Author: Paolo Lulli <paolo@lulli.net>
Added vpn server/client subcommands
iron-vpn/vpn-client | 112 +++++++++++++++++++++++++++++++++++++++++++ iron-vpn/vpn-server | 122 +++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/iron-vpn/vpn-client b/iron-vpn/vpn-client
new file mode 100755
index 0000000000000000000000000000000000000000..9bd622a0cd883e2b04909a527b83a5b82f4b8c52
--- /dev/null
+++ b/iron-vpn/vpn-client
@@ -0,0 +1,112 @@
+#! /bin/bash
+# Usage: $iron vpn-client <servername> <clientname>
+# Summary: create OpenVPN client config
+# Help: OpenVPN client config generator
+
+APPNAME="iron"
+
+if [ "$#" != "2" ]; then
+ echo "Usage: vpn-client <servername>"
+ exit 1
+fi
+
+servername=$1
+vpn_client=$2
+CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}.cfg
+
+CURRDIR=$(pwd)
+EASY_RSA_HOME=/usr/share/easy-rsa/
+
+test -f $CFG_FILE || echo "No such config: [${CFG_FILE}]"
+test -f $CFG_FILE || exit 1
+source ${CFG_FILE}
+
+function ovpn_generate_client()
+{
+ client_dn=$1
+ #cd $EASY_RSA_HOME
+ export KEY_CN=${client_dn}
+
+ ${EASY_RSA_HOME}/easyrsa build-client-full ${client_dn}
+}
+
+function ovpn_generate_client_assembly()
+{
+ cd $CURRDIR
+ mkdir -p "$CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
+ cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CURRDIR/pki/issued/${vpn_client}.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CURRDIR/pki/private/${vpn_client}.key $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+
+cat<<__EOT__>$CURRDIR/server/${code_organization}-client/${vpn_client}/${code_organization}.conf
+client
+dev tun
+proto tcp
+#remote ${code_organization}
+remote 62.171.171.30 1194
+resolv-retry infinite
+nobind
+comp-lzo
+persist-key
+persist-tun
+askpass /etc/openvpn/passwordfile
+ca /etc/openvpn/${vpn_client}/ca.crt
+cert /etc/openvpn/${vpn_client}/${vpn_client}.crt
+key /etc/openvpn/${vpn_client}/${vpn_client}.key
+verb 3
+log-append /var/log/openvpn.${code_organization}-client.log
+__EOT__
+
+ cd ./server/${code_organization}-client/${vpn_client}
+ tar cvfz $CURRDIR/${code_organization}-${vpn_client}.tar.gz .
+}
+
+function ovpn_generate_client_android()
+{
+ ovpnfile=$CURRDIR/server/${code_organization}-client/${vpn_client}/${code_organization}-${vpn_client}.ovpn
+ cd $CURRDIR
+ mkdir -p "$CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
+ cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CURRDIR/pki/issued/${vpn_client}.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+ cp $CURRDIR/pki/private/${vpn_client}.key $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+
+cat<<__EOT__>$ovpnfile
+client
+dev tun
+proto tcp
+#remote ${code_organization}
+remote 62.171.171.30 1194
+resolv-retry infinite
+nobind
+comp-lzo
+persist-key
+persist-tun
+askpass /etc/openvpn/passwordfile
+verb 3
+log-append /var/log/openvpn.${code_organization}-client.log
+#ca /etc/openvpn/${vpn_client}/ca.crt
+#cert /etc/openvpn/${vpn_client}/${vpn_client}.crt
+#key /etc/openvpn/${vpn_client}/${vpn_client}.key
+__EOT__
+
+ echo "<ca>" >> $ovpnfile
+ cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/ca.crt >> $ovpnfile
+ echo "</ca>" >> $ovpnfile
+
+ echo "<cert>" >> $ovpnfile
+ cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.crt \
+ | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
+ >> $ovpnfile
+ echo "</cert>" >> $ovpnfile
+
+ echo "<key>" >> $ovpnfile
+ cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key \
+ >> $ovpnfile
+ echo "</key>" >> $ovpnfile
+}
+
+# MAIN
+
+ovpn_generate_client ${vpn_client}
+ovpn_generate_client_android
+ovpn_generate_client_assembly
diff --git a/iron-vpn/vpn-server b/iron-vpn/vpn-server
new file mode 100755
index 0000000000000000000000000000000000000000..1febb906c6d3858f18d8c781c4fcb401d9a18e0b
--- /dev/null
+++ b/iron-vpn/vpn-server
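Review bot: The client private key is written in plaintext into the inline `<key>` block of the .ovpn and into the tar.gz under the caller's default umask, so with a common 022 umask both artifacts are group/world-readable as soon as they are created; add `umask 077` right after `APPNAME="iron"`. Both here-documents hard-code `remote 62.171.171.30 1194` while the commented `#remote ${code_organization}` and the `vpn_port` setting in the server config suggest the endpoint was meant to come from `${CFG_FILE}`, and the usage message says only `<servername>` although two arguments are required. `CFG_FILE` is built from the unvalidated `servername` argument and then handed to `source` unquoted, so a name containing `/` points the script at a file outside `~/.iron/vpn`; a check such as `[[ "$servername" == */* ]] && exit 1` before building the path would confine it. The same unquoted `$CFG_FILE`/`$CURRDIR` expansions and the missing `set -e` appear throughout vpn-server as well; here they mean a failing `cd ./server/${code_organization}-client/${vpn_client}` still runs the `tar` over whatever the current directory happens to be.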
@@ -0,0 +1,122 @@
+#! /bin/bash -x
+# Usage: $iron vpn-server <servername>
+# Summary: create OpenVPN CA and server config
+# Help: OpenVPN CA and server config generator
+
+APPNAME="iron"
+
+if [ "$#" != "1" ]; then
+ echo "Usage: vpn-server <servername>"
+ exit 1
+fi
+
+servername=$1
+CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}.cfg
+
+cd $(dirname $0)
+CURRDIR=$(pwd)
+#EASY_RSA_HOME=$CURRDIR/easy-rsa/easyrsa3
+EASY_RSA_HOME=/usr/share/easy-rsa/
+
+function write_empty_config()
+{
+ CFGDIR=$(dirname ${CFG_FILE})
+ test -d ${CFGDIR} || mkdir -p ${CFGDIR}
+ echo "code_country="> $CFG_FILE
+ echo "code_province=">> $CFG_FILE
+ echo "code_city=">> $CFG_FILE
+ echo "code_organization=${servername}">> $CFG_FILE
+ echo "code_email=">> $CFG_FILE
+ echo "vpn_port=1194">> $CFG_FILE
+ echo "Edit config file: [$CFG_FILE]"
+ exit 1
+}
+
+function test_config()
+{
+ test -f $CFG_FILE || write_empty_config
+}
+
+function ovpn_generate_ca()
+{
+
+VARS_CONTENT=$(cat<<__EOT__
+export KEY_SIZE=2048
+export CA_EXPIRE=3650
+export KEY_EXPIRE=3650
+
+export KEY_COUNTRY="${code_country}"
+export KEY_PROVINCE="${code_province}"
+export KEY_CITY="${code_city}"
+export KEY_ORG="${code_organization}"
+export KEY_EMAIL="${code_email}"
+export KEY_CN=${code_organization}
+export KEY_NAME=${code_organization}
+export KEY_OU=${code_organization}
+__EOT__)
+
+ echo ${VARS_CONTENT} > $CURRDIR/vars
+ source $CURRDIR/vars
+
+ ${EASY_RSA_HOME}/easyrsa init-pki
+ ${EASY_RSA_HOME}/easyrsa build-ca
+ ${EASY_RSA_HOME}/easyrsa gen-dh
+
+}
+
+function ovpn_generate_server()
+{
+ ${EASY_RSA_HOME}/easyrsa build-server-full ${code_organization}
+ # DISCOURAGED: not to give it a pass
+ #./easyrsa build-server-full ${code_organization} nopass
+}
+
+function ovpn_generate_server_assembly()
+{
+ cd $CURRDIR
+ mkdir -p "$CURRDIR/server/${code_organization}/${code_organization}"
+ cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}/${code_organization}
+ cp $CURRDIR/pki/dh.pem $CURRDIR/server/${code_organization}/${code_organization}
+ cp $CURRDIR/pki/issued/${code_organization}.crt $CURRDIR/server/${code_organization}/${code_organization}
+ cp $CURRDIR/pki/private/${code_organization}.key $CURRDIR/server/${code_organization}/${code_organization}
+
+cat<<__EOT__>$CURRDIR/server/${code_organization}/${code_organization}.conf
+port ${vpn_port}
+proto tcp
+dev tun
+#askpass /etc/openvpn/passwordfile
+ca /etc/openvpn/${code_organization}/ca.crt
+cert /etc/openvpn/${code_organization}/${code_organization}.crt
+key /etc/openvpn/${code_organization}/${code_organization}.key
+dh /etc/openvpn/${code_organization}/dh.pem
+server 10.0.0.0 255.255.0.0
+# GOOD IP RANGES:
+# 10.0.0.0 - 10.255.255.255
+# 172.16.0.0 - 172.31.255.255
+# 192.168.0.0 - 192.168.255.255
+
+ifconfig-pool-persist /etc/openvpn/${code_organization}/ipp.txt
+keepalive 10 120
+comp-lzo
+user nobody
+group users
+persist-key
+persist-tun
+status /var/log/openvpn-status.log
+log-append /var/log/openvpn.log
+verb 3
+client-to-client
+__EOT__
+
+ cd $CURRDIR/server/${code_organization}
+ tar cvfz $CURRDIR/${code_organization}-server.tar.gz .
+}
+
+# MAIN
+
+test_config
+source ${CFG_FILE}
+
+ovpn_generate_ca
+ovpn_generate_server
+ovpn_generate_server_assembly
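Review bot: `#! /bin/bash -x` enables xtrace for every run, so the expanded `KEY_*` lines built from the config and every `easyrsa` invocation are echoed to stderr and into any log that captures it; drop the `-x` and use `bash -x vpn-server` when debugging. In ovpn_generate_ca, `echo ${VARS_CONTENT} > $CURRDIR/vars` expands the here-document unquoted, so its newlines collapse into a single line and any `*` or `?` in the config values is glob-expanded before being written and sourced; `printf '%s\n' "$VARS_CONTENT" > "$CURRDIR/vars"` preserves it as written. The easy-rsa 3 commands used here (`init-pki`, `build-ca`, `gen-dh`, `build-server-full`) read `EASYRSA_*` variables such as `EASYRSA_REQ_CN` and `EASYRSA_CA_EXPIRE` rather than the easy-rsa 2 `KEY_*` names, so the generated `vars` file appears to have no effect on the issued certificates — worth verifying against the installed easy-rsa version. In the server config, `server 10.0.0.0 255.255.0.0` together with `client-to-client` hands out a /16 in which every client can reach every other client; if that is intended, a comment saying so would help, otherwise `client-to-client` should be dropped.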