Automation for creating the client files of an OpenVPN setup
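#!/bin/bash
# <http://blog.philippklaus.de/2010/09/openvpn/>
#
# Interactively builds an OpenVPN client bundle:
#   1. asks for the server address and the client hostname,
#   2. signs a client certificate with easy-rsa's pkitool,
#   3. collects the client config, helper scripts, ca.crt and ta.key in
#      /etc/openvpn/easy-rsa/keys/$SERVERNAME,
#   4. packs that directory into /etc/openvpn/$HOSTNAME.tar.bz2.
# Needs write access to /etc/openvpn and the easy-rsa key store, and the
# template.* files in /etc/openvpn.
set -x
# -e/pipefail: stop at the first failed step instead of packing a half-built
# bundle. -u is deliberately left out because easy-rsa's `vars` is sourced
# below and is not written for it.
set -e -o pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

#SERVERNAME=$(hostname)
# Default server address: first IPv4 address shown for eth0. This parses
# ifconfig output, so it may come back empty; the user confirms it below.
SERVERNAME=$(ifconfig | grep -A 5 eth0 | grep -w 'inet addr' | tr '\t' ' ' | cut -d ':' -f 2 | cut -d ' ' -f 1) || SERVERNAME=""
read -e -r -p "Please enter the server you want your clients to connect to [default: $SERVERNAME]: " input || true
SERVERNAME="${input:-$SERVERNAME}"
HOSTNAME="somehost"; input=''
read -e -r -p "Please enter the hostname you want to create the certificates for [default: $HOSTNAME]: " input || true
HOSTNAME="${input:-$HOSTNAME}"
# Both values become directory/file names, and HOSTNAME is also spliced into a
# sed replacement: allow only plain host/address characters so neither can
# escape the key directory or break the substitution.
[[ "$SERVERNAME" =~ ^[A-Za-z0-9][A-Za-z0-9.:_-]*$ ]] || die "Invalid server name: '$SERVERNAME'. Stopping"
[[ "$HOSTNAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || die "Invalid hostname: '$HOSTNAME'. Stopping"

olddir=$(pwd)
cd /etc/openvpn/easy-rsa || die "Cannot change to /etc/openvpn/easy-rsa. Stopping"
# Check if all needed files are available:
[[ -f vars ]] || die "The file \`vars\` does not exist. Stopping"
# easy-rsa's vars exports the KEY_* settings that pkitool needs.
# shellcheck disable=SC1091
source vars
# Create a folder for all the keys, configuration files and helpers. It must
# not exist yet, otherwise leftovers from an earlier run would end up in the
# bundle.
to="/etc/openvpn/easy-rsa/keys/$SERVERNAME"
[[ ! -e "$to" ]] || die "$to already exists; remove it first. Stopping"
mkdir -p -- "$to"
# Create the certificates $HOSTNAME.crt and $HOSTNAME.key
./pkitool "$HOSTNAME" || die "pkitool failed for $HOSTNAME. Stopping"
cp -- "keys/$HOSTNAME.crt" "keys/$HOSTNAME.key" "$to"
# Create a file with all the custom variables (sourced by start/stop-vpn.sh):
cat << EOF > "$to/settings.conf.sh"
#!/bin/bash
# This file contains all the shell script variables for your OpenVPN setup
HOSTNAME="$HOSTNAME"
SERVERNAME="$SERVERNAME"
CONFDIR="/etc/openvpn/$SERVERNAME"
CONFFILE="$HOSTNAME.ovpn"
PIDDIR="/var/run/openvpn"
PIDFILE="$SERVERNAME.pid"
EOF
cd /etc/openvpn || die "Cannot change to /etc/openvpn. Stopping"
# Customize the client configuration file template: every literal HOSTNAME in
# it becomes the client's name (used for the cert/key file names).
cp -- template.client.ovpn "$to/$HOSTNAME.ovpn"
sed -i "s/HOSTNAME/$HOSTNAME/g" "$to/$HOSTNAME.ovpn"
# Copy other needed files:
for helper in start-vpn.sh stop-vpn.sh up.sh down.sh; do
  cp -- "template.$helper" "$to/$helper"
  chmod +x -- "$to/$helper"
done
cp -- ca.crt ta.key "$to"
cd /etc/openvpn/easy-rsa/keys || die "Cannot change to /etc/openvpn/easy-rsa/keys. Stopping"
# Create a bundle with all the files needed by the client and move it.
# The bundle holds the client's private key and the shared tls-auth key, so it
# is kept owner-only (it used to be chmod 777); loosen deliberately if needed.
tar cjf "$HOSTNAME.tar.bz2" "$SERVERNAME"
rm -rf -- "${SERVERNAME:?}"
chmod 600 -- "$HOSTNAME.tar.bz2"
mv -- "$HOSTNAME.tar.bz2" /etc/openvpn
echo "Created the file /etc/openvpn/$HOSTNAME.tar.bz2 with all the files needed for the OpenVPN configuration on the client.
If you want to revoke a certificate, run \`cd /etc/openvpn/easy-rsa; . vars; revoke-full $HOSTNAME\`. More information on <http://openvpn.net/howto.html#revoke>"
cd "$olddir"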
# Client configuration template. The literal word HOSTNAME is replaced with
# the client's name when the bundle is built, so the cert/key lines below
# point at the client's own files.
client
dev tun
# Do not keep auth-user-pass credentials cached in memory after use.
auth-nocache
proto tcp-client
remote philippklaus.de 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert HOSTNAME.crt
key HOSTNAME.key
# Requires the server certificate to carry nsCertType=server. Newer OpenVPN
# releases deprecate this in favour of `remote-cert-tls server`; check the
# extensions of the server certificate before switching.
ns-cert-type server
# Shared HMAC key for packet authentication; 1 is the client's key direction.
tls-auth ta.key 1
# Link compression; deprecated in newer OpenVPN releases.
comp-lzo
verb 3
log ./openvpn.log
; now also set the dns entry:
# script-security 2 lets OpenVPN run the up/down scripts below, so those
# files must be trusted and not writable by other users.
up ./up.sh
script-security 2
down ./down.sh
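#!/bin/sh
# OpenVPN "down" script: restore the resolver configuration that up.sh moved
# aside when the tunnel came up. If there is nothing to restore (up.sh did not
# run, or already put the file back), exit quietly instead of failing.
[ -e /etc/resolv.conf.hold ] || exit 0
mv /etc/resolv.conf.hold /etc/resolv.conf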
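#!/bin/sh
# Start the OpenVPN client described by settings.conf.sh (expected in the
# current directory, as written by the bundle builder) as a daemon and record
# its PID in $PIDDIR/$PIDFILE so stop-vpn.sh can terminate it later.
# `source` is a bash-ism; `.` with an explicit ./ path is the portable form
# and makes it clear the file is taken from the current directory.
[ -f ./settings.conf.sh ] || { echo "settings.conf.sh not found in $(pwd)" >&2; exit 1; }
. ./settings.conf.sh
mkdir -p "$PIDDIR"
# A stale PID file from an earlier run may or may not exist.
rm -f "$PIDDIR/$PIDFILE"
cd "$CONFDIR" || { echo "Cannot change to $CONFDIR" >&2; exit 1; }
openvpn --daemon --cd "$CONFDIR" --config "$CONFDIR/$CONFFILE" --writepid "$PIDDIR/$PIDFILE"
sleep 4
### If the client you are connecting here is a router and you want it to forward the traffic for its subnet to the VPN (and your OpenVPN server configuration is set to forward all traffic through the tunnel), then uncomment these lines:
#iptables -I FORWARD -o tun+ -j ACCEPT
#iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE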
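#!/bin/sh
# Stop the OpenVPN client started by start-vpn.sh: read its PID from
# $PIDDIR/$PIDFILE (paths come from settings.conf.sh in the current
# directory) and send it SIGTERM.
[ -f ./settings.conf.sh ] || { echo "settings.conf.sh not found in $(pwd)" >&2; exit 1; }
. ./settings.conf.sh
[ -f "$PIDDIR/$PIDFILE" ] || { echo "No PID file $PIDDIR/$PIDFILE - is the VPN running?" >&2; exit 1; }
proc_id=$(cat "$PIDDIR/$PIDFILE")
# Accept only a plain numeric PID so an empty or damaged PID file cannot turn
# into a different kill target.
case "$proc_id" in
  ''|*[!0-9]*) echo "Invalid PID '$proc_id' in $PIDDIR/$PIDFILE" >&2; exit 1 ;;
esac
# `kill -SIGTERM` is a bash-ism; `-s TERM` is the POSIX spelling for /bin/sh.
kill -s TERM "$proc_id"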
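#!/bin/sh
# <http://openvpn.net/archive/openvpn-users/2006-10/msg00217.html>
# script to automatically set DNS information on connection
#
# OpenVPN exports every pushed "dhcp-option" as foreign_option_N. Each exact
# "dhcp-option DNS <addr>" / "dhcp-option DOMAIN <name>" entry becomes a
# nameserver / search line in a fresh /etc/resolv.conf; the previous file is
# kept as /etc/resolv.conf.hold and restored by down.sh.
mv /etc/resolv.conf /etc/resolv.conf.hold # back up old file
for OPTION in "${foreign_option_1:-}" "${foreign_option_2:-}" "${foreign_option_3:-}" "${foreign_option_4:-}" "${foreign_option_5:-}" "${foreign_option_6:-}"
do
  # The options are numbered without gaps, so the first empty one ends the list.
  [ -n "$OPTION" ] || break
  case "$OPTION" in
    "dhcp-option DOMAIN "*) keyword=search;     value=${OPTION#"dhcp-option DOMAIN "} ;;
    "dhcp-option DNS "*)    keyword=nameserver; value=${OPTION#"dhcp-option DNS "} ;;
    *) continue ;;
  esac
  # The value is pushed by the server; only let a single plain name/address
  # through so nothing else (extra words, other resolver directives) lands in
  # resolv.conf.
  case "$value" in
    ''|*[!A-Za-z0-9.:-]*) continue ;;
  esac
  printf '%s %s\n' "$keyword" "$value" >> /etc/resolv.conf
done
if [ ! -f /etc/resolv.conf ]; then # openvpn did not set any DNS information
  mv /etc/resolv.conf.hold /etc/resolv.conf
fi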