Generalization.

README

@@ -1,3 +1,11 @@
+Certificates creation:
+./create_conf.sh
+
+Then store the directory conf/ in the encrypted archive for secrets.
+
+Two docker-compose files are provided: one in host mode and one for regular docker network.
+
+References:
 https://stackoverflow.com/questions/17089889/openssl-x509v3-extended-key-usage
 https://forums.openvpn.net/viewtopic.php?t=7484
 https://serverfault.com/questions/785108/why-does-openvpn-give-the-error-unsupported-certificate-purpose-for-an-interm

create_conf.sh

@@ -4,18 +4,19 @@ cd conf
 openssl req -nodes -days 3650 -new -x509 -keyout ca.key -out ca.crt -subj "/C=FR/O=scimetis/CN=scimetis.net" 
 openssl dhparam -out dh1024.pem 1024
 
-openssl req -nodes -new -keyout server.key -out server.csr -subj "/C=FR/O=scimetis/CN=scimetis.net" -reqexts server -config ../openssl.conf
+openssl req -nodes -new -keyout server.key -out server.csr -subj "/C=FR/O=scimetis/CN=ovh1.scimetis.net" -reqexts server -config ../openssl.conf
 openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions server -extfile ../openssl.conf -in server.csr -out server.crt
 
-openssl req -nodes -new -keyout client.key -out client.csr -subj "/C=FR/O=scimetis/CN=serveur Windows" -reqexts usr_cert -config ../openssl.conf
+openssl req -nodes -new -keyout client.key -out client.csr -subj "/C=FR/O=scimetis/CN=serveur.scimetis.net" -reqexts usr_cert -config ../openssl.conf
 openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client.csr -out client.crt
 
-openssl req -nodes -new -keyout client2.key -out client2.csr -subj "/C=FR/O=scimetis/CN=PC client" -reqexts usr_cert -config ../openssl.conf
+openssl req -nodes -new -keyout client2.key -out client2.csr -subj "/C=FR/O=scimetis/CN=serveur-appart.scimetis.net" -reqexts usr_cert -config ../openssl.conf
 openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -extensions usr_cert -extfile ../openssl.conf -in client2.csr -out client2.crt
 
 chcon -R -u system_u -r object_r -t svirt_sandbox_file_t ./
 mkdir keys
 mkdir ccd
 cp -a ca.crt ca.srl dh1024.pem server.crt server.key keys/
-echo "ifconfig-push 192.168.102.10 255.255.255.0" > "ccd/serveur Windows"
+echo "ifconfig-push 192.168.102.10 255.255.255.0" > "ccd/serveur.scimetis.net"
+echo "ifconfig-push 192.168.102.3 255.255.255.0" > "ccd/serveur-appart.scimetis.net"
 cd ..

docker-compose.yml

@@ -3,17 +3,19 @@ version: "2.1"
 services:
 
   openvpn-server:
-    image: openvpn-server
+    image: openvpn-server:$VERSION_OPENVPN_SERVER
+    build: "https://git.scimetis.net/yohan/docker-OpenVPN-server.git"
     ports:
-      - 1195:1194/udp
+      - 1194:1194/udp
     volumes:
       - ./conf/keys:/etc/openvpn/server/keys
       - ./conf/ccd:/etc/openvpn/server/ccd
+      - ./server.conf:/etc/openvpn/server/server.conf
     cap_add:
       - NET_ADMIN
     devices:
       - /dev/net/tun
-    restart: always
+    restart: unless-stopped
     #entrypoint: /bin/bash
     #privileged: true
-    #network_mode: "host"
+    network_mode: "host"

docker-compose.yml-subnet

@@ -0,0 +1,21 @@
+version: "2.1"
+ 
+services:
+
+  openvpn-server:
+    image: openvpn-server:$VERSION_OPENVPN_SERVER
+    build: "https://git.scimetis.net/yohan/docker-OpenVPN-server.git"
+    ports:
+      - 1194:1194/udp
+    volumes:
+      - ./conf/keys:/etc/openvpn/server/keys
+      - ./conf/ccd:/etc/openvpn/server/ccd
+      - ./server.conf:/etc/openvpn/server/server.conf
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    restart: unless-stopped
+    #entrypoint: /bin/bash
+    #privileged: true
+    #network_mode: "host"

start_or_update.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+source vars
+test -z ${KEY} && { echo "KEY variable is not defined."; exit 1; }
+test -z $1 || HOST="_$1"
+test -z $2 || INSTANCE="_$2"
+
+sudo rm -f conf/keys/* conf/ccd/*
+
+test -f ~/secrets.tar.gz.enc || curl -o ~/secrets.tar.gz.enc "https://${CLOUD_SERVER}/s/${KEY}/download?path=%2F&files=secrets.tar.gz.enc"
+openssl enc -aes-256-cbc -d -in ~/secrets.tar.gz.enc | sudo tar -zxv --strip 2 secrets/docker-OpenVPN-server-stack${HOST}${INSTANCE}/conf/keys
+
+mkdir -p conf/ccd
+rm -rf ~/config
+git clone https://${GIT_SERVER}/yohan/config.git ~/config
+sudo cp -a ~/config/docker-OpenVPN-server-stack${HOST}${INSTANCE}/server.conf ./
+sudo cp -a ~/config/docker-OpenVPN-server-stack${HOST}${INSTANCE}/ccd/* conf/ccd/
+rm -rf ~/config
+sudo chown -R root. conf server.conf
+
+# --force-recreate is used to recreate container when crontab file has changed
+unset VERSION_OPENVPN_SERVER
+VERSION_OPENVPN_SERVER=$(git ls-remote https://${GIT_SERVER}/yohan/docker-OpenVPN-server.git| head -1 | cut -f 1|cut -c -10) \
+ sudo -E bash -c 'docker-compose up -d --force-recreate'
+

stop.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+sudo docker-compose kill -s SIGTERM
+COUNT=1
+ATTEMPT=0
+
+while [ $COUNT -ne 0 ] && [ $ATTEMPT -lt 10 ]
+do
+    sleep 1
+    COUNT=$(sudo docker-compose top | wc -l)
+    ATTEMPT=$(( $ATTEMPT + 1 ))
+done
+
+if [ $COUNT -eq 0 ]
+then
+    sudo docker-compose down
+    exit 0
+else
+    echo "ERROR: Some containers are still running"
+    sudo docker-compose ps
+    exit 1
+fi

vars

@@ -0,0 +1,3 @@
+CLOUD_SERVER=cloud.scimetis.net
+GIT_SERVER=git.scimetis.net
+