From 2d16231c3cf3c0fdc5a544cd01b6b018998cb05a Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Tue, 25 Aug 2015 12:40:02 +0200 Subject: [PATCH 1/2] Updated documentation. * Related to https://github.com/kylemanna/docker-openvpn/pull/54 * Allow better syntax highlighting. * Added/Fixed hyperlinks. * Spelling. --- README.md | 34 ++++++++++++++++++++++++---------- docs/advanced.md | 20 ++++++++++++-------- docs/backup.md | 12 ++++++++---- docs/clients.md | 13 ++++++++----- docs/debug.md | 4 +++- docs/docker.md | 10 +++++++--- docs/paranoid.md | 10 ++++++---- docs/static-ips.md | 16 +++++++++++----- 8 files changed, 79 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index 2365c79..c93a54e 100644 --- a/README.md +++ b/README.md 
@@ -18,34 +18,48 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq). * Create the `$OVPN_DATA` volume container, i.e. `OVPN_DATA="ovpn-data"` - docker run --name $OVPN_DATA -v /etc/openvpn busybox +```Shell +docker run --name $OVPN_DATA -v /etc/openvpn busybox +``` * Initialize the `$OVPN_DATA` container that will hold the configuration files and certificates - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM - docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki +```Shell +docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM +docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki +``` * Start OpenVPN server process - On Docker [version 1.2](http://blog.docker.com/2014/08/announcing-docker-1-2-0/) and newer - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn + ```Shell + docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn + ``` - On Docker older than version 1.2 - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged kylemanna/openvpn + ```Shell + docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged kylemanna/openvpn + ``` * Generate a client certificate without a passphrase - docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass + ```Shell + docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass + ``` * Retrieve the client configuration with embedded certificates - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn + ```Shell + docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn + ``` * Create an environment variable with the name DEBUG and value of 1 to enable 
debug output (using "docker -e"). - for example - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn + ```Shell + docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn + ``` ## How Does It Work? @@ -109,13 +123,13 @@ packets, etc). simplicity. It's highly recommended to secure the CA key with some passphrase to protect against a filesystem compromise. A more secure system would put the EasyRSA PKI CA on an offline system (can use the same Docker - image and the script [`ovpn_copy_server_files`](/docs/clients.md) to accomplish this). + image and the script [`ovpn_copy_server_files`](/docs/paranoid.md) to accomplish this). * It would be impossible for an adversary to sign bad or forged certificates without first cracking the key's passphase should the adversary have root access to the filesystem. * The EasyRSA `build-client-full` command will generate and leave keys on the server, again possible to compromise and steal the keys. The keys generated - need to signed by the CA which the user hopefully configured with a passphrase + need to be signed by the CA which the user hopefully configured with a passphrase as described above. * Assuming the rest of the Docker container's filesystem is secure, TLS + PKI security should prevent any malicious host from using the VPN. diff --git a/docs/advanced.md b/docs/advanced.md index 59cb9be..beaa87f 100644 --- a/docs/advanced.md +++ b/docs/advanced.md 
@@ -7,14 +7,18 @@ The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple config * Refer to the Quick Start document, and substitute `--volumes-from $OVPN_DATA` with `-v /path/on/host/openvpn0:/etc/openvpn` * Quick example that is likely to be out of date, but here's how to get started: - mkdir openvpn0 - cd openvpn0 - docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194 - docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki - vim openvpn.conf - docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass - docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn +```Shell +mkdir openvpn0 +cd openvpn0 +docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194 +docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki +vim openvpn.conf +docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass +docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn +``` * Start the server with: - docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn +```Shell +docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn +``` diff --git a/docs/backup.md b/docs/backup.md index 6d9418c..d05f4ec 100644 --- a/docs/backup.md +++ b/docs/backup.md 
@@ -2,19 +2,23 @@ ## Security -The resulting archive from this back-up contains all credential to impersonate the server at a minimum. If the client's private keys are generated using the EasyRSA utility then it also contains the client certificates that could be used to impersonate said clients. Most importantly, if the certificate authority key is in this archive (as it is given the quick start directions), then a adversary could generate certificates at will. +The resulting archive from this backup contains all credential to impersonate the server at a minimum. If the client's private keys are generated using the EasyRSA utility then it also contains the client certificates that could be used to impersonate said clients. Most importantly, if the certificate authority key is in this archive (as it is given the quick start directions), then a adversary could generate certificates at will. -I'd recommend encrypting the archive with something strong (e.g. gpg or openssl + AES). For the paranoid keep backup offline. For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :). +I'd recommend encrypting the archive with something strong (e.g. gpg or openssl + AES). For the paranoid keep backup offline. For the [truly paranoid users](/docs/paranoid.md), never keep any keys (i.e. client and certificate authority) in the docker container to begin with :). **TL;DR Protect the resulting archive file. Ensure there is very limited access to it.** ## Backup to Archive - docker run --volumes-from $OVPN_DATA --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz +```Shell +docker run --volumes-from $OVPN_DATA --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz +``` ## Restore to New Container Assumes an existing container named `$OVPN_DATA` to extract the data over the top. 
- xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i busybox tar -xvf - -C /etc +```Shell +xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i busybox tar -xvf - -C /etc +``` diff --git a/docs/clients.md b/docs/clients.md index e5538f3..6f2d735 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -15,12 +15,13 @@ If you have more than a few clients, you will want to generate and update your c Execute the following to generate the configuration for all clients: - docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all +```Shell +docker run --rm -it --volumes-from $OVPN_DATA --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all +``` After doing so, you will find the following files in each of the `$cn` directories: ca.crt - dh.pem $cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed. $cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key $cn.crt @@ -31,7 +32,9 @@ After doing so, you will find the following files in each of the `$cn` directori Revoke `client1`'s certificate and generate the certificate revocation list (CRL): - docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1 - docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl +```Shell +docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1 +docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl +``` -The OpenVPN server will read this change everytime a client connects (no need to restart server) and deny clients access using revoked certificates. +The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates. 
diff --git a/docs/debug.md b/docs/debug.md index 8b55554..2c00487 100644 --- a/docs/debug.md +++ b/docs/debug.md @@ -7,7 +7,9 @@ Random things I do to debug the containers. * Create a shell in the running docker container (aka namespace) with [nsenter](https://github.com/jpetazzo/nsenter) * If you don't have nsenter/docker-enter, you can mount the data container and modify it with - docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn bash -l +```Shell +docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn bash -l +``` ## Stream OpenVPN Logs diff --git a/docs/docker.md b/docs/docker.md index a969e44..8f37392 100644 --- a/docs/docker.md +++ b/docs/docker.md @@ -11,7 +11,7 @@ It is recommended to use platforms that support systemd as future versions of th ### Step 1 — Set Up Docker -Docker is moving fast and Debian / Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker. +Docker is moving fast and Debian / Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker. For Debian Jessie users, just install docker.io from jessie-backports. Ensure dependencies are installed: @@ -41,11 +41,15 @@ After **re-logging in** verify the group membership using the id command. The ex Run a Debian jessie docker container: - docker run --rm -it debian:jessie bash -l +```Shell +docker run --rm -it debian:jessie bash -l +``` Once inside the container you'll see the `root@:/#` prompt signifying that the current shell is in a Docker container. To confirm that it's different from the host, check the version of Debian running in the container: - cat /etc/issue.net +```Shell +cat /etc/issue.net +``` Expected result: diff --git a/docs/paranoid.md b/docs/paranoid.md index 086a41e..e98db93 100644 --- a/docs/paranoid.md +++ b/docs/paranoid.md 
@@ -2,10 +2,12 @@ As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients. -Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this. +Execute the following commands. Note that you might want to change the volume `$PWD` or use a data docker container for this. - docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM - docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki - docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files +```Shell +docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM +docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki +docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files +``` The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go. diff --git a/docs/static-ips.md b/docs/static-ips.md index 38fcbc2..5b5b5b1 100644 --- a/docs/static-ips.md +++ b/docs/static-ips.md 
@@ -1,13 +1,15 @@ # Static IP Addresses -The docker image is setup for static client configuration on the 192.168.254.0/24 subnet. To use it follow the Quick Start section below. Note that the IP addresses octects need to be picked special, see [OpenVPN Documentation](https://openvpn.net/index.php/open-source/documentation/howto.html#policy) for more details. +The docker image is setup for static client configuration on the 192.168.254.0/24 subnet. To use it follow the Quick Start section below. Note that the IP addresses octets need to be picked special, see [OpenVPN Documentation](https://openvpn.net/index.php/open-source/documentation/howto.html#policy) for more details. ## Quick Start 1. Create a client specific configuration: - $ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from $OVPN_DATA -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME - ifconfig-push 192.168.254.1 192.168.254.2 +```Shell +echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from $OVPN_DATA -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME +ifconfig-push 192.168.254.1 192.168.254.2 +``` 2. Wait for client to reconnect if necessary @@ -15,10 +17,14 @@ The docker image is setup for static client configuration on the 192.168.254.0/2 Login to the data volume with a `bash` container, note only changes in /etc/openvpn will persist: - docker run --volumes-from $OVPN_DATA -it --rm kylemanna/openvpn bash -l +```Shell +docker run --volumes-from $OVPN_DATA -it --rm kylemanna/openvpn bash -l +``` ## Upgrading from Old OpenVPN Configurations If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following: - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig +```Shell +docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig +``` From bf9f58f8e132788fe708474ff5094549f0e54297 Mon Sep 17 00:00:00 2001 
From: Robin Schneider Date: Wed, 26 Aug 2015 13:12:18 +0200 Subject: [PATCH 2/2] Reverted Github flavored markdown Shell syntax highlighting. Sorry again for the inconvenience. --- README.md | 30 ++++++++---------------------- docs/advanced.md | 20 ++++++++------------ docs/backup.md | 8 ++------ docs/clients.md | 10 +++------- docs/debug.md | 4 +--- docs/docker.md | 8 ++------ docs/paranoid.md | 8 +++----- docs/static-ips.md | 14 ++++---------- 8 files changed, 31 insertions(+), 71 deletions(-) diff --git a/README.md b/README.md index c93a54e..5171b6d 100644 --- a/README.md +++ b/README.md 
@@ -18,48 +18,34 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq). * Create the `$OVPN_DATA` volume container, i.e. `OVPN_DATA="ovpn-data"` -```Shell -docker run --name $OVPN_DATA -v /etc/openvpn busybox -``` + docker run --name $OVPN_DATA -v /etc/openvpn busybox * Initialize the `$OVPN_DATA` container that will hold the configuration files and certificates -```Shell -docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM -docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki -``` + docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM + docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn ovpn_initpki * Start OpenVPN server process - On Docker [version 1.2](http://blog.docker.com/2014/08/announcing-docker-1-2-0/) and newer - ```Shell - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn - ``` + docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn - On Docker older than version 1.2 - ```Shell - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged kylemanna/openvpn - ``` + docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged kylemanna/openvpn * Generate a client certificate without a passphrase - ```Shell - docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass - ``` + docker run --volumes-from $OVPN_DATA --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass * Retrieve the client configuration with embedded certificates - ```Shell - docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn - ``` + docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn * Create an environment variable with the name DEBUG and value of 1 to enable 
debug output (using "docker -e"). - ```Shell - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn - ``` + docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn ## How Does It Work? diff --git a/docs/advanced.md b/docs/advanced.md index beaa87f..59cb9be 100644 --- a/docs/advanced.md +++ b/docs/advanced.md @@ -7,18 +7,14 @@ The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple config * Refer to the Quick Start document, and substitute `--volumes-from $OVPN_DATA` with `-v /path/on/host/openvpn0:/etc/openvpn` * Quick example that is likely to be out of date, but here's how to get started: -```Shell -mkdir openvpn0 -cd openvpn0 -docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194 -docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki -vim openvpn.conf -docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass -docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn -``` + mkdir openvpn0 + cd openvpn0 + docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM:1194 + docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn ovpn_initpki + vim openvpn.conf + docker run --rm -v $PWD:/etc/openvpn -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass + docker run --rm -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn * Start the server with: -```Shell -docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn -``` + docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn diff --git a/docs/backup.md b/docs/backup.md index d05f4ec..e7729c8 100644 --- a/docs/backup.md +++ b/docs/backup.md 
@@ -11,14 +11,10 @@ I'd recommend encrypting the archive with something strong (e.g. gpg or openssl ## Backup to Archive -```Shell -docker run --volumes-from $OVPN_DATA --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz -``` + docker run --volumes-from $OVPN_DATA --rm busybox tar -cvf - -C /etc openvpn | xz > openvpn-backup.tar.xz ## Restore to New Container Assumes an existing container named `$OVPN_DATA` to extract the data over the top. -```Shell -xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i busybox tar -xvf - -C /etc -``` + xzcat openvpn-backup.tar.xz | docker run --name $OVPN_DATA -v /etc/openvpn -i busybox tar -xvf - -C /etc diff --git a/docs/clients.md b/docs/clients.md index 6f2d735..228916e 100644 --- a/docs/clients.md +++ b/docs/clients.md @@ -15,9 +15,7 @@ If you have more than a few clients, you will want to generate and update your c Execute the following to generate the configuration for all clients: -```Shell -docker run --rm -it --volumes-from $OVPN_DATA --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all -``` + docker run --rm -it --volumes-from $OVPN_DATA --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all After doing so, you will find the following files in each of the `$cn` directories: 
@@ -32,9 +30,7 @@ After doing so, you will find the following files in each of the `$cn` directori Revoke `client1`'s certificate and generate the certificate revocation list (CRL): -```Shell -docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1 -docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl -``` + docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1 + docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates. diff --git a/docs/debug.md b/docs/debug.md index 2c00487..8b55554 100644 --- a/docs/debug.md +++ b/docs/debug.md @@ -7,9 +7,7 @@ Random things I do to debug the containers. * Create a shell in the running docker container (aka namespace) with [nsenter](https://github.com/jpetazzo/nsenter) * If you don't have nsenter/docker-enter, you can mount the data container and modify it with -```Shell -docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn bash -l -``` + docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn bash -l ## Stream OpenVPN Logs diff --git a/docs/docker.md b/docs/docker.md index 8f37392..b7bede5 100644 --- a/docs/docker.md +++ b/docs/docker.md @@ -41,15 +41,11 @@ After **re-logging in** verify the group membership using the id command. The ex Run a Debian jessie docker container: -```Shell -docker run --rm -it debian:jessie bash -l -``` + docker run --rm -it debian:jessie bash -l Once inside the container you'll see the `root@:/#` prompt signifying that the current shell is in a Docker container. To confirm that it's different from the host, check the version of Debian running in the container: -```Shell -cat /etc/issue.net -``` + cat /etc/issue.net Expected result: diff --git a/docs/paranoid.md b/docs/paranoid.md index e98db93..64c7181 100644 
--- a/docs/paranoid.md +++ b/docs/paranoid.md @@ -4,10 +4,8 @@ As mentioned in the [backup section](/docs/backup.md), there are good reasons to Execute the following commands. Note that you might want to change the volume `$PWD` or use a data docker container for this. -```Shell -docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM -docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki -docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files -``` + docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM + docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki + docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files The [`ovpn_copy_server_files`](/bin/ovpn_copy_server_files) script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go. diff --git a/docs/static-ips.md b/docs/static-ips.md index 5b5b5b1..f96dd54 100644 --- a/docs/static-ips.md +++ b/docs/static-ips.md @@ -6,10 +6,8 @@ The docker image is setup for static client configuration on the 192.168.254.0/2 1. Create a client specific configuration: -```Shell -echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from $OVPN_DATA -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME -ifconfig-push 192.168.254.1 192.168.254.2 -``` + $ echo "ifconfig-push 192.168.254.1 192.168.254.2" | docker run --volumes-from $OVPN_DATA -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/CERT_COMMON_NAME + ifconfig-push 192.168.254.1 192.168.254.2 2. Wait for client to reconnect if necessary 
@@ -17,14 +15,10 @@ ifconfig-push 192.168.254.1 192.168.254.2 Login to the data volume with a `bash` container, note only changes in /etc/openvpn will persist: -```Shell -docker run --volumes-from $OVPN_DATA -it --rm kylemanna/openvpn bash -l -``` + docker run --volumes-from $OVPN_DATA -it --rm kylemanna/openvpn bash -l ## Upgrading from Old OpenVPN Configurations If you're running an old configuration and need to upgrade it to pull in the ccd directory run the following: -```Shell -docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig -``` + docker run --volumes-from $OVPN_DATA --rm kylemanna/openvpn ovpn_genconfig
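Review bot: in the PATCH 1/2 README hunk at `@@ -18,34 +18,48 @@`, the DEBUG example at the end still starts the server with `--privileged`, although the same hunk documents `--cap-add=NET_ADMIN` as all that is needed on Docker 1.2 and newer. A debugging tip is exactly what readers copy, so the line should be `docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --cap-add=NET_ADMIN -e DEBUG=1 kylemanna/openvpn`, with `--privileged` kept only under the "older than version 1.2" bullet. The "Start the server with:" line in the docs/advanced.md hunk (`@@ -7,14 +7,18 @@`) has the same problem and should use `--cap-add=NET_ADMIN` too. PATCH 2/2 reverts the fences but keeps `--privileged` in both places, so the fix is still needed after the series.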
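Review bot: the PATCH 1/2 README hunk at `@@ -109,13 +123,13 @@` fixes "need to signed" but leaves "cracking the key's passphase" in the context line two lines above it; since the commit is labelled "Spelling." and the hunk already spans that line, change it to "passphrase" here. The link retarget from /docs/clients.md to /docs/paranoid.md is right: the docs/paranoid.md hunk later in the same patch is where `ovpn_copy_server_files` is actually described.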
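Review bot: the PATCH 1/2 docs/backup.md hunk at `@@ -2,19 +2,23 @@` rewrites the Security paragraph but keeps three grammar slips: "contains all credential" should be "contains all credentials", "then a adversary" should be "then an adversary", and "keep backup offline" should be "keep the backup offline". In the same hunk, the Restore section says "Assumes an existing container named `$OVPN_DATA`" while the command `docker run --name $OVPN_DATA -v /etc/openvpn -i busybox tar -xvf - -C /etc` creates a new container with that name and fails with a name conflict if one already exists; either say the command creates the data container (which matches the "Restore to New Container" heading) or use `--volumes-from $OVPN_DATA` for restoring into an existing one. Since the paragraph tells readers to encrypt the archive, the Backup to Archive line would also be a better example if it did so, for instance ending in `| xz | gpg --symmetric > openvpn-backup.tar.xz.gpg`, instead of writing the CA and client keys to disk in clear.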
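Review bot: the PATCH 1/2 docs/clients.md hunk at `@@ -15,12 +15,13 @@` changes behaviour, not formatting: `-v /tmp/openvpn:/etc/openvpn` becomes `--volumes-from $OVPN_DATA --volume /tmp/openvpn_clients:/etc/openvpn/clients`, so `ovpn_getclient_all` now reads the PKI from the data container used everywhere else in the docs instead of requiring it to already sit at /tmp/openvpn on the host. That belongs in the commit message, or in its own commit, rather than under "Updated documentation". The file list in the same hunk drops `dh.pem`, but the `$cn.ovpn` line still says it "requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key $cn.crt", so `dh.pem` should go there as well and the duplicated `$cn.crt` removed; "recognices" should be "recognizes". One sentence worth adding: with this command every client's `$cn.key` is written to a host path under /tmp, so readers should move the generated directories somewhere with restricted permissions, or delete them, once the .ovpn files have been handed out.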
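Review bot: in the PATCH 1/2 docs/static-ips.md hunk at `@@ -1,13 +1,15 @@`, dropping the `$ ` prompt while keeping the echoed output line `ifconfig-push 192.168.254.1 192.168.254.2` inside the fence turns `tee`'s output into what looks like a second command, which fails if pasted into a shell. Either keep the prompt, as the original did and as PATCH 2/2 restores, or drop the output line from the block and mention it in prose.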
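Review bot: in the PATCH 1/2 docs/paranoid.md hunk at `@@ -2,10 +2,12 @@`, "change the volume `$PWD` or use a data docker container" reads oddly after the old wording "change the volume `/tmp/openvpn` to persistent storage"; suggest "replace the `$PWD` bind mount with persistent storage or a data container". It would also help to state that `$PWD` on the secure machine is where the CA root key ends up after `ovpn_initpki`, since the point of the page is that only the `$OPENVPN/server` subdirectory produced by `ovpn_copy_server_files` is copied to the server.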
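Review bot: the series should be squashed into one commit, because PATCH 2/2 reverts every fenced-block hunk from PATCH 1/2 (README, advanced, backup, clients, debug, docker, paranoid, static-ips) and leaves only the link fix, the spelling fixes and the clients.md command change standing. As submitted, history carries a formatting change and its immediate revert, and the 1/2 diffstat (79 insertions, 40 deletions) no longer describes what lands; a single commit whose message lists the surviving changes is easier to review and to bisect.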