Make fully configurable for other networks

This commit is contained in:
Paul 2018-04-22 20:34:51 +02:00
parent 83d0ed4cb7
commit b5c742f19d
5 changed files with 41 additions and 55 deletions

View file

@ -14,8 +14,12 @@ ENV \
OAUTH2_CLIENT_SECRET="" \ OAUTH2_CLIENT_SECRET="" \
OAUTH2_AUTH_URL="https://gitlab.example.com/oauth/authorize" \ OAUTH2_AUTH_URL="https://gitlab.example.com/oauth/authorize" \
OAUTH2_TOKEN_URL="https://gitlab.example.com/oauth/token" \ OAUTH2_TOKEN_URL="https://gitlab.example.com/oauth/token" \
OAUTH2_REDIRECT_URL="https://certman.example.com/login/oauth2/redirect" \ OAUTH2_REDIRECT_URL="https://vpn.example.com/login/oauth2/redirect" \
USER_ENDPOINT="https://gitlab.example.com/api/v4/user" \ USER_ENDPOINT="https://gitlab.example.com/api/v4/user" \
VPN_DEV="tun" \
VPN_HOST="vpn.example.com" \
VPN_PORT="1194" \
VPN_PROTO="udp" \
APP_KEY="" APP_KEY=""
COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=0 /go/src/git.klink.asia/paul/certman/certman / COPY --from=0 /go/src/git.klink.asia/paul/certman/certman /

View file

@ -40,11 +40,16 @@ variables:
* `USER_ENDPOINT` the URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication. * `USER_ENDPOINT` the URL to the Identity provider user endpoint, for gitlab this is "/api/v4/user". The "username" attribute of the returned JSON will used for authentication.
* `APP_KEY` random ASCII string, 32 characters in length. Used for cookie generation. * `APP_KEY` random ASCII string, 32 characters in length. Used for cookie generation.
* `APP_LISTEN` port and ip to listen on, e.g. `:8000` or `127.0.0.1:3000` * `APP_LISTEN` port and ip to listen on, e.g. `:8000` or `127.0.0.1:3000`
* `VPN_DEV` which device is used by the network, either `tun` or `tap` (check server cfg)
* `VPN_HOST` Hostname or IP address of the server
* `VPN_PORT` Port of the VPN server
* `VPN_PROTO` Protocol of the VPN server, either `tcp` or `udp`
There are some files that need to be mounted inside the container: There are some files that need to be mounted inside the container:
* `/ca.crt` the certificate of the server PKI * `/ca.crt` the certificate of the server PKI
* `/ca.key` the key of the server PKI, unencrypted * `/ca.key` the key of the server PKI, unencrypted
* `/ta.key` shared HMAC secret of server and client
* `/clients.json` the generated certificates for each client * `/clients.json` the generated certificates for each client
There is an [`docker-compose.yml example`](docker-compose.yml.example) you can use as a base for your own docker-compose service. There is an [`docker-compose.yml example`](docker-compose.yml.example) you can use as a base for your own docker-compose service.

