Partial rewrite

Changed config directory structure, changed command names, added backup/restore, reorganized code, switched to new baseimage

Author: SloCompTech

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+### 2.0.0 - Partial rewrite
+
+- Moved `/config/hooks` to `/config/openvpn/hooks`
+- Renamed `/config/openvpn/server` to `config`
+- Changed base image to [slocomptech/baseimage-alpine](https://github.com/SloCompTech/docker-baseimage-alpine)
+- Moved all helper scripts to `/root/usr/local/bin`
+- Got rid of bash lib files
+- Hiearhicaly moved all commands under the hood of `ovpn` command
+- Improved backup command
+- Added restore command
+
 ### 1.0.6 - Bugfix
 
 - Added missing `DNS` keyword to **dhcp-option** in example configs

CONTRIBUTING.md

@@ -6,76 +6,70 @@ Feel free to contribute to this project.
 
 Sections:
 
-- [Example configs & hooks](root/defaults/example/README.md) 
+- [Example configs & hooks](root/defaults/example/README.md)
 - [Guides](docs/README.md)
 - [Helper Scripts](root/app/README.md)  
 - [Modules](root/defaults/module/README.md)
 
 ## Syntax
 
-- Identation: tab (4 spaces width)
+- Identation: space (2 spaces width)
 - Javadoc style documentation
 
 ## Directory structure of project
 
 ```
-/app # Utils (part of image)
-    bin # Scripts for using this image
 /config # Configuration dir (all config is here, generated on container start)
-    openvpn # Openvpn configuration
-        ccd # Client config directory
-        client # Client configuration directory
-            <clientconffile>.conf # Base for building client config (all files merged)
-        server # Server configuration directory
-            <name>.conf # Server config files (all files merged)
-    pki
-        ca.crt # CA certificate
-        certs by serial # Certs by Serial ID
-            <serial-id-cert>.pem
-        crl.pem # CRL
-        dh.pem
-        index.txt # Database index file
-        issued
-            <name>.crt # Certificates
-        private # Directory with private keys
-            ca.key # CA secret
-            <name>.key # Certificate secrets
-        reqs # Directroy with signing requests
-        serial # The current serial number
-        ta.key # Secret for tls-auth, tls-crypt
-    ssl
-        safessl-easyrsa.cnf
-        vars
-    example # Example configs (see root/defaults/example/README.md)
-        config # Example client & server configs
-        hook # Example hook configs
-    module # Modules for openvpn
+  backup # Folder where backups are generated
+  example # Example configs (see root/defaults/example/README.md)
+  module # Modules for openvpn
+  openvpn # Openvpn configuration
+    ccd # OpenVPN client-specific configuration directory (applied when client connects)
+    client # Client configuration directory (for generation of .ovpn files)
+      <clientconffile>.conf # Base for building client config (all files merged)
+    config # Running config (server/client)
+      <name>.conf # Config files (all files merged)
     hooks # Put your custom scripts in one of subfolders
-        auth # On authentication (needs to be enabled in config)
-        client-connect # Client connected
-        client-disconnect # Client disconnected
-        down # After interface is down
-        finish # Deinit container
-        init # Init container
-        learn-address
-        route-up # After routes are added
-        route-pre-down # Before routes are removed
-        up # After interface is up  
-        tls-verify # Check certificate
+      auth # On authentication (needs to be enabled in config)
+      client-connect # Client connected
+      client-disconnect # Client disconnected
+      down # After interface is down
+      finish # Deinit container
+      init # Init container
+      learn-address
+      route-up # After routes are added
+      route-pre-down # Before routes are removed
+      up # After interface is up  
+      tls-verify # Check certificate
     system.conf # System OpenVPN config file (do not edit, unless instructed)
-    include-server.conf # File that includes all server configuration files (automatically generated)
-    donotdelete # Leave this file alone, if deleted it triggers full setup
+    include-conf.conf # File that includes all configuration files (automatically generated)
+  pki
+    ca.crt # CA certificate
+    certs by serial # Certs by Serial ID
+      <serial-id-cert>.pem
+    crl.pem # CRL
+    dh.pem
+    index.txt # Database index file
+    issued
+      <name>.crt # Certificates
+    private # Directory with private keys
+      ca.key # CA secret
+      <name>.key # Certificate secrets
+    reqs # Directroy with signing requests
+    secret.key # Static key (if not using real PKI)
+    serial # The current serial number
+    ta.key # Secret for tls-auth, tls-crypt
+  ssl
+    safessl-easyrsa.cnf
+    vars
+  tmp # Temporary folder
 /defaults # Default configuration, which is copied into config on full setup
-    example # Examples
-        config # Example configs
-        hook # Example hooks
-    module # Modules (for example password authentication ...)
-    system.conf # Original server config
+  ...
 /etc # System config
-    cont-init.d # Scripts run before services are started
-    fix-attrs.d # Fix file permissions
-    logrotate.d # Log settings
-    services.d  # Scripts that start services
+  cont-init.d # Scripts run before services are started
+  cont-finish.d # Scripts run after services are finished
+  fix-attrs.d # Fix file permissions
+  services.d  # Scripts that start services
 ```
 
