Commit
Fix easy-rsa issues and update the README.
wheelybird committed May 3, 2023
1 parent b5ac034 commit def106b
Showing 6 changed files with 15 additions and 19 deletions.
15 changes: 10 additions & 5 deletions README.md
Expand Up @@ -4,10 +4,9 @@ This will create an OpenVPN server. You can either use LDAP for authentication (
The container will automatically generate the certificates on the first run (using a 2048 bit key) which means that *the initial run could take several minutes* whilst keys are generated. The client configuration will be output in the logs.
A volume is created for data persistence.

### A note about the VORACLE attack
### A note about compression

The [VORACLE ATTACK](https://community.openvpn.net/openvpn/wiki/VORACLE) uses a vulnerability in OpenVPN's traffic compression. **It is highly recommended that you disable compression** using `OVPN_ENABLE_COMPRESSION=false`.
Compression is enabled by default for backwards-compatibility - if either the client or server's configuration has `comp-lzo` set and the other doesn't then the tunnel will break. Compression was set without an option to disable it in previous versions of this container, so all previous client configurations will have it enabled.
Compression is no longer enabled by default for backwards-compatibility. However the backwards-compatible option `compress migrate` has been added to the server configuration. This simply allows the server to ignore the client's request for compression. More information on why compression is disabled can be found [on the OpenVPN website](https://community.openvpn.net/openvpn/wiki/Compression).

## Configuration

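Review bot: The new sentence "Compression is no longer enabled by default for backwards-compatibility" reads as though backwards compatibility is the reason compression was turned off, which is the opposite of the intent. Suggest splitting it: "Compression is no longer enabled by default. For backwards compatibility with existing client configurations, which still contain `comp-lzo`, `compress migrate` has been added to the server configuration." It is also worth keeping a pointer to the VORACLE wiki page that the removed heading linked to, since that is the reason compression is unsafe, and the commit message ("Fix easy-rsa issues and update the README") does not mention that this change removes the compression feature.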
Expand All @@ -22,6 +21,11 @@ Configuration is via environmental variables. Here's a list, along with the def
* `LDAP_URI`: The URI used to connect to the LDAP server. e.g. `ldap://ldap.example.org`.
* `LDAP_BASE_DN`: The base DN used for LDAP lookups. e.g. `dc=example,dc=org`.

---
**Tip**: The LDAP authentication module authenticates the user by searching for their LDAP entry and if it can't return that record authentication fails. Many LDAP servers don't allow anonymous binds/searches, so set `LDAP_BIND_USER_DN` (and `LDAP_BIND_USER_PASS`) as a user that has permission to search the directory.

---

### Optional settings:

* `USE_CLIENT_CERTIFICATE` (false): If this is set to `true` then the container will generate a client key and certificate and won't use LDAP (or OTP) for authentication. See [Using a client certificate](#using_a_client_certificate) for more information.
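Review bot: The added Tip is missing a comma ("searching for their LDAP entry, and if it can't return that record authentication fails") and, because it tells users to supply bind credentials, it should say what the account needs: `LDAP_BIND_USER_DN` only has to search the subtree under `LDAP_BASE_DN`, so a read-only service account rather than an administrative one.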
Expand Down Expand Up @@ -49,7 +53,6 @@ Configuration is via environmental variables. Here's a list, along with the def
* `OVPN_DNS_SERVERS` (_undefined_): A comma-separated list of DNS nameservers to push to the client. Set this if the remote network has its own DNS or if you route all traffic through the VPN and the remote side blocks access to external name servers. Note that not all OpenVPN clients will automatically use these nameservers. e.g. `8.8.8.8,8.8.4.4`
* `OVPN_DNS_SEARCH_DOMAIN` (_undefined_): If using the remote network's DNS server then push the search domain (or domains) to the client. This will allow the client to lookup by hostnames rather than fully-qualified domain names. i.e. setting this to `example.org` will allow `ping remotehost` instead of `ping remotehost.example.org`. Separate multiple domains with commas, e.g. `example.org,wheelybird.com,test.net`.
* `OVPN_REGISTER_DNS` (false): Include `register-dns` in the client config, which is a Windows client option that can force some clients to load the DNS configuration.
* `OVPN_ENABLE_COMPRESSION` (true): Enable this to add `comp-lzo` to the server and client configuration. This will compress traffic going through the VPN tunnel.
* `OVPN_IDLE_TIMEOUT` (_undefined_): The number of seconds before an idle VPN connection will be disconnected. This also prevents the client reconnecting due to a keepalive heartbeat timeout. You might want to use this setting for compliance reasons (e.g. PCI_DSS). See [Keepalive settings](#keepalive_settings) for more information.
* `OVPN_VERBOSITY` (4): The verbosity of OpenVPN's logs.
* `OVPN_DEFAULT_SERVER` (true): If true, the OpenVPN `server <network> <netmask>` directive will be generated in the server configuration file. If `false`, you have to configure the server yourself by using `OVPN_EXTRA`.
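Review bot: `OVPN_ENABLE_COMPRESSION` is removed from the documented settings, but nothing tells existing deployments that the variable is no longer honoured; anyone still passing `OVPN_ENABLE_COMPRESSION=true` will get a server without `comp-lzo` and no explanation. Suggest one line under the compression note above stating that the variable has been removed and is ignored.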
Expand Down Expand Up @@ -83,8 +86,10 @@ docker run \
-e "OVPN_SERVER_CN=myserver.mycompany.com" \
-e "LDAP_URI=ldap://ldap.mycompany.com" \
-e "LDAP_BASE_DN=dc=mycompany,dc=com" \
-e "LDAP_BIND_USER_DN=cn=example,dc=mycompany,dc=com" \
-e "LDAP_BIND_USER_PASS=examplepass" \
--cap-add=NET_ADMIN \
wheelybird/openvpn-ldap-otp:v1.6
wheelybird/openvpn-ldap-otp:v1.7
```

* `--cap-add=NET_ADMIN` is necessary; the container needs to create the tunnel device and create iptable rules.
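Review bot: The example now passes `LDAP_BIND_USER_PASS=examplepass` with `-e` on the command line, which leaves the bind password in shell history and makes it readable via `docker inspect`; since this is the copy-and-paste example, suggest showing `--env-file` instead (or a comment saying the value is a placeholder to be supplied from a secrets store), and noting that the bind account only needs search rights.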
10 changes: 3 additions & 7 deletions files/bin/show-client-config
Expand Up @@ -28,10 +28,6 @@ proto $OVPN_PROTOCOL
reneg-sec 0
"

if [ "${OVPN_ENABLE_COMPRESSION}" == "true" ]; then
echo "comp-lzo"
fi

if [ "${OVPN_ROUTES}x" == "x" ] ; then
echo "redirect-gateway def1"
fi
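Review bot: With `comp-lzo` no longer written to generated client configs, clients generated before this change still carry `comp-lzo` and only keep working because of the server-side `compress migrate`; consider emitting a one-line comment in the generated config (as the DNS block further down already does) telling users to regenerate older client configurations without it, so the migration option can eventually be dropped.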
Expand All @@ -43,15 +39,15 @@ fi
if [ "${OVPN_DNS_SERVERS}x" != "x" ] ; then

echo "
##Un-comment these lines in most of Linux distros
##Un-comment these lines when using Linux
##in order to set the DNS server:
## If systemd-resolved is used
## If your Linux distro uses systemd-resolved:
#script-security 2
#up /etc/openvpn/update-systemd-resolved
#down /etc/openvpn/update-systemd-resolved
## If not
## Otherwise:
#script-security 2
#up /etc/openvpn/update-resolv-conf
#down /etc/openvpn/update-resolv-conf
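Review bot: Wording-only changes here, fine as they are; one documentation point: the comment assumes `/etc/openvpn/update-systemd-resolved` exists, but that script is installed separately from OpenVPN, so the comment should say which package or repository provides it.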
4 changes: 1 addition & 3 deletions files/configuration/create_server_config.sh
Expand Up @@ -39,9 +39,7 @@ if [ "${OVPN_DNS_SEARCH_DOMAIN}x" != "x" ]; then
done
fi

if [ "${OVPN_ENABLE_COMPRESSION}" == "true" ]; then
echo "comp-lzo" >> $CONFIG_FILE
fi
echo "compress migrate" >> $CONFIG_FILE

if [ "${OVPN_IDLE_TIMEOUT}x" != "x" ] && [ "${OVPN_IDLE_TIMEOUT##*[!0-9]*}" ] ; then
cat <<TIMEOUTS >> $CONFIG_FILE
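Review bot: `compress migrate` is appended unconditionally, and it is only understood by OpenVPN 2.5 and later; on an older OpenVPN the server will refuse to start on the unrecognised option. Either document the minimum OpenVPN version in the README or guard the line on the installed version. Minor: quote the redirect target (`echo "compress migrate" >> "$CONFIG_FILE"`) to match the quoting used for the variables in the surrounding tests.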
2 changes: 1 addition & 1 deletion files/configuration/setup_pki.sh
@@ -1,7 +1,7 @@
if [ ! -f "$PKI_DIR/issued/$OVPN_SERVER_CN.crt" ] || [ "$REGENERATE_CERTS" == 'true' ]; then

echo "easyrsa: creating server certs"
sed -i 's/^RANDFILE/#RANDFILE/g' /opt/easyrsa/openssl-1.0.cnf
sed -i 's/^RANDFILE/#RANDFILE/g' /opt/easyrsa/openssl-easyrsa.cnf
EASYCMD="/opt/easyrsa/easyrsa --vars=/opt/easyrsa/vars"
$EASYCMD init-pki

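Review bot: Pointing the `sed -i` at `/opt/easyrsa/openssl-easyrsa.cnf` agrees with dropping `EASYRSA_SSL_CONF` from vars, since that is the file easy-rsa reads by default; but the script still rewrites a file under `/opt/easyrsa` on every certificate generation and carries on if the file is missing (no `set -e` is visible and the exit status of `sed` is not checked). Suggest making this edit once at image build time, or at least failing here with `|| exit 1`. The `g` flag is redundant with the `^` anchor.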
File renamed without changes.
3 changes: 0 additions & 3 deletions files/easyrsa/vars
@@ -1,5 +1,4 @@
set_var EASYRSA "/opt/easyrsa"
set_var EASYRSA_SSL_CONF "/opt/easyrsa/openssl-1.0.cnf"
set_var EASYRSA_OPENSSL "openssl"
set_var EASYRSA_PKI "/etc/openvpn/pki"

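Review bot: Removing `EASYRSA_SSL_CONF` makes easy-rsa fall back to its default `$EASYRSA/openssl-easyrsa.cnf`, which matches the path setup_pki.sh now edits; a short comment in vars saying that the default is relied on would stop the next reader from re-adding the variable.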
Expand All @@ -18,5 +17,3 @@ set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650

set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_SSL_CONF "/opt/openssl-1.0.cnf"

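Review bot: This second `EASYRSA_SSL_CONF` line pointed at `/opt/openssl-1.0.cnf` and, being last in the file, overrode the setting at the top, so the two definitions conflicted; removing both resolves that. Nothing further on this hunk.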