install/openvpn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: install:565af91d8c2b1f12d87ea60e9734192fe1ca5354
Branches Tags
install:master
..
compare: install:f3a4dea46b11712db56990c8cf2568592f6b892c
Branches Tags
install:master

2 Commits
565af91d8c ... f3a4dea46b

Author SHA1 Message Date
Christoph
f3a4dea46b Ass script 'revoke_multiple_keys.sh'. 2024-05-11 15:19:34 +02:00
Christoph
df3e40f29c revoke_key.sh: add support for command line parameters. 2024-05-11 15:19:13 +02:00
2 changed files with 661 additions and 117 deletions
Expand all files Collapse all files

297
revoke_key.sh
View File

@@ -1,22 +1,93 @@
#!/usr/bin/env bash
script_dir="$(dirname $(realpath $0))"
script_name="$(basename $(realpath $0))"
working_dir="$(dirname $(realpath $0))"
log_file="$(mktemp)"
_date="$(date +%Y-%m-%d-%H%M)"
key_names_reserverd="ta ca server"
#if [[ $# -eq 0 ]] ; then
# BATCH_MODE=false
#elif [[ -z "${BATCH_MODE}" ]] ; then
# BATCH_MODE=false
#fi
# - For checking if revokation was successfull
# -
_CHECK_DIR="$(mktemp -d)"
_RT_CERT="${_CHECK_DIR}/revoke-test.pem"
#---------------------------------------
#-----------------------------
# Some functions
#-----------------------------
#---------------------------------------
# ----------
# Base Function(s)
# ----------
usage() {
[[ -n "$1" ]] && error "$1"
[[ $terminal ]] && echo -e "
\033[1mUsage:\033[m
$(basename $0) [OPTION [OPTION ..
\033[1mDescription\033[m
Revoke a given key from a alos given (local) OpenVPN Service
\033[1mOptions\033[m
-b
No interaction possible - run this script in batch mode
-C <name-of the OpenVPN service instance>
The nae of the instance of the OpenVPN servive from which a key is requested
to remove.
Example:
-C \033[1mopp-home\033[m - Revoke a key from OpenVPN service, which is startet with
configuration \033[1m/etc/openvpn/opp-home\033[m
-h
Prints this help.
-N <key-name>
the name of the key, which is requested ti revoke from OpenVPN Service
-S
Don't restart Service after (successfully) revoking the given key
\033[1mFiles\033[m
No script configuration file is used.
Configuration files for the OpenVPN service must be exists, i.e. for service \033[1mopp-home\033[m
${working_dir}/conf/server-opp-home.conf
\033[1mExample:\033[m
interactive run - all needed parameters will be requested:
$(basename $0)
running in batch mode - revoke key 'gudrun' from local OpenVPN service 'opp-home'.
Dont restart service if finished.
$(basename $0) -b -S -C opp-home -N gudrun
"
clean_up 1
}
clean_up() {
@@ -28,7 +99,7 @@ clean_up() {
}
blank_line() {
if $terminal ; then
if $terminal && ! ${BATCH_MODE}; then
echo ""
fi
}
@@ -48,6 +119,7 @@ is_int() {
}
echononl(){
if $terminal && ! ${BATCH_MODE} ; then
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
@@ -55,62 +127,116 @@ echononl(){
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
fi
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mError\033[m ]: $*"
echo ""
}
fatal(){
echo ""
echo -e "\t[ \033[31m\033[1mFatal\033[m ]: $*"
if $terminal ; then
echo -e " [ \033[31m\033[1mFatal\033[m ]: $*"
echo ""
echo -e "\t\033[37m\033[1mscript will be interrupted\033[m\033[m"
echo -e " \033[31m\033[1mScript was interupted\033[m!"
else
echo " [ Fatal ]: $*"
echo ""
echo " Script was terminated...."
fi
echo ""
clean_up 1
}
error (){
echo ""
if $terminal && ! ${BATCH_MODE} ; then
echo -e " [ \033[31m\033[1mError\033[m ]: $*"
else
echo "[ Error ]: $*"
fi
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
if $terminal && ! ${BATCH_MODE} ; then
echo -e " [ \033[33m\033[1mWarning\033[m ]: $*"
else
echo "[ Warning ]: $*"
fi
echo ""
}
info (){
warn_only_terminal () {
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
fi
}
info (){
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e " [ \033[32m\033[1mInfo\033[m ] $*"
echo ""
fi
}
ok (){
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e " [ \033[32m\033[1mOk\033[m ] $*"
echo ""
fi
}
print_command () {
echo ""
echo -e "\t\033[33m\033[1mCommand was\033[m: $*"
echo ""
}
echo_done() {
echo -e "\033[80G[ \033[32mdone\033[m ]"
if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
fi
}
echo_ok() {
echo -e "\033[80G[ \033[32mok\033[m ]"
if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
fi
}
echo_warning() {
echo -e "\033[80G[ \033[33m\033[1mwarn\033[m ]"
echo_warn() {
if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[33mwarn\033[m ]"
fi
}
echo_failed(){
echo -e "\033[80G[ \033[1;31mfailed\033[m ]"
if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
fi
}
echo_skipped() {
echo -e "\033[80G[ \033[37mskipped\033[m ]"
if $terminal && ! ${BATCH_MODE} ; then
echo -e "\033[75G[ \033[90m\033[1mskipped\033[m ]"
fi
}
echo_wait(){
if $terminal && ! ${BATCH_MODE} ; then
echo -en "\033[75G[ \033[5m\033[1m...\033[m ]"
fi
}
trap clean_up SIGHUP SIGINT SIGTERM
# ----------
# - Some checks ..
# ----------
# -------------
# --- Check some prerequisites
# -------------
# - Running in a terminal?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
# -Is systemd supported on this system?
# -
@@ -123,41 +249,90 @@ if [[ -n "$systemd" ]] && [[ -n "$systemctl" ]] ; then
fi
clear
# ----------
# - Read commandline parameter
# ----------
BATCH_MODE=false
OPENVPN_SERVER_CONFIG=
KEY_NAME_TO_REVOKE=
RESTART_OPENVPN_SERVICE=true
while getopts bC:hN:S opt ; do
case $opt in
b) BATCH_MODE=true
;;
C) OPENVPN_SERVER_CONFIG="${OPTARG}"
;;
h) usage
;;
N) KEY_NAME_TO_REVOKE="${OPTARG}"
;;
S) RESTART_OPENVPN_SERVICE=false
;;
esac
done
if ${BATCH_MODE} ; then
if [[ -z "${OPENVPN_SERVER_CONFIG}" ]] && [[ -z "${KEY_NAME_TO_REVOKE}" ]]; then
fatal "In batch mode both a server configuration (-C) and the key name (-N) musit be specified!"
elif [[ -z "${OPENVPN_SERVER_CONFIG}" ]] ; then
fatal "In batch mode also a server configuration (-C) must be specified!"
elif [[ -z "${KEY_NAME_TO_REVOKE}" ]]; then
fatal "In batch mode also the key name (-N) must be specified!"
fi
fi
#clear
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e "\033[21G\033[32mRevoke OpenVPN key.. \033[m"
echo ""
echo ""
fi
declare -a conf_file_arr=()
declare -a conf_name_arr=()
for _conf_file in `ls ${script_dir}/conf/server-*.conf 2>/dev/null` ; do
conf_file_arr+=("${_conf_file}")
for _conf_file in `ls ${working_dir}/conf/server-*.conf 2>/dev/null` ; do
_basename=$(basename $_conf_file)
_tmp_name=${_basename%%.*}
_tmp_name=${_tmp_name#*-}
if ${BATCH_MODE} ; then
if [[ "${_tmp_name}" = "${OPENVPN_SERVER_CONFIG}" ]]; then
conf_file="${_conf_file}"
break
fi
else
conf_name_arr+=("$_tmp_name")
conf_file_arr+=("${_conf_file}")
fi
done
if [[ ${#conf_file_arr[@]} -lt 1 ]] ; then
if [[ ${#conf_file_arr[@]} -lt 1 ]] && [[ -z "${conf_file}" ]]; then
fatal "NO Configuration found!"
