Bulk certificate, client specific override and client export (script? CLI?)



  • Good morning everyone (it's 8.27 here in Milan, and a beautiful day indeed :-)

    This is my first post in the forum and to begin with I'd like to thank everyone for the precious help I had in setting up my firewall and OpenVPN using the information I found here. Also, pfSense is a wonderful product, and I'm seriously thinking of using it in many other ways beyond the project I'm currently developing.

    I'm currently tasked to set up a client-to-LAN VPN for a large number of clients (embedded devices running a Linux distribution, which collect data from some environmental probes and send them to a central server, also on the VPN, at regular intervals). The obvious choice was OpenVPN as I think it's more flexible and easier to set up and manage than other solutions; I planned to use PKI, with a client certificate for each client, a "fixed" IP address assigned with client specific overrides and a client export "package" to install on each of the client devices.

    Generating certificates, creating client specific overrides and exporting client configurations with the GUI is quick and easy, but since I'll have to perform these 3 steps for each client, multiplied by the number of clients (100, to begin with, then possibly an INSANELY HIGH number shortly after :-) I was wondering if there is a way to do this in batch, for example with a shell script.

    I'm a newcomer to pfSense, and I looked everywhere in the available documentation, forums, blogs and books, but did not find anything useful yet.

    I understand that probably a good trick would be to launch the PHP "commands" corresponding to the GUI functions used for these tasks, and that it is not possible to generate the pieces on a different machine (e.g. a Linux box) and simply copy them to the pfSense box, as this way they wouldn't be included in the XML configuration and wouldn't be "recognized" and used by the system.

    I also planned the network and the client names in advance so that everything would be easy to manage and to script (e.g., all the clients have a hostname corresponding to their certificate common name, and at the end of the name there are the last 2 octets of the IP address, that is clientname-X-Y).

    So, could anybody help me on this, please? Beer offered at the first chance, that goes without saying :-)

    Also, I don't know if this is the proper place to suggest a new feature, but I think it would be great to have a panel to generate certificates and CSOs in the GUI (e.g. common name = prefix + number from XXX to YYY, IP address: from A.B.C.XXX to A.B.C.YYY… with a checkbox to generate and download client configuration packages for all clients all at once).

    Ciao,
    Lorenzo


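Added example (not from the post above and not pfSense code): a Python script that turns the naming convention described in the post (CN = prefix + last two octets of the tunnel IP, "clientname-X-Y") into an allocation plan and checks it before anything is issued, then renders the plain-OpenVPN equivalent of a client specific override: one client-config-dir (ccd) file per CN carrying an `ifconfig-push` line. pfSense stores its overrides in config.xml rather than in ccd files, so this shows the OpenVPN-level mechanism only; certificate issuance is left to whatever CA tooling is in use. The prefix `probe`, the tunnel network `10.20.0.0/16`, the reserved server address `10.20.0.1` and the `topology subnet` assumption (which is what makes `ifconfig-push IP NETMASK` the right form) are all constructed for the illustration.

```python
"""Plan OpenVPN client identities for a fleet: one CN per device, a fixed
tunnel IP encoded in the CN, and a client-config-dir file per client.

Added example, NOT pfSense code. pfSense keeps client specific overrides in
config.xml; the ccd files written here are the plain-OpenVPN equivalent.
All prefixes, networks and addresses are constructed for the illustration.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

# Convention from the post: "<prefix>-<X>-<Y>", X and Y = last two octets.
CN_RE = re.compile(r"^(?P<prefix>.+)-(?P<x>\d{1,3})-(?P<y>\d{1,3})$")


def cn_for(prefix: str, ip: str) -> str:
    """Build 'prefix-X-Y' from the last two octets of a dotted-quad IP."""
    o = ip.split(".")
    return f"{prefix}-{o[2]}-{o[3]}"


def ip_for(cn: str, network: str) -> str:
    """Invert cn_for: rebuild the tunnel IP from the CN inside `network`.
    Only works when the first two octets are fixed (prefix length >= 16).
    Raises ValueError for a malformed CN or an address outside the network."""
    m = CN_RE.match(cn)
    if not m:
        raise ValueError(f"CN {cn!r} does not match prefix-X-Y")
    net = ipaddress.ip_network(network)
    if net.prefixlen < 16:
        raise ValueError("convention needs the first two octets fixed")
    a, b = str(net.network_address).split(".")[:2]
    ip = ipaddress.ip_address(f"{a}.{b}.{m['x']}.{m['y']}")
    if ip not in net:
        raise ValueError(f"{ip} derived from {cn!r} is outside {network}")
    return str(ip)


def plan_clients(prefix: str, network: str, first: int, count: int,
                 reserved=()) -> list:
    """Allocate `count` host offsets starting at `first` (1 = first host),
    skipping anything in `reserved` (e.g. the server's own tunnel address).
    Returns [(cn, ip), ...] in allocation order; raises when the pool runs out."""
    net = ipaddress.ip_network(network)
    if net.prefixlen < 16:
        raise ValueError("convention needs the first two octets fixed")
    reserved = {str(ipaddress.ip_address(r)) for r in reserved}
    last_host = net.num_addresses - 2  # exclude network and broadcast address
    plan, offset = [], first
    while len(plan) < count:
        if offset < 1 or offset > last_host:
            raise ValueError(f"pool {network} exhausted at offset {offset}")
        ip = str(net.network_address + offset)
        offset += 1
        if ip in reserved:
            continue
        plan.append((cn_for(prefix, ip), ip))
    return plan


def check_plan(plan: list, network: str) -> bool:
    """Sanity checks before any certificate is issued: CNs unique, IPs
    unique, and every CN round-trips to exactly the IP it was paired with."""
    cns = [cn for cn, _ in plan]
    ips = [ip for _, ip in plan]
    if len(set(cns)) != len(cns):
        raise ValueError("duplicate CN in plan")
    if len(set(ips)) != len(ips):
        raise ValueError("duplicate IP in plan")
    for cn, ip in plan:
        if ip_for(cn, network) != ip:
            raise ValueError(f"{cn} does not encode {ip}")
    return True


def render_ccd(plan: list, netmask: str) -> dict:
    """One ccd file body per CN. OpenVPN looks up client-config-dir/<CN>
    after the TLS handshake, so the file name must equal the certificate CN.
    Assumes 'topology subnet' on the server: 'ifconfig-push IP NETMASK'."""
    return {cn: f"ifconfig-push {ip} {netmask}\n" for cn, ip in plan}


def write_ccd(rendered: dict, directory) -> list:
    """Write the rendered bodies as files; returns the sorted file names."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    for cn, body in rendered.items():
        (d / cn).write_text(body)
    return sorted(p.name for p in d.iterdir())


if __name__ == "__main__":
    NETWORK = "10.20.0.0/16"  # constructed tunnel network
    plan = plan_clients("probe", NETWORK, first=2, count=100,
                        reserved=["10.20.0.1"])
    check_plan(plan, NETWORK)
    out = write_ccd(render_ccd(plan, "255.255.0.0"), tempfile.mkdtemp())
    print(plan[:3], out[:3])
```

The round-trip check in `check_plan` is the part worth keeping even if the rest is replaced by whatever drives the pfSense GUI functions: a CN that does not encode the address it was given, or two devices sharing an address, is exactly the kind of mistake that is cheap to catch before 100 certificates exist and expensive afterwards.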