When creating a multi-server setup I used a partly copied, partly
symlinked directory structure for the different servers after creating a
certificate for each server with `easyrsa build-server-full`. In that
process I also copied the `server` directory.
The rsync command does not delete files which are not excluded so it
included the correct server key and the original one which can be a
security risk.
* Systemd service currently marks the mount as read-only, and this is
regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to
avoid mkdir operation.
* Mount can easily be modified using a different docker run line with
":ro" on the volume mount.
* Enable IPv6 forwarding if docker daemon provided a default route
* For now this requires the --privileged flag, but this could be hacked
around using `ip netns` madness.
* The EasyRSA tools create a certificate file with all the metadata
readable. This makes the config file larger then it needs to be, so
prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
* rsync can copy the actual files.
* This change makes it easier to modifier the configuration and sync it
to the server. You only have to execute the ovpn_copy_server_files
once.
* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an
existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig
which now depends on the file being present.
* Use a hardlink to tip toe around permissions issues.
* Do not autogenerate a key if it does not exist. Instead fail.
* Requires users to explicitly generate keys and prevents generating
erroneous keys in the event of a typo.
* Convert to an array to simplify the code.
* This breaks running `ovpn_genconfig` multiple times with the same
route argument as the array will just grow. This needs to be fixed in
the future.
* Recommended way to work around this is to remove ovpn_env.sh.
* Pass public server URL via -u argument instead of $1
* Add ability to specify multiple alternative routes
* Add ability to specify override default server internal subnet
* Add ability to write configs without a default route out, not
implemented in other configs yet
* Instead of storing just a server_url which was necessary to
regenerate the OpenVPN configs, instead store an env file.
* Move all the env parsing to `ovpn_genconfig` so that it can be re-run
from genconfig instead of from `ovpn_init`.
* Remove all the parsing and env defaults except for genconfig.
NOTE: This breaks the older config method, uesrs will need to re-run
genconfig with an arg[1] as the previous server_url, this will create
the necessary env file the rest of the tools expect.
Example recovery for legacy users:
host$ docker run --rm -it kylemanna/openvpn bash -l
container# ovpn_genconfig $(cat /etc/openvpn/server_url)
* Previously the server name cached the common name generated during
init and assumed always 1194/udp.
* The new configuration allows for users to pass in a url in a new form
that allows the protocol to be specified as well as the port.
* Example: udp://vpn.example.com:1194
* Try to be backwards compatible.
* Protect the CA key with a passphrase by default to protect it from a
filsystem compromise. An attacker could still steal the other keys
stored (ie the server's cert key), but not issue new keys.
* This is a good compromise for now.
* Disable auto guessing the external IP in favor of the user explicitly
specifying the server name. Save the servername for client cert
generation later.
* Remove dnsutils from build since dig is no longer necessary. Favor
learn and mean images.
* Add ENV configuration options to Dockerfile as opposed to keeping in
the wrapper script.
* First step to splitting up openvpn.sh in to smaller scripts.
* Provide a way to invoke easyrsa form the wrapper
* Add ability to set the EasyRSA vars file which manages the default
settings for the EasyRSA PKI CA.