allanger
/
container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases Activity

Take over the project
continuous-integration/drone/push Build is passing Details 

I've decided to maintain the project myself now, so I've forked it and
create a drone pipeline to push image to my registry
This commit is contained in:
Nikolai Rodionov 2023-08-09 19:49:38 +02:00
parent 6a86b23ed8
commit 2ec840ff63
Signed by: allanger
GPG Key ID: 19DB54039EBF8F10
29 changed files with 681 additions and 297 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
.drone.yml Normal file
View File

@ -0,0 +1,51 @@
---
# ----------------------------------------------
# -- Build an image and push it to the registry
# ----------------------------------------------
kind: pipeline
type: docker
name: Build the builder
trigger:
event:
- push
branch:
- main
steps:
- name: Build openvpn xor amd64
image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
privileged: true
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
CONTAINERFILE: ./containerfiles/Containerfile-XOR
CUSTOM_TAG: v2.6.6-XOR-4.0.0beta08
commands:
- build-container
- name: Build openvpn amd64
image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
privileged: true
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
CONTAINERFILE: ./containerfiles/Containerfile
CUSTOM_TAG: v2.6.6
commands:
- build-container
- name: Publish the Helm chart
image: alpine/helm
depends_on:
- Build openvpn xor amd64
- Build openvpn amd64
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
commands:
- cd helm
- helm plugin install https://github.com/chartmuseum/helm-push
- helm package . -d chart-package
- helm repo add --username allanger --password $GITEA_TOKEN openvpn https://git.badhouseplants.net/api/packages/allanger/helm
- helm cm-push "./chart-package/$(ls chart-package)" openvpn

30
.github/workflows/anchore-analysis.yml vendored
View File

@ -1,30 +0,0 @@
# This workflow checks out code, performs an Anchore container image
# vulnerability and compliance scan, and integrates the results with
# GitHub Advanced Security code scanning feature. For more information on
# the Anchore scan action usage and parameters, see
# https://github.com/anchore/scan-action. For more information on
# Anchore container image scanning in general, see
# https://docs.anchore.com.
name: Anchore Container Scan
on: push
jobs:
Anchore-Build-Scan:
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v2
- name: Build the Docker image
run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
uses: anchore/scan-action@master
with:
image-reference: "localbuild/testimage:latest"
dockerfile-path: "Dockerfile"
acs-report-enable: true
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: results.sarif

33
.travis.yml
View File

@ -1,33 +0,0 @@
# Disallowing packages: openvpn
# If you require these packages, please review the package approval process at: https://github.com/travis-ci/apt-package-whitelist#package-approval-process
#addons:
# apt:
# sources:
# - ubuntu-toolchain-r-test
# packages:
# - openvpn
services:
- docker
before_install:
- docker --version
install:
- git clone https://github.com/docker-library/official-images.git official-images
# Assist with ci test debugging:
# - DEBUG=1
before_script:
- image="kylemanna/openvpn"
- docker build -t "$image" .
- docker inspect "$image"
- docker run --rm "$image" openvpn --version || true # why does it return 1?
- docker run --rm "$image" openssl version
script:
- official-images/test/run.sh "$image"
- test/run.sh "$image"
after_script:
- docker images

79
Containerfile Normal file
View File

@ -0,0 +1,79 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=4.0.0beta08
ENV EASYRSA_VERSION=3.1.5
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
# -- Downlaod OpenVPN
# ------------------------------------------------------
RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
RUN gpg --import security-openvpn-net.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
# ------------------------------------------------------
# -- I should fix it later
# ------------------------------------------------------
# RUN gpg --no-tty --verify /tmp/openvpn.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
# ------------------------------------------------------
# -- Download Tunnelblick
# ------------------------------------------------------
RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
FROM ubuntu as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=v4.0.0beta08
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
libssl-dev iproute2 liblz4-dev liblzo2-dev \
libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
easy-rsa iptables pkg-config libcap-ng-dev
RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
WORKDIR /src/openvpn
RUN for patch in $(find -type f | grep diff); do\
patch -p1 < $patch;\
done
RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
RUN make && make install
RUN mkdir /output
RUN cp $(which openvpn) /output/
# ------------------------------------------------------
# -- Final container
# ------------------------------------------------------
FROM ubuntu:22.04
LABEL maintainer="allanger <allanger@zohomail.com>"
COPY --from=builder /output /src
# -------------------------------------------------------
# -- Prepare system deps
# -------------------------------------------------------
RUN apt update && apt install openvpn easy-rsa iptables -y && \
mv /src/openvpn $(which openvpn)
# Needed by scripts
ENV OPENVPN /etc/openvpn
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
COPY --chmod='755' ./bin /usr/local/bin
# -----------------------------------------------------------
# -- Add support for OTP authentication using a PAM module
# -- I have no idea how it works yet
# -----------------------------------------------------------
COPY ./otp/openvpn /etc/pam.d/

