Managing OpenVPN users manually can become a tedious and error-prone task, especially when dealing with a large number of users. By automating user management through Bash scripts, administrators can streamline operations, reduce human error, and improve efficiency. This article will guide you through automating user creation, revocation, and other essential OpenVPN user management tasks using Bash scripts.
Prerequisites for Automation
Before we dive into the script, make sure that your system meets the following requirements:
- OpenVPN installed on your system.
- Root or sudo privileges on the server.
- Basic understanding of Bash scripting.
- Access to the OpenVPN configuration files, such as server.conf, and Easy-RSA 3 (the easyrsa command) with an initialised PKI and CA. The scripts below assume the Easy-RSA checkout lives in /etc/openvpn/easy-rsa/ with its pki/ directory underneath; Easy-RSA 3 reads its vars file by itself, so the scripts never source it (the old Easy-RSA 2 habit of "source ./vars" fails on a version 3 vars file).
Automating User Creation
The first task we’ll automate is creating new OpenVPN users. This process includes generating the necessary certificates and keys for each user. We will use Easy-RSA for this purpose, which is a tool that simplifies the process of certificate management for OpenVPN.
Here’s a sample Bash script to automate user creation:
#!/usr/bin/env bash
# Create an OpenVPN user: issue a client certificate with Easy-RSA 3 and build an inline .ovpn profile
set -eu
# Define the username
USERNAME=${1:-}
# Check if username was provided
if [ -z "$USERNAME" ]; then
    echo "Error: No username provided."
    exit 1
fi
# The username becomes a file name and the certificate CN, so refuse anything outside a safe character set
case "$USERNAME" in
    *[!A-Za-z0-9._-]*|.*)
        echo "Error: username may only contain letters, digits, '.', '_' and '-'."
        exit 1 ;;
esac
EASYRSA_DIR=/etc/openvpn/easy-rsa
CLIENT_DIR=/etc/openvpn/client-configs
# Navigate to Easy-RSA directory (Easy-RSA 3 reads its vars file itself; nothing to source)
cd "$EASYRSA_DIR" || exit 1
# Never silently overwrite an existing user's key pair
if [ -e "pki/private/$USERNAME.key" ]; then
    echo "Error: a key for $USERNAME already exists."
    exit 1
fi
# Build the client key and certificate request; nopass stores the key unencrypted, so the .ovpn must be protected
./easyrsa --batch gen-req "$USERNAME" nopass
# Sign the request with the CA (--batch answers the interactive confirmation prompt)
./easyrsa --batch sign-req client "$USERNAME"
# Create the client configuration file from the template; umask 077 because the file will contain the private key
umask 077
mkdir -p "$CLIENT_DIR"
OVPN="$CLIENT_DIR/$USERNAME.ovpn"
# The template is expected to carry the remote address and the CA certificate (inline <ca> block or ca directive)
cp /etc/openvpn/client-template.ovpn "$OVPN"
# Append the user's certificate and key as inline <cert> and <key> blocks
{
    echo "<cert>"
    # openssl x509 re-emits only the PEM block, dropping the text dump Easy-RSA writes above it in issued/*.crt
    openssl x509 -in "pki/issued/$USERNAME.crt"
    echo "</cert>"
    echo "<key>"
    cat "pki/private/$USERNAME.key"
    echo "</key>"
} >> "$OVPN"
# Output success message
echo "User $USERNAME created successfully: $OVPN"
In this script, we perform several actions:
- We validate the username, because it becomes both a file name and the certificate's common name; anything outside letters, digits, '.', '_' and '-' is refused, which also rules out path tricks such as "../".
- We generate a new key and certificate request for the user. The nopass option leaves the private key unencrypted, which is what lets the client import the .ovpn without a passphrase prompt, so the profile is created with mode 0600 and must reach the user over a trusted channel.
- We sign the request with the CA using Easy-RSA; --batch answers the confirmation prompt so the script can run unattended.
- We copy a basic OpenVPN client configuration template and append the user's certificate and key as inline <cert> and <key> blocks, the form OpenVPN expects inside a single profile file.
Diffie-Hellman parameters belong to the server, not to users: they are generated once with ./easyrsa gen-dh when the server is set up, which is why that step is not part of a per-user script.
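The profile-assembly step is where most hand-rolled scripts go wrong (missing inline tags, the text dump from issued/*.crt pasted in, a world-readable file holding a private key). The following is an added example, not code from the original article, that isolates that step into functions so it can be checked on its own. The file paths, the use of a tls-crypt key (ta.key) and the client-template name are assumptions about the deployment; the function takes them all as parameters.

```shell
#!/bin/sh
# Added example (not from the original article): assemble an inline .ovpn profile
# with a username check, PEM-only embedding and a 0600 output file.
# All paths, and the presence of a tls-crypt key, are assumptions about your setup.
set -eu

# Accept only names that are safe as file names and as X.509 common names.
# Rejects empty names, names starting with a dot ("..") and anything with a slash.
valid_username() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Print only the PEM block(s) of a file. Easy-RSA's pki/issued/NAME.crt begins with a
# human-readable text dump; OpenVPN tolerates it, some client importers do not.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Wrap a PEM file in an inline <tag> ... </tag> block as OpenVPN expects.
inline_block() {
    printf '<%s>\n' "$1"
    pem_only "$2"
    printf '</%s>\n' "$1"
}

# build_profile NAME TEMPLATE CA_CRT CLIENT_CRT CLIENT_KEY TLS_CRYPT_KEY OUTFILE
# Returns non-zero, and writes nothing, on an unsafe name or a missing input file.
build_profile() {
    name=$1 template=$2 ca=$3 crt=$4 key=$5 tlskey=$6 out=$7
    if ! valid_username "$name"; then
        echo "refusing unsafe username: $name" >&2
        return 1
    fi
    for f in "$template" "$ca" "$crt" "$key" "$tlskey"; do
        if [ ! -r "$f" ]; then
            echo "missing input: $f" >&2
            return 1
        fi
    done
    # The profile embeds an unencrypted private key, so it is created mode 0600 from the
    # start. The umask is set in a subshell so the caller's umask is left alone.
    (
        umask 077
        {
            cat "$template"
            echo
            inline_block ca "$ca"
            inline_block cert "$crt"
            inline_block key "$key"
            inline_block tls-crypt "$tlskey"
        } > "$out"
    )
}

# Usage with the Easy-RSA layout the article assumes (run from /etc/openvpn/easy-rsa):
#   build_profile alice /etc/openvpn/client-template.ovpn pki/ca.crt \
#       pki/issued/alice.crt pki/private/alice.key /etc/openvpn/ta.key \
#       /etc/openvpn/client-configs/alice.ovpn
```

Because the CA certificate and tls-crypt key are embedded here, the template only needs the connection settings (client, dev, proto, remote, the cipher and verification directives); if your template already carries an inline <ca> block, drop that call.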
Automating User Revocation
Revoking a user's access does not delete their certificate: the certificate stays cryptographically valid until its expiry date, so Easy-RSA instead records it in a certificate revocation list (CRL) that the server consults at every TLS handshake. This only works if server.conf contains a crl-verify directive pointing at the published CRL (for example crl-verify /etc/openvpn/crl.pem) and the file at that path is kept current. The CRL itself has a validity period (EASYRSA_CRL_DAYS, 180 days by default); once it lapses, OpenVPN refuses every client with a "CRL has expired" error, so regenerate and republish the CRL from cron even in months where nobody is revoked. We can automate the revocation itself with the following Bash script:
#!/usr/bin/env bash
# Revoke an OpenVPN client certificate with Easy-RSA 3 and publish a fresh CRL
set -eu
# Define the username
USERNAME=${1:-}
# Check if username was provided
if [ -z "$USERNAME" ]; then
    echo "Error: No username provided."
    exit 1
fi
EASYRSA_DIR=/etc/openvpn/easy-rsa
# Path named by the crl-verify directive in server.conf
CRL_PATH=/etc/openvpn/crl.pem
# Navigate to Easy-RSA directory (Easy-RSA 3 reads its vars file itself; nothing to source)
cd "$EASYRSA_DIR" || exit 1
# Revoke the user's certificate (--batch answers the "Continue with revocation?" prompt)
./easyrsa --batch revoke "$USERNAME"
# Generate the certificate revocation list (CRL); Easy-RSA writes it to pki/crl.pem
./easyrsa gen-crl
# Publish the CRL where crl-verify points. OpenVPN re-reads it at each TLS handshake, which happens
# after the daemon has dropped privileges (user nobody), so the file must stay readable by that user.
install -m 644 pki/crl.pem "$CRL_PATH"
# No service restart is needed, and a restart would disconnect every other user. The revoked certificate
# is refused at the user's next TLS renegotiation (reneg-sec, one hour by default). To cut the live
# session immediately instead, enable the management interface (management 127.0.0.1 7505 in
# server.conf) and send it a kill command for the common name:
#   printf 'kill %s\nquit\n' "$USERNAME" | nc 127.0.0.1 7505
# Output success message
echo "User $USERNAME has been revoked."
This script performs the following tasks:
- It revokes the user's certificate using Easy-RSA, which marks the entry as revoked (status R) in pki/index.txt.
- It generates a new certificate revocation list (CRL) containing every revoked serial number.
- It installs the CRL at the path named by crl-verify in server.conf, readable by the unprivileged user the daemon runs as. The server picks the new file up on the next handshake; the optional management-interface kill ends the user's current session right away without restarting the service for everyone else.
Automating User List Management
Having a clear overview of all OpenVPN users can be vital for effective system management. We can automate the process of listing all users with a simple Bash script. This script walks the certificates in the Easy-RSA pki/issued/ directory and prints the names. Two things to keep in mind: the server's own certificate is listed alongside the users, and on Easy-RSA releases before 3.1 revoked certificates stay in pki/issued/ (newer releases move them to pki/revoked/), so a name in this listing is not proof that the user can still connect.
#!/usr/bin/env bash
# List the certificates Easy-RSA has issued (includes the server certificate)
# Navigate to Easy-RSA directory (Easy-RSA 3 reads its vars file itself; nothing to source)
cd /etc/openvpn/easy-rsa/ || exit 1
# List all user certificates; a glob is used instead of parsing ls output, and an empty directory yields no lines
echo "Listing all OpenVPN users:"
for cert in pki/issued/*.crt; do
    [ -e "$cert" ] || continue
    user="${cert##*/}"
    echo "${user%.crt}"
done
This script lists all certificates in the issued folder and strips the directory and the .crt extension to show just the name. For the authoritative status of each certificate (valid, revoked, expired) consult pki/index.txt, the CA database Easy-RSA maintains, rather than the directory contents.
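The following is an added example, not code from the original article, that reads pki/index.txt instead of the directory listing. Each line of that file is tab-separated: status (V valid, R revoked, E expired), expiry as YYMMDDHHMMSSZ, revocation date (empty unless revoked), serial number, a file-name field that Easy-RSA leaves as "unknown", and the subject DN (usually just /CN=name). The path to the index file is a parameter so the functions can be run against a copy; the sample rows in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): list OpenVPN users from Easy-RSA's
# pki/index.txt, the CA database, rather than from directory contents.
set -eu

# list_users INDEX: one line per certificate, "STATUS NAME EXPIRY", plus the revocation
# date for revoked entries. The CN is cut out of the subject DN in column 6, which may
# contain other components (e.g. /C=US/CN=alice/O=Example) when vars sets them.
list_users() {
    awk -F'\t' '{
        cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
        if ($1 == "R") printf "%s %s %s revoked_on=%s\n", $1, cn, $2, $3
        else           printf "%s %s %s\n", $1, cn, $2
    }' "$1"
}

# user_status INDEX NAME: prints V, R or E and returns 0; returns 1 if NAME was never issued.
# A renewed user has an old R line and a new V line, so V wins whenever it is present.
user_status() {
    awk -F'\t' -v name="$2" '
        { cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn) }
        cn == name { found = 1; last = $1; if ($1 == "V") valid = 1 }
        END { if (!found) exit 1; print (valid ? "V" : last) }
    ' "$1"
}

# active_users INDEX: only the names holding a valid certificate, i.e. the set that can
# still pass the server's certificate check (the server's own name is among them).
active_users() {
    list_users "$1" | awk '$1 == "V" { print $2 }'
}

# Usage on a live PKI (read-only; the index is maintained by easyrsa, never edit it by hand):
#   list_users   /etc/openvpn/easy-rsa/pki/index.txt
#   user_status  /etc/openvpn/easy-rsa/pki/index.txt alice
#   active_users /etc/openvpn/easy-rsa/pki/index.txt
```

The E status only appears after the database has been refreshed (./easyrsa update-db on Easy-RSA 3.1 and later, or openssl ca -updatedb with the Easy-RSA openssl configuration); until then an expired certificate still shows as V in the file, although the server rejects it.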
Automating User Expiration
Certificates already carry an expiry date: notAfter is fixed when the certificate is signed (Easy-RSA's --days option, or EASYRSA_CERT_EXPIRE in vars, whose default is long), and OpenVPN rejects an expired certificate without any help from a script. If you want users to hold access for a shorter period than the certificates you have already issued allow, you can enforce a maximum age instead: periodically check when each certificate was issued and revoke those older than a threshold. The following script automates that; it must skip the server's own certificate, and certificates that are already revoked, or it will revoke the server and fail on repeat runs:
#!/usr/bin/env bash
# Revoke client certificates issued more than EXPIRATION_DAYS ago (a maximum age, independent of notAfter)
set -eu
# Define the expiration period (in days)
EXPIRATION_DAYS=30
# Name of the server certificate, which this sweep must never revoke
SERVER_NAME=server
# Path named by the crl-verify directive in server.conf
CRL_PATH=/etc/openvpn/crl.pem
# Navigate to Easy-RSA directory (Easy-RSA 3 reads its vars file itself; nothing to source)
cd /etc/openvpn/easy-rsa/ || exit 1
# Get current date
CURRENT_DATE=$(date +%s)
REVOKED=0
# Loop through all issued certificates
for cert in pki/issued/*.crt; do
    [ -e "$cert" ] || continue
    USERNAME="${cert##*/}"
    USERNAME="${USERNAME%.crt}"
    # Leave the server certificate alone
    [ "$USERNAME" = "$SERVER_NAME" ] && continue
    # Skip certificates that index.txt no longer lists as valid (V); older Easy-RSA leaves revoked ones in pki/issued/
    grep -q "^V.*/CN=$USERNAME\(/\|$\)" pki/index.txt || continue
    # Get the certificate's issue date (notBefore) and convert it to a Unix timestamp (GNU date)
    CERT_DATE=$(openssl x509 -in "$cert" -noout -startdate | sed 's/notBefore=//')
    CERT_TIMESTAMP=$(date -d "$CERT_DATE" +%s)
    # Calculate the date on which this certificate reaches the maximum age
    EXPIRATION_TIMESTAMP=$((CERT_TIMESTAMP + EXPIRATION_DAYS * 86400))
    # Check if the certificate has passed it
    if [ "$CURRENT_DATE" -ge "$EXPIRATION_TIMESTAMP" ]; then
        # Revoke the user (--batch answers the confirmation prompt)
        ./easyrsa --batch revoke "$USERNAME"
        echo "User $USERNAME exceeded $EXPIRATION_DAYS days and was revoked."
        REVOKED=$((REVOKED + 1))
    fi
done
# Publish one new CRL after the loop instead of regenerating and restarting the service per user
if [ "$REVOKED" -gt 0 ]; then
    ./easyrsa gen-crl
    install -m 644 pki/crl.pem "$CRL_PATH"
fi
With this script, we check each certificate's issue date and compare it with the current date. If a valid client certificate is older than EXPIRATION_DAYS, the user is revoked; the server certificate is skipped, and one new CRL is published at the end rather than restarting the service once per user. Run it from cron (daily is typical); because certificates already marked revoked in index.txt are excluded, repeated runs do not try to revoke the same user twice. For new users, issuing short-lived certificates in the first place (./easyrsa --days=30 sign-req client NAME) achieves the same limit with no revocation at all.
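When lifetimes are set at issue time, the remaining task is noticing certificates that are about to lapse so they can be renewed before the user is locked out. The following is an added example, not code from the original article, that reports valid certificates whose own expiry (column 2 of pki/index.txt, YYMMDDHHMMSSZ) falls before a cutoff. Plain string comparison orders those timestamps correctly until 2049, after which OpenSSL switches the column to a four-digit year. The index path, the cutoff and the sample rows in the test are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): report valid certificates in Easy-RSA's
# pki/index.txt that expire on or before a cutoff, for renewal reminders.
set -eu

# expiring_before INDEX CUTOFF: prints "NAME EXPIRY" for every V entry whose expiry
# (column 2, YYMMDDHHMMSSZ) is <= CUTOFF in the same format. Revoked (R) entries are
# skipped: there is nothing left to renew for them. The CN is cut out of column 6.
expiring_before() {
    awk -F'\t' -v cutoff="$2" '
        $1 == "V" && $2 <= cutoff {
            cn = $6; sub(/^.*\/CN=/, "", cn); sub(/\/.*$/, "", cn)
            printf "%s %s\n", cn, $2
        }' "$1"
}

# cutoff_in_days N: a cutoff N days from now in index.txt's format.
# Uses GNU date, as the article's own expiration script already does.
cutoff_in_days() {
    date -u -d "+$1 days" +%y%m%d%H%M%SZ
}

# Cron usage, e.g. a daily reminder for certificates that lapse within 14 days; the server
# certificate shows up here too, which is exactly the reminder you want for it:
#   expiring_before /etc/openvpn/easy-rsa/pki/index.txt "$(cutoff_in_days 14)"
```

Note that index.txt still reports V for a certificate whose date has passed until the database is refreshed (./easyrsa update-db or openssl ca -updatedb), so a cutoff in the past lists certificates that have already expired and are already being rejected by the server.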



