openvpn-install
Adding a password-protected user without interactive shell
Is it somehow possible to add such user without answering all the dialogs? I need it to be created using my API.
It's not currently possible without interactive input. Related issue #261.
AFAIK, it is not currently possible to automate this. easy-rsa will ask for a password from stdin:
https://github.com/angristan/openvpn-install/blob/ef37eb64b02118cf00782e0b280f5091a34d405b/openvpn-install.sh#L975
I wish we had a workaround.
Related:
- https://github.com/OpenVPN/easy-rsa/pull/242
- https://github.com/OpenVPN/easy-rsa/issues/103
- https://github.com/OpenVPN/easy-rsa/issues/101
- https://github.com/OpenVPN/easy-rsa/issues/18
There is a workaround, but it involves hacking easy-rsa; see this Stack Overflow answer.
In /etc/openvpn/easy-rsa/easyrsa
find the function gen_req()
In line 641 (depends on your version) there is opts=""
Edit it to read:
opts="-passout stdin"
Now you can feed the script a text file as input:
./openvpn-install.sh <textinput.txt
textinput.txt contains:
1
nameofclient
2
passwordofclient
passwordofclient
It must be said that the openvpn-install.sh script won't function as expected anymore after that modification. Rather than being asked for the password twice when going through the interactive script, I only need to type it once, and it's visible as plaintext. But the resulting cert works just fine.
@DeadMate If you only ever run it through your API, this might work for you.
However, we are working on a wrapper script that modifies easyrsa, runs openvpn-install.sh while piping in a text file, and then restores the original easyrsa file.
The following script modifies the first "opts=" statement found in the declaration of gen_req in easyrsa to prepend "-passout stdin". It stores the original next to easyrsa as "easyrsa.nostdin.bkp", which you could also use to restore the original file after any automation.
This is of course a bit of a hacky workaround, but it does the job.
#!/bin/bash
EASYRSA_EXECUTABLE="/etc/openvpn/easy-rsa/easyrsa"
EASYRSA_EXECUTABLE_BACKUP="$EASYRSA_EXECUTABLE.nostdin.bkp"
# Restore easyrsa to original state or create backup from original
if [ -f "$EASYRSA_EXECUTABLE_BACKUP" ]; then
    cp "$EASYRSA_EXECUTABLE_BACKUP" "$EASYRSA_EXECUTABLE"
else
    cp "$EASYRSA_EXECUTABLE" "$EASYRSA_EXECUTABLE_BACKUP"
fi
# Get line number of the first "gen_req() {"
GEN_REQ_LOCATION=$(grep -n "gen_req() {" "$EASYRSA_EXECUTABLE" | head -n 1 | cut -d ':' -f 1)
if [ -z "$GEN_REQ_LOCATION" ]; then
    echo "gen_req() not found in $EASYRSA_EXECUTABLE" >&2
    exit 1
fi
# Get line number of the first opts=" after gen_req() {
OPTS_LOCATION=$(tail -n "+$GEN_REQ_LOCATION" "$EASYRSA_EXECUTABLE" | grep -n 'opts="' | head -n 1 | cut -d ':' -f 1)
if [ -z "$OPTS_LOCATION" ]; then
    echo "no opts=\" statement found after gen_req() in $EASYRSA_EXECUTABLE" >&2
    exit 1
fi
# Add the numbers to get the global position of the matched opts= statement
COMBINED_LOCATION=$((GEN_REQ_LOCATION + OPTS_LOCATION - 1))
# Prepend -passout stdin to opts= on that line only
RESULT=$(sed -e "${COMBINED_LOCATION}s/.*opts=\"/\topts=\"-passout stdin /" "$EASYRSA_EXECUTABLE")
# Overwrite original easyrsa (the backup created above keeps the untouched copy)
printf '%s\n' "$RESULT" > "$EASYRSA_EXECUTABLE"
exit 0
easyrsa can now accept passwords as arguments: OpenVPN/easy-rsa@c794d5e
Awesome, thanks for letting us know. I won't have time to add this for a little while, but I'll gladly accept a PR.
With EasyRSA 3.0.7 it's possible to pass the password of the password-protected client with a variable. @angristan you always wanted to do this, so I leave it to you #160 (comment)
From EasyRSA 3.0.7 changelog: Add support for EASYRSA_PASSIN and EASYRSA_PASSOUT env vars
Has there been any update on this?
No, feel free to open a PR.
Pass the password with the var EASYRSA_PASSOUT, then run the command; this works for me.
MENU_OPTION="1" CLIENT="foo" PASS="2" EASYRSA_PASSOUT=pass:newpassword ./openvpn-install.sh
easy-rsa v3.1.2
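Building on the EASYRSA_PASSOUT invocation above, here is an added wrapper (not part of openvpn-install or easy-rsa) that keeps the pass phrase out of the process argument list, where `pass:newpassword` would be visible to any local user via ps. It assumes the headless MENU_OPTION/CLIENT/PASS variables shown in that comment, and that easy-rsa 3.0.7+ hands EASYRSA_PASSOUT to openssl -passout unchanged, so the openssl `file:<path>` form is accepted like `pass:<password>`.

```shell
#!/bin/sh
# Added example, not from the openvpn-install project.
# Assumption: easy-rsa >= 3.0.7 passes EASYRSA_PASSOUT straight to openssl,
# so "file:<path>" reads the pass phrase from the first line of that file and
# the secret never shows up in `ps` output or shell history.

# create_client SCRIPT CLIENT_NAME PASSWORD_FILE
create_client() {
    script="$1"        # path to openvpn-install.sh (a stub when testing)
    client="$2"        # client name
    secret_file="$3"   # file holding the client key pass phrase

    # Refuse a pass-phrase file other users could read (GNU stat, BSD fallback).
    mode=$(stat -c '%a' "$secret_file" 2>/dev/null || stat -f '%Lp' "$secret_file" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "refusing: $secret_file has mode '$mode', expected 600 or 400" >&2
           return 1 ;;
    esac

    # Headless run as in the comment above: MENU_OPTION=1 (add client),
    # PASS=2 (password-protected), pass phrase supplied via file: not pass:.
    MENU_OPTION="1" CLIENT="$client" PASS="2" \
        EASYRSA_PASSOUT="file:$secret_file" "$script"
}

# Usage: ./add_client.sh /path/to/openvpn-install.sh <client-name> <password-file>
if [ "$#" -eq 3 ]; then
    create_client "$@"
fi
```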