From d338d7e641be67b8790ca88ae14ff89bcaa6f209 Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 31 Jul 2019 15:46:33 +0200
Subject: [PATCH 1/4] Added IPv6 settings & notes
---
 root/defaults/example/config/basic_nat_ipv6/client/client.conf | 1 +
 root/defaults/example/config/basic_nat_ipv6/config/server.conf | 1 +
 .../example/config/basic_nat_wlp_ipv6/client/client.conf | 1 +
 .../example/config/basic_nat_wlp_ipv6/config/server.conf | 1 +
 .../defaults/example/config/basic_routed_ipv6/client/client.conf | 1 +
 .../defaults/example/config/basic_routed_ipv6/config/server.conf | 1 +
 6 files changed, 6 insertions(+)
diff --git a/root/defaults/example/config/basic_nat_ipv6/client/client.conf b/root/defaults/example/config/basic_nat_ipv6/client/client.conf
index 5c956c7..8e3418c 100644
--- a/root/defaults/example/config/basic_nat_ipv6/client/client.conf
+++ b/root/defaults/example/config/basic_nat_ipv6/client/client.conf
@@ -9,6 +9,7 @@ client dev tun0 proto $PROTO +#proto udp6 # Uncomment this to use IPv6 to connect to server nobind # Remote info
diff --git a/root/defaults/example/config/basic_nat_ipv6/config/server.conf b/root/defaults/example/config/basic_nat_ipv6/config/server.conf
index 4357abc..c76f421 100644
--- a/root/defaults/example/config/basic_nat_ipv6/config/server.conf
+++ b/root/defaults/example/config/basic_nat_ipv6/config/server.conf
@@ -7,6 +7,7 @@ # Basic info proto $PROTO +#proto udp6 # Uncomment this so server is accessible over IPv6 port $PORT # Network info (local VPN network)
diff --git a/root/defaults/example/config/basic_nat_wlp_ipv6/client/client.conf b/root/defaults/example/config/basic_nat_wlp_ipv6/client/client.conf
index 5c956c7..8e3418c 100644
--- a/root/defaults/example/config/basic_nat_wlp_ipv6/client/client.conf
+++ b/root/defaults/example/config/basic_nat_wlp_ipv6/client/client.conf
@@ -9,6 +9,7 @@ client dev tun0 proto $PROTO +#proto udp6 # Uncomment this to use IPv6 to connect to server nobind # Remote info
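Review bot: The comment on the server-side line `#proto udp6 # Uncomment this so server is accessible over IPv6` (basic_nat_ipv6/config/server.conf hunk) is misleading: on OpenVPN 2.4, the manual page that patch 4/4's system-server.conf links to, `udp6` binds IPv6 only, while plain `udp` already listens dual-stack, so a reader who uncomments it to "add" IPv6 loses IPv4 clients instead. Uncommenting also leaves two `proto` directives in the file, and none of the examples say which one takes effect. Suggest `#proto udp6 # IPv6-only; plain udp/tcp is already dual-stack on OpenVPN 2.4+, so replace the proto line above rather than adding this one`, and the same wording in the basic_nat_wlp_ipv6 and basic_routed_ipv6 server.conf hunks; the client-side comment ("use IPv6 to connect to server") is accurate as written.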
diff --git a/root/defaults/example/config/basic_nat_wlp_ipv6/config/server.conf b/root/defaults/example/config/basic_nat_wlp_ipv6/config/server.conf
index 4357abc..c76f421 100644
--- a/root/defaults/example/config/basic_nat_wlp_ipv6/config/server.conf
+++ b/root/defaults/example/config/basic_nat_wlp_ipv6/config/server.conf
@@ -7,6 +7,7 @@ # Basic info proto $PROTO +#proto udp6 # Uncomment this so server is accessible over IPv6 port $PORT # Network info (local VPN network)
diff --git a/root/defaults/example/config/basic_routed_ipv6/client/client.conf b/root/defaults/example/config/basic_routed_ipv6/client/client.conf
index 5c956c7..8e3418c 100644
--- a/root/defaults/example/config/basic_routed_ipv6/client/client.conf
+++ b/root/defaults/example/config/basic_routed_ipv6/client/client.conf
@@ -9,6 +9,7 @@ client dev tun0 proto $PROTO +#proto udp6 # Uncomment this to use IPv6 to connect to server nobind # Remote info
diff --git a/root/defaults/example/config/basic_routed_ipv6/config/server.conf b/root/defaults/example/config/basic_routed_ipv6/config/server.conf
index 4357abc..c76f421 100644
--- a/root/defaults/example/config/basic_routed_ipv6/config/server.conf
+++ b/root/defaults/example/config/basic_routed_ipv6/config/server.conf
@@ -7,6 +7,7 @@ # Basic info proto $PROTO +#proto udp6 # Uncomment this so server is accessible over IPv6 port $PORT # Network info (local VPN network)
From 302b41573db923b7e23779f050bfd8d9f0d576e5 Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 31 Jul 2019 15:46:53 +0200
Subject: [PATCH 2/4] Added sleep on crash
---
 root/etc/services.d/openvpn/finish | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/root/etc/services.d/openvpn/finish b/root/etc/services.d/openvpn/finish
index 4134391..4a13f3b 100644
--- a/root/etc/services.d/openvpn/finish
+++ b/root/etc/services.d/openvpn/finish
@@ -6,4 +6,6 @@ if [ "$FAIL_MODE" == "hard" ]; then exec s6-svscanctl -t /var/run/s6/services +else + sleep 30 fi
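Review bot: The new `sleep 30` in the `else` branch runs inside an s6 `finish` script, and s6-supervise kills `finish` with SIGKILL once `timeout-finish` expires (5000 ms by default) unless the service directory carries a `timeout-finish` file, which is not part of this series; the intended 30 s back-off is therefore cut to 5 s and the script dies abnormally. Patch 3/4 lowers it to `sleep 5`, which sits exactly on that default limit and still races the supervisor. Either ship a `timeout-finish` file next to `finish` with a value comfortably above the sleep, or keep the sleep clearly below 5 s, and record the constraint in place, e.g. `# back-off before s6 restarts the service; must stay under timeout-finish (default 5000 ms)`. The script's shebang and start are outside the hunk, so whether `[ … == … ]` is run by bash or a POSIX sh cannot be checked here.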
From e8c58a76089cfb53afbd94bf4290ee34e9d98895 Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 31 Jul 2019 15:50:21 +0200
Subject: [PATCH 3/4] Lowered sleep interval on crash
---
 root/etc/services.d/openvpn/finish | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/services.d/openvpn/finish b/root/etc/services.d/openvpn/finish
index 4a13f3b..a64c0a7 100644
--- a/root/etc/services.d/openvpn/finish
+++ b/root/etc/services.d/openvpn/finish
@@ -7,5 +7,5 @@ if [ "$FAIL_MODE" == "hard" ]; then exec s6-svscanctl -t /var/run/s6/services else - sleep 30 + sleep 5 fi
From 229d223dab0a81f089f466a05bc81b73545452ff Mon Sep 17 00:00:00 2001
From: Martin
Date: Wed, 31 Jul 2019 16:15:10 +0200
Subject: [PATCH 4/4] Client mode

Implemented client mode (removes server specific config), outsourced server specific config to `system-server.conf`, added `MODE` parameter to change to client mode
---
 CHANGELOG.md | 7 ++++++
 CONTRIBUTING.md | 4 +++-
 README.md | 10 ++++++++-
 root/defaults/openvpn/system-server.conf | 28 ++++++++++++++++++++++++
 root/defaults/openvpn/system.conf | 18 ---------------
 root/etc/cont-init.d/70-config.sh | 15 +++++++++++++
 6 files changed, 62 insertions(+), 20 deletions(-)
 create mode 100644 root/defaults/openvpn/system-server.conf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 14cf516..241ed05 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@ # Changelog +### 2.0.3 - Improved IPv6 support & finalized client mode support + +- Added some IPv6 settings to examples +- Sleep interval on crash +- Outsourced server specific config to `system-server.conf` +- Added parameter `MODE` so you can choose **client** mode instead of server (to not include server specific options) + ### 2.0.2 - Added multi-instance support - Added `TUNNEL_INTERFACE` to set interface name (in case of multiple containers)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 2668afd..59da115 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -42,7 +42,9 @@ Sections: up # After interface is up tls-verify # Check certificate system.conf # System OpenVPN config file (do not edit, unless instructed) - include-conf.conf # File that includes all configuration files (automatically generated) + system-server.conf # System OpenCPN server specific file (do not edit, unless instructed) + system-client.conf # System OpenCPN client specific file (do not edit, unless instructed) + dynamic.conf # File that links all config files together (automatically generated) pki ca.crt # CA certificate certs by serial # Certs by Serial ID
diff --git a/README.md b/README.md
index 90aaba3..dd962a1 100644
--- a/README.md
+++ b/README.md
@@ -67,6 +67,7 @@ services: |**Parameter**|**Function**| |:-----------:|:----------:| |`-e FAIL_MODE=hard`|Restart whole container on error| +|`-e MODE=client`|Set docker mode (valid values: *empty*,server,client; default: server), set to client in case you use container as client| |`-e PUID=1000`|for UserID - see below for explanation| |`-e PGID=1000`|for GroupID - see below for explanation| |`-e PERSISTENT_INTERFACE=true`|Enable persistent TUN interface|
@@ -147,7 +148,14 @@ For more infromation see: ### Client mode -Just put *.ovpn* file in `/config/openvpn/config` and restart container. +1. Run container to get config structure `docker run -it --rm -v PATH:/config slocomptech/openvpn`. +2. Make sure you **don't** have following options specified in your *.ovpn* file + - dev + - user + - group + - anything that is already specified in *system.conf* +3. Put *.ovpn* file in `config/openvpn/config` in your volume. +4. Start conatiner with `-e MODE=client`. ## Troubleshooting
diff --git a/root/defaults/openvpn/system-server.conf b/root/defaults/openvpn/system-server.conf
new file mode 100644
index 0000000..966048f
--- /dev/null
+++ b/root/defaults/openvpn/system-server.conf
@@ -0,0 +1,28 @@
+#
+# System OpenVPN config file - server specific
+#
+# @see https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+#
+# DO NOT EDIT THIS FILE, if you are unsure what to do,
+# place your config file in openvpn directory
+#
+
+# Server hooks
+client-connect "/usr/local/bin/run_hooks client-connect"
+client-disconnect "/usr/local/bin/run_hooks client-disconnect"
+learn-address "/usr/local/bin/run_hooks learn-address"
+tls-verify "/usr/local/bin/run_hooks tls-verify"
+
+# Client config directory
+client-config-dir /config/openvpn/ccd
+
+# Certificate revocation list
+crl-verify /config/pki/crl.pem
+
+#
+# For username & password authentication uncomment bellow
+#
+#auth-user-pass-verify "/app/bin/run_hooks via-env"
+
+# Username & password authentication optional
+#--auth-user-pass-optional
diff --git a/root/defaults/openvpn/system.conf b/root/defaults/openvpn/system.conf
index 431ebb7..84182d1 100644
--- a/root/defaults/openvpn/system.conf
+++ b/root/defaults/openvpn/system.conf
@@ -19,18 +19,6 @@ route-pre-down "/usr/local/bin/run_hooks route-pre-down" up "/usr/local/bin/run_hooks up" down-pre down "/usr/local/bin/run_hooks down" -client-connect "/usr/local/bin/run_hooks client-connect" -client-disconnect "/usr/local/bin/run_hooks client-disconnect" -learn-address "/usr/local/bin/run_hooks learn-address" -tls-verify "/usr/local/bin/run_hooks tls-verify" - -# -# For username & password authentication uncomment bellow -# -#auth-user-pass-verify "/app/bin/run_hooks via-env" - -# Username & password authentication optional -#--auth-user-pass-optional # Temporary dir tmp-dir /config/tmp
@@ -44,11 +32,5 @@ mute 100 #status /log/status 30 status-version 2 -# Client config directory -client-config-dir /config/openvpn/ccd - -# Certificate revocation list -crl-verify /config/pki/crl.pem - # Include configs config /config/openvpn/dynamic.conf
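Review bot: The commented example `#auth-user-pass-verify "/app/bin/run_hooks via-env"` in the new system-server.conf points at `/app/bin/run_hooks`, while every live hook in the same file (`client-connect`, `client-disconnect`, `learn-address`, `tls-verify`) uses `/usr/local/bin/run_hooks`, so a user who uncomments it as instructed gets a hook that fails to execute unless both paths exist in the image; the two should agree. The header says `DO NOT EDIT THIS FILE` and in the same file tells the reader to uncomment lines, which contradicts itself — an example meant to be enabled belongs in the user-editable openvpn directory the header points to, or the header needs rewording. The `via-env` method also deserves a caveat next to it, since it is the mode the OpenVPN manual flags as exposing credentials through process environment and gates behind `script-security 3`: `# via-env passes the username/password to the hook as environment variables and requires script-security 3; via-file avoids that exposure`.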
diff --git a/root/etc/cont-init.d/70-config.sh b/root/etc/cont-init.d/70-config.sh
index 5657e25..2e709e9 100755
--- a/root/etc/cont-init.d/70-config.sh
+++ b/root/etc/cont-init.d/70-config.sh
@@ -4,7 +4,9 @@ # Dynamic OpenVPN configs # +CLIENT_FILE=/config/openvpn/system-client.conf DYNAMIC_FILE=/config/openvpn/dynamic.conf +SERVER_FILE=/config/openvpn/system-server.conf # Build link file echo "#" > $DYNAMIC_FILE
@@ -18,12 +20,25 @@ echo "# Interface" >> $DYNAMIC_FILE echo "dev $TUNNEL_INTERFACE" >> $DYNAMIC_FILE echo "" >> $DYNAMIC_FILE +# Include mode specific configuration +if { [ -z "$MODE" ] || [ "$MODE" == "server" ]; } && [ -f "$SERVER_FILE" ]; then + echo "# Server specific configuration" >> $DYNAMIC_FILE + echo "config $SERVER_FILE" >> $DYNAMIC_FILE + echo "" >> $DYNAMIC_FILE +elif [ "$MODE" == "client" ] && [ -f "$CLIENT_FILE" ]; then + echo "# Client specific configuration" >> $DYNAMIC_FILE + echo "config $CLIENT_FILE" >> $DYNAMIC_FILE + echo "" >> $DYNAMIC_FILE +fi + +# Include all configuration files +echo "# Configuration files" >> $DYNAMIC_FILE for file in /config/openvpn/config/* do [ -e "$file" ] || continue echo "config $file" >> $DYNAMIC_FILE done +echo "" >> $DYNAMIC_FILE chown $CONTAINER_USER:$CONTAINER_USER $DYNAMIC_FILE
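Review bot: In the second hunk, a `MODE` value outside empty/server/client (a typo such as `MODE=Client`) matches neither branch of the new `if`/`elif`, so dynamic.conf is generated without any mode-specific include and the service starts with no `tls-verify`, `crl-verify` or `client-config-dir` at all, with nothing logged; the README in this series lists the accepted values, so the script should reject anything else before building the include. The same silent fall-through covers a selected mode whose file is missing, and the series' diffstat creates only system-server.conf, so `MODE=client` never includes anything today — if that is intended, a one-line comment saying so would save the next reader a search; otherwise an `else` branch such as `else echo "70-config: mode config file for MODE='$MODE' not found, skipping" >&2` makes it visible. The new `echo … >> $DYNAMIC_FILE` lines also repeat the file's unquoted redirection target; `>> "$DYNAMIC_FILE"` is the safer form. Whether a non-zero exit from a cont-init.d script stops the container depends on the init framework, which is not visible here, and the hunk's trailing context may run past the end of this chunk.
```shell
# Reject unknown MODE values before choosing which system file to include;
# the if/elif below only decides between the two documented modes.
case "${MODE:-server}" in
  server|client) ;;
  *) echo "70-config: unsupported MODE '$MODE' (expected empty, server or client)" >&2; exit 1 ;;
esac
# … unchanged: if/elif appending the mode-specific config include …
```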