fix: support fingerprint mode in client management operations (#1446)

## Summary

Fixes fingerprint mode (OpenVPN 2.6+ peer-fingerprint authentication)
which was broken for client management operations.

### CI Fix
Docker environment variables (`AUTH_MODE`, etc.) weren't being passed to
the systemd service running tests. Added `PassEnvironment` directive to
fix this.

### Script Fixes
In fingerprint mode, `easyrsa self-sign-*` commands don't
create/maintain `index.txt`, but several functions depended on it.

**Fixed operations:**
- `selectClient()`: uses fingerprints from server.conf instead of
index.txt
- `listClients()`: scans certs in pki/issued/, marks those without
fingerprint as revoked
- `newClient()`: duplicate check works in fingerprint mode, cleans up
revoked cert files for name reuse
- `revokeClient()`: removes fingerprint from server.conf, keeps cert for
listing
- `renewClient()`: uses `self-sign-client` instead of `easyrsa renew`
- `renewServer()`: uses `self-sign-server` + regenerates all client
configs (they embed server fingerprint)

**New helpers:**
- `getAuthMode()` - returns "pki" or "fingerprint"
- `getClientsFromFingerprints()` - parses client names from server.conf
- `clientExistsInFingerprints()` - checks client existence
- `getCertExpiry()` - extracts expiry date/days from cert file
- `removeCertFiles()` - removes cert/key/req files for regeneration
- `extractFingerprint()` - gets SHA256 fingerprint from cert

Fixes #1444
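The helpers described above work from the `<peer-fingerprint>` block in server.conf rather than from easy-rsa's `index.txt`. The following POSIX shell is an added example, not code from the commit or from the openvpn-install project, showing the shape of such helpers: listing client names from the block, checking whether a client exists, dropping one client's fingerprint (the `revokeClient()` behaviour) and validating that a fingerprint is a well-formed SHA256 value. It assumes the block layout the project uses, namely a `# <client name>` comment line immediately followed by that client's fingerprint line; the sample server.conf and the fingerprints in it are constructed and not real.

```shell
#!/bin/sh
# Added example (not the project's code). ASSUMPTION: inside
# <peer-fingerprint> ... </peer-fingerprint> each fingerprint line is
# preceded by a "# <client name>" comment line. Names are assumed to be
# plain [A-Za-z0-9_-] strings (no awk/regex metacharacters).

# Constructed sample fingerprints: 32 colon-separated hex bytes each.
FP_ALICE='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
FP_BOB='FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# writeSampleConf <path>: write a constructed server.conf for the demo.
writeSampleConf() {
    cat > "$1" <<EOF
port 1194
proto udp
<peer-fingerprint>
# alice
$FP_ALICE
# bob
$FP_BOB
</peer-fingerprint>
verb 3
EOF
}

# getClientsFromFingerprints <conf>: print one client name per line,
# taken from the comment lines inside the peer-fingerprint block only.
getClientsFromFingerprints() {
    awk '
        /^<peer-fingerprint>/   { inblock = 1; next }
        /^<\/peer-fingerprint>/ { inblock = 0 }
        inblock && /^# /        { print substr($0, 3) }
    ' "$1"
}

# clientExistsInFingerprints <conf> <name>: exit 0 if the name is listed.
clientExistsInFingerprints() {
    getClientsFromFingerprints "$1" | grep -qx -- "$2"
}

# removeClientFingerprint <conf> <name>: delete the "# name" comment and
# the fingerprint line that follows it; everything else is left intact.
# The cert files are deliberately not touched, matching the description
# of revokeClient() keeping the cert so listClients() can show it.
removeClientFingerprint() {
    awk -v name="$2" '
        /^<peer-fingerprint>/         { inblock = 1 }
        /^<\/peer-fingerprint>/       { inblock = 0 }
        inblock && skip               { skip = 0; next }   # drop fingerprint line
        inblock && $0 == "# " name    { skip = 1; next }   # drop name comment
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# countFingerprints <conf>: number of fingerprint-looking lines in the block.
countFingerprints() {
    awk '
        /^<peer-fingerprint>/   { inblock = 1; next }
        /^<\/peer-fingerprint>/ { inblock = 0 }
        inblock && /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# isSha256Fingerprint <value>: exit 0 only for exactly 32 hex bytes
# separated by colons, the form OpenVPN expects in peer-fingerprint.
isSha256Fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$'
}

# Demo: list clients, revoke alice, list again.
demo() {
    conf=$(mktemp)
    writeSampleConf "$conf"
    echo "clients: $(getClientsFromFingerprints "$conf" | tr '\n' ' ')"
    removeClientFingerprint "$conf" alice
    echo "after revoking alice: $(getClientsFromFingerprints "$conf" | tr '\n' ' ')"
    rm -f "$conf"
}
demo
```

Keeping the name comment and the fingerprint on adjacent lines is what makes the removal safe: the awk program only ever drops the matched comment and the single line after it, so a typo in the name removes nothing rather than the wrong peer.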
Stanislas
2025-12-29 17:04:45 +01:00
committed by GitHub
parent 62e98f79e0
commit 28050efa50
3 changed files with 275 additions and 79 deletions


@@ -203,7 +203,7 @@ if [ "$DUPLICATE_EXIT_CODE" -ne 1 ]; then
cat "$DUPLICATE_OUTPUT"
exit 1
fi
if grep -q "The specified client CN was already found in easy-rsa" "$DUPLICATE_OUTPUT"; then
if grep -q "The specified client CN was already found" "$DUPLICATE_OUTPUT"; then
echo "PASS: Duplicate client name correctly rejected with exit code 1"
else
echo "FAIL: Expected error message for duplicate client name not found"
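Review bot: loosening the expected text to `The specified client CN was already found` lets the duplicate-name test pass under both the easy-rsa wording and the fingerprint-mode wording, but the assertion no longer confirms that the rejection came from the code path appropriate to the mode under test. Consider choosing the expected suffix from `AUTH_MODE` (the full `... in easy-rsa` message for pki runs, the fingerprint-mode message otherwise) so a fingerprint-mode run that fell back to the index.txt lookup would still fail the test. Since the pattern is a literal string, `grep -qF` would also rule out accidental regex interpretation.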
@@ -538,6 +538,11 @@ done
# Allow routing to stabilize after renewal restart
sleep 3
# Update shared client config after server renewal (fingerprint changed)
cp /root/testclient.ovpn /shared/client.ovpn
sed -i 's/^remote .*/remote openvpn-server 1194/' /shared/client.ovpn
echo "Updated client config with new server fingerprint"
# =====================================================
# Verify Unbound DNS resolver (started by systemd via install script)
# =====================================================
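Review bot: the `cp /root/testclient.ovpn /shared/client.ovpn` step assumes `renewServer()` already regenerated `/root/testclient.ovpn` with the new server fingerprint, but nothing in the hunk verifies that; if regeneration silently failed, the stale config would be propagated and the eventual connection failure would be hard to attribute to this step. Suggest reading the `<peer-fingerprint>` value from the client config before the renewal and asserting after it that the value changed, and guarding the copy with `cp ... || { echo "FAIL: client config not regenerated"; exit 1; }` so the test stops here rather than later. The `sed` rewrite of the `remote` line itself looks correct.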