2016-02-10 00:27:26 +00:00
#!/bin/bash
2016-08-31 19:42:53 +00:00
set -e
[ -n " ${ DEBUG +x } " ] && set -x
2016-02-10 16:12:49 +00:00
OVPN_DATA = basic-data-otp
2016-02-10 00:27:26 +00:00
CLIENT = travis-client
IMG = kylemanna/openvpn
OTP_USER = otp
2016-08-31 19:42:53 +00:00
CLIENT_DIR = " $( readlink -f " $( dirname " $BASH_SOURCE " ) /../../client " ) "
2016-02-10 00:27:26 +00:00
# Function to fail
abort( ) { cat <<< " $@ " 1>& 2; exit 1; }
ip addr ls
SERV_IP = $( ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
# Configure server with two factor authentication
2016-09-03 23:08:49 +00:00
docker run -v $OVPN_DATA :/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
2016-02-10 00:27:26 +00:00
# nopass is insecure
2016-09-03 23:08:49 +00:00
docker run -v $OVPN_DATA :/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
2016-02-10 00:27:26 +00:00
2016-09-03 23:08:49 +00:00
docker run -v $OVPN_DATA :/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT nopass
2016-02-10 00:27:26 +00:00
# Generate OTP credentials for user named test, should return QR code for test user
2016-09-03 23:08:49 +00:00
docker run -v $OVPN_DATA :/etc/openvpn --rm -it $IMG ovpn_otp_user $OTP_USER | tee $CLIENT_DIR /qrcode.txt
2016-02-10 00:27:26 +00:00
# Ensure a chart link is printed in client OTP configuration
2016-08-31 19:42:53 +00:00
grep 'https://www.google.com/chart' $CLIENT_DIR /qrcode.txt || abort 'Link to chart not generated'
grep 'Your new secret key is:' $CLIENT_DIR /qrcode.txt || abort 'Secret key is missing'
2016-02-10 00:27:26 +00:00
# Extract an emergency code from textual output, grepping for line and trimming spaces
2016-08-31 19:42:53 +00:00
OTP_TOKEN = $( grep -A1 'Your emergency scratch codes are' $CLIENT_DIR /qrcode.txt | tail -1 | tr -d '[[:space:]]' )
2016-02-10 00:27:26 +00:00
# Token should be present
if [ -z $OTP_TOKEN ] ; then
abort "QR Emergency Code not detected"
fi
# Store authentication credentials in config file and tell openvpn to use them
2016-08-31 19:42:53 +00:00
echo -e " $OTP_USER \n $OTP_TOKEN " > $CLIENT_DIR /credentials.txt
2016-02-10 00:27:26 +00:00
# Override the auth-user-pass directive to use a credentials file
2016-09-03 23:08:49 +00:00
docker run -v $OVPN_DATA :/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR /config.ovpn
2016-02-10 00:27:26 +00:00
#
# Fire up the server
#
2016-02-10 16:12:49 +00:00
sudo iptables -N DOCKER || echo 'Firewall already configured'
sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
2016-02-10 00:27:26 +00:00
# run in shell bg to get logs
2016-09-03 23:08:49 +00:00
docker run --name "ovpn-test" -v $OVPN_DATA :/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
2016-02-10 00:27:26 +00:00
#for i in $(seq 10); do
# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
# test -n "$SERV_IP" && break
#done
2016-08-31 19:42:53 +00:00
#sed -ie s:SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn
2016-02-10 00:27:26 +00:00
#
# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT
# the host as it confuses itself:
# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194"
#
2016-08-31 19:42:53 +00:00
docker run --rm --net= host --privileged --volume $CLIENT_DIR :/client $IMG /client/wait-for-connect.sh
2016-02-10 00:27:26 +00:00
#
# Client either connected or timed out, kill server
#
kill %1
#
# Celebrate
#
cat <<EOF
___________
< it worked >
-----------
\ ^__^
\ ( oo) \_ ______
( __) \ ) \/ \\
|| ----w |
|| ||
EOF