48
Dockerfile
View File

@ -1,48 +0,0 @@
# Original credit: https://github.com/jpetazzo/dockvpn
# Smallest base image
FROM ubuntu:18.04@sha256:9bc830af2bef73276515a29aa896eedfa7bdf4bdbc5c1063b4c457a4bbb8cd79
LABEL maintainer="lawtancool"
# Testing: pamtester
#RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
# apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
# ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
# rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \
wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \
wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \
cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \
cd openvpn-2.5.3 && \
patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \
patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \
patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \
patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \
patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \
./configure --disable-systemd --enable-async-push --enable-iproute2 && \
make && make install && \
cd .. && rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05
# Needed by scripts
ENV OPENVPN /etc/openvpn
ENV EASYRSA /usr/share/easy-rsa
ENV EASYRSA_PKI $OPENVPN/pki
ENV EASYRSA_VARS_FILE $OPENVPN/vars
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
ADD ./bin /usr/local/bin
RUN chmod a+x /usr/local/bin/*
# Add support for OTP authentication using a PAM module
ADD ./otp/openvpn /etc/pam.d/

50
Dockerfile.arm32v7
View File

@ -1,50 +0,0 @@
# Original credit: https://github.com/jpetazzo/dockvpn
# Smallest base image
FROM arm32v7/ubuntu:18.04
LABEL maintainer="lawtancool"
COPY qemu-arm-static /usr/bin
# Testing: pamtester
#RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
# apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
# ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
# rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \
wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \
wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \
cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \
cd openvpn-2.5.3 && \
patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \
patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \
patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \
patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \
patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \
./configure --disable-systemd --enable-async-push --enable-iproute2 && \
make && make install && \
cd .. && rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05
# Needed by scripts
ENV OPENVPN /etc/openvpn
ENV EASYRSA /usr/share/easy-rsa
ENV EASYRSA_PKI $OPENVPN/pki
ENV EASYRSA_VARS_FILE $OPENVPN/vars
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
ADD ./bin /usr/local/bin
RUN chmod a+x /usr/local/bin/*
# Add support for OTP authentication using a PAM module
ADD ./otp/openvpn /etc/pam.d/

50
Dockerfile.arm64v8
View File

@ -1,50 +0,0 @@
# Original credit: https://github.com/jpetazzo/dockvpn
# Smallest base image
FROM arm64v8/ubuntu:18.04
LABEL maintainer="lawtancool"
COPY qemu-aarch64-static /usr/bin
# Testing: pamtester
#RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
# apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \
# ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
# rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \
wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \
wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \
cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \
cd openvpn-2.5.3 && \
patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \
patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \
patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \
patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \
patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \
./configure --disable-systemd --enable-async-push --enable-iproute2 && \
make && make install && \
cd .. && rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05
# Needed by scripts
ENV OPENVPN /etc/openvpn
ENV EASYRSA /usr/share/easy-rsa
ENV EASYRSA_PKI $OPENVPN/pki
ENV EASYRSA_VARS_FILE $OPENVPN/vars
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
ADD ./bin /usr/local/bin
RUN chmod a+x /usr/local/bin/*
# Add support for OTP authentication using a PAM module
ADD ./otp/openvpn /etc/pam.d/

0
Makefile.in Normal file
View File

13
bin/ovpn_genclientcert
View File

@ -15,15 +15,4 @@ set -e
source "$OPENVPN/ovpn_env.sh"
# Download EasyRSA because Ubuntu doesn't have it as a CLI command
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar xvf EasyRSA-unix-v3.0.6.tgz
export EASYRSA="EasyRSA-v3.0.6/"
export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
EasyRSA-v3.0.6/easyrsa build-client-full $CLIENTNAME $PASSWORD
# Remove EasyRSA files when we're done
rm -r EasyRSA-v3.0.6/
rm EasyRSA-unix-v3.0.6.tgz
/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD

28
bin/ovpn_initpki
View File

@ -15,22 +15,9 @@ source "$OPENVPN/ovpn_env.sh"
# Specify "nopass" as arg[2] to make the CA insecure (not recommended!)
nopass=$1
# Download EasyRSA because Ubuntu doesn't have it as a CLI command
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar xvf EasyRSA-unix-v3.0.6.tgz
export EASYRSA="EasyRSA-v3.0.6/"
export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
cp -r EasyRSA-v3.0.6/x509-types/ x509-types/
# Provides a sufficient warning before erasing pre-existing files
EasyRSA-v3.0.6/easyrsa init-pki
# CA always has a password for protection in event server is compromised. The
# password is only needed to sign client/server certificates. No password is
# needed for normal OpenVPN operation.
EasyRSA-v3.0.6/easyrsa build-ca $nopass
EasyRSA-v3.0.6/easyrsa gen-dh
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca $nopass
/usr/share/easy-rsa/easyrsa gen-dh
openvpn --genkey --secret $EASYRSA_PKI/ta.key
# Was nice to autoset, but probably a bad idea in practice, users should
@ -44,12 +31,7 @@ openvpn --genkey --secret $EASYRSA_PKI/ta.key
#fi
# For a server key with a password, manually init; this is autopilot
EasyRSA-v3.0.6/easyrsa build-server-full "$OVPN_CN" nopass
/usr/share/easy-rsa/easyrsa build-server-full "$OVPN_CN" nopass
# Generate the CRL for client/server certificates revocation.
EasyRSA-v3.0.6/easyrsa gen-crl
# Remove EasyRSA files when we're done
rm -r EasyRSA-v3.0.6/
rm EasyRSA-unix-v3.0.6.tgz
rm -r x509-types/
/usr/share/easy-rsa/easyrsa gen-crl

16
bin/ovpn_revokeclient
View File

@ -31,23 +31,11 @@ fi
revoke_client_certificate(){
# Download EasyRSA because Ubuntu doesn't have it as a CLI command
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz
tar xvf EasyRSA-unix-v3.0.6.tgz
export EASYRSA="EasyRSA-v3.0.6/"
export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf"
cp -r EasyRSA-v3.0.6/x509-types/ x509-types/
EasyRSA-v3.0.6/easyrsa revoke "$1"
/usr/share/easy-rsa/easyrsa revoke "$1"
echo "Generating the Certificate Revocation List :"
EasyRSA-v3.0.6/easyrsa gen-crl
/usr/share/easy-rsa/easyrsa gen-crl
cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem"
chmod 644 "$OPENVPN/crl.pem"
# Remove EasyRSA files when we're done
rm -r EasyRSA-v3.0.6/
rm EasyRSA-unix-v3.0.6.tgz
rm -r x509-types/
}
remove_files(){

66
containerfiles/Containerfile Normal file
View File

@ -0,0 +1,66 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.6
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
# -- Downlaod OpenVPN
# ------------------------------------------------------
RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
RUN gpg --import security-openvpn-net.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
# ------------------------------------------------------
# -- I should fix it later
# ------------------------------------------------------
# RUN gpg --no-tty --verify /tmp/openvpn.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
FROM ubuntu as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.5
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
libssl-dev iproute2 liblz4-dev liblzo2-dev \
libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
easy-rsa iptables pkg-config libcap-ng-dev
WORKDIR /src/openvpn
RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
RUN make && make install
RUN mkdir /output
RUN cp $(which openvpn) /output/
# ------------------------------------------------------
# -- Final container
# ------------------------------------------------------
FROM ubuntu:22.04
LABEL maintainer="allanger <allanger@zohomail.com>"
COPY --from=builder /output /src
# -------------------------------------------------------
# -- Prepare system deps
# -------------------------------------------------------
RUN apt update && apt install openvpn easy-rsa iptables -y && \
mv /src/openvpn $(which openvpn)
# Needed by scripts
ENV OPENVPN /etc/openvpn
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
COPY --chmod='755' ./bin /usr/local/bin
# -----------------------------------------------------------
# -- Add support for OTP authentication using a PAM module
# -- I have no idea how it works yet
# -----------------------------------------------------------
COPY ./otp/openvpn /etc/pam.d/

