Commit Graph

426 Commits

Author SHA1 Message Date
Adrian Olek
8c7d020074 Use --cap-add=NET_ADMIN instead of --privileged
Ovpn doesn't need all the capabilities.
https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration says:
For interacting with the network stack, instead of using --privileged they should use --cap-add=NET_ADMIN to modify the network interfaces.
2014-10-06 20:09:23 +02:00
Kyle Manna
a69ca8d65e Merge pull request #8 from disassembler/master
fixing regexp to allow dashes in OVPN_SERVER_URL
2014-08-17 12:53:31 -07:00
Samuel Leathers
f1616f7196 fixing regexp to allow dashes in OVPN_SERVER_URL 2014-08-16 22:32:16 -04:00
Kyle Manna
d36bb7ecba getclient: Do not autogenerate key
* Do not autogenerate a key if it does not exist.  Instead fail.
* Requires users to explicitly generate keys and prevents generating
  erroneous keys in the event of a typo.
2014-07-10 09:55:06 -07:00
Kyle Manna
76a230b3be Merge branch 'docs' 2014-07-09 12:24:30 -07:00
Kyle Manna
5fd47763d7 README: Add --rm to init steps
* Don't need these containers to stick around polluting docker.
2014-07-09 12:23:48 -07:00
Kyle Manna
37f86037d8 advanced: Add advanced configs
* Copy paste stuff for using host mounted volumes
2014-07-09 12:21:50 -07:00
Kyle Manna
e9c5108a8f debug: Add mention of shells
* Very useful for getting in a running container or fix a data volume.
2014-07-09 12:21:38 -07:00
Kyle Manna
816eff9af6 docs: openvpn-data -> $OVPN_DATA
* Easier to work with.
2014-07-09 12:09:27 -07:00
Kyle Manna
c38b412dc6 Merge branch 'private_subnet'
Closes #5
2014-07-09 11:10:54 -07:00
Kyle Manna
b9cc5b347a genconfig: Convert OVPN_ROUTES to array
* Convert to an array to simplify the code.
* This breaks running `ovpn_genconfig` multiple times with the same
  route argument as the array will just grow.  This needs to be fixed in
  the future.
* Recommended way to work around this is to remove ovpn_env.sh.
2014-07-09 11:06:02 -07:00
Kyle Manna
20be0f90a5 genconfig: Add push support
* Add ability to specify push commands with `-p` argument.
2014-07-09 10:55:02 -07:00
Kyle Manna
0c873ab4cf genconfig: Print success
* Print success message to console. Provides positive feedback.
2014-07-09 10:53:41 -07:00
Kyle Manna
f263eb9a61 genconfig: Add client-to-client support 2014-07-09 10:53:25 -07:00
Kyle Manna
d5979915cf README: Use variable for volume container name
* Use a variable for the volume container name to simplify my life.
* I can set the variable and then copy/paste from the README.
2014-07-09 00:07:35 -07:00
Kyle Manna
201bab6f3d Dockerfile: Set WORKDIR to /etc/openvpn
* Set WORKDIR to simply admin when I run cmd `bash`
* Add comment on port
2014-07-06 10:55:17 -07:00
Kyle Manna
e933fbe923 genconfig: Handle "-r 0" to disable extra routes
* Disable extra routes for minimal VPNs.
2014-07-06 10:52:39 -07:00
Kyle Manna
f1e85c959e genconfig: Fix typo, use Docker for port mapping
* Use docker run ... -p 1337:1194/udp kylemanna/openvpn
2014-07-06 10:51:44 -07:00
Kyle Manna
d412ce9f7e getclient: Fix sourced env variables
* Update to use the sourced environemental variables.
* Add switch for not using default gateway.
2014-07-06 00:25:14 -07:00
Kyle Manna
c3321abce5 README: Minor typo
* Multiple steps now. Tweak.
2014-07-06 00:24:54 -07:00
Kyle Manna
ca8f41f341 backup: Add restore step
* Add restore step
* Use lzma compression since we're in the 2010's
2014-07-06 00:11:27 -07:00
Kyle Manna
31d631443f README: Update to reflect recent changes
* Change argument parameters.

Closes #4
2014-07-05 23:35:47 -07:00
Kyle Manna
f221b0f0d0 genconfig: Handle route default env
* Handle re-inheriting previous routes if not overriden
* Handle leading whitespace
2014-07-05 22:27:30 -07:00
Kyle Manna
3b13cf9918 run: Handle NAT routes dynamically
* Handle the NAT routes dynamically
* Stop caring about backwards compatibility for now
2014-07-05 22:27:15 -07:00
Kyle Manna
6ca11162a5 init: Rename to initpki
* This function only initialize the EasyRSA PKI tools now.
* Decoupled from the init process.
2014-07-05 22:27:15 -07:00
Kyle Manna
6fe867c52b genconfig: Add getopts parsing
* Pass public server URL via -u argument instead of $1
* Add ability to specify multiple alternative routes
* Add ability to specify override default server internal subnet
* Add ability to write configs without a default route out, not
  implemented in other configs yet
2014-07-05 22:27:04 -07:00
Kyle Manna
852d404c12 env: Re-work environment code
* Instead of storing just a server_url which was necessary to
  regenerate the OpenVPN configs, instead store an env file.
* Move all the env parsing to `ovpn_genconfig` so that it can be re-run
  from genconfig instead of from `ovpn_init`.
* Remove all the parsing and env defaults except for genconfig.