fi
echo ""
blank_line
declare -i i=0
if ! ${BATCH_MODE} ; then
if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then
if $terminal ; then
echo ""
echo "Which Configuration should be loaded?"
echo ""
fi
for _conf_file in ${conf_file_arr[@]} ; do
if $terminal ; then
echo " [${i}] ${conf_name_arr[${i}]}"
fi
(( i++ ))
done
_OK=false
echo
blank_line
echononl "Eingabe: "
while ! $_OK ; do
read _IN
@@ -165,27 +340,32 @@ if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then
conf_file=${conf_file_arr[$_IN]}
_OK=true
else
if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then
if $terminal ; then
echo ""
echo -e "\tFalsche Eingabe !"
echo ""
fi
echononl "Eingabe: "
fi
fi
done
else
conf_file=${conf_file_arr[0]}
fi
fi
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
fi
#---------------------------------------
#-----------------------------
# Read Configurations from $conf_file
#-----------------------------
#---------------------------------------
# ----------
# - Read Configurations from $conf_file
# ----------
echononl " Load Configuration File $(basename ${conf_file}).."
if [[ ! -f "$conf_file" ]]; then
@@ -219,18 +399,24 @@ fi
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
KEY_NAME_TO_REVOKE=""
fi
#KEY_NAME_TO_REVOKE=""
if [ -z "$KEY_NAME_TO_REVOKE" ]; then
if $terminal && ! ${BATCH_MODE} ; then
echo "Insert key name you wish to revoke."
echo ""
echo ""
fi
echononl "key name to revoke: "
read KEY_NAME_TO_REVOKE
while [ "X$KEY_NAME_TO_REVOKE" = "X" ] ; do
if $terminal && ! ${BATCH_MODE} ; then
echo -e "\n\t\033[33m\033[1mKey name is required!\033[m\n"
fi
echononl "key name: "
read KEY_NAME_TO_REVOKE
done
@@ -260,9 +446,12 @@ if [[ ! -f "${_CLIENT_CERT}" ]]; then
fatal "Key '$KEY_NAME_TO_REVOKE' not found!"
fi
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Server Configuration....: ${OPENVPN_SERVER_CONFIG}"
echo "Key to revoke...........: $(basename "$_CLIENT_KEY")"
info "Going to revoke key \033[37m\033[1m$(basename "$_CLIENT_KEY")\033[m.."
@@ -272,17 +461,21 @@ echo ""
if [[ "$OK" != "YES" ]] ; then
fatal "Abort by user request - Answer as not 'YES'"
fi
fi
# ----------
# - Main part of script
# ----------
#---------------------------------------
#-----------------------------
# Revoke Key
#-----------------------------
#---------------------------------------
if $terminal && ! ${BATCH_MODE} ; then
echo ""
echo ""
echo -e " \033[1mMain part of script - Goimg to revoke key of requested user $(basename "$_CLIENT_KEY")..\033[m"
echo ""
fi
blank_line
# ---
# - Backup existing OpenVPN directory
@@ -473,10 +666,11 @@ else
fi
# ---
# - Start apache webservice
# - Restart OpenVPN service
# ---
echo ""
echononl "\tRestart OpenVPN Service.."
if ${RESTART_OPENVPN_SERVICE} ; then
if $systemd_supported ; then
systemctl restart openvpn > $log_file 2>&1
else
@@ -489,6 +683,9 @@ else
error "$(cat $log_file)"
warn "Restarting OpenVPN Service failed!."
