From c6b94b5726bffca57802b352013147c0c3ba89e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?= Date: Wed, 4 Sep 2013 14:22:24 -0700 Subject: [PATCH] Add mention of SSL for configuration download.
---
README.md | 31 ++++++++++++++++++------------- bin/run | 12 ++++++++++-- bin/serveconfig | 6 +++++- 3 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/README.md b/README.md
index 019f004..2c066d4 100644
--- a/README.md
+++ b/README.md
@@ -4,20 +4,29 @@ Quick instructions: ```bash CID=$(docker run -d -privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn) -SERVERADDR=$(curl http://myip.enix.org/REMOTE_ADDR) -echo "Download your OpenVPN configuration file at http://$SERVERADDR:8080/" -docker run -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig +docker run -t -i -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig ``` -Now download the file located at the indicated URL. The configuration -server exits after 1 download, so if you need to download the configuration -on multiple devices, repeat the last `docker run`. +Now download the file located at the indicated URL. You will get a +certificate warning, since the connection is done over SSL, but we are +using a self-signed certificate. After downloading the configuration, +stop the `serveconfig` container. You can restart it later if you need +to re-download the configuration, or to download it to multiple devices. The file can be used immediately as an OpenVPN profile. It embeds all the required configuration and credentials. It has been tested successfully on Linux, Windows, and Android clients. If you can test it on OS X and iPhone, let me know! +**Note:** there is a [bug in the Android Download Manager]( +http://code.google.com/p/android/issues/detail?id=3492) which prevents +downloading files from untrusted SSL servers; and in that case, our +self-signed certificate means that our server is untrusted. If you +try to download with the default browser on your Android device, +it will show the download as "in progress" but it will remain stuck. +You can download it with Firefox; or you can transfer it with another +way: Dropbox, USB, micro-SD card... + If you reboot the server (or stop the container), if you `docker run` again, you will create a new service (with a new configuration) and you will have to re-download the configuration file. However, you can 
@@ -41,9 +50,9 @@ The configuration is located in `/etc/openvpn`, and the Dockerfile declares that directory as a volume. It means that you can start another container with the `-volumes-from` flag, and access the configuration. Conveniently, `jpetazzo/openvpn` comes with a script called `serveconfig`, -which starts a pseudo HTTP server on `8080/tcp`. The pseudo server -will accept only one request, and send the content of the configuration -file, then it will exit. +which starts a pseudo HTTPS server on `8080/tcp`. The pseudo server +does not even check the HTTP request; it just sends the HTTP status line, +headers, and body right away. ## OpenVPN details @@ -86,7 +95,3 @@ generate a new client key each time the `serveconfig` command is called. The command could even take the client CN as argument, and another `revoke` command could be used to revoke previously issued keys. - -Also, the configuration could be served over SSL. This should be -fairly enough, since we use `socat` for the pseudo HTTP server, -and `socat` can also do SSL. \ No newline at end of file diff --git a/bin/run b/bin/run index a34b870..538b385 100755 --- a/bin/run +++ b/bin/run @@ -53,6 +53,13 @@ dev tun1194 status openvpn-status-1194 EOF +MY_IP_ADDR=$(curl -s http://myip.enix.org/REMOTE_ADDR) +[ "$MY_IP_ADDR" ] || { + echo "Sorry, I could not figure out my public IP address." + echo "(I use http://myip.enix.org/REMOTE_ADDR/ for that purpose.)" + exit 1 +} + [ -f client.ovpn ] || cat >client.ovpn < -remote `curl -s http://myip.enix.org/REMOTE_ADDR` 1194 udp +remote $MY_IP_ADDR 1194 udp -remote `curl -s http://myip.enix.org/REMOTE_ADDR` 443 tcp-client +remote $MY_IP_ADDR 443 tcp-client EOF [ -f client.http ] || cat >client.http <> http8080.log +echo "https://$(curl -s http://myip.enix.org/REMOTE_ADDR):8080/" +socat -d -d \ + OPENSSL-LISTEN:8080,fork,reuseaddr,key=key.pem,certificate=cert.pem,verify=0 \ + EXEC:'cat client.http' \ + 2>> http8080.log
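Review bot: The value returned by the myip.enix.org lookup on the first added line of the bin/run hunk is only checked for being non-empty before it is written into the `remote` lines of client.ovpn, so an HTML error page or any other unexpected body from that plain-HTTP service would be accepted as the server address. A shape check would reject such input: `printf '%s\n' "$MY_IP_ADDR" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {` in place of `[ "$MY_IP_ADDR" ] || {`. The two error messages should also go to stderr (`>&2`) so they cannot be mistaken for script output when it is captured. The rest of the bin/run diff, including the here-document holding the `remote` lines, is partly lost in this extract, so the hunk's boundaries could not be confirmed.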
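Review bot: The `fork` option on the OPENSSL-LISTEN address in the bin/serveconfig hunk makes socat keep sending client.http — which the README says embeds the configuration and credentials — to every connection on port 8080 until the container is stopped, and the README also states the request is never checked, so the earlier one-download-then-exit behaviour disappears without being called out in the script. Dropping `fork,` from that address restores the one-shot behaviour (socat exits after the first connection); if repeated downloads are intended, a comment above the socat line should say so, e.g. `# Serves the config to ANY client that connects; stop the container once downloaded.`. The echo line repeats the public-IP lookup without the empty-result check that bin/run now performs, so a failed lookup prints `https://:8080/`; reusing that check here would keep the two scripts consistent. This hunk's header and leading context are not visible in the extract.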