-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvpn-user-create
executable file
·89 lines (77 loc) · 3.01 KB
/
vpn-user-create
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#!/usr/bin/env bash
# This file is managed by Ansible - do not edit
# 2024062801
# Author: Linuxfabrik GmbH, Zurich, Switzerland
# Contact: info (at) linuxfabrik (dot) ch
# https://www.linuxfabrik.ch/
# License: The Unlicense, see LICENSE file.
USERNAME=$1
[ -z "${USERNAME}" ] && { echo -e "Call: $0 firstname.lastname"; exit 1; }
RED="\e[0;31m" # color red
GREEN="\e[0;32m" # color green
NO_COLOR="\e[0m" # color no-color
# Create Cert using Easy-RSA
CLIENTEXISTS=$(tail -n +2 /opt/lfvpn/easy-rsa/pki/index.txt | grep -c -E "/CN=${USERNAME}\$")
if [[ $CLIENTEXISTS == '1' ]]; then
echo -e "${RED}Client '${USERNAME}' already exists.${NO_COLOR}"
exit
else
# generate user password
mkdir -p "/opt/lfvpn/client/${USERNAME}"
PW=$(pwgen 60 1)
echo "${PW}" > "/opt/lfvpn/client/${USERNAME}/pass"
cd /opt/lfvpn/easy-rsa/ || return
echo "${USERNAME}: ${PW}"
echo "${PW}" | /usr/share/easy-rsa/3/easyrsa --batch build-client-full "${USERNAME}"
echo -e "${GREEN}Client $USERNAME added${NO_COLOR}"
fi
# Create system account for new VPN user, add password to it. This is needed for
# PAM and google-authenticator.
USER_EXISTS=$(grep --count "^${USERNAME}:" /etc/passwd)
if [ "$USER_EXISTS" -eq 0 ]
then
useradd \
--create-home \
--shell /bin/nologin "${USERNAME}" 2> /dev/null || { echo -e "${RED}Error creating system account for ${USERNAME}${NO_COLOR}"; exit 1; }
fi
# update system user pw
echo "${USERNAME}:${PW}" | chpasswd
# remove pw expiration
chage --mindays 0 --maxdays 99999 --inactive -1 --expiredate -1 "${USERNAME}"
echo -e "${GREEN}System account for ${USERNAME} / ${USERNAME} created${NO_COLOR}"
# Create the custom client.conf
cp /opt/lfvpn/client/template.conf "/opt/lfvpn/client/${USERNAME}/openvpn.conf"
{
echo "<ca>"
cat "/opt/lfvpn/easy-rsa/pki/ca.crt"
echo "</ca>"
echo "<cert>"
awk '/BEGIN/,/END/' "/opt/lfvpn/easy-rsa/pki/issued/${USERNAME}.crt"
echo "</cert>"
echo "<key>"
cat "/opt/lfvpn/easy-rsa/pki/private/${USERNAME}.key"
echo "</key>"
# echo "<tls-crypt>"
# cat /etc/openvpn/tls-crypt.key
# echo "</tls-crypt>"
} >>"/opt/lfvpn/client/${USERNAME}/openvpn.conf"
chown -R root:root "/opt/lfvpn/client/${USERNAME}"
chmod -R 600 "/opt/lfvpn/client/${USERNAME}"
echo -e "${GREEN}Configuration file /opt/lfvpn/client/${USERNAME}/openvpn.conf created${NO_COLOR}"
# Cretae 2FA TOTP
google-authenticator \
--time-based \
--disallow-reuse \
--force \
--rate-limit=3 \
--rate-time=30 \
--minimal-window \
-C \
--issuer="OpenVPN" \
--secret="/opt/lfvpn/client/${USERNAME}/otp" || { echo -e "${RED}Error generating QR code${NO_COLOR}"; exit 1; }
SECRET=$(head -n 1 "/opt/lfvpn/client/${USERNAME}/otp")
qrencode \
--type=PNG \
--output="/opt/lfvpn/client/${USERNAME}/otp.png" \
"otpauth://totp/${USERNAME}@${HOST}?issuer=OpenVPN&secret=${SECRET}" || { echo -e "${RED}Error generating PNG${NO_COLOR}"; exit 1; }
echo -e "${GREEN}TOTP /opt/lfvpn/client/${USERNAME}/otp.png created${NO_COLOR}"