From ee57b3af5859f3e7b91cdde9070773e828a5836f Mon Sep 17 00:00:00 2001
From: Pavel Muhortov
Date: Mon, 1 May 2023 16:50:38 +0300
Subject: [PATCH] moved to ovpn and wireguard management

---
 README.md | 255 ++-------------------------
 ovpn-cert-expiration.sh | 149 ----------------
 ovpn-client-management.sh | 353 --------------------------------------
 ovpn-connect-handling.sh | 195 ---------------------
 wg-client-management.sh | 284 ------------------------------
 wg-connect-handling.sh | 208 ----------------------
 6 files changed, 10 insertions(+), 1434 deletions(-)
 delete mode 100644 ovpn-cert-expiration.sh
 delete mode 100644 ovpn-client-management.sh
 delete mode 100644 ovpn-connect-handling.sh
 delete mode 100644 wg-client-management.sh
 delete mode 100644 wg-connect-handling.sh

diff --git a/README.md b/README.md
index e4dc559..043d786 100644
--- a/README.md
+++ b/README.md
@@ -7,11 +7,6 @@ Small tools needed to solve immediate tasks independently or as part of a projec
 * [`confutil`.py](https://git.hmp.today/pavel.muhortov/utils#confutil-py)
 * [`sendmail`.py](https://git.hmp.today/pavel.muhortov/utils#sendmail-py)
 * [`simplewc`.py](https://git.hmp.today/pavel.muhortov/utils#simplewc-py)
-* [`ovpn-cert-expiration`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-cert-expiration-sh)
-* [`ovpn-client-management`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-client-management-sh)
-* [`ovpn-connect-handling`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-connect-handling-sh)
-* [`wg-client-management`.sh](https://git.hmp.today/pavel.muhortov/utils#wg-client-management-sh)
-* [`wg-connect-handling`.sh](https://git.hmp.today/pavel.muhortov/utils#wg-connect-handling-sh)
 ____
@@ -156,17 +151,22 @@ ____
 |**[--file]**|mail attachment files|`None`|
 |**[--time]**|minutes of attempts to send|3|
-Example usage in terminal with Python:
+Example usage in terminal:
 ```bash
-python3 ./sendmail.py -u user@gmail.com -p pass -d addr1@gmail.com,addr2@gmail.com
+# download
+sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py -O /usr/local/bin/sendmail.py
+sudo chmod +x /usr/local/bin/sendmail.py
 ```
-Example usage in terminal with make the script executable:
+```bash
+# example 1
+sendmail.py -u user@gmail.com -p pass -d addr1@gmail.com,addr2@gmail.com
+```
 ```bash
-chmod u+x ./sendmail.py
-./sendmail.py -u user@gmail.com -p pass -d addr1@gmail.com,addr2@gmail.com
+# example 2
+/usr/local/opt/python-3.9/bin/python3.9 /usr/local/bin/sendmail.py -u user@gmail.com -p pass -d addr1@gmail.com,addr2@gmail.com --file "/path/to/file1,/path/to/file2"
 ```
 Example usage in Python:
@@ -221,238 +221,3 @@ chmod u+x ./simplewc.py
 ./simplewc.py --domain EXAMPLE.COM --server 8.8.8.8 --keyname KEY --keydata YOU_KEY_CONTENT --test --force
 ./simplewc.py --domain EXAMPLE.COM --server dyn.dns.he.net --keyname - --keydata YOU_DDNSKEY --test --force
 ```
-
-____
-
-## `ovpn-cert-expiration`.sh
-
-**Description:**
-> Checking openvpn server certificates expiration and preparing stats for monitoring.
-
-**Dependencies:**
->
-> * privileged rights
-> * [openssl](https://www.openssl.org/) (tested version 1.1.1k on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-
-| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
-|-----------|--------------|------------------------|---------------|
-| 1 |**[qn]**|execution without pauses||
-| 2 |**[/path/to/conf]**|openvpn server config file path|/etc/openvpn/server/server.conf|
-
-Example usage:
-
-```bash
-# download
-sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/ovpn-cert-expiration.sh -O /etc/openvpn/server/ovpn-cert-expiration.sh
-sudo chmod +x /etc/openvpn/server/ovpn-cert-expiration.sh
-```
-
-```bash
-# sudo crontab -e
-0 * * * * bash /etc/openvpn/server/ovpn-cert-expiration.sh qn
-```
-
-```bash
-# check stats
-watch cat /var/log/openvpn/ovpn-cert-expiration.log
-```
-
-____
-
-## `ovpn-client-management`.sh
-
-**Description:**
-> Creating or deleting client config for openvpn and sending config and info to email.
