Add mention of SSL for configuration download.

README.md

@@ -4,20 +4,29 @@ Quick instructions:
 
 ```bash
 CID=$(docker run -d -privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn)
-SERVERADDR=$(curl http://myip.enix.org/REMOTE_ADDR)
-echo "Download your OpenVPN configuration file at http://$SERVERADDR:8080/"
-docker run -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig
+docker run -t -i -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig
 ```
 
-Now download the file located at the indicated URL. The configuration
-server exits after 1 download, so if you need to download the configuration
-on multiple devices, repeat the last `docker run`.
+Now download the file located at the indicated URL. You will get a
+certificate warning, since the connection is done over SSL, but we are
+using a self-signed certificate. After downloading the configuration,
+stop the `serveconfig` container. You can restart it later if you need
+to re-download the configuration, or to download it to multiple devices.
 
 The file can be used immediately as an OpenVPN profile. It embeds all the
 required configuration and credentials. It has been tested successfully on
 Linux, Windows, and Android clients. If you can test it on OS X and iPhone,
 let me know!
 
+**Note:** there is a [bug in the Android Download Manager](
+http://code.google.com/p/android/issues/detail?id=3492) which prevents
+downloading files from untrusted SSL servers; and in that case, our
+self-signed certificate means that our server is untrusted. If you
+try to download with the default browser on your Android device,
+it will show the download as "in progress" but it will remain stuck.
+You can download it with Firefox; or you can transfer it with another
+way: Dropbox, USB, micro-SD card...
+
 If you reboot the server (or stop the container), if you `docker run`
 again, you will create a new service (with a new configuration) and
 you will have to re-download the configuration file. However, you can
@@ -41,9 +50,9 @@ The configuration is located in `/etc/openvpn`, and the Dockerfile
 declares that directory as a volume. It means that you can start another
 container with the `-volumes-from` flag, and access the configuration.
 Conveniently, `jpetazzo/openvpn` comes with a script called `serveconfig`,
-which starts a pseudo HTTP server on `8080/tcp`. The pseudo server
-will accept only one request, and send the content of the configuration
-file, then it will exit.
+which starts a pseudo HTTPS server on `8080/tcp`. The pseudo server
+does not even check the HTTP request; it just sends the HTTP status line,
+headers, and body right away.
 
 
 ## OpenVPN details
@@ -86,7 +95,3 @@ generate a new client key each time the `serveconfig` command is
 called. The command could even take the client CN as argument, and
 another `revoke` command could be used to revoke previously issued
 keys.
-
-Also, the configuration could be served over SSL. This should be
-fairly enough, since we use `socat` for the pseudo HTTP server,
-and `socat` can also do SSL.

bin/run

@@ -53,6 +53,13 @@ dev tun1194
 status openvpn-status-1194
 EOF
 
+MY_IP_ADDR=$(curl -s http://myip.enix.org/REMOTE_ADDR)
+[ "$MY_IP_ADDR" ] || {
+    echo "Sorry, I could not figure out my public IP address."
+    echo "(I use http://myip.enix.org/REMOTE_ADDR/ for that purpose.)"
+    exit 1
+}
+
 [ -f client.ovpn ] || cat >client.ovpn <<EOF
 client
 nobind
@@ -73,17 +80,18 @@ redirect-gateway def1
 </dh>
 
 <connection>
-remote `curl -s http://myip.enix.org/REMOTE_ADDR` 1194 udp
+remote $MY_IP_ADDR 1194 udp
 </connection>
 
 <connection>
-remote `curl -s http://myip.enix.org/REMOTE_ADDR` 443 tcp-client
+remote $MY_IP_ADDR 443 tcp-client
 </connection>
 EOF
 
 [ -f client.http ] || cat >client.http <<EOF
 HTTP/1.0 200 OK
 Content-Type: application/x-openvpn-profile
+Content-Length: `wc -c client.ovpn`
 
 `cat client.ovpn`
 EOF

bin/serveconfig

@@ -7,4 +7,8 @@ cd /etc/openvpn
     exit 1
 }
 
-socat TCP-LISTEN:8080,reuseaddr - < client.http >> http8080.log 
+echo "https://$(curl -s http://myip.enix.org/REMOTE_ADDR):8080/"
+socat -d -d \
+    OPENSSL-LISTEN:8080,fork,reuseaddr,key=key.pem,certificate=cert.pem,verify=0 \
+    EXEC:'cat client.http' \
+    2>> http8080.log