Compare commits
12 Commits
Author | SHA1 | Date | |
---|---|---|---|
b662d82ae3 | |||
bad40c1d1a | |||
bd099af12f | |||
c794049d19 | |||
061225e9e3 | |||
8cfb7784fb | |||
9ef9efb1a6 | |||
49a12e960c | |||
ba554734a2 | |||
23ecfa9367 | |||
3d6c3fca6e | |||
46cf80016c |
@ -16,6 +16,12 @@ jobs:
|
|||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Set up QEMU
|
||||||
|
uses: docker/setup-qemu-action@v3
|
||||||
|
|
||||||
|
- name: Set up Docker Buildx
|
||||||
|
uses: docker/setup-buildx-action@v3
|
||||||
|
|
||||||
- name: Login to DockerHub Container Registry
|
- name: Login to DockerHub Container Registry
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
@ -45,6 +51,7 @@ jobs:
|
|||||||
uses: docker/build-push-action@v5
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
|
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
|
||||||
push: true
|
push: true
|
||||||
tags: ${{ steps.meta.outputs.tags }}
|
tags: ${{ steps.meta.outputs.tags }}
|
||||||
|
|
||||||
@ -61,9 +68,8 @@ jobs:
|
|||||||
- name: Generate Release Notes
|
- name: Generate Release Notes
|
||||||
run: |
|
run: |
|
||||||
touch release-notes.md
|
touch release-notes.md
|
||||||
echo "< CHANGELOG >" >> release-notes.md
|
echo "### Changelog" >> release-notes.md
|
||||||
echo >> release-notes.md
|
echo "<!-- CHANGELOG -->" >> release-notes.md
|
||||||
echo "< SETUP INSTRUCTIONS >" >> release-notes.md
|
|
||||||
|
|
||||||
- uses: ncipollo/release-action@v1
|
- uses: ncipollo/release-action@v1
|
||||||
with:
|
with:
|
||||||
|
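Review bot: The two actions introduced in the first hunk (`docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`) and the retained `docker/login-action@v3` / `docker/build-push-action@v5` are pinned to mutable major tags, so a compromised or force-moved tag would execute arbitrary code in a job that holds the DockerHub push credentials (the login step's `with:` block is cut off at the hunk edge). Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: docker/login-action@<40-hex-commit-sha> # v3`, and let Dependabot/Renovate advance the pins. The same applies to `actions/checkout@v4` and `ncipollo/release-action@v1`, which this commit leaves unchanged. Since `push: true` publishes multi-arch images straight to the registry, this job is the most valuable target in the workflow and is worth hardening first.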
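--- /dev/null
+++ b/README.md
@@ -0,0 +1,48 @@
+# OpenVPN Docker
+Run OpenVPN Server within Docker Container
+
+## Setup Instructions
+**Docker Run** (not recommended):
+```console
+$ docker run -d --name "openvpn" --cap-add=NET_ADMIN -v ./data:/etc/openvpn-data -p 1194:1194/tcp -p 1194:1194/udp drmaxnix/openvpn
+```
+
+**Docker Compose** (recommended):
+```yaml
+services:
+main:
+image: drmaxnix/openvpn
+restart: unless-stopped
+volumes:
+- ./data:/etc/openvpn-data
+ports:
+- "1194:1194/udp"
+- "1194:1194/tcp"
+cap_add:
+- NET_ADMIN
+```
+```console
+$ docker compose up -d
+```
+
+> [!TIP]
+> For both variants, persistent config and key files will be stored in the `./data` directory. Feel free to change this to your needs.
+
+## Client Management
+Generate new client keys and output its config:
+```console
+$ docker compose exec main clientmgmt add
+```
+
+List registered client keys:
+```console
+$ docker compose exec main clientmgmt list
+```
+
+Revoke a client's keys:
+```console
+$ docker compose exec main clientmgmt revoke
+```
+
+> [!NOTE]
+> If you are using docker run, replace `docker compose exec main` with `docker exec -it openvpn`.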
19
clientmgmt
19
clientmgmt
@ -96,14 +96,14 @@ clientmgmt_add(){
|
|||||||
# ask whether auto-detection should be used
|
# ask whether auto-detection should be used
|
||||||
local answer="x"
|
local answer="x"
|
||||||
local first=0
|
local first=0
|
||||||
until [[ -z "$answer" || "$answer" =~ ^Y|y|N|n$ ]]; do
|
until [[ -z "$answer" || "$answer" =~ ^(Y|y|N|n)$ ]]; do
|
||||||
[[ "$first" -le 0 ]] && first=1 || echo "Invalid answer '$answer'"
|
[[ "$first" -le 0 ]] && first=1 || echo "Invalid answer '$answer'"
|
||||||
read -ep "Auto-detect public IP-Address using icanhazip.com? [Y/n]: " answer
|
read -ep "Auto-detect public IP-Address using icanhazip.com? [Y/n]: " answer
|
||||||
done
|
done
|
||||||
|
|
||||||
# maybe do auto-detection
|
# maybe do auto-detection
|
||||||
local public_ip=""
|
local public_ip=""
|
||||||
if [[ ! "$answer" =~ ^N|n$ ]]; then
|
if [[ ! "$answer" =~ ^(N|n)$ ]]; then
|
||||||
local exit=0
|
local exit=0
|
||||||
local icanhazip
|
local icanhazip
|
||||||
icanhazip=$(wget -O - -q icanhazip.com) || exit=$?
|
icanhazip=$(wget -O - -q icanhazip.com) || exit=$?
|
||||||
@ -307,7 +307,7 @@ clientmgmt_askname(){
|
|||||||
|
|
||||||
## VALIDATE ##
|
## VALIDATE ##
|
||||||
# check for reserved names
|
# check for reserved names
|
||||||
if [[ "$answer" =~ ^ca|server$ ]]; then
|
if [[ "$answer" =~ ^(ca|server)$ ]]; then
|
||||||
log_error "Name is reserved for internal use: '$answer'"
|
log_error "Name is reserved for internal use: '$answer'"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@ -363,19 +363,32 @@ clientmgmt_clientlist(){
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# HELPER: Make sure config and key files have been fully initialized.
|
||||||
|
#
|
||||||
|
clientmgmt_check_init_done(){
|
||||||
|
[[ -f "${DATA_SERVER_DIR}/server.conf" ]] && return 0
|
||||||
|
log_error "Server is still initializing config and key files; try again in a few seconds"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## MAIN ##
|
## MAIN ##
|
||||||
case ${1:-""} in
|
case ${1:-""} in
|
||||||
add)
|
add)
|
||||||
|
clientmgmt_check_init_done
|
||||||
clientmgmt_add
|
clientmgmt_add
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
|
||||||
list)
|
list)
|
||||||
|
clientmgmt_check_init_done
|
||||||
clientmgmt_list
|
clientmgmt_list
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
|
||||||
revoke)
|
revoke)
|
||||||
|
clientmgmt_check_init_done
|
||||||
clientmgmt_revoke
|
clientmgmt_revoke
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
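Review bot: `clientmgmt_check_init_done` in the third hunk only returns 0 on the happy path; when `server.conf` is missing it calls `log_error` and then returns whatever status that call produced, and the `add`/`list`/`revoke` arms invoke the helper as a bare statement and proceed to `clientmgmt_add` etc. regardless. Unless `log_error` itself terminates the script (its definition is not in this diff), the new guard never stops anything. Make the failure explicit: end the helper with `exit 1` after the `log_error` call, or write the calls as `clientmgmt_check_init_done || exit 1`. Separately, the retained `wget -O - -q icanhazip.com` fetches the public address over plain HTTP (wget's default scheme for a bare host) and that value presumably lands in client configs, so `https://icanhazip.com` is a free improvement.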
@ -19,7 +19,7 @@ trap_exit(){
|
|||||||
q=$(( q + 1 ))
|
q=$(( q + 1 ))
|
||||||
snore 1
|
snore 1
|
||||||
if [[ "$q" -ge 15 ]]; then
|
if [[ "$q" -ge 15 ]]; then
|
||||||
log_warn "Sending kill to OpenVPN"
|
echo "Sending kill to OpenVPN" 1>&2
|
||||||
kill -s KILL -- $openvpn_pid 2> /dev/null || true
|
kill -s KILL -- $openvpn_pid 2> /dev/null || true
|
||||||
break
|
break
|
||||||
fi
|
fi
|
||||||
@ -53,7 +53,8 @@ proc_running(){
|
|||||||
# try reading state
|
# try reading state
|
||||||
local state_path="/proc/$1/stat"
|
local state_path="/proc/$1/stat"
|
||||||
[[ ! -f "$state_path" ]] && return 1
|
[[ ! -f "$state_path" ]] && return 1
|
||||||
local state=$(cat "$state_path" | cut -d ' ' -f3)
|
local state
|
||||||
|
state=$(cat "$state_path" 2> /dev/null | cut -d ' ' -f3) || return 1
|
||||||
|
|
||||||
# parse state
|
# parse state
|
||||||
case "$state" in
|
case "$state" in
|
||||||
@ -103,6 +104,7 @@ easyrsa_server_keys_create(){
|
|||||||
|
|
||||||
# new pki
|
# new pki
|
||||||
/usr/bin/easyrsa --batch init-pki
|
/usr/bin/easyrsa --batch init-pki
|
||||||
|
chmod 755 pki
|
||||||
|
|
||||||
# create ca
|
# create ca
|
||||||
/usr/bin/easyrsa --batch --days=7300 build-ca nopass
|
/usr/bin/easyrsa --batch --days=7300 build-ca nopass
|
||||||
@ -122,8 +124,15 @@ easyrsa_server_keys_create(){
|
|||||||
|
|
||||||
|
|
||||||
## OTHER KEYS ##
|
## OTHER KEYS ##
|
||||||
# dh parameters
|
# dh parameters from `IETF RFC 7919`
|
||||||
openssl dhparam -out "${DATA_SERVER_DIR}/dh2048.pem" 2048
|
echo "-----BEGIN DH PARAMETERS-----
|
||||||
|
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||||
|
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||||
|
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||||
|
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||||
|
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||||
|
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||||
|
-----END DH PARAMETERS-----" > "${DATA_SERVER_DIR}/dh2048.pem"
|
||||||
|
|
||||||
# tls-crypt key
|
# tls-crypt key
|
||||||
openvpn --genkey secret "${DATA_SERVER_DIR}/tls-crypt.key"
|
openvpn --genkey secret "${DATA_SERVER_DIR}/tls-crypt.key"
|
||||||
@ -158,7 +167,7 @@ auth SHA512
|
|||||||
|
|
||||||
client-config-dir ${DATA_CLIENT_DIR}
|
client-config-dir ${DATA_CLIENT_DIR}
|
||||||
ifconfig-pool-persist ipp.txt
|
ifconfig-pool-persist ipp.txt
|
||||||
keepalive 600 720
|
keepalive 300 1500
|
||||||
persist-key
|
persist-key
|
||||||
persist-tun
|
persist-tun
|
||||||
|
|
||||||
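Review bot: `chmod 755 pki` in the `easyrsa_server_keys_create` hunk makes the whole PKI directory traversable and listable by every account in the container, including the index/serial/issued-certificate listing; presumably this is so an unprivileged OpenVPN runtime user can reach `ca.crt` and the server certificate, but the diff does not show what mode `pki/private` (CA and server keys) ends up with, since that depends on easyrsa's own defaults and the process umask. Pin the secret subtree explicitly after the key-building steps that follow (the `build-ca` line is the first of them) so protection does not rely on easyrsa internals: `chmod 700 pki/private`. A one-line comment such as `# 755 so the unprivileged openvpn user can read ca.crt/issued/; private keys stay under pki/private` would stop the next maintainer from reverting it. The switch to the RFC 7919 ffdhe2048 group in the next hunk is a sound change (standardized group, no slow or weakly-seeded generation at first start); writing the PEM with a quoted here-doc (`cat > "${DATA_SERVER_DIR}/dh2048.pem" <<'EOF'`) would make it clearer that no shell expansion is intended.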
|