| 1 | +#!/bin/bash |
| 2 | +set -e |
| 3 | + |
| 4 | +[ -n "${DEBUG+x}" ] && set -x |
| 5 | + |
| 6 | +OVPN_DATA="basic-data" |
| 7 | +CLIENT1="travis-client1" |
| 8 | +CLIENT2="travis-client2" |
| 9 | +IMG="kylemanna/openvpn" |
| 10 | +NAME="ovpn-test" |
| 11 | +CLIENT_DIR="$(readlink -f "$(dirname "$BASH_SOURCE")/../../client")" |
| 12 | +SERV_IP="$(ip -4 -o addr show scope global | awk '{print $4}' | sed -e 's:/.*::' | head -n1)" |
| 13 | + |
| 14 | +# |
| 15 | +# Initialize openvpn configuration and pki. |
| 16 | +# |
| 17 | +docker volume create --name $OVPN_DATA |
| 18 | +docker run --rm -v $OVPN_DATA:/etc/openvpn $IMG ovpn_genconfig -u udp://$SERV_IP |
| 19 | +docker run --rm -v $OVPN_DATA:/etc/openvpn -it -e "EASYRSA_BATCH=1" -e "EASYRSA_REQ_CN=Travis-CI Test CA" $IMG ovpn_initpki nopass |
| 20 | + |
| 21 | +# |
| 22 | +# Fire up the server. |
| 23 | +# |
| 24 | +sudo iptables -N DOCKER || echo 'Firewall already configured' |
| 25 | +sudo iptables -I FORWARD 1 -j DOCKER |
| 26 | +docker run -d -v $OVPN_DATA:/etc/openvpn --cap-add=NET_ADMIN --privileged -p 1194:1194/udp --name $NAME $IMG |
| 27 | + |
| 28 | +# |
| 29 | +# Generate a first client certificate and configuration using $CLIENT1 as CN then revoke it. |
| 30 | +# |
| 31 | +docker exec -it $NAME easyrsa build-client-full $CLIENT1 nopass |
| 32 | +docker exec -it $NAME ovpn_getclient $CLIENT1 > $CLIENT_DIR/config.ovpn |
| 33 | +docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT1 remove" |
| 34 | + |
| 35 | +# |
| 36 | +# Test that openvpn client can't connect using $CLIENT1 config. |
| 37 | +# |
| 38 | +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then |
| 39 | + echo "Client was able to connect after revocation test #1." >&2 |
| 40 | + exit 2 |
| 41 | +fi |
| 42 | + |
| 43 | +# |
| 44 | +# Generate and revoke a second client certificate using $CLIENT2 as CN, then test for failed client connection. |
| 45 | +# |
| 46 | +docker exec -it $NAME easyrsa build-client-full $CLIENT2 nopass |
| 47 | +docker exec -it $NAME ovpn_getclient $CLIENT2 > $CLIENT_DIR/config.ovpn |
| 48 | +docker exec -it $NAME bash -c "echo 'yes' | ovpn_revokeclient $CLIENT2 remove" |
| 49 | + |
| 50 | +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then |
| 51 | + echo "Client was able to connect after revocation test #2." >&2 |
| 52 | + exit 2 |
| 53 | +fi |
| 54 | + |
| 55 | +# |
| 56 | +# Restart the server |
| 57 | +# |
| 58 | +docker stop $NAME && docker start $NAME |
| 59 | + |
| 60 | +# |
| 61 | +# Test for failed connection using $CLIENT2 config again. |
| 62 | +# |
| 63 | +if docker run --rm -v $CLIENT_DIR:/client --cap-add=NET_ADMIN --privileged --net=host $IMG /client/wait-for-connect.sh; then |
| 64 | + echo "Client was able to connect after revocation test #3." >&2 |
| 65 | + exit 2 |
| 66 | +fi |
| 67 | + |
| 68 | +# |
| 69 | +# Stop the server and clean up |
| 70 | +# |
| 71 | +docker kill $NAME && docker rm $NAME |
| 72 | +docker volume rm $OVPN_DATA |
| 73 | +sudo iptables -D FORWARD 1 |
| 74 | + |
| 75 | +# |
| 76 | +# Celebrate |
| 77 | +# |
| 78 | +cat <<EOF |
| 79 | + ___________ |
| 80 | +< it worked > |
| 81 | + ----------- |
| 82 | + \ ^__^ |
| 83 | + \ (oo)\_______ |
| 84 | + (__)\ )\/\\ |
| 85 | + ||----w | |
| 86 | + || || |
| 87 | +EOF |
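Review bot: The three revocation checks (file lines 38, 50, 63) only assert that `wait-for-connect.sh` fails, so a server that never came up, a wrong `$SERV_IP`, or a firewall problem makes the whole test pass vacuously; nothing ever proves an unrevoked client *can* connect. Add a positive control between the `ovpn_getclient $CLIENT1` line and the `ovpn_revokeclient $CLIENT1 remove` line: `docker run --rm -v "$CLIENT_DIR:/client" --cap-add=NET_ADMIN --net=host "$IMG" /client/wait-for-connect.sh || { echo "Positive control failed: unrevoked client could not connect." >&2; exit 1; }`. Related, `$SERV_IP` (line 12) is built from a pipeline that cannot fail under `set -e`, so an empty result silently yields `udp://` in genconfig — guard it with `[ -n "$SERV_IP" ] || { echo "no global IPv4 address found" >&2; exit 1; }`. Also, `--privileged` on the server and client runs (lines 26, 38, 50, 63) makes `--cap-add=NET_ADMIN` redundant and, combined with `--net=host`, gives the test container full host privileges; dropping `--privileged` would test the image under the same least-privilege flags the documented invocation uses. Finally, the cleanup block (lines 71–73) leaves `$CLIENT_DIR/config.ovpn`, which embeds an unencrypted (`nopass`) client private key, on the host — add `rm -f "$CLIENT_DIR/config.ovpn"` there.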