Added docs

Author: SloCompTech

README.md

@@ -1,22 +1,34 @@
 
-# [slocomptech/docker-openvpn]()
+# [slocomptech/docker-openvpn](https://github.com/SloCompTech/docker-openvpn)
 
 
 Features:  
 
-- OpenVPN is running as non-root user, soo it has limited permission.
-- OpenVPN is running in isolated environment (container) so you don't break it with updates, upgrades of your PC.
-- Easy managed (has helper scripts).
+- OpenVPN running as non-root user (limited permission)
+- Containerized (Isolated environment)
+- Easy managed (Helper scripts).
 - Easy start (Simple first-start guide).
 - Easly modified to your needs (see [docs](CONTRIBUTING.md)).
 - Easy scripting (python3 installed).
 
 ## Usage
 
+Here are some example snippets to help you get started creating a container.  
+
 ### docker
 
 ``` bash
-
+# Normal start command (but you need to setup config first)
+docker run \
+  --name=ovpn \
+  --cap-add NET_ADMIN \
+  -e PUID=1000 \
+  -e GUID=1000 \
+  -p 1194:1194/udp \
+  -v </path/o/config>:/config \
+  --restart=unless-stopped \
+  --network host \
+  slocomptech/openvpn:latest
 ```
 
 ### docker-compose
@@ -29,6 +41,9 @@ Features:
 
 |**Parameter**|**Function**|
 |:-----------:|:----------:|
+|`-e PUID=1000`|for UserID - see below for explanation|
+|`-e PGID=1000`|for GroupID - see below for explanation|
+|`-v /config`|All the config files including OpenVPNs reside here|
 
 ## User / Group Identifiers
 
@@ -45,29 +60,56 @@ In this instance `PUID=1000` and `PGID=1000`, to find yours use `id user` as bel
 
 ## Application setup
 
-``` bash
-# Setup config directory
-sudo docker run -v <Config on Host>:/config --rm -it slocomptech/docker-openvpn bash
-$ ovpn_init
-# Here will ask for password for CA (needed for signing new certificates) (add nopass if you dont want to set password)
-# Enable basic example as config & edit /config/openvpn/server/server_*.conf & /config/openvpn/client_*.conf
-$ ovpn_enconf basic1
-# Or put your own server config in /config/openvpn/server & client template (without certs) to /config/openvpn/client
-# To add client (generate certificates)
-$ ovpn_client add <name> [nopass]
-# To build .ovpn file
-$ ovpn_client ovpn <name> > <file>
-# Or from outside of docker (currently not working yet)
-sudo docker exec -it <container name> ovpn_client add <name> nopass && ovpn_client ovpn <name> > <file>
-# Exit from temporary container
-$ exit
-# Run container for real
-sudo docker run -v <Config on Host>:/config --cap-add NET_ADMIN -p 1104:1194/udp --restart=unless-stopped slocomptech/docker-openvpn
-# Setup routing
+### Initial setup
 
-```
+If you are new to containers please see rather [Detailed first setup guide](docs/SetupGuide.md), because it includes more detailed description.
+
+1. Init configuration directory with initial config files:
+
+  ``` bash
+  docker run -it --rm --cap-add NET_ADMIN -v </path/to/config>:/config slocomptech/openvpn:latest bash
+  ```
+
+2. At this point you will have bash shell which runs in container. Now run following commands to setup your PKI:
+
+  ``` bash
+  ovpn_init [nopass] # Inits PKI
+  ```
+
+3. Setup OpenVPN config based on example `basic_nat` with configuration wizard:  
+
+  ``` bash
+  ovpn_enconf basic_nat
+  #Protocol udp, tcp, udp6, tcp6 [udp]:
+  #VPN network [10.0.0.0]:
+  #Port [1194]:
+  #Public IP or domain of server: <YOUR PUBLIC IP>
+  #DNS1 [8.8.8.8]:
+  #DNS2 [8.8.4.4]:
+  ```
+4. Enable **port forwarding** on your router so OpenVPN server will be accessible from the internet.
+5. Add clients
+
+  ``` bash
+  # Generates client certificates
+  ovpn_client add <name> [nopass]
+
+  # Generates client config file and prints it to screen (redirect to file)
+  ovpn_client ovpn <name> > <config file>.ovpn
+
+  # OR BETTER SOLLUTION: Run outside container
+  docker exec -it <container name> ovpn_client ovpn <name> > <config file>.ovpn
+  ```
+
+5. Exit container with `exit`, then it will destroy itself.
+6. Start container using command specified in *Usage* section.
+
+For more infromation see:
 
-See more in [docs](docs).  
+- [Detailed first setup guide](docs/SetupGuide.md)  
+- [docs](docs) (for detailed command usage)  
+- **configuration example directory** (for more info about example)  
+- [Contributing](CONTRIBUTING.md) (for explanation how container works, how to write an example config ...)  
 
