From 3d2d839d0b7b64f0acbc5948c4fbe070c6b6d53b Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Sun, 8 Mar 2015 22:40:08 +0100
Subject: [PATCH] Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.

* For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :).
---
README.md | 2 +-
bin/ovpn_copy_server_files | 24 ++++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
create mode 100755 bin/ovpn_copy_server_files

diff --git a/README.md b/README.md
index d212cc7..fff79e5 100644
--- a/README.md
+++ b/README.md
@@ -105,7 +105,7 @@ packets, etc).
 simplicity. It's highly recommended to secure the CA key with some passphrase to protect against a filesystem compromise. A more secure system would put the EasyRSA PKI CA on an offline system (can use the same Docker
- image to accomplish this).
+ image and the script ovpn_copy_server_files to accomplish this).
 * It would be impossible for an adversary to sign bad or forged certificates without first cracking the key's passphase should the adversary have root access to the filesystem.
diff --git a/bin/ovpn_copy_server_files b/bin/ovpn_copy_server_files
new file mode 100755
index 0000000..1be138b
--- /dev/null
+++ b/bin/ovpn_copy_server_files
@@ -0,0 +1,24 @@
+#!/bin/bash
+## @licence AGPLv3
+## @author Copyright (C) 2015 Robin Schneider
+
+source "$OPENVPN/ovpn_env.sh"
+
+TARGET="/tmp/openvpn_${OVPN_CN}"
+if [ -n "$1" ]; then
+ TARGET="$1"
+fi
+
+rsync --recursive --verbose --prune-empty-dirs \
+ --include "*/" \
+ --include "/pki/private/${OVPN_CN}.key" \
+ --include "/pki/ca.crt" \
+ --include "/pki/issued/${OVPN_CN}.crt" \
+ --include "/pki/dh.pem" \
+ --include "ta.key" \
+ --include "/openvpn.conf" \
+ --include "/ovpn_env.sh" \
+ --exclude="*" \
+ "$OPENVPN/" "$TARGET"
+
+echo "Created the openvpn configuration for the server: $TARGET"
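Review bot: The default destination `TARGET="/tmp/openvpn_${OVPN_CN}"` in bin/ovpn_copy_server_files places the server's private key (`/pki/private/${OVPN_CN}.key`) and `ta.key` under a predictable path in the shared `/tmp` directory, where another local user can pre-create or read the directory before the copy lands; prefer a non-predictable directory, e.g. `TARGET=$(mktemp -d "/tmp/openvpn_${OVPN_CN}.XXXXXX") || exit 1`, or make the target a required argument. Nothing stops the script on failure either: `source "$OPENVPN/ovpn_env.sh"` with `OPENVPN` unset sources `/ovpn_env.sh` and leaves `OVPN_CN` empty, and the final `echo "Created ..."` runs even when rsync exits non-zero, so the caller is told the copy succeeded when it may not have; `: "${OPENVPN:?OPENVPN must be set}"` before the `source` plus `set -e` (or `|| exit 1` on the rsync) would close both gaps. The `--include "ta.key"` pattern is the only unanchored one in the list, so it matches a `ta.key` at any depth below `$OPENVPN` unlike its siblings; `--include "/ta.key"` would make it consistent, assuming the file lives at the top level as the other paths suggest.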