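#!/bin/sh

##
## Setup OpenVPN to create the OpenStack management network.
## This script only runs on the "network" node.
##
## Expects setup-lib.sh (next to this script) to provide OURDIR, NODES,
## NETWORKMANAGER, MYIP, HAVE_SYSTEMD, SSH, EPID/EEID, SWAPPER_EMAIL and the
## logtstart/logtend/maybe_install_packages/getfqdn helpers.
##

# Trace every command to stderr.  Key *paths* show up in the trace, key
# contents do not.
set -x

# Gotta know the rules!
# $EUID is a bash-only variable.  Under /bin/sh on Debian/Ubuntu (dash) it is
# unset, `[ -ne 0 ]` fails with a usage error, and the root check is silently
# skipped.  id(1) is POSIX and works under any sh.
if [ "$(id -u)" -ne 0 ] ; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

DIRNAME=$(dirname "$0")

# Grab our libs
. "$DIRNAME/setup-lib.sh"

# Only the network manager node builds the VPN server and hands out client
# keys; everyone else is a no-op.  (dash does not set HOSTNAME itself, so it
# is presumably provided by setup-lib.sh -- verify if this ever exits early.)
if [ "$HOSTNAME" != "$NETWORKMANAGER" ]; then
    exit 0;
fi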

logtstart "vpn"

# The server side (packages, CA, server.conf) is built exactly once; the
# marker file records that it has been done so re-runs only add client nodes.
[ -f "$OURDIR/vpn-server-done" ] || maybe_install_packages openvpn easy-rsa

# Accumulates the nodes first seen on this run; only they get keys pushed
# and the client setup executed at the end.
NEWVPNNODES=

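#
# Get our server CA config set up.
#
# This drives the easy-rsa 2.x shell scripts (build-ca, build-key-server,
# build-key, pkitool).  easy-rsa 3 ships a single `easyrsa` CLI and none of
# these files, so the installed package version matters here.
#
export EASY_RSA="/etc/openvpn/easy-rsa"

if [ ! -f "$OURDIR/vpn-server-done" ]; then
    mkdir -p "$EASY_RSA"
    cp -r /usr/share/easy-rsa/* "$EASY_RSA"
    # The PKI scripts are run as ./build-* from this directory later on;
    # bail out rather than run them from whatever cwd we happen to be in.
    cd "$EASY_RSA" || exit 1
    # Batch mode: the stock scripts prompt for every DN field, which cannot
    # work unattended.  DEBUG=1 presumably makes pkitool show what it runs,
    # which helps when a build-* step fails without a useful message.
    sed -i -e 's/--interact/--batch/' "$EASY_RSA/build-ca"
    sed -i -e 's/--interact/--batch/' "$EASY_RSA/build-key-server"
    sed -i -e 's/--interact/--batch/' "$EASY_RSA/build-key"
    sed -i -e 's/DEBUG=0/DEBUG=1/' "$EASY_RSA/pkitool"
fi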

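# easy-rsa 2.x is configured entirely through the environment; these are the
# variables pkitool and its openssl.cnf read.  They are unset again once key
# generation is finished (see the unset block further down).
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# whichopensslcnf selects the openssl.cnf variant matching the installed
# OpenSSL; it may come back empty on an unsupported version (handled below).
export KEY_CONFIG=$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")
export KEY_DIR="$EASY_RSA/keys"
# No hardware token is involved; the PKCS#11 knobs presumably just have to be
# non-empty for the scripts to be happy.
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
# Ten-year lifetimes for CA and leaf certs.  Nothing here rotates anything,
# so a deployment that outlives its certs simply stops authenticating.
export CA_EXPIRE=3650
export KEY_EXPIRE=3650

# Distinguished-name fields.  KEY_ORG carries the experiment identifiers
# (presumably project/experiment IDs from setup-lib.sh) so this CA can be told
# apart from other experiments' CAs.
export KEY_COUNTRY="US"
export KEY_PROVINCE="UT"
export KEY_CITY="Salt Lake City"
export KEY_ORG="$EPID-$EEID"

# Truncate the email to 40 characters -- presumably to stay under the
# emailAddress_max limit in easy-rsa's openssl.cnf, which would make --batch
# fail on a long address.
TRUNCATED_EMAIL=$(printf '%s' "${SWAPPER_EMAIL}" | cut -c 1-40)
export KEY_EMAIL="${TRUNCATED_EMAIL}"

export KEY_CN="OSMgmtVPN"
export KEY_NAME=$KEY_CN
export KEY_OU=$KEY_CN
# --batch mode is unhappy if it's not this
export KEY_ALTNAMES="DNS:$NETWORKMANAGER"

mkdir -p "$KEY_DIR"
# Everything below invokes ./build-* relative to the easy-rsa tree; fail
# loudly instead of running the PKI scripts from the wrong directory.
cd "$EASY_RSA" || exit 1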

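if [ ! -f "$OURDIR/vpn-server-done" ]; then

    # Handle the case on Ubuntu18 where easy-rsa is broken for openssl 1.1.0
    # (https://github.com/OpenVPN/easy-rsa/issues/159): whichopensslcnf names
    # a cnf that does not exist, so seed it from the 1.0.0 template and append
    # the marker comments (presumably what whichopensslcnf greps for; both
    # spellings are kept exactly as the original wrote them).
    if openssl version | grep -iq '^openssl 1\.1\.' \
       && [ -n "$KEY_CONFIG" ] && [ ! -e "$KEY_CONFIG" ] && [ -e openssl-1.0.0.cnf ]; then
	cp -p openssl-1.0.0.cnf "$KEY_CONFIG"
	echo '# For use with easy-rsa version 2.x and OpenSSL 1.1.0*' >> "$KEY_CONFIG"
	echo '# For use with easy-rsa version 2.0 and OpenSSL 1.1.0*' >> "$KEY_CONFIG"
    fi

    # Comment out any subjectAltName= lines in the bundled cnf files.  The
    # original only called this a "fixup"; presumably they collide with
    # KEY_ALTNAMES in --batch mode.  Glob rather than parse ls; a non-matching
    # glob stays literal, hence the existence check.
    for file in /etc/openvpn/easy-rsa/openssl*.cnf ; do
	[ -e "$file" ] || continue
	sed -i -e 's/^\(subjectAltName=.*\)$/#\1/' "$file"
    done

    #
    # Build the CA, then the server cert/key.  KEY_CN is needed for build-ca
    # but must be dropped before build-key*: those scripts take the CN from
    # their first argument and behave badly if KEY_CN is also set.
    #
    export KEY_CN="OSMgmtVPN"
    ./clean-all
    ./build-ca
    unset KEY_CN
    ./build-key-server "$NETWORKMANAGER"

    # Do not fall through to the "done" marker on a half-built PKI: if
    # easy-rsa failed, stop so the next run retries instead of leaving a
    # broken OpenVPN behind a marker that suppresses the rebuild.
    if [ ! -s "$KEY_DIR/$NETWORKMANAGER.key" ] || [ ! -s "$KEY_DIR/ca.crt" ]; then
	echo "easy-rsa did not produce $KEY_DIR/$NETWORKMANAGER.key and/or ca.crt" 1>&2
	exit 1
    fi

    cp -p "$KEY_DIR/$NETWORKMANAGER.crt" "$KEY_DIR/$NETWORKMANAGER.key" \
	"$KEY_DIR/ca.crt" /etc/openvpn/
    # The server private key must not be group/world readable, whatever mode
    # easy-rsa happened to give it.
    chmod 600 "/etc/openvpn/$NETWORKMANAGER.key"

    # DH parameters: use the pre-generated group shipped with the scripts when
    # present (generating one can take a long time), otherwise build it here.
    # A shipped group is shared by every deployment of these scripts -- a
    # deliberate time-for-uniqueness trade; 2048-bit is still acceptable.
    if [ -f "$DIRNAME/etc/dh2048.pem" ]; then
	cp "$DIRNAME/etc/dh2048.pem" /etc/openvpn
    else
	./build-dh
	cp -p "$KEY_DIR/dh2048.pem" /etc/openvpn/
    fi

    #
    # Write the server config.  Security notes for whoever edits it:
    #  - no tls-auth/tls-crypt: anyone who can reach udp/1194 on $MYIP can
    #    talk to the TLS control channel, so this assumes the underlying
    #    network is closed to outsiders;
    #  - comp-lzo: compression is deprecated upstream and exposes tunnelled
    #    traffic to VORACLE-style attacks.  Left in place because the client
    #    side (setup-vpn-client.sh) presumably mirrors it -- change both
    #    together;
    #  - ccd/<node> pins each client's address (written in the loop below),
    #    and duplicate-cn stays disabled so one cert means one client.
    #
    cat <<EOF > /etc/openvpn/server.conf
local $MYIP
port 1194
proto udp
dev tun
ca ca.crt
cert $NETWORKMANAGER.crt
key $NETWORKMANAGER.key
dh dh2048.pem
server 192.168.0.0 255.255.0.0
client-config-dir /etc/openvpn/ccd
client-to-client
;duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF

    mkdir -p /etc/openvpn/ccd

    #
    # Get the server up
    #
    if [ "${HAVE_SYSTEMD}" -eq 1 ]; then
	# Make sure we don't start the VPN until our network is up.
	# This is sort of magical, but it works.  Prefer networking.service
	# (ifupdown), fall back to network-online.target; if neither unit is
	# known to systemd no drop-in is written at all.
	mkdir -p /etc/systemd/system/openvpn@.service.d
	DROPIN=/etc/systemd/system/openvpn@.service.d/local-ifup.conf
	if systemctl list-units | grep -q 'networking\.service'; then
	    cat <<EOF >"$DROPIN"
[Unit]
Requires=networking.service
After=networking.service
EOF
	elif systemctl list-units | grep -q 'network-online\.target'; then
	    cat <<EOF >"$DROPIN"
[Unit]
Requires=network-online.target
After=network-online.target
EOF
	fi

	systemctl daemon-reload
	systemctl enable openvpn@server.service
	systemctl start openvpn@server.service
    else
	service openvpn restart
    fi

    touch "$OURDIR/vpn-server-done"
fi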

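#
# Now build keys and set static IPs for the controller and the
# compute nodes.
#
# One easy-rsa client cert/key per node plus a client-config-dir entry that
# pins the node's management-network address.  The ccd file doubles as the
# "already done" marker, so this loop is safe to re-run.
#
for node in $NODES ; do
    [ -f "/etc/openvpn/ccd/$node" ] && continue

    # Resolve the node's management IP *before* minting a key.  A node that is
    # missing from mgmt-hosts would otherwise get a certificate and a ccd file
    # reading "ifconfig-push  255.255.0.0" -- broken, and permanently marked
    # done.  Skipping it leaves it to be retried on the next run.
    # NOTE: $node is used as an unanchored regex suffix against the host list,
    # so this assumes no node name ends with another node's name -- check
    # against the actual format of $OURDIR/mgmt-hosts.
    NMIP=$(grep -E "$node$" "$OURDIR/mgmt-hosts" | head -1 \
	   | sed -n -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*$/\1/p')
    if [ -z "$NMIP" ]; then
	echo "No management IP found for $node in $OURDIR/mgmt-hosts; skipping" 1>&2
	continue
    fi

    NEWVPNNODES="${NEWVPNNODES} $node"

    # build-key takes the CN from its argument; KEY_CN is exported to the same
    # value, as the original did, so the two cannot disagree.
    export KEY_CN="$node"
    ./build-key "$node"

    echo "ifconfig-push $NMIP 255.255.0.0" > "/etc/openvpn/ccd/$node"
done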

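# Scrub the easy-rsa environment now that all key generation is finished, so
# nothing below (ssh/scp/pssh and the remote client script) inherits it.
# KEY_DIR is intentionally kept: the distribution loop below still needs it
# to find $node.crt / $node.key.  KEY_CN is included because the per-node
# loop exports it and nothing else cleaned it up.
unset KEY_COUNTRY KEY_PROVINCE KEY_CITY KEY_ORG KEY_EMAIL \
      KEY_NAME KEY_OU KEY_ALTNAMES KEY_CN

unset EASY_RSA OPENSSL PKCS11TOOL GREP KEY_CONFIG \
      PKCS11_MODULE_PATH PKCS11_PIN KEY_SIZE CA_EXPIRE KEY_EXPIRE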

#
# Get the hosts files setup to point to the new management network
# and setup the VPN on the clients.
#
maybe_install_packages pssh

# NOTE(security): StrictHostKeyChecking=no turns off SSH host-key
# verification, so the first contact with each node trusts whatever key
# answers.  The loop below pushes client *private keys* over this channel, so
# a host spoofed on the control network at setup time could obtain a VPN
# client identity.  Acceptable only if that network is trusted or host keys
# are pre-seeded by the testbed.  -t 0 disables the per-host timeout.
# (Kept as a plain string on purpose; it is word-split when invoked.)
PSSH='/usr/bin/parallel-ssh -t 0 -O StrictHostKeyChecking=no '
PHOSTS=
mkdir -p "$OURDIR/pssh.setup-vpn.stdout" "$OURDIR/pssh.setup-vpn.stderr"

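# Push CA cert + per-node cert/key to every node first seen on this run, then
# run the client-side setup on all of them at once.  $SSH, $PSSH and $PHOSTS
# are intentionally unquoted: they carry options, not single words.
for node in $NEWVPNNODES ; do
    # The network manager runs the server; it gets no client setup.
    [ "$node" = "$NETWORKMANAGER" ] && continue

    fqdn=$(getfqdn "$node")
    $SSH "$fqdn" mkdir -p "$OURDIR"

    # The client's private key crosses the wire here.  Make sure it is 0600
    # at the source (scp -p carries the mode across) rather than trusting
    # whatever easy-rsa left.  Host-key checking is disabled, as for $PSSH
    # above, so this relies on the control network being trusted.
    chmod 600 "$KEY_DIR/$node.key"
    scp -p -o StrictHostKeyChecking=no \
	/etc/openvpn/ca.crt "$KEY_DIR/$node.crt" "$KEY_DIR/$node.key" \
	"$fqdn:$OURDIR"
    PHOSTS="$PHOSTS -H $fqdn"
done

# The script path is resolved on the remote side, so $DIRNAME must exist
# there as well (presumably a shared or mirrored tree -- verify).  With no
# new nodes there is nothing to do, and parallel-ssh with no -H would only
# fail with a usage error.
if [ -n "$PHOSTS" ]; then
    $PSSH -o "$OURDIR/pssh.setup-vpn.stdout" -e "$OURDIR/pssh.setup-vpn.stderr" \
	$PHOSTS "$DIRNAME/setup-vpn-client.sh"
fi

logtend "vpn"

exit 0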