OpenVPN Updates (#2492)

* Add ubuntu20 vpn scripts

* Try to add support for AL23 vpn

* Try to add support for AL23 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Try to add support for AL2 vpn

* Add whitelist for snap to work

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

* Add support for openvpn on AL2

files/openvpn_management_scripts/create_ovpn.sh

@@ -29,8 +29,8 @@ set -e
 set -u
 
 
-USER_CERT_PATH="$KEY_PATH/$1.crt"
-USER_KEY_PATH="$KEY_PATH/$1.key"
+USER_CERT_PATH="$KEY_PATH/issued/$1.crt"
+USER_KEY_PATH="$KEY_PATH/private/$1.key"
 
 
 #HEADER

files/openvpn_management_scripts/create_seperated_vpn_zip.sh

@@ -30,8 +30,8 @@ username=${username// /_}
 # now, clean out anything that's not alphanumeric or an underscore
 username=${username//[^a-zA-Z0-9_-.]/}
 
-USER_CERT_PATH="$KEY_PATH/$1.crt"
-USER_KEY_PATH="$KEY_PATH/$1.key"
+USER_CERT_PATH="$KEY_PATH/issued/$1.crt"
+USER_KEY_PATH="$KEY_PATH/private/$1.key"
 
 #make a temp dir
 TEMP_NAME="$username-$CLOUD_NAME-seperated"
@@ -47,6 +47,7 @@ cp $USER_KEY_PATH $TEMP_DIR/client.key
 #This is because EXTHOST is a defined variable in the template
 while read r; do eval echo $r; done < $TEMPLATE_DIR/client_ovpn_seperate.settings >> $TEMP_DIR/${username}-${CLOUD_NAME}.ovpn
 
+mkdir -p $KEY_DIR/ovpn_files_seperated
 tar -C $TEMP_DIR/../ -zcvf $KEY_DIR/ovpn_files_seperated/${username}-${CLOUD_NAME}-seperated.tgz  $TEMP_NAME
 
 echo -e "Exiting ${BOLD}$_${CLEAR}"

files/openvpn_management_scripts/create_vpn_user.sh

@@ -49,13 +49,16 @@ export KEY_EMAIL=$email
 export KEY_ALTNAMES="DNS:${KEY_CN}"
 
 #This create the key's for the road warrior
-echo -e "running ${YELLOW} build-batch-key"
-build-key-batch  $username &>/dev/null && echo -e "${GREEN}success!" || echo -e "${RED}failure";echo -e $CLEAR 
+echo -e "running ${YELLOW} easyrsa build-client-full"
+(
+	cd $EASYRSA_PATH
+	easyrsa build-client-full $username nopass &>/dev/null && echo -e "${GREEN}success!" || echo -e "${RED}failure";echo -e $CLEAR
+)
 #&& echo -e "${GREEN}success!" || echo -e "${RED}failure";echo -e $CLEAR
 
-echo "Backup certs so we can revoke them if ever needed"
-[ -d  $KEY_DIR/user_certs/ ]  || mkdir  $KEY_DIR/user_certs/
-cp $KEY_DIR/$username.crt $KEY_DIR/user_certs/$username.crt-$(date +%F-%T) && echo -e "${GREEN}success!" || echo -e "${RED}failure";echo -e $CLEAR
+# echo "Backup certs so we can revoke them if ever needed"
+# [ -d  $KEY_DIR/user_certs/ ]  || mkdir  $KEY_DIR/user_certs/
+# cp $KEY_DIR/$username.crt $KEY_DIR/user_certs/$username.crt-$(date +%F-%T) && echo -e "${GREEN}success!" || echo -e "${RED}failure";echo -e $CLEAR
 
 echo "Create the OVPN file for $username"
 $VPN_BIN_ROOT/create_ovpn.sh $KEY_CN $KEY_EMAIL > $KEY_DIR/ovpn_files/${username}-${CLOUD_NAME}.ovpn 2> /dev/null && echo -e "${GREEN}success!" || echo -e "${RED}failure";echo -e $CLEAR

files/openvpn_management_scripts/install_ovpn.sh

@@ -12,13 +12,13 @@ VARS_PATH="$EASYRSA_PATH/vars"
 
 #EASY-RSA Vars
 
-    KEY_SIZE=4096
-    COUNTRY="US"
-    STATE="IL"
-    CITY="Chicago"
-    ORG="CDIS" 
-    EMAIL='support\@datacommons.io'
-    KEY_EXPIRE=365
+KEY_SIZE=4096
+COUNTRY="US"
+STATE="IL"
+CITY="Chicago"
+ORG="CDIS" 
+EMAIL='support\@datacommons.io'
+KEY_EXPIRE=365
 
