KeyArgo
/
seedbox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Reorganize OpenVPN and use s6-overlay

This commit is contained in:
Kelvin Chen 2016-12-27 00:48:47 -05:00
parent 311d1b4ad6
commit 0472a0ecd6
10 changed files with 56 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Dockerfiles/openvpn/Dockerfile
View File

@ -1,12 +1,15 @@
FROM ubuntu:xenial FROM buildpack-deps:xenial-curl
MAINTAINER Kelvin Chen <kelvin@kelvinchen.org> MAINTAINER Kelvin Chen <kelvin@kelvinchen.org>
# Install OpenVPN # Install OpenVPN
RUN apt-get update \ RUN curl -sL "https://github.com/just-containers/s6-overlay/releases/download/v1.18.1.5/s6-overlay-amd64.tar.gz" \
| tar xz -C / \
&& apt-get update \
&& apt-get install -y --no-install-recommends \ && apt-get install -y --no-install-recommends \
openvpn \ openvpn \
easy-rsa \ easy-rsa \
iptables \ iptables \
bridge-utils \
&& apt-get clean \ && apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@ -16,8 +19,6 @@ EXPOSE 1194/udp
VOLUME /config VOLUME /config
COPY vars /usr/share/easy-rsa/ COPY container-root/ /
COPY openvpn.conf init client.ovpn /
COPY export-client /usr/local/bin/
CMD ["/init"] CMD ["/init"]

9
Dockerfiles/openvpn/container-root/etc/cont-init.d/10-mknod Normal file
View File

@ -0,0 +1,9 @@
#!/usr/bin/with-contenv bash
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
mknod /dev/net/tun c 10 200
fi
chmod 600 /dev/net/tun

3
Dockerfiles/openvpn/container-root/etc/cont-init.d/20-iptables Normal file
View File

@ -0,0 +1,3 @@
#!/usr/bin/with-contenv bash
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

19
Dockerfiles/openvpn/container-root/etc/cont-init.d/30-ovpn Normal file
View File

@ -0,0 +1,19 @@
#!/usr/bin/with-contenv bash
# Make sure OpenVPN config directory exists.
mkdir -p /config/openvpn/
# Copy over the default OpenVPN config if it does not exist
cp -n /etc/defaults/openvpn.conf /config/openvpn/
# Create server CA/keys and keys for client "client" if they do not exist
if [ ! -d "/config/openvpn/keys" ]; then
cd /usr/share/easy-rsa
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
./pkitool client
openvpn --genkey --secret /config/openvpn/keys/ta.key
fi

5
Dockerfiles/openvpn/client.ovpn → Dockerfiles/openvpn/container-root/etc/defaults/client.ovpn
View File

@ -13,7 +13,10 @@ auth SHA512
tls-client tls-client
comp-lzo # comp-lzo
persist-tun persist-tun
persist-key persist-key
sndbuf 393216
rcvbuf 393216

7
Dockerfiles/openvpn/openvpn.conf → Dockerfiles/openvpn/container-root/etc/defaults/openvpn.conf
View File

@ -25,7 +25,12 @@ push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4" push "dhcp-option DNS 8.8.4.4"
comp-lzo # comp-lzo
persist-key persist-key
persist-tun persist-tun
sndbuf 393216
rcvbuf 393216
push "sndbuf 393216"
push "rcvbuf 393216"

3
Dockerfiles/openvpn/container-root/etc/services.d/openvpn/run Normal file
View File

@ -0,0 +1,3 @@
#!/usr/bin/with-contenv sh
exec openvpn /config/openvpn/openvpn.conf

2
Dockerfiles/openvpn/export-client → Dockerfiles/openvpn/container-root/usr/local/bin/export-client
View File

@ -4,7 +4,7 @@ KEYDIR="/config/openvpn/keys"
CLIENT=${1:-client} CLIENT=${1:-client}
echo " echo "
$(cat /client.ovpn) $(cat /etc/defaults/client.ovpn)
<ca> <ca>
$(cat $KEYDIR/ca.crt) $(cat $KEYDIR/ca.crt)
</ca> </ca>

9
Dockerfiles/openvpn/vars → Dockerfiles/openvpn/container-root/usr/share/easy-rsa/vars
View File

@ -43,8 +43,8 @@ export KEY_EXPIRE=3650
# Don't leave any of these fields blank. # Don't leave any of these fields blank.
export KEY_COUNTRY="US" export KEY_COUNTRY="US"
export KEY_PROVINCE="CA" export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco" export KEY_CITY="MyCity"
export KEY_ORG="Fort-Funston" export KEY_ORG="MyOrg"
export KEY_EMAIL="me@myhost.mydomain" export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit" export KEY_OU="MyOrganizationalUnit"
@ -55,6 +55,7 @@ export KEY_NAME="EasyRSA"
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so" # export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234 # export PKCS11_PIN=1234
# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below # If you'd like to sign all keys with the same Common Name, uncomment the
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set # KEY_CN export below. You will also need to make sure your OpenVPN server
# config has the duplicate-cn option set
# export KEY_CN="CommonName" # export KEY_CN="CommonName"

28
Dockerfiles/openvpn/init
View File

@ -1,28 +0,0 @@
#!/usr/bin/env bash
# Make sure OpenVPN config directory exists.
mkdir -p /config/openvpn/
cp -n /openvpn.conf /config/openvpn/
# Check if keys exist, if not, create with easy-rsa
if [ ! -d "/config/openvpn/keys" ]; then
cd /usr/share/easy-rsa
source vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server server
./pkitool client
openvpn --genkey --secret /config/openvpn/keys/ta.key
fi
# Make the tun device
mkdir -p /dev/net
if [ ! -c /dev/net/tun ]; then
mknod /dev/net/tun c 10 200
fi
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
exec openvpn /config/openvpn/openvpn.conf