2023-08-18 15:20:59 +00:00
29 changed files with 681 additions and 297 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,51 @@
 ---
 # ----------------------------------------------
 # -- Build an image and push it to the registry
 # ----------------------------------------------
 kind: pipeline
 type: docker
 name: Build the builder
 trigger:
  event:
    - push
  branch:
    - main
 steps:
  - name: Build openvpn xor amd64
    image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
    privileged: true
    environment:
      GITEA_TOKEN:
        from_secret: GITEA_TOKEN
      CONTAINERFILE: ./containerfiles/Containerfile-XOR
      CUSTOM_TAG: v2.6.6-XOR-4.0.0beta08
    commands:
      - build-container
  - name: Build openvpn amd64
    image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
    privileged: true
    environment:
      GITEA_TOKEN:
        from_secret: GITEA_TOKEN
      CONTAINERFILE: ./containerfiles/Containerfile
      CUSTOM_TAG: v2.6.6
    commands:
      - build-container
  - name: Publish the Helm chart
    image: alpine/helm
    depends_on:
      - Build openvpn xor amd64
      - Build openvpn amd64
    environment:
      GITEA_TOKEN:
        from_secret: GITEA_TOKEN
    commands:
      - cd helm
      - helm plugin install https://github.com/chartmuseum/helm-push
      - helm package . -d chart-package
      - helm repo add  --username allanger --password $GITEA_TOKEN openvpn https://git.badhouseplants.net/api/packages/allanger/helm
      - helm cm-push "./chart-package/$(ls chart-package)" openvpn
--- a/.github/workflows/anchore-analysis.yml
+++ b/.github/workflows/anchore-analysis.yml
@ -1,30 +0,0 @@
 # This workflow checks out code, performs an Anchore container image
 # vulnerability and compliance scan, and integrates the results with
 # GitHub Advanced Security code scanning feature.  For more information on
 # the Anchore scan action usage and parameters, see
 # https://github.com/anchore/scan-action.  For more information on
 # Anchore container image scanning in general, see
 # https://docs.anchore.com.
 name: Anchore Container Scan
 on: push
 jobs:
  Anchore-Build-Scan:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout the code
      uses: actions/checkout@v2
    - name: Build the Docker image
      run: docker build . --file Dockerfile --tag localbuild/testimage:latest      
    - name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
      uses: anchore/scan-action@master
      with:
        image-reference: "localbuild/testimage:latest"
        dockerfile-path: "Dockerfile"
        acs-report-enable: true
    - name: Upload Anchore Scan Report
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: results.sarif
--- a/.travis.yml
+++ b/.travis.yml
@ -1,33 +0,0 @@
 # Disallowing packages: openvpn
 # If you require these packages, please review the package approval process at: https://github.com/travis-ci/apt-package-whitelist#package-approval-process
 #addons:
 #    apt:
 #        sources:
 #            - ubuntu-toolchain-r-test
 #        packages:
 #            - openvpn
 services:
    - docker
 before_install:
    - docker --version
 install:
    - git clone https://github.com/docker-library/official-images.git official-images
 # Assist with ci test debugging:
 #   - DEBUG=1
 before_script:
    - image="kylemanna/openvpn"
    - docker build -t "$image" .
    - docker inspect "$image"
    - docker run --rm "$image" openvpn --version || true # why does it return 1?
