#!/bin/bash
#
# crea-clientkey.bash
# Create OpenVPN client certificate
# (C) Luca Romano 2021
#
#
#
#
#############################################################################
#
#--> Global variables
#
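# Script name as invoked; used in messages and in the generated .ovpn header.
CNX_PRG_NAME=$0
# Base layout: everything lives under $HOME/openVPN.
CNX_PATH_TO_OVPN=$HOME/openVPN
CNX_PATH_TO_EASYRSA=$CNX_PATH_TO_OVPN/EasyRSA
CNX_PATH_TO_CA=$CNX_PATH_TO_OVPN/ca
CNX_PATH_TO_PKI=$CNX_PATH_TO_OVPN/pki
CNX_PATH_TO_CLIENTKEY=$CNX_PATH_TO_OVPN/clients
# Interactive state filled in by select_cn / confirm.
CNX_CN=""
CNX_YN=""
# Whitespace-separated list of entries under the pki directory, one per VPN
# server; select_vpnserver word-splits it on purpose. The pki directory may
# not exist yet on first run (the preflight check below creates it), so the
# "No such file" noise from ls is deliberately silenced here.
CNX_VPNSERVERLIST=$(ls -- "$CNX_PATH_TO_PKI" 2>/dev/null)
CNX_VPNSERVER=""
CNX_VPNADDRESS=""
# Main loop runs until one client profile has been produced.
CNX_COMPLETED="N"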
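#######################################
# Ask a yes/no question until a single y/Y/n/N answer is given.
# Globals:   CNX_YN (written; holds the accepted answer)
# Arguments: $1 - question text, printed before " (Y/N) ?"
# Outputs:   prompt on stdout, reads the answer from stdin
# Returns:   0
#######################################
function confirm() {
  local question=$1
  CNX_YN=""
  while [[ "$CNX_YN" != [yYnN] ]]; do
    printf '%s (Y/N) ?\n' "$question"
    # -r keeps backslashes literal. On EOF (stdin closed or redirected from
    # an exhausted file) answer "N" instead of re-prompting forever.
    if ! read -r CNX_YN; then
      CNX_YN="N"
    fi
  done
}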
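#######################################
# Print a diagnostic prefixed with the script name and exit with status 1.
# Globals:   CNX_PRG_NAME (read)
# Arguments: $1 - message
# Outputs:   "<script>: <message>" on stderr (diagnostics do not belong in
#            stdout, which a caller may be capturing)
# Returns:   never; exits 1
#######################################
function quit() {
  printf '%s: %s\n' "$CNX_PRG_NAME" "$1" >&2
  exit 1
}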
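#######################################
# Let the user pick a VPN server from CNX_VPNSERVERLIST (plus "Quit").
# Globals:   CNX_VPNSERVERLIST (read, word-split on purpose)
#            CNX_VPNSERVER (written; chosen entry or "Quit")
# Outputs:   menu on stderr (select's PS3), "Invalid choice" on stdout
# Returns:   0
#######################################
function select_vpnserver() {
  local server
  CNX_VPNSERVER=""
  while [[ -z "$CNX_VPNSERVER" ]]; do
    # shellcheck disable=SC2086 -- the list is a whitespace-separated string by design
    select server in $CNX_VPNSERVERLIST Quit; do
      if [[ -n "$server" ]]; then
        CNX_VPNSERVER=$server
        break
      fi
      echo "Invalid choice"
    done
    # If select ended without a choice, stdin hit EOF; treat that as "Quit"
    # so the outer loop cannot spin forever on a closed input.
    if [[ -z "$CNX_VPNSERVER" ]]; then
      CNX_VPNSERVER="Quit"
    fi
  done
}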
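#######################################
# Ask for the remote address of the chosen server; empty input accepts the
# default "<server>.connexx.it".
# Globals:   CNX_VPNSERVER (read)
#            CNX_VPNADDRESS (written)
# Outputs:   prompt on stdout, reads the answer from stdin
# Returns:   0
#######################################
function select_vpnaddress() {
  local default_address="$CNX_VPNSERVER.connexx.it"
  echo "Select remote address for server -> $CNX_VPNSERVER or hit return to accept $default_address"
  # -r keeps backslashes literal; a failed read (EOF) leaves the variable
  # empty or partial, and an empty answer falls through to the default.
  read -r CNX_VPNADDRESS
  if [[ -z "$CNX_VPNADDRESS" ]]; then
    CNX_VPNADDRESS=$default_address
  fi
}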
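#######################################
# Ask for the client's common name (CN); "q"/"Q" lets the caller quit.
# The CN is later used as a directory name under the clients folder and as
# an easyrsa argument, so only a conservative character set is accepted:
# it must start with a letter or digit and contain only [A-Za-z0-9._-].
# This also rules out "." and ".." and anything with a path separator.
# Globals:   CNX_CN (written; validated CN, or "q" on EOF)
# Outputs:   prompt and validation messages on stdout, reads from stdin
# Returns:   0
#######################################
function select_cn() {
  CNX_CN=""
  while [[ -z "$CNX_CN" ]]; do
    echo "Please enter the common name (CN) for this client; q to quit"
    # EOF on stdin: behave as if the user asked to quit instead of looping.
    if ! read -r CNX_CN; then
      CNX_CN="q"
      break
    fi
    if [[ -n "$CNX_CN" && ! "$CNX_CN" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
      echo "Invalid CN '$CNX_CN': use only letters, digits, '.', '_' and '-' (must start with a letter or digit)"
      CNX_CN=""
    fi
  done
}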
#
#--> Message start
#
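echo "---- $CNX_PRG_NAME: Create certificate and key for OpenVPN CLIENT ----"
#
#--> MAIN part of script: preflight checks
#
# EasyRSA is required and is never installed automatically; explain how.
if [[ ! -d "$CNX_PATH_TO_EASYRSA" ]]; then
  echo "Directory $CNX_PATH_TO_EASYRSA does NOT exist!"
  echo "Please download EasyRSA by doing:"
  echo
  echo "wget -P ~/ https://github.com/OpenVPN/easy-rsa/releases/download/v<Latest version>/EasyRSA-<Latest version>.tgz"
  echo "Execute tar xvf EasyRSA<Latest version>.tgz in your HOME folder ($HOME)"
  echo "Execute ln -s EasyRSA<Latest version>.tgz EasyRSA"
  echo
  echo "Substitute latest version with the correct value (i.e. 3.0.8)"
  echo "Install EasyRSA and restart this script"
  echo
  quit "missing EasyRSA software, exiting..."
fi
# The pki tree holds CA and server private material: owner-only from the start.
if [[ ! -d "$CNX_PATH_TO_PKI" ]]; then
  echo "Directory $CNX_PATH_TO_PKI does NOT exist; creating..."
  mkdir -m 700 -- "$CNX_PATH_TO_PKI" || quit "cannot create $CNX_PATH_TO_PKI"
fi
# Client keys and profiles land here; same owner-only policy.
if [[ ! -d "$CNX_PATH_TO_CLIENTKEY" ]]; then
  echo "Directory $CNX_PATH_TO_CLIENTKEY does NOT exist; creating..."
  mkdir -m 700 -- "$CNX_PATH_TO_CLIENTKEY" || quit "cannot create $CNX_PATH_TO_CLIENTKEY"
fi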
#
#--> LOOP until completed
#
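while [[ "$CNX_COMPLETED" == "N" ]]; do
  select_vpnserver
  if [[ "$CNX_VPNSERVER" == "Quit" ]]; then
    quit "exiting upon user request..."
  fi
  select_vpnaddress
  select_cn
  if [[ "$CNX_CN" == "q" || "$CNX_CN" == "Q" ]]; then
    quit "exiting upon user request..."
  fi
  confirm "Generating CLIENT certificate and key with Common Name (CN) -> $CNX_CN to access VPN server -> $CNX_VPNSERVER"
  if [[ "$CNX_YN" == "n" || "$CNX_YN" == "N" ]]; then
    continue
  fi
  # Output folder: <clients>/<server>VPN/<CN>
  CNX_OUTPUT_CLIENT_PATH=$CNX_PATH_TO_CLIENTKEY/${CNX_VPNSERVER}VPN/$CNX_CN
  if [[ ! -d "$CNX_OUTPUT_CLIENT_PATH" ]]; then
    echo "Directory $CNX_OUTPUT_CLIENT_PATH does NOT exist; creating..."
    mkdir -p -- "$CNX_OUTPUT_CLIENT_PATH" || quit "cannot create $CNX_OUTPUT_CLIENT_PATH"
    chmod 700 -- "$CNX_OUTPUT_CLIENT_PATH"
  fi
  CNX_PATH_TO_PKI_CA=$CNX_PATH_TO_PKI/$CNX_VPNSERVER/ca
  CNX_PATH_TO_PKI_SERVER=$CNX_PATH_TO_PKI/$CNX_VPNSERVER/server
  # Fail before any key material is generated if the profile template is missing.
  CNX_CLIENT_TEMPLATE=$CNX_PATH_TO_CLIENTKEY/client.conf
  [[ -f "$CNX_CLIENT_TEMPLATE" ]] || quit "missing client template $CNX_CLIENT_TEMPLATE"
  cd -- "$CNX_PATH_TO_EASYRSA" || quit "cannot cd to $CNX_PATH_TO_EASYRSA"
  #
  #--> Client part
  #
  # Every easyrsa step is checked: continuing after a failed step would
  # produce a profile with missing or stale files.
  ./easyrsa --pki-dir="$CNX_PATH_TO_PKI_CA" gen-req "$CNX_CN" nopass \
    || quit "gen-req failed for $CNX_CN"
  # NOTE(review): gen-req runs against $CNX_PATH_TO_PKI_CA but the request is
  # taken from $CNX_PATH_TO_PKI_SERVER/reqs -- confirm this matches the
  # EasyRSA vars in use before changing either path.
  # The request is staged in a private mktemp directory rather than a
  # predictable /tmp/<CN>.req, so another local user cannot pre-create or
  # swap the file between the mv and the import-req that reads it back.
  CNX_REQ_TMP=$(mktemp -d) || quit "mktemp failed"
  mv -- "$CNX_PATH_TO_PKI_SERVER/reqs/$CNX_CN.req" "$CNX_REQ_TMP/" \
    || quit "request $CNX_CN.req not found under $CNX_PATH_TO_PKI_SERVER/reqs"
  ./easyrsa --pki-dir="$CNX_PATH_TO_PKI_CA" import-req "$CNX_REQ_TMP/$CNX_CN.req" "$CNX_CN" \
    || quit "import-req failed for $CNX_CN"
  rm -rf -- "${CNX_REQ_TMP:?}"
  ./easyrsa --pki-dir="$CNX_PATH_TO_PKI_CA" sign-req client "$CNX_CN" \
    || quit "sign-req failed for $CNX_CN"
  cp -- "$CNX_PATH_TO_PKI_CA/private/$CNX_CN.key" "$CNX_OUTPUT_CLIENT_PATH/" \
    || quit "cannot copy private key for $CNX_CN"
  cp -- "$CNX_PATH_TO_PKI_CA/issued/$CNX_CN.crt" "$CNX_OUTPUT_CLIENT_PATH/" \
    || quit "cannot copy certificate for $CNX_CN"
  # The copied key is private material: owner read/write only.
  chmod 600 -- "$CNX_OUTPUT_CLIENT_PATH/$CNX_CN.key"
  CNX_OVPN=$CNX_OUTPUT_CLIENT_PATH/$CNX_CN.ovpn
  echo "Creating $CNX_OVPN file..."
  # The address becomes a sed replacement; escape what sed would interpret
  # there (backslash, '&', and the '|' used as delimiter) so it is inserted
  # literally.
  CNX_SED_ADDR=${CNX_VPNADDRESS//\\/\\\\}
  CNX_SED_ADDR=${CNX_SED_ADDR//&/\\&}
  CNX_SED_ADDR=${CNX_SED_ADDR//|/\\|}
  # Assemble the inline profile in one redirected group (single open of the
  # target file instead of one per line).
  {
    echo "#"
    echo "# Filename: $(basename -- "$CNX_OVPN")"
    echo "# Automatically generated by script: $(basename -- "$CNX_PRG_NAME")"
    echo "# Date: $(date)"
    echo "#"
    sed "s|my-server-1|$CNX_SED_ADDR|g" "$CNX_CLIENT_TEMPLATE"
    echo "<ca>"
    cat -- "$CNX_PATH_TO_PKI_CA/ca.crt"
    echo "</ca>"
    echo "<cert>"
    cat -- "$CNX_OUTPUT_CLIENT_PATH/$CNX_CN.crt"
    echo "</cert>"
    echo "<key>"
    cat -- "$CNX_OUTPUT_CLIENT_PATH/$CNX_CN.key"
    echo "</key>"
    echo "<tls-auth>"
    cat -- "$CNX_PATH_TO_PKI_SERVER/ta.key"
    echo "</tls-auth>"
  } > "$CNX_OVPN"
  # The profile embeds the private key and the tls-auth key: owner-only.
  chmod 600 -- "$CNX_OVPN"
  echo "Client configuration for '$CNX_CN' connecting to VPN server -> $CNX_VPNSERVER finished"
  echo "Files are located in $CNX_OUTPUT_CLIENT_PATH"
  echo "Use $(basename -- "$CNX_OVPN") in your client openVPN"
  CNX_COMPLETED="Y"
done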