-
-**Dependencies:**
->
-> * privileged rights
-> * chpasswd
-> * [openvpn](https://openvpn.net/) (tested version 2.5.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [easy-rsa](https://github.com/OpenVPN/easy-rsa) (tested version 3.0.8 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * tar
-> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * existing [/usr/local/bin/sendmail.py](http://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py)
-
-| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
-|-----------|--------------|------------------------|---------------|
-| 1 |**add\|del**|add or delete client config|**REQUIRED**|
-| 2 |**\**|client username|**REQUIRED**|
-| 3 |**\**|client password||
-| 4 |**[-f]**,**[--force]**|service will restart after username delete||
-
-Example usage:
-
-```bash
-# download
-sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/ovpn-client-management.sh -O /etc/openvpn/server/ovpn-client-management.sh
-sudo chmod +x /etc/openvpn/server/ovpn-client-management.sh
-```
-
-```bash
-# create link
-ln -s /etc/openvpn/server/ovpn-client-management.sh ./ovpn
-```
-
-```bash
-# create client
-sudo ./ovpn add username password
-```
-
-```bash
-# delete client (and restart service for applying changes)
-sudo ./ovpn del username -f
-```
-
-```bash
-# check journal
-tail -f /var/log/openvpn/ovpn.log
-```
-
-____
-
-## `ovpn-connect-handling`.sh
-
-**Description:**
-> Handling client connection and preparing stats for monitoring.
-
-**Dependencies:**
->
-> * executing by [openvpn](https://openvpn.net/) server (tested version 2.5.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [jq](https://github.com/stedolan/jq) (tested version 1.6 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * existing [/usr/local/bin/sendmail.py](http://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py)
-> * [bash](https://www.gnu.org/software/bash/) (tested versions: 5.1.4 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/), 5.0.17 on [Ubuntu 20](https://wiki.ubuntu.com/FocalFossa/ReleaseNotes), 4.2.46 on [CentOS 7](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.2009))
-
-| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
-|-----------|--------------|------------------------|---------------|
-| 1 |**inc\|dec**|increment or decrement counter|**REQUIRED**|
-| 2 |****|root path for counter, names, log|**REQUIRED**|
-| 3 |**[mail]**|send email notification||
-| 4 |**[geo]**|check client address geolocation||
-
-Example usage:
-
-```bash
-# download
-sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/ovpn-connect-handling.sh -O /etc/openvpn/server/ovpn-connect-handling.sh
-sudo chmod +x /etc/openvpn/server/ovpn-connect-handling.sh
-```
-
-```bash
-# add options to openvpn server config file
-sudo tee -a /etc/openvpn/server/server.conf > /dev/null <<'EOF'
-script-security 2
-client-connect "/etc/openvpn/server/ovpn-connect-handling.sh inc /var/log/openvpn mail geo"
-client-disconnect "/etc/openvpn/server/ovpn-connect-handling.sh dec /var/log/openvpn - -"
-EOF
-sudo systemctl restart openvpn@server
-```
-
-```bash
-# check counter and names
-watch cat /var/log/openvpn/openvpn-counts.log
-# check journal
-tail -f /var/log/openvpn/ovpn-connect-handling.log
-```
-
-____
-
-## `wg-client-management`.sh
-
-**Description:**
-> Creating or deleting client config for wireguard and sending config and info to email.
-
-**Dependencies:**
->
-> * privileged rights
-> * [wireguard](https://www.wireguard.com/) (tested version 1.0.2 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [qrencode](https://github.com/fukuchi/libqrencode) (tested version 4.1.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * existing [/usr/local/bin/sendmail.py](http://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py)
-
-| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
-|-----------|--------------|------------------------|---------------|
-| 1 |**add\|del**|add or delete client config|**REQUIRED**|
-| 2 |**\**|client username|**REQUIRED**|
-| 3 |**\**|client ip address|**REQUIRED**|
-| 4 |**[-f]**,**[--force]**|service will restart after add\|del username||
-
-Example usage:
-
-```bash
-# download
-sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/wg-client-management.sh -O /etc/wireguard/wg-client-management.sh
-sudo chmod +x /etc/wireguard/wg-client-management.sh
-```
-
-```bash
-# create link
-ln -s /etc/wireguard/wg-client-management.sh ./wg
-```
-
-```bash
-# create client
-sudo ./wg add username address
-```
-
-```bash
-# delete client and restart service
-sudo ./wg del username address -f
-```
-
-```bash
-# check journal
-tail -f /var/log/wireguard/wg.log
-```
-
-____
-
-## `wg-connect-handling`.sh
-
-**Description:**
-> Handling client connection and preparing stats for monitoring.
-
-**Dependencies:**
->
-> * privileged rights
-> * [jq](https://github.com/stedolan/jq) (tested version 1.6 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * [Python 3](https://www.python.org/downloads/) (tested version 3.9.5 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
-> * existing [/usr/local/bin/sendmail.py](http://git.hmp.today/pavel.muhortov/utils/raw/branch/master/sendmail.py)
-> * [bash](https://www.gnu.org/software/bash/) (tested versions: 5.1.4 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/), 5.0.17 on [Ubuntu 20](https://wiki.ubuntu.com/FocalFossa/ReleaseNotes), 4.2.46 on [CentOS 7](https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.2009))
-
-| POSITION | PARAMETERS | DESCRIPTION | DEFAULT |
-|-----------|--------------|------------------------|---------------|
-| 1 |****|root path for counter, names, log|**REQUIRED**|
-| 2 |**[mail]**|send email notification||
-| 3 |**[geo]**|check client address geolocation||
-
-Example usage:
-
-```bash
-# download
-sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/wg-connect-handling.sh -O /etc/wireguard/wg-connect-handling.sh
-sudo chmod +x /etc/wireguard/wg-connect-handling.sh
-```
-
-```bash
-# create root path for counter, names, log
-sudo mkdir /var/log/wireguard
-sudo chown -R root:root /var/log/wireguard
-sudo chmod -R 755 /var/log/wireguard
-```
-
-```bash
-# sudo crontab -e
-* * * * * bash /etc/wireguard/wg-connect-handling.sh /var/log/wireguard mail geo
-```
-
-```bash
-# check counter and names
-watch cat /var/log/wireguard/wg-counts.log
-# check journal
-tail -f /var/log/wireguard/wg-connect-handling.log
-```
diff --git a/ovpn-cert-expiration.sh b/ovpn-cert-expiration.sh
deleted file mode 100644
index fc75703..0000000
--- a/ovpn-cert-expiration.sh
+++ /dev/null
@@ -1,149 +0,0 @@
-#! /bin/bash
-
-# DESCRIPTION:
-# checking openvpn server certificates expiration
-# and
-# preparing stats for monitoring
-#
-# DEPENDENCIES:
-# - privileged rights
-# - openssl
-#
-# PARAMETERS:
-# 1: "qn" - execution without pauses
-# 2: openvpn server config file path
-#
-# FUNCTIONS:
-#
-
-#######################################
-# Print message and add to log.