    - docker run --rm "$image" openssl version
 script:
    - official-images/test/run.sh "$image"
    - test/run.sh "$image"
 after_script:
    - docker images
--- a/79
+++ b/79
@ -0,0 +1,79 @@
 FROM ghcr.io/allanger/dumb-downloader as dudo
 ENV OPENVPN_VERSION=2.6.5
 ENV TUNNELBLICK_VERSION=4.0.0beta08
 ENV EASYRSA_VERSION=3.1.5
 RUN apt update && apt install gnupg tar -y
 RUN mkdir /output
 # ------------------------------------------------------
 # -- Downlaod OpenVPN
 # ------------------------------------------------------
 RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
 RUN gpg --import security-openvpn-net.asc
 RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
 # ------------------------------------------------------
 # -- I should fix it later
 # ------------------------------------------------------
 # RUN gpg  --no-tty --verify /tmp/openvpn.asc
 RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
 RUN tar -xf /tmp/openvpn.tar.gz  -C /tmp && rm -f /tmp/openvpn.tar.gz
 RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
 # ------------------------------------------------------
 # -- Download Tunnelblick
 # ------------------------------------------------------
 RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
 RUN tar -xf /tmp/tunnelblick.tar.gz  -C /tmp && rm -f /tmp/tunnelblick.tar.gz
 RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
 FROM ubuntu as builder
 # ------------------------------------------------------
 # -- TODO: Define it only once
 # ------------------------------------------------------
 ENV OPENVPN_VERSION=2.6.5
 ENV TUNNELBLICK_VERSION=v4.0.0beta08
 COPY --from=dudo /output /src
 RUN apt-get update &&\
      apt-get install -y wget tar unzip build-essential \
      libssl-dev iproute2 liblz4-dev liblzo2-dev \
      libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
      easy-rsa iptables pkg-config libcap-ng-dev
 RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
 WORKDIR /src/openvpn
 RUN for patch in $(find -type f | grep diff); do\
        patch -p1 < $patch;\
    done
 RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
 RUN make && make install
 RUN mkdir /output
 RUN cp $(which openvpn) /output/
 # ------------------------------------------------------
 # -- Final container
 # ------------------------------------------------------
 FROM ubuntu:22.04
 LABEL maintainer="allanger <allanger@zohomail.com>"
 COPY --from=builder /output /src
 # -------------------------------------------------------
 # -- Prepare system deps
 # -------------------------------------------------------
 RUN apt update && apt install openvpn easy-rsa iptables -y && \
  mv /src/openvpn $(which openvpn)
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 # Prevents refused client connection because of an expired CRL
 ENV EASYRSA_CRL_DAYS 3650
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
 EXPOSE 1194
 CMD ["ovpn_run"]
 COPY --chmod='755' ./bin /usr/local/bin
 # -----------------------------------------------------------
 # -- Add support for OTP authentication using a PAM module
 # -- I have no idea how it works yet
 # -----------------------------------------------------------
 COPY ./otp/openvpn /etc/pam.d/
--- a/48
+++ b/48
@ -1,48 +0,0 @@
 # Original credit: https://github.com/jpetazzo/dockvpn
 # Smallest base image
 FROM ubuntu:18.04@sha256:9bc830af2bef73276515a29aa896eedfa7bdf4bdbc5c1063b4c457a4bbb8cd79
 LABEL maintainer="lawtancool"
 # Testing: pamtester
 #RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
 #    apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
 #    ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
 #    rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
 RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \
    wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \
    wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \
    cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \
    cd openvpn-2.5.3 && \
    patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \
    patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \
    patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \
    patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \
    patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \
    ./configure --disable-systemd --enable-async-push --enable-iproute2 && \
    make && make install && \
