Added site-to-site example

SloCompTech · SloCompTech · commit 1c924bda1817 · 2020-03-21T23:48:36.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Changed fs structure
 - Rewritten helper scripts
 - Reorganized examples
+- Added Site-to-site example
 
 ### 2.0.6 - Fixed bugs, added additonal parameters
 
diff --git a/Dockerfile b/Dockerfile
@@ -31,6 +31,7 @@ LABEL org.opencontainers.image.title="OpenVPN Server" \
 #
 ENV BACKUP_DIR=/config/backup \
     EASYRSA=/usr/share/easy-rsa \
+    EASYRSA_EXT_DIR=/config/x509-types \
     EASYRSA_PKI=/config/pki \
     EASYRSA_SSL_CONF=/config/openssl-easyrsa.cnf \
     EASYRSA_SAFE_CONF=/config/safessl-easyrsa.cnf \
@@ -41,6 +42,7 @@ ENV BACKUP_DIR=/config/backup \
 RUN apk add --no-cache \
       # Core packages
       bash \
+      gettext \
       easy-rsa \
       iptables \
       ip6tables \
@@ -74,7 +76,8 @@ RUN apk add --no-cache \
       >> /etc/sudoers.d/${CONTAINER_USER} && \
     # Default configuration
     cp $EASYRSA/vars.example /defaults/vars && \
-    cp $EASYRSA/openssl-easyrsa.cnf /defaults
+    cp $EASYRSA/openssl-easyrsa.cnf /defaults && \
+    cp -r $EASYRSA/x509-types /defaults
 
 # Add repo files to image
 COPY root/ /
diff --git a/root/usr/local/share/docker-openvpn/examples/basic_s2s/README.md b/root/usr/local/share/docker-openvpn/examples/basic_s2s/README.md
@@ -0,0 +1,30 @@
+# basic_s2s
+
+Features:  
+
+- Site-to-site VPN
+
+## Configuration
+
+``` bash
+# PKI init
+ovpn pki init [nopass]
+
+# Load example
+ovpn example basic_s2s
+
+# Certifcates
+# NOTE: To also use server certificates for p2p connection between servers
+#       add clientAuth to extendedKeyUsage before generating certificate
+ovpn subject add first server [nopass]
+# Change filenames in config file
+
+ovpn subject add second server [nopass]
+ovpn subject gen-pkg second # creates .tar.gz in client-confs
+# Copy .tar.gz to second machine
+ovpn load NAME.pkg.tar.gz # Second machine
+```
+
+## External docs
+
+- [Tutorial 1](https://zeldor.biz/2010/12/openvpn-site-to-site-setup/)
diff --git a/root/usr/local/share/docker-openvpn/examples/basic_s2s/config/openvpn/openvpn-template.conf b/root/usr/local/share/docker-openvpn/examples/basic_s2s/config/openvpn/openvpn-template.conf
@@ -0,0 +1,38 @@
+#
+# Basic OpenVPN site-to-site configuration
+# @author Martin Dagarin
+# @version 1
+# @since 21/03/2020
+#
+
+mode p2p
+dev tun0
+config include.conf
+config unprivileged.conf
+
+# Basic info
+remote $REMOTE_A
+proto $PROTO
+port $PORT
+
+# Network info 
+ifconfig $IP_B $IP_A
+
+# Set routes in routing table
+# route 192.168.2.0 255.255.255.0
+
+# CA files
+tls-client
+remote-cert-tls server
+
+# Connection settings
+persist-local-ip
+persist-remote-ip
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Additional settings
+keepalive 15 120
+explicit-exit-notify 10
diff --git a/root/usr/local/share/docker-openvpn/examples/basic_s2s/config/openvpn/openvpn.conf b/root/usr/local/share/docker-openvpn/examples/basic_s2s/config/openvpn/openvpn.conf
@@ -0,0 +1,43 @@
+#
+# Basic OpenVPN site-to-site configuration
+# @author Martin Dagarin
+# @version 1
+# @since 21/03/2020
+#
+
+mode p2p
+dev tun0
+config include.conf
+config unprivileged.conf
+
+# Basic info
+remote $REMOTE_B
+proto $PROTO
+port $PORT
+
+# Network info 
+ifconfig $IP_A $IP_B
+
+# Set routes in routing table
+# route 192.168.2.0 255.255.255.0
+
+# CA files
+ca ca.crt
+cert server.crt
+key server.key
+dh dh.pem
+tls-crypt ta.key
+tls-server # Note: Only for TLS negotiation, requires dh.pem
+remote-cert-tls client # NOTE: Change this to server if you use server certificates on both sides
+
+# Connection settings
+persist-local-ip
+persist-remote-ip
+persist-tun
+
+# Encryption settings
+cipher AES-256-GCM
+
+# Additional settings
+keepalive 15 120
+explicit-exit-notify 10
diff --git a/root/usr/local/share/docker-openvpn/examples/basic_s2s/wizard b/root/usr/local/share/docker-openvpn/examples/basic_s2s/wizard
@@ -0,0 +1,47 @@
+#!/usr/bin/with-contenv bash
+#
+# Config wizard for basic_s2s example
+# @author Martin Dagarin
+# @version 1
+# @since 20/03/2020
+#
+
+if [ -z "$1" ]; then
+  echo 'Directory path missing'
+  exit 1
+fi
+
+read -p 'Protocol udp, tcp, udp6, tcp6 [udp]: ' protocol
+protocol=${protocol:=udp}
+
+read -p 'Port [1194]: ' port
+port=${port:=1194}
+
+read -p 'Site A public IP: ' remote_a
+if [ -z "$remote_a" ]; then echo 'Invalid IP'; exit 2; fi
+
+read -p 'Site A tunnel IP: ' ip_a
+if [ -z "$ip_a" ]; then echo 'Invalid IP'; exit 2; fi
+
+read -p 'Site B public IP: ' remote_b
+if [ -z "$remote_b" ]; then echo 'Invalid IP'; exit 2; fi
+
+read -p 'Site B tunnel IP: ' ip_b
+if [ -z "$ip_b" ]; then echo 'Invalid IP'; exit 2; fi
+
+confs=(
+  "$1/config/openvpn/openvpn.conf"
+  "$1/config/openvpn/openvpn-template.conf"
+)
+
+for file in "${confs[@]}"
+do
+  mv $file $file.old
+  PROTO="$protocol" \
+  PORT="$port" \
+  REMOTE_A="$remote_a" \
+  IP_A="$ip_a" \
+  REMOTE_B="$remote_b" \
+  IP_B="$ip_b" \
+  envsubst < $file.old > $file
+done
