Blame - tools/install_openvpn.sh - devstack

blob: ff88a065a916c87f926517018e6bdf5e726ca36e [file] [log] [blame]

Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	1	#!/bin/bash
				2	# install_openvpn.sh - Install OpenVPN and generate required certificates
				3	#
				4	# install_openvpn.sh --client name
				5	# install_openvpn.sh --server [name]
				6	#
				7	# name is used on the CN of the generated cert, and the filename of
				8	# the configuration, certificate and key files.
				9	#
				10	# --server mode configures the host with a running OpenVPN server instance
				11	# --client mode creates a tarball of a client configuration for this server
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	12
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	13	# Get config file
				14	if [ -e localrc.vpn ]; then
				15	. localrc.vpn
				16	fi
				17
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	18	# VPN Config
				19	VPN_SERVER=${VPN_SERVER:-`ifconfig eth0 \| awk "/inet addr:/ { print \$2 }" \| cut -d: -f2`} # 50.56.12.212
				20	VPN_PROTO=${VPN_PROTO:-tcp}
				21	VPN_PORT=${VPN_PORT:-6081}
				22	VPN_DEV=${VPN_DEV:-tun}
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	23	VPN_BRIDGE=${VPN_BRIDGE:-br0}
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	24	VPN_CLIENT_NET=${VPN_CLIENT_NET:-172.16.28.0}
				25	VPN_CLIENT_MASK=${VPN_CLIENT_MASK:-255.255.255.0}
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	26	VPN_CLIENT_DHCP="${VPN_CLIENT_DHCP:-172.16.28.1 172.16.28.254}"
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	27	VPN_LOCAL_NET=${VPN_LOCAL_NET:-10.0.0.0}
				28	VPN_LOCAL_MASK=${VPN_LOCAL_MASK:-255.255.0.0}
				29
				30	VPN_DIR=/etc/openvpn
				31	CA_DIR=/etc/openvpn/easy-rsa
				32
				33	usage() {
				34	echo "$0 - OpenVPN install and certificate generation"
				35	echo ""
				36	echo "$0 --client name"
				37	echo "$0 --server [name]"
				38	echo ""
				39	echo " --server mode configures the host with a running OpenVPN server instance"
				40	echo " --client mode creates a tarball of a client configuration for this server"
				41	exit 1
				42	}
				43
				44	if [ -z $1 ]; then
				45	usage
				46	fi
				47
				48	# Install OpenVPN
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	49	VPN_EXEC=`which openvpn`
				50	if [ -z "$VPN_EXEC" -o ! -x "$VPN_EXEC" ]; then
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	51	apt-get install -y openvpn bridge-utils
				52	fi
				53	if [ ! -d $CA_DIR ]; then
				54	cp -pR /usr/share/doc/openvpn/examples/easy-rsa/2.0/ $CA_DIR
				55	fi
				56
				57	OPWD=`pwd`
				58	cd $CA_DIR
				59	source ./vars
				60
				61	# Override the defaults
				62	export KEY_COUNTRY="US"
				63	export KEY_PROVINCE="TX"
				64	export KEY_CITY="SanAntonio"
				65	export KEY_ORG="Cloudbuilders"
				66	export KEY_EMAIL="rcb@lists.rackspace.com"
				67
				68	if [ ! -r $CA_DIR/keys/dh1024.pem ]; then
				69	# Initialize a new CA
				70	$CA_DIR/clean-all
				71	$CA_DIR/build-dh
				72	$CA_DIR/pkitool --initca
				73	openvpn --genkey --secret $CA_DIR/keys/ta.key ## Build a TLS key
				74	fi
				75
				76	do_server() {
				77	NAME=$1
				78	# Generate server certificate
				79	$CA_DIR/pkitool --server $NAME
				80
				81	(cd $CA_DIR/keys;
				82	cp $NAME.crt $NAME.key ca.crt dh1024.pem ta.key $VPN_DIR
				83	)
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	84	cat >$VPN_DIR/br-up <<EOF
				85	#!/bin/bash
				86
				87	BR="$VPN_BRIDGE"
				88	TAP="\$1"
				89
				90	for t in \$TAP; do
				91	openvpn --mktun --dev \$t
				92	brctl addif \$BR \$t
				93	ifconfig \$t 0.0.0.0 promisc up
				94	done
				95	EOF
				96	chmod +x $VPN_DIR/br-up
