feat: add openvpn-auth-oauth2, various cleanups

Dockerfile

@@ -17,26 +17,30 @@ RUN cd /etc/apk/keys && \
       easy-rsa \
       openvpn-auth-pam \
       google-authenticator \
-      libqrencode \
-      openvpn_exporter@kubezero && \
+      libqrencode-tools \
+      openvpn_exporter@kubezero \
+      openvpn-auth-oauth2@kubezero && \
       ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin
 
 # Needed by scripts
-ENV OPENVPN=/etc/openvpn
-ENV EASYRSA=/usr/share/easy-rsa \
+ENV OPENVPN=/etc/openvpn \
+    EASYRSA=/usr/share/easy-rsa \
     EASYRSA_CRL_DAYS=3650 \
-    EASYRSA_PKI=$OPENVPN/pki \
+    EASYRSA_PKI=/etc/openvpn/pki \
     EASYRSA_SILENT=1
 
-VOLUME ["/etc/openvpn"]
+# /etc RO config, /var/run to share status
+VOLUME ["/etc/openvpn", "/var/run"]
 
 EXPOSE 1194/udp
-EXPOSE 9176/tcp
-
-CMD ["ovpn_run"]
 
 ADD ./bin /usr/local/bin
-RUN chmod a+x /usr/local/bin/*
+RUN chmod a+x /usr/local/bin/* && \
+    mkdir -p /etc/openvpn-oauth
 
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
+
+# Breaks all easyrsa commands locally due to UID mappings
+# would require podman as plain docker doesnt support keep-id
+# USER openvpn

README.md

@@ -2,6 +2,12 @@
 
 OpenVPN container incl. easy-rsa, TOTP, prometheus exporter
 
+# Grafana Dashboard
+- https://grafana.com/grafana/dashboards/10562-openvpn-server/
+
+# Device access
+- https://github.com/devplayer0/k8s-hostdev-plugin
+
 ## Credits:
 - https://amilstead.com/blog/openvpn-with-google-authenticator-totp/#example-client-config-generator
 - https://github.com/seb-daehne/docker-openvpn.git

bin/ovpn_create_client

@@ -25,13 +25,13 @@ if [ -f "$EASYRSA_PKI/issued/${cn}.crt" ]; then
   exit 1
 fi
 
+# Ensure folders exist
+mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd
+
 cat << EOF | easyrsa build-client-full "$cn" nopass
 yes
 EOF
 
-# Generate OpenVPN users via google authenticator
-mkdir -p /etc/openvpn/otp
-
 # Skip confirmation if not running in interctive mode. Essential for integration tests.
 google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
 		-l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q

bin/ovpn_create_server

@@ -12,52 +12,10 @@ fi
 
 set -e
 
-# these might get lost if empty syncing to object storage
+# Ensure folders exist
 mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd
-touch $OPENVPN/otp/_empty $OPENVPN/ccd/_empty
 
 # Finally generate server cert
 cat << EOF | easyrsa build-server-full "$1" nopass
 yes
 EOF
-
-# write server FQDN
-echo "$1" > $OPENVPN/server
-
-# static server config
-cat <<EOF > $OPENVPN/openvpn.conf
-port 1194
-proto udp
-dev tun
-topology subnet
-cipher AES-256-GCM
-
-keepalive 10 120
-
-user nobody
-group nogroup
-
-persist-key
-persist-tun
-
-status /var/run/openvpn-status.log
-status-version 3
-verb 3
-
-verify-client-cert require
-reneg-sec 0
-
-plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password snafu pin PASSWORD"
-#plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
-#auth-user-pass-optional
-
-ifconfig-pool-persist ipp.txt
-
-ca /etc/openvpn/ca.crt
-dh /etc/openvpn/dh.pem
-crl-verify /etc/openvpn/crl.pem
-tls-auth /etc/openvpn/ta.key
-
-# Include local config last
-config /etc/openvpn/local.conf
-EOF

bin/ovpn_initpki

@@ -5,6 +5,7 @@
 #
 
 if [ "$DEBUG" == "1" ]; then
+  env
   set -x
 else
   exec 2> /dev/null

bin/ovpn_run

@@ -70,8 +70,5 @@ fi
 # Setup NAT forwarding if requested
 setupIptablesAndRouting
 
-echo "Starting openvpn_exporter"
-openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log &
-
 echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
 exec openvpn ${ARGS[@]} ${USER_ARGS[@]}