 
 #OpenVPN

files/openvpn_management_scripts/reset_totp_token.sh

@@ -40,11 +40,15 @@ update_password_file() {
 }
 
 generate_qr_code() {
-    uuid=$(uuidgen)
-    qrcode_out=/var/www/qrcode/${uuid}.svg
+    mkdir -p /etc/openvpn/pki/qrcodes
+    qrcode_out=/etc/openvpn/pki/qrcodes/${vpn_username}.png
     string=$( python -c "import pyotp; print( pyotp.totp.TOTP('$totp_secret').provisioning_uri('$vpn_username', issuer_name='$CLOUD_NAME') )" )
-    $( python -c "import pyqrcode; pyqrcode.create('$string').svg('${qrcode_out}', scale=8)" )
-    vpn_creds_url="https://${FQDN}/$uuid.svg"
+    $( python -c "import qrcode; qrcode.make('$string').save('${qrcode_out}')" )
+    # vpn_creds_url="https://${FQDN}/$uuid.svg"
+    s3Path="s3://${S3BUCKET}/qrcodes/${vpn_username}.png"
+    aws s3 cp ${qrcode_out} ${s3Path}
+    signedUrl="$(aws s3 presign "$s3Path" --expires-in "$((60*60*48))")"
+    vpn_creds_url=${signedUrl}
 }
 
 print_info() {

files/openvpn_management_scripts/revoke_user.sh

@@ -25,18 +25,15 @@ set -e
 
 username=${1}
 
-#Source the settings for EASY RSA
-source $EASYRSA_PATH/vars
 
 #Override exports
 export KEY_CN=$username
 
-set +e
-#revoke-full $username || echo -e "${RED}${BOLD}${BLINK}FAILED TO REVOKE ${username}${CLEAR}"
-revoke-full $username
-#Apparently it doesn't exist like I expected, and says failed even when it succeeded.
-
-set -e
+(
+    cd $EASYRSA_PATH
+    ./easyrsa revoke $username
+    ./easyrsa gen-crl
+)
 
 sed -i "/${username},/d" $USER_PW_FILE || echo -e "${RED}${BOLD}${BLINK}Failed to remove $username from file ${USER_PW_FILE}${CLEAR}"
 /etc/openvpn/bin/push_to_s3.sh

files/openvpn_management_scripts/send_email.sh

@@ -14,7 +14,7 @@ RED="\033[31m"
 
 echo -e "Entering ${BOLD}$_${CLEAR}"
 
-S3BUCKET=WHICHVPN
+export S3BUCKET=WHICHVPN
 
 if [ "${1}" == "" ] 
 then

files/openvpn_management_scripts/templates/network_tweaks.sh.template

@@ -14,3 +14,5 @@ iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Masquerade
 iptables -t nat -A POSTROUTING -s #VPN_SUBNET#  -d #VM_SUBNET# -o $vpnserver_int -j MASQUERADE
 echo 1 > /proc/sys/net/ipv4/ip_forward
+
+service iptables save

files/openvpn_management_scripts/templates/openvpn.conf.template

@@ -10,16 +10,16 @@ persist-key
 persist-tun
 
 #certificates
-ca easy-rsa/keys/ca.crt
-cert easy-rsa/keys/#FQDN#.crt
-key easy-rsa/keys/#FQDN#.key  # This file should be kept secret
-dh easy-rsa/keys/dh4096.pem
-tls-auth easy-rsa/keys/ta.key 0 # This file is secret
-crl-verify easy-rsa/keys/crl.pem # Revocation files
+ca /etc/openvpn/easy-rsa/pki/ca.crt
+cert /etc/openvpn/easy-rsa/pki/issued/#FQDN#.crt
+key /etc/openvpn/easy-rsa/pki/private/#FQDN#.key  # This file should be kept secret
+dh /etc/openvpn/easy-rsa/pki/dh.pem
+tls-auth /etc/openvpn/easy-rsa/pki/ta.key 0 # This file is secret
+crl-verify /etc/openvpn/easy-rsa/pki/crl.pem # Revocation files
 
 #Password script
-auth-user-pass-verify  bin/auth-user-pass-verify.sh via-env
-script-security 3 execve
+auth-user-pass-verify  /etc/openvpn/bin/auth-user-pass-verify.sh via-env
+script-security 3 # execve
 
 #Cipher suite
 cipher AES-256-CBC

files/openvpn_management_scripts/templates/settings.sh.template

@@ -1,6 +1,7 @@
 export VPN_SETTINGS_LOADED="1"
 export CLOUD_NAME='#CLOUD_NAME#'
 export FQDN="#FQDN#"
+export EXTHOST='#CLOUD_NAME#.planx-pla.net'
 ## EXTHOST is set in the easy-rsa/vars env settings.  I think these values have to maych so removing from here
 
