misc: Switch from data container to data volume

* Use the `docker volume` mechanism.
* Less confusing and makes more sense.
* Released in ~ docker v1.9
This commit is contained in:
Kyle Manna 2016-09-03 16:08:49 -07:00
parent 9e7b363758
commit 379766fc5e
15 changed files with 60 additions and 81 deletions

View File

@ -22,38 +22,32 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq).
## Quick Start ## Quick Start
* Create the `$OVPN_DATA` volume container, i.e. `OVPN_DATA="ovpn-data"` * Pick a name for the `$OVPN_DATA` data volume container, it will be created automatically.
docker run --name $OVPN_DATA -v /etc/openvpn busybox OVPN_DATA="ovpn-data"
* Initialize the `$OVPN_DATA` container that will hold the configuration files and certificates * Initialize the `$OVPN_DATA` container that will hold the configuration files and certificates
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
* Start OpenVPN server process * Start OpenVPN server process
- On Docker [version 1.2](http://blog.docker.com/2014/08/announcing-docker-1-2-0/) and newer docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
- On Docker older than version 1.2
docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged kylemanna/openvpn
* Generate a client certificate without a passphrase * Generate a client certificate without a passphrase
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
* Retrieve the client configuration with embedded certificates * Retrieve the client configuration with embedded certificates
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
## Debugging Tips ## Debugging Tips
* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
docker run --volumes-from $OVPN_DATA -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
* Test using a client that has openvpn installed correctly * Test using a client that has openvpn installed correctly
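Review bot: the first two bullets still call `$OVPN_DATA` a container (`data volume container`, `Initialize the \`$OVPN_DATA\` container`) while the commands beside them now mount a named volume; suggest `data volume` in both and splitting the comma splice: `Pick a name for the \`$OVPN_DATA\` data volume; it will be created automatically.` The Debugging Tips command also keeps `--privileged` where the server start command above now uses `--cap-add=NET_ADMIN`; the debug run needs the same capability and nothing more, so use `--cap-add=NET_ADMIN` there as well rather than granting the full privileged set.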
@ -80,7 +74,7 @@ The OpenVPN server is started with the default run cmd of `ovpn_run`
The configuration is located in `/etc/openvpn`, and the Dockerfile The configuration is located in `/etc/openvpn`, and the Dockerfile
declares that directory as a volume. It means that you can start another declares that directory as a volume. It means that you can start another
container with the `--volumes-from` flag, and access the configuration. container with the `-v` argument, and access the configuration.
The volume also holds the PKI keys and certs so that it could be backed up. The volume also holds the PKI keys and certs so that it could be backed up.
To generate a client certificate, `kylemanna/openvpn` uses EasyRSA via the To generate a client certificate, `kylemanna/openvpn` uses EasyRSA via the
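Review bot: `container with the \`-v\` argument` drops the volume name, and `-v /etc/openvpn` on its own creates a fresh anonymous volume instead of attaching the shared one; suggest quoting the full form, `-v $OVPN_DATA:/etc/openvpn`, so readers copy the argument that actually reaches the configuration.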
@ -153,11 +147,11 @@ OpenVPN with latest OpenSSL on Ubuntu 12.04 LTS).
### It Doesn't Stomp All Over the Server's Filesystem ### It Doesn't Stomp All Over the Server's Filesystem
Everything for the Docker container is contained in two images: the ephemeral Everything for the Docker container is contained in two images: the ephemeral
run time image (kylemanna/openvpn) and the data image (using busybox as a run time image (kylemanna/openvpn) and the `$OVPN_DATA` data volume. To remove
base). To remove it, remove the two Docker images and corresponding containers it, remove the corresponding containers, `$OVPN_DATA` data volume and Docker
and it's all gone. This also makes it easier to run multiple servers since image and it's completely removed. This also makes it easier to run multiple
each lives in the bubble of the container (of course multiple IPs or separate servers since each lives in the bubble of the container (of course multiple IPs
ports are needed to communicate with the world). or separate ports are needed to communicate with the world).
### Some (arguable) Security Benefits ### Some (arguable) Security Benefits
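Review bot: `contained in two images` is no longer accurate on the new side, since a named volume is not an image; suggest `two pieces: the ephemeral run time image (kylemanna/openvpn) and the \`$OVPN_DATA\` data volume`. The next sentence also reads awkwardly (`To remove it, remove ... and it's completely removed`); `remove the containers, the \`$OVPN_DATA\` volume and the image, and nothing is left behind` says the same more cleanly, and it is worth stating that the volume needs an explicit `docker volume rm`, because stopping or removing the container does not delete a named volume and the PKI stays on disk until it is removed.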

View File

@ -4,7 +4,7 @@ The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple config
## Create host volume mounts rather than data volumes ## Create host volume mounts rather than data volumes
* Refer to the Quick Start document, and substitute `--volumes-from $OVPN_DATA` with `-v /path/on/host/openvpn0:/etc/openvpn` * Refer to the Quick Start document, and substitute `-v $OVPN_DATA:/etc/openvpn` with `-v /path/on/host/openvpn0:/etc/openvpn`
* Quick example that is likely to be out of date, but here's how to get started: * Quick example that is likely to be out of date, but here's how to get started:
mkdir openvpn0 mkdir openvpn0

View File

@ -11,10 +11,10 @@ I'd recommend encrypting the archive with something strong (e.g. gpg or openssl
## Backup to Archive ## Backup to Archive
docker run --volumes-from $OVPN_DATA --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz
## Restore to New Container ## Restore to New Container
Assumes an existing container named `$OVPN_DATA` to extract the data over the top. Assumes an existing container named `$OVPN_DATA` to extract the data over the top.
xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i busybox tar -xvf - -C /etc xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i kylemanna/openvpn tar -xvf - -C /etc
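Review bot: the restore command was not converted: `docker run --name $OVPN_DATA -v /etc/openvpn -i kylemanna/openvpn tar -xvf - -C /etc` still creates a container named `$OVPN_DATA` with an anonymous volume, so the archive is extracted into a volume the new `-v $OVPN_DATA:/etc/openvpn` commands never see (and `docker run --name` fails outright if a container of that name already exists). It should mount the named volume and not leave a container behind: `xzcat openvpn-backup.tar.xz | docker run -v $OVPN_DATA:/etc/openvpn --rm -i kylemanna/openvpn tar -xvf - -C /etc`. The sentence above it, `Assumes an existing container named \`$OVPN_DATA\``, should likewise say volume. Switching the backup command from busybox to kylemanna/openvpn is fine given the restore line already assumes that image ships `tar`.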

View File

@ -13,7 +13,7 @@ Note that some client software might be picky about which configuration format i
See an overview of the configured clients, including revokation status: See an overview of the configured clients, including revokation status:
docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn ovpn_listclients docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn ovpn_listclients
## Batch Mode ## Batch Mode
@ -21,7 +21,7 @@ If you have more than a few clients, you will want to generate and update your c
Execute the following to generate the configuration for all clients: Execute the following to generate the configuration for all clients:
docker run --rm -it --volumes-from $OVPN_DATA --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all docker run --rm -it -v $OVPN_DATA:/etc/openvpn --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all
After doing so, you will find the following files in each of the `$cn` directories: After doing so, you will find the following files in each of the `$cn` directories:
@ -36,7 +36,7 @@ After doing so, you will find the following files in each of the `$cn` directori
Revoke `client1`'s certificate and generate the certificate revocation list (CRL): Revoke `client1`'s certificate and generate the certificate revocation list (CRL):
docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1 docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn easyrsa revoke client1
docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn easyrsa gen-crl
The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates. The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates.

View File

@ -7,7 +7,7 @@ Random things I do to debug the containers.
* Create a shell in the running docker container (aka namespace) with [nsenter](https://github.com/jpetazzo/nsenter) * Create a shell in the running docker container (aka namespace) with [nsenter](https://github.com/jpetazzo/nsenter)
* If you don't have nsenter/docker-enter, you can mount the data container and modify it with * If you don't have nsenter/docker-enter, you can mount the data container and modify it with
docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn bash -l docker run --rm -it -v $OVPN_DATA:/etc/openvpn kylemanna/openvpn bash -l
## Stream OpenVPN Logs ## Stream OpenVPN Logs
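Review bot: `mount the data container` in the bullet is stale now that the command attaches the `$OVPN_DATA` named volume; suggest `mount the data volume`. A one-line reminder that this shell has read-write access to the CA material under `/etc/openvpn` would fit here too, since the bullet presents it as a debugging fallback.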

View File

@ -4,7 +4,7 @@
Use a Docker image with a text editor pre-installed (i.e. Ubuntu) and connect the volume container: Use a Docker image with a text editor pre-installed (i.e. Ubuntu) and connect the volume container:
docker run --volumes-from $OVPN_DATA --rm -it ubuntu vi /etc/openvpn/openvpn.conf docker run -v $OVPN_DATA:/etc/openvpn --rm -it ubuntu vi /etc/openvpn/openvpn.conf
## Why not keep everything in one image? ## Why not keep everything in one image?

View File

@ -13,15 +13,15 @@ In order to enable two factor authentication the following steps are required.
* Generate server configuration with `-2` option * Generate server configuration with `-2` option
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2 docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://vpn.example.com -2
* Generate your client certificate (possibly without a password since you're using OTP) * Generate your client certificate (possibly without a password since you're using OTP)
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full <user> nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full <user> nopass
* Generate authentication configuration for your client. -t is needed to show QR code, -i is optional for interactive usage * Generate authentication configuration for your client. -t is needed to show QR code, -i is optional for interactive usage
docker run --volumes-from $OVPN_DATA --rm -t kylemanna/openvpn ovpn_otp_user <user> docker run -v $OVPN_DATA:/etc/openvpn --rm -t kylemanna/openvpn ovpn_otp_user <user>
The last step will generate OTP configuration for the provided user with the following options The last step will generate OTP configuration for the provided user with the following options
@ -62,7 +62,7 @@ If something is not working you can verify your PAM setup with these commands
``` ```
# Start a shell in container # Start a shell in container
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn bash docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn bash
# Then in container you have pamtester utility already installed # Then in container you have pamtester utility already installed
which pamtester which pamtester
# To check authentication use this command that will prompt for a valid code from Authenticator APP # To check authentication use this command that will prompt for a valid code from Authenticator APP

View File

@ -22,7 +22,7 @@ If you want to select the cyphers used by OpenVPN the following parameters of th
The following options have been tested successfully: The following options have been tested successfully:
docker run --volumes-from $OVPN_DATA --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384' docker run -v $OVPN_DATA:/etc/openvpn --net=none --rm kylemanna/openvpn ovpn_genconfig -C 'AES-256-CBC' -a 'SHA384'
Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue: Changing the `tls-cipher` option seems to be more complicated because some clients (namely NetworkManager in Debian Jessie) seem to have trouble with this. Running `openvpn` manually also did not solve the issue:

View File

@ -6,7 +6,7 @@ The docker image is setup for static client configuration on the 192.168.254.0/2
1. Create a client specific configuration: 1. Create a client specific configuration:
$ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from $OVPN_DATA -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME $ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run -v $OVPN_DATA:/etc/openvpn -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME
ifconfig-push 192.168.254.1 192.168.254.2 ifconfig-push 192.168.254.1 192.168.254.2
2. Wait for client to reconnect if necessary 2. Wait for client to reconnect if necessary
@ -15,10 +15,10 @@ The docker image is setup for static client configuration on the 192.168.254.0/2
Login to the data volume with a `bash` container, note only changes in /etc/openvpn will persist: Login to the data volume with a `bash` container, note only changes in /etc/openvpn will persist:
docker run --volumes-from $OVPN_DATA -it --rm kylemanna/openvpn bash -l docker run -v $OVPN_DATA:/etc/openvpn -it --rm kylemanna/openvpn bash -l
## Upgrading from Old OpenVPN Configurations ## Upgrading from Old OpenVPN Configurations
If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following: If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following:
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig

View File

@ -10,18 +10,18 @@ Another example would be trying to open a VPN connection from within a very rest
## Using TCP ## Using TCP
Those requiring TCP connections should initialize the data container by specifying the TCP protocol and port number: Those requiring TCP connections should initialize the data container by specifying the TCP protocol and port number:
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u tcp://VPN.SERVERNAME.COM:443 docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u tcp://VPN.SERVERNAME.COM:443
docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki
Because the server container always exposes port 1194, regardless of the Because the server container always exposes port 1194, regardless of the
specified protocol, adjust the mapping appropriately: specified protocol, adjust the mapping appropriately:
docker run --volumes-from $OVPN_DATA -d -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn docker run -v $OVPN_DATA:/etc/openvpn -d -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn
## Running a Second Fallback TCP Container ## Running a Second Fallback TCP Container
Instead of choosing between UDP and TCP, you can use both. A single instance of OpenVPN can only listen for a single protocol on a single port, but this image makes it easy to run two instances simultaneously. After building, configuring, and starting a standard container listening for UDP traffic on 1194, you can start a second container listening for tcp traffic on port 443: Instead of choosing between UDP and TCP, you can use both. A single instance of OpenVPN can only listen for a single protocol on a single port, but this image makes it easy to run two instances simultaneously. After building, configuring, and starting a standard container listening for UDP traffic on 1194, you can start a second container listening for tcp traffic on port 443:
docker run --volumes-from $OVPN_DATA --rm -p 443:1194/tcp --privileged kylemanna/openvpn ovpn_run --proto tcp docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged kylemanna/openvpn ovpn_run --proto tcp
`ovpn_run` will load all the values from the default config file, and `--proto tcp` will override the protocol setting. `ovpn_run` will load all the values from the default config file, and `--proto tcp` will override the protocol setting.
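Review bot: `initialize the data container` under Using TCP should read `data volume` to match the converted commands. Also, the fallback TCP container is started with `--privileged` while the primary TCP server a few lines above uses `--cap-add=NET_ADMIN`; the second `ovpn_run` instance needs the same capability and nothing more, so `--cap-add=NET_ADMIN` keeps both examples at least privilege.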

View File

@ -32,7 +32,7 @@ ExecStartPre=-/usr/bin/docker pull $IMG
ExecStartPre=/bin/sh -c 'test -z "$IP6_PREFIX" && exit 0; sysctl net.ipv6.conf.all.forwarding=1' ExecStartPre=/bin/sh -c 'test -z "$IP6_PREFIX" && exit 0; sysctl net.ipv6.conf.all.forwarding=1'
# Main process # Main process
ExecStart=/usr/bin/docker run --rm --privileged --volumes-from ${DATA_VOL}:ro --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS ExecStart=/usr/bin/docker run --rm --privileged -v ${DATA_VOL}:/etc/openvpn:ro --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS
# IPv6: Add static route for IPv6 after it starts up # IPv6: Add static route for IPv6 after it starts up
ExecStartPost=/bin/sh -c 'test -z "${IP6_PREFIX}" && exit 0; sleep 1; ip route replace ${IP6_PREFIX} via $(docker inspect -f "{{ .NetworkSettings.GlobalIPv6Address }}" $NAME ) dev docker0' ExecStartPost=/bin/sh -c 'test -z "${IP6_PREFIX}" && exit 0; sleep 1; ip route replace ${IP6_PREFIX} via $(docker inspect -f "{{ .NetworkSettings.GlobalIPv6Address }}" $NAME ) dev docker0'
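Review bot: keeping the `:ro` suffix in `-v ${DATA_VOL}:/etc/openvpn:ro` is the right default for the long-running server, but `-v` treats a value beginning with `/` or `.` as a host path bind mount rather than a named volume, so the unit's `DATA_VOL` must be a volume name (such as `ovpn-data`) for this line to attach the same volume the docs create; a comment next to the variable would prevent that mistake. Separately, `--privileged` remains here while the README's server command uses `--cap-add=NET_ADMIN`; consider aligning the unit with the README.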

View File

@ -4,5 +4,5 @@ start on filesystem and started docker
stop on runlevel [!2345] stop on runlevel [!2345]
respawn respawn
script script
exec docker run --volumes-from ovpn-data --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn exec docker run -v ovpn-data:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
end script end script

View File

@ -8,23 +8,18 @@ CLIENT=travis-client
IMG=kylemanna/openvpn IMG=kylemanna/openvpn
CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")"
#
# Create a docker container with the config data
#
docker run --name $OVPN_DATA -v /etc/openvpn busybox
ip addr ls ip addr ls
SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1) SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u udp://$SERV_IP docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP
# nopass is insecure # nopass is insecure
docker run --volumes-from $OVPN_DATA --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT nopass
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT | tee $CLIENT_DIR/config.ovpn docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | tee $CLIENT_DIR/config.ovpn
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT
# #
# Fire up the server # Fire up the server
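Review bot: removing the explicit `docker run --name $OVPN_DATA -v /etc/openvpn busybox` step means the test now relies on `docker run -v $OVPN_DATA:/etc/openvpn` implicitly creating the named volume, which only works on the Docker 1.9+ daemons the commit message mentions; an explicit `docker volume create` for `$OVPN_DATA` at the same spot would make that requirement visible and fail fast on an older CI daemon. Since nothing in the script removes the volume afterwards, consecutive runs on the same host would reuse the previous PKI; a `docker volume rm $OVPN_DATA` in cleanup would keep each run isolated.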
@ -32,7 +27,7 @@ docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT
sudo iptables -N DOCKER || echo 'Firewall already configured' sudo iptables -N DOCKER || echo 'Firewall already configured'
sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
# run in shell bg to get logs # run in shell bg to get logs
docker run --name "ovpn-test" --volumes-from $OVPN_DATA --rm -p 1194:1194/udp --privileged $IMG & docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
#for i in $(seq 10); do #for i in $(seq 10); do
# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') # SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')

View File

@ -9,32 +9,27 @@ CLIENT_TCP=travis-client-tcp
IMG=kylemanna/openvpn IMG=kylemanna/openvpn
CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")"
#
# Create a docker container with the config data
#
docker run --name $OVPN_DATA -v /etc/openvpn busybox
ip addr ls ip addr ls
SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1) SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
# get temporary TCP config # get temporary TCP config
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u tcp://$SERV_IP:443 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u tcp://$SERV_IP:443
# nopass is insecure # nopass is insecure
docker run --volumes-from $OVPN_DATA --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
# gen TCP client # gen TCP client
docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT_TCP nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT_TCP nopass
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT_TCP | tee $CLIENT_DIR/config-tcp.ovpn docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT_TCP | tee $CLIENT_DIR/config-tcp.ovpn
# switch to UDP config and gen UDP client # switch to UDP config and gen UDP client
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u udp://$SERV_IP docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP
docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT_UDP nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT_UDP nopass
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT_UDP | tee $CLIENT_DIR/config.ovpn docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT_UDP | tee $CLIENT_DIR/config.ovpn
#Verify client configs #Verify client configs
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT_TCP docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_TCP
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_listclients | grep $CLIENT_UDP docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_UDP
# #
# Fire up the server # Fire up the server
@ -43,8 +38,8 @@ sudo iptables -N DOCKER || echo 'Firewall already configured'
sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
# run in shell bg to get logs # run in shell bg to get logs
docker run --name "ovpn-test-udp" --volumes-from $OVPN_DATA --rm -p 1194:1194/udp --privileged $IMG & docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
docker run --name "ovpn-test-tcp" --volumes-from $OVPN_DATA --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp & docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp &
# #
# Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT # Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT

View File

@ -12,23 +12,18 @@ CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")"
# Function to fail # Function to fail
abort() { cat <<< "$@" 1>&2; exit 1; } abort() { cat <<< "$@" 1>&2; exit 1; }
#
# Create a docker container with the config data
#
docker run --name $OVPN_DATA -v /etc/openvpn busybox
ip addr ls ip addr ls
SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1) SERV_IP=$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)
# Configure server with two factor authentication # Configure server with two factor authentication
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2 docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_genconfig -u udp://$SERV_IP -2
# nopass is insecure # nopass is insecure
docker run --volumes-from $OVPN_DATA --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass
docker run --volumes-from $OVPN_DATA --rm -it $IMG easyrsa build-client-full $CLIENT nopass docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG easyrsa build-client-full $CLIENT nopass
# Generate OTP credentials for user named test, should return QR code for test user # Generate OTP credentials for user named test, should return QR code for test user
docker run --volumes-from $OVPN_DATA --rm -it $IMG ovpn_otp_user $OTP_USER | tee $CLIENT_DIR/qrcode.txt docker run -v $OVPN_DATA:/etc/openvpn --rm -it $IMG ovpn_otp_user $OTP_USER | tee $CLIENT_DIR/qrcode.txt
# Ensure a chart link is printed in client OTP configuration # Ensure a chart link is printed in client OTP configuration
grep 'https://www.google.com/chart' $CLIENT_DIR/qrcode.txt || abort 'Link to chart not generated' grep 'https://www.google.com/chart' $CLIENT_DIR/qrcode.txt || abort 'Link to chart not generated'
grep 'Your new secret key is:' $CLIENT_DIR/qrcode.txt || abort 'Secret key is missing' grep 'Your new secret key is:' $CLIENT_DIR/qrcode.txt || abort 'Secret key is missing'
@ -43,7 +38,7 @@ fi
echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt echo -e "$OTP_USER\n$OTP_TOKEN" > $CLIENT_DIR/credentials.txt
# Override the auth-user-pass directive to use a credentials file # Override the auth-user-pass directive to use a credentials file
docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | sed 's/auth-user-pass/auth-user-pass \/client\/credentials.txt/' | tee $CLIENT_DIR/config.ovpn
# #
# Fire up the server # Fire up the server
@ -51,7 +46,7 @@ docker run --volumes-from $OVPN_DATA --rm $IMG ovpn_getclient $CLIENT | sed 's/a
sudo iptables -N DOCKER || echo 'Firewall already configured' sudo iptables -N DOCKER || echo 'Firewall already configured'
sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured'
# run in shell bg to get logs # run in shell bg to get logs
docker run --name "ovpn-test" --volumes-from $OVPN_DATA --rm -p 1194:1194/udp --privileged $IMG & docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG &
#for i in $(seq 10); do #for i in $(seq 10); do
# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') # SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}')