#!/bin/bash

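set -eo pipefail

# Paths and connection parameters written into every generated profile.
EASYRSA_DIR="/etc/openvpn/easy-rsa"
CLIENT_DIR="/etc/openvpn/clients"
SERVER_PORT="1194"
PROTO="udp"

# Public address the clients will connect to.  Prefer an external lookup over
# HTTPS (the original plain-HTTP fetch let an on-path attacker hand us an
# address that would then be baked into every profile), and fall back to the
# first local address when the lookup fails.
SERVER_IP=$(curl -fs --max-time 10 https://ifconfig.me 2>/dev/null || true)
if [[ -z "$SERVER_IP" ]]; then
    SERVER_IP=$(hostname -I 2>/dev/null | awk '{print $1}' || true)
fi

# The value is interpolated verbatim into the .ovpn ("remote <host> <port>").
# Accept only a plain IP/hostname token so an unexpected response (HTML error
# page, whitespace, embedded newlines) cannot inject extra directives into the
# client configuration.
if [[ ! "$SERVER_IP" =~ ^[A-Za-z0-9.:-]+$ ]]; then
    echo "Could not determine a usable server address (got: '$SERVER_IP')" >&2
    exit 1
fi

# Profiles embed an unencrypted client private key (build-client-full ... nopass),
# so the directory holding them must not be world-readable.  Note this runs
# before the root check further down, so a non-root run fails here with a
# permission error rather than the friendlier message.
mkdir -p "$CLIENT_DIR"
chmod 700 "$CLIENT_DIR"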

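#######################################
# Print the command synopsis and abort.
# Globals:   none
# Arguments: none ($0 is the script name)
# Outputs:   synopsis on stderr (diagnostics do not belong on stdout)
# Returns:   never returns; exits with status 1
#######################################
usage() {
    cat >&2 <<EOF
Usage:
  $0 add <client_name>
  $0 revoke <client_name>
  $0 update <client_name>
EOF
    exit 1
}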

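# easyrsa writes into its PKI and we write into /etc/openvpn, so root is required.
if [ "$EUID" -ne 0 ]; then
    echo "Run as root" >&2
    exit 1
fi

ACTION="$1"
CLIENT="$2"

if [[ -z "$ACTION" || -z "$CLIENT" ]]; then
    usage
fi

# The client name becomes part of several paths that are written and deleted
# as root (pki/issued/<name>.crt, pki/private/<name>.key, <CLIENT_DIR>/<name>.ovpn)
# and is passed to easyrsa as an argument.  Restrict it to a safe token:
# alphanumerics, '_', '.' and '-', starting with an alphanumeric so that '..'
# path traversal and option-looking names ('-x') are rejected outright.
if [[ ! "$CLIENT" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]]; then
    echo "Invalid client name '$CLIENT': use letters, digits, '_', '.' or '-', starting with a letter or digit" >&2
    exit 1
fi

# All easyrsa invocations and pki/ paths below are relative to this directory.
cd "$EASYRSA_DIR" || exit 1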

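#######################################
# Issue a client certificate and write a self-contained .ovpn profile.
# Globals:   CLIENT, CLIENT_DIR, SERVER_IP, SERVER_PORT, PROTO (read);
#            cwd must be EASYRSA_DIR
# Arguments: none
# Outputs:   profile path on stdout
# Returns:   0 on success; non-zero (and no profile) if easyrsa fails or an
#            expected PKI file is missing
#######################################
create_client() {
    local cert="pki/issued/$CLIENT.crt"
    local key="pki/private/$CLIENT.key"
    local ovpn="$CLIENT_DIR/$CLIENT.ovpn"
    local f

    # 'nopass' means the private key is stored unencrypted; the resulting
    # .ovpn is therefore a bearer credential and must be treated as a secret.
    ./easyrsa build-client-full "$CLIENT" nopass

    # A failing $(cat ...) inside the heredoc does not trip 'set -e' (cat of the
    # heredoc itself succeeds), so a missing file would silently yield a profile
    # with an empty <cert>/<key>.  Verify the inputs up front instead.
    for f in pki/ca.crt "$cert" "$key"; do
        if [[ ! -r "$f" ]]; then
            echo "Missing $f after build-client-full; not writing profile" >&2
            return 1
        fi
    done

    # Create (or replace) the profile with mode 0600 before any content goes
    # in, so the embedded key is never readable by other users, even briefly,
    # regardless of the caller's umask.
    install -m 0600 /dev/null "$ovpn"

    # NOTE(review): no <tls-auth>/<tls-crypt> block is emitted; if the server
    # config uses one, profiles generated here will not be able to connect.
    # 'cipher AES-256-GCM' is kept as in the original; newer OpenVPN versions
    # negotiate via data-ciphers instead, so confirm against the server config.
    cat > "$ovpn" <<EOF
client
dev tun
proto $PROTO
remote $SERVER_IP $SERVER_PORT
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3

<ca>
$(cat pki/ca.crt)
</ca>

<cert>
$(awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$cert")
</cert>

<key>
$(cat "$key")
</key>
EOF

    echo "Client '$CLIENT' created:"
    echo "  $ovpn"
}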

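#######################################
# Revoke a client certificate, publish the new CRL and drop its profile.
# Globals:   CLIENT, CLIENT_DIR (read); cwd must be EASYRSA_DIR
# Arguments: none
# Outputs:   status line on stdout; warning on stderr if the server does not
#            appear to check the CRL
# Returns:   0 on success; 'set -e' aborts on any failing step
#######################################
revoke_client() {
    local crl_dst="/etc/openvpn/server/crl.pem"
    local server_conf="/etc/openvpn/server/server.conf"

    # easyrsa prompts for confirmation here unless --batch is given; left
    # interactive on purpose as a guard on a destructive step.
    ./easyrsa revoke "$CLIENT"
    ./easyrsa gen-crl

    # Publish the CRL where the server reads it.  install sets the mode in one
    # step; 0644 because openvpn re-reads the CRL after dropping privileges.
    install -m 0644 pki/crl.pem "$crl_dst"

    # Revocation is only effective if the server actually checks the CRL.
    # The openvpn-server@ unit template reads <instance>.conf from
    # /etc/openvpn/server on most distributions -- confirm for this host.
    if [[ -f "$server_conf" ]] && ! grep -Eq '^[[:space:]]*crl-verify[[:space:]]' "$server_conf"; then
        echo "WARNING: $server_conf has no 'crl-verify' directive; the revoked certificate will still be accepted" >&2
    fi

    rm -f -- "$CLIENT_DIR/$CLIENT.ovpn"

    # Restart rather than reload so any session the revoked client currently
    # holds is torn down now instead of at its next renegotiation.
    systemctl restart openvpn-server@server

    echo "Client '$CLIENT' revoked and removed"
}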

#######################################
# Re-issue a client: revoke the current certificate (which also restarts the
# server and removes the old profile), then build a fresh one under the same name.
# Globals:   CLIENT (read, via the two helpers)
# Arguments: none
# Returns:   0 on success; 'set -e' aborts on the first failing step
#######################################
update_client() {
    local step
    for step in revoke_client create_client; do
        "$step"
    done
}

# Dispatch on the requested action; anything unrecognised prints the synopsis.
if [[ "$ACTION" == "add" ]]; then
    create_client
elif [[ "$ACTION" == "revoke" ]]; then
    revoke_client
elif [[ "$ACTION" == "update" ]]; then
    update_client
else
    usage
fi

