Move vpn key generation functions into initial mesh setup script
This commit is contained in:
Bob Mottram
parent
7906f36373
commit
2d1ddbbf58
|
|
@ -31,8 +31,6 @@ PROJECT_NAME='freedombone'
|
|||
export TEXTDOMAIN=${PROJECT_NAME}-image-mesh
|
||||
export TEXTDOMAINDIR="/usr/share/locale"
|
||||
|
||||
source /usr/local/bin/${PROJECT_NAME}-app-vpn
|
||||
|
||||
# The browser application to use
|
||||
BROWSER=midori
|
||||
BROWSER_OPTIONS='-p'
|
||||
|
|
@ -74,6 +72,17 @@ IPFS_PORT=4001
|
|||
|
||||
CURRENT_BLOG_INDEX=/home/$MY_USERNAME/.blog-index
|
||||
|
||||
OPENVPN_SERVER_NAME="server"
|
||||
OPENVPN_KEY_FILENAME='client.ovpn'
|
||||
VPN_COUNTRY_CODE="US"
|
||||
VPN_AREA="Apparent Free Speech Zone"
|
||||
VPN_LOCATION="Freedomville"
|
||||
VPN_ORGANISATION="Freedombone"
|
||||
VPN_UNIT="Freedombone Unit"
|
||||
STUNNEL_PORT=3439
|
||||
VPN_TLS_PORT=553
|
||||
VPN_MESH_TLS_PORT=653
|
||||
|
||||
# Debian stretch has a problem where the formerly predictable wlan0 and eth0
|
||||
# device names get assigned random names. This is a hacky workaround.
|
||||
# Also adding net.ifnames=0 to kernel options on bootloader may work.
|
||||
|
|
@ -556,6 +565,198 @@ function setup_tahoelafs {
|
|||
echo $'Configured Tahoe-LAFS' >> $INSTALL_LOG
|
||||
}
|
||||
|
||||
function create_user_vpn_key {
|
||||
username=$1
|
||||
|
||||
if [ ! -d /home/$username ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
echo $"Creating VPN key for $username" >> /var/log/${PROJECT_NAME}.log
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
|
||||
if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
|
||||
rm /etc/openvpn/easy-rsa/keys/$username.crt
|
||||
fi
|
||||
if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
|
||||
rm /etc/openvpn/easy-rsa/keys/$username.key
|
||||
fi
|
||||
if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
|
||||
rm /etc/openvpn/easy-rsa/keys/$username.csr
|
||||
fi
|
||||
|
||||
sed -i 's| --interact||g' build-key
|
||||
./build-key "$username"
|
||||
|
||||
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
|
||||
echo $'VPN user cert not generated' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 783528
|
||||
fi
|
||||
user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
|
||||
if [ ${#user_cert} -lt 10 ]; then
|
||||
cat /etc/openvpn/easy-rsa/keys/$username.crt
|
||||
echo $'User cert generation failed' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 634659
|
||||
fi
|
||||
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
|
||||
echo $'VPN user key not generated'
|
||||
exit 682523
|
||||
fi
|
||||
user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
|
||||
if [ ${#user_key} -lt 10 ]; then
|
||||
cat /etc/openvpn/easy-rsa/keys/$username.key
|
||||
echo $'User key generation failed'
|
||||
exit 285838
|
||||
fi
|
||||
|
||||
user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
|
||||
|
||||
echo 'client' > $user_vpn_cert_file
|
||||
echo 'dev tun' >> $user_vpn_cert_file
|
||||
echo 'proto tcp' >> $user_vpn_cert_file
|
||||
echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
|
||||
echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
|
||||
echo 'resolv-retry infinite' >> $user_vpn_cert_file
|
||||
echo 'nobind' >> $user_vpn_cert_file
|
||||
echo 'tun-mtu 1500' >> $user_vpn_cert_file
|
||||
echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
|
||||
echo 'mssfix 1450' >> $user_vpn_cert_file
|
||||
echo 'persist-key' >> $user_vpn_cert_file
|
||||
echo 'persist-tun' >> $user_vpn_cert_file
|
||||
echo 'auth-nocache' >> $user_vpn_cert_file
|
||||
echo 'remote-cert-tls server' >> $user_vpn_cert_file
|
||||
echo 'comp-lzo' >> $user_vpn_cert_file
|
||||
echo 'verb 3' >> $user_vpn_cert_file
|
||||
echo '' >> $user_vpn_cert_file
|
||||
|
||||
echo '<ca>' >> $user_vpn_cert_file
|
||||
cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
|
||||
echo '</ca>' >> $user_vpn_cert_file
|
||||
|
||||
echo '<cert>' >> $user_vpn_cert_file
|
||||
cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
|
||||
echo '</cert>' >> $user_vpn_cert_file
|
||||
|
||||
echo '<key>' >> $user_vpn_cert_file
|
||||
cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
|
||||
echo '</key>' >> $user_vpn_cert_file
|
||||
|
||||
chown $username:$username $user_vpn_cert_file
|
||||
|
||||
# keep a backup
|
||||
cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
|
||||
|
||||
#rm /etc/openvpn/easy-rsa/keys/$username.crt
|
||||
#rm /etc/openvpn/easy-rsa/keys/$username.csr
|
||||
