@grahambrown11
Last active March 18, 2020 17:03
Pritunl (OpenVPN) to ChromeOS ONC Converter

Convert Pritunl Profile for ChromeOS

Pritunl is a great alternative to the commercial OpenVPN server, with a nice web interface for setting up a server and users.

We use Chromebooks, and the paid-for version of Pritunl has native support for making the onc file, but we needed a temporary solution for the COVID-19 pandemic, so here is a bash script that converts the tar profile link into an onc file to import into ChromeOS. The Pritunl tar profile link is the ovpn file tarred, so if you already have an ovpn profile file it is easy to modify the script to use that file instead of downloading it.

./convertvpn.sh https://you-pritunl-server/abc.tar outputfolder

Transfer the resulting onc file to the Chromebook and import it using the URL below

chrome://net-internals/#chromeos

I wrapped this script on a Linux web server so a user can paste their profile link and get the onc downloaded directly on their Chromebook.

#!/bin/bash
# Usage: ./convertvpn.sh <pritunl-profile-tar-url> <outputfolder>
url=$1
folder=$2
# The extracted key, the PKCS#12 bundle and the resulting ONC all hold an
# unencrypted private key, so create them readable by the current user only.
umask 077
mkdir -p "$folder"
# --insecure turns off TLS certificate verification for the download; remove
# it if the Pritunl server presents a certificate that curl can verify.
if curl --insecure "$url" 2> /dev/null | tar xO > "$folder/profile.ovpn" 2> /dev/null; then
    # Split the inline <ca>, <cert> and <key> blocks into separate PEM files
    sed -n '/^<ca>/,/^<\/ca>/p' "$folder/profile.ovpn" | sed '1d;$d' > "$folder/ca.pem"
    sed -n '/^<cert>/,/^<\/cert>/p' "$folder/profile.ovpn" | sed '1d;$d' > "$folder/client.pem"
    sed -n '/^<key>/,/^<\/key>/p' "$folder/profile.ovpn" | sed '1d;$d' > "$folder/client.key"
    # Bundle the client certificate and key as PKCS#12 with an empty export password
    openssl pkcs12 -export -in "$folder/client.pem" -inkey "$folder/client.key" -certfile "$folder/ca.pem" -out "$folder/client.p12" -passout pass:
    # Flatten multi-line values to one line, with newlines written as literal \n for JSON
    caid=$(uuidgen)
    ca=$(sed -E ':a;N;$!ba;s/\n/\\n/g' "$folder/ca.pem")
    keyid=$(uuidgen)
    key=$(base64 "$folder/client.p12" | sed -E ':a;N;$!ba;s/\n/\\n/g')
    tls=$(sed -n '/^<tls-auth>/,/^<\/tls-auth>/p' "$folder/profile.ovpn" | sed '1d;$d' | sed -E ':a;N;$!ba;s/\n/\\n/g')
    confid=$(uuidgen)
    # "remote <host> <port> <proto>" line of the profile
    read -ra remote <<< "$(sed -n '/^remote\s/p' "$folder/profile.ovpn")"
    host="${remote[1]}"
    port="${remote[2]}"
    proto="${remote[3]}"
    # Assemble the ONC JSON: two certificates plus one OpenVPN network configuration
    onc="{\"Type\":\"UnencryptedConfiguration\",\"Certificates\":["
    onc="${onc}{\"GUID\":\"{${caid}}\",\"Type\":\"Authority\",\"X509\":\"${ca}\"},"
    onc="${onc}{\"GUID\":\"{${keyid}}\",\"Type\":\"Client\",\"PKCS12\":\"${key}\"}],"
    onc="${onc}\"NetworkConfigurations\":[{\"GUID\":\"{${confid}}\",\"Name\":\"Office\",\"Type\":\"VPN\",\"VPN\":{"
    onc="${onc}\"Type\":\"OpenVPN\",\"Host\":\"${host}\",\"OpenVPN\":{\"ServerCARef\":\"{${caid}}\","
    onc="${onc}\"AuthRetry\":\"interact\",\"ClientCertType\":\"Ref\",\"ClientCertRef\":\"{${keyid}}\","
    onc="${onc}\"CompLZO\":\"true\",\"Cipher\":\"AES-256-CBC\",\"Auth\":\"SHA512\",\"Port\":${port},\"Proto\":\"${proto}\","
    onc="${onc}\"RemoteCertTLS\":\"server\",\"RemoteCertEKU\":\"TLS Web Server Authentication\",\"ServerPollTimeout\":10,"
    onc="${onc}\"UserAuthenticationType\":\"Password\",\"SaveCredentials\":true,\"KeyDirection\": \"1\","
    onc="${onc}\"TLSAuthContents\":\"${tls}\"}}}]}"
    echo "${onc}" > "$folder/vpn.onc"
    # Remove the intermediate files; only vpn.onc is kept
    rm "$folder/profile.ovpn" "$folder/ca.pem" "$folder/client.pem" "$folder/client.key" "$folder/client.p12"
else
    echo "Failed to download or unpack the profile from $url" >&2
    rm -f "$folder/profile.ovpn"
    exit 1
fi
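
The script places the fields of the profile's `remote` line straight into the JSON, with `Port` unquoted, so a profile with a missing or malformed `remote` line produces an onc file that is not valid JSON. The check below is an added example, not part of the original gist; `parse_remote` and the host `vpn.example.com` are hypothetical names, and the protocol allow-list is an assumption to narrow to what your server uses.

```bash
#!/bin/sh
# Added example, not part of the original gist. parse_remote is a
# hypothetical helper; vpn.example.com is a constructed sample host.

# parse_remote FILE
# Prints "host port proto" from the first `remote` line of an .ovpn profile,
# or returns 1 if a field is missing or unsafe to place into the ONC JSON.
parse_remote() {
    # Strip a trailing CR (CRLF profiles), then take the first remote line.
    r_fields=$(awk '{ sub(/\r$/, "") } $1 == "remote" { print $2, $3, $4; exit }' "$1")
    read -r r_host r_port r_proto <<EOF
$r_fields
EOF
    # Host: hostname or IP literal characters only, so no quote or backslash
    # can end the JSON string early.
    case "$r_host" in
        ''|*[!A-Za-z0-9.:-]*) echo "parse_remote: bad or missing host" >&2; return 1 ;;
    esac
    # Port is written unquoted into the JSON: plain decimal, no leading zero,
    # at most five digits, and no larger than 65535.
    case "$r_port" in
        ''|0*|*[!0-9]*|??????*) echo "parse_remote: bad or missing port" >&2; return 1 ;;
    esac
    [ "$r_port" -le 65535 ] || { echo "parse_remote: port out of range" >&2; return 1; }
    # Assumption: allow-list of OpenVPN protocol keywords; narrow as needed.
    case "$r_proto" in
        udp|udp4|udp6|tcp|tcp4|tcp6|tcp-client) ;;
        *) echo "parse_remote: bad or missing proto" >&2; return 1 ;;
    esac
    printf '%s %s %s\n' "$r_host" "$r_port" "$r_proto"
}

# Demo on a constructed profile fragment.
demo=$(mktemp)
printf 'client\ndev tun\nremote vpn.example.com 1194 udp\n' > "$demo"
parse_remote "$demo"    # prints: vpn.example.com 1194 udp
rm -f "$demo"
```

Run it on the extracted profile before the `onc` string is built and stop on a non-zero status.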