Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.

* For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :).
2015-03-08 22:40:08 +01:00 · 2015-03-08 22:40:08 +01:00 · 3d2d839d0b
commit 3d2d839d0b
parent 8d8f19d951
2 changed files with 25 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -105,7 +105,7 @@ packets, etc).
  simplicity.  It's highly recommended to secure the CA key with some
  passphrase to protect against a filesystem compromise.  A more secure system
  would put the EasyRSA PKI CA on an offline system (can use the same Docker
-  image to accomplish this).
+  image and the script ovpn_copy_server_files to accomplish this).
 * It would be impossible for an adversary to sign bad or forged certificates
  without first cracking the key's passphase should the adversary have root
  access to the filesystem.
--- a/bin/ovpn_copy_server_files
+++ b/bin/ovpn_copy_server_files
@ -0,0 +1,24 @@
+#!/bin/bash
+## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
+## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
+
+source "$OPENVPN/ovpn_env.sh"
+
+TARGET="/tmp/openvpn_${OVPN_CN}"
+if [ -n "$1" ]; then
+    TARGET="$1"
+fi
+
+rsync --recursive --verbose --prune-empty-dirs \
+    --include "*/" \
+    --include "/pki/private/${OVPN_CN}.key" \
+    --include "/pki/ca.crt" \
+    --include "/pki/issued/${OVPN_CN}.crt" \
+    --include "/pki/dh.pem" \
+    --include "ta.key" \
+    --include "/openvpn.conf" \
+    --include "/ovpn_env.sh" \
+    --exclude="*" \
+    "$OPENVPN/" "$TARGET"
+
+echo "Created the openvpn configuration for the server: $TARGET"