diff --git a/README.md b/README.md index f657114..98f3acf 100644 --- a/README.md +++ b/README.md @@ -60,8 +60,8 @@ The configurations generated by this tool will not need multiple files but inclu After you've set up your folder (you also could use one of the example configurations in the [`example` folder](https://github.com/Luzifer/vault-openvpn/tree/master/example) of this repository) you can issue your servers configuration: -```bash -# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io +```console +$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io server 10.231.0.0 255.255.255.0 route 10.231.0.0 255.255.255.0 @@ -70,8 +70,8 @@ route 10.231.0.0 255.255.255.0 And also you can generate client configurations: -```bash -# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io +```console +$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io remote myserver.com 1194 udp [...] @@ -79,8 +79,8 @@ remote myserver.com 1194 udp In case someone needs to get removed from your OpenVPN there is also a revoke: -```bash -# vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io +```console +$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io [...] 2016/07/25 15:06:58 Found certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0 with CN baduser.openvpn.luzifer.io 2016/07/25 15:06:58 Revoked certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0 @@ -88,3 +88,32 @@ In case someone needs to get removed from your OpenVPN there is also a revoke: ``` To have revokes being executed by OpenVPN you need to periodically update the CRL file OpenVPN reads. For my solution see the `living-example` in the `example` folder. + +## Using TLS authentication +OpenVPN highly recommends using TLS authentication hardening, see [GettingStartedwithOVPN](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#TLSAuthentication). + +This requires the use of a pre-shared key: If you want to use it, you will first need to generate a TLS authentication key and then upload it into vault: + +```console +$ openvpn --genkey --secret openvpn.key +$ vault kv put secret/ovpn key=@openvpn.key +``` + +In the above example we call the secret "ovpn" but you can call it anything you want, as long as it is a known value. +The key must be placed into both the client and server configurations and must match. Edit both config templates to include a section as shown below: + +``` + +{{ .TLSAuth }} + +``` + +Now run vault-openvpn passing in the name of the secret that holds our key, e.g. + +```console +# for the server config +$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io + +# for the client config +$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io +``` diff --git a/main.go b/main.go index 9ca75a4..5cb8a2b 100644 --- a/main.go +++ b/main.go @@ -45,6 +45,7 @@ var ( AutoRevoke bool `flag:"auto-revoke" vardefault:"auto-revoke" description:"Automatically revoke older certificates for this FQDN"` CertTTL time.Duration `flag:"ttl" vardefault:"ttl" description:"Set the TTL for this certificate"` + OVPNKey string `flag:"ovpn-key" vardefault:"ovpn-key" description:"Specify a secret name that holds an OpenVPN shared key"` LogLevel string `flag:"log-level" vardefault:"log-level" description:"Log level to use (debug, info, warning, error)"` Sort string `flag:"sort" vardefault:"sort" description:"How to sort list output (fqdn, issuedate, expiredate)"` @@ -53,13 +54,14 @@ var ( }{} defaultConfig = map[string]string{ + "auto-revoke": "true", + "log-level": "info", + "ovpn-key": "", "pki-mountpoint": "/pki", "pki-role": "openvpn", - "auto-revoke": "true", - "ttl": "8760h", - "log-level": "info", "sort": "fqdn", "template-path": ".", + "ttl": "8760h", } version = "dev" @@ -71,6 +73,7 @@ type templateVars struct { CertAuthority string Certificate string PrivateKey string + TLSAuth string } type listCertificatesTableRow struct { @@ -290,6 +293,13 @@ func generateCertificateConfig(tplName, fqdn string) error { tplv.CertAuthority = caCert + if cfg.OVPNKey != "" { + tplv.TLSAuth, err = fetchOVPNKey() + if err != nil { + return fmt.Errorf("Could not fetch TLSAuth key: %s", err) + } + } + if err := renderTemplate(tplName, tplv); err != nil { return fmt.Errorf("Could not render configuration: %s", err) } @@ -434,6 +444,26 @@ func getCACert() (string, error) { return cs.Data["certificate"].(string), nil } +func fetchOVPNKey() (string, error) { + path := strings.Trim(cfg.OVPNKey, "/") + secret, err := client.Logical().Read(path) + + if err != nil { + return "", err + } + + if secret == nil || secret.Data == nil { + return "", errors.New("Got no data from backend") + } + + key, ok := secret.Data["key"] + if !ok { + return "", errors.New("Within specified secret no entry named 'key' was found") + } + + return key.(string), nil +} + func generateCertificate(fqdn string) (*templateVars, error) { path := strings.Join([]string{strings.Trim(cfg.PKIMountPoint, "/"), "issue", cfg.PKIRole}, "/") secret, err := client.Logical().Write(path, map[string]interface{}{