Merge branch 'develop'

Author: SloCompTech

.gitignore

@@ -0,0 +1,4 @@
+# Data folder for docker data
+/data
+/tmp.txt
+/tmp

CONTRIBUTING.md

@@ -46,8 +46,8 @@ Sections:
     ssl
         safessl-easyrsa.cnf
         vars
-    example # Example configs
-        config # Example client & server configs (see root/defaults/example/README.md)
+    example # Example configs (see root/defaults/example/README.md)
+        config # Example client & server configs
         hook # Example hook configs
     module # Modules for openvpn
     hooks # Put your custom scripts in one of subfolders
@@ -89,4 +89,5 @@ Sections:
 **OpenVPN:**  
 
 - [OpenVPN docs](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)  
+- [Setup OpenVPN on alpine linux](https://wiki.alpinelinux.org/wiki/Setting_up_a_OpenVPN_server#Alternative_Certificate_Method)  
 - [EasyRSA](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)   

Dockerfile

@@ -1,17 +1,39 @@
-
+#
 # Base image
+# @see https://github.com/linuxserver/docker-baseimage-alpine
+# @see https://github.com/linuxserver/docker-baseimage-alpine-python3
+#
 FROM lsiobase/alpine.python3:latest
 
+# Build arguments
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VCS_SRC
+ARG VERSION
+
 # 
 # Image labels
 # @see https://github.com/opencontainers/image-spec/blob/master/annotations.md
+# @see http://label-schema.org/rc1/
 # @see https://semver.org/
 #
-LABEL   org.opencontainers.image.title = "OpenVPN Server" \
-        org.opencontainers.image.description = "Docker image with OpenVPN server" \
-        org.opencontainers.image.url = "" \
-        org.opencontainers.image.authors = "Martin Dagarin <>" \
-        org.opencontainers.image.version = "0.0.2"
+LABEL   org.opencontainers.image.title="OpenVPN Server" \
+        org.label-schema.name="OpenVPN Server" \
+        org.opencontainers.image.description="Docker image with OpenVPN server" \
+        org.label-schema.description="Docker image with OpenVPN server" \
+        org.opencontainers.image.url="https://github.com/SloCompTech/docker-openvpn" \
+        org.label-schema.url="https://github.com/SloCompTech/docker-openvpn" \
+        org.opencontainers.image.authors="Martin Dagarin <[email protected]>" \
+        org.opencontainers.image.version=$VERSION \
+        org.label-schema.version=$VERSION \
+        org.opencontainers.image.revision=$VCS_REF \
+        org.label-schema.vcs-ref=$VCS_REF \
+        org.opencontainers.image.source=$VCS_SRC \
+        org.label-schema.vcs-url=$VCS_SRC \
+        org.opencontainers.image.created=$BUILD_DATE \
+        org.label-schema.build-date=$BUILD_DATE \
+        org.label-schema.schema-version="1.0"
+
 
 #
 # Environment variables
@@ -26,7 +48,6 @@ ENV PATH="/app/bin:$PATH" \
     EASYRSA_SAFE_CONF=/config/ssl/safessl-easyrsa.cnf \
     EASYRSA_TEMP_FILE=/config/temp \
     OVPN_ROOT=/config \
-    OVPN_CONFIG=/config/openvpn \
     OVPN_HOOKS=/config/hooks \
     OVPN_RUN=system.conf
 
@@ -42,14 +63,12 @@ RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/main/" >> /etc/apk/repositor
     # Remove any temporary files created by apk
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* && \
     # Add permission for network management to user abc
-    echo "abc ALL=(ALL) NOPASSWD: /sbin/ip" >> /etc/sudoers && \
-    # Create tunnel interface
-    mkdir -p /dev/net && \
-    mknod /dev/net/tun c 10 200
+    echo "abc ALL=(ALL) NOPASSWD: /sbin/ip, /sbin/iptables" >> /etc/sudoers
 
 # Add repo files to image
 COPY root/ /
 
 # Configure
 RUN chmod +x /app/bin/* && \
+    chmod +x /usr/local/sbin/* && \
     chmod -R 0644 /etc/logrotate.d

LICENSE.md

@@ -1,7 +1,7 @@
 
 The MIT License (MIT)
 
