Commit Graph

141 Commits

Author SHA1 Message Date
Christian Tawfik
2abbcf1999 added config param to enable COMP-LZO compression 2015-11-29 10:14:07 -08:00
Greg Brockman
ded4414ef4 Respect the -D flag
It looks like edfbffb85f caused the
OVPN_DNS variable to start being ignored, meaning the -D flag was a
no-op.
2015-10-31 19:39:32 -07:00
Johannes 'fish' Ziemke
edfbffb85f Support pushing custom DNS servers 2015-10-16 15:41:22 +02:00
Kyle Manna
1498795de2 ovpn_copy_server_files: Use short flags with rm
* The busybox tool in the alpine distro doesn't support long flags.
2015-09-29 11:42:17 -07:00
Kyle Manna
f00de363c7 ovpn_copy_server_files: Copy files without rsync
* Hack around the missing rsync by using tar to preserve the directory
  structure.
* Fixes #73
2015-09-29 11:28:04 -07:00
Robin Schneider
3df53012b6
ovpn_copy_server_files: Copy openvpn.conf instead of symlinking locally.
Symlinked files can be resolved by rsync when using the configuration on remote
servers but for local testing having the actual file is beneficial.
2015-08-27 21:19:27 +02:00
Kyle Manna
b96a91e876 Merge pull request #63 from ypid/allow_ciper_setting
Allow to change security related options tls-cipher, cipher and auth.
2015-08-26 08:42:30 -07:00
Robin Schneider
050d4a1f82
ovpn_copy_server_files: Ensure that no other keys then the one for the server is present.
When creating a multi-server setup I used a partly copied, partly
symlinked directory structure for the different servers after creating a
certificate for each server with `easyrsa build-server-full`. In that
process I also copied the `server` directory.
The rsync command does not delete files which are not excluded so it
included the correct server key and the original one which can be a
security risk.
2015-08-26 13:00:17 +02:00
Robin Schneider
d6209eebc2
Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 12:56:40 +02:00
Werner Buck
0181bb93d6 Add ability to set OVPN_NATDEVICE to target specific interface when using net=host 2015-08-24 17:19:40 +02:00
Thomas Emmerling
3703d3afc3 Add a parameter to use TAP instead of TUN device. 2015-08-19 00:46:07 +02:00
Kyle Manna
2508abd5ad run: Fail gracefully when IPv6 fails
* Fail gracefully but complain in the log when --privileged isn't used
  for docker run.
* IPv6 is in development for the time being.
* Closes #56
2015-08-09 18:04:05 -07:00
Kyle Manna
1f47f361eb Merge pull request #55 from kylemanna/dev
Merge Development Branch
2015-08-07 11:14:59 -07:00
Justin Li
02c3ee63a1 Remove dh param from client config 2015-08-04 23:07:47 -04:00
Kyle Manna
34d9601e6e ovpn_run: Assume /etc/openvpn is read-only
* Systemd service currently marks the mount as read-only, and this is
  regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to
  avoid mkdir operation.
* Mount can easily be modified using a different docker run line with
  ":ro" on the volume mount.
2015-07-27 20:26:43 -07:00
Kyle Manna
e6f7904344 run: Add IPv6 forwarding if default route
* Enable IPv6 forwarding if docker daemon provided a default route
* For now this requires the --privileged flag, but this could be hacked
  around using `ip netns` madness.
2015-07-05 21:07:06 -07:00
Kyle Manna
6aca273d89 getclient: Use openssl to prune comments
* The EasyRSA tools create a certificate file with all the metadata
  readable.  This makes the config file larger then it needs to be, so
  prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
2015-07-05 21:07:04 -07:00
Robin Schneider
7399ff7bbd
Create ccd directory to prevent error if /etc is mounted read-only.
* mkdir: cannot create directory '/etc/openvpn/ccd': Read-only file system
2015-05-31 22:10:54 +02:00
Kyle Manna
e0f7856e6f Merge pull request #48 from ypid/optimized-copy-server-script
Optimized ovpn_copy_server_files script. No need to copy the config files.
2015-05-30 16:09:50 -07:00
Robin Schneider
e361e757da
Optimized ovpn_copy_server_files script. No need to copy the config files.
* rsync can copy the actual files.
* This change makes it easier to modifier the configuration and sync it
  to the server. You only have to execute the ovpn_copy_server_files
  once.
