iron.git

commit be4e0ef43f3a944225b1497f691fafff720f5e3a

Author: Paolo Lulli <paolo@lulli.net>

create cleartext key, encrypt later

 iron-vpn/vpn-client | 59 ++++++++++++++++++++++++++----------------
 iron-vpn/vpn-server | 65 +++++++++++++++++++++++++++++++---------------


diff --git a/iron-vpn/vpn-client b/iron-vpn/vpn-client
index 4b3a6d554a6046d30790fae7ab257486177474a9..ee9a1d9736501095d7d0a3ba5a33de1a010890c8 100755
--- a/iron-vpn/vpn-client
+++ b/iron-vpn/vpn-client
@@ -1,4 +1,4 @@
-#! /bin/bash 
+#! /bin/bash
 # Usage: $iron vpn-client <servername> <clientname>
 # Summary: create OpenVPN client config
 # Help: OpenVPN client config generator
@@ -6,13 +6,14 @@
 APPNAME="iron"
 
 if [ "$#" != "2" ]; then
-   echo "Usage: vpn-client <servername> <clientname>"
-   exit 1
+  echo "Usage: vpn-client <servername> <clientname>"
+  exit 1
 fi
 
 servername=$1
 vpn_client=$2
-CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}.cfg
+CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}/${servername}.cfg
+CFGDIR=$(dirname ${CFG_FILE})
 
 CURRDIR=$(pwd)
 EASY_RSA_HOME=/usr/share/easy-rsa/
@@ -21,24 +22,24 @@ test -f $CFG_FILE || echo "No such config: [${CFG_FILE}]"
 test -f $CFG_FILE || exit 1
 source ${CFG_FILE}
 
-function ovpn_generate_client()
+function ovpn_generate_client_nopass()
 {
+  cd $CFGDIR
   client_dn=$1
-  #cd $EASY_RSA_HOME
   export KEY_CN=${client_dn}
   
-  ${EASY_RSA_HOME}/easyrsa build-client-full ${client_dn}
+  ${EASY_RSA_HOME}/easyrsa build-client-full ${client_dn} nopass
 }
 
 function ovpn_generate_client_assembly()
 {
-  cd $CURRDIR
-  mkdir -p "$CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
-  cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
-  cp $CURRDIR/pki/issued/${vpn_client}.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
-  cp $CURRDIR/pki/private/${vpn_client}.key $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+  cd $CFGDIR
+  mkdir -p "$CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
+  cp $CFGDIR/pki/ca.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+  cp $CFGDIR/pki/issued/${vpn_client}.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+  cp $CFGDIR/pki/private/${vpn_client}.key $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
   
-cat<<__EOT__>$CURRDIR/server/${code_organization}-client/${vpn_client}/${code_organization}.conf
+cat<<__EOT__>$CFGDIR/server/${code_organization}-client/${vpn_client}/${code_organization}.conf
 client
 dev tun
 proto tcp
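Review bot: `cd $CFGDIR` on the first line of `ovpn_generate_client_nopass` is unchecked and unquoted; if the directory is missing or `$HOME` contains a space, the function carries on in whatever the current directory is and `easyrsa build-client-full` creates or looks for the PKI there. Use `cd "$CFGDIR" || exit 1`, and the same on the `cd $CFGDIR` that opens `ovpn_generate_client_assembly`. Note that the new `nopass` argument leaves the client private key unencrypted in `pki/private/`, which is only acceptable if the later encryption step in MAIN actually succeeds. `ovpn_generate_client_assembly` continues past the end of this hunk.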
@@ -63,12 +64,12 @@ }
 
 function ovpn_generate_client_android()
 {
-  ovpnfile=$CURRDIR/server/${code_organization}-client/${vpn_client}/${code_organization}-${vpn_client}.ovpn
-  cd $CURRDIR
-  mkdir -p "$CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
-  cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
-  cp $CURRDIR/pki/issued/${vpn_client}.crt $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
-  cp $CURRDIR/pki/private/${vpn_client}.key $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+  ovpnfile=$CFGDIR/server/${code_organization}-client/${vpn_client}/${code_organization}-${vpn_client}.ovpn
+  cd $CFGDIR
+  mkdir -p "$CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}"
+  cp $CFGDIR/pki/ca.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+  cp $CFGDIR/pki/issued/${vpn_client}.crt $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
+  cp $CFGDIR/pki/private/${vpn_client}.key $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}
   
 cat<<__EOT__>$ovpnfile
 client
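Review bot: The `mkdir -p` and the three `cp` calls in `ovpn_generate_client_android` create the bundle directory and the private-key copy under the caller's default umask, so with the usual 022 the key copy is world-readable. Set `umask 077` once near the top of the script, or follow the copy with `chmod 600 "$CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key"`. The `cd $CFGDIR` here is also unchecked; `cd "$CFGDIR" || return 1` is cheap. The function body continues outside the hunk.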
@@ -90,23 +91,35 @@ #key  /etc/openvpn/${vpn_client}/${vpn_client}.key
 __EOT__
   
   echo "<ca>" >> $ovpnfile
-  cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/ca.crt >> $ovpnfile
+  cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/ca.crt >> $ovpnfile
   echo "</ca>" >> $ovpnfile
   
   echo "<cert>" >> $ovpnfile
-  cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.crt  \
+  cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.crt  \
   | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
   >> $ovpnfile
   echo "</cert>" >> $ovpnfile
   
   echo "<key>" >> $ovpnfile
-  cat $CURRDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key \
+  cat $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key \
   >> $ovpnfile
   echo "</key>" >> $ovpnfile
 }
 
 # MAIN
 
-ovpn_generate_client ${vpn_client}
+client_password=$(uuidgen)
+client_credentials="$CFGDIR/client-${vpn_client}-credentials.txt"
+test -d ${CFGDIR} || mkdir -p ${CFGDIR}
+echo "credentials for ${code_organization}:${vpn_client}:[${client_password}]">>$client_credentials
+
+ovpn_generate_client_nopass ${vpn_client}
+
+
+openssl rsa -aes256 -in $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key -out $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/encrypted-${vpn_client}.key\
+        -passout pass:${client_password}\
+        && mv  $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/encrypted-${vpn_client}.key $CFGDIR/server/${code_organization}-client/${vpn_client}/${vpn_client}/${vpn_client}.key
+
+
 ovpn_generate_client_android
 ovpn_generate_client_assembly
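Review bot: The `openssl rsa` call at the bottom of this hunk encrypts the key at `$CFGDIR/server/.../${vpn_client}.key`, but that copy does not exist yet: it is only created by `ovpn_generate_client_android` and `ovpn_generate_client_assembly`, which run afterwards and copy the still-unencrypted key from `pki/private/`. Without `set -e` the failure is silent, the `&& mv` never runs, the generated `.ovpn` embeds the plaintext key, and `client-<name>-credentials.txt` records a passphrase that protects nothing. Encrypt the key in `pki/private/` before assembly (as vpn-server does), abort if that fails, and pass the passphrase via `-passout env:` rather than `pass:` so it is not visible to other local users in the process list. The credentials file is also appended under the default umask; a `umask 077` near the top of the script (or `chmod 600` on it) keeps it private.
```shell
export client_password
openssl rsa -aes256 -in "$CFGDIR/pki/private/${vpn_client}.key" \
  -out "$CFGDIR/pki/private/encrypted-${vpn_client}.key" -passout env:client_password \
  && mv "$CFGDIR/pki/private/encrypted-${vpn_client}.key" "$CFGDIR/pki/private/${vpn_client}.key" \
  || { echo "failed to encrypt ${vpn_client}.key" >&2; exit 1; }
# … unchanged: ovpn_generate_client_android / ovpn_generate_client_assembly calls …
```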




diff --git a/iron-vpn/vpn-server b/iron-vpn/vpn-server
index aa0bef3ab7fd8d5dd65b77d597285fe5422e41ba..ca833c9de10c808677d636903f8222fca22a99e8 100755
--- a/iron-vpn/vpn-server
+++ b/iron-vpn/vpn-server
@@ -1,4 +1,4 @@
-#! /bin/bash 
+#! /bin/bash
 # Usage: $iron vpn-server <servername>
 # Summary: create OpenVPN CA and server config
 # Help: OpenVPN CA and server config generator
@@ -6,21 +6,21 @@
 APPNAME="iron"
 
 if [ "$#" != "1" ]; then
-   echo "Usage: vpn-server <servername>"
-   exit 1
+  echo "Usage: vpn-server <servername>"
+  exit 1
 fi
 
 servername=$1
-CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}.cfg
+CFG_FILE=$HOME/.${APPNAME}/vpn/${servername}/${servername}.cfg
+CFGDIR=$(dirname ${CFG_FILE})
 
-cd $(dirname $0)
 CURRDIR=$(pwd)
+cd $(dirname $0)
 #EASY_RSA_HOME=$CURRDIR/easy-rsa/easyrsa3
 EASY_RSA_HOME=/usr/share/easy-rsa/
 
 function write_empty_config()
 {
-  CFGDIR=$(dirname ${CFG_FILE})
   test -d ${CFGDIR} || mkdir -p ${CFGDIR}
   echo "code_country="> $CFG_FILE
   echo "code_province=">> $CFG_FILE
@@ -37,8 +37,9 @@ {
   test -f $CFG_FILE || write_empty_config
 }
 
-function ovpn_generate_ca()
+function ovpn_generate_ca_nopass()
 {
+  cd ${CFGDIR};
   
 VARS_CONTENT=$(cat<<__EOT__
 export KEY_SIZE=2048
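Review bot: `cd ${CFGDIR};` in `ovpn_generate_ca_nopass` is unchecked; if it fails, the `easyrsa init-pki` further down the function (outside this hunk) would initialize a PKI in the script's own directory, because MAIN has just done `cd $(dirname $0)`. Write `cd "${CFGDIR}" || exit 1`. The function body continues past the end of the hunk.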
@@ -55,32 +56,34 @@ export KEY_NAME=${code_organization}
 export KEY_OU=${code_organization}
 __EOT__)
   
-  echo ${VARS_CONTENT} > $CURRDIR/vars
-  source $CURRDIR/vars
+  echo ${VARS_CONTENT} > $CFGDIR/vars
+  source $CFGDIR/vars
   
   ${EASY_RSA_HOME}/easyrsa init-pki
-  ${EASY_RSA_HOME}/easyrsa build-ca
+  #${EASY_RSA_HOME}/easyrsa build-ca
+  ${EASY_RSA_HOME}/easyrsa build-ca nopass
   ${EASY_RSA_HOME}/easyrsa gen-dh
   
 }
 
-function ovpn_generate_server()
+function ovpn_generate_server_nopass()
 {
-  ${EASY_RSA_HOME}/easyrsa build-server-full ${code_organization}
+  cd ${CFGDIR};
+  ${EASY_RSA_HOME}/easyrsa build-server-full ${code_organization} nopass
   # DISCOURAGED: not to give it a pass
   #./easyrsa build-server-full ${code_organization} nopass
 }
 
 function ovpn_generate_server_assembly()
 {
-  cd $CURRDIR
-  mkdir -p "$CURRDIR/server/${code_organization}/${code_organization}"
-  cp $CURRDIR/pki/ca.crt $CURRDIR/server/${code_organization}/${code_organization}
-  cp $CURRDIR/pki/dh.pem $CURRDIR/server/${code_organization}/${code_organization}
-  cp $CURRDIR/pki/issued/${code_organization}.crt $CURRDIR/server/${code_organization}/${code_organization}
-  cp $CURRDIR/pki/private/${code_organization}.key $CURRDIR/server/${code_organization}/${code_organization}
+  cd ${CFGDIR}
+  mkdir -p "$CFGDIR/server/${code_organization}/${code_organization}"
+  cp $CFGDIR/pki/ca.crt $CFGDIR/server/${code_organization}/${code_organization}
+  cp $CFGDIR/pki/dh.pem $CFGDIR/server/${code_organization}/${code_organization}
+  cp $CFGDIR/pki/issued/${code_organization}.crt $CFGDIR/server/${code_organization}/${code_organization}
+  cp $CFGDIR/pki/private/${code_organization}.key $CFGDIR/server/${code_organization}/${code_organization}
   
-cat<<__EOT__>$CURRDIR/server/${code_organization}/${code_organization}.conf
+cat<<__EOT__>$CFGDIR/server/${code_organization}/${code_organization}.conf
 port ${vpn_port}
 proto tcp
 dev tun
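Review bot: The comment `# DISCOURAGED: not to give it a pass` directly under `build-server-full ${code_organization} nopass` now contradicts the code, since `nopass` is exactly what that line does. Replace the two comment lines with one that states the intent: `# key is created unencrypted here; MAIN re-encrypts it with openssl (server_password) before assembly`. The commented-out `build-ca` line above `build-ca nopass` is likewise dead and should be removed rather than kept alongside the new call.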
@@ -108,7 +111,7 @@ verb 3
 client-to-client
 __EOT__
   
-  cd $CURRDIR/server/${code_organization}
+  cd $CFGDIR/server/${code_organization}
   tar cvfz $CURRDIR/${code_organization}-server.tar.gz  .
 }
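Review bot: `tar cvfz $CURRDIR/${code_organization}-server.tar.gz .` writes an archive containing the server private key (plus the CA cert, DH params and server config) with whatever permissions the default umask gives, into the directory the user invoked the script from, since this commit moved `CURRDIR=$(pwd)` ahead of `cd $(dirname $0)`. Add `umask 077` before the tar call or `chmod 600 "$CURRDIR/${code_organization}-server.tar.gz"` after it. The key in the archive is encrypted only if the openssl step in MAIN succeeded, which that step does not check. `ovpn_generate_server_assembly` begins before this hunk.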
 
@@ -117,6 +120,24 @@
 test_config
 source ${CFG_FILE}
 
-ovpn_generate_ca
-ovpn_generate_server
+
+ca_password=$(uuidgen)
+server_password=$(uuidgen)
+server_credentials="$CFGDIR/server-credentials.txt"
+test -d ${CFGDIR} || mkdir -p ${CFGDIR}
+echo "CA password:[${ca_password}]">>$server_credentials
+echo "server [$servername] priv key password:[${server_password}]">>$server_credentials
+
+
+ovpn_generate_ca_nopass
+ovpn_generate_server_nopass 
+
+openssl rsa -aes256 -in ${CFGDIR}/pki/private/ca.key -out ${CFGDIR}/pki/private/encrypted-ca.key \
+	-passout pass:${ca_password}\
+	&& mv ${CFGDIR}/pki/private/encrypted-ca.key ${CFGDIR}/pki/private/ca.key 
+
+openssl rsa -aes256 -in ${CFGDIR}/pki/private/${code_organization}.key -out ${CFGDIR}/pki/private/encrypted-${code_organization}.key\
+	-passout pass:${server_password}\
+	&& mv ${CFGDIR}/pki/private/encrypted-${code_organization}.key $CFGDIR/pki/private/${code_organization}.key
+
 ovpn_generate_server_assembly
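Review bot: Both `openssl rsa` invocations pass the passphrase as `-passout pass:…`, which exposes it to every local user via the process list for the duration of the call; exporting the variable and using `-passout env:ca_password` avoids that. Neither call checks for failure: if `openssl` fails the `&& mv` is skipped, the plaintext key stays in `pki/private/`, `ovpn_generate_server_assembly` packages it into the tarball without any warning, and `server-credentials.txt` still claims a passphrase. That file is also appended under the default umask, so a `umask 077` at the top of the script (or `chmod 600`) is needed. Encrypting `ca.key` also means later `vpn-client` runs will need the CA passphrase when `build-client-full` signs; presumably easyrsa prompts for it interactively, which is worth confirming is the intended workflow.
```shell
export ca_password server_password
openssl rsa -aes256 -in "${CFGDIR}/pki/private/ca.key" -out "${CFGDIR}/pki/private/encrypted-ca.key" \
  -passout env:ca_password \
  && mv "${CFGDIR}/pki/private/encrypted-ca.key" "${CFGDIR}/pki/private/ca.key" \
  || { echo "failed to encrypt ca.key" >&2; exit 1; }

openssl rsa -aes256 -in "${CFGDIR}/pki/private/${code_organization}.key" -out "${CFGDIR}/pki/private/encrypted-${code_organization}.key" \
  -passout env:server_password \
  && mv "${CFGDIR}/pki/private/encrypted-${code_organization}.key" "${CFGDIR}/pki/private/${code_organization}.key" \
  || { echo "failed to encrypt ${code_organization}.key" >&2; exit 1; }
# … unchanged: ovpn_generate_server_assembly call …
```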