1. devstack
  2. Blame
tools/install_openvpn.sh
135fb645 
 #!/bin/bash
e62ba4d3 
 
 # **install_openvpn.sh**
 
 # Install OpenVPN and generate required certificates
135fb645 
 #
 # install_openvpn.sh --client name
 # install_openvpn.sh --server [name]
 #
 # name is used on the CN of the generated cert, and the filename of
 # the configuration, certificate and key files.
 #
 # --server mode configures the host with a running OpenVPN server instance
 # --client mode creates a tarball of a client configuration for this server
78f21408 
 # Get config file
f44e98d1 
 if [ -e localrc ]; then
     . localrc
78f21408 
 fi
f44e98d1 
 if [ -e vpnrc ]; then
     . vpnrc
 fi
 
 # Do some IP manipulation
 function cidr2netmask() {
     set -- $(( 5 - ($1 / 8) )) 255 255 255 255 $(( (255 << (8 - ($1 % 8))) & 255 )) 0 0 0
     if [[ $1 -gt 1 ]]; then
         shift $1
     else
         shift
     fi
     echo ${1-0}.${2-0}.${3-0}.${4-0}
 }
 
 FIXED_NET=`echo $FIXED_RANGE | cut -d'/' -f1`
 FIXED_CIDR=`echo $FIXED_RANGE | cut -d'/' -f2`
 FIXED_MASK=`cidr2netmask $FIXED_CIDR`
78f21408
135fb645 
 # VPN Config
 VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`}  # 50.56.12.212
 VPN_PROTO=${VPN_PROTO:-tcp}
 VPN_PORT=${VPN_PORT:-6081}
f44e98d1 
 VPN_DEV=${VPN_DEV:-tap0}
 VPN_BRIDGE=${VPN_BRIDGE:-br100}
 VPN_BRIDGE_IF=${VPN_BRIDGE_IF:-$FLAT_INTERFACE}
 VPN_CLIENT_NET=${VPN_CLIENT_NET:-$FIXED_NET}
 VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-$FIXED_MASK}
 VPN_CLIENT_DHCP="${VPN_CLIENT_DHCP:-net.1 net.254}"
135fb645 
 
 VPN_DIR=/etc/openvpn
f44e98d1 
 CA_DIR=$VPN_DIR/easy-rsa
135fb645 
 
 usage() {
     echo "$0 - OpenVPN install and certificate generation"
     echo ""
     echo "$0 --client name"
     echo "$0 --server [name]"
     echo ""
     echo " --server mode configures the host with a running OpenVPN server instance"
     echo " --client mode creates a tarball of a client configuration for this server"
     exit 1
 }
 
 if [ -z $1 ]; then
     usage
 fi
 
 # Install OpenVPN
78f21408 
 VPN_EXEC=`which openvpn`
 if [ -z "$VPN_EXEC" -o ! -x "$VPN_EXEC" ]; then
135fb645 
     apt-get install -y openvpn bridge-utils
 fi
 if [ ! -d $CA_DIR ]; then
     cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
 fi
f44e98d1 
 # Keep track of the current directory
 TOOLS_DIR=$(cd $(dirname "$0") && pwd)
 TOP_DIR=$(cd $TOOLS_DIR/.. && pwd)
 
 WEB_DIR=$TOP_DIR/../vpn
 if [[ ! -d $WEB_DIR ]]; then
     mkdir -p $WEB_DIR
 fi
 WEB_DIR=$(cd $TOP_DIR/../vpn && pwd)
135fb645 
 cd $CA_DIR
 source ./vars
 
