OpenVPN Client Management Script
One thing that always bothered me about OpenVPN was the work you had to do to get one client set up. It wasn’t a hard process, but when configuring multiple clients it was always a very monotonous job and quite annoying. So, to resolve this issue, I wrote a script to create the keys and certificates, package the needed client files, and then put them in a directory specifically for client packages. This way, you can build the key, give the package to the client, and be done with it. In addition, you can also revoke clients from the same script, just to make it complete.
Creating our OpenVPN Client Script
This script has been tested on both FreeBSD and Debian Linux. Throw this script in the easy-rsa folder, and name it vpn-client. Create the directory /etc/openvpn/config and put the client configuration file that you want to distribute to your clients in there.
NOTE: Be sure to change the key and certificate name for the client in your standard client.conf to:
cert changeme.crt
key changeme.key
You can change this name as long as it matches $CNAME in the script.
The script was written to work with a default OpenVPN UNIX/Linux install. If ZIPDIR doesn’t exist yet (which it shouldn’t on a fresh install), don’t worry, the script will create it for you.
#!/usr/bin/env bash
##################################################
# Copyright 2006 Network Synapse
# ZIPDIR : Directory to add zipped client packages
# CFILE  : Conf file to add to client package
#          Make sure to have an ovpn file if you
#          are packaging for Windows clients
# CNAME  : Name of keys in the standard config
# CONF   : Name to save the config under
##################################################
ZIPDIR=/etc/openvpn/client-pkg
CFILE=/etc/openvpn/config/client.conf
CNAME=changeme
CONF=client.conf

## System Variables
CASEV=$1
NAME=$2
CRL=crl.pem
RT=revoke-test.pem
SDIR=/etc/openvpn/easy-rsa

# Create the package directory if it does not exist yet
if ! test -d "$ZIPDIR"
then
    mkdir -p "$ZIPDIR"
fi

# easy-rsa's vars file (KEY_DIR, KEY_CONFIG) lives here
cd "$SDIR" || exit 1

# Test Arguments
test_client() {
    if test ${#NAME} -lt 1
    then
        echo "Usage: vpn-client $CASEV <client name>"
        exit 1
    fi
}

# Creating our key: private key + CSR, then a certificate signed by the CA.
# KEY_DIR and KEY_CONFIG are set by sourcing easy-rsa's vars file below.
create_key() {
    if test "$KEY_DIR"
    then
        cd "$KEY_DIR" &&
        openssl req -days 3650 -nodes -new -keyout "$NAME.key" -out "$NAME.csr" -config "$KEY_CONFIG" &&
        openssl ca -days 3650 -out "$NAME.crt" -in "$NAME.csr" -config "$KEY_CONFIG" &&
        chmod 0600 "$NAME.key"
    else
        echo "you must define KEY_DIR"
        exit 1
    fi
}

# Revoking our key: mark the cert revoked, regenerate the CRL, then verify the
# cert against CA + CRL. The final verify is expected to fail for a revoked cert.
revoke_key() {
    if test "$KEY_DIR"
    then
        cd "$KEY_DIR" || exit 1
        rm -f "$RT"
        openssl ca -revoke "$NAME.crt" -config "$KEY_CONFIG"
        openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
        cat ca.crt "$CRL" > "$RT"
        openssl verify -CAfile "$RT" -crl_check "$NAME.crt"
    else
        echo "you must define KEY_DIR"
        exit 1
    fi
}

# Edit Config file per client: swap the placeholder cert/key name for the client's
edit_conf() {
    sed "s/$CNAME/$NAME/g" "$CFILE" > "$KEY_DIR/$CONF"
}

# Making the client packages
create_pkg() {
    cd "$KEY_DIR" || exit 1
    zip -q "$NAME.zip" ca.crt "$NAME.crt" "$NAME.key" "$CONF"
    # The archive contains the client's private key, so keep it owner-readable only
    chmod 0600 "$NAME.zip"
    mv "$NAME.zip" "$ZIPDIR"
}

case "$1" in
    create)
        test_client
        . ./vars
        create_key
        edit_conf
        create_pkg
        ;;
    revoke)
        test_client
        . ./vars
        revoke_key
        ;;
    *)
        echo "Usage: vpn-client {create|revoke} <client name>"
        exit 1
        ;;
esac
exit 0
Using the Script
With the script we can now quickly create client keys and distributable packaged configurations:
$ ./vpn-client create new-client
Once we run this, a new client will be set up with this name, and a new package named new-client.zip will be created. In this zip file we’ll find the ca.crt file, the client.conf configuration file, and the key and certificate for that client. Basically everything needed for the new client.
When we want to revoke a key, we can use another command:
$ ./vpn-client revoke new-client
This revokes the certificate and regenerates the CRL, making the previously created keys completely worthless and unusable (as long as the server checks the CRL).
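Every `openssl ca` call above records its result in easy-rsa's index.txt (the OpenSSL CA database), so that file is the authoritative list of which clients are valid and which have been revoked. As an added example, not part of the original script, here is a small shell helper that reports each client's status from that database; the function names (`make_sample_index`, `client_status`, `one_client`) are mine, and the index it reads is a constructed sample, not a real CA.

```shell
#!/bin/sh
# Report the state of every client certificate recorded in an easy-rsa index.txt.
# Fields are tab-separated: status (V valid / R revoked / E expired),
# expiry (YYMMDDHHMMSSZ), revocation date (empty unless revoked), serial,
# filename, subject DN.

# Constructed sample database (not a real CA) so the helper runs offline.
make_sample_index() {
    f="${TMPDIR:-/tmp}/index.txt.sample"
    {
        printf 'V\t330101000000Z\t\t01\tunknown\t/C=US/O=Example/CN=new-client\n'
        printf 'R\t330101000000Z\t240601120000Z\t02\tunknown\t/C=US/O=Example/CN=old-client\n'
        printf 'V\t200101000000Z\t\t03\tunknown\t/C=US/O=Example/CN=stale-client\n'
    } > "$f"
    printf '%s\n' "$f"
}

# Print "<cn> <status> <serial>" for each certificate in index file $1.
# $2 is an optional YYMMDD cutoff (default: today); a certificate whose expiry
# is before the cutoff is reported as expired even if the CA never re-marked it.
client_status() {
    today="${2:-$(date +%y%m%d)}"
    awk -F '\t' -v today="$today" '
        {
            cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
            st = ($1 == "R") ? "revoked" : (substr($2, 1, 6) < today ? "expired" : "valid")
            print cn, st, $4
        }' "$1"
}

# Status of the single client named $2 (index file $1, optional cutoff $3):
# prints valid, revoked, expired, or unknown if no certificate exists for it.
one_client() {
    s=$(client_status "$1" "$3" | awk -v cn="$2" '$1 == cn { print $2 }')
    printf '%s\n' "${s:-unknown}"
}

client_status "$(make_sample_index)"
```

Run it against /etc/openvpn/easy-rsa/keys/index.txt to audit which packages you have handed out are still live, and which should have been revoked with vpn-client revoke.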