diff --git a/README.md b/README.md index 61c33d3..ed1f4e5 100644 --- a/README.md +++ b/README.md 
@@ -22,38 +22,32 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq). ## Quick Start -* Create the `$OVPN_DATA` volume container, i.e. `OVPN_DATA="ovpn-data"` +* Pick a name for the `$OVPN_DATA` data volume container, it will be created automatically. - docker run --name $OVPN_DATA -v /etc/openvpn busybox + OVPN_DATA="ovpn-data" * Initialize the `$OVPN_DATA` container that will hold the configuration files and certificates - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM - docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki * Start OpenVPN server process - - On Docker [version 1.2](http://blog.docker.com/2014/08/announcing-docker-1-2-0/) and newer - - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn - - - On Docker older than version 1.2 - - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged kylemanna/openvpn + docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn * Generate a client certificate without a passphrase - docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass * Retrieve the client configuration with embedded certificates - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn ## Debugging Tips * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). 
- docker run --volumes-from $OVPN_DATA -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn + docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn * Test using a client that has openvpn installed correctly @@ -80,7 +74,7 @@ The OpenVPN server is started with the default run cmd of `ovpn_run` The configuration is located in `/etc/openvpn`, and the Dockerfile declares that directory as a volume. It means that you can start another -container with the `--volumes-from` flag, and access the configuration. +container with the `-v` argument, and access the configuration. The volume also holds the PKI keys and certs so that it could be backed up. To generate a client certificate, `kylemanna/openvpn` uses EasyRSA via the @@ -153,11 +147,11 @@ OpenVPN with latest OpenSSL on Ubuntu 12.04 LTS). ### It Doesn't Stomp All Over the Server's Filesystem Everything for the Docker container is contained in two images: the ephemeral -run time image (kylemanna/openvpn) and the data image (using busybox as a -base). To remove it, remove the two Docker images and corresponding containers -and it's all gone. This also makes it easier to run multiple servers since -each lives in the bubble of the container (of course multiple IPs or separate -ports are needed to communicate with the world). +run time image (kylemanna/openvpn) and the `$OVPN_DATA` data volume. To remove +it, remove the corresponding containers, `$OVPN_DATA` data volume and Docker +image and it's completely removed. This also makes it easier to run multiple +servers since each lives in the bubble of the container (of course multiple IPs +or separate ports are needed to communicate with the world). ### Some (arguable) Security Benefits diff --git a/docs/advanced.md b/docs/advanced.md index 59cb9be..ad7c8b3 100644 --- a/docs/advanced.md +++ b/docs/advanced.md 
@@ -4,7 +4,7 @@ The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple config ## Create host volume mounts rather than data volumes -* Refer to the Quick Start document, and substitute `--volumes-from $OVPN_DATA` with `-v /path/on/host/openvpn0:/etc/openvpn` +* Refer to the Quick Start document, and substitute `-v $OVPN_DATA:/etc/openvpn` with `-v /path/on/host/openvpn0:/etc/openvpn` * Quick example that is likely to be out of date, but here's how to get started: mkdir openvpn0 diff --git a/docs/backup.md b/docs/backup.md index e7729c8..fba4a76 100644 --- a/docs/backup.md +++ b/docs/backup.md @@ -11,10 +11,10 @@ I'd recommend encrypting the archive with something strong (e.g. gpg or openssl ## Backup to Archive - docker run --volumes-from $OVPN_DATA --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz ## Restore to New Container Assumes an existing container named `$OVPN_DATA` to extract the data over the top. - xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i busybox tar -xvf - -C /etc + xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i kylemanna/openvpn tar -xvf - -C /etc diff --git a/docs/clients.md b/docs/clients.md index f6606e6..ead50c0 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -13,7 +13,7 @@ Note that some client software might be picky about which configuration format i See an overview of the configured clients, including revokation status: - docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn ovpn_listclients + docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients ## Batch Mode 
@@ -21,7 +21,7 @@ If you have more than a few clients, you will want to generate and update your c Execute the following to generate the configuration for all clients: - docker run --rm -it --volumes-from $OVPN_DATA --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all + docker run --rm -it -v $OVPN_DATA:/etc/openvpn --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all After doing so, you will find the following files in each of the `$cn` directories: @@ -36,7 +36,7 @@ After doing so, you will find the following files in each of the `$cn` directori Revoke `client1`'s certificate and generate the certificate revocation list (CRL): - docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1 - docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl + docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn easyrsa revoke client1 + docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn easyrsa gen-crl The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates. diff --git a/docs/debug.md b/docs/debug.md index 8b55554..ef59366 100644 --- a/docs/debug.md +++ b/docs/debug.md @@ -7,7 +7,7 @@ Random things I do to debug the containers. * Create a shell in the running docker container (aka namespace) with [nsenter](https://github.com/jpetazzo/nsenter) * If you don't have nsenter/docker-enter, you can mount the data container and modify it with - docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn bash -l + docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn bash -l ## Stream OpenVPN Logs diff --git a/docs/faqs.md b/docs/faqs.md index 61465f1..2247075 100644 --- a/docs/faqs.md +++ b/docs/faqs.md 
@@ -4,7 +4,7 @@ Use a Docker image with a text editor pre-installed (i.e. Ubuntu) and connect the volume container: - docker run --volumes-from $OVPN_DATA --rm -it ubuntu vi /etc/openvpn/openvpn.conf + docker run -v $OVPN_DATA:/etc/openvpn --rm -it ubuntu vi /etc/openvpn/openvpn.conf ## Why not keep everything in one image? diff --git a/docs/otp.md b/docs/otp.md index 932279b..ad2ce86 100644 --- a/docs/otp.md +++ b/docs/otp.md @@ -13,15 +13,15 @@ In order to enable two factor authentication the following steps are required. * Generate server configuration with `-2` option - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 * Generate your client certificate (possibly without a password since you're using OTP) - docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full nopass + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full nopass * Generate authentication configuration for your client. -t is needed to show QR code, -i is optional for interactive usage - docker run --volumes-from $OVPN_DATA --rm -t kylemanna/openvpn ovpn_otp_user + docker run -v $OVPN_DATA:/etc/openvpn --rm -t kylemanna/openvpn ovpn_otp_user The last step will generate OTP configuration for the provided user with the following options @@ -62,7 +62,7 @@ If something is not working you can verify your PAM setup with these commands ``` # Start a shell in container -docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn bash +docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn bash # Then in container you have pamtester utility already installed which pamtester # To check authentication use this command that will prompt for a valid code from Authenticator APP diff --git a/docs/paranoid.md b/docs/paranoid.md index 44dd119..974aa90 100644 
--- a/docs/paranoid.md +++ b/docs/paranoid.md @@ -22,7 +22,7 @@ If you want to select the cyphers used by OpenVPN the following parameters of th The following options have been tested successfully: - docker run --volumes-from $OVPN_DATA --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384' + docker run -v $OVPN_DATA:/etc/openvpn --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384' Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue: diff --git a/docs/static-ips.md b/docs/static-ips.md index f96dd54..05d6328 100644 --- a/docs/static-ips.md +++ b/docs/static-ips.md @@ -6,7 +6,7 @@ The docker image is setup for static client configuration on the 192.168.254.0/2 1. Create a client specific configuration: - $ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from $OVPN_DATA -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME + $ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run -v $OVPN_DATA:/etc/openvpn -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME ifconfig-push 192.168.254.1 192.168.254.2 2. Wait for client to reconnect if necessary @@ -15,10 +15,10 @@ The docker image is setup for static client configuration on the 192.168.254.0/2 Login to the data volume with a `bash` container, note only changes in /etc/openvpn will persist: - docker run --volumes-from $OVPN_DATA -it --rm kylemanna/openvpn bash -l + docker run -v $OVPN_DATA:/etc/openvpn -it --rm kylemanna/openvpn bash -l ## Upgrading from Old OpenVPN Configurations If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following: - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig 
diff --git a/docs/tcp.md b/docs/tcp.md index 87afc3b..1bc62b7 100644 --- a/docs/tcp.md +++ b/docs/tcp.md @@ -10,18 +10,18 @@ Another example would be trying to open a VPN connection from within a very rest ## Using TCP Those requiring TCP connections should initialize the data container by specifying the TCP protocol and port number: - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u tcp://VPN.SERVERNAME.COM:443 - docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp://VPN.SERVERNAME.COM:443 + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki Because the server container always exposes port 1194, regardless of the specified protocol, adjust the mapping appropriately: - docker run --volumes-from $OVPN_DATA -d -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn + docker run -v $OVPN_DATA:/etc/openvpn -d -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn ## Running a Second Fallback TCP Container Instead of choosing between UDP and TCP, you can use both. A single instance of OpenVPN can only listen for a single protocol on a single port, but this image makes it easy to run two instances simultaneously. After building, configuring, and starting a standard container listening for UDP traffic on 1194, you can start a second container listening for tcp traffic on port 443: - docker run --volumes-from $OVPN_DATA --rm -p 443:1194/tcp --privileged kylemanna/openvpn ovpn_run --proto tcp + docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged kylemanna/openvpn ovpn_run --proto tcp `ovpn_run` will load all the values from the default config file, and `--proto tcp` will override the protocol setting. diff --git a/init/docker-openvpn@.service b/init/docker-openvpn@.service index a601536..31925fb 100644 --- a/init/docker-openvpn@.service +++ b/init/docker-openvpn@.service 
@@ -32,7 +32,7 @@ ExecStartPre=-/usr/bin/docker pull $IMG ExecStartPre=/bin/sh -c 'test -z "$IP6_PREFIX" && exit 0; sysctl net.ipv6.conf.all.forwarding=1' # Main process -ExecStart=/usr/bin/docker run --rm --privileged --volumes-from ${DATA_VOL}:ro --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS +ExecStart=/usr/bin/docker run --rm --privileged -v ${DATA_VOL}:/etc/openvpn:ro --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS # IPv6: Add static route for IPv6 after it starts up ExecStartPost=/bin/sh -c 'test -z "${IP6_PREFIX}" && exit 0; sleep 1; ip route replace ${IP6_PREFIX} via $(docker inspect -f "{{ .NetworkSettings.GlobalIPv6Address }}" $NAME ) dev docker0' diff --git a/init/upstart.init b/init/upstart.init index b5b926e..aebe59f 100644 --- a/init/upstart.init +++ b/init/upstart.init @@ -4,5 +4,5 @@ start on filesystem and started docker stop on runlevel [!2345] respawn script - exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn + exec docker run -v ovpn-data:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn end script diff --git a/test/tests/basic/run.sh b/test/tests/basic/run.sh index 9104968..f1013bc 100755 --- a/test/tests/basic/run.sh +++ b/test/tests/basic/run.sh 
@@ -8,23 +8,18 @@ CLIENT=travis-client IMG=kylemanna/openvpn CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" -# -# Create a docker container with the config data -# -docker run --name $OVPN_DATA -v /etc/openvpn busybox - ip addr ls SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1) -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u udp://$SERV_IP +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP # nopass is insecure -docker run --volumes-from $OVPN_DATA --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass +docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass -docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT nopass +docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT nopass -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT | tee $CLIENT_DIR/config.ovpn +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | tee $CLIENT_DIR/config.ovpn -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT # # Fire up the server @@ -32,7 +27,7 @@ docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT sudo iptables -N DOCKER || echo 'Firewall already configured' sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' # run in shell bg to get logs -docker run --name "ovpn-test" --volumes-from $OVPN_DATA --rm -p 1194:1194/udp --privileged $IMG & +docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & #for i in $(seq 10); do # SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') 
diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh index 46bbbbb..5696252 100755 --- a/test/tests/dual-proto/run.sh +++ b/test/tests/dual-proto/run.sh 
@@ -9,32 +9,27 @@ CLIENT_TCP=travis-client-tcp IMG=kylemanna/openvpn CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" -# -# Create a docker container with the config data -# -docker run --name $OVPN_DATA -v /etc/openvpn busybox - ip addr ls SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1) # get temporary TCP config -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u tcp://$SERV_IP:443 +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u tcp://$SERV_IP:443 # nopass is insecure -docker run --volumes-from $OVPN_DATA --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass +docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass # gen TCP client -docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT_TCP nopass -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT_TCP | tee $CLIENT_DIR/config-tcp.ovpn +docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT_TCP nopass +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT_TCP | tee $CLIENT_DIR/config-tcp.ovpn # switch to UDP config and gen UDP client -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u udp://$SERV_IP -docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT_UDP nopass -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT_UDP | tee $CLIENT_DIR/config.ovpn +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP +docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT_UDP nopass +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT_UDP | tee $CLIENT_DIR/config.ovpn #Verify client configs -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT_TCP -docker run 
--volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT_UDP +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_TCP +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_UDP # # Fire up the server @@ -43,8 +38,8 @@ sudo iptables -N DOCKER || echo 'Firewall already configured' sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' # run in shell bg to get logs -docker run --name "ovpn-test-udp" --volumes-from $OVPN_DATA --rm -p 1194:1194/udp --privileged $IMG & -docker run --name "ovpn-test-tcp" --volumes-from $OVPN_DATA --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp & +docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & +docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp & # # Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh index 40c4077..4cb53ca 100755 --- a/test/tests/otp/run.sh +++ b/test/tests/otp/run.sh 
@@ -12,23 +12,18 @@ CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" # Function to fail abort() { cat <<< "$@" 1>&2; exit 1; } -# -# Create a docker container with the config data -# -docker run --name $OVPN_DATA -v /etc/openvpn busybox - ip addr ls SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1) # Configure server with two factor authentication -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2 +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2 # nopass is insecure -docker run --volumes-from $OVPN_DATA --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass +docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass -docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT nopass +docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT nopass # Generate OTP credentials for user named test, should return QR code for test user -docker run --volumes-from $OVPN_DATA --rm -it $IMG ovpn_otp_user $OTP_USER | tee $CLIENT_DIR/qrcode.txt +docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG ovpn_otp_user $OTP_USER | tee $CLIENT_DIR/qrcode.txt # Ensure a chart link is printed in client OTP configuration grep 'https://www.google.com/chart' $CLIENT_DIR/qrcode.txt || abort 'Link to chart not generated' grep 'Your new secret key is:' $CLIENT_DIR/qrcode.txt || abort 'Secret key is missing' 
@@ -43,7 +38,7 @@ fi echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt # Override the auth-user-pass directive to use a credentials file -docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn +docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn # # Fire up the server @@ -51,7 +46,7 @@ docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT | sed 's/a sudo iptables -N DOCKER || echo 'Firewall already configured' sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' # run in shell bg to get logs -docker run --name "ovpn-test" --volumes-from $OVPN_DATA --rm -p 1194:1194/udp --privileged $IMG & +docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & #for i in $(seq 10); do # SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')
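Review bot: the README Quick Start hunk (`@@ -22,38 +22,32 @@`) raises the minimum Docker version without saying so: `-v $OVPN_DATA:/etc/openvpn` is a named volume, which Docker only supports from 1.9 onward, yet the hunk deletes the old "Docker 1.2 and newer / older than 1.2" guidance and replaces it with nothing. The new bullet "Pick a name for the `$OVPN_DATA` data volume container, it will be created automatically." is also a comma splice and still calls the object a container; suggest "Pick a name for the `$OVPN_DATA` data volume; Docker creates it on first use (named volumes require Docker 1.9 or newer)."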
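Review bot: in the README "It Doesn't Stomp All Over the Server's Filesystem" hunk (`@@ -153,11 +147,11 @@`), the sentence "To remove it, remove the corresponding containers, `$OVPN_DATA` data volume and Docker image and it's completely removed." says remove three times and ends redundantly. Since this paragraph is the cleanup guidance, it should also state that `--rm` on the server container never deletes a named volume, so the PKI (including the CA key) stays on the host until it is removed explicitly; suggest "To remove it, delete the containers, the `$OVPN_DATA` volume (`docker volume rm $OVPN_DATA`) and the image; nothing else is left behind."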
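Review bot: the `docs/backup.md` hunk leaves the restore path broken against the new volume model. The updated command `xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i kylemanna/openvpn tar -xvf - -C /etc` still creates a container named `$OVPN_DATA` with an anonymous `/etc/openvpn` volume, so the restored files land somewhere none of the updated `-v $OVPN_DATA:/etc/openvpn` commands will look, and a subsequently started server silently gets a fresh, empty named volume instead. Suggest `xzcat openvpn-backup.tar.xz | docker run -v $OVPN_DATA:/etc/openvpn --rm -i kylemanna/openvpn tar -xvf - -C /etc`, and update the unchanged context sentence "Assumes an existing container named `$OVPN_DATA`" and the heading "Restore to New Container" to refer to the volume.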
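Review bot: the `docs/debug.md` hunk keeps the stale context sentence "you can mount the data container and modify it with" above the updated `docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn bash -l`; there is no data container any more, so say "mount the data volume" (same for the nsenter bullet's framing, which now describes a different object than the command below it).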
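Review bot: the `docs/faqs.md` hunk updates the command to `docker run -v $OVPN_DATA:/etc/openvpn --rm -it ubuntu vi /etc/openvpn/openvpn.conf` but leaves the lead-in "and connect the volume container" unchanged; reword to "and mount the data volume" so the prose matches the flag being used.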
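Review bot: in the `docs/otp.md` hunk (`@@ -13,15 +13,15 @@`), the touched line `docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full nopass` omits the client name that the README's equivalent `easyrsa build-client-full CLIENTNAME nopass` includes; as written, `nopass` is taken as the certificate name and the passphrase prompt the text says you are avoiding still appears. Likewise the touched `ovpn_otp_user` line passes no user, while the following sentence says "for the provided user" and the `test/tests/otp/run.sh` hunk calls `ovpn_otp_user $OTP_USER`. Since both lines are being rewritten anyway, add the missing arguments (e.g. `CLIENTNAME` and `USERNAME` placeholders) rather than carry the defect forward.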
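Review bot: the `init/docker-openvpn@.service` hunk changes the meaning of `${DATA_VOL}` from the name of a data container to a volume name (or a host path if it begins with `/`), but neither the unit nor the docs tell existing installations to migrate. Because `-v name:/path` creates an empty named volume when none exists, a host whose `DATA_VOL` still names the old busybox container will start a server against an empty, read-only `/etc/openvpn` with no obvious error pointing at the cause. Keeping `:ro` on the new `ExecStart` line is right; please add a comment there that `DATA_VOL` must now be a volume name, and document a one-time copy in the README, e.g. `docker run --rm --volumes-from OLD_DATA_CONTAINER -v $OVPN_DATA:/mnt kylemanna/openvpn cp -a /etc/openvpn/. /mnt/` (container name is a placeholder; the new volume is mounted at `/mnt` so it does not shadow the old one).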
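Review bot: in the `test/tests/basic/run.sh` hunk (`@@ -8,23 +8,18 @@`), removing the "Create a docker container with the config data" step makes the test depend on implicit state: `--rm` never deletes a named volume, so on a second run or a reused CI worker `$OVPN_DATA` already exists and `ovpn_initpki nopass` runs on top of an existing PKI, which can prompt or fail for reasons unrelated to the change under test. Suggest `docker volume rm $OVPN_DATA || true` at the top and an explicit `docker volume create --name $OVPN_DATA` so the setup is visible, plus a `docker volume rm` in the teardown; the same applies to the identical removals in the `dual-proto` and `otp` test hunks.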