pavel.muhortov/openvpn-management
1
0
Fork 0
generated from pavel.muhortov/template-bash
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: pavel.muhortov:8983e51896bcab6b5521efc8aacc6bad20798dd3
Branches Tags
pavel.muhortov:master
..
compare: pavel.muhortov:c206d33a724197dca185289daae6de384d46ee88
Branches Tags
pavel.muhortov:master

No commits in common. "8983e51896bcab6b5521efc8aacc6bad20798dd3" and "c206d33a724197dca185289daae6de384d46ee88" have entirely different histories.
8983e51896 ... c206d33a72

4 changed files with 110 additions and 226 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -23,4 +23,5 @@ downloads/
test/ test/
tmp/ tmp/
var/ var/
*.conf
*.log *.log

23
README.md
View File

@ -75,7 +75,7 @@ ____
## `ovpn-client-management`.sh ## `ovpn-client-management`.sh
**Description:** **Description:**
> Creating or deleting client config for openvpn and sending config and info to email/telegram. > Creating or deleting client config for openvpn and sending config and info to email.
**Dependencies:** **Dependencies:**
> >
@ -91,9 +91,8 @@ ____
|-----------|--------------|------------------------|---------------| |-----------|--------------|------------------------|---------------|
| 1 |**add\|del**|add or delete client config|**REQUIRED**| | 1 |**add\|del**|add or delete client config|**REQUIRED**|
| 2 |**\<username\>**|client username|**REQUIRED**| | 2 |**\<username\>**|client username|**REQUIRED**|
| 3 |**\<password\>**|client password|**REQUIRED**| | 3 |**\<password\>**|client password||
| 4 |**\<additional\>**|client description|| | 4 |**[-f]**,**[--force]**|service will restart after username delete||
| 5 |**[-f]**,**[--force]**|service will restart after username delete||
Example usage: Example usage:
@ -103,22 +102,6 @@ sudo wget https://git.hmp.today/pavel.muhortov/openvpn-management/raw/branch/mas
sudo chmod +x /etc/openvpn/server/ovpn-client-management.sh sudo chmod +x /etc/openvpn/server/ovpn-client-management.sh
``` ```
```bash
# edit ovpn-client-management.conf
sudo tee /etc/openvpn/server/ovpn-client-management.conf > /dev/null <<'EOF'
# sendmail configuration
from=user@host.zone
pass=password
dest=user@host.zone
smtp=smtp.host.zone
port=587
# telegram configuration
API_KEY=YOURAPIKEY
CHAT_ID=-100123456789
THRD_ID=123
EOF
```
```bash ```bash
# create link # create link
ln -s /etc/openvpn/server/ovpn-client-management.sh ./ovpn ln -s /etc/openvpn/server/ovpn-client-management.sh ./ovpn

10
ovpn-client-management.conf
View File

@ -1,10 +0,0 @@
# sendmail configuration
from=user@host.zone
pass=password
dest=user@host.zone
smtp=smtp.host.zone
port=587
# telegram configuration
API_KEY=YOURAPIKEY
CHAT_ID=-100123456789
THRD_ID=123

278
ovpn-client-management.sh
View File

@ -3,7 +3,7 @@
# DESCRIPTION: # DESCRIPTION:
# creating or deleting client config for openvpn # creating or deleting client config for openvpn
# and # and
# sending config and info to email/telegram # sending config and info to email
# #
# DEPENDENCIES: # DEPENDENCIES:
# - privileged rights # - privileged rights
@ -18,7 +18,6 @@
# 1: "add|del" - add or delete client config # 1: "add|del" - add or delete client config
# 2: username - client username # 2: username - client username
# 3: password - client password # 3: password - client password
# 4: additional - client description
# -f|--force - service will restart after username delete # -f|--force - service will restart after username delete
# #
# FUNCTIONS: # FUNCTIONS:
@ -32,7 +31,7 @@
# 1: message to print and logging # 1: message to print and logging
####################################### #######################################
addtologs() { addtologs() {
printf "%s\n" "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}" echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}"
} }
####################################### #######################################
@ -44,11 +43,11 @@ addtologs() {
####################################### #######################################
execquite() { execquite() {
addtologs "execution time is $(($(date +%s)-time)) seconds, exit" addtologs "execution time is $(($(date +%s)-time)) seconds, exit"
exit "${1}" exit
} }
####################################### #######################################
# Error exit procedure. # Error exit procedure
# Globals: # Globals:
# None # None
# Arguments: # Arguments:
@ -56,37 +55,7 @@ execquite() {
####################################### #######################################
execerror() { execerror() {
addtologs "error: $1" addtologs "error: $1"