 ## Useful links
@@ -92,4 +86,4 @@ Sections:
 - [OpenVPN docs](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)  
 - [Setup OpenVPN on alpine linux](https://wiki.alpinelinux.org/wiki/Setting_up_a_OpenVPN_server#Alternative_Certificate_Method)  
 - [EasyRSA](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN)
-- [EasyRSA doc](https://github.com/OpenVPN/easy-rsa/tree/master/doc)
+- [EasyRSA doc](https://github.com/OpenVPN/easy-rsa/tree/master/doc)

Dockerfile

@@ -3,7 +3,7 @@
 # @see https://github.com/linuxserver/docker-baseimage-alpine
 # @see https://github.com/linuxserver/docker-baseimage-alpine-python3
 #
-FROM lsiobase/alpine.python3:latest
+FROM slocomptech/baseimage-alpine
 
 # Build arguments
 ARG BUILD_DATE
@@ -17,61 +17,76 @@ ARG VERSION
 # @see http://label-schema.org/rc1/
 # @see https://semver.org/
 #
-LABEL   org.opencontainers.image.title="OpenVPN Server" \
-        org.label-schema.name="OpenVPN Server" \
-        org.opencontainers.image.description="Docker image with OpenVPN server" \
-        org.label-schema.description="Docker image with OpenVPN server" \
-        org.opencontainers.image.url="https://github.com/SloCompTech/docker-openvpn" \
-        org.label-schema.url="https://github.com/SloCompTech/docker-openvpn" \
-        org.opencontainers.image.authors="Martin Dagarin <martin.dagarin@gmail.com>" \
-        org.opencontainers.image.version=$VERSION \
-        org.label-schema.version=$VERSION \
-        org.opencontainers.image.revision=$VCS_REF \
-        org.label-schema.vcs-ref=$VCS_REF \
-        org.opencontainers.image.source=$VCS_SRC \
-        org.label-schema.vcs-url=$VCS_SRC \
-        org.opencontainers.image.created=$BUILD_DATE \
-        org.label-schema.build-date=$BUILD_DATE \
-        org.label-schema.schema-version="1.0"
+LABEL org.opencontainers.image.title="OpenVPN Server" \
+      org.label-schema.name="OpenVPN Server" \
+      org.opencontainers.image.description="Docker image with OpenVPN server" \
+      org.label-schema.description="Docker image with OpenVPN server" \
+      org.opencontainers.image.url="https://github.com/SloCompTech/docker-openvpn" \
+      org.label-schema.url="https://github.com/SloCompTech/docker-openvpn" \
+      org.opencontainers.image.authors="Martin Dagarin <martin.dagarin@gmail.com>" \
+      org.opencontainers.image.version=$VERSION \
+      org.label-schema.version=$VERSION \
+      org.opencontainers.image.revision=$VCS_REF \
+      org.label-schema.vcs-ref=$VCS_REF \
+      org.opencontainers.image.source=$VCS_SRC \
+      org.label-schema.vcs-url=$VCS_SRC \
+      org.opencontainers.image.created=$BUILD_DATE \
+      org.label-schema.build-date=$BUILD_DATE \
+      org.label-schema.schema-version="1.0"
 
 
 #
 # Environment variables
 # @see https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md
 #
-ENV PATH="/app/bin:$PATH" \
-    S6_BEHAVIOUR_IF_STAGE2_FAILS=0 \
-    EASYRSA=/usr/share/easy-rsa \
+ENV EASYRSA=/usr/share/easy-rsa \
     EASYRSA_PKI=/config/pki \
     EASYRSA_VARS_FILE=/config/ssl/vars \
     #EASYRSA_SSL_CONF=/config/ssl/openssl-easyrsa.cnf \
     EASYRSA_SAFE_CONF=/config/ssl/safessl-easyrsa.cnf \
-    EASYRSA_TEMP_FILE=/config/temp \
-    OVPN_ROOT=/config \
-    OVPN_HOOKS=/config/hooks \
-    OVPN_RUN=system.conf
+    EASYRSA_TEMP_FILE=/config/tmp/temp
 
