From 9c50bb28940b944f6e5543775b7ee14ff2b7b492 Mon Sep 17 00:00:00 2001 From: Simon Reinisch Date: Sun, 2 Jun 2024 14:16:24 +0200 Subject: [PATCH] Trim generated .ovpn files and add cli --- README.md | 18 ++++----------- clients.sh | 41 +++++++++++++++++++++++++++++++++ genclients.sh | 35 ---------------------------- openvpn-docker/bin/genclient.sh | 2 +- openvpn/config/client.conf | 2 +- openvpn/config/server.conf | 3 +++ 6 files changed, 51 insertions(+), 50 deletions(-) create mode 100755 clients.sh delete mode 100755 genclients.sh diff --git a/README.md b/README.md index 6a7d099..1482721 100644 --- a/README.md +++ b/README.md @@ -80,26 +80,18 @@ The pihole admin dashboard can only be reached through the vpn under [http://pi. > This file will be used as base-configuration for each `.ovpn` file! You probably at least want to change the IP address to your public one. ```sh -sudo docker exec openvpn bash /opt/app/bin/genclient.sh -``` - -You can find you `.ovpn` file under `/openvpn/clients/.ovpn`, make sure to change the remote ip-address / port / protocol. - -#### Generating a list of certificates - -This repo contains a script [genclients](genclients.sh) that can be used to generate a list of clients with the current year as suffix: - -```sh -./genclients [ ... ] +./clients.sh add ``` ### Revoking `.ovpn` files ```sh -sudo docker exec openvpn bash /opt/app/bin/rmclient.sh +./clients.sh remove ``` -Revoked certificates won't kill active connections, you'll have to restart the service if you want the user to immediately disconnect: +> [!WARNING] +> Revoked certificates won't kill active connections, you'll have to restart the service if you want the user to immediately disconnect: + ```sh sudo docker compose restart openvpn ``` diff --git a/clients.sh b/clients.sh new file mode 100755 index 0000000..b00d3a9 --- /dev/null +++ b/clients.sh 
@@ -0,0 +1,41 @@ +#!/bin/bash + +SCRIPT_NAME='./clients' + +# Function to add clients +add_clients() { + local password=$1 + shift + for name in "$@"; do + sudo docker exec openvpn bash /opt/app/bin/genclient.sh "$name" "$password" + done +} + +# Function to remove clients +remove_clients() { + for name in "$@"; do + sudo docker exec openvpn bash /opt/app/bin/rmclient.sh "$name" + done +} + +# Main script logic +case "$1" in + add) + if [ "$#" -lt 3 ]; then + echo "Usage: $SCRIPT_NAME add " + exit 1 + fi + add_clients "$2" "${@:3}" + ;; + remove) + if [ "$#" -lt 2 ]; then + echo "Usage: $SCRIPT_NAME remove " + exit 1 + fi + remove_clients "${@:2}" + ;; + *) + echo "Usage: $SCRIPT_NAME {add|remove} " + exit 1 + ;; +esac diff --git a/genclients.sh b/genclients.sh deleted file mode 100755 index 1d7e50a..0000000 --- a/genclients.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/bash - -# Check if the correct number of arguments is provided -if [ $# -lt 2 ]; then - echo "Usage: $0 [ ... ]" - exit 1 -fi - -# Check if the 'openvpn' container is running -if ! sudo docker ps --format '{{.Names}}' | grep -q '^openvpn$'; then - echo "Error: The 'openvpn' container is not running." - exit 1 -fi - -# Get the password (first argument) -password="$1" -username_suffix=$(date +%Y) -error_log_file="genclients_log.txt" - -# Shift the arguments to exclude the password and process only the usernames -shift - -# Loop through the remaining arguments (usernames) and create clients for each -for username in "$@"; do - username="$username-$username_suffix" - sudo docker exec openvpn bash /opt/app/bin/genclient.sh "$username" "$password" >>/dev/null 2>>"$error_log_file" - - if [ $? -eq 0 ]; then - echo "Client '$username' created successfully." - else - echo "Error creating client '$username'. Check out '$error_log_file' for more info." - fi -done - -echo "Done." diff --git a/openvpn-docker/bin/genclient.sh b/openvpn-docker/bin/genclient.sh index 38a0e15..111d5f7 100644 
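Review bot: `SCRIPT_NAME='./clients'` names a file this commit does not create, so all three usage lines point users at `./clients` while the README in the same commit documents `./clients.sh add`; `SCRIPT_NAME=${0##*/}` keeps the message tied to the real filename. Neither loop looks at the `docker exec` exit status, so a failing `genclient.sh` or `rmclient.sh` run is silent and the script still exits 0, which is a step back from the deleted genclients.sh that reported each failure; the rewrite below reports the client that failed and returns non-zero, and the same pattern applies to `remove_clients`. The password is taken as `$2`, so it ends up in the caller's shell history and, for the lifetime of the `docker exec`, in the host process list visible to other local users; since the in-container genclient.sh also takes it on argv a complete fix needs that side as well, but prompting with `read -rs -p 'Password: ' password` instead of reading `$2` would at least keep it out of history. The `<…>` placeholders in the usage strings appear to have been lost in rendering, so I cannot tell whether they are complete in the file itself.
```shell
SCRIPT_NAME=${0##*/}

# Function to add clients; prints each failed name and returns non-zero if any failed
add_clients() {
  local password=$1 name rc=0
  shift
  for name in "$@"; do
    sudo docker exec openvpn bash /opt/app/bin/genclient.sh "$name" "$password" \
      || { printf 'failed to add client %s\n' "$name" >&2; rc=1; }
  done
  return "$rc"
}

# … unchanged: remove_clients (apply the same exit-status check) …

case "$1" in
  add)
    # … unchanged: argument count check …
    add_clients "$2" "${@:3}" || exit 1
    ;;
  # … unchanged: remove and default arms …
esac
```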
--- a/openvpn-docker/bin/genclient.sh +++ b/openvpn-docker/bin/genclient.sh @@ -46,7 +46,7 @@ echo 'Sync pki directory...' cp -r ./pki/. /etc/openvpn/pki echo 'Generate .ovpn file...' -echo "$(cat /etc/openvpn/config/client.conf) +echo "$(grep -vE '^#|^$|^;' /etc/openvpn/config/client.conf) $CA diff --git a/openvpn/config/client.conf b/openvpn/config/client.conf index c27ef6d..93bdcb5 100644 --- a/openvpn/config/client.conf +++ b/openvpn/config/client.conf @@ -118,5 +118,5 @@ verb 3 # Silence repeating messages ;mute 20 -# Use the inlined key +# Specify key direction for tls-auth key-direction 1 diff --git a/openvpn/config/server.conf b/openvpn/config/server.conf index e202efa..fb6dd52 100644 --- a/openvpn/config/server.conf +++ b/openvpn/config/server.conf @@ -313,3 +313,6 @@ explicit-exit-notify 1 # Instruct the OpenVPN server to check the certificate revocation list # every time a user tries to connect to this instance. crl-verify pki/crl.pem + +# Specify key direction for tls-auth +key-direction 0
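Review bot: The new `grep -vE '^#|^$|^;'` only drops comment and blank lines anchored at column 0, so an indented `# …` or `; …` line or a whitespace-only line in client.conf is still copied into every generated .ovpn; `grep -vE '^[[:space:]]*(#|;|$)'` covers those cases as well. A one-line comment above it stating the intent, `# Strip comments and blank lines so the inlined .ovpn stays small`, would make clear the trimming is deliberate and not a filter on directives. The multi-line `echo "…` that this line opens continues past the hunk, so the closing quote and the inlined `$CA`/key blocks are not visible here.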
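Review bot: `key-direction 0` only takes effect when a `tls-auth` directive exists elsewhere in server.conf and is ignored under `tls-crypt`; the hunk does not show that directive, so it is worth confirming tls-auth is in use and that its own line does not already carry a direction argument (`tls-auth ta.key 0` plus this line is redundant but harmless, whereas a bare `tls-auth ta.key` becomes directional with this change). Since client.conf sets `key-direction 1`, the two values must remain inverses; spelling that out in the comment, e.g. `# Must be the inverse of the clients' key-direction 1 (tls-auth only; ignored with tls-crypt)`, would stop a later edit from flipping only one side. The same pairing note applies to the client.conf comment change in this commit.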