-Copyright (c) 2019 Martin
+Copyright (c) 2019 Martin Dagarin
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -0,0 +1,65 @@
+#
+#	Makefile
+#	to build image easier
+#
+
+IMAGE_NAME=slocomptech/openvpn
+DATA_DIR=$(shell pwd)/data
+CONTAINER=ovpn
+
+
+default: build
+
+#
+#	Build docker image
+#
+build:
+	@echo "Building image"
+	docker build \
+		--build-arg BUILD_DATE=$(shell date -u +\"%Y-%m-%dT%H:%M:%SZ\") \
+		--build-arg VCS_REF="$(shell git rev-parse --short HEAD)" \
+		--build-arg VCS_SRC="https://github.com/SloCompTech/docker-openvpn/commit/$(shell git rev-parse HEAD)" \
+		--build-arg VERSION=latest \
+		-t ${IMAGE_NAME} .
+
+#
+#	Run setup command
+#	Opens temporary container to setup environment
+#
+config:
+	@echo "Running temporary container"
+	mkdir -p data
+	docker run -it --rm --cap-add NET_ADMIN -v ${DATA_DIR}:/config ${IMAGE_NAME}:latest bash
+
+#
+#	Setups & starts real container
+#	Run only once, then use docker start|stop|restart|exec
+#
+setup:
+	@echo "Running temporary container"
+	docker run -it --cap-add NET_ADMIN -p 1194:1194/udp -v ${DATA_DIR}:/config --name ${CONTAINER} ${IMAGE_NAME}:latest 
+
+#
+#	Starts container
+#
+start:
+	docker start ${CONTAINER}
+
+#
+#	Stops container
+#
+stop:
+	docker stop ${CONTAINER}
+
+#
+#	Restart container
+#
+restart:
+	docker restart ${CONTAINER}
+
+#
+#	Open terminal inside container
+#	Only when container is running
+#
+term:
+	docker exec -it ${CONTAINER} bash

README.md

@@ -2,6 +2,15 @@
 # [slocomptech/docker-openvpn]()
 
 
+Features:  
+
+- OpenVPN is running as non-root user, soo it has limited permission.
+- OpenVPN is running in isolated environment (container) so you don't break it with updates, upgrades of your PC.
+- Easy managed (has helper scripts).
+- Easy start (Simple first-start guide).
+- Easly modified to your needs (see [docs](CONTRIBUTING.md)).
+- Easy scripting (python3 installed).
+
 ## Usage
 
 ### docker
@@ -68,17 +77,18 @@ Feel free to contribute new features to this container, but first see [Contribut
 
 Planed features:
 
-- Hooks
-- Example configs
-- Setup instructions
-- Setup scripts
-- Setup & run via environment variables
-- Config overwrite protection
-
 Wanted features (please help implement):
 
 - LDAP authentication script
 - Google authenticator 
 
+## Licenses
+
+- [This project](LICENSE.md)  
+- [OpenVPN]()  
+- [Base image](https://github.com/linuxserver/docker-baseimage-alpine)  
+- [s6 Layer](https://github.com/just-containers/s6-overlay/blob/master/LICENSE.md)  
+
+
 ## Versions
 

hooks/build

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#
+#   DockerHub build hook (overrides default build command)
+#   @see https://docs.docker.com/docker-hub/builds/advanced/
+#   @see https://microbadger.com/labels
+#
+
+echo "Building image"
+
+docker build \
+    --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` \
+    --build-arg VCS_REF=`git rev-parse --short HEAD` \
+    --build-arg VCS_SRC="https://github.com/SloCompTech/docker-openvpn/commit/$SOURCE_COMMIT" \
+    --build-arg VERSION="$SOURCE_BRANCH" \
+    -t $IMAGE_NAME .

root/app/bin/ovpn_backup

@@ -37,7 +37,7 @@ elif [ $1 = "pki" ]; then
 elif [ $1 = "hooks" ]; then
     $RUNAS $ARCHIVE_CMD $OVPN_ROOT/backup/backup_hooks_$(date +%H%M%S%d%m%Y).tar.gz $OVPN_HOOKS
 elif [ $1 = "openvpn" ]; then
-    $RUNAS $ARCHIVE_CMD $OVPN_ROOT/backup/backup_conf_$(date +%H%M%S%d%m%Y).tar.gz $OVPN_CONFIG
+    $RUNAS $ARCHIVE_CMD $OVPN_ROOT/backup/backup_conf_$(date +%H%M%S%d%m%Y).tar.gz $OVPN_ROOT/openvpn
 else
     usage
     exit 1

root/app/bin/ovpn_client

@@ -31,6 +31,16 @@ function build_ovpn() {
             cat $file
         done
 
+        # Check if server config is using tls-crypt or tls-auth
+        local crypto=""
+        for srv_file in $OVPN_ROOT/openvpn/server/*.conf
+        do
+            crypto="$(ovpn_findopt $srv_file tls-crypt tls-auth)"
+            if [ -n "$crypto" ]; then
+                break
+            fi
+        done
+
         # CA
         echo "<ca>"
         cat $EASYRSA_PKI/ca.crt
@@ -47,10 +57,17 @@ function build_ovpn() {
         cat $EASYRSA_PKI/private/$1.key
         echo "</key>"
 
