Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-12-14 16:17:03 +01:00
Code Issues Projects Releases Wiki Activity

feat: support headless client revocation by name (#1387)

Browse Source 
Add support for revoking clients by setting the CLIENT environment
variable directly with the client name, in addition to the existing
CLIENTNUMBER support (from
https://github.com/angristan/openvpn-install/pull/1328)

This makes headless revocation more user-friendly as users no longer
need to know the client's index number.
This commit is contained in:
Stanislas
2025-12-13 20:18:07 +01:00
committed by GitHub
parent 9fd183caed
commit 9175c2c221
3 changed files with 34 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@@ -122,6 +122,28 @@ export PASS="1" # set to "2" for a password-protected client, and set PASSPHRASE
./openvpn-install.sh ./openvpn-install.sh
``` ```
### Headless User Revocation
It's also possible to automate the revocation of an existing user. The key is to provide the `MENU_OPTION` variable set to `2` along with either `CLIENT` (client name) or `CLIENTNUMBER` (1-based index from the client list).
The following Bash script revokes the existing user `foo`:
```bash
#!/bin/bash
export MENU_OPTION="2"
export CLIENT="foo"
./openvpn-install.sh
```
Alternatively, you can use the client number:
```bash
#!/bin/bash
export MENU_OPTION="2"
export CLIENTNUMBER="1" # Revokes the first client in the list
./openvpn-install.sh
```
## Features ## Features
- Installs and configures a ready-to-use OpenVPN server - Installs and configures a ready-to-use OpenVPN server

9
openvpn-install.sh
View File

@@ -1627,6 +1627,15 @@ function selectClient() {
log_fatal "You have no existing clients!" log_fatal "You have no existing clients!"
fi fi
# If CLIENT is set, validate it exists as a valid client
if [[ -n $CLIENT ]]; then
if tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | cut -d '=' -f 2 | grep -qx "$CLIENT"; then
return
else
log_fatal "Client '$CLIENT' not found or not valid"
fi
fi
if [[ $show_expiry == "true" ]]; then if [[ $show_expiry == "true" ]]; then
local i=1 local i=1
while read -r client; do while read -r client; do

14
test/server-entrypoint.sh
View File

@@ -501,19 +501,11 @@ if [ ! -f /shared/revoke-client-disconnected ]; then
fi fi
echo "Client disconnected" echo "Client disconnected"
# Now revoke the certificate # Now revoke the certificate using the new CLIENT name feature
echo "Revoking certificate for '$REVOKE_CLIENT'..." echo "Revoking certificate for '$REVOKE_CLIENT'..."
REVOKE_OUTPUT="/tmp/revoke-output.log" REVOKE_OUTPUT="/tmp/revoke-output.log"
# MENU_OPTION=3 is revoke, CLIENTNUMBER is dynamically determined from index.txt # MENU_OPTION=3 is revoke, CLIENT specifies the client name directly
# We need to find the client number for revoketest (MENU_OPTION=3 CLIENT=$REVOKE_CLIENT bash /opt/openvpn-install.sh) 2>&1 | tee "$REVOKE_OUTPUT" || true
REVOKE_CLIENT_NUM=$(tail -n +2 /etc/openvpn/server/easy-rsa/pki/index.txt | grep "^V" | grep -n "CN=$REVOKE_CLIENT\$" | cut -d: -f1)
if [ -z "$REVOKE_CLIENT_NUM" ]; then
echo "ERROR: Could not find client number for '$REVOKE_CLIENT'"
cat /etc/openvpn/server/easy-rsa/pki/index.txt
exit 1
fi
echo "Revoke client number: $REVOKE_CLIENT_NUM"
(MENU_OPTION=3 CLIENTNUMBER=$REVOKE_CLIENT_NUM bash /opt/openvpn-install.sh) 2>&1 | tee "$REVOKE_OUTPUT" || true
if grep -q "Certificate for client $REVOKE_CLIENT revoked" "$REVOKE_OUTPUT"; then if grep -q "Certificate for client $REVOKE_CLIENT revoked" "$REVOKE_OUTPUT"; then
echo "PASS: Certificate for '$REVOKE_CLIENT' revoked successfully" echo "PASS: Certificate for '$REVOKE_CLIENT' revoked successfully"