 # Override the defaults
 export KEY_COUNTRY="US"
 export KEY_PROVINCE="TX"
 export KEY_CITY="SanAntonio"
 export KEY_ORG="Cloudbuilders"
 export KEY_EMAIL="rcb@lists.rackspace.com"
 
 if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
     # Initialize a new CA
     $CA_DIR/clean-all
     $CA_DIR/build-dh
     $CA_DIR/pkitool --initca
     openvpn --genkey --secret $CA_DIR/keys/ta.key  ## Build a TLS key
 fi
 
 do_server() {
     NAME=$1
     # Generate server certificate
     $CA_DIR/pkitool --server $NAME
 
     (cd $CA_DIR/keys;
         cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
     )
78f21408 
     cat >$VPN_DIR/br-up <<EOF
 #!/bin/bash
 
 BR="$VPN_BRIDGE"
 TAP="\$1"
f44e98d1 
 if [[ ! -d /sys/class/net/\$BR ]]; then
     brctl addbr \$BR
 fi
78f21408 
 for t in \$TAP; do
     openvpn --mktun --dev \$t
     brctl addif \$BR \$t
     ifconfig \$t 0.0.0.0 promisc up
 done
 EOF
     chmod +x $VPN_DIR/br-up
     cat >$VPN_DIR/br-down <<EOF
 #!/bin/bash
 
 BR="$VPN_BRIDGE"
 TAP="\$1"
 
 for i in \$TAP; do
     brctl delif \$BR $t
     openvpn --rmtun --dev \$i
 done
 EOF
     chmod +x $VPN_DIR/br-down
135fb645 
     cat >$VPN_DIR/$NAME.conf <<EOF
 proto $VPN_PROTO
 port $VPN_PORT
 dev $VPN_DEV
78f21408 
 up $VPN_DIR/br-up
 down $VPN_DIR/br-down
135fb645 
 cert $NAME.crt
 key $NAME.key  # This file should be kept secret
2969c701 
 ca ca.crt
 dh dh1024.pem
135fb645 
 duplicate-cn
78f21408 
 server-bridge $VPN_CLIENT_NET $VPN_CLIENT_MASK $VPN_CLIENT_DHCP
2969c701 
 ifconfig-pool-persist ipp.txt
 comp-lzo
135fb645 
 user nobody
78f21408 
 group nogroup
2969c701 
 persist-key
 persist-tun
 status openvpn-status.log
 EOF
135fb645 
     /etc/init.d/openvpn restart
 }
 
 do_client() {
     NAME=$1
     # Generate a client certificate
     $CA_DIR/pkitool $NAME
 
     TMP_DIR=`mktemp -d`
     (cd $CA_DIR/keys;
         cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
     )
     if [ -r $VPN_DIR/hostname ]; then
         HOST=`cat $VPN_DIR/hostname`
     else
         HOST=`hostname`
     fi
     cat >$TMP_DIR/$HOST.conf <<EOF
 proto $VPN_PROTO
 port $VPN_PORT
 dev $VPN_DEV
 cert $NAME.crt
 key $NAME.key  # This file should be kept secret
2969c701 
 ca ca.crt
 client
135fb645 
 remote $VPN_SERVER $VPN_PORT
2969c701 
 resolv-retry infinite
 nobind
135fb645 
 user nobody
78f21408 
 group nogroup
2969c701 
 persist-key
 persist-tun
 comp-lzo
 verb 3
 EOF
f44e98d1 
     (cd $TMP_DIR; tar cf $WEB_DIR/$NAME.tar *)
135fb645 
     rm -rf $TMP_DIR
f44e98d1 
     echo "Client certificate and configuration is in $WEB_DIR/$NAME.tar"
135fb645 
 }
 
 # Process command line args
 case $1 in
     --client)   if [ -z $2 ]; then
                     usage
                 fi
                 do_client $2
                 ;;
     --server)   if [ -z $2 ]; then
                     NAME=`hostname`
                 else
                     NAME=$2
                     # Save for --client use
                     echo $NAME >$VPN_DIR/hostname
                 fi
                 do_server $NAME
                 ;;
     --clean)    $CA_DIR/clean-all
                 ;;
     *)          usage
 esac