Move vpn key generation functions into initial mesh setup script

src/freedombone-image-mesh

@@ -31,8 +31,6 @@ PROJECT_NAME='freedombone'
 export TEXTDOMAIN=${PROJECT_NAME}-image-mesh
 export TEXTDOMAINDIR="/usr/share/locale"
 
-source /usr/local/bin/${PROJECT_NAME}-app-vpn
-
 # The browser application to use
 BROWSER=midori
 BROWSER_OPTIONS='-p'
@@ -74,6 +72,17 @@ IPFS_PORT=4001
 
 CURRENT_BLOG_INDEX=/home/$MY_USERNAME/.blog-index
 
+OPENVPN_SERVER_NAME="server"
+OPENVPN_KEY_FILENAME='client.ovpn'
+VPN_COUNTRY_CODE="US"
+VPN_AREA="Apparent Free Speech Zone"
+VPN_LOCATION="Freedomville"
+VPN_ORGANISATION="Freedombone"
+VPN_UNIT="Freedombone Unit"
+STUNNEL_PORT=3439
+VPN_TLS_PORT=553
+VPN_MESH_TLS_PORT=653
+
 # Debian stretch has a problem where the formerly predictable wlan0 and eth0
 # device names get assigned random names. This is a hacky workaround.
 # Also adding net.ifnames=0 to kernel options on bootloader may work.
@@ -556,6 +565,198 @@ function setup_tahoelafs {
     echo $'Configured Tahoe-LAFS' >> $INSTALL_LOG
 }
 
