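#!/usr/bin/env bash
# make_ovpn.sh - build a single-file (inline) OpenVPN client profile from an
# easy-rsa PKI.  The operator is prompted for a client name; the resulting
# "<name>.ovpn" (CA cert, client cert, client key and tls-auth key embedded)
# is written under "${CONFIGS}".
#
# Default Variable Declarations.  PKI_PATH and SERVER may be overridden from
# the environment; every other path derives from PKI_PATH.
#
# The starting directory is intentionally not stored in PWD: bash rewrites
# PWD on every cd, so an assignment there is silently undone by the first
# cd in the script and cannot be used to return to the original directory.
PKI_PATH="${PKI_PATH:-/usr/local/etc/pki}"
readonly EXT=".ovpn"
certPath="${PKI_PATH}/issued"
keyPath="${PKI_PATH}/private"
CRT="${certPath}/server.crt" # server certificate; not read by this script, kept for reference
CA="${PKI_PATH}/ca.crt"
TA="${PKI_PATH}/ta.key"      # tls-auth shared secret (key-direction 1 on the client)
CONFIGS="${PKI_PATH}/configs"
DEFAULT="${PKI_PATH}/inline_client.conf"
SERVER="${SERVER:-}" # Enter server domain name/ip (or export SERVER before running)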
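#######################################
# Write the client-side OpenVPN template that every generated .ovpn starts
# with.  The inline <ca>/<cert>/<key>/<tls-auth> sections are appended to a
# copy of this file later by the main script.
# Globals:   DEFAULT (read) - path the template is written to
#            SERVER  (read) - VPN server host name or IP
# Outputs:   creates/overwrites "${DEFAULT}"
# Returns:   0 on success.  Aborts the script if SERVER is empty: an empty
#            host in the "remote" line yields a profile OpenVPN cannot use,
#            and the error would only surface on the client.
#######################################
createInlineConfig() {
  : "${SERVER:?SERVER must be set to the OpenVPN server domain name/IP}"
  # NOTE(review): "cipher AES-256-CBC" and "auth SHA256" must match the
  # server side; on OpenVPN 2.5+ servers data-channel cipher negotiation
  # (data-ciphers) also applies - confirm against the server config.
  # Heredoc content stays at column 0 so the written file is byte-exact.
  cat <<EOF >"${DEFAULT}"
# configures the OpenVPN client mode
client
# specifies that we are using a routed tunnel interface
dev tun
# specifies that we are using the UDP protocol. (TCP is supported as well)
# Both server and client need to match protocol (either UDP or TCP)
proto udp
# specifies the IP address and port of the OpenVPN server. 1194 is the standard port for UDP
remote ${SERVER} 1194
# specifies that the client should keep trying to resolve the server IP indefinitely
resolv-retry infinite
# allows the client to choose any available UDP port
nobind
# persists the key across tunnel restarts
persist-key
# persists the tunnel device across tunnel restarts
persist-tun
key-direction 1
# ensures that the server certificate was signed by a trusted CA (specified in the ca option)
remote-cert-tls server
# specifies the encryption cipher to be used for the VPN connection
cipher AES-256-CBC
# specifies the hash algorithm to be used for HMAC authentication
auth SHA256
# specifies the verbosity level of OpenVPN log output
verb 3
EOF
}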
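# Check for Homebrew - the two tools below are installed through it.
if ! [[ -x "$(command -v brew)" ]]; then
  echo 'Error: Homebrew is not installed.' >&2
  exit 1
fi
# Check for EasyRSA.  A failed install must stop the script, otherwise the
# PKI steps below run against a missing binary.
if ! [[ -x "$(command -v easyrsa)" ]]; then
  echo 'Error: easyrsa is not installed.' >&2
  echo "[LOG]: Installing easyrsa via Homebrew"
  brew install easyrsa || exit 1
fi
# Check for OpenVPN
if ! [[ -x "$(command -v openvpn)" ]]; then
  echo 'Error: openvpn is not installed.' >&2
  echo "[LOG]: Installing openvpn via Homebrew"
  brew install openvpn || exit 1
fi
# Check for PKI_PATH Directory, Initialize if does not exist.
# Every easyrsa step is checked: without a CA and a signed server cert
# there is nothing valid to embed in a client profile.
if [[ ! -d "${PKI_PATH}" ]]; then
  echo "[ERROR]: PKI_PATH Not Initialized!" >&2
  echo "[LOG]: Initializing PKI_PATH"
  easyrsa init-pki || exit 1
  echo "[LOG]: Building CA"
  easyrsa build-ca || exit 1
  echo "[LOG]: Generating DH"
  easyrsa gen-dh || exit 1
  echo "[LOG]: Generating server"
  easyrsa gen-req server || exit 1
  echo "[LOG]: Signing Server"
  easyrsa sign-req server server || exit 1
fi
# Remember the starting directory ourselves: bash rewrites PWD on cd, so a
# copy taken into PWD would be lost.  Refuse to continue if the cd fails,
# otherwise later relative operations would land in the wrong directory.
orig_dir="$(pwd)"
cd "${PKI_PATH}" || { echo "[ERROR]: Cannot change directory to ${PKI_PATH}" >&2; exit 1; }
# Check for inline config file.  The template embeds ${SERVER}; an empty
# value would silently produce an unusable "remote  1194" line.
if [[ ! -f "${DEFAULT}" ]]; then
  echo "[ERROR]: inline_client.conf not found! Creating..." >&2
  if [[ -z "${SERVER}" ]]; then
    echo "[ERROR]: SERVER is empty; set it to the VPN server domain name/IP before generating a config" >&2
    exit 1
  fi
  createInlineConfig || exit 1
fi
# Ask for a Client name.  The name becomes a path component under the PKI
# (issued/, private/, configs/) and an easyrsa request name, so restrict it
# to a safe character set: no separators, no leading dot, no empty value.
echo "Please Enter Client Name:"
read -r NAME
if [[ ! "${NAME}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "[ERROR]: Invalid client name '${NAME}' (use letters, digits, '.', '_' or '-')" >&2
  exit 1
fi
ovpnName="${CONFIGS}/${NAME}"
# 1st Verify that client's Public Key Exists; generate and sign it otherwise.
# "nopass" leaves the client key unencrypted on disk, which is why the
# generated profile is created with restrictive permissions below.
if [[ ! -f "${certPath}/${NAME}.crt" ]]; then
  echo "[ERROR]: Client Public Key Certificate not found: ${certPath}/${NAME}.crt" >&2
  echo "[LOG]: Generating Public Key Certificate for ${NAME}"
  easyrsa gen-req "${NAME}" nopass || exit 1
  easyrsa sign-req client "${NAME}" || exit 1
else
  echo "Client's cert found: ${certPath}/${NAME}.crt"
fi
# Then, verify that there is a private key for that client.  A missing key
# is fatal: continuing would emit a profile with an empty <key> section.
if [[ ! -f "${keyPath}/${NAME}.key" ]]; then
  echo "[ERROR]: Client Private Key not found: ${keyPath}/${NAME}.key" >&2
  exit 1
else
  echo "Client's Private Key found: ${keyPath}/${NAME}.key"
fi
# Confirm the tls-auth ta key file exists.  Use the absolute path so the key
# ends up where ${TA} points regardless of the working directory.
if [[ ! -f "${TA}" ]]; then
  echo "[ERROR]: tls-auth Key not found: ${TA}" >&2
  echo "[LOG]: Generating tls-auth key: ${TA}"
  openvpn --genkey secret "${TA}" || exit 1
else
  echo "tls-auth Private Key found: ${TA}"
fi
# Ready to make a new .ovpn file.  The bundle embeds the client private key
# and the tls-auth key, so it must not be readable by other users: a
# restrictive umask covers the new file (and the configs directory if it is
# created here); the chmod covers a file left behind by an earlier run.
umask 077
mkdir -p -- "${CONFIGS}" || exit 1
ovpnFile="${ovpnName}${EXT}"
{
  # Start by populating with the inline client template
  cat -- "${DEFAULT}"
  # Now, append the CA Public Cert (PEM block only)
  echo "<ca>"
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${CA}"
  echo "</ca>"
  # Next append the client Public Cert (PEM block only)
  echo "<cert>"
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "${certPath}/${NAME}.crt"
  echo "</cert>"
  # Then, append the client Private Key
  echo "<key>"
  cat -- "${keyPath}/${NAME}.key"
  echo "</key>"
  # Finally, append the TA Private Key
  echo "<tls-auth>"
  cat -- "${TA}"
  echo "</tls-auth>"
} >"${ovpnFile}" || exit 1
chmod 600 "${ovpnFile}"
echo "Done! ${ovpnFile} Successfully Created."
cd "${orig_dir}"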
# Original Script written by Eric Jodoin
# Updated 2024-10-13 @wrenchpilot