    cd .. && rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
 # Prevents refused client connection because of an expired CRL
 ENV EASYRSA_CRL_DAYS 3650
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
 EXPOSE 1194
 CMD ["ovpn_run"]
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
--- a/Dockerfile.arm32v7
+++ b/Dockerfile.arm32v7
@ -1,50 +0,0 @@
 # Original credit: https://github.com/jpetazzo/dockvpn
 # Smallest base image
 FROM arm32v7/ubuntu:18.04
 LABEL maintainer="lawtancool"
 COPY qemu-arm-static /usr/bin
 # Testing: pamtester
 #RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
 #    apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
 #    ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
 #    rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
 RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \
    wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \
    wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \
    cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \
    cd openvpn-2.5.3 && \
    patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \
    patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \
    patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \
    patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \
    patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \
    ./configure --disable-systemd --enable-async-push --enable-iproute2 && \
    make && make install && \
    cd .. && rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
 # Prevents refused client connection because of an expired CRL
 ENV EASYRSA_CRL_DAYS 3650
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
 EXPOSE 1194
 CMD ["ovpn_run"]
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
@ -1,50 +0,0 @@
 # Original credit: https://github.com/jpetazzo/dockvpn
 # Smallest base image
 FROM arm64v8/ubuntu:18.04
 LABEL maintainer="lawtancool"
 COPY qemu-aarch64-static /usr/bin
 # Testing: pamtester
 #RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
 #    apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
 #    ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
 #    rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
 RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \
    wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \
    wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \
    cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \
    cd openvpn-2.5.3 && \
    patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \
    patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \
    patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \
    patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \
    patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \
    ./configure --disable-systemd --enable-async-push --enable-iproute2 && \
    make && make install && \
    cd .. && rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 ENV EASYRSA /usr/share/easy-rsa
 ENV EASYRSA_PKI $OPENVPN/pki
 ENV EASYRSA_VARS_FILE $OPENVPN/vars
 # Prevents refused client connection because of an expired CRL
 ENV EASYRSA_CRL_DAYS 3650
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
 EXPOSE 1194
 CMD ["ovpn_run"]
 ADD ./bin /usr/local/bin
 RUN chmod a+x /usr/local/bin/*
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
--- a/Makefile.in
+++ b/Makefile.in
--- a/bin/ovpn_genclientcert
+++ b/bin/ovpn_genclientcert
@ -15,15 +15,4 @@ set -e
 source "$OPENVPN/ovpn_env.sh"
-# Download EasyRSA because Ubuntu doesn't have it as a CLI command
+/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD
 wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
 tar xvf EasyRSA-unix-v3.0.6.tgz
 export EASYRSA="EasyRSA-v3.0.6/"
 export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
 EasyRSA-v3.0.6/easyrsa build-client-full $CLIENTNAME $PASSWORD
 # Remove EasyRSA files when we're done
 rm -r EasyRSA-v3.0.6/
 rm EasyRSA-unix-v3.0.6.tgz
--- a/bin/ovpn_initpki
+++ b/bin/ovpn_initpki
@ -15,22 +15,9 @@ source "$OPENVPN/ovpn_env.sh"
 # Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
 nopass=$1
-# Download EasyRSA because Ubuntu doesn't have it as a CLI command
+/usr/share/easy-rsa/easyrsa init-pki
-wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
+/usr/share/easy-rsa/easyrsa build-ca $nopass
-tar xvf EasyRSA-unix-v3.0.6.tgz
+/usr/share/easy-rsa/easyrsa gen-dh
 export EASYRSA="EasyRSA-v3.0.6/"
