From 0472a0ecd6cd57843430dee760624b7153bb232b Mon Sep 17 00:00:00 2001
From: Kelvin Chen
Date: Tue, 27 Dec 2016 00:48:47 -0500
Subject: [PATCH] Reorganize OpenVPN and use s6-overlay

---
 Dockerfiles/openvpn/Dockerfile | 11 ++++----
 .../container-root/etc/cont-init.d/10-mknod | 9 ++++++
 .../etc/cont-init.d/20-iptables | 3 ++
 .../container-root/etc/cont-init.d/30-ovpn | 19 +++++++++++++
 .../etc/defaults}/client.ovpn | 5 +++-
 .../etc/defaults}/openvpn.conf | 7 ++++-
 .../container-root/etc/services.d/openvpn/run | 3 ++
 .../usr/local/bin}/export-client | 2 +-
 .../usr/share/easy-rsa}/vars | 9 +++---
 Dockerfiles/openvpn/init | 28 -------------------
 10 files changed, 56 insertions(+), 40 deletions(-)
 create mode 100644 Dockerfiles/openvpn/container-root/etc/cont-init.d/10-mknod
 create mode 100644 Dockerfiles/openvpn/container-root/etc/cont-init.d/20-iptables
 create mode 100644 Dockerfiles/openvpn/container-root/etc/cont-init.d/30-ovpn
 rename Dockerfiles/openvpn/{ => container-root/etc/defaults}/client.ovpn (80%)
 rename Dockerfiles/openvpn/{ => container-root/etc/defaults}/openvpn.conf (86%)
 create mode 100644 Dockerfiles/openvpn/container-root/etc/services.d/openvpn/run
 rename Dockerfiles/openvpn/{ => container-root/usr/local/bin}/export-client (88%)
 rename Dockerfiles/openvpn/{ => container-root/usr/share/easy-rsa}/vars (88%)
 delete mode 100755 Dockerfiles/openvpn/init

diff --git a/Dockerfiles/openvpn/Dockerfile b/Dockerfiles/openvpn/Dockerfile
index f971f3e..231efc0 100644
--- a/Dockerfiles/openvpn/Dockerfile
+++ b/Dockerfiles/openvpn/Dockerfile
@@ -1,12 +1,15 @@
-FROM ubuntu:xenial
+FROM buildpack-deps:xenial-curl
 MAINTAINER Kelvin Chen
 
 # Install OpenVPN
-RUN apt-get update \
+RUN curl -sL "https://github.com/just-containers/s6-overlay/releases/download/v1.18.1.5/s6-overlay-amd64.tar.gz" \
+ | tar xz -C / \
+ && apt-get update \
 && apt-get install -y --no-install-recommends \
 openvpn \
 easy-rsa \
 iptables \
+ bridge-utils \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -16,8 +19,6 @@ EXPOSE 1194/udp
 
 VOLUME /config
 
-COPY vars /usr/share/easy-rsa/
-COPY openvpn.conf init client.ovpn /
-COPY export-client /usr/local/bin/
+COPY container-root/ /
 
 CMD ["/init"]
diff --git a/Dockerfiles/openvpn/container-root/etc/cont-init.d/10-mknod b/Dockerfiles/openvpn/container-root/etc/cont-init.d/10-mknod
new file mode 100644
index 0000000..f6b755f
--- /dev/null
+++ b/Dockerfiles/openvpn/container-root/etc/cont-init.d/10-mknod
@@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+mkdir -p /dev/net
+
+if [ ! -c /dev/net/tun ]; then
+ mknod /dev/net/tun c 10 200
+fi
+
+chmod 600 /dev/net/tun
diff --git a/Dockerfiles/openvpn/container-root/etc/cont-init.d/20-iptables b/Dockerfiles/openvpn/container-root/etc/cont-init.d/20-iptables
new file mode 100644
index 0000000..22c75f2
--- /dev/null
+++ b/Dockerfiles/openvpn/container-root/etc/cont-init.d/20-iptables
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
diff --git a/Dockerfiles/openvpn/container-root/etc/cont-init.d/30-ovpn b/Dockerfiles/openvpn/container-root/etc/cont-init.d/30-ovpn
new file mode 100644
index 0000000..f9fc3c6
--- /dev/null
+++ b/Dockerfiles/openvpn/container-root/etc/cont-init.d/30-ovpn
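Review bot: The s6-overlay tarball fetched on the new `RUN curl …` line is unpacked straight into `/` with no integrity check, so the image's init system is whatever the download returned, and with Docker's default `/bin/sh -c` the pipeline status is tar's while `-s` without `-f` also hides HTTP errors. Download to a file and verify a pinned digest before extracting, e.g. `curl -fsSL -o /tmp/s6-overlay.tar.gz "https://github.com/just-containers/s6-overlay/releases/download/v1.18.1.5/s6-overlay-amd64.tar.gz"`, `echo "<sha256 of the pinned release — fill in>  /tmp/s6-overlay.tar.gz" | sha256sum -c -`, `tar xzf /tmp/s6-overlay.tar.gz -C / && rm /tmp/s6-overlay.tar.gz`. The apt packages in the same layer, including the added `bridge-utils`, stay unpinned, so the same reproducibility concern applies to them.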
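Review bot: `COPY container-root/ /` keeps the repository file modes, and the diffstat records every new s6 script (`etc/cont-init.d/10-mknod`, `20-iptables`, `30-ovpn` and `etc/services.d/openvpn/run`) as `new file mode 100644`, whereas the deleted `init` was `100755`; as far as I can tell s6-overlay execs these files directly, so non-executable ones fail with permission denied and the tun device, NAT rule, PKI setup and the openvpn service never come up. Either mark them executable in git or add after the COPY `RUN chmod +x /etc/cont-init.d/* /etc/services.d/*/run`. Separately, `CMD ["/init"]` now names s6-overlay's init rather than the removed script; s6-overlay's documented form is `ENTRYPOINT ["/init"]`, which keeps a command given to `docker run` under supervision instead of replacing the init entirely.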
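Review bot: `mknod /dev/net/tun c 10 200` needs CAP_MKNOD, and when it fails the script just carries on to `chmod 600 /dev/net/tun`, which fails as well, leaving only two log lines while the openvpn service later restarts against a missing device. Add `set -e` after the shebang and make the failure self-explaining: `mknod /dev/net/tun c 10 200 || { echo "cannot create /dev/net/tun; pass --device /dev/net/tun or grant CAP_MKNOD" >&2; exit 1; }`. The unconditional `chmod 600` also rewrites the mode of a device an operator passed in with `--device`; moving it inside the creating branch limits the script to what it created.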
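Review bot: The MASQUERADE rule hard-codes the client subnet `10.8.0.0/24` and the egress interface `eth0`, and nothing checks that they agree with the `server` directive in the user-editable `/config/openvpn/openvpn.conf` (not visible in this hunk) or with the container's actual interface name, so a changed subnet or a non-`eth0` network leaves clients connected but unable to route out, with no error at startup. At least record the coupling with a comment such as `# must match the "server" subnet in /config/openvpn/openvpn.conf and the container's egress interface`. The command's exit status is also ignored; `set -e` after the shebang would surface a missing CAP_NET_ADMIN in the s6 log instead of a tunnel that quietly never forwards.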
@@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv bash
+
+# Make sure OpenVPN config directory exists.
+mkdir -p /config/openvpn/
+
+# Copy over the default OpenVPN config if it does not exist
+cp -n /etc/defaults/openvpn.conf /config/openvpn/
+
+# Create server CA/keys and keys for client "client" if they do not exist
+if [ ! -d "/config/openvpn/keys" ]; then
+ cd /usr/share/easy-rsa
+ source vars
+ ./clean-all
+ ./build-dh
+ ./pkitool --initca
+ ./pkitool --server server
+ ./pkitool client
+ openvpn --genkey --secret /config/openvpn/keys/ta.key
+fi
diff --git a/Dockerfiles/openvpn/client.ovpn b/Dockerfiles/openvpn/container-root/etc/defaults/client.ovpn
similarity index 80%
rename from Dockerfiles/openvpn/client.ovpn
rename to Dockerfiles/openvpn/container-root/etc/defaults/client.ovpn
index 3fa6ea6..d274612 100644
--- a/Dockerfiles/openvpn/client.ovpn
+++ b/Dockerfiles/openvpn/container-root/etc/defaults/client.ovpn
@@ -13,7 +13,10 @@ auth SHA512
 tls-client
-comp-lzo
+# comp-lzo
 persist-tun
 persist-key
+
+sndbuf 393216
+rcvbuf 393216
diff --git a/Dockerfiles/openvpn/openvpn.conf b/Dockerfiles/openvpn/container-root/etc/defaults/openvpn.conf
similarity index 86%
rename from Dockerfiles/openvpn/openvpn.conf
rename to Dockerfiles/openvpn/container-root/etc/defaults/openvpn.conf
index 8db72e4..ad15a8f 100644
--- a/Dockerfiles/openvpn/openvpn.conf
+++ b/Dockerfiles/openvpn/container-root/etc/defaults/openvpn.conf
@@ -25,7 +25,12 @@ push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 8.8.4.4"
-comp-lzo
+# comp-lzo
 persist-key
 persist-tun
+
+sndbuf 393216
+rcvbuf 393216
+push "sndbuf 393216"
+push "rcvbuf 393216"
diff --git a/Dockerfiles/openvpn/container-root/etc/services.d/openvpn/run b/Dockerfiles/openvpn/container-root/etc/services.d/openvpn/run
new file mode 100644
index 0000000..496fe27
--- /dev/null
+++ b/Dockerfiles/openvpn/container-root/etc/services.d/openvpn/run
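Review bot: The guard `if [ ! -d "/config/openvpn/keys" ]` tests for the directory, but `./clean-all` creates it as the first step, so any later failure in the chain (an interrupted `./build-dh`, a `pkitool` error) leaves a half-built PKI that every subsequent start treats as complete, and none of the commands stop the script on error. Add `set -e` after the shebang and key the check on the last artifact written: `if [ ! -f /config/openvpn/keys/ta.key ]; then`. Where the keys land depends on `KEY_DIR` in the renamed `vars` (not shown in this hunk); the `ta.key` path, the `cp -n` target and `export-client` all assume it is `/config/openvpn/keys`, which is worth stating in a comment. The CA private key produced by `pkitool --initca` sits in that same volume directory next to the server key, so a comment like `# ca.key is kept online in /config/openvpn/keys; protect the volume accordingly` tells operators what they are guarding.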
@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv sh
+
+exec openvpn /config/openvpn/openvpn.conf
diff --git a/Dockerfiles/openvpn/export-client b/Dockerfiles/openvpn/container-root/usr/local/bin/export-client
similarity index 88%
rename from Dockerfiles/openvpn/export-client
rename to Dockerfiles/openvpn/container-root/usr/local/bin/export-client
index 1c08ddf..2da63cb 100755
--- a/Dockerfiles/openvpn/export-client
+++ b/Dockerfiles/openvpn/container-root/usr/local/bin/export-client
@@ -4,7 +4,7 @@ KEYDIR="/config/openvpn/keys"
 CLIENT=${1:-client}
 echo "
-$(cat /client.ovpn)
+$(cat /etc/defaults/client.ovpn)
 $(cat $KEYDIR/ca.crt)
diff --git a/Dockerfiles/openvpn/vars b/Dockerfiles/openvpn/container-root/usr/share/easy-rsa/vars
similarity index 88%
rename from Dockerfiles/openvpn/vars
rename to Dockerfiles/openvpn/container-root/usr/share/easy-rsa/vars
index 6fa65d4..845be48 100644
--- a/Dockerfiles/openvpn/vars
+++ b/Dockerfiles/openvpn/container-root/usr/share/easy-rsa/vars
@@ -43,8 +43,8 @@ export KEY_EXPIRE=3650
 # Don't leave any of these fields blank.
 export KEY_COUNTRY="US"
 export KEY_PROVINCE="CA"
-export KEY_CITY="SanFrancisco"
-export KEY_ORG="Fort-Funston"
+export KEY_CITY="MyCity"
+export KEY_ORG="MyOrg"
 export KEY_EMAIL="me@myhost.mydomain"
 export KEY_OU="MyOrganizationalUnit"
 
@@ -55,6 +55,7 @@ export KEY_NAME="EasyRSA"
 # export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
 # export PKCS11_PIN=1234
 
-# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
-# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# If you'd like to sign all keys with the same Common Name, uncomment the
+# KEY_CN export below. You will also need to make sure your OpenVPN server
+# config has the duplicate-cn option set
 # export KEY_CN="CommonName"
diff --git a/Dockerfiles/openvpn/init b/Dockerfiles/openvpn/init
deleted file mode 100755
index e3884f5..0000000
--- a/Dockerfiles/openvpn/init
+++ /dev/null
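Review bot: `exec openvpn /config/openvpn/openvpn.conf` starts the daemon as root under s6, and whether it ever drops privileges depends entirely on `user`/`group` directives in the user-supplied config, which this hunk cannot show. Either state that expectation in the script, e.g. `# privilege drop is expected from the user/group directives in openvpn.conf`, or pass `--user nobody --group nogroup` on this line so the drop does not hinge on the config (the defaults config's `persist-key`/`persist-tun`, visible in the openvpn.conf hunk, are what make that safe across restarts). The config is passed as a bare positional argument, which OpenVPN treats as `--config`; writing `--config` makes that explicit. Style: the sibling cont-init scripts use `with-contenv bash` while this one uses `sh`; either works, but one convention reads better.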
@@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-
-# Make sure OpenVPN config directory exists.
-mkdir -p /config/openvpn/
-
-cp -n /openvpn.conf /config/openvpn/
-
-# Check if keys exist, if not, create with easy-rsa
-if [ ! -d "/config/openvpn/keys" ]; then
- cd /usr/share/easy-rsa
- source vars
- ./clean-all
- ./build-dh
- ./pkitool --initca
- ./pkitool --server server
- ./pkitool client
- openvpn --genkey --secret /config/openvpn/keys/ta.key
-fi
-
-# Make the tun device
-mkdir -p /dev/net
-if [ ! -c /dev/net/tun ]; then
- mknod /dev/net/tun c 10 200
-fi
-
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-
-exec openvpn /config/openvpn/openvpn.conf