@@ -1,60 +1,154 @@

-# rough history from wilk - need to cleanup

-apt-get install -y openvpn bridge-utils

-cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/

-cd /etc/openvpn/easy-rsa

-source vars

-./clean-all

-./build-dh

-./pkitool --initca

-./pkitool --server server

-./pkitool client1

-cd keys

-openvpn --genkey --secret ta.key  ## Build a TLS key

-cp server.crt server.key ca.crt dh1024.pem ta.key ../../

-cd ../../

-

-cat >/etc/openvpn/server.conf <<EOF

-duplicate-cn

-port 6081

-proto tcp

-dev tun

+#!/bin/bash

+# install_openvpn.sh - Install OpenVPN and generate required certificates

+#

+# install_openvpn.sh --client name

+# install_openvpn.sh --server [name]

+#

+# name is used on the CN of the generated cert, and the filename of

+# the configuration, certificate and key files.

+#

+# --server mode configures the host with a running OpenVPN server instance

+# --client mode creates a tarball of a client configuration for this server

+

+# VPN Config

+VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`}  # 50.56.12.212

+VPN_PROTO=${VPN_PROTO:-tcp}

+VPN_PORT=${VPN_PORT:-6081}

+VPN_DEV=${VPN_DEV:-tun}

+VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}

+VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}

+VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}

+VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}

+

+VPN_DIR=/etc/openvpn

+CA_DIR=/etc/openvpn/easy-rsa

+

+usage() {

+    echo "$0 - OpenVPN install and certificate generation"

+    echo ""

+    echo "$0 --client name"

+    echo "$0 --server [name]"

+    echo ""

+    echo " --server mode configures the host with a running OpenVPN server instance"

+    echo " --client mode creates a tarball of a client configuration for this server"

+    exit 1

+}

+

+if [ -z $1 ]; then

+    usage

+fi

+

+# Install OpenVPN

+if [ ! -x `which openvpn` ]; then

+    apt-get install -y openvpn bridge-utils

+fi

+if [ ! -d $CA_DIR ]; then

+    cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR

+fi

+

+OPWD=`pwd`

+cd $CA_DIR

+source ./vars

+

+# Override the defaults

+export KEY_COUNTRY="US"

+export KEY_PROVINCE="TX"

+export KEY_CITY="SanAntonio"

+export KEY_ORG="Cloudbuilders"

+export KEY_EMAIL="rcb@lists.rackspace.com"

+

+if [ ! -r $CA_DIR/keys/dh1024.pem ]; then

+    # Initialize a new CA

+    $CA_DIR/clean-all

+    $CA_DIR/build-dh

+    $CA_DIR/pkitool --initca

+    openvpn --genkey --secret $CA_DIR/keys/ta.key  ## Build a TLS key

+fi

+

+do_server() {

+    NAME=$1

+    # Generate server certificate

+    $CA_DIR/pkitool --server $NAME

+

+    (cd $CA_DIR/keys;

+        cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR

+    )

+    cat >$VPN_DIR/$NAME.conf <<EOF

+proto $VPN_PROTO

+port $VPN_PORT

+dev $VPN_DEV

+cert $NAME.crt

+key $NAME.key  # This file should be kept secret

 ca ca.crt

-cert server.crt

-key server.key  # This file should be kept secret

 dh dh1024.pem

-server 172.16.28.0 255.255.255.0

+duplicate-cn

+server $VPN_CLIENT_NET $VPN_CLIENT_MASK

 ifconfig-pool-persist ipp.txt

-push "route 10.0.0.0 255.255.255.224"

+push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"

 comp-lzo

+user nobody

+group nobody

 persist-key

 persist-tun

 status openvpn-status.log

 EOF

-/etc/init.d/openvpn restart

-

-echo Use the following ca for your client:

-cat /etc/openvpn/ca.crt

-

-echo

-echo Use the following cert for your client

-cat /etc/openvpn/easy-rsa/keys/client1.crt 

-echo

-echo Use the following key for your client

-cat /etc/openvpn/easy-rsa/keys/client1.key 

-echo

-echo Use the following client config:

-cat <<EOF

+    /etc/init.d/openvpn restart

+}

+

+do_client() {

+    NAME=$1

+    # Generate a client certificate

+    $CA_DIR/pkitool $NAME

+

+    TMP_DIR=`mktemp -d`

+    (cd $CA_DIR/keys;

+        cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR

+    )

+    if [ -r $VPN_DIR/hostname ]; then

+        HOST=`cat $VPN_DIR/hostname`

+    else

+        HOST=`hostname`

+    fi

+    cat >$TMP_DIR/$HOST.conf <<EOF

+proto $VPN_PROTO

+port $VPN_PORT

+dev $VPN_DEV

+cert $NAME.crt

+key $NAME.key  # This file should be kept secret

 ca ca.crt

-cert client.crt

-key client.key

 client

-dev tun

-proto tcp

-remote 50.56.12.212 6081

+remote $VPN_SERVER $VPN_PORT

 resolv-retry infinite

 nobind

+user nobody

+group nobody

 persist-key

 persist-tun

 comp-lzo

 verb 3

 EOF

+    (cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)

+    rm -rf $TMP_DIR

+    echo "Client certificate and configuration is in $OPWD/$NAME.tar"

+}

+

+# Process command line args

+case $1 in

+    --client)   if [ -z $2 ]; then

+                    usage

+                fi

+                do_client $2

+                ;;

+    --server)   if [ -z $2 ]; then

+                    NAME=`hostname`

+                else

+                    NAME=$2

+                    # Save for --client use

+                    echo $NAME >$VPN_DIR/hostname

+                fi

+                do_server $NAME

+                ;;

+    --clean)    $CA_DIR/clean-all

+                ;;

+    *)          usage

+esac