101 lines
2.5 KiB
Bash
101 lines
2.5 KiB
Bash
#!/bin/bash
|
|
|
|
## Tested and works with OpenVPN Connect 1.2.9 build 0 (iOS 64-bit) on iOS 11.4.1
|
|
##
|
|
## Majority of the credit goes to the script's original author, trovao
|
|
## Link to original script: https://gist.github.com/trovao/18e428b5a758df24455b
|
|
|
|
usage() {
|
|
echo "Usage: $0 SERVER CA_CERT CLIENT_CERT CLIENT_KEY SHARED_SECRET PORT PROTO"
|
|
echo
|
|
cat << EOF
|
|
The first 5 tokens are required while the last are optional
|
|
SERVER = Fully qualified domain name
|
|
CA_CERT = Full path to the CA cert
|
|
CLIENT_CERT = Full path to the client cert
|
|
CLIENT_KEY = Full path to the client private key
|
|
SHARED_SECRET = Full path to the server TLS shared secret key
|
|
PORT = Port number (defaults to 1194 if left blank)
|
|
PROTO = Protocol (defaults to udp if left blank)
|
|
EOF
|
|
echo
|
|
echo 'For example:'
|
|
echo
|
|
echo 'CLIENT=jason'
|
|
echo "$0 my.openvpn-server.com \\"
|
|
echo ' /etc/openvpn/server/ca.crt \'
|
|
echo ' /etc/easy-rsa/pki/signed/$CLIENT.crt \'
|
|
echo ' /etc/easy-rsa/pki/private/$CLIENT.key \'
|
|
echo ' /etc/openvpn/server/ta.key > $CLIENT.ovpn'
|
|
exit 0
|
|
}
|
|
|
|
[[ -z "$1" ]] && usage
|
|
|
|
server=${1?"The server address is required"}
|
|
cacert=${2?"The path to the ca certificate file is required"}
|
|
client_cert=${3?"The path to the client certificate file is required"}
|
|
client_key=${4?"The path to the client private key file is required"}
|
|
tls_key=${5?"The path to the TLS shared secret file is required"}
|
|
|
|
# test for readable files
|
|
for i in "$cacert" "$client_cert" "$client_key" "$tls_key"; do
|
|
[[ -f "$i" ]] || {
|
|
echo " I cannot find $i on the filesystem."
|
|
echo " This could be due to permissions or that you did not define the full path correctly."
|
|
echo " Check the path and try again."
|
|
exit 1
|
|
}
|
|
[[ -r "$i" ]] || {
|
|
echo " I cannot read $i. Try invoking $0 as root."
|
|
exit 1
|
|
}
|
|
done
|
|
[[ -z "$6" ]] && port=1194 || port="$6"
|
|
[[ -z "$7" ]] && proto='udp' || proto="$7"
|
|
|
|
cat << EOF
|
|
client
|
|
dev tun
|
|
remote ${server} ${port} ${proto}
|
|
resolv-retry infinite
|
|
nobind
|
|
persist-key
|
|
persist-tun
|
|
verb 3
|
|
###
|
|
### optionally uncomment and change both the cipher and auth lines to EXACTLY
|
|
### match the values specified in ${server}
|
|
#cipher AES-256-CBC
|
|
#auth SHA512
|
|
###
|
|
### scroll down and optionally change the <tls-auth> tag set to <tls-crypt>
|
|
### to match how the server is configured since these options are mutually
|
|
### exclusive!
|
|
###
|
|
remote-cert-tls server
|
|
key-direction 1
|
|
<ca>
|
|
EOF
|
|
cat "${cacert}"
|
|
cat << EOF
|
|
</ca>
|
|
<cert>
|
|
EOF
|
|
cat "${client_cert}"
|
|
cat << EOF
|
|
</cert>
|
|
<key>
|
|
EOF
|
|
cat "${client_key}"
|
|
cat << EOF
|
|
</key>
|
|
<tls-auth>
|
|
EOF
|
|
cat "${tls_key}"
|
|
cat << EOF
|
|
</tls-auth>
|
|
EOF
|
|
|
|
# vim:set ts=2 sw=2 et:
|