Add support for OpenVPN username and password
This commit is contained in:
parent
2b310143d7
commit
e6f33e3015
@ -1,6 +1,7 @@
|
||||
#!/bin/bash
|
||||
# Make sure script is ran as root
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
exec sudo /bin/bash "$0" "$@"
|
||||
exec sudo /bin/bash "$0" "$@"
|
||||
fi
|
||||
|
||||
DIR=$(pwd)
|
||||
@ -10,12 +11,26 @@ for i in {1..255}; do
|
||||
break
|
||||
fi
|
||||
done
|
||||
VPN_SUBNET=$(grep -E '^server ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||
VPN_PUBLIC_HOST=$(grep -E '^#public-host ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||
VPN_PUBLIC_PORT=$(grep -E '^port ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||
echo "Adding VPN client to $VPN_PUBLIC_HOST:$VPN_PUBLIC_PORT"
|
||||
read -e -p "Enter client name: " -i "$CLIENT_NAME" CLIENT_NAME
|
||||
if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
|
||||
echo Client $CLIENT_NAME already exists...
|
||||
exit 1
|
||||
fi
|
||||
VPN_SUBNET=$(grep -E '^server ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
|
||||
if grep -q "^auth-user-pass-verify" "/etc/openvpn/myserver.conf"; then
|
||||
read -e -p "Enter username: " -i "$CLIENT_USERNAME" CLIENT_USERNAME
|
||||
if grep -q "^$CLIENT_USERNAME" "/etc/openvpn/credentials"; then
|
||||
echo "Username $CLIENT_USERNAME already exists"
|
||||
exit 1
|
||||
fi
|
||||
read -e -p "Enter password: " -i "$CLIENT_PASSWORD" CLIENT_PASSWORD
|
||||
CLIENT_PASSWORD_HASH=$(echo -n "$CLIENT_PASSWORD" | sha256sum | awk '{print $1}')
|
||||
echo "$CLIENT_USERNAME:$CLIENT_PASSWORD_HASH:$CLIENT_NAME" >> "/etc/openvpn/credentials"
|
||||
EXTRA_CONFIG = "auth-user-pass"
|
||||
fi
|
||||
read -e -p "Use static IP for this client? VPN subnet is $VPN_SUBNET (Leave empty for dynamic): " -i "" CLIENT_IP
|
||||
if [ ! -z "${CLIENT_IP}" ]; then
|
||||
echo Setting IP...
|
||||
@ -41,13 +56,14 @@ persist-key
|
||||
cipher AES-256-CBC
|
||||
ncp-ciphers AES-256-GCM:AES-128-GCM
|
||||
auth SHA1
|
||||
# tls-client
|
||||
tls-client
|
||||
client
|
||||
resolv-retry infinite
|
||||
remote home.myspace.nu 1294 udp
|
||||
# remote-cert-tls server
|
||||
remote $VPN_PUBLIC_HOST $VPN_PUBLIC_PORT udp
|
||||
remote-cert-tls server
|
||||
float
|
||||
verb 3
|
||||
$EXTRA_CONFIG
|
||||
|
||||
<ca>
|
||||
$CA_CERT
|
||||
|
@ -62,6 +62,18 @@ if ufw status | grep -q "Status: active"; then
|
||||
fi
|
||||
|
||||
if [ ! -f /etc/openvpn/myserver.conf ] || [[ " $@ " == *" --force "* ]]; then
|
||||
read -n 1 -p "Do you want to use username and password for login (y/N)? " answer
|
||||
if [[ ! -z "$answer" && "${answer^^}"=="Y" ]]; then
|
||||
EXTRA_CONFIG=$(cat <<-END
|
||||
script-security 2 # must be at least 2
|
||||
auth-user-pass-verify /etc/openvpn/auth-script.sh via-file
|
||||
username-as-common-name # without this openvpn will use cn in the certificate as username
|
||||
duplicate-cn # you may need this if everyone is using same certificate
|
||||
verify-client-cert require
|
||||
END
|
||||
)
|
||||
fi
|
||||
|
||||
tee /etc/openvpn/myserver.conf > /dev/null <<EOL
|
||||
#public-host $VPN_PUBLIC_HOST
|
||||
port $VPN_PUBLIC_PORT
|
||||
@ -80,6 +92,8 @@ topology subnet
|
||||
ifconfig-pool $VPN_SUBNET.2 $VPN_SUBNET.126
|
||||
push "route $LAN_SUBNET.0 255.255.255.0"
|
||||
|
||||
$EXTRA_CONFIG
|
||||
|
||||
keepalive 10 120
|
||||
tls-auth ta.key 0
|
||||
cipher AES-256-CBC
|
||||
@ -129,6 +143,17 @@ if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
|
||||
echo Client $CLIENT_NAME already exists...
|
||||
exit 1
|
||||
fi
|
||||
if grep -q "^auth-user-pass-verify" "/etc/openvpn/myserver.conf"; then
|
||||
read -e -p "Enter username: " -i "$CLIENT_USERNAME" CLIENT_USERNAME
|
||||
if grep -q "^$CLIENT_USERNAME" "/etc/openvpn/credentials"; then
|
||||
echo "Username $CLIENT_USERNAME already exists"
|
||||
exit 1
|
||||
fi
|
||||
read -e -p "Enter password: " -i "$CLIENT_PASSWORD" CLIENT_PASSWORD
|
||||
CLIENT_PASSWORD_HASH=$(echo -n "$CLIENT_PASSWORD" | sha256sum | awk '{print $1}')
|
||||
echo "$CLIENT_USERNAME:$CLIENT_PASSWORD_HASH:$CLIENT_NAME" >> "/etc/openvpn/credentials"
|
||||
EXTRA_CONFIG = "auth-user-pass"
|
||||
fi
|
||||
read -e -p "Use static IP for this client? VPN subnet is $VPN_SUBNET (Leave empty for dynamic): " -i "" CLIENT_IP
|
||||
if [ ! -z "${CLIENT_IP}" ]; then
|
||||
echo Setting IP...
|
||||
@ -161,6 +186,7 @@ remote $VPN_PUBLIC_HOST $VPN_PUBLIC_PORT udp
|
||||
remote-cert-tls server
|
||||
float
|
||||
verb 3
|
||||
$EXTRA_CONFIG
|
||||
|
||||
<ca>
|
||||
$CA_CERT
|
||||
@ -178,7 +204,23 @@ $TA_KEY
|
||||
EOL
|
||||
EOF
|
||||
chmod +755 /usr/local/bin/add-openvpn-client.sh
|
||||
|
||||
cat << 'EOF' > /usr/local/bin/remove-iptable-dups.sh
|
||||
#!/bin/bash
|
||||
iptables-save | awk '!seen[$0]++ || /^(\*|COMMIT)/' | iptables-restore
|
||||
EOF
|
||||
chmod +755 /usr/local/bin/remove-iptable-dups.sh
|
||||
|
||||
cat << 'EOF' > /etc/openvpn/auth-script.sh
|
||||
#!/bin/bash
|
||||
readarray -t lines < $1
|
||||
username=${lines[0]}
|
||||
password=${lines[1]}
|
||||
password_hash=$(echo -n "$password" | sha256sum | awk '{print $1}')
|
||||
if grep -q "^$username:$password_hash:" "/etc/openvpn/credentials"; then
|
||||
exit 0 # Authentication success
|
||||
else
|
||||
exit 1 # Authentication failed
|
||||
fi
|
||||
EOF
|
||||
chmod +755 /etc/openvpn/auth-script.sh
|
||||
|
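Review bot: `EXTRA_CONFIG = "auth-user-pass"` in the generated add-client script (first and fourth hunks) is parsed as a command named EXTRA_CONFIG with the arguments `=` and `auth-user-pass`, so the assignment never happens and the client config's `$EXTRA_CONFIG` line stays empty; it should read `EXTRA_CONFIG="auth-user-pass"`. In the installer hunk, `"${answer^^}"=="Y"` has no spaces around `==`, so `[[ ... ]]` only tests that the concatenated string is non-empty and any keypress (including "n") enables password auth; write `if [[ -n "$answer" && "${answer^^}" == "Y" ]]; then`. The credential handling is weak for a password store: `read -e -p "Enter password: "` echoes the password on the terminal (add `-s`), the stored value is a single unsalted SHA-256 rather than a salted password hash (e.g. via `openssl passwd -6` or `mkpasswd`), and `/etc/openvpn/credentials` is appended to without its mode ever being restricted, so a `chmod 600` after the write is needed. In the generated auth-script.sh, `readarray -t lines < $1` leaves `$1` unquoted and the client-supplied username is interpolated into a grep regex, so the file should be read with `"$1"` and the lookup should compare fields exactly (a `while IFS=: read -r u h _` loop over the credentials file) instead of matching a pattern built from untrusted input; `grep -q "^$CLIENT_USERNAME"` in the add-client script has the same prefix/regex problem. The heredocs that generate these scripts open outside the visible hunks, so the enclosing installer continues beyond them.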