@dannofx
Last active February 16, 2017 02:03
ovpngen.sh: generates (or, with `-r`, revokes) an easy-rsa client certificate and key for an OpenVPN server and builds a self-contained `.ovpn` profile with the CA certificate, client certificate and client private key embedded inline. Must be run as root; it writes under /etc/openvpn and restarts the service.
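#!/bin/bash
#
# ovpngen.sh - create or revoke an OpenVPN client profile with easy-rsa 2.
#
# Usage:
#   sudo ./ovpngen.sh <profile_name>      issue a certificate/key pair for
#                                         <profile_name> and build an inline .ovpn
#   sudo ./ovpngen.sh -r <profile_name>   revoke <profile_name>, publish the CRL
#                                         and delete its files
#
# Expects /etc/openvpn/server.conf, /etc/openvpn/ca.crt and an easy-rsa 2 tree
# (vars, pkitool, revoke-full, keys/) under /etc/openvpn/easy-rsa.
# Must run as root: it writes under /etc/openvpn and restarts the service.

# -u: an unset variable here would turn into `rm` of the wrong path.
# -o pipefail: a failing command inside a pipeline is not masked.
# -e is deliberately NOT set: easy-rsa 2's revoke-full is known to exit
# non-zero even when the revocation succeeded, so every critical step checks
# its own status explicitly instead.
set -uo pipefail

if [[ -z "${1:-}" ]]; then
  echo "Usage:"
  echo "Generate profile:"
  echo "sudo ./ovpngen.sh your_profile_name"
  echo "Revoke profile:"
  echo "sudo ./ovpngen.sh -r your_profile_name"
  exit 0
fi

TARGET_NAME=$1
SHOULD_REVOKE=false
if [[ "$1" == "-r" ]]; then
  SHOULD_REVOKE=true
  if [[ -z "${2:-}" ]]; then
    echo "You must provide a profile name to revoke"
    exit 1
  fi
  TARGET_NAME=$2
fi

# The profile name becomes a file name under /etc/openvpn, an argument to
# pkitool/revoke-full, and the stem of `rm <dir>/<name>.*` on revocation.
# Reject anything that could escape the directory (`../server` would delete
# server.conf), expand as a glob, or be parsed as an option by easy-rsa.
if [[ ! "$TARGET_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "ERROR: profile name '$TARGET_NAME' is invalid." >&2
  echo "Use letters, digits, '.', '_' and '-' only; it must not start with '.' or '-'." >&2
  exit 1
fi

OPWD=$(pwd)
OVPN_DIRECTORY=/etc/openvpn
SERVER_CONF=$OVPN_DIRECTORY/server.conf
EASY_DIRECTORY=$OVPN_DIRECTORY/easy-rsa
FOVPN_DIRECTORY=$OVPN_DIRECTORY/openvpn-profiles
FOVPN=$FOVPN_DIRECTORY/$TARGET_NAME.ovpn

# The finished profile is also copied into the home of the user who invoked
# sudo (falls back to the account the original script hard-coded when
# SUDO_USER is absent, i.e. when run directly as root). `~` is avoided on
# purpose: under sudo it may expand to /root or to the caller's home depending
# on the sudo configuration, which is why the account is resolved explicitly.
PROFILE_OWNER=${SUDO_USER:-daniel}
PROFILE_HOME=$(getent passwd "$PROFILE_OWNER" | cut -d: -f6)
DOVPN_DIRECTORY=${PROFILE_HOME:-${HOME:-/root}}/openvpn-profiles
DOVPN=$DOVPN_DIRECTORY/$TARGET_NAME.ovpn
PROFILE_BASE_FILE=/etc/openvpn/ovpn.base

# Both directories will hold files that embed client private keys, so they
# are created owner-only. The one in the caller's home is handed to them,
# otherwise a 0700 root-owned directory would make the copy unreadable.
if [[ ! -d "$FOVPN_DIRECTORY" ]]; then
  mkdir -m 700 -- "$FOVPN_DIRECTORY" || exit 1
fi
if [[ ! -d "$DOVPN_DIRECTORY" ]]; then
  mkdir -m 700 -- "$DOVPN_DIRECTORY" || exit 1
  chown "$PROFILE_OWNER" "$DOVPN_DIRECTORY"
fi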
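#######################################
# Revoke a client certificate and remove every file generated for it.
# Globals:   SERVER_CONF, FOVPN, FOVPN_DIRECTORY, DOVPN, EASY_DIRECTORY,
#            OVPN_DIRECTORY (all read)
# Arguments: $1 - profile name (also the easy-rsa certificate base name)
# Outputs:   progress and errors on stdout/stderr
# Returns:   0 on success; 1 if the name is unsafe, server.conf or the
#            easy-rsa directory is missing, or no usable CRL was produced
# Side effects: appends `crl-verify crl.pem` to server.conf when absent,
#            installs the regenerated CRL into /etc/openvpn and restarts
#            the openvpn service.
#######################################
revoke_profile() {
  local name=$1
  local crl_directive="crl-verify crl.pem"

  # `rm <dir>/<name>.*` below would follow `..` or expand glob characters;
  # refuse such names here so this function is safe on its own, whatever
  # validation the caller did.
  case "$name" in
    ''|*/*|.*|-*|*'*'*|*'?'*|*'['*)
      echo "ERROR: refusing to revoke unsafe profile name '$name'." >&2
      return 1
      ;;
  esac

  if [[ ! -f "$FOVPN" ]]; then
    echo "WARNING: Nothing to revoke, the profile doesn't exist."
  fi

  # Appending to a missing server.conf would silently create a bogus one.
  if [[ ! -f "$SERVER_CONF" ]]; then
    echo "ERROR: $SERVER_CONF not found; is OpenVPN installed here?" >&2
    return 1
  fi
  # Make the server honour the CRL. -F -x: literal, whole-line match, so a
  # commented-out `;crl-verify crl.pem` does not count as already present.
  if ! grep -qFx -- "$crl_directive" "$SERVER_CONF"; then
    printf '%s\n' "$crl_directive" >> "$SERVER_CONF"
  fi

  # -f: a profile that was never fully generated must not stop the revocation.
  rm -f -- "$FOVPN_DIRECTORY/$name".*
  rm -f -- "$DOVPN"

  cd "$EASY_DIRECTORY" || { echo "ERROR: cannot cd to $EASY_DIRECTORY" >&2; return 1; }
  # shellcheck disable=SC1091 — easy-rsa's environment (KEY_DIR, KEY_CONFIG, ...)
  . ./vars

  # easy-rsa 2's revoke-full finishes with `openssl verify -crl_check`, which
  # prints "error 23 ... certificate revoked" and exits non-zero precisely
  # when the revocation worked, so its exit status is not a success signal.
  # Validate the regenerated CRL instead before publishing it.
  ./revoke-full "$name"
  if ! openssl crl -in keys/crl.pem -noout >/dev/null 2>&1; then
    echo "ERROR: easy-rsa did not produce a valid keys/crl.pem; CRL not installed." >&2
    return 1
  fi

  cp -- keys/crl.pem "$OVPN_DIRECTORY/" || return 1
  # A freshly added crl-verify directive only takes effect after a restart.
  service openvpn restart

  # openssl ca records the revocation in keys/index.txt, so the CRL should
  # remain regenerable after the per-client files are gone.
  rm -f -- "keys/$name".*
}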
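# ---- revoke mode ----------------------------------------------------------
if [[ "$SHOULD_REVOKE" = true ]]; then
  revoke_profile "$TARGET_NAME" || exit 1
  exit 0
fi

# ---- generate mode --------------------------------------------------------
# Defensive re-check: this section builds file paths and easy-rsa arguments
# from the name, so it must never contain '/', a glob character or a leading
# '.' or '-'.
case "$TARGET_NAME" in
  ''|*/*|.*|-*|*'*'*|*'?'*|*'['*)
    echo "ERROR: invalid profile name '$TARGET_NAME'." >&2
    exit 1
    ;;
esac

if [[ -f "$FOVPN" ]]; then
  echo "A profile with name $TARGET_NAME already exists."
  read -r -p "Do you want to delete the existing profile and revoke its certificate [y/N]?" response
  case "$response" in
    [yY][eE][sS]|[yY])
      # A failed revocation must not be followed by re-issuing the same name.
      revoke_profile "$TARGET_NAME" || exit 1
      ;;
    *)
      echo "ERROR: Cannot continue due to the existing profile."
      exit 1
      ;;
  esac
fi

# First run only: derive the client template from the packaged sample and
# comment out its file-based ca/cert/key lines, because those three are
# embedded inline below. The sample path is the one shipped by the
# Debian/Ubuntu openvpn package; elsewhere create ovpn.base by hand.
if [[ ! -f "$PROFILE_BASE_FILE" ]]; then
  sample=/usr/share/doc/openvpn/examples/sample-config-files/client.conf
  if [[ ! -f "$sample" ]]; then
    echo "ERROR: $sample not found; create $PROFILE_BASE_FILE by hand." >&2
    exit 1
  fi
  cp -- "$sample" "$PROFILE_BASE_FILE" || exit 1
  sed -i -e 's/ca ca.crt/;ca ca.crt/g' \
         -e 's/cert client.crt/;cert client.crt/g' \
         -e 's/key client.key/;key client.key/g' "$PROFILE_BASE_FILE"
fi

# Refuse to ship a profile that still points at the sample's placeholder host.
if grep -qFx -- "remote my-server-1 1194" "$PROFILE_BASE_FILE"; then
  echo "You need to specify the remote address in $PROFILE_BASE_FILE before continue."
  echo "Replace 'my-server-1' with the public ip or the host domain."
  # Non-zero (was 0): nothing was generated, so callers must see a failure.
  exit 1
fi

# Issue the client certificate. openssl ca typically rejects a second
# certificate for a CN it has already issued (TXT_DB error 2), which is why an
# existing profile had to be revoked above rather than overwritten.
cd "$EASY_DIRECTORY" || { echo "ERROR: cannot cd to $EASY_DIRECTORY" >&2; exit 1; }
# shellcheck disable=SC1091 — easy-rsa's environment (KEY_DIR, KEY_CONFIG, ...)
. ./vars
if ! ./pkitool "$TARGET_NAME"; then
  echo "ERROR: easy-rsa failed to create a certificate for $TARGET_NAME." >&2
  exit 1
fi

client_crt=$EASY_DIRECTORY/keys/$TARGET_NAME.crt
client_key=$EASY_DIRECTORY/keys/$TARGET_NAME.key
ca_crt=$OVPN_DIRECTORY/ca.crt
# Never emit a profile with an empty <ca>/<cert>/<key> section.
for f in "$ca_crt" "$client_crt" "$client_key"; do
  if [[ ! -s "$f" ]]; then
    echo "ERROR: $f is missing or empty; profile not written." >&2
    exit 1
  fi
done

cd "$OVPN_DIRECTORY" || exit 1

# The profile embeds the client's private key. Create it 0600 *before* any
# content is written: a plain `>` redirect uses the process umask, which on a
# root shell typically leaves the file world-readable.
install -m 600 /dev/null "$FOVPN" || exit 1
echo "Client file: " "$FOVPN"
{
  cat -- "$PROFILE_BASE_FILE"
  printf '<ca>\n';   cat -- "$ca_crt";     printf '</ca>\n'
  printf '<cert>\n'; cat -- "$client_crt"; printf '</cert>\n'
  printf '<key>\n';  cat -- "$client_key"; printf '</key>\n'
} > "$FOVPN" || exit 1

# Loose copies kept next to the profile; only the key is secret.
install -m 644 -- "$client_crt" "$FOVPN_DIRECTORY/$TARGET_NAME.crt" || exit 1
install -m 600 -- "$client_key" "$FOVPN_DIRECTORY/$TARGET_NAME.key" || exit 1

# Hand a copy to the user who invoked sudo, readable by them only. Falls back
# to the account the original script hard-coded when SUDO_USER is not set.
profile_owner=${SUDO_USER:-daniel}
install -m 600 -o "$profile_owner" -- "$FOVPN" "$DOVPN" || exit 1

# NOTE(review): if server.conf uses tls-auth or tls-crypt, the client needs
# that key too (<tls-auth>/<tls-crypt> block plus key-direction); this script
# does not embed it, so such profiles will fail to connect until it is added.
# NOTE(review): the server never needs the client's private key; the copies
# under $FOVPN_DIRECTORY and easy-rsa/keys are convenience copies and could be
# deleted once the profile has been delivered.

# Kept from the original. Issuing a client certificate does not change server
# state, so this restart (which drops every connected client) is probably
# unnecessary; the script already runs as root, so no inner sudo is needed.
service openvpn restart
cd "$OPWD" || exit 1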