shred -zu /etc/openvpn/easy-rsa/keys/$username.key
|
||||
|
||||
echo $"VPN key created at $user_vpn_cert_file" >> /var/log/${PROJECT_NAME}.log
|
||||
}
|
||||
|
||||
function vpn_generate_keys {
|
||||
# generate host keys
|
||||
if [ ! -f /etc/openvpn/dh2048.pem ]; then
|
||||
${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
|
||||
fi
|
||||
if [ ! -f /etc/openvpn/dh2048.pem ]; then
|
||||
echo $'vpn dhparams were not generated' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 73724523
|
||||
fi
|
||||
cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
. ./vars
|
||||
./clean-all
|
||||
vpn_openssl_version='1.0.0'
|
||||
if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
|
||||
echo $"openssl-${vpn_openssl_version}.cnf was not found" >> /var/log/${PROJECT_NAME}.log
|
||||
exit 7392353
|
||||
fi
|
||||
cp openssl-${vpn_openssl_version}.cnf openssl.cnf
|
||||
|
||||
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
|
||||
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
|
||||
fi
|
||||
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
|
||||
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
|
||||
fi
|
||||
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
|
||||
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
|
||||
fi
|
||||
sed -i 's| --interact||g' build-key-server
|
||||
sed -i 's| --interact||g' build-ca
|
||||
./build-ca
|
||||
./build-key-server ${OPENVPN_SERVER_NAME}
|
||||
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
|
||||
echo $'OpenVPN crt not found' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 7823352
|
||||
fi
|
||||
server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
|
||||
if [ ${#server_cert} -lt 10 ]; then
|
||||
cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
|
||||
echo $'Server cert generation failed' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 3284682
|
||||
fi
|
||||
|
||||
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
|
||||
echo $'OpenVPN key not found' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 6839436
|
||||
fi
|
||||
if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
|
||||
echo $'OpenVPN ca not found' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 7935203
|
||||
fi
|
||||
cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
|
||||
|
||||
create_user_vpn_key ${MY_USERNAME}
|
||||
}
|
||||
|
||||
function generate_stunnel_keys {
|
||||
echo "Creating stunnel keys" >> /var/log/${PROJECT_NAME}.log
|
||||
openssl req -x509 -nodes -days 3650 -sha256 \
|
||||
-subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
|
||||
-newkey rsa:2048 -keyout /etc/stunnel/key.pem \
|
||||
-out /etc/stunnel/cert.pem
|
||||
if [ ! -f /etc/stunnel/key.pem ]; then
|
||||
echo $'stunnel key not created' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 793530
|
||||
fi
|
||||
if [ ! -f /etc/stunnel/cert.pem ]; then
|
||||
echo $'stunnel cert not created' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 204587
|
||||
fi
|
||||
chmod 400 /etc/stunnel/key.pem
|
||||
chmod 640 /etc/stunnel/cert.pem
|
||||
|
||||
cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
|
||||
chmod 640 /etc/stunnel/stunnel.pem
|
||||
|
||||
openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
|
||||
if [ ! -f /etc/stunnel/stunnel.p12 ]; then
|
||||
echo $'stunnel pkcs12 not created' >> /var/log/${PROJECT_NAME}.log
|
||||
exit 639353
|
||||
fi
|
||||
chmod 640 /etc/stunnel/stunnel.p12
|
||||
|
||||
cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
|
||||
cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
|
||||
chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
|
||||
echo "stunnel keys created" >> /var/log/${PROJECT_NAME}.log
|
||||
}
|
||||
|
||||
function mesh_setup_vpn {
|
||||
vpn_generate_keys
|
||||
|
||||
cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
|
||||
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
|
||||
|
||||
generate_stunnel_keys
|
||||
|
||||
systemctl restart openvpn
|
||||
}
|
||||
|
||||
|
||||
# whether to reset the identity
|
||||
set_new_identity=
|
||||
if [ $2 ]; then
|
||||
|
|
@ -596,6 +797,11 @@ if [ -f $MESH_INSTALL_SETUP ]; then
|
|||
rm -rf /home/$MY_USERNAME/.ssb
|
||||
fi
|
||||
|
||||
# Remove vpn keys
|
||||
if [ -d /etc/openvpn/easy-rsa/keys ]; then
|
||||
rm -rf /etc/openvpn/easy-rsa/keys/*
|
||||
fi
|
||||
|
||||
echo $'Beginning mesh node setup' >> $INSTALL_LOG
|
||||
|
||||
if [ -d /home/$MY_USERNAME/.config ]; then
|
||||
|
|
|
|||
Loading…
Reference in New Issue