#!/bin/sh

set -eu

convert_remoteservers_for_openvpn() {
  echo "$1" | awk '{
                for (i = 1; i <= NF; i++) {
                  gsub(/\|/, " ", $i); print "--remote", $i
                }
              }'
}

# puavo.vpn.client.remote_servers should contain servers in form:
# "192.0.2.16|443|tcp 203.0.113.4|443|tcp" ...
remote_servers=$(puavo-conf puavo.vpn.client.remote_servers)

if [ -z "$remote_servers" ]; then
  cat <<'EOF' >&2
No remote servers were configured for OpenVPN.
Check the "puavo.vpn.client.remote_servers" puavo-conf parameter.
EOF
  exit 1
fi

/usr/sbin/openvpn                                          \
    --auth-nocache                                         \
    --ca /etc/puavo/certs/orgcabundle.pem                  \
    --cert /etc/puavo/certs/host.crt                       \
    --client                                               \
    --connect-retry 5 5                                    \
    --dev vpn0                                             \
    --dev-type tun                                         \
    --keepalive 10 60                                      \
    --key /etc/puavo/certs/host.key                        \
    --proto tcp-client                                     \
    --remote-cert-tls server                               \
    --remote-random                                        \
    --route-up '/usr/lib/puavo-vpn-client/runme route-up'  \
    --script-security 2                                    \
    --status /run/puavo/vpn-client-openvpn.status 10       \
    --up-delay                                             \
    --verb 3                                               \
    --writepid /run/puavo/vpn-client-openvpn.pid           \
    $(convert_remoteservers_for_openvpn "$remote_servers")
