🐛 use echo, lib log not loaded

.gitea/workflows/release.yaml

@@ -16,6 +16,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
       - name: Login to DockerHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -45,6 +51,7 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
+          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
   
@@ -61,9 +68,8 @@ jobs:
     - name: Generate Release Notes
       run: |
         touch release-notes.md
-        echo "< CHANGELOG >" >> release-notes.md
+        echo "### Changelog" >> release-notes.md
-        echo >> release-notes.md
+        echo "<!-- CHANGELOG -->" >> release-notes.md
-        echo "< SETUP INSTRUCTIONS >" >> release-notes.md
     
     - uses: ncipollo/release-action@v1
       with:

README.md

@@ -0,0 +1,48 @@
+# OpenVPN Docker
+Run OpenVPN Server within Docker Container
+
+## Setup Instructions
+**Docker Run** (not recommended):
+```console
+$ docker run -d --name "openvpn" --cap-add=NET_ADMIN -v ./data:/etc/openvpn-data -p 1194:1194/tcp -p 1194:1194/udp drmaxnix/openvpn
+```
+
+**Docker Compose** (recommended):
+```yaml
+services:
+  main:
+    image: drmaxnix/openvpn
+    restart: unless-stopped
+    volumes:
+      - ./data:/etc/openvpn-data
+    ports:
+      - "1194:1194/udp"
+      - "1194:1194/tcp"
+    cap_add:
+      - NET_ADMIN
+```
+```console
+$ docker compose up -d
+```
+
+> [!TIP]
+> For both variants, persistent config and key files will be stored in the `./data` directory. Feel free to change this to your needs.
+
+## Client Management
+Generate new client keys and output its config:
+```console
+$ docker compose exec main clientmgmt add
+```
+
+List registered client keys:
+```console
+$ docker compose exec main clientmgmt list
+```
+
+Revoke a client's keys:
+```console
+$ docker compose exec main clientmgmt revoke
+```
+
+> [!NOTE]
+> If you are using docker run, replace `docker compose exec main` with `docker exec -it openvpn`.

clientmgmt

@@ -96,14 +96,14 @@ clientmgmt_add(){
 	# ask whether auto-detection should be used
 	local answer="x"
 	local first=0
-	until [[ -z "$answer" || "$answer" =~ ^Y|y|N|n$ ]]; do
+	until [[ -z "$answer" || "$answer" =~ ^(Y|y|N|n)$ ]]; do
 		[[ "$first" -le 0 ]] && first=1 || echo "Invalid answer '$answer'"
 		read -ep "Auto-detect public IP-Address using icanhazip.com? [Y/n]: " answer
 	done
 	
 	# maybe do auto-detection
 	local public_ip=""
-	if [[ ! "$answer" =~ ^N|n$ ]]; then
+	if [[ ! "$answer" =~ ^(N|n)$ ]]; then
 		local exit=0
 		local icanhazip
 		icanhazip=$(wget -O - -q icanhazip.com) || exit=$?
@@ -307,7 +307,7 @@ clientmgmt_askname(){
 	
 	## VALIDATE ##
 	# check for reserved names
-	if [[ "$answer" =~ ^ca|server$ ]]; then
+	if [[ "$answer" =~ ^(ca|server)$ ]]; then
 		log_error "Name is reserved for internal use: '$answer'"
 	fi
 	
@@ -363,19 +363,32 @@ clientmgmt_clientlist(){
 
 
 
+#
+# HELPER: Make sure config and key files have been fully initialized.
+#
+clientmgmt_check_init_done(){
+	[[ -f "${DATA_SERVER_DIR}/server.conf" ]] && return 0
+	log_error "Server is still initializing config and key files; try again in a few seconds"
+}
+
+
+
 ## MAIN ##
 case ${1:-""} in
 	add)
+		clientmgmt_check_init_done
 		clientmgmt_add
 		exit 0
 	;;
 	
 	list)
+		clientmgmt_check_init_done
 		clientmgmt_list
 		exit 0
 	;;
 	
 	revoke)
+		clientmgmt_check_init_done
 		clientmgmt_revoke
 		exit 0
 	;;

entrypoint.sh

@@ -19,7 +19,7 @@ trap_exit(){
 			q=$(( q + 1 ))
 			snore 1
 			if [[ "$q" -ge 15 ]]; then
-				log_warn "Sending kill to OpenVPN"
+				echo "Sending kill to OpenVPN" 1>&2
 				kill -s KILL -- $openvpn_pid 2> /dev/null || true
 				break
 			fi
@@ -53,7 +53,8 @@ proc_running(){
 	# try reading state
 	local state_path="/proc/$1/stat"
 	[[ ! -f "$state_path" ]] && return 1
-	local state=$(cat "$state_path" | cut -d ' ' -f3)
+	local state
+	state=$(cat "$state_path" 2> /dev/null | cut -d ' ' -f3) || return 1
 	
 	# parse state
 	case "$state" in
@@ -103,6 +104,7 @@ easyrsa_server_keys_create(){
 	
 	# new pki
 	/usr/bin/easyrsa --batch init-pki
+	chmod 755 pki
 	
 	# create ca
 	/usr/bin/easyrsa --batch --days=7300 build-ca nopass
@@ -122,8 +124,15 @@ easyrsa_server_keys_create(){
 	
 	
 	## OTHER KEYS ##
-	# dh parameters
+	# dh parameters from `IETF RFC 7919`
-	openssl dhparam -out "${DATA_SERVER_DIR}/dh2048.pem" 2048
+	echo "-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----" > "${DATA_SERVER_DIR}/dh2048.pem"
 	
 	# tls-crypt key
 	openvpn --genkey secret "${DATA_SERVER_DIR}/tls-crypt.key"
@@ -158,7 +167,7 @@ auth SHA512
 
 client-config-dir ${DATA_CLIENT_DIR}
 ifconfig-pool-persist ipp.txt
-keepalive 600 720
+keepalive 300 1500
 persist-key
 persist-tun