diff --git a/README.md b/README.md index ec34222..e4dc559 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ Small tools needed to solve immediate tasks independently or as part of a projec * [`confutil`.py](https://git.hmp.today/pavel.muhortov/utils#confutil-py) * [`sendmail`.py](https://git.hmp.today/pavel.muhortov/utils#sendmail-py) * [`simplewc`.py](https://git.hmp.today/pavel.muhortov/utils#simplewc-py) +* [`ovpn-cert-expiration`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-cert-expiration-sh) * [`ovpn-client-management`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-client-management-sh) * [`ovpn-connect-handling`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-connect-handling-sh) * [`wg-client-management`.sh](https://git.hmp.today/pavel.muhortov/utils#wg-client-management-sh) @@ -223,6 +224,41 @@ chmod u+x ./simplewc.py ____ +## `ovpn-cert-expiration`.sh + +**Description:** +> Checking openvpn server certificates expiration and preparing stats for monitoring. + +**Dependencies:** +> +> * privileged rights +> * [openssl](https://www.openssl.org/) (tested version 1.1.1k on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/)) + +| POSITION | PARAMETERS | DESCRIPTION | DEFAULT | +|-----------|--------------|------------------------|---------------| +| 1 |**[qn]**|execution without pauses|| +| 2 |**[/path/to/conf]**|openvpn server config file path|/etc/openvpn/server/server.conf| + +Example usage: + +```bash +# download +sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/ovpn-cert-expiration.sh -O /etc/openvpn/server/ovpn-cert-expiration.sh +sudo chmod +x /etc/openvpn/server/ovpn-cert-expiration.sh +``` + +```bash +# sudo crontab -e +0 * * * * bash /etc/openvpn/server/ovpn-cert-expiration.sh qn +``` + +```bash +# check stats +watch cat /var/log/openvpn/ovpn-cert-expiration.log +``` + +____ + ## `ovpn-client-management`.sh **Description:** @@ -230,6 +266,7 @@ ____ **Dependencies:** > +> * privileged rights > * chpasswd > * [openvpn](https://openvpn.net/) (tested version 2.5.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/)) > * [easy-rsa](https://github.com/OpenVPN/easy-rsa) (tested version 3.0.8 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/)) @@ -329,6 +366,7 @@ ____ **Dependencies:** > +> * privileged rights > * [wireguard](https://www.wireguard.com/) (tested version 1.0.2 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/)) > * [qrencode](https://github.com/fukuchi/libqrencode) (tested version 4.1.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/)) > * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/)) diff --git a/ovpn-cert-expiration.sh b/ovpn-cert-expiration.sh new file mode 100644 index 0000000..fc75703 --- /dev/null +++ b/ovpn-cert-expiration.sh @@ -0,0 +1,149 @@ +#! /bin/bash + +# DESCRIPTION: +# checking openvpn server certificates expiration +# and +# preparing stats for monitoring +# +# DEPENDENCIES: +# - privileged rights +# - openssl +# +# PARAMETERS: +# 1: "qn" - execution without pauses +# 2: openvpn server config file path +# +# FUNCTIONS: +# + +####################################### +# Print message and add to log. +# Globals: +# logs +# Arguments: +# 1: message to print and logging +####################################### +addtologs() { + echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}" +} + +####################################### +# Waiting for press [ENTER]. +# Globals: +# None +# Arguments: +# None +####################################### +execpause() { + read -r -p "Press [ENTER] to continue... " +} + +####################################### +# Exit procedure. +# Globals: +# show +# Arguments: +# None +####################################### +execquite() { + addtologs "execution time is $(($(date +%s)-time)) seconds, exit" + if [ "${show}" != "qn" ]; then + execpause + fi + exit +} + +####################################### +# Error exit procedure +# Globals: +# None +# Arguments: +# 1: message to print and logging +####################################### +execerror() { + addtologs "error: $1" + execquite +} + +####################################### +# Parsing config file and creating global vars. +# Globals: +# None +# Arguments: +# None +####################################### +getconfig() { + cacrpath=$(grep ^ca "${conf}" | cut -d' ' -f2) + certpath=$(grep ^cert "${conf}" | cut -d' ' -f2) + statfile="$(dirname "$(grep ^log /etc/openvpn/server/server.conf | cut -d' ' -f2)")/$(basename -s .sh "$0").log" +} + +####################################### +# Checking user rights. +# Globals: +# None +# Arguments: +# None +# return: +# 0 - if privileged rights, 1 - if not privileged rights +####################################### +checkroot() { + if [ "${EUID}" -ne 0 ]; then + return 1 # false + else + return 0 # true + fi +} + +####################################### +# Print certificate expiration date in epoch +# Globals: +# None +# Arguments: +# 1: certificate path +####################################### +checkcert() { + printf '%s\n' "$(date -d "$(openssl x509 -text -noout -in "${1}" | grep 'Not After' | cut -d':' -f2-)" +%s)" +} + +# +# VARIABLES: +# + +show=$1 +conf=$2 +logs=/dev/null +if [ -z "${conf}" ] || [ "${conf}" == "-" ]; then + conf=/etc/openvpn/server/server.conf +fi + +time=$(date +%s) +cd "$(dirname "$(realpath "$0")")" || execerror +if [ ! -e "${conf}" ]; then + execerror "${conf} not found" +else + getconfig +fi + +if ! command -v openssl &> /dev/null; then + execerror "Not found dependencies" +fi + +# +# MAIN: +# + +if checkroot; then + cacrtime=$(checkcert "${cacrpath}") + certtime=$(checkcert "${certpath}") + cacrremain=$(( cacrtime - time )) + certremain=$(( certtime - time)) + addtologs "${cacrpath} remains only ${cacrremain} seconds" + addtologs "${certpath} remains only ${certremain} seconds" + printf '%s\n' "ca=${cacrremain}" > "${statfile}" + printf '%s\n' "cert=${certremain}" >> "${statfile}" + addtologs "stats wrote to ${statfile}" + execquite +else + execerror "Restart this as root!" +fi