From 34d9601e6ebed24aed2ac18840e113b5aac204b9 Mon Sep 17 00:00:00 2001
From: Kyle Manna
Date: Mon, 27 Jul 2015 20:20:46 -0700
Subject: [PATCH] ovpn_run: Assume /etc/openvpn is read-only

* Systemd service currently marks the mount as read-only, and this is regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to avoid mkdir operation.
* Mount can easily be modified using a different docker run line with ":ro" on the volume mount.
---
 bin/ovpn_genconfig | 2 --
 bin/ovpn_run | 11 +++++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/bin/ovpn_genconfig b/bin/ovpn_genconfig
index 894133d..974c344 100755
--- a/bin/ovpn_genconfig
+++ b/bin/ovpn_genconfig
@@ -171,8 +171,6 @@ port 1194
 dev tun0
 status /tmp/openvpn-status.log
 
-client-config-dir $OPENVPN/ccd
-
 user nobody
 group nogroup
 EOF
diff --git a/bin/ovpn_run b/bin/ovpn_run
index b58e82e..b91da3a 100755
--- a/bin/ovpn_run
+++ b/bin/ovpn_run
@@ -10,6 +10,9 @@ fi
 
 set -e
 
+# Build runtime arguments array based on environment
+ARGS=("--config" "$OPENVPN/openvpn.conf")
+
 source "$OPENVPN/ovpn_env.sh"
 
 mkdir -p /dev/net
@@ -17,8 +20,8 @@ if [ ! -c /dev/net/tun ]; then
 mknod /dev/net/tun c 10 200
 fi
 
-if [ ! -d "$OPENVPN/ccd" ]; then
- mkdir -p /etc/openvpn/ccd
+if [ -d "$OPENVPN/ccd" ]; then
+ ARGS+=("--client-config-dir" "$OPENVPN/ccd")
 fi
 
 # Setup NAT forwarding if requested
@@ -40,7 +43,7 @@ if [ -r "$EASYRSA_PKI/crl.pem" ]; then
 ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
 chmod 644 "$OPENVPN/crl.pem"
 fi
- ARGS=("--crl-verify" "$OPENVPN/crl.pem")
+ ARGS+=("--crl-verify" "$OPENVPN/crl.pem")
 fi
 
 ip -6 route show default 2>/dev/null
@@ -56,5 +59,5 @@ fi
 if [ "$#" -gt 0 ]; then
 exec openvpn "$@"
 else
- exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
+ exec openvpn ${ARGS[@]}
 fi
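Review bot: When `$OPENVPN/ccd` is absent, the rewritten `if [ -d "$OPENVPN/ccd" ]` branch in ovpn_run starts OpenVPN with no `--client-config-dir` at all, whereas before this commit the directory was always created and the generated config always referenced it; a deployment that relies on per-client ccd entries (iroute, ccd-exclusive) would lose them with nothing in the logs to show why. A diagnostic in an `else` arm would make the new behaviour visible: `else` / `printf 'ccd dir %s not found; client-config-dir disabled\n' "$OPENVPN/ccd" >&2`. The hunk is self-contained, so this is the only place the decision is made.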
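Review bot: The `ln`/`chmod` context lines directly above the changed `ARGS+=("--crl-verify" ...)` still write `crl.pem` into `$OPENVPN`, which the commit description says is mounted read-only; with `set -e` in effect (first ovpn_run hunk) a failing `ln` would abort startup before the new line is reached, so the read-only assumption is only half applied. Either guard the copy, e.g. `[ -w "$OPENVPN" ] || { printf 'cannot place crl.pem in read-only %s\n' "$OPENVPN" >&2; exit 1; }`, or reference the CRL from `$EASYRSA_PKI/crl.pem` directly, provided it stays readable after the drop to `user nobody` seen in the ovpn_genconfig hunk. Both enclosing `if` blocks begin outside the hunk, so the exact condition under which `ln` runs is not visible here.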
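Review bot: `exec openvpn ${ARGS[@]}` keeps the array expansion unquoted, so any element containing whitespace or glob characters is re-split before `openvpn` sees it; both the `--config` element added in the first hunk and the `--client-config-dir` element added in the second embed `$OPENVPN`, a path taken from the environment. The new line should read `exec openvpn "${ARGS[@]}"`. Note also that the `"$@"` branch above bypasses `ARGS` entirely, so `--crl-verify` and `--client-config-dir` are not applied when the container is started with explicit arguments; whether that is intended is not visible from this hunk.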