Merge pull request #132 from flant/rc/2.0.0

Release 2.0.0

.dockerignore

@@ -3,7 +3,7 @@
 *.iml
 out
 gen
-
+.github
 
 easyrsa
 easyrsa_master
@@ -13,11 +13,14 @@ ccd_master
 ccd_slave
 werf.yaml
 frontend/node_modules
+frontend/static/dist
 openvpn-web-ui
 openvpn-ui
 openvpn-admin
 ovpn-admin
 
 docker-compose.yaml
 docker-compose-slave.yaml
-img
+img
+dashboard
+.helm

.github/workflows/publish-latest.yaml

@@ -5,7 +5,7 @@ on:
 
 jobs:
   build:
-    name: build latest images for relase
+    name: build latest images for release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code

.github/workflows/release.yaml

@@ -17,7 +17,7 @@ jobs:
       - name: checkout code
         uses: actions/checkout@v2
       - name: build binaries
-        uses: wangyoucao577/go-release-action@v1.22
+        uses: wangyoucao577/go-release-action@v1.28
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           goversion: 1.17

.github/workflows/release_arm.yaml

@@ -17,7 +17,7 @@ jobs:
       - name: checkout code
         uses: actions/checkout@v2
       - name: build binaries
-        uses: wangyoucao577/go-release-action@v1.22
+        uses: wangyoucao577/go-release-action@v1.28
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           goversion: 1.17

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:16.13.0-alpine3.12 AS frontend-builder
+FROM node:16-alpine3.15 AS frontend-builder
 COPY frontend/ /app
 RUN cd /app && npm install && npm run build
 
@@ -8,10 +8,10 @@ COPY --from=frontend-builder /app/static /app/frontend/static
 COPY . /app
 RUN cd /app && packr2 && env CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -a -tags netgo -ldflags '-linkmode external -extldflags -static -s -w' -o ovpn-admin && packr2 clean
 
-FROM alpine:3.14
+FROM alpine:3.16
 WORKDIR /app
 COPY --from=backend-builder /app/ovpn-admin /app
-RUN apk add --update bash easy-rsa openssl openvpn  && \
+RUN apk add --update bash easy-rsa openssl openvpn coreutils  && \
     ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
-    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.3/openvpn-user-linux-amd64.tar.gz -O - | tar xz -C /usr/local/bin && \
+    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.4/openvpn-user-linux-amd64.tar.gz -O - | tar xz -C /usr/local/bin && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*

Dockerfile.openvpn

@@ -1,7 +1,7 @@
-FROM alpine:3.14
-RUN apk add --update bash openvpn easy-rsa  && \
+FROM alpine:3.16
+RUN apk add --update bash openvpn easy-rsa iptables  && \
     ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
-    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.3/openvpn-user-linux-amd64.tar.gz -O - | tar xz -C /usr/local/bin && \
+    wget https://github.com/pashcovich/openvpn-user/releases/download/v1.0.4/openvpn-user-linux-amd64.tar.gz -O - | tar xz -C /usr/local/bin && \
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
 COPY setup/ /etc/openvpn/setup
 RUN chmod +x /etc/openvpn/setup/configure.sh

README.md

@@ -8,8 +8,8 @@ Originally created in [Flant](https://flant.com/) for internal needs & used for
 
 ## Features
 
-* Adding OpenVPN users (generating certificates for them);
-* Revoking/restoring users certificates;
+* Adding, deleting OpenVPN users (generating certificates for them);
+* Revoking/restoring/rotating users certificates;
 * Generating ready-to-user config files;
 * Providing metrics for Prometheus, including certificates expiration date, number of (connected/total) users, information about connected users;
 * (optionally) Specifying CCD (`client-config-dir`) for each user;
@@ -28,15 +28,12 @@ An example of dashboard made using ovpn-admin metrics:
 
 ## Installation
 
-### Disclaimer
-
-This tool uses external calls for `bash`, `coreutils` and `easy-rsa`, thus **Linux systems only are supported** at the moment.
-
 ### 1. Docker
 
 There is a ready-to-use [docker-compose.yaml](https://github.com/flant/ovpn-admin/blob/master/docker-compose.yaml), so you can just change/add values you need and start it with [start.sh](https://github.com/flant/ovpn-admin/blob/master/start.sh).
 
-Requirements. You need [Docker](https://docs.docker.com/get-docker/) and [docker-compose](https://docs.docker.com/compose/install/) installed.
+Requirements:
+You need [Docker](https://docs.docker.com/get-docker/) and [docker-compose](https://docs.docker.com/compose/install/) installed.
 
