Commit Graph

184 Commits

Author SHA1 Message Date
Robin Schneider
ee9f4531ad
Only setup networking for containers which need it.
This should mitigate a hypothetical compromise of the scripts used to
manage the CA and other sensitive material.

The examples should still work and make sense although I have not tried
all of them with this change applied.

Note that I did not append the --net=none to all examples because in
some cases network is probably wanted.

* Changing this for all docs was not accepted by @kylemanna.
  https://github.com/kylemanna/docker-openvpn/pull/65#issuecomment-138559257
2015-09-08 15:34:58 +02:00
Kyle Manna
41f7fd22ad Merge pull request #66 from ypid/copy_server_not_symlink
ovpn_copy_server_files: Copy openvpn.conf instead of symlinking locally.
2015-09-07 20:03:09 -07:00
Kyle Manna
d08df0189b Dockerfile: Chmod everything in /usr/local/bin
* Keep it simple.
* Nothing should ever be put in bin that isn't excutable.
2015-09-07 19:21:55 -07:00
Kyle Manna
d96378a391 Dockerfile: Streamline tarball extraction
* No point in writing it to the disk and then deleting it
* Extract it in place
2015-09-07 19:21:07 -07:00
Julian Vassev
32029c98c8 Update to easyrsa 3.0
virtual size 60mb smaller, git replaced by curl
2015-09-08 01:11:32 +03:00
Robin Schneider
3df53012b6
ovpn_copy_server_files: Copy openvpn.conf instead of symlinking locally.
Symlinked files can be resolved by rsync when using the configuration on remote
servers but for local testing having the actual file is beneficial.
2015-08-27 21:19:27 +02:00
Kyle Manna
74c4ca94a7 Merge pull request #62 from ypid/docs-rework
Updated documentation.
2015-08-26 08:42:58 -07:00
Kyle Manna
b96a91e876 Merge pull request #63 from ypid/allow_ciper_setting
Allow to change security related options tls-cipher, cipher and auth.
2015-08-26 08:42:30 -07:00
Kyle Manna
407506392f Merge pull request #64 from ypid/copy_server_files-ensure-rm
ovpn_copy_server_files: Ensure that no other keys then the one for the server is present.
2015-08-26 08:41:24 -07:00
Robin Schneider
bf9f58f8e1
Reverted Github flavored markdown Shell syntax highlighting.
Sorry again for the inconvenience.
2015-08-26 13:12:18 +02:00
Robin Schneider
050d4a1f82
ovpn_copy_server_files: Ensure that no other keys then the one for the server is present.
When creating a multi-server setup I used a partly copied, partly
symlinked directory structure for the different servers after creating a
certificate for each server with `easyrsa build-server-full`. In that
process I also copied the `server` directory.
The rsync command does not delete files which are not excluded so it
included the correct server key and the original one which can be a
security risk.
2015-08-26 13:00:17 +02:00
Robin Schneider
d6209eebc2
Allow to change security related options tls-cipher, cipher and auth. 2015-08-26 12:56:40 +02:00
Robin Schneider
2d16231c3c
Updated documentation.
* Related to https://github.com/kylemanna/docker-openvpn/pull/54
* Allow better syntax highlighting.
* Added/Fixed hyperlinks.
* Spelling.
2015-08-25 12:40:02 +02:00
Kyle Manna
15ac3c89b0 Merge pull request #60 from wernerb/master
Set custom OVPN_NATDEVICE when using --net=host to custom interface.
2015-08-24 09:04:51 -07:00
Werner Buck
0181bb93d6 Add ability to set OVPN_NATDEVICE to target specific interface when using net=host 2015-08-24 17:19:40 +02:00
Kyle Manna
e557222753 Merge pull request #59 from thomastweets/master
Add a parameter to use TAP instead of TUN device.
2015-08-18 16:38:18 -07:00
Thomas Emmerling
3703d3afc3 Add a parameter to use TAP instead of TUN device. 2015-08-19 00:46:07 +02:00
Kyle Manna
d3d11b660a docs: Update docker key resource
* Update link to docker.com as the previous URL would redirect
* Add `-L` flag to follow future location headers
2015-08-15 19:21:09 -07:00
Kyle Manna
4868a35bd3 docs: Second pass on IPv6
Still needs more work, but updated to reflect the templated systemd file.
2015-08-12 14:08:59 -07:00
Kyle Manna
bce012b92a Merge pull request #57 from ypid/fixed-ipv6-docs
Quick read of ipv6 docs and small fixes.
2015-08-12 13:58:57 -07:00
Robin Schneider
7007c49d34
Reverted docker service restart command to use systemctl directly. 2015-08-12 22:04:01 +02:00
Robin Schneider
c679404695
Quick read of ipv6 docs and small fixes.
* Why on earth does one directly edit the systemd/system/docker.service
  file just to add a start argument?
* Fixed typos.
* I have not fully tested it yet, but I will when I have time.
2015-08-11 23:18:41 +02:00
Kyle Manna
2508abd5ad run: Fail gracefully when IPv6 fails
* Fail gracefully but complain in the log when --privileged isn't used
  for docker run.
* IPv6 is in development for the time being.
