First version

Author: SloCompTech

CONTRIBUTING.md

@@ -0,0 +1,92 @@
+# Contribute guide
+
+Feel free to contribute to this project.  
+
+## Table of contents
+
+Sections:
+
+- [Example configs & hooks](root/defaults/example/README.md) 
+- [Guides](docs/README.md)
+- [Helper Scripts](root/app/README.md)  
+- [Modules](root/defaults/module/README.md)
+
+## Syntax
+
+- Identation: tab (4 spaces width)
+- Javadoc style documentation
+
+## Directory structure of project
+
+```
+/app # Utils (part of image)
+    bin # Scripts for using this image
+/config # Configuration dir (all config is here, generated on container start)
+    openvpn # Openvpn configuration
+        ccd # Client config directory
+        client # Client configuration directory
+            <clientconffile>.conf # Base for building client config (all files merged)
+        server # Server configuration directory
+            <name>.conf # Server config files (all files merged)
+    pki
+        ca.crt # CA certificate
+        certs by serial # Certs by Serial ID
+            <serial-id-cert>.pem
+        crl.pem # CRL
+        dh.pem
+        index.txt # Database index file
+        issued
+            <name>.crt # Certificates
+        private # Directory with private keys
+            ca.key # CA secret
+            <name>.key # Certificate secrets
+        reqs # Directroy with signing requests
+        serial # The current serial number
+        ta.key # Secret for tls-auth, tls-crypt
+    ssl
+        safessl-easyrsa.cnf
+        vars
+    example # Example configs
+        config # Example client & server configs (see root/defaults/example/README.md)
+        hook # Example hook configs
+    module # Modules for openvpn
+    hooks # Put your custom scripts in one of subfolders
+        init # Init container
+        route-up # After routes are added
+        route-pre-down # Before routes are removed
+        up # After interface is up  
+        down # After interface is down
+        client-connect # Client connected
+        client-disconnect # Client disconnected
+        learn-address
+        tls-verify # Check certificate
+        auth # On authentication (needs to be enabled in config)
+    system.conf # System OpenVPN config file (do not edit, unless instructed)
+    include-server.conf # File that includes all server configuration files (automatically generated)
+    donotdelete # Leave this file alone, if deleted it triggers full setup
+/defaults # Default configuration, which is copied into config on full setup
+    example # Examples
+        config # Example configs
+        hook # Example hooks
+    module # Modules (for example password authentication ...)
+    system.conf # Original server config
+/etc # System config
+    cont-init.d # Scripts run before services are started
+    fix-attrs.d # Fix file permissions
+    logrotate.d # Log settings
+    services.d  # Scripts that start services
+```
+
+## Useful links
+
+**Project:**  
+
+- [Versioning](https://semver.org/)  
+- [Container labels](https://github.com/opencontainers/image-spec/blob/master/annotations.md)  
+- [Container badges](https://microbadger.com/about)  
+- [s6 overlay](https://github.com/just-containers/s6-overlay)  
+
+**OpenVPN:**  
+
+- [OpenVPN docs](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)  
+- [EasyRSA](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)   

Dockerfile

@@ -0,0 +1,55 @@
+
+# Base image
+FROM lsiobase/alpine.python3:latest
+
+# 
+# Image labels
+# @see https://github.com/opencontainers/image-spec/blob/master/annotations.md
+# @see https://semver.org/
+#
+LABEL   org.opencontainers.image.title = "OpenVPN Server" \
+        org.opencontainers.image.description = "Docker image with OpenVPN server" \
+        org.opencontainers.image.url = "" \
+        org.opencontainers.image.authors = "Martin Dagarin <>" \
+        org.opencontainers.image.version = "0.0.2"
+
+#
+# Environment variables
+# @see https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md
+#
+ENV PATH="/app/bin:$PATH" \
+    S6_BEHAVIOUR_IF_STAGE2_FAILS=0 \
+    EASYRSA=/usr/share/easy-rsa \
+    EASYRSA_PKI=/config/pki \
+    EASYRSA_VARS_FILE=/config/ssl/vars \
+    #EASYRSA_SSL_CONF=/config/ssl/openssl-easyrsa.cnf \
+    EASYRSA_SAFE_CONF=/config/ssl/safessl-easyrsa.cnf \
+    EASYRSA_TEMP_FILE=/config/temp \
+    OVPN_ROOT=/config \
+    OVPN_CONFIG=/config/openvpn \
+    OVPN_HOOKS=/config/hooks \
+    OVPN_RUN=system.conf
+
+# Install packages
+RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/main/" >> /etc/apk/repositories && \
+    apk add --no-cache \
+    # Core packages
+    bash sudo iptables git openvpn easy-rsa && \
+    # Link easy-rsa in bin directory
+    ln -s ${EASYRSA}/easyrsa /usr/local/bin && \
+    # Link python3 also as python
+    ln -s /usr/bin/python3 /usr/bin/python && \
+    # Remove any temporary files created by apk
+    rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* && \
+    # Add permission for network management to user abc
+    echo "abc ALL=(ALL) NOPASSWD: /sbin/ip" >> /etc/sudoers && \
+    # Create tunnel interface
+    mkdir -p /dev/net && \
+    mknod /dev/net/tun c 10 200
+
+# Add repo files to image
+COPY root/ /
+
+# Configure
+RUN chmod +x /app/bin/* && \
+    chmod -R 0644 /etc/logrotate.d

