Commit Graph

111 Commits

Author SHA1 Message Date
Kyle Manna
0a5a792519 Merge pull request #138 from Caerbannog/patch-1
Add "key-direction 1" to client .ovpn
2016-07-05 11:44:05 -07:00
Emmanuel Frecon
3e747b353e Sending key to proper location! 2016-06-23 12:20:13 +02:00
Martin d'Allens
dac38246bd Add "key-direction 1" to client .ovpn
Adding this setting avoids connection errors on some clients, when the .ovpn file is imported directly in Gnome NetworkManager.

Server logs:
    Authenticate/Decrypt packet error: packet HMAC authentication failed
    TLS Error: incoming packet authentication failed from ...

Client logs:
    nm-openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    nm-openvpn: TLS Error: TLS handshake failed

NetworkManager version: 1.2.0
openvpn version: OpenVPN 2.3.10
2016-06-13 12:09:54 +02:00
Emmanuel Frecon
c12fdcd83f Automatically creating CCD directory 2016-06-08 09:14:08 +02:00
Dave Burke
d77ba5e1e8 Combine user args with generated args
Generated arguments will be added only if matching arguments were not
specified by the user. User arguments will be placed after generated
arguments. This allows the user to override any generated configuration
values.
2016-05-31 21:11:03 -05:00
Dave Burke
097376db75 Set working dir in ovpn_run instead of Dockerfile 2016-05-28 22:34:41 -05:00
Nate Jones
191cb45106 allow specifying extra config 2016-05-16 09:56:27 -07:00
Nate Jones
d3fcec15f1 adding ovpn_listclients script 2016-05-11 16:02:27 -07:00
Rudi Starcevic
74bfad0aac Add openvpn.conf gerneration -f fragment directive option 2016-04-06 15:06:02 +08:00
Fabio Napoleoni
d481313311 Back to Alpine Linux using packaged version of google-authenticator 2016-02-11 18:10:51 +01:00
Fabio Napoleoni
e8d93ea4fa Use $USER@$OVPN_CN for OTP label. 2016-02-07 13:22:20 +01:00
Fabio Napoleoni
607063b358 Do not cache user credentials 2016-02-07 02:53:43 +01:00
Fabio Napoleoni
bb3d1add3c Export user pass option in client when OTP is enabled 2016-02-06 21:40:11 +01:00
Fabio Napoleoni
c24a22deea Allow interactive usage 2016-02-06 21:38:26 +01:00
Fabio Napoleoni
6084261943 Improved script for user OTP generation, tested with pamtester 2016-02-06 21:31:08 +01:00
Fabio Napoleoni
dd719c1f11 Save OTP variable in server env 2016-02-06 20:25:03 +01:00
Fabio Napoleoni
6fcebf9adb Server side configuration for OTP 2016-02-06 20:23:59 +01:00
Kyle Manna
e7d0d4ea0e ovpn_run: Fix sysctl IPv6 forwarding write
* I'm not sure if this ever worked without the `-w` flag.  Perhaps in an
  old version of sysctl?
2015-12-29 13:33:55 -08:00
unknown
2fa3abe064 fixed getopts argument typo. removed ":" before "z" 2015-11-29 10:15:15 -08:00
Christian Tawfik
2650d4a286 COMP-lzo param is set in client config, if defined in server. 2015-11-29 10:15:15 -08:00
Christian Tawfik
2abbcf1999 added config param to enable COMP-LZO compression 2015-11-29 10:14:07 -08:00
Greg Brockman
ded4414ef4 Respect the -D flag
It looks like edfbffb85f caused the
OVPN_DNS variable to start being ignored, meaning the -D flag was a
no-op.
2015-10-31 19:39:32 -07:00
Johannes 'fish' Ziemke
edfbffb85f Support pushing custom DNS servers 2015-10-16 15:41:22 +02:00
Kyle Manna
1498795de2 ovpn_copy_server_files: Use short flags with rm
* The busybox tool in the alpine distro doesn't support long flags.
2015-09-29 11:42:17 -07:00
Kyle Manna
f00de363c7 ovpn_copy_server_files: Copy files without rsync
* Hack around the missing rsync by using tar to preserve the directory
  structure.
* Fixes #73
2015-09-29 11:28:04 -07:00
Robin Schneider
3df53012b6
ovpn_copy_server_files: Copy openvpn.conf instead of symlinking locally.
Symlinked files can be resolved by rsync when using the configuration on remote
servers but for local testing having the actual file is beneficial.
2015-08-27 21:19:27 +02:00
Kyle Manna
b96a91e876 Merge pull request #63 from ypid/allow_ciper_setting
Allow to change security related options tls-cipher, cipher and auth.
2015-08-26 08:42:30 -07:00
Robin Schneider
050d4a1f82
ovpn_copy_server_files: Ensure that no other keys then the one for the server is present.
When creating a multi-server setup I used a partly copied, partly
symlinked directory structure for the different servers after creating a
