Added documentation for ovpn_copy_server_files.

This commit is contained in:
Robin Schneider 2015-03-12 23:07:34 +01:00
parent 3d2d839d0b
commit 5e514721ff
No known key found for this signature in database
GPG Key ID: 489A4D5EC353C98A
2 changed files with 23 additions and 2 deletions

View File

@ -2,14 +2,24 @@
## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html> ## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net> ## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
source "$OPENVPN/ovpn_env.sh" if [ -z "$OPENVPN" ]; then
export OPENVPN="$PWD"
fi
if ! source "$OPENVPN/ovpn_env.sh"; then
echo "Could not source $OPENVPN/ovpn_env.sh."
exit 1
fi
TARGET="/tmp/openvpn_${OVPN_CN}" TARGET="/tmp/openvpn_${OVPN_CN}"
if [ -n "$1" ]; then if [ -n "$1" ]; then
TARGET="$1" TARGET="$1"
else
TARGET="$OPENVPN/server"
fi fi
rsync --recursive --verbose --prune-empty-dirs \ rsync --recursive --verbose --prune-empty-dirs \
--exclude="clients" \
--exclude="server" \
--include "*/" \ --include "*/" \
--include "/pki/private/${OVPN_CN}.key" \ --include "/pki/private/${OVPN_CN}.key" \
--include "/pki/ca.crt" \ --include "/pki/ca.crt" \
@ -19,6 +29,6 @@ rsync --recursive --verbose --prune-empty-dirs \
--include "/openvpn.conf" \ --include "/openvpn.conf" \
--include "/ovpn_env.sh" \ --include "/ovpn_env.sh" \
--exclude="*" \ --exclude="*" \
"$OPENVPN/" "$TARGET" "$OPENVPN/" "$TARGET" -n
echo "Created the openvpn configuration for the server: $TARGET" echo "Created the openvpn configuration for the server: $TARGET"

11
docs/paranoid.md Normal file
View File

@ -0,0 +1,11 @@
# Advanced security
As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it a server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_initpki
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
The `ovpn_copy_server_files` script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.