fi
else
echo_skipped
fi
clean_up 0

347
revoke_multiple_keys.sh Executable file
View File

@@ -0,0 +1,347 @@
#!/usr/bin/env bash
script_name="$(basename $(realpath $0))"
working_dir="$(dirname $(realpath $0))"
conf_file="${working_dir}/conf/${script_name%%.*}.conf"
LOCK_DIR="/tmp/${script_name%%.*}.LOCK"
log_file="${LOCK_DIR}/${script_name%%.*}.log"
clean_up() {
# Perform program exit housekeeping
rm -rf "$LOCK_DIR"
blank_line
exit $1
}
echononl(){
if $terminal ; then
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n " $*\\c" 1>&2
else
echo -e -n " $*" 1>&2
fi
rm /tmp/shprompt$$
fi
}
fatal(){
echo ""
if $terminal ; then
echo -e " [ \033[31m\033[1mFatal\033[m ]: $*"
echo ""
echo -e " \033[31m\033[1mScript was interupted\033[m!"
else
echo " [ Fatal ]: $*"
echo ""
echo " Script was terminated...."
fi
echo ""
clean_up 1
}
error (){
echo ""
if $terminal ; then
echo -e " [ \033[31m\033[1mError\033[m ]: $*"
else
echo "[ Error ]: $*"
fi
echo ""
}
warn (){
echo ""
if $terminal ; then
echo -e " [ \033[33m\033[1mWarning\033[m ]: $*"
else
echo "[ Warning ]: $*"
fi
echo ""
}
warn_only_terminal () {
if $terminal ; then
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
fi
}
info (){
if $terminal ; then
echo ""
echo -e " [ \033[32m\033[1mInfo\033[m ] $*"
echo ""
fi
}
ok (){
if $terminal ; then
echo ""
echo -e " [ \033[32m\033[1mOk\033[m ] $*"
echo ""
fi
}
echo_done() {
if $terminal ; then
echo -e "\033[75G[ \033[32mdone\033[m ]"
fi
}
echo_ok() {
if $terminal ; then
echo -e "\033[75G[ \033[32mok\033[m ]"
fi
}
echo_warn() {
if $terminal ; then
echo -e "\033[75G[ \033[33mwarn\033[m ]"
fi
}
echo_failed(){
if $terminal ; then
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
fi
}
echo_skipped() {
if $terminal ; then
echo -e "\033[75G[ \033[90m\033[1mskipped\033[m ]"
fi
}
echo_wait(){
if $terminal ; then
echo -en "\033[75G[ \033[5m\033[1m...\033[m ]"
fi
}
# - Check if a given array (parameter 2) contains a given string (parameter 1)
# -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
trim() {
local var="$*"
var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
echo -n "$var"
}
is_number() {
return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
# - also possible
# -
#[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
#return $([[ ! -z "${1##*[!0-9]*}" ]])
}
is_int() {
return $(test "$@" -eq "$@" > /dev/null 2>&1);
}
blank_line() {
if $terminal ; then
echo ""
fi
}
# ----------
# - Some checks ..
# ----------
# - Running in a terminal?
# -
if [[ -t 1 ]] ; then
terminal=true
else
terminal=false
fi
# -------------
# - Job is already running?
# -------------
# - If job already runs, stop execution..
# -
if mkdir "$LOCK_DIR" 2> /dev/null ; then
## - Remove lockdir when the script finishes, or when it receives a signal
trap "clean_up 1" SIGHUP SIGINT SIGTERM
else
datum="$(date +"%d.%m.%Y %H:%M")"
msg="[ Error ]: A previos instance of \"`basename $0`\" seems already be running.\n\n Exiting now.."
echo ""
echo "[ Error ]: A previos instance of that script \"`basename $0`\" seems already be running."
echo ""
echo -e " Exiting now.."
