Kyle Manna
commit
74c4ca94a7
|
|
@ -45,7 +45,7 @@ a corresponding [Digital Ocean Community Tutorial](http://bit.ly/1AGUZkq).
|
|||
|
||||
* Create an environment variable with the name DEBUG and value of 1 to enable debug output (using "docker -e").
|
||||
|
||||
for example - docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
|
||||
docker run --volumes-from $OVPN_DATA -d -p 1194:1194/udp --privileged -e DEBUG=1 kylemanna/openvpn
|
||||
|
||||
## How Does It Work?
|
||||
|
||||
|
|
@ -109,13 +109,13 @@ packets, etc).
|
|||
simplicity. It's highly recommended to secure the CA key with some
|
||||
passphrase to protect against a filesystem compromise. A more secure system
|
||||
would put the EasyRSA PKI CA on an offline system (can use the same Docker
|
||||
image and the script [`ovpn_copy_server_files`](/docs/clients.md) to accomplish this).
|
||||
image and the script [`ovpn_copy_server_files`](/docs/paranoid.md) to accomplish this).
|
||||
* It would be impossible for an adversary to sign bad or forged certificates
|
||||
without first cracking the key's passphase should the adversary have root
|
||||
access to the filesystem.
|
||||
* The EasyRSA `build-client-full` command will generate and leave keys on the
|
||||
server, again possible to compromise and steal the keys. The keys generated
|
||||
need to signed by the CA which the user hopefully configured with a passphrase
|
||||
need to be signed by the CA which the user hopefully configured with a passphrase
|
||||
as described above.
|
||||
* Assuming the rest of the Docker container's filesystem is secure, TLS + PKI
|
||||
security should prevent any malicious host from using the VPN.
|
||||
|
|
|
|||
|
|
@ -2,9 +2,9 @@
|
|||
|
||||
## Security
|
||||
|
||||
The resulting archive from this back-up contains all credential to impersonate the server at a minimum. If the client's private keys are generated using the EasyRSA utility then it also contains the client certificates that could be used to impersonate said clients. Most importantly, if the certificate authority key is in this archive (as it is given the quick start directions), then a adversary could generate certificates at will.
|
||||
The resulting archive from this backup contains all credential to impersonate the server at a minimum. If the client's private keys are generated using the EasyRSA utility then it also contains the client certificates that could be used to impersonate said clients. Most importantly, if the certificate authority key is in this archive (as it is given the quick start directions), then a adversary could generate certificates at will.
|
||||
|
||||
I'd recommend encrypting the archive with something strong (e.g. gpg or openssl + AES). For the paranoid keep backup offline. For the truly paranoid users, never keep any keys (i.e. client and certificate authority) in the docker container to begin with :).
|
||||
I'd recommend encrypting the archive with something strong (e.g. gpg or openssl + AES). For the paranoid keep backup offline. For the [truly paranoid users](/docs/paranoid.md), never keep any keys (i.e. client and certificate authority) in the docker container to begin with :).
|
||||
|
||||
|
||||
**TL;DR Protect the resulting archive file. Ensure there is very limited access to it.**
|
||||
|
|
|
|||
|
|
@ -15,12 +15,11 @@ If you have more than a few clients, you will want to generate and update your c
|
|||
|
||||
Execute the following to generate the configuration for all clients:
|
||||
|
||||
docker run --rm -it -v /tmp/openvpn:/etc/openvpn kylemanna/openvpn ovpn_getclient_all
|
||||
docker run --rm -it --volumes-from $OVPN_DATA --volume /tmp/openvpn_clients:/etc/openvpn/clients kylemanna/openvpn ovpn_getclient_all
|
||||
|
||||
After doing so, you will find the following files in each of the `$cn` directories:
|
||||
|
||||
ca.crt
|
||||
dh.pem
|
||||
$cn-combined.ovpn # Combined configuration file format. If your client recognices this file then only this file is needed.
|
||||
$cn.ovpn # Separated configuration. This configuration file requires the other files ca.crt dh.pem $cn.crt $cn.key ta.key
|
||||
$cn.crt
|
||||
|
|
@ -34,4 +33,4 @@ Revoke `client1`'s certificate and generate the certificate revocation list (CRL
|
|||
docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa revoke client1
|
||||
docker run --rm -it --volumes-from $OVPN_DATA kylemanna/openvpn easyrsa gen-crl
|
||||
|
||||
The OpenVPN server will read this change everytime a client connects (no need to restart server) and deny clients access using revoked certificates.
|
||||
The OpenVPN server will read this change every time a client connects (no need to restart server) and deny clients access using revoked certificates.
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ It is recommended to use platforms that support systemd as future versions of th
|
|||
|
||||
### Step 1 — Set Up Docker
|
||||
|
||||
Docker is moving fast and Debian / Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker.
|
||||
Docker is moving fast and Debian / Ubuntu's long term support (LTS) policy doesn't keep up. To work around this we'll install a PPA that will get us the latest version of Docker. For Debian Jessie users, just install docker.io from jessie-backports.
|
||||
|
||||
Ensure dependencies are installed:
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
## Keep the CA root key save
|
||||
As mentioned in the [backup section](/docs/backup.md), there are good reasons to not generate the CA and/or leave it on the server. This document describes how you can generate the CA and all your certificates on a secure machine and then copy only the needed files (which never includes the CA root key obviously ;) ) to the server(s) and clients.
|
||||
|
||||
Execute the following commands. Note that you might want to change the volume `/tmp/openvpn` to persistent storage or use a data docker container for this.
|
||||
Execute the following commands. Note that you might want to change the volume `$PWD` or use a data docker container for this.
|
||||
|
||||
docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_genconfig -u udp://VPN.SERVERNAME.COM
|
||||
docker run --rm -t -i -v $PWD:/etc/openvpn kylemanna/openvpn ovpn_initpki
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Static IP Addresses
|
||||
|
||||
The docker image is setup for static client configuration on the 192.168.254.0/24 subnet. To use it follow the Quick Start section below. Note that the IP addresses octects need to be picked special, see [OpenVPN Documentation](https://openvpn.net/index.php/open-source/documentation/howto.html#policy) for more details.
|
||||
The docker image is setup for static client configuration on the 192.168.254.0/24 subnet. To use it follow the Quick Start section below. Note that the IP addresses octets need to be picked special, see [OpenVPN Documentation](https://openvpn.net/index.php/open-source/documentation/howto.html#policy) for more details.
|
||||
|
||||
## Quick Start
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue