsa exists, remove it
if [[ -d /etc/openvpn/easy-rsa/ ]]; then
$SUDO rm -rf /etc/openvpn/easy-rsa/
fi
# Edit the EASY_RSA variable in the vars file to point to the new easy-rsa directory,
# And set the chosen key size
# Get the PiVPN easy-rsa
wget -q -O "/tmp/EasyRSA-${easyrsaVer}" "${easyrsaRel}"
tar xzf /tmp/EasyRSA-${easyrsaVer} -C /tmp
$SUDO mv /tmp/EasyRSA-${easyrsaVer}/ /etc/openvpn/easy-rsa/
$SUDO chown -R root:root /etc/openvpn/easy-rsa
$SUDO mkdir /etc/openvpn/easy-rsa/pki
# Write out new vars file
IFS= read -d '' String <<"EOF"
if [ -z "$EASYRSA_CALLER" ]; then
echo "Nope." >&2
return 1
fi
set_var EASYRSA "/etc/openvpn/easy-rsa"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CURVE secp384r1
EOF
echo "${String}" | $SUDO tee /etc/openvpn/easy-rsa/vars >/dev/null
# Edit the KEY_SIZE variable in the vars file to set user chosen key size
cd /etc/openvpn/easy-rsa || exit
$SUDO sed -i 's:"`pwd`":"/etc/openvpn/easy-rsa":' vars
$SUDO sed -i "s/\(KEY_SIZE=\).*/\1${ENCRYPT}/" vars
# Init Cert Values
COUNTRY="US"
STATE="CA"
CITY="SanFrancisco"
ORG="Fort-Funston"
SERVER_NAME="server"
KEY_NAME="EasyRSA"
EMAIL="me@myhost.mydomain"
whiptail --title "Certificate Information" --msgbox "You will now be shown the default values for fields that will be used in the certificate. \nIt is fine to leave these as-is since only you and the clients you create will ever see this. \nHowever, if you want to change the values, simply select the ones you wish to modify." ${r} ${c}
until [[ $CERTVALCorrect = True ]]
do
CERTVAL=$(whiptail --title "Certificate Information" --checklist "Choose any certificate values you want to change" ${r} ${c} 7 \
"COUNTRY" "= US" OFF \
"STATE" "= CA" OFF \
"CITY" "= SanFranciso" OFF \
"ORG" "= Fort-Funston" OFF \
"SERVER_NAME" "= server" OFF \
"KEY_NAME" "= EasyRSA" OFF \
"EMAIL" "= me@myhost.mydomain" OFF 3>&1 1>&2 2>&3)
exitstatus=$?
if [ $exitstatus != 0 ]; then
echo "::: Cancel selected. Exiting..."
exit 1
fi
for i in $CERTVAL
do
if [ "$i" == '"COUNTRY"' ]; then
COUNTRY=$(whiptail --title "Certificate Country" --inputbox \
"Enter a 2 letter abbreviation for Country" ${r} ${c} US 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_COUNTRY=\"\).*/\1${COUNTRY}\"/" vars
fi
if [ "$i" == '"STATE"' ]; then
STATE=$(whiptail --title "Certificate State" --inputbox \
"Enter a 2 letter abbreviated State or Province" ${r} ${c} CA 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_PROVINCE=\"\).*/\1${STATE}\"/" vars
fi
if [ "$i" == '"CITY"' ]; then
CITY=$(whiptail --title "Certificate City" --inputbox \
"Enter a City name" ${r} ${c} SanFrancisco 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_CITY=\"\).*/\1${CITY}\"/" vars
fi
if [ "$i" == '"ORG"' ]; then
ORG=$(whiptail --title "Certificate Org" --inputbox \
"Enter an Organization name" ${r} ${c} Fort-Funston 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_ORG=\"\).*/\1${ORG}\"/" vars
fi
if [ "$i" == '"EMAIL"' ]; then
EMAIL=$(whiptail --title "Certificate Email" --inputbox \
"Enter an Email Address" ${r} ${c} "me@myhost.mydomain" 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_EMAIL=\"\).*/\1${EMAIL}\"/" vars
fi
if [ "$i" == '"SERVER_NAME"' ]; then
SERVER_NAME=$(whiptail --title "Server Name" --inputbox \
"Enter a Server Name" ${r} ${c} "pivpn" 3>&1 1>&2 2>&3)
# This began a rabbit hole of errors. Nope.
#sed -i '/export KEY_CN/s/^#//g' vars
#sed -i "s/\(KEY_CN=\"\).*/\1${SERVER_NAME}\"/" vars
fi
if [ "$i" == '"KEY_NAME"' ]; then
KEY_NAME=$(whiptail --title "Key Name" --inputbox \
"Enter a Key Name" ${r} ${c} "EasyRSA" 3>&1 1>&2 2>&3)
$SUDO sed -i "s/\(KEY_NAME=\"\).*/\1${KEY_NAME}\"/" vars
fi
done
if (whiptail --backtitle "Confirm Certificate Fields" --title "Confirm Certificate Fields" --yesno "Are these values correct?\n\n Country: $COUNTRY\n State: $STATE\n City: $CITY\n Org: $ORG\n Email: $EMAIL\n Server Name: $SERVER_NAME\n Key Name: $KEY_NAME" ${r} ${c}) then
CERTVALCorrect=True
else
CERTVALCorrect=False
fi
done
# Make PiVPN the OU
KEY_OU=PiVPN
$SUDO sed -i "s/\(KEY_OU=\"\).*/\1${KEY_OU}\"/" vars
# It seems you have to set this if you mess with key_cn, lets not.
# grep -q 'KEY_ALTNAMES=' vars || printf '\nexport KEY_ALTNAMES="PiVPN_KEYALT"\n' >> vars
echo "export KEY_ALTNAMES=\"PiVPN_ALTNAME\"" >> vars
# source the vars file just edited
source ./vars
$SUDO sed -i "s/\(KEY_SIZE\).*/\1 ${ENCRYPT}/" vars
# Remove any previous keys
${SUDOE} ./clean-all
${SUDOE} ./easyrsa --batch init-pki
# Build the certificate authority
echo "::: Building CA..."
${SUDOE} ./build-ca < /etc/.pivpn/ca_info.txt
printf "::: Building CA...\n"
${SUDOE} ./easyrsa --batch build-ca nopass
printf "\n::: CA Complete.\n"
whiptail --msgbox --backtitle "Setup OpenVPN" --title "Server Information" "The server key, Diffie-Hellman key, and HMAC key will now be generated." ${r} ${c}
# Build the server
${SUDOE} ./build-key-server --batch "$SERVER_NAME"
${SUDOE} ./easyrsa build-server-full server nopass
if ([ "$ENCRYPT" -ge "4096" ] && whiptail --backtitle "Setup OpenVPN" --title "Download Diffie-Hellman Parameters" --yesno --defaultno "Download Diffie-Hellman parameters from a public DH parameter generation service?\n\nGenerating DH parameters for a $ENCRYPT-bit key can take many hours on a Raspberry Pi. You can instead download DH parameters from \"2 Ton Digital\" that are generated at regular intervals as part of a public service. Downloaded DH parameters will be randomly selected from a pool of the last 128 generated.\nMore information about this service can be found here: https://2ton.com.au/dhtool/\n\nIf you're paranoid, choose 'No' and Diffie-Hellman parameters will be generated on your device." ${r} ${c})
then
# Downloading parameters, $KEY_DIR and $KEY_SIZE get set by sourcing ./vars
# Downloading parameters
RANDOM_INDEX=$(( RANDOM % 128 ))
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "${KEY_DIR}/dh${KEY_SIZE}.pem"
${SUDOE} curl "https://2ton.com.au/dhparam/${ENCRYPT}/${RANDOM_INDEX}" -o "/etc/openvpn/easy-rsa/pki/dh${ENCRYPT}.pem"
else
# Generate Diffie-Hellman key exchange
${SUDOE} ./build-dh
${SUDOE} ./easyrsa gen-dh
${SUDOE} mv pki/dh.pem pki/dh${ENCRYPT}.pem
fi
# Generate static HMAC key to defend against DDoS
${SUDOE} openvpn --genkey --secret keys/ta.key
${SUDOE} openvpn --genkey --secret pki/ta.key
# Write config file for server using the template .txt file
$SUDO cp /etc/.pivpn/server_config.txt /etc/openvpn/server.conf
@ -821,7 +766,7 @@ fi
$SUDO sed -i "s/LOCALMASK/${LOCALMASK}/g" /etc/openvpn/server.conf
# Set the user encryption key size
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/keys\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf
$SUDO sed -i "s/\(dh \/etc\/openvpn\/easy-rsa\/pki\/dh\).*/\1${ENCRYPT}.pem/" /etc/openvpn/server.conf
# if they modified port put value in server.conf
if [ $PORT != 1194 ]; then
@ -834,8 +779,8 @@ fi
fi
# write out server certs to conf file
$SUDO sed -i "s/\(key \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.key/" /etc/openvpn/server.conf
$SUDO sed -i "s/\(cert \/etc\/openvpn\/easy-rsa\/keys\/\).*/\1${SERVER_NAME}.crt/" /etc/openvpn/server.conf
$SUDO sed -i "s/\(key \/etc\/openvpn\/easy-rsa\/pki\/private\/\).*/\1${SERVER_NAME}.key/" /etc/openvpn/server.conf
$SUDO sed -i "s/\(cert \/etc\/openvpn\/easy-rsa\/pki\/issued\/\).*/\1${SERVER_NAME}.crt/" /etc/openvpn/server.conf
}
confUnattendedUpgrades() {
@ -932,10 +877,10 @@ confOVPN() {
exit 1
fi
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/keys/Default.txt
$SUDO cp /etc/.pivpn/Default.txt /etc/openvpn/easy-rsa/pki/Default.txt
if [ "$METH" == "$IPv4pub" ]; then
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/keys/Default.txt
$SUDO sed -i 's/IPv4pub/'"$IPv4pub"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
until [[ $publicDNSCorrect = True ]]
do
@ -947,7 +892,7 @@ confOVPN() {
fi
if (whiptail --backtitle "Confirm DNS Name" --title "Confirm DNS Name" --yesno "Is this correct?\n\n Public DNS Name: $PUBLICDNS" ${r} ${c}) then
publicDNSCorrect=True
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/keys/Default.txt
$SUDO sed -i 's/IPv4pub/'"$PUBLICDNS"'/' /etc/openvpn/easy-rsa/pki/Default.txt
else
publicDNSCorrect=False
@ -957,16 +902,16 @@ confOVPN() {
# if they modified port put value in Default.txt for clients to use
if [ $PORT != 1194 ]; then
$SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/keys/Default.txt
$SUDO sed -i -e "s/1194/${PORT}/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi
# if they modified protocol put value in Default.txt for clients to use
if [ "$PROTO" != "udp" ]; then
$SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/keys/Default.txt
$SUDO sed -i -e "s/proto udp/proto tcp/g" /etc/openvpn/easy-rsa/pki/Default.txt
fi
# verify server name to strengthen security
$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/keys/Default.txt
$SUDO sed -i "s/SRVRNAME/${SERVER_NAME}/" /etc/openvpn/easy-rsa/pki/Default.txt
$SUDO mkdir "/home/$pivpnUser/ovpns"
$SUDO chmod 0777 -R "/home/$pivpnUser/ovpns"
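Review bot: `SERVER_NAME` is still expanded into server.conf at L287–L288 (`pki/private/${SERVER_NAME}.key`, `pki/issued/${SERVER_NAME}.crt`) and into the client template at L323, but its only visible assignment (`SERVER_NAME="server"`, L170) is removed by this commit while the new L256 hardcodes the literal `server`; unless it is assigned somewhere outside these hunks, the sed at L287 now writes `key /etc/openvpn/easy-rsa/pki/private/.key` and L323 substitutes an empty string for `SRVRNAME`. Restore `SERVER_NAME="server"` just before L256 and use it there: `${SUDOE} ./easyrsa build-server-full "${SERVER_NAME}" nopass`. Separately, the easy-rsa fetch at L143–L145 downloads to a predictable path under /tmp, is not checked for failure, and is never integrity-checked before `mv`/`chown` as root install it as the tool every later `./easyrsa` call runs; a `mktemp -d` working directory, `|| exit 1` on the wget and the tar, and a `sha256sum -c` against a digest pinned in the script (`<EXPECTED_SHA256_PLACEHOLDER>`) would close that. confOpenVPN's body continues past this hunk and is closed at L289 in a later one.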

pivpn

@ -42,7 +42,7 @@ function uninstallFunc {
}
function versionFunc {
printf "\e[1mVersion 1.6\e[0m\n"
printf "\e[1mVersion 1.7\e[0m\n"
}
function helpFunc {


@ -1,9 +1,9 @@
#!/usr/bin/env bash
# PiVPN: list clients script
INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
printf "\n"
if [ ! -f "$INDEX" ]; then
if [ ! -f "${INDEX}" ]; then
echo "The file: $INDEX was not found!"
exit 1
fi
@ -15,13 +15,13 @@ printf " ::\e[4m Status \e[0m||\e[4m Name \e[0m:: \n"
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
if [ "$STATUS" = "V" ]; then
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
if [ "${STATUS}" == "V" ]; then
printf " Valid :: %s\n" "$NAME"
elif [ "$STATUS" = "R" ]; then
elif [ "${STATUS}" == "R" ]; then
printf " Revoked :: %s\n" "$NAME"
else
printf " Unknown :: %s\n" "$NAME"
fi
done <$INDEX
done <${INDEX}
printf "\n"
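Review bot: `done <${INDEX}` at L367 leaves the redirection target unquoted while the same commit quotes `"${INDEX}"` in the `-f` test at L348; write `done < "${INDEX}"` so the two agree and ShellCheck stays quiet. The new `sed -e 's:.*/CN=::'` at L357 keeps everything after the last `/CN=` in the subject column, presumably because easy-rsa 3's default DN mode writes `/CN=<name>` only; a one-line comment stating that (`# easy-rsa 3 index.txt: subject is /CN=<name>, keep the name`) would spare the next reader from re-deriving why the old capture group was dropped.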


@ -4,40 +4,24 @@
DEFAULT="Default.txt"
FILEEXT=".ovpn"
CRT=".crt"
OKEY=".key"
KEY=".3des.key"
KEY=".key"
CA="ca.crt"
TA="ta.key"
INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
# Functions def
function keynoPASS() {
# Override key def
KEY=".key"
#Build the client key
expect << EOF
set timeout -1
spawn ./build-key "$NAME"
expect "Country Name" { send "\r" }
expect "State or Province Name" { send "\r" }
expect "Locality Name" { send "\r" }
expect "Organization Name" { send "\r" }
expect "Organizational Unit" { send "\r" }
expect "Common Name" { send "\r" }
expect "Name" { send "\r" }
expect "Email Address" { send "\r" }
expect "challenge password" { send "\r" }
expect "optional company name" { send "\r" }
expect "Sign the certificate" { send "y\r" }
expect "commit" { send "y\r" }
spawn ./easyrsa build-client-full "$NAME" nopass
expect eof
EOF
cd keys || exit
cd pki || exit
}
@ -75,65 +59,44 @@ function keyPASS() {
expect << EOF
set timeout -1
spawn ./build-key-pass "$NAME"
spawn ./easyrsa build-client-full "$NAME"
expect "Enter PEM pass phrase" { send "${PASSWD}\r" }
expect "Verifying - Enter PEM pass phrase" { send "${PASSWD}\r" }
expect "Country Name" { send "\r" }
expect "State or Province Name" { send "\r" }
expect "Locality Name" { send "\r" }
expect "Organization Name" { send "\r" }
expect "Organizational Unit" { send "\r" }
expect "Common Name" { send "\r" }
expect "Name" { send "\r" }
expect "Email Address" { send "\r" }
expect "challenge password" { send "\r" }
expect "optional company name" { send "\r" }
expect "Sign the certificate" { send "y\r" }
expect "commit" { send "y\r" }
expect eof
EOF
cd keys || exit
cd pki || exit
expect << EOF
set timeout -1
spawn openssl rsa -in "$NAME$OKEY" -des3 -out "$NAME$KEY"
expect "Enter pass phrase for" { send "${PASSWD}\r" }
expect "Enter PEM pass phrase" { send "${PASSWD}\r" }
expect "Verifying - Enter PEM pass" { send "${PASSWD}\r" }
expect eof
EOF
}
printf "Enter a Name for the Client: "
read -r NAME
if [[ "$NAME" =~ [^a-zA-Z0-9] ]]; then
echo "Name can only contain alphanumeric characters"
if [[ "${NAME}" =~ [^a-zA-Z0-9] ]]; then
echo "Name can only contain alphanumeric characters."
exit 1
fi
if [[ -z "$NAME" ]]; then
echo "You cannot leave the name blank"
if [[ -z "${NAME}" ]]; then
echo "You cannot leave the name blank."
exit 1
fi
# Check if name is already in use
while read -r line || [ -n "$line" ]; do
if [ "$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')" = "$NAME" ]; then
echo "Name is already in use"
if [ "$(echo "$line" | sed -e 's:.*/CN=::')" == "${NAME}" ]; then
echo "Name is already in use."
exit 1
fi
done <$INDEX
done <${INDEX}
# Check if name is reserved
if [ "$NAME" = "ta" ] || [ "$NAME" = "server" ] || [ "$NAME" = "ca" ]; then
echo "Sorry, this name is unavailable, please choose another one"
if [ "${NAME}" == "ta" ] || [ "${NAME}" == "server" ] || [ "${NAME}" == "ca" ]; then
echo "Sorry, this is in use by the server and cannot be used by clients."
exit 1
fi
cd /etc/openvpn/easy-rsa || exit
source /etc/openvpn/easy-rsa/vars
if [[ "$@" =~ "nopass" ]]; then
keynoPASS
@ -142,28 +105,28 @@ else
fi
#1st Verify that clients Public Key Exists
if [ ! -f "$NAME$CRT" ]; then
if [ ! -f "issued/${NAME}${CRT}" ]; then
echo "[ERROR]: Client Public Key Certificate not found: $NAME$CRT"
exit
fi
echo "Client's cert found: $NAME$CRT"
#Then, verify that there is a private key for that client
if [ ! -f "$NAME$KEY" ]; then
echo "[ERROR]: Client 3des Private Key not found: $NAME$KEY"
if [ ! -f "private/${NAME}${KEY}" ]; then
echo "[ERROR]: Client Private Key not found: $NAME$KEY"
exit
fi
echo "Client's Private Key found: $NAME$KEY"
#Confirm the CA public key exists
if [ ! -f "$CA" ]; then
if [ ! -f "${CA}" ]; then
echo "[ERROR]: CA Public Key not found: $CA"
exit
fi
echo "CA public Key found: $CA"
#Confirm the tls-auth ta key file exists
if [ ! -f "$TA" ]; then
if [ ! -f "${TA}" ]; then
echo "[ERROR]: tls-auth Key not found: $TA"
exit
fi
@ -172,31 +135,31 @@ echo "tls-auth Private Key found: $TA"
#Ready to make a new .ovpn file
{
# Start by populating with the default file
cat "$DEFAULT"
cat "${DEFAULT}"
#Now, append the CA Public Cert
echo "<ca>"
cat "$CA"
cat "${CA}"
echo "</ca>"
#Next append the client Public Cert
echo "<cert>"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "$NAME$CRT"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
echo "</cert>"
#Then, append the client Private Key
echo "<key>"
cat "$NAME$KEY"
cat "private/${NAME}${KEY}"
echo "</key>"
#Finally, append the TA Private Key
echo "<tls-auth>"
cat "$TA"
cat "${TA}"
echo "</tls-auth>"
} > "$NAME$FILEEXT"
} > "${NAME}${FILEEXT}"
# Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/keys/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"
printf "\n\n"
printf "========================================================\n"
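Review bot: `send "${PASSWD}\r"` at L415–L416 expands the passphrase through the unquoted `<< EOF` heredoc straight into Tcl source, so a passphrase containing `"`, `\`, `$`, `[`/`]` or `}` either breaks the expect script or is evaluated by Tcl instead of being typed; the same pattern appears at L437–L438, if that block survives on the new side. Since this commit rewrites the spawn line at L414, it is the moment to pass both values through the environment and quote the heredoc, as below; keyPASS's header, and wherever `PASSWD` is read, lie above the hunk. Separately, the profile copied at L537 embeds the client's private key (unencrypted in the nopass path) and only gets `chown` at L538; add `chmod 600 "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"` after it, since the install script creates that directory `0777`.
```shell
# … unchanged: passphrase prompting above …
# Quoted heredoc: the shell expands nothing here; Tcl reads both values from
# the environment, so quotes, backslashes, $ and [ ] in the passphrase are sent literally.
NAME="$NAME" PASSWD="$PASSWD" expect <<'EOF'
set timeout -1
spawn ./easyrsa build-client-full $env(NAME)
expect "Enter PEM pass phrase" { send -- "$env(PASSWD)\r" }
expect "Verifying - Enter PEM pass phrase" { send -- "$env(PASSWD)\r" }
expect eof
EOF
cd pki || exit
```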


@ -4,9 +4,9 @@
INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
REVOKE_STATUS=$(cat /etc/pivpn/REVOKE_STATUS)
PLAT=$(cat /etc/pivpn/DET_PLATFORM)
INDEX="/etc/openvpn/easy-rsa/keys/index.txt"
INDEX="/etc/openvpn/easy-rsa/pki/index.txt"
if [ ! -f "$INDEX" ]; then
if [ ! -f "${INDEX}" ]; then
printf "The file: %s was not found\n" "$INDEX"
exit 1
fi
@ -18,7 +18,7 @@ i=0
while read -r line || [ -n "$line" ]; do
STATUS=$(echo "$line" | awk '{print $1}')
if [[ "$STATUS" = "V" ]]; then
NAME=$(echo "$line" | sed -e 's/^.*CN=\([^/]*\)\/.*/\1/')
NAME=$(echo "$line" | sed -e 's:.*/CN=::')
CERTS[$i]=$NAME
if [ "$i" != 0 ]; then
# Prevent printing "server" certificate
@ -26,13 +26,13 @@ while read -r line || [ -n "$line" ]; do
fi
let i=i+1
fi
done <$INDEX
done <${INDEX}
printf "\n"
echo "::: Please enter the Name of the client to be revoked from the list above:"
read -r NAME
if [[ -z "$NAME" ]]; then
if [[ -z "${NAME}" ]]; then
echo "::: You can not leave this blank!"
exit 1
fi
@ -43,24 +43,21 @@ for((x=1;x<=i;++x)); do
fi
done
if [ -z "$VALID" ]; then
if [ -z "${VALID}" ]; then
printf "::: You didn't enter a valid cert name!\n"
exit 1
fi
cd /etc/openvpn/easy-rsa || exit
source /etc/openvpn/easy-rsa/vars
./revoke-full "$NAME"
echo "::: Certificate revoked, removing ovpns from /home/$INSTALL_USER/ovpns"
rm "/home/$INSTALL_USER/ovpns/$NAME.ovpn"
cp /etc/openvpn/easy-rsa/keys/crl.pem /etc/openvpn/crl.pem
echo "::: Completed!"
if [ "$REVOKE_STATUS" == 0 ]; then
if [ "${REVOKE_STATUS}" == 0 ]; then
echo 1 > /etc/pivpn/REVOKE_STATUS
printf "\nThis seems to be the first time you have revoked a cert.\n"
printf "We are adding the CRL to the server.conf and restarting openvpn.\n"
printf "First we need to initialize the Certificate Revocation List.\n"
printf "Then add the CRL to your server config and restart openvpn.\n"
./easyrsa gen-crl
cp pki/crl.pem /etc/openvpn/crl.pem
chown nobody:nogroup /etc/openvpn/crl.pem
sed -i '/#crl-verify/c\crl-verify /etc/openvpn/crl.pem' /etc/openvpn/server.conf
if [[ ${PLAT} == "Ubuntu" || ${PLAT} == "Debian" ]]; then
service openvpn restart
@ -68,3 +65,13 @@ if [ "$REVOKE_STATUS" == 0 ]; then
systemctl restart openvpn.service
fi
fi
./easyrsa --batch revoke "${NAME}"
printf "\n::: Certificate revoked, and CRL file updated.\n"
printf "::: Removing certs and client configuration for this profile.\n"
rm -rf "pki/reqs/${NAME}.req"
rm -rf "pki/private/${NAME}.key"
rm -rf "pki/issued/${NAME}.crt"
rm -rf "/home/$INSTALL_USER/ovpns/${NAME}.ovpn"
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
printf "::: Completed!\n"
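Review bot: The revoke at L610 is never followed by `./easyrsa gen-crl`, and easy-rsa 3's `revoke` does not regenerate the CRL itself, so the `cp .../pki/crl.pem /etc/openvpn/crl.pem` at L617 publishes a CRL that does not contain the certificate just revoked — on the first run the empty CRL generated at L600 before the revoke, on later runs whatever gen-crl last produced — and the revoked client keeps connecting while L611 reports "CRL file updated". Insert `./easyrsa gen-crl` between L610 and L617, and make L610 `./easyrsa --batch revoke "${NAME}" || exit 1` so a failed revoke does not fall through to deleting the key files. The `rm -rf` calls at L613–L616 act on single files and should be `rm -f`. The `if` closed by the `fi` at L609 starts in the previous hunk.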


@ -1,10 +1,11 @@
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh1024.pem
topology subnet
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
@ -25,7 +26,7 @@ client-to-client
duplicate-cn
keepalive 10 120
tls-version-min 1.2
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
@ -37,4 +38,4 @@ persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1
# This configuration file was originally written by Lauren Orsini at ReadWrite.
# Generated for use by PiVPN.io