Major refactor of vpn install
diff --git a/tools/install_openvpn.sh b/tools/install_openvpn.sh
index 3b52cf1..a3a2346 100644
--- a/tools/install_openvpn.sh
+++ b/tools/install_openvpn.sh
@@ -1,60 +1,154 @@
-# rough history from wilk - need to cleanup
-apt-get install -y openvpn bridge-utils
-cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
-cd /etc/openvpn/easy-rsa
-source vars
-./clean-all
-./build-dh
-./pkitool --initca
-./pkitool --server server
-./pkitool client1
-cd keys
-openvpn --genkey --secret ta.key ## Build a TLS key
-cp server.crt server.key ca.crt dh1024.pem ta.key ../../
-cd ../../
+#!/bin/bash
+# install_openvpn.sh - Install OpenVPN and generate required certificates
+#
+# install_openvpn.sh --client name
+# install_openvpn.sh --server [name]
+#
+# name is used on the CN of the generated cert, and the filename of
+# the configuration, certificate and key files.
+#
+# --server mode configures the host with a running OpenVPN server instance
+# --client mode creates a tarball of a client configuration for this server
-cat >/etc/openvpn/server.conf <<EOF
-duplicate-cn
-port 6081
-proto tcp
-dev tun
+# VPN Config
+VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`} # 50.56.12.212
+VPN_PROTO=${VPN_PROTO:-tcp}
+VPN_PORT=${VPN_PORT:-6081}
+VPN_DEV=${VPN_DEV:-tun}
+VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}
+VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}
+VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}
+VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}
+
+VPN_DIR=/etc/openvpn
+CA_DIR=/etc/openvpn/easy-rsa
+
+usage() {
+ echo "$0 - OpenVPN install and certificate generation"
+ echo ""
+ echo "$0 --client name"
+ echo "$0 --server [name]"
+ echo ""
+ echo " --server mode configures the host with a running OpenVPN server instance"
+ echo " --client mode creates a tarball of a client configuration for this server"
+ exit 1
+}
+
+if [ -z $1 ]; then
+ usage
+fi
+
+# Install OpenVPN
+if [ ! -x `which openvpn` ]; then
+ apt-get install -y openvpn bridge-utils
+fi
+if [ ! -d $CA_DIR ]; then
+ cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
+fi
+
+OPWD=`pwd`
+cd $CA_DIR
+source ./vars
+
+# Override the defaults
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="TX"
+export KEY_CITY="SanAntonio"
+export KEY_ORG="Cloudbuilders"
+export KEY_EMAIL="rcb@lists.rackspace.com"
+
+if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
+ # Initialize a new CA
+ $CA_DIR/clean-all
+ $CA_DIR/build-dh
+ $CA_DIR/pkitool --initca
+ openvpn --genkey --secret $CA_DIR/keys/ta.key ## Build a TLS key
+fi
+
+do_server() {
+ NAME=$1
+ # Generate server certificate
+ $CA_DIR/pkitool --server $NAME
+
+ (cd $CA_DIR/keys;
+ cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
+ )
+ cat >$VPN_DIR/$NAME.conf <<EOF
+proto $VPN_PROTO
+port $VPN_PORT
+dev $VPN_DEV
+cert $NAME.crt
+key $NAME.key # This file should be kept secret
ca ca.crt
-cert server.crt
-key server.key # This file should be kept secret
dh dh1024.pem
-server 172.16.28.0 255.255.255.0
+duplicate-cn
+server $VPN_CLIENT_NET $VPN_CLIENT_MASK
ifconfig-pool-persist ipp.txt
-push "route 10.0.0.0 255.255.255.224"
+push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"
comp-lzo
+user nobody
+group nobody
persist-key
persist-tun
status openvpn-status.log
EOF
-/etc/init.d/openvpn restart
+ /etc/init.d/openvpn restart
+}
-echo Use the following ca for your client:
-cat /etc/openvpn/ca.crt
+do_client() {
+ NAME=$1
+ # Generate a client certificate
+ $CA_DIR/pkitool $NAME
-echo
-echo Use the following cert for your client
-cat /etc/openvpn/easy-rsa/keys/client1.crt
-echo
-echo Use the following key for your client
-cat /etc/openvpn/easy-rsa/keys/client1.key
-echo
-echo Use the following client config:
-cat <<EOF
+ TMP_DIR=`mktemp -d`
+ (cd $CA_DIR/keys;
+ cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
+ )
+ if [ -r $VPN_DIR/hostname ]; then
+ HOST=`cat $VPN_DIR/hostname`
+ else
+ HOST=`hostname`
+ fi
+ cat >$TMP_DIR/$HOST.conf <<EOF
+proto $VPN_PROTO
+port $VPN_PORT
+dev $VPN_DEV
+cert $NAME.crt
+key $NAME.key # This file should be kept secret
ca ca.crt
-cert client.crt
-key client.key
client
-dev tun
-proto tcp
-remote 50.56.12.212 6081
+remote $VPN_SERVER $VPN_PORT
resolv-retry infinite
nobind
+user nobody
+group nobody
persist-key
persist-tun
comp-lzo
verb 3
EOF
+ (cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)
+ rm -rf $TMP_DIR
+ echo "Client certificate and configuration is in $OPWD/$NAME.tar"
+}
+
+# Process command line args
+case $1 in
+ --client) if [ -z $2 ]; then
+ usage
+ fi
+ do_client $2
+ ;;
+ --server) if [ -z $2 ]; then
+ NAME=`hostname`
+ else
+ NAME=$2
+ # Save for --client use
+ echo $NAME >$VPN_DIR/hostname
+ fi
+ do_server $NAME
+ ;;
+ --clean) $CA_DIR/clean-all
+ ;;
+ *) usage
+esac