diff --git a/BashScripts/add-openvpn-client.sh b/BashScripts/add-openvpn-client.sh
index c388fbe..7ba24a0 100644
--- a/BashScripts/add-openvpn-client.sh
+++ b/BashScripts/add-openvpn-client.sh
@@ -1,6 +1,7 @@
+#!/bin/bash
 # Make sure script is ran as root
 if [[ $EUID -ne 0 ]]; then
- exec sudo /bin/bash "$0" "$@"
+ exec sudo /bin/bash "$0" "$@"
 fi
 DIR=$(pwd)
@@ -10,12 +11,26 @@ for i in {1..255}; do
 break
 fi
 done
+VPN_SUBNET=$(grep -E '^server ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
+VPN_PUBLIC_HOST=$(grep -E '^#public-host ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
+VPN_PUBLIC_PORT=$(grep -E '^port ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
+echo "Adding VPN client to $VPN_PUBLIC_HOST:$VPN_PUBLIC_PORT"
 read -e -p "Enter client name: " -i "$CLIENT_NAME" CLIENT_NAME
 if [ -f "/etc/openvpn/easy-rsa/pki/issued/$CLIENT_NAME.crt" ]; then
 echo Client $CLIENT_NAME already exists...
 exit 1
 fi
-VPN_SUBNET=$(grep -E '^server ' "/etc/openvpn/myserver.conf" | awk '{print $2}')
+if grep -q "^auth-user-pass-verify" "/etc/openvpn/myserver.conf"; then
+ read -e -p "Enter username: " -i "$CLIENT_USERNAME" CLIENT_USERNAME
+ if grep -q "^$CLIENT_USERNAME" "/etc/openvpn/credentials"; then
+ echo "Username $CLIENT_USERNAME already exists"
+ exit 1
+ fi
+ read -e -p "Enter password: " -i "$CLIENT_PASSWORD" CLIENT_PASSWORD
+ CLIENT_PASSWORD_HASH=$(echo -n "$CLIENT_PASSWORD" | sha256sum | awk '{print $1}')
+ echo "$CLIENT_USERNAME:$CLIENT_PASSWORD_HASH:$CLIENT_NAME" >> "/etc/openvpn/credentials"
+ EXTRA_CONFIG = "auth-user-pass"
+fi
 read -e -p "Use static IP for this client? VPN subnet is $VPN_SUBNET (Leave empty for dynamic): " -i "" CLIENT_IP
 if [ ! -z "${CLIENT_IP}" ]; then
 echo Setting IP...
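Review bot: `EXTRA_CONFIG = "auth-user-pass"` at the end of the new `if grep -q "^auth-user-pass-verify"` block is not an assignment in bash — with spaces around `=` the shell tries to run a command named `EXTRA_CONFIG`, so the variable stays empty and the generated client profile never receives the `auth-user-pass` directive; it must be `EXTRA_CONFIG="auth-user-pass"`. The password is read with `-e -i`, which echoes it to the terminal and pre-fills any previous value, and is then stored as an unsalted single SHA-256 in `/etc/openvpn/credentials`, a file that `>>` creates with the default umask; read it with `read -r -s`, create the file with mode 600 before the first append, and plan to move both this side and auth-script.sh (later in this diff) to a salted slow password hash in one change. `grep -q "^$CLIENT_USERNAME"` treats the name as a regular expression and only checks a prefix, so `bob` collides with an existing `bobby` and a `:` in the name breaks the file format; compare the first field exactly and restrict the character set. `$VPN_PUBLIC_HOST` and `$VPN_PUBLIC_PORT` are interpolated into the client's `remote` line further down without being checked, so a missing `#public-host` line silently produces an unusable profile — add `: "${VPN_PUBLIC_HOST:?no #public-host line in myserver.conf}"` after the assignment. The same block is embedded verbatim in the install-openvpn-server.sh heredoc in this diff, so whatever is changed here has to be mirrored there.
```shell
if grep -q "^auth-user-pass-verify" "/etc/openvpn/myserver.conf"; then
  read -r -e -p "Enter username: " -i "$CLIENT_USERNAME" CLIENT_USERNAME
  # ':' is the field separator of the credentials file and the name is later
  # matched by auth-script.sh, so keep it to a plain character set.
  if [[ ! "$CLIENT_USERNAME" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "Invalid username: use letters, digits, '.', '_' or '-'"
    exit 1
  fi
  # Create the store with restrictive permissions before anything is appended.
  touch "/etc/openvpn/credentials"
  chmod 600 "/etc/openvpn/credentials"
  # Exact match on the first field; "^$CLIENT_USERNAME" would also match longer names.
  if awk -F: -v u="$CLIENT_USERNAME" '$1 == u { found = 1 } END { exit !found }' "/etc/openvpn/credentials"; then
    echo "Username $CLIENT_USERNAME already exists"
    exit 1
  fi
  # -s: do not echo the password; no -i so a previous value is never shown.
  read -r -s -p "Enter password: " CLIENT_PASSWORD
  echo
  # … unchanged: CLIENT_PASSWORD_HASH computation and the append to /etc/openvpn/credentials …
  EXTRA_CONFIG="auth-user-pass"
fi
```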
@@ -41,13 +56,14 @@ persist-key
 cipher AES-256-CBC
 ncp-ciphers AES-256-GCM:AES-128-GCM
 auth SHA1
-# tls-client
+tls-client
 client
 resolv-retry infinite
-remote home.myspace.nu 1294 udp
-# remote-cert-tls server
+remote $VPN_PUBLIC_HOST $VPN_PUBLIC_PORT udp
+remote-cert-tls server
 float
 verb 3
+$EXTRA_CONFIG
 $CA_CERT
diff --git a/BashScripts/install-openvpn-server.sh b/BashScripts/install-openvpn-server.sh
index 9ca6d7e..36d8a89 100644
--- a/BashScripts/install-openvpn-server.sh
+++ b/BashScripts/install-openvpn-server.sh
@@ -62,6 +62,18 @@ if ufw status | grep -q "Status: active"; then
 fi
 if [ ! -f /etc/openvpn/myserver.conf ] || [[ " $@ " == *" --force "* ]]; then
+ read -n 1 -p "Do you want to use username and password for login (y/N)? " answer
+ if [[ ! -z "$answer" && "${answer^^}"=="Y" ]]; then
+ EXTRA_CONFIG=$(cat <<-END
+script-security 2 # must be at least 2
+auth-user-pass-verify /etc/openvpn/auth-script.sh via-file
+username-as-common-name # without this openvpn will use cn in the certificate as username
+duplicate-cn # you may need this if everyone is using same certificate
+verify-client-cert require
+END
+)
+ fi
+ tee /etc/openvpn/myserver.conf > /dev/null <> "/etc/openvpn/credentials"
+ EXTRA_CONFIG = "auth-user-pass"
+fi
 read -e -p "Use static IP for this client? VPN subnet is $VPN_SUBNET (Leave empty for dynamic): " -i "" CLIENT_IP
 if [ ! -z "${CLIENT_IP}" ]; then
 echo Setting IP...
@@ -161,6 +186,7 @@ remote $VPN_PUBLIC_HOST $VPN_PUBLIC_PORT udp
 remote-cert-tls server
 float
 verb 3
+$EXTRA_CONFIG
 $CA_CERT
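Review bot: `"${answer^^}"=="Y"` in the new `if [[ ... ]]` of install-openvpn-server.sh has no spaces around `==`, so bash sees one non-empty word and the test is true for any key other than Enter — pressing `n` still enables password authentication; write `if [[ "${answer^^}" == "Y" ]]; then` (the `! -z` check then becomes redundant). The `duplicate-cn` line in the generated server config allows several concurrent sessions to share one certificate, while add-openvpn-client.sh issues one certificate per client, so it appears unnecessary here and seems to weaken the one-client-one-cert model; if it is meant to stay, the inline comment should say why. The context lines of this hunk after the `tee` line are garbled in this view, so the rest of the block could not be checked.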
@@ -178,7 +204,23 @@ $TA_KEY
 EOL
 EOF
 chmod +755 /usr/local/bin/add-openvpn-client.sh
+
 cat << 'EOF' > /usr/local/bin/remove-iptable-dups.sh
 #!/bin/bash
 iptables-save | awk '!seen[$0]++ || /^(\*|COMMIT)/' | iptables-restore
 EOF
+chmod +755 /usr/local/bin/remove-iptable-dups.sh
+
+cat << 'EOF' > /etc/openvpn/auth-script.sh
+#!/bin/bash
+readarray -t lines < $1
+username=${lines[0]}
+password=${lines[1]}
+password_hash=$(echo -n "$password" | sha256sum | awk '{print $1}')
+if grep -q "^$username:$password_hash:" "/etc/openvpn/credentials"; then
+ exit 0 # Authentication success
+else
+ exit 1 # Authentication failed
+fi
+EOF
+chmod +755 /etc/openvpn/auth-script.sh
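Review bot: In the new auth-script.sh, `grep -q "^$username:$password_hash:"` uses the client-supplied username as an unescaped regular expression, so metacharacters in it change what is matched (a `.` matches any character), and `readarray -t lines < $1` leaves the path unquoted; compare the fields exactly with `readarray -t lines < "$1"` and `if awk -F: -v u="$username" -v h="$password_hash" '$1 == u && $2 == h { ok = 1 } END { exit !ok }' "/etc/openvpn/credentials"; then`. The check is an unsalted single SHA-256 over the password, which must stay identical to the scheme used by add-openvpn-client.sh, so any move to a salted slow hash has to change both sides in one commit. The script is installed with `chmod +755` and reads `/etc/openvpn/credentials` at every connect, so that file needs to be readable by whatever account OpenVPN runs scripts as and by nobody else — this view does not show whether the server config drops privileges with `user`/`group`, which decides the required ownership.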