#! /bin/bash # DESCRIPTION: # creating or deleting client config for openvpn # and # sending config and info to email # # DEPENDENCIES: # - privileged rights # - chpasswd # - openvpn # - easy-rsa # - tar # - Python 3 # - existing /usr/local/bin/sendmail.py # # PARAMETERS: # 1: "add|del" - add or delete client config # 2: username - client username # 3: password - client password # -f|--force - service will restart after username delete # # FUNCTIONS: # ####################################### # Print message and add to log. # Globals: # logs # Arguments: # 1: message to print and logging ####################################### addtologs() { echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}" } ####################################### # Exit procedure. # Globals: # show # Arguments: # None ####################################### execquite() { addtologs "execution time is $(($(date +%s)-time)) seconds, exit" exit } ####################################### # Error exit procedure # Globals: # None # Arguments: # 1: message to print and logging ####################################### execerror() { addtologs "error: $1" execquite } ####################################### # Checking user rights. # Globals: # None # Arguments: # None # return: # 0 - if privileged rights, 1 - if not privileged rights ####################################### checkroot() { if [ "${EUID}" -ne 0 ]; then return 1 # false else return 0 # true fi } ####################################### # Creating linux user # Globals: # clientname # clientpass # Arguments: # None ####################################### createuser() { useradd "${clientname}" --shell /sbin/nologin echo "${clientname}:${clientpass}" | chpasswd } ####################################### # Creating Easy-RSA user certificate # Globals: # easyrsadir # easyrsavar # easyrsaexe # easyrsacap # clientname # clientpass # Arguments: # None ####################################### # shellcheck disable=SC2016 createcert() { cd ${easyrsadir} || execerror "" sed -i -e '$aset_var EASYRSA_REQ_CN '"${clientname}"'' ${easyrsavar} ${easyrsaexe} --passout=pass:"${clientpass}" --passin=pass:${easyrsacap} build-client-full "${clientname}" sed -i '/EASYRSA_REQ_CN/d' ${easyrsavar} } ####################################### # Creating ovpn config file # Globals: # easyrsadir # ovpncfgdef # clientname # ovpncfgdir # Arguments: # None ####################################### createovpn() { cd ${easyrsadir} || execerror "" { cat "${ovpncfgdef}" echo -e '' cat "${easyrsadir}/pki/ca.crt" echo -e '\n' cat "${easyrsadir}/pki/issued/${clientname}.crt" echo -e '\n' cat "${easyrsadir}/pki/private/${clientname}.key" echo -e '\n' cat "${easyrsadir}/pki/ta.key" echo -e '' } >> "${ovpncfgdir}/${clientname}.ovpn" } ####################################### # Creating tar with config file # Globals: # easyrsadir # clientname # ovpncfgdir # Arguments: # None ####################################### createtars() { cp "${ovpncfgdir}/${clientname}.ovpn" "${ovpncfgdir}/vpn.cnf" sed -i "s#auth-user-pass#auth-user-pass /config/openvpn/vpn.txt#g" ${ovpncfgdir}/vpn.cnf { echo -e "${clientname}" echo -e "${clientpass}" } >> "${ovpncfgdir}/vpn.txt" cd ${ovpncfgdir} || execerror "" tar cf "${clientname}.tar" --remove-files vpn.cnf vpn.txt } ####################################### # Creating info file # Globals: # easyrsadir # easyrsaexe # clientname # ovpncfgdir # Arguments: # None ####################################### createinfo() { cd ${easyrsadir} || execerror validuntil=$(${easyrsaexe} show-cert "${clientname}" | grep "Not After" | cut -d: -f2-) faqprofile=$(cat < "${ovpncfgdir}/${clientname}.info" } ####################################### # Send email notification about client connect # Globals: # clientname # faqprofile # ovpncfgdir # Arguments: # None ####################################### startsendmail() { subj="[OVPN Settings] $(cat /etc/hostname): ${clientname}.ovpn client profile" ( python3 /usr/local/bin/sendmail.py \ -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \ --stls "True" \ --subj "${subj}" \ --text "${faqprofile}" \ --file "${ovpncfgdir}/${clientname}.ovpn,${ovpncfgdir}/${clientname}.tar" \ >> /dev/null 2>&1 & ) addtologs "sent mail with subject '${subj}'" } ####################################### # Deleting linux user # Globals: # clientname # Arguments: # None ####################################### deleteuser() { userdel -f -r "${clientname}" } ####################################### # Deleting Easy-RSA user certificate # Globals: # easyrsadir # easyrsavar # easyrsaexe # easyrsacap # clientname # Arguments: # None ####################################### deletecert() { cd ${easyrsadir} || execerror ${easyrsaexe} --batch --passin=pass:${easyrsacap} revoke "${clientname}" ${easyrsaexe} --batch --passin=pass:${easyrsacap} gen-crl } ####################################### # Deleting ovpn config file # Globals: # clientname # ovpncfgdir # Arguments: # None ####################################### deleteovpn() { rm -f "${ovpncfgdir}/${clientname}.ovpn" } ####################################### # Deleting tar with config file # Globals: # clientname # ovpncfgdir # Arguments: # None ####################################### deletetars() { rm -f "${ovpncfgdir}/${clientname}.tar" } ####################################### # Deleting info file # Globals: # clientname # ovpncfgdir # Arguments: # None ####################################### deleteinfo() { rm -f "${ovpncfgdir}/${clientname}.info" } # # VARIABLES: # easyrsadir="/etc/openvpn/easy-rsa" easyrsaidx="${easyrsadir}/pki/index.txt" easyrsaexe="${easyrsadir}/easyrsa" easyrsavar="${easyrsadir}/vars" easyrsacap="openvpnca" ovpncfgdir="/etc/openvpn/client" ovpncfgdef="${ovpncfgdir}/client.conf.default" clienttodo=$1 clientname=$2 clientpass=$3 resetforce=0 for argument in "${@}"; do case $argument in -f | --force ) resetforce=1 ;; -* ) ;; esac done time=$(date +%s) logs=/dev/null # # MAIN: # if checkroot; then logs=/var/log/openvpn/$(basename -s .sh "$0").log if [ "${clienttodo}" == "add" ] && \ [ -n "${clientname}" ] && \ [ "${#clientpass}" -ge 8 ]; then if id -u "${clientname}" >/dev/null 2>&1 || \ grep -w "${clientname}" ${easyrsaidx} || \ [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then execerror "linux user or certificate or ovpn config exist, exit" else createuser && addtologs "created Linux user '${clientname}'" createcert && addtologs "created certificate for ${clientname}" createovpn && addtologs "created ovpn config file for ${clientname}" createtars && addtologs "created tar with config file for ${clientname}" createinfo && addtologs "created info file for ${clientname}" startsendmail fi elif [ "${clienttodo}" == "del" ] && [ -n "${clientname}" ]; then if id -u "${clientname}" >/dev/null 2>&1 || \ grep -w "${clientname}" ${easyrsaidx} || \ [ -e "${ovpncfgdir}/${clientname}.ovpn" ]; then deleteuser addtologs "deleted Linux user '${clientname}'" deletecert && addtologs "deleted certificate for ${clientname}" deleteovpn && addtologs "deleted ovpn config file for ${clientname}" deletetars && addtologs "deleted tar with config file for ${clientname}" deleteinfo && addtologs "deleted info file for ${clientname}" if [ "${resetforce}" -eq 1 ];then addtologs "restarting openvpn@server..." systemctl restart openvpn@server fi else execerror "linux user and certificate and ovpn config not exist, exit" fi else printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'password(not less 8 symbols)'" printf "%s\n" "Usage example: $0 'del' 'username(surname)'" printf "%s\n" "Usage example: $0 'del' 'username(surname)' -f" fi else execerror "Restart this as root!" fi execquite