 # Install packages
-RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/main/" >> /etc/apk/repositories && \
-    apk add --no-cache \
+RUN apk add --no-cache \
     # Core packages
-    bash sudo iptables ip6tables git openvpn easy-rsa && \
+    bash \
+    easy-rsa \
+    iptables \
+    ip6tables \
+    openvpn \
+    python3 \
+    sudo && \
     # Link easy-rsa in bin directory
     ln -s ${EASYRSA}/easyrsa /usr/local/bin && \
     # Link python3 also as python
+    ln -s /usr/bin/pip3 /usr/bin/pip && \
     ln -s /usr/bin/python3 /usr/bin/python && \
     # Remove any temporary files created by apk
     rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/* && \
     # Add permission for network management to user abc
-    echo "abc ALL=(ALL) NOPASSWD: /sbin/ip, /sbin/ip6tables, /sbin/ip6tables-compat, /sbin/ip6tables-compat-restore, /sbin/ip6tables-compat-save, /sbin/ip6tables-restore, /sbin/ip6tables-restore-translate, \
-        /sbin/ip6tables-save, /sbin/ip6tables-translate, /sbin/iptables, /sbin/iptables-compat, /sbin/iptables-compat-restore, /sbin/iptables-compat-save, \
-        /sbin/iptables-restore, /sbin/iptables-restore-translate, /sbin/iptables-save, /sbin/iptables-translate, /sbin/route" \
-        >> /etc/sudoers.d/abc
+    echo "abc ALL=(ALL) NOPASSWD: \
+      /sbin/ip, \
+      /sbin/ip6tables, \
+      /sbin/ip6tables-compat, \
+      /sbin/ip6tables-compat-restore, \
+      /sbin/ip6tables-compat-save, \
+      /sbin/ip6tables-restore, \
+      /sbin/ip6tables-restore-translate, \
+      /sbin/ip6tables-save, \
+      /sbin/ip6tables-translate, \
+      /sbin/iptables, \
+      /sbin/iptables-compat, \
+      /sbin/iptables-compat-restore, \
+      /sbin/iptables-compat-save, \
+      /sbin/iptables-restore, \
+      /sbin/iptables-restore-translate, \
+      /sbin/iptables-save, \
+      /sbin/iptables-translate, \
+      /sbin/route" \
+      >> /etc/sudoers.d/abc
 
 # Add repo files to image
 COPY root/ /
 
 # Configure
-RUN chmod +x /app/bin/* && \
-    chmod +x /usr/local/sbin/* && \
-    chmod -R 0644 /etc/logrotate.d
+RUN chmod -R 0644 /etc/logrotate.d

README.md

@@ -68,11 +68,13 @@ services:
 
 |**Parameter**|**Function**|
 |:-----------:|:----------:|
+|`-e FAIL_MODE=hard`|Restart whole container on error|
 |`-e PUID=1000`|for UserID - see below for explanation|
 |`-e PGID=1000`|for GroupID - see below for explanation|
-|`-e OVPN_NFW=true`|Disable any firewall related rules to be created, modified ... (must be implemented in example)|
-|`-e OVPN_PERINT=true`|Enable persistent TUN interface|
+|`-e PERSISTENT_INTERFACE=true`|Enable persistent TUN interface|
+|`-e USE_FIREWALL=false`|Disable any firewall related rules to be created, modified ... (must be implemented in example)|
 |`-v /config`|All the config files including OpenVPNs reside here|
+|`-v /log`|Log files reside here|
 
 See also: [EasyRSA](https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md)  
 
@@ -104,13 +106,13 @@ If you are new to containers please see rather [Detailed first setup guide](docs
 2. At this point you will have bash shell which runs in container. Now run following commands to setup your PKI:
 
   ``` bash
-  ovpn_init [nopass] # Inits PKI
+  ovpn pki init [nopass] # Inits PKI
   ```
 
 3. Setup OpenVPN config based on example `basic_nat` with configuration wizard:  
 
   ``` bash
-  ovpn_enconf basic_nat
+  ovpn enconf basic_nat
   #Out interface [eth0]: <interface connected to the Internet>
   #Protocol udp, tcp, udp6, tcp6 [udp]:
   #VPN network [10.0.0.0]:
@@ -125,13 +127,13 @@ If you are new to containers please see rather [Detailed first setup guide](docs
 
   ``` bash
   # Generates client certificates
-  ovpn_client add <name> [nopass]
+  ovpn client add <name> [nopass]
 
-  # Generates client config file and prints it to screen (redirect to file)
-  ovpn_client ovpn <name> > <config file>.ovpn
+  # Generates client config file and saves it to /config/tmp
+  ovpn client ovpn <name>
 
   # OR BETTER SOLLUTION: Run outside container
-  docker exec -it <container name> ovpn_client ovpn <name> > <config file>.ovpn
+  docker exec -it <container name> ovpn client ovpnp <name> > <config file>.ovpn
   ```
 
 5. Exit container with `exit`, then it will destroy itself.
@@ -170,4 +172,4 @@ Wanted features (please help implement):
 
 ## Versions
 
-See [CHANGELOG](CHANGELOG.md)  
+See [CHANGELOG](CHANGELOG.md)