tools/install_openvpn.sh - devstack - Gitiles

 #!/bin/bash
 # install_openvpn.sh - Install OpenVPN and generate required certificates
 #
 # install_openvpn.sh --client name
 # install_openvpn.sh --server [name]
 #
 # name is used on the CN of the generated cert, and the filename of
 # the configuration, certificate and key files.
 #
 # --server mode configures the host with a running OpenVPN server instance
 # --client mode creates a tarball of a client configuration for this server

 # VPN Config
 VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 | awk "/inet addr:/ { print \$2 }" | cut -d: -f2`}  # 50.56.12.212
 VPN_PROTO=${VPN_PROTO:-tcp}
 VPN_PORT=${VPN_PORT:-6081}
 VPN_DEV=${VPN_DEV:-tun}
 VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}
 VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}
 VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}
 VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}

 VPN_DIR=/etc/openvpn
 CA_DIR=/etc/openvpn/easy-rsa

 usage() {
     echo "$0 - OpenVPN install and certificate generation"
     echo ""
     echo "$0 --client name"
     echo "$0 --server [name]"
     echo ""
     echo " --server mode configures the host with a running OpenVPN server instance"
     echo " --client mode creates a tarball of a client configuration for this server"
     exit 1
 }

 if [ -z $1 ]; then
     usage
 fi

 # Install OpenVPN
 if [ ! -x `which openvpn` ]; then
     apt-get install -y openvpn bridge-utils
 fi
 if [ ! -d $CA_DIR ]; then
     cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
 fi

 OPWD=`pwd`
 cd $CA_DIR
 source ./vars

 # Override the defaults
 export KEY_COUNTRY="US"
 export KEY_PROVINCE="TX"
 export KEY_CITY="SanAntonio"
 export KEY_ORG="Cloudbuilders"
 export KEY_EMAIL="rcb@lists.rackspace.com"

 if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
     # Initialize a new CA
     $CA_DIR/clean-all
     $CA_DIR/build-dh
     $CA_DIR/pkitool --initca
     openvpn --genkey --secret $CA_DIR/keys/ta.key  ## Build a TLS key
 fi

 do_server() {
     NAME=$1
     # Generate server certificate
     $CA_DIR/pkitool --server $NAME

     (cd $CA_DIR/keys;
         cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
     )
     cat >$VPN_DIR/$NAME.conf <<EOF
 proto $VPN_PROTO
 port $VPN_PORT
 dev $VPN_DEV
 cert $NAME.crt
 key $NAME.key  # This file should be kept secret
 ca ca.crt
 dh dh1024.pem
 duplicate-cn
 server $VPN_CLIENT_NET $VPN_CLIENT_MASK
 ifconfig-pool-persist ipp.txt
 push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"
 comp-lzo
 user nobody
 group nobody
 persist-key
 persist-tun
 status openvpn-status.log
 EOF
     /etc/init.d/openvpn restart
 }

 do_client() {
     NAME=$1
     # Generate a client certificate
     $CA_DIR/pkitool $NAME

     TMP_DIR=`mktemp -d`
     (cd $CA_DIR/keys;
         cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
     )
     if [ -r $VPN_DIR/hostname ]; then
         HOST=`cat $VPN_DIR/hostname`
     else
         HOST=`hostname`
     fi
     cat >$TMP_DIR/$HOST.conf <<EOF
 proto $VPN_PROTO
 port $VPN_PORT
 dev $VPN_DEV
 cert $NAME.crt
 key $NAME.key  # This file should be kept secret
 ca ca.crt
 client
 remote $VPN_SERVER $VPN_PORT
 resolv-retry infinite
 nobind
 user nobody
 group nobody
 persist-key
 persist-tun
 comp-lzo
 verb 3
 EOF
     (cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)
     rm -rf $TMP_DIR
     echo "Client certificate and configuration is in $OPWD/$NAME.tar"
 }

