init

.gitignore

@@ -1,4 +1,4 @@
 /data
 .swp
-env_override
+env_override*
 docker-compose.override.yml

README

@@ -0,0 +1,12 @@
+Configure variables in `env`
+
+Add route on host, enable and allow forwarding:
+```
+ip route add ${openvpn_subnet} via 10.116.0.10 src ${eth0_ip}
+sysctl -w net.ipv4.ip_forward=1
+iptables -D FORWARD -j ACCEPT
+```
+
+where `openvpn_subnet` is the subnet configured in `env` (OVPN_SUBNET_ADDR and OVPN_SUBNET_MASK) in CIDR form (x.x.x.x/xx) and `eth0_ip` is the visible ip of the host on the local (physical, not VPN) network.
+
+Do not forget to add a route on your default gateway

docker-compose.yml

@@ -0,0 +1,26 @@
+version: '2'
+
+services:
+    openvpn:
+        build: ./openvpn
+        container_name: vpn-c2s-openvpn
+        privileged: true
+#        restart: unless-stopped
+        networks:
+            vpn-c2s.internal.docker:
+                aliases:
+                    - openvpn.vpn-c2s.internal.docker
+                ipv4_address: 10.116.0.10
+        volumes:
+            - ./data/openvpn/client-config-dir:/etc/openvpn/client-config-dir
+            - ./data/openvpn/credentials:/etc/openvpn/credentials
+        ports:
+            - "0.0.0.0:35090:4242"
+        env_file:
+            - env
+
+networks:
+    vpn-c2s.internal.docker:
+        ipam:
+            config:
+              - subnet: 10.116.0.0/24

env

@@ -0,0 +1,17 @@
+SSMTP_ROOT=root@example.com
+SSMTP_MAILHUB=172.17.0.1:10025
+SSMTP_MAILDOMAIN=example.com
+
+SITES_SUBNET_ADDR=10.100.0.0
+SITES_SUBNET_MASK=255.255.0.0
+SITE_DNS1=10.100.0.3
+SITE_DNS2=10.100.0.3
+
+OVPN_SUBNET_ADDR=10.100.7.0
+OVPN_SUBNET_MASK=255.255.255.0
+
+OVPN_LDAP_URL=ldap://ldap.example.com
+OVPN_LDAP_BIND_USERNAME=auth.ovpn@example.com
+OVPN_LDAP_BIND_PASSWORD=change_it
+OVPN_LDAP_BASE_DN=dc=example,dc=com
+OVPN_LDAP_SEARCH_FILTER=(\&(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(memberof:1.2.840.113556.1.4.1941:=cn=access-ovpn,cn=Users,dc=example,dc=com))

openvpn/Dockerfile

@@ -0,0 +1,22 @@
+FROM robinthoni/debian-multiarch:jessie
+
+ARG CONFIG_DIR=/etc/default/config-files/
+
+RUN apt-get update &&\
+    apt-get install -y ssmtp openvpn openvpn-auth-ldap openvpn-auth-radius ldap-utils &&\
+    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    rm /etc/cron.*/*
+
+COPY ./vars-vars /etc/vars-vars
+
+COPY ./vars-files /etc/vars-files
+
+COPY ./common.sh /common.sh
+
+COPY run.sh /run.sh
+
+RUN mkdir "${CONFIG_DIR}"
+
+COPY ./config "${CONFIG_DIR}"
+
+CMD ["/run.sh"]

openvpn/common.sh

@@ -0,0 +1,41 @@
+export CONFIG_DIR="/etc/default/config-files/"
+
+resolv_host()
+{
+  hostname="${1}"
+  ip=$(getent hosts "${hostname}" | cut -d' ' -f1)
+  echo "${ip}"
+}
+
+replace_var()
+{
+  file="${1}"
+  var="${2}"
+  sed -e "s?${var}?${!var}?g" -i "${file}"
+}
+
+replace_vars()
+{
+  file="${1}"
+  for var in $(cat /etc/vars-vars)
+  do
+    replace_var "${file}" "${var}"
+  done
+}
+
+replace_files()
+{
+  cat /etc/vars-files | while read line
+  do
+    filesrc="${CONFIG_DIR}$(echo "${line}" | awk '{print $1}')"
+    filedst=$(echo "${line}" | awk '{print $2}')
+    if [ -f "${filesrc}" ]
+    then
+      echo "Expanding file ${filesrc} to ${filedst}"
+      cp "${filesrc}" "${filedst}"
+      replace_vars "${filedst}"
+    else
+      echo "File ${filesrc} does not exist. Skipping."
+    fi
+  done
+}

