freuds · April 16, 2021 23:59
diff --git a/gen_ovpn_client.sh b/gen_ovpn_client.sh
 #!/usr/bin/env bash

 set +x

 #############################
 # only root
 if [ `id -u` != 0 ]; then
  die "Must be launch with root privilege"
 fi

 UUENCODE=$(which uuencode)
 MAILX=$(which mailx)
 ZIP=$(which zip)
 UNIX2DOS=$(which unix2dos)

 #############################

 # Wrapper around printf - clobber print since it's not POSIX anyway
 print() { printf "%s\n" "$*"; }

 # Exit fatally with a message to stderr
 # present even with EASYRSA_BATCH as these are fatal problems
 die() {
    print "
 Script error: $1" 1>&2
    exit ${2:-1}
 }

 # non-fatal warning output
 warn() {
    print "$1" 1>&2
 }

 # informational notices to stdout
 notice() {
    print "$1"
 }

 configParser() {

    local f
    f=$1
    if [ ! -f "$f" ]; then
        die "Error: cannot read server configuration files"
    fi

    SRV_VPN_PORT=$(awk '/^port/{print $2}' "${f}")
    SRV_VPN_IP=$(awk '/^server/{print $2 $3}' "${f}")
 }

 DIR="/etc/openvpn"
 EAZ="${DIR}/easyrsa3"
 OVPN="${EAZ}/pki/ovpn"
 if [ ! -d "${EAZ}" ]; then
    die "couldn't find easyrsa3 folder"
 fi
 cd ${EAZ}

 PROFIL=$1
 if [ -z "${PROFIL}" ]; then
    die "missing argument : ./gen-ovpn <filename_base>"
 fi

 CA_CRT="${EAZ}/pki/ca.crt"
 TLS_AUTH="${DIR}/keys/ta.key"
 USER_REQ="${EAZ}/pki/reqs/${PROFIL}.req"
 USER_KEY="${EAZ}/pki/private/${PROFIL}.key"
 USER_CRT="${EAZ}/pki/issued/${PROFIL}.crt"

 if [ ! -f "${TLS_AUTH}" ]; then
    openvpn --genkey --secret ${TLS_AUTH}
 fi

 if [ ! -f "${USER_REQ}" ] || [ ! -f "${USER_KEY}" ]; then
    die "missing request or key for user ${PROFIL} : ./easyrsa gen-req <username> nopass"
 fi

 if [ ! -f "${USER_CRT}" ]; then
    die "missing certificat for user ${PROFIL} : ./easyrsa sign client <username>"
 fi

 if [ ! -d "${OVPN}" ]; then
    mkdir -p "${OVPN}"
 fi

 # User exists
 CNF_FILE="${OVPN}/${PROFIL}.ovpn"
 CNF_FILENAME="config-vpn1-${PROFIL}.ovpn"
 CNF_VPN_HOSTNAME="vpn.freuds.me"
 CNF_MODEL=$(mktemp /tmp/$(basename $0).XXXXXXXX)
 CNF_CERT_TMP=$(mktemp /tmp/$(basename $0).XXXXXXXX)
 MAIL_MODEL=$(mktemp /tmp/$(basename $0).XXXXXXXX)
 MAIL_TO="[email protected]"
 MAIL_FROM="[email protected]"
 MAIL_SUBJECT="VPN Access"

 ## backup ovpn config if exists
 if [ -f "${CNF_FILE}" ]; then
    mv -f ${CNF_FILE} ${CNF_FILE}.`date '+%F'` && warn "We backup the last config"
 fi

 # extract SERVER PORT info
 # TODO: seach map config vpn *.conf
 configParser "/etc/openvpn/server/vpn1.conf"

 ## copy model for user
 notice "Create template from model. "
 cat > ${CNF_MODEL}<< EOF
 client
 dev tun
 proto udp
 remote $CNF_VPN_HOSTNAME $SRV_VPN_PORT
 resolv-retry infinite
 comp-lzo
 nobind
 persist-key
 persist-tun
 remote-cert-tls server
 cipher AES-256-GCM
 verb 3
 mute 20

 <ca>
 __CA_CRT__</ca>
 <cert>
 __USER_CRT__</cert>
 <key>
 __USER_KEY__</key>
 EOF

