vbatts · March 9, 2022 12:00
diff --git a/gateway-prep.sh b/gateway-prep.sh
 #!/bin/bash

 set -eu

 conf_zip=""
 if [ -f kv0.zip ] ; then
  conf_zip="kv0.zip"
 fi
 if [ -f kv1.zip ] ; then
  conf_zip="kv1.zip"
 fi
 if [ $# -gt 0 ] ; then
  conf_zip="$1"
 fi
 if [ -z "${conf_zip}" ] ; then
  echo "[error] download the vpn client config zip archive first"
  exit 1
 fi
 conf_zip="$(realpath ${conf_zip})"
 dir="$(basename ${conf_zip} .zip)"

 echo "working with: $conf_zip"

 if [ ! -d "${dir}" ] ; then
  mkdir -vp "${dir}"  
  cd "${dir}"
  unzip "${conf_zip}" ||:
 else
  cd "${dir}"
 fi
 if [ ! -f "gen-client-cert.sh" ] ; then
  curl -OsSL https://gist.githubusercontent.com/vbatts/7d9e514f60e669e74dba73220291c1af/raw/gen-client-cert.sh
 fi
 echo "\n"

 cert_dir="$HOME/.cert/azure-gateway-${dir}"
 mkdir -p "${cert_dir}"
 umask 077
 if [ ! -f temp/clientCert.pem ] && [ ! -f "${cert_dir}/rootCert.pem" ] ; then
  bash gen-client-cert.sh 
 fi
 if [ ! -f "${cert_dir}/VpnServerRoot.cer" ] ; then
  cat Generic/VpnServerRoot.cer > "${cert_dir}/VpnServerRoot.cer"
 fi
 if [ ! -f "${cert_dir}/clientCert.pem" ] ; then
  cat temp/clientCert.pem > "${cert_dir}/clientCert.pem"
 fi
 if [ ! -f "${cert_dir}/clientKey.pem" ] ; then
  cat temp/clientKey.pem > "${cert_dir}/clientKey.pem"
 fi
 if [ ! -f "${cert_dir}/rootCert.pem" ] ; then
  cat temp/rootCert.pem > "${cert_dir}/rootCert.pem"
 fi
 echo "your root certificate data: "
 openssl x509 -in "${cert_dir}/rootCert.pem" -outform der | base64 -w0 ; echo

 echo "\n"

 gw_addr="$(grep VpnServer Generic/VpnSettings.xml | sed -e 's|^.*>\(.*\)<.*$|\1|')"

 ## print out IKE details
 echo "once you've installed the IPsec/IKEv2 (Strongswan) packages ..."
 echo "  (apt install strongswan strongswan-pki libstrongswan-extra-plugins curl libxml2-utils cifs-utils unzip network-manager-strongswan)"
 echo "use network-manager to + configure a new 'IPsec/IKEv2 (Strongswan)' VPN connection"
 echo "Name:                  Azure ${dir} (IKEv2)"
 echo "Address:               ${gw_addr}"
 echo "Gateway Certificate:   $(realpath ${cert_dir}/VpnServerRoot.cer)"
 echo "Client Certificate:    $(realpath ${cert_dir}/clientCert.pem)"
 echo "Client Key:            $(realpath ${cert_dir}/clientKey.pem)"
 echo "[x] Request an inner IP address"
 echo "[x] Enable custom proposals"
 echo "IKE:                   aes256gcm16-sha384-ecp384"
 echo "ESP:                   aes256gcm16-aes256gmac"
 echo ".. lastly, from the 'IPv4' tab, select [x] Use this connection only for resources on its network"

 echo "\n"
 # insert the generated client cert/key into the downloaded config
 sed -i '/\$CLIENTCERTIFICATE/{
 r temp/clientCert.pem
 d
 }
 /\$PRIVATEKEY/{
 r temp/clientKey.pem
 d
 }' ./OpenVPN/vpnconfig.ovpn
 ## print out OpenVPN details
 echo "once you've installed the OpenVPN packages ..."
 echo "  (apt install network-manager-openvpn)"
 echo "use network-manager to + 'Import from file...'"
 echo "file:                  $(realpath OpenVPN/vpnconfig.ovpn)"
 echo "Name:                  Azure ${dir} (OpenVPN)"
 echo ".. lastly, from the 'IPv4' tab, select [x] Use this connection only for resources on its network"

 echo "\n"
 echo "about to open network setting for you ..."
 sleep 2
 if [ "$(command -v gnome-control-center)" != "" ] ; then
  gnome-control-center network ||:
 fi

 # vim:set sts=2 sw=2 et:
diff --git a/gen-client-cert.sh b/gen-client-cert.sh
 #!/bin/bash

 ## adapted from https://docs.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-linux#create-certificates-for-vpn-authentication

 rootCertName="P2SRootCert"
 username="client"
 password="1234"

 mkdir temp
 cd temp

 umask 077

 ipsec pki --gen --outform pem > rootKey.pem
 ipsec pki --self --in rootKey.pem --dn "CN=$rootCertName" --ca --outform pem > rootCert.pem