echo ""
for _email in ${alert_email_arr[@]} ; do
echo -e "To:${_email}\n${content_type}\nSubject:Error cronjob `basename $0` -- $datum\n${msg}\n" \
| sendmail -F "Error `hostname -f`" -f $sender_address $_email
done
exit 1
fi
# ==========
# - Begin Main Script
# ==========
# ----------
# - Headline
# ----------
if $terminal ; then
echo ""
echo -e "\033[1m----------\033[m"
echo -e "\033[32m\033[1mRunning script \033[m\033[1m$script_name\033[32m .. \033[m"
echo -e "\033[1m----------\033[m"
fi
declare -a conf_file_arr=()
declare -a conf_name_arr=()
for _conf_file in `ls ${working_dir}/conf/server-*.conf 2>/dev/null` ; do
_basename=$(basename $_conf_file)
_tmp_name=${_basename%%.*}
_tmp_name=${_tmp_name#*-}
conf_name_arr+=("$_tmp_name")
conf_file_arr+=("${_conf_file}")
done
if [[ ${#conf_file_arr[@]} -lt 1 ]] && [[ -z "${conf_file}" ]]; then
fatal "NO Configuration found!"
fi
blank_line
declare -i i=0
OPENVPN_INSTANCE=
if [[ ${#conf_file_arr[@]} -gt 1 ]] ; then
if $terminal ; then
echo ""
echo "Which Configuration should be loaded?"
echo ""
fi
for _conf_file in ${conf_file_arr[@]} ; do
if $terminal ; then
echo " [${i}] ${conf_name_arr[${i}]}"
fi
(( i++ ))
done
_OK=false
blank_line
echononl "Eingabe: "
while ! $_OK ; do
read _IN
if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then
OPENVPN_INSTANCE="${conf_name_arr[$_IN]}"
_OK=true
else
if is_number "$_IN" && [[ -n ${conf_file_arr[$_IN]} ]]; then
if $terminal ; then
echo ""
echo -e "\tFalsche Eingabe !"
echo ""
fi
echononl "Eingabe: "
fi
fi
done
else
OPENVPN_INSTANCE="${conf_name_arr[0]}"
fi
echo ""
echo -e "\033[32m--\033[m"
echo ""
echo "Insert users(s), you wish to revoke from local OpenVPN system.."
echo ""
echo " Multiple users are supported - give a blank separated list"
echo ""
echo ""
users=
if [ -z "$_users" ]; then
echononl "Users: "
read users
while [ "X$users" = "X" ] ; do
echo -e "\n\t\033[33m\033[1mEingabe erforderlich.\033[m\n"
echononl "Users: "
read users
done
else
echononl "Users [${_users}]: "
read users
if [[ "X$users" = "X" ]]; then
users=$_users
fi
fi
# ----------
# - Main part of script
# ----------
if $terminal ; then
echo ""
echo ""
echo -e " \033[1mMain part of script - Goimg to revoke requested user..\033[m"
echo ""
fi
declare -a user_req_for_del_arr=()
for _user in ${users} ; do
user_req_for_del_arr+=("${_user}")
done
for _user in "${user_req_for_del_arr[@]}" ; do
echononl " Revoke user \033[1m${_user}\033[m from OpenVPN instance \033[1m${OPENVPN_INSTANCE}\033[m"
echo "1" | /usr/local/src/openvpn/get_all_keys.sh 2> /dev/null | grep -q -i $_user
if [[ $? -eq 0 ]] ; then
echo "1" | /usr/local/src/openvpn/get_revoked_keys.sh 2> /dev/null | grep -q -i $_user
if [[ $? -gt 0 ]] ; then
/usr/local/src/openvpn/revoke_key.sh -b -S -C ${OPENVPN_INSTANCE} -N ${_user} > ${log_file} 2>&1
if [[ $? -gt 0 ]]; then
echo_failed
error "$(cat ${log_file})"
else
echo_done
fi
else
echo_skipped
warn_only_terminal "User \033]1m${_user}\033[mn already revoked!"
fi
else
echo_skipped
warn_only_terminal "User \033]1m${_user}\033[mn has no OpenVPN credentials."
fi
done
echo ""
clean_up 0