From a56c452f4f1dd565cc5c69a2ccd45b9873db039a Mon Sep 17 00:00:00 2001
From: Mauro Torrez
Date: Tue, 9 Jun 2020 02:00:55 -0300
Subject: [PATCH] various fixes
---
 Dockerfile | 13 +++---
 docker-compose.sample.yml | 25 ++++++++++++
 openvpn_setup.yml => openvpn_setup.tmpl | 53 ++++++++++++++-----------
 3 files changed, 63 insertions(+), 28 deletions(-)
 create mode 100644 docker-compose.sample.yml
 rename openvpn_setup.yml => openvpn_setup.tmpl (66%)
diff --git a/Dockerfile b/Dockerfile
index ef1ff17..6c01a20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,17 @@
 FROM debian:buster-slim
 ARG REMCO_VER=0.11.1
 RUN apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y \
- openvpn \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ openvpn unzip wget ca-certificates \
 && wget https://github.com/HeavyHorst/remco/releases/download/v${REMCO_VER}/remco_${REMCO_VER}_linux_amd64.zip \
 && unzip remco_${REMCO_VER}_linux_amd64.zip \
 && rm remco_${REMCO_VER}_linux_amd64.zip \
- && mv remco_linux /bin/remco
+ && mv remco_linux /bin/remco \
+ && apt-get purge -y unzip wget ca-certificates \
+ && apt-get autoremove --purge -y \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
 COPY config /etc/remco/config
 COPY openvpn_setup.tmpl /etc/remco/templates/openvpn_setup.tmpl
 ENTRYPOINT ["remco"]
diff --git a/docker-compose.sample.yml b/docker-compose.sample.yml
new file mode 100644
index 0000000..ef98ce0
--- /dev/null
+++ b/docker-compose.sample.yml
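Review bot: The remco archive fetched with wget in the new RUN chain is never integrity-checked, so the image trusts whatever the release URL serves at build time even though REMCO_VER is pinned. Adding `&& echo "<SHA256_PLACEHOLDER>  remco_${REMCO_VER}_linux_amd64.zip" | sha256sum -c - \` directly after the wget line (placeholder replaced by the published digest for the pinned version) makes the build fail on a swapped or tampered archive instead of silently installing it. Installing ca-certificates before the download, as this hunk now does, is what lets wget actually verify the TLS certificate, so keep that ordering if the chain is rearranged. Purging ca-certificates afterwards is acceptable here because the template supplies OpenVPN's own CA file, but it does mean nothing else in the image can verify public TLS endpoints, which is worth a one-line comment above the purge.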
@@ -0,0 +1,25 @@
+---
+version: "3.5"
+services:
+ openvpn:
+ build: .
+ cap_add:
+ - NET_ADMIN
+ labels:
+ - traefik.enable=false
+ environment:
+ OPENVPN_MODE: client
+ OPENVPN_DEV: tun
+ OPENVPN_REMOTE: ${OPENVPN_REMOTE}
+ OPENVPN_NOBIND: "yes"
+ OPENVPN_COMP_LZO: "yes"
+ OPENVPN_NS_CERT_TYPE: server
+ OPENVPN_TLS_CLIENT: "yes"
+ # OPENVPN_TA: ${OPENVPN_TA}
+ # OPENVPN_TA_DIR: "1"
+ OPENVPN_CA: ${OPENVPN_CA}
+ OPENVPN_KEY: ${OPENVPN_KEY}
+ OPENVPN_CERT: ${OPENVPN_CERT}
+ OPENVPN_VERB: 3
+ volumes:
+ - /dev/net/tun:/dev/net/tun
diff --git a/openvpn_setup.yml b/openvpn_setup.tmpl
similarity index 66%
rename from openvpn_setup.yml
rename to openvpn_setup.tmpl
index 8fc13d1..65fb861 100644
--- a/openvpn_setup.yml
+++ b/openvpn_setup.tmpl
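Review bot: The sample passes private key material (OPENVPN_KEY, and OPENVPN_TA once uncommented) as plain environment variables, which are exposed through `docker inspect` and to every process in the container; a comment such as `# OPENVPN_KEY / OPENVPN_TA are secrets: prefer an env_file with restricted permissions or Compose secrets over inline values` would make that trade-off explicit to whoever copies this file. `OPENVPN_NS_CERT_TYPE: server` maps to OpenVPN's `ns-cert-type`, which is deprecated in favour of `remote-cert-tls server`; the template in this commit has no key for the replacement, so that is a follow-up, but the sample should not present the old option as the default without a note. `OPENVPN_COMP_LZO: "yes"` enables compression, which OpenVPN's own documentation discourages for TLS tunnels because of compression-oracle attacks, so a sample is better off leaving it unset or commented like the TA entries. NET_ADMIN plus the /dev/net/tun mount is the minimal privilege needed for tun mode and looks right.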
@@ -6,48 +6,53 @@ mkdir -p /etc/openvpn
 cat - < /etc/openvpn.conf
 # client
-{% if getv("/openvpn/mode") %}
+{% if exists("/openvpn/mode") %}
 {{ getv("/openvpn/mode") }}
 {% endif %}
 # dev tun
-{% if getv("/openvpn/dev") %}
+{% if exists("/openvpn/dev") %}
 dev {{ getv("/openvpn/dev") }}
 {% endif %}
 # remote
-{% if getv("/openvpn/remote") %}
+{% if exists("/openvpn/remote") %}
 remote {{ getv("/openvpn/remote") }}
 {% endif %}
 # proto udp
-{% if getv("/openvpn/proto") %}
+{% if exists("/openvpn/proto") %}
 proto {{ getv("/openvpn/proto") }}
 {% endif %}
 # nobind
-{% if getv("/openvpn/nobind") %}
+{% if exists("/openvpn/nobind") %}
 nobind
 {% endif %}
 # ns-cert-type server
-{% if getv("/openvpn/ns/cert/type") %}
+{% if exists("/openvpn/ns/cert/type") %}
 ns-cert-type {{ getv("/openvpn/ns/cert/type") }}
 {% endif %}
 # up /etc/openvpn/update-resolv-conf
-{% if getv("/openvpn/up") %}
+{% if exists("/openvpn/up") %}
 up {{ getv("/openvpn/up") }}
 {% endif %}
 # down /etc/openvpn/update-resolv-conf
-{% if getv("/openvpn/down") %}
+{% if exists("/openvpn/down") %}
 down {{ getv("/openvpn/down") }}
 {% endif %}
-# tls-auth file 1 # This file is secret
-{% if getv("/openvpn/ta") %}
-tls-auth /etc/openvpn/ta {{ getv("/openvpn/ta/dir")|default(1) }}
+# tls-client
+{% if exists("/openvpn/tls/client") %}
+tls-client
+{% endif %}
+
+# tls-auth file 1
+{% if exists("/openvpn/ta") %}
+tls-auth /etc/openvpn/ta {{ getv("/openvpn/ta/dir")|default:"1" }}
 {% endif %}
 # ca
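Review bot: Switching the guards from `getv()` to `exists()` means every flag-style option (`nobind` and `tls-client` here, `comp-lzo`, `ping-timer-rem` and the `persist-*` options in the next hunk) is emitted whenever its key is present, whatever its value, so a user who sets `OPENVPN_NOBIND: "no"` still gets `nobind`; a short comment near the top of the template, e.g. `# Flag options are enabled when the variable is set at all; unset it to disable`, would prevent that surprise, or the guards could compare the value explicitly. The new `tls-auth` line filters `getv("/openvpn/ta/dir")` through `default:"1"`, but if getv fails on a missing key rather than yielding an empty value the filter is never reached; remco's getv accepts a default argument, so `getv("/openvpn/ta/dir", "1")` looks like the safer form — worth checking against the remco version pinned in the Dockerfile. Dropping the `# This file is secret` note from the tls-auth comment loses a useful hint for operators; consider keeping it. The heredoc that starts at the top of this hunk continues past its end.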
@@ -60,70 +65,71 @@ cert /etc/openvpn/cert
 key /etc/openvpn/key
 # port 1194
-{% if getv("/openvpn/port") %}
+{% if exists("/openvpn/port") %}
 port {{ getv("/openvpn/port") }}
 {% endif %}
-{% if getv("/openvpn/user") %}
+{% if exists("/openvpn/user") %}
 user {{ getv("/openvpn/user") }}
 {% else %}
 user nobody
 {% endif %}
-{% if getv("/openvpn/group") %}
+{% if exists("/openvpn/group") %}
 group {{ getv("/openvpn/group") }}
 {% else %}
 group nogroup
 {% endif %}
 # comp-lzo
-{% if getv("/openvpn/comp/lzo") %}
+{% if exists("/openvpn/comp/lzo") %}
 comp-lzo
 {% endif %}
 # ping 15
-{% if getv("/openvpn/ping") %}
+{% if exists("/openvpn/ping") %}
 ping {{ getv("/openvpn/ping") }}
 {% endif %}
 # ping-restart 45
-{% if getv("/openvpn/ping/restart") %}
+{% if exists("/openvpn/ping/restart") %}
 ping-restart {{ getv("/openvpn/ping/restart") }}
 {% endif %}
 # ping-timer-rem
-{% if getv("/openvpn/ping/timer/rem") %}
+{% if exists("/openvpn/ping/timer/rem") %}
 ping-timer-rem
 {% endif %}
 # persist-tun
-{% if getv("/openvpn/persist/tun") %}
+{% if exists("/openvpn/persist/tun") %}
 persist-tun
 {% endif %}
 # persist-remote-ip
-{% if getv("/openvpn/persist/remote/ip") %}
+{% if exists("/openvpn/persist/remote/ip") %}
 persist-remote-ip
 {% endif %}
 # persist-key
-{% if getv("/openvpn/persist/key") %}
+{% if exists("/openvpn/persist/key") %}
 persist-key
 {% endif %}
 # verb 4
-{% if getv("/openvpn/verb") %}
+{% if exists("/openvpn/verb") %}
 verb {{ getv("/openvpn/verb") }}
 {% endif %}
 EOF
-{% if getv("/openvpn/ta") %}
+{% if exists("/openvpn/ta") %}
 cat - < /etc/openvpn/ta
 {% for keyline in (replace(getv("/openvpn/ta"),"\\n","!",-1)|split:"!") %}
 {{ keyline }}
 {% endfor %}
 EOKEY
+chmod 600 /etc/openvpn/ta
 {% endif %}
 cat - < /etc/openvpn/ca
@@ -143,3 +149,4 @@ cat - < /etc/openvpn/key
 {{ keyline }}
 {% endfor %}
 EOKEY
+chmod 600 /etc/openvpn/key
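Review bot: The new `chmod 600 /etc/openvpn/ta` (and `chmod 600 /etc/openvpn/key` in the `@@ -143,3` hunk) runs only after the heredoc has already created the file under the shell's default umask, so the key material exists with the default mode for a moment and stays that way if the script aborts in between; a single `umask 077` placed before the first `cat` in this script creates every generated file private from the start and covers ta, key and the rendered config together. With the default `user nobody` emitted in this hunk and the key now 0600 root-owned, OpenVPN cannot re-read the key on a `ping-restart`/SIGUSR1 restart unless `persist-key` is set; the sample compose file does not set OPENVPN_PERSIST_KEY, so either document that pairing in the template or emit `persist-key` whenever `user` is dropped. The script continues beyond both hunks (the ca, cert and key writes), so the umask line belongs above the first heredoc, outside this hunk.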