OpenVPN Client Management Script

One thing that always bothered me about OpenVPN was the work needed to set up a single client. It is not a hard process, but when configuring many clients it becomes a monotonous and rather annoying job. To fix that, I wrote a script that creates the key and certificate, packages the files the client needs, and puts the package in a directory reserved for client packages. You build the key, hand the package to the client, and you are done. The same script can also revoke a client, to make it complete.

Creating our OpenVPN Client Script

This script has been tested on both FreeBSD and Debian Linux. Put this script in the easy-rsa directory, name it vpn-client, and make it executable. Create the directory /etc/openvpn/config and put the client configuration file that you want to distribute to your clients in there.

NOTE: Be sure to change the key and certificate name for the client in your standard client.conf to:

cert changeme.crt
key changeme.key

You can use a different placeholder, as long as it matches $CNAME in the script.

The script was written for a default OpenVPN UNIX/Linux install with easy-rsa; it sources easy-rsa's vars file to pick up KEY_DIR and KEY_CONFIG. If ZIPDIR does not exist yet (it will not on a fresh install), don't worry, the script creates it for you.

#!/usr/bin/env bash
##################################################
# Copyright 2006 Network Synapse
# ZIPDIR : Directory to add zipped client packages
# CFILE  : Conf file to add to client package
#          Make sure to have a ovpn file if you
#          are packaging for Windows clients
# CNAME  : Name of keys in the standard config
# CONF   : Name to save the config under
##################################################


ZIPDIR=/etc/openvpn/client-pkg
CFILE=/etc/openvpn/config/client.conf
CNAME=changeme
CONF=client.conf


## System Variables
CASEV=$1
NAME=$2
CRL=crl.pem
RT=revoke-test.pem
SDIR=/etc/openvpn/easy-rsa


# Create the package directory on first run
test -d "$ZIPDIR" || mkdir -p "$ZIPDIR"
cd "$SDIR" || exit 1


# Test Arguments
test_client() {
  if test -z "$NAME"
  then
    echo "Usage: vpn-client $CASEV <client name>"
    exit 1
  fi
}

# Creating our key
# KEY_DIR and KEY_CONFIG are set by easy-rsa's vars file, sourced below.
create_key() {
  if test -n "$KEY_DIR"
  then
    cd "$KEY_DIR" &&
    openssl req -days 3650 -nodes -new -keyout "$NAME.key" -out "$NAME.csr" -config "$KEY_CONFIG" &&
    openssl ca -days 3650 -out "$NAME.crt" -in "$NAME.csr" -config "$KEY_CONFIG" &&
    chmod 0600 "$NAME.key"
  else
    echo "you must define KEY_DIR"
    exit 1
  fi
}

# Revoking our key
revoke_key() {
  if test -n "$KEY_DIR"
  then
    cd "$KEY_DIR" || exit 1
    rm -f "$RT"
    openssl ca -revoke "$NAME.crt" -config "$KEY_CONFIG"
    openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
    # Sanity check: verify against CA cert + fresh CRL is expected
    # to fail with "certificate revoked"
    cat ca.crt "$CRL" >"$RT"
    openssl verify -CAfile "$RT" -crl_check "$NAME.crt"
    # The server only enforces this once server.conf has a
    # "crl-verify" line pointing at this crl.pem
  else
    echo "you must define KEY_DIR"
    exit 1
  fi
}

# Edit Config file per client
edit_conf () {
  sed "s/$CNAME/$NAME/g" "$CFILE" > "$KEY_DIR/$CONF"
}

# Making the client packages
create_pkg () {
  cd "$KEY_DIR" || exit 1
  zip -q "$NAME.zip" ca.crt "$NAME.crt" "$NAME.key" "$CONF"
  mv "$NAME.zip" "$ZIPDIR"
}

case "$CASEV" in
  create)
    test_client
    . ./vars
    create_key || exit 1
    edit_conf
    create_pkg
  ;;
  revoke)
    test_client
    . ./vars
    revoke_key
  ;;
  *)
    echo "Usage: vpn-client {create|revoke} <client name>"
    exit 1
  ;;
esac

exit 0

Using the Script

With the script we can now quickly create client keys and distributable packaged configurations:

$ ./vpn-client create new-client

Once we run this, a new client is set up under that name and a package named new-client.zip is created in ZIPDIR. The zip contains ca.crt, the client.conf configuration file (with changeme replaced by new-client), and that client's certificate and private key: everything the new client needs. Since the zip holds the private key, hand it to the client over a trusted channel and delete it once it has been delivered.

When we want to revoke a key, we can use another command:

$ ./vpn-client revoke new-client

This marks the client's certificate as revoked in the CA index and regenerates crl.pem; the verify step in the script should then report the certificate as revoked. Note that revocation only takes effect on the server if server.conf contains a crl-verify line pointing at that crl.pem (for a default install, crl-verify /etc/openvpn/easy-rsa/keys/crl.pem), otherwise the server will keep accepting the old certificate.
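The following is an added example, not part of the original vpn-client script, that walks through the revoke path end to end so the crl-verify point above can be seen rather than taken on faith. It builds a throwaway CA with plain openssl (a minimal openssl.cnf standing in for easy-rsa's vars and KEY_CONFIG, written to a temp directory), issues two client certificates, revokes one, regenerates the CRL, and then checks each certificate exactly the way the script's revoke_key does: CA certificate and CRL concatenated into one file, then openssl verify -crl_check. All paths, names and subject DNs below are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): CA setup, issue, revoke, CRL,
# and the same -crl_check test the vpn-client script uses.
# Every directory, file name and DN here is an assumption for the demo.
set -eu

# Write a minimal openssl.cnf into $1 that serves both "req" and "ca".
# This stands in for easy-rsa's KEY_CONFIG; it is not the easy-rsa file.
write_config() {
  local dir=$1
  cat >"$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext

[ demo_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
prompt             = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Create the CA in $1: key, self-signed cert, the bookkeeping files
# "openssl ca" needs, and an initial (empty) CRL.
init_ca() {
  local dir=$1
  mkdir -p "$dir/newcerts"
  : >"$dir/index.txt"
  echo 01 >"$dir/serial"
  write_config "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Demo VPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -config "$dir/openssl.cnf" 2>/dev/null
  chmod 0600 "$dir/ca.key"
  openssl ca -gencrl -out "$dir/crl.pem" -config "$dir/openssl.cnf" 2>/dev/null
}

# Issue client $2 under CA dir $1: the same req + ca pair as create_key.
issue_client() {
  local dir=$1 name=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -config "$dir/openssl.cnf" 2>/dev/null
  openssl ca -batch -notext -in "$dir/$name.csr" -out "$dir/$name.crt" \
    -config "$dir/openssl.cnf" 2>/dev/null
  chmod 0600 "$dir/$name.key"
}

# Revoke client $2 and regenerate crl.pem, as revoke_key does.
revoke_client() {
  local dir=$1 name=$2
  openssl ca -revoke "$dir/$name.crt" -config "$dir/openssl.cnf" 2>/dev/null
  openssl ca -gencrl -out "$dir/crl.pem" -config "$dir/openssl.cnf" 2>/dev/null
}

# Check client $2 against ca.crt + current crl.pem concatenated into one
# bundle (the script's revoke-test.pem). Prints "valid" and returns 0, or
# prints "revoked" and returns 1.
check_client() {
  local dir=$1 name=$2 bundle
  bundle=$(mktemp)
  cat "$dir/ca.crt" "$dir/crl.pem" >"$bundle"
  if openssl verify -CAfile "$bundle" -crl_check "$dir/$name.crt" >/dev/null 2>&1; then
    rm -f "$bundle"; echo valid; return 0
  fi
  rm -f "$bundle"; echo revoked; return 1
}

# Demo: two clients, revoke alice only, then check both.
DEMO_DIR=$(mktemp -d)
init_ca "$DEMO_DIR"
issue_client "$DEMO_DIR" alice
issue_client "$DEMO_DIR" bob
revoke_client "$DEMO_DIR" alice
ALICE_STATUS=$(check_client "$DEMO_DIR" alice || true)
BOB_STATUS=$(check_client "$DEMO_DIR" bob || true)
echo "alice: $ALICE_STATUS   bob: $BOB_STATUS"
rm -rf "$DEMO_DIR"
```

The point to take from the output is that the verdict comes entirely from the CRL file handed to verify: bob passes and alice fails only because crl.pem was regenerated after the revoke. An OpenVPN server that never reads that file (no crl-verify line) has no way to tell the two apart.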
