author | Andrew Cady <d@cryptonomic.net> | 2021-10-04 18:57:00 -0400 |
---|---|---|
committer | Andrew Cady <d@cryptonomic.net> | 2021-10-04 18:57:21 -0400 |
commit | 448cab6d8f073558a3f4c3a85652d3fcbf03c100 (patch) | |
tree | 58edbb0c02b918e96b36ed8597cbbd5b1fee62d0 | |
parent | 8856797b5e7a7dcd8262e641d4acc119f00c6bec (diff) |
clean up keycopy.sh somewhat (and rename it)
-rwxr-xr-x | connect-vpn.sh | 153 | ||||
-rw-r--r-- | keycopy.sh | 115 |
2 files changed, 153 insertions, 115 deletions
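diff --git a/connect-vpn.sh b/connect-vpn.sh
new file mode 100755
index 0000000..f4f302c
--- /dev/null
+++ b/connect-vpn.sh
@@ -0,0 +1,153 @@
+#!/bin/sh
+ROUTER_IP=68.48.18.140
+ROUTER_NAME=andy
+
+CLIENT_KEY_BASENAME=ssh_host_rsa_key
+CLIENT_KEY_DIRNAME=/etc/ssh
+CLIENT_KEY=${CLIENT_KEY_DIRNAME}/${CLIENT_KEY_BASENAME}
+
+ssh2der()
+{
+ssh-keygen -e -f "$1" -m PEM | openssl rsa -RSAPublicKey_in -outform DER
+}
+
+match_and_drop_first_word()
+{
+expect=$1
+while read word rest
+do
+if [ "$word" = "$expect" ]
+then
+printf '%s\n' "$rest"
+return
+fi
+done
+false
+}
+
+keyscan()
+{
+if [ -e keyscan.cache ]
+then
+cat keyscan.cache
+else
+ssh-keyscan -t rsa "$1"
+fi
+}
+
+write_successfully()
+{
+local f=$(mktemp) || return
+local out="$1"
+[ "$2" = -- ] || return
+shift 2
+if "$@" > "$f"
+then
+if [ "$NO_ACT" ]
+then
+echo "mv $f $out" >&2
+else
+mv "$f" "$out"
+fi
+else
+rm -f "$f"
+return 1
+fi
+}
+
+keycopy()
+{
+private_key_tmp="$(mktemp)" || return
+cp "$CLIENT_KEY" "$private_key_tmp"
+ssh-keygen -N '' -P '' -p -m PEM -f "$private_key_tmp"
+trap 'rm -f "$private_key_tmp"' EXIT
+
+write_successfully /etc/swanctl/private/"$CLIENT_KEY_BASENAME" -- openssl rsa -in "$private_key_tmp" -outform DER
+write_successfully /etc/swanctl/pubkey/"$CLIENT_KEY_BASENAME".pub -- openssl rsa -in "$private_key_tmp" -outform DER -pubout
+
+trap - EXIT
+rm -f "$private_key_tmp"
+
+t=$(mktemp)
+keyscan "$ROUTER_IP" | match_and_drop_first_word "$ROUTER_IP" > "$t"
+write_successfully /etc/swanctl/pubkey/"$ROUTER_NAME".pub -- ssh2der "$t"
+rm -f "$t"
+}
+
+nocomments()
+{
+sed 's/#.*//; /^ *$/d'
+}
+
+
+config()
+{
+local conn="$1" remote_addrs="$2" id="$3"
+local remote_ts=0::0/0 vips=::
+local public_key_file="${CLIENT_KEY_BASENAME}.pub" private_key_file="${CLIENT_KEY_BASENAME}"
+sed -e 's/^ //' <<END
+connections {
+${conn} {
+remote_addrs = ${remote_addrs}
+vips = ${vips}
+local {
+pubkeys = ${public_key_file}
+id = ${id}
+}
+remote {
+id = "${remote_addrs}"
+pubkeys = ${conn}.pub
+}
+children {
+child {
+remote_ts = ${remote_ts}
+dpd_action = restart
+}
+}
+}
+}
+secrets {
+private {
+file = ${private_key_file}
+}
+}
+END
+}
+
+get_my_mac()
+{
+iface=$(ip -oneline route get "$1" | sed -ne 's/.* dev \([^ ]*\) .*/\1/p')
+[ "$iface" ] || return
+my_mac=$(ip -oneline -6 addr show dev "$iface" | sed -ne 's/.* inet6 fe80::\([^/]*\)\/.*/\1/p')
+[ "$my_mac" ]
+}
+
+NO_ACT()
+{
+[ "$NO_ACT" ] || "$@"
+}
+
+write_config()
+{
+get_my_mac "$ROUTER_IP" || return
+write_successfully /etc/swanctl/conf.d/"$ROUTER_NAME".conf -- config "$ROUTER_NAME" "$ROUTER_IP" "$my_mac"
+}
+
+test_new_config()
+{
+NO_ACT ipsec stop
+
+write_config
+
+NO_ACT ipsec start
+NO_ACT sleep 2
+NO_ACT swanctl -c
+NO_ACT ipsec listpubkeys
+NO_ACT ipsec up ${ROUTER_NAME}
+}
+
+NO_ACT=y
+set -e
+keycopy
+test_new_config
+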
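Review bot: In keycopy() the `trap 'rm -f "$private_key_tmp"' EXIT` is installed only after `cp` and `ssh-keygen -p` have already run, so under the `set -e` enabled at the bottom of the file a failure in either step exits the script with an unencrypted PEM copy of the host private key left behind in the temp directory; moving the trap line to directly after `private_key_tmp="$(mktemp)" || return` closes that window. A related masking bug sits in write_successfully(): `local f=$(mktemp) || return` never returns because `local` itself exits 0, so a failed mktemp continues with an empty `$f`; split it as `local f` followed by `f=$(mktemp) || return`. With the hardcoded `NO_ACT=y`, write_successfully() only prints the `mv` and leaves the DER-encoded private key in `$f`, so a dry run still deposits key material in the temp directory unless that file is removed or the behaviour is documented as intentional. keyscan() also still accepts an unauthenticated `ssh-keyscan` result, or whatever `keyscan.cache` happens to be in the current working directory, as the peer's public key; a comment such as `# trust-on-first-use: peer key is taken from ssh-keyscan (or ./keyscan.cache) without verification` would make that assumption visible to the next reader.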
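diff --git a/keycopy.sh b/keycopy.sh
deleted file mode 100644
index 68c97fd..0000000
--- a/keycopy.sh
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/sh
-yourip=68.48.18.140
-h=$yourip
-n=andy
-
-key_basename=ssh_host_rsa_key
-input_key=/etc/ssh/$key_basename
-
-ssh2der()
-{
-ssh-keygen -e -f "$1" -m PEM | openssl rsa -RSAPublicKey_in -outform DER
-}
-
-match_and_drop_first_word()
-{
-expect=$1
-while read word rest
-do
-if [ "$word" = "$expect" ]
-then
-printf '%s\n' "$rest"
-return
-fi
-done
-false
-}
-
-keyscan()
-{
-if [ -e keyscan.cache ]
-then
-cat keyscan.cache
-else
-ssh-keyscan -t rsa "$1"
-fi
-}
-
-keycopy()
-{
-openssl rsa -in "$input_key" -outform DER > /etc/swanctl/private/"$key_basename"
-openssl rsa -in "$input_key" -pubout -outform DER > /etc/swanctl/pubkey/"$key_basename".pub
-
-t=$(mktemp)
-
-keyscan "$yourip" | match_and_drop_first_word "$yourip" > "$t"
-ssh2der "$t" > /etc/swanctl/pubkey/"$n".pub
-rm -f "$t"
-}
-
-nocomments()
-{
-sed 's/#.*//; /^ *$/d'
-}
-
-
-write_config()
-{
-conn=$1
-remote_addrs=$2
-id=$3
-cat > /etc/swanctl/conf.d/"$conn".conf <<END
-connections {
-${conn} {
-remote_addrs = ${remote_addrs}
-vips = ::
-local {
-pubkeys = ssh_host_rsa_key.pub
-id = ${id}
-}
-remote {
-id = "${remote_addrs}"
-pubkeys = ${conn}.pub
-}
-children {
-child {
-remote_ts = 0::0/0
-dpd_action = restart
-}
-}
-}
-}
-secrets {
-private1 {
-file = ssh_host_rsa_key
-}
-}
-END
-}
-
-generate_config()
-{
-iface=$(ip -oneline route get "$yourip" | sed -ne 's/.* dev \([^ ]*\) .*/\1/p')
-[ "$iface" ] || return
-mymac=$(ip -oneline -6 addr show dev "$iface" | sed -ne 's/.* inet6 fe80::\([^/]*\)\/.*/\1/p')
-[ "$mymac" ] || return
-write_config andy "$yourip" "$mymac"
-}
-
-test_new_config()
-{
-ipsec stop
-
-generate_config
-
-ipsec start
-sleep 2
-swanctl -c
-ipsec listpubkeys
-ipsec up andy
-}
-
-set -e
-keycopy
-test_new_config
-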