 export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
 cp -r EasyRSA-v3.0.6/x509-types/ x509-types/
 # Provides a sufficient warning before erasing pre-existing files
 EasyRSA-v3.0.6/easyrsa init-pki
 # CA always has a password for protection in event server is compromised. The
 # password is only needed to sign client/server certificates.  No password is
 # needed for normal OpenVPN operation.
 EasyRSA-v3.0.6/easyrsa build-ca $nopass
 EasyRSA-v3.0.6/easyrsa gen-dh
 openvpn --genkey --secret $EASYRSA_PKI/ta.key
 # Was nice to autoset, but probably a bad idea in practice, users should
@ -44,12 +31,7 @@ openvpn --genkey --secret $EASYRSA_PKI/ta.key
 #fi
 # For a server key with a password, manually init; this is autopilot
-EasyRSA-v3.0.6/easyrsa build-server-full "$OVPN_CN" nopass
+/usr/share/easy-rsa/easyrsa build-server-full "$OVPN_CN" nopass
 # Generate the CRL for client/server certificates revocation.
-EasyRSA-v3.0.6/easyrsa gen-crl
+/usr/share/easy-rsa/easyrsa gen-crl
 # Remove EasyRSA files when we're done
 rm -r EasyRSA-v3.0.6/
 rm EasyRSA-unix-v3.0.6.tgz
 rm -r x509-types/
--- a/bin/ovpn_revokeclient
+++ b/bin/ovpn_revokeclient
@ -31,23 +31,11 @@ fi
 revoke_client_certificate(){
    # Download EasyRSA because Ubuntu doesn't have it as a CLI command
-    wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
+    /usr/share/easy-rsa/easyrsa revoke "$1"
    tar xvf EasyRSA-unix-v3.0.6.tgz
    export EASYRSA="EasyRSA-v3.0.6/"
    export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
    cp -r EasyRSA-v3.0.6/x509-types/ x509-types/
    EasyRSA-v3.0.6/easyrsa revoke "$1"
    echo "Generating the Certificate Revocation List :"
-    EasyRSA-v3.0.6/easyrsa gen-crl
+    /usr/share/easy-rsa/easyrsa gen-crl
    cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
    chmod 644 "$OPENVPN/crl.pem"
    # Remove EasyRSA files when we're done
    rm -r EasyRSA-v3.0.6/
    rm EasyRSA-unix-v3.0.6.tgz
    rm -r x509-types/
 }
 remove_files(){
--- a/containerfiles/Containerfile
+++ b/containerfiles/Containerfile
@ -0,0 +1,66 @@
 FROM ghcr.io/allanger/dumb-downloader as dudo
 ENV OPENVPN_VERSION=2.6.6
 RUN apt update && apt install gnupg tar -y
 RUN mkdir /output
 # ------------------------------------------------------
 # -- Downlaod OpenVPN
 # ------------------------------------------------------
 RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
 RUN gpg --import security-openvpn-net.asc
 RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
 # ------------------------------------------------------
 # -- I should fix it later
 # ------------------------------------------------------
 # RUN gpg  --no-tty --verify /tmp/openvpn.asc
 RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
 RUN tar -xf /tmp/openvpn.tar.gz  -C /tmp && rm -f /tmp/openvpn.tar.gz
 RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
 FROM ubuntu as builder
 # ------------------------------------------------------
 # -- TODO: Define it only once
 # ------------------------------------------------------
 ENV OPENVPN_VERSION=2.6.5
 COPY --from=dudo /output /src
 RUN apt-get update &&\
      apt-get install -y wget tar unzip build-essential \
      libssl-dev iproute2 liblz4-dev liblzo2-dev \
      libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
      easy-rsa iptables pkg-config libcap-ng-dev
 WORKDIR /src/openvpn
 RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
 RUN make && make install
 RUN mkdir /output
 RUN cp $(which openvpn) /output/
 # ------------------------------------------------------
 # -- Final container
 # ------------------------------------------------------
 FROM ubuntu:22.04
 LABEL maintainer="allanger <allanger@zohomail.com>"
 COPY --from=builder /output /src
 # -------------------------------------------------------
 # -- Prepare system deps
 # -------------------------------------------------------
 RUN apt update && apt install openvpn easy-rsa iptables -y && \
  mv /src/openvpn $(which openvpn)
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 # Prevents refused client connection because of an expired CRL
 ENV EASYRSA_CRL_DAYS 3650
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
 EXPOSE 1194
 CMD ["ovpn_run"]
 COPY --chmod='755' ./bin /usr/local/bin
 # -----------------------------------------------------------
 # -- Add support for OTP authentication using a PAM module
 # -- I have no idea how it works yet
 # -----------------------------------------------------------
 COPY ./otp/openvpn /etc/pam.d/
--- a/containerfiles/Containerfile-XOR
+++ b/containerfiles/Containerfile-XOR
@ -0,0 +1,79 @@
 FROM ghcr.io/allanger/dumb-downloader as dudo
