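#!/bin/ash
# version march 1 2018 jason
#
# Build (or revoke) an OpenVPN client certificate with easy-rsa's pkitool and
# bundle the client key, client certificate, CA certificate and a ready-made
# .ovpn profile into <username>_ovpn.zip under $ersa/keys.
#
# Usage: $0 [username] [servername]
#    or: $0 [username] [servername] pass
#    or: $0 [username] revoke
#
# The username and servername become path components and config values, so
# both are validated before anything is written.

pkitool="/usr/sbin/pkitool"
ersa="/etc/config/openvpnconfig/easy-rsa"

# Print a message on stderr and stop with a failing exit status.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [ ! -x /usr/bin/zip ]; then
  die 'zip not found; to install zip, "opkg install zip".'
fi

# Both a username and a servername (or "revoke") are required; with only one
# argument the profile would be written as ".ovpn" with an empty remote.
if [ "$#" -lt 2 ]; then
  cat >&2 <<EOF
Usage: $0 [username] [servername]
   or: $0 [username] [servername] pass

If you want the user to be prompted with a passphrase add "pass" to the end of the command.
This will invoke "build-key-pass"

[servername] needs to resolve to the openvpn server.
To REVOKE a certificate: $0 [username] revoke
EOF
  exit 1
fi

user=$1
server=$2
mode=${3:-}

# Allowlist the characters that end up in file names and in the client
# profile: no "/", no whitespace or newlines, no leading "-" or ".".
case "$user" in
  '' | .* | -* | *[!A-Za-z0-9._@-]*)
    die "invalid username '$user': use letters, digits, '.', '_', '@' or '-', not starting with '.' or '-'"
    ;;
esac
case "$server" in
  '' | .* | -* | *[!A-Za-z0-9._:-]*)
    die "invalid servername '$server': expected a hostname or IP address"
    ;;
esac

# Load the easy-rsa environment unless the caller already exported it.
if [ -z "${KEY_COUNTRY:-}" ]; then
  [ -r "$ersa/vars" ] || die "cannot read $ersa/vars"
  . "$ersa/vars"
fi

if [ "$server" = "revoke" ]; then
  printf '\nREVOKE openvpn client files and config for %s? \npress enter to continue or ctrl+c to exit\n' "$user"
  read -r _
  # NOTE(review): the exit status is not checked, as in the original; the
  # verification step at the end of easy-rsa 2's revoke-full is expected to
  # report the certificate as revoked - confirm for the installed version.
  revoke-full "$user"
  echo "Be sure the VPN server config has \"crl-verify $ersa/keys/crl.pem\""
  exit 0
fi

printf '\ncreate openvpn client files and config for %s on %s openvpn server \npress enter to continue\n' "$user" "$server"
read -r _

echo "creating key for $user"
if [ "$mode" = "pass" ]; then
  "$pkitool" --interact --pass "$user"
else
  "$pkitool" --interact "$user"
fi || die "pkitool failed for $user; nothing was bundled"

echo "creating $user user configs"

# Everything created from here on holds or wraps the client's private key,
# so keep it readable by the owner only.
umask 077
bundle_dir="$ersa/keys/$user"
/bin/mkdir -p "$bundle_dir" || die "cannot create $bundle_dir"
chmod 700 "$bundle_dir"

# Refuse to bundle missing or empty files (an aborted signing step can leave
# an empty certificate behind).
for f in "$user.key" "$user.crt" ca.crt; do
  [ -s "$ersa/keys/$f" ] || die "missing or empty $ersa/keys/$f"
  /bin/cp -p "$ersa/keys/$f" "$bundle_dir/" || die "cannot copy $f to $bundle_dir"
done

# Client profile, one directive per line, each terminated with CR LF as in
# the original.
# NOTE(review): "comp-lzo" and "cipher AES-256-CBC" must match the server;
# compression inside the tunnel is deprecated upstream (VORACLE) and newer
# OpenVPN releases negotiate AEAD ciphers - review against the server's
# OpenVPN version before changing either side.
printf '%s\r\n' \
  'nobind' \
  'float' \
  'comp-lzo' \
  'cipher AES-256-CBC' \
  'dev tun' \
  "remote $server 1194 udp" \
  'client' \
  'tls-exit' \
  'ca ca.crt' \
  "cert $user.crt" \
  "key $user.key" \
  'remote-cert-tls server' \
  'mute 5' \
  'resolv-retry infinite' \
  '#explicit-exit-notify' \
  'keepalive 10 60' \
  'ping-timer-rem' \
  'persist-tun' \
  'persist-key' \
  '#redirect-gateway def1' \
  > "$bundle_dir/$server.ovpn" || die "cannot write $bundle_dir/$server.ovpn"

cd "$ersa/keys/" || die "cannot cd to $ersa/keys/"
/usr/bin/zip -r "${user}_ovpn.zip" "$user/" || die "zip failed for $user"
# An archive left over from an earlier run may keep its old mode; tighten it.
chmod 600 "${user}_ovpn.zip"

cat <<EOF

done!
Use scp from another computer to grab the users zip.
"scp user@host:$ersa/keys/${user}_ovpn.zip ."

or send to another computer
scp $ersa/keys/${user}_ovpn.zip user@host:openvpn-keys/
EOF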