From 1869cd85d0ff21b01e4cdd76e710b3a6dcff63da Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Wed, 4 Jun 2014 11:13:59 -0700 Subject: [PATCH] openvpn.sh: Split in to smaller scripts * Split soon to be massive wrapper into smaller managable scripts. * Re-organized Dockerfile to exploit cache when rebuilding --- Dockerfile | 8 +-- bin/easyrsa_vars | 35 +++++++++++ bin/openvpn.sh | 152 --------------------------------------------- bin/ovpn_getclient | 48 ++++++++++++++ bin/ovpn_init | 57 +++++++++++++++++ bin/ovpn_run | 16 +++++ bin/ovpn_status | 9 +++ 7 files changed, 169 insertions(+), 156 deletions(-) create mode 100755 bin/easyrsa_vars delete mode 100755 bin/openvpn.sh create mode 100755 bin/ovpn_getclient create mode 100755 bin/ovpn_init create mode 100755 bin/ovpn_run create mode 100755 bin/ovpn_status diff --git a/Dockerfile b/Dockerfile index 8b62300..464d8bd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,9 +11,6 @@ RUN git clone https://github.com/OpenVPN/easy-rsa.git /usr/local/share/easy-rsa RUN cd /usr/local/share/easy-rsa && git checkout -b tested 89f369c5bbd13fbf0da2ea6361632c244e8af532 RUN ln -s /usr/local/share/easy-rsa/easyrsa3/easyrsa /usr/local/bin -ADD ./bin /usr/local/bin -RUN chmod a+x /usr/local/bin/* - # Needed by scripts ENV OPENVPN /etc/openvpn ENV EASYRSA /usr/local/share/easy-rsa/easyrsa3 @@ -24,4 +21,7 @@ VOLUME ["/etc/openvpn"] EXPOSE 1194/udp -ENTRYPOINT ["openvpn.sh"] +CMD ["ovpn_run"] + +ADD ./bin /usr/local/bin +RUN chmod a+x /usr/local/bin/* diff --git a/bin/easyrsa_vars b/bin/easyrsa_vars new file mode 100755 index 0000000..10d652b --- /dev/null +++ b/bin/easyrsa_vars 
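Review bot: The `ADD ./bin /usr/local/bin` instruction re-added at the bottom of the Dockerfile copies a plain local directory, for which `COPY` is the conventional instruction; `ADD` additionally auto-extracts tar archives and fetches remote URLs, neither of which is wanted for a directory of shell scripts. Suggest `COPY ./bin /usr/local/bin`. The diffstat already records the new scripts as mode 100755, so the following `RUN chmod a+x /usr/local/bin/*` is only a safety net for build contexts that drop the executable bit, which is worth stating, e.g. `# chmod: belt-and-braces for contexts that lose exec bits (e.g. Windows checkouts)`.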
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+#
+# Import/export EasyRSA default settings
+#
+
+set -ex
+
+if [ $# -lt 1 ]; then
+ echo "No command provided"
+ echo
+ echo "$0 export > /path/to/file"
+ echo "$0 import < /path/to/file"
+ exit 1
+fi
+
+cmd=$1
+shift
+
+case "$cmd" in
+ export)
+ if [ -f "$EASYRSA_VARS_FILE" ]; then
+ cat "$EASYRSA_VARS_FILE"
+ else
+ cat "$EASYRSA/vars.example"
+ fi
+ ;;
+ import)
+ cat > "$EASYRSA_VARS_FILE"
+ ;;
+ *)
+ echo "Unknown cmd \"$cmd\""
+ exit 2
+ ;;
+esac
diff --git a/bin/openvpn.sh b/bin/openvpn.sh
deleted file mode 100755
index 154d406..0000000
--- a/bin/openvpn.sh
+++ /dev/null
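Review bot: The usage and error messages in bin/easyrsa_vars go to stdout, yet the documented invocation is `easyrsa_vars export > /path/to/file`, so a missing or mistyped subcommand writes the usage text into the target file instead of to the terminal; send them to stderr, e.g. `echo "No command provided" >&2` and `echo "Unknown cmd \"$cmd\"" >&2`. The `import` branch also redirects into `"$EASYRSA_VARS_FILE"` without checking that the variable is set — the Dockerfile hunk shown exports only OPENVPN and EASYRSA, so if EASYRSA_VARS_FILE is defined it is somewhere not visible here — and an empty value turns `cat > ""` into an opaque shell redirection error. A guard before the `case`, `: "${EASYRSA_VARS_FILE:?EASYRSA_VARS_FILE must be set}"`, makes the failure explicit; `set -e` already stops the script on the failed redirection, so only the diagnostic is at stake.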
@@ -1,152 +0,0 @@ -#!/bin/bash -# -# OpenVPN + Docker Wrapper Script -# - -set -ex - -abort() { - echo "Error: $@" - exit 1 -} - -if [ $# -lt 1 ]; then - abort "No command specified" -fi - -do_openvpn() { - mkdir -p /dev/net - if [ ! -c /dev/net/tun ]; then - mknod /dev/net/tun c 10 200 - fi - - iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE - - openvpn --config "$OPENVPN/udp1194.conf" -} - -do_init() { - cn=$1 - - # Provides a sufficient warning before erasing pre-existing files - easyrsa init-pki - - # For a CA key with a password, manually init; this is autopilot - easyrsa build-ca nopass - - easyrsa gen-dh - openvpn --genkey --secret $OPENVPN/pki/ta.key - - if [ -z "$cn"]; then - #TODO: Handle IPv6 (when I get a VPS with IPv6)... - ip4=$(dig +short myip.opendns.com @resolver1.opendns.com) - ptr=$(dig +short -x $ip4 | sed -e 's:\.$::') - - [ -n "$ptr" ] && cn=$ptr || cn=$ip4 - fi - - echo "$cn" > $OPENVPN/servername - - easyrsa build-server-full $cn nopass - - [ -f "$OPENVPN/udp1194.conf" ] || cat > "$OPENVPN/udp1194.conf" < -$(cat $EASYRSA_PKI/private/$cn.key) - - -$(cat $EASYRSA_PKI/issued/$cn.crt) - - -$(cat $EASYRSA_PKI/ca.crt) - - -$(cat $EASYRSA_PKI/dh.pem) - -# -#$(echo cat $EASYRSA_PKI/ta.key) -# -#key-direction 1 - - -remote $servername 1194 udp - -EOF -} - -# Read arguments from command line -cmd=$1 -shift - -case "$cmd" in - # nop for volume creation - init) - do_init "$@" - ;; - easyrsa) - easyrsa "$@" - ;; - easyrsa-export-vars) - if [ -f "$EASYRSA_VARS_FILE" ]; then - cat "$EASYRSA_VARS_FILE" - else - cat "$EASYRSA/vars.example" - fi - ;; - easyrsa-import-vars) - cat > "$EASYRSA_VARS_FILE" - ;; - bash) - $cmd "$@" - ;; - getclientconfig) - do_getclientconfig "$@" - ;; - openvpn) - do_openvpn "$@" - ;; - log) - tail -F /tmp/openvpn-status-1194.log - ;; - *) - abort "Unknown cmd \"$cmd\"" - ;; -esac diff --git a/bin/ovpn_getclient b/bin/ovpn_getclient new file mode 100755 index 0000000..b455dbc --- /dev/null 
+++ b/bin/ovpn_getclient @@ -0,0 +1,48 @@ +#!/bin/sh + +# +# Get an OpenVPN client configuration file +# + +set -ex + +cn=$1 + +if [ -z "$cn" ]; then + echo "Common name not specified" + exit 1 +fi + +if [ ! -f "$EASYRSA_PKI/private/$cn.key" ]; then + easyrsa build-server-full $cn nopass +fi + +servername=$(cat $OPENVPN/servername) + +cat < +$(cat $EASYRSA_PKI/private/$cn.key) + + +$(cat $EASYRSA_PKI/issued/$cn.crt) + + +$(cat $EASYRSA_PKI/ca.crt) + + +$(cat $EASYRSA_PKI/dh.pem) + +# +#$(echo cat $EASYRSA_PKI/ta.key) +# +#key-direction 1 + + +remote $servername 1194 udp + +EOF diff --git a/bin/ovpn_init b/bin/ovpn_init new file mode 100755 index 0000000..738975a --- /dev/null +++ b/bin/ovpn_init @@ -0,0 +1,57 @@ +#!/bin/sh + +# +# Initialize the PKI and OpenVPN configs +# + +set -ex + +cn=$1 + +if [ -z "$cn" ]; then + echo "Common name not specified" + exit 1 +fi + +# Provides a sufficient warning before erasing pre-existing files +easyrsa init-pki + +# For a CA key with a password, manually init; this is autopilot +easyrsa build-ca nopass + +easyrsa gen-dh +openvpn --genkey --secret $OPENVPN/pki/ta.key + +if [ -z "$cn"]; then + #TODO: Handle IPv6 (when I get a VPS with IPv6)... + ip4=$(dig +short myip.opendns.com @resolver1.opendns.com) + ptr=$(dig +short -x $ip4 | sed -e 's:\.$::') + + [ -n "$ptr" ] && cn=$ptr || cn=$ip4 +fi + +echo "$cn" > $OPENVPN/servername + +easyrsa build-server-full $cn nopass + +[ -f "$OPENVPN/udp1194.conf" ] || cat > "$OPENVPN/udp1194.conf" <
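Review bot: In bin/ovpn_getclient the fallback under `if [ ! -f "$EASYRSA_PKI/private/$cn.key" ]` runs `easyrsa build-server-full $cn nopass`, but this script emits a client profile; EasyRSA's server type issues a certificate with the server extendedKeyUsage/nsCertType, so every client created this way holds a certificate that OpenVPN clients verifying `remote-cert-tls server` would accept as the VPN server's, letting any such client impersonate the server to the others. It should be `easyrsa build-client-full "$cn" nopass`. `$cn` is also used unquoted and unvalidated in the key/cert paths and the `$(cat …)` substitutions, so a name containing `/` or `..` reads files outside the PKI directory; reject anything outside a safe charset first, e.g. `case "$cn" in *[!A-Za-z0-9._-]*) echo "Invalid common name" >&2; exit 1 ;; esac`. The heredoc that prints the profile appears to have lost its `<<EOF` delimiter and inline tags in this rendering, so I have not reviewed its contents, but note that the `ta.key` section is commented out while ovpn_init generates `ta.key`; that is only consistent if the server config (not in view) does not enable tls-auth.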