 # <tls-auth> __TLS_AUTH__</tls-auth>
 # key-direction 1

 notice "Replace TLS-AUTH OVPN file. "
 sed -n "/^-----BEGIN OpenVPN Static key V1-----/,/-----END OpenVPN Static key V1-----$/p" < ${TLS_AUTH} > ${CNF_CERT_TMP}
 sed -e "s/__TLS_AUTH__/$(<${CNF_CERT_TMP} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' | tr -d '\n')/g" -i ${CNF_MODEL}

 notice "Replace CA certificat in OVPN file. "
 sed -e "s/__CA_CRT__/$(<${CA_CRT} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' | tr -d '\n')/g" -i ${CNF_MODEL}

 notice "Replace CRT certificat in OVPN file. "
 sed -n "/^-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----$/p" < ${USER_CRT} > ${CNF_CERT_TMP}
 sed -e "s/__USER_CRT__/$(<${CNF_CERT_TMP} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' | tr -d '\n')/g" -i ${CNF_MODEL}

 notice "Replace KEY certificat in OVPN file. "
 sed -e "s/__USER_KEY__/$(<${USER_KEY} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' | tr -d '\n')/g" -i ${CNF_MODEL}

 # Copy file ovpn from model
 cat "${CNF_MODEL}" > "${CNF_FILE}" && notice "Prepare a new config file from model."
 chmod 644 ${CNF_FILE}

 # convert into DOS
 $UNIX2DOS ${CNF_FILE}

 # make package zip config file + VPN Doc
 #$ZIP -q ${ZIPNAME} ${OVPN_NAME} ${VPNDOC} && notice " - zip config client file"

 # send config file ( attachement + body)
 #| $MAILX -aFrom:${MAIL_FROM} -b ${MAIL_BCC} -s "${MAIL_SUBJECT}" "${MAIL_TO}"

 # reception
 cat > ${MAIL_MODEL}<<EOF
 Hello,

 Merci de trouver en PJ vos accès pour le client OpenVPN
 See: https://openvpn.net/community-downloads/

 Cordialement
 EOF

 notice "Sending config file by email : ${MAIL_TO}. "
 ( cat ${MAIL_MODEL}; $UUENCODE ${CNF_FILE} ${CNF_FILENAME} ) \
   | $MAILX -aFrom:${MAIL_FROM} -s "${MAIL_SUBJECT}" "${MAIL_TO}"

 # cleanup
 rm -f ${CNF_MODEL}
 rm -f ${CNF_CERT_TMP}
 rm -f ${MAIL_MODEL}

 exit 0
	#!/usr/bin/env bash

	set +x

	#############################
	# only root
	if [ `id -u` != 0 ]; then
	die "Must be launch with root privilege"
	fi

	UUENCODE=$(which uuencode)
	MAILX=$(which mailx)
	ZIP=$(which zip)
	UNIX2DOS=$(which unix2dos)

	#############################

	# Wrapper around printf - clobber print since it's not POSIX anyway
	print() { printf "%s\n" "$*"; }

	# Exit fatally with a message to stderr
	# present even with EASYRSA_BATCH as these are fatal problems
	die() {
	print "
	Script error: $1" 1>&2
	exit ${2:-1}
	}

	# non-fatal warning output
	warn() {
	print "$1" 1>&2
	}

	# informational notices to stdout
	notice() {
	print "$1"
	}

	configParser() {

	local f
	f=$1
	if [ ! -f "$f" ]; then
	die "Error: cannot read server configuration files"
	fi

	SRV_VPN_PORT=$(awk '/^port/{print $2}' "${f}")
	SRV_VPN_IP=$(awk '/^server/{print $2 $3}' "${f}")
	}

	DIR="/etc/openvpn"
	EAZ="${DIR}/easyrsa3"
	OVPN="${EAZ}/pki/ovpn"
	if [ ! -d "${EAZ}" ]; then
	die "couldn't find easyrsa3 folder"
	fi
	cd ${EAZ}

	PROFIL=$1
	if [ -z "${PROFIL}" ]; then
	die "missing argument : ./gen-ovpn <filename_base>"
	fi

	CA_CRT="${EAZ}/pki/ca.crt"
	TLS_AUTH="${DIR}/keys/ta.key"
	USER_REQ="${EAZ}/pki/reqs/${PROFIL}.req"
	USER_KEY="${EAZ}/pki/private/${PROFIL}.key"
	USER_CRT="${EAZ}/pki/issued/${PROFIL}.crt"

	if [ ! -f "${TLS_AUTH}" ]; then
	openvpn --genkey --secret ${TLS_AUTH}
	fi

	if [ ! -f "${USER_REQ}" ] \|\| [ ! -f "${USER_KEY}" ]; then
	die "missing request or key for user ${PROFIL} : ./easyrsa gen-req <username> nopass"
	fi