 ## Contribute
 
@@ -92,3 +134,4 @@ Wanted features (please help implement):
 
 ## Versions
 
+See [CHANGELOG](CHANGELOG.md)  

docs/README.md

@@ -0,0 +1,88 @@
+# Documentation
+
+## Table of content
+
+1. Commands
+
+- [Simple setup guide](SetupGuide.md)  
+
+## Commands
+
+This section explains commands available for use.
+
+### Command List
+
+|**Command**|**Description**|
+|:---------:|:-------------:|
+|`ovpn_backup`|Backups your configration|
+|`ovpn_client`|Manages clients|
+|`ovpn_disconf`|Deletes active OpenVPN config|
+|`ovpn_enconf`|Enables OpenVPN config from examples|
+|`ovpn_init`|Inits PKI|
+
+#### ovpn_backup
+
+This command backups your configration into *.tar.gz* archive and puts it into `/config/backup` directory.
+
+```
+Usage: ovpn_backup COMMAND
+
+Commands:
+  all     # Backup whole config directory"
+  pki     # Backup PKI files"
+  hooks   # Backup hooks"
+  openvpn # Backup openvpn live config"
+```
+
+**Note:** Store your backups in a **SECURE** way, because they are unecrypted.  
+
+#### ovpn_client
+
+This commands manages clients of your OpenVPN server.
+
+```
+Usage: ovpn_client COMMAND [ARGS]
+
+Commands:
+  add [NAME [nopass]]             # Creates certificates for client
+  ovpn NAME                       # Builds .ovpn file
+  revoke|ban|delete|remove NAME   # Removes client
+```
+
+**Note:** First you need to use `add` to create client certificates, before you can use `ovpn` command.
+
+#### ovpn_disconf
+
+This command deletes your active configuration. **Container restart** is needed for changes to take affect.
+
+```
+Usage: ovpn_disconf
+```
+
+**NOTE:** This command does not delete PKI.
+
+#### ovpn_enconf
+
+This command enables OpenVPN config based on config example. If config name isn't specified it prints out config list.
+
+```
+Usage: ovpn_enconf CONFIG_NAME [wizard args...]
+
+Configs:
+    <example config name>
+```
+
+**Note:** Please read example documentation to understand how to use it.  
+**Tip:** If you modifed config in a way that others might need same configuration, consider making new example.  
+
+#### ovpn_init
+
+This command inits your PKI in `/config/pki` folder. You need to run this command only once.  
+
+```
+Usage: ovpn_init [nopass]
+```
+
+**Note:** Best practise is to use password for your PKI. Password is only needed for signing new certificates (when adding new clients). If you don't want your PKI certificate protected with password, add `nopass` parameter.  
+**Note:** In this process you need to enter PKI password serveral times, because a lot of things are generated.  
+

