Merge pull request #34 from ypid/master

Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
This commit is contained in:
Kyle Manna 2015-03-12 21:03:28 -07:00
commit f208847f54
3 changed files with 46 additions and 1 deletions

View File

@ -105,7 +105,7 @@ packets, etc).
simplicity. It's highly recommended to secure the CA key with some
passphrase to protect against a filesystem compromise. A more secure system
would put the EasyRSA PKI CA on an offline system (can use the same Docker
image to accomplish this).
image and the script ovpn_copy_server_files to accomplish this).
* It would be impossible for an adversary to sign bad or forged certificates
without first cracking the key's passphase should the adversary have root
access to the filesystem.

34
bin/ovpn_copy_server_files Executable file
View File

@ -0,0 +1,34 @@
#!/bin/bash
## @licence AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
## @author Copyright (C) 2015 Robin Schneider <ypid@riseup.net>
if [ -z "$OPENVPN" ]; then
export OPENVPN="$PWD"
fi
if ! source "$OPENVPN/ovpn_env.sh"; then
echo "Could not source $OPENVPN/ovpn_env.sh."
exit 1
fi
TARGET="/tmp/openvpn_${OVPN_CN}"
if [ -n "$1" ]; then
TARGET="$1"
else
TARGET="$OPENVPN/server"
fi
rsync --recursive --verbose --prune-empty-dirs \
--exclude="clients" \
--exclude="server" \
--include "*/" \
--include "/pki/private/${OVPN_CN}.key" \
--include "/pki/ca.crt" \
--include "/pki/issued/${OVPN_CN}.crt" \
--include "/pki/dh.pem" \
--include "ta.key" \
--include "/openvpn.conf" \
--include "/ovpn_env.sh" \
--exclude="*" \
"$OPENVPN/" "$TARGET"
echo "Created the openvpn configuration for the server: $TARGET"

11
docs/paranoid.md Normal file
View File

@ -0,0 +1,11 @@
# Advanced security
As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it a server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_initpki
docker run --rm -t -i -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_copy_server_files
The `ovpn_copy_server_files` script puts all the needed configuration in a subdirectory which defaults to `$OPENVPN/server`. All you need to do now is to copy this directory to the server and you are good to go.