ovpn-certman/README.md

# Certman
Certman is a simple certificate manager web service for OpenVPN.

**For usage tips, please consult [`usage.md`](usage.md)

## Installation
### Binary
There are prebuilt binary files for this application. They are statically
linked and have no additional dependencies. Supported plattforms are:
 * Windows (XP and up)
 * Linux (2.6.16 and up)
 * Linux ARM (for raspberry pi, 3.0 and up)
Simply download them from the "artifacts" section of this project.
### Docker
A prebuilt docker image (10MB) is available:

```
docker pull zombi/certman
```
### From Source-Docker
You can easily build your own docker image from source

```
docker build -t zombi/certman .
```

## Configuration
Certman assumes the root certificates of the VPN CA are located in the same
directory as the binary, If that is not the case you need to copy over the
`ca.crt` and `ca.key` files before you are able to generate certificates
with this tool.

Additionally, the project is configured by the following environment
variables:
 * `OAUTH2_CLIENT_ID` the Client ID, assigned during client registration
 * `OAUTH2_CLIENT_SECRET` the Client secret, assigned during client registration
 * `OAUTH2_AUTH_URL` the URL to the "/authorize" endpoint of the identity provider
 * `OAUTH2_TOKEN_URL` the URL to the "/token" endpoint of the identity provider
 * `OAUTH2_REDIRECT_URL` the redirect URL used by the app, usually the hostname suffixed by "/login/oauth2/redirect"
 * `USER_ENDPOINT` the URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication.
 * `APP_LISTEN` port and ip to listen on, e.g. `:8000` or `127.0.0.1:3000`
 * `VPN_DEV` which device is used by the network, either `tun` or `tap` (check server cfg)
 * `VPN_HOST` Hostname or IP address of the server
 * `VPN_PORT` Port of the VPN server
 * `VPN_PROTO` Protocol of the VPN server, either `tcp` or `udp`

There are some files that need to be mounted inside the container:

 * `/ca.crt` the certificate of the server PKI
 * `/ca.key` the key of the server PKI, unencrypted
 * `/ta.key` shared HMAC secret of server and client
 * `/clients.json` the generated certificates for each client

 There is an [`docker-compose.yml example`](docker-compose.yml.example) you can use as a base for your own docker-compose service.
Refactor code, delete old references 2018-02-03 18:14:47 +01:00			`# Certman`
			`Certman is a simple certificate manager web service for OpenVPN.`

Add usage manual 2018-03-09 11:59:31 +01:00			**For usage tips, please consult [`usage.md`](usage.md)

Refactor code, delete old references 2018-02-03 18:14:47 +01:00			`## Installation`
			`### Binary`
			`There are prebuilt binary files for this application. They are statically`
			`linked and have no additional dependencies. Supported plattforms are:`
			`* Windows (XP and up)`
			`* Linux (2.6.16 and up)`
			`* Linux ARM (for raspberry pi, 3.0 and up)`
			`Simply download them from the "artifacts" section of this project.`
			`### Docker`
			`A prebuilt docker image (10MB) is available:`
Improve documentation 2018-04-22 19:47:26 +02:00
			```
Increase security of config 2019-04-23 02:14:16 +02:00			`docker pull zombi/certman`
Refactor code, delete old references 2018-02-03 18:14:47 +01:00			```
			`### From Source-Docker`
			`You can easily build your own docker image from source`
Improve documentation 2018-04-22 19:47:26 +02:00
			```
Increase security of config 2019-04-23 02:14:16 +02:00			`docker build -t zombi/certman .`
Refactor code, delete old references 2018-02-03 18:14:47 +01:00			```

			`## Configuration`
			`Certman assumes the root certificates of the VPN CA are located in the same`
			`directory as the binary, If that is not the case you need to copy over the`
			`ca.crt` and `ca.key` files before you are able to generate certificates
			`with this tool.`

			`Additionally, the project is configured by the following environment`
			`variables:`
			* `OAUTH2_CLIENT_ID` the Client ID, assigned during client registration
			* `OAUTH2_CLIENT_SECRET` the Client secret, assigned during client registration
			* `OAUTH2_AUTH_URL` the URL to the "/authorize" endpoint of the identity provider
			* `OAUTH2_TOKEN_URL` the URL to the "/token" endpoint of the identity provider
			* `OAUTH2_REDIRECT_URL` the redirect URL used by the app, usually the hostname suffixed by "/login/oauth2/redirect"
			* `USER_ENDPOINT` the URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication.
Improve documentation 2018-04-22 19:47:26 +02:00			* `APP_LISTEN` port and ip to listen on, e.g. `:8000` or `127.0.0.1:3000`
Make fully configurable for other networks 2018-04-22 20:34:51 +02:00			* `VPN_DEV` which device is used by the network, either `tun` or `tap` (check server cfg)
			* `VPN_HOST` Hostname or IP address of the server
			* `VPN_PORT` Port of the VPN server
			* `VPN_PROTO` Protocol of the VPN server, either `tcp` or `udp`
Improve documentation 2018-04-22 19:47:26 +02:00
			`There are some files that need to be mounted inside the container:`

			* `/ca.crt` the certificate of the server PKI
			* `/ca.key` the key of the server PKI, unencrypted
Make fully configurable for other networks 2018-04-22 20:34:51 +02:00			* `/ta.key` shared HMAC secret of server and client
Improve documentation 2018-04-22 19:47:26 +02:00			* `/clients.json` the generated certificates for each client

Make fully configurable for other networks 2018-04-22 20:34:51 +02:00			There is an [`docker-compose.yml example`](docker-compose.yml.example) you can use as a base for your own docker-compose service.