Create an Azure VPN Client Cert and Private Key Pair and Output an OpenVPN Config File
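#!/bin/bash
# File: create_azure_vpn_client_cert.sh
# Author: David Frazer
# Date: 12/13/2022
#
# Issues a client certificate and private key for one Azure VPN user from an
# existing CA, downloads the gateway's VPN client configuration package,
# embeds the certificate and key into the OpenVPN profile and wraps that
# profile in a password-protected zip.
#
# NOTE: This script expects a CA root cert and CA root key to exist at the following paths:
# "${ORGNAME}_cacert.pem"
# "${ORGNAME}_cakey.pem"
#
# Outputs (current directory; all created owner-readable only via umask):
#   "${USERNAME}_vpn_key.pem"          private key (PEM)
#   "${USERNAME}_vpn_cert.pem"         client certificate (PEM)
#   "${USERNAME}.p12"                  PFX, only when CREATE_PFX=1
#   "${USERNAME}_vpn_export_pass.txt"  export password used for the PFX and the zip
#   "${USERNAME}_vpnconfig.zip"        password-protected zip of vpnconfig.ovpn
set -euo pipefail

# Every file written below holds either key material or the password that
# protects it, so create them 0600 regardless of the caller's umask.
umask 077

# OPTIONAL: Set this to 1 to create a PFX for the user
CREATE_PFX=0
AZCLOUD="AzureCloud" # AzureCloud, AzureChinaCloud, AzureUSGovernment, AzureGermanCloud
AZTENANTID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
ORGNAME="org"
VPNRESOURCEGROUP="rg-org"

# Print a message to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Fail before any key is generated if a required tool or CA file is missing.
for tool in openssl ipsec az curl unzip zip sed; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done
[[ -r "${ORGNAME}_cacert.pem" ]] || die "CA cert not found: ${ORGNAME}_cacert.pem"
[[ -r "${ORGNAME}_cakey.pem" ]] || die "CA key not found: ${ORGNAME}_cakey.pem"

# Generate a pseudo-random base64 string for the export password
PASSWORD=$(openssl rand -base64 25)

# Retrieve the username for this certificate
echo "What's the username for this user?"
read -r USERNAME
# USERNAME is used both in output file names and in the certificate DN/SAN, so
# reject values that would escape either: empty, path separators, whitespace,
# or the RDN separator ','.
[[ -n "$USERNAME" ]] || die "username must not be empty"
[[ "$USERNAME" != *[/,[:space:]]* ]] || die "username must not contain '/', ',' or whitespace"

# Generate a private key, then issue the client cert from the CA cert
echo "Generating private key and issuing the client cert from the CA cert"
ipsec pki --gen --outform pem > "${USERNAME}_vpn_key.pem"
ipsec pki --pub --in "${USERNAME}_vpn_key.pem" \
  | ipsec pki --issue --cacert "${ORGNAME}_cacert.pem" --cakey "${ORGNAME}_cakey.pem" \
      --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem \
  > "${USERNAME}_vpn_cert.pem"

# Write the export password file before the PFX step so openssl can read the
# password from the file instead of receiving it on the command line, where
# it would be visible to other local users via the process list.
echo "Creating the export password file"
printf '%s\n' "$PASSWORD" > "${USERNAME}_vpn_export_pass.txt"

# OPTIONAL: Generate a PFX with the public cert, private key, and export password generated above
# This is only necessary if the certificate and key need to be shared separately
# Set CREATE_PFX to 1 at the top of this script to create the PFX
if [[ "$CREATE_PFX" -eq 1 ]]; then
  echo "Creating a PFX"
  openssl pkcs12 -export -in "${USERNAME}_vpn_cert.pem" -inkey "${USERNAME}_vpn_key.pem" \
    -certfile "${ORGNAME}_cacert.pem" -out "${USERNAME}.p12" \
    -password "file:${USERNAME}_vpn_export_pass.txt"
fi

echo "Ensuring we're logged in to Azure"
# -o tsv prints the bare value, so no quote stripping is needed.
AZCLOUD_SETTING=$(az cloud show --query "name" -o tsv)
if [[ "$AZCLOUD" != "$AZCLOUD_SETTING" ]]; then
  # Switch the CLI to the desired Azure Cloud environment
  az cloud set --name "$AZCLOUD"
fi
# 'az account show' exits non-zero when there is no session at all; treat that
# as "not logged in" instead of aborting under set -e.
AZTENANTID_SETTING=$(az account show --query "homeTenantId" -o tsv 2>/dev/null || true)
if [[ "$AZTENANTID" != "$AZTENANTID_SETTING" ]]; then
  # Not logged in, or logged in to a different tenant: sign in to the expected one
  az login --tenant "$AZTENANTID"
fi

echo "Generating the vpn client configuration files"
# The generate command returns the download URL of the configuration package.
VPNCONFIG_URL=$(az network vnet-gateway vpn-client generate -g "${VPNRESOURCEGROUP}" \
  -n "GatewaySubnet" --authentication-method EAPTLS -o tsv)
[[ -n "$VPNCONFIG_URL" ]] || die "az did not return a vpn client configuration URL"
curl --fail --silent --show-error --output vpnclientconfiguration.zip -- "$VPNCONFIG_URL"

echo "Unpacking the generated vpn client configuration files"
unzip -o vpnclientconfiguration.zip -d vpnclientconfiguration
cp vpnclientconfiguration/OpenVPN/vpnconfig.ovpn .

echo "Inserting the client certificate and private key into the OpenVPN config file"
# For each placeholder line: queue the PEM file to be appended after it ('r'),
# then delete the placeholder itself ('d'); the queued read is still flushed at
# the end of the cycle. The last expression strips CRLF endings from the
# downloaded template. One pass over the file is enough.
sed -i \
  -e "/\$CLIENTCERTIFICATE/r ${USERNAME}_vpn_cert.pem" -e "/\$CLIENTCERTIFICATE/d" \
  -e "/\$PRIVATEKEY/r ${USERNAME}_vpn_key.pem" -e "/\$PRIVATEKEY/d" \
  -e 's/\r$//' vpnconfig.ovpn

echo "Password protecting a zip of the OpenVPN config file with the export password"
# zip offers no file/stdin option for the password, so it is taken from the
# variable already in memory rather than re-read from disk; it is briefly
# visible in the process list for the duration of the zip call either way.
zip --password "$PASSWORD" "${USERNAME}_vpnconfig.zip" vpnconfig.ovpn
echo "Done"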