24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
..
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
..
65
66
67
68
69
70
71
72
73
74
75
76
77
78
...
191
192
193
194
195
196
197
198
199
200
201
202
203
|
# users to be able to change the behavior of vpn with
# setenv, you must change the param invokation to a simple
# assignment.
#
# note that you may want to add a visudo line allowing
# %wheel or perhaps even all users to execute openvpn
# without a password; otherwise, only sudoers will be able
# to use vpn and the root password will be required for
# every state change.
__=$LINENO
param(){ eval $1=\${$1:-$2}; }
param vpn_basedir ~/opt/vpn
# the directory in which vpn's logfiles are stored,
# and possibly the script itself
................................................................................
# a configuration file that is applied to all vpns
param vpn_srv_keydir /srv/vpn/ca
# the directory on the server where vpn client keys
# are stored
param vpn_cn $(uname -n)
# the name of the device / user / resource connecting
# `vpn key` will use this value to determine which
# client keys to download. i recommend a one-key-per-
# device setup with the certificate CN used to assign
# a name in the tunnel's DNS server, but one-key-per-
# user or one-key-period setups are also possible.
param TMPDIR /tmp
# a directory for temporary files, preferably one that
# does not persist across boots (e.g. a tmpfs)
param USER $(whoami)
................................................................................
# the user who should own all files and processes
# created and destroyed by vpn
param vpn_pidbox $TMPDIR/pid.$USER
# a directory for storing pids in. this should be chmod
# 700 and owned by the user invoking vpn, ideally
param vpn_script $0
# a path to the executable
param vpn_scrname $(basename $vpn_script)
# the name of the executable
# thus ends the admin-configurable portion of this script.
................................................................................
echo -e " and openvpn is \e[32mrunning\e[m"
exit 0
} || {
echo -e " but named process is \e[31mnot a vpn instance!\e[m"
stale; exit 1
}
} ;;
( help ) head -n $(expr $__ - 1) $vpn_script |
tail -n $(expr $__ - 2); exit 255;;
( * ) err "action must be one of: join | part | info | clean" ;;
esac
|
|
|
>
>
>
>
>
>
>
>
>
|
|
|
|
|
|
>
>
>
>
|
|
|
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
..
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
..
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
...
204
205
206
207
208
209
210
211
212
213
214
215
216
|
# users to be able to change the behavior of vpn with
# setenv, you must change the param invokation to a simple
# assignment.
#
# note that you may want to add a visudo line allowing
# %wheel or perhaps even all users to execute openvpn
# without a password; otherwise, only sudoers will be able
# to use vpn and the root password will be required every
# time a user connects. root is not needed to tear down
# connections, as by default the openvpn process is set to
# pivot to the account that invoked the script after it is
# done with tasks that require privileged access.
#
# (it should go without saying, but ensure you understand
# the security implications before editing sudoers on a
# multiuser machine or one that is directly exposed to the
# internet.)
_text_=$LINENO
param(){ eval $1=\${$1:-$2}; }
param vpn_basedir ~/opt/vpn
# the directory in which vpn's logfiles are stored,
# and possibly the script itself
................................................................................
# a configuration file that is applied to all vpns
param vpn_srv_keydir /srv/vpn/ca
# the directory on the server where vpn client keys
# are stored
param vpn_cn $(uname -n)
# the name of the device / user / resource connecting.
# `vpn key` will use this value to determine which
# client keys to download. i recommend a one-key-per-
# device setup with the certificate CN used to assign a
# name in the tunnel's DNS server, but one-key-per-
# user or one-key-period setups are also possible.
param TMPDIR /tmp
# a directory for temporary files, preferably one that
# does not persist across boots (e.g. a tmpfs)
param USER $(whoami)
................................................................................
# the user who should own all files and processes
# created and destroyed by vpn
param vpn_pidbox $TMPDIR/pid.$USER
# a directory for storing pids in. this should be chmod
# 700 and owned by the user invoking vpn, ideally
param vpn_bin openvpn
# the binary to use. if openvpn is not in your path,
# enter its absolute path here
param vpn_script $0
# a path to the executable
param vpn_scrname $(basename $vpn_script)
# the name of the executable
# thus ends the admin-configurable portion of this script.
................................................................................
echo -e " and openvpn is \e[32mrunning\e[m"
exit 0
} || {
echo -e " but named process is \e[31mnot a vpn instance!\e[m"
stale; exit 1
}
} ;;
( help ) head -n $(expr $_text_ - 2) $vpn_script |
tail -n $(expr $_text_ - 2); exit 255;;
( * ) err "action must be one of: join | part | info | clean" ;;
esac
|
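Review bot: `param vpn_bin openvpn` lets the binary that gets executed be overridden from the caller's environment (the comment block above says every `param` is overridable via setenv), and the same block recommends a passwordless sudoers entry for openvpn; if the later invocation of `$vpn_bin` (outside this hunk) goes through sudo, an environment-supplied path would run with privileges, so this one should probably be a plain assignment `vpn_bin=openvpn`, or be resolved with `command -v` and required to be an absolute path before use. The `param` helper itself evals its arguments unquoted, so a default containing shell metacharacters (the output of `uname -n` or `whoami`, a `$0` with spaces) is re-parsed by `eval`; `param(){ eval "$1=\"\${$1:-\$2}\""; }` keeps the default inside the assignment instead of splicing its text into the command. In the `help` arm the `head` count changed from `$__ - 1` to `$_text_ - 2` while `tail` kept `- 2`, so the printed header now starts at line 1 (the shebang) and stops before line `_text_ - 1`; confirm that shift is intended, and quote `"$vpn_script"` in that pipeline. The `case` statement closed by `esac` begins outside the hunk.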