Merge pull request #34 from ypid/master

Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
Kyle Manna 2015-03-12 21:03:28 -07:00
commit f208847f54
3 changed files with 46 additions and 1 deletions


@ -105,7 +105,7 @@ packets, etc).
simplicity. It's highly recommended to secure the CA key with some simplicity. It's highly recommended to secure the CA key with some
passphrase to protect against a filesystem compromise. A more secure system passphrase to protect against a filesystem compromise. A more secure system
would put the EasyRSA PKI CA on an offline system (can use the same Docker would put the EasyRSA PKI CA on an offline system (can use the same Docker
image to accomplish this). image and the script ovpn_copy_server_files to accomplish this).
* It would be impossible for an adversary to sign bad or forged certificates * It would be impossible for an adversary to sign bad or forged certificates
without first cracking the key's passphase should the adversary have root without first cracking the key's passphase should the adversary have root
access to the filesystem. access to the filesystem.
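Review bot: the README sentence now names `ovpn_copy_server_files` but gives the reader no pointer to where its workflow is explained; since this same change adds docs/paranoid.md, link it from here, e.g. "image and the script ovpn_copy_server_files, see docs/paranoid.md, to accomplish this". While this paragraph is being touched, the context line "cracking the key's passphase" misspells "passphrase".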

bin/ovpn_copy_server_files Executable file

@ -0,0 +1,34 @@
#!/bin/bash
## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
if [ -z "$OPENVPN" ]; then
export OPENVPN="$PWD"
fi
if ! source "$OPENVPN/ovpn_env.sh"; then
echo "Could not source $OPENVPN/ovpn_env.sh."
exit 1
fi
TARGET="/tmp/openvpn_${OVPN_CN}"
if [ -n "$1" ]; then
TARGET="$1"
else
TARGET="$OPENVPN/server"
fi
rsync --recursive --verbose --prune-empty-dirs \
--exclude="clients" \
--exclude="server" \
--include "*/" \
--include "/pki/private/${OVPN_CN}.key" \
--include "/pki/ca.crt" \
--include "/pki/issued/${OVPN_CN}.crt" \
--include "/pki/dh.pem" \
--include "ta.key" \
--include "/openvpn.conf" \
--include "/ovpn_env.sh" \
--exclude="*" \
"$OPENVPN/" "$TARGET"
echo "Created the openvpn configuration for the server: $TARGET"
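Review bot: the files copied here include the server's private key (`/pki/private/${OVPN_CN}.key`) and `ta.key`, but `rsync --recursive` on its own does not preserve file modes (that needs `--perms` or `--archive`), so the copies under `$TARGET` can end up more readable than the originals in the PKI directory; add `--perms` or tighten the target directory after the copy. Two smaller points: the first assignment `TARGET="/tmp/openvpn_${OVPN_CN}"` is dead code, since the if/else that follows always overwrites it, and nothing checks that `OVPN_CN` is non-empty after sourcing `ovpn_env.sh`, so an unset value silently turns the patterns into `/pki/private/.key` and `/pki/issued/.crt` and the script reports success having copied nothing useful. Also `--include "ta.key"` is the only pattern without a leading slash, so it matches a file of that name at any depth; anchor it like the others.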

docs/paranoid.md Normal file

@ -0,0 +1,11 @@
# Advanced security
As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it a server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_initpki
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
The `ovpn_copy_server_files` script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.
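Review bot: the introduction promises to cover copying the needed files "to the server(s) and clients", but the steps only produce the server directory; either add the client step or narrow that sentence. "leave it a server" should read "leave it on a server". It would also help the reader to say where the output lands on the host: with the `-v /tmp/openvpn:/etc/openvpn` mount shown, the default `$OPENVPN/server` is `/tmp/openvpn/server` if `$OPENVPN` is `/etc/openvpn` inside the container. Since that directory holds the server's private key and `ta.key`, the "copy this directory to the server" step deserves one sentence saying to use an authenticated channel (scp or rsync over ssh) and to remove the copy from the CA machine afterwards, in keeping with the page's goal of keeping secrets off systems that do not need them.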