				97	cat >$VPN_DIR/br-down <<EOF
				98	#!/bin/bash
				99
				100	BR="$VPN_BRIDGE"
				101	TAP="\$1"
				102
				103	for i in \$TAP; do
				104	brctl delif \$BR $t
				105	openvpn --rmtun --dev \$i
				106	done
				107	EOF
				108	chmod +x $VPN_DIR/br-down
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	109	cat >$VPN_DIR/$NAME.conf <<EOF
				110	proto $VPN_PROTO
				111	port $VPN_PORT
				112	dev $VPN_DEV
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	113	up $VPN_DIR/br-up
				114	down $VPN_DIR/br-down
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	115	cert $NAME.crt
				116	key $NAME.key # This file should be kept secret
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	117	ca ca.crt
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	118	dh dh1024.pem
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	119	duplicate-cn
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	120	#server $VPN_CLIENT_NET $VPN_CLIENT_MASK
				121	server-bridge $VPN_CLIENT_NET $VPN_CLIENT_MASK $VPN_CLIENT_DHCP
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	122	ifconfig-pool-persist ipp.txt
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	123	push "route $VPN_LOCAL_NET $VPN_LOCAL_MASK"
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	124	comp-lzo
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	125	user nobody
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	126	group nogroup
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	127	persist-key
				128	persist-tun
				129	status openvpn-status.log
				130	EOF
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	131	/etc/init.d/openvpn restart
				132	}
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	133
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	134	do_client() {
				135	NAME=$1
				136	# Generate a client certificate
				137	$CA_DIR/pkitool $NAME
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	138
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	139	TMP_DIR=`mktemp -d`
				140	(cd $CA_DIR/keys;
				141	cp -p ca.crt ta.key $NAME.key $NAME.crt $TMP_DIR
				142	)
				143	if [ -r $VPN_DIR/hostname ]; then
				144	HOST=`cat $VPN_DIR/hostname`
				145	else
				146	HOST=`hostname`
				147	fi
				148	cat >$TMP_DIR/$HOST.conf <<EOF
				149	proto $VPN_PROTO
				150	port $VPN_PORT
				151	dev $VPN_DEV
				152	cert $NAME.crt
				153	key $NAME.key # This file should be kept secret
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	154	ca ca.crt
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	155	client
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	156	remote $VPN_SERVER $VPN_PORT
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	157	resolv-retry infinite
				158	nobind
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	159	user nobody
Dean Troyer	78f2140	2011-11-14 17:45:37 -0600	[diff] [blame^]	160	group nogroup
Jesse Andrews	2969c70	2011-09-24 12:31:57 -0700	[diff] [blame]	161	persist-key
				162	persist-tun
				163	comp-lzo
				164	verb 3
				165	EOF
Dean Troyer	135fb64	2011-09-27 12:57:53 -0500	[diff] [blame]	166	(cd $TMP_DIR; tar cf $OPWD/$NAME.tar *)
				167	rm -rf $TMP_DIR
				168	echo "Client certificate and configuration is in $OPWD/$NAME.tar"
				169	}
				170
				171	# Process command line args
				172	case $1 in
				173	--client) if [ -z $2 ]; then
				174	usage
				175	fi
				176	do_client $2
				177	;;
				178	--server) if [ -z $2 ]; then
				179	NAME=`hostname`
				180	else
				181	NAME=$2
				182	# Save for --client use
				183	echo $NAME >$VPN_DIR/hostname
				184	fi
				185	do_server $NAME
				186	;;
				187	--clean) $CA_DIR/clean-all
				188	;;
				189	*) usage
				190	esac