openvpn check and deluser (revoke); crl-verify option added; adduser bugfix

8 years ago · 459db4b62a
parent 7daa49f7de
commit 459db4b62a
7 changed files with 95 additions and 29 deletions
--- a/ipsec/adduser.sh
+++ b/ipsec/adduser.sh
@ -48,6 +48,7 @@ do
 			else
 				read -p "Would you want to add another user? [no] " ANSUSER
 				: ${ANSUSER:=$NOTADDUSER}
+				unset LOGIN
 			fi
 			continue
 		else
@ -101,6 +102,7 @@ do
 		echo
 		read -p "Would you want to add another user? [no] " ANSUSER
 		: ${ANSUSER:=$NOTADDUSER}
+		unset LOGIN
 	else
 		ANSUSER=$NOTADDUSER
 	fi
--- a/openvpn/adduser.sh
+++ b/openvpn/adduser.sh
@ -25,51 +25,60 @@ do
 	    read -p "Enter name: " LOGIN
 	done

-	./build-key --batch $LOGIN
+	$DIR/checkuser.sh $LOGIN

-	if [ $? -eq 0 ]; then
+	if [[ $? -ne 0 ]]; then

-		# copy files and OVPN config
-		mkdir -p "$DIR/$LOGIN"
-		cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$DIR/$LOGIN/"
+		./build-key --batch $LOGIN

-		DIST="$DIR/$LOGIN/openvpn-server.ovpn"
-		cp $DIR/openvpn-server.ovpn.dist $DIST
-		sed -i -e "s@LOGIN@$LOGIN@g" $DIST
-		sed -i -e "s@IP@$IP@g" $DIST
+		if [ $? -eq 0 ]; then

-		SRC="$DIR/$LOGIN"
-		DIST="$DIR/$LOGIN/openvpn-server-embedded.ovpn"
-		cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
-		sed -i -e "s@IP@$IP@g" $DIST
+			# copy files and OVPN config
+			mkdir -p "$DIR/$LOGIN"
+			cp $CADIR/keys/ca.crt $CADIR/keys/$LOGIN.key $CADIR/keys/$LOGIN.crt ta.key "$DIR/$LOGIN/"

-		echo "<ca>" >> $DIST
-		cat $SRC/ca.crt >> $DIST
-		echo "</ca>" >> $DIST
+			DIST="$DIR/$LOGIN/openvpn-server.ovpn"
+			cp $DIR/openvpn-server.ovpn.dist $DIST
+			sed -i -e "s@LOGIN@$LOGIN@g" $DIST
+			sed -i -e "s@IP@$IP@g" $DIST

-		echo "<cert>" >> $DIST
-		cat $SRC/$LOGIN.crt >> $DIST
-		echo "</cert>" >> $DIST
+			SRC="$DIR/$LOGIN"
+			DIST="$DIR/$LOGIN/openvpn-server-embedded.ovpn"
+			cp $DIR/openvpn-server-embedded.ovpn.dist $DIST
+			sed -i -e "s@IP@$IP@g" $DIST

-		echo "<key>" >> $DIST
-		cat $SRC/$LOGIN.key >> $DIST
-		echo "</key>" >> $DIST
+			echo "<ca>" >> $DIST
+			cat $SRC/ca.crt >> $DIST
+			echo "</ca>" >> $DIST

-		echo "<tls-auth>" >> $DIST
-		cat $SRC/ta.key >> $DIST
-		echo "</tls-auth>" >> $DIST
+			echo "<cert>" >> $DIST
+			cat $SRC/$LOGIN.crt >> $DIST
+			echo "</cert>" >> $DIST

-		echo
-		echo "Directory $DIR/$LOGIN with necessary files has been created."
-		USERNAME=${SUDO_USER:-$USER}
-		chown -R $USERNAME:$USERNAME $DIR/$LOGIN/
+			echo "<key>" >> $DIST
+			cat $SRC/$LOGIN.key >> $DIST
+			echo "</key>" >> $DIST
+
+			echo "<tls-auth>" >> $DIST
+			cat $SRC/ta.key >> $DIST
+			echo "</tls-auth>" >> $DIST