	if [ ! -f "${USER_CRT}" ]; then
	die "missing certificat for user ${PROFIL} : ./easyrsa sign client <username>"
	fi

	if [ ! -d "${OVPN}" ]; then
	mkdir -p "${OVPN}"
	fi

	# User exists
	CNF_FILE="${OVPN}/${PROFIL}.ovpn"
	CNF_FILENAME="config-vpn1-${PROFIL}.ovpn"
	CNF_VPN_HOSTNAME="vpn.freuds.me"
	CNF_MODEL=$(mktemp /tmp/$(basename $0).XXXXXXXX)
	CNF_CERT_TMP=$(mktemp /tmp/$(basename $0).XXXXXXXX)
	MAIL_MODEL=$(mktemp /tmp/$(basename $0).XXXXXXXX)
	MAIL_TO="[email protected]"
	MAIL_FROM="[email protected]"
	MAIL_SUBJECT="VPN Access"

	## backup ovpn config if exists
	if [ -f "${CNF_FILE}" ]; then
	mv -f ${CNF_FILE} ${CNF_FILE}.`date '+%F'` && warn "We backup the last config"
	fi

	# extract SERVER PORT info
	# TODO: seach map config vpn *.conf
	configParser "/etc/openvpn/server/vpn1.conf"

	## copy model for user
	notice "Create template from model. "
	cat > ${CNF_MODEL}<< EOF
	client
	dev tun
	proto udp
	remote $CNF_VPN_HOSTNAME $SRV_VPN_PORT
	resolv-retry infinite
	comp-lzo
	nobind
	persist-key
	persist-tun
	remote-cert-tls server
	cipher AES-256-GCM
	verb 3
	mute 20

	<ca>
	__CA_CRT__</ca>
	<cert>
	__USER_CRT__</cert>
	<key>
	__USER_KEY__</key>
	EOF

	# <tls-auth> __TLS_AUTH__</tls-auth>
	# key-direction 1

	notice "Replace TLS-AUTH OVPN file. "
	sed -n "/^-----BEGIN OpenVPN Static key V1-----/,/-----END OpenVPN Static key V1-----$/p" < ${TLS_AUTH} > ${CNF_CERT_TMP}
	sed -e "s/__TLS_AUTH__/$(<${CNF_CERT_TMP} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' \| tr -d '\n')/g" -i ${CNF_MODEL}

	notice "Replace CA certificat in OVPN file. "
	sed -e "s/__CA_CRT__/$(<${CA_CRT} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' \| tr -d '\n')/g" -i ${CNF_MODEL}

	notice "Replace CRT certificat in OVPN file. "
	sed -n "/^-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----$/p" < ${USER_CRT} > ${CNF_CERT_TMP}
	sed -e "s/__USER_CRT__/$(<${CNF_CERT_TMP} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' \| tr -d '\n')/g" -i ${CNF_MODEL}

	notice "Replace KEY certificat in OVPN file. "
	sed -e "s/__USER_KEY__/$(<${USER_KEY} sed -e 's/[\&/]/\\&/g' -e 's/$/\\n/' \| tr -d '\n')/g" -i ${CNF_MODEL}

	# Copy file ovpn from model
	cat "${CNF_MODEL}" > "${CNF_FILE}" && notice "Prepare a new config file from model."
	chmod 644 ${CNF_FILE}

	# convert into DOS
	$UNIX2DOS ${CNF_FILE}

	# make package zip config file + VPN Doc
	#$ZIP -q ${ZIPNAME} ${OVPN_NAME} ${VPNDOC} && notice " - zip config client file"

	# send config file ( attachement + body)
	#\| $MAILX -aFrom:${MAIL_FROM} -b ${MAIL_BCC} -s "${MAIL_SUBJECT}" "${MAIL_TO}"

	# reception
	cat > ${MAIL_MODEL}<<EOF
	Hello,

	Merci de trouver en PJ vos accès pour le client OpenVPN
	See: https://openvpn.net/community-downloads/

	Cordialement
	EOF

	notice "Sending config file by email : ${MAIL_TO}. "
	( cat ${MAIL_MODEL}; $UUENCODE ${CNF_FILE} ${CNF_FILENAME} ) \
	\| $MAILX -aFrom:${MAIL_FROM} -s "${MAIL_SUBJECT}" "${MAIL_TO}"

	# cleanup
	rm -f ${CNF_MODEL}
	rm -f ${CNF_CERT_TMP}
	rm -f ${MAIL_MODEL}

	exit 0