-# Globals:
-# logs
-# Arguments:
-# 1: message to print and logging
-#######################################
-addtologs() {
- echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}"
-}
-
-#######################################
-# Waiting for press [ENTER].
-# Globals:
-# None
-# Arguments:
-# None
-#######################################
-execpause() {
- read -r -p "Press [ENTER] to continue... "
-}
-
-#######################################
-# Exit procedure.
-# Globals:
-# show
-# Arguments:
-# None
-#######################################
-execquite() {
- addtologs "execution time is $(($(date +%s)-time)) seconds, exit"
- if [ "${show}" != "qn" ]; then
- execpause
- fi
- exit
-}
-
-#######################################
-# Error exit procedure
-# Globals:
-# None
-# Arguments:
-# 1: message to print and logging
-#######################################
-execerror() {
- addtologs "error: $1"
- execquite
-}
-
-#######################################
-# Parsing config file and creating global vars.
-# Globals:
-# None
-# Arguments:
-# None
-#######################################
-getconfig() {
- cacrpath=$(grep ^ca "${conf}" | cut -d' ' -f2)
- certpath=$(grep ^cert "${conf}" | cut -d' ' -f2)
- statfile="$(dirname "$(grep ^log /etc/openvpn/server/server.conf | cut -d' ' -f2)")/$(basename -s .sh "$0").log"
-}
-
-#######################################
-# Checking user rights.
-# Globals:
-# None
-# Arguments:
-# None
-# return:
-# 0 - if privileged rights, 1 - if not privileged rights
-#######################################
-checkroot() {
- if [ "${EUID}" -ne 0 ]; then
- return 1 # false
- else
- return 0 # true
- fi
-}
-
-#######################################
-# Print certificate expiration date in epoch
-# Globals:
-# None
-# Arguments:
-# 1: certificate path
-#######################################
-checkcert() {
- printf '%s\n' "$(date -d "$(openssl x509 -text -noout -in "${1}" | grep 'Not After' | cut -d':' -f2-)" +%s)"
-}
-
-#
-# VARIABLES:
-#
-
-show=$1
-conf=$2
-logs=/dev/null
-if [ -z "${conf}" ] || [ "${conf}" == "-" ]; then
- conf=/etc/openvpn/server/server.conf
-fi
-
-time=$(date +%s)
-cd "$(dirname "$(realpath "$0")")" || execerror
-if [ ! -e "${conf}" ]; then
- execerror "${conf} not found"
-else
- getconfig
-fi
-
-if ! command -v openssl &> /dev/null; then
- execerror "Not found dependencies"
-fi
-
-#
-# MAIN:
-#
-
-if checkroot; then
- cacrtime=$(checkcert "${cacrpath}")
- certtime=$(checkcert "${certpath}")
- cacrremain=$(( cacrtime - time ))
- certremain=$(( certtime - time))
- addtologs "${cacrpath} remains only ${cacrremain} seconds"
- addtologs "${certpath} remains only ${certremain} seconds"
- printf '%s\n' "ca=${cacrremain}" > "${statfile}"
- printf '%s\n' "cert=${certremain}" >> "${statfile}"
- addtologs "stats wrote to ${statfile}"
- execquite
-else
- execerror "Restart this as root!"
-fi
diff --git a/ovpn-client-management.sh b/ovpn-client-management.sh
deleted file mode 100644
index 1159274..0000000
--- a/ovpn-client-management.sh
+++ /dev/null
@@ -1,353 +0,0 @@ -#! /bin/bash - -# DESCRIPTION: -# creating or deleting client config for openvpn -# and -# sending config and info to email -# -# DEPENDENCIES: -# - privileged rights -# - chpasswd -# - openvpn -# - easy-rsa -# - tar -# - Python 3 -# - existing /usr/local/bin/sendmail.py -# -# PARAMETERS: -# 1: "add|del" - add or delete client config -# 2: username - client username -# 3: password - client password -# -f|--force - service will restart after username delete -# -# FUNCTIONS: -# - -####################################### -# Print message and add to log. -# Globals: -# logs -# Arguments: -# 1: message to print and logging -####################################### -addtologs() { - echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}" -} - -####################################### -# Exit procedure. -# Globals: -# show -# Arguments: -# None -####################################### -execquite() { - addtologs "execution time is $(($(date +%s)-time)) seconds, exit" - exit -} - -####################################### -# Error exit procedure -# Globals: -# None -# Arguments: -# 1: message to print and logging -####################################### -execerror() { - addtologs "error: $1" - execquite -} - -####################################### -# Checking user rights. 
