From 2d1ddbbf58d1a75a37f3b9d4e6b9ba1753deaaf2 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 30 Sep 2017 22:46:01 +0100
Subject: [PATCH] Move vpn key generation functions into initial mesh setup script

---
 src/freedombone-image-mesh | 210 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 208 insertions(+), 2 deletions(-)

diff --git a/src/freedombone-image-mesh b/src/freedombone-image-mesh
index db504d6d..f727afb3 100755
--- a/src/freedombone-image-mesh
+++ b/src/freedombone-image-mesh
@@ -31,8 +31,6 @@ PROJECT_NAME='freedombone'
 export TEXTDOMAIN=${PROJECT_NAME}-image-mesh
 export TEXTDOMAINDIR="/usr/share/locale"
 
-source /usr/local/bin/${PROJECT_NAME}-app-vpn
-
 # The browser application to use
 BROWSER=midori
 BROWSER_OPTIONS='-p'
@@ -74,6 +72,17 @@ IPFS_PORT=4001
 
 CURRENT_BLOG_INDEX=/home/$MY_USERNAME/.blog-index
 
+OPENVPN_SERVER_NAME="server"
+OPENVPN_KEY_FILENAME='client.ovpn'
+VPN_COUNTRY_CODE="US"
+VPN_AREA="Apparent Free Speech Zone"
+VPN_LOCATION="Freedomville"
+VPN_ORGANISATION="Freedombone"
+VPN_UNIT="Freedombone Unit"
+STUNNEL_PORT=3439
+VPN_TLS_PORT=553
+VPN_MESH_TLS_PORT=653
+
 # Debian stretch has a problem where the formerly predictable wlan0 and eth0
 # device names get assigned random names. This is a hacky workaround.
 # Also adding net.ifnames=0 to kernel options on bootloader may work.
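Review bot: `VPN_TLS_PORT=553` and `VPN_MESH_TLS_PORT=653` are not referenced by any of the functions this patch adds (those use only `STUNNEL_PORT`, `OPENVPN_SERVER_NAME`, `OPENVPN_KEY_FILENAME` and the `VPN_*` subject fields), so unless the rest of the file reads them they are dead settings; presumably they mirror values the vpn app script carries, and now that the `source` of that script is dropped in the hunk above there is nothing keeping the two copies in step. A header such as `# VPN/stunnel settings consumed by create_user_vpn_key and generate_stunnel_keys below` would tell the next reader why these live here. The quoting is also mixed (`"server"` beside `'client.ovpn'`); single quotes on every fixed string would match `BROWSER_OPTIONS='-p'` further up.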
@@ -556,6 +565,198 @@ function setup_tahoelafs {
 echo $'Configured Tahoe-LAFS' >> $INSTALL_LOG
 }
 
+function create_user_vpn_key {
+ username=$1
+
+ if [ ! -d /home/$username ]; then
+ return
+ fi
+
+ echo $"Creating VPN key for $username" >> /var/log/${PROJECT_NAME}.log
+
+ cd /etc/openvpn/easy-rsa
+
+ if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+ rm /etc/openvpn/easy-rsa/keys/$username.crt
+ fi
+ if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+ rm /etc/openvpn/easy-rsa/keys/$username.key
+ fi
+ if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
+ rm /etc/openvpn/easy-rsa/keys/$username.csr
+ fi
+
+ sed -i 's| --interact||g' build-key
+ ./build-key "$username"
+
+ if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+ echo $'VPN user cert not generated' >> /var/log/${PROJECT_NAME}.log
+ exit 783528
+ fi
+ user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
+ if [ ${#user_cert} -lt 10 ]; then
+ cat /etc/openvpn/easy-rsa/keys/$username.crt
+ echo $'User cert generation failed' >> /var/log/${PROJECT_NAME}.log
+ exit 634659
+ fi
+ if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+ echo $'VPN user key not generated'
+ exit 682523
+ fi
+ user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
+ if [ ${#user_key} -lt 10 ]; then
+ cat /etc/openvpn/easy-rsa/keys/$username.key
+ echo $'User key generation failed'
+ exit 285838
+ fi
+
+ user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
+
+ echo 'client' > $user_vpn_cert_file
+ echo 'dev tun' >> $user_vpn_cert_file
+ echo 'proto tcp' >> $user_vpn_cert_file
+ echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
+ echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
+ echo 'resolv-retry infinite' >> $user_vpn_cert_file
+ echo 'nobind' >> $user_vpn_cert_file
+ echo 'tun-mtu 1500' >> $user_vpn_cert_file
+ echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
+ echo 'mssfix 1450' >> $user_vpn_cert_file
+ echo 'persist-key' >> $user_vpn_cert_file
+ echo 'persist-tun' >> $user_vpn_cert_file
+ echo 'auth-nocache' >> $user_vpn_cert_file
+ echo 'remote-cert-tls server' >> $user_vpn_cert_file
+ echo 'comp-lzo' >> $user_vpn_cert_file
+ echo 'verb 3' >> $user_vpn_cert_file
+ echo '' >> $user_vpn_cert_file
+
+ echo '' >> $user_vpn_cert_file
+ cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
+ echo '' >> $user_vpn_cert_file
+
+ echo '' >> $user_vpn_cert_file
+ cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
+ echo '' >> $user_vpn_cert_file
+
+ echo '' >> $user_vpn_cert_file
+ cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
+ echo '' >> $user_vpn_cert_file
+
+ chown $username:$username $user_vpn_cert_file
+
+ # keep a backup
+ cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
+
+ #rm /etc/openvpn/easy-rsa/keys/$username.crt
+ #rm /etc/openvpn/easy-rsa/keys/$username.csr
+ shred -zu /etc/openvpn/easy-rsa/keys/$username.key
+
+ echo $"VPN key created at $user_vpn_cert_file" >> /var/log/${PROJECT_NAME}.log
+}
+
+function vpn_generate_keys {
+ # generate host keys
+ if [ ! -f /etc/openvpn/dh2048.pem ]; then
+ ${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
+ fi
+ if [ ! -f /etc/openvpn/dh2048.pem ]; then
+ echo $'vpn dhparams were not generated' >> /var/log/${PROJECT_NAME}.log
+ exit 73724523
+ fi
+ cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
+
+ cd /etc/openvpn/easy-rsa
+ . ./vars
+ ./clean-all
+ vpn_openssl_version='1.0.0'
+ if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
+ echo $"openssl-${vpn_openssl_version}.cnf was not found" >> /var/log/${PROJECT_NAME}.log
+ exit 7392353
+ fi
+ cp openssl-${vpn_openssl_version}.cnf openssl.cnf
+
+ if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+ rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+ fi
+ if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+ rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
+ fi
+ if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
+ rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
+ fi
+ sed -i 's| --interact||g' build-key-server
+ sed -i 's| --interact||g' build-ca
+ ./build-ca
+ ./build-key-server ${OPENVPN_SERVER_NAME}
+ if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+ echo $'OpenVPN crt not found' >> /var/log/${PROJECT_NAME}.log
+ exit 7823352
+ fi
+ server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
+ if [ ${#server_cert} -lt 10 ]; then
+ cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+ echo $'Server cert generation failed' >> /var/log/${PROJECT_NAME}.log
+ exit 3284682
+ fi
+
+ if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+ echo $'OpenVPN key not found' >> /var/log/${PROJECT_NAME}.log
+ exit 6839436
+ fi
+ if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
+ echo $'OpenVPN ca not found' >> /var/log/${PROJECT_NAME}.log
+ exit 7935203
+ fi
+ cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
+
+ create_user_vpn_key ${MY_USERNAME}
+}
+
+function generate_stunnel_keys {
+ echo "Creating stunnel keys" >> /var/log/${PROJECT_NAME}.log
+ openssl req -x509 -nodes -days 3650 -sha256 \
+ -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
+ -newkey rsa:2048 -keyout /etc/stunnel/key.pem \
+ -out /etc/stunnel/cert.pem
+ if [ ! -f /etc/stunnel/key.pem ]; then
+ echo $'stunnel key not created' >> /var/log/${PROJECT_NAME}.log
+ exit 793530
+ fi
+ if [ ! -f /etc/stunnel/cert.pem ]; then
+ echo $'stunnel cert not created' >> /var/log/${PROJECT_NAME}.log
+ exit 204587
+ fi
+ chmod 400 /etc/stunnel/key.pem
+ chmod 640 /etc/stunnel/cert.pem
+
+ cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
+ chmod 640 /etc/stunnel/stunnel.pem
+
+ openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
+ if [ ! -f /etc/stunnel/stunnel.p12 ]; then
+ echo $'stunnel pkcs12 not created' >> /var/log/${PROJECT_NAME}.log
+ exit 639353
+ fi
+ chmod 640 /etc/stunnel/stunnel.p12
+
+ cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
+ cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
+ chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
+ echo "stunnel keys created" >> /var/log/${PROJECT_NAME}.log
+}
+
+function mesh_setup_vpn {
+ vpn_generate_keys
+
+ cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
+ chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
+
+ generate_stunnel_keys
+
+ systemctl restart openvpn
+}
+
+
 # whether to reset the identity
 set_new_identity=
 if [ $2 ]; then
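Review bot: `chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*` in generate_stunnel_keys relies on `$prefix` and `$userhome`, neither of which is set anywhere in this hunk while the two `cp` lines just above spell the destination as `/home/$MY_USERNAME`; if they are unset the glob becomes `/stunnel*`, the chown fails and the copies in the user's home stay root-owned with mode 640, and the chown in mesh_setup_vpn does not catch them because it runs before generate_stunnel_keys is called — `chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*` is the line I would expect here. Private key handling in the same functions deserves a look: `$user_vpn_cert_file` is created by `echo 'client' >` under the default umask and never chmod'ed even though `$username.key` is appended into it, the `cp ... $username.ovpn` backup keeps that same key on disk so the later `shred -zu` of the `.key` file removes only one of two copies, and `cat ... >> /etc/stunnel/stunnel.pem` appends, so a re-run leaves the previous key/cert pair at the top of the bundle. `chmod 600 $user_vpn_cert_file` before the chown and a `>` write for stunnel.pem would tighten this. `echo $'VPN user key not generated'` and `echo $'User key generation failed'` also lack the `>> /var/log/${PROJECT_NAME}.log` redirect every sibling message uses, so those two failures are reported on stdout only. As a style aside, statuses such as `exit 783528` are truncated to eight bits by the shell, so callers see unrelated small values rather than the distinctive numbers written here.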
@@ -596,6 +797,11 @@ if [ -f $MESH_INSTALL_SETUP ]; then
 rm -rf /home/$MY_USERNAME/.ssb
 fi
 
+ # Remove vpn keys
+ if [ -d /etc/openvpn/easy-rsa/keys ]; then
+ rm -rf /etc/openvpn/easy-rsa/keys/*
+ fi
+
 echo $'Beginning mesh node setup' >> $INSTALL_LOG
 
 if [ -d /home/$MY_USERNAME/.config ]; then
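Review bot: The reset path unlinks `/etc/openvpn/easy-rsa/keys/*` with `rm -rf`, which leaves `ca.key`, `$OPENVPN_SERVER_NAME.key` and the `$username.ovpn` backup recoverable from disk, whereas create_user_vpn_key in this same commit uses `shred -zu` for the same kind of material; `find /etc/openvpn/easy-rsa/keys -type f -exec shred -zu {} +` in place of the `rm -rf` would be consistent. It also clears only the easy-rsa directory: the copies vpn_generate_keys places in `/etc/openvpn` and the `/etc/stunnel/key.pem`, `cert.pem`, `stunnel.pem` and `stunnel.p12` files written by generate_stunnel_keys are not removed, and since `stunnel.pem` is built with `>>` the old bundle survives into the next run. The enclosing `if [ -f $MESH_INSTALL_SETUP ]` block starts outside the hunk, so whether the stunnel files are handled earlier in it cannot be seen here.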