From 6bc0a475dcf95c5ef6dccf31b96ab276ca3b6e65 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 18 Nov 2024 17:10:30 +0000 Subject: [PATCH] feat: add openvpn-auth-oauth2, various cleanups --- Dockerfile | 24 +++++++++++++---------- README.md | 6 ++++++ bin/ovpn_create_client | 6 +++--- bin/ovpn_create_server | 44 +----------------------------------------- bin/ovpn_initpki | 1 + bin/ovpn_run | 3 --- 6 files changed, 25 insertions(+), 59 deletions(-) diff --git a/Dockerfile b/Dockerfile index 93ea64e..cde1efe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,26 +17,30 @@ RUN cd /etc/apk/keys && \ easy-rsa \ openvpn-auth-pam \ google-authenticator \ - libqrencode \ - openvpn_exporter@kubezero && \ + libqrencode-tools \ + openvpn_exporter@kubezero \ + openvpn-auth-oauth2@kubezero && \ ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin # Needed by scripts -ENV OPENVPN=/etc/openvpn -ENV EASYRSA=/usr/share/easy-rsa \ +ENV OPENVPN=/etc/openvpn \ + EASYRSA=/usr/share/easy-rsa \ EASYRSA_CRL_DAYS=3650 \ - EASYRSA_PKI=$OPENVPN/pki \ + EASYRSA_PKI=/etc/openvpn/pki \ EASYRSA_SILENT=1 -VOLUME ["/etc/openvpn"] +# /etc RO config, /var/run to share status +VOLUME ["/etc/openvpn", "/var/run"] EXPOSE 1194/udp -EXPOSE 9176/tcp - -CMD ["ovpn_run"] ADD ./bin /usr/local/bin -RUN chmod a+x /usr/local/bin/* +RUN chmod a+x /usr/local/bin/* && \ + mkdir -p /etc/openvpn-oauth # Add support for OTP authentication using a PAM module ADD ./otp/openvpn /etc/pam.d/ + +# Breaks all easyrsa commands locally due to UID mappings +# would require podman as plain docker doesnt support keep-id +# USER openvpn diff --git a/README.md b/README.md index 4afda7f..87e1242 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,12 @@ OpenVPN container incl. easy-rsa, TOTP, prometheus exporter +# Grafana Dashboard +- https://grafana.com/grafana/dashboards/10562-openvpn-server/ + +# Device access +- https://github.com/devplayer0/k8s-hostdev-plugin + ## Credits: - https://amilstead.com/blog/openvpn-with-google-authenticator-totp/#example-client-config-generator - https://github.com/seb-daehne/docker-openvpn.git diff --git a/bin/ovpn_create_client b/bin/ovpn_create_client index 7df23fa..6b3ad5d 100755 --- a/bin/ovpn_create_client +++ b/bin/ovpn_create_client @@ -25,13 +25,13 @@ if [ -f "$EASYRSA_PKI/issued/${cn}.crt" ]; then exit 1 fi +# Ensure folders exist +mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd + cat << EOF | easyrsa build-client-full "$cn" nopass yes EOF -# Generate OpenVPN users via google authenticator -mkdir -p /etc/openvpn/otp - # Skip confirmation if not running in interctive mode. Essential for integration tests. google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \ -l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q diff --git a/bin/ovpn_create_server b/bin/ovpn_create_server index 656c078..5670832 100755 --- a/bin/ovpn_create_server +++ b/bin/ovpn_create_server @@ -12,52 +12,10 @@ fi set -e -# these might get lost if empty syncing to object storage +# Ensure folders exist mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd -touch $OPENVPN/otp/_empty $OPENVPN/ccd/_empty # Finally generate server cert cat << EOF | easyrsa build-server-full "$1" nopass yes EOF - -# write server FQDN -echo "$1" > $OPENVPN/server - -# static server config -cat < $OPENVPN/openvpn.conf -port 1194 -proto udp -dev tun -topology subnet -cipher AES-256-GCM - -keepalive 10 120 - -user nobody -group nogroup - -persist-key -persist-tun - -status /var/run/openvpn-status.log -status-version 3 -verb 3 - -verify-client-cert require -reneg-sec 0 - -plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password snafu pin PASSWORD" -#plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP" -#auth-user-pass-optional - -ifconfig-pool-persist ipp.txt - -ca /etc/openvpn/ca.crt -dh /etc/openvpn/dh.pem -crl-verify /etc/openvpn/crl.pem -tls-auth /etc/openvpn/ta.key - -# Include local config last -config /etc/openvpn/local.conf -EOF diff --git a/bin/ovpn_initpki b/bin/ovpn_initpki index 906ff5c..63ea2d5 100755 --- a/bin/ovpn_initpki +++ b/bin/ovpn_initpki @@ -5,6 +5,7 @@ # if [ "$DEBUG" == "1" ]; then + env set -x else exec 2> /dev/null diff --git a/bin/ovpn_run b/bin/ovpn_run index 01d63a2..dbb4222 100755 --- a/bin/ovpn_run +++ b/bin/ovpn_run @@ -70,8 +70,5 @@ fi # Setup NAT forwarding if requested setupIptablesAndRouting -echo "Starting openvpn_exporter" -openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log & - echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'" exec openvpn ${ARGS[@]} ${USER_ARGS[@]}