 #sendemail vars
@@ -28,7 +29,7 @@ export OPENVPN_MY_BIN="/etc/openvpn/bin"
 
 #CDIS OpenVPN scripts contants
 export TEMPLATE_DIR="/etc/openvpn/bin/templates"
-export KEY_PATH="/etc/openvpn/easy-rsa/keys/"
+export KEY_PATH="/etc/openvpn/easy-rsa/pki/"
 export CA_PATH="$KEY_PATH/ca.crt"
 export TA_KEY_PATH="$KEY_PATH/ta.key"
 export ARCHIVE_CERT_DIR="$KEY_DIR/user_certs/"
@@ -37,6 +38,6 @@ export USER_PW_FILE="/etc/openvpn/user_passwd.csv"
 export VPN_BIN_ROOT="/etc/openvpn/bin"
 export VPN_USER_CSV="/etc/openvpn/user_passwd.csv"
 export VPN_FILE_ATTACHMENTS="-a$VPN_BIN_ROOT/OpenVPN_for_PLANX_Installation_Guide.pdf"
-
+export KEY_DIR="$EASYRSA_PATH/pki"
 export PATH=$PATH:$EASYRSA_PATH:$OPENVPN_MY_BIN
 source /etc/openvpn/bin/.venv/bin/activate

files/openvpn_management_scripts/templates/vars.template

@@ -1,81 +1,25 @@
-# easy-rsa parameter settings
-export EXTHOST="#EXTHOST#"
+# EasyRSA 3 vars file
 
-# NOTE: If you installed from an RPM,
-# don't edit this file in place in
-# /usr/share/openvpn/easy-rsa --
-# instead, you should copy the whole
-# easy-rsa directory to another location
-# (such as /etc/openvpn) so that your
-# edits will not be wiped out by a future
-# OpenVPN package upgrade.
+# This is a user-customized vars file for EasyRSA 3.
+# Adjust these values to suit your needs.
 
-# This variable should point to
-# the top level of the easy-rsa
-# tree.
-export EASY_RSA="#EASY_RSA_DIR#"
+# Key Size - Increase to 2048 if you are paranoid. This affects performance.
+set_var EASYRSA_KEY_SIZE        #KEY_SIZE#
 
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
+# CA and Certificate Expiry - Set these to your desired expiry in days
+set_var EASYRSA_CA_EXPIRE       3650
+set_var EASYRSA_CERT_EXPIRE     #KEY_EXPIRE#
 
+# Fields for the request Distinguished Name (DN)
+# Adjust these to match your organization's information
+set_var EASYRSA_REQ_COUNTRY     "#COUNTRY#"
+set_var EASYRSA_REQ_PROVINCE    "#STATE#"
+set_var EASYRSA_REQ_CITY        "#CITY#"
+set_var EASYRSA_REQ_ORG         "#ORG#"
+set_var EASYRSA_REQ_EMAIL       "#EMAIL#"
+set_var EASYRSA_REQ_OU          "#OU#"
 
-# This variable should point to
-# the openssl.cnf file included
-# with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
 
-# Edit this variable to point to
-# your soon-to-be-created key
-# directory.
-#
-# WARNING: clean-all will do
-# a rm -rf on this directory
-# so make sure you define
-# it correctly!
-export KEY_DIR="$EASY_RSA/keys"
+set_var EASYRSA_BATCH       "1"
 
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
-# PKCS11 fixes
-export PKCS11_MODULE_PATH="dummy"
-export PKCS11_PIN="dummy"
-
-# Increase this to 2048 if you
-# are paranoid.  This will slow
-# down TLS negotiation performance
-# as well as the one-time DH parms
-# generation process.
-export KEY_SIZE=#KEY_SIZE#
-
-# In how many days should the root CA key expire?
-export CA_EXPIRE=3650
-
-# In how many days should certificates expire?
-export KEY_EXPIRE=#KEY_EXPIRE#
-
-# These are the default values for fields
-# which will be placed in the certificate.
-# Don't leave any of these fields blank.
-export KEY_COUNTRY="#COUNTRY#"
-export KEY_PROVINCE="#STATE#"
-export KEY_CITY="#CITY#"
-export KEY_ORG="#ORG#"
-export KEY_EMAIL="#EMAIL#"
-export KEY_OU="#OU#"
-
-# X509 Subject Field
-export KEY_NAME="#KEY_NAME#"
-
-# PKCS11 Smart Card
-# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
-# export PKCS11_PIN=1234
-
-# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
-# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
-# export KEY_CN="CommonName"
+# Note: Do not leave any of the fields blank as it may cause the script to fail.