79
containerfiles/Containerfile-XOR Normal file
View File

@ -0,0 +1,79 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.6
ENV TUNNELBLICK_VERSION=4.0.0beta08
ENV EASYRSA_VERSION=3.1.5
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
# -- Downlaod OpenVPN
# ------------------------------------------------------
RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
RUN gpg --import security-openvpn-net.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
# ------------------------------------------------------
# -- I should fix it later
# ------------------------------------------------------
# RUN gpg --no-tty --verify /tmp/openvpn.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
# ------------------------------------------------------
# -- Download Tunnelblick
# ------------------------------------------------------
RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
FROM ubuntu as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=v4.0.0beta08
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
libssl-dev iproute2 liblz4-dev liblzo2-dev \
libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
easy-rsa iptables pkg-config libcap-ng-dev
RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
WORKDIR /src/openvpn
RUN for patch in $(find -type f | grep diff); do\
patch -p1 < $patch;\
done
RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
RUN make && make install
RUN mkdir /output
RUN cp $(which openvpn) /output/
# ------------------------------------------------------
# -- Final container
# ------------------------------------------------------
FROM ubuntu:22.04
LABEL maintainer="allanger <allanger@zohomail.com>"
COPY --from=builder /output /src
# -------------------------------------------------------
# -- Prepare system deps
# -------------------------------------------------------
RUN apt update && apt install openvpn easy-rsa iptables -y && \
mv /src/openvpn $(which openvpn)
# Needed by scripts
ENV OPENVPN /etc/openvpn
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
COPY --chmod='755' ./bin /usr/local/bin
# -----------------------------------------------------------
# -- Add support for OTP authentication using a PAM module
# -- I have no idea how it works yet
# -----------------------------------------------------------
COPY ./otp/openvpn /etc/pam.d/

22
helm/Chart.yaml Normal file
View File

@ -0,0 +1,22 @@
---
apiVersion: v2
name: openvpn
description: A Helm chart for deploying OpenVPN
type: application
version: 1.0.5
appVersion: "2.6.6"
sources:
- https://git.badhouseplants.net/allanger/container-openvpn-xor
- https://github.com/kylemanna/docker-openvpn
- https://github.com/lawtancool/docker-openvpn-xor
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
keywords:
- OpenVPN
- VPN
- xor

17
helm/LICENSE Normal file
View File

@ -0,0 +1,17 @@
Permission is hereby granted, without written agreement and without
license or royalty fees, to use, copy, modify, and distribute this
software and its documentation for any purpose, provided that the
above copyright notice and the following two paragraphs appear in
all copies of this software.
IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

9
helm/README.md Normal file
View File

@ -0,0 +1,9 @@
# helm-openvpn
A helm chart to deploy openvpn
## K8s reqs:
--allowed-unsafe-sysctls=net.ipv4.ip_forward
## How it works?
1. It's generating the openvpn configuration if it's not generated yet. It's an `ininContainer` that really runs only once.

1
helm/templates/NOTES.txt Normal file
View File

@ -0,0 +1 @@
1. Get the application URL by running these commands:

62
helm/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "openvpn-chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openvpn-chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openvpn-chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "openvpn-chart.labels" -}}
helm.sh/chart: {{ include "openvpn-chart.chart" . }}
{{ include "openvpn-chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "openvpn-chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "openvpn-chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

121
helm/templates/deployment.yaml Normal file
View File

@ -0,0 +1,121 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: pvc-openvpn
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}
- name: pki-scripts
configMap:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
env:
- name: OVPN_SERVER
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
securityContext:
capabilities:
add:
- NET_ADMIN
initContainers:
# ----------------------------------------------------------------------
# -- This init container is generating the basic configuration
# ----------------------------------------------------------------------
- name: 0-ovpn-genconfig
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
env:
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OVPN_DATA
value: "/etc/openvpn"
command:
- sh
- -c
- 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
- name: 1-ovpn-initpki
env:
- name: OVPN_DATA
value: /etc/openvpn
- name: EASYRSA_REQ_CN
value: {{ .Values.easyrsa.cn }}
- name: EASYRSA_REQ_COUNTRY
value: {{ .Values.easyrsa.country }}
- name: EASYRSA_REQ_PROVINCE
value: {{ .Values.easyrsa.province }}
- name: EASYRSA_REQ_CITY
value: {{ .Values.easyrsa.city }}
- name: EASYRSA_REQ_ORG
value: {{ .Values.easyrsa.org }}
- name: EASYRSA_REQ_EMAIL
value: {{ .Values.easyrsa.email }}
- name: EASYRSA_REQ_OU
value: {{ .Values.easyrsa.ou }}
- name: EASYRSA_ALGO
value: {{ .Values.easyrsa.algo }}
- name: EASYRSA_DIGEST
value: {{ .Values.easyrsa.digest }}
- name: EASYRSA_BATCH
value: "yes"
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
command:
- bash
- /scripts/init_pki.sh
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

