Compare commits
12 Commits
Author | SHA1 | Date | |
---|---|---|---|
b662d82ae3 | |||
bad40c1d1a | |||
bd099af12f | |||
c794049d19 | |||
061225e9e3 | |||
8cfb7784fb | |||
9ef9efb1a6 | |||
49a12e960c | |||
ba554734a2 | |||
23ecfa9367 | |||
3d6c3fca6e | |||
46cf80016c |
@ -16,6 +16,12 @@ jobs:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
|
||||
- name: Login to DockerHub Container Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
@ -45,6 +51,7 @@ jobs:
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
context: .
|
||||
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
|
||||
push: true
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
|
||||
@ -61,9 +68,8 @@ jobs:
|
||||
- name: Generate Release Notes
|
||||
run: |
|
||||
touch release-notes.md
|
||||
echo "< CHANGELOG >" >> release-notes.md
|
||||
echo >> release-notes.md
|
||||
echo "< SETUP INSTRUCTIONS >" >> release-notes.md
|
||||
echo "### Changelog" >> release-notes.md
|
||||
echo "<!-- CHANGELOG -->" >> release-notes.md
|
||||
|
||||
- uses: ncipollo/release-action@v1
|
||||
with:
|
||||
|
48
README.md
Normal file
48
README.md
Normal file
@ -0,0 +1,48 @@
|
||||
# OpenVPN Docker
|
||||
Run OpenVPN Server within Docker Container
|
||||
|
||||
## Setup Instructions
|
||||
**Docker Run** (not recommended):
|
||||
```console
|
||||
$ docker run -d --name "openvpn" --cap-add=NET_ADMIN -v ./data:/etc/openvpn-data -p 1194:1194/tcp -p 1194:1194/udp drmaxnix/openvpn
|
||||
```
|
||||
|
||||
**Docker Compose** (recommended):
|
||||
```yaml
|
||||
services:
|
||||
main:
|
||||
image: drmaxnix/openvpn
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ./data:/etc/openvpn-data
|
||||
ports:
|
||||
- "1194:1194/udp"
|
||||
- "1194:1194/tcp"
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
```
|
||||
```console
|
||||
$ docker compose up -d
|
||||
```
|
||||
|
||||
> [!TIP]
|
||||
> For both variants, persistent config and key files will be stored in the `./data` directory. Feel free to change this to your needs.
|
||||
|
||||
## Client Management
|
||||
Generate new client keys and output its config:
|
||||
```console
|
||||
$ docker compose exec main clientmgmt add
|
||||
```
|
||||
|
||||
List registered client keys:
|
||||
```console
|
||||
$ docker compose exec main clientmgmt list
|
||||
```
|
||||
|
||||
Revoke a client's keys:
|
||||
```console
|
||||
$ docker compose exec main clientmgmt revoke
|
||||
```
|
||||
|
||||
> [!NOTE]
|
||||
> If you are using docker run, replace `docker compose exec main` with `docker exec -it openvpn`.
|
19
clientmgmt
19
clientmgmt
@ -96,14 +96,14 @@ clientmgmt_add(){
|
||||
# ask whether auto-detection should be used
|
||||
local answer="x"
|
||||
local first=0
|
||||
until [[ -z "$answer" || "$answer" =~ ^Y|y|N|n$ ]]; do
|
||||
until [[ -z "$answer" || "$answer" =~ ^(Y|y|N|n)$ ]]; do
|
||||
[[ "$first" -le 0 ]] && first=1 || echo "Invalid answer '$answer'"
|
||||
read -ep "Auto-detect public IP-Address using icanhazip.com? [Y/n]: " answer
|
||||
done
|
||||
|
||||
# maybe do auto-detection
|
||||
local public_ip=""
|
||||
if [[ ! "$answer" =~ ^N|n$ ]]; then
|
||||
if [[ ! "$answer" =~ ^(N|n)$ ]]; then
|
||||
local exit=0
|
||||
local icanhazip
|
||||
icanhazip=$(wget -O - -q icanhazip.com) || exit=$?
|
||||
@ -307,7 +307,7 @@ clientmgmt_askname(){
|
||||
|
||||
## VALIDATE ##
|
||||
# check for reserved names
|
||||
if [[ "$answer" =~ ^ca|server$ ]]; then
|
||||
if [[ "$answer" =~ ^(ca|server)$ ]]; then
|
||||
log_error "Name is reserved for internal use: '$answer'"
|
||||
fi
|
||||
|
||||
@ -363,19 +363,32 @@ clientmgmt_clientlist(){
|
||||
|
||||
|
||||
|
||||
#
|
||||
# HELPER: Make sure config and key files have been fully initialized.
|
||||
#
|
||||
clientmgmt_check_init_done(){
|
||||
[[ -f "${DATA_SERVER_DIR}/server.conf" ]] && return 0
|
||||
log_error "Server is still initializing config and key files; try again in a few seconds"
|
||||
}
|
||||
|
||||
|
||||
|
||||
## MAIN ##
|
||||
case ${1:-""} in
|
||||
add)
|
||||
clientmgmt_check_init_done
|
||||
clientmgmt_add
|
||||
exit 0
|
||||
;;
|
||||
|
||||
list)
|
||||
clientmgmt_check_init_done
|
||||
clientmgmt_list
|
||||
exit 0
|
||||
;;
|
||||
|
||||
revoke)
|
||||
clientmgmt_check_init_done
|
||||
clientmgmt_revoke
|
||||
exit 0
|
||||
;;
|
||||
|
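Review bot: The new `clientmgmt_check_init_done` helper returns the exit status of `log_error` when `server.conf` is absent, and the `add`, `list` and `revoke` arms of the `## MAIN ##` case call it as a bare statement, so unless `log_error` (defined outside this hunk) exits by itself or `set -e` is active at the top of the script, `clientmgmt_add` and friends still run against an uninitialized data directory. Make the guard explicit so it does not depend on the logger's status: `clientmgmt_check_init_done || exit 1` in each arm, or end the helper with `return 1` after the `log_error` line. Minor, in the first hunk of this file: `[[ "$first" -le 0 ]] && first=1 || echo "Invalid answer '$answer'"` is the `a && b || c` idiom ShellCheck flags as SC2015; it is harmless here because `first=1` cannot fail, but an `if`/`else` reads more clearly.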
@ -19,7 +19,7 @@ trap_exit(){
|
||||
q=$(( q + 1 ))
|
||||
snore 1
|
||||
if [[ "$q" -ge 15 ]]; then
|
||||
log_warn "Sending kill to OpenVPN"
|
||||
echo "Sending kill to OpenVPN" 1>&2
|
||||
kill -s KILL -- $openvpn_pid 2> /dev/null || true
|
||||
break
|
||||
fi
|
||||
@ -53,7 +53,8 @@ proc_running(){
|
||||
# try reading state
|
||||
local state_path="/proc/$1/stat"
|
||||
[[ ! -f "$state_path" ]] && return 1
|
||||
local state=$(cat "$state_path" | cut -d ' ' -f3)
|
||||
local state
|
||||
state=$(cat "$state_path" 2> /dev/null | cut -d ' ' -f3) || return 1
|
||||
|
||||
# parse state
|
||||
case "$state" in
|
||||
@ -103,6 +104,7 @@ easyrsa_server_keys_create(){
|
||||
|
||||
# new pki
|
||||
/usr/bin/easyrsa --batch init-pki
|
||||
chmod 755 pki
|
||||
|
||||
# create ca
|
||||
/usr/bin/easyrsa --batch --days=7300 build-ca nopass
|
||||
@ -122,8 +124,15 @@ easyrsa_server_keys_create(){
|
||||
|
||||
|
||||
## OTHER KEYS ##
|
||||
# dh parameters
|
||||
openssl dhparam -out "${DATA_SERVER_DIR}/dh2048.pem" 2048
|
||||
# dh parameters from `IETF RFC 7919`
|
||||
echo "-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----" > "${DATA_SERVER_DIR}/dh2048.pem"
|
||||
|
||||
# tls-crypt key
|
||||
openvpn --genkey secret "${DATA_SERVER_DIR}/tls-crypt.key"
|
||||
@ -158,7 +167,7 @@ auth SHA512
|
||||
|
||||
client-config-dir ${DATA_CLIENT_DIR}
|
||||
ifconfig-pool-persist ipp.txt
|
||||
keepalive 600 720
|
||||
keepalive 300 1500
|
||||
persist-key
|
||||
persist-tun
|
||||
|
||||
|