View file

@ -1,8 +1,7 @@
{{ define "base" }}# Client configuration for {{ .User }}@{{ .Name }} {{ define "base" }}# Client configuration for {{ .User }}@{{ .Name }}
client client
dev tun dev {{ .Dev }}
remote ovpn.oneofftech.xyz 443 udp remote {{ .Host }} {{ .Port }} {{ .Proto }}
remote ovpn.oneofftech.xyz 443 tcp
resolv-retry infinite resolv-retry infinite
nobind nobind
persist-key persist-key
@ -16,33 +15,8 @@ tls-version-min 1.2
;comp-lzo ;comp-lzo
verb 3 verb 3
route 172.31.1.100 255.255.255.255 net_gateway
<ca> <ca>
-----BEGIN CERTIFICATE----- {{ .CA | html }}</ca>
MIIDwDCCAqigAwIBAgIJAMvRC7FajlAOMA0GCSqGSIb3DQEBCwUAMHUxCzAJBgNV
BAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjETMBEGA1UE
CgwKT25lT2ZmVGVjaDEWMBQGA1UECwwNSVQgZGVwYXJ0bWVudDEXMBUGA1UEAwwO
Y2EtY2VydGlmaWNhdGUwHhcNMTgwMTI1MTM0NjI3WhcNMjMwMTI0MTM0NjI3WjB1
MQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4x
EzARBgNVBAoMCk9uZU9mZlRlY2gxFjAUBgNVBAsMDUlUIGRlcGFydG1lbnQxFzAV
BgNVBAMMDmNhLWNlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA5LzVrHqz33L5YiFs1HOZWvLht9yQ6+AxK1+RDZsx8490UEYvPnguyU/c
8NtaZPtWOg5Qvnh+0tHpLHV+3WbWyIObkix6b3U5EgR6Hgdf1zuzX7y/S2o7uPT1
zkCgIi9EQfy0IDIhIErsO0dOWndFt/cAfrMaOx0LV/kzr9bKdgg7WLQoVzUgawZq
ROScZUogaElISxC/C77YaGg9V5sV9qTa3uZ9DxuESzXLGMDx3DJMjH+Yu+nhJjoc
isSxK5qEnfqWJhZgJFTAY2BRbcMFMieVz/+UGk2GDZf1tpMZOQKxwrNibe4HO8zo
lfhX+H+sb4QZCdn30eUGstK/jJdQrQIDAQABo1MwUTAdBgNVHQ4EFgQU9UASoCXR
ountXC2vQ4s9BT5qGRYwHwYDVR0jBBgwFoAU9UASoCXRountXC2vQ4s9BT5qGRYw
DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA2YgYuFKMzoblpPf+
VcyFKAXC9IoOJFeoA8FWMLBy38FedpCP+aFtlnG5eSLB/Xy7rdJK+7ASrdbAsFMD
U6P2guqUix4veIBZK0WLGTLfRKHQiOUqNP1zZpWsdrwUoUjGOEt4iqG9PCcaANSg
mOfl/BK+MtuRevF6Ry2JAZDArUXrXXjNdRXKB7iNc3Sd5icII53OGXXtn1ehzZXL
djbdz4MZa1kbA1ZlJVaYCRzOS/F9kU2aQceO17foxI5BvnOkpONLXDZHs61/KtYu
5z7hJoH49+4iyWZuRgWT/sq36qpvu+/f48JPxzqV94Jp77Z9BocTIjdfqHM++X9h
Yo95ZQ==
-----END CERTIFICATE-----
</ca>
<cert> <cert>
{{ .Cert | html }}</cert> {{ .Cert | html }}</cert>
@ -51,26 +25,5 @@ Yo95ZQ==
{{ .Key | html }}</key> {{ .Key | html }}</key>
<tls-auth> <tls-auth>
# {{ .TA | html }}</tls-auth>
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
187be23c2b3b0a6a9d79bc5b5c95b70b
b43b6b303e7c00eb75121d68df470ea3
3cdd0ddedc273f5412f181709890ea32
7086cbc5b21bbaf3dd231d115b5ba986
1b1aee31bff9be5f6c6f6dd490d593a1
eec50bb866558c6b2c6fe62ebfe125d9
34b7115e72d94ce08cc9e1c4e8ccdbfe
a5ee19ac0aec60da63df881e3c2e7d4d
9c4f167ec1b46309f17c16c36683780b
bed7551ad7a3d526c19014567370122e
98ae0ae7fd83a8a6de09883fcc181b36
a8465c0deda7a345ec3d16a4daf3fbf5
23dc36a48e679c653b3cfc6dbaa150a7
7ace46081d2c3712ce655f4b8211f674
4d4688c2b3828f9208a80bf71e6e4554
ae09b91154a435995439ad576fcc72c1
-----END OpenVPN Static key V1-----
</tls-auth>
{{ end }} {{ end }}

View file

@ -20,6 +20,7 @@ services:
volumes: volumes:
- ./ca.crt:/ca.crt:ro - ./ca.crt:/ca.crt:ro
- ./ca.key:/ca.key:ro - ./ca.key:/ca.key:ro
- ./ta.key:/ta.key:ro
- ./clients.json:/clients.json:rw - ./clients.json:/clients.json:rw
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"

View file

@ -13,6 +13,7 @@ import (
"log" "log"
"math/big" "math/big"
"net/http" "net/http"
"os"
"strings" "strings"
"time" "time"
@ -170,9 +171,31 @@ func DownloadCertHandler(p *services.Provider) http.HandlerFunc {
pem.Encode(cbuf, &pem.Block{Type: "CERTIFICATE", Bytes: client.Cert}) pem.Encode(cbuf, &pem.Block{Type: "CERTIFICATE", Bytes: client.Cert})
pem.Encode(kbuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: client.PrivateKey}) pem.Encode(kbuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: client.PrivateKey})
ca, err := ioutil.ReadFile("ca.crt")
if err != nil {
log.Printf("Error loading ca file: %s", err)
v.RenderError(w, http.StatusInternalServerError)
return
}
ta, err := ioutil.ReadFile("ta.key")
if err != nil {
log.Printf("Error loading ta file: %s", err)
v.RenderError(w, http.StatusInternalServerError)
return
}
vars := map[string]string{ vars := map[string]string{
"Cert": cbuf.String(), "CA": string(ca),
"Key": kbuf.String(), "TA": string(ta),
"Cert": cbuf.String(),
"Key": kbuf.String(),
"User": username,
"Name": name,
"Dev": os.Getenv("VPN_DEV"),
"Host": os.Getenv("VPN_HOST"),
"Port": os.Getenv("VPN_PORT"),
"Proto": os.Getenv("VPN_PROTO"),
} }
t, err := views.GetTemplate("config.ovpn") t, err := views.GetTemplate("config.ovpn")