docs/SetupGuide.md

@@ -0,0 +1,143 @@
+# Setup guide
+
+This is simple setup guide to help you get started. It uses the simplest configuration which works nearly out of the box.
+
+## Steps
+
+1. Init configuration directory with initial config files:
+
+  ``` bash
+  # Starts temporary container, soo you will be able to generate intial config files and opens bash shell in container
+  docker run -it --rm --cap-add NET_ADMIN -v </path/to/config>:/config slocomptech/openvpn:latest bash
+  ```
+
+2. At this point you will have bash shell which runs in container. Now run following commands to **setup your PKI**:  
+
+  ``` bash
+  ovpn_init [nopass] # Inits PKI
+  #CA settings are located in /config/ssl/vars
+  #Did you modified the file or are you planing to enter values interactively ?
+  #[y/N]: y
+  #
+  #init-pki complete; you may now create a CA or requests.
+  #Generating DH parameters, 2048 bit long safe prime, generator 2
+  #This is going to take a long time
+  #.................................
+  #DH parameters of size 2048 created at /config/pki/dh.pem
+  #
+  #Now it will build CA files for issuing new certifiactes
+  #Please protect ca.key with secure password (used for signing new certs)
+  #ca.key is needed only for signing new certificates, not for OpenVPN to work
+
+  #Using SSL: openssl OpenSSL 1.1.1a  20 Nov 2018
+  #Enter New CA Key Passphrase: <ENTER SECRET PKI PASSWORD>
+  #Re-Enter New CA Key Passphrase: <ENTER SECRET PKI PASSWORD>
+  #Generating RSA private key, 2048 bit long modulus (2 primes)
+  #...............................+++++
+  #You are about to be asked to enter information that will be incorporated
+  #into your certificate request.
+  #What you are about to enter is what is called a Distinguished Name or a DN.
+  #There are quite a few fields but you can leave some blank
+  #For some fields there will be a default value,
+  #If you enter '.', the field will be left blank.
+  #-----
+  #Common Name (eg: your user, host, or server name) [Easy-RSA CA]: <COMMON NAME OF YOUR CA>
+  #
+  #CA creation complete and you may now import and sign cert requests.
+  #
+  #Generating a RSA private key
+  #..............+++++
+  #writing new private key to '/config/pki/private/server.key.osYA8Mim31'
+  #-----
+  #Enter pass phrase for /config/pki/private/ca.key: <ENTER SECRET PKI PASSWORD>
+  #Check that the request matches the signature
+  #Signature ok
+  #The Subject's Distinguished Name is as follows
+  #commonName            :ASN.1 12:'server'
+  #Certificate is to be certified until Mar  4 21:36:34 2022 GMT (1080 days)
+  #
+  #Write out database with 1 new entries
+  #Data Base Updated
+  #
+  #You are about to sign the following certificate.
+  #Please check over the details shown below for accuracy. Note that this request
+  #has not been cryptographically verified. Please be sure it came from a trusted
+  #source or that you have verified the request checksum with the sender.
+  #
+  #Request subject, to be signed as a server certificate for 1080 days:
+  #
+  #subject=
+  #    commonName                = server
+  #
+  #Type the word 'yes' to continue, or any other input to abort.
+  #  Confirm request details: <YES>
+  #Enter pass phrase for /config/pki/private/ca.key: <ENTER SECRET PKI PASSWORD>
+  #Check that the request matches the signature
+  #Signature ok
+  #The Subject's Distinguished Name is as follows
+  #commonName            :ASN.1 12:'server'
+  #The matching entry has the following details
+  #Type          :Valid
+  #Expires on    :220304213634Z
+  #Serial Number :DA40AFDB4E9D5C1D596BA698A2EBC1BE
+  #File name     :unknown
+  #Subject Name  :/CN=server
+  #
+  #Enter pass phrase for /config/pki/private/ca.key: <ENTER SECRET PKI PASSWORD>
+  #
+  #An updated CRL has been created.
+  #CRL file: /config/pki/crl.pem
+  ```
+
+  **Note:** You can generate PKI without password, just use `nopass` option.  
+
+3. Setup OpenVPN config based on example `basic_nat` with configuration wizard:
+
+  ``` bash
+  ovpn_enconf basic_nat
+  #Protocol udp, tcp, udp6, tcp6 [udp]:
+  #VPN network [10.0.0.0]:
+  #Port [1194]:
+  #Public IP or domain of server: <PUBLIC IP>
+  #DNS1 [8.8.8.8]:
+  #DNS2 [8.8.4.4]:
+  ```
+
+  **Note:** If you are using this container for production use your Public IP (if you don't know it, check with `whatsmyip` website and make sure it is **static**, for testing purposes at home, you can use local IP).
+
+4. Enable **port forwarding** on your router so OpenVPN server will be accessible from the internet.
+5. Add clients to your server
+
+  ``` bash
+  # Generates client certificates
+  ovpn_client add <name> [nopass]
+
+  # Generates client config file and prints it to screen (redirect to file)
+  ovpn_client ovpn <name> > <config file>.ovpn
+
+  # OR BETTER SOLLUTION: Run outside container
+  docker exec -it <container name> ovpn_client ovpn <name> > <config file>.ovpn
+  ```
+
+**Note:** Client config files MUST be transported to your devices via **SECURE** methon such as USB (email is considered **INSECURE**).
+
+5. Exit container with `exit`, then it will destroy itself.
+6. Now you can create config file outside container, mentioned above.
+7. If you need to access bash shell again (to add another client after server was started) just use `docker exec -it <container name> bash`.
+8. Start container using normal command:
+
+    ``` bash
+    docker run \
+    --name=ovpn \
+    --cap-add NET_ADMIN \
+    -e PUID=1000 \
+    -e GUID=1000 \
+    -p 1194:1194/udp \
+    -v </path/o/config>:/config \
+    --restart=unless-stopped \
+    --network host \
+    slocomptech/openvpn:latest
+    ```
+
+**Note:** PUID, GUID parameters are optional.  
+**Note:** Container in this example will connect to host network, so there is less network overhead (recommended), this also works if container is in default docker network.