#!/bin/sh
# Enrol this host's SSH RSA host key as its IPsec (strongSwan/swanctl) identity
# and fetch the router's SSH host key as the peer's public key.
# Note: the script uses `local`, which is not POSIX but is provided by
# dash, busybox sh and bash.

# Peer address: used for the SSH host-key scan, the route lookup and the
# remote_addrs/remote id of the generated connection.
ROUTER_IP=68.48.18.140
# Connection name; also names the peer's pubkey file and the conf.d file.
ROUTER_NAME=andy
# This host's SSH RSA host key, copied (never modified in place) by keycopy.
CLIENT_KEY_DIRNAME=/etc/ssh
CLIENT_KEY_BASENAME=ssh_host_rsa_key
CLIENT_KEY="$CLIENT_KEY_DIRNAME/$CLIENT_KEY_BASENAME"
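#######################################
# Convert an OpenSSH RSA public key file to a DER-encoded RSA public key.
# Arguments: $1 - path of the OpenSSH public key file
# Outputs:   DER bytes on stdout
# Returns:   non-zero if ssh-keygen or openssl fails
#######################################
ssh2der()
{
  local pem
  # Capture the PEM export first: #!/bin/sh has no pipefail, so a failing
  # ssh-keygen inside a pipeline would otherwise be hidden behind openssl's status.
  pem=$(ssh-keygen -e -m PEM -f "$1") || return 1
  printf '%s\n' "$pem" | openssl rsa -RSAPublicKey_in -outform DER
}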
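#######################################
# Print the remainder of the first stdin line whose first word equals $1.
# Arguments: $1 - word to match at the start of a line
# Outputs:   the rest of the matching line (leading whitespace removed) on stdout
# Returns:   0 on a match, 1 if no line matched
#######################################
match_and_drop_first_word()
{
  local expect word rest
  expect=$1
  # -r keeps backslashes literal; without it `read` rewrites the input.
  while read -r word rest; do
    if [ "$word" = "$expect" ]; then
      printf '%s\n' "$rest"
      return 0
    fi
  done
  return 1
}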
#######################################
# Obtain the router's SSH RSA host key line.
# A keyscan.cache file in the current directory is used verbatim when present;
# otherwise ssh-keyscan asks the host directly.
# NOTE(review): neither path checks the key against a known fingerprint
# (trust on first use), so the cache must only be writable by the operator.
# Arguments: $1 - host to scan
# Outputs:   "host ssh-rsa <base64>" line(s) on stdout
#######################################
keyscan()
{
  local cache=keyscan.cache
  if [ ! -e "$cache" ]; then
    ssh-keyscan -t rsa "$1"
    return
  fi
  cat "$cache"
}
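#######################################
# Run a command and install its stdout at a path only if the command succeeds.
# Usage: write_successfully OUT -- CMD [ARGS...]
# Globals:   NO_ACT (read) - when non-empty, report the mv instead of doing it
# Arguments: $1 - destination path; $2 must be "--"; rest - command to run
# Outputs:   in dry-run mode, "mv TMP OUT" on stderr
# Returns:   0 when OUT was written (or would be, in dry-run mode); 1 otherwise
# Notes:     mktemp creates the temp file 0600 and mv keeps that mode, so a
#            DER private key never sits world-readable at the destination.
#            In dry-run mode the temp file is left behind for inspection; it
#            may contain key material and should be removed afterwards.
#######################################
write_successfully()
{
  local out f
  out=$1
  [ "$2" = -- ] || return 1
  shift 2
  # Assign separately from `local`: `local f=$(mktemp)` would report local's
  # status (0) and mask a failed mktemp.
  f=$(mktemp) || return 1
  if ! "$@" > "$f"; then
    rm -f "$f"
    return 1
  fi
  if [ "$NO_ACT" ]; then
    printf 'mv %s %s\n' "$f" "$out" >&2
  else
    mv "$f" "$out" || { rm -f "$f"; return 1; }
  fi
}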
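#######################################
# Install this host's RSA key pair and the router's public key for swanctl.
# Works on a copy of $CLIENT_KEY: the copy is rewritten to PEM (passphrase
# empty -> empty, so the host key must be unencrypted), exported as DER
# private/public keys, then the router's SSH host key is scanned and exported
# as a DER public key.
# Globals:   CLIENT_KEY, CLIENT_KEY_BASENAME, ROUTER_IP, ROUTER_NAME (read);
#            private_key_tmp, t (written; kept global on purpose so the EXIT
#            trap still sees them if set -e aborts the script mid-function)
# Outputs:   files under /etc/swanctl/private and /etc/swanctl/pubkey
#            (in dry-run mode write_successfully leaves them in $TMPDIR instead)
# Returns:   non-zero on the first failing step; temp files are removed by the trap
#######################################
keycopy()
{
  private_key_tmp=
  t=
  # Install the trap before any key material is copied so a failure in cp or
  # ssh-keygen cannot leave the private key behind in the temp directory.
  trap 'rm -f "$private_key_tmp" "$t"' EXIT
  private_key_tmp=$(mktemp) || return 1
  cp "$CLIENT_KEY" "$private_key_tmp" || return 1
  ssh-keygen -N '' -P '' -p -m PEM -f "$private_key_tmp" || return 1
  write_successfully /etc/swanctl/private/"$CLIENT_KEY_BASENAME" -- openssl rsa -in "$private_key_tmp" -outform DER || return 1
  write_successfully /etc/swanctl/pubkey/"$CLIENT_KEY_BASENAME".pub -- openssl rsa -in "$private_key_tmp" -outform DER -pubout || return 1
  rm -f "$private_key_tmp"
  t=$(mktemp) || return 1
  # No pipefail under #!/bin/sh: the status here is match_and_drop_first_word's,
  # which is non-zero when no line for $ROUTER_IP was produced.
  keyscan "$ROUTER_IP" | match_and_drop_first_word "$ROUTER_IP" > "$t" || return 1
  write_successfully /etc/swanctl/pubkey/"$ROUTER_NAME".pub -- ssh2der "$t" || return 1
  rm -f "$t"
  trap - EXIT
}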
#######################################
# Strip '#' comments and blank (or space-only) lines from stdin.
# Note: '#' is not context-aware, so a '#' inside a quoted value is also cut.
# Outputs:   filtered text on stdout
#######################################
nocomments()
{
  sed -e 's/#.*//' -e '/^ *$/d'
}
#######################################
# Emit a swanctl.conf fragment for one IPsec connection to stdout.
# Arguments: $1 - connection name (also the basename of the peer's pubkey file)
#            $2 - peer address; used as remote_addrs and, quoted, as the remote id
#            $3 - local id (write_config passes the link-local interface id)
# Globals:   CLIENT_KEY_BASENAME (read) - names the local pubkey/private key files
# Outputs:   connections { ... } and secrets { ... } blocks on stdout
# Notes:     remote_ts 0::0/0 selects all IPv6 traffic for the child SA and
#            vips :: requests an IPv6 virtual IP from the peer; dpd_action
#            restart re-establishes the tunnel when dead-peer detection fires.
#######################################
config()
{
local conn="$1" remote_addrs="$2" id="$3"
local remote_ts=0::0/0 vips=::
local public_key_file="${CLIENT_KEY_BASENAME}.pub" private_key_file="${CLIENT_KEY_BASENAME}"
# One leading space is stripped from every line of the here-document
# (a no-op for lines that carry no indentation).
sed -e 's/^ //' <<END
connections {
${conn} {
remote_addrs = ${remote_addrs}
vips = ${vips}
local {
pubkeys = ${public_key_file}
id = ${id}
}
remote {
id = "${remote_addrs}"
pubkeys = ${conn}.pub
}
children {
child {
remote_ts = ${remote_ts}
dpd_action = restart
}
}
}
}
secrets {
private {
file = ${private_key_file}
}
}
END
}
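#######################################
# Derive this host's IKE identity from the interface used to reach a peer.
# Arguments: $1 - peer address (route lookup target)
# Globals:   my_mac (written; read by write_config) - the part of the
#            interface's fe80:: link-local address after "fe80::"
# Returns:   1 if no route/device or no link-local address was found
# NOTE(review): despite the name this is the link-local interface identifier,
# which equals the MAC-derived EUI-64 only when the address was formed that way;
# with stable-privacy or random IIDs it is not MAC-based.
#######################################
get_my_mac()
{
  local iface
  iface=$(ip -oneline route get "$1" | sed -ne 's/.* dev \([^ ]*\) .*/\1/p')
  [ "$iface" ] || return 1
  # Keep only the first link-local address: an interface with several would
  # otherwise yield a multi-line value and a corrupt "id =" line in the config.
  my_mac=$(ip -oneline -6 addr show dev "$iface" | sed -ne 's/.* inet6 fe80::\([^/]*\)\/.*/\1/p' | head -n 1)
  [ "$my_mac" ]
}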
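#######################################
# Dry-run guard: run "$@" unless the NO_ACT variable is non-empty.
# Globals:   NO_ACT (read)
# Arguments: the command and its arguments
# Outputs:   in dry-run mode, the skipped command on stderr (mirrors the
#            "mv ..." report that write_successfully gives) so a dry run
#            shows every step it would take instead of silently dropping it
# Returns:   the command's status, or 0 when skipped
#######################################
NO_ACT()
{
  if [ "$NO_ACT" ]; then
    printf 'NO_ACT: skipping:' >&2
    printf ' %s' "$@" >&2
    printf '\n' >&2
    return 0
  fi
  "$@"
}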
#######################################
# Write the swanctl connection file for the router.
# Globals:   ROUTER_IP, ROUTER_NAME (read); my_mac (read, set by get_my_mac)
# Outputs:   /etc/swanctl/conf.d/<ROUTER_NAME>.conf via write_successfully
# Returns:   1 if the local identity could not be derived; else write status
#######################################
write_config()
{
  local conf=/etc/swanctl/conf.d/"$ROUTER_NAME".conf
  if ! get_my_mac "$ROUTER_IP"; then
    return 1
  fi
  write_successfully "$conf" -- config "$ROUTER_NAME" "$ROUTER_IP" "$my_mac"
}
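#######################################
# Restart the IKE daemon with the freshly written connection and bring it up.
# Every daemon-side step goes through NO_ACT so a dry run touches nothing;
# write_config honours $NO_ACT inside write_successfully.
# Globals:   ROUTER_NAME (read), NO_ACT (read via NO_ACT())
#######################################
test_new_config()
{
  NO_ACT ipsec stop
  write_config
  NO_ACT ipsec start
  NO_ACT sleep 2
  NO_ACT swanctl -c
  NO_ACT ipsec listpubkeys
  # Quoted: the original unquoted ${ROUTER_NAME} would word-split/glob.
  NO_ACT ipsec up "$ROUTER_NAME"
}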
main()
{
  keycopy
  test_new_config
}

# Dry run as checked in: with NO_ACT=y, write_successfully only reports the
# mv it would do and NO_ACT() skips the daemon commands. Clear it in the
# script to apply for real.
NO_ACT=y
# No pipefail under #!/bin/sh; each function checks its own critical steps.
set -e
main "$@"