execquite 1 execquite
}
#######################################
# Parsing config file and creating global vars.
# Globals:
# None
# Arguments:
# None
#######################################
getconfig() {
logs=/var/log/openvpn/$(basename -s .sh "$(realpath "$0")").log
conf="$(dirname "$(realpath "$0")")/$(basename -s .sh "$(realpath "$0")").conf"
# easyrsa configuration
easyrsadir="/etc/openvpn/easy-rsa"
easyrsaidx="${easyrsadir}/pki/index.txt"
easyrsaexe="${easyrsadir}/easyrsa"
easyrsavar="${easyrsadir}/vars"
easyrsacap="openvpnca"
ovpncfgdir="/etc/openvpn/client"
ovpncfgdef="${ovpncfgdir}/client.conf.default"
# mail configuration
from="$(grep "from=" "${conf}" | cut -d= -f2)"
pass="$(grep "pass=" "${conf}" | cut -d= -f2)"
dest="$(grep "dest=" "${conf}" | cut -d= -f2)"
smtp="$(grep "smtp=" "${conf}" | cut -d= -f2)"
port="$(grep "port=" "${conf}" | cut -d= -f2)"
# telegram configuration
API_KEY=$(grep "API_KEY=" "${conf}" | cut -d= -f2)
CHAT_ID=$(grep "CHAT_ID=" "${conf}" | cut -d= -f2)
THRD_ID=$(grep "THRD_ID=" "${conf}" | cut -d= -f2)
} }
####################################### #######################################
@ -107,7 +76,7 @@ checkroot() {
} }
####################################### #######################################
# Creating linux user. # Creating linux user
# Globals: # Globals:
# clientname # clientname
# clientpass # clientpass
@ -115,18 +84,12 @@ checkroot() {
# None # None
####################################### #######################################
createuser() { createuser() {
if ! id -u "${clientname}" >/dev/null 2>&1; then
useradd "${clientname}" --shell /sbin/nologin useradd "${clientname}" --shell /sbin/nologin
addtologs "created Linux user '${clientname}'" echo "${clientname}:${clientpass}" | chpasswd
else
addtologs "${clientname} Linux user exists, create skipped"
fi
printf "%s\n" "${clientname}:${clientpass}" | chpasswd
addtologs "changed '${clientname}' user password"
} }
####################################### #######################################
# Creating Easy-RSA user certificate. # Creating Easy-RSA user certificate
# Globals: # Globals:
# easyrsadir # easyrsadir
# easyrsavar # easyrsavar
@ -139,22 +102,15 @@ createuser() {
####################################### #######################################
# shellcheck disable=SC2016 # shellcheck disable=SC2016
createcert() { createcert() {
if ! grep -w "${clientname}" ${easyrsaidx} | grep "^V" > /dev/null 2>&1; then cd ${easyrsadir} || execerror ""
( sed -i -e '$aset_var EASYRSA_REQ_CN '"${clientname}"'' ${easyrsavar}
cd "${easyrsadir}" || execerror ""
sed -i -e '$aset_var EASYRSA_REQ_CN '"${clientname}"'' "${easyrsavar}"
# ${easyrsaexe} --passout=pass:"${clientpass}" --passin=pass:${easyrsacap} build-client-full "${clientname}" # ${easyrsaexe} --passout=pass:"${clientpass}" --passin=pass:${easyrsacap} build-client-full "${clientname}"
${easyrsaexe} --passin=pass:"${easyrsacap}" build-client-full "${clientname}" nopass ${easyrsaexe} --passin=pass:"${easyrsacap}" build-client-full "${clientname}" nopass
sed -i '/EASYRSA_REQ_CN/d' "${easyrsavar}" sed -i '/EASYRSA_REQ_CN/d' ${easyrsavar}
) > /dev/null 2>&1
addtologs "created ${clientname} easyrsa certificate"
else
addtologs "${clientname} certificate exists, create skipped"
fi
} }
####################################### #######################################
# Creating ovpn config file. # Creating ovpn config file
# Globals: # Globals:
# easyrsadir # easyrsadir
# ovpncfgdef # ovpncfgdef
@ -164,19 +120,23 @@ createcert() {
# None # None
####################################### #######################################
createovpn() { createovpn() {
cd "${easyrsadir}" || execerror "" cd ${easyrsadir} || execerror ""
{ {
cat "${ovpncfgdef}" cat "${ovpncfgdef}"
printf "%s\n" "<ca>" "$(cat "${easyrsadir}/pki/ca.crt")" "</ca>" echo -e '<ca>'
printf "%s\n" "<cert>" "$(cat "${easyrsadir}/pki/issued/${clientname}.crt")" "</cert>" cat "${easyrsadir}/pki/ca.crt"
