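#!/bin/bash
#
# This script contains the functions necessary to configure OpenVPN for
# vaulting between a DPU and DPV. The functions should be called from the
# vault. The dpu instructions should be run remotely from the dpv.
# This script assumes that vaulting has been configured between a DPU
# and DPV.
#
# The following operations are supported:
# DPV:
# openvpnconfig dpv edit_vars
# openvpnconfig dpv build_ca
# openvpnconfig dpv gen_key s
# openvpnconfig dpv gen_key c <DPU name>
# openvpnconfig dpv config <subnet> <netmask>
# openvpnconfig dpv hosts <virtual IP> <DPU name>
# openvpnconfig dpv scp_on <DPU name>
# openvpnconfig dpv scp_off <DPU name>
# openvpnconfig dpv dh
# openvpnconfig dpv start
# openvpnconfig dpv stop
# openvpnconfig dpv setup_vault
# openvpnconfig dpv setup_dpu <DPU name>
# openvpnconfig dpv setup_end <DPU name> <virtual IP>
# DPU:
# openvpnconfig dpu get_ip
# openvpnconfig dpu pull_key
# openvpnconfig dpu config
# openvpnconfig dpu hosts
# openvpnconfig dpu start
# openvpnconfig dpu stop
# openvpnconfig dpu tt_socket
# openvpnconfig dpu trust
# openvpnconfig dpu grant
# openvpnconfig dpu setup
#
# Return codes:
# 0: success
# non-zero: error, message output to stderr
#
# Security notes (review):
# - /etc/default/bp.ini is evaluated as shell below to obtain BPDIR, so it
#   must be writable only by root.
# - Host names, user names and DPU names read from master.ini or given on
#   the command line are spliced into sed expressions, file paths and
#   ssh/scp targets. They are escaped/validated where that happens but are
#   otherwise treated as trusted configuration.
#

# BPDIR is obtained by evaluating the BPDIR line(s) of bp.ini as shell.
eval "$(grep BPDIR /etc/default/bp.ini)"
MASTER_INI=$BPDIR/bpinit/master.ini
OPENVPN=/etc/openvpn
VARS=$OPENVPN/easy-rsa/vars

#Escape a value for the replacement side of a sed s/// expression using '/'
#as delimiter: '/', '&' and '\' are backslash-escaped. Writes the escaped
#string to stdout. Used wherever ini-derived strings are substituted into
#configuration files.
function sed_escape {
  printf '%s' "$1" | sed 's/[&/\\]/\\&/g'
}

#**************************************************************************
# DPV FUNCTIONS
#**************************************************************************

#This function is used to test if the vars file for openVPN exists and to
#source the vars file for use in other functions. It exits the script with
#status 1 (message on stderr) if the vars file is missing. The vars file is
#sourced from inside the easy-rsa directory because easy-rsa 2.0's vars
#derives paths from the current directory.
function use_vars {
  if [ ! -f "$VARS" ]; then
    echo "File: $VARS does not exist" >&2
    exit 1
  fi
  pushd "$OPENVPN/easy-rsa/" >/dev/null || exit 1
  # shellcheck disable=SC1090
  . "$VARS" >/dev/null
  popd >/dev/null
}

#This function expects no arguments. It returns 0 on success and exits
#non-zero on error.
#This function edits the vars file for use when generating certificates.
#The certificate subject fields are fixed except for KEY_EMAIL, which is
#derived from the vault's Server1 name in master.ini.
function edit_vars_dpv {
  local VaultName
  use_vars
  VaultName=$("$BPDIR/bin/bputil" -g "Server Information" Server1 "" "$MASTER_INI")
  sed -i 's/KEY_SIZE=.\+$/KEY_SIZE=2048/g' "$VARS"
  sed -i 's/KEY_COUNTRY=.\+$/KEY_COUNTRY="US"/g' "$VARS"
  sed -i 's/KEY_PROVINCE=.\+$/KEY_PROVINCE="SC"/g' "$VARS"
  sed -i 's/KEY_CITY=.\+$/KEY_CITY="Columbia"/g' "$VARS"
  sed -i 's/KEY_ORG=.\+$/KEY_ORG="Unitrends-vaulting"/g' "$VARS"
  # VaultName comes from master.ini; escape it so a '/' or '&' in the name
  # cannot break or alter the sed expression.
  sed -i "s/KEY_EMAIL=.\+$/KEY_EMAIL=\"root@$(sed_escape "$VaultName")\"/g" "$VARS"
}

#This function expects no arguments and exits with 0 on success or
#non-zero on error. It builds the Certificate Authority (CA).
#clean-all wipes the existing keys directory first, so running this on a
#vault that already has DPU certificates invalidates all of them.
function build_ca_dpv {
  use_vars
  if ! "$OPENVPN/easy-rsa/clean-all" >/dev/null 2>&1; then
    echo "easy-rsa clean-all failed" >&2
    exit 1
  fi
  if ! "$OPENVPN/easy-rsa/pkitool" --initca >/dev/null 2>&1; then
    echo "Building the Certificate Authority failed" >&2
    exit 1
  fi
}

#This function can take two parameters. It returns 0 on success
#and exits non-zero on error (including a usage error).
#Usage for Server: generate_key s
#Usage for DPU: generate_key c <DPU name>
#The DPU name becomes a file name under easy-rsa/keys and later a path
#component under /backups, so it must be a single plain name.
function generate_key {
  use_vars
  case "$1" in
    s)
      # stdout is routed to stderr and pkitool's own stderr is discarded,
      # so nothing from pkitool ends up on this script's stdout.
      "$OPENVPN/easy-rsa/pkitool" --server server 1>&2 2>/dev/null
      ;;
    c)
      case "$2" in
        ""|*/*|.|..)
          echo "Usage: $0 dpv gen_key [s|c] [optional Name]" >&2
          exit 1
          ;;
      esac
      "$OPENVPN/easy-rsa/pkitool" "$2" 1>&2 2>/dev/null
      ;;
    *)
      echo "Usage: $0 dpv gen_key [s|c] [optional Name]" >&2
      exit 1
      ;;
  esac
}

#Can be generated during install
#This function expects no arguments. Exits 0 on success and non-zero
#on error. build-dh's progress output is left visible because the
#generation can take a long time.
function build_dh {
  use_vars
  if ! "$OPENVPN/easy-rsa/build-dh"; then
    echo "Generating Diffie-Hellman parameters failed" >&2
    exit 1
  fi
}

#Don't need to edit the server config file unless need to change subnet address.
#This function takes two arguments, the tunnel subnet and its netmask, both
#as dotted quads. Exits 0 on success and non-zero on error.
#Note: the DPU side (edit_hosts_dpu) assumes the vault's tunnel address is
#172.17.3.1; moving the subnet here requires adjusting that as well.
function edit_config {
  local Subnet=$1 Mask=$2
  local quad='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  # Both values are written into a sed expression; restrict them to dotted
  # quads so they cannot carry sed metacharacters.
  if ! [[ "$Subnet" =~ $quad ]] || ! [[ "$Mask" =~ $quad ]]; then
    echo "Usage: $0 dpv config <subnet> <netmask>" >&2
    exit 1
  fi
  if [ ! -f "$OPENVPN/inbound.conf" ]; then
    echo "File: $OPENVPN/inbound.conf not found" >&2
    exit 1
  fi
  sed -i "s/^server.\+$/server $Subnet $Mask/g" "$OPENVPN/inbound.conf"
}

#assumes remote management has already been configured.
#This function expects two parameters. Exits 0 on success, non-zero on error.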
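#Usage: edit_hosts <virtual IP> <DPU name>
#Adds two host entries via cmc_network: the DPU name mapped to its tunnel
#(virtual) IP, and "<DPU>-nonVPN" mapped to the address it had before.
#A copy of /etc/hosts is kept in /etc/hosts.unitrends first.
function edit_hosts {
  local virtIP=$1 DPU=$2 nonVirtIP
  if [ -z "$virtIP" ] || [ -z "$DPU" ]; then
    echo "Usage: $0 dpv hosts <virtual IP> <DPU name>" >&2
    exit 1
  fi
  nonVirtIP=$("$BPDIR/bin/cmc_network" host info "$DPU" 2>/dev/null | grep 'ip' | awk '{ print $2 }')
  if [ -z "$nonVirtIP" ]; then
    echo "DPU provided is not in hosts" >&2
    exit 1
  fi
  cp /etc/hosts /etc/hosts.unitrends >/dev/null 2>&1
  "$BPDIR/bin/cmc_network" host save "$nonVirtIP" "$virtIP" "$DPU"
  "$BPDIR/bin/cmc_network" host save - "$nonVirtIP" "$DPU-nonVPN"
}

#Usage: enable_transfer <DPU name>
#Stages the CA certificate and the DPU's certificate and private key in
#/backups/<DPU> (the DPU's sync account area) so the DPU can pull them with
#scp, and makes scp available in that account's bin directory. The private
#key is restricted to the DPU's account rather than left world-readable.
#The DPU name is used as a path component, so it must be a plain name.
function enable_transfer {
  local DPU=$1 #Should be DPU username
  local dest keys
  case "$DPU" in
    ""|*/*|.|..)
      echo "Invalid DPU name: '$DPU'" >&2
      exit 1
      ;;
  esac
  dest="/backups/$DPU"
  keys="$OPENVPN/easy-rsa/keys"
  if [ ! -d "$dest" ]; then
    echo "$DPU not properly synced to vault" >&2
    exit 1
  fi
  if [ ! -f "$keys/$DPU.crt" ] || [ ! -f "$keys/$DPU.key" ]; then
    echo "The proper certificates and/or keys have not been generated" >&2
    exit 1
  fi
  if [ ! -d "$dest/bin" ]; then
    echo "$dest/bin does not exist; cannot expose scp to $DPU" >&2
    exit 1
  fi
  if [ ! -L "$dest/bin/scp" ]; then
    ln -s /usr/bin/scp "$dest/bin"
  fi
  cp "$keys/$DPU.crt" "$dest/"
  cp "$keys/$DPU.key" "$dest/"
  cp "$keys/ca.crt" "$dest/"
  # The key only needs to be readable by the account that pulls it. A
  # world-readable private key (the old chmod 644) lets any local account on
  # the vault impersonate this DPU on the VPN.
  if ! chown -- "$DPU" "$dest/$DPU.key" || ! chmod 600 "$dest/$DPU.key"; then
    echo "Could not restrict permissions on $dest/$DPU.key" >&2
    rm -f -- "$dest/$DPU.key"
    exit 1
  fi
}

#Usage: disable_transfer <DPU name>
#Removes the staged certificates/key and the scp link created by
#enable_transfer. Exits 0 on success, non-zero on error.
function disable_transfer {
  local DPU=$1 #Should be DPU username
  local dest
  case "$DPU" in
    ""|*/*|.|..)
      echo "Invalid DPU name: '$DPU'" >&2
      exit 1
      ;;
  esac
  dest="/backups/$DPU"
  if [ ! -d "$dest" ]; then
    echo "$DPU not properly synced to vault" >&2
    exit 1
  fi
  rm -f -- "$dest/bin/scp" "$dest/$DPU.crt" "$dest/$DPU.key" "$dest/ca.crt"
}

#*************************************************************************
# DPU FUNCTIONS
#*************************************************************************

#This function expects no arguments. It has 1 output: the IPv4 address of
#tun0, printed to stdout without a trailing newline. Exits 0 on success
#or non-zero on error (tun0 not present, i.e. OpenVPN not running).
function get_virtualIP {
  local TunConfig IP
  if ! TunConfig=$(ifconfig tun0 2>/dev/null); then
    echo "OpenVPN service has not been started" >&2
    exit 1
  fi
  IP=$(echo "$TunConfig" | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1 }')
  echo -n "$IP"
}

#This function expects no arguments. Exits 0 on success, non-zero on error.
#Assumes vaulting has been configured and there is an ssh relationship.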
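#Enable_Transfer function needs to be run first on the vault.
#Pulls ca.crt, <SyncUser>.crt and <SyncUser>.key from the vault over scp
#into the local easy-rsa/keys directory. The sync user and vault host come
#from the Securesync section of master.ini. On any failure all three files
#are removed again and the script exits 1.
function pull_key {
  local SyncUser SyncTo keys
  SyncUser=$("$BPDIR/bin/bputil" -g Securesync SyncUser "" "$MASTER_INI")
  SyncTo=$("$BPDIR/bin/bputil" -g Securesync SyncTo "" "$MASTER_INI")
  if [ -z "$SyncTo" ] || [ -z "$SyncUser" ]; then
    echo "SyncTo or SyncUser is not set." >&2
    exit 1
  fi
  keys="$OPENVPN/easy-rsa/keys"
  if ! mkdir -p "$keys"; then
    echo "Could not create $keys" >&2
    exit 1
  fi
  _pull_one "$SyncUser" "$SyncTo" "$keys" ca.crt
  _pull_one "$SyncUser" "$SyncTo" "$keys" "$SyncUser.crt"
  # umask 077 so the private key is created unreadable by others from the
  # start instead of being world-readable until the chmod below.
  ( umask 077; _pull_one "$SyncUser" "$SyncTo" "$keys" "$SyncUser.key" ) || exit 1
  chmod 600 "$keys/$SyncUser.key"
}

#Helper for pull_key: scp one file from the vault's staging area.
#Arguments: sync user, vault host, local keys directory, file name.
#On failure removes everything pull_key may have fetched and exits 1.
function _pull_one {
  local user=$1 host=$2 keys=$3 file=$4
  if ! scp "$user@$host:/backups/$user/$file" "$keys/" >/dev/null; then
    rm -f -- "$keys/ca.crt" "$keys/$user.crt" "$keys/$user.key"
    echo "Could not get file $file" >&2
    exit 1
  fi
}

#This function expects no arguments. Exits 0 for success and non-zero for
#error. Points vaulting.conf at the vault's non-VPN address (from
#cmc_network) and at this DPU's own certificate/key (named after the
#Server1 entry in master.ini).
function edit_config_dpu {
  local DPV nonVirtIP DPU conf esc_ip esc_dpu
  conf="$OPENVPN/vaulting.conf"
  DPV=$("$BPDIR/bin/bputil" -g Securesync SyncTo "" "$MASTER_INI")
  DPU=$("$BPDIR/bin/bputil" -g "Server Information" Server1 "" "$MASTER_INI")
  if [ -z "$DPV" ]; then
    echo "Vaulting has not been configured" >&2
    exit 1
  fi
  nonVirtIP=$("$BPDIR/bin/cmc_network" host info "$DPV" | grep 'ip' | awk '{ print $2 }')
  if [ -z "$nonVirtIP" ]; then
    echo "Vault not in host file" >&2
    exit 1
  fi
  if [ -z "$DPU" ]; then
    echo "Server1 is not set in $MASTER_INI" >&2
    exit 1
  fi
  if [ ! -f "$conf" ]; then
    echo "File: $conf not found" >&2
    exit 1
  fi
  # Both values are substituted into sed replacements; escape '/', '&', '\'.
  esc_ip=$(printf '%s' "$nonVirtIP" | sed 's/[&/\\]/\\&/g')
  esc_dpu=$(printf '%s' "$DPU" | sed 's/[&/\\]/\\&/g')
  sed -i "s/^remote.*1194$/remote $esc_ip 1194/g" "$conf"
  sed -i "s/^cert.\+$/cert easy-rsa\/keys\/$esc_dpu.crt/g" "$conf"
  sed -i "s/^key.\+$/key easy-rsa\/keys\/$esc_dpu.key/g" "$conf"
}

#This function takes no parameters; the DPV name is read from master.ini.
#Exits 0 on success and non-zero on error.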
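function edit_hosts_dpu {
  local DPV nonVirtIP virtIP
  # Presumably the vault's address at the server end of the tunnel subnet
  # configured in inbound.conf. If the subnet is changed with
  # 'dpv config', this value has to follow — TODO confirm.
  virtIP="172.17.3.1"
  DPV=$("$BPDIR/bin/bputil" -g Securesync SyncTo "" "$MASTER_INI")
  nonVirtIP=$("$BPDIR/bin/cmc_network" host info "$DPV" 2>/dev/null | grep 'ip' | awk '{ print $2 }')
  if [ -z "$nonVirtIP" ]; then
    echo "Vaulting has not been configured" >&2
    exit 1
  fi
  cp /etc/hosts /etc/hosts.unitrends >/dev/null 2>&1
  "$BPDIR/bin/cmc_network" host save "$nonVirtIP" "$virtIP" "$DPV"
  "$BPDIR/bin/cmc_network" host save - "$nonVirtIP" "$DPV-nonVPN"
}

#This function expects no arguments. Exits 0 on success and non-zero on error.
#Switches the Securesync transport type in master.ini to "socket".
function edit_master {
  "$BPDIR/bin/bputil" -p Securesync TransportType socket "$MASTER_INI" >/dev/null
}

#This function expects no arguments. Exits 0 on success and non-zero on error.
#Runs bpsync on the vault over the existing ssh relationship.
function config_trust {
  local SyncUser SyncTo
  SyncUser=$("$BPDIR/bin/bputil" -g Securesync SyncUser "" "$MASTER_INI")
  SyncTo=$("$BPDIR/bin/bputil" -g Securesync SyncTo "" "$MASTER_INI")
  if [ -z "$SyncTo" ] || [ -z "$SyncUser" ]; then
    echo "Vaulting has not been configured" 1>&2
    exit 1
  fi
  ssh "$SyncUser@$SyncTo" bpsync >/dev/null 2>/dev/null
}

#This function expects no arguments. Exits 0 on success and non-zero on error.
#It updates the remote management hosts for the DPU by granting the vault.
function update_remote_management {
  local SyncTo
  SyncTo=$("$BPDIR/bin/bputil" -g Securesync SyncTo "" "$MASTER_INI")
  if [ -z "$SyncTo" ]; then
    echo "Vaulting has not been configured" >&2
    exit 1
  fi
  #"$BPDIR/bin/cmc_grant" revoke "$SyncTo"
  "$BPDIR/bin/cmc_grant" grant "$SyncTo" >/dev/null
}

#**************************************************************************
# DPU and DPV functions
#**************************************************************************

#This function expects no arguments. Exits 0 on success, non-zero on error.
#It starts OpenVPN and enables it at boot. A failed start is reported so a
#setup sequence does not continue against a tunnel that is not up.
function start_service {
  pushd "$OPENVPN/easy-rsa/" >/dev/null || exit 1
  if ! service openvpn start >/dev/null; then
    popd >/dev/null
    echo "Could not start the openvpn service" >&2
    exit 1
  fi
  chkconfig openvpn on >/dev/null
  popd >/dev/null
}

#This function expects no arguments. Exits 0 on success, non-zero on error.
#It stops OpenVPN (best effort) and disables it at boot.
function stop_service {
  pushd "$OPENVPN/easy-rsa/" >/dev/null || exit 1
  service openvpn stop >/dev/null
  chkconfig openvpn off >/dev/null
  popd >/dev/null
}

#This function installs and sets up openVPN on a DPU or Vault. It expects
#no parameters. It returns zero on success and exits non-zero on failure.
#
#Security notes (review):
#- vaulting.conf and inbound.conf are fetched over plain FTP with no
#  signature or checksum; whatever the download yields is what OpenVPN will
#  run with. The download is at least checked to have succeeded and to be
#  non-empty, and an existing file is overwritten instead of wget creating
#  a ".1" copy that would silently be ignored.
#- The crl-verify line is stripped from the server config, so the vault
#  cannot reject a revoked DPU certificate; a lost DPU key stays valid
#  until the CA is rebuilt (build_ca).
function install_openvpn {
  local f url="ftp://updateftp.unitrends.com/pub/other/openvpn"
  if ! yum install -y openvpn >/dev/null 2>&1; then
    echo "yum install of openvpn failed" >&2
    exit 1
  fi
  # ${OPENVPN:?} aborts rather than removing "/easy-rsa" if OPENVPN is unset.
  rm -rf -- "${OPENVPN:?}/easy-rsa"
  if ! cp -a /usr/share/openvpn/easy-rsa/2.0/ "$OPENVPN/easy-rsa/"; then
    echo "Could not copy easy-rsa into $OPENVPN" >&2
    exit 1
  fi
  for f in vaulting.conf inbound.conf; do
    if ! wget -q -O "$OPENVPN/$f" "$url/$f" >/dev/null 2>&1 || [ ! -s "$OPENVPN/$f" ]; then
      rm -f -- "$OPENVPN/$f"
      echo "Could not download $f from $url" >&2
      exit 1
    fi
  done
  sed -i 's/^crl-verify.\+//g' "$OPENVPN/inbound.conf"
  sed -i "s/^cert.\+$/cert easy-rsa\/keys\/server.crt/g" "$OPENVPN/inbound.conf"
  sed -i "s/^key.\+$/key easy-rsa\/keys\/server.key/g" "$OPENVPN/inbound.conf"
}

#****************************************************************************
# Main Program
#****************************************************************************
usage_str="Configuration functions for OpenVPN on DPU and Vault.\n Usage: $(basename "$0"):\n [dpv] [edit_vars|build_ca|gen_key|dh|config|start|stop|hosts|scp_on|scp_off|\n setup_vault|setup_dpu|setup_end|install]\n [dpu] [get_ip|pull_key|config|hosts|start|stop|tt_socket|trust|grant|setup|\n install]\n dpv gen_key s\n dpv gen_key c <DPU name>\n dpv config <subnet> <netmask>\n dpv hosts <virtual IP> <DPU name>\n dpv scp_on <DPU name>\n dpv scp_off <DPU name>\n dpv setup_dpu <DPU name>\n dpv setup_end <DPU name> <virtual IP>\n all other actions don't require arguments."

#Print the usage text to stderr.
function usage {
  echo -e "$usage_str" >&2
}

#The setup sequences below replace the old "while [ \$? -eq 0 ] ... exit 99"
#construct, which never reached its "exit 0" and so reported 99 on success.
#Each step aborts the sequence on failure so later steps never run against a
#half-configured system; the sequence exits 0 only when every step passed.

#Vault side, step 1: certificate settings, CA, server key, DH, start.
function setup_vault_seq {
  echo "Configuring Vault for OpenVPN"
  echo "Part 1 of 5"
  edit_vars_dpv || exit 1
  echo "Part 2 of 5"
  build_ca_dpv || exit 1
  echo "Part 3 of 5"
  generate_key s || exit 1
  echo "Part 4 of 5"
  echo "This will take a long time"
  build_dh || exit 1
  echo "Part 5 of 5"
  start_service || exit 1
  echo "Next, run the following command on the DPV:
$BPDIR/bin/openvpnconfig dpv setup_dpu <DPU name>
This creates configuration items needed for configuring the DPU."
}

#Vault side, step 2: DPU certificate and staging for transfer.
#Argument: DPU name.
function setup_dpu_seq {
  echo "Begin setup for a new DPU"
  echo "Part 1 of 2"
  generate_key c "$1" || exit 1
  echo "Part 2 of 2"
  enable_transfer "$1" || exit 1
  echo "Next, run the following command on the DPU:
$BPDIR/bin/openvpnconfig dpu setup
This will configure the DPU for OpenVPN."
}

#Vault side, step 3: remove the staged key material and record the DPU's
#tunnel address. Arguments: DPU name, virtual IP reported by the DPU.
function setup_end_seq {
  echo "Finishing configuration on the Vault"
  echo "Part 1 of 2"
  disable_transfer "$1" || exit 1
  echo "Part 2 of 2"
  edit_hosts "$2" "$1" || exit 1
  echo "OpenVPN configuration is complete."
}

#DPU side: pull keys, configure, start, switch transport, trust, grant,
#then report the tunnel address the vault needs for setup_end.
function setup_dpu_side_seq {
  echo "Configuring OpenVPN on the DPU"
  echo "Part 1 of 8"
  pull_key || exit 1
  echo "Part 2 of 8"
  edit_config_dpu || exit 1
  echo "Part 3 of 8"
  edit_hosts_dpu || exit 1
  echo "Part 4 of 8"
  start_service || exit 1
  echo "Part 5 of 8"
  edit_master || exit 1
  echo "Part 6 of 8"
  # Give the tunnel a moment to come up before the first connection over it.
  sleep 5
  config_trust || exit 1
  echo "Part 7 of 8"
  update_remote_management || exit 1
  echo "Part 8 of 8"
  echo "This IP returned below is the virtual IP needed for the next step."
  echo -n "Virtual IP: "
  get_virtualIP || exit 1
  echo ""
  echo "Next, return to the Vault and run the following command:
$BPDIR/bin/openvpnconfig dpv setup_end <DPU name> <Virtual IP>
This Virtual IP should be provided from Part 8 of the DPU configuration."
}

if [ $# -lt 2 ]; then
  usage
  exit 1
fi

mode=$1
shift
case "$mode" in
  dpv)
    case "$1" in
      edit_vars)   edit_vars_dpv ;;
      build_ca)    build_ca_dpv ;;
      gen_key)     generate_key "$2" "$3" ;;  #usage: gen_key [c|s] [name]
      dh)          build_dh ;;
      config)      shift; edit_config "$@" ;;
      start)       start_service ;;
      stop)        stop_service ;;
      hosts)       shift; edit_hosts "$@" ;;
      scp_on)      enable_transfer "$2" ;;
      scp_off)     disable_transfer "$2" ;;
      setup_vault) setup_vault_seq ;;
      setup_dpu)   setup_dpu_seq "$2" ;;
      setup_end)   setup_end_seq "$2" "$3" ;;
      install)
        echo "Installing OpenVPN"
        echo "This may take a few minutes"
        install_openvpn || exit 1
        # The vault only runs the inbound (server) side.
        rm -f -- "$OPENVPN/vaulting.conf"
        echo "Installation complete"
        ;;
      *)
        echo "Invalid operation: $1" >&2
        usage
        exit 1
        ;;
    esac
    ;;
  dpu)
    case "$1" in
      get_ip)    get_virtualIP ;;
      pull_key)  pull_key ;;
      config)    edit_config_dpu ;;
      hosts)     edit_hosts_dpu ;;
      start)     start_service ;;
      stop)      stop_service ;;
      tt_socket) edit_master ;;
      trust)     config_trust ;;
      grant)     update_remote_management ;;
      setup)     setup_dpu_side_seq ;;
      install)
        echo "Installing OpenVPN"
        echo "This may take a few minutes"
        install_openvpn || exit 1
        # The DPU only runs the outbound (client) side.
        rm -f -- "$OPENVPN/inbound.conf"
        echo "Installation complete"
        ;;
      *)
        echo "Invalid operation: $1" >&2
        usage
        exit 1
        ;;
    esac
    ;;
  *)
    # Previously an unknown mode fell off the end and reported success.
    echo "Invalid mode: $mode" >&2
    usage
    exit 1
    ;;
esac
exit $?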