ovpn_client added detection for tls-crypt or tls-auth

SloCompTech · SloCompTech · commit 6d4df9c89dcb · 2019-03-19T23:51:24.000+01:00
Added detection to `ovpn_client` to detect if `tls-crypt` or `tls-auth` is present in server config so it adds `ta.key` to generated client config.
diff --git a/root/app/bin/ovpn_client b/root/app/bin/ovpn_client
@@ -31,6 +31,16 @@ function build_ovpn() {
             cat $file
         done
 
+        # Check if server config is using tls-crypt or tls-auth
+        local crypto=""
+        for srv_file in $OVPN_ROOT/openvpn/server/*.conf
+        do
+            crypto="$(ovpn_findopt $srv_file tls-crypt tls-auth)"
+            if [ -n "$crypto" ]; then
+                break
+            fi
+        done
+
         # CA
         echo "<ca>"
         cat $EASYRSA_PKI/ca.crt
@@ -47,10 +57,17 @@ function build_ovpn() {
         cat $EASYRSA_PKI/private/$1.key
         echo "</key>"
 
-        # tls-crypt
-        echo "<tls-crypt>"
-        cat $EASYRSA_PKI/ta.key
-        echo "</tls-crypt>"
+        if [ "$crypto" = "tls-crypt" ]; then
+            # tls-crypt
+            echo "<tls-crypt>"
+            cat $EASYRSA_PKI/ta.key
+            echo "</tls-crypt>"
+        elif [ "$crypto" = "tls-auth" ]; then
+            # tls-auth
+            echo "<tls-auth>"
+            cat $EASYRSA_PKI/ta.key
+            echo "</tls-auth>"
+        fi
     fi
 }
 
diff --git a/root/app/bin/ovpn_findopt b/root/app/bin/ovpn_findopt
@@ -0,0 +1,28 @@
+#!/usr/bin/python
+
+#
+#   Finds first of specified options in config file
+#   @author Martin Dagarin
+#   @version 1
+#   @since 19/03/2019
+#
+#   Usage: ovpn_findopt <config_file> <opt1> <opt2> <opt3> ...
+#
+import sys
+
+# Import libraries included in this docker
+sys.path.insert(0, '/app/lib')
+import libovpn
+
+if len(sys.argv) < 3:
+    # Invalid command
+    print("")
+    sys.exit(0)
+
+config_file = sys.argv[1]
+found = libovpn.conf_optFindFirst(config_file, sys.argv[2:])
+
+if found is not None:
+    print(found)
+else:
+    print("")
diff --git a/root/app/lib/libovpn.py b/root/app/lib/libovpn.py
@@ -0,0 +1,54 @@
+#!/usr/bin/python
+
+#
+#   Functions to help with scripting
+#   @author Martin Dagarin
+#   @version 1
+#   @since 19/03/2019
+#
+
+#
+#   Checks if OpenVPN file has configuration option enabled
+#   @param file Path to OpenVPN config file
+#   @param opt Option to check for
+#   @return Returns True if found, else false
+#
+
+def conf_hasOpt(file, opt):
+    with open(file, "r") as f:
+        for line in f:
+            line = line.strip()
+            if line.startswith(opt):
+                return True
+        return False
+
+#
+#   Finds option which is enabled in config
+#   @param file Path to OpenVPN config file
+#   @param opts Array of options, which to check
+#   @return Returns first options which was found or None
+#
+def conf_optFindFirst(file, opts):
+    with open(file, "r") as f:
+        for line in f:
+            line = line.strip()
+            for opt in opts:
+                if line.startswith(opt):
+                    return opt
+        return None
+
+#
+#   Replaces $VARIABLES in file with values
+#   @param file Path to file
+#   @param var Array of tuples with key value ("$KEY","VALUE")
+#
+def conf_envsubst(file, vars):
+    with open(file, "r") as f:
+        lines = f.readlines()
+    with open(file, "w") as f:
+        for line in lines:
+            # Dont proces comments
+            if not line.strip().startswith("#"):
+                for kv in vars:
+                    line = line.replace(kv[0],kv[1])
+            f.write(line)