+function create_user_vpn_key {
+    username=$1
+
+    if [ ! -d /home/$username ]; then
+        return
+    fi
+
+    echo $"Creating VPN key for $username" >> /var/log/${PROJECT_NAME}.log
+
+    cd /etc/openvpn/easy-rsa
+
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.crt
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.key
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/$username.csr ]; then
+        rm /etc/openvpn/easy-rsa/keys/$username.csr
+    fi
+
+    sed -i 's| --interact||g' build-key
+    ./build-key "$username"
+
+    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.crt ]; then
+        echo $'VPN user cert not generated' >> /var/log/${PROJECT_NAME}.log
+        exit 783528
+    fi
+    user_cert=$(cat /etc/openvpn/easy-rsa/keys/$username.crt)
+    if [ ${#user_cert} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/$username.crt
+        echo $'User cert generation failed' >> /var/log/${PROJECT_NAME}.log
+        exit 634659
+    fi
+    if [ ! -f /etc/openvpn/easy-rsa/keys/$username.key ]; then
+        echo $'VPN user key not generated'
+        exit 682523
+    fi
+    user_key=$(cat /etc/openvpn/easy-rsa/keys/$username.key)
+    if [ ${#user_key} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/$username.key
+        echo $'User key generation failed'
+        exit 285838
+    fi
+
+    user_vpn_cert_file=/home/$username/$OPENVPN_KEY_FILENAME
+
+    echo 'client' > $user_vpn_cert_file
+    echo 'dev tun' >> $user_vpn_cert_file
+    echo 'proto tcp' >> $user_vpn_cert_file
+    echo "remote localhost $STUNNEL_PORT" >> $user_vpn_cert_file
+    echo "route $DEFAULT_DOMAIN_NAME 255.255.255.255 net_gateway" >> $user_vpn_cert_file
+    echo 'resolv-retry infinite' >> $user_vpn_cert_file
+    echo 'nobind' >> $user_vpn_cert_file
+    echo 'tun-mtu 1500' >> $user_vpn_cert_file
+    echo 'tun-mtu-extra 32' >> $user_vpn_cert_file
+    echo 'mssfix 1450' >> $user_vpn_cert_file
+    echo 'persist-key' >> $user_vpn_cert_file
+    echo 'persist-tun' >> $user_vpn_cert_file
+    echo 'auth-nocache' >> $user_vpn_cert_file
+    echo 'remote-cert-tls server' >> $user_vpn_cert_file
+    echo 'comp-lzo' >> $user_vpn_cert_file
+    echo 'verb 3' >> $user_vpn_cert_file
+    echo '' >> $user_vpn_cert_file
+
+    echo '<ca>' >> $user_vpn_cert_file
+    cat /etc/openvpn/ca.crt >> $user_vpn_cert_file
+    echo '</ca>' >> $user_vpn_cert_file
+
+    echo '<cert>' >> $user_vpn_cert_file
+    cat /etc/openvpn/easy-rsa/keys/$username.crt >> $user_vpn_cert_file
+    echo '</cert>' >> $user_vpn_cert_file
+
+    echo '<key>' >> $user_vpn_cert_file
+    cat /etc/openvpn/easy-rsa/keys/$username.key >> $user_vpn_cert_file
+    echo '</key>' >> $user_vpn_cert_file
+
+    chown $username:$username $user_vpn_cert_file
+
+    # keep a backup
+    cp $user_vpn_cert_file /etc/openvpn/easy-rsa/keys/$username.ovpn
+
+    #rm /etc/openvpn/easy-rsa/keys/$username.crt
+    #rm /etc/openvpn/easy-rsa/keys/$username.csr
+    shred -zu /etc/openvpn/easy-rsa/keys/$username.key
+
+    echo $"VPN key created at $user_vpn_cert_file" >> /var/log/${PROJECT_NAME}.log
+}
+
+function vpn_generate_keys {
+    # generate host keys
+    if [ ! -f /etc/openvpn/dh2048.pem ]; then
+        ${PROJECT_NAME}-dhparam -o /etc/openvpn/dh2048.pem
+    fi
+    if [ ! -f /etc/openvpn/dh2048.pem ]; then
+        echo $'vpn dhparams were not generated' >> /var/log/${PROJECT_NAME}.log
+        exit 73724523
+    fi
+    cp /etc/openvpn/dh2048.pem /etc/openvpn/easy-rsa/keys/dh2048.pem
+
+    cd /etc/openvpn/easy-rsa
+    . ./vars
+    ./clean-all
+    vpn_openssl_version='1.0.0'
+    if [ ! -f openssl-${vpn_openssl_version}.cnf ]; then
+        echo $"openssl-${vpn_openssl_version}.cnf was not found" >> /var/log/${PROJECT_NAME}.log
+        exit 7392353
+    fi
+    cp openssl-${vpn_openssl_version}.cnf openssl.cnf
+
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key
+    fi
+    if [ -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr ]; then
+        rm /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.csr
+    fi
+    sed -i 's| --interact||g' build-key-server
+    sed -i 's| --interact||g' build-ca
+    ./build-ca
+    ./build-key-server ${OPENVPN_SERVER_NAME}
+    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt ]; then
+        echo $'OpenVPN crt not found' >> /var/log/${PROJECT_NAME}.log
+        exit 7823352
+    fi
+    server_cert=$(cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt)
+    if [ ${#server_cert} -lt 10 ]; then
+        cat /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.crt
+        echo $'Server cert generation failed' >> /var/log/${PROJECT_NAME}.log
+        exit 3284682
+    fi
+
+    if [ ! -f /etc/openvpn/easy-rsa/keys/${OPENVPN_SERVER_NAME}.key ]; then
+        echo $'OpenVPN key not found' >> /var/log/${PROJECT_NAME}.log
+        exit 6839436
+    fi
+    if [ ! -f /etc/openvpn/easy-rsa/keys/ca.key ]; then
+        echo $'OpenVPN ca not found' >> /var/log/${PROJECT_NAME}.log
+        exit 7935203
+    fi
+    cp /etc/openvpn/easy-rsa/keys/{$OPENVPN_SERVER_NAME.crt,$OPENVPN_SERVER_NAME.key,ca.crt} /etc/openvpn
+
+    create_user_vpn_key ${MY_USERNAME}
+}
+
+function generate_stunnel_keys {
+    echo "Creating stunnel keys" >> /var/log/${PROJECT_NAME}.log
+    openssl req -x509 -nodes -days 3650 -sha256 \
+            -subj "/O=$VPN_ORGANISATION/OU=$VPN_UNIT/C=$VPN_COUNTRY_CODE/ST=$VPN_AREA/L=$VPN_LOCATION/CN=$HOSTNAME" \
+            -newkey rsa:2048 -keyout /etc/stunnel/key.pem \
+            -out /etc/stunnel/cert.pem
+    if [ ! -f /etc/stunnel/key.pem ]; then
+        echo $'stunnel key not created' >> /var/log/${PROJECT_NAME}.log
+        exit 793530
+    fi
+    if [ ! -f /etc/stunnel/cert.pem ]; then
+        echo $'stunnel cert not created' >> /var/log/${PROJECT_NAME}.log
+        exit 204587
+    fi
+    chmod 400 /etc/stunnel/key.pem
+    chmod 640 /etc/stunnel/cert.pem
+
+    cat /etc/stunnel/key.pem /etc/stunnel/cert.pem >> /etc/stunnel/stunnel.pem
+    chmod 640 /etc/stunnel/stunnel.pem
+
+    openssl pkcs12 -export -out /etc/stunnel/stunnel.p12 -inkey /etc/stunnel/key.pem -in /etc/stunnel/cert.pem -passout pass:
+    if [ ! -f /etc/stunnel/stunnel.p12 ]; then
+        echo $'stunnel pkcs12 not created' >> /var/log/${PROJECT_NAME}.log
+        exit 639353
+    fi
+    chmod 640 /etc/stunnel/stunnel.p12
+
+    cp /etc/stunnel/stunnel.pem /home/$MY_USERNAME/stunnel.pem
+    cp /etc/stunnel/stunnel.p12 /home/$MY_USERNAME/stunnel.p12
+    chown $MY_USERNAME:$MY_USERNAME $prefix$userhome/stunnel*
+    echo "stunnel keys created" >> /var/log/${PROJECT_NAME}.log
+}
+
+function mesh_setup_vpn {
+    vpn_generate_keys
+
+    cp /etc/stunnel/stunnel-client.conf /home/$MY_USERNAME/stunnel-client.conf
+    chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/stunnel*
+
+    generate_stunnel_keys
+
+    systemctl restart openvpn
+}
+
+
 # whether to reset the identity
 set_new_identity=
 if [ $2 ]; then
@@ -596,6 +797,11 @@ if [ -f $MESH_INSTALL_SETUP ]; then
         rm -rf /home/$MY_USERNAME/.ssb
     fi
 
+    # Remove vpn keys
+    if [ -d /etc/openvpn/easy-rsa/keys ]; then
+        rm -rf /etc/openvpn/easy-rsa/keys/*
+    fi
+
     echo $'Beginning mesh node setup' >> $INSTALL_LOG
 
     if [ -d /home/$MY_USERNAME/.config ]; then