|
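#!/bin/bash

# Original Script written by Eric Jodoin
# Update by Eric Maasdorp 2017-12-16
# Update for easyrsa3 by Holger Smolinski 2020-04-16
#
# Builds an inline OpenVPN client config (<name>.ovpn) in the current
# directory: generates and signs the client request with easy-rsa 3, then
# bundles the CA cert, client cert, client key and tls-auth key into the
# client template.
#
# Environment (all optional):
#   REQ_CN            client name; prompted for when empty
#   OPENVPN           OpenVPN config dir (default /etc/openvpn)
#   OPENVPN_TEMPLATE  client template (default $OPENVPN/openvpn.client.template)
#   EASY_RSA          easy-rsa 3 dir (default $OPENVPN/easy-rsa)

# Only used to show the user where the .ovpn will land.
wd=$(pwd)

# Ask for a client name.  The name becomes part of file paths and is passed
# to easyrsa as an argument, so reject values that could leave the PKI
# directory or be parsed as an option.  EOF on stdin aborts instead of
# looping forever on an empty name.
name=${REQ_CN:-}
while [ -z "${name}" ]; do
  read -r -p "Please enter the client name (Ctrl-C to exit): " name || exit 1
done
case "${name}" in
  */*|-*|.|..)
    printf '%s\n' "[ERROR]: invalid client name: ${name}" >&2
    exit 1
    ;;
esac
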
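# Where OpenVPN lives and where the client template is; both can be
# overridden from the environment.
openvpn=${OPENVPN:-/etc/openvpn}
ovpnTemplate=${OPENVPN_TEMPLATE:-${openvpn}/openvpn.client.template}

# easy-rsa 3 directory holding the easyrsa script and its vars file.
EASY_RSA_DIR=${EASY_RSA:-${openvpn}/easy-rsa}
# Exported so child processes started later can see it.  Note that the
# $( ) subshell used below would inherit it even without the export;
# export only matters for separately executed programs.
export EASY_RSA_DIR

# File-name pieces used to assemble the PKI and output paths.
fileext=".ovpn"
crt=".crt"
key=".key"
caCertFile="ca${crt}"
tlsAuthKeyFile="ta${key}"
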
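# Resolve the PKI directory the same way easyrsa does: source the easy-rsa
# "vars" file in a throw-away subshell and read EASYRSA_PKI back from it.
# Nothing vars sets leaks into this script's environment.
if [ ! -r "${EASY_RSA_DIR}/vars" ]; then
  printf '%s\n' "[ERROR]: easy-rsa vars file not found or not readable: ${EASY_RSA_DIR}/vars" >&2
  exit 1
fi

pkipath=$(
  set +x  # keep a possible `bash -x` trace quiet while vars is evaluated

  # vars calls set_var; this mirrors easyrsa's own definition: assign the
  # given default only when the variable is not already set in the
  # environment.  The eval operates on names and values taken from vars,
  # which `source` below is executing anyway, so it adds no new trust
  # boundary — but vars must stay admin-owned and not world-writable.
  set_var() {
    local var=$1
    shift
    local value="$*"
    eval "export $var=\"\${${var}-${value}}\""
  } #=> set_var()

  # vars refuses to be sourced unless EASYRSA_CALLER is set.  A failed
  # source leaves pkipath empty, which the check below turns into an error.
  EASYRSA_CALLER=1 source "${EASY_RSA_DIR}/vars" || exit 1

  printf '%s\n' "${EASYRSA_PKI-}"
)

if [ -z "${pkipath}" ]; then
  printf '%s\n' "[ERROR]: EASYRSA_PKI is not set; set it in ${EASY_RSA_DIR}/vars or in the environment" >&2
  exit 1
fi
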
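# Build every path from the client name and the PKI location.
ovpnFile=${name}${fileext}
capath=${pkipath}/${caCertFile}
crtpath=${pkipath}/issued/${name}${crt}
keypath=${pkipath}/private/${name}${key}
tapath=${openvpn}/${tlsAuthKeyFile}

# Ask once.  Anything other than a literal "y" — an empty answer, another
# letter, or EOF on stdin — aborts with a non-zero status, which is what
# the previous loop did implicitly (its `exit` carried the failed test's
# status).
read -r -p "Creating ovpn inline config file ${wd}/${ovpnFile} for ${name} using PKI ${pkipath} (y/N)" yesno || exit 1
[ "${yesno}" = "y" ] || exit 1
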
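# Here's the beef...
# Generate the client key and request, then sign it with the CA.  Runs in
# a subshell so the command trace and the exported request CN stay local
# to this step.  easyrsa's exit status is deliberately not fatal (it was
# ignored before too): the readability checks that follow decide whether
# usable material exists in the PKI.
(
  set -x
  # A plain assignment never reaches the easyrsa child process; it has to
  # be exported to have any effect.
  export EASYRSA_REQ_CN="${name}" # required for batch mode
  "${EASY_RSA_DIR}/easyrsa" --batch gen-req "${name}" nopass
  "${EASY_RSA_DIR}/easyrsa" --batch sign-req client "${name}"
) || printf '%s\n' "[WARN]: easyrsa reported an error for ${name}; checking for existing PKI material" >&2
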
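# Every input the inline config needs must exist and be readable.  Each
# missing piece is a hard error: message on stderr and a non-zero exit, so
# a wrapper cannot mistake a partial run for success (the previous bare
# `exit` after echo returned 0).

# Confirm the CA public key exists
if [[ ! -r "${capath}" ]]; then
  printf '%s\n' "[ERROR]: CA's Public Key not found or not readable: ${capath}" >&2
  exit 1
fi
printf '%s\n' "CA's public Key found: ${capath}"

# 1st verify that the client's public key certificate exists
if [[ ! -r "${crtpath}" ]]; then
  printf '%s\n' "[ERROR]: Client's Public Key Certificate not found or not readable: ${crtpath}" >&2
  exit 1
fi
printf '%s\n' "Client's cert found: ${crtpath}"

# Then, verify that there is a private key for that client
if [[ ! -r "${keypath}" ]]; then
  printf '%s\n' "[ERROR]: Client's Private Key not found or not readable: ${keypath}" >&2
  exit 1
fi
printf '%s\n' "Client's Private Key found: ${keypath}"

# Confirm the tls-auth ta key file exists.  A key that exists but cannot be
# read is typically a permissions problem, so show the file mode and the
# current user to make that obvious.
if [[ ! -r "${tapath}" ]]; then
  if [[ -f "${tapath}" ]]; then
    printf '%s\n' "tls-auth Key exists but is not readable: ${tapath}" >&2
    printf 'File mode : %s\n' "$(ls -l -- "${tapath}")" >&2
    printf 'Current user : %s\n' "$(id)" >&2
  else
    printf '%s\n' "[ERROR]: tls-auth Key not found or not readable: ${tapath}" >&2
  fi
  exit 1
fi
printf '%s\n' "tls-auth Private Key found: ${tapath}"
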
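# Ready to make a new .ovpn file - start from the client template, then
# append the CA cert, client cert, client key and tls-auth key as inline
# <tag> blocks.  The result embeds two private keys, so it is created
# owner-only (0600) instead of inheriting the ambient umask.
if [[ ! -r "${ovpnTemplate}" ]]; then
  printf '%s\n' "[ERROR]: OpenVPN client template not found or not readable: ${ovpnTemplate}" >&2
  exit 1
fi

umask 077
cat < "${ovpnTemplate}" > "${ovpnFile}" || exit 1
chmod 600 -- "${ovpnFile}"  # covers a pre-existing file, which umask would not touch

#######################################
# Append one inline section to the .ovpn file.
# Arguments: $1 - tag name (ca, cert, key, tls-auth)
#            $2 - source file
#            $3 - "pem" to copy only the lines between the
#                 -BEGIN CERTIFICATE- and -END CERTIFICATE- markers,
#                 leaving out anything else the source file contains
# Globals:   ovpnFile (appended to)
#######################################
append_section() {
  local tag=$1 src=$2 mode=${3-}
  {
    printf '<%s>\n' "${tag}"
    if [[ "${mode}" == "pem" ]]; then
      sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' < "${src}"
    else
      cat < "${src}"
    fi
    printf '</%s>\n' "${tag}"
  } >> "${ovpnFile}"
}

# Now, append the CA public cert
append_section ca "${capath}" pem
# Next append the client public cert
append_section cert "${crtpath}" pem
# Then, append the client private key
append_section key "${keypath}"
# Finally, append the TA private key
append_section tls-auth "${tapath}"

printf '%s\n' "Done! $ovpnFile Successfully Created."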