allanger/container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Activity

Fixed based on the review by @kylemanna. Thanks.

Browse Source
This commit is contained in:
Robin Schneider 2015-03-14 13:22:28 +01:00
parent f431d179aa
commit 47cc0e3ae6
No known key found for this signature in database
GPG Key ID: 489A4D5EC353C98A
4 changed files with 25 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -37,7 +37,7 @@ Upstream links:
* Retrieve the client configuration with embedded certificates * Retrieve the client configuration with embedded certificates
docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
@ -105,7 +105,7 @@ packets, etc).
simplicity. It's highly recommended to secure the CA key with some simplicity. It's highly recommended to secure the CA key with some
passphrase to protect against a filesystem compromise. A more secure system passphrase to protect against a filesystem compromise. A more secure system
would put the EasyRSA PKI CA on an offline system (can use the same Docker would put the EasyRSA PKI CA on an offline system (can use the same Docker
image and the script ovpn_copy_server_files to accomplish this). image and the script [`ovpn_copy_server_files`](/docs/clients.md) to accomplish this).
* It would be impossible for an adversary to sign bad or forged certificates * It would be impossible for an adversary to sign bad or forged certificates
without first cracking the key's passphase should the adversary have root without first cracking the key's passphase should the adversary have root
access to the filesystem. access to the filesystem.

34
bin/ovpn_getclient
View File

@ -25,7 +25,7 @@ cn="$1"
parm="$2" parm="$2"
if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then
>&2 "Unable to find \"${cn}\", please try again or generate the key first" 1>&2 echo "Unable to find \"${cn}\", please try again or generate the key first" >&2
exit 1 exit 1
fi fi
@ -39,8 +39,8 @@ remote-cert-tls server
remote $OVPN_CN $OVPN_PORT $OVPN_PROTO remote $OVPN_CN $OVPN_PORT $OVPN_PROTO
" "
if [ "$mode" == "combined" ]; then if [ "$mode" == "combined" ]; then
echo " echo "
<key> <key>
$(cat $EASYRSA_PKI/private/${cn}.key) $(cat $EASYRSA_PKI/private/${cn}.key)
</key> </key>
@ -58,23 +58,23 @@ $(cat $EASYRSA_PKI/ta.key)
</tls-auth> </tls-auth>
key-direction 1 key-direction 1
" "
else elif [ "$mode" == "separated" ]; then
echo " echo "
key ${cn}.key key ${cn}.key
ca ca.crt ca ca.crt
cert ${cn}.crt cert ${cn}.crt
dh dh.pem dh dh.pem
tls-auth ta.key 1 tls-auth ta.key 1
" "
fi fi
if [ "$OVPN_DEFROUTE" != "0" ];then if [ "$OVPN_DEFROUTE" != "0" ];then
echo "redirect-gateway def1" echo "redirect-gateway def1"
fi fi
if [ -n "$OVPN_MTU" ]; then if [ -n "$OVPN_MTU" ]; then
echo "tun-mtu $OVPN_MTU" echo "tun-mtu $OVPN_MTU"
fi fi
} }
dir="$OPENVPN/clients/$cn" dir="$OPENVPN/clients/$cn"
@ -88,16 +88,16 @@ case "$parm" in
cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem" cp "$EASYRSA_PKI/dh.pem" "$dir/dh.pem"
cp "$EASYRSA_PKI/ta.key" "$dir/ta.key" cp "$EASYRSA_PKI/ta.key" "$dir/ta.key"
;; ;;
"combined") "" | "combined")
get_client_config "combined" get_client_config "combined"
;; ;;
"combined-save") "combined-save")
get_client_config "combined" > "$dir/${cn}-combined.ovpn" get_client_config "combined" > "$dir/${cn}-combined.ovpn"
;; ;;
*) *)
>&2 echo "This script can produce the client configuration in to formats." echo "This script can produce the client configuration in to formats:" >&2
>&2 echo " 1. combined: All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." echo " 1. combined (default): All needed configuration and cryptographic material is in one file (Use \"combined-save\" to write the configuration file in the same path as the separated parameter does)." >&2
>&2 echo " 2. separated: Separated files." echo " 2. separated: Separated files." >&2
>&2 echo "Please specific one of those options as second parameter." echo "Please specific one of those options as second parameter." >&2
;; ;;
esac esac

5
docs/advanced.md
View File

@ -1,6 +1,6 @@
# Advanced Configurations # Advanced Configurations
The ovpn_genconfig script is intended for simple configurations that apply to the majority of the users. If your use case isn't general, it likely won't be supported. This document aims to explain how to work around that. The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple configurations that apply to the majority of the users. If your use case isn't general, it likely won't be supported. This document aims to explain how to work around that.
## Create host volume mounts rather than data volumes ## Create host volume mounts rather than data volumes
@ -13,9 +13,8 @@ The ovpn_genconfig script is intended for simple configurations that apply to th
docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki
vim openvpn.conf vim openvpn.conf
docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass
docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME combined > CLIENTNAME.ovpn docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn
* Start the server with: * Start the server with:
docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn

8
docs/clients.md
View File

@ -2,16 +2,16 @@
## Client configuration mode ## Client configuration mode
The `ovpn_getclient` can produce two different versions of the configuration. The [`ovpn_getclient`](/bin/ovpn_getclient) can produce two different versions of the configuration.
1. combined: All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does). 1. combined (default): All needed configuration and cryptographic material is in one file (Use "combined-save" to write the configuration file in the same path as the separated parameter does).
2. separated: Separated files. 2. separated: Separated files.
Note that some client software might be picky about which configuration format it accepts. Note that some client software might be picky about which configuration format it accepts.
## Batch mode ## Batch mode
If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script `ovpn_getclient_all` was written, which writes out the configuration for each client to a separate directory called `clients/$cn`. If you have more than a few clients, you will want to generate and update your client configuration in batch. For this task the script [`ovpn_getclient_all`](/bin/ovpn_getclient_all) was written, which writes out the configuration for each client to a separate directory called `clients/$cn`.
Execute the following to generate the configuration for all clients: Execute the following to generate the configuration for all clients:
@ -21,7 +21,7 @@ After doing so, you will find the following files in each of the `$cn` directori
ca.crt ca.crt
dh.pem dh.pem
$cn-combined.ovpn # Combined configuration file format, you your client recognices this file then only this file is needed. $cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed.
$cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key $cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
$cn.crt $cn.crt
$cn.key $cn.key