Helper scripts for connecting a Linux (NetworkManager) client to an Azure VPN Gateway point-to-site connection: the first prepares the downloaded client configuration and certificates, the second generates the root CA and client certificate.
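#!/bin/bash
# Prepare a Linux (NetworkManager) client for an Azure VPN Gateway point-to-site
# connection, starting from the "VPN client configuration" zip downloaded from
# the Azure portal.
#
# Usage: ./azure-gateway.sh [vpn-client-config.zip]
#   Without an argument, kv0.zip and kv1.zip in the current directory are
#   tried (kv1.zip wins when both exist).
#
# Steps:
#   1. unpack the zip into a directory named after it and change into it
#   2. fetch gen-client-cert.sh (the sibling file of this gist) if it is not
#      present, and run it once to create a self-signed root CA plus a client
#      certificate/key under temp/
#   3. copy the gateway root cert and the client cert/key into
#      ~/.cert/azure-gateway-<dir>/, never overwriting files already there
#   4. print the values to enter into NetworkManager for IKEv2 and, when the
#      archive ships an OpenVPN profile, embed the client cert/key into it
#
# The unpacked directory, the cert directory and the patched .ovpn profile all
# end up holding a private key, so the umask is tightened before anything is
# created.  The CA private key (temp/rootKey.pem) is deliberately NOT copied
# into the cert directory; keep temp/ if you want to issue more client certs.
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '[error] %s\n' "$*" >&2
  exit 1
}

# Choose the configuration archive: explicit argument > kv1.zip > kv0.zip.
# Sets the globals conf_zip (absolute path) and dir (archive name sans .zip).
pick_config_zip() {
  conf_zip=""
  if [ -f kv0.zip ]; then
    conf_zip="kv0.zip"
  fi
  if [ -f kv1.zip ]; then
    conf_zip="kv1.zip"
  fi
  if [ $# -gt 0 ]; then
    conf_zip="$1"
  fi
  if [ -z "${conf_zip}" ]; then
    die "download the vpn client config zip archive first"
  fi
  conf_zip="$(realpath -- "${conf_zip}")"
  dir="$(basename -- "${conf_zip}" .zip)"
  echo "working with: $conf_zip"
}

# Unpack conf_zip into ./$dir (only the first time) and cd into it.  unzip's
# exit status is ignored as in the original script (presumably to tolerate
# harmless warnings on the portal's archive); the files this script actually
# needs are checked explicitly afterwards instead.
prepare_config_dir() {
  if [ ! -d "${dir}" ]; then
    mkdir -vp "${dir}"
    cd "${dir}"
    unzip "${conf_zip}" ||:
  else
    cd "${dir}"
  fi
  local f
  for f in Generic/VpnSettings.xml Generic/VpnServerRoot.cer; do
    [ -f "${f}" ] || die "${f} not found under ${PWD}; is ${conf_zip} the portal's VPN client configuration archive?"
  done
}

# Fetch the certificate-generation helper if it is not already present.
# NOTE(security): this downloads a script over HTTPS and executes it later.
# The URL points at the gist's mutable "raw" head, so its content can change
# at any time without this script noticing; pin it to a specific revision
# (raw/<commit>/gen-client-cert.sh) or ship the helper next to this script if
# that matters to you.  -f makes curl fail on an HTTP error instead of saving
# the error page under the script's name and running it.
fetch_cert_helper() {
  if [ ! -f gen-client-cert.sh ]; then
    curl -fsSL -o gen-client-cert.sh \
      https://gist.githubusercontent.com/vbatts/7d9e514f60e669e74dba73220291c1af/raw/gen-client-cert.sh
  fi
}

# Copy $1 to $2 unless $2 already exists.  cat+redirect rather than cp, so the
# new file gets the umask-restricted mode instead of inheriting the source's.
install_once() {
  if [ ! -f "$2" ]; then
    cat -- "$1" > "$2"
  fi
}

# Generate the client cert/key once, then populate cert_dir with the gateway
# root cert and the client material.  Sets the global cert_dir.
ensure_certs() {
  cert_dir="$HOME/.cert/azure-gateway-${dir}"
  mkdir -p "${cert_dir}"
  # the directory may predate the umask change (or this version of the script)
  chmod 700 "${cert_dir}"
  if [ ! -f temp/clientCert.pem ] && [ ! -f "${cert_dir}/rootCert.pem" ]; then
    bash gen-client-cert.sh
  fi
  install_once Generic/VpnServerRoot.cer "${cert_dir}/VpnServerRoot.cer"
  install_once temp/clientCert.pem "${cert_dir}/clientCert.pem"
  install_once temp/clientKey.pem "${cert_dir}/clientKey.pem"
  install_once temp/rootCert.pem "${cert_dir}/rootCert.pem"
  # base64 DER of the root cert: what the gateway's "Root certificates"
  # public-certificate-data field expects
  echo "your root certificate data: "
  openssl x509 -in "${cert_dir}/rootCert.pem" -outform der | base64 -w0 ; echo
  echo
}

# Print the NetworkManager settings for the IKEv2 (strongSwan) connection.
print_ike_instructions() {
  local gw_addr
  # gateway FQDN from the portal's VpnSettings.xml (<VpnServer>host</VpnServer>)
  gw_addr="$(grep VpnServer Generic/VpnSettings.xml | sed -e 's|^.*>\(.*\)<.*$|\1|')" \
    || die "could not read the VpnServer address from Generic/VpnSettings.xml"
  echo "once you've installed the IPsec/IKEv2 (Strongswan) packages ..."
  echo " (apt install strongswan strongswan-pki libstrongswan-extra-plugins curl libxml2-utils cifs-utils unzip network-manager-strongswan)"
  echo "use network-manager to + configure a new 'IPsec/IKEv2 (Strongswan)' VPN connection"
  echo "Name: Azure ${dir} (IKEv2)"
  echo "Address: ${gw_addr}"
  echo "Gateway Certificate: $(realpath -- "${cert_dir}/VpnServerRoot.cer")"
  echo "Client Certificate: $(realpath -- "${cert_dir}/clientCert.pem")"
  echo "Client Key: $(realpath -- "${cert_dir}/clientKey.pem")"
  echo "[x] Request an inner IP address"
  echo "[x] Enable custom proposals"
  echo "IKE: aes256gcm16-sha384-ecp384"
  echo "ESP: aes256gcm16-aes256gmac"
  echo ".. lastly, from the 'IPv4' tab, select [x] Use this connection only for resources on its network"
  echo
}

# Replace the $CLIENTCERTIFICATE / $PRIVATEKEY placeholders in the OpenVPN
# profile with the client cert and key.  The sources are the copies in
# cert_dir, which are guaranteed to exist by now, rather than temp/, which may
# be gone on a later run (GNU sed's `r` silently inserts nothing for a missing
# file, which would leave a broken profile).  The profile then contains the
# private key in clear, so it is restricted to the owner.
patch_ovpn() {
  local ovpn=OpenVPN/vpnconfig.ovpn
  sed -i '/\$CLIENTCERTIFICATE/{
r '"${cert_dir}"'/clientCert.pem
d
}
/\$PRIVATEKEY/{
r '"${cert_dir}"'/clientKey.pem
d
}' "${ovpn}"
  chmod 600 "${ovpn}"
}

# Print the NetworkManager import steps for the OpenVPN profile.
print_openvpn_instructions() {
  echo "once you've installed the OpenVPN packages ..."
  echo " (apt install network-manager-openvpn)"
  echo "use network-manager to + 'Import from file...'"
  echo "file: $(realpath -- OpenVPN/vpnconfig.ovpn)"
  echo "Name: Azure ${dir} (OpenVPN)"
  echo ".. lastly, from the 'IPv4' tab, select [x] Use this connection only for resources on its network"
  echo
}

main() {
  # every directory and file created below sits next to, or contains, a key
  umask 077
  pick_config_zip "$@"
  prepare_config_dir
  fetch_cert_helper
  echo
  ensure_certs
  print_ike_instructions
  # the portal only includes an OpenVPN profile when that tunnel type is enabled
  if [ -f OpenVPN/vpnconfig.ovpn ]; then
    patch_ovpn
    print_openvpn_instructions
  else
    echo "no OpenVPN/vpnconfig.ovpn in this archive; skipping the OpenVPN profile"
    echo
  fi
  echo "about to open network setting for you ..."
  sleep 2
  if command -v gnome-control-center >/dev/null 2>&1; then
    gnome-control-center network ||:
  fi
}

main "$@"
# vim:set sts=2 sw=2 et: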
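#!/bin/bash
## adapted from https://docs.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-linux#create-certificates-for-vpn-authentication
#
# Create, under ./temp/, a self-signed root CA (rootKey.pem / rootCert.pem),
# a client key and certificate issued by it (clientKey.pem / clientCert.pem),
# and a PKCS#12 bundle of the client cert, key and CA cert (client.p12).
#
# Environment (all optional):
#   P2S_ROOT_CERT_NAME  CN of the root CA               (default: P2SRootCert)
#   P2S_CLIENT_NAME     CN and SAN of the client cert   (default: client)
#   P12_PASSWORD        export password for client.p12.  Unset, the "1234"
#                       placeholder from the Microsoft docs is used and a
#                       warning is printed; set a real one for anything that
#                       is not a throwaway test, since client.p12 holds the
#                       client's private key.
#
# Requires strongswan-pki (`ipsec pki`) and openssl.  Refuses to run if
# temp/ already exists: rootKey.pem is the CA key that signs every client
# certificate and must not be silently replaced by a re-run.
set -euo pipefail

rootCertName="${P2S_ROOT_CERT_NAME:-P2SRootCert}"
username="${P2S_CLIENT_NAME:-client}"
if [ -z "${P12_PASSWORD:-}" ]; then
  echo "[warn] P12_PASSWORD not set; using the documentation placeholder '1234' for client.p12" >&2
  P12_PASSWORD="1234"
fi
export P12_PASSWORD

# umask first so temp/ and every key file in it are owner-only
umask 077
mkdir temp
cd temp

ipsec pki --gen --outform pem > rootKey.pem
ipsec pki --self --in rootKey.pem --dn "CN=${rootCertName}" --ca --outform pem > rootCert.pem
# base64 DER form of the root cert, for the gateway's "Root certificates"
# public-certificate-data field:
#openssl x509 -in rootCert.pem -outform der | base64 -w0 ; echo

ipsec pki --gen --size 4096 --outform pem > clientKey.pem
ipsec pki --pub --in clientKey.pem \
  | ipsec pki \
      --issue \
      --cacert rootCert.pem \
      --cakey rootKey.pem \
      --dn "CN=${username}" \
      --san "${username}" \
      --flag clientAuth \
      --outform pem > clientCert.pem

# -passout env: keeps the password out of the process argument list (visible
# to every local user via `ps`), unlike the original -password "pass:..." form.
openssl pkcs12 -in clientCert.pem -inkey clientKey.pem -certfile rootCert.pem \
  -export -out client.p12 -passout env:P12_PASSWORD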