diff --git a/bin/start_openvpn b/bin/start_openvpn
new file mode 100755
index 0000000..a3629f8
--- /dev/null
+++ b/bin/start_openvpn
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+if [ -z "$( ls -A '/opt/data/openvpn' )" ] || [ "${EASY_RSA_REGEN}" == "true" ]; then
+ rm -rf /opt/data/openvpn/*
+ # -- It should prepare certs with easy-rsa
+ /usr/share/easy-rsa/easyrsa init-pki
+ # -- Currently only no password
+ /usr/share/easy-rsa/easyrsa build-ca nopass
+ /usr/share/easy-rsa/easyrsa gen-dh
+ `unset EASYRSA_REQ_CN && /usr/share/easy-rsa/easyrsa build-server-full server nopass`
+ # -- Generate the CRL for client/server certificates revocation.
+ /usr/share/easy-rsa/easyrsa gen-crl
+ openvpn --genkey tls-crypt-v2-server "pki/private/${EASYRSA_REQ_CN}.pem"
+ openvpn --genkey secret > "ta.key"
+
+else
+ echo "Easy RSA config is already prepared, skipping"
+fi
+
+cp /opt/data/openvpn/ta.key /etc/openvpn/server
+openvpn --config /opt/config/server.conf
\ No newline at end of file
diff --git a/containerfiles/Containerfile b/containerfiles/Containerfile
index 07645f3..d0d3d20 100644
--- a/containerfiles/Containerfile
+++ b/containerfiles/Containerfile
@@ -16,7 +16,7 @@ RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version
 RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
 RUN mv /tmp/openvpn-${OPENVPN_VERSION} /output/openvpn
-FROM ubuntu as builder
+FROM ubuntu:24.04 as builder
 # ------------------------------------------------------
 # -- TODO: Define it only once
 # ------------------------------------------------------
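Review bot: The line that wraps `unset EASYRSA_REQ_CN && /usr/share/easy-rsa/easyrsa build-server-full server nopass` in backticks is a command substitution used as a statement, so whatever easyrsa prints to stdout is word-split and executed as a command rather than shown; it should be a subshell, `( unset EASYRSA_REQ_CN; /usr/share/easy-rsa/easyrsa build-server-full server nopass )`. The script also has no `set -euo pipefail`, so a failed `build-ca`, `gen-dh` or `gen-crl` still falls through to the `cp` and `openvpn --config` at the bottom with a half-built PKI; add `set -euo pipefail` directly after the shebang. `openvpn --genkey secret > "ta.key"` creates the key through a shell redirect, so its mode comes from the umask instead of the restrictive mode openvpn applies when it writes the file itself; passing the path as an argument, `openvpn --genkey secret ta.key`, avoids that (confirm against the installed openvpn version).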
@@ -31,36 +31,34 @@ WORKDIR /src/openvpn
 RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
 RUN make && make install
 RUN mkdir /output
-RUN cp $(which openvpn) /output/
+RUN cp $(which openvpn) /output
+RUN cp /src/openvpn/sample/sample-config-files/server.conf /output
 # ------------------------------------------------------
 # -- Final container
 # ------------------------------------------------------
 FROM ubuntu:24.04
-LABEL maintainer="allanger "
-COPY --from=builder /output /src
+LABEL maintainer="allanger "
+VOLUME /opt/data/openvpn
+WORKDIR /opt/data/openvpn
+
+ENV EASYRSA_BATCH=yes
+ENV EASYRSA_REQ_CN=openvpn-server
+
+COPY --from=builder /output/openvpn /src/openvpn
+COPY --from=builder /output/server.conf /opt/config/server.conf
+
 # -------------------------------------------------------
 # -- Prepare system deps
+# -- It's also installing the openvpn package but
+# -- it's required for getting dependencies, later
+# -- it's rewritten by the binary that from the builder
 # -------------------------------------------------------
-RUN apt update && apt install openvpn easy-rsa iptables -y && \
- mv /src/openvpn $(which openvpn)
-
-# Needed by scripts
-ENV OPENVPN /etc/openvpn
-
-# Prevents refused client connection because of an expired CRL
-ENV EASYRSA_CRL_DAYS 3650
-
-VOLUME ["/etc/openvpn"]
-
-# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
-EXPOSE 1194
+RUN apt update &&\
+ apt upgrade -y && \
+ apt install openvpn easy-rsa -y && \
+ mv /src/openvpn $(which openvpn)
 CMD ["ovpn_run"]
-COPY --chmod='755' ./bin /usr/local/bin
-# -----------------------------------------------------------
-# -- Add support for OTP authentication using a PAM module
-# -- I have no idea how it works yet
-# -----------------------------------------------------------
-WORKDIR /etc/openvpn
+COPY --chmod='755' ./bin /usr/local/bin
\ No newline at end of file
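Review bot: `ENV EASYRSA_CRL_DAYS 3650` is dropped together with the comment explaining it ("Prevents refused client connection because of an expired CRL"), while the new bin/start_openvpn runs `easyrsa gen-crl` only once inside its first-run branch; the CRL therefore gets easy-rsa's default validity and is never refreshed, and if server.conf enables `crl-verify` clients will be rejected once it lapses. Re-add it next to the other variables, `ENV EASYRSA_CRL_DAYS=3650`, or regenerate the CRL on every container start. `CMD ["ovpn_run"]` is left unchanged but the script this commit adds is `bin/start_openvpn`; unless `./bin` also ships an `ovpn_run`, the image has no working entrypoint — worth confirming. The apt layer could also pass `--no-install-recommends` and end with `rm -rf /var/lib/apt/lists/*` so the package index does not stay in the final image.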