Generalization.

This commit is contained in:
yohan 2019-12-31 20:46:17 +01:00
parent 122039a653
commit e850b73902
7 changed files with 89 additions and 8 deletions

8
README

@ -1,3 +1,11 @@
Certificates creation:
./create_conf.sh
Then store the directory conf/ in the encrypted archive for secrets.
Two docker-compose files are provided: one in host mode and one for regular docker network.
References:
https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage
https://forums.openvpn.net/viewtopic.php?t=7484 https://forums.openvpn.net/viewtopic.php?t=7484
https://serverfault.com/questions/785108/why-does-openvpn-give-the-error-unsupported-certificate-purpose-for-an-interm https://serverfault.com/questions/785108/why-does-openvpn-give-the-error-unsupported-certificate-purpose-for-an-interm


@ -4,18 +4,19 @@ cd conf
openssl req -nodes -days 3650 -new -x509 -keyout ca.key -out ca.crt -subj "/C=FR/O=scimetis/CN=scimetis.net" openssl req -nodes -days 3650 -new -x509 -keyout ca.key -out ca.crt -subj "/C=FR/O=scimetis/CN=scimetis.net"
openssl dhparam -out dh1024.pem 1024 openssl dhparam -out dh1024.pem 1024
openssl req -nodes -new -keyout server.key -out server.csr -subj "/C=FR/O=scimetis/CN=scimetis.net" -reqexts server -config ../openssl.conf openssl req -nodes -new -keyout server.key -out server.csr -subj "/C=FR/O=scimetis/CN=ovh1.scimetis.net" -reqexts server -config ../openssl.conf
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions server -extfile ../openssl.conf -in server.csr -out server.crt openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions server -extfile ../openssl.conf -in server.csr -out server.crt
openssl req -nodes -new -keyout client.key -out client.csr -subj "/C=FR/O=scimetis/CN=serveur Windows" -reqexts usr_cert -config ../openssl.conf openssl req -nodes -new -keyout client.key -out client.csr -subj "/C=FR/O=scimetis/CN=serveur.scimetis.net" -reqexts usr_cert -config ../openssl.conf
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client.csr -out client.crt openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client.csr -out client.crt
openssl req -nodes -new -keyout client2.key -out client2.csr -subj "/C=FR/O=scimetis/CN=PC client" -reqexts usr_cert -config ../openssl.conf openssl req -nodes -new -keyout client2.key -out client2.csr -subj "/C=FR/O=scimetis/CN=serveur-appart.scimetis.net" -reqexts usr_cert -config ../openssl.conf
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client2.csr -out client2.crt openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client2.csr -out client2.crt
chcon -R -u system_u -r object_r -t svirt_sandbox_file_t ./ chcon -R -u system_u -r object_r -t svirt_sandbox_file_t ./
mkdir keys mkdir keys
mkdir ccd mkdir ccd
cp -a ca.crt ca.srl dh1024.pem server.crt server.key keys/ cp -a ca.crt ca.srl dh1024.pem server.crt server.key keys/
echo "ifconfig-push 192.168.102.10 255.255.255.0" > "ccd/serveur Windows" echo "ifconfig-push 192.168.102.10 255.255.255.0" > "ccd/serveur.scimetis.net"
echo "ifconfig-push 192.168.102.3 255.255.255.0" > "ccd/serveur-appart.scimetis.net"
cd .. cd ..
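Review bot: The `openssl dhparam -out dh1024.pem 1024` line in this hunk still generates 1024-bit DH parameters, which OpenSSL at security level 2 (the default on recent Debian/Ubuntu builds) refuses and which have been considered breakable since Logjam; use `openssl dhparam -out dh2048.pem 2048`, copy `dh2048.pem` on the `cp -a` line, and update the `dh` directive in server.conf (not shown here) to match. The two ccd files written by the new `echo` lines are looked up by the connecting client's certificate CN, so their names must stay byte-identical to the `-subj` CNs a few lines up — a comment such as `# ccd file names must match the client certificate CN exactly` would protect the next rename. All keys are produced with `-nodes` and signed for 3650 days with no CRL, so a lost client key can only be revoked by reissuing the whole CA; a `crl-verify` setup is worth adding before more clients are issued. The script starts before this hunk (`cd conf` is its line 4), so whether it runs under `set -e` is not visible here.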


@ -3,17 +3,19 @@ version: "2.1"
services: services:
openvpn-server: openvpn-server:
image: openvpn-server image: openvpn-server:$VERSION_OPENVPN_SERVER
build: "https://git.scimetis.net/yohan/docker-OpenVPN-server.git"
ports: ports:
- 1195:1194/udp - 1194:1194/udp
volumes: volumes:
- ./conf/keys:/etc/openvpn/server/keys - ./conf/keys:/etc/openvpn/server/keys
- ./conf/ccd:/etc/openvpn/server/ccd - ./conf/ccd:/etc/openvpn/server/ccd
- ./server.conf:/etc/openvpn/server/server.conf
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
devices: devices:
- /dev/net/tun - /dev/net/tun
restart: always restart: unless-stopped
#entrypoint: /bin/bash #entrypoint: /bin/bash
#privileged: true #privileged: true
#network_mode: "host" network_mode: "host"
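Review bot: With `network_mode: "host"` now enabled at the bottom of the hunk, the `ports:` mapping above it is ignored by Docker (Compose warns and skips it), and OpenVPN listens on every host interface on whatever port server.conf names, so the `1194:1194/udp` line no longer constrains or documents anything and should be dropped or turned into a comment. The three bind mounts give the container write access to the server key, ccd files and server.conf; unless server.conf writes something like `ifconfig-pool-persist` into one of them, mount them read-only: `- ./conf/keys:/etc/openvpn/server/keys:ro`, `- ./conf/ccd:/etc/openvpn/server/ccd:ro`, `- ./server.conf:/etc/openvpn/server/server.conf:ro`. The new `build:` line points at a git URL with no ref, so the image content is whatever the remote default branch holds at build time regardless of the `$VERSION_OPENVPN_SERVER` tag; appending `#<commit>` to the URL should make the tag truthful.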

21
docker-compose.yml-subnet Normal file

@ -0,0 +1,21 @@
version: "2.1"
services:
openvpn-server:
image: openvpn-server:$VERSION_OPENVPN_SERVER
build: "https://git.scimetis.net/yohan/docker-OpenVPN-server.git"
ports:
- 1194:1194/udp
volumes:
- ./conf/keys:/etc/openvpn/server/keys
- ./conf/ccd:/etc/openvpn/server/ccd
- ./server.conf:/etc/openvpn/server/server.conf
cap_add:
- NET_ADMIN
devices:
- /dev/net/tun
restart: unless-stopped
#entrypoint: /bin/bash
#privileged: true
#network_mode: "host"
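Review bot: The three `volumes:` entries in this new file mount the server key, ccd directory and server.conf read-write into the container, although OpenVPN only needs to read them; add `:ro` to each, e.g. `- ./conf/keys:/etc/openvpn/server/keys:ro`, so a compromised process cannot rewrite its own credentials or client IP assignments (check first that server.conf does not write state files into these paths). The `build:` git URL carries no ref, so a rebuild silently picks up whatever the remote default branch contains; pin it with `#<commit>` if the `$VERSION_OPENVPN_SERVER` tag is meant to identify what is running.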

24
start_or_update.sh Executable file

@ -0,0 +1,24 @@
#!/bin/bash
source vars
test -z ${KEY} && { echo "KEY variable is not defined."; exit 1; }
test -z $1 || HOST="_$1"
test -z $2 || INSTANCE="_$2"
sudo rm -f conf/keys/* conf/ccd/*
test -f ~/secrets.tar.gz.enc || curl -o ~/secrets.tar.gz.enc "https://${CLOUD_SERVER}/s/${KEY}/download?path=%2F&files=secrets.tar.gz.enc"
openssl enc -aes-256-cbc -d -in ~/secrets.tar.gz.enc | sudo tar -zxv --strip 2 secrets/docker-OpenVPN-server-stack${HOST}${INSTANCE}/conf/keys
mkdir -p conf/ccd
rm -rf ~/config
git clone https://${GIT_SERVER}/yohan/config.git ~/config
sudo cp -a ~/config/docker-OpenVPN-server-stack${HOST}${INSTANCE}/server.conf ./
sudo cp -a ~/config/docker-OpenVPN-server-stack${HOST}${INSTANCE}/ccd/* conf/ccd/
rm -rf ~/config
sudo chown -R root. conf server.conf
# --force-recreate is used to recreate container when crontab file has changed
unset VERSION_OPENVPN_SERVER
VERSION_OPENVPN_SERVER=$(git ls-remote https://${GIT_SERVER}/yohan/docker-OpenVPN-server.git| head -1 | cut -f 1|cut -c -10) \
sudo -E bash -c 'docker-compose up -d --force-recreate'
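Review bot: `sudo rm -f conf/keys/* conf/ccd/*` on the new file's line 6 runs before the secrets are fetched and decrypted, and the script never sets `set -e`, so a failed `curl` (which lacks `-f` and will save an HTML error page as `~/secrets.tar.gz.enc`), a wrong passphrase, or a missing archive member leaves `conf/keys` empty while the script still reaches `docker-compose up --force-recreate` and restarts the VPN with no key material. The rewrite below decrypts into a `mktemp -d` staging directory first, gives `tar` an explicit `-f -` instead of relying on the build's default archive, and only then replaces the live keys; it also asks `git ls-remote` for `HEAD` by name rather than trusting `head -1`. Separately, `openssl enc -aes-256-cbc -d` without `-pbkdf2` uses OpenSSL's legacy single-iteration MD5 key derivation, so the archive should be re-encrypted and decrypted with `-pbkdf2` (both sides must agree), and since CBC provides no integrity check a tampered archive is only noticed if tar fails to parse the result. The share token in `${KEY}` is also embedded in the curl URL and so shows up in `ps` output and any proxy log for the duration of the download.
```shell
#!/bin/bash
set -euo pipefail
source vars
: "${KEY:?KEY variable is not defined.}"
HOST="${1:+_$1}"
INSTANCE="${2:+_$2}"
STACK="docker-OpenVPN-server-stack${HOST}${INSTANCE}"
test -f ~/secrets.tar.gz.enc || curl -fsS -o ~/secrets.tar.gz.enc "https://${CLOUD_SERVER}/s/${KEY}/download?path=%2F&files=secrets.tar.gz.enc"
# Decrypt into a scratch directory first so the live keys are only replaced after a successful extraction.
staging=$(mktemp -d)
trap 'sudo rm -rf -- "$staging"' EXIT
openssl enc -aes-256-cbc -d -in ~/secrets.tar.gz.enc \
  | sudo tar -zxv -f - -C "$staging" --strip 2 "secrets/${STACK}/conf/keys"
sudo rm -f conf/keys/* conf/ccd/*
mkdir -p conf/keys conf/ccd
sudo cp -a "$staging/conf/keys/." conf/keys/
# … unchanged: clone of the config repo, copy of server.conf and ccd/*, chown …
VERSION_OPENVPN_SERVER=$(git ls-remote "https://${GIT_SERVER}/yohan/docker-OpenVPN-server.git" HEAD | cut -f 1 | cut -c -10) \
  sudo -E bash -c 'docker-compose up -d --force-recreate'
```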

22
stop.sh Executable file

@ -0,0 +1,22 @@
#!/bin/bash
sudo docker-compose kill -s SIGTERM
COUNT=1
ATTEMPT=0
while [ $COUNT -ne 0 ] && [ $ATTEMPT -lt 10 ]
do
sleep 1
COUNT=$(sudo docker-compose top | wc -l)
ATTEMPT=$(( $ATTEMPT + 1 ))
done
if [ $COUNT -eq 0 ]
then
sudo docker-compose down
exit 0
else
echo "ERROR: Some containers are still running"
sudo docker-compose ps
exit 1
fi
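Review bot: `COUNT=$(sudo docker-compose top | wc -l)` on the new file's line 8 turns any failure of `docker-compose top` itself (wrong working directory, daemon down, sudo refusing) into `COUNT=0`, so the loop concludes that everything has stopped, runs `docker-compose down`, and exits 0. Put `set -euo pipefail` after the shebang so a failing pipeline aborts instead of reading as success, and quote the tests, e.g. `while [[ "$COUNT" -ne 0 && "$ATTEMPT" -lt 10 ]]; do`. If the hand-rolled wait exists to avoid the SIGKILL that `docker-compose stop -t 10` would send after its timeout, a one-line comment saying so would stop the next reader from replacing it.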

3
vars Normal file

@ -0,0 +1,3 @@
CLOUD_SERVER=cloud.scimetis.net
GIT_SERVER=git.scimetis.net