ovpn_run: Assume /etc/openvpn is read-only

* Systemd service currently marks the mount as read-only, and this is regarded as good practice for server/daemon only operation. * Don't create /etc/openvpn/ccd as the mount may be read-only. * Append the client-config-dir command line argument if it is found to avoid mkdir operation. * Mount can easily be modified using a different docker run line with ":ro" on the volume mount.
2015-07-27 20:20:46 -07:00 · 2015-07-27 20:20:46 -07:00 · 34d9601e6e
commit 34d9601e6e
parent 5a1e642177
2 changed files with 7 additions and 6 deletions
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@ -171,8 +171,6 @@ port 1194
 dev tun0
 status /tmp/openvpn-status.log

-client-config-dir $OPENVPN/ccd
-
 user nobody
 group nogroup
 EOF
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@ -10,6 +10,9 @@ fi

 set -e

+# Build runtime arguments array based on environment
+ARGS=("--config" "$OPENVPN/openvpn.conf")
+
 source "$OPENVPN/ovpn_env.sh"

 mkdir -p /dev/net
@ -17,8 +20,8 @@ if [ ! -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
 fi

-if [ ! -d "$OPENVPN/ccd" ]; then
-    mkdir -p /etc/openvpn/ccd
+if [ -d "$OPENVPN/ccd" ]; then
+    ARGS+=("--client-config-dir" "$OPENVPN/ccd")
 fi

 # Setup NAT forwarding if requested
@ -40,7 +43,7 @@ if [ -r "$EASYRSA_PKI/crl.pem" ]; then
        ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
        chmod 644 "$OPENVPN/crl.pem"
    fi
-    ARGS=("--crl-verify" "$OPENVPN/crl.pem")
+    ARGS+=("--crl-verify" "$OPENVPN/crl.pem")
 fi

 ip -6 route show default 2>/dev/null
@ -56,5 +59,5 @@ fi
 if [ "$#" -gt 0 ]; then
    exec openvpn "$@"
 else
-    exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
+    exec openvpn ${ARGS[@]}
 fi