README.md

@@ -1 +1,84 @@
-docker-openvpn
+
+# [slocomptech/docker-openvpn]()
+
+
+## Usage
+
+### docker
+
+``` bash
+
+```
+
+### docker-compose
+
+```
+
+```
+
+## Parameters
+
+|**Parameter**|**Function**|
+|:-----------:|:----------:|
+
+## User / Group Identifiers
+
+When using volumes (`-v` flags) permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user `PUID` and group `PGID`.
+
+Ensure any volume directories on the host are owned by the same user you specify and any permissions issues will vanish like magic.
+
+In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as below:
+
+```
+  $ id username
+    uid=1000(dockeruser) gid=1000(dockergroup) groups=1000(dockergroup)
+```
+
+## Application setup
+
+``` bash
+# Setup config directory
+sudo docker run -v <Config on Host>:/config --rm -it slocomptech/docker-openvpn bash
+$ ovpn_init
+# Here will ask for password for CA (needed for signing new certificates) (add nopass if you dont want to set password)
+# Enable basic example as config & edit /config/openvpn/server/server_*.conf & /config/openvpn/client_*.conf
+$ ovpn_enconf basic1
+# Or put your own server config in /config/openvpn/server & client template (without certs) to /config/openvpn/client
+# To add client (generate certificates)
+$ ovpn_client add <name> [nopass]
+# To build .ovpn file
+$ ovpn_client ovpn <name> > <file>
+# Or from outside of docker (currently not working yet)
+sudo docker exec -it <container name> ovpn_client add <name> nopass && ovpn_client ovpn <name> > <file>
+# Exit from temporary container
+$ exit
+# Run container for real
+sudo docker run -v <Config on Host>:/config --cap-add NET_ADMIN -p 1104:1194/udp --restart=unless-stopped slocomptech/docker-openvpn
+# Setup routing
+
+```
+
+See more in [docs](docs).  
+
+## Contribute
+
+Feel free to contribute new features to this container, but first see [Contribute Guide](CONTRIBUTING.md).
+
+## TODO
+
+Planed features:
+
+- Hooks
+- Example configs
+- Setup instructions
+- Setup scripts
+- Setup & run via environment variables
+- Config overwrite protection
+
+Wanted features (please help implement):
+
+- LDAP authentication script
+- Google authenticator 
+
+## Versions
+

docs/README.md

@@ -0,0 +1,5 @@
+# App
+
+Here are located all helper scripts and dependencies written to help user with tasks. All scripts are located in `bin` directory, scripts with functions only, which are used in multiple other scripts are located in `lib` folder.  
+
+Every script **MUST** start with **ovpn_** prefix, so it can be easy identified that script belongs to this project. Please write guide how to use your script, so users will be able to use it without checking source code and give a lot of examples.

