Browse Source

init

tags/v1.0.0
Robin Thoni 6 years ago
parent
commit
f23f7ff63b
13 changed files with 255 additions and 1 deletions
  1. 1
    1
      .gitignore
  2. 12
    0
      README
  3. 26
    0
      docker-compose.yml
  4. 17
    0
      env
  5. 22
    0
      openvpn/Dockerfile
  6. 41
    0
      openvpn/common.sh
  7. 17
    0
      openvpn/config/auth-ldap.conf
  8. 50
    0
      openvpn/config/clients-to-site.conf
  9. 19
    0
      openvpn/config/ssmtp.conf
  10. 23
    0
      openvpn/run.sh
  11. 3
    0
      openvpn/vars-files
  12. 17
    0
      openvpn/vars-vars
  13. 7
    0
      update_vars.sh

+ 1
- 1
.gitignore View File

@@ -1,4 +1,4 @@
1 1
 /data
2 2
 .swp
3
-env_override
3
+env_override*
4 4
 docker-compose.override.yml

+ 12
- 0
README View File

@@ -0,0 +1,12 @@
1
+Configure variables in `env`
2
+
3
+Add route on host, enable and allow forwarding:
4
+```
5
+ip route add ${openvpn_subnet} via 10.116.0.10 src ${eth0_ip}
6
+sysctl -w net.ipv4.ip_forward=1
7
+iptables -D FORWARD -j ACCEPT
8
+```
9
+
10
+where `openvpn_subnet` is the subnet configured in `env` (OVPN_SUBNET_ADDR and OVPN_SUBNET_MASK) in CIDR form (x.x.x.x/xx) and `eth0_ip` is the visible ip of the host on the local (physical, not VPN) network.
11
+
12
+Do not forget to add a route on your default gateway

+ 26
- 0
docker-compose.yml View File

@@ -0,0 +1,26 @@
1
+version: '2'
2
+
3
+services:
4
+    openvpn:
5
+        build: ./openvpn
6
+        container_name: vpn-c2s-openvpn
7
+        privileged: true
8
+#        restart: unless-stopped
9
+        networks:
10
+            vpn-c2s.internal.docker:
11
+                aliases:
12
+                    - openvpn.vpn-c2s.internal.docker
13
+                ipv4_address: 10.116.0.10
14
+        volumes:
15
+            - ./data/openvpn/client-config-dir:/etc/openvpn/client-config-dir
16
+            - ./data/openvpn/credentials:/etc/openvpn/credentials
17
+        ports:
18
+            - "0.0.0.0:35090:4242"
19
+        env_file:
20
+            - env
21
+
22
+networks:
23
+    vpn-c2s.internal.docker:
24
+        ipam:
25
+            config:
26
+              - subnet: 10.116.0.0/24

+ 17
- 0
env View File

@@ -0,0 +1,17 @@
1
+SSMTP_ROOT=root@example.com
2
+SSMTP_MAILHUB=172.17.0.1:10025
3
+SSMTP_MAILDOMAIN=example.com
4
+
5
+SITES_SUBNET_ADDR=10.100.0.0
6
+SITES_SUBNET_MASK=255.255.0.0
7
+SITE_DNS1=10.100.0.3
8
+SITE_DNS2=10.100.0.3
9
+
10
+OVPN_SUBNET_ADDR=10.100.7.0
11
+OVPN_SUBNET_MASK=255.255.255.0
12
+
13
+OVPN_LDAP_URL=ldap://ldap.example.com
14
+OVPN_LDAP_BIND_USERNAME=auth.ovpn@example.com
15
+OVPN_LDAP_BIND_PASSWORD=change_it
16
+OVPN_LDAP_BASE_DN=dc=example,dc=com
17
+OVPN_LDAP_SEARCH_FILTER=(\&(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(memberof:1.2.840.113556.1.4.1941:=cn=access-ovpn,cn=Users,dc=example,dc=com))