 ENV OPENVPN_VERSION=2.6.6
 ENV TUNNELBLICK_VERSION=4.0.0beta08
 ENV EASYRSA_VERSION=3.1.5
 RUN apt update && apt install gnupg tar -y
 RUN mkdir /output
 # ------------------------------------------------------
 # -- Downlaod OpenVPN
 # ------------------------------------------------------
 RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
 RUN gpg --import security-openvpn-net.asc
 RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
 # ------------------------------------------------------
 # -- I should fix it later
 # ------------------------------------------------------
 # RUN gpg  --no-tty --verify /tmp/openvpn.asc
 RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
 RUN tar -xf /tmp/openvpn.tar.gz  -C /tmp && rm -f /tmp/openvpn.tar.gz
 RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
 # ------------------------------------------------------
 # -- Download Tunnelblick
 # ------------------------------------------------------
 RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
 RUN tar -xf /tmp/tunnelblick.tar.gz  -C /tmp && rm -f /tmp/tunnelblick.tar.gz
 RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
 FROM ubuntu as builder
 # ------------------------------------------------------
 # -- TODO: Define it only once
 # ------------------------------------------------------
 ENV OPENVPN_VERSION=2.6.5
 ENV TUNNELBLICK_VERSION=v4.0.0beta08
 COPY --from=dudo /output /src
 RUN apt-get update &&\
      apt-get install -y wget tar unzip build-essential \
      libssl-dev iproute2 liblz4-dev liblzo2-dev \
      libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
      easy-rsa iptables pkg-config libcap-ng-dev
 RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
 WORKDIR /src/openvpn
 RUN for patch in $(find -type f | grep diff); do\
        patch -p1 < $patch;\
    done
 RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
 RUN make && make install
 RUN mkdir /output
 RUN cp $(which openvpn) /output/
 # ------------------------------------------------------
 # -- Final container
 # ------------------------------------------------------
 FROM ubuntu:22.04
 LABEL maintainer="allanger <allanger@zohomail.com>"
 COPY --from=builder /output /src
 # -------------------------------------------------------
 # -- Prepare system deps
 # -------------------------------------------------------
 RUN apt update && apt install openvpn easy-rsa iptables -y && \
  mv /src/openvpn $(which openvpn)
 # Needed by scripts
 ENV OPENVPN /etc/openvpn
 # Prevents refused client connection because of an expired CRL
 ENV EASYRSA_CRL_DAYS 3650
 VOLUME ["/etc/openvpn"]
 # Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
 EXPOSE 1194
 CMD ["ovpn_run"]
 COPY --chmod='755' ./bin /usr/local/bin
 # -----------------------------------------------------------
 # -- Add support for OTP authentication using a PAM module
 # -- I have no idea how it works yet
 # -----------------------------------------------------------
 COPY ./otp/openvpn /etc/pam.d/
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@ -0,0 +1,22 @@
 ---
 apiVersion: v2
 name: openvpn
 description: A Helm chart for deploying OpenVPN
 type: application
 version: 1.0.5
 appVersion: "2.6.6"
 sources:
  - https://git.badhouseplants.net/allanger/container-openvpn-xor
  - https://github.com/kylemanna/docker-openvpn
  - https://github.com/lawtancool/docker-openvpn-xor
 maintainers:
  - name: allanger
    email: allanger@zohomail.com
    url: https://badhouseplants.net
 keywords:
  - OpenVPN
  - VPN
  - xor
--- a/helm/LICENSE
+++ b/helm/LICENSE
@ -0,0 +1,17 @@
 Permission is hereby granted, without written agreement and without
 license or royalty fees, to use, copy, modify, and distribute this
 software and its documentation for any purpose, provided that the
 above copyright notice and the following two paragraphs appear in
 all copies of this software.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
 DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
 ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
 IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGE.
 THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
 BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
 ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
 PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
--- a/helm/README.md
+++ b/helm/README.md
@ -0,0 +1,9 @@
 # helm-openvpn
 A helm chart to deploy openvpn
 ## K8s reqs:
 --allowed-unsafe-sysctls=net.ipv4.ip_forward
 ## How it works?
 1. It's generating the openvpn configuration if it's not generated yet. It's an `ininContainer` that really runs only once.