 #openssl x509 -in rootCert.pem -outform der | base64 -w0 ; echo

 ipsec pki --gen --size 4096 --outform pem > "clientKey.pem"
 ipsec pki --pub --in "clientKey.pem" | \
    ipsec pki \
        --issue \
        --cacert rootCert.pem \
        --cakey rootKey.pem \
        --dn "CN=$username" \
        --san $username \
        --flag clientAuth \
        --outform pem > "clientCert.pem"

 openssl pkcs12 -in "clientCert.pem" -inkey "clientKey.pem" -certfile rootCert.pem -export -out "client.p12" -password "pass:$password"
	#!/bin/bash

	set -eu

	conf_zip=""
	if [ -f kv0.zip ] ; then
	conf_zip="kv0.zip"
	fi
	if [ -f kv1.zip ] ; then
	conf_zip="kv1.zip"
	fi
	if [ $# -gt 0 ] ; then
	conf_zip="$1"
	fi
	if [ -z "${conf_zip}" ] ; then
	echo "[error] download the vpn client config zip archive first"
	exit 1
	fi
	conf_zip="$(realpath ${conf_zip})"
	dir="$(basename ${conf_zip} .zip)"

	echo "working with: $conf_zip"

	if [ ! -d "${dir}" ] ; then
	mkdir -vp "${dir}"
	cd "${dir}"
	unzip "${conf_zip}" \|\|:
	else
	cd "${dir}"
	fi
	if [ ! -f "gen-client-cert.sh" ] ; then
	curl -OsSL https://gist.githubusercontent.com/vbatts/7d9e514f60e669e74dba73220291c1af/raw/gen-client-cert.sh
	fi
	echo "\n"

	cert_dir="$HOME/.cert/azure-gateway-${dir}"
	mkdir -p "${cert_dir}"
	umask 077
	if [ ! -f temp/clientCert.pem ] && [ ! -f "${cert_dir}/rootCert.pem" ] ; then
	bash gen-client-cert.sh
	fi
	if [ ! -f "${cert_dir}/VpnServerRoot.cer" ] ; then
	cat Generic/VpnServerRoot.cer > "${cert_dir}/VpnServerRoot.cer"
	fi
	if [ ! -f "${cert_dir}/clientCert.pem" ] ; then
	cat temp/clientCert.pem > "${cert_dir}/clientCert.pem"
	fi
	if [ ! -f "${cert_dir}/clientKey.pem" ] ; then
	cat temp/clientKey.pem > "${cert_dir}/clientKey.pem"
	fi
	if [ ! -f "${cert_dir}/rootCert.pem" ] ; then
	cat temp/rootCert.pem > "${cert_dir}/rootCert.pem"
	fi
	echo "your root certificate data: "
	openssl x509 -in "${cert_dir}/rootCert.pem" -outform der \| base64 -w0 ; echo

	echo "\n"

	gw_addr="$(grep VpnServer Generic/VpnSettings.xml \| sed -e 's\|^.>\(.\)<.*$\|\1\|')"

	## print out IKE details
	echo "once you've installed the IPsec/IKEv2 (Strongswan) packages ..."
	echo " (apt install strongswan strongswan-pki libstrongswan-extra-plugins curl libxml2-utils cifs-utils unzip network-manager-strongswan)"
	echo "use network-manager to + configure a new 'IPsec/IKEv2 (Strongswan)' VPN connection"
	echo "Name: Azure ${dir} (IKEv2)"
	echo "Address: ${gw_addr}"
	echo "Gateway Certificate: $(realpath ${cert_dir}/VpnServerRoot.cer)"
	echo "Client Certificate: $(realpath ${cert_dir}/clientCert.pem)"
	echo "Client Key: $(realpath ${cert_dir}/clientKey.pem)"
	echo "[x] Request an inner IP address"
	echo "[x] Enable custom proposals"
	echo "IKE: aes256gcm16-sha384-ecp384"
	echo "ESP: aes256gcm16-aes256gmac"
	echo ".. lastly, from the 'IPv4' tab, select [x] Use this connection only for resources on its network"

	echo "\n"
	# insert the generated client cert/key into the downloaded config
	sed -i '/\$CLIENTCERTIFICATE/{
	r temp/clientCert.pem
	d
	}
	/\$PRIVATEKEY/{
	r temp/clientKey.pem
	d
	}' ./OpenVPN/vpnconfig.ovpn
	## print out OpenVPN details
	echo "once you've installed the OpenVPN packages ..."
	echo " (apt install network-manager-openvpn)"
	echo "use network-manager to + 'Import from file...'"
	echo "file: $(realpath OpenVPN/vpnconfig.ovpn)"
	echo "Name: Azure ${dir} (OpenVPN)"
	echo ".. lastly, from the 'IPv4' tab, select [x] Use this connection only for resources on its network"

	echo "\n"
	echo "about to open network setting for you ..."
	sleep 2
	if [ "$(command -v gnome-control-center)" != "" ] ; then
	gnome-control-center network \|\|:
	fi

	# vim:set sts=2 sw=2 et:
	#!/bin/bash

	## adapted from https://docs.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-linux#create-certificates-for-vpn-authentication

	rootCertName="P2SRootCert"
	username="client"
	password="1234"

	mkdir temp
	cd temp

	umask 077

	ipsec pki --gen --outform pem > rootKey.pem
	ipsec pki --self --in rootKey.pem --dn "CN=$rootCertName" --ca --outform pem > rootCert.pem

	#openssl x509 -in rootCert.pem -outform der \| base64 -w0 ; echo

	ipsec pki --gen --size 4096 --outform pem > "clientKey.pem"
	ipsec pki --pub --in "clientKey.pem" \| \
	ipsec pki \
	--issue \
	--cacert rootCert.pem \
	--cakey rootKey.pem \
	--dn "CN=$username" \
	--san $username \
	--flag clientAuth \
	--outform pem > "clientCert.pem"

	openssl pkcs12 -in "clientCert.pem" -inkey "clientKey.pem" -certfile rootCert.pem -export -out "client.p12" -password "pass:$password"