| 1 | +#!/bin/bash -e |
| 2 | +if [[ $# != 3 ]]; then |
| 3 | + echo "usage: $0 vpn_addr team_id password" |
| 4 | + exit 1 |
| 5 | +fi |
| 6 | +vpn_addr="$1" |
| 7 | +team_id="$2" |
| 8 | +password="$3" |
| 9 | + |
| 10 | +echo "team-${team_id}" > auth.txt |
| 11 | +echo "$password" >> auth.txt |
| 12 | + |
| 13 | +vpn_port=$((10000 + $team_id)) |
| 14 | + |
| 15 | +cat > ctf.ovpn <<EOF |
| 16 | +client |
| 17 | +setenv SERVER_POLL_TIMEOUT 4 |
| 18 | +nobind |
| 19 | +remote ${vpn_addr} |
| 20 | +port ${vpn_port} |
| 21 | +proto udp |
| 22 | +dev tun |
| 23 | +ns-cert-type server |
| 24 | +auth-user-pass |
| 25 | +
|
| 26 | +user nobody |
| 27 | +group $(id -gn nobody) |
| 28 | +persist-tun |
| 29 | +persist-key |
| 30 | +
|
| 31 | +cipher AES-128-CBC |
| 32 | +verb 3 |
| 33 | +
|
| 34 | +auth-user-pass auth.txt |
| 35 | +script-security 2 |
| 36 | +tls-verify "./verify-cn team-${team_id}" |
| 37 | +
|
| 38 | +<ca> |
| 39 | +-----BEGIN CERTIFICATE----- |
| 40 | +MIIDtTCCAp2gAwIBAgIJAKz96Ok7WRJ4MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV |
| 41 | +BAYTAkJSMRAwDgYDVQQKEwdQd24yV2luMRMwEQYDVQQDEwpQd24yV2luIENBMQ8w |
| 42 | +DQYDVQQpEwZzZXJ2ZXIwHhcNMTcxMDExMDIxMTAxWhcNMjcxMDA5MDIxMTAxWjBF |
| 43 | +MQswCQYDVQQGEwJCUjEQMA4GA1UEChMHUHduMldpbjETMBEGA1UEAxMKUHduMldp |
| 44 | +biBDQTEPMA0GA1UEKRMGc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB |
| 45 | +CgKCAQEAv0ONla2e6+JrhRElPobYgXyZs9ZlGplo6NYH4n2iOUPODkFfydRMkhqs |
| 46 | +T48q7s3sWpHOezr5Qj9SepGUvcYK/9tc7uAn2psUW8FOOK3qGjvw4o6G2x9sI/tS |
| 47 | +J6OWKbu84Xy05l6BrRxI+qWVLcYgjogIflXgkwLcFLUA19uGaQYzaPO4csGtGVPC |
| 48 | +oS0mrn/GgyH6RSXN502LUO4b+3LihI5fxf2nQjTb3pdImVMtznbP8XNaq/je5h5q |
| 49 | +hQT67DWjXVdZd41awMJlbvbmywdROLYUVMO73q78C1vg6lrr44tNi4D3cYXNwA18 |
| 50 | +S+99+dDSCiTrtlr0dtGR8AHdOwM8GwIDAQABo4GnMIGkMB0GA1UdDgQWBBQMMm2V |
| 51 | +mbmXdQrfFdEZ+A3Vj8lUbjB1BgNVHSMEbjBsgBQMMm2VmbmXdQrfFdEZ+A3Vj8lU |
| 52 | +bqFJpEcwRTELMAkGA1UEBhMCQlIxEDAOBgNVBAoTB1B3bjJXaW4xEzARBgNVBAMT |
| 53 | +ClB3bjJXaW4gQ0ExDzANBgNVBCkTBnNlcnZlcoIJAKz96Ok7WRJ4MAwGA1UdEwQF |
| 54 | +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBALJIROdxRx7M+R+OUUK0soIZlIiJEuXA |
| 55 | +nPNXvvC3hhYeo54GaiPBmfrDEtp+dgTpTzVuW+nur7M/oSnCAwBvasaUXQU+Am/A |
| 56 | +Z1r8zBSIsDDRM3OCfKbqUymjpzGNz7S6GawYIcroak5NW/C8VcuZzo7FTXPSI32u |
| 57 | +thfeDTzWTIcXOaKi1efsKgR49JVQ6YVhv5dzHxYtfZa3AGiRQRD4lKfbeQcd+Eh+ |
| 58 | +mzr8C4EuOK+YQiXHSyO9DxilNaR3t5LeNyiRH/xC2gFcBJtR1Ep/ZYNdA9TT41Gd |
| 59 | +ERKi59X9sSQJ7h+ZM8F56E99/7oW02PUpbxgf4CciLFcQKXk07uZJX8= |
| 60 | +-----END CERTIFICATE----- |
| 61 | +</ca> |
| 62 | +EOF |
| 63 | + |
| 64 | +cat > verify-cn <<EOF |
| 65 | +#!/usr/bin/perl |
| 66 | +die "usage: verify-cn expected_cn certificate_depth subject" if (@ARGV != 3); |
| 67 | +(\$expected_cn, \$depth, \$x509) = @ARGV; |
| 68 | +if (\$depth == 0) { |
| 69 | + if (\$x509 =~ / CN=([^,]+)/) { |
| 70 | + \$cn = \$1; |
| 71 | + if (\$expected_cn eq \$cn) { |
| 72 | + exit 0; |
| 73 | + } |
| 74 | + } |
| 75 | + exit 1; |
| 76 | +} |
| 77 | +exit 0; |
| 78 | +EOF |
| 79 | + |
| 80 | +chmod +x verify-cn |
| 81 | + |
| 82 | +echo "Run: sudo openvpn ctf.ovpn" |
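Review bot: Lines 10–11 write the VPN password into `auth.txt` under the caller's default umask, which on most systems leaves the credential file world-readable; add `chmod 600 auth.txt` right after the second `echo` (a blanket `umask 077` is the wrong tool here, because `verify-cn` is created by the same script and still has to be readable and executable by `nobody` when `tls-verify` fires after the privilege drop). Line 23's `ns-cert-type server` was deprecated in OpenVPN 2.4 and removed in 2.5, so a current client rejects this profile, and the tempting fix of deleting the line drops the server-role check and leaves only the CN comparison in `verify-cn`; `remote-cert-tls server` is the supported replacement and should be used instead. The bare `auth-user-pass` on line 24 is overridden by `auth-user-pass auth.txt` on line 34 and can be removed to avoid the impression that interactive prompting is intended. Lastly, `team_id` is used unvalidated in the arithmetic on line 13 and in the `tls-verify` command string on line 36; a guard such as `[[ "$team_id" =~ ^[0-9]+$ ]] || { echo "team_id must be numeric" >&2; exit 1; }` after the argument check keeps a typo from producing a bogus port or a malformed verify command.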