-# Globals: -# None -# Arguments: -# None -# return: -# 0 - if privileged rights, 1 - if not privileged rights -####################################### -checkroot() { - if [ "${EUID}" -ne 0 ]; then - return 1 # false - else - return 0 # true - fi -} - -####################################### -# Creating linux user -# Globals: -# clientname -# clientpass -# Arguments: -# None -####################################### -createuser() { - useradd "${clientname}" --shell /sbin/nologin - echo "${clientname}:${clientpass}" | chpasswd -} - -####################################### -# Creating Easy-RSA user certificate -# Globals: -# easyrsadir -# easyrsavar -# easyrsaexe -# easyrsacap -# clientname -# clientpass -# Arguments: -# None -####################################### -# shellcheck disable=SC2016 -createcert() { - cd ${easyrsadir} || execerror "" - sed -i -e '$aset_var EASYRSA_REQ_CN '"${clientname}"'' ${easyrsavar} - ${easyrsaexe} --passout=pass:"${clientpass}" --passin=pass:${easyrsacap} build-client-full "${clientname}" - sed -i '/EASYRSA_REQ_CN/d' ${easyrsavar} -} - -####################################### -# Creating ovpn config file -# Globals: -# easyrsadir -# ovpncfgdef -# clientname -# ovpncfgdir -# Arguments: -# None -####################################### -createovpn() { - cd ${easyrsadir} || execerror "" - { - cat "${ovpncfgdef}" - echo -e '' - cat "${easyrsadir}/pki/ca.crt" - echo -e '\n' - cat "${easyrsadir}/pki/issued/${clientname}.crt" - echo -e '\n' - cat "${easyrsadir}/pki/private/${clientname}.key" - echo -e '\n' - cat "${easyrsadir}/pki/ta.key" - echo -e '' - } >> "${ovpncfgdir}/${clientname}.ovpn" -} - -####################################### -# Creating tar with config file -# Globals: -# easyrsadir -# clientname -# ovpncfgdir -# Arguments: -# None -####################################### -createtars() { - cp "${ovpncfgdir}/${clientname}.ovpn" "${ovpncfgdir}/vpn.cnf" - sed -i "s#auth-user-pass#auth-user-pass /config/openvpn/vpn.txt#g" 
${ovpncfgdir}/vpn.cnf - { - echo -e "${clientname}" - echo -e "${clientpass}" - } >> "${ovpncfgdir}/vpn.txt" - cd ${ovpncfgdir} || execerror "" - tar cf "${clientname}.tar" --remove-files vpn.cnf vpn.txt -} - -####################################### -# Creating info file -# Globals: -# easyrsadir -# easyrsaexe -# clientname -# ovpncfgdir -# Arguments: -# None -####################################### -createinfo() { - cd ${easyrsadir} || execerror - validuntil=$(${easyrsaexe} show-cert "${clientname}" | grep "Not After" | cut -d: -f2-) - -faqprofile=$(cat < "${ovpncfgdir}/${clientname}.info" -} - -####################################### -# Send email notification about client connect -# Globals: -# clientname -# faqprofile -# ovpncfgdir -# Arguments: -# None -####################################### -startsendmail() { - subj="[OVPN Settings] $(cat /etc/hostname): ${clientname}.ovpn client profile" - ( - python3 /usr/local/bin/sendmail.py \ - -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - --stls "True" \ - --subj "${subj}" \ - --text "${faqprofile}" \ - --file "${ovpncfgdir}/${clientname}.ovpn,${ovpncfgdir}/${clientname}.tar" \ - >> /dev/null 2>&1 & - ) - addtologs "sent mail with subject '${subj}'" -} - -####################################### -# Deleting linux user -# Globals: -# clientname -# Arguments: -# None -####################################### -deleteuser() { - userdel -f -r "${clientname}" -} - -####################################### -# Deleting Easy-RSA user certificate -# Globals: -# easyrsadir -# easyrsavar -# easyrsaexe -# easyrsacap -# clientname -# Arguments: -# None -####################################### -deletecert() { - cd ${easyrsadir} || 
execerror - ${easyrsaexe} --batch --passin=pass:${easyrsacap} revoke "${clientname}" - ${easyrsaexe} --batch --passin=pass:${easyrsacap} gen-crl -} - -####################################### -# Deleting ovpn config file -# Globals: -# clientname -# ovpncfgdir -# Arguments: -# None -####################################### -deleteovpn() { - rm -f "${ovpncfgdir}/${clientname}.ovpn" -} - -####################################### -# Deleting tar with config file -# Globals: -# clientname -# ovpncfgdir -# Arguments: -# None -####################################### -deletetars() { - rm -f "${ovpncfgdir}/${clientname}.tar" -} - -####################################### -# Deleting info file -# Globals: -# clientname -# ovpncfgdir -# Arguments: -# None -####################################### -deleteinfo() { - rm -f "${ovpncfgdir}/${clientname}.info" -} - -# -# VARIABLES: -# - -easyrsadir="/etc/openvpn/easy-rsa" -easyrsaidx="${easyrsadir}/pki/index.txt" -easyrsaexe="${easyrsadir}/easyrsa" -easyrsavar="${easyrsadir}/vars" -easyrsacap="openvpnca" -ovpncfgdir="/etc/openvpn/client" -ovpncfgdef="${ovpncfgdir}/client.conf.default" - -clienttodo=$1 -clientname=$2 -clientpass=$3 - -resetforce=0 -for argument in "${@}"; do - case $argument in - -f | --force ) - resetforce=1 - ;; - -* ) - ;; - esac -done - -time=$(date +%s) -logs=/dev/null - -# -# MAIN: -# - -if checkroot; then - logs=/var/log/openvpn/$(basename -s .sh "$0").log - if [ "${clienttodo}" == "add" ] && \ - [ -n "${clientname}" ] && \ - [ "${#clientpass}" -ge 8 ]; then - if id -u "${clientname}" >/dev/null 2>&1 || \ - grep -w "${clientname}" ${easyrsaidx} || \ - [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then - execerror "linux user or certificate or ovpn config exist, exit" - else - createuser && addtologs "created Linux user '${clientname}'" - createcert && addtologs "created certificate for ${clientname}" - createovpn && addtologs "created ovpn config file for ${clientname}" - createtars && addtologs "created tar with 
