Compare commits


38 Commits

5a22013175
Build AMD only
Some checks failed
ci/woodpecker/push/woodpecker/1 Pipeline failed
ci/woodpecker/push/woodpecker/2 Pipeline was successful
2024-09-27 23:46:08 +02:00
67d37f5df5
Build AMD only
Some checks failed
ci/woodpecker/push/woodpecker/2 Pipeline failed
ci/woodpecker/push/woodpecker/1 Pipeline failed
2024-09-27 23:43:38 +02:00
0ac36c1569
Trigger build
Some checks failed
ci/woodpecker/push/woodpecker/2 Pipeline failed
ci/woodpecker/push/woodpecker/1 Pipeline failed
2024-09-22 22:17:21 +02:00
ad8194eaa2
Try building on ARM 2024-09-22 22:16:14 +02:00
ff531b8c3c
Try building on ARM 2024-09-22 22:14:53 +02:00
877691e308
Build older vpn 2.6.5
Some checks failed
ci/woodpecker/push/woodpecker/1 Pipeline failed
ci/woodpecker/push/woodpecker/2 Pipeline was successful
2024-08-18 22:36:44 +02:00
b3f437902f
Try newer ubuntu
Some checks failed
ci/woodpecker/push/woodpecker/2 Pipeline was successful
ci/woodpecker/push/woodpecker/1 Pipeline failed
2024-08-18 22:17:59 +02:00
db02862770
Fix registry url
Some checks failed
ci/woodpecker/push/woodpecker/1 Pipeline failed
ci/woodpecker/push/woodpecker/2 Pipeline was successful
2024-08-18 21:52:18 +02:00
e601741b2c
Fix the arch
Some checks failed
ci/woodpecker/push/woodpecker/2 Pipeline failed
ci/woodpecker/push/woodpecker/1 Pipeline was successful
2024-08-18 21:50:48 +02:00
4737de1394
Fix the arch
Some checks failed
ci/woodpecker/push/woodpecker/2 Pipeline failed
ci/woodpecker/push/woodpecker/1 Pipeline was successful
2024-08-18 21:48:06 +02:00
c01b61cb8d
Trigger build
Some checks failed
ci/woodpecker/push/woodpecker/1 Pipeline failed
ci/woodpecker/push/woodpecker/2 Pipeline failed
2024-08-18 21:28:49 +02:00
2a1b2fadce
Trigger build 2024-08-18 21:28:12 +02:00
70b79587f0
Move back to ubuntu 22.04 2024-08-18 21:26:41 +02:00
767cd2d512
Use Ubuntu 24.04 2024-07-14 13:54:03 +02:00
e231e219aa
Fix the xor build 2024-07-14 12:50:30 +02:00
0170a5dc76
Use the latest builder 2024-07-14 11:01:23 +02:00
c5694a5672
Update openvpn-xor 2024-07-13 22:31:01 +02:00
c64873d9fc
Update vanilla openVPN to 2.6.11 2024-06-20 16:03:42 +02:00
18e09d9658
Do not install glibc 2024-06-05 13:32:59 +02:00
36d4d424f8
install glibc to the final container 2024-05-31 18:26:46 +02:00
db6e07b5c5
Try using sh instead of bash 2024-05-24 16:47:14 +02:00
383dd1b82d
Try buidling in Woodpecker CI in matrix 2024-05-24 16:45:13 +02:00
42511439ce
Try buidling in Woodpecker CI 2024-05-24 16:28:59 +02:00
5c3f73e8c4
Build newer versions 2024-03-24 11:28:57 +01:00
114050fa99
Get OpenVPN version automatically 2024-02-29 10:29:14 +01:00
0cabb525d4
Get OpenVPN version automatically 2024-02-29 10:25:05 +01:00
cdb94b148a
Remove OTP folder 2024-02-27 16:48:21 +01:00
79bfbcc8bd
Renove env debug 2024-02-27 16:42:40 +01:00
c827972079
Add build args support 2024-02-27 16:40:29 +01:00
24fb1546b7
Debug 2024-02-27 16:33:51 +01:00
e1071ce9d8
Debug 2024-02-27 16:32:03 +01:00
2fb97bc8d9
Debug 2024-02-27 16:30:02 +01:00
0f4a57694b
Try newer build strategy 2024-02-27 16:28:38 +01:00
88edadf5eb
Update the version in CI 2024-02-19 15:15:59 +01:00
d8408f498e
Update OpenVPN and Tunnelblick versions 2024-02-19 14:46:12 +01:00
c3297b38e9
Update XORed vpn to 2.6.8 2024-01-01 10:56:33 +01:00
cdda2fb983
Trigger build 2023-12-25 19:32:06 +01:00
2df2ec12e8
chore: Keep versions up-to-date 2023-12-25 19:31:23 +01:00
25 changed files with 67 additions and 1001 deletions


@ -1,132 +0,0 @@
---
kind: pipeline
type: docker
name: Lint the chart
trigger:
event:
- push
environment:
KIND_VERSION: v0.20.0
HELM_VERSION: v3.12.1
KUBECTL_VERSION: v1.28.3
CT_VERSION: 3.10.1
steps:
# ---------------------------------------------------------------------
# -- Prepare dependencies
# ---------------------------------------------------------------------
- name: Download dependencies
image: ghcr.io/allanger/dumb-downloader:latest
commands:
- mkdir .bin
# -- Download kind
- dudo -l "https://kind.sigs.k8s.io/dl/{{ version }}/kind-{{ os }}-{{ arch }}" -d .bin/kind -p $KIND_VERSION
- chmod +x .bin/kind
- name: Check changed charts
image: quay.io/helmpack/chart-testing
volumes:
- name: dockersock
path: /var/run
commands:
- export KUBECONFIG=$PWD/kubeconfig
- git fetch origin
- |
if [[ -n "$(ct list-changed --chart-dirs . --target-branch main)" ]]; then
touch .changed
fi
- name: Lint changed charts
image: quay.io/helmpack/chart-testing
volumes:
- name: dockersock
path: /var/run
commands:
- git fetch origin
- |
if [ -e .changed ]; then
ct lint --target-branch main --validate-maintainers=false --chart-dirs .
fi
- name: Test changed charts
image: quay.io/helmpack/chart-testing
volumes:
- name: dockersock
path: /var/run
commands:
- export PATH=$PWD/.bin:$PATH
- apk update && apk add docker
- kind create cluster --config kind.yaml
- sed -i -E -e 's/localhost|0\.0\.0\.0/docker/g' ~/.kube/config
- kubectl get storageclass
- git fetch origin
- |
if [ -e .changed ]; then
ct install --target-branch main --chart-dirs .
ct install --target-branch main --chart-dirs . --upgrade
fi
services:
- name: docker
image: docker:dind
privileged: true
volumes:
- name: dockersock
path: /var/run
volumes:
- name: dockersock
temp: {}
---
# ----------------------------------------------
# -- Build an image and push it to the registry
# ----------------------------------------------
kind: pipeline
type: docker
name: Build the builder
trigger:
event:
- push
branch:
- main
steps:
- name: Build openvpn xor amd64
image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
privileged: true
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
CONTAINERFILE: ./containerfiles/Containerfile-XOR
CUSTOM_TAG: v2.6.5-XOR-4.0.0beta08
commands:
- build-container
- name: Build openvpn amd64
image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
privileged: true
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
CONTAINERFILE: ./containerfiles/Containerfile
CUSTOM_TAG: v2.6.8
commands:
- build-container
- name: Publish the Helm chart
image: alpine/helm
depends_on:
- Build openvpn xor amd64
- Build openvpn amd64
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
commands:
- cd helm
- helm plugin install https://github.com/chartmuseum/helm-push
- helm package . -d chart-package
- helm repo add --username allanger --password $GITEA_TOKEN openvpn https://git.badhouseplants.net/api/packages/allanger/helm
- helm cm-push "./chart-package/$(ls chart-package)" openvpn

37
.woodpecker.yaml Normal file

@ -0,0 +1,37 @@
---
when:
event:
- push
branch:
- main
matrix:
TARGET:
- openvpn_xor
- openvpn
steps:
build-${TARGET}:
name: Build ${TARGET}
image: zot.badhouseplants.net/badhouseplants/badhouseplants-builder:latest
secrets:
- registry_token
environment:
CONTAINER_REGISTRY: zot.badhouseplants.net
privileged: true
depends_on: []
backend_options:
kubernetes:
resources:
requests:
memory: 1024Mi
cpu: 300m
limits:
memory: 1024Mi
securityContext:
privileged: true
nodeSelector:
kubernetes.io/arch: "amd64"
commands:
- source ./env/${TARGET}.env
- ./scripts/$SCRIPT
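Review bot: The builder image at `image: zot.badhouseplants.net/badhouseplants/badhouseplants-builder:latest` is unpinned while the same step runs `privileged: true` and is handed `registry_token`, so whatever is tagged latest on the registry at run time executes with node-level privileges and the push credential; the pipeline deleted earlier in this compare pinned the builder by commit SHA. Pin it to an immutable reference, e.g. `image: zot.badhouseplants.net/badhouseplants/badhouseplants-builder@sha256:<builder-image-digest>` (placeholder), and bump it deliberately. `source ./env/${TARGET}.env` is a bash-ism; if the builder image runs step commands under POSIX sh, `. ./env/${TARGET}.env` is the portable form — the image's shell is not visible from here. The `limits:` block caps memory only, so the `cpu: 300m` request is uncapped; presumably intended, but a short comment would make that explicit.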


@ -1,18 +0,0 @@
---
steps:
deps:
name: Download dependencies
image: alpine
commands:
- echo 1
mail:
image: deblan/woodpecker-email
settings:
from.address: noreply@github.com
from.name: John Smith
host: smtp.mailgun.org
username:
from_secret: check
password: 12345
recipients:
- octocat@github.com


@ -1,82 +0,0 @@
---
clone:
git:
image: woodpeckerci/plugin-git
settings:
partial: false
steps:
deps:
name: Download dependencies
image: ghcr.io/allanger/dumb-downloader:latest
environment:
KIND_VERSION: v0.20.0
HELM_VERSION: v3.12.1
KUBECTL_VERSION: v1.28.3
CT_VERSION: 3.10.1
commands:
- mkdir .bin
# -- Download kind
- dudo -l "https://kind.sigs.k8s.io/dl/{{ version }}/kind-{{ os }}-{{ arch }}" -d .bin/kind -p $KIND_VERSION
- chmod +x .bin/kind
changed:
name: Check changed charts
image: quay.io/helmpack/chart-testing
commands:
- git fetch origin
- ls -la
- ct help
- ct lint --chart-dirs . --target-branch main --print-config --debug
- |
if [[ -n "$(ct list-changed --chart-dirs . --target-branch main)" ]]; then
touch .changed
fi
lint:
name: Lint charts
image: quay.io/helmpack/chart-testing
commands:
- git fetch origin
- |
if [ -e .changed ]; then
ct lint --target-branch main --validate-maintainers=false --chart-dirs .
fi
test:
name: Test charts
image: quay.io/helmpack/chart-testing
environment:
- DOCKER_HOST=tcp://docker:2375
commands:
- export PATH=$PWD/.bin:$PATH
- apk update && apk add docker curl bash
- curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
- k3d cluster create test --api-port 16443 --k3s-arg="kubelet-args=\"--allowed-unsafe-sysctls=net.ipv4.ip_forward\""@all
- sed -i -E -e 's/localhost|0\.0\.0\.0/docker/g' ~/.kube/config
- kubectl get storageclass
- git fetch origin
- |
if [ -e .changed ]; then
ct install --target-branch main --chart-dirs .
ct install --target-branch main --chart-dirs . --upgrade
fi
services:
docker:
image: docker:dind
commands:
- echo "1" > /proc/sys/net/ipv4/ip_forward
- dockerd -H tcp://0.0.0.0:2375 --tls=false
privileged: true
ports:
- 2375
- 16443
backend_options:
kubernetes:
resources:
requests:
memory: 500Mi
cpu: 500m
limits:
memory: 1000Mi
cpu: 1000m


@ -1,79 +0,0 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=4.0.0beta08
ENV EASYRSA_VERSION=3.1.5
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
# -- Downlaod OpenVPN
# ------------------------------------------------------
RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
RUN gpg --import security-openvpn-net.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
# ------------------------------------------------------
# -- I should fix it later
# ------------------------------------------------------
# RUN gpg --no-tty --verify /tmp/openvpn.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
# ------------------------------------------------------
# -- Download Tunnelblick
# ------------------------------------------------------
RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
FROM ubuntu as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=v4.0.0beta08
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
libssl-dev iproute2 liblz4-dev liblzo2-dev \
libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
easy-rsa iptables pkg-config libcap-ng-dev
RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
WORKDIR /src/openvpn
RUN for patch in $(find -type f | grep diff); do\
patch -p1 < $patch;\
done
RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
RUN make && make install
RUN mkdir /output
RUN cp $(which openvpn) /output/
# ------------------------------------------------------
# -- Final container
# ------------------------------------------------------
FROM ubuntu:22.04
LABEL maintainer="allanger <allanger@zohomail.com>"
COPY --from=builder /output /src
# -------------------------------------------------------
# -- Prepare system deps
# -------------------------------------------------------
RUN apt update && apt install openvpn easy-rsa iptables -y && \
mv /src/openvpn $(which openvpn)
# Needed by scripts
ENV OPENVPN /etc/openvpn
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
COPY --chmod='755' ./bin /usr/local/bin
# -----------------------------------------------------------
# -- Add support for OTP authentication using a PAM module
# -- I have no idea how it works yet
# -----------------------------------------------------------
COPY ./otp/openvpn /etc/pam.d/


@ -1,52 +0,0 @@
# Contributor: Fabio Napoleoni <f.napoleoni@gmail.com>
# Maintainer:
pkgname=google-authenticator
pkgver=20160207
pkgrel=1
pkgdesc="Google Authenticator PAM module"
url="https://github.com/google/google-authenticator"
arch="all"
license="ASL 2.0"
depends=
depends_dev=
makedepends="$depends_dev autoconf automake libtool linux-pam-dev m4 openssl-dev"
install=
subpackages="$pkgname-doc"
source="https://github.com/google/google-authenticator/archive/c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"
_builddir="$srcdir"/$pkgname-c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425/libpam
prepare() {
local i
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
}
build() {
cd "$_builddir"
./bootstrap.sh || return 1
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--libdir=/lib \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
|| return 1
make || return 1
}
package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
}
md5sums="33d3cbd0488bcb4f50b34b5670deffae c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"
sha256sums="e32abe693e54195bdb6aca52783e6e1c239e67296876ac59211a59e4608338b8 c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"
sha512sums="b44a626e6cc5d8e27685f5d39b5d33f49fc7070331db7b458d3ee40723972821bb8ed5458f27a287dc664d162acf1f8f9a36ca3b1bf767f2bbf27d4f538e9872 c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"


@ -1,5 +1,5 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.8
ARG OPENVPN_VERSION
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
@ -7,20 +7,20 @@ RUN mkdir /output
# ------------------------------------------------------
RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
RUN gpg --import security-openvpn-net.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p ${OPENVPN_VERSION}
# ------------------------------------------------------
# -- I should fix it later
# -- todo: I should fix it later
# ------------------------------------------------------
# RUN gpg --no-tty --verify /tmp/openvpn.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p ${OPENVPN_VERSION}
RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
RUN mv /tmp/openvpn-${OPENVPN_VERSION} /output/openvpn
FROM ubuntu as builder
FROM ubuntu:22.04 as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.8
ARG OPENVPN_VERSION
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
@ -64,4 +64,3 @@ COPY --chmod='755' ./bin /usr/local/bin
# -- I have no idea how it works yet
# -----------------------------------------------------------
WORKDIR /etc/openvpn
COPY ./otp/openvpn /etc/pam.d/
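Review bot: The OpenVPN tarball is still built without signature verification: the detached `.asc` is fetched on the `RUN dudo ... -d /tmp/openvpn.asc` line and the maintainer key imported two lines earlier, but `# RUN gpg --no-tty --verify /tmp/openvpn.asc` stays commented out (this hunk only rewords the comment to `todo`), so a tampered archive served from swupdate.openvpn.org builds cleanly. Since the key is already imported, re-enabling the check as `RUN gpg --no-tty --verify /tmp/openvpn.asc /tmp/openvpn.tar.gz` placed after the tarball download makes the build fail closed on a bad signature; the trailing space inside the quotes of that download URL (`...tar.gz "`) looks accidental and should go at the same time. Note also that `ARG OPENVPN_VERSION` replaces an `ENV` that carried a default, so a build that omits the arg expands to an empty version and fails late inside dudo rather than with a clear message. The new `env/openvpn.env` in this compare sets 2.6.5, lower than the 2.6.8 default removed here — worth confirming the downgrade is intended, since the final image's openvpn binary is the one built here.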


@ -1,6 +1,6 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=4.0.0beta08
ARG OPENVPN_VERSION
ARG TUNNELBLICK_VERSION
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
@ -23,12 +23,12 @@ RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ ve
RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
FROM ubuntu as builder
FROM ubuntu:24.04 as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=v4.0.0beta08
ARG OPENVPN_VERSION
ARG TUNNELBLICK_VERSION
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
@ -48,7 +48,7 @@ RUN cp $(which openvpn) /output/
# ------------------------------------------------------
# -- Final container
# ------------------------------------------------------
FROM ubuntu:22.04
FROM ubuntu:24.04
LABEL maintainer="allanger <allanger@zohomail.com>"
COPY --from=builder /output /src
# -------------------------------------------------------
@ -76,4 +76,3 @@ COPY --chmod='755' ./bin /usr/local/bin
# -- I have no idea how it works yet
# -----------------------------------------------------------
WORKDIR /etc/openvpn
COPY ./otp/openvpn /etc/pam.d/
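Review bot: `ARG TUNNELBLICK_VERSION` and `ARG OPENVPN_VERSION` are declared without defaults in both stages, so a build that omits them runs `dudo` against `.../tags/v.tar.gz` and `mv /tmp/Tunnelblick-` with empty values instead of stopping with a clear message; the same applies to `ARG OPENVPN_VERSION` in the sibling `Containerfile` hunk. A guard right after the ARG line, such as `RUN test -n "${TUNNELBLICK_VERSION}" || { echo "TUNNELBLICK_VERSION build arg is required" >&2; exit 1; }`, fails the build early. The new `env/openvpn_xor.env` sets only `TUNNELBLICK_VERSION`, so `OPENVPN_VERSION` for this file must come from `scripts/build_xor.sh`, which is not in this compare — worth confirming it is always passed. Separately, this file now builds and ships on `ubuntu:24.04` while the sibling `Containerfile` settles on `ubuntu:22.04`; if that split is deliberate (the history shows it moving back and forth), a one-line comment on the `FROM` lines saying why would save the next reader a bisect.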

3
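--- /dev/null
+++ b/env/openvpn.env
@@ -0,0 +1,3 @@
+export OPENVPN_VERSION=2.6.5
+export CONTAINERFILE=./containerfiles/Containerfile
+export SCRIPT=build_upstream.sh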

3
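--- /dev/null
+++ b/env/openvpn_xor.env
@@ -0,0 +1,3 @@
+export TUNNELBLICK_VERSION=6.0beta03
+export CONTAINERFILE=./containerfiles/Containerfile-XOR
+export SCRIPT=build_xor.sh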


@ -1,22 +0,0 @@
---
apiVersion: v2
name: openvpn
description: A Helm chart for deploying OpenVPN
type: application
version: 1.0.8
appVersion: 2.6.5
sources:
- https://git.badhouseplants.net/allanger/container-openvpn-xor
- https://github.com/kylemanna/docker-openvpn
- https://github.com/lawtancool/docker-openvpn-xor
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
keywords:
- OpenVPN
- VPN
- xor


@ -1,17 +0,0 @@
Permission is hereby granted, without written agreement and without
license or royalty fees, to use, copy, modify, and distribute this
software and its documentation for any purpose, provided that the
above copyright notice and the following two paragraphs appear in
all copies of this software.
IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.


@ -1,9 +0,0 @@
# helm-openvpn
A helm chart to deploy openvpn
## K8s reqs:
--allowed-unsafe-sysctls=net.ipv4.ip_forward
## How it works?
1. It's generating the openvpn configuration if it's not generated yet. It's an `ininContainer` that really runs only once.


@ -1 +0,0 @@
1. Get the application URL by running these commands:


@ -1,62 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "openvpn-chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openvpn-chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openvpn-chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "openvpn-chart.labels" -}}
helm.sh/chart: {{ include "openvpn-chart.chart" . }}
{{ include "openvpn-chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "openvpn-chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "openvpn-chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -1,128 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: pvc-openvpn
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}
- name: pki-scripts
configMap:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
env:
- name: OVPN_SERVER
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OPENVPN
value: "/etc/openvpn"
securityContext:
capabilities:
add:
- NET_ADMIN
initContainers:
# ----------------------------------------------------------------------
# -- This init container is generating the basic configuration
# ----------------------------------------------------------------------
- name: 0-ovpn-genconfig
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
env:
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OVPN_DATA
value: "/etc/openvpn"
- name: OPENVPN
value: "/etc/openvpn"
command:
- sh
- -c
- 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
- name: 1-ovpn-initpki
env:
- name: OVPN_DATA
value: /etc/openvpn
- name: OPENVPN
value: "/etc/openvpn"
- name: EASYRSA_REQ_CN
value: {{ .Values.easyrsa.cn }}
- name: EASYRSA_REQ_COUNTRY
value: {{ .Values.easyrsa.country }}
- name: EASYRSA_REQ_PROVINCE
value: {{ .Values.easyrsa.province }}
- name: EASYRSA_REQ_CITY
value: {{ .Values.easyrsa.city }}
- name: EASYRSA_REQ_ORG
value: {{ .Values.easyrsa.org }}
- name: EASYRSA_REQ_EMAIL
value: {{ .Values.easyrsa.email }}
- name: EASYRSA_REQ_OU
value: {{ .Values.easyrsa.ou }}
- name: EASYRSA_ALGO
value: {{ .Values.easyrsa.algo }}
- name: EASYRSA_DIGEST
value: {{ .Values.easyrsa.digest }}
- name: EASYRSA_BATCH
value: "yes"
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bash
- /scripts/init_pki.sh
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}


@ -1,30 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
data:
init_pki.sh: |
if [ ! -d /etc/openvpn/pki ]; then
source "$OPENVPN/ovpn_env.sh"
OVPN_DIR=/etc/openvpn
PKI_DIR=$OVPN_DIR/pki
cd $OVPN_DIR
export EASYRSA_BATCH=yes
unset EASYRSA_VARS_FILE
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca nopass
/usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
/usr/share/easy-rsa/easyrsa gen-dh
cd $PKI_DIR
openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
openvpn --genkey secret > ta.key
fi
gen_client.sh: |
source "$OPENVPN/ovpn_env.sh"
CLIENTNAME=$1
PASSWORD=$2
OVPN_DIR=/etc/openvpn
cd $OVPN_DIR
/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD


@ -1,19 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{- if .Values.storage.class }}
{{- if (eq "-" .Values.storage.class) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.storage.class }}"
{{- end }}
{{- end }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.size }}


@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
{{- if .Values.service.nodePort }}
nodePort: {{ int .Values.service.nodePort }}
{{- end}}
targetPort: {{ .Values.service.port | default 1194 }}
protocol: {{ .Values.service.protocol | default "UDP" | quote }}
name: openvpn
selector:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}


@ -1,200 +0,0 @@
{{- $version := semver .Capabilities.KubeVersion.Version }}
{{- if .Values.tests.enabled }}
# ---------------------------------------------------------------------
# -- Test that CRDs are installed
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-script
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "6"
data:
get_config.sh: |-
#!/bin/bash
kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }}
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn
test_connection.sh : |-
sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog
tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q'
---
# ---------------------------------------------------------------------
# -- Prepare roles and bindings to access k8s resources from the test
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-role
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
subjects:
- kind: ServiceAccount
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "openvpn-chart.fullname" . }}-test-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
storageClassName: {{ .Values.storage.class }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
containers:
- name: tester
image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}
volumeMounts:
- name: test-script
readOnly: true
mountPath: /get_config.sh
subPath: get_config.sh
- name: data
readOnly: false
mountPath: /data
command:
- bash
args:
- -e
- /get_config.sh
restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-connection
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
containers:
- name: tester
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: data
readOnly: false
mountPath: /data
- name: test-script
readOnly: true
mountPath: /test_connection.sh
subPath: test_connection.sh
command:
- bash
args:
- -e
- /test_connection.sh
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Never
{{- end }}


@ -1,89 +0,0 @@
# Default values for openvpn-chart.
image:
repository: git.badhouseplants.net/allanger/container-openvpn
pullPolicy: Always
# -------------------------------------------
# -- TODO: Switch to proper versions
# -------------------------------------------
# tag: ""
# -----------------------------
# -- Open VPN configuration
# -----------------------------
openvpn:
proto: tcp
host: 127.0.0.1
port: 1194
# ---------------------------------------
# -- Deploy OpenVPN admin
# -- https://github.com/flant/ovpn-admin
# ---------------------------------------
openvpn_admin:
enabled: true
# -----------------------------
# -- Easy RSA configuration
# -----------------------------
easyrsa:
cn: . # -- EASYRSA_REQ_CN
country: . # -- EASYRSA_REQ_COUNTRY
province: . # -- EASYRSA_REQ_PROVINCE
city: . # -- EASYRSA_REQ_CITY
org: . # -- EASYRSA_REQ_ORG
email: . # -- EASYRSA_REQ_EMAIL
ou: Community # -- EASYRSA_REQ_OU
algo: ec # -- EASYRSA_ALGO
digest: sha512 # -- EASYRSA_DIGEST
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
storage:
class: ""
size: 1Gi
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 1194
protocol: TCP
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
tests:
enabled: false
cleanup: true


@ -1,21 +0,0 @@
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
name: test
networking:
apiServerAddress: "0.0.0.0"
apiServerPort: 16443
kubeadmConfigPatches:
- |
kind: InitConfiguration
nodeRegistration:
kubeletExtraArgs:
allowed-unsafe-sysctls: net.ipv4.ip_forward
nodes:
- role: control-plane
kubeadmConfigPatches:
- |
kind: ClusterConfiguration
apiServer:
certSANs:
- "docker"
- role: worker


@ -1,7 +0,0 @@
# Uses google authenticator library as PAM module using a single folder for all users tokens
# User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
# See https://github.com/google/google-authenticator-libpam#usersome-user
auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root
# Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
account sufficient pam_permit.so

4
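--- /dev/null
+++ b/scripts/build_upstream.sh
@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+export CUSTOM_TAG="v$OPENVPN_VERSION"
+export BUILD_ARGS="--build-arg OPENVPN_VERSION=$OPENVPN_VERSION"
+build-container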
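Review bot: `OPENVPN_VERSION` is expanded on the second and third lines without ever being checked, so an unset variable produces the tag `v` and an empty `--build-arg OPENVPN_VERSION=` instead of a failure, and the image that gets pushed carries no version at all. Adding `set -eu` and `: "${OPENVPN_VERSION:?OPENVPN_VERSION must be set}"` directly after the shebang makes the script fail fast in that case. `build-container` is not defined anywhere this page shows, so it is presumably supplied by the CI image; a one-line comment such as `# build-container is provided by the CI builder image` would save the next reader the search.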

7
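--- /dev/null
+++ b/scripts/build_xor.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env sh
+git clone https://github.com/Tunnelblick/Tunnelblick.git /tmp/tunnelblick
+git -C /tmp/tunnelblick checkout $TUNNELBLICK_VERSION
+export OPENVPN_VERSION=$(ls /tmp/tunnelblick/third_party/sources/openvpn | sed 's/openvpn-//g' | sort -k1,1nr -k2,2n -k3,3n | head -n 1)
+export CUSTOM_TAG="v$OPENVPN_VERSION-XOR-$TUNNELBLICK_VERSION"
+export BUILD_ARGS="--build-arg OPENVPN_VERSION=$OPENVPN_VERSION --build-arg TUNNELBLICK_VERSION=$TUNNELBLICK_VERSION"
+build-container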
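Review bot: The version selection on the fourth line does not do what it reads as: without `-t.` the whole `2.6.5` is a single whitespace-delimited field, so `-k1,1nr` compares only the leading `2.6` numerically and `-k2,2n`/`-k3,3n` name fields that do not exist, leaving the patch component to sort's byte-wise fallback; with more than one tarball present the highest version is not reliably picked, so the image may be built from an older OpenVPN than intended. The clone and checkout are also unchecked and `$TUNNELBLICK_VERSION` is unquoted, so an unset or mistyped version leaves the build on whatever the default branch is rather than failing, which defeats the pinning the variable is meant to provide. `export VAR=$(...)` additionally masks the pipeline's exit status, so `set -e` alone would not catch a missing sources directory. The rewrite below fails fast on unset variables, quotes the ref, splits the version on `.` with all three keys descending (where GNU sort is available, `sort -V | tail -n 1` is the simpler equivalent), and separates the assignment from the export.
```shell
#!/usr/bin/env sh
set -eu
: "${TUNNELBLICK_VERSION:?TUNNELBLICK_VERSION must be set}"
git clone https://github.com/Tunnelblick/Tunnelblick.git /tmp/tunnelblick
git -C /tmp/tunnelblick checkout "$TUNNELBLICK_VERSION"
OPENVPN_VERSION=$(ls /tmp/tunnelblick/third_party/sources/openvpn | sed 's/openvpn-//g' | sort -t. -k1,1nr -k2,2nr -k3,3nr | head -n 1)
export OPENVPN_VERSION
# … unchanged: CUSTOM_TAG / BUILD_ARGS exports and build-container call …
```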