* Closes #56
2015-08-09 18:04:05 -07:00
Kyle Manna
149cd3a3a3 systemd: Set upstream image to latest
* No longer is the image tagged dev following the merge.
2015-08-07 12:12:37 -07:00
Kyle Manna
1f47f361eb Merge pull request #55 from kylemanna/dev
Merge Development Branch
2015-08-07 11:14:59 -07:00
Kyle Manna
d89cbe5ba3 Merge pull request #54 from pushrax/remove-dh-client-config
Remove dh param from client config
2015-08-05 06:38:23 -07:00
Justin Li
02c3ee63a1 Remove dh param from client config 2015-08-04 23:07:47 -04:00
Kyle Manna
34d9601e6e ovpn_run: Assume /etc/openvpn is read-only
* Systemd service currently marks the mount as read-only, and this is
  regarded as good practice for server/daemon only operation.
* Don't create /etc/openvpn/ccd as the mount may be read-only.
* Append the client-config-dir command line argument if it is found to
  avoid mkdir operation.
* Mount can easily be modified using a different docker run line with
  ":ro" on the volume mount.
2015-07-27 20:26:43 -07:00
Kyle Manna
5a1e642177 init: systemd: Use systemd style config overrides
* RIP hacky /etc/default/foo style environement sourcing hack
2015-07-11 08:50:24 -07:00
Kyle Manna
313d1e756c init: Update init file to be a template
* Useful for systems with several OpenVPN docker containers running.
2015-07-11 08:31:58 -07:00
Kyle Manna
7a3cc674f0 docs: backup: Correct mindless typos
* Correct minor grammatical typos
2015-07-10 11:27:35 -07:00
Kyle Manna
08d8116e31 docs: faq: How do I edit openvpn.conf?
* It gets asked too many times.
2015-07-06 08:55:42 -07:00
Kyle Manna
017580fdaa docs: ipv6: Add section enabling Docker IPv6
* Oops, doesn't work without this.
2015-07-05 22:11:19 -07:00
Kyle Manna
0edc11b585 docs: docker: Install apt dependencies
* Otherwise it's annoying without it.
2015-07-05 21:52:19 -07:00
Kyle Manna
155c4d4b90 docs: docker: Crash course on installation
* Nothing less nothing more.
2015-07-05 21:48:10 -07:00
Kyle Manna
56a8e735b6 docs: ipv6: Add initial development guide
* Work in progress.
2015-07-05 21:28:44 -07:00
Kyle Manna
9c8d195880 init: Add docker-openvpn systemd service file
* Works with IPv6 thanks to ExecStartPost.
2015-07-05 21:08:47 -07:00
Kyle Manna
e6f7904344 run: Add IPv6 forwarding if default route
* Enable IPv6 forwarding if docker daemon provided a default route
* For now this requires the --privileged flag, but this could be hacked
  around using `ip netns` madness.
2015-07-05 21:07:06 -07:00
Kyle Manna
6aca273d89 getclient: Use openssl to prune comments
* The EasyRSA tools create a certificate file with all the metadata
  readable.  This makes the config file larger then it needs to be, so
  prune it.
* Retrieve text files with `openssl x509 -in <crt> -noout -text`
2015-07-05 21:07:04 -07:00
Kyle Manna
e3655b5115 init: Move upstart file to init directory
* No functional changes.
2015-07-05 21:07:00 -07:00
Kyle Manna
1078267db5 Dockerfile: Clarify port mapping
* Extend comment about port mapping since everyone seems to want to run
  on port 443/tcp.
* Accept that nobody (except the already competent) will read the
  comment and ask anyway.
2015-06-21 22:55:16 -07:00
Kyle Manna
27bb8c7149 README: Add example service
* Example service to demo the container.
2015-06-21 22:35:46 -07:00
Kyle Manna
868da2ddac Merge pull request #49 from ypid/copy-server-create-ccd
Create ccd directory to prevent error if /etc is mounted read-only.
2015-05-31 16:00:39 -07:00
Robin Schneider
7399ff7bbd
Create ccd directory to prevent error if /etc is mounted read-only.
* mkdir: cannot create directory '/etc/openvpn/ccd': Read-only file system
2015-05-31 22:10:54 +02:00
Kyle Manna
e0f7856e6f Merge pull request #48 from ypid/optimized-copy-server-script
Optimized ovpn_copy_server_files script. No need to copy the config files.
2015-05-30 16:09:50 -07:00
Kyle Manna
a52a9cdc8d Merge pull request #47 from ypid/added-raw-client-config
Added variable OVPN_ADDITIONAL_CLIENT_CONFIG use arbitrary openvpn configuration options.
2015-05-30 16:09:25 -07:00
Kyle Manna
d1ae4dd305 Merge pull request #46 from ypid/fixed-docs
Using better example in docs.
2015-05-30 16:08:54 -07:00
Robin Schneider
e361e757da
Optimized ovpn_copy_server_files script. No need to copy the config files.
* rsync can copy the actual files.
* This change makes it easier to modifier the configuration and sync it
  to the server. You only have to execute the ovpn_copy_server_files
  once.
2015-05-31 00:52:33 +02:00
Robin Schneider
ca78b46723
Added variable OVPN_ADDITIONAL_CLIENT_CONFIG use arbitrary openvpn configuration options. 2015-05-30 23:03:17 +02:00
Robin Schneider
2e2c66b978
Using better example in docs. 2015-05-30 23:00:53 +02:00