[TriLUG] Need quick openvpn setup help

Alan Porter porter at trilug.org
Tue Dec 4 11:30:49 EST 2007


And I'm not making guarantees about this one, but this is
the script that I used to automate the creation of keys.

Alan




#!/bin/sh
# generate_openvpn_client_key.sh

################################################################################

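# Print the help text to stdout.
# Globals:   program (read: script name shown in the message)
#            server, client (written: only used to build the example lines)
# Arguments: none
# Returns:   0
usage () {
   echo "$program: create an openvpn key for a user and package it nicely"
   echo ""
   server=$(hostname -s)
   client="exampleclient"
   # one line: the original listing had this wrapped by the mail client
   echo "usage: $program $client <-- same as user's email address @company.com"
   echo "       creates a key with a 'Common Name' of '$server-$client'"
   echo "       creates a zip files that contains:"
   echo "        - keys/$server/ca.crt"
   echo "        - keys/$server/$server-$client.crt"
   echo "        - keys/$server/$server-$client.key"
   echo "        - $server-$client.ovpn"
   echo "        - $server-$client.conf"
   echo ""
}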

################################################################################

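program=$0

# Abort with a message on stderr.  Every step whose failure would leave a
# half-made key or an unusable zip behind goes through this instead of being
# silently ignored.
die () {
   printf '%s: %s\n' "$program" "$*" >&2
   exit 1
}

if [ -z "${1:-}" ] ; then
   usage
   exit
fi
client=$1

# $client ends up in the Common Name and in file names under $OPENVPN/keys,
# so refuse anything that could leave that directory or confuse openssl/zip
# (slashes, whitespace, leading dots, shell metacharacters).
case $client in
   ''|.*|*[!A-Za-z0-9._@-]*) die "invalid client name '$client'" ;;
esac

server=$(hostname -s)
# NOTE(review): the resolver search domain is used as the server's public
# name in the generated config -- confirm this matches the real VPN endpoint.
external=$(grep '^search' /etc/resolv.conf | sed -e 's/search *//g')
[ -n "$external" ] || die "no 'search' line in /etc/resolv.conf to use as the remote name"
OPENVPN="/etc/openvpn"
commonname="$server-$client"
CWD=$(pwd)

cd "$OPENVPN" || die "cannot cd to $OPENVPN"

# easy-rsa environment; expected to set KEY_DIR and KEY_CONFIG
. ./vars
[ -n "${KEY_DIR:-}" ] && [ -n "${KEY_CONFIG:-}" ] \
   || die "KEY_DIR/KEY_CONFIG not set by $OPENVPN/vars"

# Use unpredictable temp names (a fixed /tmp/$$.* name can be pre-created or
# symlinked by another local user) and remove them on every exit path.
tmpfile=$(mktemp) || die "mktemp failed"
tmpdir=$(mktemp -d) || die "mktemp -d failed"
trap 'rm -f "$tmpfile"; rm -rf "$tmpdir"' EXIT

# NOTE - the next three steps are taken directly from the 'build-key' script

# (1) create the key and certificate request.  openssl reads the subject
# fields from stdin in this order: country, state, city, organization,
# organizational unit, common name, email, challenge password, optional
# company name -- blank lines accept the defaults from $KEY_CONFIG.
printf '\n\n\n\n\n%s\n\n\n\n' "$commonname" > "$tmpfile"
( cd "$KEY_DIR" && openssl req -days 3650 -nodes -new \
     -keyout "$commonname.key" -out "$commonname.csr" \
     -config "$KEY_CONFIG" < "$tmpfile" ) \
   || die "openssl req failed for $commonname"

# (2) sign the certificate ('y' = sign this certificate, 'y' = commit)
printf 'y\ny\n' > "$tmpfile"
( cd "$KEY_DIR" && openssl ca -days 3650 -out "$commonname.crt" \
     -in "$commonname.csr" -config "$KEY_CONFIG" < "$tmpfile" ) \
   || die "openssl ca failed for $commonname"

# (3) set permissions: the private key must be owner-readable only
chmod 0600 "$KEY_DIR/$commonname.key" || die "chmod failed on $commonname.key"


# package this up into a tidy little ZIP file

cd "$OPENVPN" || die "cannot cd to $OPENVPN"
mkdir -p "$tmpdir/keys/$server" || die "cannot create $tmpdir/keys/$server"
# NOTE(review): this assumes KEY_DIR is $OPENVPN/keys/$server (the files were
# written to $KEY_DIR above) -- confirm against ./vars.
for f in ca.crt "$commonname.crt" "$commonname.key" ; do
   cp "$OPENVPN/keys/$server/$f" "$tmpdir/keys/$server/$f" \
      || die "cannot copy $f"
done

# client config template; [DIRECTORY] is replaced per platform below
cat > "$tmpfile" << EOF

# the basics
dev tun
proto udp
client
remote $external 1194

# retries, etc
resolv-retry infinite
nobind
persist-key
persist-tun

# for security
user nobody
group nogroup

# certificate stuff
ca    "[DIRECTORY]keys/$server/ca.crt"
cert  "[DIRECTORY]keys/$server/$commonname.crt"
key   "[DIRECTORY]keys/$server/$commonname.key"

# low layers
comp-lzo

EOF

# create DOS/Windows config file: paths relative to the .ovpn, CRLF endings
sed -e 's/\[DIRECTORY\]//g' -e 's/$/\r/g' "$tmpfile" \
   > "$tmpdir/$commonname.ovpn" || die "cannot write $commonname.ovpn"

# create unix/Linux config file: absolute paths under /etc/openvpn
sed -e 's/\[DIRECTORY\]/\/etc\/openvpn\//g' "$tmpfile" \
   > "$tmpdir/$commonname.conf" || die "cannot write $commonname.conf"
cat >> "$tmpdir/$commonname.conf" << EOF
# logging
log-append   /var/log/openvpn.log
verb 3

EOF

# ZIP it all up (prompt for a password)
echo ""
echo "Now creating ZIP file... YOU WILL BE PROMPTED FOR A PASSWORD"
( cd "$tmpdir" && zip -r -e "$CWD/$commonname.zip" . ) || die "zip failed"

# clean up (the EXIT trap covers the error paths)
rm -f "$tmpfile"
rm -rf "$tmpdir"

cd "$CWD" || die "cannot cd back to $CWD"
ls -l "$CWD/$commonname.zip"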