 Commands to execute:
 
@@ -45,6 +42,9 @@ git clone https://github.com/flant/ovpn-admin.git
 cd ovpn-admin
 ./start.sh
 ```
+#### 1.1
+Ready docker images available on [Docker Hub](https://hub.docker.com/r/flant/ovpn-admin/tags) 
+. Tags are simple: `$VERSION` or `latest` for ovpn-admin and `openvpn-$VERSION` or `openvpn-latest` for openvpn-server
 
 ### 2. Building from source
 
@@ -65,11 +65,19 @@ cd ovpn-admin
 
 (Please don't forget to configure all needed params in advance.)
 
-### 3. Prebuilt binary (WIP)
+### 3. Prebuilt binary
+
+You can also download and use prebuilt binaries from the [releases](https://github.com/flant/ovpn-admin/releases/latest) page — just choose a relevant tar.gz file.
 
-You can also download and use prebuilt binaries from the [releases](https://github.com/flant/ovpn-admin/releases) page — just choose a relevant tar.gz file.
 
-To use password authentication (the `--auth` flag) you have to install [openvpn-user](https://github.com/pashcovich/openvpn-user/releases). This tool should be available in your `$PATH` and its binary should be executable (`+x`).
+## Notes
+* this tool uses external calls for `bash`, `coreutils` and `easy-rsa`, thus **Linux systems only are supported** at the moment.
+* to enable additional password authentication provide `--auth` and `--auth.db="/etc/easyrsa/pki/users.db`" flags and install [openvpn-user](https://github.com/pashcovich/openvpn-user/releases/latest). This tool should be available in your `$PATH` and its binary should be executable (`+x`).
+* master-replica synchronization does not work with `--storage.backend=kubernetes.secrets` - **WIP**
+* additional password authentication does not work with `--storage.backend=kubernetes.secrets` -  **WIP**
+* if you use `--ccd` and `--ccd.path="/etc/openvpn/ccd"` abd plan to use static address setup for users do not forget to provide `--ovpn.network="172.16.100.0/24"` with valid openvpn-server network 
+* tested only with Openvpn-server versions 2.4 and 2.
+* status of users connections update every 28 second(*no need to ask why =)*)
 
 ## Usage
 
@@ -80,88 +88,82 @@ Flags:
   --help                       show context-sensitive help (try also --help-long and --help-man)
 
   --listen.host="0.0.0.0"      host for ovpn-admin
-  (or $OVPN_LISTEN_HOST)
+  (or OVPN_LISTEN_HOST)
 
   --listen.port="8080"         port for ovpn-admin
-  (or $OVPN_LISTEN_PORT)
+  (or OVPN_LISTEN_PORT)
 
   --role="master"              server role, master or slave
-  (or $OVPN_ROLE)
+  (or OVPN_ROLE)
 
   --master.host="http://127.0.0.1"  
-  (or $OVPN_MASTER_HOST)       URL for the master server
+  (or OVPN_MASTER_HOST)       URL for the master server
 
   --master.basic-auth.user=""  user for master server's Basic Auth
-  (or $OVPN_MASTER_USER)
+  (or OVPN_MASTER_USER)
  
   --master.basic-auth.password=""  
-  (or $OVPN_MASTER_PASSWORD)   password for master server's Basic Auth
+  (or OVPN_MASTER_PASSWORD)   password for master server's Basic Auth
 
   --master.sync-frequency=600  master host data sync frequency in seconds
-  (or $OVPN_MASTER_SYNC_FREQUENCY)
+  (or OVPN_MASTER_SYNC_FREQUENCY)
 
   --master.sync-token=TOKEN    master host data sync security token
-  (or $OVPN_MASTER_TOKEN)
+  (or OVPN_MASTER_TOKEN)
 
   --ovpn.network="172.16.100.0/24"  
-  (or $OVPN_NETWORK)           NETWORK/MASK_PREFIX for OpenVPN server
+  (or OVPN_NETWORK)           NETWORK/MASK_PREFIX for OpenVPN server
 
   --ovpn.server=HOST:PORT:PROTOCOL ...  
-  (or $OVPN_SERVER)            HOST:PORT:PROTOCOL for OpenVPN server
+  (or OVPN_SERVER)            HOST:PORT:PROTOCOL for OpenVPN server
                                can have multiple values
 
   --ovpn.server.behindLB       enable if your OpenVPN server is behind Kubernetes
-  (or $OVPN_LB)                Service having the LoadBalancer type
+  (or OVPN_LB)                Service having the LoadBalancer type
 
   --ovpn.service="openvpn-external"  
-  (or $OVPN_LB_SERVICE)        the name of Kubernetes Service having the LoadBalancer
+  (or OVPN_LB_SERVICE)        the name of Kubernetes Service having the LoadBalancer
                                type if your OpenVPN server is behind it
 
   --mgmt=main=127.0.0.1:8989 ...  
-  (or $OVPN_MGMT)              ALIAS=HOST:PORT for OpenVPN server mgmt interface;
+  (or OVPN_MGMT)              ALIAS=HOST:PORT for OpenVPN server mgmt interface;
                                can have multiple values
 
   --metrics.path="/metrics"    URL path for exposing collected metrics
-  (or $OVPN_METRICS_PATH)
+  (or OVPN_METRICS_PATH)
 
   --easyrsa.path="./easyrsa/"  path to easyrsa dir
-  (or $EASYRSA_PATH)
+  (or EASYRSA_PATH)
 
   --easyrsa.index-path="./easyrsa/pki/index.txt"  
-  (or $OVPN_INDEX_PATH)        path to easyrsa index file
+  (or OVPN_INDEX_PATH)        path to easyrsa index file
 
   --ccd                        enable client-config-dir
-  (or $OVPN_CCD)
+  (or OVPN_CCD)
 
   --ccd.path="./ccd"           path to client-config-dir
-  (or $OVPN_CCD_PATH)
+  (or OVPN_CCD_PATH)
 
   --templates.clientconfig-path=""  
-  (or $OVPN_TEMPLATES_CC_PATH) path to custom client.conf.tpl
+  (or OVPN_TEMPLATES_CC_PATH) path to custom client.conf.tpl
 
   --templates.ccd-path=""      path to custom ccd.tpl
-  (or $OVPN_TEMPLATES_CCD_PATH)
+  (or OVPN_TEMPLATES_CCD_PATH)
 
   --auth.password              enable additional password authorization
-  (or $OVPN_AUTH)
+  (or OVPN_AUTH)
 
   --auth.db="./easyrsa/pki/users.db"
-  (or $OVPN_AUTH_DB_PATH)      database path for password authorization
-
-  --debug                      enable debug mode
-  (or $OVPN_DEBUG)
-
-  --verbose                    enable verbose mode
-  (or $OVPN_VERBOSE)
+  (or OVPN_AUTH_DB_PATH)      database path for password authorization
   
   --log.level                  set log level: trace, debug, info, warn, error (default info)
-  (or $LOG_LEVEL)
+  (or LOG_LEVEL)
   
   --log.format                 set log format: text, json (default text)
-  (or $LOG_FORMAT)
+  (or LOG_FORMAT)
   
   --storage.backend            storage backend: filesystem, kubernetes.secrets (default filesystem)
-  (or $STORAGE_BACKEND)
+  (or STORAGE_BACKEND)
  
   --version                    show application version
 ```

