From efafd813a2895d1d14c69d418050e8ef22431ad6 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 18:22:52 +0300 Subject: [PATCH 01/21] change image to my debian-armel:jessie --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6a2ee12..5a8a58b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ -FROM ubuntu:precise -RUN echo deb http://archive.ubuntu.com/ubuntu/ precise main universe > /etc/apt/sources.list.d/precise.list +FROM clashthebunny/debian-armel:jessie +MAINTAINER randall@mason.ch + RUN apt-get update -q RUN apt-get install -qy openvpn iptables socat curl ADD ./bin /usr/local/sbin From 86a6817f400c638ecd43098fcc69b2a7e07ec561 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 20:54:12 +0300 Subject: [PATCH 02/21] add ability to configure server quite a bit --- bin/printconfig.sh | 7 ++ bin/run | 206 +++++++++++++++++++++++++++++++-------------- bin/serveconfig | 6 +- 3 files changed, 155 insertions(+), 64 deletions(-) create mode 100755 bin/printconfig.sh diff --git a/bin/printconfig.sh b/bin/printconfig.sh new file mode 100755 index 0000000..332c564 --- /dev/null +++ b/bin/printconfig.sh @@ -0,0 +1,7 @@ +#!/bin/bash + +while read line +do + grep -q GET "$line" | sed -e 's#GET /\([a-z]\).ovpn HTTP.*#\1#g' | grep -q . && \ + cat client.$(grep -q GET "$line" | sed -e 's#GET /\([a-z]\).ovpn HTTP.*#\1#g').combined.ovpn +done diff --git a/bin/run b/bin/run index 908e28b..03f50b1 100755 --- a/bin/run +++ b/bin/run @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash set -e [ -d /dev/net ] || 
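Review bot: The new `FROM clashthebunny/debian-armel:jessie` replaces an official base with a personal Hub image at a mutable tag, so every rebuild trusts whatever that account publishes under `jessie` at build time. Pinning to an immutable reference (an image id, or a digest on current Docker) and recording where the image is built from keeps the result reproducible and auditable. The context lines keep `RUN apt-get update -q` in a layer of its own, so later `apt-get install` steps can reuse a stale package index; `RUN apt-get update -q && apt-get install -qy …` is the usual form, though that part is pre-existing.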
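Review bot: `grep -q GET "$line"` in the new `bin/printconfig.sh` can never feed the `sed` after it: `-q` suppresses all output and `"$line"` is passed as a file name rather than as input, so the pipeline is empty for every request and nothing is ever served. The request line has to be piped in, and computing the name once is clearer: `name=$(printf '%s\n' "$line" | sed -n 's#^GET /\([a-z]*\)\.ovpn HTTP.*#\1#p')` followed by `[ -n "$name" ] && cat "client.$name.combined.ovpn"`. Because `$name` becomes part of a file path, keeping the `sed` match restricted to `[a-z]` is what stops a request from selecting other files; note the bracket expression as written matches exactly one character, which would only ever select single-letter client names, not the default `clash`.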
@@ -6,101 +6,185 @@ set -e [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200 +cd /usr/share/easy-rsa/ + +EASY_RSA="`pwd`" +OPENSSL="openssl" +PKCS11TOOL="pkcs11-tool" +GREP="grep" +KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` +KEY_DIR="/etc/openvpn/keys" +PKCS11_MODULE_PATH="dummy" +PKCS11_PIN="dummy" + +KEY_SIZE=${KEY_SIZE:-2048} +CA_EXPIRE=${CA_EXPIRE:-3650} +KEY_EXPIRE=${KEY_EXPIRE:-3650} +KEY_COUNTRY="${KEY_COUNTRY:-US}" +KEY_PROVINCE="${KEY_PROVINCE:-CA}" +KEY_CITY="${KEY_CITY:-SanFrancisco}" +KEY_ORG="${KEY_ORG:-Fort-Funston}" +KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" +KEY_OU="${KEY_OU:-MyOrganizationalUnit}" +KEY_NAME="${KEY_NAME:-EasyRSA}" +SERVERNAME="${SERVERNAME:-dockvpn}" +CLIENTNAMES="${CLIENTNAMES:-clash}" + +"$EASY_RSA/pkitool" --initca +"$EASY_RSA/pkitool" --server "${SERVERNAME}" +./build-dh +openvpn --genkey --secret $KEY_DIR/ta.key + +for CLIENTNAME in $CLIENTNAMES +do + "$EASY_RSA/pkitool" "${CLIENTNAME}" + openssl pkcs12 -export -inkey $KEY_DIR/$CLIENTNAME.key -in $KEY_DIR/$CLIENTNAME.crt -certfile $KEY_DIR/ca.crt -out $KEY_DIR/$CLIENTNAME.p12 +done + cd /etc/openvpn -[ -f dh.pem ] || - openssl dhparam -out dh.pem 512 -[ -f key.pem ] || - openssl genrsa -out key.pem 2048 -chmod 600 key.pem -[ -f csr.pem ] || - openssl req -new -key key.pem -out csr.pem -subj /CN=OpenVPN/ -[ -f cert.pem ] || - openssl x509 -req -in csr.pem -out cert.pem -signkey key.pem -days 36525 - -[ -f tcp443.conf ] || cat >tcp443.conf <server.udp.conf <udp1194.conf <server.tcp.conf <client.ovpn <client.${CLIENTNAME}.combined.ovpn < +remote $MY_IP_ADDR ${SERVER_UDP_PORT} udp + + + +remote $MY_IP_ADDR ${SERVER_TCP_PORT} tcp-client + +EOF + +cp client.${CLIENTNAME}.combined.ovpn client.${CLIENTNAME}.ovpn + +cat >>client.${CLIENTNAME}.ovpn<>client.${CLIENTNAME}.combined.ovpn< -`cat key.pem` +`cat keys/$CLIENTNAME.key` -`cat cert.pem` +`cat keys/$CLIENTNAME.crt` -`cat cert.pem` +`cat keys/ca.crt` -`cat dh.pem` +`cat keys/dh.pem` - -remote $MY_IP_ADDR 1194 udp - +EOF ) - 
-remote $MY_IP_ADDR 443 tcp-client - -EOF -[ -f client.http ] || cat >client.http <client.${CLIENTNAME}.http <> tcp443.log & -while true ; do openvpn udp1194.conf ; done >> udp1194.log & +touch tcp.log udp.log http8080.log +while true ; do openvpn server.tcp.conf; done >> tcp.log & +while true ; do openvpn server.udp.conf; done >> udp.log & tail -F *.log diff --git a/bin/serveconfig b/bin/serveconfig index 9ba7dba..8830d66 100755 --- a/bin/serveconfig +++ b/bin/serveconfig @@ -1,14 +1,14 @@ #!/bin/sh cd /etc/openvpn -[ -f client.http ] || { +ls client*config | cut -d \. -f 2 || { echo "Please run the OpenVPN container at least once in normal mode," echo "to generate the client configuration file. Thank you." exit 1 } -echo "https://$(curl -s http://myip.enix.org/REMOTE_ADDR):8080/" +echo "https://$(curl -s http://myip.enix.org/REMOTE_ADDR):8080/.ovpn" socat -d -d \ OPENSSL-LISTEN:8080,fork,reuseaddr,key=key.pem,certificate=cert.pem,verify=0 \ - EXEC:'cat client.http' \ + EXEC:'printCombined.config.sh' \ 2>> http8080.log From 4421748a96dde473ab536759d5218011ac765952 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 21:27:50 +0300 Subject: [PATCH 03/21] export the variables so as to be accessable --- bin/run | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/bin/run b/bin/run index 03f50b1..dcc1090 100755 --- a/bin/run +++ b/bin/run 
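Review bot: This hunk removes `chmod 600 key.pem` without replacing it, while writing far more secret-bearing files than before: `$KEY_DIR/$CLIENTNAME.key`, the `.p12` bundle, `ta.key`, and `client.${CLIENTNAME}.combined.ovpn`, which inlines the private key via `` `cat keys/$CLIENTNAME.key` ``. Whatever `pkitool`/`clean-all` do for `keys/`, the combined profiles land directly in `/etc/openvpn` with the default umask, so a single `umask 077` right after `set -e` would cover everything written below it. The `openssl pkcs12 -export` call carries no `-password`, so under `CMD run` it will block on an interactive passphrase prompt. The heredoc bodies in this hunk look garbled by the page extraction, so I cannot review the generated server and client configs themselves; the script continues beyond both ends of the hunk.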
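Review bot: The replacement guard `ls client*config | cut -d \. -f 2 || { … }` can never fire: a pipeline's status is that of `cut`, which succeeds even when `ls` fails, and nothing in `bin/run` as shown writes a file matching `client*config` (it writes `client.<name>.ovpn`, `.combined.ovpn` and `.http`). Something like `ls client.*.combined.ovpn >/dev/null 2>&1 || { … }` keeps the intent. `EXEC:'printCombined.config.sh'` also names a script that this commit does not add — the new file is `bin/printconfig.sh` — so, unless a later patch supplies it, socat fails on every connection. The listener still uses `verify=0`, so anyone who can reach port 8080 can download a profile containing a private key; echoing the README's advice to stop `serveconfig` as soon as the download is done would be a cheap reminder.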
@@ -8,27 +8,27 @@ set -e cd /usr/share/easy-rsa/ -EASY_RSA="`pwd`" -OPENSSL="openssl" -PKCS11TOOL="pkcs11-tool" -GREP="grep" -KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` -KEY_DIR="/etc/openvpn/keys" -PKCS11_MODULE_PATH="dummy" -PKCS11_PIN="dummy" - -KEY_SIZE=${KEY_SIZE:-2048} -CA_EXPIRE=${CA_EXPIRE:-3650} -KEY_EXPIRE=${KEY_EXPIRE:-3650} -KEY_COUNTRY="${KEY_COUNTRY:-US}" -KEY_PROVINCE="${KEY_PROVINCE:-CA}" -KEY_CITY="${KEY_CITY:-SanFrancisco}" -KEY_ORG="${KEY_ORG:-Fort-Funston}" -KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" -KEY_OU="${KEY_OU:-MyOrganizationalUnit}" -KEY_NAME="${KEY_NAME:-EasyRSA}" -SERVERNAME="${SERVERNAME:-dockvpn}" -CLIENTNAMES="${CLIENTNAMES:-clash}" +export EASY_RSA="`pwd`" +export OPENSSL="openssl" +export PKCS11TOOL="pkcs11-tool" +export GREP="grep" +export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` +export KEY_DIR="/etc/openvpn/keys" +export PKCS11_MODULE_PATH="dummy" +export PKCS11_PIN="dummy" + +export KEY_SIZE=${KEY_SIZE:-2048} +export CA_EXPIRE=${CA_EXPIRE:-3650} +export KEY_EXPIRE=${KEY_EXPIRE:-3650} +export KEY_COUNTRY="${KEY_COUNTRY:-US}" +export KEY_PROVINCE="${KEY_PROVINCE:-CA}" +export KEY_CITY="${KEY_CITY:-SanFrancisco}" +export KEY_ORG="${KEY_ORG:-Fort-Funston}" +export KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" +export KEY_OU="${KEY_OU:-MyOrganizationalUnit}" +export KEY_NAME="${KEY_NAME:-EasyRSA}" +export SERVERNAME="${SERVERNAME:-dockvpn}" +export CLIENTNAMES="${CLIENTNAMES:-clash}" "$EASY_RSA/pkitool" --initca "$EASY_RSA/pkitool" --server "${SERVERNAME}" From cb2b215f9504db4a25a66d820bf9b99a276f384c Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 21:35:34 +0300 Subject: [PATCH 04/21] just give path to correct openssl.cnf --- bin/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/run b/bin/run index dcc1090..aa0d296 100755 --- a/bin/run +++ b/bin/run 
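Review bot: The twenty-one consecutive `export` lines at the top of `bin/run` can be expressed once: `set -a` before the first assignment and `set +a` after the last marks every variable assigned in between for export, which keeps the list readable and avoids forgetting the prefix when a setting is added. While these lines are being touched, `export EASY_RSA="\`pwd\`"` reads better as `export EASY_RSA="$(pwd)"`, and `PKCS11_MODULE_PATH="dummy"` / `PKCS11_PIN="dummy"` deserve a one-line comment saying they are placeholders (presumably required by easy-rsa) rather than a real module or PIN.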
@@ -12,7 +12,7 @@ export EASY_RSA="`pwd`" export OPENSSL="openssl" export PKCS11TOOL="pkcs11-tool" export GREP="grep" -export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` +export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf" export KEY_DIR="/etc/openvpn/keys" export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" From 131fecf66719a4bacb341a36a7ff44e6eb07f5cf Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 21:53:47 +0300 Subject: [PATCH 05/21] make keydir --- bin/run | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bin/run b/bin/run index aa0d296..005412b 100755 --- a/bin/run +++ b/bin/run @@ -30,6 +30,8 @@ export KEY_NAME="${KEY_NAME:-EasyRSA}" export SERVERNAME="${SERVERNAME:-dockvpn}" export CLIENTNAMES="${CLIENTNAMES:-clash}" +mkdir -p $KEY_DIR + "$EASY_RSA/pkitool" --initca "$EASY_RSA/pkitool" --server "${SERVERNAME}" ./build-dh From d0c8489a00abd1da1c3d74dd8e26047838ea86aa Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 21:59:48 +0300 Subject: [PATCH 06/21] clean-all creates the keydir and does other beneficial things --- bin/run | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/run b/bin/run index 005412b..7be8064 100755 --- a/bin/run +++ b/bin/run @@ -30,7 +30,8 @@ export KEY_NAME="${KEY_NAME:-EasyRSA}" export SERVERNAME="${SERVERNAME:-dockvpn}" export CLIENTNAMES="${CLIENTNAMES:-clash}" -mkdir -p $KEY_DIR +[ -d $KEY_DIR ] || + ./clean-all "$EASY_RSA/pkitool" --initca "$EASY_RSA/pkitool" --server "${SERVERNAME}" From f2a2f770569cbb7a9e7ba3ded88c2fc7de0d1684 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 22:42:23 +0300 Subject: [PATCH 07/21] check for existance of files before re-creating them --- bin/run | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/bin/run b/bin/run index 7be8064..a1bfd27 100755 --- a/bin/run +++ b/bin/run 
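Review bot: Hard-coding `export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"` ties the script to one OpenSSL config file name; the `whichopensslcnf` helper it replaces is there, as far as I can tell, to pick the `openssl-*.cnf` matching the installed OpenSSL, so this line will silently point at a missing file once the base image ships a different version (this series already switches base images twice). If the helper misbehaves on this image, a guard directly after the assignment, `[ -f "$KEY_CONFIG" ] || { echo "missing $KEY_CONFIG" >&2; exit 1; }`, turns that into a clear failure instead of a confusing easy-rsa error later.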
@@ -33,15 +33,21 @@ export CLIENTNAMES="${CLIENTNAMES:-clash}" [ -d $KEY_DIR ] || ./clean-all -"$EASY_RSA/pkitool" --initca -"$EASY_RSA/pkitool" --server "${SERVERNAME}" -./build-dh -openvpn --genkey --secret $KEY_DIR/ta.key +[ -f $KEY_DIR/ca.crt ] || + "$EASY_RSA/pkitool" --initca +[ -f $KEY_DIR/${SERVERNAME}.crt ] || + "$EASY_RSA/pkitool" --server "${SERVERNAME}" +[ -f $KEY_DIR/dh2048.pem ] || + ./build-dh +[ -f $KEY_DIR/ta.key ] || + openvpn --genkey --secret $KEY_DIR/ta.key for CLIENTNAME in $CLIENTNAMES do - "$EASY_RSA/pkitool" "${CLIENTNAME}" - openssl pkcs12 -export -inkey $KEY_DIR/$CLIENTNAME.key -in $KEY_DIR/$CLIENTNAME.crt -certfile $KEY_DIR/ca.crt -out $KEY_DIR/$CLIENTNAME.p12 + [ -f $KEY_DIR/${CLIENTNAME}.key ] || + "$EASY_RSA/pkitool" "${CLIENTNAME}" + [ -f $KEY_DIR/${CLIENTNAME}.p12 ] || + $OPENSSL pkcs12 -export -inkey $KEY_DIR/$CLIENTNAME.key -in $KEY_DIR/$CLIENTNAME.crt -certfile $KEY_DIR/ca.crt -out $KEY_DIR/$CLIENTNAME.p12 -password pass:"" done cd /etc/openvpn From c7c2eaef1cf3cde901ee3591670b1da6217bcab9 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 23:02:32 +0300 Subject: [PATCH 08/21] add zip for both TunnelBlick and Ubuntu Configurations --- Dockerfile | 2 +- bin/run | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5a8a58b..559b81b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM clashthebunny/debian-armel:jessie MAINTAINER randall@mason.ch RUN apt-get update -q -RUN apt-get install -qy openvpn iptables socat curl +RUN apt-get install -qy openvpn iptables socat zip curl ADD ./bin /usr/local/sbin VOLUME /etc/openvpn EXPOSE 443/tcp 1194/udp 8080/tcp diff --git a/bin/run b/bin/run index a1bfd27..83a063a 100755 --- a/bin/run +++ b/bin/run 
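Review bot: `-password pass:""` exports each client's private key into `$KEY_DIR/$CLIENTNAME.p12` with an empty passphrase, so the bundle is usable by anything that gets hold of the file. If an empty passphrase is required for the intended import path, say so in a comment and make sure `$KEY_DIR` stays owner-only; otherwise take it from a variable the operator sets, e.g. `-password "pass:${P12_PASSWORD:?set P12_PASSWORD}"`. The new `[ -f $KEY_DIR/${CLIENTNAME}.key ] ||` guards are unquoted; `"$KEY_DIR/${CLIENTNAME}.key"` avoids surprises should a client name ever contain whitespace or a glob character.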
@@ -180,6 +180,10 @@ cat >>client.${CLIENTNAME}.combined.ovpn<client.${CLIENTNAME}.http < Date: Wed, 4 Jun 2014 23:22:56 +0300 Subject: [PATCH 09/21] fix problem with parens and add easy-rsa for ubuntu --- Dockerfile | 2 +- bin/run | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 559b81b..a3a1f33 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM clashthebunny/debian-armel:jessie MAINTAINER randall@mason.ch RUN apt-get update -q -RUN apt-get install -qy openvpn iptables socat zip curl +RUN apt-get install -qy openvpn iptables socat zip easy-rsa curl ADD ./bin /usr/local/sbin VOLUME /etc/openvpn EXPOSE 443/tcp 1194/udp 8080/tcp diff --git a/bin/run b/bin/run index 83a063a..597aa43 100755 --- a/bin/run +++ b/bin/run @@ -129,7 +129,7 @@ ping -c 1 -n $SERVERNAME && MY_IP_ADDR=$SERVERNAME for CLIENTNAME in $CLIENTNAMES do -[ -f client.${CLIENTNAME}.ovpn ] || ( cat >client.${CLIENTNAME}.combined.ovpn <client.${CLIENTNAME}.combined.ovpn <>client.${CLIENTNAME}.combined.ovpn< -EOF ) +EOF +} mkdir ${CLIENTNAME}.tblk mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh.pem ta.key ${CLIENTNAME}.tblk From 5bd3568e0ce789b6a0adb8873f9909bcf955fc20 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 23:37:37 +0300 Subject: [PATCH 10/21] replace dh1024 with dh2048, check for tblk directory and skip if exists, use ${SERVERNAME} in key --- Dockerfile | 1 - bin/run | 24 +++++++++++++----------- 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/Dockerfile b/Dockerfile index a3a1f33..2f49965 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,5 @@ MAINTAINER randall@mason.ch RUN apt-get update -q RUN apt-get install -qy openvpn iptables socat zip easy-rsa curl ADD ./bin /usr/local/sbin -VOLUME /etc/openvpn EXPOSE 443/tcp 1194/udp 8080/tcp CMD run diff --git a/bin/run b/bin/run index 597aa43..253a67d 100755 --- a/bin/run +++ b/bin/run 
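Review bot: The new `mv` relocates shared material — `keys/ca.crt`, `keys/dh.pem` and `ta.key` — into the first client's `${CLIENTNAME}.tblk`, after which the server configs that reference `keys/ca.crt` and `tls-auth keys/ta.key`, and every further iteration of the `for CLIENTNAME` loop, no longer find them. Copying the shared files and moving only `client.${CLIENTNAME}.ovpn` fixes that, and `keys/dh.pem` should match what `build-dh` writes (the guard added in the previous patch checks `dh2048.pem`); both are corrected further on in this series, so this is mostly a note for anyone bisecting. `zip -jr ${CLIENTNAME}.zip` writes an archive holding a private key with default permissions next to the server config; `umask 077` earlier in the script, or `chmod 600` on the archives, keeps them owner-only.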
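Review bot: Dropping `VOLUME /etc/openvpn` means the keys and profiles generated by `run` are written into the container's writable layer unless the operator remembers `--volumes-from`, and they disappear on `docker rm` — which `runDockVPN.sh` performs on every invocation. That may be deliberate so `--volumes-from OpenVPN-Config` alone controls persistence, but the README still states that the Dockerfile declares the directory as a volume; either keep the `VOLUME` line (it should coexist with `--volumes-from`) or update the README in the same commit.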
@@ -63,9 +63,9 @@ dev tun persist-key persist-tun ca keys/ca.crt -cert keys/server.crt -key keys/server.key # This file should be kept secret -dh keys/dh1024.pem +cert keys/${SERVERNAME}.crt +key keys/${SERVERNAME}.key # This file should be kept secret +dh keys/dh2048.pem tls-auth keys/ta.key 0 # This file is secret cipher BF-CBC # Blowfish (default) comp-lzo @@ -95,9 +95,9 @@ persist-key persist-tun ca keys/ca.crt -cert keys/server.crt -key keys/server.key # This file should be kept secret -dh keys/dh1024.pem +cert keys/${SERVERNAME}.crt +key keys/${SERVERNAME}.key # This file should be kept secret +dh keys/dh2048.pem tls-auth keys/ta.key 0 # This file is secret cipher BF-CBC # Blowfish (default) @@ -175,16 +175,18 @@ cat >>client.${CLIENTNAME}.combined.ovpn< -`cat keys/dh.pem` +`cat keys/dh2048.pem` EOF } -mkdir ${CLIENTNAME}.tblk -mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh.pem ta.key ${CLIENTNAME}.tblk -zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk -zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk +[ -d ${CLIENTNAME}.tblk ] || { + mkdir ${CLIENTNAME}.tblk + mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh2048.pem ta.key ${CLIENTNAME}.tblk + zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk + zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk +} [ -f client.${CLIENTNAME}.http ] || cat >client.${CLIENTNAME}.http < Date: Wed, 4 Jun 2014 23:40:32 +0300 Subject: [PATCH 11/21] fix ta.key path --- bin/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/run b/bin/run index 253a67d..fda482c 100755 --- a/bin/run +++ b/bin/run 
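Review bot: The new `[ -d ${CLIENTNAME}.tblk ] || { … }` guard freezes the `.tblk` directory and both zip archives at their first contents, while, as far as I can see, the `mv client.${CLIENTNAME}.ovpn … ${CLIENTNAME}.tblk` inside it removes the file that the `[ -f client.${CLIENTNAME}.ovpn ] ||` guard above tests, so the profile is regenerated on every start but a changed port or `MY_IP_ADDR` never reaches the archives. Keying the skip on freshness, e.g. `[ ${CLIENTNAME}.tblk.zip -nt client.${CLIENTNAME}.ovpn ] || { … }`, keeps the skip-if-done behaviour without handing out stale bundles. Not part of this change, but the surrounding `cipher BF-CBC` line is worth a follow-up: a 64-bit block cipher is a poor default for a VPN, and the same line appears in both server configs.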
@@ -183,7 +183,7 @@ EOF [ -d ${CLIENTNAME}.tblk ] || { mkdir ${CLIENTNAME}.tblk - mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh2048.pem ta.key ${CLIENTNAME}.tblk + mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh2048.pem keys/ta.key ${CLIENTNAME}.tblk zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk } From 3ed3e693cfacf8b751b5611a87a9ebd0d3b21950 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Wed, 4 Jun 2014 23:44:25 +0300 Subject: [PATCH 12/21] reference actual number of bits in dh .pem --- bin/run | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/bin/run b/bin/run index fda482c..dff3d84 100755 --- a/bin/run +++ b/bin/run @@ -37,7 +37,7 @@ export CLIENTNAMES="${CLIENTNAMES:-clash}" "$EASY_RSA/pkitool" --initca [ -f $KEY_DIR/${SERVERNAME}.crt ] || "$EASY_RSA/pkitool" --server "${SERVERNAME}" -[ -f $KEY_DIR/dh2048.pem ] || +[ -f $KEY_DIR/dh${KEY_SIZE}.pem ] || ./build-dh [ -f $KEY_DIR/ta.key ] || openvpn --genkey --secret $KEY_DIR/ta.key @@ -65,7 +65,7 @@ persist-tun ca keys/ca.crt cert keys/${SERVERNAME}.crt key keys/${SERVERNAME}.key # This file should be kept secret -dh keys/dh2048.pem +dh keys/dh${KEY_SIZE}.pem tls-auth keys/ta.key 0 # This file is secret cipher BF-CBC # Blowfish (default) comp-lzo @@ -97,7 +97,7 @@ persist-tun ca keys/ca.crt cert keys/${SERVERNAME}.crt key keys/${SERVERNAME}.key # This file should be kept secret -dh keys/dh2048.pem +dh keys/dh${KEY_SIZE}.pem tls-auth keys/ta.key 0 # This file is secret cipher BF-CBC # Blowfish (default) @@ -175,7 +175,7 @@ cat >>client.${CLIENTNAME}.combined.ovpn< -`cat keys/dh2048.pem` +`cat keys/dh${KEY_SIZE}.pem` EOF 
@@ -183,7 +183,7 @@ EOF [ -d ${CLIENTNAME}.tblk ] || { mkdir ${CLIENTNAME}.tblk - mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh2048.pem keys/ta.key ${CLIENTNAME}.tblk + mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh${KEY_SIZE}.pem keys/ta.key ${CLIENTNAME}.tblk zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk } From ce7a1eb83da0f69358b1b8e21aac3ead67a3d72e Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Thu, 5 Jun 2014 11:10:48 +0300 Subject: [PATCH 13/21] don't build android's key, seems to delete files --- bin/run | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/run b/bin/run index dff3d84..47bde14 100755 --- a/bin/run +++ b/bin/run @@ -46,8 +46,8 @@ for CLIENTNAME in $CLIENTNAMES do [ -f $KEY_DIR/${CLIENTNAME}.key ] || "$EASY_RSA/pkitool" "${CLIENTNAME}" - [ -f $KEY_DIR/${CLIENTNAME}.p12 ] || - $OPENSSL pkcs12 -export -inkey $KEY_DIR/$CLIENTNAME.key -in $KEY_DIR/$CLIENTNAME.crt -certfile $KEY_DIR/ca.crt -out $KEY_DIR/$CLIENTNAME.p12 -password pass:"" +# [ -f $KEY_DIR/${CLIENTNAME}.p12 ] || +# $OPENSSL pkcs12 -export -inkey $KEY_DIR/$CLIENTNAME.key -in $KEY_DIR/$CLIENTNAME.crt -certfile $KEY_DIR/ca.crt -out $KEY_DIR/$CLIENTNAME.p12 -password pass:"" done cd /etc/openvpn From 67f67f11cfeb8e6d68cb39466e50291d824fda73 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Fri, 6 Jun 2014 11:19:40 +0300 Subject: [PATCH 14/21] add scripts to start and configure --- bin/run | 102 ++++++++++++++++++--------------------- bin/serveconfig | 2 +- environmentVariables | 1 + makePersistentStorage.md | 2 + runDockVPN.sh | 26 ++++++++++ 5 files changed, 78 insertions(+), 55 deletions(-) create mode 100755 environmentVariables create mode 100644 makePersistentStorage.md create mode 100755 runDockVPN.sh diff --git a/bin/run b/bin/run index 47bde14..9f979cb 100755 --- a/bin/run +++ b/bin/run 
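Review bot: Commenting out the `openssl pkcs12 -export` lines leaves dead code — including an empty-password export — in the script. If the `.p12` step is gone for good, delete the two lines and let the commit message carry the reason; if it is meant to come back, a comment naming the symptom, `# disabled: generating the .p12 appeared to remove files from $KEY_DIR; cause not yet understood`, helps the next reader more than bare `#` prefixes. The root cause is not visible from this hunk.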
@@ -6,54 +6,44 @@ set -e [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200 -cd /usr/share/easy-rsa/ - -export EASY_RSA="`pwd`" -export OPENSSL="openssl" -export PKCS11TOOL="pkcs11-tool" -export GREP="grep" -export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf" -export KEY_DIR="/etc/openvpn/keys" -export PKCS11_MODULE_PATH="dummy" -export PKCS11_PIN="dummy" - -export KEY_SIZE=${KEY_SIZE:-2048} -export CA_EXPIRE=${CA_EXPIRE:-3650} -export KEY_EXPIRE=${KEY_EXPIRE:-3650} -export KEY_COUNTRY="${KEY_COUNTRY:-US}" -export KEY_PROVINCE="${KEY_PROVINCE:-CA}" -export KEY_CITY="${KEY_CITY:-SanFrancisco}" -export KEY_ORG="${KEY_ORG:-Fort-Funston}" -export KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" -export KEY_OU="${KEY_OU:-MyOrganizationalUnit}" -export KEY_NAME="${KEY_NAME:-EasyRSA}" -export SERVERNAME="${SERVERNAME:-dockvpn}" -export CLIENTNAMES="${CLIENTNAMES:-clash}" +cd /etc/openvpn/ -[ -d $KEY_DIR ] || - ./clean-all +SERVER_TCP_PORT=${SERVER_TCP_PORT:-443} +SERVER_UDP_PORT=${SERVER_UDP_PORT:-1194} + +EASY_RSA="/usr/share/easy-rsa/" +OPENSSL="openssl" +PKCS11TOOL="pkcs11-tool" +GREP="grep" +KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf" +KEY_DIR="/etc/openvpn/keys" +PKCS11_MODULE_PATH="dummy" +PKCS11_PIN="dummy" + +KEY_SIZE=${KEY_SIZE:-2048} +CA_EXPIRE=${CA_EXPIRE:-3650} +KEY_EXPIRE=${KEY_EXPIRE:-3650} +KEY_COUNTRY="${KEY_COUNTRY:-US}" +KEY_PROVINCE="${KEY_PROVINCE:-CA}" +KEY_CITY="${KEY_CITY:-SanFrancisco}" +KEY_ORG="${KEY_ORG:-Fort-Funston}" +KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" +KEY_OU="${KEY_OU:-MyOrganizationalUnit}" +KEY_NAME="${KEY_NAME:-EasyRSA}" +SERVERNAME="${SERVERNAME:-dockvpn}" +CLIENTNAMES="${CLIENTNAMES:-clash}" +[ -d $KEY_DIR ] || + $EASY_RSA/clean-all [ -f $KEY_DIR/ca.crt ] || "$EASY_RSA/pkitool" --initca [ -f $KEY_DIR/${SERVERNAME}.crt ] || "$EASY_RSA/pkitool" --server "${SERVERNAME}" [ -f $KEY_DIR/dh${KEY_SIZE}.pem ] || - ./build-dh + $EASY_RSA/build-dh [ -f $KEY_DIR/ta.key ] || openvpn --genkey --secret $KEY_DIR/ta.key -for CLIENTNAME in $CLIENTNAMES 
-do - [ -f $KEY_DIR/${CLIENTNAME}.key ] || - "$EASY_RSA/pkitool" "${CLIENTNAME}" -# [ -f $KEY_DIR/${CLIENTNAME}.p12 ] || -# $OPENSSL pkcs12 -export -inkey $KEY_DIR/$CLIENTNAME.key -in $KEY_DIR/$CLIENTNAME.crt -certfile $KEY_DIR/ca.crt -out $KEY_DIR/$CLIENTNAME.p12 -password pass:"" -done - -cd /etc/openvpn -SERVER_TCP_PORT=${SERVER_TCP_PORT:-443} -SERVER_UDP_PORT=${SERVER_UDP_PORT:-1194} - [ -f server.udp.conf ] || cat >server.udp.conf <client.${CLIENTNAME}.combined.ovpn <>client.${CLIENTNAME}.combined.ovpn< -`cat keys/$CLIENTNAME.key` +`cat ${KEY_DIR}/$CLIENTNAME.key` -`cat keys/$CLIENTNAME.crt` +`cat ${KEY_DIR}/$CLIENTNAME.crt` -`cat keys/ca.crt` +`cat ${KEY_DIR}/ca.crt` -`cat keys/dh${KEY_SIZE}.pem` +`cat ${KEY_DIR}/dh${KEY_SIZE}.pem` EOF @@ -183,7 +177,7 @@ EOF [ -d ${CLIENTNAME}.tblk ] || { mkdir ${CLIENTNAME}.tblk - mv client.${CLIENTNAME}.ovpn keys/$CLIENTNAME.key keys/$CLIENTNAME.crt keys/ca.crt keys/dh${KEY_SIZE}.pem keys/ta.key ${CLIENTNAME}.tblk + mv client.${CLIENTNAME}.ovpn ${KEY_DIR}/$CLIENTNAME.key ${KEY_DIR}/$CLIENTNAME.crt ${KEY_DIR}/ca.crt ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_DIR}/ta.key ${CLIENTNAME}.tblk zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk } @@ -191,7 +185,7 @@ EOF [ -f client.${CLIENTNAME}.http ] || cat >client.${CLIENTNAME}.http <" \\/g' diff --git a/makePersistentStorage.md b/makePersistentStorage.md new file mode 100644 index 0000000..1ca83bc --- /dev/null +++ b/makePersistentStorage.md @@ -0,0 +1,2 @@ +docker run -v /etc/openvpn/ --name OpenVPN-Config busybox true +docker run -t -i --rm --volumes-from OpenVPN-Config --name dockvpn dockvpn bash diff --git a/runDockVPN.sh b/runDockVPN.sh new file mode 100755 index 0000000..7ad6306 --- /dev/null +++ b/runDockVPN.sh 
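Review bot: The per-client `for CLIENTNAME in $CLIENTNAMES … "$EASY_RSA/pkitool" "${CLIENTNAME}"` loop is deleted in the first hunk and I do not see it re-added in any hunk of this commit, yet the later hunk still runs `` `cat ${KEY_DIR}/$CLIENTNAME.key` `` for each client; unless the loop now lives in a part of `bin/run` outside these hunks, a fresh install fails at that `cat`. The first hunk also drops `export` from every `KEY_*` assignment while still calling `$EASY_RSA/pkitool`, which presumably reads those values from its environment (the earlier "export the variables" commit suggests so), so the certificates would silently get easy-rsa's built-in defaults; the following commit restores the exports. The script continues beyond both ends of these hunks.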
@@ -0,0 +1,26 @@ +docker build -t="dockvpn" . # Build this Dockerfile + +# create a container that's just saving the state of /etc/openvpn/ +# this won't overwrite something that exists +docker ps -a | grep -q OpenVpn-Config || docker run -v /etc/openvpn/ --name OpenVPN-Config busybox true + +# delete any old builds +docker stop dockvpn; docker rm dockvpn + +# run this new build +docker run -d --privileged --volumes-from OpenVPN-Config --name dockvpn \ + -e "SERVER_TCP_PORT=1197" \ + -e "SERVER_UDP_PORT=1197" \ + -e "KEY_SIZE=2048" \ + -e "CA_EXPIRE=3650" \ + -e "KEY_EXPIRE=3650" \ + -e "KEY_COUNTRY=US" \ + -e "KEY_PROVINCE=Massachusetts" \ + -e "KEY_CITY=Boston" \ + -e "KEY_ORG=MasonFamily" \ + -e "KEY_EMAIL=randall@mason.ch" \ + -e "KEY_OU=TheITGuy" \ + -e "KEY_NAME=DockVpN" \ + -e "SERVERNAME=vpn3.boston.mason.ch" \ + -e "CLIENTNAMES=\"randall android iphone\"" \ + dockvpn run From 326395ca4dee9b82d7b8956e4295ab4e34f8b812 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Fri, 6 Jun 2014 12:37:40 +0300 Subject: [PATCH 15/21] wait, we really do want those export statements --- bin/run | 47 +++++++++++++++++++++++++---------------------- runDockVPN.sh | 45 +++++++++++++++++++++++++++------------------ 2 files changed, 52 insertions(+), 40 deletions(-) diff --git a/bin/run b/bin/run index 9f979cb..4fea103 100755 --- a/bin/run +++ b/bin/run 
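Review bot: `docker ps -a | grep -q OpenVpn-Config` looks for a name that differs in case from the container it creates (`--name OpenVPN-Config`), so the guard never matches and every run retries `docker run … --name OpenVPN-Config`, which fails once the data container exists; the line should read `docker ps -a | grep -q OpenVPN-Config || docker run -v /etc/openvpn/ --name OpenVPN-Config busybox true`. `-e "CLIENTNAMES=\"randall android iphone\""` passes the literal quote characters into the container, so the first and last client names become `"randall` and `iphone"`. `docker run -d --privileged` grants the VPN container every capability and all host devices; on current Docker, `--cap-add=NET_ADMIN --device /dev/net/tun` covers what the `iptables` and tun setup in `bin/run` need and is the least-privilege form. The script has no `set -e`, so a failed `docker build` still proceeds to stop and remove the running VPN.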
@@ -11,27 +11,27 @@ cd /etc/openvpn/ SERVER_TCP_PORT=${SERVER_TCP_PORT:-443} SERVER_UDP_PORT=${SERVER_UDP_PORT:-1194} -EASY_RSA="/usr/share/easy-rsa/" -OPENSSL="openssl" -PKCS11TOOL="pkcs11-tool" -GREP="grep" -KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf" -KEY_DIR="/etc/openvpn/keys" -PKCS11_MODULE_PATH="dummy" -PKCS11_PIN="dummy" - -KEY_SIZE=${KEY_SIZE:-2048} -CA_EXPIRE=${CA_EXPIRE:-3650} -KEY_EXPIRE=${KEY_EXPIRE:-3650} -KEY_COUNTRY="${KEY_COUNTRY:-US}" -KEY_PROVINCE="${KEY_PROVINCE:-CA}" -KEY_CITY="${KEY_CITY:-SanFrancisco}" -KEY_ORG="${KEY_ORG:-Fort-Funston}" -KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" -KEY_OU="${KEY_OU:-MyOrganizationalUnit}" -KEY_NAME="${KEY_NAME:-EasyRSA}" -SERVERNAME="${SERVERNAME:-dockvpn}" -CLIENTNAMES="${CLIENTNAMES:-clash}" +export EASY_RSA="/usr/share/easy-rsa/" +export OPENSSL="openssl" +export PKCS11TOOL="pkcs11-tool" +export GREP="grep" +export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf" +export KEY_DIR="/etc/openvpn/keys" +export PKCS11_MODULE_PATH="dummy" +export PKCS11_PIN="dummy" + +export KEY_SIZE=${KEY_SIZE:-2048} +export CA_EXPIRE=${CA_EXPIRE:-3650} +export KEY_EXPIRE=${KEY_EXPIRE:-3650} +export KEY_COUNTRY="${KEY_COUNTRY:-US}" +export KEY_PROVINCE="${KEY_PROVINCE:-CA}" +export KEY_CITY="${KEY_CITY:-SanFrancisco}" +export KEY_ORG="${KEY_ORG:-Fort-Funston}" +export KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" +export KEY_OU="${KEY_OU:-MyOrganizationalUnit}" +export KEY_NAME="${KEY_NAME:-EasyRSA}" +export SERVERNAME="${SERVERNAME:-dockvpn}" +export CLIENTNAMES="${CLIENTNAMES:-clash}" [ -d $KEY_DIR ] || $EASY_RSA/clean-all @@ -106,6 +106,7 @@ status openvpn-status.tcp.log verb 3 EOF +[ "$MY_IP_ADDR" ] || { ping -c 1 -n $SERVERNAME && MY_IP_ADDR=$SERVERNAME [ "$MY_IP_ADDR" ] || { MY_IP_ADDR=${MY_IP_ADDR:-$(curl -s http://myip.enix.org/REMOTE_ADDR)} @@ -116,6 +117,7 @@ ping -c 1 -n $SERVERNAME && MY_IP_ADDR=$SERVERNAME exit 1 } } +} for CLIENTNAME in $CLIENTNAMES do 
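Review bot: The new `[ "$MY_IP_ADDR" ] || {` wrapper lets the operator pin the address clients dial, which is the right default: the fallback inside it still fetches the server's address from `http://myip.enix.org/REMOTE_ADDR` over plain HTTP and writes it straight into every client profile's `remote` line, so whatever that host or anything on the path returns becomes the endpoint every client tries. With `tls-auth` and the embedded CA presumably still authenticating the server, a wrong address most likely means clients fail to connect rather than connect elsewhere, but it remains a silent dependency on a third party; logging the chosen source, `echo "using $MY_IP_ADDR as server address" >&2`, and preferring an `https://` lookup would help. `ping -c 1 -n $SERVERNAME && MY_IP_ADDR=$SERVERNAME` also treats local resolvability as proof that clients can reach the name, which is not the same thing.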
@@ -177,7 +179,8 @@ EOF [ -d ${CLIENTNAME}.tblk ] || { mkdir ${CLIENTNAME}.tblk - mv client.${CLIENTNAME}.ovpn ${KEY_DIR}/$CLIENTNAME.key ${KEY_DIR}/$CLIENTNAME.crt ${KEY_DIR}/ca.crt ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_DIR}/ta.key ${CLIENTNAME}.tblk + mv client.${CLIENTNAME}.ovpn ${CLIENTNAME}.tblk + cp ${KEY_DIR}/$CLIENTNAME.key ${KEY_DIR}/$CLIENTNAME.crt ${KEY_DIR}/ca.crt ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_DIR}/ta.key ${CLIENTNAME}.tblk zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk } diff --git a/runDockVPN.sh b/runDockVPN.sh index 7ad6306..525df39 100755 --- a/runDockVPN.sh +++ b/runDockVPN.sh 
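Review bot: Switching to `cp ${KEY_DIR}/$CLIENTNAME.key …` fixes the shared-file breakage, but each client's private key now exists in at least five places under `/etc/openvpn`: `keys/`, `${CLIENTNAME}.tblk/`, `${CLIENTNAME}.tblk.zip`, `${CLIENTNAME}.zip`, and inline in `client.${CLIENTNAME}.combined.ovpn`. None of these lines set permissions, so the copies inherit the default umask; `umask 077` at the top of `bin/run`, or `chmod -R go-rwx ${CLIENTNAME}.tblk ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.zip` after the `zip` calls, keeps them owner-only. A line in the README telling operators to delete the archives once imported would reduce the sprawl further.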
@@ -1,26 +1,35 @@ -docker build -t="dockvpn" . # Build this Dockerfile +#!/bin/bash + +sudo git pull && sudo chown -R rmason:rmason . + +docker build -t="clashthebunny/dockvpn:0.1-armel" . # create a container that's just saving the state of /etc/openvpn/ # this won't overwrite something that exists -docker ps -a | grep -q OpenVpn-Config || docker run -v /etc/openvpn/ --name OpenVPN-Config busybox true +docker ps -a | grep -q OpenVPN-Config || docker run -v /etc/openvpn/ --name OpenVPN-Config busybox true # delete any old builds docker stop dockvpn; docker rm dockvpn # run this new build -docker run -d --privileged --volumes-from OpenVPN-Config --name dockvpn \ - -e "SERVER_TCP_PORT=1197" \ - -e "SERVER_UDP_PORT=1197" \ - -e "KEY_SIZE=2048" \ - -e "CA_EXPIRE=3650" \ - -e "KEY_EXPIRE=3650" \ - -e "KEY_COUNTRY=US" \ - -e "KEY_PROVINCE=Massachusetts" \ - -e "KEY_CITY=Boston" \ - -e "KEY_ORG=MasonFamily" \ - -e "KEY_EMAIL=randall@mason.ch" \ - -e "KEY_OU=TheITGuy" \ - -e "KEY_NAME=DockVpN" \ - -e "SERVERNAME=vpn3.boston.mason.ch" \ - -e "CLIENTNAMES=\"randall android iphone\"" \ - dockvpn run +docker run -d --privileged --volumes-from OpenVPN-Config --name dockvpn \ + -e "SERVER_TCP_PORT=1197" `# some unused port` \ + -e "SERVER_UDP_PORT=1197" `# same or different from above` \ + -e "KEY_SIZE=2048" `# 2048 ought to be enough for anybody` \ + -e "CA_EXPIRE=3650" `# 10 years` \ + -e "KEY_EXPIRE=3650" `# still 10 years` \ + -e "KEY_COUNTRY=US" `# where are you` \ + -e "KEY_PROVINCE=Massachusetts" `# no, really, where are you` \ + -e "KEY_CITY=Boston" `# no, exactly, where are you` \ + -e "KEY_ORG=MasonFamily" `# and where do you work` \ + -e "KEY_EMAIL=randall@mason.ch" `# and how can you be reached?` \ + -e "KEY_OU=TheITGuy" `# IT, as disfunctional as that is` \ + -e "KEY_NAME=DockVpN" `# This is the name of this system` \ + -e "SERVERNAME=timeru.mason.ch" `# the hostname of the server, external`\ + -e "CLIENTNAMES=randall android iphone" `# space seperated list of 
clients` \ + -e "MY_IP_ADDR=192.168.128.138" `# The server\'s IP, if all else fails` \ + clashthebunny/dockvpn:0.1-armel bash -c 'bash -x $(which run)' + +echo "now get your config files from here:" +sudo ls -lah $(docker inspect OpenVPN-Config | python -c 'import json,fileinput; print json.loads("".join(fileinput.input()))[0]["Volumes"]["/etc/openvpn"]') +echo $(docker inspect OpenVPN-Config | python -c 'import json,fileinput; print json.loads("".join(fileinput.input()))[0]["Volumes"]["/etc/openvpn"]') From 5170005219370361ec4799f8a16cad3a7cb3c664 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Fri, 6 Jun 2014 12:53:25 +0300 Subject: [PATCH 16/21] autodetect hostname and arch --- runDockVPN.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/runDockVPN.sh b/runDockVPN.sh index 525df39..a629174 100755 --- a/runDockVPN.sh +++ b/runDockVPN.sh @@ -2,7 +2,7 @@ sudo git pull && sudo chown -R rmason:rmason . -docker build -t="clashthebunny/dockvpn:0.1-armel" . +docker build -t="clashthebunny/dockvpn:0.1-$(dpkg --print-architecture 2>/dev/null || echo amd64)" . # create a container that's just saving the state of /etc/openvpn/ # this won't overwrite something that exists 
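Review bot: `sudo git pull && sudo chown -R rmason:rmason .` bakes one user's account name into a script that is meant for other hosts and runs a network fetch as root before anything else; `$(id -un)` or dropping the line (as the next commit does) is preferable. `clashthebunny/dockvpn:0.1-armel bash -c 'bash -x $(which run)'` overrides the image's `CMD run` so the production container permanently runs under xtrace, and with `-d` every expanded command line goes to `docker logs`; any secret that is ever passed as a command-line argument in `bin/run` (the `-password pass:` form this series used until patch 13 is an example) would be logged that way. Tracing belongs behind a flag, e.g. `[ -n "$DEBUG" ] && set -x` at the top of `bin/run`, with the image's `CMD` used as-is. The `` `# comment` `` trick on each `-e` line works, but each backtick forks a subshell; a comment block above the command reads the same and is cheaper.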
@@ -25,11 +25,9 @@ docker run -d --privileged --volumes-from OpenVPN-Config --name dockvpn -e "KEY_EMAIL=randall@mason.ch" `# and how can you be reached?` \ -e "KEY_OU=TheITGuy" `# IT, as disfunctional as that is` \ -e "KEY_NAME=DockVpN" `# This is the name of this system` \ - -e "SERVERNAME=timeru.mason.ch" `# the hostname of the server, external`\ + -e "SERVERNAME=$(uname -n)" `# the hostname of the server, external`\ -e "CLIENTNAMES=randall android iphone" `# space seperated list of clients` \ - -e "MY_IP_ADDR=192.168.128.138" `# The server\'s IP, if all else fails` \ - clashthebunny/dockvpn:0.1-armel bash -c 'bash -x $(which run)' + clashthebunny/dockvpn:0.1-$(dpkg --print-architecture 2>/dev/null || echo amd64) bash -c 'bash -x $(which run)' echo "now get your config files from here:" -sudo ls -lah $(docker inspect OpenVPN-Config | python -c 'import json,fileinput; print json.loads("".join(fileinput.input()))[0]["Volumes"]["/etc/openvpn"]') echo $(docker inspect OpenVPN-Config | python -c 'import json,fileinput; print json.loads("".join(fileinput.input()))[0]["Volumes"]["/etc/openvpn"]') From 53dbeda8444111424feac8f05e393c6274710da1 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Fri, 6 Jun 2014 13:28:16 +0300 Subject: [PATCH 17/21] fix runDockVPN.sh so it tags images better, use non python detection of OpenVPN-Config directory --- runDockVPN.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/runDockVPN.sh b/runDockVPN.sh index a629174..0c5fb27 100755 --- a/runDockVPN.sh +++ b/runDockVPN.sh @@ -1,8 +1,7 @@ #!/bin/bash -sudo git pull && sudo chown -R rmason:rmason . - -docker build -t="clashthebunny/dockvpn:0.1-$(dpkg --print-architecture 2>/dev/null || echo amd64)" . +TAG="clashthebunny/dockvpn:0.1-$(dpkg --print-architecture 2>/dev/null || echo amd64)" +docker build -t="$TAG" . # create a container that's just saving the state of /etc/openvpn/ # this won't overwrite something that exists 
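Review bot: `-e "SERVERNAME=$(uname -n)"` feeds the host's kernel node name into the script, where, as far as I can see from `bin/run`, it becomes both the server certificate's name and the first candidate for `MY_IP_ADDR` via `ping -c 1 -n $SERVERNAME`; on most hosts `uname -n` is the short hostname, which resolves locally but not from the clients' networks, so profiles would carry an unreachable `remote` unless the HTTP fallback kicks in. `hostname -f`, or an explicit documented variable, gives the external name the comment on that line asks for. Removing the `MY_IP_ADDR=192.168.128.138` override in the same hunk makes this more likely to bite.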
@@ -27,7 +26,8 @@ docker run -d --privileged --volumes-from OpenVPN-Config --name dockvpn -e "KEY_NAME=DockVpN" `# This is the name of this system` \ -e "SERVERNAME=$(uname -n)" `# the hostname of the server, external`\ -e "CLIENTNAMES=randall android iphone" `# space seperated list of clients` \ - clashthebunny/dockvpn:0.1-$(dpkg --print-architecture 2>/dev/null || echo amd64) bash -c 'bash -x $(which run)' + "$TAG" bash -c 'bash -x $(which run)' echo "now get your config files from here:" -echo $(docker inspect OpenVPN-Config | python -c 'import json,fileinput; print json.loads("".join(fileinput.input()))[0]["Volumes"]["/etc/openvpn"]') +#echo $(docker inspect OpenVPN-Config | python -c 'import json,fileinput; print json.loads("".join(fileinput.input()))[0]["Volumes"]["/etc/openvpn"]') +echo $(docker inspect OpenVPN-Config | grep -A1 Volumes | cut -d \" -f 4 | grep "\/") From 6ec2a3031334c9691863fc6bec780936019d0a17 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Fri, 6 Jun 2014 13:39:40 +0300 Subject: [PATCH 18/21] update README.md --- Dockerfile | 2 +- README.md | 85 ++++++++++-------------------------------------------- 2 files changed, 16 insertions(+), 71 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2f49965..79b1592 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM clashthebunny/debian-armel:jessie +FROM ubuntu:trusty MAINTAINER randall@mason.ch RUN apt-get update -q diff --git a/README.md b/README.md index 89a1c48..f4c038c 100644 --- a/README.md +++ b/README.md 
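Review bot: `docker inspect OpenVPN-Config | grep -A1 Volumes | cut -d \" -f 4 | grep "\/"` depends on the JSON being pretty-printed with the path on the line after `Volumes` and on it being the fourth quote-delimited field; `docker inspect` has a Go-template formatter for exactly this, and the path the commented-out Python line used translates directly: `docker inspect -f '{{ index .Volumes "/etc/openvpn" }}' OpenVPN-Config`. With that in place, the `#echo … python -c …` line can be deleted rather than kept as a comment. The `echo $(…)` wrapper is redundant as well — the command's own stdout is what gets printed.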
@@ -2,58 +2,24 @@ Quick instructions: +Edit the environment variables half way down runDockVPN.sh and then run it: ```bash -CID=$(docker run -d --privileged -p 1194:1194/udp -p 443:443/tcp jpetazzo/openvpn) -docker run -t -i -p 8080:8080 --volumes-from $CID jpetazzo/openvpn serveconfig +vim runDockVPN.sh +./runDockVPN.sh ``` +it will print out the directory where your OpenVPN configuration files +are stored and you should get those (SECURELY!!!) to your local directory: +```bash +rsync -avH --rsync-path="sudo rsync" userWithSudo@dockerHost:/ OpenVPN-Config/ +``` +then you can directly import those files into Ubuntu's Network Manager, +TunnelBlick, iPhone or Android's OpenVPN Connect, or pretty much anywhere. -Now download the file located at the indicated URL. You will get a -certificate warning, since the connection is done over SSL, but we are -using a self-signed certificate. After downloading the configuration, -stop the `serveconfig` container. You can restart it later if you need -to re-download the configuration, or to download it to multiple devices. - -The file can be used immediately as an OpenVPN profile. It embeds all the -required configuration and credentials. It has been tested successfully on -Linux, Windows, and Android clients. If you can test it on OS X and iPhone, -let me know! - -**Note:** there is a [bug in the Android Download Manager]( -http://code.google.com/p/android/issues/detail?id=3492) which prevents -downloading files from untrusted SSL servers; and in that case, our -self-signed certificate means that our server is untrusted. If you -try to download with the default browser on your Android device, -it will show the download as "in progress" but it will remain stuck. -You can download it with Firefox; or you can transfer it with another -way: Dropbox, USB, micro-SD card... 
- -If you reboot the server (or stop the container) and you `docker run` -again, you will create a new service (with a new configuration) and -you will have to re-download the configuration file. However, you can -use `docker start` to restart the service without touching the configuration. - - -## How does it work? - -When the `jpetazzo/openvpn` image is started, it generates: - -- Diffie-Hellman parameters, -- a private key, -- a self-certificate matching the private key, -- two OpenVPN server configurations (for UDP and TCP), -- an OpenVPN client profile. - -Then, it starts two OpenVPN server processes (one on 1194/udp, another -on 443/tcp). - -The configuration is located in `/etc/openvpn`, and the Dockerfile -declares that directory as a volume. It means that you can start another -container with the `--volumes-from` flag, and access the configuration. -Conveniently, `jpetazzo/openvpn` comes with a script called `serveconfig`, -which starts a pseudo HTTPS server on `8080/tcp`. The pseudo server -does not even check the HTTP request; it just sends the HTTP status line, -headers, and body right away. - +Since the configuration files are in a seperate volume only container named OpenVPN-Config, +any reboots or restarts will start you back off where you were. Just re-run the script. +If you need to add hosts to your server, just edit and re-run the script. It will restart +OpenVPN, but it will re-create the needed files. A new script to add hosts without a restart +is easy to create, and will hopefully be added later. ## OpenVPN details 
@@ -74,24 +40,3 @@ directly reachable, since you will try to reach them through the VPN and they might not answer to you. If that happens, use public DNS resolvers like those of Google (8.8.4.4 and 8.8.8.8) or OpenDNS (208.67.222.222 and 208.67.220.220). - - -## Security discussion - -For simplicity, the client and the server use the same private key and -certificate. This is certainly a terrible idea. If someone can get their -hands on the configuration on one of your clients, they will be able to -connect to your VPN, and you will have to generate new keys. Which is, -by the way, extremely easy, since each time you `docker run` the OpenVPN -image, a new key is created. If someone steals your configuration file -(and key), they will also be able to impersonate the VPN server (if they -can also somehow hijack your connection). - -It would probably be a good idea to generate two sets of keys. - -It would probably be even better to generate the server key when -running the container for the first time (as it is done now), but -generate a new client key each time the `serveconfig` command is -called. The command could even take the client CN as argument, and -another `revoke` command could be used to revoke previously issued -keys. From 6efebc0b529dd21d68071ac13aee9671764d40d8 Mon Sep 17 00:00:00 2001 From: Randall Mason Date: Fri, 6 Jun 2014 13:44:32 +0300 Subject: [PATCH 19/21] More options for getting config files out in README --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index f4c038c..8b8e828 100644 --- a/README.md +++ b/README.md 
@@ -12,6 +12,12 @@ are stored and you should get those (SECURELY!!!) to your local directory:
 ```bash
 rsync -avH --rsync-path="sudo rsync" userWithSudo@dockerHost:/ OpenVPN-Config/
 ```
+or
+```bash
+docker run -rm --volumes-from OpenVPN-Config busybox tar cvf - /etc/openvpn/ \
+ | ssh mobile@jailBrokeniPhone "mkdir OpenVPN-Config; tar -xvf - -C OpenVPN-Config/"
+```
+
 then you can directly import those files into Ubuntu's Network Manager,
 TunnelBlick, iPhone or Android's OpenVPN Connect, or pretty much anywhere.

From fbce001e26f7f5b2bba9a34520a059b2492977e6 Mon Sep 17 00:00:00 2001
From: Randall Mason
Date: Tue, 10 Jun 2014 12:41:33 +0300
Subject: [PATCH 20/21] make the server stateless besides the CA and Keys, open ports on the router if upnpc is installed, or if you pass UPNP_URL, have all servers save connection hints for multiple servers using the same OpenVPN-Config volume
---
 Dockerfile | 6 +-
 README.md | 14 --
 bin/client.combined.template | 32 +++++
 bin/client.template | 19 +++
 bin/run | 251 ++++++++++++++---------------------
 bin/server_stanza.template | 7 +
 runDockVPN.sh | 73 ++++++----
 7 files changed, 209 insertions(+), 193 deletions(-)
 create mode 100755 bin/client.combined.template
 create mode 100755 bin/client.template
 create mode 100644 bin/server_stanza.template
diff --git a/Dockerfile b/Dockerfile
index 79b1592..0865797 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM ubuntu:trusty
 MAINTAINER randall@mason.ch

 RUN apt-get update -q
-RUN apt-get install -qy openvpn iptables socat zip easy-rsa curl
+RUN apt-get install -qy openvpn iptables socat zip easy-rsa curl gettext-base miniupnpc
 ADD ./bin /usr/local/sbin
-EXPOSE 443/tcp 1194/udp 8080/tcp
-CMD run
+
+CMD ["/usr/local/sbin/run"]
diff --git a/README.md b/README.md
index 8b8e828..fc10a8f 100644
--- a/README.md
+++ b/README.md
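Review bot: The new `RUN apt-get install -qy ... gettext-base miniupnpc` line still runs in a separate layer from the `RUN apt-get update -q` above it, so a rebuild that reuses the cached update layer installs from a stale package index, and the downloaded lists are never removed from the image. Fold both into one layer, `RUN apt-get update -q && apt-get install -qy --no-install-recommends openvpn iptables socat zip easy-rsa curl gettext-base miniupnpc && rm -rf /var/lib/apt/lists/*`. Dropping `EXPOSE` also removes the only record of which ports the image serves; since the port is now chosen at run time, a comment next to `CMD`, `# listening port/proto are chosen at run time via SERVER_PORT/SERVER_PROTO; publish with -p`, keeps that contract documented. `ADD ./bin /usr/local/sbin` copies plain local files and should be `COPY`.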
@@ -32,17 +32,3 @@ is easy to create, and will hopefully be added later.
 We use `tun` mode, because it works on the widest range of devices. `tap` mode, for instance, does not work on Android, except if the device is rooted.
-
-The topology used is `net30`, because it works on the widest range of OS.
-`p2p`, for instance, does not work on Windows.
-
-The TCP server uses `192.168.255.0/25` and the UDP server uses
-`192.168.255.128/25`.
-
-The client profile specifies `redirect-gateway def1`, meaning that after
-establishing the VPN connection, all traffic will go through the VPN.
-This might cause problems if you use local DNS recursors which are not
-directly reachable, since you will try to reach them through the VPN
-and they might not answer to you. If that happens, use public DNS
-resolvers like those of Google (8.8.4.4 and 8.8.8.8) or OpenDNS
-(208.67.222.222 and 208.67.220.220).
diff --git a/bin/client.combined.template b/bin/client.combined.template
new file mode 100755
index 0000000..272be47
--- /dev/null
+++ b/bin/client.combined.template
@@ -0,0 +1,32 @@
+client
+dev tun
+nobind
+resolv-retry infinite
+persist-key
+persist-tun
+
+cipher BF-CBC
+comp-lzo
+passtos
+mssfix
+verb 3
+
+redirect-gateway def1
+
+
+$CLIENT_KEY
+
+
+$CLIENT_CRT
+
+
+$CA_CRT
+
+
+$DH_PARAMS
+
+key-direction 1
+
+$TA_KEY
+
+
diff --git a/bin/client.template b/bin/client.template
new file mode 100755
index 0000000..e853c05
--- /dev/null
+++ b/bin/client.template
@@ -0,0 +1,19 @@
+client
+dev tun
+nobind
+resolv-retry infinite
+persist-key
+persist-tun
+
+cipher BF-CBC
+comp-lzo
+passtos
+mssfix
+verb 3
+
+redirect-gateway def1
+
+ca ca.crt
+cert ${CLIENTNAME}.crt
+key ${CLIENTNAME}.key
+tls-auth ta.key 1
diff --git a/bin/run b/bin/run
index 4fea103..f03f890 100755
--- a/bin/run
+++ b/bin/run
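Review bot: Both new templates pin `cipher BF-CBC`, a 64-bit-block cipher that exposes long-lived tunnels to birthday-bound attacks and that current OpenVPN releases no longer accept by default; `cipher AES-256-CBC` is the conservative replacement and must then also be set on the server side, which in this commit relies on OpenVPN's default. The same line appears in `bin/client.template` in the following hunk. `$DH_PARAMS` in `client.combined.template` embeds the server's Diffie-Hellman parameters into every client profile although a client never uses them; the surrounding block can be dropped (its tags are not visible on this page, so check the file itself). `comp-lzo` turns on tunnel compression, which is generally discouraged where secrets and attacker-influenced content share the link.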
@@ -6,17 +6,17 @@ set -e
 [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200

-cd /etc/openvpn/
+CONFIG_DIR=${CONFIG_DIR:-/etc/openvpn}
+SCRIPT_PATH=$(cd `dirname "${BASH_SOURCE[0]}"` && pwd)

-SERVER_TCP_PORT=${SERVER_TCP_PORT:-443}
-SERVER_UDP_PORT=${SERVER_UDP_PORT:-1194}
+cd ${CONFIG_DIR}

 export EASY_RSA="/usr/share/easy-rsa/"
 export OPENSSL="openssl"
 export PKCS11TOOL="pkcs11-tool"
 export GREP="grep"
 export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
-export KEY_DIR="/etc/openvpn/keys"
+export KEY_DIR="$CONFIG_DIR/keys"
 export PKCS11_MODULE_PATH="dummy"
 export PKCS11_PIN="dummy"
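Review bot: `cd ${CONFIG_DIR}` and the new `SCRIPT_PATH` assignment leave their expansions unquoted, so a `CONFIG_DIR` taken from the container environment that contains whitespace makes `cd` fail or land in the wrong directory, and under `set -e` everything after it stops; the later `$KEY_DIR` uses inherit the same value. Quote both: `cd "${CONFIG_DIR}"` and `SCRIPT_PATH=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)`. The `set -e` preamble this hunk belongs to starts before the hunk.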
@@ -30,174 +30,119 @@ export KEY_ORG="${KEY_ORG:-Fort-Funston}" export KEY_EMAIL="${KEY_EMAIL:-me@myhost.mydomain}" export KEY_OU="${KEY_OU:-MyOrganizationalUnit}" export KEY_NAME="${KEY_NAME:-EasyRSA}" -export SERVERNAME="${SERVERNAME:-dockvpn}" +export SERVER_NAME="${SERVER_NAME:-$(uname -n)}" export CLIENTNAMES="${CLIENTNAMES:-clash}" [ -d $KEY_DIR ] || $EASY_RSA/clean-all + [ -f $KEY_DIR/ca.crt ] || "$EASY_RSA/pkitool" --initca -[ -f $KEY_DIR/${SERVERNAME}.crt ] || - "$EASY_RSA/pkitool" --server "${SERVERNAME}" +export CA_CRT=$(< $KEY_DIR/ca.crt ) + +[ -f $KEY_DIR/${SERVER_NAME}.crt ] || + "$EASY_RSA/pkitool" --server "${SERVER_NAME}" + [ -f $KEY_DIR/dh${KEY_SIZE}.pem ] || $EASY_RSA/build-dh +export DH_PARAMS=$(< $KEY_DIR/dh${KEY_SIZE}.pem) + [ -f $KEY_DIR/ta.key ] || openvpn --genkey --secret $KEY_DIR/ta.key - -[ -f server.udp.conf ] || cat >server.udp.conf <server.tcp.conf < ${SERVER_NAME}-${SERVER_IP}-${SERVER_PROTO}-${SERVER_PORT}.servers for CLIENTNAME in $CLIENTNAMES do + export CLIENTNAME [ -f $KEY_DIR/${CLIENTNAME}.key ] || "$EASY_RSA/pkitool" "${CLIENTNAME}" + export CLIENT_KEY=$(< $KEY_DIR/$CLIENTNAME.key) + export CLIENT_CRT=$(< $KEY_DIR/$CLIENTNAME.crt) + [ -f $KEY_DIR/${CLIENTNAME}.p12 ] || $OPENSSL pkcs12 -export -inkey $KEY_DIR/$CLIENTNAME.key -in $KEY_DIR/$CLIENTNAME.crt -certfile $KEY_DIR/ca.crt -out $KEY_DIR/$CLIENTNAME.p12 -password pass:"" -[ -f client.${CLIENTNAME}.ovpn ] || { cat >client.${CLIENTNAME}.combined.ovpn < -remote $MY_IP_ADDR ${SERVER_UDP_PORT} udp - - - -remote $MY_IP_ADDR ${SERVER_TCP_PORT} tcp-client - -EOF - -cp client.${CLIENTNAME}.combined.ovpn client.${CLIENTNAME}.ovpn - -cat >>client.${CLIENTNAME}.ovpn<>client.${CLIENTNAME}.combined.ovpn< -`cat ${KEY_DIR}/$CLIENTNAME.key` - - -`cat ${KEY_DIR}/$CLIENTNAME.crt` - - -`cat ${KEY_DIR}/ca.crt` - - -`cat ${KEY_DIR}/dh${KEY_SIZE}.pem` - - -EOF -} - -[ -d ${CLIENTNAME}.tblk ] || { - mkdir ${CLIENTNAME}.tblk - mv client.${CLIENTNAME}.ovpn ${CLIENTNAME}.tblk - cp 
${KEY_DIR}/$CLIENTNAME.key ${KEY_DIR}/$CLIENTNAME.crt ${KEY_DIR}/ca.crt ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_DIR}/ta.key ${CLIENTNAME}.tblk - zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk - zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk -} - -[ -f client.${CLIENTNAME}.http ] || cat >client.${CLIENTNAME}.http < client.${CLIENTNAME}.combined.ovpn + cat $SCRIPT_PATH/client.template | envsubst > client.${CLIENTNAME}.ovpn + # Add in each server template to the bottom of the config, newest first for only the current server: + # for SERVER_STANZA in "$(ls -t ${SERVER_NAME}*servers)" + # Add in each server template to the bottom of the config, newest first for all servers using this same OpenVPN-Config: + for SERVER_STANZA in "$(ls -t *servers)" + do + cat $SERVER_STANZA >> client.${CLIENTNAME}.combined.ovpn + cat $SERVER_STANZA >> client.${CLIENTNAME}.ovpn + done + + } + + #[ -d ${CLIENTNAME}.tblk ] || { + { + mkdir -p ${CLIENTNAME}.tblk + mv client.${CLIENTNAME}.ovpn ${CLIENTNAME}.tblk + cp ${KEY_DIR}/$CLIENTNAME.key ${KEY_DIR}/$CLIENTNAME.crt ${KEY_DIR}/ca.crt ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_DIR}/ta.key ${CLIENTNAME}.tblk + zip -r ${CLIENTNAME}.tblk.zip ${CLIENTNAME}.tblk + zip -jr ${CLIENTNAME}.zip ${CLIENTNAME}.tblk + } + +# #[ -f client.${CLIENTNAME}.http ] || cat >client.${CLIENTNAME}.http <client.${CLIENTNAME}.http <> tcp.log & -while true ; do openvpn server.udp.conf; done >> udp.log & -tail -F *.log +set -x + +iptables -t nat -A POSTROUTING -s ${SERVER_NETWORK:-192.168.255.128}/${SERVER_NETMASK:-255.255.255.128} -o eth0 -j MASQUERADE + +openvpn \ + --ca ${KEY_DIR}/ca.crt \ + --cert ${KEY_DIR}/${SERVER_NAME}.crt \ + --key ${KEY_DIR}/${SERVER_NAME}.key \ + --dh ${KEY_DIR}/dh${KEY_SIZE}.pem \ + --tls-auth ${KEY_DIR}/ta.key 0 \ + --port ${SERVER_PORT:-1194} \ + --proto ${SERVER_PROTO:-udp} \ + --dev ${SERVER_DEV:-tun} \ + --topology ${SERVER_TOPOLOGY:-subnet} \ + --server ${SERVER_NETWORK:-192.168.255.128} ${SERVER_NETMASK:-255.255.255.128} \ + --push "dhcp-option 
DNS ${DNS_SERVER:-8.8.8.8}" \
+ --max-clients ${SERVER_MAX_CLIENTS:-20} \
+ --ifconfig-pool-persist ipp.${SERVER_PROTO:-udp}.txt \
+ --push "redirect-gateway def1 bypass-dhcp" \
+ --persist-key \
+ --persist-tun \
+ --comp-lzo \
+ --mode server \
+ --tls-server \
+ --user ${SERVER_USER:-nobody} \
+ --group ${SERVER_GROUP:-nogroup} \
+ --keepalive 10 120 \
+ --status openvpn-status.udp.log \
+ --verb 3
diff --git a/bin/server_stanza.template b/bin/server_stanza.template
new file mode 100644
index 0000000..eca8364
--- /dev/null
+++ b/bin/server_stanza.template
@@ -0,0 +1,7 @@
+
+
+remote $SERVER_IP ${SERVER_PORT} ${SERVER_PROTO}
+
+
+remote $SERVER_NAME ${SERVER_PORT} ${SERVER_PROTO}
+
diff --git a/runDockVPN.sh b/runDockVPN.sh
index 0c5fb27..1299e76 100755
--- a/runDockVPN.sh
+++ b/runDockVPN.sh
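Review bot: The client loop writes `client.${CLIENTNAME}.combined.ovpn`, the `.tblk` copies and the zip archives, all of which carry the client's private key, into `$CONFIG_DIR` with whatever umask the container inherited, and no `chmod` is visible; a `umask 077` before the `for CLIENTNAME` loop would keep every generated profile owner-readable only. `for SERVER_STANZA in "$(ls -t *servers)"` quotes the substitution, so the loop body runs once with the whole listing as a single word and only works because the following `cat $SERVER_STANZA` word-splits it again; dropping the quotes keeps the newest-first order the comment asks for and makes the iteration explicit. The `openvpn` invocation ends with `--status openvpn-status.udp.log` although the protocol is selectable, so a tcp instance sharing the volume overwrites the udp status file; `--status openvpn-status.${SERVER_PROTO:-udp}.log` matches the `--ifconfig-pool-persist` naming earlier in the same command. Much of the removed heredoc content is not visible on this page, so the middle of the hunk is reviewed only by its surviving lines.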
@@ -1,32 +1,59 @@
 #!/bin/bash
+# Bash inline comments per: http://stackoverflow.com/a/12797512/317670
+
 TAG="clashthebunny/dockvpn:0.1-$(dpkg --print-architecture 2>/dev/null || echo amd64)"
 docker build -t="$TAG" .

 # create a container that's just saving the state of /etc/openvpn/
-# this won't overwrite something that exists
-docker ps -a | grep -q OpenVPN-Config || docker run -v /etc/openvpn/ --name OpenVPN-Config busybox true
-
-# delete any old builds
-docker stop dockvpn; docker rm dockvpn
-
-# run this new build
-docker run -d --privileged --volumes-from OpenVPN-Config --name dockvpn \
- -e "SERVER_TCP_PORT=1197" `# some unused port` \
- -e "SERVER_UDP_PORT=1197" `# same or different from above` \
- -e "KEY_SIZE=2048" `# 2048 ought to be enough for anybody` \
- -e "CA_EXPIRE=3650" `# 10 years` \
- -e "KEY_EXPIRE=3650" `# still 10 years` \
- -e "KEY_COUNTRY=US" `# where are you` \
- -e "KEY_PROVINCE=Massachusetts" `# no, really, where are you` \
- -e "KEY_CITY=Boston" `# no, exactly, where are you` \
- -e "KEY_ORG=MasonFamily" `# and where do you work` \
- -e "KEY_EMAIL=randall@mason.ch" `# and how can you be reached?` \
- -e "KEY_OU=TheITGuy" `# IT, as disfunctional as that is` \
- -e "KEY_NAME=DockVpN" `# This is the name of this system` \
- -e "SERVERNAME=$(uname -n)" `# the hostname of the server, external`\
- -e "CLIENTNAMES=randall android iphone" `# space seperated list of clients` \
- "$TAG" bash -c 'bash -x $(which run)'
+# this won't overwrite something that exists. If you set this to
+# something other than /etc/openvpn, be sure to change $CONFIG_DIR.
+CONFIG_DIR="/etc/openvpn"
+docker ps -a | grep -q OpenVPN-Config || docker run -v $CONFIG_DIR --name OpenVPN-Config busybox true
+
+SERVER_PORT=${SERVER_PORT:-1194}
+SERVER_PROTO=${SERVER_PROTO:-udp}
+
+UPNP_URL=$(upnpc -s | grep IGD | sed -e 's/.*http/http/g')
+# TODO: add pagekite and/or ngrok support
+
+# delete any old builds or running vpn clients.
+docker ps | grep -q " dockvpn-$SERVER_PROTO-$SERVER_PORT " && docker stop dockvpn-$SERVER_PROTO-$SERVER_PORT
+docker ps -a | grep -q " dockvpn-$SERVER_PROTO-$SERVER_PORT " && docker rm dockvpn-$SERVER_PROTO-$SERVER_PORT
+
+# Run this new build. All the environment variables below are the default in the run script and therefore optional
+# You can always override everything by adding a command on the end of the tag. This is because I don't use entrypoint
+# This means that once you have a good stable config and openvpn command, just run the openvpn command at the end of the
+# line and drop all of the environment variables.
+docker run --privileged -t -i --volumes-from OpenVPN-Config \
+ --name dockvpn-$SERVER_PROTO-$SERVER_PORT \
+ -e "UPNP_URL=$UPNP_URL" `# url to control router` \
+ -e "SERVER_PORT=$SERVER_PORT" `# some unused port` \
+ -e "SERVER_PROTO=$SERVER_PROTO" `# udp or tcp` \
+ -e "SERVER_USER=nobody" `# DROP ROOT PRIVELEGES` \
+ -e "SERVER_GROUP=nogroup" `# DROP ROOT GROUP` \
+ -e "SERVER_DEV=tun" `# tun will create the next tunX dev` \
+ -e "SERVER_TOPOLOGY=subnet" `# subnet, p2p, or net30` \
+ -e "SERVER_MAX_CLIENTS=20" `# You know, how many phones you got?` \
+ -e "SERVER_NETWORK=192.168.255.0" `# A uniq address space among clients` \
+ -e "SERVER_NETMASK=255.255.255.128" `# netmask for above network` \
+ -e "DNS_SERVER=8.8.8.8" `# Google\'s last service: xkcd.com/1361/` \
+ -e "CONFIG_DIR=$CONFIG_DIR" `# What does OpenVPN-Config share` \
+ -e "KEY_SIZE=2048" `# 2048 ought to be enough for anybody...` \
+ -e "CA_EXPIRE=3650" `# 10 years` \
+ -e "KEY_EXPIRE=3650" `# still 10 years` \
+ -e "KEY_COUNTRY=US" `# where are you` \
+ -e "KEY_PROVINCE=Massachusetts" `# no, really, where are you` \
+ -e "KEY_CITY=Boston" `# no, exactly, where are you` \
+ -e "KEY_ORG=MasonFamily" `# and where do you work` \
+ -e "KEY_EMAIL=randall@mason.ch" `# and how can you be reached?` \
+ -e "KEY_OU=TheITGuy" `# IT, as disfunctional as that is` \
+ -e "KEY_NAME=DockVpN"
`# This is the name of this system` \
+ -e "SERVER_NAME=${SERVER_NAME:-$(uname -n)}" `# the hostname of the server, external` \
+ -e "CLIENTNAMES=randall android iphone" `# space seperated list of clients` \
+ `# there is one optional argument without a default if all hell breaks loose with DNS` \
+ `# -e "SERVER_IP=123.456.789.ABC"` `# great for situations without internet` \
+ "$TAG" "$@"

 echo "now get your config files from here:"
 #echo $(docker inspect OpenVPN-Config | python -c 'import json,fileinput; print json.loads("".join(fileinput.input()))[0]["Volumes"]["/etc/openvpn"]')
From b04768b35a74a0bd53463ae1c128ec581ea397fe Mon Sep 17 00:00:00 2001
From: Randall Mason
Date: Fri, 13 Jun 2014 22:10:32 +0300
Subject: [PATCH 21/21] add import script, run after creation of OpenVPN-Config container, fix up some commands to make them look all purdy.
---
 README.md | 2 +-
 importDir.sh | 1 +
 runDockVPN.sh | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 importDir.sh
diff --git a/README.md b/README.md
index fc10a8f..bbaa512 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ rsync -avH --rsync-path="sudo rsync" userWithSudo@dockerHost:
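Review bot: `UPNP_URL=$(upnpc -s | grep IGD | sed -e 's/.*http/http/g')` overwrites any `UPNP_URL` the operator already exported, although the commit message offers passing it as the manual alternative, and it prints an error whenever `upnpc` is not installed; `UPNP_URL=${UPNP_URL:-$(upnpc -s 2>/dev/null | grep IGD | sed -e 's/.*http/http/g')}` keeps both paths. Because the discovered gateway URL is then handed to a container that, per the commit message, maps an inbound port on the router, that side effect deserves a comment on the line, `# discovered IGD control URL; the container uses it to open SERVER_PORT on the router`. `--privileged` is carried over to the new container; where the Docker release in use supports it, `--cap-add NET_ADMIN --device /dev/net/tun` covers the tun device and iptables with far less exposure than full privilege. The comment above `docker run` states that every variable below matches the run script's default, but `SERVER_NETWORK=192.168.255.0` differs from the `192.168.255.128` default in `bin/run`, so either the value or the comment should change.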