2015-05-31 00:52:33 +02:00
Robin Schneider
ca78b46723
Added variable OVPN_ADDITIONAL_CLIENT_CONFIG use arbitrary openvpn configuration options. 2015-05-30 23:03:17 +02:00
Robin Schneider
debf45ae46
Changed license of scripts I wrote to MIT. Related to #43. 2015-05-12 21:24:59 +02:00
Kyle Manna
e53492850f crl: Pass crl-verify if found
* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an
  existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig
  which now depends on the file being present.
* Use a hardlink to tip toe around permissions issues.
2015-05-12 02:10:43 -07:00
Kyle Manna
5021bad597 ovpn: Add support for revoking certificates (CRL)
* Add this much needed missing feature.  Easy RSA makes it... easy.
2015-05-11 10:41:25 -07:00
Kyle Manna
c3024ce335 genconfig: Remove duplicate-cn mention
* Remove the commented out duplicate-cn configuration option
* Leads to confusion
* Related #42
2015-05-09 15:19:24 -07:00
Kyle Manna
2f9947c8e4 run: Pass cmd line arguments to openvpn
* Pass command line arguments to openvpn if passed in.  Enables users to
  easily override or add settings.
* Resolves #42
2015-05-09 15:18:53 -07:00
Kyle Manna
bf34f341fc Merge remote-tracking branch 'ypid/getclient' into dev 2015-03-20 16:54:22 -07:00
Robin Schneider
47cc0e3ae6
Fixed based on the review by @kylemanna. Thanks. 2015-03-14 13:22:28 +01:00
Kyle Manna
f208847f54 Merge pull request #34 from ypid/master
Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
2015-03-12 21:03:28 -07:00
Robin Schneider
fd4a5dc38e
EASYRSA_PKI might not be defined. 2015-03-13 00:43:50 +01:00
Robin Schneider
e6e2221d8b
Allow to export separated client config and wrote ovpn_getclient_all. 2015-03-13 00:32:40 +01:00
Robin Schneider
3c64367583
Removed the --dry-run from rsync. Make it actually do something. 2015-03-12 23:49:49 +01:00
Robin Schneider
5e514721ff
Added documentation for ovpn_copy_server_files. 2015-03-12 23:11:33 +01:00
Kyle Manna
88c76c787e genconfig: Turn off exit on error at end
* Need to check return status of diff, but don't want a false return
  code to exit the script.
* Fixes #35
2015-03-09 09:19:38 -07:00
Robin Schneider
3d2d839d0b
Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
* For the truly paranoid users, never keep any keys (i.e. client and
  certificate authority) in the docker container to begin with :).
2015-03-08 22:40:08 +01:00
Kyle Manna
8d8f19d951 genconfig: Describe backup conf deletion
* Handle back-up configuration deletion better by informing the user
  why the back-up vanished and why.
* Closes #33
2015-03-07 16:35:08 -08:00
omriiluz
43ae3eb61d properly clone arrays 2015-02-28 03:22:08 -08:00
omriiluz
6b23cf8d88 do not accumulate routes and push directives from default if new directives were defined 2015-02-28 03:01:00 -08:00
omriiluz
e9d1022eb4 Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1 2015-02-28 02:45:31 -08:00
Nui Narongwet
e959dca048 Return correct exit status 2015-02-21 02:46:50 +07:00
omriiluz
1cb38ce146 Support client mtu push 2015-01-17 01:07:52 -08:00
Omri Iluz
3eeee022fd Create NAT if OVPN_NAT is set (flag -N) 2015-01-17 01:00:18 -08:00
Omri Iluz
1e2418ae37 Control external NAT creation 2015-01-17 00:56:46 -08:00
Omri Iluz
97f231b4e7 Control default DNS push with -D flag 2015-01-17 00:56:21 -08:00
Omri Iluz
bf50da4ee2 Remove hard coded DNS push.
TODO: control with cmdline option
2015-01-16 03:36:47 -08:00
Jimmy Wong
31a8584685 Run daemon as nobody 2015-01-01 22:57:28 -08:00
Zack Adams
73c206d14a Fixed SIGTERM handling 2014-12-10 10:36:00 -05:00
Timo Zingel
f2148d99ae no connection block in client config 2014-12-08 21:07:46 +01:00
Christopher Brickley
be22048a2b avoid dup iptables rules 2014-10-23 09:16:51 -04:00
Samuel Leathers
f1616f7196 fixing regexp to allow dashes in OVPN_SERVER_URL 2014-08-16 22:32:16 -04:00
Kyle Manna
d36bb7ecba getclient: Do not autogenerate key
* Do not autogenerate a key if it does not exist.  Instead fail.
