Create openvpn user in Ubuntu server (include OTP)
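# Check user exist
# Refuses to continue when a local account with this name already exists,
# because the script later runs `useradd` for the same name.
# Arguments: $1 - candidate client / account name
# Outputs:   one status line on stdout (kept on stdout for compatibility)
# Exits:     1 when the account exists; otherwise returns 0
# Fix: the name is now quoted. Unquoted, an empty or space-containing $1
# turned `getent passwd $1` into a dump of the whole passwd database
# (always "exists") or a multi-key lookup.
checkUser() {
  local name=$1
  if getent passwd "$name" > /dev/null 2>&1; then
    echo "The user $name exists in the system (not sure about VPN user)"
    exit 1
  fi
  echo "The user is available for VPN config creation!"
}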
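# Check for parameters
# The client name is operator input that is later spliced into filesystem
# paths (/etc/openvpn/clients/<name>, /home/<name>), passed to easy-rsa,
# useradd, usermod and su, and used as a zip file name. Restrict it to a
# conservative account-name shape before any of that happens: lowercase
# start, then [a-z0-9_-], at most 32 characters. This rules out "/", "..",
# whitespace, a leading "-" (option injection) and embedded newlines.
# [[ =~ ]] is used rather than `grep`, so ^/$ anchor the whole string and
# a name with an embedded newline cannot match on its first line only.
NAME_RE='^[a-z_][a-z0-9_-]{0,31}$'
if [ -n "$1" ]; then
  if ! [[ "$1" =~ $NAME_RE ]]; then
    echo "Invalid client name: use a-z, 0-9, '_' or '-' (must start with a letter or '_', max 32 chars)" >&2
    exit 1
  fi
  echo "Creating OpenVPN config for user $1"
  checkUser "$1"
  NAME_CLIENT=$1
else
  echo "Parameter missing! Enter the name for client right after the script name!"
  exit 1
fi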
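# set the variables we'll use later
DIR_CLIENT="/etc/openvpn/clients/${NAME_CLIENT}"
OVPN_FILE="${DIR_CLIENT}/${NAME_CLIENT}.ovpn"
PKI_DIR="/etc/openvpn/easy-rsa/pki"

# Everything created from here on (client private key, the .ovpn that
# embeds it, the password file and the OTP seed) is secret. Default umask
# would leave them group/world-readable, so tighten it for the rest of
# the script.
umask 077

# create the certificate and key
# Both steps are checked: if the easy-rsa tree is missing or build-client-full
# fails, the profile assembled below would embed absent or stale files.
cd "/etc/openvpn/easy-rsa" || { echo "cannot cd to /etc/openvpn/easy-rsa" >&2; exit 1; }
if ! /etc/openvpn/easy-rsa/easyrsa build-client-full "${NAME_CLIENT}" nopass; then
  echo "easyrsa build-client-full failed for ${NAME_CLIENT}" >&2
  exit 1
fi

# create a directory to save all the files
mkdir -p "${DIR_CLIENT}" || exit 1
chmod 700 "${DIR_CLIENT}"

# The separate copies of ca.crt / ta.key / <name>.crt / <name>.key that an
# earlier version placed next to the profile are no longer made; the same
# material is embedded inline below.

# Every input for the inline blocks must be readable now, otherwise the
# profile would be written with an empty <key> or <ca> section.
for src in "${PKI_DIR}/ca.crt" \
           "${PKI_DIR}/issued/${NAME_CLIENT}.crt" \
           "${PKI_DIR}/private/${NAME_CLIENT}.key" \
           "/etc/openvpn/tls-crypt.key"; do
  [ -r "$src" ] || { echo "required file missing or unreadable: $src" >&2; exit 1; }
done

# copy and customize the client configuration
# The issued .crt carries a human-readable preamble before the PEM, so only
# its BEGIN..END section is taken; ca.crt, the key and the tls-crypt key are
# appended verbatim, as before. One grouped redirect replaces the nine
# separate appends.
cp -v "/etc/openvpn/client-template.txt" "${OVPN_FILE}" || exit 1
{
  echo "<ca>"
  cat "${PKI_DIR}/ca.crt"
  echo "</ca>"
  echo "<cert>"
  awk '/BEGIN/,/END/' "${PKI_DIR}/issued/${NAME_CLIENT}.crt"
  echo "</cert>"
  echo "<key>"
  cat "${PKI_DIR}/private/${NAME_CLIENT}.key"
  echo "</key>"
  echo "<tls-crypt>"
  cat "/etc/openvpn/tls-crypt.key"
  echo "</tls-crypt>"
} >> "${OVPN_FILE}"
chmod 600 "${OVPN_FILE}"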
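# create a new local user
# 20 random alphanumerics. The original `head -n 4096 | tr | cut -b 1-20`
# only worked because tr stripped every newline, leaving one long line for
# cut to trim; reading the stream until 20 bytes survive the filter is the
# direct form.
PASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 20)
[ "${#PASS}" -eq 20 ] || { echo "failed to generate a password" >&2; exit 1; }

# NOTE(review): the account is created with useradd's default login shell.
# If these users only ever authenticate through OpenVPN/PAM, consider
# `useradd -m -s /usr/sbin/nologin` and `su -s /bin/sh` below - not changed
# here because it is not known whether they also need interactive login.
useradd -m "${NAME_CLIENT}" || exit 1

# Ubuntu/Debian passwd(1) has no --stdin (that is a Red Hat extension), so
# the original call failed and left the new account without a usable
# password. chpasswd reads "user:password" on stdin and exists on both.
printf '%s:%s\n' "${NAME_CLIENT}" "${PASS}" | chpasswd || exit 1

# Plain-text copy for the hand-off bundle: owner-readable only (the
# original redirect inherited the default umask, i.e. world-readable).
( umask 077; printf '%s\n' "${PASS}" > "${DIR_CLIENT}/vpnpass.txt" ) || exit 1
usermod -aG vpnusers "${NAME_CLIENT}"

# run the google authenticator as the local user and save the code
# The cd must be checked: `zip -r ... .` below archives the *current*
# directory, and if this cd failed the script was still sitting in
# /etc/openvpn/easy-rsa, so the bundle would have contained the whole PKI,
# CA private key included.
cd "${DIR_CLIENT}" || { echo "cannot cd to ${DIR_CLIENT}" >&2; exit 1; }
# -t TOTP, -D disallow token reuse, -r 3 / -R 30 rate limit, -w3 window,
# -C no QR code, -f no prompts, -Q UTF8 output mode. The captured output
# holds the secret and scratch codes, hence the 600 below.
AUTH_CODE_FILE="${DIR_CLIENT}/${NAME_CLIENT}_auth_code.txt"
if ! su "${NAME_CLIENT}" -c "/usr/bin/google-authenticator -C -t -f -D -r 3 -Q UTF8 -R 30 -w3" > "${AUTH_CODE_FILE}"; then
  echo "google-authenticator failed for ${NAME_CLIENT}" >&2
  exit 1
fi
chmod 600 "${AUTH_CODE_FILE}"

# Seed file for the PAM module, kept root-only. Assumes useradd -m put the
# home under /home/<name>, as the original did.
cp "/home/${NAME_CLIENT}/.google_authenticator" "/etc/openvpn/google-auth/${NAME_CLIENT}" || exit 1
chown -v root "/etc/openvpn/google-auth/${NAME_CLIENT}"
chmod 400 "/etc/openvpn/google-auth/${NAME_CLIENT}"

# Bundle for the user: contains the private key, password and OTP seed,
# so the archive itself must not be world-readable either.
zip -r "${NAME_CLIENT}.zip" . && chmod 600 "${NAME_CLIENT}.zip"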