Compare commits
12 Commits
Author | SHA1 | Date |
---|---|---|
graysky | 5fa9fe5c02 | |
graysky | 5cbf1c8f3b | |
graysky | 6348d0b2bd | |
graysky | a5e33545e9 | |
graysky | 53a738c728 | |
graysky | cb19b7ffec | |
graysky | a506341991 | |
graysky | 16bce04c29 | |
graysky | 17c5440205 | |
graysky | c801f1c5b1 | |
graysky | 6cb5098296 | |
graysky | 1feba246fd |
|
@ -0,0 +1,7 @@
|
|||
Copyright (c) 2016-2018 graysky
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
35
README.md
35
README.md
|
@ -1,2 +1,33 @@
|
|||
# ovpngen
|
||||
Generate an OpenVPN Connect private tunnel profile in the unified format
|
||||
## Overview
|
||||
A simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format. Tested on:
|
||||
* Linux OpenVPN version 2.4.6
|
||||
* iOS version 3.0.0.(712) of OpenVPN Connect
|
||||
* Android version 0.6.73 of OpenVPN for Android
|
||||
|
||||
## Usage
|
||||
Invoke the script with 5 tokens and the profile is outputted to stdout.
|
||||
1. Server Fully Qualified Domain Name of the OpenVPN server (or IP address).
|
||||
2. Full path to the CA cert.
|
||||
3. Full path to the client cert.
|
||||
4. Full path to the client private key.
|
||||
5. Full path to the server TLS shared secret key.
|
||||
6. Optionally define a port number (defaults to 1194 if left blank).
|
||||
7. Optionally define a protocol (defaults to udp if left blank).
|
||||
|
||||
### Example (run as root) using all 7 arguments to setup a profile working port 443 using TCP
|
||||
```
|
||||
CLIENT=foo
|
||||
|
||||
./ovpngen nipple.titty.org \
|
||||
/etc/openvpn/server/ca.crt \
|
||||
/etc/easy-rsa/pki/signed/$CLIENT.crt \
|
||||
/etc/easy-rsa/pki/private/$CLIENT.key \
|
||||
/etc/openvpn/server/ta.key \
|
||||
443 \
|
||||
tcp > $CLIENT.ovpn
|
||||
```
|
||||
|
||||
The resulting foo.ovpn may need to be edited. Pay attention to the commented lines!
|
||||
|
||||
### Credit
|
||||
Majority of the credit goes to the script's original author, [trovao](https://github.com/trovao). His version can be found [here](https://gist.github.com/trovao/18e428b5a758df24455b).
|
||||
|
|
77
ovpngen
77
ovpngen
|
@ -1,16 +1,36 @@
|
|||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
##
|
||||
## Usage: ovpngen SERVER CA_CERT CLIENT_CERT CLIENT_KEY SHARED_SECRET > client.ovpn
|
||||
##
|
||||
## Example invocation (note it must be run as root since key and cert files are protected
|
||||
## ovpngen titty.nipples.org /etc/easy-rsa/pki/ca.crt /etc/easy-rsa/pki/issued/client.crt /etc/easy-rsa/pki/private/client.key /etc/openvpn/ta.key > iphone.ovpn
|
||||
##
|
||||
## Tested and works with OpenVPN Connect 1.0.7 build 199 (iOS 64-bit) on iOS 9.3.3
|
||||
## Tested and works with OpenVPN Connect 1.2.9 build 0 (iOS 64-bit) on iOS 11.4.1
|
||||
##
|
||||
## Majority of the credit goes to the script's original author, trovao
|
||||
## Link to original script: https://gist.github.com/trovao/18e428b5a758df24455b
|
||||
##
|
||||
|
||||
usage() {
|
||||
echo "Usage: $0 SERVER CA_CERT CLIENT_CERT CLIENT_KEY SHARED_SECRET PORT PROTO"
