So I was trying to push a route to my client and the script failed with
'too many arguments'. I reworked this part and took the opportunity to
rework the way push and routes were handled a little bit.
I also added some tests and validated that what I changed would not
break what was there before.
Generated arguments will be added only if matching arguments were not
specified by the user. User arguments will be placed after generated
arguments. This allows the user to override any generated configuration
values.
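The merge rule described above, as an added example that is not the project's own code: the function names, the one-directive-per-line input format, and matching by option name are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; hypothetical helpers, not taken from the project's scripts.

# user_has_option OPTION [USER_ARGS...]
# Succeeds if OPTION appears as an exact word among the user's arguments.
user_has_option() {
    want=$1
    shift
    for a in "$@"; do
        [ "$a" = "$want" ] && return 0
    done
    return 1
}

# merge_args GENERATED [USER_ARGS...]
# GENERATED holds one directive per line ("--option value ...").
# Prints the final argument list, one argument per line: generated
# directives first (skipping any whose option the user also supplied),
# then the user's arguments unchanged, so the user's values come last.
merge_args() {
    generated=$1
    shift
    printf '%s\n' "$generated" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        opt=${line%% *}
        if user_has_option "$opt" "$@"; then
            continue
        fi
        # Split the generated directive into words without glob expansion.
        ( set -f; for w in $line; do printf '%s\n' "$w"; done )
    done
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# Constructed sample input: the user overrides --port and adds a route push.
SAMPLE_GENERATED='--proto udp
--port 1194
--keepalive 10 60'
merge_args "$SAMPLE_GENERATED" --port 443 --push "route 10.8.0.0 255.255.255.0"
```

Because matching is by option name in this sketch, a single user-supplied `--push` suppresses every generated `--push`; a stricter match would compare option and value together.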
When creating a multi-server setup I used a partly copied, partly
symlinked directory structure for the different servers after creating a
certificate for each server with `easyrsa build-server-full`. In that
process I also copied the `server` directory.
The rsync command does not delete files which are not excluded, so it
included the correct server key and the original one, which can be a
security risk.
* Systemd service currently marks the mount as read-only, and this is
regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to
avoid mkdir operation.
* Mount can easily be modified using a different docker run line with
":ro" on the volume mount.
* Enable IPv6 forwarding if docker daemon provided a default route
* For now this requires the --privileged flag, but this could be hacked
around using `ip netns` madness.
* The EasyRSA tools create a certificate file with all the metadata
readable. This makes the config file larger than it needs to be, so
prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
* rsync can copy the actual files.
* This change makes it easier to modify the configuration and sync it
to the server. You only have to execute the ovpn_copy_server_files
once.
* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an
existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig
which now depends on the file being present.
* Use a hardlink to tiptoe around permissions issues.