root/app/README.md

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+#
+# Backup sciript
+#
+
+ARCHIVE_CMD="tar --exclude=$OVPN_ROOT/backup -zcvf"
+
+# User permission fix
+if [ "$USER" != "abc" ]; then
+    RUNAS="sudo -E -u abc"
+else
+    RUNAS=""
+fi
+
+function usage() {
+    echo "Usage: ovpn_backup COMMAND"
+    echo ""
+    echo "Commands:"
+    echo "  all     # Backup whole config directory"
+    echo "  pki     # Backup PKI files"
+    echo "  hooks   # Backup hooks"
+    echo "  openvpn # Backup openvpn live config"
+}
+
+if [ $# -lt 1 ] || [ $1 = "help" ] || [ $1 = "-h" ] || [ $1 = "--help" ]; then
+    usage
+    exit 1
+fi
+
+
+
+if [ $1 = "all" ]; then
+    $RUNAS $ARCHIVE_CMD $OVPN_ROOT/backup/backup_all_$(date +%H%M%S%d%m%Y).tar.gz $OVPN_ROOT
+elif [ $1 = "pki" ]; then
+    $RUNAS $ARCHIVE_CMD $OVPN_ROOT/backup/backup_pki_$(date +%H%M%S%d%m%Y).tar.gz $EASYRSA_PKI $OVPN_ROOT/ssl
+elif [ $1 = "hooks" ]; then
+    $RUNAS $ARCHIVE_CMD $OVPN_ROOT/backup/backup_hooks_$(date +%H%M%S%d%m%Y).tar.gz $OVPN_HOOKS
+elif [ $1 = "openvpn" ]; then
+    $RUNAS $ARCHIVE_CMD $OVPN_ROOT/backup/backup_conf_$(date +%H%M%S%d%m%Y).tar.gz $OVPN_CONFIG
+else
+    usage
+    exit 1
+fi

root/app/bin/ovpn_backup

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+#
+# OpenVPN client configuration generator
+#
+
+source /app/lib/utils
+
+# User permission fix
+if [ "$USER" != "abc" ]; then
+    RUNAS="sudo -E -u abc"
+else
+    RUNAS=""
+fi
+
+function usage() {
+    echo "Usage: ovpn_client COMMAND [ARGS]"
+    echo ""
+    echo "Commands:"
+    echo "  add [NAME [nopass]]             # Creates certificates for client"
+    echo "  ovpn NAME                       # Builds .ovpn file"
+    echo "  revoke|ban|delete|remove NAME   # Removes client"
+}
+
+function build_ovpn() {
+    if [ $# -gt 0 ]; then
+        # Client standard config
+        for file in $OVPN_ROOT/openvpn/client/*.conf
+        do
+            [ -e "$file" ] || continue
+            cat $file
+        done
+
+        # CA
+        echo "<ca>"
+        cat $EASYRSA_PKI/ca.crt
+        echo "</ca>"
+        echo ""
+        
+        # Client certs
+        echo "<cert>"
+        cat $EASYRSA_PKI/issued/$1.crt
+        echo "</cert>"
+
+        # Client key
+        echo "<key>"
+        cat $EASYRSA_PKI/private/$1.key
+        echo "</key>"
+
+        # tls-crypt
+        echo "<tls-crypt>"
+        cat $EASYRSA_PKI/ta.key
+        echo "</tls-crypt>"
+    fi
+}
+
+# Check if command even set
+if [ $# -lt 1 ]; then
+    # Invalid command
+    usage
+    exit 1
+fi
+
+if [ "$1" = "add" ]; then
+    if [ $# -eq 1 ]; then
+        # Cert guide
+        read -p "Common name:" CN
+        echo -n "Password protect "
+        P=$(yn)
+        if [ $P -eq 0 ]; then
+            $RUNAS easyrsa gen-req $CN nopass
+        else
+            $RUNAS easyrsa gen-req $CN
+        fi
+        $RUNAS easyrsa sign-req client $CN
+    else
+        # Just build cert
+        $RUNAS easyrsa gen-req ${@:2}
+        $RUNAS easyrsa sign-req client ${@:2}
+    fi
+    
+elif [ "$1" = "ovpn" ]; then
+    if [ $# -eq 2 ]; then
+        build_ovpn $2
+    else
+        usage
+        exit 1
+    fi
+elif [ "$1" = "ban" ] || [ "$1" = "remove" ] || [ "$1" = "delete"] || [ "$1" = "revoke" ] ; then
+    if [ $# -eq 2 ]; then
+        $RUNAS easyrsa revoke $2
+        $RUNAS easyrsa gen-crl
+    else
+        usage
+        exit 1
+    fi
+else
+    usage
+    exit 1
+fi
+
+
+