docker-compose.yaml

@@ -10,6 +10,7 @@ services:
     environment:
       OVPN_SERVER_NET: "192.168.100.0"
       OVPN_SERVER_MASK: "255.255.255.0"
+      OVPN_PASSWD_AUTH: "true"
     cap_add:
       - NET_ADMIN
     ports:
@@ -24,12 +25,17 @@ services:
     image: ovpn-admin:local
     command: /app/ovpn-admin
     environment:
-      OVPN_DEBUG: "True"
-      OVPN_VERBOSE: "True"
+      OVPN_DEBUG: "true"
+      OVPN_VERBOSE: "true"
       OVPN_NETWORK: "192.168.100.0/24"
+      OVPN_CCD: "true"
+      OVPN_CCD_PATH: "/mnt/ccd"
       EASYRSA_PATH: "/mnt/easyrsa"
       OVPN_SERVER: "127.0.0.1:7777:tcp"
       OVPN_INDEX_PATH: "/mnt/easyrsa/pki/index.txt"
+      OVPN_AUTH: "true"
+      OVPN_AUTH_DB_PATH: "/mnt/easyrsa/pki/users.db"
+      LOG_LEVEL: "debug"
     network_mode: service:openvpn
     volumes:
       - ./easyrsa_master:/mnt/easyrsa