Add an OpenVPN container

2015-11-11 03:14:53 -05:00 · 2015-11-11 03:14:53 -05:00 · a2762c9f60
parent 85328b8eea
commit a2762c9f60
10 changed files with 203 additions and 0 deletions
--- a/Dockerfiles/openvpn/Dockerfile
+++ b/Dockerfiles/openvpn/Dockerfile
@ -0,0 +1,23 @@
+FROM kelvinchen/seedbox:base
+MAINTAINER Kelvin Chen <kelvin@kelvinchen.org>
+
+# Install OpenVPN
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        openvpn \
+        easy-rsa \
+        iptables \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /usr/share/easy-rsa
+
+EXPOSE 1194/udp
+
+VOLUME /config
+
+COPY vars /usr/share/easy-rsa/
+COPY openvpn.conf start client.ovpn /
+COPY create-client /usr/local/bin/
+
+CMD ["/start"]
--- a/Dockerfiles/openvpn/client.ovpn
+++ b/Dockerfiles/openvpn/client.ovpn
@ -0,0 +1,19 @@
+client
+
+nobind
+
+remote MYSERVER_HOST 1194
+proto udp
+dev tun
+
+resolv-retry infinite
+
+cipher     AES-256-CBC
+auth       SHA512
+
+tls-client
+
+comp-lzo
+
+persist-tun
+persist-key
--- a/Dockerfiles/openvpn/create-client
+++ b/Dockerfiles/openvpn/create-client
@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+KEYDIR="/config/openvpn/keys"
+CLIENT=${1:-client}
+
+echo "
+$(cat /client.ovpn)
+<ca>
+$(cat $KEYDIR/ca.crt)
+</ca>
+<cert>
+$(cat $KEYDIR/$CLIENT.crt)
+</cert>
+<key>
+$(cat $KEYDIR/$CLIENT.key)
+</key>
+<tls-auth>
+$(cat $KEYDIR/ta.key)
+</tls-auth>
+key-direction 1
+"
--- a/Dockerfiles/openvpn/openvpn.conf
+++ b/Dockerfiles/openvpn/openvpn.conf
@ -0,0 +1,31 @@
+# vim: ft=conf
+
+port  1194
+proto udp
+dev   tun
+
+ca       /config/openvpn/keys/ca.crt
+cert     /config/openvpn/keys/server.crt
+key      /config/openvpn/keys/server.key
+dh       /config/openvpn/keys/dh2048.pem
+tls-auth /config/openvpn/keys/ta.key 0
+
+cipher     AES-256-CBC
+auth       SHA512
+
+tls-server
+
+server 10.8.0.0 255.255.255.0
+
+ifconfig-pool-persist /config/openvpn/ipp.txt
+
+keepalive 10 120
+
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 8.8.8.8"
+push "dhcp-option DNS 8.8.4.4"
+
+comp-lzo
+
+persist-key
+persist-tun
--- a/Dockerfiles/openvpn/start
+++ b/Dockerfiles/openvpn/start
@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Make sure OpenVPN config directory exists.
+mkdir -p /config/openvpn/
+
+cp -n /openvpn.conf /config/openvpn/
+
+# Check if keys exist, if not, create with easy-rsa
+if [ ! -d "/config/openvpn/keys" ]; then
+    cd /usr/share/easy-rsa
+    source vars
+    ./clean-all
+    ./build-dh
+    ./pkitool --initca
+    ./pkitool --server server
+    ./pkitool client
+    openvpn --genkey --secret /config/openvpn/keys/ta.key
+fi
+
+# Make the tun device
+mkdir -p /dev/net
+if [ ! -c /dev/net/tun ]; then
+    mknod /dev/net/tun c 10 200
+fi
+
+iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+
+openvpn /config/openvpn/openvpn.conf
--- a/Dockerfiles/openvpn/vars
+++ b/Dockerfiles/openvpn/vars
@ -0,0 +1,60 @@
+# easy-rsa parameter settings
+
+export EASY_RSA="/usr/share/easy-rsa"
+
+export OPENSSL="openssl"
+export PKCS11TOOL="pkcs11-tool"
+export GREP="grep"
+
+# This variable should point to
+# the openssl.cnf file included
+# with easy-rsa.
+export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+
+# Edit this variable to point to
+# your soon-to-be-created key
+# directory.
+#
+# WARNING: clean-all will do
+# a rm -rf on this directory
+# so make sure you define
+# it correctly!
+export KEY_DIR="/config/openvpn/keys"
+
+# PKCS11 fixes
+export PKCS11_MODULE_PATH="dummy"
+export PKCS11_PIN="dummy"
+
+# Increase this to 2048 if you
+# are paranoid.  This will slow
+# down TLS negotiation performance
+# as well as the one-time DH parms
+# generation process.
+export KEY_SIZE=2048
+
+# In how many days should the root CA key expire?
+export CA_EXPIRE=3650
+
+# In how many days should certificates expire?
+export KEY_EXPIRE=3650
+
+# These are the default values for fields
+# which will be placed in the certificate.
+# Don't leave any of these fields blank.
+export KEY_COUNTRY="US"
+export KEY_PROVINCE="CA"
+export KEY_CITY="SanFrancisco"
+export KEY_ORG="Fort-Funston"
+export KEY_EMAIL="me@myhost.mydomain"
+export KEY_OU="MyOrganizationalUnit"
+
+# X509 Subject Field
+export KEY_NAME="EasyRSA"
+
+# PKCS11 Smart Card
+# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
+# export PKCS11_PIN=1234
+
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
+# export KEY_CN="CommonName"
--- a/README.md
+++ b/README.md
@ -47,3 +47,10 @@ certificates for you.
 ## Where is my data?
 All data are saved in the docker volumes `seedbox_config` or
 `seedbox_torrents`.
+
+## OpenVPN
+The OpenVPN container generates a single client key/cert pair by default.
+Run the `create-client CLIENT_NAME` tool in the openvpn container to generate
+the openvpn file. e.g. `create-client client >> client.ovpn`. You can transfer
+the file back using syncthing or scp. You can also create more certs by using
+easy-rsa.
--- a/build-all.sh
+++ b/build-all.sh
@ -11,3 +11,4 @@ docker build -t kelvinchen/seedbox:plex      Dockerfiles/plex
 docker build -t kelvinchen/seedbox:rtorrent  Dockerfiles/rtorrent
 docker build -t kelvinchen/seedbox:sickrage  Dockerfiles/sickrage
 docker build -t kelvinchen/seedbox:syncthing Dockerfiles/syncthing
+docker build -t kelvinchen/seedbox:openvpn   Dockerfiles/openvpn
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -50,3 +50,15 @@ syncthing:
    volumes:
        - seedbox_config:/config
        - seedbox_torrents:/torrents
+
+openvpn:
+    image: kelvinchen/seedbox:openvpn
+    restart: always
+    net: seedbox
+    ports:
+        - "1194:1194/udp"
+    volumes:
+        - seedbox_config:/config
+        - seedbox_torrents:/torrents
+    cap_add:
+        - NET_ADMIN
--- a/push-images.sh
+++ b/push-images.sh
@ -8,3 +8,4 @@ docker push kelvinchen/seedbox:plex
 docker push kelvinchen/seedbox:rtorrent
 docker push kelvinchen/seedbox:sickrage
 docker push kelvinchen/seedbox:syncthing
+docker push kelvinchen/seedbox:openvpn