Conversation

@wolf31o2
Member

@wolf31o2 wolf31o2 commented Nov 25, 2025


Summary by cubic

Hardened the OpenVPN image for better security and privacy. Adds a kill switch, healthcheck, a slimmer base image, and automated vulnerability scans.

  • New Features

    • Basic kill switch: default DROP on FORWARD; allow VPN traffic only when NAT is enabled.
    • Healthcheck to ensure the OpenVPN process is running.
    • Weekly CI run with Trivy image scan; uploads SARIF to GitHub Security (adds security-events: write).
    • Docs with privacy-focused OpenVPN/Docker settings and maintenance tips.
  • Dependencies

    • Switch base to debian:bookworm-slim; install only openvpn and iptables.
    • Remove cron and rsyslog; clear logs to reduce footprint and exposure.

Written for commit fc6fa67. Summary will update automatically on new commits.

Summary by CodeRabbit

  • New Features

    • Automated weekly vulnerability scans with SARIF upload to security reporting
    • Runtime health check that verifies OpenVPN is running
  • Documentation

    • New Privacy & Security Recommendations with configuration and maintenance guidance
    • Documented VPN kill-switch guidance (no behavioral change)
  • Improvements

    • Smaller container footprint via updated base image and package cleanup


@wolf31o2 wolf31o2 requested review from a team as code owners November 25, 2025 20:58
@coderabbitai

coderabbitai bot commented Nov 25, 2025

📝 Walkthrough

Walkthrough

This PR updates CI, the container image, the entrypoint comment, and documentation. The GitHub Actions workflow adds a weekly (Mon 00:00 UTC) Trivy image scan of ghcr.io/blinklabs-io/openvpn:main, extracts the first tag from metadata, emits SARIF, uploads the SARIF to GitHub Security, and grants security-events: write. The Dockerfile switches from ubuntu:24.04 to debian:bookworm-slim, installs openvpn/iptables with --no-install-recommends, purges cron/rsyslog, removes /var/log, and adds a HEALTHCHECK that pgrep's openvpn. bin/entrypoint adds a comment documenting a VPN kill-switch; forwarding rules remain functionally the same. README gains a Privacy and Security Recommendations section and updates the description.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • .github/workflows/publish.yml: validate Trivy command, SARIF output/upload configuration, and the security-events: write permission scope.
  • Dockerfile: confirm package names/workflow on debian:bookworm-slim, correctness of --no-install-recommends usage, cleanup steps, and HEALTHCHECK robustness.
  • bin/entrypoint: verify the comment accurately reflects behavior and ensure no unintended functional changes to iptables/forwarding rules.
  • README.md: review accuracy and clarity of the added security/privacy recommendations.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: enhancing OpenVPN image security and privacy through hardening measures like kill switch, healthcheck, vulnerability scanning, and documentation.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 547609c and fc6fa67.

📒 Files selected for processing (4)
  • .github/workflows/publish.yml (4 hunks)
  • Dockerfile (1 hunks)
  • README.md (2 hunks)
  • bin/entrypoint (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • bin/entrypoint
  • README.md
  • Dockerfile
  • .github/workflows/publish.yml



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (3)
README.md (1)

16-52: Add language to fenced config block to satisfy markdownlint

The new recommendations section looks solid. To address MD040 and improve readability, add a language to the OpenVPN config block, e.g.:

-```
+```conf
 # Disable logging
 log /dev/null
 verb 0
Dockerfile (1)

1-14: Consider --no-install-recommends to reduce image footprint and attack surface

The Debian base + explicit OpenVPN/iptables install looks good. To minimize extra packages and potential vulnerabilities, consider:

- && apt-get install -y openvpn iptables \
+ && apt-get install -y --no-install-recommends openvpn iptables \
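Review bot: the `--no-install-recommends` change is safe for these two packages because the flag only skips Recommends, never Depends, so the hard dependencies of openvpn and iptables still install; before merging, confirm that nothing the entrypoint calls arrived only as a Recommends, for example by running `apt-cache depends openvpn iptables` in a bookworm-slim container or by exercising the entrypoint in the built image.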

You can keep the purge/clean steps as-is.

bin/entrypoint (1)

21-24: Kill-switch iptables rules are sensible; consider conntrack match for modern stacks

The default DROP on FORWARD plus explicit tun↔NAT rules give a reasonable container-level kill-switch when NAT is enabled.

As a small modernization and to better align with nftables-backed iptables, consider using conntrack instead of the legacy state match:

-iptables -A FORWARD -i ${NAT_DEVICE} -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i ${NAT_DEVICE} -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
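Review bot: `${NAT_DEVICE}` is unquoted and unguarded on both the old and the new line; if the variable is empty the expansion disappears, `-i` consumes `-o` as its argument and the command errors, so depending on the script's `set -e` setting the remaining rules may never be installed. Write it as `"${NAT_DEVICE:?NAT_DEVICE is required}"` so the entrypoint aborts with a clear message instead. The `-m conntrack --ctstate` swap itself is behaviour-preserving, as the comment says.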

This keeps behavior while matching current iptables conventions.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8160732 and ada1eda.

📒 Files selected for processing (4)
  • .github/workflows/publish.yml (3 hunks)
  • Dockerfile (1 hunks)
  • README.md (2 hunks)
  • bin/entrypoint (1 hunks)
🧰 Additional context used
🪛 GitHub Check: CodeQL
.github/workflows/publish.yml

[warning] 57-57: Unpinned tag for a non-immutable Action in workflow
Unpinned 3rd party Action 'publish' step Uses Step uses 'aquasecurity/trivy-action' with ref 'master', not a pinned commit hash

🪛 markdownlint-cli2 (0.18.1)
README.md

22-22: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (4)
README.md (1)

3-3: Tagline update is clear and accurate

The new description correctly reflects the image’s purpose and focus on privacy.

Dockerfile (1)

15-15: HEALTHCHECK is reasonable for monitoring OpenVPN

Using pgrep -f openvpn as a healthcheck is simple and aligns with the single-process model. This is fine given OpenVPN is exec’d from the entrypoint.

.github/workflows/publish.yml (2)

8-10: Scheduled weekly run is appropriate for recurring security scans

The Monday 00:00 UTC schedule is a good cadence to keep images and vulnerability data fresh without overloading CI.


20-20: security-events: write is needed for SARIF uploads

Granting security-events: write is correct and scoped narrowly to what the CodeQL upload step requires.
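The kill switch discussed in this review (default DROP on FORWARD, allowances only between `tun+` and the NAT device, masquerade configured first) and the healthcheck topic both come down to "is the VPN-only forwarding policy actually in place". The following script is an added example, not the project's `bin/entrypoint`: it assumes VPN clients arrive on `tun*` interfaces and that the egress interface name is passed as the first argument, and it adds a defender-side check, `verify_forward_policy`, that reads an `iptables -S FORWARD` listing and fails if the default policy is not DROP or if any ACCEPT rule does not involve the tunnel. Set `IPTABLES=echo` to print the rules instead of applying them, which lets the script run without root.

```shell
#!/bin/sh
# Added example, not the blinklabs-io/openvpn entrypoint: a container-level VPN
# kill switch of the kind described in the review. Assumptions: VPN clients
# arrive on tun* interfaces and the egress (NAT) interface name is passed as
# the first argument. Set IPTABLES=echo to print the rules instead of applying
# them, which lets the script run without root.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# Emit the rule set for one NAT device, in the order it must be applied:
# masquerade first, then the default-deny policy, then the narrow allowances
# (VPN -> NAT outbound, and only reply traffic back into the tunnel).
kill_switch_rules() {
    nat_dev="${1:?NAT_DEVICE must name the egress interface, e.g. eth0}"
    cat <<EOF
-t nat -A POSTROUTING -o $nat_dev -j MASQUERADE
-P FORWARD DROP
-A FORWARD -i tun+ -o $nat_dev -j ACCEPT
-A FORWARD -i $nat_dev -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Apply the rules through $IPTABLES, one command per line. The guard makes an
# empty interface name fail loudly instead of silently applying nothing.
apply_kill_switch() {
    : "${1:?NAT_DEVICE must name the egress interface, e.g. eth0}"
    kill_switch_rules "$1" | while IFS= read -r rule; do
        # Word-splitting of $rule into separate arguments is intended here.
        $IPTABLES $rule
    done
}

# Number of rules emitted; handy as a sanity check in tests.
kill_switch_rule_count() {
    kill_switch_rules "$1" | wc -l | tr -d ' '
}

# Defender's check: read an "iptables -S FORWARD" listing from stdin and return
# 0 only if the policy is DROP and every ACCEPT rule involves a tun interface.
# Any other default policy or a broad ACCEPT means traffic can bypass the VPN.
verify_forward_policy() {
    policy_ok=0
    rules_ok=1
    while IFS= read -r line; do
        case "$line" in
            "-P FORWARD DROP") policy_ok=1 ;;
            "-P FORWARD "*) policy_ok=0 ;;
            *" -j ACCEPT"*)
                case "$line" in
                    *"tun+"*) ;;          # expected VPN allowance
                    *) rules_ok=0 ;;      # ACCEPT that does not touch the tunnel
                esac ;;
        esac
    done
    [ "$policy_ok" -eq 1 ] && [ "$rules_ok" -eq 1 ]
}
```

`iptables -S FORWARD | verify_forward_policy` complements a process-liveness healthcheck: an OpenVPN process can be alive while a later rule change has opened a bypass, and this check catches that case.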


@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 4 files

@wolf31o2 wolf31o2 force-pushed the security-improvements branch from ada1eda to 547609c November 25, 2025 21:59
@wolf31o2 wolf31o2 changed the title from "security: enhance OpenVPN image security and privacy" to "fix: enhance OpenVPN image security and privacy" Nov 25, 2025

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
Dockerfile (1)

15-15: Refine healthcheck to avoid false positives.

The pgrep -f flag searches the full command line, which could match unintended processes that have "openvpn" in their arguments (e.g., a script named check-openvpn-config.sh).

Apply this diff to match only the openvpn process name:

-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD pgrep -f openvpn || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD pgrep openvpn || exit 1
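Review bot: `pgrep openvpn` still performs a regex substring match on the process name, so a process named like `openvpn-foo` would also satisfy the check; `pgrep -x openvpn` matches the name exactly. Keep the `|| exit 1`: Docker reserves healthcheck status 2, and pgrep returns 2 or 3 on errors, so the mapping to 1 is useful. Also confirm that `pgrep` exists in the image at all: the Debian base images do not ship `procps`, and the PR installs only openvpn and iptables, so as written the check may fail with status 127 (mapped to 1) and permanently mark the container unhealthy.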
.github/workflows/publish.yml (1)

56-67: Note: Scanning occurs after image push.

The vulnerability scan runs after the image has already been pushed to both Docker Hub and GHCR. While this provides visibility into vulnerabilities via the GitHub Security tab, it doesn't prevent vulnerable images from being published. Consider adding a pre-push scan step with severity gating if you want to block vulnerable images from being published.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ada1eda and 547609c.

📒 Files selected for processing (4)
  • .github/workflows/publish.yml (3 hunks)
  • Dockerfile (1 hunks)
  • README.md (2 hunks)
  • bin/entrypoint (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • README.md
🔇 Additional comments (4)
bin/entrypoint (1)

21-24: LGTM! Kill-switch implementation is correct.

The VPN kill-switch correctly implements a default-deny forwarding policy with explicit allow rules for VPN-related traffic only. The rule order ensures that NAT masquerading is configured first, then the DROP policy is enforced with specific exceptions for tun interfaces.

.github/workflows/publish.yml (2)

8-10: LGTM! Weekly scanning schedule improves security posture.

The weekly cron schedule ensures regular vulnerability scanning of the image, which is essential for detecting newly discovered vulnerabilities in dependencies.


20-20: LGTM! Required permission for SARIF upload.

The security-events: write permission is correctly added to enable SARIF results upload to the GitHub Security tab.

Dockerfile (1)

7-8: The OpenVPN version reference in the Dockerfile is accurate.

Verification confirms that Debian Bookworm repositories provide OpenVPN version 2.6.3-1+deb12u3, which matches the comment's reference to "latest 2.6.x." The documentation is correct, and no update is needed.
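The note above about the scan running only after the push (a pre-push scan step with severity gating would be needed to block vulnerable images) can be turned into a concrete gate. The script below is an added example and is not part of the blinklabs-io/openvpn workflow: it assumes the image has already been built and tagged locally and that `trivy` and `docker` are on PATH, scans with Trivy using `--exit-code 1` so that fixable CRITICAL/HIGH findings fail the step, and pushes only on a clean result. The SARIF output is still written so the existing upload step can consume it.

```shell
#!/bin/sh
# Added example, not part of the blinklabs-io/openvpn workflow: a pre-push
# gate that scans a locally built image with Trivy and pushes it only when no
# fixable CRITICAL/HIGH vulnerability is found. Assumes trivy and docker are
# on PATH and that the image has already been built and tagged locally. The
# SARIF file is still written, so the existing upload step can consume it.
set -eu

SEVERITY="${SEVERITY:-CRITICAL,HIGH}"
SARIF_OUT="${SARIF_OUT:-trivy-results.sarif}"

# Scan one image. Returns Trivy's status: 1 when findings at or above SEVERITY
# exist, 0 otherwise. --ignore-unfixed keeps the gate from blocking on issues
# the distribution has not yet patched.
scan_image() {
    trivy image \
        --scanners vuln \
        --severity "$SEVERITY" \
        --ignore-unfixed \
        --exit-code 1 \
        --format sarif \
        --output "$SARIF_OUT" \
        "$1"
}

# Push only after a clean scan. Returns 0 when pushed, 2 when blocked.
gate_and_push() {
    image="${1:?image reference required, e.g. registry/name:tag}"
    if scan_image "$image"; then
        docker push "$image"
    else
        echo "refusing to push $image: vulnerabilities at severity $SEVERITY" >&2
        return 2
    fi
}

# Usage: sh gate.sh registry/name:tag
if [ -n "${1:-}" ]; then
    gate_and_push "$1"
fi
```

In the workflow this would sit between the build step and the push step as a `run:` step; if it is expressed with `aquasecurity/trivy-action` instead, pin the action to a commit SHA rather than `master`, which is the CodeQL warning raised earlier in this thread.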

Signed-off-by: Chris Gianelloni <wolf31o2@blinklabs.io>
@wolf31o2 wolf31o2 force-pushed the security-improvements branch from 547609c to fc6fa67 November 25, 2025 22:08
@wolf31o2 wolf31o2 merged commit b9144cb into main Nov 26, 2025
6 checks passed
@wolf31o2 wolf31o2 deleted the security-improvements branch November 26, 2025 03:07
3 participants