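#!/usr/bin/env bash
#
# Connect to Sophos SSL VPN via openvpn management interface (same as NM)
#
# Flow: read the VPN password and TOTP secret from the keyring, wait for a
# TOTP step with enough time left, start openvpn as a daemon, push the
# credentials over its management socket, then wait for the tun device.
#
# Requires: secret-tool, oathtool, socat, resolvectl and sudo for openvpn.
# No arguments. Exit 0 once tun0 exists, 1 on any failure.

set -euo pipefail

readonly VPN_USER="d-chrka"
readonly OVPN="/home/d-chrka@internal.lan/Downloads/sslvpn-fixed.ovpn"
readonly LOGFILE="/tmp/vpn-sophos.log"
readonly MGMT_SOCK="/tmp/vpn-mgmt-$$.sock"
readonly DNS_SERVER="172.21.20.201"
# Space-separated list; the --up script turns each entry into a ~routing-domain.
readonly DNS_SEARCH="krah-gruppe.de internal.lan krah.intranet.de hirsau.seuffer resistec.pri krahicenet.local"
readonly CERT_DIR="/home/chk/.local/share/networkmanagement/certificates/nm-openvpn"

# Path of the generated --up script; global so the EXIT trap can remove it.
UP_SCRIPT=""

die() { printf '%s\n' "$*" >&2; exit 1; }

# Remove the generated --up script on every exit path.
# NOTE(review): on success this runs right after tun0 appears; openvpn runs
# --up after opening the device, so a very early removal could in principle
# race the up-script's execution — confirm against the log if DNS is missing.
cleanup() {
  [[ -n "$UP_SCRIPT" ]] && rm -f -- "$UP_SCRIPT"
  return 0
}

# Seconds left in the current 30 s TOTP step (stdout).
totp_remaining() {
  printf '%d' $(( 30 - ($(date +%s) % 30) ))
}

# Block until the current TOTP step has more than 20 s left, so the code is
# still valid by the time openvpn submits it.
wait_for_otp_window() {
  local remaining
  while :; do
    remaining=$(totp_remaining)
    (( remaining > 20 )) && break
    printf 'Waiting for fresh OTP window (%ss remaining)...\n' "$remaining"
    sleep $(( remaining + 1 ))
  done
}

# Write the --up script that points systemd-resolved at the VPN resolver for
# the DNS_SEARCH domains only (no default route). openvpn passes the device
# name as $1. Prints the script path.
write_up_script() {
  local script domains routing
  read -ra domains <<<"$DNS_SEARCH"
  printf -v routing '~%s ' "${domains[@]}"
  # mktemp creates the file 0600, so nobody else can edit what root will run.
  script=$(mktemp /dev/shm/vpn-up-XXXXXX) || die "mktemp failed"
  cat > "$script" <<EOF
#!/bin/bash
DEV="\$1"
resolvectl dns "\$DEV" $DNS_SERVER
resolvectl domain "\$DEV" ${routing% }
resolvectl default-route "\$DEV" no
echo "DNS configured on \$DEV" >> "$LOGFILE"
EOF
  chmod +x "$script"
  printf '%s\n' "$script"
}

# Start openvpn as a daemon with a management socket for credential entry.
# Arguments: $1 - path of the --up script
start_openvpn() {
  local up_script=$1
  # --management-client-user restricts the unix socket to our own uid; without
  # it any local user who can open the socket could talk to the daemon.
  sudo openvpn \
    --config "$OVPN" \
    --remote rcdro1.krah-gruppe.de 8443 udp \
    --cert "$CERT_DIR/sslvpn-fixed-cert.pem" \
    --key "$CERT_DIR/sslvpn-fixed-key.pem" \
    --auth-nocache \
    --management "$MGMT_SOCK" unix \
    --management-client-user "$(id -un)" \
    --management-query-passwords \
    --auth-retry interact \
    --script-security 2 \
    --up "$up_script" \
    --daemon vpn-sophos \
    --log "$LOGFILE"
}

# Escape a value for a double-quoted management-interface argument:
# backslash and double quote must be backslash-escaped.
mgmt_quote() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '%s' "$s"
}

# Push username and password+OTP over the management socket.
# Arguments: $1 - password, $2 - current OTP
feed_credentials() {
  local pw=$1 otp=$2
  # The daemon creates the socket asynchronously; a fixed 1 s sleep could
  # lose the race and the credentials were then dropped without notice.
  for _ in {1..20}; do
    [[ -S "$MGMT_SOCK" ]] && break
    sleep 0.5
  done
  [[ -S "$MGMT_SOCK" ]] || die "management socket $MGMT_SOCK did not appear; see $LOGFILE"
  # Credentials go through the pipe, never argv, so they do not show in ps.
  # socat's exit status is ignored on purpose: openvpn drops the connection
  # once it has what it needs.
  (
    printf 'username "Auth" %s\n' "$VPN_USER"
    sleep 0.2
    printf 'password "Auth" "%s%s"\n' "$(mgmt_quote "$pw")" "$otp"
    sleep 2
  ) | socat - UNIX-CONNECT:"$MGMT_SOCK" 2>/dev/null || true
}

# Poll for tun0 for up to 30 s. Returns 0 when it exists, 1 on timeout.
wait_for_tunnel() {
  printf 'Waiting for tunnel'
  for _ in {1..30}; do
    if ip link show tun0 &>/dev/null; then
      printf ' connected.\n'
      return 0
    fi
    printf '.'
    sleep 1
  done
  printf ' failed. Log: sudo cat %s\n' "$LOGFILE"
  return 1
}

main() {
  local pw otp_secret otp

  pw=$(secret-tool lookup service sslvpn user "$VPN_USER") \
    || die "no password in keyring for $VPN_USER (service sslvpn)"
  otp_secret=$(secret-tool lookup service sslvpn-totp user "$VPN_USER") \
    || die "no TOTP secret in keyring for $VPN_USER (service sslvpn-totp)"

  wait_for_otp_window
  # NOTE(review): the TOTP secret is passed on oathtool's argv and is briefly
  # visible in the process list; newer oathtool can read it from stdin — verify.
  otp=$(oathtool --totp -b "$otp_secret")
  printf 'OTP generated, %ss valid\n' "$(totp_remaining)"

  UP_SCRIPT=$(write_up_script)
  trap cleanup EXIT

  printf 'Connecting...\n'
  start_openvpn "$UP_SCRIPT"
  feed_credentials "$pw" "$otp"

  if wait_for_tunnel; then
    printf 'Disconnect: ~/bin/vpn-disconnect.sh\n'
    exit 0
  fi

  # Best-effort: openvpn runs as root and may own the socket, in which case
  # this unlink is refused; do not let that mask the failure message above.
  rm -f -- "$MGMT_SOCK" 2>/dev/null || true
  exit 1
}

main "$@"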