diff --git a/Dockerfile b/Dockerfile
index b3d21cb..51681ad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.14.1
+FROM alpine:3.18.3
 LABEL maintainer="Alexander Litvinenko "
@@ -19,7 +19,7 @@ COPY scripts .
 COPY config ./config
 COPY VERSION ./config
-RUN apk add --no-cache openvpn easy-rsa bash netcat-openbsd zip curl dumb-init && \
+RUN apk add --no-cache openvpn iptables easy-rsa bash netcat-openbsd zip curl dumb-init && \
 ln -s /usr/share/easy-rsa/easyrsa /usr/bin/easyrsa && \
 mkdir -p ${APP_PERSIST_DIR} && \
 cd ${APP_PERSIST_DIR} && \
diff --git a/README.md b/README.md
index d43e18d..40de97f 100644
--- a/README.md
+++ b/README.md
@@ -113,11 +113,11 @@ docker run -it --rm --cap-add=NET_ADMIN \
 After container was run using `docker run` command, it's possible to execute additional commands using `docker exec` command. For example, `docker exec ./version.sh`. See table below to get the full list of supported commands.
-| Command | Description | Parameters | Example |
-| :------: | :---------: | :--------: | :-----: |
-| `./version.sh` | Outputs full container version, i.e `Dockovpn v1.2.0` | | `docker exec dockovpn ./version.sh` |
-| `./genclient.sh` | Generates new client configuration | `z` — Optional. Puts newly generated client.ovpn file into client.zip archive.

`zp paswd` — Optional. Puts newly generated client.ovpn file into client.zip archive with password `pswd`

`o` — Optional. Prints cert to the output.

`oz` — Optional. Prints zipped cert to the output. Use with output redirection.

`ozp paswd` — Optional. Prints encrypted zipped cert to the output. Use with output redirection. | `docker exec dockovpn ./genclient.sh`

`docker exec dockovpn ./genclient.sh z`

`docker exec dockovpn ./genclient.sh zp 123`

`docker exec dockovpn ./genclient.sh o > client.ovpn`

`docker exec dockovpn ./genclient.sh oz > client.zip`

`docker exec dockovpn ./genclient.sh ozp paswd > client.zip`|
- | `./rmclient.sh` | Revokes client certificate thus making him/her anable to connect to given Dockovpn server. | Client Id, i.e `vFOoQ3Hngz4H790IpRo6JgKR6cMR3YAp`. | `docker exec dockovpn ./rmclient.sh vFOoQ3Hngz4H790IpRo6JgKR6cMR3YAp` |
+| Command | Description | Parameters | Example |
+| :------: | :---------: |:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
+| `./version.sh` | Outputs full container version, i.e `Dockovpn v1.2.0` | | `docker exec dockovpn ./version.sh` |
+| `./genclient.sh` | Generates new client configuration | `z` — Optional. Puts newly generated client.ovpn file into client.zip archive.

`zp paswd` — Optional. Puts newly generated client.ovpn file into client.zip archive with password `pswd`

`o` — Optional. Prints cert to the output.

`oz` — Optional. Prints zipped cert to the output. Use with output redirection.

`ozp paswd` — Optional. Prints encrypted zipped cert to the output. Use with output redirection.

`n profile_name` — Optional. Use specified profile_name parameter instead of random id. Prints client.ovpn to the output

`np profile_name` — Optional. Use specified profile_name parameter instead of random id and protects by password asked by stdin. Password refers to the connection and it will be asked during connection stage. Prints client.ovpn to the output | `docker exec dockovpn ./genclient.sh`

`docker exec dockovpn ./genclient.sh z`

`docker exec dockovpn ./genclient.sh zp 123`

`docker exec dockovpn ./genclient.sh o > client.ovpn`

`docker exec dockovpn ./genclient.sh oz > client.zip`

`docker exec dockovpn ./genclient.sh ozp paswd > client.zip`

`docker exec dockovpn ./genclient.sh n profile_name`

`docker exec -ti dockovpn ./genclient.sh np profile_name` |
+ | `./rmclient.sh` | Revokes client certificate thus making him/her anable to connect to given Dockovpn server. | Client Id, i.e `vFOoQ3Hngz4H790IpRo6JgKR6cMR3YAp`. | `docker exec dockovpn ./rmclient.sh vFOoQ3Hngz4H790IpRo6JgKR6cMR3YAp` |
 ## 📺 Video Guide
diff --git a/scripts/functions.sh b/scripts/functions.sh
index a3f1332..0fe53ac 100644
--- a/scripts/functions.sh
+++ b/scripts/functions.sh
@@ -8,11 +8,15 @@ function datef() {
 function createConfig() {
 cd "$APP_PERSIST_DIR"
- CLIENT_ID="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
- CLIENT_PATH="$APP_PERSIST_DIR/clients/$CLIENT_ID"
 # Redirect stderr to the black hole
- easyrsa build-client-full "$CLIENT_ID" nopass &> /dev/null
+
+ if [ $PASSWORD_PROTECTED -eq 1 ]; then
+ easyrsa build-client-full "$CLIENT_ID"
+ else
+ easyrsa build-client-full "$CLIENT_ID" nopass &> /dev/null
+ fi
+
 # Writing new private key to '/usr/share/easy-rsa/pki/private/client.key
 # Client sertificate /usr/share/easy-rsa/pki/issued/client.crt
 # CA is by the path /usr/share/easy-rsa/pki/ca.crt
@@ -94,7 +98,26 @@ function getVersionFull() {
 }
 function generateClientConfig() {
- CLIENT_PATH="$(createConfig)"
+ #case
+ #first argument = n use second argument as CLIENT_ID
+ #first argument = np use second argument as CLIENT_ID and set PASSWORD_PROTECTED as 1
+ #default generate random CLIENT_ID
+ FLAGS=$1
+ case $FLAGS in
+ n)
+ CLIENT_ID="$2"
+ ;;
+ np)
+ CLIENT_ID="$2"
+ PASSWORD_PROTECTED=1
+ ;;
+ *)
+ CLIENT_ID="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
+ ;;
+ esac
+
+ CLIENT_PATH="$APP_PERSIST_DIR/clients/$CLIENT_ID"
+ createConfig
 CONTENT_TYPE=application/text
 FILE_NAME=client.ovpn
 FILE_PATH="$CLIENT_PATH/$FILE_NAME"
@@ -129,7 +152,7 @@ function generateClientConfig() {
 FILE_PATH="$CLIENT_PATH/$FILE_NAME"
 fi
 ;;
- o)
+ o|n|np)
 cat "$FILE_PATH"
 exit 0
 ;;
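Review bot: `if [ $PASSWORD_PROTECTED -eq 1 ]; then` in createConfig is evaluated with the variable unset on every call that did not pass `np`, because the `*)` branch of generateClientConfig in the next hunk never assigns it, so `[` prints "unary operator expected" on stderr and the `nopass` branch is reached only because a `[` syntax error happens to return non-zero. Default and quote it: `if [ "${PASSWORD_PROTECTED:-0}" -eq 1 ]; then`. Neither `easyrsa build-client-full` call has its exit status checked, so a failed build (or an aborted passphrase prompt in the password-protected call, which also means that path only works under `docker exec -ti`) falls through to the config assembly with no key or certificate; `easyrsa build-client-full "$CLIENT_ID" || return 1` on each call would stop that, unless the script already runs under `set -e` outside the hunk. The `# Redirect stderr to the black hole` comment now sits above the blank line and describes only the `else` branch, so move it there. createConfig's body continues past the end of the hunk.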
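Review bot: `CLIENT_ID="$2"` in the `n` and `np` branches of generateClientConfig is taken from the command line unvalidated and then used both as the easy-rsa certificate name and to build `CLIENT_PATH="$APP_PERSIST_DIR/clients/$CLIENT_ID"`, so an empty second argument or a name containing `/` or `..` yields a path outside the clients directory and an obscure easyrsa failure instead of a clear error. A guard after `esac`, `[[ "$CLIENT_ID" =~ ^[A-Za-z0-9][A-Za-z0-9_.-]*$ ]] || { echo "invalid profile name: $CLIENT_ID" >&2; exit 1; }`, keeps the value inside that directory and matches the character set of the random ids. The `*)` branch should also set `PASSWORD_PROTECTED=0` so createConfig's numeric test in the previous hunk always sees a defined value. Because `createConfig` is now run for its side effects rather than through `$(createConfig)`, anything it still prints on stdout (its tail is outside the hunk) will be mixed into the `o|n|np` output, so confirm it no longer echoes the client path.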
diff --git a/scripts/genclient.sh b/scripts/genclient.sh
index ed92a59..ead6d3f 100755
--- a/scripts/genclient.sh
+++ b/scripts/genclient.sh
@@ -2,4 +2,4 @@
 source ./functions.sh
-generateClientConfig
\ No newline at end of file
+generateClientConfig "$@"
diff --git a/scripts/start.sh b/scripts/start.sh
index 4d28f52..5f4a071 100755
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -69,13 +69,11 @@ LOCKFILE=.gen
 if [ ! -f $LOCKFILE ]; then
 IS_INITIAL="1"
- if [[ -n $REGENERATE ]]; then
- easyrsa --batch init-pki
- easyrsa --batch gen-dh
- # DH parameters of size 2048 created at /usr/share/easy-rsa/pki/dh.pem
- # Copy DH file
- cp pki/dh.pem /etc/openvpn
- fi
+ easyrsa --batch init-pki
+ easyrsa --batch gen-dh
+ # DH parameters of size 2048 created at /usr/share/easy-rsa/pki/dh.pem
+ # Copy DH file
+ cp pki/dh.pem /etc/openvpn
 easyrsa build-ca nopass << EOF
@@ -117,13 +115,6 @@ if ! [[ -n $NOOP ]]; then
 # Need to feed key password
 openvpn --config /etc/openvpn/server.conf &
- if [[ -n $IS_INITIAL ]]; then
- # By some strange reason we need to do echo command to get to the next command
- echo " "
-
- # Generate client config
- generateClientConfig $@
- fi
 fi
 if ! [[ -n $QUIT ]]; then
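Review bot: With the `REGENERATE` guard removed, `easyrsa --batch init-pki`, `easyrsa --batch gen-dh` and `cp pki/dh.pem /etc/openvpn` run unconditionally on a first start, but none of their exit statuses is checked, so a failed `gen-dh` surfaces only as a `cp` error while the script goes on to build the CA and presumably start the server without DH parameters. Chaining them, `easyrsa --batch init-pki && easyrsa --batch gen-dh && cp pki/dh.pem /etc/openvpn || exit 1`, stops at the first failure (unnecessary if `set -e` is enabled above the hunk). Since `init-pki` in batch mode replaces any existing `pki` directory, the only protection for an existing PKI is now the `.gen` lockfile, which is worth stating in a comment such as `# First start (no .gen lockfile): create a fresh PKI and deployment-specific DH parameters`. The enclosing `if [ ! -f $LOCKFILE ]` block continues outside the hunk.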