Add mention of SSL for configuration download.

This commit is contained in:
Jérôme Petazzoni 2013-09-04 14:22:24 -07:00
parent be9e6b65c9
commit c6b94b5726
3 changed files with 33 additions and 16 deletions


@ -4,20 +4,29 @@ Quick instructions:
```bash ```bash
CID=$(docker run -d -privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn) CID=$(docker run -d -privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn)
SERVERADDR=$(curl http://myip.enix.org/REMOTE_ADDR) docker run -t -i -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig
echo "Download your OpenVPN configuration file at http://$SERVERADDR:8080/"
docker run -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig
``` ```
Now download the file located at the indicated URL. The configuration Now download the file located at the indicated URL. You will get a
server exits after 1 download, so if you need to download the configuration certificate warning, since the connection is done over SSL, but we are
on multiple devices, repeat the last `docker run`. using a self-signed certificate. After downloading the configuration,
stop the `serveconfig` container. You can restart it later if you need
to re-download the configuration, or to download it to multiple devices.
The file can be used immediately as an OpenVPN profile. It embeds all the The file can be used immediately as an OpenVPN profile. It embeds all the
required configuration and credentials. It has been tested successfully on required configuration and credentials. It has been tested successfully on
Linux, Windows, and Android clients. If you can test it on OS X and iPhone, Linux, Windows, and Android clients. If you can test it on OS X and iPhone,
let me know! let me know!
**Note:** there is a [bug in the Android Download Manager](
http://code.google.com/p/android/issues/detail?id=3492) which prevents
downloading files from untrusted SSL servers; and in that case, our
self-signed certificate means that our server is untrusted. If you
try to download with the default browser on your Android device,
it will show the download as "in progress" but it will remain stuck.
You can download it with Firefox; or you can transfer it with another
way: Dropbox, USB, micro-SD card...
If you reboot the server (or stop the container), if you `docker run` If you reboot the server (or stop the container), if you `docker run`
again, you will create a new service (with a new configuration) and again, you will create a new service (with a new configuration) and
you will have to re-download the configuration file. However, you can you will have to re-download the configuration file. However, you can
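Review bot: the rewritten quick instructions tell the reader to expect a certificate warning but give nothing to compare it against; since `serveconfig` now prints the URL, have it also print the certificate fingerprint and tell the reader here to check it, otherwise the warning only trains them to click through any certificate. The "stop the `serveconfig` container" advice should also say why: the profile embeds the credentials, and the old "exits after 1 download" sentence that is removed here was the statement that limited exposure.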
@ -41,9 +50,9 @@ The configuration is located in `/etc/openvpn`, and the Dockerfile
declares that directory as a volume. It means that you can start another declares that directory as a volume. It means that you can start another
container with the `-volumes-from` flag, and access the configuration. container with the `-volumes-from` flag, and access the configuration.
Conveniently, `jpetazzo/openvpn` comes with a script called `serveconfig`, Conveniently, `jpetazzo/openvpn` comes with a script called `serveconfig`,
which starts a pseudo HTTP server on `8080/tcp`. The pseudo server which starts a pseudo HTTPS server on `8080/tcp`. The pseudo server
will accept only one request, and send the content of the configuration does not even check the HTTP request; it just sends the HTTP status line,
file, then it will exit. headers, and body right away.
## OpenVPN details ## OpenVPN details
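Review bot: the new description drops the "will accept only one request ... then it will exit" sentence without saying what replaced it; state plainly that the server now keeps running and answers every connection with the full profile, does not check who is asking, and must be stopped by hand, since a reader of this section would otherwise still assume the one-shot behaviour.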
@ -86,7 +95,3 @@ generate a new client key each time the `serveconfig` command is
called. The command could even take the client CN as argument, and called. The command could even take the client CN as argument, and
another `revoke` command could be used to revoke previously issued another `revoke` command could be used to revoke previously issued
keys. keys.
Also, the configuration could be served over SSL. This should be
fairly enough, since we use `socat` for the pseudo HTTP server,
and `socat` can also do SSL.
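Review bot: removing this paragraph is right now that the download is served over SSL, but the TODO kept just above it (a fresh client key per `serveconfig` call and a `revoke` command) deserves a one-line pointer here: SSL only protects the download in transit and does not limit who can download, so per-download keys are the remaining mitigation worth doing.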

bin/run

@ -53,6 +53,13 @@ dev tun1194
status openvpn-status-1194 status openvpn-status-1194
EOF EOF
MY_IP_ADDR=$(curl -s http://myip.enix.org/REMOTE_ADDR)
[ "$MY_IP_ADDR" ] || {
echo "Sorry, I could not figure out my public IP address."
echo "(I use http://myip.enix.org/REMOTE_ADDR/ for that purpose.)"
exit 1
}
[ -f client.ovpn ] || cat >client.ovpn <<EOF [ -f client.ovpn ] || cat >client.ovpn <<EOF
client client
nobind nobind
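Review bot: `MY_IP_ADDR` comes from an unauthenticated `http://` lookup and is written straight into the `remote` lines of client.ovpn, yet the guard only rejects an empty result. Validate that the value looks like an address before using it, e.g. `echo "$MY_IP_ADDR" | grep -Eq '^[0-9]+(\.[0-9]+){3}$' || { echo "Unexpected IP address lookup result: $MY_IP_ADDR"; exit 1; }`, and allow an override such as `MY_IP_ADDR=${MY_IP_ADDR:-$(curl -s http://myip.enix.org/REMOTE_ADDR)}` so the lookup is not the only option on hosts whose public address is known or differs from what the lookup returns.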
@ -73,17 +80,18 @@ redirect-gateway def1
</dh> </dh>
<connection> <connection>
remote `curl -s http://myip.enix.org/REMOTE_ADDR` 1194 udp remote $MY_IP_ADDR 1194 udp
</connection> </connection>
<connection> <connection>
remote `curl -s http://myip.enix.org/REMOTE_ADDR` 443 tcp-client remote $MY_IP_ADDR 443 tcp-client
</connection> </connection>
EOF EOF
[ -f client.http ] || cat >client.http <<EOF [ -f client.http ] || cat >client.http <<EOF
HTTP/1.0 200 OK HTTP/1.0 200 OK
Content-Type: application/x-openvpn-profile Content-Type: application/x-openvpn-profile
Content-Length: `wc -c client.ovpn`
`cat client.ovpn` `cat client.ovpn`
EOF EOF
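Review bot: `wc -c client.ovpn` prints the count followed by the file name, so the header comes out as `Content-Length: NNNN client.ovpn`, which is not a valid header value; use `wc -c < client.ovpn` (the stdin form prints only the number). Also note that because client.http is generated only when absent, the length is baked in together with the body and will not track a regenerated client.ovpn.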


@ -7,4 +7,8 @@ cd /etc/openvpn
exit 1 exit 1
} }
socat TCP-LISTEN:8080,reuseaddr - < client.http >> http8080.log echo "https://$(curl -s http://myip.enix.org/REMOTE_ADDR):8080/"
socat -d -d \
OPENSSL-LISTEN:8080,fork,reuseaddr,key=key.pem,certificate=cert.pem,verify=0 \
EXEC:'cat client.http' \
2>> http8080.log
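Review bot: `fork` combined with `verify=0` turns this into a persistent, unauthenticated server for a file that embeds private key material: every connection to 8080 receives the profile until the container is stopped, whereas the replaced `TCP-LISTEN` line exited after one transfer. Drop `fork` so the one-download behaviour is kept (the README can keep saying to re-run it per device), check that `key.pem` and `cert.pem` are created before this runs since nothing in this diff generates them, and print the certificate fingerprint next to the URL (e.g. `openssl x509 -in cert.pem -noout -fingerprint -sha256`) so the reader can match it against the browser warning.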