Templating of Server Config & Monitoring #168
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,4 +3,5 @@ done.txt | |
/client/ | ||
.git | ||
.gitignore | ||
/docs/ | ||
/docs/ | ||
vpndata |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -8,4 +8,5 @@ tests-report/ | |
test-reports/ | ||
target | ||
.vscode/ | ||
ipv6-leack-test.sh | ||
ipv6-leack-test.sh | ||
vpndata |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{ | ||
"name": "server", | ||
"port": "1194", | ||
"protocol": "udp", | ||
"ip_base": "10.8.0.0", | ||
"ip_base_mask": "255.255.255.0", | ||
"dns1": "208.67.222.222", | ||
"dns2": "208.67.222.220", | ||
"client2client": "true" | ||
} |
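Review bot: `"client2client": "true"` is a JSON string, so the template's `{% if cookiecutter.client2client == true %}` compares a string with a boolean and is never true; `client-to-client` will never be emitted. Either make the value a JSON boolean (`"client2client": true`) or compare against the string in the template (`== "true"`). The same applies to `"port": "1194"`: harmless for rendering, but pick one type and keep it consistent.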
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
port {{cookiecutter.port}} | ||
proto {{cookiecutter.protocol}} | ||
dev tun | ||
ca /etc/openvpn/ca.crt | ||
cert /etc/openvpn/MyReq.crt | ||
key /etc/openvpn/MyReq.key | ||
dh /etc/openvpn/dh.pem | ||
client-config-dir /etc/openvpn/ccd | ||
{% if cookiecutter.client2client == true %} | ||
client-to-client | ||
{% endif %} | ||
ifconfig-pool-persist ipp.txt | ||
duplicate-cn | ||
keepalive 10 120 | ||
cipher AES-256-GCM | ||
ncp-ciphers AES-256-GCM:AES-256-CBC | ||
auth SHA512 | ||
persist-key | ||
persist-tun | ||
status openvpn-status.log | ||
verb 1 | ||
management 0.0.0.0 5555 | ||
tls-server | ||
tls-version-min 1.2 | ||
tls-auth /etc/openvpn/ta.key 0 | ||
crl-verify /etc/openvpn/crl.pem | ||
management 0.0.0.0 5555 | ||
server {{cookiecutter.ip_base}} {{cookiecutter.ip_base_mask}} | ||
push "redirect-gateway def1 bypass-dhcp" | ||
push "route {{cookiecutter.ip_base}} {{cookiecutter.ip_base_mask}}" | ||
push "dhcp-option DNS {{cookiecutter.dns1}}" | ||
push "dhcp-option DNS {{cookiecutter.dns2}}" |
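Review bot: `management 0.0.0.0 5555` appears twice in this template (once after `verb 1`, again after `crl-verify`); drop the duplicate. More importantly, binding the management interface on all interfaces with no password file means anyone who can reach port 5555 can read status and kill sessions. Bind it to loopback (`management 127.0.0.1 5555`) or add the password-file argument, and make sure 5555 is not published from the container. Also note that `push "route {{cookiecutter.ip_base}} {{cookiecutter.ip_base_mask}}"` repeats the subnet that the `server` directive already routes.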
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -8,8 +8,11 @@ function datef() { | |
|
||
function createConfig() { | ||
cd "$APP_PERSIST_DIR" | ||
CLIENT_ID="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | ||
ARG1=$1 | ||
DEFAULT_ID="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | ||
CLIENT_ID="${ARG1:=$DEFAULT_ID}" | ||
I more or less did what was mentioned here. I also modified how
||
CLIENT_PATH="$APP_PERSIST_DIR/clients/$CLIENT_ID" | ||
[ -d $CLIENT_PATH ] && CLIENT_PATH=${CLIENT_PATH}_1 | ||
I think if the given path already exists it's better to return an error code. Otherwise, we will end up in a situation where we have two certificates with the same subject name (CLIENT_ID is present in the generated certificate in the subject field), which in turn may lead to other problems. For instance, when we remove a client with
||
|
||
# Redirect stderr to the black hole | ||
easyrsa build-client-full "$CLIENT_ID" nopass &> /dev/null | ||
|
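Review bot: `CLIENT_ID` is now caller-supplied via `ARG1=$1` but is not validated before it is used both to build `CLIENT_PATH` and as the certificate CN in `easyrsa build-client-full "$CLIENT_ID"`; the random default is restricted to `[a-zA-Z0-9]`, the argument is not, so a value containing `/` or `..` lands outside the clients directory. Reject anything not matching `^[A-Za-z0-9_-]+$` before use and quote the test (`[ -d "$CLIENT_PATH" ]`). Prefer `${ARG1:-$DEFAULT_ID}` over `:=`, which assigns `ARG1` as a side effect, and generate `DEFAULT_ID` only when no argument is given. The `_1` suffix only changes the directory; the CN still collides, which is the point raised in the inline comment above.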
@@ -30,7 +33,7 @@ function createConfig() { | |
cd "$APP_INSTALL_PATH" | ||
cp config/client.ovpn $CLIENT_PATH | ||
|
||
echo -e "\nremote $HOST_ADDR 1194" >> "$CLIENT_PATH/client.ovpn" | ||
echo -e "\nremote $HOST_ADDR ${PORT:=1194}" >> "$CLIENT_PATH/client.ovpn" | ||
|
||
# Embed client authentication files into config file | ||
cat <(echo -e '<ca>') \ | ||
|
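Review bot: the `remote` line now takes its port from `${PORT:=1194}` while the server template takes it from `cookiecutter.port`; these are two independent sources of truth and will silently disagree if only one is changed. Render both from the same value, or at least document that `PORT` must match the templated port. `${PORT:-1194}` is the usual form when the default should not be written back into the environment.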
@@ -87,4 +90,4 @@ EOF | |
cp /opt/Dockovpn_data/pki/crl.pem /etc/openvpn | ||
|
||
cd "$APP_INSTALL_PATH" | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,10 +2,9 @@ | |
|
||
source ./functions.sh | ||
|
||
CLIENT_PATH="$(createConfig)" | ||
RANDOM_CLIENT_ID="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)" | ||
CONTENT_TYPE=application/text | ||
FILE_NAME=client.ovpn | ||
FILE_PATH="$CLIENT_PATH/$FILE_NAME" | ||
|
||
if (($#)) | ||
then | ||
|
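Review bot: with `CLIENT_PATH="$(createConfig)"` no longer run unconditionally, `FILE_PATH="$CLIENT_PATH/$FILE_NAME"` is evaluated while `CLIENT_PATH` is empty and resolves to `/client.ovpn` until a case branch reassigns it. Check that the path taken when `if (($#))` is false still calls `createConfig`, and compute `FILE_PATH` only after `CLIENT_PATH` has been set so a branch that forgets to do so fails loudly instead of serving the wrong file.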
@@ -18,13 +17,16 @@ then | |
# Switch statement | ||
case $FLAGS in | ||
z) | ||
CLIENT_PATH="$(createConfig $3)" | ||
zipFiles "$CLIENT_PATH" | ||
|
||
CONTENT_TYPE=application/zip | ||
FILE_NAME=client.zip | ||
FILE_PATH="$CLIENT_PATH/$FILE_NAME" | ||
;; | ||
zp) | ||
|
||
CLIENT_PATH="$(createConfig $3)" | ||
# (()) engaes arthimetic context | ||
if (($# < 2)) | ||
then | ||
|
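Review bot: in `zp)` the config is generated with `CLIENT_PATH="$(createConfig $3)"` before `if (($# < 2))` rejects the call, so a client certificate and directory are created even when the invocation is invalid; move the argument check ahead of `createConfig`. Quote the positional parameter (`"$3"`), otherwise an empty or whitespace-containing argument is word-split before it reaches the function. The comment `# (()) engaes arthimetic context` should read "engages arithmetic".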
@@ -38,10 +40,14 @@ then | |
fi | ||
;; | ||
o) | ||
CLIENT_PATH="$(createConfig $2)" | ||
Here and for all the other cases I moved the
||
FILE_PATH="$CLIENT_PATH/$FILE_NAME" | ||
cat "$FILE_PATH" | ||
exit 0 | ||
;; | ||
oz) | ||
|
||
CLIENT_PATH="$(createConfig $2)" | ||
zipFiles "$CLIENT_PATH" -q | ||
|
||
FILE_NAME=client.zip | ||
|
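Review bot: `createConfig $2` here and in `oz)` versus `createConfig $3` in the `z)`/`zp)` cases means the client-name argument sits at a different position depending on the flag; document the exact usage per flag or normalise the arguments before the `case`, and quote `"$2"`. Because `o)` streams the config to stdout with `cat "$FILE_PATH"`, anything `createConfig` prints besides the path is captured into `CLIENT_PATH`; the `&> /dev/null` on easyrsa covers that today, but any command added to the function must keep stdout clean.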
@@ -50,6 +56,9 @@ then | |
exit 0 | ||
;; | ||
ozp) | ||
|
||
CLIENT_PATH="$(createConfig $3)" | ||
FILE_PATH="$CLIENT_PATH/$FILE_NAME" | ||
if (($# < 2)) | ||
then | ||
echo "$(datef) Not enough arguments" && exit 1 | ||
|
@@ -74,4 +83,4 @@ echo "$(datef) NOTE: After you download your client config, http server will be | |
|
||
{ echo -ne "HTTP/1.1 200 OK\r\nContent-Length: $(wc -c <$FILE_PATH)\r\nContent-Type: $CONTENT_TYPE\r\nContent-Disposition: attachment; fileName=\"$FILE_NAME\"\r\nAccept-Ranges: bytes\r\n\r\n"; cat "$FILE_PATH"; } | nc -w0 -l 8080 | ||
|
||
echo "$(datef) Config http server has been shut down" | ||
echo "$(datef) Config http server has been shut down" |
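Review bot: no change in this hunk beyond the offset, but since the PR makes the client id caller-controlled it is worth recording that the `nc -w0 -l 8080` one-shot server hands the config, with the client key embedded (see "Embed client authentication files into config file" above), to the first unauthenticated connection over plain HTTP. Keep 8080 reachable only from the administrator's host and consider noting that in the README alongside the new flags.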
I thoroughly reviewed the templating part and it's truly amazing! However, it brings in another execution environment, i.e. Python and package dependencies, which leads to a much greater image size. At the moment I'd like to keep the resulting image as small as possible for the benefit of embedded and RISC architectures.
![Screenshot 2022-09-05 at 23 22 45](https://user-images.githubusercontent.com/4963165/188512976-ce4548c4-f6d2-4c95-8296-8a4514b43590.png)