From 3d2d839d0b7b64f0acbc5948c4fbe070c6b6d53b Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Sun, 8 Mar 2015 22:40:08 +0100
Subject: [PATCH 1/3] Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.

* For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :).

---
 README.md | 2 +-
 bin/ovpn_copy_server_files | 24 ++++++++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100755 bin/ovpn_copy_server_files

diff --git a/README.md b/README.md
index d212cc7..fff79e5 100644
--- a/README.md
+++ b/README.md
@@ -105,7 +105,7 @@ packets, etc).
 simplicity. It's highly recommended to secure the CA key with some passphrase to protect against a filesystem compromise. A more secure system would put the EasyRSA PKI CA on an offline system (can use the same Docker
- image to accomplish this).
+ image and the script ovpn_copy_server_files to accomplish this).
 * It would be impossible for an adversary to sign bad or forged certificates without first cracking the key's passphase should the adversary have root access to the filesystem.
diff --git a/bin/ovpn_copy_server_files b/bin/ovpn_copy_server_files
new file mode 100755
index 0000000..1be138b
--- /dev/null
+++ b/bin/ovpn_copy_server_files
@@ -0,0 +1,24 @@
+#!/bin/bash
+## @licence AGPLv3
+## @author Copyright (C) 2015 Robin Schneider
+
+source "$OPENVPN/ovpn_env.sh"
+
+TARGET="/tmp/openvpn_${OVPN_CN}"
+if [ -n "$1" ]; then
+ TARGET="$1"
+fi
+
+rsync --recursive --verbose --prune-empty-dirs \
+ --include "*/" \
+ --include "/pki/private/${OVPN_CN}.key" \
+ --include "/pki/ca.crt" \
+ --include "/pki/issued/${OVPN_CN}.crt" \
+ --include "/pki/dh.pem" \
+ --include "ta.key" \
+ --include "/openvpn.conf" \
+ --include "/ovpn_env.sh" \
+ --exclude="*" \
+ "$OPENVPN/" "$TARGET"
+
+echo "Created the openvpn configuration for the server: $TARGET"
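Review bot: `"$OPENVPN/" "$TARGET"` at the end of the rsync call passes a caller-supplied path in a position where rsync still parses options, so a first argument beginning with `-` is read as a flag rather than as the destination; terminating the option list with `-- "$OPENVPN/" "$TARGET"` closes that, and the same line is rewritten again in the third patch's hunk, which would want the same fix. `--include "ta.key"` is the only pattern in the list without a leading `/`, so it matches a `ta.key` at any depth under `$OPENVPN` while every other selection is anchored; if the intended file is `pki/ta.key`, writing `--include "/pki/ta.key"` keeps the selection explicit. The script sets no `set -e`, so a failing rsync still prints `Created the openvpn configuration for the server: …`; either `set -euo pipefail` after the shebang or `|| exit 1` on the rsync command makes the success message truthful.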
From 5e514721ffd0c1e56f2820961ba71a6bbf985965 Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Thu, 12 Mar 2015 23:07:34 +0100
Subject: [PATCH 2/3] Added documentation for ovpn_copy_server_files.

---
 bin/ovpn_copy_server_files | 14 ++++++++++++--
 docs/paranoid.md | 11 +++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 docs/paranoid.md

diff --git a/bin/ovpn_copy_server_files b/bin/ovpn_copy_server_files
index 1be138b..10e6ca6 100755
--- a/bin/ovpn_copy_server_files
+++ b/bin/ovpn_copy_server_files
@@ -2,14 +2,24 @@
 ## @licence AGPLv3
 ## @author Copyright (C) 2015 Robin Schneider
 
-source "$OPENVPN/ovpn_env.sh"
+if [ -z "$OPENVPN" ]; then
+ export OPENVPN="$PWD"
+fi
+if ! source "$OPENVPN/ovpn_env.sh"; then
+ echo "Could not source $OPENVPN/ovpn_env.sh."
+ exit 1
+fi
 
 TARGET="/tmp/openvpn_${OVPN_CN}"
 if [ -n "$1" ]; then
 TARGET="$1"
+else
+ TARGET="$OPENVPN/server"
 fi
 
 rsync --recursive --verbose --prune-empty-dirs \
+ --exclude="clients" \
+ --exclude="server" \
 --include "*/" \
 --include "/pki/private/${OVPN_CN}.key" \
 --include "/pki/ca.crt" \
@@ -19,6 +29,6 @@ rsync --recursive --verbose --prune-empty-dirs \
 --include "/openvpn.conf" \
 --include "/ovpn_env.sh" \
 --exclude="*" \
- "$OPENVPN/" "$TARGET"
+ "$OPENVPN/" "$TARGET" -n
 
 echo "Created the openvpn configuration for the server: $TARGET"
diff --git a/docs/paranoid.md b/docs/paranoid.md
new file mode 100644
index 0000000..e936f85
--- /dev/null
+++ b/docs/paranoid.md
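Review bot: `TARGET="/tmp/openvpn_${OVPN_CN}"` is dead after this change, because both branches of the `if [ -n "$1" ]` that follows assign TARGET, so the `/tmp` default is never used; `TARGET="${1:-$OPENVPN/server}"` states the whole selection in one line and removes the stale path. The new failure path `echo "Could not source $OPENVPN/ovpn_env.sh."` writes its diagnostic to stdout; it belongs on stderr, `echo "Could not source $OPENVPN/ovpn_env.sh." >&2`. Falling back to `export OPENVPN="$PWD"` means the script sources `ovpn_env.sh` from whatever directory it is started in, which deserves a comment such as `# Default to the current directory; the caller is expected to run this inside the config directory` so the assumption is visible. The added `--exclude="clients"` and `--exclude="server"` are unanchored, so an entry with either name at any depth is skipped, not only the top-level ones; if the purpose is only to keep rsync out of the default destination (as the `$OPENVPN/server` default suggests), `--exclude="/server"` expresses that more precisely.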
@@ -0,0 +1,11 @@
+# Advanced security
+
+As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it a server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
+
+Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
+
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_initpki
+ docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
+
+The `ovpn_copy_server_files` script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.

From 3c643675834ba23d3d6e624e5208df5039a63f00 Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Thu, 12 Mar 2015 23:49:49 +0100
Subject: [PATCH 3/3] Removed the --dry-run from rsync. Make it actually do something.

---
 bin/ovpn_copy_server_files | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bin/ovpn_copy_server_files b/bin/ovpn_copy_server_files
index 10e6ca6..91c6476 100755
--- a/bin/ovpn_copy_server_files
+++ b/bin/ovpn_copy_server_files
@@ -29,6 +29,6 @@ rsync --recursive --verbose --prune-empty-dirs \
 --include "/openvpn.conf" \
 --include "/ovpn_env.sh" \
 --exclude="*" \
- "$OPENVPN/" "$TARGET" -n
+ "$OPENVPN/" "$TARGET"
 
 echo "Created the openvpn configuration for the server: $TARGET"