-        # tls-crypt
-        echo "<tls-crypt>"
-        cat $EASYRSA_PKI/ta.key
-        echo "</tls-crypt>"
+        if [ "$crypto" = "tls-crypt" ]; then
+            # tls-crypt
+            echo "<tls-crypt>"
+            cat $EASYRSA_PKI/ta.key
+            echo "</tls-crypt>"
+        elif [ "$crypto" = "tls-auth" ]; then
+            # tls-auth
+            echo "<tls-auth>"
+            cat $EASYRSA_PKI/ta.key
+            echo "</tls-auth>"
+        fi
     fi
 }
 

root/app/bin/ovpn_disconf

@@ -150,7 +150,7 @@ if [ $# -gt 0 ]; then
     if [ -f "$config_path/wizard" ] && [ -x "$config_path/wizard" ]; then
         tmp_path=/tmp/wizard
 
-        # Delete existing tmp dir
+        # Delete existing tmp directory
         if [ -e "$tmp_path" ]; then
             rm -rf $tmp_path
         fi
@@ -172,6 +172,9 @@ if [ $# -gt 0 ]; then
         install_server $tmp_path $OVPN_ROOT/openvpn
         install_client $tmp_path $OVPN_ROOT/openvpn
         install_hooks $tmp_path $OVPN_ROOT
+
+        # Remove temporary directory
+        rm -rf $tmp_path
     else
         # Directly copy files
         install_server $config_path $OVPN_ROOT/openvpn

root/app/bin/ovpn_enconf

@@ -0,0 +1,28 @@
+#!/usr/bin/python
+
+#
+#   Finds first of specified options in config file
+#   @author Martin Dagarin
+#   @version 1
+#   @since 19/03/2019
+#
+#   Usage: ovpn_findopt <config_file> <opt1> <opt2> <opt3> ...
+#
+import sys
+
+# Import libraries included in this docker
+sys.path.insert(0, '/app/lib')
+import libovpn
+
+if len(sys.argv) < 3:
+    # Invalid command
+    print("")
+    sys.exit(0)
+
+config_file = sys.argv[1]
+found = libovpn.conf_optFindFirst(config_file, sys.argv[2:])
+
+if found is not None:
+    print(found)
+else:
+    print("")

root/app/bin/ovpn_findopt

@@ -0,0 +1,54 @@
+#!/usr/bin/python
+
+#
+#   Functions to help with scripting
+#   @author Martin Dagarin
+#   @version 1
+#   @since 19/03/2019
+#
+
+#
+#   Checks if OpenVPN file has configuration option enabled
+#   @param file Path to OpenVPN config file
+#   @param opt Option to check for
+#   @return Returns True if found, else false
+#
+
+def conf_hasOpt(file, opt):
+    with open(file, "r") as f:
+        for line in f:
+            line = line.strip()
+            if line.startswith(opt):
+                return True
+        return False
+
+#
+#   Finds option which is enabled in config
+#   @param file Path to OpenVPN config file
+#   @param opts Array of options, which to check
+#   @return Returns first options which was found or None
+#
+def conf_optFindFirst(file, opts):
+    with open(file, "r") as f:
+        for line in f:
+            line = line.strip()
+            for opt in opts:
+                if line.startswith(opt):
+                    return opt
+        return None
+
+#
+#   Replaces $VARIABLES in file with values
+#   @param file Path to file
+#   @param var Array of tuples with key value ("$KEY","VALUE")
+#
+def conf_envsubst(file, vars):
+    with open(file, "r") as f:
+        lines = f.readlines()
+    with open(file, "w") as f:
+        for line in lines:
+            # Dont proces comments
+            if not line.strip().startswith("#"):
+                for kv in vars:
+                    line = line.replace(kv[0],kv[1])
+            f.write(line)