30
helm/templates/pki-generate-scripts.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
data:
init_pki.sh: |
if [ ! -d /etc/openvpn/pki ]; then
source "$OPENVPN/ovpn_env.sh"
OVPN_DIR=/etc/openvpn
PKI_DIR=$OVPN_DIR/pki
cd $OVPN_DIR
export EASYRSA_BATCH=yes
unset EASYRSA_VARS_FILE
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca nopass
/usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
/usr/share/easy-rsa/easyrsa gen-dh
cd $PKI_DIR
openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
openvpn --genkey secret > ta.key
fi
gen_client.sh: |
source "$OPENVPN/ovpn_env.sh"
CLIENTNAME=$1
PASSWORD=$2
OVPN_DIR=/etc/openvpn
cd $OVPN_DIR
/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD

13
helm/templates/pvc.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
storageClassName: {{ .Values.storage.class }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.size }}

18
helm/templates/service.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
{{- if .Values.service.nodePort }}
nodePort: {{ int .Values.service.nodePort }}
{{- end}}
targetPort: {{ .Values.service.port | default 1194 }}
protocol: {{ .Values.service.protocol | default "UDP" | quote }}
name: openvpn
selector:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}

15
helm/templates/tests/test-connection.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "openvpn-chart.fullname" . }}-test-connection"
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "openvpn-chart.fullname" . }}:{{ .Values.service.port }}']
restartPolicy: Never

90
helm/values.yaml Normal file
View File

@ -0,0 +1,90 @@
# Default values for openvpn-chart.
image:
repository: git.badhouseplants.net/allanger/container-openvpn
pullPolicy: IfNotPresent
# -------------------------------------------
# -- TODO: Switch to proper versions
# -------------------------------------------
tag: v2.6.6
# -----------------------------
# -- Open VPN configuration
# -----------------------------
openvpn:
proto: udp
host: 127.0.0.1
port: 1194
# -----------------------------
# -- Easy RSA configuration
# -----------------------------
easyrsa:
cn: . # -- EASYRSA_REQ_CN
country: . # -- EASYRSA_REQ_COUNTRY
province: . # -- EASYRSA_REQ_PROVINCE
city: . # -- EASYRSA_REQ_CITY
org: . # -- EASYRSA_REQ_ORG
email: . # -- EASYRSA_REQ_EMAIL
ou: Community # -- EASYRSA_REQ_OU
algo: ec # -- EASYRSA_ALGO
digest: sha512 # -- EASYRSA_DIGEST
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
storage:
class: microk8s-hostpath
size: 1Gi
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: LoadBalancer
port: 1194
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}

4
hooks/post_checkout
View File

@ -1,4 +0,0 @@
#!/bin/bash
# downloads a local copy of qemu on docker-hub build machines
curl -L https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz | tar zxvf - -C . && mv qemu-3.0.0+resin-arm/qemu-arm-static .
curl -L https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-aarch64.tar.gz | tar zxvf - -C . && mv qemu-3.0.0+resin-aarch64/qemu-aarch64-static .

9
hooks/post_push
View File

@ -1,9 +0,0 @@
#!/bin/bash
# Use manifest-tool to create the manifest, given the experimental
# "docker manifest" command isn't available yet on Docker Hub.
curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v0.9.0/manifest-tool-linux-amd64
chmod +x manifest-tool
./manifest-tool push from-spec multi-arch-manifest.yaml

5
hooks/pre_build
View File

@ -1,5 +0,0 @@
#!/bin/bash
# Register qemu-*-static for all supported processors except the
# current one, but also remove all registered binfmt_misc before
docker run --rm --privileged multiarch/qemu-user-static:register --reset

16
multi-arch-manifest.yaml
View File

@ -1,16 +0,0 @@
image: lawtancool/docker-openvpn-xor:latest
manifests:
- image: lawtancool/docker-openvpn-xor:amd64
platform:
architecture: amd64
os: linux
- image: lawtancool/docker-openvpn-xor:arm32v7
platform:
architecture: arm
os: linux
variant: v7
- image: lawtancool/docker-openvpn-xor:arm64v8
platform:
architecture: arm64
os: linux
variant: v8

3
renovate.json
View File

@ -1,3 +0,0 @@
{
"includeForks": true
}