config file for ${clientname}" - createinfo && addtologs "created info file for ${clientname}" - startsendmail - fi - elif [ "${clienttodo}" == "del" ] && [ -n "${clientname}" ]; then - if id -u "${clientname}" >/dev/null 2>&1 || \ - grep -w "${clientname}" ${easyrsaidx} || \ - [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then - deleteuser - addtologs "deleted Linux user '${clientname}'" - deletecert && addtologs "deleted certificate for ${clientname}" - deleteovpn && addtologs "deleted ovpn config file for ${clientname}" - deletetars && addtologs "deleted tar with config file for ${clientname}" - deleteinfo && addtologs "deleted info file for ${clientname}" - if [ "${resetforce}" -eq 1 ];then - addtologs "restarting openvpn@server..." - systemctl restart openvpn@server - fi - else - execerror "linux user and certificate and ovpn config not exist, exit" - fi - else - printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'password(not less 8 symbols)'" - printf "%s\n" "Usage example: $0 'del' 'username(surname)'" - printf "%s\n" "Usage example: $0 'del' 'username(surname)' -f" - fi -else - execerror "Restart this as root!" -fi -execquite diff --git a/ovpn-connect-handling.sh b/ovpn-connect-handling.sh deleted file mode 100644 index 96e05e4..0000000 --- a/ovpn-connect-handling.sh +++ /dev/null 
@@ -1,195 +0,0 @@ -#! /bin/bash - -# DESCRIPTION: -# handling client connection -# and -# preparing stats for monitoring -# -# DEPENDENCIES: -# - executing by openvpn server -# - jq -# - grepcidr -# - Python 3 -# - existing /usr/local/bin/sendmail.py -# -# PARAMETERS: -# 1: "inc|dec" - increment or decrement counter -# 2: root path for counter, names, log -# 3: "mail" - send email notification -# 4: "geo" - check client address geolocation -# -# FUNCTIONS: -# - -####################################### -# Print message and add to log. -# Globals: -# logs -# Arguments: -# 1: message to print and logging -####################################### -addtologs() { - echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}" -} - -####################################### -# Exit procedure. -# Globals: -# show -# Arguments: -# None -####################################### -execquite() { - addtologs "execution time is $(($(date +%s)-time)) seconds, exit" - exit -} - -####################################### -# Error exit procedure -# Globals: -# None -# Arguments: -# 1: message to print and logging -####################################### -execerror() { - addtologs "error: $1" - execquite -} - -####################################### -# Incrementing counter with adding client name -# Globals: -# counts_file -# common_name (variable by openvpn server) -# ifconfig_pool_remote_ip (variable by openvpn server) -# Arguments: -# None -####################################### -# shellcheck disable=SC2154 -incremcounter() { - summary_cur=$(grep 'total=' "${counts_file}" | cut -d= -f2) - summary_new=${summary_cur} && (( summary_new += 1 )) - counts_temp=$(sed -e "s/total=${summary_cur}/total=${summary_new}/g" "${counts_file}" \ - | sed -e '$a'"${common_name}"'_'"${ifconfig_pool_remote_ip}"'') - addtologs "client ${common_name} connected, counter increment to ${summary_new}" - printf "%s\n" "${counts_temp}" > "${counts_file}" -} - -####################################### -# Decrementing 
counter with deleting client name -# Globals: -# counts_file -# common_name (variable by openvpn server) -# Arguments: -# None -####################################### -decremcounter(){ - summary_cur=$(grep 'total=' "${counts_file}" | cut -d= -f2) - summary_new=${summary_cur} && (( summary_new -= 1 )) - counts_temp=$(sed -e "s/total=${summary_cur}/total=${summary_new}/g" "${counts_file}" \ - | sed '0,/'"${common_name}"'/{/'"${common_name}"'/d}') - addtologs "client ${common_name} disconnected, counter decrement to ${summary_new}" - printf "%s\n" "${counts_temp}" > "${counts_file}" -} - -####################################### -# Get information about client address -# Globals: -# flaggeol -# untrusted_ip (variable by openvpn server) -# Arguments: -# None -####################################### -# shellcheck disable=SC2154 -expandaddress() { - ipinfo="Source address is ${untrusted_ip}" - localnetworks="10.0.0.0/8 - 100.64.0.0/10 - 127.0.0.1/8 - 172.16.0.0/12 - 192.168.0.0/16 - " - if ! grepcidr "${localnetworks}" <(echo "${untrusted_ip}") >/dev/null; then - if [ "${flaggeol}" == "geo" ]; then - ipinfo=$(curl "https://api.ipbase.com/v1/json/${untrusted_ip}") - if [ "$(jq -r '.country_name' <<< "$ipinfo")" != "" ]; then - z=$(jq -r '.zip_code' <<< "$ipinfo") - c=$(jq -r '.country_name' <<< "$ipinfo") - r=$(jq -r '.region_name' <<< "$ipinfo") - t=$(jq -r '.city' <<< "$ipinfo") - ipinfo="Source address ${untrusted_ip} is from ${z}, ${c}, ${r}, ${t}" - fi - fi - fi - addtologs "client ${common_name} checked. 
