Advanced client management

README.md

@@ -37,7 +37,7 @@ Upstream links:
 
 * Retrieve the client configuration with embedded certificates
 
- docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+ docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
 
 * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
 
@@ -105,7 +105,7 @@ packets, etc).
  simplicity. It's highly recommended to secure the CA key with some
  passphrase to protect against a filesystem compromise. A more secure system
  would put the EasyRSA PKI CA on an offline system (can use the same Docker
- image to accomplish this).
+ image and the script ovpn_copy_server_files to accomplish this).
 * It would be impossible for an adversary to sign bad or forged certificates
  without first cracking the key's passphase should the adversary have root
  access to the filesystem.

bin/ovpn_getclient

@@ -5,25 +5,42 @@
 #
 
 if [ "$DEBUG" == "1" ]; then
- set -x
+  set -x
 fi
 
 set -e
 
-source "$OPENVPN/ovpn_env.sh"
-cn=$1
+if [ -z "$OPENVPN" ]; then
+ export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+ echo "Could not source $OPENVPN/ovpn_env.sh."
+ exit 1
+fi
+if [ -z "$EASYRSA_PKI" ]; then
+ export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+cn="$1"
+parm="$2"
 
 if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
- echo "Unable to find ${cn}, please try again or generate the key first"
+ >&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2
  exit 1
 fi
 
-cat <<EOF
+get_client_config() {
+ mode="$1"
+ echo "
 client
 nobind
 dev tun
 remote-cert-tls server
 
+remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
+"
+if [ "$mode" == "combined" ]; then
+ echo "
 <key>
 $(cat $EASYRSA_PKI/private/${cn}.key)
 </key>
@@ -40,9 +57,16 @@ $(cat $EASYRSA_PKI/dh.pem)
 $(cat $EASYRSA_PKI/ta.key)
 </tls-auth>
 key-direction 1
-
-remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
-EOF
+"
+else
+ echo "
+key ${cn}.key
+ca ca.crt
+cert ${cn}.crt
+dh dh.pem
+tls-auth ta.key 1
+"
+fi
 
 if [ "$OVPN_DEFROUTE" != "0" ];then
  echo "redirect-gateway def1"
@@ -51,3 +75,29 @@ fi
 if [ -n "$OVPN_MTU" ]; then
  echo "tun-mtu $OVPN_MTU"
 fi
+}
+
+dir="$OPENVPN/clients/$cn"
+case "$parm" in
+ "separated")
+ mkdir -p "$dir"
+ get_client_config "$parm" > "$dir/${cn}.ovpn"
+ cp "$EASYRSA_PKI/private/${cn}.key" "$dir/${cn}.key"
+ cp "$EASYRSA_PKI/ca.crt" "$dir/ca.crt"
+ cp "$EASYRSA_PKI/issued/${cn}.crt" "$dir/${cn}.crt"
+ cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
+ cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
+ ;;
+ "combined")
+ get_client_config "combined"
+ ;;
+ "combined-save")
+ get_client_config "combined" > "$dir/${cn}-combined.ovpn"
+ ;;
+ *)
+ >&2 echo "This script can produce the client configuration in to formats."
+ >&2 echo " 1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)."
+ >&2 echo " 2. separated: Separated files."
+ >&2 echo "Please specific one of those options as second parameter."
+ ;;
+esac

bin/ovpn_getclient_all

@@ -0,0 +1,25 @@
+#!/bin/bash
+## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
+## @author Copyright (C) 2015 Robin Schneider <[email protected]>
+
+if [ -z "$OPENVPN" ]; then
+ export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+ echo "Could not source $OPENVPN/ovpn_env.sh."
+ exit 1
+fi
+if [ -z "$EASYRSA_PKI" ]; then
+ export EASYRSA_PKI="$OPENVPN/pki"
+fi
+
+pushd "$EASYRSA_PKI"
+for name in issued/*.crt; do
+ name=${name%.crt}
+ name=${name#issued/}
+ if [ "$name" != "$OVPN_CN" ]; then
+ ovpn_getclient "$name" separated
+ ovpn_getclient "$name" combined-save
+ fi
+done
+popd

docs/advanced.md

@@ -13,7 +13,7 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
  docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
  vim openvpn.conf
  docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
- docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
+ docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn
 
 * Start the server with:
 

docs/clients.md

@@ -0,0 +1,28 @@
+# Advanced client management
+
+## Client configuration mode
+
+The `ovpn_getclient` can produce two different versions of the configuration.
+
+1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
+2. separated: Separated files.
+
+Note that some client software might be picky about which configuration format it accepts.
+
+## Batch mode
+
+If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
+
+Execute the following to generate the configuration for all clients:
+
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all
+
+After doing so, you will find the following files in each of the `$cn` directories:
+
+ ca.crt
+ dh.pem
+ $cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed.
+ $cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
+ $cn.crt
+ $cn.key
+ ta.key