Script to create openvpn certs, as for a private network for ilo

protogeni/scripts/openvpn-setup.in

+#!/usr/bin/perl -w
+#
+# Copyright (c) 2008-2014 University of Utah and the Flux Group.
+# 
+# {{{GENIPUBLIC-LICENSE
+# 
+# GENI Public License
+# 
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and/or hardware specification (the "Work") to
+# deal in the Work without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Work, and to permit persons to whom the Work
+# is furnished to do so, subject to the following conditions:
+# 
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Work.
+# 
+# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
+# IN THE WORK.
+# 
+# }}}
+#
+use strict;
+use English;
+use Getopt::Std;
+
+#
+# Initialize an emulab to act as a protogeni emulab. Add optional -c
+# option if this is a clearinghouse.
+# 
+sub usage()
+{
+    print "Usage: openvpn-setup [-r [-k]]\n";
+    print "Options:\n";
+    print "  -r    - Regenerate certs, replacing existing keys/certs\n";
+    print "  -k    - Reuse private keys when using -r option\n";
+    exit(1);
+}
+my $optlist = "rk";
+my $regen   = 0;
+my $oldkeys = 0;
+
+#
+# Configure variables
+#
+my $TB		  = "@prefix@";
+my $TBOPS         = "@TBOPSEMAIL@";
+my $OURDOMAIN     = "@OURDOMAIN@";
+my $PGENIDOMAIN   = "@PROTOGENI_DOMAIN@";
+my $PGENISUPPORT  = @PROTOGENI_SUPPORT@;
+my $PROTOUSER	  = "elabman";
+my $MKSYSCERT	  = "$TB/sbin/mksyscert";
+my $WAP           = "$TB/sbin/withadminprivs";
+my $SERVERCERT	  = "$TB/etc/openvpn-server.pem";
+my $CLIENTCERT	  = "$TB/etc/openvpn-client.pem";
+my $DHFILE	  = "$TB/etc/openvpn-dh.pem";
+my $SUDO	  = "/usr/local/bin/sudo";
+my $OPENSSL       = "/usr/bin/openssl";
+
+# un-taint path
+$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin:/usr/site/bin';
+delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
+
+# Protos
+sub fatal($);
+
+#
+# Turn off line buffering on output
+#
+$| = 1; 
+
+# Load the Testbed support stuff.
+use lib "@prefix@/lib";
+use libtestbed;
+
+if ($UID != 0) {
+    fatal("Must be root to run this script\n");
+}
+
+#
+# Check args.
+#
+my %options = ();
+if (! getopts($optlist, \%options)) {
+    usage();
+}
+if (defined($options{"r"})) {
+    $regen = 1;
+}
+if (defined($options{"k"})) {
+    $oldkeys = 1;
+}
+usage()
+    if (@ARGV);
+
+if (! -e $SERVERCERT || $regen) {
+    my $keyopt = ($oldkeys && -e $SERVERCERT ? "-k $SERVERCERT" : "");
+
+    print "Creating OpenVPN server certificate ...\n";
+    system("$SUDO -u $PROTOUSER $MKSYSCERT -o $SERVERCERT $keyopt ".
+	   "'ProtoGENI OpenVPN Server'") == 0
+	   or fatal("Could not generate $SERVERCERT");
+}
+
+if (! -e $CLIENTCERT || $regen) {
+    my $keyopt = ($oldkeys && -e $CLIENTCERT ? "-k $CLIENTCERT" : "");
+
+    print "Creating OpenVPN client certificate ...\n";
+    system("$SUDO -u $PROTOUSER $MKSYSCERT -o $CLIENTCERT $keyopt ".
+	   "'ProtoGENI OpenVPN Client'") == 0
+	   or fatal("Could not generate $CLIENTCERT");
+}
+
+if (! -e $DHFILE || $regen) {
+    print "Creating OpenVPN Diffie Hellman key file  ...\n";
+    system("$OPENSSL dhparam -out $DHFILE 1024")
+	or fatal("Could not generate $DHFILE");
+}
+exit(0);
+
+sub fatal($)
+{
+    my ($msg) = @_;
+
+    die("*** $0:\n".
+	"    $msg\n");
+}
+