Pi-hole/pivpn
Pi-hole/pivpn
1
0
Fork 0
mirror of https://github.com/pivpn/pivpn.git synced 2024-12-18 19:00:15 +00:00
Code Issues Projects Releases Packages Wiki Activity

Updated .ovpn12 configuration

Browse source 
Incorporated feedback on how to properly implement .ovpn12 files.
This commit is contained in:
IcedComputer 2019-06-27 14:43:30 -07:00 committed by GitHub
parent dae6276d37
commit 97bb319795
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 59 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

75
scripts/makeOVPN.sh
View file

@ -13,7 +13,7 @@ INSTALL_USER=$(cat /etc/pivpn/INSTALL_USER)
helpFunc() { helpFunc() {
echo "::: Create a client ovpn profile, optional nopass" echo "::: Create a client ovpn profile, optional nopass"
echo ":::" echo ":::"
echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-h|--help]" echo "::: Usage: pivpn <-a|add> [-n|--name <arg>] [-p|--password <arg>]|[nopass] [-d|--days <number>] [-i|--iOS] [-h|--help]"
echo ":::" echo ":::"
echo "::: Commands:" echo "::: Commands:"
echo "::: [none] Interactive mode" echo "::: [none] Interactive mode"
@ -21,6 +21,7 @@ helpFunc() {
echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)" echo "::: -d,--days Expire the certificate after specified number of days (default: 1080)"
echo "::: -n,--name Name for the Client (default: '"$(hostname)"')" echo "::: -n,--name Name for the Client (default: '"$(hostname)"')"
echo "::: -p,--password Password for the Client (no default)" echo "::: -p,--password Password for the Client (no default)"
echo "::: -i,--iOS Generate a certificate that leverages iOS keychain"
echo "::: -h,--help Show this help dialog" echo "::: -h,--help Show this help dialog"
} }
@ -59,7 +60,10 @@ do
fi fi
DAYS="$_val" DAYS="$_val"
;; ;;
-h|--help) -i|--iOS)
iOS=1
;;
-h|--help)
helpFunc helpFunc
exit 0 exit 0
;; ;;
@ -235,8 +239,58 @@ if [ ! -f "${TA}" ]; then
fi fi
echo "tls-auth Private Key found: $TA" echo "tls-auth Private Key found: $TA"
## Added new step to create an .ovpn12 file that can be stored on iOS keychain
## This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered
## https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
if [ "$iOS" = "1" ]; then
#Generates the .ovpn file WITHOUT the client private key
{
# Start by populating with the default file
cat "${DEFAULT}"
#Now, append the CA Public Cert
echo "<ca>"
cat "${CA}"
echo "</ca>"
#Next append the client Public Cert
echo "<cert>"
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "issued/${NAME}${CRT}"
echo "</cert>"
#Finally, append the TA Private Key
if [ -f /etc/pivpn/TWO_POINT_FOUR ]; then
echo "<tls-crypt>"
cat "${TA}"
echo "</tls-crypt>"
else
echo "<tls-auth>"
cat "${TA}"
echo "</tls-auth>"
fi
} > "${NAME}${FILEEXT}"
# Copy the .ovpn profile to the home directory for convenient remote access
printf "========================================================\n"
printf "Generating an .ovpn12 file for use with iOS devices\n"
printf "Please remember the export password\n"
printf "as you will need this import the certificate on your iOS device\n"
printf "========================================================\n"
openssl pkcs12 -passin pass:$PASSWD -passin pass:$PASSWD -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12"
chmod o-r "/home/$INSTALL_USER/ovpns/$NAME.ovpn12"
printf "========================================================\n"
printf "\e[1mDone! %s successfully created!\e[0m \n" "$NAME.ovpn12"
printf "You will need to transfer both the .ovpn and .ovpn12 files\n"
printf "to your iOS device.\n"
printf "========================================================\n\n"
else
#This is the standard non-iOS configuration
#Ready to make a new .ovpn file #Ready to make a new .ovpn file
{ {
# Start by populating with the default file # Start by populating with the default file
cat "${DEFAULT}" cat "${DEFAULT}"
@ -266,20 +320,9 @@ echo "tls-auth Private Key found: $TA"
echo "</tls-auth>" echo "</tls-auth>"
fi fi
} > "${NAME}${FILEEXT}" } > "${NAME}${FILEEXT}"
## Added new step to create an .ovpn12 file that can be stored on iOS keychain
## This step is more secure method and does not require the end-user to keep entering passwords, or storing the client private cert where it can be easily tampered
## https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/
printf "========================================================\n"
printf "Generating an .ovpn12 file for use with iOS devices\n"
printf "========================================================\n"
openssl pkcs12 -export -in issued/${NAME}${CRT} -inkey private/${NAME}${KEY} -certfile ${CA} -name ${NAME} -out /home/$INSTALL_USER/ovpns/$NAME.ovpn12
chown "$INSTALL_USER" "/home/$INSTALL_USER/ovpns/$NAME.ovpn12"
chmod o-r "/home/$INSTALL_USER/ovpns/$NAME.ovpn12"
fi
# Copy the .ovpn profile to the home directory for convenient remote access # Copy the .ovpn profile to the home directory for convenient remote access
cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT" cp "/etc/openvpn/easy-rsa/pki/$NAME$FILEEXT" "/home/$INSTALL_USER/ovpns/$NAME$FILEEXT"