ovpngen/ovpngen

101 lines
2.5 KiB
Bash

#!/bin/bash
## Tested and works with OpenVPN Connect 1.2.9 build 0 (iOS 64-bit) on iOS 11.4.1
##
## Majority of the credit goes to the script's original author, trovao
## Link to original script: https://gist.github.com/trovao/18e428b5a758df24455b
usage() {
echo "Usage: $0 SERVER CA_CERT CLIENT_CERT CLIENT_KEY SHARED_SECRET PORT PROTO"
echo
cat << EOF
The first 5 tokens are required while the last are optional
SERVER = Fully qualified domain name
CA_CERT = Full path to the CA cert
CLIENT_CERT = Full path to the client cert
CLIENT_KEY = Full path to the client private key
SHARED_SECRET = Full path to the server TLS shared secret key
PORT = Port number (defaults to 1194 if left blank)
PROTO = Protocol (defaults to udp if left blank)
EOF
echo
echo 'For example:'
echo
echo 'CLIENT=jason'
echo "$0 my.openvpn-server.com \\"
echo ' /etc/openvpn/server/ca.crt \'
echo ' /etc/easy-rsa/pki/signed/$CLIENT.crt \'
echo ' /etc/easy-rsa/pki/private/$CLIENT.key \'
echo ' /etc/openvpn/server/ta.key > $CLIENT.ovpn'
exit 0
}
[[ -z "$1" ]] && usage
server=${1?"The server address is required"}
cacert=${2?"The path to the ca certificate file is required"}
client_cert=${3?"The path to the client certificate file is required"}
client_key=${4?"The path to the client private key file is required"}
tls_key=${5?"The path to the TLS shared secret file is required"}
# test for readable files
for i in "$cacert" "$client_cert" "$client_key" "$tls_key"; do
[[ -f "$i" ]] || {
echo " I cannot find $i on the filesystem."
echo " This could be due to permissions or that you did not define the full path correctly."
echo " Check the path and try again."
exit 1
}
[[ -r "$i" ]] || {
echo " I cannot read $i. Try invoking $0 as root."
exit 1
}
done
[[ -z "$6" ]] && port=1194 || port="$6"
[[ -z "$7" ]] && proto='udp' || proto="$7"
cat << EOF
client
dev tun
remote ${server} ${port} ${proto}
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
###
### optionally uncomment and change both the cipher and auth lines to EXACTLY
### match the values specified in ${server}
#cipher AES-256-CBC
#auth SHA512
###
### scroll down and optionally change the <tls-auth> tag set to <tls-crypt>
### to match how the server is configured since these options are mutually
### exclusive!
###
remote-cert-tls server
key-direction 1
<ca>
EOF
cat "${cacert}"
cat << EOF
</ca>
<cert>
EOF
cat "${client_cert}"
cat << EOF
</cert>
<key>
EOF
cat "${client_key}"
cat << EOF
</key>
<tls-auth>
EOF
cat "${tls_key}"
cat << EOF
</tls-auth>
EOF
# vim:set ts=2 sw=2 et: