Kyle Manna
093fc9fafc
bin: copy_server_files: Backup crl.pem
...
* Back-up the crl.pem file if present.
* Closes #198
2017-01-05 15:58:10 -08:00
Kyle Manna
51270aae82
Merge pull request #162 from slamont/master
...
Too many arguments while pushing route
2016-09-24 18:02:28 -07:00
Sylvain Lamontagne
72a3c8a001
Fix for regression
...
As I reworked the push options, a bug got introduced where a duplication
of push in the config for the DNS dhcp-options would make it to fail.
There was no tests covering this, so I did not catch it earlier.
I've add the missing tests and fix the bug
2016-09-22 18:12:45 -04:00
Sylvain Lamontagne
2e943378d1
Too many arguments while pushing route
...
So I was trying to push a route to my client and the script failed with
'too many arguments', I reworked this part and took the opportunity to
rework a little bit the way push and routes were handled.
I also added some tests and validated that what I changed would not
break what was there before.
2016-09-22 16:02:59 -04:00
Kyle Manna
bdeaff217c
Merge pull request #161 from slamont/master
...
Add doc for extra config use and fixed unlikely unbound variable
2016-09-20 10:10:14 -07:00
Sylvain Lamontagne
e8eb1dda0c
Added extra config doc in faqs and fixed an unlikely unbound variable
2016-09-20 12:53:29 -04:00
Kyle Manna
97f8677a03
Merge pull request #160 from slamont/master
...
Add multiple extra config option
2016-09-20 09:36:01 -07:00
Sylvain Lamontagne
39996ed568
Fix Unbound Variables
2016-09-16 18:50:48 -04:00
Sylvain Lamontagne
1807bc6dc4
Add multiple extra config option
...
Add bash traceback in case an error occured
2016-09-16 18:42:45 -04:00
Kyle Manna
a17dfd7808
copy_server_files: Include ccd directory
...
* Include the client configuration directory
* Related to #133
2016-09-16 07:38:19 -07:00
Kyle Manna
9e7b363758
genconfig: Clean-up usage() display
...
* Semi-sorted order.
* Move arguments with flags up.
2016-09-03 15:45:55 -07:00
Kyle Manna
dcc33e2483
Merge pull request #143 from sandhu/master
...
Fix for Windows 10 DNS Leak
2016-07-05 11:44:18 -07:00
Kyle Manna
0a5a792519
Merge pull request #138 from Caerbannog/patch-1
...
Add "key-direction 1" to client .ovpn
2016-07-05 11:44:05 -07:00
Achint Sandhu
bcedc8d6d6
Fix for Windows 10 DNS Leak
...
The patch includes an update to the OpenVPN server config to
address a DNS leak when using Windows 10, as documented at:
https://community.openvpn.net/openvpn/ticket/605
2016-07-05 13:29:45 -04:00
Emmanuel Frecon
3e747b353e
Sending key to proper location!
2016-06-23 12:20:13 +02:00
Martin d'Allens
dac38246bd
Add "key-direction 1" to client .ovpn
...
Adding this setting avoids connection errors on some clients, when the .ovpn file is imported directly in Gnome NetworkManager.
Server logs:
Authenticate/Decrypt packet error: packet HMAC authentication failed
TLS Error: incoming packet authentication failed from ...
Client logs:
nm-openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
nm-openvpn: TLS Error: TLS handshake failed
NetworkManager version: 1.2.0
openvpn version: OpenVPN 2.3.10
2016-06-13 12:09:54 +02:00
Emmanuel Frecon
c12fdcd83f
Automatically creating CCD directory
2016-06-08 09:14:08 +02:00
Dave Burke
d77ba5e1e8
Combine user args with generated args
...
Generated arguments will be added only if matching arguments were not
specified by the user. User arguments will be placed after generated
arguments. This allows the user to override any generated configuration
values.
2016-05-31 21:11:03 -05:00
Dave Burke
097376db75
Set working dir in ovpn_run instead of Dockerfile
2016-05-28 22:34:41 -05:00
Nate Jones
191cb45106
allow specifying extra config
2016-05-16 09:56:27 -07:00
Nate Jones
d3fcec15f1
adding ovpn_listclients script
2016-05-11 16:02:27 -07:00
Rudi Starcevic
74bfad0aac
Add openvpn.conf gerneration -f fragment directive option
2016-04-06 15:06:02 +08:00
Fabio Napoleoni
d481313311
Back to Alpine Linux using packaged version of google-authenticator
2016-02-11 18:10:51 +01:00
Fabio Napoleoni
e8d93ea4fa
Use $USER@$OVPN_CN for OTP label.
2016-02-07 13:22:20 +01:00
Fabio Napoleoni
607063b358
Do not cache user credentials
2016-02-07 02:53:43 +01:00
Fabio Napoleoni
bb3d1add3c
Export user pass option in client when OTP is enabled
2016-02-06 21:40:11 +01:00
Fabio Napoleoni
c24a22deea
Allow interactive usage
2016-02-06 21:38:26 +01:00
Fabio Napoleoni
6084261943
Improved script for user OTP generation, tested with pamtester
2016-02-06 21:31:08 +01:00
Fabio Napoleoni
dd719c1f11
Save OTP variable in server env
2016-02-06 20:25:03 +01:00
Fabio Napoleoni
6fcebf9adb
Server side configuration for OTP
2016-02-06 20:23:59 +01:00
Kyle Manna
e7d0d4ea0e
ovpn_run: Fix sysctl IPv6 forwarding write
...
* I'm not sure if this ever worked without the `-w` flag. Perhaps in an
old version of sysctl?
2015-12-29 13:33:55 -08:00
unknown
2fa3abe064
fixed getopts argument typo. removed ":" before "z"
2015-11-29 10:15:15 -08:00
Christian Tawfik
2650d4a286
COMP-lzo param is set in client config, if defined in server.
2015-11-29 10:15:15 -08:00
Christian Tawfik
2abbcf1999
added config param to enable COMP-LZO compression
2015-11-29 10:14:07 -08:00
Greg Brockman
ded4414ef4
Respect the -D flag
...
It looks like edfbffb85f
caused the
OVPN_DNS variable to start being ignored, meaning the -D flag was a
no-op.
2015-10-31 19:39:32 -07:00
Johannes 'fish' Ziemke
edfbffb85f
Support pushing custom DNS servers
2015-10-16 15:41:22 +02:00
Kyle Manna
1498795de2
ovpn_copy_server_files: Use short flags with rm
...
* The busybox tool in the alpine distro doesn't support long flags.
2015-09-29 11:42:17 -07:00
Kyle Manna
f00de363c7
ovpn_copy_server_files: Copy files without rsync
...
* Hack around the missing rsync by using tar to preserve the directory
structure.
* Fixes #73
2015-09-29 11:28:04 -07:00
Robin Schneider
3df53012b6
ovpn_copy_server_files: Copy openvpn.conf instead of symlinking locally.
...
Symlinked files can be resolved by rsync when using the configuration on remote
servers but for local testing having the actual file is beneficial.
2015-08-27 21:19:27 +02:00
Kyle Manna
b96a91e876
Merge pull request #63 from ypid/allow_ciper_setting
...
Allow to change security related options tls-cipher, cipher and auth.
2015-08-26 08:42:30 -07:00
Robin Schneider
050d4a1f82
ovpn_copy_server_files: Ensure that no other keys then the one for the server is present.
...
When creating a multi-server setup I used a partly copied, partly
symlinked directory structure for the different servers after creating a
certificate for each server with `easyrsa build-server-full`. In that
process I also copied the `server` directory.
The rsync command does not delete files which are not excluded so it
included the correct server key and the original one which can be a
security risk.
2015-08-26 13:00:17 +02:00
Robin Schneider
d6209eebc2
Allow to change security related options tls-cipher, cipher and auth.
2015-08-26 12:56:40 +02:00
Werner Buck
0181bb93d6
Add ability to set OVPN_NATDEVICE to target specific interface when using net=host
2015-08-24 17:19:40 +02:00
Thomas Emmerling
3703d3afc3
Add a parameter to use TAP instead of TUN device.
2015-08-19 00:46:07 +02:00
Kyle Manna
2508abd5ad
run: Fail gracefully when IPv6 fails
...
* Fail gracefully but complain in the log when --privileged isn't used
for docker run.
* IPv6 is in development for the time being.
* Closes #56
2015-08-09 18:04:05 -07:00
Kyle Manna
1f47f361eb
Merge pull request #55 from kylemanna/dev
...
Merge Development Branch
2015-08-07 11:14:59 -07:00
Justin Li
02c3ee63a1
Remove dh param from client config
2015-08-04 23:07:47 -04:00
Kyle Manna
34d9601e6e
ovpn_run: Assume /etc/openvpn is read-only
...
* Systemd service currently marks the mount as read-only, and this is
regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to
avoid mkdir operation.
* Mount can easily be modified using a different docker run line with
":ro" on the volume mount.
2015-07-27 20:26:43 -07:00
Kyle Manna
e6f7904344
run: Add IPv6 forwarding if default route
...
* Enable IPv6 forwarding if docker daemon provided a default route
* For now this requires the --privileged flag, but this could be hacked
around using `ip netns` madness.
2015-07-05 21:07:06 -07:00
Kyle Manna
6aca273d89
getclient: Use openssl to prune comments
...
* The EasyRSA tools create a certificate file with all the metadata
readable. This makes the config file larger then it needs to be, so
prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
2015-07-05 21:07:04 -07:00
Robin Schneider
7399ff7bbd
Create ccd directory to prevent error if /etc is mounted read-only.
...
* mkdir: cannot create directory '/etc/openvpn/ccd': Read-only file system
2015-05-31 22:10:54 +02:00
Kyle Manna
e0f7856e6f
Merge pull request #48 from ypid/optimized-copy-server-script
...
Optimized ovpn_copy_server_files script. No need to copy the config files.
2015-05-30 16:09:50 -07:00
Robin Schneider
e361e757da
Optimized ovpn_copy_server_files script. No need to copy the config files.
...
* rsync can copy the actual files.
* This change makes it easier to modifier the configuration and sync it
to the server. You only have to execute the ovpn_copy_server_files
once.
2015-05-31 00:52:33 +02:00
Robin Schneider
ca78b46723
Added variable OVPN_ADDITIONAL_CLIENT_CONFIG use arbitrary openvpn configuration options.
2015-05-30 23:03:17 +02:00
Robin Schneider
debf45ae46
Changed license of scripts I wrote to MIT. Related to #43 .
2015-05-12 21:24:59 +02:00
Kyle Manna
e53492850f
crl: Pass crl-verify if found
...
* Empty CRLs don't work.
* Avoids confusing easyrsa during the init step where it thinks an
existing PKI configuration exists.
* Add to ovpn_run to help users that are upgrading and ran genconfig
which now depends on the file being present.
* Use a hardlink to tip toe around permissions issues.
2015-05-12 02:10:43 -07:00
Kyle Manna
5021bad597
ovpn: Add support for revoking certificates (CRL)
...
* Add this much needed missing feature. Easy RSA makes it... easy.
2015-05-11 10:41:25 -07:00
Kyle Manna
c3024ce335
genconfig: Remove duplicate-cn mention
...
* Remove the commented out duplicate-cn configuration option
* Leads to confusion
* Related #42
2015-05-09 15:19:24 -07:00
Kyle Manna
2f9947c8e4
run: Pass cmd line arguments to openvpn
...
* Pass command line arguments to openvpn if passed in. Enables users to
easily override or add settings.
* Resolves #42
2015-05-09 15:18:53 -07:00
Kyle Manna
bf34f341fc
Merge remote-tracking branch 'ypid/getclient' into dev
2015-03-20 16:54:22 -07:00
Robin Schneider
47cc0e3ae6
Fixed based on the review by @kylemanna. Thanks.
2015-03-14 13:22:28 +01:00
Kyle Manna
f208847f54
Merge pull request #34 from ypid/master
...
Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
2015-03-12 21:03:28 -07:00
Robin Schneider
fd4a5dc38e
EASYRSA_PKI might not be defined.
2015-03-13 00:43:50 +01:00
Robin Schneider
e6e2221d8b
Allow to export separated client config and wrote ovpn_getclient_all.
2015-03-13 00:32:40 +01:00
Robin Schneider
3c64367583
Removed the --dry-run from rsync. Make it actually do something.
2015-03-12 23:49:49 +01:00
Robin Schneider
5e514721ff
Added documentation for ovpn_copy_server_files.
2015-03-12 23:11:33 +01:00
Kyle Manna
88c76c787e
genconfig: Turn off exit on error at end
...
* Need to check return status of diff, but don't want a false return
code to exit the script.
* Fixes #35
2015-03-09 09:19:38 -07:00
Robin Schneider
3d2d839d0b
Wrote script to copy only the needed files to the docker host which runs the docker openvpn server.
...
* For the truly paranoid users, never keep any keys (i.e. client and
certificate authority) in the docker container to begin with :).
2015-03-08 22:40:08 +01:00
Kyle Manna
8d8f19d951
genconfig: Describe backup conf deletion
...
* Handle back-up configuration deletion better by informing the user
why the back-up vanished and why.
* Closes #33
2015-03-07 16:35:08 -08:00
omriiluz
43ae3eb61d
properly clone arrays
2015-02-28 03:22:08 -08:00
omriiluz
6b23cf8d88
do not accumulate routes and push directives from default if new directives were defined
2015-02-28 03:01:00 -08:00
omriiluz
e9d1022eb4
Disable bash debug (xtrace) by default, re-enable with -e DEBUG=1
2015-02-28 02:45:31 -08:00
Nui Narongwet
e959dca048
Return correct exit status
2015-02-21 02:46:50 +07:00
omriiluz
1cb38ce146
Support client mtu push
2015-01-17 01:07:52 -08:00
Omri Iluz
3eeee022fd
Create NAT if OVPN_NAT is set (flag -N)
2015-01-17 01:00:18 -08:00
Omri Iluz
1e2418ae37
Control external NAT creation
2015-01-17 00:56:46 -08:00
Omri Iluz
97f231b4e7
Control default DNS push with -D flag
2015-01-17 00:56:21 -08:00
Omri Iluz
bf50da4ee2
Remove hard coded DNS push.
...
TODO: control with cmdline option
2015-01-16 03:36:47 -08:00
Jimmy Wong
31a8584685
Run daemon as nobody
2015-01-01 22:57:28 -08:00
Zack Adams
73c206d14a
Fixed SIGTERM handling
2014-12-10 10:36:00 -05:00
Timo Zingel
f2148d99ae
no connection block in client config
2014-12-08 21:07:46 +01:00
Christopher Brickley
be22048a2b
avoid dup iptables rules
2014-10-23 09:16:51 -04:00
Samuel Leathers
f1616f7196
fixing regexp to allow dashes in OVPN_SERVER_URL
2014-08-16 22:32:16 -04:00
Kyle Manna
d36bb7ecba
getclient: Do not autogenerate key
...
* Do not autogenerate a key if it does not exist. Instead fail.
* Requires users to explicitly generate keys and prevents generating
erroneous keys in the event of a typo.
2014-07-10 09:55:06 -07:00
Kyle Manna
b9cc5b347a
genconfig: Convert OVPN_ROUTES to array
...
* Convert to an array to simplify the code.
* This breaks running `ovpn_genconfig` multiple times with the same
route argument as the array will just grow. This needs to be fixed in
the future.
* Recommended way to work around this is to remove ovpn_env.sh.
2014-07-09 11:06:02 -07:00
Kyle Manna
20be0f90a5
genconfig: Add push support
...
* Add ability to specify push commands with `-p` argument.
2014-07-09 10:55:02 -07:00
Kyle Manna
0c873ab4cf
genconfig: Print success
...
* Print success message to console. Provides positive feedback.
2014-07-09 10:53:41 -07:00
Kyle Manna
f263eb9a61
genconfig: Add client-to-client support
2014-07-09 10:53:25 -07:00
Kyle Manna
e933fbe923
genconfig: Handle "-r 0" to disable extra routes
...
* Disable extra routes for minimal VPNs.
2014-07-06 10:52:39 -07:00
Kyle Manna
f1e85c959e
genconfig: Fix typo, use Docker for port mapping
...
* Use docker run ... -p 1337:1194/udp kylemanna/openvpn
2014-07-06 10:51:44 -07:00
Kyle Manna
d412ce9f7e
getclient: Fix sourced env variables
...
* Update to use the sourced environemental variables.
* Add switch for not using default gateway.
2014-07-06 00:25:14 -07:00
Kyle Manna
f221b0f0d0
genconfig: Handle route default env
...
* Handle re-inheriting previous routes if not overriden
* Handle leading whitespace
2014-07-05 22:27:30 -07:00
Kyle Manna
3b13cf9918
run: Handle NAT routes dynamically
...
* Handle the NAT routes dynamically
* Stop caring about backwards compatibility for now
2014-07-05 22:27:15 -07:00
Kyle Manna
6ca11162a5
init: Rename to initpki
...
* This function only initialize the EasyRSA PKI tools now.
* Decoupled from the init process.
2014-07-05 22:27:15 -07:00
Kyle Manna
6fe867c52b
genconfig: Add getopts parsing
...
* Pass public server URL via -u argument instead of $1
* Add ability to specify multiple alternative routes
* Add ability to specify override default server internal subnet
* Add ability to write configs without a default route out, not
implemented in other configs yet
2014-07-05 22:27:04 -07:00
Kyle Manna
852d404c12
env: Re-work environment code
...
* Instead of storing just a server_url which was necessary to
regenerate the OpenVPN configs, instead store an env file.
* Move all the env parsing to `ovpn_genconfig` so that it can be re-run
from genconfig instead of from `ovpn_init`.
* Remove all the parsing and env defaults except for genconfig.
NOTE: This breaks the older config method, uesrs will need to re-run
genconfig with an arg[1] as the previous server_url, this will create
the necessary env file the rest of the tools expect.
Example recovery for legacy users:
host$ docker run --rm -it kylemanna/openvpn bash -l
container# ovpn_genconfig $(cat /etc/openvpn/server_url)
2014-07-05 22:07:24 -07:00
Kyle Manna
60671e6819
genconfig: Delete backup if configs are identical
...
* Avoid accumulating noise.
2014-07-01 08:30:28 -07:00
Kyle Manna
836b473d20
ovpn: Remove reference to udp/1194
...
* Remove references to udp/1194.
* Works better with non-standard ports and tcp.
2014-06-30 23:27:00 -07:00
Kyle Manna
34eca5b96f
ovpn: Convert from servername -> server_url
...
* Previously the server name cached the common name generated during
init and assumed always 1194/udp.
* The new configuration allows for users to pass in a url in a new form
that allows the protocol to be specified as well as the port.
* Example: udp://vpn.example.com:1194
* Try to be backwards compatible.
2014-06-30 23:27:00 -07:00
Kyle Manna
26a14d2f4b
clients: Add support for static subnet
...
* Allow static clients to be placed on 192.168.254.0/24 subnet.
2014-06-30 00:13:55 -07:00