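#!/usr/bin/env bash
# gen-ovpn: build an inline OpenVPN client profile (<filename_base>.ovpn) from
# an easy-rsa 3 PKI under /etc/openvpn/easyrsa3 and e-mail it to MAIL_TO.
# Usage: ./gen-ovpn <filename_base>   (must be run as root)
#
# Keep xtrace off: later steps read the client's private key into command
# substitutions, and a stray `bash -x` would echo the key material into the
# terminal or a log.
set +x
#############################
# only root
# NOTE: die() is defined further down this file and is not yet available
# here (the original called it anyway, which only produced "command not
# found" and let the script carry on). Print the same format inline instead.
if [ "$(id -u)" -ne 0 ]; then
  printf '\nScript error: %s\n' "Must be launch with root privilege" >&2
  exit 1
fi
# Locate the external tools. `command -v` is the portable lookup; `which` is
# not guaranteed to exist. An empty path would otherwise turn lines such as
# `$MAILX ...` into "execute the first argument as a command", so the tools
# that are actually invoked are required. zip is only referenced by the
# commented-out packaging step, so it is looked up but not required.
for tool in uuencode mailx unix2dos; do
  if ! command -v "${tool}" >/dev/null 2>&1; then
    printf '\nScript error: %s\n' "required tool '${tool}' not found in PATH" >&2
    exit 1
  fi
done
UUENCODE=$(command -v uuencode)
MAILX=$(command -v mailx)
ZIP=$(command -v zip)
UNIX2DOS=$(command -v unix2dos)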
#############################
# Wrapper around printf - clobber print since it's not POSIX anyway
# Print every argument, joined by single spaces, followed by a newline.
# Replaces the non-portable shell `print` builtin with a printf wrapper.
print() {
  local text="$*"
  printf '%s\n' "${text}"
}
# Exit fatally with a message to stderr
# present even with EASYRSA_BATCH as these are fatal problems
# Fatal error: write "Script error: <msg>" (preceded by a blank line) to
# stderr and terminate the script.
# Arguments: $1 - message, $2 - exit status (defaults to 1)
die() {
  local reason=$1
  local status=${2:-1}
  printf '\nScript error: %s\n' "${reason}" >&2
  exit "${status}"
}
# non-fatal warning output
# Non-fatal warning: one line on stderr, execution continues.
# Arguments: $1 - message
warn() {
  printf '%s\n' "$1" >&2
}
# informational notices to stdout
# Informational message: one line on stdout.
# Arguments: $1 - message
notice() {
  printf '%s\n' "$1"
}
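#######################################
# Read the listening port (and the `server` subnet) out of an OpenVPN server
# configuration file. Only the first `port` / `server` directive is used, so
# a config with repeated directives still yields single-line values.
# Globals:   SRV_VPN_PORT (written) - value of the `port` directive
#            SRV_VPN_IP   (written) - "<network> <netmask>" of the `server`
#                                     directive (not used elsewhere in this file)
# Arguments: $1 - path to the server .conf
# Exits via die() when the file does not exist.
#######################################
configParser() {
  local conf=$1
  if [ ! -f "${conf}" ]; then
    die "Error: cannot read server configuration files"
  fi
  # Anchor on the directive followed by whitespace: a bare /^port/ or /^server/
  # also matches `port-share`, `server-bridge`, `server-ipv6`, ... and then
  # produces a multi-line value that breaks the `remote` line of the profile.
  SRV_VPN_PORT=$(awk '/^port[[:space:]]/ { print $2; exit }' "${conf}")
  SRV_VPN_IP=$(awk '/^server[[:space:]]/ { print $2, $3; exit }' "${conf}")
}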
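# Layout of the OpenVPN / easy-rsa 3 installation this script expects.
DIR="/etc/openvpn"
EAZ="${DIR}/easyrsa3"
OVPN="${EAZ}/pki/ovpn"          # generated client profiles are stored here
if [ ! -d "${EAZ}" ]; then
  die "couldn't find easyrsa3 folder"
fi
# Abort if the chdir fails instead of carrying on in the wrong directory.
cd "${EAZ}" || die "cannot change directory to ${EAZ}"
PROFIL=$1
if [ -z "${PROFIL}" ]; then
  die "missing argument : ./gen-ovpn <filename_base>"
fi
# The profile name is spliced into paths under pki/ (reqs/, private/,
# issued/) and into the output file name, so restrict it to a plain file
# name: no directory separators, no leading '-' or '.', no whitespace or
# shell metacharacters.
case "${PROFIL}" in
  */*|.*|-*|*[![:alnum:]._@-]*)
    die "invalid profile name '${PROFIL}': use letters, digits, '.', '_', '@' or '-' only"
    ;;
esac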
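# PKI material for this profile (easy-rsa 3 layout).
CA_CRT="${EAZ}/pki/ca.crt"
TLS_AUTH="${DIR}/keys/ta.key"
USER_REQ="${EAZ}/pki/reqs/${PROFIL}.req"
USER_KEY="${EAZ}/pki/private/${PROFIL}.key"
USER_CRT="${EAZ}/pki/issued/${PROFIL}.crt"
# Generate a tls-auth static key if there is none yet.
# CAUTION: a key minted here is only useful if the server's own config points
# at this same file; a running server does not pick it up automatically. Note
# also that the profile template in this script does not embed it (its
# <tls-auth> lines are commented out), so clients built by this script will
# not carry it either. `--genkey --secret` is the pre-2.5 spelling; newer
# releases document `--genkey secret <file>` — presumably still accepted with
# a deprecation warning, verify against the installed version.
if [ ! -f "${TLS_AUTH}" ]; then
  openvpn --genkey --secret "${TLS_AUTH}" || die "failed to generate ${TLS_AUTH}"
fi
if [ ! -f "${USER_REQ}" ] || [ ! -f "${USER_KEY}" ]; then
  die "missing request or key for user ${PROFIL} : ./easyrsa gen-req <username> nopass"
fi
if [ ! -f "${USER_CRT}" ]; then
  die "missing certificat for user ${PROFIL} : ./easyrsa sign client <username>"
fi
# Generated profiles embed the client's private key, so make the directory
# root-only instead of inheriting whatever the umask gives.
if [ ! -d "${OVPN}" ]; then
  mkdir -p -m 0700 "${OVPN}" || die "cannot create ${OVPN}"
fi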
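# User exists
CNF_FILE="${OVPN}/${PROFIL}.ovpn"                 # profile kept on the server
CNF_FILENAME="config-vpn1-${PROFIL}.ovpn"         # name used for the e-mail attachment
CNF_VPN_HOSTNAME="vpn.freuds.me"                  # public name clients connect to
# Scratch files. mktemp creates them 0600 and with unpredictable names, which
# matters here: CNF_MODEL holds the client's private key once the template
# has been filled in.
CNF_MODEL=$(mktemp "/tmp/${0##*/}.XXXXXXXX") || die "mktemp failed"
CNF_CERT_TMP=$(mktemp "/tmp/${0##*/}.XXXXXXXX") || die "mktemp failed"
MAIL_MODEL=$(mktemp "/tmp/${0##*/}.XXXXXXXX") || die "mktemp failed"
# Remove the scratch files on every exit path (die, signal, normal exit) so a
# failure half-way through does not leave a private key behind in /tmp.
trap 'rm -f -- "${CNF_MODEL}" "${CNF_CERT_TMP}" "${MAIL_MODEL}"' EXIT
MAIL_TO="mymail@example.com"
MAIL_FROM="mymail@example.com"
MAIL_SUBJECT="VPN Access"
## backup ovpn config if exists
# The previous profile is renamed with today's date. It keeps whatever mode
# it already had, and it is exactly as sensitive as the new one.
if [ -f "${CNF_FILE}" ]; then
  mv -f -- "${CNF_FILE}" "${CNF_FILE}.$(date '+%F')" && warn "We backup the last config"
fi
# extract SERVER PORT info
# TODO: discover the server config(s) (*.conf) instead of hard-coding vpn1.conf
configParser "/etc/openvpn/server/vpn1.conf"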
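## build the client profile from the model
# The PEM material is embedded through command substitution rather than being
# spliced into the template with sed. That removes the need to escape file
# contents for sed's replacement syntax and avoids staging the key in a
# second scratch file. The issued certificate from easy-rsa carries a
# human-readable dump ahead of the PEM block, so only its BEGIN..END
# CERTIFICATE section is taken; ca.crt and the private key are plain PEM
# files and are embedded as-is.
#
# comp-lzo is kept because the existing server config is not visible from
# here and a mismatch would break the tunnel, but OpenVPN deprecates link
# compression for security reasons (compression-oracle attacks such as
# VORACLE); drop it here and on the server when possible.
notice "Create template from model. "
user_crt_pem=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----$/p' "${USER_CRT}")
[ -n "${user_crt_pem}" ] || die "no PEM certificate block found in ${USER_CRT}"
cat > "${CNF_MODEL}" <<EOF
client
dev tun
proto udp
remote ${CNF_VPN_HOSTNAME} ${SRV_VPN_PORT}
resolv-retry infinite
comp-lzo
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3
mute 20
<ca>
$(cat "${CA_CRT}")
</ca>
<cert>
${user_crt_pem}
</cert>
<key>
$(cat "${USER_KEY}")
</key>
EOF
# tls-auth is deliberately NOT embedded (these lines were already commented
# out in the template). If the server runs with `tls-auth ta.key 0`, move a
# <tls-auth> block holding the "OpenVPN Static key V1" section of
# ${TLS_AUTH} plus `key-direction 1` into the template above, otherwise the
# client cannot complete the handshake.
# <tls-auth> ... </tls-auth>
# key-direction 1
# Copy file ovpn from model. The profile embeds the private key, so it is
# created root-only (umask 077 on creation, explicit chmod afterwards); the
# previous 0644 made the key readable by every local account.
if ! (umask 077 && cp -- "${CNF_MODEL}" "${CNF_FILE}"); then
  die "cannot write ${CNF_FILE}"
fi
chmod 0600 -- "${CNF_FILE}"
notice "Prepare a new config file from model."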
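# convert into DOS line endings for Windows clients
# The tool path is re-checked: an empty $UNIX2DOS would otherwise execute the
# profile itself as a command. unix2dos rewrites the file in place; the mode
# is re-applied afterwards rather than relying on it being preserved.
[ -n "${UNIX2DOS}" ] || die "unix2dos not found"
"${UNIX2DOS}" "${CNF_FILE}" || die "unix2dos failed on ${CNF_FILE}"
chmod 0600 -- "${CNF_FILE}"
# make package zip config file + VPN Doc
#$ZIP -q ${ZIPNAME} ${OVPN_NAME} ${VPNDOC} && notice " - zip config client file"
# send config file ( attachement + body)
#| $MAILX -aFrom:${MAIL_FROM} -b ${MAIL_BCC} -s "${MAIL_SUBJECT}" "${MAIL_TO}"
# reception
cat > "${MAIL_MODEL}" <<'EOF'
Hello,
Merci de trouver en PJ vos accès pour le client OpenVPN
See: https://openvpn.net/community-downloads/
Cordialement
EOF
# SECURITY: the attachment carries the client's private key in the clear.
# uuencode in the message body over plain SMTP exposes it to every relay and
# mailbox on the path; treat the recipient mailbox as the trust boundary, or
# replace this step with an encrypted / out-of-band hand-over.
# `-aFrom:` is the bsd-mailx "add header" flag; on heirloom-mailx / s-nail
# `-a` means "attach file", so this invocation is mailx-variant specific.
if [ -z "${UUENCODE}" ] || [ -z "${MAILX}" ]; then
  die "uuencode or mailx not found"
fi
notice "Sending config file by email : ${MAIL_TO}. "
if ! { cat "${MAIL_MODEL}"; "${UUENCODE}" "${CNF_FILE}" "${CNF_FILENAME}"; } \
  | "${MAILX}" "-aFrom:${MAIL_FROM}" -s "${MAIL_SUBJECT}" "${MAIL_TO}"; then
  die "sending e-mail to ${MAIL_TO} failed"
fi
# cleanup of the scratch files (the filled-in model holds the private key)
rm -f -- "${CNF_MODEL}" "${CNF_CERT_TMP}" "${MAIL_MODEL}"
exit 0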