${ipinfo}" -} - -####################################### -# Send email notification about client connect -# Globals: -# ipinfo -# common_name (variable by openvpn server) -# ifconfig_pool_remote_ip (variable by openvpn server) -# Arguments: -# None -####################################### -startsendmail() { - subj="[VPN Connected] $(cat /etc/hostname): ${common_name} connect to ${ifconfig_pool_remote_ip}" - ( - python3 /usr/local/bin/sendmail.py \ - -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ - --stls "True" \ - --subj "${subj}" \ - --text "${ipinfo}" \ - >> /dev/null 2>&1 & - ) - addtologs "sent mail with subject '${subj}'" -} - -# -# VARIABLES: -# - -flagmath=$1 -pathroot=$2 -flagmail=$3 -flaggeol=$4 - -time=$(date +%s) -logs="${pathroot}/$(basename -s .sh "$0").log" -counts_file="${pathroot}/ovpn-counts.log" -if [ -z "${pathroot}" ]; then - logs=/dev/null - execerror "Usage example: $0 'inc|dec' '/var/log/openvpn' '-' '-'" -elif [ ! -e "${logs}" ]; then - touch "${logs}" -fi - -if ! command -v curl &> /dev/null || \ - ! command -v /usr/local/bin/sendmail.py &> /dev/null || \ - ! command -v python3 &> /dev/null || \ - ! command -v grepcidr &> /dev/null || \ - ! command -v jq &> /dev/null; then - execerror "Not found dependencies" -fi - -# -# MAIN: -# - -if [ "${flagmath}" == "inc" ]; then - incremcounter - expandaddress - if [ "${flagmail}" == "mail" ]; then - startsendmail - fi -elif [ "${flagmath}" == "dec" ]; then - decremcounter -else - execerror "Usage example: $0 'inc|dec' '/var/log/openvpn' '-' '-'" -fi -execquite diff --git a/wg-client-management.sh b/wg-client-management.sh deleted file mode 100644 index 276e14c..0000000 
--- a/wg-client-management.sh
+++ /dev/null
@@ -1,284 +0,0 @@
-#! /bin/bash
-
-# DESCRIPTION:
-# creating or deleting client config for wireguard
-# and
-# sending config and info to email
-#
-# DEPENDENCIES:
-# - privileged rights
-# - wireguard
-# - qrencode
-# - grepcidr
-# - Python 3
-# - existing /usr/local/bin/sendmail.py
-#
-# PARAMETERS:
-# 1: "add|del" - add or delete client config
-# 2: username - client username
-# 3: address - client ip address
-# -f|--force - service will restart after username add|del
-#
-# FUNCTIONS:
-#
-
-#######################################
-# Print message and add to log.
-# Globals:
-# logs
-# Arguments:
-# 1: message to print and logging
-#######################################
-addtologs() {
- echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}"
-}
-
-#######################################
-# Exit procedure.
-# Globals:
-# show
-# Arguments:
-# None
-#######################################
-execquite() {
- addtologs "execution time is $(($(date +%s)-time)) seconds, exit"
- exit
-}
-
-#######################################
-# Error exit procedure
-# Globals:
-# None
-# Arguments:
-# 1: message to print and logging
-#######################################
-execerror() {
- addtologs "error: $1"
- execquite
-}
-
-#######################################
-# Checking user rights.
