diff --git a/Dockerfile b/Dockerfile index a85cb24b..4ece3147 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,18 +7,15 @@ LABEL maintainer="Kyle Manna " # Testing: pamtester RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \ - apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \ + apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester libqrencode && \ ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \ rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* # Needed by scripts -ENV OPENVPN /etc/openvpn -ENV EASYRSA /usr/share/easy-rsa -ENV EASYRSA_PKI $OPENVPN/pki -ENV EASYRSA_VARS_FILE $OPENVPN/vars - -# Prevents refused client connection because of an expired CRL -ENV EASYRSA_CRL_DAYS 3650 +ENV OPENVPN=/etc/openvpn +ENV EASYRSA=/usr/share/easy-rsa \ + EASYRSA_CRL_DAYS=3650 \ + EASYRSA_PKI=$OPENVPN/pki VOLUME ["/etc/openvpn"] diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 7207a09e..324b8363 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -15,7 +15,6 @@ RUN echo "http://dl-4.alpinelinux.org/alpine/edge/community/" >> /etc/apk/reposi ENV OPENVPN /etc/openvpn ENV EASYRSA /usr/share/easy-rsa ENV EASYRSA_PKI $OPENVPN/pki -ENV EASYRSA_VARS_FILE $OPENVPN/vars # Prevents refused client connection because of an expired CRL ENV EASYRSA_CRL_DAYS 3650 diff --git a/README.md b/README.md index cd110301..a9106737 100644 --- a/README.md +++ b/README.md 
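Review bot: The why-comment for EASYRSA_CRL_DAYS is dropped while the setting itself is kept in the merged ENV instruction, so the 3650-day choice is no longer explained anywhere in this Dockerfile (Dockerfile.aarch64 still carries it as context). Keep it above the ENV line, e.g. `# EASYRSA_CRL_DAYS: prevents refused client connections because of an expired CRL`. The value is also asserted by test/tests/revocation/run.sh later in this diff, which is a second reason to document why it is pinned.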
@@ -31,8 +31,8 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq). private key used by the newly generated certificate authority. docker volume create --name $OVPN_DATA - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki * Start OpenVPN server process @@ -40,11 +40,11 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq). * Generate a client certificate without a passphrase - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass * Retrieve the client configuration with embedded certificates - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn ## Next Steps @@ -69,7 +69,7 @@ If you prefer to use `docker-compose` please refer to the [documentation](docs/d * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). - docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn + docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --cap-add=NET_ADMIN -e DEBUG=1 kylemanna/openvpn * Test using a client that has openvpn installed correctly diff --git a/bin/easyrsa_vars b/bin/easyrsa_vars deleted file mode 100755 index e2fb56f2..00000000 --- a/bin/easyrsa_vars +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/sh - -# -# Import/export EasyRSA default settings -# - -if [ "$DEBUG" == "1" ]; then - set -x -fi - -set -e - -if [ $# -lt 1 ]; then - echo "No command provided" - echo - echo "$0 export > /path/to/file" - echo "$0 import < /path/to/file" - exit 1 -fi - -cmd=$1 -shift - -case "$cmd" in - export) - if [ -f "$EASYRSA_VARS_FILE" ]; then - cat "$EASYRSA_VARS_FILE" - else - cat "$EASYRSA/vars.example" - fi - ;; - import) - cat > "$EASYRSA_VARS_FILE" - ;; - *) - echo "Unknown cmd \"$cmd\"" - exit 2 - ;; -esac diff --git a/bin/ovpn_otp_user b/bin/ovpn_otp_user index 7af9c1ec..dcebd4a6 100755 --- a/bin/ovpn_otp_user +++ b/bin/ovpn_otp_user @@ -28,6 +28,7 @@ if [ "$2" == "interactive" ]; then # Always use time base OTP otherwise storage for counters must be configured somewhere in volume google-authenticator --time-based --force -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator else + # Skip confirmation if not running in interctive mode. Essential for integration tests. google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \ - -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator -fi \ No newline at end of file + -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator --no-confirm +fi diff --git a/bin/ovpn_revokeclient b/bin/ovpn_revokeclient index c1c175f6..00fefd9a 100755 --- a/bin/ovpn_revokeclient +++ b/bin/ovpn_revokeclient @@ -22,7 +22,6 @@ if [ -z "$EASYRSA_PKI" ]; then fi cn="$1" -parm="$2" if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then echo "Unable to find \"${cn}\", please try again or generate the key first" >&2 
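Review bot: The rewritten google-authenticator line still builds the secret-file path from `${1}` unquoted (`-s /etc/openvpn/otp/${1}.google_authenticator`), so a user name containing whitespace or a glob character is split or expanded before it reaches the tool; write it as `-s "/etc/openvpn/otp/${1}.google_authenticator"` on both branches, and confirm the name is validated before this point, since any such check is outside the hunk. The added comment has a typo: `# Skip confirmation if not running in interactive mode. Essential for integration tests.`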
@@ -37,25 +36,4 @@ revoke_client_certificate(){ chmod 644 "$OPENVPN/crl.pem" } -remove_files(){ - rm -v "$EASYRSA_PKI/issued/${1}.crt" - rm -v "$EASYRSA_PKI/private/${1}.key" - rm -v "$EASYRSA_PKI/reqs/${1}.req" -} - -case "$parm" in - "remove") - revoke_client_certificate "$cn" - remove_files "$cn" - ;; - "" | "keep") - revoke_client_certificate "$cn" - ;; - *) - echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2 - echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2 - echo " 1. keep (default): Keep the files." >&2 - echo " 2. remove: Remove the files." >&2 - echo "Please specify one of those options as second parameter." >&2 - ;; -esac +revoke_client_certificate "$cn" diff --git a/bin/ovpn_run b/bin/ovpn_run index 9e9f3d54..e93201bc 100755 --- a/bin/ovpn_run +++ b/bin/ovpn_run @@ -39,11 +39,11 @@ function addArg { # this allows rules/routing to be altered by supplying this function # in an included file, such as ovpn_env.sh function setupIptablesAndRouting { - iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || { + iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || { iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE } for i in "${OVPN_ROUTES[@]}"; do - iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || { + iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || { iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE } done 
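Review bot: With the `remove` option gone, a revoked client's crt/key/req always stay under $EASYRSA_PKI, and the removed usage text said that is exactly what blocks issuing a new certificate for the same CN; nothing in the script states this now. Add `# The revoked crt/key/req are kept; remove them from $EASYRSA_PKI before reissuing a certificate for this CN.` above the final `revoke_client_certificate "$cn"` call. A second argument is now silently ignored rather than rejected, so a caller still passing `remove` gets no signal; `[ $# -le 1 ] || { echo "unexpected argument: $2" >&2; exit 2; }` would catch that. The @@ -22 hunk removing `parm="$2"` belongs to the same change.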
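Review bot: `$OVPN_SERVER` and `$OVPN_NATDEVICE` are still unquoted on the rewritten `iptables -C` lines while `"$i"` in the same loop is quoted; use `-s "$OVPN_SERVER" -o "$OVPN_NATDEVICE"` on both `-C` lines (and the `-A` lines beside them) for consistency. Quieting stderr on the `-C` probe is acceptable because the `-A` that follows still reports a real failure such as a missing capability, but that reasoning deserves a line: `# -C only probes for the rule; its "no such rule" error is expected, -A below still reports real failures`.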
@@ -87,13 +87,18 @@ fi ip -6 route show default 2>/dev/null if [ $? = 0 ]; then - echo "Enabling IPv6 Forwarding" - # If this fails, ensure the docker container is run with --privileged - # Could be side stepped with `ip netns` madness to drop privileged flag + echo "Checking IPv6 Forwarding" + if [ "$(/dev/tcp/127.0.0.1/9999 && break +done - # Break when connected - #echo state | busybox nc 127.0.0.1 9999 | grep -q "CONNECTED,SUCCESS" && break; +if [ $i -ge $timeout ]; then + echo "Error connecting to OpenVPN mgmt interface, i=$i, exiting." + exit 2 +fi - # Bash magic for tcp sockets - if exec 3<>/dev/tcp/127.0.0.1/9999; then - # Consume all header input - while read -t 0.1 <&3; do true; done - echo "state" >&3 - read -t 1 <&3 - echo -n $REPLY | grep -q "CONNECTED,SUCCESS" && break || true - exec 3>&- - fi +# Consume all header input and echo, look for errors here +while read -t 0.1 <&3; do echo $REPLY; done - # Else sleep +# Request state over mgmt interface +timeout=10 +for i in $(seq $timeout); do + echo "state" >&3 + state=$(head -n1 <&3) + echo -n "$state" | grep -q 'CONNECTED,SUCCESS' && break sleep 1 done if [ $i -ge $timeout ]; then - echo "Error starting OpenVPN, i=$i, exiting." - exit 2; + echo "Error connecting to OpenVPN, i=$i, exiting." + exit 3 fi -# The show is over. -kill %1 +exec 3>&- diff --git a/test/tests/basic/run.sh b/test/tests/basic/run.sh index f1013bca..26760696 100755 --- a/test/tests/basic/run.sh +++ b/test/tests/basic/run.sh 
@@ -22,30 +22,22 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | tee $CL docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT # -# Fire up the server +# Fire up the server and setup a trap to always clean it up # -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' -# run in shell bg to get logs -docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & +trap "{ jobs -p | xargs -r kill; wait; }" EXIT +docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -e DEBUG --cap-add=NET_ADMIN $IMG & -#for i in $(seq 10); do -# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') -# test -n "$SERV_IP" && break -#done -#sed -ie s:SERV_IP:$SERV_IP:g config.ovpn +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g ${CLIENT_DIR}/config.ovpn # -# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT -# the host as it confuses itself: -# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194" +# Fire up a client in a container since openvpn is disallowed by Travis-CI # -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh - -# -# Client either connected or timed out, kill server -# -kill %1 +docker run --rm --cap-add=NET_ADMIN -e DEBUG --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh # # Celebrate diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh index 5696252b..210df9c8 100755 --- a/test/tests/dual-proto/run.sh +++ b/test/tests/dual-proto/run.sh 
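Review bot: If all ten `docker inspect` attempts fail, SERV_IP_INTERNAL is empty (the `|| true` hides the error) and the `sed` on the next line quietly rewrites the server address in config.ovpn to nothing, so the test fails later as an opaque connect timeout instead of at the real cause. Add `test -n "$SERV_IP_INTERNAL" || { echo "ovpn-test never got an address" >&2; exit 1; }` after `done`, and quote both sed operands (`"s:$SERV_IP:$SERV_IP_INTERNAL:g"`) so an empty host address cannot produce a malformed expression. The same loop-then-sed pattern appears in test/tests/dual-proto/run.sh (twice), test/tests/otp/run.sh and test/tests/revocation/run.sh (@@ -44) in this diff and needs the same guard.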
@@ -34,25 +34,32 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_ # # Fire up the server # -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' -# run in shell bg to get logs -docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & -docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp & +# Run in shell bg to get logs, setup trap to clean-up +trap "{ jobs -p | xargs -r kill; wait; docker volume rm ${OVPN_DATA}; }" EXIT +docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN -e DEBUG $IMG & +docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN -e DEBUG $IMG ovpn_run --proto tcp --port 443 & -# -# Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT -# the host as it confuses itself: -# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194" -# -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn" +# Update configs +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test-udp" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn + +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test-tcp" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config-tcp.ovpn # -# Client either connected or timed out, kill server +# Fire up a clients 
in a containers since openvpn is disallowed by Travis-CI # -kill %1 %2 +docker run --rm --cap-add=NET_ADMIN -v $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh +docker run --rm --cap-add=NET_ADMIN -v $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn" # # Celebrate diff --git a/test/tests/iptables/run.sh b/test/tests/iptables/run.sh index b35cefdd..b44a6f0a 100755 --- a/test/tests/iptables/run.sh +++ b/test/tests/iptables/run.sh @@ -16,14 +16,17 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_ docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG # check default iptables rules -docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE' +for i in $(seq 10); do + docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; exec iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE' && break + echo waiting for server start-up + sleep 1 +done # append new setupIptablesAndRouting function to config docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh' # kill server in preparation to modify config -docker kill $NAME -docker rm $NAME +docker rm -f $NAME # check that overridden function exists and that test iptables rules is active docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG @@ -33,6 +36,5 @@ docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIpt # kill server # -docker kill $NAME -docker rm $NAME +docker rm -f $NAME docker volume rm $OVPN_DATA diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh index bea67a8d..c162918d 100755 --- a/test/tests/otp/run.sh +++ b/test/tests/otp/run.sh 
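Review bot: The EXIT trap removes the volume right after `kill`/`wait`, but both servers run with `--rm`, and container removal by the daemon can still be in flight when `docker volume rm ${OVPN_DATA}` runs; if that happens the volume stays behind in CI. Consider `docker rm -f ovpn-test-udp ovpn-test-tcp 2>/dev/null || true` ahead of the volume removal, or a short retry on `docker volume rm`. The new comment reads awkwardly: `# Fire up clients in containers since openvpn is disallowed by Travis-CI`.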
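Review bot: The new retry loop never fails: when the MASQUERADE rule has not appeared after ten attempts, the final `docker exec ... && break` returns non-zero without aborting and the script continues as if the default rule check had passed. Set `found=` before the loop, change the probe line to `docker exec -ti $NAME bash -c '...' && { found=1; break; }`, and add `test -n "$found" || { echo 'default MASQUERADE rule never appeared' >&2; exit 1; }` after `done`. The same applies whether or not the script runs under `set -e`, since a `&&` list is exempt from errexit.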
@@ -49,28 +49,19 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c # # Fire up the server # -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' -# run in shell bg to get logs -docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & +trap "{ jobs -p | xargs -r kill; wait; }" EXIT +docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN $IMG & -#for i in $(seq 10); do -# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') -# test -n "$SERV_IP" && break -#done -#sed -ie s:SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn # -# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT -# the host as it confuses itself: -# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194" -# -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh - -# -# Client either connected or timed out, kill server -# -kill %1 +# Fire up a client in a container since openvpn is disallowed by Travis-CI +docker run --rm --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh # # Celebrate diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh index 6130aa53..25c99897 100755 --- a/test/tests/revocation/run.sh +++ b/test/tests/revocation/run.sh 
@@ -3,11 +3,11 @@ set -e [ -n "${DEBUG+x}" ] && set -x -OVPN_DATA="basic-data" +OVPN_DATA="ovpn-revoke-test-data" CLIENT1="travis-client1" CLIENT2="travis-client2" IMG="kylemanna/openvpn" -NAME="ovpn-test" +NAME="ovpn-revoke-test" CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" SERV_IP="$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)" @@ -18,18 +18,23 @@ docker volume create --name $OVPN_DATA docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP docker run --rm -v $OVPN_DATA:/etc/openvpn -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass -# -# Fire up the server. -# -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD 1 -j DOCKER -docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --privileged -p 1194:1194/udp --name $NAME $IMG +# Register clean-up function +function finish { + # Stop the server and clean up + docker rm -f $NAME + docker volume rm $OVPN_DATA + jobs -p | xargs -r kill + wait +} +trap finish EXIT +# Put the server in the background +docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --name $NAME $IMG # # Test that easy_rsa generate CRLs with 'next publish' set to 3650 days. # -crl_next_update="$(docker exec $NAME openssl crl -nextupdate -noout -in /etc/openvpn/crl.pem | cut -d'=' -f2 | tr -d 'GMT')" +crl_next_update="$(docker exec $NAME bash -c "openssl crl -nextupdate -noout -in \$EASYRSA_PKI/crl.pem | cut -d'=' -f2 | tr -d 'GMT'")" crl_next_update="$(date -u -d "$crl_next_update" "+%s")" now="$(docker exec $NAME date "+%s")" crl_remain="$(( $crl_next_update - $now ))" 
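Review bot: In `finish`, `docker rm -f $NAME` runs first and unguarded; if the server container was never created (e.g. the genconfig or initpki step failed), that command fails and, with `set -e` in effect at the top of the script, the remaining cleanup including `docker volume rm $OVPN_DATA` is likely skipped. Use `docker rm -f $NAME 2>/dev/null || true` and `docker volume rm $OVPN_DATA || true` so each cleanup step runs independently. Separately, the CRL check now reads `$EASYRSA_PKI/crl.pem`, while `revoke_client_certificate` in bin/ovpn_revokeclient (earlier in this diff) publishes `$OPENVPN/crl.pem`; if those are distinct files, the test is asserting the expiry of the one the server does not load — worth confirming.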
@@ -44,12 +49,20 @@ fi # docker exec -it $NAME easyrsa build-client-full $CLIENT1 nopass docker exec -it $NAME ovpn_getclient $CLIENT1 > $CLIENT_DIR/config.ovpn -docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1 remove" +docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1" + +# Determine IP address of container running daemon and update config +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$NAME" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn # # Test that openvpn client can't connect using $CLIENT1 config. # -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #1." >&2 exit 2 fi @@ -59,9 +72,16 @@ fi # docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn -docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2 remove" +docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2" + +# Determine IP address of container running daemon and update config +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$NAME" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #2." >&2 exit 2 fi 
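Review bot: In the @@ -59 hunk the second inspect loop obtains SERV_IP_INTERNAL but, unlike the first, is not followed by a `sed`, so the freshly generated CLIENT2 config still points at `$SERV_IP` (the host address) where nothing listens now that the port mapping is gone; revocation test #2 then passes for the wrong reason. Add `sed -i -e "s:$SERV_IP:$SERV_IP_INTERNAL:g" $CLIENT_DIR/config.ovpn` after that loop's `done`. Because this test and #3 are negative tests, any connection failure counts as success; grepping the client output for the TLS/CRL rejection rather than relying on a timeout would make the revocation assertion meaningful.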
@@ -74,18 +94,11 @@ docker stop $NAME && docker start $NAME # # Test for failed connection using $CLIENT2 config again. # -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #3." >&2 exit 2 fi -# -# Stop the server and clean up -# -docker kill $NAME && docker rm $NAME -docker volume rm $OVPN_DATA -sudo iptables -D FORWARD 1 - # # Celebrate #