Move vpn key generation functions into initial mesh setup script

Bob Mottram 2017-09-30 22:46:01 +01:00
parent 7906f36373
commit 2d1ddbbf58
1 changed files with 208 additions and 2 deletions


@ -31,8 +31,6 @@ PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-image-mesh
export TEXTDOMAINDIR="/usr/share/locale"
source /usr/local/bin/${PROJECT_NAME}-app-vpn
# The browser application to use
BROWSER=midori
BROWSER_OPTIONS='-p'
@ -74,6 +72,17 @@ IPFS_PORT=4001
CURRENT_BLOG_INDEX=/home/$MY_USERNAME/.blog-index
OPENVPN_SERVER_NAME="server"
OPENVPN_KEY_FILENAME='client.ovpn'
VPN_COUNTRY_CODE="US"
VPN_AREA="Apparent Free Speech Zone"
VPN_LOCATION="Freedomville"
VPN_ORGANISATION="Freedombone"
VPN_UNIT="Freedombone Unit"
STUNNEL_PORT=3439
VPN_TLS_PORT=553
VPN_MESH_TLS_PORT=653
# Debian stretch has a problem where the formerly predictable wlan0 and eth0
# device names get assigned random names. This is a hacky workaround.
# Also adding net.ifnames=0 to kernel options on bootloader may work.
@ -556,6 +565,198 @@ function setup_tahoelafs {
echo $'Configured Tahoe-LAFS' >> $INSTALL_LOG
}
function create_user_vpn_key {
username=$1
if [ ! -d /home/$username ]; then
return
fi
echo $"Creating VPN key for $username" >> /var/log/${PROJECT_NAME}.log
cd /etc/openvpn/easy-rsa
if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
rm /etc/openvpn/easy-rsa/keys/$username.crt
fi
if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
rm /etc/openvpn/easy-rsa/keys/$username.key
fi
if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
rm /etc/openvpn/easy-rsa/keys/$username.csr
fi
sed -i 's| --interact||g' build-key
./build-key "$username"
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
echo $'VPN user cert not generated' >> /var/log/${PROJECT_NAME}.log
exit 783528
fi
user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
if [ ${#user_cert} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/$username.crt
echo $'User cert generation failed' >> /var/log/${PROJECT_NAME}.log
exit 634659
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
echo $'VPN user key not generated'
exit 682523
fi
user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
if [ ${#user_key} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/$username.key
echo $'User key generation failed'
exit 285838
fi
user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
echo 'client' > $user_vpn_cert_file
echo 'dev tun' >> $user_vpn_cert_file
echo 'proto tcp' >> $user_vpn_cert_file
echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
echo 'resolv-retry infinite' >> $user_vpn_cert_file
echo 'nobind' >> $user_vpn_cert_file
echo 'tun-mtu 1500' >> $user_vpn_cert_file
echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
echo 'mssfix 1450' >> $user_vpn_cert_file
echo 'persist-key' >> $user_vpn_cert_file
echo 'persist-tun' >> $user_vpn_cert_file
echo 'auth-nocache' >> $user_vpn_cert_file
echo 'remote-cert-tls server' >> $user_vpn_cert_file
echo 'comp-lzo' >> $user_vpn_cert_file
echo 'verb 3' >> $user_vpn_cert_file
echo '' >> $user_vpn_cert_file
echo '<ca>' >> $user_vpn_cert_file
cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
echo '</ca>' >> $user_vpn_cert_file
echo '<cert>' >> $user_vpn_cert_file
cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
echo '</cert>' >> $user_vpn_cert_file
echo '<key>' >> $user_vpn_cert_file
cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
echo '</key>' >> $user_vpn_cert_file
chown $username:$username $user_vpn_cert_file
# keep a backup
cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
#rm /etc/openvpn/easy-rsa/keys/$username.crt
#rm /etc/openvpn/easy-rsa/keys/$username.csr
shred -zu /etc/openvpn/easy-rsa/keys/$username.key
echo $"VPN key created at $user_vpn_cert_file" >> /var/log/${PROJECT_NAME}.log
}
function vpn_generate_keys {
# generate host keys
if [ ! -f /etc/openvpn/dh2048.pem ]; then
${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
fi
if [ ! -f /etc/openvpn/dh2048.pem ]; then
echo $'vpn dhparams were not generated' >> /var/log/${PROJECT_NAME}.log
exit 73724523
fi
cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
cd /etc/openvpn/easy-rsa
. ./vars
./clean-all
vpn_openssl_version='1.0.0'
if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
echo $"openssl-${vpn_openssl_version}.cnf was not found" >> /var/log/${PROJECT_NAME}.log
exit 7392353
fi
cp openssl-${vpn_openssl_version}.cnf openssl.cnf
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
fi
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
fi
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
fi
sed -i 's| --interact||g' build-key-server
sed -i 's| --interact||g' build-ca
./build-ca
./build-key-server ${OPENVPN_SERVER_NAME}
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
echo $'OpenVPN crt not found' >> /var/log/${PROJECT_NAME}.log
exit 7823352
fi
server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
if [ ${#server_cert} -lt 10 ]; then
cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
echo $'Server cert generation failed' >> /var/log/${PROJECT_NAME}.log
exit 3284682
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
echo $'OpenVPN key not found' >> /var/log/${PROJECT_NAME}.log
exit 6839436
fi
if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
echo $'OpenVPN ca not found' >> /var/log/${PROJECT_NAME}.log
exit 7935203
fi
cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
create_user_vpn_key ${MY_USERNAME}
}
function generate_stunnel_keys {
echo "Creating stunnel keys" >> /var/log/${PROJECT_NAME}.log
openssl req -x509 -nodes -days 3650 -sha256 \
-subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
-newkey rsa:2048 -keyout /etc/stunnel/key.pem \
-out /etc/stunnel/cert.pem
if [ ! -f /etc/stunnel/key.pem ]; then
echo $'stunnel key not created' >> /var/log/${PROJECT_NAME}.log
exit 793530
fi
if [ ! -f /etc/stunnel/cert.pem ]; then
echo $'stunnel cert not created' >> /var/log/${PROJECT_NAME}.log
exit 204587
fi
chmod 400 /etc/stunnel/key.pem
chmod 640 /etc/stunnel/cert.pem
cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
chmod 640 /etc/stunnel/stunnel.pem
openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
if [ ! -f /etc/stunnel/stunnel.p12 ]; then
echo $'stunnel pkcs12 not created' >> /var/log/${PROJECT_NAME}.log
exit 639353
fi
chmod 640 /etc/stunnel/stunnel.p12
cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
echo "stunnel keys created" >> /var/log/${PROJECT_NAME}.log
}
function mesh_setup_vpn {
vpn_generate_keys
cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
generate_stunnel_keys
systemctl restart openvpn
}
# whether to reset the identity
set_new_identity=
if [ $2 ]; then
@ -596,6 +797,11 @@ if [ -f $MESH_INSTALL_SETUP ]; then
rm -rf /home/$MY_USERNAME/.ssb
fi
# Remove vpn keys
if [ -d /etc/openvpn/easy-rsa/keys ]; then
rm -rf /etc/openvpn/easy-rsa/keys/*
fi
echo $'Beginning mesh node setup' >> $INSTALL_LOG
if [ -d /home/$MY_USERNAME/.config ]; then
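Review bot: In create_user_vpn_key the client profile embeds the user's private key between the `<key>` tags, but it is created by plain `echo ... >` redirection and only `chown`ed, so its mode is whatever the running umask gives (typically 644 under umask 022). Add `chmod 600 "$user_vpn_cert_file"` right after the `chown`, or set `umask 077` before the first write. The `# keep a backup` copy to `/etc/openvpn/easy-rsa/keys/$username.ovpn` carries the same key, so the `shred -zu` of `$username.key` that follows does not remove the key from the server; the backup needs the same restrictive mode at minimum. In generate_stunnel_keys the last `chown` globs `$prefix$userhome/stunnel*`, and neither variable is set in the visible hunks, so the `stunnel.pem` and `stunnel.p12` copies in the home directory probably stay root-owned. Using `chown "$MY_USERNAME":"$MY_USERNAME" /home/"$MY_USERNAME"/stunnel.pem /home/"$MY_USERNAME"/stunnel.p12` would match the two `cp` lines above it.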