From 6bee5e9a107a855e7a352faf04bab05b35865f56 Mon Sep 17 00:00:00 2001 From: Chris Abella Date: Mon, 31 Aug 2020 20:47:29 -0400 Subject: [PATCH 01/19] bin/ovpn_initpki: Touch vars file before init-pki EasyRSA 3.0.7 introduces a check for the existence of vars in the vars_setup() function. '$ easyrsa init-pki' fails without first creating the file. See https://github.com/OpenVPN/easy-rsa/commit/ abaa2f57b48e218ac58ee6dc793f178aada31f82#diff-231cb43897d7aa2a98df da5720c2b40f for the exact change. --- bin/ovpn_initpki | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bin/ovpn_initpki b/bin/ovpn_initpki index 14b8ec9e..c7029d2e 100755 --- a/bin/ovpn_initpki +++ b/bin/ovpn_initpki @@ -15,6 +15,10 @@ source "$OPENVPN/ovpn_env.sh" # Specify "nopass" as arg[2] to make the CA insecure (not recommended!) nopass=$1 +# EasyRSA 3.0.7 introduced checks for $EASYRSA_VARS_FILE existence +# in the init-pki script +touch $EASYRSA_VARS_FILE + # Provides a sufficient warning before erasing pre-existing files easyrsa init-pki From a26aa01db2ac1643df3d704c20661e0926cdc7e6 Mon Sep 17 00:00:00 2001 From: Eugene Chow Date: Thu, 3 Oct 2019 18:08:12 +0800 Subject: [PATCH 02/19] 'apk add libqrencode' because it's missing from the image --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a85cb24b..5f8d0ea8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,7 +7,7 @@ LABEL maintainer="Kyle Manna " # Testing: pamtester RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \ - apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \ + apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester libqrencode && \ ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \ rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* From df80ea5663f1306c45881b01b348888ae1151de7 Mon Sep 17 00:00:00 2001 
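Review bot: The added `touch $EASYRSA_VARS_FILE` expands the variable unquoted and, when it is unset or empty, runs `touch` with no operand and fails with only touch's usage error, which says nothing about the real cause. Assert the value first and quote it: `: "${EASYRSA_VARS_FILE:?EASYRSA_VARS_FILE must be set}"` followed by `touch -- "$EASYRSA_VARS_FILE"`. The comment could also record what the commit message establishes, that an empty file is enough, e.g. `# EasyRSA 3.0.7+ refuses init-pki unless the vars file exists; an empty file satisfies the check`. Whether this script runs under `set -e` is not visible in the hunk.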
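Review bot: The new `libqrencode` is added to an `apk add --update` line that carries no version pin on any package and runs after the same `RUN` step has appended the Alpine edge/testing repository, so every rebuild may resolve a different package set and a behaviour change in any of these tools lands silently. Consider pinning the packages that matter (`apk add libqrencode=<version-placeholder>` and likewise for the others) or at least printing the resolved versions in the build log. The repository URL on the context line is plain `http://`; apk checks package signatures, so this mostly affects availability rather than integrity, but `https://` costs nothing here.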
From: Kyle Manna Date: Sun, 25 Oct 2020 18:22:51 -0700 Subject: [PATCH 03/19] otp: Disable confirmation in non-interactive mode * This would hang the tests. --- bin/ovpn_otp_user | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/bin/ovpn_otp_user b/bin/ovpn_otp_user index 7af9c1ec..dcebd4a6 100755 --- a/bin/ovpn_otp_user +++ b/bin/ovpn_otp_user @@ -28,6 +28,7 @@ if [ "$2" == "interactive" ]; then # Always use time base OTP otherwise storage for counters must be configured somewhere in volume google-authenticator --time-based --force -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator else + # Skip confirmation if not running in interctive mode. Essential for integration tests. google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \ - -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator -fi \ No newline at end of file + -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator --no-confirm +fi From 0b2e632047abc7fa76e61fa7bde74f36e8a861de Mon Sep 17 00:00:00 2001 From: Marco Ost Date: Fri, 25 Oct 2019 12:08:39 +0200 Subject: [PATCH 04/19] remove remove_files function and second arg --- bin/ovpn_revokeclient | 24 +----------------------- 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/bin/ovpn_revokeclient b/bin/ovpn_revokeclient index c1c175f6..f93078f2 100755 --- a/bin/ovpn_revokeclient +++ b/bin/ovpn_revokeclient @@ -22,7 +22,6 @@ if [ -z "$EASYRSA_PKI" ]; then fi cn="$1" -parm="$2" if [ ! -f "$EASYRSA_PKI/private/${cn}.key" ]; then echo "Unable to find \"${cn}\", please try again or generate the key first" >&2 
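Review bot: The rewritten `-s /etc/openvpn/otp/${1}.google_authenticator --no-confirm` line still leaves `${1}` unquoted, so a username containing whitespace or glob characters is split or expanded before `google-authenticator` sees it; change it to `-s "/etc/openvpn/otp/${1}.google_authenticator" --no-confirm`. Because `$1` is spliced into a filesystem path in both branches, the script should reject values containing `/` or `..` before this point (outside the hunk) so a caller cannot steer the secret file out of the otp directory. The new comment has a typo: `interctive` → `interactive`.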
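Review bot: With `parm="$2"` removed the script now accepts and silently ignores a second argument, so an existing caller that still passes `remove` (the revocation test at this point in the series does: `ovpn_revokeclient $CLIENT1 remove`) gets a revocation without the file clean-up it asked for and without any message saying the option is gone. Near `cn="$1"`, either reject or warn on extra arguments, e.g. `[ $# -le 1 ] || echo "Ignoring extra arguments: ${*:2}" >&2`. The rest of the script continues past this hunk.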
@@ -37,25 +36,4 @@ revoke_client_certificate(){ chmod 644 "$OPENVPN/crl.pem" } -remove_files(){ - rm -v "$EASYRSA_PKI/issued/${1}.crt" - rm -v "$EASYRSA_PKI/private/${1}.key" - rm -v "$EASYRSA_PKI/reqs/${1}.req" -} - -case "$parm" in - "remove") - revoke_client_certificate "$cn" - remove_files "$cn" - ;; - "" | "keep") - revoke_client_certificate "$cn" - ;; - *) - echo "When revoking a client certificate, this script let you choose if you want to remove the corresponding crt, key and req files." >&2 - echo "Pease note that the removal of those files is required if you want to generate a new client certificate using the revoked certificate's CN." >&2 - echo " 1. keep (default): Keep the files." >&2 - echo " 2. remove: Remove the files." >&2 - echo "Please specify one of those options as second parameter." >&2 - ;; -esac +revoke_client_certificate "$cn" \ No newline at end of file From 1a22f6195e83a37ab35151394c4d00bd12804317 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 25 Oct 2020 19:11:02 -0700 Subject: [PATCH 05/19] test: revocation: Fix EasyRSA revoke behavior * EasyRSA moves the files aside now, see EasyRSA v3.0.6 for details * https://github.com/OpenVPN/easy-rsa/commit/675fc990edf01a76133b375d47f0ab70656a6b2b --- bin/ovpn_revokeclient | 2 +- test/tests/revocation/run.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/ovpn_revokeclient b/bin/ovpn_revokeclient index f93078f2..00fefd9a 100755 --- a/bin/ovpn_revokeclient +++ b/bin/ovpn_revokeclient @@ -36,4 +36,4 @@ revoke_client_certificate(){ chmod 644 "$OPENVPN/crl.pem" } -revoke_client_certificate "$cn" \ No newline at end of file +revoke_client_certificate "$cn" diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh index 6130aa53..9ec81875 100755 --- a/test/tests/revocation/run.sh +++ b/test/tests/revocation/run.sh 
@@ -44,7 +44,7 @@ fi # docker exec -it $NAME easyrsa build-client-full $CLIENT1 nopass docker exec -it $NAME ovpn_getclient $CLIENT1 > $CLIENT_DIR/config.ovpn -docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1 remove" +docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1" # # Test that openvpn client can't connect using $CLIENT1 config. @@ -59,7 +59,7 @@ fi # docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn -docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2 remove" +docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2" if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #2." >&2 From a71140e0cfe61f7a07c4a28a85c64ad85ed954e4 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 25 Oct 2020 19:12:12 -0700 Subject: [PATCH 06/19] test: revocation: Minor style clean ups * Always tear down test server if it exits for any reason. * Give container + volume unique name. * Drop iptables commands, these scare me as they are mucking with the state of my machine. * Fix path to cert revocation list, the OpenVPN crl is copied at start-up and is a race condition. --- test/tests/revocation/run.sh | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh index 9ec81875..fa5f5fdc 100755 --- a/test/tests/revocation/run.sh +++ b/test/tests/revocation/run.sh 
@@ -3,11 +3,11 @@ set -e [ -n "${DEBUG+x}" ] && set -x -OVPN_DATA="basic-data" +OVPN_DATA="ovpn-revoke-test-data" CLIENT1="travis-client1" CLIENT2="travis-client2" IMG="kylemanna/openvpn" -NAME="ovpn-test" +NAME="ovpn-revoke-test" CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" SERV_IP="$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)" @@ -18,18 +18,21 @@ docker volume create --name $OVPN_DATA docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP docker run --rm -v $OVPN_DATA:/etc/openvpn -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass -# -# Fire up the server. -# -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD 1 -j DOCKER -docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --privileged -p 1194:1194/udp --name $NAME $IMG +# Register clean-up function +function finish { + # Stop the server and clean up + docker rm -f $NAME + docker volume rm $OVPN_DATA +} +trap finish EXIT +# Put the server in the background +docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN -p 1194:1194/udp --name $NAME $IMG # # Test that easy_rsa generate CRLs with 'next publish' set to 3650 days. # -crl_next_update="$(docker exec $NAME openssl crl -nextupdate -noout -in /etc/openvpn/crl.pem | cut -d'=' -f2 | tr -d 'GMT')" +crl_next_update="$(docker exec $NAME bash -c "openssl crl -nextupdate -noout -in \$EASYRSA_PKI/crl.pem | cut -d'=' -f2 | tr -d 'GMT'")" crl_next_update="$(date -u -d "$crl_next_update" "+%s")" now="$(docker exec $NAME date "+%s")" crl_remain="$(( $crl_next_update - $now ))" @@ -79,13 +82,6 @@ if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net exit 2 fi -# -# Stop the server and clean up -# -docker kill $NAME && docker rm $NAME -docker volume rm $OVPN_DATA -sudo iptables -D FORWARD 1 - # # Celebrate # 
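Review bot: `trap finish EXIT` is registered only after `docker volume create` and the `ovpn_initpki` run further up the file, so a failure in those earlier steps still leaks the volume and any partially started container. Because the script runs under the `set -e` visible in the first hunk header, a failing `docker rm -f $NAME` inside `finish` will most likely abort the handler before `docker volume rm $OVPN_DATA` runs, leaking the volume on the exact path the trap is meant to cover. Move the `trap` line to directly after the volume is created and make each step best-effort: `docker rm -f $NAME || true` and `docker volume rm $OVPN_DATA || true`. The `crl_next_update` probe now reads `\$EASYRSA_PKI/crl.pem` inside the container, which is the right file; a short comment saying why `/etc/openvpn/crl.pem` is not used (it is a start-up copy, per the commit message) would keep someone from reverting it.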
From 09819ad9cd971cc21f6a3158cf6e95f04956ef91 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 25 Oct 2020 20:23:07 -0700 Subject: [PATCH 07/19] test: iptables: Remove start-up race condition * The iptables rule to check will only be present after the server has succeeded at starting-up. * Spin up to ~10 seconds waiting. * Fix eval which was intended to be an exec. * Simplify kill + rm. --- test/tests/iptables/run.sh | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/test/tests/iptables/run.sh b/test/tests/iptables/run.sh index b35cefdd..b44a6f0a 100755 --- a/test/tests/iptables/run.sh +++ b/test/tests/iptables/run.sh @@ -16,14 +16,17 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm -it -e "EASYRSA_BATCH=1" -e "EASYRSA_ docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG # check default iptables rules -docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; eval iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE' +for i in $(seq 10); do + docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; exec iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE' && break + echo waiting for server start-up + sleep 1 +done # append new setupIptablesAndRouting function to config docker exec -ti $NAME bash -c 'echo function setupIptablesAndRouting { iptables -t nat -A POSTROUTING -m comment --comment "test"\;} >> /etc/openvpn/ovpn_env.sh' # kill server in preparation to modify config -docker kill $NAME -docker rm $NAME +docker rm -f $NAME # check that overridden function exists and that test iptables rules is active docker run -d --name $NAME -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN $IMG @@ -33,6 +36,5 @@ docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; type -t setupIpt # kill server # -docker kill $NAME -docker rm $NAME +docker rm -f $NAME docker volume rm $OVPN_DATA From 0fa57e5968329da6a3c77e2b9e94f154785a3c89 Mon Sep 17 00:00:00 2001 
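Review bot: The retry loop exits quietly when all ten `iptables -t nat -C` checks fail, because the failing command sits on the left of `&& break` where `set -e` does not apply, so the test proceeds to modify the config as if the default MASQUERADE rule had been confirmed. After `done`, run the check once more on its own so a missing rule fails the test: `docker exec -ti $NAME bash -c 'source /etc/openvpn/ovpn_env.sh; exec iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o eth0 -j MASQUERADE'`. Whether this file sets `-e` is not visible in the hunk; if it does not, append `|| exit 1` to that line. `echo waiting for server start-up` should go to stderr (`>&2`) so it does not mix with any output the test captures.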
From: Kyle Manna Date: Sun, 25 Oct 2020 20:26:54 -0700 Subject: [PATCH 08/19] test: basic: Drop iptables hackery * Don't muck with iptables on the host machine. --- test/tests/basic/run.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/test/tests/basic/run.sh b/test/tests/basic/run.sh index f1013bca..ad496e1d 100755 --- a/test/tests/basic/run.sh +++ b/test/tests/basic/run.sh @@ -24,9 +24,6 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT # # Fire up the server # -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' -# run in shell bg to get logs docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & #for i in $(seq 10); do From 7d372e5db8de69c600018300bc5330e91cc1bc68 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 25 Oct 2020 20:27:30 -0700 Subject: [PATCH 09/19] test: dual-proto: Drop iptables hackery * Don't muck with iptables on the host machine. --- test/tests/dual-proto/run.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh index 5696252b..a117d0d3 100755 --- a/test/tests/dual-proto/run.sh +++ b/test/tests/dual-proto/run.sh @@ -34,8 +34,6 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_ # # Fire up the server # -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' # run in shell bg to get logs docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & From e8c614e836760081685813978b12f868e0b71694 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 25 Oct 2020 20:27:52 -0700 Subject: [PATCH 10/19] test: otp: Drop iptables hackery * Don't muck with iptables on the host machine. --- test/tests/otp/run.sh | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh index bea67a8d..8a000c6a 100755 --- a/test/tests/otp/run.sh +++ b/test/tests/otp/run.sh @@ -49,9 +49,6 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c # # Fire up the server # -sudo iptables -N DOCKER || echo 'Firewall already configured' -sudo iptables -I FORWARD -j DOCKER || echo 'Forward already configured' -# run in shell bg to get logs docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & #for i in $(seq 10); do From 1c553563d9cb8524dd33eebd9864b00f55bbe74d Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 25 Oct 2020 21:25:11 -0700 Subject: [PATCH 11/19] dockerfile: Reduce ENV lines to single layer * Results in a slightly simpler docker image. --- Dockerfile | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5f8d0ea8..6fb30ec2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,13 +12,11 @@ RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/reposi rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* # Needed by scripts -ENV OPENVPN /etc/openvpn -ENV EASYRSA /usr/share/easy-rsa -ENV EASYRSA_PKI $OPENVPN/pki -ENV EASYRSA_VARS_FILE $OPENVPN/vars - -# Prevents refused client connection because of an expired CRL -ENV EASYRSA_CRL_DAYS 3650 +ENV OPENVPN=/etc/openvpn +ENV EASYRSA=/usr/share/easy-rsa \ + EASYRSA_CRL_DAYS=3650 \ + EASYRSA_PKI=$OPENVPN/pki \ + EASYRSA_VARS_FILE=$OPENVPN/vars VOLUME ["/etc/openvpn"] From afc68a437860a5ce746ca89db9dcf3b1fd8919c6 Mon Sep 17 00:00:00 2001 
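Review bot: The consolidated `ENV` block drops the only explanation of `EASYRSA_CRL_DAYS=3650` (`Prevents refused client connection because of an expired CRL`), which is precisely the value a future maintainer is most likely to "tidy" back toward the EasyRSA default. Keep the rationale next to the value, e.g. `# EASYRSA_CRL_DAYS: long CRL validity so clients are not refused once the CRL's nextUpdate passes`. The surviving `# Needed by scripts` could name the consumers (`bin/ovpn_*`) so the coupling between these variables and the scripts is visible from the Dockerfile.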
From: Kyle Manna Date: Sun, 1 Nov 2020 10:15:21 -0800 Subject: [PATCH 12/19] test: Wait for children to exit * Clean-up processes properly. --- test/client/wait-for-connect.sh | 7 +++---- test/tests/basic/run.sh | 7 ++----- test/tests/dual-proto/run.sh | 7 ++----- test/tests/otp/run.sh | 5 +---- test/tests/revocation/run.sh | 2 ++ 5 files changed, 10 insertions(+), 18 deletions(-) diff --git a/test/client/wait-for-connect.sh b/test/client/wait-for-connect.sh index 43f09acd..fa69afd8 100755 --- a/test/client/wait-for-connect.sh +++ b/test/client/wait-for-connect.sh @@ -5,7 +5,8 @@ set -e OPENVPN_CONFIG=${1:-/client/config.ovpn} -# Run in background, rely on bash for job management +# Run in background using bash job management, setup trap to clean-up +trap "{ jobs -p | xargs -r kill; wait; }" EXIT openvpn --config "$OPENVPN_CONFIG" --management 127.0.0.1 9999 & # Spin waiting for interface to exist signifying connection @@ -31,8 +32,6 @@ done if [ $i -ge $timeout ]; then echo "Error starting OpenVPN, i=$i, exiting." - exit 2; + exit 2 fi -# The show is over. -kill %1 diff --git a/test/tests/basic/run.sh b/test/tests/basic/run.sh index ad496e1d..0d1f8b1c 100755 --- a/test/tests/basic/run.sh +++ b/test/tests/basic/run.sh @@ -22,8 +22,9 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_getclient $CLIENT | tee $CL docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT # -# Fire up the server +# Fire up the server and setup a trap to always clean it up # +trap "{ jobs -p | xargs -r kill; wait; }" EXIT docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & #for i in $(seq 10); do @@ -39,10 +40,6 @@ docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp - # docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh -# -# Client either connected or timed out, kill server -# -kill %1 # # Celebrate 
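Review bot: The new EXIT trap `{ jobs -p | xargs -r kill; wait; }` in wait-for-connect.sh (added in the same form to basic/run.sh in this group and to dual-proto/run.sh and otp/run.sh further down) waits without bound after sending SIGTERM, so a child that ignores TERM, or a `docker run` whose container does not stop, hangs the script in its exit path instead of failing it. Consider a bounded wait, or in the test scripts an explicit `docker rm -f` of the fixed container names, which cannot hang on a stubborn process. `wait` also returns the killed job's status inside the trap; with the `set -e` visible in this hunk's header that may alter the script's exit code, so `wait || true`, or saving `$?` on entry and re-raising it with `exit`, is safer. `xargs -r` is not in POSIX xargs; a one-word comment that GNU/BusyBox xargs is assumed would save the next reader a trip.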
diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh index a117d0d3..08aa13dd 100755 --- a/test/tests/dual-proto/run.sh +++ b/test/tests/dual-proto/run.sh @@ -35,7 +35,8 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_ # Fire up the server # -# run in shell bg to get logs +# Run in shell bg to get logs, setup trap to clean-up +trap "{ jobs -p | xargs -r kill; wait; }" EXIT docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp & @@ -47,10 +48,6 @@ docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tc docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn" -# -# Client either connected or timed out, kill server -# -kill %1 %2 # # Celebrate diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh index 8a000c6a..d320fd71 100755 --- a/test/tests/otp/run.sh +++ b/test/tests/otp/run.sh @@ -49,6 +49,7 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c # # Fire up the server # +trap "{ jobs -p | xargs -r kill; wait; }" EXIT docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & #for i in $(seq 10); do @@ -64,10 +65,6 @@ docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp - # docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh -# -# Client either connected or timed out, kill server -# -kill %1 # # Celebrate diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh index fa5f5fdc..972c98d4 100755 --- a/test/tests/revocation/run.sh +++ b/test/tests/revocation/run.sh 
@@ -23,6 +23,8 @@ function finish { # Stop the server and clean up docker rm -f $NAME docker volume rm $OVPN_DATA + jobs -p | xargs -r kill + wait } trap finish EXIT From 9eae9306eab946daa2e28c8e9a6f9a2c18d1e90c Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 1 Nov 2020 10:28:24 -0800 Subject: [PATCH 13/19] ovpn_run: Don't call sysctl which requires --privileged * Instead encourage the user to change how they invoke docker. --- bin/ovpn_run | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/bin/ovpn_run b/bin/ovpn_run index 9e9f3d54..7fa3dd6b 100755 --- a/bin/ovpn_run +++ b/bin/ovpn_run @@ -87,13 +87,18 @@ fi ip -6 route show default 2>/dev/null if [ $? = 0 ]; then - echo "Enabling IPv6 Forwarding" - # If this fails, ensure the docker container is run with --privileged - # Could be side stepped with `ip netns` madness to drop privileged flag + echo "Checking IPv6 Forwarding" + if [ "$( Date: Sun, 1 Nov 2020 12:09:45 -0800 Subject: [PATCH 14/19] ovpn_run: Silence iptables rule checks * It's fine for these to fail, it's expected. --- bin/ovpn_run | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/ovpn_run b/bin/ovpn_run index 7fa3dd6b..e93201bc 100755 --- a/bin/ovpn_run +++ b/bin/ovpn_run 
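Review bot: The two new lines in `finish` kill and wait for background jobs only after `docker rm -f $NAME` and `docker volume rm $OVPN_DATA` have run, so if a backgrounded job still holds the volume the `docker volume rm` fails first and, under the `set -e` this script uses (seen in an earlier hunk of the series), the handler most likely stops before `jobs -p | xargs -r kill` ever executes. Reorder to `jobs -p | xargs -r kill; wait`, then `docker rm -f $NAME`, then `docker volume rm $OVPN_DATA`, and consider `|| true` on the docker calls so one failure does not skip the rest of the clean-up. No backgrounded job is visible in this hunk, so the hazard is inferred from the function's purpose rather than a visible caller.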
@@ -39,11 +39,11 @@ function addArg { # this allows rules/routing to be altered by supplying this function # in an included file, such as ovpn_env.sh function setupIptablesAndRouting { - iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE || { + iptables -t nat -C POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || { iptables -t nat -A POSTROUTING -s $OVPN_SERVER -o $OVPN_NATDEVICE -j MASQUERADE } for i in "${OVPN_ROUTES[@]}"; do - iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE || { + iptables -t nat -C POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE 2>/dev/null || { iptables -t nat -A POSTROUTING -s "$i" -o $OVPN_NATDEVICE -j MASQUERADE } done From 8931825841598c5539ed1da9274feac6a63ab261 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 1 Nov 2020 21:47:20 -0800 Subject: [PATCH 15/19] test: Drop --privileged docker run flag * Fix all the test to not require this flag. --- test/client/wait-for-connect.sh | 41 ++++++++++++++++++++++----------- test/tests/basic/run.sh | 20 ++++++++-------- test/tests/dual-proto/run.sh | 9 ++++---- test/tests/otp/run.sh | 20 +++++++--------- test/tests/revocation/run.sh | 6 ++--- 5 files changed, 51 insertions(+), 45 deletions(-) diff --git a/test/client/wait-for-connect.sh b/test/client/wait-for-connect.sh index fa69afd8..fdc03242 100755 --- a/test/client/wait-for-connect.sh +++ b/test/client/wait-for-connect.sh @@ -5,6 +5,12 @@ set -e OPENVPN_CONFIG=${1:-/client/config.ovpn} +# For some reason privileged mode creates the char device and cap-add=NET_ADMIN doesn't +mkdir -p /dev/net +if [ ! -c /dev/net/tun ]; then + mknod /dev/net/tun c 10 200 +fi + # Run in background using bash job management, setup trap to clean-up trap "{ jobs -p | xargs -r kill; wait; }" EXIT openvpn --config "$OPENVPN_CONFIG" --management 127.0.0.1 9999 & 
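Review bot: Both rewritten `iptables -t nat -C` lines keep `$OVPN_SERVER` and `$OVPN_NATDEVICE` unquoted, so an empty or whitespace-containing value is silently dropped from the argument list and both the check and the `-A` that follows run against a shifted, wrong argument; quote them, `-s "$OVPN_SERVER" -o "$OVPN_NATDEVICE"`, on the `-C` lines and the matching `-A` lines. Sending the probe's stderr to `/dev/null` is fine for the expected "rule does not exist" case, but it also hides a missing-capability or missing-nat-table error until the `-A` repeats it, which deserves a one-line comment on the first check such as `# -C is expected to fail on first start; a real error will resurface on the -A below`. The closing brace of `setupIptablesAndRouting` lies outside this hunk.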
@@ -12,26 +18,33 @@ openvpn --config "$OPENVPN_CONFIG" --management 127.0.0.1 9999 & # Spin waiting for interface to exist signifying connection timeout=10 for i in $(seq $timeout); do + # Allow to start-up + sleep 0.5 - # Break when connected - #echo state | busybox nc 127.0.0.1 9999 | grep -q "CONNECTED,SUCCESS" && break; + # Use bash magic to open tcp socket on fd 3 and break when successful + exec 3<>/dev/tcp/127.0.0.1/9999 && break +done + +if [ $i -ge $timeout ]; then + echo "Error connecting to OpenVPN mgmt interface, i=$i, exiting." + exit 2 +fi - # Bash magic for tcp sockets - if exec 3<>/dev/tcp/127.0.0.1/9999; then - # Consume all header input - while read -t 0.1 <&3; do true; done - echo "state" >&3 - read -t 1 <&3 - echo -n $REPLY | grep -q "CONNECTED,SUCCESS" && break || true - exec 3>&- - fi +# Consume all header input and echo, look for errors here +while read -t 0.1 <&3; do echo $REPLY; done - # Else sleep +# Request state over mgmt interface +timeout=10 +for i in $(seq $timeout); do + echo "state" >&3 + state=$(head -n1 <&3) + echo -n "$state" | grep -q 'CONNECTED,SUCCESS' && break sleep 1 done if [ $i -ge $timeout ]; then - echo "Error starting OpenVPN, i=$i, exiting." - exit 2 + echo "Error connecting to OpenVPN, i=$i, exiting." + exit 3 fi +exec 3>&- diff --git a/test/tests/basic/run.sh b/test/tests/basic/run.sh index 0d1f8b1c..26760696 100755 --- a/test/tests/basic/run.sh +++ b/test/tests/basic/run.sh 
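Review bot: Both new retry loops report success as failure on the last attempt: `for i in $(seq $timeout)` leaves `i` equal to `$timeout` whether the tenth try succeeded via `break` or the loop simply ran out, and the following `if [ $i -ge $timeout ]` cannot tell those apart. Track success explicitly instead of inferring it from the counter; the rewrite below shows the connect loop, and the state loop further down in the hunk needs the same treatment. The state loop also reads the reply with `head -n1 <&3`, which runs in a subshell and may consume more than one line from the socket and discard the rest; `read -r -t 5 state <&3` keeps the read in the shell. `echo $REPLY` in the header-drain loop should be `printf '%s\n' "$REPLY"`.
```shell
connected=0
for i in $(seq $timeout); do
  # Allow to start-up
  sleep 0.5

  # Open a tcp socket on fd 3; stop retrying once it succeeds
  if exec 3<>/dev/tcp/127.0.0.1/9999; then
    connected=1
    break
  fi
done

if [ "$connected" -ne 1 ]; then
  echo "Error connecting to OpenVPN mgmt interface, i=$i, exiting."
  exit 2
fi
# … unchanged: header drain and state loop (apply the same flag there) …
```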
@@ -25,21 +25,19 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT # Fire up the server and setup a trap to always clean it up # trap "{ jobs -p | xargs -r kill; wait; }" EXIT -docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & +docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -e DEBUG --cap-add=NET_ADMIN $IMG & -#for i in $(seq 10); do -# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') -# test -n "$SERV_IP" && break -#done -#sed -ie s:SERV_IP:$SERV_IP:g config.ovpn +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g ${CLIENT_DIR}/config.ovpn # -# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT -# the host as it confuses itself: -# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194" +# Fire up a client in a container since openvpn is disallowed by Travis-CI # -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh - +docker run --rm --cap-add=NET_ADMIN -e DEBUG --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh # # Celebrate diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh index 08aa13dd..63043450 100755 --- a/test/tests/dual-proto/run.sh +++ b/test/tests/dual-proto/run.sh 
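Review bot: The `docker inspect` retry loop has no failure check, so after ten empty answers `SERV_IP_INTERNAL` is still empty and the following `sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g` silently replaces the server address in `config.ovpn` with nothing, turning a slow container start into a confusing client-side connect failure. Add after `done`: `[ -n "$SERV_IP_INTERNAL" ] || { echo "could not determine server IP" >&2; exit 1; }`. The sed expression and path should be quoted, `sed -i -e "s:${SERV_IP}:${SERV_IP_INTERNAL}:g" "${CLIENT_DIR}/config.ovpn"`, since both values come from command output; the dots in an IPv4 address act as regex wildcards, which is harmless here but worth a short comment.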
@@ -37,17 +37,16 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_ # Run in shell bg to get logs, setup trap to clean-up trap "{ jobs -p | xargs -r kill; wait; }" EXIT -docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & -docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged $IMG ovpn_run --proto tcp & +docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN $IMG & +docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --cap-add=NET_ADMIN $IMG ovpn_run --proto tcp & # # Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT # the host as it confuses itself: # "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194" # -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn" - +docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh +docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn" # # Celebrate diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh index d320fd71..ad9cac30 100755 --- a/test/tests/otp/run.sh +++ b/test/tests/otp/run.sh 
@@ -50,21 +50,17 @@ grep 'reneg-sec 0' $CLIENT_DIR/config.ovpn || abort 'reneg-sec not set to 0 in c # Fire up the server # trap "{ jobs -p | xargs -r kill; wait; }" EXIT -docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --privileged $IMG & +docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN $IMG & -#for i in $(seq 10); do -# SERV_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') -# test -n "$SERV_IP" && break -#done -#sed -ie s:SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') + test -n "$SERV_IP_INTERNAL" && break +done +sed -ie s:$SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn # -# Fire up a client in a container since openvpn is disallowed by Travis-CI, don't NAT -# the host as it confuses itself: -# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194" -# -docker run --rm --net=host --privileged --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh - +# Fire up a client in a container since openvpn is disallowed by Travis-CI +docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh # # Celebrate diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh index 972c98d4..e12d5158 100755 --- a/test/tests/revocation/run.sh +++ b/test/tests/revocation/run.sh @@ -54,7 +54,7 @@ docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1" # # Test that openvpn client can't connect using $CLIENT1 config. # -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #1." >&2 exit 2 fi 
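Review bot: The new `docker inspect --format '{{ .NetworkSettings.IPAddress }}'` call passes no container name, and the `sed -ie s:$SERV_IP:$SERV_IP:g` line replaces the address with itself, so `SERV_IP_INTERNAL` is never used and the client config is never rewritten; this looks like an incomplete copy of the equivalent block in basic/run.sh in the same commit. Change the two lines to `SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true)` and `sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn`. Note that GNU sed parses `-ie` as `-i` with backup suffix `e`, leaving a `config.ovpne` file behind, that the loop has no `sleep` between attempts, and that nothing checks a non-empty value was obtained before the sed runs.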
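Review bot: The rewritten `docker run` line in test/tests/revocation/run.sh (and the two like it at `@@ -66` and `@@ -79` further down) now passes `--cap-add=NET_ADMIN` twice: `--privileged` was replaced with a second copy of an option that was already on the line. Docker tolerates the duplicate, but it reads as a leftover and hides whether anything else was meant; drop the second occurrence so the line matches the other tests: `if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then`. These three lines are also the only clients in the series that still use `--net=host`; if that is deliberate, a comment saying why would help.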
@@ -66,7 +66,7 @@ docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2" -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #2." >&2 exit 2 fi @@ -79,7 +79,7 @@ docker stop $NAME && docker start $NAME # # Test for failed connection using $CLIENT2 config again. # -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #3." >&2 exit 2 fi From dc81347dd12219da7b26e245aaa0e80c00f066e8 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 1 Nov 2020 21:48:13 -0800 Subject: [PATCH 16/19] docs: Drop --privileged docker run flag * Fix all the docs to not mention this flag. --- README.md | 2 +- docs/advanced.md | 2 +- docs/tcp.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index cd110301..32939649 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ If you prefer to use `docker-compose` please refer to the [documentation](docs/d * Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e"). - docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn + docker run -v $OVPN_DATA:/etc/openvpn -p 1194:1194/udp --cap-add=NET_ADMIN -e DEBUG=1 kylemanna/openvpn * Test using a client that has openvpn installed correctly 
diff --git a/docs/advanced.md b/docs/advanced.md index ad7c8b3b..26981979 100644 --- a/docs/advanced.md +++ b/docs/advanced.md @@ -17,4 +17,4 @@ The [`ovpn_genconfig`](/bin/ovpn_genconfig) script is intended for simple config * Start the server with: - docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --privileged kylemanna/openvpn + docker run -v $PWD:/etc/openvpn -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn diff --git a/docs/tcp.md b/docs/tcp.md index 6896ea41..1507d5d8 100644 --- a/docs/tcp.md +++ b/docs/tcp.md @@ -21,7 +21,7 @@ specified protocol, adjust the mapping appropriately: ## Running a Second Fallback TCP Container Instead of choosing between UDP and TCP, you can use both. A single instance of OpenVPN can only listen for a single protocol on a single port, but this image makes it easy to run two instances simultaneously. After building, configuring, and starting a standard container listening for UDP traffic on 1194, you can start a second container listening for tcp traffic on port 443: - docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --privileged kylemanna/openvpn ovpn_run --proto tcp + docker run -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn ovpn_run --proto tcp `ovpn_run` will load all the values from the default config file, and `--proto tcp` will override the protocol setting. From 192ce973754d333fb84cdc0e96f44cd39d8a3193 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Sun, 1 Nov 2020 23:00:16 -0800 Subject: [PATCH 17/19] test: Drop dependence on --net=host * This is really hard to work on other things while running this test when the host networking stack is being manipulated, primarily the default route. * Propagate DEBUG flag deeper where possible. --- test/tests/dual-proto/run.sh | 29 +++++++++++++++++++++-------- test/tests/otp/run.sh | 7 ++++--- test/tests/revocation/run.sh | 23 +++++++++++++++++++---- 3 files changed, 44 insertions(+), 15 deletions(-) 
diff --git a/test/tests/dual-proto/run.sh b/test/tests/dual-proto/run.sh
index 63043450..210df9c8 100755
--- a/test/tests/dual-proto/run.sh
+++ b/test/tests/dual-proto/run.sh
@@ -36,17 +36,30 @@ docker run -v $OVPN_DATA:/etc/openvpn --rm $IMG ovpn_listclients | grep $CLIENT_ # # Run in shell bg to get logs, setup trap to clean-up -trap "{ jobs -p | xargs -r kill; wait; }" EXIT -docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm -p 1194:1194/udp --cap-add=NET_ADMIN $IMG & -docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm -p 443:1194/tcp --cap-add=NET_ADMIN $IMG ovpn_run --proto tcp & +trap "{ jobs -p | xargs -r kill; wait; docker volume rm ${OVPN_DATA}; }" EXIT +docker run --name "ovpn-test-udp" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN -e DEBUG $IMG & +docker run --name "ovpn-test-tcp" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN -e DEBUG $IMG ovpn_run --proto tcp --port 443 & + +# Update configs +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test-udp" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn + +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test-tcp" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config-tcp.ovpn # -# Fire up a clients in a containers since openvpn is disallowed by Travis-CI, don't NAT -# the host as it confuses itself: -# "Incoming packet rejected from [AF_INET]172.17.42.1:1194[2], expected peer address: [AF_INET]10.240.118.86:1194" +# Fire up a clients in a containers since openvpn is disallowed by Travis-CI # -docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh -docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn" +docker run --rm --cap-add=NET_ADMIN -v $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh +docker run 
--rm --cap-add=NET_ADMIN -v $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh "/client/config-tcp.ovpn" # # Celebrate diff --git a/test/tests/otp/run.sh b/test/tests/otp/run.sh index ad9cac30..c162918d 100755 --- a/test/tests/otp/run.sh +++ b/test/tests/otp/run.sh @@ -53,14 +53,15 @@ trap "{ jobs -p | xargs -r kill; wait; }" EXIT docker run --name "ovpn-test" -v $OVPN_DATA:/etc/openvpn --rm --cap-add=NET_ADMIN $IMG & for i in $(seq 10); do - SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}') + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "ovpn-test" 2>/dev/null || true) test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 done -sed -ie s:$SERV_IP:$SERV_IP:g $CLIENT_DIR/config.ovpn +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn # # Fire up a client in a container since openvpn is disallowed by Travis-CI -docker run --rm --net=host --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client $IMG /client/wait-for-connect.sh +docker run --rm --cap-add=NET_ADMIN --volume $CLIENT_DIR:/client -e DEBUG $IMG /client/wait-for-connect.sh # # Celebrate diff --git a/test/tests/revocation/run.sh b/test/tests/revocation/run.sh index e12d5158..25c99897 100755 --- a/test/tests/revocation/run.sh +++ b/test/tests/revocation/run.sh @@ -29,7 +29,7 @@ function finish { trap finish EXIT # Put the server in the background -docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN -p 1194:1194/udp --name $NAME $IMG +docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --name $NAME $IMG # # Test that easy_rsa generate CRLs with 'next publish' set to 3650 days. 
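Review bot: The two polling loops added after the backgrounded `docker run … &` lines fall through after ten attempts with `SERV_IP_INTERNAL` still empty, and the `sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g` that follows each loop then deletes the server address from the client config instead of failing the test. The same loop-and-sed pattern is repeated in test/tests/otp/run.sh (`@@ -53,14 +53,15`) and test/tests/revocation/run.sh (`@@ -51,10 +51,18`), so a small helper that fails on timeout would fix all three; a sketch is below, which also quotes `$SERV_IP`, `$SERV_IP_INTERNAL` and `$CLIENT_DIR` where they are interpolated. The `docker volume rm ${OVPN_DATA}` added to the trap runs as soon as `wait` returns for the killed `docker run` clients, and the `--rm` containers may not have been torn down yet at that point, so it is worth confirming the volume is actually removed rather than reported as still in use.
```shell
# Resolve the bridge address of a running container; fail the test instead of
# letting an empty value reach sed.
container_ip() {
  local name=$1 ip=
  for _ in $(seq 10); do
    ip=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$name" 2>/dev/null || true)
    [ -n "$ip" ] && break
    sleep 0.1
  done
  [ -n "$ip" ] || { echo "timed out waiting for the address of $name" >&2; return 1; }
  printf '%s\n' "$ip"
}

# … unchanged: trap and the two backgrounded docker run lines …

SERV_IP_INTERNAL=$(container_ip ovpn-test-udp) || exit 1
sed -i -e "s:$SERV_IP:$SERV_IP_INTERNAL:g" "$CLIENT_DIR/config.ovpn"
SERV_IP_INTERNAL=$(container_ip ovpn-test-tcp) || exit 1
sed -i -e "s:$SERV_IP:$SERV_IP_INTERNAL:g" "$CLIENT_DIR/config-tcp.ovpn"

# … unchanged: client containers and "Celebrate" …
```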
@@ -51,10 +51,18 @@ docker exec -it $NAME easyrsa build-client-full $CLIENT1 nopass docker exec -it $NAME ovpn_getclient $CLIENT1 > $CLIENT_DIR/config.ovpn docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1" +# Determine IP address of container running daemon and update config +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$NAME" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done +sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn + # # Test that openvpn client can't connect using $CLIENT1 config. # -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #1." >&2 exit 2 fi @@ -66,7 +74,14 @@ docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2" -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then +# Determine IP address of container running daemon and update config +for i in $(seq 10); do + SERV_IP_INTERNAL=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' "$NAME" 2>/dev/null || true) + test -n "$SERV_IP_INTERNAL" && break + sleep 0.1 +done + +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #2." >&2 exit 2 fi 
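Review bot: The revocation check that follows the added loop and `sed` only asserts that `wait-for-connect.sh` fails, so any mistake in the rewritten config (an empty `SERV_IP_INTERNAL` after the loop times out, or a wrong address) makes test #1 pass without exercising the CRL at all. A positive control would distinguish "revoked" from "unreachable": run the address loop and `sed` before the `ovpn_revokeclient $CLIENT1` line, and first confirm the not-yet-revoked client can connect with `docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh || { echo "baseline connection failed" >&2; exit 1; }`. The comment `# Determine IP address of container running daemon and update config` would then sit above a step that is needed for both the control and the revocation check.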
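Review bot: The second polling loop, added before the test #2 `docker run`, fetches `SERV_IP_INTERNAL` but nothing uses it: `ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn` two lines earlier has just rewritten the config with the original `$SERV_IP` address, and unlike the `@@ -51,10 +51,18` hunk there is no `sed -i -e s:$SERV_IP:$SERV_IP_INTERNAL:g $CLIENT_DIR/config.ovpn` after `done`. The client therefore targets the unpatched address, and because the test only asserts that the connection fails, test #2 passes whether or not the revocation took effect. The test #3 run after `docker stop $NAME && docker start $NAME` in the following hunk reuses the same config, and the container address is not guaranteed to survive the restart, so the address should be re-resolved and substituted there as well.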
@@ -79,7 +94,7 @@ docker stop $NAME && docker start $NAME # # Test for failed connection using $CLIENT2 config again. # -if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --cap-add=NET_ADMIN --net=host $IMG /client/wait-for-connect.sh; then +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN -e DEBUG $IMG /client/wait-for-connect.sh; then echo "Client was able to connect after revocation test #3." >&2 exit 2 fi From c4b94369cd7bed5e2e0d9dd96809b82b7fa1d525 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Mon, 30 Nov 2020 23:38:36 -0800 Subject: [PATCH 18/19] README: Drop log-driver argument * This is overly verbose. --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 32939649..a9106737 100644 --- a/README.md +++ b/README.md @@ -31,8 +31,8 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq). private key used by the newly generated certificate authority. docker volume create --name $OVPN_DATA - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki * Start OpenVPN server process 
@@ -40,11 +40,11 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq). * Generate a client certificate without a passphrase - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass + docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full CLIENTNAME nopass * Retrieve the client configuration with embedded certificates - docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn + docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn ## Next Steps From 6ad931090bf76b6d17824c5429a66933d0063662 Mon Sep 17 00:00:00 2001 From: Kyle Manna Date: Thu, 3 Dec 2020 19:21:40 -0800 Subject: [PATCH 19/19] easy-rsa: Drop all mention of the vars file * This exists to import/export a number of easy-rsa default values but creates headaches for old volumes due to changes where easy-rsa insists on loading the var file if the environment variable is set. * Going forward people should pass the variables via: `docker run -e EASYRSA_var ...` * Closes #608 --- Dockerfile | 3 +-- Dockerfile.aarch64 | 1 - bin/easyrsa_vars | 39 --------------------------------------- bin/ovpn_initpki | 4 ---- 4 files changed, 1 insertion(+), 46 deletions(-) delete mode 100755 bin/easyrsa_vars diff --git a/Dockerfile b/Dockerfile index 6fb30ec2..4ece3147 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,8 +15,7 @@ RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/reposi ENV OPENVPN=/etc/openvpn ENV EASYRSA=/usr/share/easy-rsa \ EASYRSA_CRL_DAYS=3650 \ - EASYRSA_PKI=$OPENVPN/pki \ - EASYRSA_VARS_FILE=$OPENVPN/vars + EASYRSA_PKI=$OPENVPN/pki VOLUME ["/etc/openvpn"] diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 7207a09e..324b8363 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
@@ -15,7 +15,6 @@ RUN echo "http://dl-4.alpinelinux.org/alpine/edge/community/" >> /etc/apk/reposi ENV OPENVPN /etc/openvpn ENV EASYRSA /usr/share/easy-rsa ENV EASYRSA_PKI $OPENVPN/pki -ENV EASYRSA_VARS_FILE $OPENVPN/vars # Prevents refused client connection because of an expired CRL ENV EASYRSA_CRL_DAYS 3650 diff --git a/bin/easyrsa_vars b/bin/easyrsa_vars deleted file mode 100755 index e2fb56f2..00000000 --- a/bin/easyrsa_vars +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/sh - -# -# Import/export EasyRSA default settings -# - -if [ "$DEBUG" == "1" ]; then - set -x -fi - -set -e - -if [ $# -lt 1 ]; then - echo "No command provided" - echo - echo "$0 export > /path/to/file" - echo "$0 import < /path/to/file" - exit 1 -fi - -cmd=$1 -shift - -case "$cmd" in - export) - if [ -f "$EASYRSA_VARS_FILE" ]; then - cat "$EASYRSA_VARS_FILE" - else - cat "$EASYRSA/vars.example" - fi - ;; - import) - cat > "$EASYRSA_VARS_FILE" - ;; - *) - echo "Unknown cmd \"$cmd\"" - exit 2 - ;; -esac diff --git a/bin/ovpn_initpki b/bin/ovpn_initpki index c7029d2e..14b8ec9e 100755 --- a/bin/ovpn_initpki +++ b/bin/ovpn_initpki @@ -15,10 +15,6 @@ source "$OPENVPN/ovpn_env.sh" # Specify "nopass" as arg[2] to make the CA insecure (not recommended!) nopass=$1 -# EasyRSA 3.0.7 introduced checks for $EASYRSA_VARS_FILE existence -# in the init-pki script -touch $EASYRSA_VARS_FILE - # Provides a sufficient warning before erasing pre-existing files easyrsa init-pki