ovpn_run: Assume /etc/openvpn is read-only

* Systemd service currently marks the mount as read-only, and this is
  regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to
  avoid mkdir operation.
* Mount can easily be modified using a different docker run line with
  ":ro" on the volume mount.

bin/ovpn_genconfig

@@ -171,8 +171,6 @@ port 1194
 dev tun0
 status /tmp/openvpn-status.log
 
-client-config-dir $OPENVPN/ccd
-
 user nobody
 group nogroup
 EOF

bin/ovpn_run

@@ -10,6 +10,9 @@ fi
 
 set -e
 
+# Build runtime arguments array based on environment
+ARGS=("--config" "$OPENVPN/openvpn.conf")
+
 source "$OPENVPN/ovpn_env.sh"
 
 mkdir -p /dev/net
@@ -17,8 +20,8 @@ if [ ! -c /dev/net/tun ]; then
     mknod /dev/net/tun c 10 200
 fi
 
-if [ ! -d "$OPENVPN/ccd" ]; then
+if [ -d "$OPENVPN/ccd" ]; then
-    mkdir -p /etc/openvpn/ccd
+    ARGS+=("--client-config-dir" "$OPENVPN/ccd")
 fi
 
 # Setup NAT forwarding if requested
@@ -40,7 +43,7 @@ if [ -r "$EASYRSA_PKI/crl.pem" ]; then
         ln "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
         chmod 644 "$OPENVPN/crl.pem"
     fi
-    ARGS=("--crl-verify" "$OPENVPN/crl.pem")
+    ARGS+=("--crl-verify" "$OPENVPN/crl.pem")
 fi
 
 ip -6 route show default 2>/dev/null
@@ -56,5 +59,5 @@ fi
 if [ "$#" -gt 0 ]; then
     exec openvpn "$@"
 else
-    exec openvpn ${ARGS[@]} --config "$OPENVPN/openvpn.conf"
+    exec openvpn ${ARGS[@]}
 fi