--- a/helm/templates/NOTES.txt
+++ b/helm/templates/NOTES.txt
@ -0,0 +1 @@
 1. Get the application URL by running these commands:
--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@ -0,0 +1,62 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "openvpn-chart.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "openvpn-chart.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "openvpn-chart.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "openvpn-chart.labels" -}}
 helm.sh/chart: {{ include "openvpn-chart.chart" . }}
 {{ include "openvpn-chart.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "openvpn-chart.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "openvpn-chart.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
 {{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@ -0,0 +1,121 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "openvpn-chart.fullname" . }}
  labels:
    {{- include "openvpn-chart.labels" . | nindent 4 }}
 spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      volumes:
        - name: pvc-openvpn
          persistentVolumeClaim:
            claimName: {{ include "openvpn-chart.fullname" . }}
        - name: pki-scripts
          configMap:
            name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
      securityContext:
          sysctls:
            - name: net.ipv4.ip_forward
              value: "1"
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          volumeMounts:
            - mountPath: "/etc/openvpn"
              name: pvc-openvpn
            - mountPath: /scripts
              name: pki-scripts
          env:
          - name: OVPN_SERVER
            value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
      initContainers:
        # ----------------------------------------------------------------------
        # -- This init container is generating the basic configuration
        # ----------------------------------------------------------------------
        - name: 0-ovpn-genconfig
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          volumeMounts:
            - mountPath: "/etc/openvpn"
              name: pvc-openvpn
          env:
            - name: OVPN_SERVER_URL
              value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
            - name: OVPN_DATA
              value: "/etc/openvpn" 
          command: 
            - sh
            - -c 
            - 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
        - name: 1-ovpn-initpki
          env:
            - name: OVPN_DATA
              value: /etc/openvpn
            - name: EASYRSA_REQ_CN
              value: {{ .Values.easyrsa.cn }}
            - name: EASYRSA_REQ_COUNTRY
              value: {{ .Values.easyrsa.country }}
            - name: EASYRSA_REQ_PROVINCE
              value: {{ .Values.easyrsa.province }}
            - name: EASYRSA_REQ_CITY
              value: {{ .Values.easyrsa.city }}
            - name: EASYRSA_REQ_ORG
              value: {{ .Values.easyrsa.org }}
            - name: EASYRSA_REQ_EMAIL
              value: {{ .Values.easyrsa.email }}
            - name: EASYRSA_REQ_OU
              value: {{ .Values.easyrsa.ou }}
            - name: EASYRSA_ALGO
              value: {{ .Values.easyrsa.algo }}
            - name: EASYRSA_DIGEST
              value: {{ .Values.easyrsa.digest }}
            - name: EASYRSA_BATCH
              value: "yes" 
            - name: OVPN_SERVER_URL
              value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
          volumeMounts:
            - mountPath: "/etc/openvpn"
              name: pvc-openvpn
            - mountPath: /scripts
              name: pki-scripts
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          command: 
            - bash
            - /scripts/init_pki.sh
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--- a/helm/templates/pki-generate-scripts.yaml
+++ b/helm/templates/pki-generate-scripts.yaml
@ -0,0 +1,30 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
  labels:
    {{- include "openvpn-chart.labels" . | nindent 4 }}
 data:
  init_pki.sh: |
    if [ ! -d /etc/openvpn/pki ]; then
      source "$OPENVPN/ovpn_env.sh"
      OVPN_DIR=/etc/openvpn
      PKI_DIR=$OVPN_DIR/pki
      cd $OVPN_DIR
      export EASYRSA_BATCH=yes
      unset EASYRSA_VARS_FILE
      /usr/share/easy-rsa/easyrsa init-pki
      /usr/share/easy-rsa/easyrsa build-ca nopass
      /usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
      /usr/share/easy-rsa/easyrsa gen-dh
      cd $PKI_DIR
      openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
      openvpn --genkey secret > ta.key
    fi
  gen_client.sh: |
    source "$OPENVPN/ovpn_env.sh"
    CLIENTNAME=$1
    PASSWORD=$2
    OVPN_DIR=/etc/openvpn
    cd $OVPN_DIR
    /usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD
--- a/helm/templates/pvc.yaml
+++ b/helm/templates/pvc.yaml
@ -0,0 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ include "openvpn-chart.fullname" . }}
  labels:
    {{- include "openvpn-chart.labels" . | nindent 4 }}
 spec:
  storageClassName: {{ .Values.storage.class }}
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: {{ .Values.storage.size }}
--- a/helm/templates/service.yaml
+++ b/helm/templates/service.yaml
@ -0,0 +1,18 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "openvpn-chart.fullname" . }}
  labels:
    {{- include "openvpn-chart.labels" . | nindent 4 }}
 spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      {{- if .Values.service.nodePort }}
      nodePort: {{ int .Values.service.nodePort }}
      {{- end}}
      targetPort: {{ .Values.service.port | default 1194 }}
      protocol: {{ .Values.service.protocol | default "UDP" | quote }}
      name: openvpn
  selector:
    {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
--- a/helm/templates/tests/test-connection.yaml
+++ b/helm/templates/tests/test-connection.yaml
@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: "{{ include "openvpn-chart.fullname" . }}-test-connection"
  labels:
    {{- include "openvpn-chart.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test
 spec:
  containers:
    - name: wget
      image: busybox
      command: ['wget']
      args: ['{{ include "openvpn-chart.fullname" . }}:{{ .Values.service.port }}']