 # Process command line args
 case $1 in
     --client)   if [ -z $2 ]; then
                     usage
                 fi
                 do_client $2
                 ;;
     --server)   if [ -z $2 ]; then
                     NAME=`hostname`
                 else
                     NAME=$2
                     # Save for --client use
                     echo $NAME >$VPN_DIR/hostname
                 fi
                 do_server $NAME
                 ;;
     --clean)    $CA_DIR/clean-all
                 ;;
     *)          usage
 esac
	#!/bin/bash
	# install_openvpn.sh - Install OpenVPN and generate required certificates
	#
	# install_openvpn.sh --client name
	# install_openvpn.sh --server [name]
	#
	# name is used on the CN of the generated cert, and the filename of
	# the configuration, certificate and key files.
	#
	# --server mode configures the host with a running OpenVPN server instance
	# --client mode creates a tarball of a client configuration for this server

	# VPN Config
	VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 \| awk "/inet addr:/ { print \$2 }" \| cut -d: -f2`} # 50.56.12.212
	VPN_PROTO=${VPN_PROTO:-tcp}
	VPN_PORT=${VPN_PORT:-6081}
	VPN_DEV=${VPN_DEV:-tun}
	VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}
	VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}
	VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}
	VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}

	VPN_DIR=/etc/openvpn
	CA_DIR=/etc/openvpn/easy-rsa

	usage() {
	echo "$0 - OpenVPN install and certificate generation"
	echo ""
	echo "$0 --client name"
	echo "$0 --server [name]"
	echo ""
	echo " --server mode configures the host with a running OpenVPN server instance"
	echo " --client mode creates a tarball of a client configuration for this server"
	exit 1
	}

	if [ -z $1 ]; then
	usage
	fi

	# Install OpenVPN
	if [ ! -x `which openvpn` ]; then
	apt-get install -y openvpn bridge-utils
	fi
	if [ ! -d $CA_DIR ]; then
	cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
	fi

	OPWD=`pwd`
	cd $CA_DIR
	source ./vars

	# Override the defaults
	export KEY_COUNTRY="US"
	export KEY_PROVINCE="TX"
	export KEY_CITY="SanAntonio"
	export KEY_ORG="Cloudbuilders"
	export KEY_EMAIL="rcb@lists.rackspace.com"

	if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
	# Initialize a new CA
	$CA_DIR/clean-all
	$CA_DIR/build-dh
	$CA_DIR/pkitool --initca
	openvpn --genkey --secret $CA_DIR/keys/ta.key ## Build a TLS key
	fi

	do_server() {
	NAME=$1
	# Generate server certificate
	$CA_DIR/pkitool --server $NAME

	(cd $CA_DIR/keys;
	cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
	)
	cat >$VPN_DIR/$NAME.conf <<EOF
	proto $VPN_PROTO
	port $VPN_PORT
	dev $VPN_DEV
	cert $NAME.crt
	key $NAME.key # This file should be kept secret
	ca ca.crt
	dh dh1024.pem
	duplicate-cn
	server $VPN_CLIENT_NET $VPN_CLIENT_MASK
	ifconfig-pool-persist ipp.txt
	push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"
	comp-lzo
	user nobody
	group nobody
	persist-key
	persist-tun
	status openvpn-status.log
	EOF
	/etc/init.d/openvpn restart
	}

	do_client() {
	NAME=$1
	# Generate a client certificate
	$CA_DIR/pkitool $NAME

	TMP_DIR=`mktemp -d`
	(cd $CA_DIR/keys;
	cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
	)
	if [ -r $VPN_DIR/hostname ]; then
	HOST=`cat $VPN_DIR/hostname`
	else
	HOST=`hostname`
	fi
	cat >$TMP_DIR/$HOST.conf <<EOF
	proto $VPN_PROTO
	port $VPN_PORT
	dev $VPN_DEV
	cert $NAME.crt
	key $NAME.key # This file should be kept secret
	ca ca.crt
	client
	remote $VPN_SERVER $VPN_PORT
	resolv-retry infinite
	nobind
	user nobody
	group nobody
	persist-key
	persist-tun
	comp-lzo
	verb 3
	EOF
	(cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)
	rm -rf $TMP_DIR
	echo "Client certificate and configuration is in $OPWD/$NAME.tar"
	}

	# Process command line args
	case $1 in
	--client) if [ -z $2 ]; then
	usage
	fi
	do_client $2
	;;
	--server) if [ -z $2 ]; then
	NAME=`hostname`
	else
	NAME=$2
	# Save for --client use
	echo $NAME >$VPN_DIR/hostname
	fi
	do_server $NAME
	;;
	--clean) $CA_DIR/clean-all
	;;
	*) usage
	esac