Add mention of SSL for configuration download.
This commit is contained in:
parent
be9e6b65c9
commit
c6b94b5726
31
README.md
31
README.md
@ -4,20 +4,29 @@ Quick instructions:
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
CID=$(docker run -d -privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn)
|
CID=$(docker run -d -privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn)
|
||||||
SERVERADDR=$(curl http://myip.enix.org/REMOTE_ADDR)
|
docker run -t -i -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig
|
||||||
echo "Download your OpenVPN configuration file at http://$SERVERADDR:8080/"
|
|
||||||
docker run -p 8080:8080 -volumes-from $CID jpetazzo/openvpn serveconfig
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Now download the file located at the indicated URL. The configuration
|
Now download the file located at the indicated URL. You will get a
|
||||||
server exits after 1 download, so if you need to download the configuration
|
certificate warning, since the connection is done over SSL, but we are
|
||||||
on multiple devices, repeat the last `docker run`.
|
using a self-signed certificate. After downloading the configuration,
|
||||||
|
stop the `serveconfig` container. You can restart it later if you need
|
||||||
|
to re-download the configuration, or to download it to multiple devices.
|
||||||
|
|
||||||
The file can be used immediately as an OpenVPN profile. It embeds all the
|
The file can be used immediately as an OpenVPN profile. It embeds all the
|
||||||
required configuration and credentials. It has been tested successfully on
|
required configuration and credentials. It has been tested successfully on
|
||||||
Linux, Windows, and Android clients. If you can test it on OS X and iPhone,
|
Linux, Windows, and Android clients. If you can test it on OS X and iPhone,
|
||||||
let me know!
|
let me know!
|
||||||
|
|
||||||
|
**Note:** there is a [bug in the Android Download Manager](
|
||||||
|
http://code.google.com/p/android/issues/detail?id=3492) which prevents
|
||||||
|
downloading files from untrusted SSL servers; and in that case, our
|
||||||
|
self-signed certificate means that our server is untrusted. If you
|
||||||
|
try to download with the default browser on your Android device,
|
||||||
|
it will show the download as "in progress" but it will remain stuck.
|
||||||
|
You can download it with Firefox; or you can transfer it with another
|
||||||
|
way: Dropbox, USB, micro-SD card...
|
||||||
|
|
||||||
If you reboot the server (or stop the container), if you `docker run`
|
If you reboot the server (or stop the container), if you `docker run`
|
||||||
again, you will create a new service (with a new configuration) and
|
again, you will create a new service (with a new configuration) and
|
||||||
you will have to re-download the configuration file. However, you can
|
you will have to re-download the configuration file. However, you can
|
||||||
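Review bot: the new paragraph starting "Now download the file located at the indicated URL. You will get a certificate warning" tells the reader to click through the warning but gives them nothing to check it against, so the self-signed certificate adds no protection against an active attacker on the path, and the file being fetched "embeds all the required configuration and credentials". Have `serveconfig` print the certificate fingerprint next to the URL (for example the output of `openssl x509 -in cert.pem -noout -fingerprint`) and tell the reader to compare it with the fingerprint shown in the browser's warning dialog before accepting. The same paragraph should also state plainly that, unlike the previous one-request server, the new one keeps answering until the container is stopped, so "stop the `serveconfig` container" is a security step rather than tidying up.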
@ -41,9 +50,9 @@ The configuration is located in `/etc/openvpn`, and the Dockerfile
|
|||||||
declares that directory as a volume. It means that you can start another
|
declares that directory as a volume. It means that you can start another
|
||||||
container with the `-volumes-from` flag, and access the configuration.
|
container with the `-volumes-from` flag, and access the configuration.
|
||||||
Conveniently, `jpetazzo/openvpn` comes with a script called `serveconfig`,
|
Conveniently, `jpetazzo/openvpn` comes with a script called `serveconfig`,
|
||||||
which starts a pseudo HTTP server on `8080/tcp`. The pseudo server
|
which starts a pseudo HTTPS server on `8080/tcp`. The pseudo server
|
||||||
will accept only one request, and send the content of the configuration
|
does not even check the HTTP request; it just sends the HTTP status line,
|
||||||
file, then it will exit.
|
headers, and body right away.
|
||||||
|
|
||||||
|
|
||||||
## OpenVPN details
|
## OpenVPN details
|
||||||
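Review bot: the rewritten description (from "which starts a pseudo HTTPS server on `8080/tcp`" through "headers, and body right away.") drops the old statement that the server accepts only one request and then exits, but does not say what replaced it. With `fork` in the `socat` invocation it now answers every connection until the container is stopped, and because it "does not even check the HTTP request", any client that completes a TLS handshake to port 8080 receives the whole profile with its embedded credentials. Say that here, and point back to the instruction to stop the container once the download is done.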
@ -86,7 +95,3 @@ generate a new client key each time the `serveconfig` command is
|
|||||||
called. The command could even take the client CN as argument, and
|
called. The command could even take the client CN as argument, and
|
||||||
another `revoke` command could be used to revoke previously issued
|
another `revoke` command could be used to revoke previously issued
|
||||||
keys.
|
keys.
|
||||||
|
|
||||||
Also, the configuration could be served over SSL. This should be
|
|
||||||
fairly enough, since we use `socat` for the pseudo HTTP server,
|
|
||||||
and `socat` can also do SSL.
|
|
12
bin/run
12
bin/run
@ -53,6 +53,13 @@ dev tun1194
|
|||||||
status openvpn-status-1194
|
status openvpn-status-1194
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
MY_IP_ADDR=$(curl -s http://myip.enix.org/REMOTE_ADDR)
|
||||||
|
[ "$MY_IP_ADDR" ] || {
|
||||||
|
echo "Sorry, I could not figure out my public IP address."
|
||||||
|
echo "(I use http://myip.enix.org/REMOTE_ADDR/ for that purpose.)"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
[ -f client.ovpn ] || cat >client.ovpn <<EOF
|
[ -f client.ovpn ] || cat >client.ovpn <<EOF
|
||||||
client
|
client
|
||||||
nobind
|
nobind
|
||||||
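Review bot: the guard `[ "$MY_IP_ADDR" ] || { ... }` only checks that `curl` returned something, not that it returned an IP address. `curl -s` suppresses errors, so an HTTP error page, a captive-portal response, or anything injected into the plaintext `http://myip.enix.org/REMOTE_ADDR` fetch passes the check and is written into `client.ovpn` as `remote $MY_IP_ADDR 1194 udp`, where the `[ -f client.ovpn ] ||` guard then caches it for good. Use `curl -sf` so HTTP errors yield an empty string, validate the value before using it (e.g. `case "$MY_IP_ADDR" in ""|*[!0-9.]*) echo "bad address: $MY_IP_ADDR"; exit 1;; esac`), and consider honouring an override from the environment (`MY_IP_ADDR=${MY_IP_ADDR:-$(curl -sf ...)}`) so the container is usable when the lookup service is unreachable or returns a NAT-side address.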
@ -73,17 +80,18 @@ redirect-gateway def1
|
|||||||
</dh>
|
</dh>
|
||||||
|
|
||||||
<connection>
|
<connection>
|
||||||
remote `curl -s http://myip.enix.org/REMOTE_ADDR` 1194 udp
|
remote $MY_IP_ADDR 1194 udp
|
||||||
</connection>
|
</connection>
|
||||||
|
|
||||||
<connection>
|
<connection>
|
||||||
remote `curl -s http://myip.enix.org/REMOTE_ADDR` 443 tcp-client
|
remote $MY_IP_ADDR 443 tcp-client
|
||||||
</connection>
|
</connection>
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
[ -f client.http ] || cat >client.http <<EOF
|
[ -f client.http ] || cat >client.http <<EOF
|
||||||
HTTP/1.0 200 OK
|
HTTP/1.0 200 OK
|
||||||
Content-Type: application/x-openvpn-profile
|
Content-Type: application/x-openvpn-profile
|
||||||
|
Content-Length: `wc -c client.ovpn`
|
||||||
|
|
||||||
`cat client.ovpn`
|
`cat client.ovpn`
|
||||||
EOF
|
EOF
|
||||||
|
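Review bot: the `wc -c client.ovpn` substitution in the new `Content-Length:` header is wrong: given a filename argument, `wc -c` prints the byte count followed by the filename, so `client.http` ends up with a header like `Content-Length: 4321 client.ovpn`, which is not a valid value and will make strict clients reject or truncate the download. Use `wc -c < client.ovpn` (count from stdin, no filename) or `stat -c %s client.ovpn`. Note too that the body is produced by the `cat client.ovpn` substitution inside the heredoc, which strips trailing newlines and then the heredoc adds one back, so the count only matches the bytes actually sent when `client.ovpn` ends with exactly one newline; computing the length from the body as written would be more robust. Replacing the two inline `curl` calls with `$MY_IP_ADDR` is the right fix for the case where the two lookups could have returned different addresses.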
@ -7,4 +7,8 @@ cd /etc/openvpn
|
|||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|
||||||
socat TCP-LISTEN:8080,reuseaddr - < client.http >> http8080.log
|
echo "https://$(curl -s http://myip.enix.org/REMOTE_ADDR):8080/"
|
||||||
|
socat -d -d \
|
||||||
|
OPENSSL-LISTEN:8080,fork,reuseaddr,key=key.pem,certificate=cert.pem,verify=0 \
|
||||||
|
EXEC:'cat client.http' \
|
||||||
|
2>> http8080.log
|
||||||
|
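Review bot: `OPENSSL-LISTEN:8080,...,key=key.pem,certificate=cert.pem,...` depends on `key.pem` and `cert.pem` existing in `/etc/openvpn`, but nothing in this change generates them, and with `2>> http8080.log` a failure to open them is only visible in the log while the script has already printed a usable-looking `https://...:8080/` URL. Add a guard before `socat`, such as `[ -f key.pem -a -f cert.pem ] || { echo "missing key.pem/cert.pem"; exit 1; }`, or generate them in `bin/run` next to the other first-run artifacts (e.g. `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=openvpn -keyout key.pem -out cert.pem`), and print the certificate fingerprint alongside the URL so the warning the README tells users to expect can actually be checked. Two smaller points: `fork` turns the old one-shot server into one that answers every connection until stopped, which the README wording should reflect, and the `echo` performs its own `curl` of the IP lookup service instead of reusing the address already written into `client.ovpn`, so the printed URL can differ from the address the profile will connect to if the lookup returns something different.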