various fixes

2020-06-09 02:00:55 -03:00 · 2020-06-09 02:00:55 -03:00 · a56c452f4f
commit a56c452f4f
parent d2b4c8c23f
3 changed files with 63 additions and 28 deletions
--- a/13
+++ b/13
@ -1,14 +1,17 @@
 FROM debian:buster-slim
 ARG REMCO_VER=0.11.1
 RUN apt-get update \
-  && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    openvpn \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+  && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+    openvpn unzip wget ca-certificates \
  && wget https://github.com/HeavyHorst/remco/releases/download/v${REMCO_VER}/remco_${REMCO_VER}_linux_amd64.zip \
  && unzip remco_${REMCO_VER}_linux_amd64.zip \
  && rm remco_${REMCO_VER}_linux_amd64.zip \
-  && mv remco_linux /bin/remco
+  && mv remco_linux /bin/remco \
+  && apt-get purge -y unzip wget ca-certificates \
+  && apt-get autoremove --purge -y \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
 COPY config /etc/remco/config
 COPY openvpn_setup.tmpl /etc/remco/templates/openvpn_setup.tmpl
 ENTRYPOINT ["remco"]
--- a/docker-compose.sample.yml
+++ b/docker-compose.sample.yml
@ -0,0 +1,25 @@
+---
+version: "3.5"
+services:
+  openvpn:
+    build: .
+    cap_add:
+      - NET_ADMIN
+    labels:
+      - traefik.enable=false
+    environment:
+      OPENVPN_MODE: client
+      OPENVPN_DEV: tun
+      OPENVPN_REMOTE: ${OPENVPN_REMOTE}
+      OPENVPN_NOBIND: "yes"
+      OPENVPN_COMP_LZO: "yes"
+      OPENVPN_NS_CERT_TYPE: server
+      OPENVPN_TLS_CLIENT: "yes"
+      # OPENVPN_TA: ${OPENVPN_TA}
+      # OPENVPN_TA_DIR: "1"
+      OPENVPN_CA: ${OPENVPN_CA}
+      OPENVPN_KEY: ${OPENVPN_KEY}
+      OPENVPN_CERT: ${OPENVPN_CERT}
+      OPENVPN_VERB: 3
+    volumes:
+      - /dev/net/tun:/dev/net/tun
--- a/openvpn_setup.tmpl
+++ b/openvpn_setup.tmpl
@ -6,48 +6,53 @@ mkdir -p /etc/openvpn
 cat - <<EOF > /etc/openvpn.conf

 # client
-{% if getv("/openvpn/mode") %}
+{% if exists("/openvpn/mode") %}
 {{ getv("/openvpn/mode") }}
 {% endif %}

 # dev tun
-{% if getv("/openvpn/dev") %}
+{% if exists("/openvpn/dev") %}
 dev {{ getv("/openvpn/dev") }}
 {% endif %}

 # remote <host>
-{% if getv("/openvpn/remote") %}
+{% if exists("/openvpn/remote") %}
 remote {{ getv("/openvpn/remote") }}
 {% endif %}

 # proto udp
-{% if getv("/openvpn/proto") %}
+{% if exists("/openvpn/proto") %}
 proto {{ getv("/openvpn/proto") }}
 {% endif %}

 # nobind
-{% if getv("/openvpn/nobind") %}
+{% if exists("/openvpn/nobind") %}
 nobind
 {% endif %}

 # ns-cert-type server
-{% if getv("/openvpn/ns/cert/type") %}
+{% if exists("/openvpn/ns/cert/type") %}
 ns-cert-type {{ getv("/openvpn/ns/cert/type") }}
 {% endif %}

 # up /etc/openvpn/update-resolv-conf
-{% if getv("/openvpn/up") %}
+{% if exists("/openvpn/up") %}
 up {{ getv("/openvpn/up") }}
 {% endif %}

 # down /etc/openvpn/update-resolv-conf
-{% if getv("/openvpn/down") %}
+{% if exists("/openvpn/down") %}
 down {{ getv("/openvpn/down") }}
 {% endif %}

-# tls-auth file 1 # This file is secret
-{% if getv("/openvpn/ta") %}
-tls-auth /etc/openvpn/ta {{ getv("/openvpn/ta/dir")|default(1) }}
+# tls-client
+{% if exists("/openvpn/tls/client") %}
+tls-client
+{% endif %}
+
+# tls-auth file 1
+{% if exists("/openvpn/ta") %}
+tls-auth /etc/openvpn/ta {{ getv("/openvpn/ta/dir")|default:"1" }}
 {% endif %}

 # ca <file>
@ -60,70 +65,71 @@ cert /etc/openvpn/cert
 key /etc/openvpn/key

 # port 1194
-{% if getv("/openvpn/port") %}
+{% if exists("/openvpn/port") %}
 port {{ getv("/openvpn/port") }}
 {% endif %}

-{% if getv("/openvpn/user") %}
+{% if exists("/openvpn/user") %}
 user {{ getv("/openvpn/user") }}
 {% else %}
 user nobody
 {% endif %}

-{% if getv("/openvpn/group") %}
+{% if exists("/openvpn/group") %}
 group {{ getv("/openvpn/group") }}
 {% else %}
 group nogroup
 {% endif %}

 # comp-lzo
-{% if getv("/openvpn/comp/lzo") %}
+{% if exists("/openvpn/comp/lzo") %}
 comp-lzo
 {% endif %}

 # ping 15
-{% if getv("/openvpn/ping") %}
+{% if exists("/openvpn/ping") %}
 ping {{ getv("/openvpn/ping") }}
 {% endif %}

 # ping-restart 45
-{% if getv("/openvpn/ping/restart") %}
+{% if exists("/openvpn/ping/restart") %}
 ping-restart {{ getv("/openvpn/ping/restart") }}
 {% endif %}

 # ping-timer-rem
-{% if getv("/openvpn/ping/timer/rem") %}
+{% if exists("/openvpn/ping/timer/rem") %}
 ping-timer-rem
 {% endif %}

 # persist-tun
-{% if getv("/openvpn/persist/tun") %}
+{% if exists("/openvpn/persist/tun") %}
 persist-tun
 {% endif %}

 # persist-remote-ip
-{% if getv("/openvpn/persist/remote/ip") %}
+{% if exists("/openvpn/persist/remote/ip") %}
 persist-remote-ip
 {% endif %}

 # persist-key
-{% if getv("/openvpn/persist/key") %}
+{% if exists("/openvpn/persist/key") %}
 persist-key
 {% endif %}

 # verb 4
-{% if getv("/openvpn/verb") %}
+{% if exists("/openvpn/verb") %}
 verb {{ getv("/openvpn/verb") }}
 {% endif %}

 EOF

-{% if getv("/openvpn/ta") %}
+{% if exists("/openvpn/ta") %}
 cat - <<EOKEY > /etc/openvpn/ta
 {% for keyline in (replace(getv("/openvpn/ta"),"\\n","!",-1)|split:"!") %}
 {{ keyline }}
 {% endfor %}
 EOKEY
+chmod 600 /etc/openvpn/ta
 {% endif %}

 cat - <<EOKEY > /etc/openvpn/ca
@ -143,3 +149,4 @@ cat - <<EOKEY > /etc/openvpn/key
 {{ keyline }}
 {% endfor %}
 EOKEY
+chmod 600 /etc/openvpn/key