certificate for each server with `easyrsa build-server-full`. In that
process I also copied the `server` directory.
The rsync command does not delete files which are not excluded so it
included the correct server key and the original one which can be a
security risk.
2015-08-26 13:00:17 +02:00
Robin Schneider
d6209eebc2
Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 12:56:40 +02:00
Werner Buck
0181bb93d6 Add ability to set OVPN_NATDEVICE to target specific interface when using net=host 2015-08-24 17:19:40 +02:00
Thomas Emmerling
3703d3afc3 Add a parameter to use TAP instead of TUN device. 2015-08-19 00:46:07 +02:00
Kyle Manna
2508abd5ad run: Fail gracefully when IPv6 fails
* Fail gracefully but complain in the log when --privileged isn't used
  for docker run.
* IPv6 is in development for the time being.
* Closes #56
2015-08-09 18:04:05 -07:00
Kyle Manna
1f47f361eb Merge pull request #55 from kylemanna/dev
Merge Development Branch
2015-08-07 11:14:59 -07:00
Justin Li
02c3ee63a1 Remove dh param from client config 2015-08-04 23:07:47 -04:00
Kyle Manna
34d9601e6e ovpn_run: Assume /etc/openvpn is read-only
* Systemd service currently marks the mount as read-only, and this is
  regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to
  avoid mkdir operation.
* Mount can easily be modified using a different docker run line with
  ":ro" on the volume mount.
2015-07-27 20:26:43 -07:00
Kyle Manna
e6f7904344 run: Add IPv6 forwarding if default route
* Enable IPv6 forwarding if docker daemon provided a default route
* For now this requires the --privileged flag, but this could be hacked
  around using `ip netns` madness.
2015-07-05 21:07:06 -07:00
Kyle Manna
6aca273d89 getclient: Use openssl to prune comments
* The EasyRSA tools create a certificate file with all the metadata
  readable.  This makes the config file larger then it needs to be, so
  prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
2015-07-05 21:07:04 -07:00
Robin Schneider
7399ff7bbd
Create ccd directory to prevent error if /etc is mounted read-only.
* mkdir: cannot create directory '/etc/openvpn/ccd': Read-only file system
2015-05-31 22:10:54 +02:00
Kyle Manna
e0f7856e6f Merge pull request #48 from ypid/optimized-copy-server-script
Optimized ovpn_copy_server_files script. No need to copy the config files.
2015-05-30 16:09:50 -07:00
Robin Schneider
e361e757da
Optimized ovpn_copy_server_files script. No need to copy the config files.
* rsync can copy the actual files.
* This change makes it easier to modifier the configuration and sync it
  to the server. You only have to execute the ovpn_copy_server_files
  once.
2015-05-31 00:52:33 +02:00
Robin Schneider
ca78b46723
Added variable OVPN_ADDITIONAL_CLIENT_CONFIG use arbitrary openvpn configuration options. 2015-05-30 23:03:17 +02:00
Robin Schneider
debf45ae46
Changed license of scripts I wrote to MIT. Related to #43. 2015-05-12 21:24:59 +02:00
Kyle Manna
e53492850f crl: Pass crl-verify if found
* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an
  existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig
  which now depends on the file being present.
* Use a hardlink to tip toe around permissions issues.
2015-05-12 02:10:43 -07:00
Kyle Manna
5021bad597 ovpn: Add support for revoking certificates (CRL)
* Add this much needed missing feature.  Easy RSA makes it... easy.
2015-05-11 10:41:25 -07:00
Kyle Manna
c3024ce335 genconfig: Remove duplicate-cn mention
* Remove the commented out duplicate-cn configuration option
* Leads to confusion
* Related #42
2015-05-09 15:19:24 -07:00
Kyle Manna
2f9947c8e4 run: Pass cmd line arguments to openvpn
* Pass command line arguments to openvpn if passed in.  Enables users to
  easily override or add settings.
* Resolves #42
2015-05-09 15:18:53 -07:00
Kyle Manna
bf34f341fc Merge remote-tracking branch 'ypid/getclient' into dev 2015-03-20 16:54:22 -07:00
Robin Schneider
47cc0e3ae6
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 13:22:28 +01:00
Kyle Manna
f208847f54 Merge pull request #34 from ypid/master
Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
2015-03-12 21:03:28 -07:00
Robin Schneider
fd4a5dc38e
EASYRSA_PKI might not be defined. 2015-03-13 00:43:50 +01:00