feat: add openvpn-auth-oauth2, various cleanups

This commit is contained in:
Stefan Reimer 2024-11-18 17:10:30 +00:00
parent d953b04ee3
commit 6bc0a475dc
6 changed files with 25 additions and 59 deletions

View File

@ -17,26 +17,30 @@ RUN cd /etc/apk/keys && \
easy-rsa \ easy-rsa \
openvpn-auth-pam \ openvpn-auth-pam \
google-authenticator \ google-authenticator \
libqrencode \ libqrencode-tools \
openvpn_exporter@kubezero && \ openvpn_exporter@kubezero \
openvpn-auth-oauth2@kubezero && \
ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin
# Needed by scripts # Needed by scripts
ENV OPENVPN=/etc/openvpn ENV OPENVPN=/etc/openvpn \
ENV EASYRSA=/usr/share/easy-rsa \ EASYRSA=/usr/share/easy-rsa \
EASYRSA_CRL_DAYS=3650 \ EASYRSA_CRL_DAYS=3650 \
EASYRSA_PKI=$OPENVPN/pki \ EASYRSA_PKI=/etc/openvpn/pki \
EASYRSA_SILENT=1 EASYRSA_SILENT=1
VOLUME ["/etc/openvpn"] # /etc RO config, /var/run to share status
VOLUME ["/etc/openvpn", "/var/run"]
EXPOSE 1194/udp EXPOSE 1194/udp
EXPOSE 9176/tcp
CMD ["ovpn_run"]
ADD ./bin /usr/local/bin ADD ./bin /usr/local/bin
RUN chmod a+x /usr/local/bin/* RUN chmod a+x /usr/local/bin/* && \
mkdir -p /etc/openvpn-oauth
# Add support for OTP authentication using a PAM module # Add support for OTP authentication using a PAM module
ADD ./otp/openvpn /etc/pam.d/ ADD ./otp/openvpn /etc/pam.d/
# Breaks all easyrsa commands locally due to UID mappings
# would require podman as plain docker doesnt support keep-id
# USER openvpn

View File

@ -2,6 +2,12 @@
OpenVPN container incl. easy-rsa, TOTP, prometheus exporter OpenVPN container incl. easy-rsa, TOTP, prometheus exporter
# Grafana Dashboard
- https://grafana.com/grafana/dashboards/10562-openvpn-server/
# Device access
- https://github.com/devplayer0/k8s-hostdev-plugin
## Credits: ## Credits:
- https://amilstead.com/blog/openvpn-with-google-authenticator-totp/#example-client-config-generator - https://amilstead.com/blog/openvpn-with-google-authenticator-totp/#example-client-config-generator
- https://github.com/seb-daehne/docker-openvpn.git - https://github.com/seb-daehne/docker-openvpn.git

View File

@ -25,13 +25,13 @@ if [ -f "$EASYRSA_PKI/issued/${cn}.crt" ]; then
exit 1 exit 1
fi fi
# Ensure folders exist
mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd
cat << EOF | easyrsa build-client-full "$cn" nopass cat << EOF | easyrsa build-client-full "$cn" nopass
yes yes
EOF EOF
# Generate OpenVPN users via google authenticator
mkdir -p /etc/openvpn/otp
# Skip confirmation if not running in interctive mode. Essential for integration tests. # Skip confirmation if not running in interctive mode. Essential for integration tests.
google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \ google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
-l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q -l "${cn}" -i "${server}" -s /etc/openvpn/otp/${cn}.google_authenticator --no-confirm -q

View File

@ -12,52 +12,10 @@ fi
set -e set -e
# these might get lost if empty syncing to object storage # Ensure folders exist
mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd mkdir -p $OPENVPN/pki/reqs $OPENVPN/pki/issued $OPENVPN/pki/certs_by_serial $OPENVPN/otp $OPENVPN/ccd
touch $OPENVPN/otp/_empty $OPENVPN/ccd/_empty
# Finally generate server cert # Finally generate server cert
cat << EOF | easyrsa build-server-full "$1" nopass cat << EOF | easyrsa build-server-full "$1" nopass
yes yes
EOF EOF
# write server FQDN
echo "$1" > $OPENVPN/server
# static server config
cat <<EOF > $OPENVPN/openvpn.conf
port 1194
proto udp
dev tun
topology subnet
cipher AES-256-GCM
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/run/openvpn-status.log
status-version 3
verb 3
verify-client-cert require
reneg-sec 0
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password snafu pin PASSWORD"
#plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
#auth-user-pass-optional
ifconfig-pool-persist ipp.txt
ca /etc/openvpn/ca.crt
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/ta.key
# Include local config last
config /etc/openvpn/local.conf
EOF

View File

@ -5,6 +5,7 @@
# #
if [ "$DEBUG" == "1" ]; then if [ "$DEBUG" == "1" ]; then
env
set -x set -x
else else
exec 2> /dev/null exec 2> /dev/null

View File

@ -70,8 +70,5 @@ fi
# Setup NAT forwarding if requested # Setup NAT forwarding if requested
setupIptablesAndRouting setupIptablesAndRouting
echo "Starting openvpn_exporter"
openvpn_exporter --openvpn.status_paths /var/run/openvpn-status.log &
echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'" echo "Running 'openvpn ${ARGS[@]} ${USER_ARGS[@]}'"
exec openvpn ${ARGS[@]} ${USER_ARGS[@]} exec openvpn ${ARGS[@]} ${USER_ARGS[@]}