From 565af91d8c2b1f12d87ea60e9734192fe1ca5354 Mon Sep 17 00:00:00 2001 From: Christoph Date: Wed, 3 Apr 2024 22:54:08 +0200 Subject: [PATCH] Add support vor OpenVPN Conector v3. --- build_key-pass.sh | 290 +++++++++++++++++++++++++++++++++++++++++-- create_key_config.sh | 290 +++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 563 insertions(+), 17 deletions(-) diff --git a/build_key-pass.sh b/build_key-pass.sh index a7856a8..3610481 100755 --- a/build_key-pass.sh +++ b/build_key-pass.sh @@ -449,6 +449,8 @@ fi _client_conf_dir="${OPENVPN_BASE_DIR}/client-configs" _client_conf_file="${_client_conf_dir}/${NEW_KEY_NAME}.conf" +_client_openvpn_connector_v3="${_client_conf_dir}/${NEW_KEY_NAME}.v3.ovpn" +_client_openvpn_connector_v2="${_client_conf_dir}/${NEW_KEY_NAME}.v2.ovpn" echononl " Create client config dir '$_client_conf_dir'.." if [[ ! -d "$_client_conf_dir" ]]; then @@ -670,8 +672,8 @@ cat << EOF >> "$_client_conf_file" 2> $log_file ;cipher AES-256-CBC EOF -if [[ "${SERVER_CIPHER,,}" != "none" ]]; then - cat <> ${_server_conf_file} 2>> "$log_file" +if [[ "${SERVER_CIPHER,,}" != "none" ]] && [[ ! "${SERVER_CIPHER}" =~ AES-256- ]] ; then + cat <> ${_client_conf_file} 2>> "$log_file" cipher ${SERVER_CIPHER} EOF fi 
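Review bot: `_client_openvpn_connector_v2` is defined here as a path but, unlike `_client_openvpn_connector_v3`, nowhere in this patch is a file written to it; its `basename` is only used further down to rename a copy of `$_client_conf_file`. A comment on the definition, `# name only: the v2 profile is the plain .conf copied under this name`, would stop a reader from looking for a missing generator. The same two lines are added in create_key_config.sh at `@@ -393,6 +393,8 @@`.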
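Review bot: The new cipher guard compares `${SERVER_CIPHER,,}` case-insensitively against `none` but then matches the raw `${SERVER_CIPHER}` against `AES-256-` case-sensitively, so a value such as `aes-256-gcm` passes the first test, fails the second and still gets a `cipher` line written; `[[ ! "${SERVER_CIPHER^^}" =~ AES-256- ]]` gives both tests the same normalisation. The redirection target `${_client_conf_file}` is unquoted while `"$log_file"` on the same line is quoted; `"${_client_conf_file}"` keeps a key name containing spaces from splitting. As rendered here the line reads `cat <> ${_client_conf_file}`, which in bash opens the file read/write as stdin rather than starting a here-document; if this is merely `<< EOF >>` lost in this view it is harmless, but it is worth confirming in the committed file. The same change appears in create_key_config.sh in the `@@ -612,8 +614,8 @@` hunk.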
@@ -726,6 +728,278 @@ else fi +# --- +# Create client config for OpenVPN Connector V3 +# --- + +echononl " Create sample client configuration ${_client_openvpn_connector_v3} for OpenVPN Connector V3 .." +cat << EOF > "$_client_openvpn_connector_v3" 2> $log_file +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server +;proto tcp +proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +remote $OPENVPN_SERVER $SERVER_PORT udp4 + +# !! Not supported by OpenVPN Connect +##topology subnet + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +# +# !! 
Not supported by OpenVPN Connect +##resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +;user openvpn +;group openvpn + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + + +# Try to preserve some state across restarts. +# +# !! Not supported by OpenVPN Connect +##persist-key +##persist-tun + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. 
+;ca ${_CA_CERT} +;cert ${_CLIENT_CERT} +;key ${_CLIENT_KEY} + +# Server CA + +EOF + +_file="${_CA_CERT}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Client Certificate + +EOF + +_file="${_CLIENT_CERT}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Client Key + +EOF + +_file="${_CLIENT_KEY}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Verify server certificate by checking that the +# certificate has the correct key usage set. +# This is an important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +remote-cert-tls server + +# If a tls-auth key is used on the server +# then every client must also have the key. 
+;tls-auth ${_TA_KEY} 1 + +key-direction 1 + +EOF + +_file="${_TA_KEY}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the data-ciphers option in the manpage +;cipher AES-256-CBC +EOF + +if [[ "${SERVER_CIPHER,,}" != "none" ]] && [[ ! "${SERVER_CIPHER}" =~ AES-256- ]] ; then + cat <> ${_client_openvpn_connector_v3} 2>> "$log_file" +cipher ${SERVER_CIPHER} +EOF +fi + +cat <> "$_client_openvpn_connector_v3" 2>> "$log_file" + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +;comp-lzo +EOF + +if $LZO_COMPRESSION ; then + cat <> ${_client_openvpn_connector_v3} 2>> "$log_file" +# !! OpenVPN Connect needs 'comp-lzo yes' +comp-lzo yes +EOF +fi + +cat <> ${_client_openvpn_connector_v3} 2>> "$log_file" + +# --auth-nocache +# +# Don't cache --askpass or --auth-user-pass username/passwords in +# virtual memory. +# If specified, this directive will cause OpenVPN to immediately forget +# username/password inputs after they are used. As a result, when OpenVPN +# needs a username/password, it will prompt for input from stdin, which may +# be multiple times during the duration of an OpenVPN session. +# +# When using --auth-nocache in combination with a user/password file +# and --chroot or --daemon, make sure to use an absolute path. +# +# !! Not supported by OpenVPN Connect +##auth-nocache + +# Verbosity level. +# 0 -- quiet except for fatal errors. +# 1 -- mostly quiet, but display non-fatal network errors. 
+# 3 -- medium output, good for normal operation. +# 9 -- verbose, good for troubleshooting +verb 1 + +# Setting 'pull' on the client takes care to get the 'push' durectives +# from the server +# !! Not supported by OpenVPN Connect +##pull +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed +fi + + echo "" echo -e "\033[32m--\033[m" @@ -801,9 +1075,12 @@ if $_copy_to_user_home_dir ; then if [[ -n "$ORG_SHORTCUT" ]]; then cp -a "$_client_conf_file" "${_target_dir}/${ORG_SHORTCUT}-$(basename $_client_conf_file)" >> $log_file 2>&1 - cp -a "$_client_conf_file" "${_target_dir}/${ORG_SHORTCUT} $(basename $_client_conf_file)" >> $log_file 2>&1 + cp -a "$_client_conf_file" "${_target_dir}/${ORG_SHORTCUT}-$(basename $_client_openvpn_connector_v2)" >> $log_file 2>&1 + cp -a "$_client_openvpn_connector_v3" "${_target_dir}/${ORG_SHORTCUT}-$(basename $_client_openvpn_connector_v3)" >> $log_file 2>&1 else cp -a "$_client_conf_file" "${_target_dir}/${KEY_CN/VPN-/}-$(basename $_client_conf_file)" >> $log_file 2>&1 + cp -a "$_client_conf_file" "${_target_dir}/${KEY_CN/VPN-/}-$(basename $_client_openvpn_connector_v2)" >> $log_file 2>&1 + cp -a "$_client_openvpn_connector_v3" "${_target_dir}/${KEY_CN/VPN-/}-$(basename $_client_openvpn_connector_v3)" >> $log_file 2>&1 fi if [[ $? -ne 0 ]] ; then _failed=true @@ -816,13 +1093,6 @@ if $_copy_to_user_home_dir ; then _failed=true fi - # - Configuration for Windows OpenVPN - # - - cp -a "$_client_conf_file" "${_target_dir}/${_CLIENT_CN}.ovpn" >> $log_file 2>&1 - if [[ $? -ne 0 ]] ; then - _failed=true - fi - cp -a "${_CLIENT_CERT}" "${_target_dir}" >> $log_file 2>&1 if [[ $? -ne 0 ]] ; then _failed=true diff --git a/create_key_config.sh b/create_key_config.sh index 80c9ef5..4f47b69 100755 --- a/create_key_config.sh +++ b/create_key_config.sh 
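Review bot: The generated `.v3.ovpn` now embeds the client private key and the tls-auth secret, but it is created by `cat << EOF > "$_client_openvpn_connector_v3"` with whatever the process umask allows and is never `chmod`ed, so the key material can end up group- or world-readable; create it owner-only before the first here-doc, e.g. `( umask 077; : > "$_client_openvpn_connector_v3" ) && chmod 0600 "$_client_openvpn_connector_v3"`. The four `while IFS='' read -r line` loops are copies of each other and none checks that `$_file` exists, so a missing key file makes `done < $_file` fail without setting any flag, the loop body is skipped, and the trailing `if [[ $? -eq 0 ]]` (which only sees the last `cat`) still reports `echo_ok` for a profile with no key in it. A small helper with a readability check, called four times, removes the duplication and lets the final status reflect the embedding, as sketched below. As rendered here no `<ca>`/`<cert>`/`<key>`/`<tls-auth>` wrapper lines are visible around the PEM blocks; if they were dropped as markup in this view ignore this, otherwise OpenVPN will not parse the inline blocks. The same block is added verbatim to create_key_config.sh in the `@@ -667,6 +669,281 @@` hunk.
```shell
# … unchanged: echononl "Create sample client configuration …" …
# The profile embeds the client key and the tls-auth secret:
# create it owner-only before anything is written into it.
( umask 077; : > "$_client_openvpn_connector_v3" ) && chmod 0600 "$_client_openvpn_connector_v3"
cat << EOF > "$_client_openvpn_connector_v3" 2> $log_file
# … unchanged: here-doc body up to "# Server CA" …
EOF

#######################################
# Append the PEM block(s) of a file to the connector profile.
# Arguments: $1 - PEM file to read, $2 - profile to append to
# Outputs:   logs to $log_file when $1 cannot be read
# Returns:   1 if $1 is missing or unreadable, else 0
#######################################
append_pem_block() {
  local _src=$1 _dst=$2 _line _inside=false
  if [[ ! -r "$_src" ]]; then
    printf 'cannot read %s\n' "$_src" >> "$log_file"
    return 1
  fi
  while IFS='' read -r _line || [[ -n "$_line" ]]; do
    [[ "$_line" == *-----BEGIN* ]] && _inside=true
    if $_inside ; then
      printf '%s\n' "$_line" >> "$_dst"
    fi
    [[ "$_line" == *-----END* ]] && _inside=false
  done < "$_src"
}

_embed_failed=false
append_pem_block "$_CA_CERT" "$_client_openvpn_connector_v3" || _embed_failed=true
# … unchanged: "# Client Certificate" here-doc …
append_pem_block "$_CLIENT_CERT" "$_client_openvpn_connector_v3" || _embed_failed=true
# … unchanged: "# Client Key" here-doc …
append_pem_block "$_CLIENT_KEY" "$_client_openvpn_connector_v3" || _embed_failed=true
# … unchanged: remote-cert-tls / key-direction here-doc …
append_pem_block "$_TA_KEY" "$_client_openvpn_connector_v3" || _embed_failed=true
# … unchanged: cipher, comp-lzo, auth-nocache and verb here-docs …
EOF
if [[ $? -eq 0 ]] && ! $_embed_failed ; then
  echo_ok
else
  echo_failed
fi
```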
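Review bot: The `if [[ $? -ne 0 ]]` after the `if [[ -n "$ORG_SHORTCUT" ]] … else … fi` block only sees the exit status of the last command in the taken branch, which is now the new `cp -a "$_client_openvpn_connector_v3" …` line, so a failed copy of `$_client_conf_file` under the `.conf` or the v2 name no longer sets `_failed`. Appending `|| _failed=true` to each `cp` in both branches is the smallest fix, e.g. `cp -a "$_client_conf_file" "${_target_dir}/${ORG_SHORTCUT}-$(basename "$_client_openvpn_connector_v2")" >> "$log_file" 2>&1 || _failed=true`; quoting the `basename` argument at the same time keeps a name with spaces intact. The same pattern is added in create_key_config.sh at `@@ -700,9 +977,12 @@`. The enclosing `if $_copy_to_user_home_dir` block starts and ends outside this hunk.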
@@ -393,6 +393,8 @@ echo "" _client_conf_dir="${OPENVPN_BASE_DIR}/client-configs" _client_conf_file="${_client_conf_dir}/${NEW_KEY_NAME}.conf" +_client_openvpn_connector_v3="${_client_conf_dir}/${NEW_KEY_NAME}.v3.ovpn" +_client_openvpn_connector_v2="${_client_conf_dir}/${NEW_KEY_NAME}.v2.ovpn" echononl " Create client config dir '$_client_conf_dir'.." if [[ ! -d "$_client_conf_dir" ]]; then @@ -612,8 +614,8 @@ cat << EOF >> "$_client_conf_file" 2> $log_file # See also the data-ciphers option in the manpage EOF -if [[ "${SERVER_CIPHER,,}" != "none" ]]; then - cat <> ${_server_conf_file} 2>> "$log_file" +if [[ "${SERVER_CIPHER,,}" != "none" ]] && [[ ! "${SERVER_CIPHER}" =~ AES-256- ]] ; then + cat <> ${_client_conf_file} 2>> "$log_file" cipher ${SERVER_CIPHER} EOF fi 
@@ -667,6 +669,281 @@ else #error "$(cat $log_file)" fi + +# --- +# Create client config for OpenVPN Connector V3 +# --- + +echononl " Create sample client configuration ${_client_openvpn_connector_v3} for OpenVPN Connector V3 .." +cat << EOF > "$_client_openvpn_connector_v3" 2> $log_file +############################################## +# Sample client-side OpenVPN 2.0 config file # +# for connecting to multi-client server. # +# # +# This configuration can be used by multiple # +# clients, however each client should have # +# its own cert and key files. # +# # +# On Windows, you might want to rename this # +# file so it has a .ovpn extension # +############################################## + +# Specify that we are a client and that we +# will be pulling certain config file directives +# from the server. +client + +# Use the same setting as you are using on +# the server. +# On most systems, the VPN will not function +# unless you partially or fully disable +# the firewall for the TUN/TAP interface. +;dev tap +dev tun + +# Windows needs the TAP-Win32 adapter name +# from the Network Connections panel +# if you have more than one. On XP SP2, +# you may need to disable the firewall +# for the TAP adapter. +;dev-node MyTap + +# Are we connecting to a TCP or +# UDP server? Use the same setting as +# on the server +;proto tcp +proto udp + +# The hostname/IP and port of the server. +# You can have multiple remote entries +# to load balance between the servers. +remote $OPENVPN_SERVER $SERVER_PORT udp4 + +# !! Not supported by OpenVPN Connect +##topology subnet + +# Choose a random host from the remote +# list for load-balancing. Otherwise +# try hosts in the order specified. +;remote-random + +# Keep trying indefinitely to resolve the +# host name of the OpenVPN server. Very useful +# on machines which are not permanently connected +# to the internet such as laptops. +# +# !! 
Not supported by OpenVPN Connect +##resolv-retry infinite + +# Most clients don't need to bind to +# a specific local port number. +nobind + +# Downgrade privileges after initialization (non-Windows only) +;user openvpn +;group openvpn + +# If you are connecting through an +# HTTP proxy to reach the actual OpenVPN +# server, put the proxy server/IP and +# port number here. See the man page +# if your proxy server requires +# authentication. +;http-proxy-retry # retry on connection failures +;http-proxy [proxy server] [proxy port #] + +# Wireless networks often produce a lot +# of duplicate packets. Set this flag +# to silence duplicate packet warnings. +;mute-replay-warnings + + +# Try to preserve some state across restarts. +# +# !! Not supported by OpenVPN Connect +##persist-key +##persist-tun + +# SSL/TLS parms. +# See the server config file for more +# description. It's best to use +# a separate .crt/.key file pair +# for each client. A single ca +# file can be used for all clients. 
+;ca ${_CA_CERT} +;cert ${_CLIENT_CERT} +;key ${_CLIENT_KEY} + +# Server CA + +EOF + +_file="${_CA_CERT}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Client Certificate + +EOF + +_file="${_CLIENT_CERT}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Client Key + +EOF + +_file="${_CLIENT_KEY}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Verify server certificate by checking that the +# certificate has the correct key usage set. +# This is an important precaution to protect against +# a potential attack discussed here: +# http://openvpn.net/howto.html#mitm +# +# To use this feature, you will need to generate +# your server certificates with the keyUsage set to +# digitalSignature, keyEncipherment +# and the extendedKeyUsage to +# serverAuth +# EasyRSA can do this for you. +remote-cert-tls server + +# If a tls-auth key is used on the server +# then every client must also have the key. 
+;tls-auth ${_TA_KEY} 1 + +key-direction 1 + +EOF + +_file="${_TA_KEY}" +_found=false +while IFS='' read -r line || [[ -n $line ]]; do + if [[ "$line" =~ "-----BEGIN" ]] ; then + _found=true + fi + if $_found ; then + echo "$line" >> "$_client_openvpn_connector_v3" + fi + if [[ "$line" =~ "-----END" ]]; then + _found=false + fi +done < $_file + +cat << EOF >> "$_client_openvpn_connector_v3" 2> $log_file + + +# Select a cryptographic cipher. +# If the cipher option is used on the server +# then you must also specify it here. +# Note that v2.4 client/server will automatically +# negotiate AES-256-GCM in TLS mode. +# See also the data-ciphers option in the manpage +;cipher AES-256-CBC +EOF + +if [[ "${SERVER_CIPHER,,}" != "none" ]] && [[ ! "${SERVER_CIPHER}" =~ AES-256- ]] ; then + cat <> ${_client_openvpn_connector_v3} 2>> "$log_file" +cipher ${SERVER_CIPHER} +EOF +fi + +cat <> "$_client_openvpn_connector_v3" 2>> "$log_file" + +# Enable compression on the VPN link. +# Don't enable this unless it is also +# enabled in the server config file. +;comp-lzo +EOF + +if $LZO_COMPRESSION ; then + cat <> ${_client_openvpn_connector_v3} 2>> "$log_file" +# !! OpenVPN Connect needs 'comp-lzo yes' +comp-lzo yes +EOF +fi + +cat <> ${_client_openvpn_connector_v3} 2>> "$log_file" + +# --auth-nocache +# +# Don't cache --askpass or --auth-user-pass username/passwords in +# virtual memory. +# If specified, this directive will cause OpenVPN to immediately forget +# username/password inputs after they are used. As a result, when OpenVPN +# needs a username/password, it will prompt for input from stdin, which may +# be multiple times during the duration of an OpenVPN session. +# +# When using --auth-nocache in combination with a user/password file +# and --chroot or --daemon, make sure to use an absolute path. +# +# !! Not supported by OpenVPN Connect +##auth-nocache + +# Verbosity level. +# 0 -- quiet except for fatal errors. +# 1 -- mostly quiet, but display non-fatal network errors. 
+# 3 -- medium output, good for normal operation. +# 9 -- verbose, good for troubleshooting +verb 1 + +# Setting 'pull' on the client takes care to get the 'push' durectives +# from the server +# !! Not supported by OpenVPN Connect +##pull +EOF +if [[ $? -eq 0 ]] ; then + echo_ok +else + echo_failed + #error "$(cat $log_file)" +fi + + + echo "" echononl " Create directory '$(dirname "$_target_dir")'.." @@ -700,9 +977,12 @@ if [[ $? -ne 0 ]] ; then fi if [[ -n "$ORG_SHORTCUT" ]]; then cp -a "$_client_conf_file" "${_target_dir}/${ORG_SHORTCUT}-$(basename $_client_conf_file)" >> $log_file 2>&1 - cp -a "$_client_conf_file" "${_target_dir}/${ORG_SHORTCUT} $(basename $_client_conf_file)" >> $log_file 2>&1 + cp -a "$_client_conf_file" "${_target_dir}/${ORG_SHORTCUT}-$(basename $_client_openvpn_connector_v2)" >> $log_file 2>&1 + cp -a "$_client_openvpn_connector_v3" "${_target_dir}/${ORG_SHORTCUT}-$(basename $_client_openvpn_connector_v3)" >> $log_file 2>&1 else cp -a "$_client_conf_file" "${_target_dir}/${KEY_CN/VPN-/}-$(basename $_client_conf_file)" >> $log_file 2>&1 + cp -a "$_client_conf_file" "${_target_dir}/${KEY_CN/VPN-/}-$(basename $_client_openvpn_connector_v2)" >> $log_file 2>&1 + cp -a "$_client_openvpn_connector_v3" "${_target_dir}/${KEY_CN/VPN-/}-$(basename $_client_openvpn_connector_v3)" >> $log_file 2>&1 fi if [[ $? -ne 0 ]] ; then _failed=true @@ -714,10 +994,6 @@ cp -a "$_client_conf_file" "${_target_dir}/client-$(basename $_client_conf_file) if [[ $? -ne 0 ]] ; then _failed=true fi -cp -a "$_client_conf_file" "${_target_dir}/${_CLIENT_CN}.ovpn" -if [[ $? -ne 0 ]] ; then - _failed=true -fi cp -a "$_client_conf_file" "${_target_dir}/client-${NEW_KEY_NAME}.conf" if [[ $? -ne 0 ]] ; then _failed=true