printf "%s\n" "<key>" "$(cat "${easyrsadir}/pki/private/${clientname}.key")" "</key>" echo -e '</ca>\n<cert>'
printf "%s\n" "<tls-auth>" "$(cat "${easyrsadir}/pki/private/ta.key")" "</tls-auth>" cat "${easyrsadir}/pki/issued/${clientname}.crt"
echo -e '</cert>\n<key>'
cat "${easyrsadir}/pki/private/${clientname}.key"
echo -e '</key>\n<tls-auth>'
cat "${easyrsadir}/pki/private/ta.key"
echo -e '</tls-auth>'
} >> "${ovpncfgdir}/${clientname}.ovpn" } >> "${ovpncfgdir}/${clientname}.ovpn"
addtologs "created ${clientname} ovpn config file"
} }
####################################### #######################################
# Creating tar with config file. # Creating tar with config file
# Globals: # Globals:
# easyrsadir # easyrsadir
# clientname # clientname
@ -186,18 +146,17 @@ createovpn() {
####################################### #######################################
createtars() { createtars() {
cp "${ovpncfgdir}/${clientname}.ovpn" "${ovpncfgdir}/vpn.cnf" cp "${ovpncfgdir}/${clientname}.ovpn" "${ovpncfgdir}/vpn.cnf"
sed -i "s#auth-user-pass#auth-user-pass /config/openvpn/vpn.txt#g" "${ovpncfgdir}/vpn.cnf" sed -i "s#auth-user-pass#auth-user-pass /config/openvpn/vpn.txt#g" ${ovpncfgdir}/vpn.cnf
{ {
printf "%s\n" "${clientname}" echo -e "${clientname}"
printf "%s\n" "${clientpass}" echo -e "${clientpass}"
} >> "${ovpncfgdir}/vpn.txt" } >> "${ovpncfgdir}/vpn.txt"
cd "${ovpncfgdir}" || execerror "" cd ${ovpncfgdir} || execerror ""
tar cf "${clientname}.tar" --remove-files vpn.cnf vpn.txt tar cf "${clientname}.tar" --remove-files vpn.cnf vpn.txt
addtologs "created ${clientname} tar with config file"
} }
####################################### #######################################
# Creating info file. # Creating info file
# Globals: # Globals:
# easyrsadir # easyrsadir
# easyrsaexe # easyrsaexe
@ -207,35 +166,30 @@ createtars() {
# None # None
####################################### #######################################
createinfo() { createinfo() {
cd "${easyrsadir}" || execerror "" cd ${easyrsadir} || execerror
validuntil=$(${easyrsaexe} show-cert "${clientname}" | grep "Not After" | cut -d: -f2-) validuntil=$(${easyrsaexe} show-cert "${clientname}" | grep "Not After" | cut -d: -f2-)
faqprofile=$(printf "%s\n" \
"OpenVPN Connect client:" \ faqprofile=$(cat <<END
"https://openvpn.net/client/" \ OpenVPN Connect client and installation instructions:
"OpenVPN GUI client:" \ https://openvpn.net/vpn-client/
"https://openvpn.net/community-downloads/" \ OpenVPN GUI client:
"" \ https://openvpn.net/community-downloads/
"${additional}" \
"" \ User Login: ${clientname}
"User Login: \`${clientname}\`" \ User Password: ${clientpass}
"User Password: \`${clientpass}\`" \ Time Expired: ${validuntil}
"Time Expired: ${validuntil}" END
) )
printf "%s\n" "${faqprofile}" > "${ovpncfgdir}/${clientname}.info"
addtologs "created ${clientname} info file" echo -e "${faqprofile}" > "${ovpncfgdir}/${clientname}.info"
} }
####################################### #######################################
# Send email notification about client config. # Send email notification about client connect
# Globals: # Globals:
# clientname # clientname
# faqprofile # faqprofile
# ovpncfgdir # ovpncfgdir
# from
# pass
# dest
# smtp
# port
# Arguments: # Arguments:
# None # None
####################################### #######################################
@ -243,72 +197,33 @@ startsendmail() {
subj="[OVPN Settings] $(cat /etc/hostname): ${clientname}.ovpn client profile" subj="[OVPN Settings] $(cat /etc/hostname): ${clientname}.ovpn client profile"
( (
python3 /usr/local/bin/sendmail.py \ python3 /usr/local/bin/sendmail.py \
-u "${from}" \ -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
-p "${pass}" \ -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
-d "${dest}" \ -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
--smtp "${smtp}" \ --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
--port "${port}" \ --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