|
||||
echo
|
||||
cat << EOF
|
||||
The first 5 tokens are required while the last are optional
|
||||
SERVER = Fully qualified domain name
|
||||
CA_CERT = Full path to the CA cert
|
||||
CLIENT_CERT = Full path to the client cert
|
||||
CLIENT_KEY = Full path to the client private key
|
||||
SHARED_SECRET = Full path to the server TLS shared secret key
|
||||
PORT = Port number (defaults to 1194 if left blank)
|
||||
PROTO = Protocol (defaults to udp if left blank)
|
||||
EOF
|
||||
echo
|
||||
echo 'For example:'
|
||||
echo
|
||||
echo 'CLIENT=jason'
|
||||
echo "$0 my.openvpn-server.com \\"
|
||||
echo ' /etc/openvpn/server/ca.crt \'
|
||||
echo ' /etc/easy-rsa/pki/signed/$CLIENT.crt \'
|
||||
echo ' /etc/easy-rsa/pki/private/$CLIENT.key \'
|
||||
echo ' /etc/openvpn/server/ta.key > $CLIENT.ovpn'
|
||||
exit 0
|
||||
}
|
||||
|
||||
[[ -z "$1" ]] && usage
|
||||
|
||||
server=${1?"The server address is required"}
|
||||
cacert=${2?"The path to the ca certificate file is required"}
|
||||
|
@ -18,36 +38,63 @@ client_cert=${3?"The path to the client certificate file is required"}
|
|||
client_key=${4?"The path to the client private key file is required"}
|
||||
tls_key=${5?"The path to the TLS shared secret file is required"}
|
||||
|
||||
# test for readable files
|
||||
for i in "$cacert" "$client_cert" "$client_key" "$tls_key"; do
|
||||
[[ -f "$i" ]] || {
|
||||
echo " I cannot find $i on the filesystem."
|
||||
echo " This could be due to permissions or that you did not define the full path correctly."
|
||||
echo " Check the path and try again."
|
||||
exit 1
|
||||
}
|
||||
[[ -r "$i" ]] || {
|
||||
echo " I cannot read $i. Try invoking $0 as root."
|
||||
exit 1
|
||||
}
|
||||
done
|
||||
[[ -z "$6" ]] && port=1194 || port="$6"
|
||||
[[ -z "$7" ]] && proto='udp' || proto="$7"
|
||||
|
||||
cat << EOF
|
||||
client
|
||||
dev tun
|
||||
remote ${server} 1194 udp
|
||||
remote ${server} ${port} ${proto}
|
||||
resolv-retry infinite
|
||||
nobind
|
||||
persist-key
|
||||
persist-tun
|
||||
verb 3
|
||||
comp-lzo
|
||||
###
|
||||
### optionally uncomment and change both the cipher and auth lines to EXACTLY
|
||||
### match the values specified in ${server}
|
||||
#cipher AES-256-CBC
|
||||
#auth SHA512
|
||||
###
|
||||
### scroll down and optionally change the <tls-auth> tag set to <tls-crypt>
|
||||
### to match how the server is configured since these options are mutually
|
||||
### exclusive!
|
||||
###
|
||||
remote-cert-tls server
|
||||
key-direction 1
|
||||
<ca>
|
||||
EOF
|
||||
cat ${cacert}
|
||||
cat "${cacert}"
|
||||
cat << EOF
|
||||
</ca>
|
||||
<cert>
|
||||
EOF
|
||||
cat ${client_cert}
|
||||
cat "${client_cert}"
|
||||
cat << EOF
|
||||
</cert>
|
||||
<key>
|
||||
EOF
|
||||
cat ${client_key}
|
||||
cat "${client_key}"
|
||||
cat << EOF
|
||||
</key>
|
||||
<tls-auth>
|
||||
EOF
|
||||
cat ${tls_key}
|
||||
cat "${tls_key}"
|
||||
cat << EOF
|
||||
</tls-auth>
|
||||
EOF
|
||||
|
||||
# vim:set ts=2 sw=2 et:
|
||||
|
|
Loading…
Reference in New Issue