Kyle Manna
6aca273d89
getclient: Use openssl to prune comments
...
* The EasyRSA tools create a certificate file with all the metadata
readable. This makes the config file larger than it needs to be, so
prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
2015-07-05 21:07:04 -07:00
Robin Schneider
7399ff7bbd
Create ccd directory to prevent error if /etc is mounted read-only.
...
* mkdir: cannot create directory '/etc/openvpn/ccd': Read-only file system
2015-05-31 22:10:54 +02:00
Kyle Manna
e0f7856e6f
Merge pull request #48 from ypid/optimized-copy-server-script
...
Optimized ovpn_copy_server_files script. No need to copy the config files.
2015-05-30 16:09:50 -07:00
Robin Schneider
e361e757da
Optimized ovpn_copy_server_files script. No need to copy the config files.
...
* rsync can copy the actual files.
* This change makes it easier to modify the configuration and sync it
to the server. You only have to execute the ovpn_copy_server_files
once.
2015-05-31 00:52:33 +02:00
Robin Schneider
ca78b46723
Added variable OVPN_ADDITIONAL_CLIENT_CONFIG to use arbitrary openvpn configuration options.
2015-05-30 23:03:17 +02:00
Robin Schneider
debf45ae46
Changed license of scripts I wrote to MIT. Related to #43.
2015-05-12 21:24:59 +02:00
Kyle Manna
e53492850f
crl: Pass crl-verify if found
...
* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an
existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig
which now depends on the file being present.
* Use a hardlink to tiptoe around permissions issues.
2015-05-12 02:10:43 -07:00
Kyle Manna
5021bad597
ovpn: Add support for revoking certificates (CRL)
...
* Add this much needed missing feature. Easy RSA makes it... easy.
2015-05-11 10:41:25 -07:00
Kyle Manna
c3024ce335
genconfig: Remove duplicate-cn mention
...
* Remove the commented out duplicate-cn configuration option
* Leads to confusion
* Related #42
2015-05-09 15:19:24 -07:00
Kyle Manna
2f9947c8e4
run: Pass cmd line arguments to openvpn
...
* Pass command line arguments to openvpn if passed in. Enables users to
easily override or add settings.
* Resolves #42
2015-05-09 15:18:53 -07:00
Kyle Manna
bf34f341fc
Merge remote-tracking branch 'ypid/getclient' into dev
2015-03-20 16:54:22 -07:00
Robin Schneider
47cc0e3ae6
Fixed based on the review by @kylemanna. Thanks.
2015-03-14 13:22:28 +01:00
Kyle Manna
f208847f54
Merge pull request #34 from ypid/master
...
Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
2015-03-12 21:03:28 -07:00
Robin Schneider
fd4a5dc38e
EASYRSA_PKI might not be defined.
2015-03-13 00:43:50 +01:00
Robin Schneider
e6e2221d8b
Allow exporting a separated client config and wrote ovpn_getclient_all.
2015-03-13 00:32:40 +01:00
Robin Schneider
3c64367583
Removed the --dry-run from rsync. Make it actually do something.
2015-03-12 23:49:49 +01:00
Robin Schneider
5e514721ff
Added documentation for ovpn_copy_server_files.
2015-03-12 23:11:33 +01:00
Kyle Manna
88c76c787e
genconfig: Turn off exit on error at end
...
* Need to check return status of diff, but don't want a false return
code to exit the script.
* Fixes #35
2015-03-09 09:19:38 -07:00
Robin Schneider
3d2d839d0b
Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
...
* For the truly paranoid users, never keep any keys (i.e. client and
certificate authority) in the docker container to begin with :).
2015-03-08 22:40:08 +01:00
Kyle Manna
8d8f19d951
genconfig: Describe backup conf deletion
...
* Handle back-up configuration deletion better by informing the user
why the back-up vanished.
* Closes #33
2015-03-07 16:35:08 -08:00
omriiluz
43ae3eb61d
properly clone arrays
2015-02-28 03:22:08 -08:00
omriiluz
6b23cf8d88
do not accumulate routes and push directives from default if new directives were defined
2015-02-28 03:01:00 -08:00
omriiluz
e9d1022eb4
Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1
2015-02-28 02:45:31 -08:00
Nui Narongwet
e959dca048
Return correct exit status
2015-02-21 02:46:50 +07:00
omriiluz
1cb38ce146
Support client mtu push
2015-01-17 01:07:52 -08:00
Omri Iluz
3eeee022fd
Create NAT if OVPN_NAT is set (flag -N)
2015-01-17 01:00:18 -08:00
Omri Iluz
1e2418ae37
Control external NAT creation
2015-01-17 00:56:46 -08:00
Omri Iluz
97f231b4e7
Control default DNS push with -D flag
2015-01-17 00:56:21 -08:00
Omri Iluz
bf50da4ee2
Remove hard coded DNS push.
...
TODO: control with cmdline option
2015-01-16 03:36:47 -08:00
Jimmy Wong
31a8584685
Run daemon as nobody
2015-01-01 22:57:28 -08:00
Zack Adams
73c206d14a
Fixed SIGTERM handling
2014-12-10 10:36:00 -05:00
Timo Zingel
f2148d99ae
no connection block in client config
2014-12-08 21:07:46 +01:00
Christopher Brickley
be22048a2b
avoid dup iptables rules
2014-10-23 09:16:51 -04:00
Samuel Leathers
f1616f7196
fixing regexp to allow dashes in OVPN_SERVER_URL
2014-08-16 22:32:16 -04:00
Kyle Manna
d36bb7ecba
getclient: Do not autogenerate key
...
* Do not autogenerate a key if it does not exist. Instead fail.
* Requires users to explicitly generate keys and prevents generating
erroneous keys in the event of a typo.
2014-07-10 09:55:06 -07:00
Kyle Manna
b9cc5b347a
genconfig: Convert OVPN_ROUTES to array
...
* Convert to an array to simplify the code.
* This breaks running `ovpn_genconfig` multiple times with the same
route argument as the array will just grow. This needs to be fixed in
the future.
* Recommended way to work around this is to remove ovpn_env.sh.
2014-07-09 11:06:02 -07:00
Kyle Manna
20be0f90a5
genconfig: Add push support
...
* Add ability to specify push commands with `-p` argument.
2014-07-09 10:55:02 -07:00
Kyle Manna
0c873ab4cf
genconfig: Print success
...
* Print success message to console. Provides positive feedback.
2014-07-09 10:53:41 -07:00
Kyle Manna
f263eb9a61
genconfig: Add client-to-client support
2014-07-09 10:53:25 -07:00
Kyle Manna
e933fbe923
genconfig: Handle "-r 0" to disable extra routes
...
* Disable extra routes for minimal VPNs.
2014-07-06 10:52:39 -07:00
Kyle Manna
f1e85c959e
genconfig: Fix typo, use Docker for port mapping
...
* Use docker run ... -p 1337:1194/udp kylemanna/openvpn
2014-07-06 10:51:44 -07:00
Kyle Manna
d412ce9f7e
getclient: Fix sourced env variables
...
* Update to use the sourced environmental variables.
* Add switch for not using default gateway.
2014-07-06 00:25:14 -07:00
Kyle Manna
f221b0f0d0
genconfig: Handle route default env
...
* Handle re-inheriting previous routes if not overridden
* Handle leading whitespace
2014-07-05 22:27:30 -07:00
Kyle Manna
3b13cf9918
run: Handle NAT routes dynamically
...
* Handle the NAT routes dynamically
* Stop caring about backwards compatibility for now
2014-07-05 22:27:15 -07:00
Kyle Manna
6ca11162a5
init: Rename to initpki
...
* This function only initializes the EasyRSA PKI tools now.
* Decoupled from the init process.
2014-07-05 22:27:15 -07:00
Kyle Manna
6fe867c52b
genconfig: Add getopts parsing
...
* Pass public server URL via -u argument instead of $1
* Add ability to specify multiple alternative routes
* Add ability to specify override default server internal subnet
* Add ability to write configs without a default route out, not
implemented in other configs yet
2014-07-05 22:27:04 -07:00
Kyle Manna
852d404c12
env: Re-work environment code
...
* Instead of storing just a server_url which was necessary to
regenerate the OpenVPN configs, instead store an env file.
* Move all the env parsing to `ovpn_genconfig` so that it can be re-run
from genconfig instead of from `ovpn_init`.
* Remove all the parsing and env defaults except for genconfig.
NOTE: This breaks the older config method, users will need to re-run
genconfig with an arg[1] as the previous server_url, this will create
the necessary env file the rest of the tools expect.
Example recovery for legacy users:
host$ docker run --rm -it kylemanna/openvpn bash -l
container# ovpn_genconfig $(cat /etc/openvpn/server_url)
2014-07-05 22:07:24 -07:00
Kyle Manna
60671e6819
genconfig: Delete backup if configs are identical
...
* Avoid accumulating noise.
2014-07-01 08:30:28 -07:00
Kyle Manna
836b473d20
ovpn: Remove reference to udp/1194
...
* Remove references to udp/1194.
* Works better with non-standard ports and tcp.
2014-06-30 23:27:00 -07:00
Kyle Manna
34eca5b96f
ovpn: Convert from servername -> server_url
...
* Previously the server name cached the common name generated during
init and assumed always 1194/udp.
* The new configuration allows for users to pass in a url in a new form
that allows the protocol to be specified as well as the port.
* Example: udp://vpn.example.com:1194
* Try to be backwards compatible.
2014-06-30 23:27:00 -07:00
Kyle Manna
26a14d2f4b
clients: Add support for static subnet
...
* Allow static clients to be placed on 192.168.254.0/24 subnet.
2014-06-30 00:13:55 -07:00
Kyle Manna
5e3c9719c8
run: Always ensure client dir exists
...
* OpenVPN will fail to start if this directory doesn't exist.
2014-06-29 23:26:23 -07:00
Kyle Manna
7b9d82630d
genconfig: Backup old config file
...
* Backup previous config file before overwriting.
2014-06-29 23:26:23 -07:00
Kyle Manna
1aaf6a4359
genconfig: Use servername if $1 not specified
...
* Set the common name to servername set during last ovpn_init if $1 is
not passed in.
* Simplifies re-running ovpn_genconfig when features are added.
2014-06-29 23:26:23 -07:00
Kyle Manna
20dc3d6ea0
genconfig: Expand the subnet
...
* Use a larger subnet (2x the size) to allow for more hard-coded
configurations.
2014-06-29 23:26:23 -07:00
Kyle Manna
353019b0e9
genconfig: Add client-config-dir
...
* Add client config directory for client specific configuration options
such as IP addresses.
2014-06-29 23:26:23 -07:00
Kyle Manna
126f3a4557
ovpn_init: Protect the CA key by default
...
* Protect the CA key with a passphrase by default to protect it from a
filesystem compromise. An attacker could still steal the other keys
stored (i.e. the server's cert key), but not issue new keys.
* This is a good compromise for now.
2014-06-04 17:07:07 -07:00
Kyle Manna
e1902bc2cd
ovpn_genconfig: Add generate config script
...
* Create a generate config script so that the new docker containers can
regenerate the OpenVPN configuration without clobbering the PKI setup.
2014-06-04 16:50:53 -07:00
Kyle Manna
4728990da3
ovpn_getclient: Verify server certificate
...
* Verify the server's certificate to avoid MITM attacks
2014-06-04 15:38:49 -07:00
Kyle Manna
bc4165e587
tls-auth: Enable tls-auth for security
...
* Enabling tls-auth improves security and helps protect against DDoS.
2014-06-04 15:35:18 -07:00
Kyle Manna
939cf7ab67
ovpn_init: Remove external IP resolution
...
* Disable auto guessing the external IP in favor of the user explicitly
specifying the server name. Save the servername for client cert
generation later.
* Remove dnsutils from build since dig is no longer necessary. Favor
lean and mean images.
2014-06-04 11:15:43 -07:00
Kyle Manna
1869cd85d0
openvpn.sh: Split into smaller scripts
...
* Split soon to be massive wrapper into smaller manageable scripts.
* Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 11:13:59 -07:00
Kyle Manna
035ff64200
Dockerfile: Add ENV configuration
...
* Add ENV configuration options to Dockerfile as opposed to keeping in
the wrapper script.
* First step to splitting up openvpn.sh into smaller scripts.
2014-06-04 10:52:59 -07:00
Kyle Manna
2d26b87343
run: Remove run script
...
* Replaced by openvpn.sh
2014-06-04 09:29:45 -07:00
Kyle Manna
161acca6a2
openvpn.sh: Add log tail function
...
* Add ability to tail log file as original repo did.
2014-06-04 09:29:17 -07:00
Kyle Manna
7944bcd9fe
serveconfig: Remove
...
* Use the openvpn.sh wrapper script instead
2014-06-04 09:26:53 -07:00
Kyle Manna
422c2a302d
openvpn.sh: Add getclientconfig
...
* Add mechanism to generate and return a client configuration
* Seamlessly generates certificate if necessary
2014-06-04 09:18:25 -07:00
Kyle Manna
f673ee83ce
openvpn.sh: Save servername used during init
...
* Save the DNS domain name or IP address the server was configured with
* Useful for generating client configurations
2014-06-04 09:08:09 -07:00
Kyle Manna
a1c174f6f5
openvpn.sh: Implement init step and cert gen
...
* Initialize and configure the OpenVPN server
* Generate PKI keys, CA, and certs when needed
2014-06-04 01:39:38 -07:00
Kyle Manna
9e4de074d0
openvpn.sh: Add easyrsa to wrapper
...
* Provide a way to invoke easyrsa from the wrapper
* Add ability to set the EasyRSA vars file which manages the default
settings for the EasyRSA PKI CA.
2014-06-04 00:21:14 -07:00
Kyle Manna
023cfe6596
openvpn.sh: Add wrapper script
...
* Add the beginning of a wrapper script that will handle cert generation
and OpenVPN invocation.
2014-06-03 20:58:13 -07:00
Paimpozhil
83e47bb3be
adding google nameservers into the DHCP push
2014-04-29 16:05:53 -04:00
Yeri Tiete
b3a5a89ab3
forgot .log
...
It's not that important but it's cleaner.
2013-09-11 00:33:55 +02:00
Jérôme Petazzoni
c6b94b5726
Add mention of SSL for configuration download.
2013-09-04 14:22:24 -07:00
Jerome Petazzoni
0f56065a90
Docker can haz VPN nao!
2013-09-02 23:46:19 +00:00