--stls "True" \ --stls "True" \
--subj "${subj}" \ --subj "${subj}" \
--text "$(printf "%s\n" "${faqprofile}" | sed 's|`||g')" \ --text "${faqprofile}" \
--file "${ovpncfgdir}/${clientname}.ovpn,${ovpncfgdir}/${clientname}.tar" --file "${ovpncfgdir}/${clientname}.ovpn,${ovpncfgdir}/${clientname}.tar" \
) > /dev/null 2>&1 >> /dev/null 2>&1 &
addtologs "sent mail with subject '${subj}' to ${dest}" )
addtologs "sent mail with subject '${subj}'"
} }
####################################### #######################################
# Send telegram notification about client config. # Deleting linux user
# Globals:
# clientname
# faqprofile
# ovpncfgdir
# API_KEY
# CHAT_ID
# THRD_ID
# Arguments:
# None
#######################################
# shellcheck disable=SC2030,2031
startsendtlgm() {
(
API_URL="https://api.telegram.org/bot${API_KEY}/sendMediaGroup?chat_id=${CHAT_ID}"
if grep -q "_" <<< "${CHAT_ID}"; then
THRD_ID=$(printf "%s\n" "${CHAT_ID}" | cut -d_ -f2)
CHAT_ID=$(printf "%s\n" "${CHAT_ID}" | cut -d_ -f1)
fi
if [ -n "${THRD_ID}" ]; then
API_URL="${API_URL}&message_thread_id=${THRD_ID}"
fi
curl "${API_URL}" \
-F "media=[{\"type\": \"document\", \"media\": \"attach://ovpn\", \"caption\": \"${faqprofile}\", \"parse_mode\": \"Markdown\"}, {\"type\": \"document\", \"media\": \"attach://tars\" }]" \
-F "ovpn=@${ovpncfgdir}/${clientname}.ovpn" \
-F "tars=@${ovpncfgdir}/${clientname}.tar"
) > /dev/null 2>&1
addtologs "sent telegram media with ${clientname}.ovpn client profile to ${CHAT_ID}"
}
#######################################
# Deleting linux user.
# Globals: # Globals:
# clientname # clientname
# Arguments: # Arguments:
# None # None
####################################### #######################################
deleteuser() { deleteuser() {
if id -u "${clientname}" > /dev/null 2>&1; then
(
userdel -f -r "${clientname}" userdel -f -r "${clientname}"
) > /dev/null 2>&1
addtologs "deleted Linux user '${clientname}'"
else
addtologs "${clientname} Linux user does not exist, delete skipped"
fi
} }
####################################### #######################################
# Deleting Easy-RSA user certificate. # Deleting Easy-RSA user certificate
# Globals: # Globals:
# easyrsadir # easyrsadir
# easyrsavar # easyrsavar
@ -319,20 +234,13 @@ deleteuser() {
# None # None
####################################### #######################################
deletecert() { deletecert() {
if grep -w "${clientname}" ${easyrsaidx} > /dev/null 2>&1; then cd ${easyrsadir} || execerror
( ${easyrsaexe} --batch --passin=pass:${easyrsacap} revoke "${clientname}"
cd "${easyrsadir}" || execerror ${easyrsaexe} --batch --passin=pass:${easyrsacap} gen-crl
${easyrsaexe} --batch --passin=pass:"${easyrsacap}" revoke "${clientname}"
${easyrsaexe} --batch --passin=pass:"${easyrsacap}" gen-crl
) > /dev/null 2>&1
addtologs "revoked ${clientname} easyrsa certificate"
else
addtologs "${clientname} certificate does not exist, revoke skipped"
fi
} }
####################################### #######################################
# Deleting ovpn config file. # Deleting ovpn config file
# Globals: # Globals:
# clientname # clientname
# ovpncfgdir # ovpncfgdir
@ -340,16 +248,11 @@ deletecert() {
# None # None
####################################### #######################################
deleteovpn() { deleteovpn() {
if [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then
rm -f "${ovpncfgdir}/${clientname}.ovpn" rm -f "${ovpncfgdir}/${clientname}.ovpn"
addtologs "deleted ${clientname} ovpn config file"
else
addtologs "${clientname} ovpn config does not exist, delete skipped"
fi
} }
####################################### #######################################
# Deleting tar with config file. # Deleting tar with config file
# Globals: # Globals:
# clientname # clientname
# ovpncfgdir # ovpncfgdir
@ -357,16 +260,11 @@ deleteovpn() {
# None # None
####################################### #######################################