NOTE: This breaks the older config method, uesrs will need to re-run
genconfig with an arg[1] as the previous server_url, this will create
the necessary env file the rest of the tools expect.

Example recovery for legacy users:

    host$ docker run --rm -it kylemanna/openvpn bash -l
    container# ovpn_genconfig $(cat /etc/openvpn/server_url)
2014-07-05 22:07:24 -07:00
Kyle Manna
60671e6819 genconfig: Delete backup if configs are identical
* Avoid accumulating noise.
2014-07-01 08:30:28 -07:00
Kyle Manna
a3f80e625f docs: Add debug document
* Start of something useful, maybe.
2014-07-01 00:09:00 -07:00
Kyle Manna
fbc53ebda0 Merge branch 'tweak_configs' 2014-06-30 23:52:37 -07:00
Kyle Manna
e4feb29b87 README: Correct dynamic subnet
* Correct dynamic client subnet that recently changed.
2014-06-30 23:45:36 -07:00
Kyle Manna
9951ca6ca2 README: Use long server_url
* Attempt to reveal the configurability to the curious.
2014-06-30 23:43:41 -07:00
Kyle Manna
836b473d20 ovpn: Remove reference to udp/1194
* Remove references to udp/1194.
* Works better with non-standard ports and tcp.
2014-06-30 23:27:00 -07:00
Kyle Manna
34eca5b96f ovpn: Convert from servername -> server_url
* Previously the server name cached the common name generated during
  init and assumed always 1194/udp.
* The new configuration allows for users to pass in a url in a new form
  that allows the protocol to be specified as well as the port.
* Example: udp://vpn.example.com:1194
* Try to be backwards compatible.
2014-06-30 23:27:00 -07:00
Kyle Manna
507f27a9e0 docs: Add backup documentation
* Brain dump on ways to backup the docker volume container for peace of
  mind.
2014-06-30 09:19:36 -07:00
Kyle Manna
aeb1e255cf Merge branch 'static-ips'
Closes #2
2014-06-30 00:39:11 -07:00
Kyle Manna
9a7ccd45ae docs: Add static IP documentation
* Add the documentation while it's fresh.
2014-06-30 00:35:52 -07:00
Kyle Manna
26a14d2f4b clients: Add support for static subnet
* Allow static clients to be placed on 192.168.254.0/24 subnet.
2014-06-30 00:13:55 -07:00
Kyle Manna
5e3c9719c8 run: Always ensure client dir exists
* OpenVPN will fail to start if this directory doesn't exist.
2014-06-29 23:26:23 -07:00
Kyle Manna
7b9d82630d genconfig: Backup old config file
* Backup previous config file before overwriting.
2014-06-29 23:26:23 -07:00
Kyle Manna
1aaf6a4359 genconfig: Use servername if $1 not specified
* Set the common name to servername set during last ovpn_init if $1 is
  not passed in.
* Simplies re-running ovpn_genconfig when features are added.
2014-06-29 23:26:23 -07:00
Kyle Manna
20dc3d6ea0 genconfig: Expand the subnet
* Use a larger subnet (2x the size) to allow for more hard-coded
  configurations.
2014-06-29 23:26:23 -07:00
Kyle Manna
353019b0e9 genconfig: Add client-config-dir
* Add client config directory for client specific configuration options
  such as IP addresses.
2014-06-29 23:26:23 -07:00
Kyle Manna
024fa95f19 README: Update to describe current implementation
* Update to describe the current implementation as changed following the
  fork.
2014-06-05 09:02:49 -07:00
Kyle Manna
126f3a4557 ovpn_init: Protect the CA key by default
* Protect the CA key with a passphrase by default to protect it from a
  filsystem compromise.  An attacker could still steal the other keys
  stored (ie the server's cert key), but not issue new keys.
* This is a good compromise for now.
2014-06-04 17:07:07 -07:00
Kyle Manna
e1902bc2cd ovpn_genconfig: Add generate config script
* Create a generate config script so that the new docker containers can
  regenerate the OpenVPN configuration without clobbering the PKI setup.
2014-06-04 16:50:53 -07:00
Kyle Manna
d180cce5d0 README: Update with quick blurb on how to use
* Brain dump of an example until I get time to properly update.
2014-06-04 15:42:35 -07:00
Kyle Manna
4728990da3 ovpn_getclient: Verify server certificate
* Verify the server's certificate to avoid MITM attacks
2014-06-04 15:38:49 -07:00
Kyle Manna
bc4165e587 tls-auth: Enable tls-auth for security
* Enabling tls-auth improves security and helps protect against DDoS.
2014-06-04 15:35:18 -07:00
Kyle Manna
1751d00fc9 Dockerfile: Switch to leaner Debian image
* Debian testing/Jessie is approximately 30% smaller the Ubuntu, use
  that instead.
2014-06-04 11:42:37 -07:00