* Requires users to explicitly generate keys and prevents generating
  erroneous keys in the event of a typo.
2014-07-10 09:55:06 -07:00
Kyle Manna
b9cc5b347a genconfig: Convert OVPN_ROUTES to array
* Convert to an array to simplify the code.
* This breaks running `ovpn_genconfig` multiple times with the same
  route argument as the array will just grow.  This needs to be fixed in
  the future.
* Recommended way to work around this is to remove ovpn_env.sh.
2014-07-09 11:06:02 -07:00
Kyle Manna
20be0f90a5 genconfig: Add push support
* Add ability to specify push commands with `-p` argument.
2014-07-09 10:55:02 -07:00
Kyle Manna
0c873ab4cf genconfig: Print success
* Print success message to console. Provides positive feedback.
2014-07-09 10:53:41 -07:00
Kyle Manna
f263eb9a61 genconfig: Add client-to-client support 2014-07-09 10:53:25 -07:00
Kyle Manna
e933fbe923 genconfig: Handle "-r 0" to disable extra routes
* Disable extra routes for minimal VPNs.
2014-07-06 10:52:39 -07:00
Kyle Manna
f1e85c959e genconfig: Fix typo, use Docker for port mapping
* Use docker run ... -p 1337:1194/udp kylemanna/openvpn
2014-07-06 10:51:44 -07:00
Kyle Manna
d412ce9f7e getclient: Fix sourced env variables
* Update to use the sourced environemental variables.
* Add switch for not using default gateway.
2014-07-06 00:25:14 -07:00
Kyle Manna
f221b0f0d0 genconfig: Handle route default env
* Handle re-inheriting previous routes if not overriden
* Handle leading whitespace
2014-07-05 22:27:30 -07:00
Kyle Manna
3b13cf9918 run: Handle NAT routes dynamically
* Handle the NAT routes dynamically
* Stop caring about backwards compatibility for now
2014-07-05 22:27:15 -07:00
Kyle Manna
6ca11162a5 init: Rename to initpki
* This function only initialize the EasyRSA PKI tools now.
* Decoupled from the init process.
2014-07-05 22:27:15 -07:00
Kyle Manna
6fe867c52b genconfig: Add getopts parsing
* Pass public server URL via -u argument instead of $1
* Add ability to specify multiple alternative routes
* Add ability to specify override default server internal subnet
* Add ability to write configs without a default route out, not
  implemented in other configs yet
2014-07-05 22:27:04 -07:00
Kyle Manna
852d404c12 env: Re-work environment code
* Instead of storing just a server_url which was necessary to
  regenerate the OpenVPN configs, instead store an env file.
* Move all the env parsing to `ovpn_genconfig` so that it can be re-run
  from genconfig instead of from `ovpn_init`.
* Remove all the parsing and env defaults except for genconfig.

NOTE: This breaks the older config method, uesrs will need to re-run
genconfig with an arg[1] as the previous server_url, this will create
the necessary env file the rest of the tools expect.

Example recovery for legacy users:

    host$ docker run --rm -it kylemanna/openvpn bash -l
    container# ovpn_genconfig $(cat /etc/openvpn/server_url)
2014-07-05 22:07:24 -07:00
Kyle Manna
60671e6819 genconfig: Delete backup if configs are identical
* Avoid accumulating noise.
2014-07-01 08:30:28 -07:00
Kyle Manna
836b473d20 ovpn: Remove reference to udp/1194
* Remove references to udp/1194.
* Works better with non-standard ports and tcp.
2014-06-30 23:27:00 -07:00
Kyle Manna
34eca5b96f ovpn: Convert from servername -> server_url
* Previously the server name cached the common name generated during
  init and assumed always 1194/udp.
* The new configuration allows for users to pass in a url in a new form
  that allows the protocol to be specified as well as the port.
* Example: udp://vpn.example.com:1194
* Try to be backwards compatible.
2014-06-30 23:27:00 -07:00
Kyle Manna
26a14d2f4b clients: Add support for static subnet
* Allow static clients to be placed on 192.168.254.0/24 subnet.
2014-06-30 00:13:55 -07:00
Kyle Manna
5e3c9719c8 run: Always ensure client dir exists
* OpenVPN will fail to start if this directory doesn't exist.
2014-06-29 23:26:23 -07:00
Kyle Manna
7b9d82630d genconfig: Backup old config file
* Backup previous config file before overwriting.
2014-06-29 23:26:23 -07:00
Kyle Manna
1aaf6a4359 genconfig: Use servername if $1 not specified
* Set the common name to servername set during last ovpn_init if $1 is
  not passed in.