deletetars() { deletetars() {
if [ -e "${ovpncfgdir}/${clientname}.tar" ]; then
rm -f "${ovpncfgdir}/${clientname}.tar" rm -f "${ovpncfgdir}/${clientname}.tar"
addtologs "deleted ${clientname} tar with config"
else
addtologs "${clientname} tar does not exist, delete skipped"
fi
} }
####################################### #######################################
# Deleting info file. # Deleting info file
# Globals: # Globals:
# clientname # clientname
# ovpncfgdir # ovpncfgdir
@ -374,22 +272,24 @@ deletetars() {
# None # None
####################################### #######################################
deleteinfo() { deleteinfo() {
if [ -e "${ovpncfgdir}/${clientname}.info" ]; then
rm -f "${ovpncfgdir}/${clientname}.info" rm -f "${ovpncfgdir}/${clientname}.info"
addtologs "deleted ${clientname} info file"
else
addtologs "${clientname} info file does not exist, delete skipped"
fi
} }
# #
# VARIABLES: # VARIABLES:
# #
easyrsadir="/etc/openvpn/easy-rsa"
easyrsaidx="${easyrsadir}/pki/index.txt"
easyrsaexe="${easyrsadir}/easyrsa"
easyrsavar="${easyrsadir}/vars"
easyrsacap="openvpnca"
ovpncfgdir="/etc/openvpn/client"
ovpncfgdef="${ovpncfgdir}/client.conf.default"
clienttodo=$1 clienttodo=$1
clientname=$2 clientname=$2
clientpass=$3 clientpass=$3
additional=$4
resetforce=0 resetforce=0
for argument in "${@}"; do for argument in "${@}"; do
@ -410,35 +310,45 @@ logs=/dev/null
# #
if checkroot; then if checkroot; then
getconfig logs=/var/log/openvpn/$(basename -s .sh "$0").log
if [ "${clienttodo}" == "add" ] && \ if [ "${clienttodo}" == "add" ] && \
[ -n "${clientname}" ] && \ [ -n "${clientname}" ] && \
[ "${#clientpass}" -ge 8 ]; then [ "${#clientpass}" -ge 8 ]; then
createuser if id -u "${clientname}" >/dev/null 2>&1 || \
createcert grep -w "${clientname}" ${easyrsaidx} || \
createovpn [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then
createtars execerror "linux user or certificate or ovpn config exist, exit"
createinfo else
createuser && addtologs "created Linux user '${clientname}'"
createcert && addtologs "created certificate for ${clientname}"
createovpn && addtologs "created ovpn config file for ${clientname}"
createtars && addtologs "created tar with config file for ${clientname}"
createinfo && addtologs "created info file for ${clientname}"
startsendmail startsendmail
startsendtlgm fi
elif [ "${clienttodo}" == "del" ] && \ elif [ "${clienttodo}" == "del" ] && [ -n "${clientname}" ]; then
[ -n "${clientname}" ]; then if id -u "${clientname}" >/dev/null 2>&1 || \
grep -w "${clientname}" ${easyrsaidx} || \
[ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then
deleteuser deleteuser
deletecert addtologs "deleted Linux user '${clientname}'"
deleteovpn deletecert && addtologs "deleted certificate for ${clientname}"
deletetars deleteovpn && addtologs "deleted ovpn config file for ${clientname}"
deleteinfo deletetars && addtologs "deleted tar with config file for ${clientname}"
deleteinfo && addtologs "deleted info file for ${clientname}"
if [ "${resetforce}" -eq 1 ];then if [ "${resetforce}" -eq 1 ];then
addtologs "restarting openvpn@server..." addtologs "restarting openvpn@server..."
systemctl restart openvpn@server systemctl restart openvpn@server
fi fi
else
execerror "linux user and certificate and ovpn config not exist, exit"
fi
else else
printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'password(not less 8 symbols)'" printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'password(not less 8 symbols)'"
printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'password(not less 8 symbols)' 'additional client description'"
printf "%s\n" "Usage example: $0 'del' 'username(surname)'" printf "%s\n" "Usage example: $0 'del' 'username(surname)'"
printf "%s\n" "Usage example: $0 'del' 'username(surname)' -f" printf "%s\n" "Usage example: $0 'del' 'username(surname)' -f"
fi fi
else else
execerror "Restart this as root!" execerror "Restart this as root!"
fi fi
execquite 0 execquite