背景:
业务上有个需求,需要通过调用脚本来实现针对某个或某些员工的vpn的开通与回收,但当时想到开通证书及回收时需要交互操作,所以想到了shell中的expect来实现,当然还有其他方法,比如通过修改证书签名的脚本来实现不交互,但是感觉还是通过expect捕获来完成更规范些,当然也可以使用python中的pexpect模块来实现。
脚本:
目前只简单实现了下根据人名创建了对应的证书文件,并没有加入发送邮件和回收的功能 ,脚本中涉及到的ip地址和路由根据实际情况修改
#!/bin/bash
ct_vpn (){
/usr/bin/expect <<EOF
spawn /usr/local/openvpn/etc/easy-rsa/3.0/./easyrsa gen-req $name nopass
expect "$name" {send "\r"}
expect eof
spawn /usr/local/openvpn/etc/easy-rsa/3.0/./easyrsa sign-req client $name
expect {
"Confirm request details" {send "yes\r";exp_continue}
"*ca.key*" {send "passwd\r"}
}
expect eof
EOF
ca="client
dev tun
proto udp
#remote 0.0.0.0 3000 #腾讯云新版本vpn
remote 0.0.0.0 3000 #办公网新版本vpn
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
verb 3
keepalive 10 60
route-method exe
route-delay 2
route 0.0.0.0 255.255.255.255 net_gateway
route xx.xx.xx.cn 255.255.255.255 net_gateway
route xx.xx.xx.cn 255.255.255.255 net_gateway
route xx.xx.xx.cn 255.255.255.255 net_gateway
"
echo "$ca" >/data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
echo "<ca>" >> /data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
cat /data/openvpn/new_openvpn/NEW_VPN_pki/ca.crt
>>/data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
echo "</ca>" >> /data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
echo "<cert>" >> /data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
cat /data/openvpn/new_openvpn/NEW_VPN_pki/issued/$name.crt >>/data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
echo "</cert>" >> /data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
echo "<key>" >> /data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
cat /data/openvpn/new_openvpn/NEW_VPN_pki/private/$name.key >>/data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
echo "</key>" >> /data/openvpn/new_openvpn/NEW_VPN_userconf/$name.ovpn
}
username=(
zhangsan
lisi
wangwu
)
for name in ${username[*]};do
ct_vpn
done
expect部分详解:
expect脚本可以直接在命令解释器行直接引用#!/usr/bin/expect,但是用位置变量时比较麻烦,假设我上面需要将执行脚本时后面的参数作为人名传进来,那么expect是无法调用位置变量来获取人名的,所以使用了嵌入式,将expect迁入到shell脚本中来使用。
/usr/bin/expect <<EOF
spawn /usr/local/openvpn/etc/easy-rsa/3.0/./easyrsa gen-req $name nopass
expect "$name" {send "\r"}
expect eof
spawn /usr/local/openvpn/etc/easy-rsa/3.0/./easyrsa sign-req client $name
expect {
"Confirm request details" {send "yes\r";exp_continue}
"*ca.key*" {send "password\r"}
}
expect eof
EOF
# spawn 为要执行的交互命令
# expect 表示要捕获的返回的内容
# send 表示上面的expect捕获到对应的内容后要输入的内容
# expect eof表示结束此次的捕获,除非遇到下个spawn重新开始捕获
# send后面的exo_continue表示发送完此次的内容,继续下面内容的捕获,不然默认就捕获到一次就结束了