openvpn/config/auth-ldap.conf

@@ -0,0 +1,17 @@
+<LDAP>
+URL           OVPN_LDAP_URL
+BindDN        OVPN_LDAP_BIND_USERNAME
+Password      OVPN_LDAP_BIND_PASSWORD
+
+Timeout         10
+
+</LDAP>
+
+<Authorization>
+# Base DN
+BaseDN          "OVPN_LDAP_BASE_DN"
+# User Search Filter
+SearchFilter    "OVPN_LDAP_SEARCH_FILTER"
+# Require Group Membership
+RequireGroup    false
+</Authorization>

openvpn/config/clients-to-site.conf

@@ -0,0 +1,50 @@
+# Server TCP
+mode server
+proto tcp-server
+port 4242
+dev tun
+client-to-client
+#client-connect misc/on-client-event.py
+#client-disconnect misc/on-client-event.py
+#route-up misc/route-up.sh
+
+# Keys and certificates
+ca credentials/ca.crt
+cert credentials/server.crt
+key credentials/server.key
+dh credentials/dh2048.pem
+tls-auth credentials/ta.key 1
+
+key-direction 0
+cipher AES-256-CBC
+client-config-dir client-config-dir
+
+# Network
+server OVPN_SUBNET_ADDR OVPN_SUBNET_MASK
+keepalive 10 120
+
+# Uncomment this to redirect client internet traffic trough VPN
+# You'll also need to add iptables rules like:
+# iptables -t nat -s $internal_subnet/24 -A POSTROUTING -j SNAT --to $out_ip
+#push "redirect-gateway def1 bypass-dhcp"
+push "route SITES_SUBNET_ADDR SITES_SUBNET_MASK"
+push "dhcp-option DNS SITE_DNS1"
+push "dhcp-option DNS SITE_DNS2"
+
+# Security
+user root
+group root
+persist-key
+persist-tun
+comp-lzo
+script-security 3
+username-as-common-name
+client-cert-not-required
+plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
+#auth-user-pass-verify credentials/passwd-verify via-env
+
+# Log
+verb 3
+mute 20
+status /var/log/openvpn-status-vpn-sites-server
+#log-append /var/log/openvpn-vpn-sites-server.log

openvpn/config/ssmtp.conf

@@ -0,0 +1,19 @@
+# Configuartion file for sSMTP sendmail
+
+# The person who gets all mail for userids < 1000
+# Make this empty to disable rewriting.
+root=SSMTP_ROOT
+
+# We want to use this with an exim container. Link these
+# so that that container will be reachable as 'exim' in
+# this container.
+mailhub=SSMTP_MAILHUB
+
+# Where will the mail seem to come from?
+rewriteDomain=SSMTP_MAILDOMAIN
+
+# The full hostname
+#hostname=
+
+# Are users allowed to set their own From: address? (YES/NO)
+FromLineOverride=YES

openvpn/run.sh

@@ -0,0 +1,23 @@
+#! /usr/bin/env bash
+
+. /common.sh
+
+replace_files
+
+if [ ! -e /etc/openvpn/credentials/server.key ]
+then
+  echo Creating new openvpn credentials...
+
+  cd /usr/share/easy-rsa
+  . ./vars
+  ./clean-all
+  ./pkitool --initca
+  ./pkitool --server server
+  ./build-dh
+  openvpn --genkey --secret keys/ta.key
+  mv keys/* /etc/openvpn/credentials
+fi
+
+cd /etc/openvpn; openvpn /etc/openvpn/clients-to-site.conf
+
+sleep 3600

openvpn/vars-files

@@ -0,0 +1,3 @@
+ssmtp.conf /etc/ssmtp/ssmtp.conf
+clients-to-site.conf /etc/openvpn/clients-to-site.conf
+auth-ldap.conf /etc/openvpn/auth-ldap.conf

openvpn/vars-vars

@@ -0,0 +1,17 @@
+SSMTP_ROOT
+SSMTP_MAILHUB
+SSMTP_MAILDOMAIN
+
+SITES_SUBNET_ADDR
+SITES_SUBNET_MASK
+SITE_DNS1
+SITE_DNS2
+
+OVPN_SUBNET_ADDR
+OVPN_SUBNET_MASK
+
+OVPN_LDAP_URL
+OVPN_LDAP_BIND_USERNAME
+OVPN_LDAP_BIND_PASSWORD
+OVPN_LDAP_BASE_DN
+OVPN_LDAP_SEARCH_FILTER

update_vars.sh

@@ -0,0 +1,7 @@
+#! /usr/bin/env sh
+
+vars=$(cat env | cut -d= -f1)
+for docker in openvpn
+do
+  echo "${vars}" > "./${docker}/vars-vars"
+done