The main goal is to automatically start an OpenVPN server and to generate certificates and clients through HTTP requests. The certificate-generation and server-setup steps follow this Digital Ocean tutorial: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-18-04
TLS authentication will be skipped for now, as my end goal does not need it.
Following the Digital Ocean tutorial, there are two services: one responsible only for generating the certificate files, cert-server, and another responsible for the OpenVPN server, ovpn-server.
Files storage:
- When a file is generated by the easyrsa script it remains in its original place in the pki folder (/usr/share/certs/pki);
- When a .req file goes from the ovpn-server to the cert-server it is saved in /usr/share/certs/pki/reqs;
- When ca.crt is transferred from the cert-server to the ovpn-server it goes to the openvpn folder (/etc/openvpn/);
- When any other .crt file is transferred from the cert-server to the ovpn-server it goes to /usr/share/certs/crt;
- When a .ovpn file is created on the ovpn-server it is saved in /usr/share/certs/ovpn.
Inside the api folder are all the scripts necessary for the service.
The project structure is based on Michael Herman's course Test-Driven Development with Python, Flask, and Docker. Here is his repo: https://github.com/testdrivenio/testdriven-app-2.5
First, make sure you have docker and docker-compose installed; that is all you need.
To start, first create a token. I usually do it in Python as follows:
>>> import binascii
>>> import os
>>> binascii.hexlify(os.urandom(24))
b'c0f6a2bef78cfabd0bafce4221d5d3444a3c5b4c39a5765b'
Export the token to SECRET_KEY:
export SECRET_KEY=c0f6a2bef78cfabd0bafce4221d5d3444a3c5b4c39a5765b
After that just run start.sh script:
./start.sh dev start # for the development environment
# or
./start.sh prod start # for the production environment
It will start the services, initialise the PKIs, create the server.crt, server.key, dh.pem and ca.crt files and put them in the openvpn folder.
After that you are able to run the tests and call the endpoints.
For the ovpn server to start you have to run:
docker-compose exec ovpn-server service openvpn start
To stop the services run:
docker-compose down
You can call the script ./generate_ovpn.sh to create the .ovpn file:
./generate_ovpn.sh your_file_name
This command will create a file called your_file_name.ovpn and download it to your current folder.
If you have already created the file and just want to download it, use ./download_ovpn.sh:
./download_ovpn.sh your_file_name
This will download a file named your_file_name.ovpn to your current folder.
IMPORTANT: remember to have SECRET_KEY declared in your environment and to change the URL in the script to match yours.
To generate the .ovpn files manually you can call the following endpoints in this order:
- /ovpn/create_req
- /ovpn/transfer_req
- /cert/transfer
Remember to add an Authorization header to all HTTP requests with the token you generated:
headers={'Authorization': 'Bearer YOUR_SECRET_TOKEN'}
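As an added example (not code from this project), here is a small Python module showing both sides of the token exchange described above: generating the SECRET_KEY token (secrets.token_hex(24) draws the same 24 random bytes as the binascii/os.urandom snippet), a server-side check of the Authorization: Bearer header that compares in constant time, and a client that walks the three endpoints in order and stops at the first non-2xx response. The base URL (OVPN_API_URL, default http://localhost:5000), the use of POST, the 2xx-on-success convention and the exact way the project validates the header are assumptions, not taken from the page.

```python
"""Added example, not part of the project: both sides of the bearer-token
exchange used with the ovpn-server / cert-server endpoints.

Assumptions (not stated on the page): the endpoints are called with POST,
return 2xx on success, the API base URL comes from OVPN_API_URL, and the
project validates the header in a way equivalent to authorized() below.
"""
import hmac
import os
import secrets
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# The three endpoints, in the order the README says they must be called.
OVPN_SEQUENCE = ["/ovpn/create_req", "/ovpn/transfer_req", "/cert/transfer"]


def generate_secret_key(nbytes: int = 24) -> str:
    """Same randomness as binascii.hexlify(os.urandom(24)), returned as str."""
    return secrets.token_hex(nbytes)


def authorized(headers: Dict[str, str], secret_key: str) -> bool:
    """Server-side check: 'Authorization: Bearer <token>' must match SECRET_KEY.

    hmac.compare_digest keeps the comparison constant-time, so a caller cannot
    learn how many leading characters of a guessed token were right.
    """
    # HTTP header names are case-insensitive; accept any casing.
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return False
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), secret_key.encode())


def build_request(base_url: str, path: str, token: str) -> urllib.request.Request:
    """Client side: one request carrying the Bearer header the README requires."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="POST")  # POST is assumed
    req.add_header("Authorization", f"Bearer {token}")
    return req


# A transport takes a Request and returns (status, body); swappable for tests.
Send = Callable[[urllib.request.Request], Tuple[int, bytes]]


def urllib_send(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real transport; urlopen raises on 4xx/5xx, so turn that into a status."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def run_sequence(base_url: str, token: str, send: Send = urllib_send) -> List[Tuple[str, int]]:
    """Call the endpoints in order and stop at the first non-2xx response.

    Stopping early matters: /cert/transfer is pointless if the .req never
    reached the cert-server, and the partial state is easier to diagnose.
    """
    results: List[Tuple[str, int]] = []
    for path in OVPN_SEQUENCE:
        status, _body = send(build_request(base_url, path, token))
        results.append((path, status))
        if not 200 <= status < 300:
            break
    return results


if __name__ == "__main__":
    key = os.environ.get("SECRET_KEY")
    if not key:
        sys.exit("SECRET_KEY is not set; export it first")
    base = os.environ.get("OVPN_API_URL", "http://localhost:5000")  # assumed default
    for path, status in run_sequence(base, key):
        print(f"{path}: HTTP {status}")
```

Run it with SECRET_KEY exported, as the README requires; a wrong token stops the sequence at /ovpn/create_req with whatever status the server returns, which is what the constant-time check on the server side is meant to produce without leaking anything about the real token.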
To retrieve the .ovpn file run:
docker-compose exec ovpn-server cat /usr/share/certs/ovpn/filename.ovpn > filename.ovpn
This will create a .ovpn file on your local machine that should be used to establish the connection. Alternatively, fetch it with curl, just like the download_ovpn.sh script does.
After the first time you have executed the start.sh script you can just use docker-compose to build the services again:
docker-compose -f docker-compose-prod.yml up -d --build
If you rebuild the ovpn-server using docker-compose, remember to set the configuration and restart the service:
docker-compose exec ovpn-server python manage.py conf_ovpn_server
docker-compose exec ovpn-server service openvpn start
The conf_ovpn_server command copies the server.crt, server.key, dh.pem and ca.crt files to the openvpn folder.
You can also use the start.sh script:
./start.sh dev rebuild # for the development environment
# or
./start.sh prod rebuild # for the production environment
This will rebuild all services and erase all certificates, so be sure you want to do that before running it. If you want to rebuild without losing any certificates, run the script with 'start' instead of 'rebuild'.
To run the tests just run the test.sh script:
./test.sh
Sometimes, when starting the services, you may run into permission issues on the cert_server/certs/pki and/or ovpn_server/certs/pki folders. To run docker-compose properly, change the owner of those folders and all the files inside them. Do not run docker-compose with sudo:
sudo chown -R $USER:$USER ./services/ovpn_server/certs/
sudo chown -R $USER:$USER ./services/cert_server/certs/
Create a PR for an existing issue; each commit is tested on Travis CI before merge.
Add unit tests and/or integration tests for each new method/endpoint created.
Along with the commit, add the test coverage summary for the service you modified. To get the test coverage just run:
docker-compose exec ovpn-server python manage.py cov # for the ovpn-server service
docker-compose exec cert-server python manage.py cov # for the cert-server service
To configure the ovpn server, change the server.conf file in the services/ovpn-server folder with the settings you need. Remember to update the base.conf file to match the alterations; that file is used to create the client .ovpn file that connects to your server.