diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 0000000..cec0565
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,51 @@
+---
+# ----------------------------------------------
+# -- Build an image and push it to the registry
+# ----------------------------------------------
+kind: pipeline
+type: docker
+name: Build the builder
+
+trigger:
+ event:
+ - push
+ branch:
+ - main
+
+steps:
+ - name: Build openvpn xor amd64
+ image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
+ privileged: true
+ environment:
+ GITEA_TOKEN:
+ from_secret: GITEA_TOKEN
+ CONTAINERFILE: ./containerfiles/Containerfile-XOR
+ CUSTOM_TAG: v2.6.6-XOR-4.0.0beta08
+ commands:
+ - build-container
+
+ - name: Build openvpn amd64
+ image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
+ privileged: true
+ environment:
+ GITEA_TOKEN:
+ from_secret: GITEA_TOKEN
+ CONTAINERFILE: ./containerfiles/Containerfile
+ CUSTOM_TAG: v2.6.6
+ commands:
+ - build-container
+
+ - name: Publish the Helm chart
+ image: alpine/helm
+ depends_on:
+ - Build openvpn xor amd64
+ - Build openvpn amd64
+ environment:
+ GITEA_TOKEN:
+ from_secret: GITEA_TOKEN
+ commands:
+ - cd helm
+ - helm plugin install https://github.com/chartmuseum/helm-push
+ - helm package . -d chart-package
+ - helm repo add --username allanger --password $GITEA_TOKEN openvpn https://git.badhouseplants.net/api/packages/allanger/helm
+ - helm cm-push "./chart-package/$(ls chart-package)" openvpn
diff --git a/.github/workflows/anchore-analysis.yml b/.github/workflows/anchore-analysis.yml
deleted file mode 100644
index b254b51..0000000
--- a/.github/workflows/anchore-analysis.yml
+++ /dev/null
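Review bot: The publish step hands the registry credential over on the command line, `helm repo add --username allanger --password $GITEA_TOKEN openvpn …`, so the token is visible in the step's argv and in the command echo of the step log unless Drone masks it; `echo "$GITEA_TOKEN" | helm repo add --username allanger --password-stdin openvpn https://git.badhouseplants.net/api/packages/allanger/helm` keeps it out of both. `helm plugin install https://github.com/chartmuseum/helm-push` fetches whatever that repository's default branch holds on every run and `image: alpine/helm` carries no tag, so the publish step is not reproducible; pin the plugin with `--version` and the image with a tag or digest. The two build steps run `privileged: true`, which may be required by `build-container` (not visible here), but a one-line comment stating why would help the next reviewer.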
@@ -1,30 +0,0 @@ -# This workflow checks out code, performs an Anchore container image -# vulnerability and compliance scan, and integrates the results with -# GitHub Advanced Security code scanning feature. For more information on -# the Anchore scan action usage and parameters, see -# https://github.com/anchore/scan-action. For more information on -# Anchore container image scanning in general, see -# https://docs.anchore.com. - -name: Anchore Container Scan - -on: push - -jobs: - Anchore-Build-Scan: - runs-on: ubuntu-latest - steps: - - name: Checkout the code - uses: actions/checkout@v2 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@master - with: - image-reference: "localbuild/testimage:latest" - dockerfile-path: "Dockerfile" - acs-report-enable: true - - name: Upload Anchore Scan Report - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: results.sarif diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 78a1ca4..0000000 --- a/.travis.yml +++ /dev/null 
@@ -1,33 +0,0 @@ -# Disallowing packages: openvpn -# If you require these packages, please review the package approval process at: https://github.com/travis-ci/apt-package-whitelist#package-approval-process -#addons: -# apt: -# sources: -# - ubuntu-toolchain-r-test -# packages: -# - openvpn - -services: - - docker - -before_install: - - docker --version - -install: - - git clone https://github.com/docker-library/official-images.git official-images - -# Assist with ci test debugging: -# - DEBUG=1 -before_script: - - image="kylemanna/openvpn" - - docker build -t "$image" . - - docker inspect "$image" - - docker run --rm "$image" openvpn --version || true # why does it return 1? - - docker run --rm "$image" openssl version - -script: - - official-images/test/run.sh "$image" - - test/run.sh "$image" - -after_script: - - docker images diff --git a/Containerfile b/Containerfile new file mode 100644 index 0000000..8b8639e --- /dev/null +++ b/Containerfile 
@@ -0,0 +1,79 @@
+FROM ghcr.io/allanger/dumb-downloader as dudo
+ENV OPENVPN_VERSION=2.6.5
+ENV TUNNELBLICK_VERSION=4.0.0beta08
+ENV EASYRSA_VERSION=3.1.5
+RUN apt update && apt install gnupg tar -y
+RUN mkdir /output
+# ------------------------------------------------------
+# -- Downlaod OpenVPN
+# ------------------------------------------------------
+RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
+RUN gpg --import security-openvpn-net.asc
+RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
+# ------------------------------------------------------
+# -- I should fix it later
+# ------------------------------------------------------
+# RUN gpg --no-tty --verify /tmp/openvpn.asc
+RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
+RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
+RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
+# ------------------------------------------------------
+# -- Download Tunnelblick
+# ------------------------------------------------------
+RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
+RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
+RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
+
+FROM ubuntu as builder
+# ------------------------------------------------------
+# -- TODO: Define it only once
+# ------------------------------------------------------
+ENV OPENVPN_VERSION=2.6.5
+ENV TUNNELBLICK_VERSION=v4.0.0beta08
+COPY --from=dudo /output /src
+RUN apt-get update &&\
+ apt-get install -y wget tar unzip build-essential \
+ libssl-dev iproute2 liblz4-dev liblzo2-dev \
+ libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
+ easy-rsa iptables pkg-config libcap-ng-dev
+RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
+WORKDIR /src/openvpn
+RUN for patch in $(find -type f | grep diff); do\
+ patch -p1 < $patch;\
+ done
+RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
+RUN make && make install
+RUN mkdir /output
+RUN cp $(which openvpn) /output/
+
+# ------------------------------------------------------
+# -- Final container
+# ------------------------------------------------------
+FROM ubuntu:22.04
+LABEL maintainer="allanger "
+COPY --from=builder /output /src
+# -------------------------------------------------------
+# -- Prepare system deps
+# -------------------------------------------------------
+RUN apt update && apt install openvpn easy-rsa iptables -y && \
+ mv /src/openvpn $(which openvpn)
+
+# Needed by scripts
+ENV OPENVPN /etc/openvpn
+
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
+VOLUME ["/etc/openvpn"]
+
+# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
+EXPOSE 1194
+
+CMD ["ovpn_run"]
+
+COPY --chmod='755' ./bin /usr/local/bin
+# -----------------------------------------------------------
+# -- Add support for OTP authentication using a PAM module
+# -- I have no idea how it works yet
+# -----------------------------------------------------------
+COPY ./otp/openvpn /etc/pam.d/
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index c027639..0000000
--- a/Dockerfile
+++ /dev/null
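Review bot: The signature check on the OpenVPN tarball is commented out (`# RUN gpg --no-tty --verify /tmp/openvpn.asc`), so the key import and the `.asc` download earlier in the stage verify nothing and the build compiles whatever `swupdate.openvpn.org` returned; the same gap is in containerfiles/Containerfile and containerfiles/Containerfile-XOR. The commented command would also not work as written, because the signature file is `/tmp/openvpn.asc` while the data file is `/tmp/openvpn.tar.gz`, so gpg cannot pair them by name; after the tarball download, `RUN gpg --no-tty --verify /tmp/openvpn.asc /tmp/openvpn.tar.gz` makes the stage abort on a bad signature. The URL `"https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz "` has a trailing space inside the quotes, and whether `dudo` trims it is not visible here, so dropping it is safer. `FROM ghcr.io/allanger/dumb-downloader` and `FROM ubuntu` are untagged, which makes the first two stages non-reproducible from one build to the next.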
@@ -1,48 +0,0 @@ -# Original credit: https://github.com/jpetazzo/dockvpn - -# Smallest base image -FROM ubuntu:18.04@sha256:9bc830af2bef73276515a29aa896eedfa7bdf4bdbc5c1063b4c457a4bbb8cd79 - -LABEL maintainer="lawtancool" - -# Testing: pamtester -#RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \ -# apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \ -# ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \ -# rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* - -RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \ - wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \ - wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \ - cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \ - cd openvpn-2.5.3 && \ - patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \ - patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \ - patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \ - patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \ - patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \ - ./configure --disable-systemd --enable-async-push --enable-iproute2 && \ - make && make install && \ - cd .. 
&& rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05 - -# Needed by scripts -ENV OPENVPN /etc/openvpn -ENV EASYRSA /usr/share/easy-rsa -ENV EASYRSA_PKI $OPENVPN/pki -ENV EASYRSA_VARS_FILE $OPENVPN/vars - -# Prevents refused client connection because of an expired CRL -ENV EASYRSA_CRL_DAYS 3650 - -VOLUME ["/etc/openvpn"] - -# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp` -EXPOSE 1194 - -CMD ["ovpn_run"] - -ADD ./bin /usr/local/bin -RUN chmod a+x /usr/local/bin/* - -# Add support for OTP authentication using a PAM module -ADD ./otp/openvpn /etc/pam.d/ diff --git a/Dockerfile.arm32v7 b/Dockerfile.arm32v7 deleted file mode 100644 index 4f2676c..0000000 --- a/Dockerfile.arm32v7 +++ /dev/null 
@@ -1,50 +0,0 @@ -# Original credit: https://github.com/jpetazzo/dockvpn - -# Smallest base image -FROM arm32v7/ubuntu:18.04 - -LABEL maintainer="lawtancool" - -COPY qemu-arm-static /usr/bin - -# Testing: pamtester -#RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \ -# apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \ -# ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \ -# rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* - -RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \ - wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \ - wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \ - cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \ - cd openvpn-2.5.3 && \ - patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \ - patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \ - patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \ - patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \ - patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \ - ./configure --disable-systemd --enable-async-push --enable-iproute2 && \ - make && make install && \ - cd .. 
&& rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05 - -# Needed by scripts -ENV OPENVPN /etc/openvpn -ENV EASYRSA /usr/share/easy-rsa -ENV EASYRSA_PKI $OPENVPN/pki -ENV EASYRSA_VARS_FILE $OPENVPN/vars - -# Prevents refused client connection because of an expired CRL -ENV EASYRSA_CRL_DAYS 3650 - -VOLUME ["/etc/openvpn"] - -# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp` -EXPOSE 1194 - -CMD ["ovpn_run"] - -ADD ./bin /usr/local/bin -RUN chmod a+x /usr/local/bin/* - -# Add support for OTP authentication using a PAM module -ADD ./otp/openvpn /etc/pam.d/ diff --git a/Dockerfile.arm64v8 b/Dockerfile.arm64v8 deleted file mode 100644 index 5a38c78..0000000 --- a/Dockerfile.arm64v8 +++ /dev/null 
@@ -1,50 +0,0 @@ -# Original credit: https://github.com/jpetazzo/dockvpn - -# Smallest base image -FROM arm64v8/ubuntu:18.04 - -LABEL maintainer="lawtancool" - -COPY qemu-aarch64-static /usr/bin - -# Testing: pamtester -#RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \ -# apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester && \ -# ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \ -# rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* - -RUN apt-get update && apt-get install -y wget tar unzip build-essential libssl-dev iproute2 liblz4-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev libsystemd-dev easy-rsa iptables pkg-config && \ - wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz && tar xvf openvpn-2.5.3.tar.gz && \ - wget https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v3.8.6beta05.zip && unzip v3.8.6beta05.zip && \ - cp Tunnelblick-3.8.6beta05/third_party/sources/openvpn/openvpn-2.5.3/patches/*.diff openvpn-2.5.3 && \ - cd openvpn-2.5.3 && \ - patch -p1 < 02-tunnelblick-openvpn_xorpatch-a.diff && \ - patch -p1 < 03-tunnelblick-openvpn_xorpatch-b.diff && \ - patch -p1 < 04-tunnelblick-openvpn_xorpatch-c.diff && \ - patch -p1 < 05-tunnelblick-openvpn_xorpatch-d.diff && \ - patch -p1 < 06-tunnelblick-openvpn_xorpatch-e.diff && \ - ./configure --disable-systemd --enable-async-push --enable-iproute2 && \ - make && make install && \ - cd .. 
&& rm -r openvpn-2.5.3 && rm -r Tunnelblick-3.8.6beta05 - -# Needed by scripts -ENV OPENVPN /etc/openvpn -ENV EASYRSA /usr/share/easy-rsa -ENV EASYRSA_PKI $OPENVPN/pki -ENV EASYRSA_VARS_FILE $OPENVPN/vars - -# Prevents refused client connection because of an expired CRL -ENV EASYRSA_CRL_DAYS 3650 - -VOLUME ["/etc/openvpn"] - -# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp` -EXPOSE 1194 - -CMD ["ovpn_run"] - -ADD ./bin /usr/local/bin -RUN chmod a+x /usr/local/bin/* - -# Add support for OTP authentication using a PAM module -ADD ./otp/openvpn /etc/pam.d/ diff --git a/Makefile.in b/Makefile.in new file mode 100644 index 0000000..e69de29 diff --git a/bin/ovpn_genclientcert b/bin/ovpn_genclientcert index 7d38641..d7516be 100644 --- a/bin/ovpn_genclientcert +++ b/bin/ovpn_genclientcert @@ -15,15 +15,4 @@ set -e source "$OPENVPN/ovpn_env.sh" -# Download EasyRSA because Ubuntu doesn't have it as a CLI command -wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz -tar xvf EasyRSA-unix-v3.0.6.tgz - -export EASYRSA="EasyRSA-v3.0.6/" -export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf" - -EasyRSA-v3.0.6/easyrsa build-client-full $CLIENTNAME $PASSWORD - -# Remove EasyRSA files when we're done -rm -r EasyRSA-v3.0.6/ -rm EasyRSA-unix-v3.0.6.tgz +/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD diff --git a/bin/ovpn_initpki b/bin/ovpn_initpki index edb69f8..ae101e2 100755 --- a/bin/ovpn_initpki +++ b/bin/ovpn_initpki 
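Review bot: The easyrsa location is now hard-coded as `/usr/share/easy-rsa/easyrsa` here and in the same way in bin/ovpn_initpki and bin/ovpn_revokeclient, whereas the removed lines derived it from an exported `EASYRSA` variable. Since `ovpn_env.sh` is sourced just above the hunk, resolving the binary once, `easyrsa_bin="${EASYRSA:-/usr/share/easy-rsa}/easyrsa"`, and calling `"$easyrsa_bin" build-client-full $CLIENTNAME $PASSWORD` keeps the three scripts in step and lets the image change the path by setting `EASYRSA`. Whether `ovpn_env.sh` already exports `EASYRSA` cannot be seen from this hunk.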
@@ -15,22 +15,9 @@ source "$OPENVPN/ovpn_env.sh" # Specify "nopass" as arg[2] to make the CA insecure (not recommended!) nopass=$1 -# Download EasyRSA because Ubuntu doesn't have it as a CLI command -wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz -tar xvf EasyRSA-unix-v3.0.6.tgz - -export EASYRSA="EasyRSA-v3.0.6/" -export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf" -cp -r EasyRSA-v3.0.6/x509-types/ x509-types/ -# Provides a sufficient warning before erasing pre-existing files -EasyRSA-v3.0.6/easyrsa init-pki - -# CA always has a password for protection in event server is compromised. The -# password is only needed to sign client/server certificates. No password is -# needed for normal OpenVPN operation. -EasyRSA-v3.0.6/easyrsa build-ca $nopass - -EasyRSA-v3.0.6/easyrsa gen-dh +/usr/share/easy-rsa/easyrsa init-pki +/usr/share/easy-rsa/easyrsa build-ca $nopass +/usr/share/easy-rsa/easyrsa gen-dh openvpn --genkey --secret $EASYRSA_PKI/ta.key # Was nice to autoset, but probably a bad idea in practice, users should @@ -44,12 +31,7 @@ openvpn --genkey --secret $EASYRSA_PKI/ta.key #fi # For a server key with a password, manually init; this is autopilot -EasyRSA-v3.0.6/easyrsa build-server-full "$OVPN_CN" nopass +/usr/share/easy-rsa/easyrsa build-server-full "$OVPN_CN" nopass # Generate the CRL for client/server certificates revocation. -EasyRSA-v3.0.6/easyrsa gen-crl - -# Remove EasyRSA files when we're done -rm -r EasyRSA-v3.0.6/ -rm EasyRSA-unix-v3.0.6.tgz -rm -r x509-types/ +/usr/share/easy-rsa/easyrsa gen-crl diff --git a/bin/ovpn_revokeclient b/bin/ovpn_revokeclient index eae1af7..1ef5b42 100755 --- a/bin/ovpn_revokeclient +++ b/bin/ovpn_revokeclient 
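Review bot: The context line `openvpn --genkey --secret $EASYRSA_PKI/ta.key` still depends on `EASYRSA_PKI`, but nothing in the new lines sets it, and the Containerfiles added in this commit drop the `ENV EASYRSA_PKI $OPENVPN/pki` the deleted Dockerfile had; unless `ovpn_env.sh` exports it, easyrsa writes the PKI relative to the working directory and the tls-auth key lands in `/ta.key`. Exporting it near the top of the script, `export EASYRSA_PKI="${EASYRSA_PKI:-$OPENVPN/pki}"`, makes the location explicit. The removed comment explaining that the CA keeps a password so that a compromised server cannot sign certificates was the only place that rationale was recorded; keep it above `/usr/share/easy-rsa/easyrsa build-ca $nopass`. The script continues outside both hunks.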
@@ -31,23 +31,11 @@ fi revoke_client_certificate(){ # Download EasyRSA because Ubuntu doesn't have it as a CLI command - wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz - tar xvf EasyRSA-unix-v3.0.6.tgz - - export EASYRSA="EasyRSA-v3.0.6/" - export EASYRSA_SSL_CONF="EasyRSA-v3.0.6/openssl-easyrsa.cnf" - cp -r EasyRSA-v3.0.6/x509-types/ x509-types/ - - EasyRSA-v3.0.6/easyrsa revoke "$1" + /usr/share/easy-rsa/easyrsa revoke "$1" echo "Generating the Certificate Revocation List :" - EasyRSA-v3.0.6/easyrsa gen-crl + /usr/share/easy-rsa/easyrsa gen-crl cp -f "$EASYRSA_PKI/crl.pem" "$OPENVPN/crl.pem" chmod 644 "$OPENVPN/crl.pem" - - # Remove EasyRSA files when we're done - rm -r EasyRSA-v3.0.6/ - rm EasyRSA-unix-v3.0.6.tgz - rm -r x509-types/ } remove_files(){ diff --git a/containerfiles/Containerfile b/containerfiles/Containerfile new file mode 100644 index 0000000..04295b8 --- /dev/null +++ b/containerfiles/Containerfile 
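Review bot: The context comment `# Download EasyRSA because Ubuntu doesn't have it as a CLI command` at the top of `revoke_client_certificate` now describes code this hunk removes, so it misleads the next reader; replace it with `# easyrsa is provided by the image's easy-rsa package`. The function is closed inside the hunk; `remove_files` begins on its last line and lies outside this view.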
@@ -0,0 +1,66 @@
+FROM ghcr.io/allanger/dumb-downloader as dudo
+ENV OPENVPN_VERSION=2.6.6
+RUN apt update && apt install gnupg tar -y
+RUN mkdir /output
+# ------------------------------------------------------
+# -- Downlaod OpenVPN
+# ------------------------------------------------------
+RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
+RUN gpg --import security-openvpn-net.asc
+RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
+# ------------------------------------------------------
+# -- I should fix it later
+# ------------------------------------------------------
+# RUN gpg --no-tty --verify /tmp/openvpn.asc
+RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
+RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
+RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
+
+FROM ubuntu as builder
+# ------------------------------------------------------
+# -- TODO: Define it only once
+# ------------------------------------------------------
+ENV OPENVPN_VERSION=2.6.5
+COPY --from=dudo /output /src
+RUN apt-get update &&\
+ apt-get install -y wget tar unzip build-essential \
+ libssl-dev iproute2 liblz4-dev liblzo2-dev \
+ libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
+ easy-rsa iptables pkg-config libcap-ng-dev
+WORKDIR /src/openvpn
+RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
+RUN make && make install
+RUN mkdir /output
+RUN cp $(which openvpn) /output/
+
+# ------------------------------------------------------
+# -- Final container
+# ------------------------------------------------------
+FROM ubuntu:22.04
+LABEL maintainer="allanger "
+COPY --from=builder /output /src
+# -------------------------------------------------------
+# -- Prepare system deps
+# -------------------------------------------------------
+RUN apt update && apt install openvpn easy-rsa iptables -y && \
+ mv /src/openvpn $(which openvpn)
+
+# Needed by scripts
+ENV OPENVPN /etc/openvpn
+
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
+VOLUME ["/etc/openvpn"]
+
+# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
+EXPOSE 1194
+
+CMD ["ovpn_run"]
+
+COPY --chmod='755' ./bin /usr/local/bin
+# -----------------------------------------------------------
+# -- Add support for OTP authentication using a PAM module
+# -- I have no idea how it works yet
+# -----------------------------------------------------------
+COPY ./otp/openvpn /etc/pam.d/
diff --git a/containerfiles/Containerfile-XOR b/containerfiles/Containerfile-XOR
new file mode 100644
index 0000000..7aa8e5b
--- /dev/null
+++ b/containerfiles/Containerfile-XOR
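Review bot: The builder stage sets `ENV OPENVPN_VERSION=2.6.5` while the download stage above sets `2.6.6`; in this file the builder value is unused, but in containerfiles/Containerfile-XOR the same pair selects the Tunnelblick patch directory `openvpn-2.6.5` for 2.6.6 sources, and the `TODO: Define it only once` comment shows the two are meant to agree. Declaring `ARG OPENVPN_VERSION=2.6.6` once before the first `FROM` and repeating `ARG OPENVPN_VERSION` at the top of each stage that needs it removes the duplicate. `ENV OPENVPN /etc/openvpn` and `ENV EASYRSA_CRL_DAYS 3650` use the legacy space-separated form, which current builders warn about; `ENV OPENVPN=/etc/openvpn` is the supported syntax.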
@@ -0,0 +1,79 @@
+FROM ghcr.io/allanger/dumb-downloader as dudo
+ENV OPENVPN_VERSION=2.6.6
+ENV TUNNELBLICK_VERSION=4.0.0beta08
+ENV EASYRSA_VERSION=3.1.5
+RUN apt update && apt install gnupg tar -y
+RUN mkdir /output
+# ------------------------------------------------------
+# -- Downlaod OpenVPN
+# ------------------------------------------------------
+RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
+RUN gpg --import security-openvpn-net.asc
+RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
+# ------------------------------------------------------
+# -- I should fix it later
+# ------------------------------------------------------
+# RUN gpg --no-tty --verify /tmp/openvpn.asc
+RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
+RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
+RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
+# ------------------------------------------------------
+# -- Download Tunnelblick
+# ------------------------------------------------------
+RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
+RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
+RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
+
+FROM ubuntu as builder
+# ------------------------------------------------------
+# -- TODO: Define it only once
+# ------------------------------------------------------
+ENV OPENVPN_VERSION=2.6.5
+ENV TUNNELBLICK_VERSION=v4.0.0beta08
+COPY --from=dudo /output /src
+RUN apt-get update &&\
+ apt-get install -y wget tar unzip build-essential \
+ libssl-dev iproute2 liblz4-dev liblzo2-dev \
+ libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
+ easy-rsa iptables pkg-config libcap-ng-dev
+RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
+WORKDIR /src/openvpn
+RUN for patch in $(find -type f | grep diff); do\
+ patch -p1 < $patch;\
+ done
+RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
+RUN make && make install
+RUN mkdir /output
+RUN cp $(which openvpn) /output/
+
+# ------------------------------------------------------
+# -- Final container
+# ------------------------------------------------------
+FROM ubuntu:22.04
+LABEL maintainer="allanger "
+COPY --from=builder /output /src
+# -------------------------------------------------------
+# -- Prepare system deps
+# -------------------------------------------------------
+RUN apt update && apt install openvpn easy-rsa iptables -y && \
+ mv /src/openvpn $(which openvpn)
+
+# Needed by scripts
+ENV OPENVPN /etc/openvpn
+
+# Prevents refused client connection because of an expired CRL
+ENV EASYRSA_CRL_DAYS 3650
+
+VOLUME ["/etc/openvpn"]
+
+# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
+EXPOSE 1194
+
+CMD ["ovpn_run"]
+
+COPY --chmod='755' ./bin /usr/local/bin
+# -----------------------------------------------------------
+# -- Add support for OTP authentication using a PAM module
+# -- I have no idea how it works yet
+# -----------------------------------------------------------
+COPY ./otp/openvpn /etc/pam.d/
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000..d97dd28
--- /dev/null
+++ b/helm/Chart.yaml
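Review bot: The patch loop `RUN for patch in $(find -type f | grep diff); do patch -p1 < $patch; done` applies the Tunnelblick patches in whatever order `find` happens to return, and only the last `patch` invocation's exit status reaches the RUN step, so a rejected hunk in an earlier patch is ignored and the build goes on to compile a partially patched tree; the deleted Dockerfile applied the same patches in a fixed numbered order. `RUN set -e; for p in $(find . -type f -name '*.diff' | sort); do patch -p1 < "$p"; done` fixes both the ordering and the silent failure. The patches are taken from `openvpn-$OPENVPN_VERSION` with the builder's `2.6.5` while the sources downloaded in the first stage are `2.6.6`; whether the Tunnelblick tag ships patches for both versions is not visible here, but the two values should be the same constant.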
@@ -0,0 +1,22 @@
+---
+apiVersion: v2
+name: openvpn
+description: A Helm chart for deploying OpenVPN
+type: application
+version: 1.0.5
+appVersion: "2.6.6"
+
+sources:
+ - https://git.badhouseplants.net/allanger/container-openvpn-xor
+ - https://github.com/kylemanna/docker-openvpn
+ - https://github.com/lawtancool/docker-openvpn-xor
+
+maintainers:
+ - name: allanger
+ email: allanger@zohomail.com
+ url: https://badhouseplants.net
+
+keywords:
+ - OpenVPN
+ - VPN
+ - xor
diff --git a/helm/LICENSE b/helm/LICENSE
new file mode 100644
index 0000000..d5075a3
--- /dev/null
+++ b/helm/LICENSE
@@ -0,0 +1,17 @@
+Permission is hereby granted, without written agreement and without
+license or royalty fees, to use, copy, modify, and distribute this
+software and its documentation for any purpose, provided that the
+above copyright notice and the following two paragraphs appear in
+all copies of this software.
+
+IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
+DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
+IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGE.
+
+THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
+BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
+ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
+PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
diff --git a/helm/README.md b/helm/README.md
new file mode 100644
index 0000000..4041aa1
--- /dev/null
+++ b/helm/README.md
@@ -0,0 +1,9 @@
+# helm-openvpn
+
+A helm chart to deploy openvpn
+## K8s reqs:
+--allowed-unsafe-sysctls=net.ipv4.ip_forward
+## How it works?
+
+1. It's generating the openvpn configuration if it's not generated yet. It's an `ininContainer` that really runs only once.
+
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
new file mode 100644
index 0000000..7d790da
--- /dev/null
+++ b/helm/templates/NOTES.txt
@@ -0,0 +1 @@
+1. Get the application URL by running these commands:
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
new file mode 100644
index 0000000..e4d932c
--- /dev/null
+++ b/helm/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "openvpn-chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "openvpn-chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "openvpn-chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "openvpn-chart.labels" -}}
+helm.sh/chart: {{ include "openvpn-chart.chart" . }}
+{{ include "openvpn-chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "openvpn-chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "openvpn-chart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
new file mode 100644
index 0000000..fc270c3
--- /dev/null
+++ b/helm/templates/deployment.yaml
@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "openvpn-chart.fullname" . }}
+ labels:
+ {{- include "openvpn-chart.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: pvc-openvpn
+ persistentVolumeClaim:
+ claimName: {{ include "openvpn-chart.fullname" . }}
+ - name: pki-scripts
+ configMap:
+ name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
+ securityContext:
+ sysctls:
+ - name: net.ipv4.ip_forward
+ value: "1"
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - mountPath: "/etc/openvpn"
+ name: pvc-openvpn
+ - mountPath: /scripts
+ name: pki-scripts
+ env:
+ - name: OVPN_SERVER
+ value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ initContainers:
+ # ----------------------------------------------------------------------
+ # -- This init container is generating the basic configuration
+ # ----------------------------------------------------------------------
+ - name: 0-ovpn-genconfig
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ volumeMounts:
+ - mountPath: "/etc/openvpn"
+ name: pvc-openvpn
+ env:
+ - name: OVPN_SERVER_URL
+ value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
+ - name: OVPN_DATA
+ value: "/etc/openvpn"
+ command:
+ - sh
+ - -c
+ - 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
+ - name: 1-ovpn-initpki
+ env:
+ - name: OVPN_DATA
+ value: /etc/openvpn
+ - name: EASYRSA_REQ_CN
+ value: {{ .Values.easyrsa.cn }}
+ - name: EASYRSA_REQ_COUNTRY
+ value: {{ .Values.easyrsa.country }}
+ - name: EASYRSA_REQ_PROVINCE
+ value: {{ .Values.easyrsa.province }}
+ - name: EASYRSA_REQ_CITY
+ value: {{ .Values.easyrsa.city }}
+ - name: EASYRSA_REQ_ORG
+ value: {{ .Values.easyrsa.org }}
+ - name: EASYRSA_REQ_EMAIL
+ value: {{ .Values.easyrsa.email }}
+ - name: EASYRSA_REQ_OU
+ value: {{ .Values.easyrsa.ou }}
+ - name: EASYRSA_ALGO
+ value: {{ .Values.easyrsa.algo }}
+ - name: EASYRSA_DIGEST
+ value: {{ .Values.easyrsa.digest }}
+ - name: EASYRSA_BATCH
+ value: "yes"
+ - name: OVPN_SERVER_URL
+ value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
+ volumeMounts:
+ - mountPath: "/etc/openvpn"
+ name: pvc-openvpn
+ - mountPath: /scripts
+ name: pki-scripts
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ command:
+ - bash
+ - /scripts/init_pki.sh
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/templates/pki-generate-scripts.yaml b/helm/templates/pki-generate-scripts.yaml
new file mode 100644
index 0000000..d211fe1
--- /dev/null
+++ b/helm/templates/pki-generate-scripts.yaml
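Review bot: Both init containers use `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` without the `| default .Chart.AppVersion` fallback the main container has, so with `image.tag` left empty they render as `repository:` and the pod never gets past init; use the same expression in all three places. The `EASYRSA_REQ_*` values are emitted unquoted (`value: {{ .Values.easyrsa.cn }}`), and the API server rejects a non-string env `value`, so a purely numeric country or OU fails to apply; `value: {{ .Values.easyrsa.cn | quote }}` and likewise for the others. `OVPN_SERVER` and the two `OVPN_SERVER_URL` entries spell out the same `proto://host:port` string three times; a small named template in _helpers.tpl would keep them from drifting.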
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
+ labels:
+ {{- include "openvpn-chart.labels" . | nindent 4 }}
+data:
+ init_pki.sh: |
+ if [ ! -d /etc/openvpn/pki ]; then
+ source "$OPENVPN/ovpn_env.sh"
+ OVPN_DIR=/etc/openvpn
+ PKI_DIR=$OVPN_DIR/pki
+ cd $OVPN_DIR
+ export EASYRSA_BATCH=yes
+ unset EASYRSA_VARS_FILE
+ /usr/share/easy-rsa/easyrsa init-pki
+ /usr/share/easy-rsa/easyrsa build-ca nopass
+ /usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
+ /usr/share/easy-rsa/easyrsa gen-dh
+ cd $PKI_DIR
+ openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
+ openvpn --genkey secret > ta.key
+ fi
+ gen_client.sh: |
+ source "$OPENVPN/ovpn_env.sh"
+ CLIENTNAME=$1
+ PASSWORD=$2
+ OVPN_DIR=/etc/openvpn
+ cd $OVPN_DIR
+ /usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD
diff --git a/helm/templates/pvc.yaml b/helm/templates/pvc.yaml
new file mode 100644
index 0000000..495cd06
--- /dev/null
+++ b/helm/templates/pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "openvpn-chart.fullname" . }}
+ labels:
+ {{- include "openvpn-chart.labels" . | nindent 4 }}
+spec:
+ storageClassName: {{ .Values.storage.class }}
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.storage.size }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
new file mode 100644
index 0000000..e84818f
--- /dev/null
+++ b/helm/templates/service.yaml
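Review bot: `init_pki.sh` runs without `set -e`, so if `build-ca` or `build-server-full` fails the later steps still execute and `/etc/openvpn/pki` is left half-populated, after which the `[ ! -d /etc/openvpn/pki ]` guard skips regeneration on every subsequent start; `set -euo pipefail` as the first line of both scripts fixes that. In `gen_client.sh` the second argument of `easyrsa build-client-full` is a cmd-opt such as `nopass`, not a passphrase, so `$PASSWORD` is not applied as one (presumably easyrsa warns about or rejects the unknown option), and a passphrase passed as a command-line argument is in any case visible in process listings and shell history. The script should let easyrsa prompt or hand the passphrase over through easyrsa's passphrase options, and `$CLIENTNAME` and `$OVPN_DIR` should be quoted. The CA key is generated with `nopass` onto the same PVC the running pod mounts, which is worth stating in the chart documentation so operators know the CA is only as protected as that volume; the pvc.yaml hunk that follows needs no change for this.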
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "openvpn-chart.fullname" . }}
+ labels:
+ {{- include "openvpn-chart.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ {{- if .Values.service.nodePort }}
+ nodePort: {{ int .Values.service.nodePort }}
+ {{- end}}
+ targetPort: {{ .Values.service.port | default 1194 }}
+ protocol: {{ .Values.service.protocol | default "UDP" | quote }}
+ name: openvpn
+ selector:
+ {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
diff --git a/helm/templates/tests/test-connection.yaml b/helm/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..e4d90ed
--- /dev/null
+++ b/helm/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "openvpn-chart.fullname" . }}-test-connection"
+ labels:
+ {{- include "openvpn-chart.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "openvpn-chart.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..9842ad6
--- /dev/null
+++ b/helm/values.yaml
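Review bot: `targetPort` and `protocol` in the Service are derived from `.Values.service.port` and `.Values.service.protocol`, while the listener itself is configured from `.Values.openvpn.port` and `.Values.openvpn.proto` (the `OVPN_SERVER_URL` env in the Deployment hunk), so changing the listener port or switching the proto to tcp in values leaves the Service pointing at the old port and protocol. I would write `targetPort: {{ .Values.openvpn.port }}` and `protocol: {{ .Values.openvpn.proto | upper | quote }}` so the two cannot drift. `{{- end}}` on the nodePort block renders fine but every other closer in the chart is spelled `{{- end }}`.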
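Review bot: The test pod runs `wget` against `fullname:1194`, but the Service defaults to UDP and OpenVPN does not answer HTTP, so `helm test` fails on a perfectly healthy release; the probe image is also the untagged `busybox`. Unless a TCP health endpoint is exposed, the test should be dropped or replaced by a check that matches the protocol, and the image pinned, e.g. `image: busybox:<pinned-tag>`.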
@@ -0,0 +1,90 @@
+# Default values for openvpn-chart.
+image:
+ repository: git.badhouseplants.net/allanger/container-openvpn
+ pullPolicy: IfNotPresent
+ # -------------------------------------------
+ # -- TODO: Switch to proper versions
+ # -------------------------------------------
+ tag: v2.6.6
+
+# -----------------------------
+# -- Open VPN configuration
+# -----------------------------
+openvpn:
+ proto: udp
+ host: 127.0.0.1
+ port: 1194
+# -----------------------------
+# -- Easy RSA configuration
+# -----------------------------
+easyrsa:
+ cn: . # -- EASYRSA_REQ_CN
+ country: . # -- EASYRSA_REQ_COUNTRY
+ province: . # -- EASYRSA_REQ_PROVINCE
+ city: . # -- EASYRSA_REQ_CITY
+ org: . # -- EASYRSA_REQ_ORG
+ email: . # -- EASYRSA_REQ_EMAIL
+ ou: Community # -- EASYRSA_REQ_OU
+ algo: ec # -- EASYRSA_ALGO
+ digest: sha512 # -- EASYRSA_DIGEST
+
+replicaCount: 1
+
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+storage:
+ class: microk8s-hostpath
+ size: 1Gi
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: LoadBalancer
+ port: 1194
+
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/hooks/post_checkout b/hooks/post_checkout
deleted file mode 100644
index 4788ac1..0000000
--- a/hooks/post_checkout
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/bash
-# downloads a local copy of qemu on docker-hub build machines
-curl -L https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz | tar zxvf - -C . && mv qemu-3.0.0+resin-arm/qemu-arm-static .
-curl -L https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-aarch64.tar.gz | tar zxvf - -C . && mv qemu-3.0.0+resin-aarch64/qemu-aarch64-static .
diff --git a/hooks/post_push b/hooks/post_push
deleted file mode 100644
index 1c4d1f3..0000000
--- a/hooks/post_push
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-# Use manifest-tool to create the manifest, given the experimental
-# "docker manifest" command isn't available yet on Docker Hub.
-
-curl -Lo manifest-tool https://github.com/estesp/manifest-tool/releases/download/v0.9.0/manifest-tool-linux-amd64
-chmod +x manifest-tool
-
-./manifest-tool push from-spec multi-arch-manifest.yaml
diff --git a/hooks/pre_build b/hooks/pre_build
deleted file mode 100644
index 0a94f7e..0000000
--- a/hooks/pre_build
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-# Register qemu-*-static for all supported processors except the
-# current one, but also remove all registered binfmt_misc before
-docker run --rm --privileged multiarch/qemu-user-static:register --reset
diff --git a/multi-arch-manifest.yaml b/multi-arch-manifest.yaml
deleted file mode 100644
index e6df52f..0000000
--- a/multi-arch-manifest.yaml
+++ /dev/null
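Review bot: `openvpn.host` defaults to `127.0.0.1`, and the other templates bake that value into the server certificate CN, the tls-crypt-v2 key filename and `OVPN_SERVER_URL`, so a release installed with defaults produces a PKI that has to be regenerated once the real hostname is known; an empty default checked with `required` in the templates would surface this at install time instead. `storage.class: microk8s-hostpath` is likewise cluster-specific and the PVC will stay Pending on any other distribution, where an empty value (cluster default class) is the usual chart convention. `autoscaling.maxReplicas: 100` and `replicaCount` suggest horizontal scaling, but the Deployment mounts a single ReadWriteOnce PVC holding the PKI, so additional replicas can presumably only land on the same node and would share the same state; a comment such as `# state lives on a RWO PVC; keep replicaCount at 1` would save users a surprise.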
@@ -1,16 +0,0 @@
-image: lawtancool/docker-openvpn-xor:latest
-manifests:
- - image: lawtancool/docker-openvpn-xor:amd64
- platform:
- architecture: amd64
- os: linux
- - image: lawtancool/docker-openvpn-xor:arm32v7
- platform:
- architecture: arm
- os: linux
- variant: v7
- - image: lawtancool/docker-openvpn-xor:arm64v8
- platform:
- architecture: arm64
- os: linux
- variant: v8
diff --git a/renovate.json b/renovate.json
deleted file mode 100644
index 79dc750..0000000
--- a/renovate.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "includeForks": true
-}