* Simplies re-running ovpn_genconfig when features are added.
2014-06-29 23:26:23 -07:00
Kyle Manna
20dc3d6ea0 genconfig: Expand the subnet
* Use a larger subnet (2x the size) to allow for more hard-coded
  configurations.
2014-06-29 23:26:23 -07:00
Kyle Manna
353019b0e9 genconfig: Add client-config-dir
* Add client config directory for client specific configuration options
  such as IP addresses.
2014-06-29 23:26:23 -07:00
Kyle Manna
126f3a4557 ovpn_init: Protect the CA key by default
* Protect the CA key with a passphrase by default to protect it from a
  filsystem compromise.  An attacker could still steal the other keys
  stored (ie the server's cert key), but not issue new keys.
* This is a good compromise for now.
2014-06-04 17:07:07 -07:00
Kyle Manna
e1902bc2cd ovpn_genconfig: Add generate config script
* Create a generate config script so that the new docker containers can
  regenerate the OpenVPN configuration without clobbering the PKI setup.
2014-06-04 16:50:53 -07:00
Kyle Manna
4728990da3 ovpn_getclient: Verify server certificate
* Verify the server's certificate to avoid MITM attacks
2014-06-04 15:38:49 -07:00
Kyle Manna
bc4165e587 tls-auth: Enable tls-auth for security
* Enabling tls-auth improves security and helps protect against DDoS.
2014-06-04 15:35:18 -07:00
Kyle Manna
939cf7ab67 ovpen_init: Remove external IP resolution
* Disable auto guessing the external IP in favor of the user explicitly
  specifying the server name.  Save the servername for client cert
  generation later.
* Remove dnsutils from build since dig is no longer necessary.  Favor
  learn and mean images.
2014-06-04 11:15:43 -07:00
Kyle Manna
1869cd85d0 openvpn.sh: Split in to smaller scripts
* Split soon to be massive wrapper into smaller managable scripts.
* Re-organized Dockerfile to exploit cache when rebuilding
2014-06-04 11:13:59 -07:00
Kyle Manna
035ff64200 Dockerfile: Add ENV configuration
* Add ENV configuration options to Dockerfile as opposed to keeping in
  the wrapper script.
* First step to splitting up openvpn.sh in to smaller scripts.
2014-06-04 10:52:59 -07:00
Kyle Manna
2d26b87343 run: Remove run script
* Replaced by openvpn.sh
2014-06-04 09:29:45 -07:00
Kyle Manna
161acca6a2 openvpn.sh: Add log tail function
* Add ability to tail log file as original repo did.
2014-06-04 09:29:17 -07:00
Kyle Manna
7944bcd9fe serveconfig: Remove
* Use the openvpn.sh wrapper script instead
2014-06-04 09:26:53 -07:00
Kyle Manna
422c2a302d openvpn.sh: Add getclientconfig
* Add mechanism to generate and return a client configuration
* Seemlessly Generates certificate if necessary
2014-06-04 09:18:25 -07:00
Kyle Manna
f673ee83ce openvpn.sh: Save servername used during init
* Save the DNS domain name or IP address the server was configured with
* Useful for generating client configurations
2014-06-04 09:08:09 -07:00
Kyle Manna
a1c174f6f5 openvpn.sh: Implement init step and cert gen
* Initialize and configure the OpenVPN server
* Generate PKI keys, CA, and certs when needed
2014-06-04 01:39:38 -07:00
Kyle Manna
9e4de074d0 openvpn.sh: Add easyrsa to wrapper
* Provide a way to invoke easyrsa form the wrapper
* Add ability to set the EasyRSA vars file which manages the default
  settings for the EasyRSA PKI CA.
2014-06-04 00:21:14 -07:00
Kyle Manna
023cfe6596 openvpn.sh: Add wrapper script
* Add the beginning of a wrapper script that will handle cert generation
  and OpenVPN invocation.
2014-06-03 20:58:13 -07:00
Paimpozhil
83e47bb3be adding google nameservers into the DHCP push 2014-04-29 16:05:53 -04:00
Yeri Tiete
b3a5a89ab3 forgot .log
It's not that important but it's cleaner.
2013-09-11 00:33:55 +02:00
Jérôme Petazzoni
c6b94b5726 Add mention of SSL for configuration download. 2013-09-04 14:22:24 -07:00
Jerome Petazzoni
0f56065a90 Docker can haz VPN nao! 2013-09-02 23:46:19 +00:00