+			echo
+			echo "Directory $DIR/$LOGIN with necessary files has been created."
+			USERNAME=${SUDO_USER:-$USER}
+			chown -R $USERNAME:$USERNAME $DIR/$LOGIN/
+
+		fi
+	else
+		echo "User $LOGIN already exists."
+		unset LOGIN
 	fi
 	
 	if [[ $# -eq 0 ]]; then
 		echo
 		read -p "Would you want to add another user? [no] " ANSUSER
 		: ${ANSUSER:=$NOTADDUSER}
+		unset LOGIN
 	else
 		ANSUSER=$NOTADDUSER
 	fi
--- a/openvpn/checkuser.sh
+++ b/openvpn/checkuser.sh
@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "Sorry, you need to run this as root"
+	exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+    LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+    read -p "Enter name: " LOGIN
+done
+
+RET=$(ls $CADIR/keys | grep "^$LOGIN.key$" >/dev/null)
+
+exit $?
--- a/openvpn/deluser.sh
+++ b/openvpn/deluser.sh
@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+source $DIR/env.sh
+
+if [[ "$EUID" -ne 0 ]]; then
+	echo "Sorry, you need to run this as root"
+	exit 1
+fi
+
+if [[ $# -gt 0 ]]; then
+    LOGIN="$1"
+fi
+
+while [[ -z "$LOGIN" ]];
+do
+    read -p "Enter name: " LOGIN
+done
+
+cd $CADIR
+source ./vars
+
+./revoke-full $LOGIN
+
+cp -rf $CADIR/keys/crl.pem $OPENVPNDIR
+chown nobody:$NOBODYGROUP $OPENVPNDIR/crl.pem
--- a/openvpn/install.sh
+++ b/openvpn/install.sh
@ -29,6 +29,7 @@ echo
 echo "Installing configuration files..."
 yes | cp -rf $DIR/openvpn-server.conf.dist $OPENVPNCONFIG

+sed -i -e "s@OPENVPNDIR@$OPENVPNDIR@g" $OPENVPNCONFIG
 sed -i -e "s@CADIR@$CADIR@g" $OPENVPNCONFIG
 sed -i -e "s@LOCALPREFIX@$LOCALPREFIX@g" $OPENVPNCONFIG
 sed -i -e "s@NOBODYGROUP@$NOBODYGROUP@g" $OPENVPNCONFIG
@ -63,6 +64,9 @@ source ./vars
 ./build-dh
 openvpn --genkey --secret ta.key

+# add dummy user and revoke its certificate for non-empty crl.pem file
+./build-key --batch client000
+./revoke-full client000

 echo
 echo "Adding cron jobs..."
--- a/openvpn/openvpn-server.conf.dist
+++ b/openvpn/openvpn-server.conf.dist
@ -2,6 +2,7 @@ mode server
 port 1194
 proto udp
 dev tun
+crl-verify OPENVPNDIR/crl.pem
 ca CADIR/keys/ca.crt
 cert CADIR/keys/openvpn-server.crt
 key CADIR/keys/openvpn-server.key
--- a/pptp/adduser.sh
+++ b/pptp/adduser.sh
@ -48,6 +48,7 @@ do
 			else
 				read -p "Would you want to add another user? [no] " ANSUSER
 				: ${ANSUSER:=$NOTADDUSER}
+				unset LOGIN
 			fi
 			continue
 		else
@ -79,6 +80,7 @@ do
 		echo
 		read -p "Would you want to add another user? [no] " ANSUSER
 		: ${ANSUSER:=$NOTADDUSER}
+		unset LOGIN
 	else
 		ANSUSER=$NOTADDUSER
 	fi