  restartPolicy: Never
--- a/helm/values.yaml
+++ b/helm/values.yaml
@ -0,0 +1,90 @@
 # Default values for openvpn-chart.
 image:
  repository: git.badhouseplants.net/allanger/container-openvpn
  pullPolicy: IfNotPresent
  # -------------------------------------------
  # -- TODO: Switch to proper versions
  # -------------------------------------------
  tag: v2.6.6
 # ----------------------------- 
 # -- Open VPN configuration 
 # -----------------------------
 openvpn:
  proto: udp
  host: 127.0.0.1
  port: 1194
 # -----------------------------
 # -- Easy RSA configuration
 # -----------------------------
 easyrsa: 
  cn: . # -- EASYRSA_REQ_CN
  country: . # -- EASYRSA_REQ_COUNTRY
  province: . # -- EASYRSA_REQ_PROVINCE
  city: . # -- EASYRSA_REQ_CITY
  org: . # -- EASYRSA_REQ_ORG
  email: . # -- EASYRSA_REQ_EMAIL
  ou: Community # -- EASYRSA_REQ_OU
  algo: ec # -- EASYRSA_ALGO
  digest: sha512 # -- EASYRSA_DIGEST 
 replicaCount: 1
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 storage:
  class: microk8s-hostpath
  size: 1Gi
 serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
 podAnnotations: {}
 podSecurityContext: {}
  # fsGroup: 2000
 securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000
 service:
  type: LoadBalancer
  port: 1194
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
 autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
 nodeSelector: {}
 tolerations: []
 affinity: {}
--- a/hooks/post_checkout
+++ b/hooks/post_checkout
@ -1,4 +0,0 @@
 #!/bin/bash
 # downloads a local copy of qemu on docker-hub build machines
 curl -L https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz | tar zxvf - -C . && mv qemu-3.0.0+resin-arm/qemu-arm-static .
 curl -L https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-aarch64.tar.gz | tar zxvf - -C . && mv qemu-3.0.0+resin-aarch64/qemu-aarch64-static .
--- a/hooks/post_push
+++ b/hooks/post_push
@ -1,9 +0,0 @@
 #!/bin/bash
 # Use manifest-tool to create the manifest, given the experimental
 # "docker manifest" command isn't available yet on Docker Hub.
 curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v0.9.0/manifest-tool-linux-amd64
 chmod +x manifest-tool
 ./manifest-tool push from-spec multi-arch-manifest.yaml
--- a/hooks/pre_build
+++ b/hooks/pre_build
@ -1,5 +0,0 @@
 #!/bin/bash
 # Register qemu-*-static for all supported processors except the 
 # current one, but also remove all registered binfmt_misc before
 docker run --rm --privileged multiarch/qemu-user-static:register --reset
--- a/multi-arch-manifest.yaml
+++ b/multi-arch-manifest.yaml
@ -1,16 +0,0 @@
 image: lawtancool/docker-openvpn-xor:latest
 manifests:
  - image: lawtancool/docker-openvpn-xor:amd64
    platform:
      architecture: amd64
      os: linux
  - image: lawtancool/docker-openvpn-xor:arm32v7
    platform:
      architecture: arm
      os: linux
      variant: v7
  - image: lawtancool/docker-openvpn-xor:arm64v8
    platform:
      architecture: arm64
      os: linux
      variant: v8
--- a/renovate.json
+++ b/renovate.json
@ -1,3 +0,0 @@
 {
 	"includeForks": true
 }
		`@ -0,0 +1 @@`
							`1. Get the application URL by running these commands:`