ovpn_run: Assume /etc/openvpn is read-only

* Systemd service currently marks the mount as read-only, and this is
  regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument only when the
  directory already exists, so no mkdir operation is needed.
* Mount can easily be modified using a different docker run line with
  ":ro" on the volume mount.
Kyle Manna 2015-07-27 20:20:46 -07:00
parent 5a1e642177
commit 34d9601e6e
2 changed files with 7 additions and 6 deletions


@ -171,8 +171,6 @@ port 1194
dev tun0
status /tmp/openvpn-status.log
client-config-dir $OPENVPN/ccd
user nobody
group nogroup
EOF


@ -10,6 +10,9 @@ fi
set -e
# Build runtime arguments array based on environment
ARGS=("--config" "$OPENVPN/openvpn.conf")
source "$OPENVPN/ovpn_env.sh"
mkdir -p /dev/net
@ -17,8 +20,8 @@ if [ ! -c /dev/net/tun ]; then
mknod /dev/net/tun c 10 200
fi
if [ ! -d "$OPENVPN/ccd" ]; then
mkdir -p /etc/openvpn/ccd
if [ -d "$OPENVPN/ccd" ]; then
ARGS+=("--client-config-dir" "$OPENVPN/ccd")
fi
# Setup NAT forwarding if requested
@ -40,7 +43,7 @@ if [ -r "$EASYRSA_PKI/crl.pem" ]; then
ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
chmod 644 "$OPENVPN/crl.pem"
fi
ARGS=("--crl-verify" "$OPENVPN/crl.pem")
ARGS+=("--crl-verify" "$OPENVPN/crl.pem")
fi
ip -6 route show default 2>/dev/null
@ -56,5 +59,5 @@ fi
if [ "$#" -gt 0 ]; then
exec openvpn "$@"
else
exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
exec openvpn ${ARGS[@]}
fi
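Review bot: The new `exec openvpn ${ARGS[@]}` line in the last hunk leaves the array expansion unquoted, so any element containing whitespace or glob characters (an `$OPENVPN` path with a space, for instance) is word-split or expanded before openvpn sees it; it should read `exec openvpn "${ARGS[@]}"`. The removed line had the same unquoted form, so the commit carries the defect forward rather than introducing it, but this is the right moment to fix it since every option now flows through that array. Separately, moving `--config` from the end of the command line to the front of ARGS (first hunk) changes the order in which OpenVPN sees the config-file directives relative to `--client-config-dir` and `--crl-verify`; as far as I recall OpenVPN applies options in the order given, so later ones can override earlier ones — this looks intended now that the generated config no longer sets client-config-dir, but a short comment on the `ARGS=(...)` line such as `# --config first so options appended below take precedence over the file` would make that deliberate.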