-# Globals:
-# None
-# Arguments:
-# None
-# return:
-# 0 - if privileged rights, 1 - if not privileged rights
-#######################################
-checkroot() {
- if [ "${EUID}" -ne 0 ]; then
- return 1 # false
- else
- return 0 # true
- fi
-}
-
-#######################################
-# Send email notification about client connect
-# Globals:
-# clientname
-# faqprofile
-# Arguments:
-# None
-#######################################
-startsendmail() {
- subj="[WG Settings] $(cat /etc/hostname): ${clientname} client profile"
- (
- python3 /usr/local/bin/sendmail.py \
- -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- --stls "True" \
- --subj "${subj}" \
- --text "${faqprofile}" \
- --file "/etc/wireguard/${clientname}.png,/etc/wireguard/${clientname}.conf" \
- >> /dev/null 2>&1 &
- )
- addtologs "sent mail with subject '${subj}'"
-}
-
-#######################################
-# Create wireguard client certificates
-# Globals:
-# clientname
-# clientaddr
-# servercfgname
-# Arguments:
-# None
-#######################################
-createcert() {
- wg genkey | tee "/etc/wireguard/pki/${clientname}-private.key" | wg pubkey > "/etc/wireguard/pki/${clientname}-public.key"
- clientpublkey=$(cat "/etc/wireguard/pki/${clientname}-public.key")
- clientprivkey=$(cat "/etc/wireguard/pki/${clientname}-private.key")
- wg set wg0 peer "${clientpublkey}" allowed-ips "${clientaddr}/32"
- {
- echo -e "[Peer]"
- echo -e " PublicKey = ${clientpublkey}"
- echo -e " AllowedIPs = ${clientaddr}/32"
- } >> ${servercfgname}
- ip -4 route add "${clientaddr}/32" dev wg0
-}
-
-#######################################
-# Create wireguard client configuration
-# Globals:
-#
clientname
-# clientaddr
-# clientconfdef
-# clientprivkey
-# serverpublkey
-# Arguments:
-# None
-#######################################
-createconf() {
- clientconf=$(cat "${clientconfdef}")
- clientconf=${clientconf//clientaddr/${clientaddr}}
- clientconf=${clientconf//clientprivkey/${clientprivkey}}
- clientconf=${clientconf//serverpublkey/${serverpublkey}}
- clientconf=${clientconf//clientaddrs/${clientaddr}}
- printf "%s\n" "${clientconf}" > "/etc/wireguard/${clientname}.conf"
-}
-
-#######################################
-# Create wireguard client info, qr-code
-# Globals:
-# clientname
-# Arguments:
-# None
-#######################################
-createinfo() {
-faqprofile=$(cat < /dev/null || \
- ! command -v /usr/local/bin/sendmail.py &> /dev/null || \
- ! command -v python3 &> /dev/null; then
- execerror "Not found dependencies"
-fi
-
-#
-# MAIN:
-#
-
-if checkroot; then
- serverpublkey=$(cat /etc/wireguard/pki/server-public.key)
- servercfgname="/etc/wireguard/wg0.conf"
- clientpublkey=''
- clientprivkey=''
- clientconfdef="/etc/wireguard/client.conf.default"
- logs=/var/log/wireguard/$(basename -s .sh "$0").log
-
- if [ "${clienttodo}" == "add" ] && \
- [ -n "${clientname}" ] && \
- grepcidr "0.0.0.0/0" <(echo "${clientaddr}") >/dev/null; then
- if [ -f "/etc/wireguard/${clientname}.conf" ] || \
- grep -q -w "${clientaddr}/32" ${servercfgname}; then
- execerror "wireguard config exist or address used, exit"
- else
- createcert && addtologs "created certificate for ${clientname}"
- createconf && addtologs "created wg config file for ${clientname}"
- createinfo && addtologs "created info file for ${clientname}"
- startsendmail
- fi
- if [ "${resetforce}" -eq 1 ];then
- addtologs "restarting wg-quick@wg0..."
- systemctl restart wg-quick@wg0
- fi
- elif [ "${clienttodo}" == "del" ] && \
- [ -n "${clientname}" ] && \
- grepcidr "0.0.0.0/0" <(echo "${clientaddr}") >/dev/null; then
- if [ -f "/etc/wireguard/${clientname}.conf" ]; then
- deleteconf && addtologs "deleted wg config file for ${clientname}"
- fi
- if [ -f "/etc/wireguard/${clientname}.png" ]; then
- deleteinfo && addtologs "deleted info file for ${clientname}"
- fi
- if grep -q -w "${clientaddr}/32" ${servercfgname}; then
- deletecert && addtologs "deleted certificate for ${clientname}"
- fi
- if [ "${resetforce}" -eq 1 ];then
- addtologs "restarting wg-quick@wg0..."
- systemctl restart wg-quick@wg0
- fi
- else
- printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'address(ww.xx.yy.zz) -f'"
- printf "%s\n" "Usage example: $0 'del' 'username(surname)' 'address(ww.xx.yy.zz)'"
- fi
-else
- execerror "Restart this as root!"
-fi
-execquite
diff --git a/wg-connect-handling.sh b/wg-connect-handling.sh
deleted file mode 100644
index 4de263a..0000000
--- a/wg-connect-handling.sh
+++ /dev/null
@@ -1,208 +0,0 @@ -#! /bin/bash - -# DESCRIPTION: -# handling client connection -# and -# preparing stats for monitoring -# -# DEPENDENCIES: -# - privileged rights -# - jq -# - grepcidr -# - Python 3 -# - existing /usr/local/bin/sendmail.py -# -# PARAMETERS: -# 1: root path for counter, names, log -# 2: "mail" - send email notification -# 3: "geo" - check client address geolocation -# -# FUNCTIONS: -# - -####################################### -# Print message and add to log. -# Globals: -# logs -# Arguments: -# 1: message to print and logging -####################################### -addtologs() { - echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}" -} - -####################################### -# Exit procedure. -# Globals: -# show -# Arguments: -# None -####################################### -execquite() { - addtologs "execution time is $(($(date +%s)-time)) seconds, exit" - exit -} - -####################################### -# Error exit procedure -# Globals: -# None -# Arguments: -# 1: message to print and logging -####################################### -execerror() { - addtologs "error: $1" - execquite -} - -####################################### -# Checking user rights. -# Globals: -# None -# Arguments: -# None -# return: -# 0 - if privileged rights, 1 - if not privileged rights -####################################### -checkroot() { - if [ "${EUID}" -ne 0 ]; then - return 1 # false - else - return 0 # true - fi -} - -####################################### -# Get information about client address -# Globals: -# flaggeol -# show_from_addr -# conf_client_nm -# Arguments: -# None -####################################### -# shellcheck disable=SC2154 -expandaddress() { - ipinfo="Source address is ${show_from_addr}" - localnetworks="10.0.0.0/8 - 100.64.0.0/10 - 127.0.0.1/8 - 172.16.0.0/12 - 192.168.0.0/16 - " - if ! 
