Add an OpenVPN container

2015-11-11 03:14:53 -05:00 · 2015-11-11 03:14:53 -05:00 · a2762c9f60
parent 85328b8eea
commit a2762c9f60
10 changed files with 203 additions and 0 deletions
--- a/Dockerfiles/openvpn/Dockerfile
+++ b/Dockerfiles/openvpn/Dockerfile
@ -0,0 +1,23 @@
 FROM kelvinchen/seedbox:base
 MAINTAINER Kelvin Chen <kelvin@kelvinchen.org>
 # Install OpenVPN
 RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        openvpn \
        easy-rsa \
        iptables \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 WORKDIR /usr/share/easy-rsa
 EXPOSE 1194/udp
 VOLUME /config
 COPY vars /usr/share/easy-rsa/
 COPY openvpn.conf start client.ovpn /
 COPY create-client /usr/local/bin/
 CMD ["/start"]
--- a/Dockerfiles/openvpn/client.ovpn
+++ b/Dockerfiles/openvpn/client.ovpn
@ -0,0 +1,19 @@
 client
 nobind
 remote MYSERVER_HOST 1194
 proto udp
 dev tun
 resolv-retry infinite
 cipher     AES-256-CBC
 auth       SHA512
 tls-client
 comp-lzo
 persist-tun
 persist-key
--- a/Dockerfiles/openvpn/create-client
+++ b/Dockerfiles/openvpn/create-client
@ -0,0 +1,21 @@
 #!/usr/bin/env bash
 KEYDIR="/config/openvpn/keys"
 CLIENT=${1:-client}
 echo "
 $(cat /client.ovpn)
 <ca>
 $(cat $KEYDIR/ca.crt)
 </ca>
 <cert>
 $(cat $KEYDIR/$CLIENT.crt)
 </cert>
 <key>
 $(cat $KEYDIR/$CLIENT.key)
 </key>
 <tls-auth>
 $(cat $KEYDIR/ta.key)
 </tls-auth>
 key-direction 1
 "
--- a/Dockerfiles/openvpn/openvpn.conf
+++ b/Dockerfiles/openvpn/openvpn.conf
@ -0,0 +1,31 @@
 # vim: ft=conf
 port  1194
 proto udp
 dev   tun
 ca       /config/openvpn/keys/ca.crt
 cert     /config/openvpn/keys/server.crt
 key      /config/openvpn/keys/server.key
 dh       /config/openvpn/keys/dh2048.pem
 tls-auth /config/openvpn/keys/ta.key 0
 cipher     AES-256-CBC
 auth       SHA512
 tls-server
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist /config/openvpn/ipp.txt
 keepalive 10 120
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 8.8.4.4"
 comp-lzo
 persist-key
 persist-tun
--- a/Dockerfiles/openvpn/start
+++ b/Dockerfiles/openvpn/start
@ -0,0 +1,28 @@
 #!/usr/bin/env bash
 # Make sure OpenVPN config directory exists.
 mkdir -p /config/openvpn/
 cp -n /openvpn.conf /config/openvpn/
 # Check if keys exist, if not, create with easy-rsa
 if [ ! -d "/config/openvpn/keys" ]; then
    cd /usr/share/easy-rsa
    source vars
    ./clean-all
    ./build-dh
    ./pkitool --initca
    ./pkitool --server server
    ./pkitool client
    openvpn --genkey --secret /config/openvpn/keys/ta.key
 fi
 # Make the tun device
 mkdir -p /dev/net
 if [ ! -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
 fi
 iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
 openvpn /config/openvpn/openvpn.conf
--- a/Dockerfiles/openvpn/vars
+++ b/Dockerfiles/openvpn/vars
@ -0,0 +1,60 @@
 # easy-rsa parameter settings
 export EASY_RSA="/usr/share/easy-rsa"
 export OPENSSL="openssl"
 export PKCS11TOOL="pkcs11-tool"
 export GREP="grep"
 # This variable should point to
 # the openssl.cnf file included
 # with easy-rsa.
 export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
 # Edit this variable to point to
 # your soon-to-be-created key
 # directory.
 #
 # WARNING: clean-all will do
 # a rm -rf on this directory
 # so make sure you define
 # it correctly!
 export KEY_DIR="/config/openvpn/keys"
 # PKCS11 fixes
 export PKCS11_MODULE_PATH="dummy"
 export PKCS11_PIN="dummy"
 # Increase this to 2048 if you
 # are paranoid.  This will slow
 # down TLS negotiation performance
 # as well as the one-time DH parms
 # generation process.
 export KEY_SIZE=2048
 # In how many days should the root CA key expire?
 export CA_EXPIRE=3650
 # In how many days should certificates expire?
 export KEY_EXPIRE=3650
 # These are the default values for fields
 # which will be placed in the certificate.
 # Don't leave any of these fields blank.
 export KEY_COUNTRY="US"
 export KEY_PROVINCE="CA"
 export KEY_CITY="SanFrancisco"
 export KEY_ORG="Fort-Funston"
 export KEY_EMAIL="me@myhost.mydomain"
 export KEY_OU="MyOrganizationalUnit"
 # X509 Subject Field
 export KEY_NAME="EasyRSA"
 # PKCS11 Smart Card
 # export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
 # export PKCS11_PIN=1234
 # If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
 # You will also need to make sure your OpenVPN server config has the duplicate-cn option set
 # export KEY_CN="CommonName"
--- a/README.md
+++ b/README.md
@ -47,3 +47,10 @@ certificates for you.
 ## Where is my data?
 All data are saved in the docker volumes `seedbox_config` or
 `seedbox_torrents`.
 ## OpenVPN
 The OpenVPN container generates a single client key/cert pair by default.
 Run the `create-client CLIENT_NAME` tool in the openvpn container to generate
 the openvpn file. e.g. `create-client client >> client.ovpn`. You can transfer
 the file back using syncthing or scp. You can also create more certs by using
 easy-rsa.
--- a/build-all.sh
+++ b/build-all.sh
@ -11,3 +11,4 @@ docker build -t kelvinchen/seedbox:plex      Dockerfiles/plex
 docker build -t kelvinchen/seedbox:rtorrent  Dockerfiles/rtorrent
 docker build -t kelvinchen/seedbox:sickrage  Dockerfiles/sickrage
 docker build -t kelvinchen/seedbox:syncthing Dockerfiles/syncthing
 docker build -t kelvinchen/seedbox:openvpn   Dockerfiles/openvpn
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -50,3 +50,15 @@ syncthing:
    volumes:
        - seedbox_config:/config
        - seedbox_torrents:/torrents
 openvpn:
    image: kelvinchen/seedbox:openvpn
    restart: always
    net: seedbox
    ports:
        - "1194:1194/udp"
    volumes:
        - seedbox_config:/config
        - seedbox_torrents:/torrents
    cap_add:
        - NET_ADMIN
--- a/push-images.sh
+++ b/push-images.sh
@ -8,3 +8,4 @@ docker push kelvinchen/seedbox:plex
 docker push kelvinchen/seedbox:rtorrent
 docker push kelvinchen/seedbox:sickrage
 docker push kelvinchen/seedbox:syncthing
 docker push kelvinchen/seedbox:openvpn