+ 22
- 0
openvpn/Dockerfile View File

@@ -0,0 +1,22 @@
1
+FROM robinthoni/debian-multiarch:jessie
2
+
3
+ARG CONFIG_DIR=/etc/default/config-files/
4
+
5
+RUN apt-get update &&\
6
+    apt-get install -y ssmtp openvpn openvpn-auth-ldap openvpn-auth-radius ldap-utils &&\
7
+    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
8
+    rm /etc/cron.*/*
9
+
10
+COPY ./vars-vars /etc/vars-vars
11
+
12
+COPY ./vars-files /etc/vars-files
13
+
14
+COPY ./common.sh /common.sh
15
+
16
+COPY run.sh /run.sh
17
+
18
+RUN mkdir "${CONFIG_DIR}"
19
+
20
+COPY ./config "${CONFIG_DIR}"
21
+
22
+CMD ["/run.sh"]

+ 41
- 0
openvpn/common.sh View File

@@ -0,0 +1,41 @@
1
+export CONFIG_DIR="/etc/default/config-files/"
2
+
3
+resolv_host()
4
+{
5
+  hostname="${1}"
6
+  ip=$(getent hosts "${hostname}" | cut -d' ' -f1)
7
+  echo "${ip}"
8
+}
9
+
10
+replace_var()
11
+{
12
+  file="${1}"
13
+  var="${2}"
14
+  sed -e "s?${var}?${!var}?g" -i "${file}"
15
+}
16
+
17
+replace_vars()
18
+{
19
+  file="${1}"
20
+  for var in $(cat /etc/vars-vars)
21
+  do
22
+    replace_var "${file}" "${var}"
23
+  done
24
+}
25
+
26
+replace_files()
27
+{
28
+  cat /etc/vars-files | while read line
29
+  do
30
+    filesrc="${CONFIG_DIR}$(echo "${line}" | awk '{print $1}')"
31
+    filedst=$(echo "${line}" | awk '{print $2}')
32
+    if [ -f "${filesrc}" ]
33
+    then
34
+      echo "Expanding file ${filesrc} to ${filedst}"
35
+      cp "${filesrc}" "${filedst}"
36
+      replace_vars "${filedst}"
37
+    else
38
+      echo "File ${filesrc} does not exist. Skipping."
39
+    fi
40
+  done
41
+}

+ 17
- 0
openvpn/config/auth-ldap.conf View File

@@ -0,0 +1,17 @@
1
+<LDAP>
2
+URL           OVPN_LDAP_URL
3
+BindDN        OVPN_LDAP_BIND_USERNAME
4
+Password      OVPN_LDAP_BIND_PASSWORD
5
+
6
+Timeout         10
7
+
8
+</LDAP>
9
+
10
+<Authorization>
11
+# Base DN
12
+BaseDN          "OVPN_LDAP_BASE_DN"
13
+# User Search Filter
14
+SearchFilter    "OVPN_LDAP_SEARCH_FILTER"
15
+# Require Group Membership
16
+RequireGroup    false
17
+</Authorization>