grepcidr "${localnetworks}" <(echo "${show_from_addr}") >/dev/null; then
- if [ "${flaggeol}" == "geo" ]; then
- ipinfo=$(curl "https://api.ipbase.com/v1/json/${show_from_addr}")
- if [ "$(jq -r '.country_name' <<< "$ipinfo")" != "" ]; then
- z=$(jq -r '.zip_code' <<< "$ipinfo")
- c=$(jq -r '.country_name' <<< "$ipinfo")
- r=$(jq -r '.region_name' <<< "$ipinfo")
- t=$(jq -r '.city' <<< "$ipinfo")
- ipinfo="Source address ${show_from_addr} is from ${z}, ${c}, ${r}, ${t}"
- fi
- fi
- fi
- addtologs "client ${conf_client_nm} checked. ${ipinfo}"
-}
-
-#######################################
-# Send email notification about client connect
-# Globals:
-# ipinfo
-# conf_client_nm
-# conf_ipaddress
-# Arguments:
-# None
-#######################################
-startsendmail() {
- subj="[VPN Connected] $(cat /etc/hostname): ${conf_client_nm} connect to ${conf_ipaddress}"
- (
- python3 /usr/local/bin/sendmail.py \
- -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
- --stls "True" \
- --subj "${subj}" \
- --text "${ipinfo}" \
- >> /dev/null 2>&1 &
- )
- addtologs "sent mail with subject '${subj}'"
-}
-
-#
-# VARIABLES:
-#
-
-pathroot=$1
-flagmail=$2
-flaggeol=$3
-
-time=$(date +%s)
-logs="${pathroot}/$(basename -s .sh "$0").log"
-counts_file="${pathroot}/wg-counts.log"
-counts_temp=$(cat "${counts_file}")
-if [ -z "${pathroot}" ]; then
- logs=/dev/null
- execerror "Usage example: $0 '/var/log/wireguard' '-' '-'"
-elif [ ! -e "${logs}" ]; then
- touch "${logs}"
-fi
-
-if ! command -v curl &> /dev/null || \
- ! command -v /usr/local/bin/sendmail.py &> /dev/null || \
- ! command -v python3 &> /dev/null || \
- ! command -v grepcidr &> /dev/null || \
- !
command -v jq &> /dev/null; then
- execerror "Not found dependencies"
-fi
-
-#
-# MAIN:
-#
-
-if checkroot; then
- allowed_cfg=$(find /etc/wireguard/ -name "*.conf" | grep -v "wg0.conf")
- counter_now=0
- clients_now=""
- while read -r file; do
- conf_keepalive=$(grep "PersistentKeepalive" "${file}" |cut -d"=" -f2 |tr -d " ")
- conf_ipaddress=$(grep "Address" "${file}" |cut -d"=" -f2 |cut -d"/" -f1 |tr -d " ")
- conf_client_nm=$(basename -s .conf "${file}")
- show_handshake=$(wg show all dump |grep "${conf_ipaddress}" |cut -f6)
- show_from_addr=$(wg show all dump |grep "${conf_ipaddress}" |cut -f4 |cut -d":" -f1)
- if [ "${show_handshake}" -ne 0 ]; then
- calc_handshake="$(date -d "-${conf_keepalive} min" +"%s")"
- if [ "${show_handshake}" -ge "${calc_handshake}" ]; then
- (( counter_now ++))
- connect_status="connected"
- if ping -q -c 1 -W 1 "${conf_ipaddress}" > /dev/null; then
- connect_status="connected, ping responded"
- else
- connect_status="connected, ping loss"
- fi
- clients_now+=$(printf "%s\n\r" "${conf_client_nm}_${conf_ipaddress}")
- if ! grep -q "${conf_client_nm}_${conf_ipaddress}" <<< "${counts_temp}"; then
- addtologs "client ${conf_client_nm} ${connect_status}"
- expandaddress
- if [ "${flagmail}" == "mail" ]; then
- startsendmail
- fi
- fi
- else
- connect_status="disconnected"
- if grep -q "${conf_client_nm}_${conf_ipaddress}" <<< "${counts_temp}"; then
- addtologs "client ${conf_client_nm} ${connect_status}"
- fi
- fi
- else
- connect_status="never connected"
- fi
- done <<< "$allowed_cfg"
- printf "%s\n" "total=${counter_now}=" > "${counts_file}"
- printf "%s\n" "${clients_now}" >> "${counts_file}"
-else
- execerror "Restart this as root!"
-fi
-execquite