Reorganize OpenVPN and use s6-overlay

2016-12-27 00:48:47 -05:00 · 2016-12-27 00:48:47 -05:00 · 0472a0ecd6
parent 311d1b4ad6
commit 0472a0ecd6
10 changed files with 56 additions and 40 deletions
--- a/Dockerfiles/openvpn/Dockerfile
+++ b/Dockerfiles/openvpn/Dockerfile
@ -1,12 +1,15 @@
-FROM ubuntu:xenial
+FROM buildpack-deps:xenial-curl
 MAINTAINER Kelvin Chen <kelvin@kelvinchen.org>

 # Install OpenVPN
-RUN apt-get update \
+RUN curl -sL "https://github.com/just-containers/s6-overlay/releases/download/v1.18.1.5/s6-overlay-amd64.tar.gz" \
+        | tar xz -C / \
+    && apt-get update \
    && apt-get install -y --no-install-recommends \
        openvpn \
        easy-rsa \
        iptables \
+        bridge-utils \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

@ -16,8 +19,6 @@ EXPOSE 1194/udp

 VOLUME /config

-COPY vars /usr/share/easy-rsa/
-COPY openvpn.conf init client.ovpn /
-COPY export-client /usr/local/bin/
+COPY container-root/ /

 CMD ["/init"]
--- a/Dockerfiles/openvpn/container-root/etc/cont-init.d/10-mknod
+++ b/Dockerfiles/openvpn/container-root/etc/cont-init.d/10-mknod
@ -0,0 +1,9 @@
+#!/usr/bin/with-contenv bash
+
+mkdir -p /dev/net
+
+if [ ! -c /dev/net/tun ]; then
+    mknod /dev/net/tun c 10 200
+fi
+
+chmod 600 /dev/net/tun
--- a/Dockerfiles/openvpn/container-root/etc/cont-init.d/20-iptables
+++ b/Dockerfiles/openvpn/container-root/etc/cont-init.d/20-iptables
@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
--- a/Dockerfiles/openvpn/container-root/etc/cont-init.d/30-ovpn
+++ b/Dockerfiles/openvpn/container-root/etc/cont-init.d/30-ovpn
@ -0,0 +1,19 @@
+#!/usr/bin/with-contenv bash
+
+# Make sure OpenVPN config directory exists.
+mkdir -p /config/openvpn/
+
+# Copy over the default OpenVPN config if it does not exist
+cp -n /etc/defaults/openvpn.conf /config/openvpn/
+
+# Create server CA/keys and keys for client "client" if they do not exist
+if [ ! -d "/config/openvpn/keys" ]; then
+    cd /usr/share/easy-rsa
+    source vars
+    ./clean-all
+    ./build-dh
+    ./pkitool --initca
+    ./pkitool --server server
+    ./pkitool client
+    openvpn --genkey --secret /config/openvpn/keys/ta.key
+fi
--- a/Dockerfiles/openvpn/container-root/etc/defaults/client.ovpn
+++ b/Dockerfiles/openvpn/container-root/etc/defaults/client.ovpn
@ -13,7 +13,10 @@ auth       SHA512

 tls-client

-comp-lzo
+# comp-lzo

 persist-tun
 persist-key
+
+sndbuf 393216
+rcvbuf 393216
--- a/Dockerfiles/openvpn/container-root/etc/defaults/openvpn.conf
+++ b/Dockerfiles/openvpn/container-root/etc/defaults/openvpn.conf
@ -25,7 +25,12 @@ push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 8.8.4.4"

-comp-lzo
+# comp-lzo

 persist-key
 persist-tun
+
+sndbuf 393216
+rcvbuf 393216
+push "sndbuf 393216"
+push "rcvbuf 393216"
--- a/Dockerfiles/openvpn/container-root/etc/services.d/openvpn/run
+++ b/Dockerfiles/openvpn/container-root/etc/services.d/openvpn/run
@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv sh
+
+exec openvpn /config/openvpn/openvpn.conf
--- a/Dockerfiles/openvpn/container-root/usr/local/bin/export-client
+++ b/Dockerfiles/openvpn/container-root/usr/local/bin/export-client
@ -4,7 +4,7 @@ KEYDIR="/config/openvpn/keys"
 CLIENT=${1:-client}

 echo "
-$(cat /client.ovpn)
+$(cat /etc/defaults/client.ovpn)
 <ca>
 $(cat $KEYDIR/ca.crt)
 </ca>
--- a/Dockerfiles/openvpn/container-root/usr/share/easy-rsa/vars
+++ b/Dockerfiles/openvpn/container-root/usr/share/easy-rsa/vars
@ -43,8 +43,8 @@ export KEY_EXPIRE=3650
 # Don't leave any of these fields blank.
 export KEY_COUNTRY="US"
 export KEY_PROVINCE="CA"
-export KEY_CITY="SanFrancisco"
-export KEY_ORG="Fort-Funston"
+export KEY_CITY="MyCity"
+export KEY_ORG="MyOrg"
 export KEY_EMAIL="me@myhost.mydomain"
 export KEY_OU="MyOrganizationalUnit"

@ -55,6 +55,7 @@ export KEY_NAME="EasyRSA"
 # export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
 # export PKCS11_PIN=1234

-# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
-# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# If you'd like to sign all keys with the same Common Name, uncomment the
+# KEY_CN export below. You will also need to make sure your OpenVPN server
+# config has the duplicate-cn option set
 # export KEY_CN="CommonName"
--- a/Dockerfiles/openvpn/init
+++ b/Dockerfiles/openvpn/init
@ -1,28 +0,0 @@
-#!/usr/bin/env bash
-
-# Make sure OpenVPN config directory exists.
-mkdir -p /config/openvpn/
-
-cp -n /openvpn.conf /config/openvpn/
-
-# Check if keys exist, if not, create with easy-rsa
-if [ ! -d "/config/openvpn/keys" ]; then
-    cd /usr/share/easy-rsa
-    source vars
-    ./clean-all
-    ./build-dh
-    ./pkitool --initca
-    ./pkitool --server server
-    ./pkitool client
-    openvpn --genkey --secret /config/openvpn/keys/ta.key
-fi
-
-# Make the tun device
-mkdir -p /dev/net
-if [ ! -c /dev/net/tun ]; then
-    mknod /dev/net/tun c 10 200
-fi
-
-iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-
-exec openvpn /config/openvpn/openvpn.conf