Trim generated .ovpn files and add cli

simonwep · Jun 2, 2024 · 9c50bb2 · 9c50bb2
1 parent fae4b3f
commit 9c50bb2
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 50 deletions.
diff --git a/README.md b/README.md
@@ -80,26 +80,18 @@ The pihole admin dashboard can only be reached through the vpn under [http://pi.
 > This file will be used as base-configuration for each `.ovpn` file! You probably at least want to change the IP address to your public one.
 
 ```sh
-sudo docker exec openvpn bash /opt/app/bin/genclient.sh <name> <password?>
-```
-
-You can find you `.ovpn` file under `/openvpn/clients/<name>.ovpn`, make sure to change the remote ip-address / port / protocol.
-
-#### Generating a list of certificates
-
-This repo contains a script [genclients](genclients.sh) that can be used to generate a list of clients with the current year as suffix:
-
-```sh
-./genclients <password> <username1> [<username2> ... <usernameN>]
+./clients.sh add <password> <names...>
 ```
 
 ### Revoking `.ovpn` files
 
 ```sh
-sudo docker exec openvpn bash /opt/app/bin/rmclient.sh <name>
+./clients.sh remove <name>
 ```
 
-Revoked certificates won't kill active connections, you'll have to restart the service if you want the user to immediately disconnect:
+> [!WARNING]
+> Revoked certificates won't kill active connections, you'll have to restart the service if you want the user to immediately disconnect:
+
 ```sh
 sudo docker compose restart openvpn
 ```

diff --git a/clients.sh b/clients.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+SCRIPT_NAME='./clients'
+
+# Function to add clients
+add_clients() {
+  local password=$1
+  shift
+  for name in "$@"; do
+    sudo docker exec openvpn bash /opt/app/bin/genclient.sh "$name" "$password"
+  done
+}
+
+# Function to remove clients
+remove_clients() {
+  for name in "$@"; do
+    sudo docker exec openvpn bash /opt/app/bin/rmclient.sh "$name"
+  done
+}
+
+# Main script logic
+case "$1" in
+  add)
+    if [ "$#" -lt 3 ]; then
+      echo "Usage: $SCRIPT_NAME add <password> <names...>"
+      exit 1
+    fi
+    add_clients "$2" "${@:3}"
+    ;;
+  remove)
+    if [ "$#" -lt 2 ]; then
+      echo "Usage: $SCRIPT_NAME remove <names...>"
+      exit 1
+    fi
+    remove_clients "${@:2}"
+    ;;
+  *)
+    echo "Usage: $SCRIPT_NAME {add|remove} <arguments>"
+    exit 1
+    ;;
+esac
diff --git a/genclients.sh b/genclients.sh
diff --git a/openvpn-docker/bin/genclient.sh b/openvpn-docker/bin/genclient.sh
@@ -46,7 +46,7 @@ echo 'Sync pki directory...'
 cp -r ./pki/. /etc/openvpn/pki
 
 echo 'Generate .ovpn file...'
-echo "$(cat /etc/openvpn/config/client.conf)
+echo "$(grep -vE '^#|^$|^;' /etc/openvpn/config/client.conf)
 <ca>
 $CA
 </ca>

diff --git a/openvpn/config/client.conf b/openvpn/config/client.conf
@@ -118,5 +118,5 @@ verb 3
 # Silence repeating messages
 ;mute 20
 
-# Use the inlined key
+# Specify key direction for tls-auth
 key-direction 1
diff --git a/openvpn/config/server.conf b/openvpn/config/server.conf
@@ -313,3 +313,6 @@ explicit-exit-notify 1
 # Instruct the OpenVPN server to check the certificate revocation list
 # every time a user tries to connect to this instance.
 crl-verify pki/crl.pem
+
+# Specify key direction for tls-auth
+key-direction 0