+ 50
- 0
openvpn/config/clients-to-site.conf View File

@@ -0,0 +1,50 @@
1
+# Server TCP
2
+mode server
3
+proto tcp-server
4
+port 4242
5
+dev tun
6
+client-to-client
7
+#client-connect misc/on-client-event.py
8
+#client-disconnect misc/on-client-event.py
9
+#route-up misc/route-up.sh
10
+
11
+# Keys and certificates
12
+ca credentials/ca.crt
13
+cert credentials/server.crt
14
+key credentials/server.key
15
+dh credentials/dh2048.pem
16
+tls-auth credentials/ta.key 1
17
+
18
+key-direction 0
19
+cipher AES-256-CBC
20
+client-config-dir client-config-dir
21
+
22
+# Network
23
+server OVPN_SUBNET_ADDR OVPN_SUBNET_MASK
24
+keepalive 10 120
25
+
26
+# Uncomment this to redirect client internet traffic trough VPN
27
+# You'll also need to add iptables rules like:
28
+# iptables -t nat -s $internal_subnet/24 -A POSTROUTING -j SNAT --to $out_ip
29
+#push "redirect-gateway def1 bypass-dhcp"
30
+push "route SITES_SUBNET_ADDR SITES_SUBNET_MASK"
31
+push "dhcp-option DNS SITE_DNS1"
32
+push "dhcp-option DNS SITE_DNS2"
33
+
34
+# Security
35
+user root
36
+group root
37
+persist-key
38
+persist-tun
39
+comp-lzo
40
+script-security 3
41
+username-as-common-name
42
+client-cert-not-required
43
+plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
44
+#auth-user-pass-verify credentials/passwd-verify via-env
45
+
46
+# Log
47
+verb 3
48
+mute 20
49
+status /var/log/openvpn-status-vpn-sites-server
50
+#log-append /var/log/openvpn-vpn-sites-server.log

+ 19
- 0
openvpn/config/ssmtp.conf View File

@@ -0,0 +1,19 @@
1
+# Configuartion file for sSMTP sendmail
2
+
3
+# The person who gets all mail for userids < 1000
4
+# Make this empty to disable rewriting.
5
+root=SSMTP_ROOT
6
+
7
+# We want to use this with an exim container. Link these
8
+# so that that container will be reachable as 'exim' in
9
+# this container.
10
+mailhub=SSMTP_MAILHUB
11
+
12
+# Where will the mail seem to come from?
13
+rewriteDomain=SSMTP_MAILDOMAIN
14
+
15
+# The full hostname
16
+#hostname=
17
+
18
+# Are users allowed to set their own From: address? (YES/NO)
19
+FromLineOverride=YES

+ 23
- 0
openvpn/run.sh View File

@@ -0,0 +1,23 @@
1
+#! /usr/bin/env bash
2
+
3
+. /common.sh
4
+
5
+replace_files
6
+
7
+if [ ! -e /etc/openvpn/credentials/server.key ]
8
+then
9
+  echo Creating new openvpn credentials...
10
+
11
+  cd /usr/share/easy-rsa
12
+  . ./vars
13
+  ./clean-all
14
+  ./pkitool --initca
15
+  ./pkitool --server server
16
+  ./build-dh
17
+  openvpn --genkey --secret keys/ta.key
18
+  mv keys/* /etc/openvpn/credentials
19
+fi
20
+
21
+cd /etc/openvpn; openvpn /etc/openvpn/clients-to-site.conf
22
+
23
+sleep 3600

+ 3
- 0
openvpn/vars-files View File

@@ -0,0 +1,3 @@
1
+ssmtp.conf /etc/ssmtp/ssmtp.conf
2
+clients-to-site.conf /etc/openvpn/clients-to-site.conf
3
+auth-ldap.conf /etc/openvpn/auth-ldap.conf

+ 17
- 0
openvpn/vars-vars View File

@@ -0,0 +1,17 @@
1
+SSMTP_ROOT
2
+SSMTP_MAILHUB
3
+SSMTP_MAILDOMAIN
4
+
5
+SITES_SUBNET_ADDR
6
+SITES_SUBNET_MASK
7
+SITE_DNS1
8
+SITE_DNS2
9
+
10
+OVPN_SUBNET_ADDR
11
+OVPN_SUBNET_MASK
12
+
13
+OVPN_LDAP_URL
14
+OVPN_LDAP_BIND_USERNAME
15
+OVPN_LDAP_BIND_PASSWORD
16
+OVPN_LDAP_BASE_DN
17
+OVPN_LDAP_SEARCH_FILTER

+ 7
- 0
update_vars.sh View File

@@ -0,0 +1,7 @@
1
+#! /usr/bin/env sh
2
+
3
+vars=$(cat env | cut -d= -f1)
4
+for docker in openvpn
5
+do
6
+  echo "${vars}" > "./${docker}/vars-vars"
7
+done

Loading…
Cancel
Save