Diffstat (limited to 'connect-vpn.sh')
-rwxr-xr-x | connect-vpn.sh | 153 |
1 files changed, 153 insertions, 0 deletions
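diff --git a/connect-vpn.sh b/connect-vpn.sh
new file mode 100755
index 0000000..f4f302c
--- /dev/null
+++ b/connect-vpn.sh
@@ -0,0 +1,153 @@
+#!/bin/sh
+ROUTER_IP=68.48.18.140
+ROUTER_NAME=andy
+
+CLIENT_KEY_BASENAME=ssh_host_rsa_key
+CLIENT_KEY_DIRNAME=/etc/ssh
+CLIENT_KEY=${CLIENT_KEY_DIRNAME}/${CLIENT_KEY_BASENAME}
+
+ssh2der()
+{
+ssh-keygen -e -f "$1" -m PEM | openssl rsa -RSAPublicKey_in -outform DER
+}
+
+match_and_drop_first_word()
+{
+expect=$1
+while read word rest
+do
+if [ "$word" = "$expect" ]
+then
+printf '%s\n' "$rest"
+return
+fi
+done
+false
+}
+
+keyscan()
+{
+if [ -e keyscan.cache ]
+then
+cat keyscan.cache
+else
+ssh-keyscan -t rsa "$1"
+fi
+}
+
+write_successfully()
+{
+local f=$(mktemp) || return
+local out="$1"
+[ "$2" = -- ] || return
+shift 2
+if "$@" > "$f"
+then
+if [ "$NO_ACT" ]
+then
+echo "mv $f $out" >&2
+else
+mv "$f" "$out"
+fi
+else
+rm -f "$f"
+return 1
+fi
+}
+
+keycopy()
+{
+private_key_tmp="$(mktemp)" || return
+cp "$CLIENT_KEY" "$private_key_tmp"
+ssh-keygen -N '' -P '' -p -m PEM -f "$private_key_tmp"
+trap 'rm -f "$private_key_tmp"' EXIT
+
+write_successfully /etc/swanctl/private/"$CLIENT_KEY_BASENAME" -- openssl rsa -in "$private_key_tmp" -outform DER
+write_successfully /etc/swanctl/pubkey/"$CLIENT_KEY_BASENAME".pub -- openssl rsa -in "$private_key_tmp" -outform DER -pubout
+
+trap - EXIT
+rm -f "$private_key_tmp"
+
+t=$(mktemp)
+keyscan "$ROUTER_IP" | match_and_drop_first_word "$ROUTER_IP" > "$t"
+write_successfully /etc/swanctl/pubkey/"$ROUTER_NAME".pub -- ssh2der "$t"
+rm -f "$t"
+}
+
+nocomments()
+{
+sed 's/#.*//; /^ *$/d'
+}
+
+
+config()
+{
+local conn="$1" remote_addrs="$2" id="$3"
+local remote_ts=0::0/0 vips=::
+local public_key_file="${CLIENT_KEY_BASENAME}.pub" private_key_file="${CLIENT_KEY_BASENAME}"
+sed -e 's/^ //' <<END
+connections {
+${conn} {
+remote_addrs = ${remote_addrs}
+vips = ${vips}
+local {
+pubkeys = ${public_key_file}
+id = ${id}
+}
+remote {
+id = "${remote_addrs}"
+pubkeys = ${conn}.pub
+}
+children {
+child {
+remote_ts = ${remote_ts}
+dpd_action = restart
+}
+}
+}
+}
+secrets {
+private {
+file = ${private_key_file}
+}
+}
+END
+}
+
+get_my_mac()
+{
+iface=$(ip -oneline route get "$1" | sed -ne 's/.* dev \([^ ]*\) .*/\1/p')
+[ "$iface" ] || return
+my_mac=$(ip -oneline -6 addr show dev "$iface" | sed -ne 's/.* inet6 fe80::\([^/]*\)\/.*/\1/p')
+[ "$my_mac" ]
+}
+
+NO_ACT()
+{
+[ "$NO_ACT" ] || "$@"
+}
+
+write_config()
+{
+get_my_mac "$ROUTER_IP" || return
+write_successfully /etc/swanctl/conf.d/"$ROUTER_NAME".conf -- config "$ROUTER_NAME" "$ROUTER_IP" "$my_mac"
+}
+
+test_new_config()
+{
+NO_ACT ipsec stop
+
+write_config
+
+NO_ACT ipsec start
+NO_ACT sleep 2
+NO_ACT swanctl -c
+NO_ACT ipsec listpubkeys
+NO_ACT ipsec up ${ROUTER_NAME}
+}
+
+NO_ACT=y
+set -e
+keycopy
+test_new_config
+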
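Review bot: `local f=$(mktemp) || return` in write_successfully (line 40) never returns on mktemp failure, because the status seen by `||` is that of `local`, not of the command substitution; split it into `local f out; f=$(mktemp) || return; out=$1`. In the same function the dry-run branch (`NO_ACT` set, which is the default at line 149) prints the `mv` but never removes `$f`, so for the two keycopy calls at lines 65-66 a DER copy of the SSH host private key is left behind in the temp directory; add `rm -f -- "$f"` after the `echo "mv $f $out" >&2` line. keycopy has the related ordering issue that `trap 'rm -f "$private_key_tmp"' EXIT` is installed only after `cp` and `ssh-keygen` have already run on the copied key, so a failure of either under `set -e` leaves the plaintext copy in place; move the trap to directly after the `mktemp` on line 60. The router public key comes from `ssh-keyscan` with no out-of-band check, and `keyscan.cache` is read relative to the caller's working directory, which is presumably meant as a cached pin but silently depends on where the script is invoked from; an absolute path for the cache would make that intent explicit.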