Move vpn key generation functions into initial mesh setup script
parent
7906f36373
commit
2d1ddbbf58
|
@ -31,8 +31,6 @@ PROJECT_NAME='freedombone'
|
||||||
export TEXTDOMAIN=${PROJECT_NAME}-image-mesh
|
export TEXTDOMAIN=${PROJECT_NAME}-image-mesh
|
||||||
export TEXTDOMAINDIR="/usr/share/locale"
|
export TEXTDOMAINDIR="/usr/share/locale"
|
||||||
|
|
||||||
source /usr/local/bin/${PROJECT_NAME}-app-vpn
|
|
||||||
|
|
||||||
# The browser application to use
|
# The browser application to use
|
||||||
BROWSER=midori
|
BROWSER=midori
|
||||||
BROWSER_OPTIONS='-p'
|
BROWSER_OPTIONS='-p'
|
||||||
|
@ -74,6 +72,17 @@ IPFS_PORT=4001
|
||||||
|
|
||||||
CURRENT_BLOG_INDEX=/home/$MY_USERNAME/.blog-index
|
CURRENT_BLOG_INDEX=/home/$MY_USERNAME/.blog-index
|
||||||
|
|
||||||
|
OPENVPN_SERVER_NAME="server"
|
||||||
|
OPENVPN_KEY_FILENAME='client.ovpn'
|
||||||
|
VPN_COUNTRY_CODE="US"
|
||||||
|
VPN_AREA="Apparent Free Speech Zone"
|
||||||
|
VPN_LOCATION="Freedomville"
|
||||||
|
VPN_ORGANISATION="Freedombone"
|
||||||
|
VPN_UNIT="Freedombone Unit"
|
||||||
|
STUNNEL_PORT=3439
|
||||||
|
VPN_TLS_PORT=553
|
||||||
|
VPN_MESH_TLS_PORT=653
|
||||||
|
|
||||||
# Debian stretch has a problem where the formerly predictable wlan0 and eth0
|
# Debian stretch has a problem where the formerly predictable wlan0 and eth0
|
||||||
# device names get assigned random names. This is a hacky workaround.
|
# device names get assigned random names. This is a hacky workaround.
|
||||||
# Also adding net.ifnames=0 to kernel options on bootloader may work.
|
# Also adding net.ifnames=0 to kernel options on bootloader may work.
|
||||||
|
@ -556,6 +565,198 @@ function setup_tahoelafs {
|
||||||
echo $'Configured Tahoe-LAFS' >> $INSTALL_LOG
|
echo $'Configured Tahoe-LAFS' >> $INSTALL_LOG
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function create_user_vpn_key {
|
||||||
|
username=$1
|
||||||
|
|
||||||
|
if [ ! -d /home/$username ]; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo $"Creating VPN key for $username" >> /var/log/${PROJECT_NAME}.log
|
||||||
|
|
||||||
|
cd /etc/openvpn/easy-rsa
|
||||||
|
|
||||||
|
if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
|
||||||
|
rm /etc/openvpn/easy-rsa/keys/$username.crt
|
||||||
|
fi
|
||||||
|
if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
|
||||||
|
rm /etc/openvpn/easy-rsa/keys/$username.key
|
||||||
|
fi
|
||||||
|
if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
|
||||||
|
rm /etc/openvpn/easy-rsa/keys/$username.csr
|
||||||
|
fi
|
||||||
|
|
||||||
|
sed -i 's| --interact||g' build-key
|
||||||
|
./build-key "$username"
|
||||||
|
|
||||||
|
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
|
||||||
|
echo $'VPN user cert not generated' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 783528
|
||||||
|
fi
|
||||||
|
user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
|
||||||
|
if [ ${#user_cert} -lt 10 ]; then
|
||||||
|
cat /etc/openvpn/easy-rsa/keys/$username.crt
|
||||||
|
echo $'User cert generation failed' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 634659
|
||||||
|
fi
|
||||||
|
if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
|
||||||
|
echo $'VPN user key not generated'
|
||||||
|
exit 682523
|
||||||
|
fi
|
||||||
|
user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
|
||||||
|
if [ ${#user_key} -lt 10 ]; then
|
||||||
|
cat /etc/openvpn/easy-rsa/keys/$username.key
|
||||||
|
echo $'User key generation failed'
|
||||||
|
exit 285838
|
||||||
|
fi
|
||||||
|
|
||||||
|
user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
|
||||||
|
|
||||||
|
echo 'client' > $user_vpn_cert_file
|
||||||
|
echo 'dev tun' >> $user_vpn_cert_file
|
||||||
|
echo 'proto tcp' >> $user_vpn_cert_file
|
||||||
|
echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
|
||||||
|
echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
|
||||||
|
echo 'resolv-retry infinite' >> $user_vpn_cert_file
|
||||||
|
echo 'nobind' >> $user_vpn_cert_file
|
||||||
|
echo 'tun-mtu 1500' >> $user_vpn_cert_file
|
||||||
|
echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
|
||||||
|
echo 'mssfix 1450' >> $user_vpn_cert_file
|
||||||
|
echo 'persist-key' >> $user_vpn_cert_file
|
||||||
|
echo 'persist-tun' >> $user_vpn_cert_file
|
||||||
|
echo 'auth-nocache' >> $user_vpn_cert_file
|
||||||
|
echo 'remote-cert-tls server' >> $user_vpn_cert_file
|
||||||
|
echo 'comp-lzo' >> $user_vpn_cert_file
|
||||||
|
echo 'verb 3' >> $user_vpn_cert_file
|
||||||
|
echo '' >> $user_vpn_cert_file
|
||||||
|
|
||||||
|
echo '<ca>' >> $user_vpn_cert_file
|
||||||
|
cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
|
||||||
|
echo '</ca>' >> $user_vpn_cert_file
|
||||||
|
|
||||||
|
echo '<cert>' >> $user_vpn_cert_file
|
||||||
|
cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
|
||||||
|
echo '</cert>' >> $user_vpn_cert_file
|
||||||
|
|
||||||
|
echo '<key>' >> $user_vpn_cert_file
|
||||||
|
cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
|
||||||
|
echo '</key>' >> $user_vpn_cert_file
|
||||||
|
|
||||||
|
chown $username:$username $user_vpn_cert_file
|
||||||
|
|
||||||
|
# keep a backup
|
||||||
|
cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
|
||||||
|
|
||||||
|
#rm /etc/openvpn/easy-rsa/keys/$username.crt
|
||||||
|
#rm /etc/openvpn/easy-rsa/keys/$username.csr
|
||||||
|
shred -zu /etc/openvpn/easy-rsa/keys/$username.key
|
||||||
|
|
||||||
|
echo $"VPN key created at $user_vpn_cert_file" >> /var/log/${PROJECT_NAME}.log
|
||||||
|
}
|
||||||
|
|
||||||
|
function vpn_generate_keys {
|
||||||
|
# generate host keys
|
||||||
|
if [ ! -f /etc/openvpn/dh2048.pem ]; then
|
||||||
|
${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
|
||||||
|
fi
|
||||||
|
if [ ! -f /etc/openvpn/dh2048.pem ]; then
|
||||||
|
echo $'vpn dhparams were not generated' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 73724523
|
||||||
|
fi
|
||||||
|
cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
|
||||||
|
|
||||||
|
cd /etc/openvpn/easy-rsa
|
||||||
|
. ./vars
|
||||||
|
./clean-all
|
||||||
|
vpn_openssl_version='1.0.0'
|
||||||
|
if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
|
||||||
|
echo $"openssl-${vpn_openssl_version}.cnf was not found" >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 7392353
|
||||||
|
fi
|
||||||
|
cp openssl-${vpn_openssl_version}.cnf openssl.cnf
|
||||||
|
|
||||||
|
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
|
||||||
|
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
|
||||||
|
fi
|
||||||
|
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
|
||||||
|
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
|
||||||
|
fi
|
||||||
|
if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
|
||||||
|
rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
|
||||||
|
fi
|
||||||
|
sed -i 's| --interact||g' build-key-server
|
||||||
|
sed -i 's| --interact||g' build-ca
|
||||||
|
./build-ca
|
||||||
|
./build-key-server ${OPENVPN_SERVER_NAME}
|
||||||
|
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
|
||||||
|
echo $'OpenVPN crt not found' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 7823352
|
||||||
|
fi
|
||||||
|
server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
|
||||||
|
if [ ${#server_cert} -lt 10 ]; then
|
||||||
|
cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
|
||||||
|
echo $'Server cert generation failed' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 3284682
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
|
||||||
|
echo $'OpenVPN key not found' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 6839436
|
||||||
|
fi
|
||||||
|
if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
|
||||||
|
echo $'OpenVPN ca not found' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 7935203
|
||||||
|
fi
|
||||||
|
cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
|
||||||
|
|
||||||
|
create_user_vpn_key ${MY_USERNAME}
|
||||||
|
}
|
||||||
|
|
||||||
|
function generate_stunnel_keys {
|
||||||
|
echo "Creating stunnel keys" >> /var/log/${PROJECT_NAME}.log
|
||||||
|
openssl req -x509 -nodes -days 3650 -sha256 \
|
||||||
|
-subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
|
||||||
|
-newkey rsa:2048 -keyout /etc/stunnel/key.pem \
|
||||||
|
-out /etc/stunnel/cert.pem
|
||||||
|
if [ ! -f /etc/stunnel/key.pem ]; then
|
||||||
|
echo $'stunnel key not created' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 793530
|
||||||
|
fi
|
||||||
|
if [ ! -f /etc/stunnel/cert.pem ]; then
|
||||||
|
echo $'stunnel cert not created' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 204587
|
||||||
|
fi
|
||||||
|
chmod 400 /etc/stunnel/key.pem
|
||||||
|
chmod 640 /etc/stunnel/cert.pem
|
||||||
|
|
||||||
|
cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
|
||||||
|
chmod 640 /etc/stunnel/stunnel.pem
|
||||||
|
|
||||||
|
openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
|
||||||
|
if [ ! -f /etc/stunnel/stunnel.p12 ]; then
|
||||||
|
echo $'stunnel pkcs12 not created' >> /var/log/${PROJECT_NAME}.log
|
||||||
|
exit 639353
|
||||||
|
fi
|
||||||
|
chmod 640 /etc/stunnel/stunnel.p12
|
||||||
|
|
||||||
|
cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
|
||||||
|
cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
|
||||||
|
chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
|
||||||
|
echo "stunnel keys created" >> /var/log/${PROJECT_NAME}.log
|
||||||
|
}
|
||||||
|
|
||||||
|
function mesh_setup_vpn {
|
||||||
|
vpn_generate_keys
|
||||||
|
|
||||||
|
cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
|
||||||
|
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
|
||||||
|
|
||||||
|
generate_stunnel_keys
|
||||||
|
|
||||||
|
systemctl restart openvpn
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# whether to reset the identity
|
# whether to reset the identity
|
||||||
set_new_identity=
|
set_new_identity=
|
||||||
if [ $2 ]; then
|
if [ $2 ]; then
|
||||||
|
@ -596,6 +797,11 @@ if [ -f $MESH_INSTALL_SETUP ]; then
|
||||||
rm -rf /home/$MY_USERNAME/.ssb
|
rm -rf /home/$MY_USERNAME/.ssb
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Remove vpn keys
|
||||||
|
if [ -d /etc/openvpn/easy-rsa/keys ]; then
|
||||||
|
rm -rf /etc/openvpn/easy-rsa/keys/*
|
||||||
|
fi
|
||||||
|
|
||||||
echo $'Beginning mesh node setup' >> $INSTALL_LOG
|
echo $'Beginning mesh node setup' >> $INSTALL_LOG
|
||||||
|
|
||||||
if [ -d /home/$MY_USERNAME/.config ]; then
|
if [ -d /home/$MY_USERNAME/.config ]; then
|
||||||
|
|
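Review bot: In create_user_vpn_key the generated client.ovpn embeds the user's private key (the `<key>` block), yet the file is created by root under the default umask and is only chowned, never chmod'ed, so it is likely world-readable inside the user's home; add `chmod 600 $user_vpn_cert_file` immediately after the first `echo 'client' > $user_vpn_cert_file`. The `shred -zu` of `$username.key` at the end of that function is also defeated by the "keep a backup" copy just above it, which writes the same private key into `/etc/openvpn/easy-rsa/keys/$username.ovpn`; either drop that copy or at least `chmod 600` the backup. In generate_stunnel_keys the final `chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*` uses `$prefix` and `$userhome`, which are not set anywhere in this hunk (the cp lines above use `/home/$MY_USERNAME` directly), and the stunnel chown in mesh_setup_vpn runs before generate_stunnel_keys is called, so the stunnel.pem/stunnel.p12 copied into the home directory may be left root-owned unless those variables come from an earlier part of the file — `chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*` would match the rest of the function. Note also that `cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem` appends, so a re-run accumulates stale key/cert pairs in the bundle; `>` is what is wanted there.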